Loaded question for sure!
In your experience how receptive have your organizations/targets been to conducting pentests?
Outside of compliance drivers, it obviously depends on the organization. Progressive or information technology centric companies I think see more value and thus are receptive. I am currently working with a client that is as such but their main drivers are their client requirements since they are a private company. I have seen lots of other companies that see absolutely no value because IS Managers say their networks are secure.
Ironically, with all the high profile attacks lately (Lulzsec) as soon as the main stream media catches on - it will impact how organizations look at pentests. The main stream media will get these stories, screw them up, and scare people beyond belief. This is always a good thing for Information Security people. All of a sudden if this stuff hits the Wall Street Journal, executives begin to panic...regardless, if you've been telling them for years to get a pentest... Reactive IT, isn't that what we're all used to?
Have you seen value to the pentest?
Assuming the pen test company doesn't just deliver Nessus scan results and actually does a pen test, there is definitely value.
Unfortunately, the gap between modern technology controls and what the bad guys can do is huge. The thing in the middle of that gap are people. I think most of us would agree that the easiest way to get into a network is via social engineering. What usually will come out of a pentest is, "Hey, you need a security awareness program for your employees."
My 2 cents and why I think Info Sec is going to just keep exploding.
General Certification : CPT Practical Submission
