“After the flight is before the flight!” The former football coach Sepp Herberger never said it quite that way, of course. Still, his footballer's maxim from the 1950s has lost none of its meaning today. It is not without reason that the renowned airlines subject their aircraft to rigorous tests to ensure they are fit to fly.

Every airline is a company, but not every company is an airline. Parallels can nevertheless be found in the details. Company vehicles should be checked before a trip, and refuelled and safely parked at the end of it. Their regular maintenance protects against unpleasant breakdowns, and against embarrassing moments at both the emissions test and the general vehicle inspection. The same applies to coffee machines and microwaves, air conditioning and ventilation, normal lighting and emergency lighting, fire extinguishers and sprinkler systems, the power supply and, of course, IT.

The whole is a process in four phases, which can be summarised under the abbreviation PDCA. Behind it stand the terms plan, do, check and act.

The basics and criteria are defined in the planning phase. This includes the IT security strategy, possible risks and threats, and concrete measures for checking the security architecture. The do phase covers carrying out the defined tests; in the check phase the system is examined on the basis of their results, including an evaluation of whether the goals set in the planning phase were achieved and whether the security architecture met expectations. Phase four, act, is then about possible corrections to the security strategy and to the measures taken. As in a classic management cycle, a PDCA run can be repeated as often as needed, since each run builds on the results of the previous one.

Does there have to be a penetration test in every PDCA cycle? The answer is a clear yes and no. There is no obligation to use any particular component. And no two penetration tests are alike. It does not always have to be the complete security structure that is put to the test. Sometimes the email servers are checked, then the employees in the call center, and another time the WiFi...

What matters is that security is always understood as a process and is anchored accordingly in the company's DNA. Then it also works for takeoff and landing!