Why do you pen test? - Once again, for me it is regulatory compliance (SOX, PCI, etc.) plus my boss is very security oriented (CISSM) and wants to make sure our holes are plugged before someone else finds it.

Why don't you pen test? - n/a

What is the value? - finding and patching a hole before it can be exploited. We are a multi billion dollar company and all of our business is done over the internet. If I can find and patch a hole that would have cost the company a few million dollars then I have done my job. If I don't find that hole, or we never even looked for it, then the company is hurt financially and their reputation is tarnished.

Who (what functions) should be doing the testing? - that is really going to depend on the type of business. We do both internal and external testing. The security department is not related to the rest of MIS/IT even though we work closely with them. We also contract out to a couple of different companies that do everything from full "black box" testing, to informed application testing.