Many times penetration tests are conducted because they are required because of policy or for compliance that may be for an industry or legal requirement. This is all well and good and when issues are discovered and there always are issues we prioritize and address them.
I was visiting with a customer recently who was going through a fire drill as there was a mass phishing attack yesterday on their company that appeared to come from Human Resources and was offering a free $25 gift card and the user just needed to login with your domain username and password then enter your home address. My customer was trying to identify who internally received the email and was looking to their spam and mail protection provider to quickly provide this to no avail. Unfortunately for my customer Information Security does not own this service and as we progressed further in the conversation he proceeded to tell me all the issues they are having with it. They have been unsuccessful in convincing the infrastructure team that the service needs to be changed to something that meets the basic needs to stop spam and phishing attacks as well as provide reporting.
This customer does test their incident response plan semi-annually and this lead me to conclude that why not conduct a Red Team/ Blue Team exercise for their testing this year where there is a targeted email attack and the teams need to defend against it. What is interesting is the incident response tests are monitored and graded by audit and a failure in the test like the real incident had will receive much greater visibility and further his cause to get this technology replaced.
Now this is only a small example of how testing can be used to help further a project or better solidify a need. The options here are endless when you think about how specific you can be with penetration testing. I challenge you to open up your mind and creativity to find ways pen testing can help you gain buy in for that next project whether that be a next gen firewall, DLP, malware protection or new policies.