What do pentests say about the maturity of cyber security?

Pentests show the state of security. Why doesn’t anyone want to see that?

Manuel Bohé (CEO) · Jan 29, 2025

‘Our IT department can carry out pentests themselves if they think it’s a necessary measure…’

We often hear this from managers who have completely handed over the issue of cyber security to their IT department. But apart from the fact that tasks can be delegated, but not the responsibility for security, this attitude is dangerous:

FIRST

In times of a shortage of skilled labour, IT administrators in companies already have enough to do with their original tasks. Therefore, they tend to choose security measures that are efficient and easy to administer. Pentests do not fall into this category.

SECOND

The company’s IT department is usually somewhat overwhelmed by the task of carrying out pentests. Ethical hacking is a discipline in its own right that requires specialised skills (e.g. understanding binary or machine code). In-house IT administrators are usually not equipped for this, or at least lack the daily practice and experience that external pentesters bring to the table.

THIRD

A pentest uncovers weaknesses. However, not every corporate culture allows mistakes to be discussed openly. Accordingly, there are IT departments that prefer not to carry out pentests too regularly if they are subsequently pilloried for the results.

ERGO:

Your own IT department is not always the best place to decide whether to carry out pentests or not. The decision is better left to top management because they deserve an unvarnished view of cyber security.

We believe that pentests or at least comprehensive vulnerability scans should be a regular routine in companies. Incidentally, standards such as ISO/IEC 27001 (ISMS) also require this – both ad hoc and regular tests.
