You need both internal and external people working on your system.
Always having an internal person is ideal. However, many organizations below a certain size or revenue can’t justify the cost of an internal person whose full-time job is cybersecurity alone. What’s more, once these people earn their certifications and actually have the technical chops to do security audits and penetration tests, they command high salaries. If you are a regular mom-and-pop shop with ten employees, you likely can’t afford a full-time person for that, so you are forced to bring someone external in once a year and pay for that one-time engagement rather than a salary.
Now, on the other side, when we talk about regulations: if you are a big organization and you are regulated, not only are you required to have it done once a year, but you are required to have it done by an external third party. Even if you have internal pen testers, you are still required to have an external one done. It’s much like not letting a CPA audit their own books; you have an external public CPA firm do it to maintain integrity.
When it comes to auditing, we recommend using a third party. Internal or external, if your job is to secure this organization, you are not likely to rate yourself poorly. Who is going to say, “I didn’t do a good job of securing the organization,” when audit time comes around? So have a third party do it, and on top of that, rotate to a new third party every few years. You can’t use the same third party over and over again, because if you do that too long, the third party becomes partly an extension of the organization. Think of the Arthur Andersen-Enron affair back in 2001, where Arthur Andersen was no longer unbiased; they were effectively part of Enron, because the relationships had developed so much.
If you are big enough to be under any type of regulation, it’s a good idea to have a check and balance through external parties. If you are small, paying the salary of someone to do it internally is simply not feasible, and a small company of 50 people might only have one or two IT guys anyway. Giving them the additional hat of auditing and checking security is not feasible either, because you are adding another big responsibility to someone who is already stretched in their job, and the result is not a good job.