Security Testing: Taking Charge - Pros and Cons (Page 2 of 2)
Pros and Cons
Jon Oltsik, senior analyst for information security at Enterprise Strategy Group, an I.T. industry analyst firm, says Scottish Re's inside move isn't unusual among bigger organizations.
"Large companies with strong security staff often do penetration testing in-house," he says. "If your staff has the skills, the fact that they know the landscape can streamline the penetration testing process and lower costs."
Core Security has a professional services division that will perform penetration tests on the client's behalf. But many customers are just interested in the company's software, Cassidy says.
In-house penetration testing has its drawbacks. The internal tester is steeped in the company's security practices. A consultant, on the other hand, lacks preconceptions about how protective measures are supposed to work and can attack the network as a true outsider. "It is difficult for an insider to forget everything he/she knows and act like a stranger," Oltsik says.
He adds that even large companies that do in-house penetration tests usually hire a third party to conduct similar testing occasionally as a safeguard, but that is not the case at Scottish Re. Instead, the company's internal auditor conducts penetration tests in addition to the I.T. security team.
Has in-house testing contributed to improved security at Scottish Re? "We are seeing fewer and fewer issues overall," Odiorne says. "The fact that we can test at any time, anytime we make a change, has been a big plus for our overall confidence in our security posture."