‘Our IT department can carry out pentests themselves if they think it’s a necessary measure…’
We often hear this from managers who have completely handed over the issue of cyber security to their IT department. But apart from the fact that tasks can be delegated, but not the responsibility for security, this attitude is dangerous:
FIRST 
In times of a shortage of skilled labour, IT administrators in companies already have enough to do with their original tasks. Therefore, they tend to choose security measures that are efficient and easy to administer. Pentests do not fall into this category.
SECOND 
The company’s IT department is usually somewhat overwhelmed by the task of carrying out pentests. Ethical hacking is a discipline in its own right that requires specialised skills (e.g. understanding binary or machine code). This is where in-house IT administrators are usually out of the picture, or at least lack the daily practice and experience that external pentesters bring to the table.
THIRD
A pentest uncovers weaknesses. However, not every corporate culture allows mistakes to be discussed openly. Accordingly, there are IT departments that prefer not to carry out pentests too regularly if they are subsequently pilloried for the results.
ERGO:
Your own IT department is not always the best place to decide whether to carry out pentests or not. The decision is better left to top management because they deserve an unvarnished view of cyber security.
We believe that pentests or at least comprehensive vulnerability scans should be a regular routine in companies. Incidentally, standards such as ISO/IEC 27001 (ISMS) also require this – both ad hoc and regular tests.
