What’s the best way to determine how often penetration testing is needed? Are there certain organizations or industries that should do it more often?

There’s no single best answer. As with the questions “How often should I exercise?”, “How often should I go for a dental cleaning?” and “How often should I change the oil in my car?”, there are many variables when it comes to penetration testing.

Some considerations: network complexity, how often systems and applications are changed, third-party applications, updates, the concept of “Least Privilege”, budget, and so on.