The need for increased awareness

The main reason an organization is vulnerable to threats from hackers is that awareness of these threats is very low. Our experience has shown that a penetration test is an effective tool for raising this awareness. The best way to do so is to present the results of the penetration test to the people concerned, using, for instance, confidential documents they have been working on recently. This has a much bigger impact than a statement that it was possible to gain privileged access to 90% of all systems and network devices.

Most security baselines agree that penetration testing can be a useful tool. There are added benefits: parts of standards such as BS7799 and ISO17799 may be easier to implement and adhere to once it is clear where a firm's security weaknesses lie. The "Code of practice" explicitly states in section 12.2.2: "Compliance checking also covers, for example, penetration testing, which might be carried out by independent experts specifically contracted for this purpose. This can be useful in detecting vulnerabilities in the system and for checking how effective the controls are in preventing unauthorized access due to these vulnerabilities."

The IT analyst Gartner also states that, to avoid being used for or targeted by an Internet cyber attack, enterprises should follow security and business continuity best practice. One of these practices, according to the analyst, is: "Perform vulnerability assessments, including penetration testing at least annually, using a third party."

Of course there are also drawbacks to penetration testing. The biggest is that a penetration test is a snapshot of the current state of the company's IT security. Although it is an end-to-end test of the environment as a whole, it only describes the state of IT security at the time of the test. It says nothing about the state of IT security the day after the test.

The IT environment is not static but a dynamic, constantly changing target. To keep this environment secure it is very important to hire well-educated and experienced people who follow proper procedures, such as an ITIL Change Management procedure, so that every change is reviewed for its security impact before it reaches production.

To summarize, a penetration test is a valuable tool, recommended by security baselines and IT analysts, that can be used: