~
also, maybe not hire an ethical hacker, but run bug bounty from time to time, at least test the potential vulnerabilities of the site. the security team should not stop exploring their security options because these hackers won't stop up until they find a weakness of the site.
This is almost the same as hiring an ethical hacker, isn't it? But I personally still on the side of hiring a professional to test your site because bounties are usually too small for a pro to bother, so, just relying on them is too risky. I mean, it's better to do both.