Much to the chagrin of IT professionals who face the constant onslaught of threats and problems, security tests can never prove that you are secure. That’s because security is a process, not a final destination. As such, security testing should be applied with a well thought-out strategy.
A strategy can include the following reasons for security testing.
1. To establish a baseline risk analysis or vulnerability inventory of the entire organization
2. As a routine checkup such as might be part of a regular audit
3. To comply with regulations, legislation or standards
4. To document controls for a third party audit
5. To validate new processes
6. Upon implementing a new or enhanced business application
7. Upon mergers, acquisitions, and outsourcing
8. Upon installing new infrastructure components such as web servers, virtual private networks or firewalls
9. In reaction to an event such as a security breach
To know what is right for your institution, you need to clearly define your requirements and tailor an approach to meet them. The key questions you need to consider are:
1. What is at risk?
2. What are you protecting against?
3. What do you need to test?
4. What kind of report do you need?
To be secure, an institution must incorporate security into its core functions and systems end-to-end. A well-considered approach to security testing that balances the different approaches above against your needs will improve the value of your security program and help validate the security of your business.