Vulnerability assessments (VAs) and penetration tests (pen tests) have long been major components of information security programs. In fact, security managers have historically defined when and how they would conduct these exercises, as well as the scope of such exercises. Nevertheless, a missed assessment or pen test traditionally wasn’t a big deal. Considering the resource constraints of most information security departments, missing an assessment period, or even two, was quasi-acceptable.

But ...