Minor addition to the list of practical problems:
If you use red teaming/pentesting, somebody at the company has to determine what should be tested—systems, services, locations. That may not be easy to determine, may involve diligent work and the collaboration of multiple departments—and there is an incentive to skip parts.
Can’t believe I forgot this one. I will edit the post and add this because it’s also a very common failure mode.