Once you think your systems are locked down, you should probably get somebody to try to break in. Normally you imagine hackers from the outside breaking in. However the truth is that the intruder may be somebody on the inside. Or an attacker can have some help from somebody on the inside. So your security tests need to take this into account.
You are going to want the guys who disguise themselves and try to physically gain entry to your systems doing your tests. I read a funny story the other day. A guy left a bunch of USB flash drives around. More than half of them were picked up people and used. They got a surprise when the guy's software automatically ran on their machines. People are just not too careful.
Just like you have internal software test teams, you could also have an internal penetration tests team. These guys are called the Red Team. But it is best to use somebody from the outside. Just make sure you are not hiring a criminal, even if they are "reformed".
Good-fast-cheap. Pick two. - I got invited to a meeting with the customer today. There was a problem in production. And the customer wanted answers. When it came time, I explained wha...