I have one client that has been testing his security for the last 2 years in ways that would made the Pentagon jealous.

They had tested their networks, both internal and external, by performing black-box and white-box penetration tests, risks analysis and an all-or-nothing phishing attack attempt (to random employees). They tested also their physical security, calling for drills, performing penetration tests and by trying to prevent information disclosure (they randomly visit employees and if they find any papers on their trash bins they get a reprimand, they are supposed to shred everything, regardless of how stupid or small it is).