The intended audience of this blog includes business owners, executives, IT managers, IT engineers and those curiously interested in IT. We seek to provide you with the latest IT knowledge and insights from our behind-the-scenes experience. We provide this information to help you manage the specific costs and risks of IT in your business.
In today’s world, data is the most valuable resource. Your information and technology assets need to be properly managed and protected from external threats. 2020 and 2021 were both record years for cyber incidents and attacks. At the very least, we expect the same in the future and recommend planning for how you will manage the security services required to operate and protect your business.
The Challenge of Penetration Testing Procurement
In the year ahead, penetration testing will be more troubling than ever for members of the C-suite. Inevitably, with the incredible rise in cyber incidents, more organizations are budgeting and investing in penetration testing. Setting aside dollars is the first step, but navigating the decisions involved in procuring penetration testing requires another set of skills and experience.
Organizations often lack the internal expertise to navigate penetration testing procurement, and that is often why penetration testing is put off for too long. Procurement teams and business executives need technical guidance to understand their options.
Here’s what makes it particularly tricky:
- Penetration testing is a costly service. Demand is increasing, and the supply of qualified security professionals needed to conduct penetration tests is not keeping pace. The economic indicators clearly show that service providers have the upper hand in the market and can charge a premium for their services.
- Knowing when to start and how often to test is often a matter of contention. Some businesses must conduct annual penetration tests to meet compliance requirements, but for others the timing and frequency remain open questions. Many different motivations may push executives to pull the trigger, but to those unfamiliar with the benefits it can look like a costly endeavor. If the organization has a backlog of changes or is planning future updates to systems and networks, it can seem that there will always be a better time to test once the updates are fully completed.
- There are many types of penetration tests to choose from: red team/blue team, internal/external, black box/white box/gray box, and network services/web application/client side/wireless/social engineering/physical. These choices of approach are compounded by the different technologies and tool sets used by penetration testing service providers. Purchasing teams need to understand their needs and align their expectations for what they aim to get out of the penetration tests.
- Service provider selection is critical. All service providers “do the work” and issue their “reports”, but the work often cannot be compared apples to apples, and the deliverables from each provider are often not the same. Still, the biggest discrepancy between service providers is the individual talent of the staff. You want experienced and certified security professionals conducting your penetration test to get the most value out of the simulated attack.
Here’s what Advanticom recommends:
(Full disclosure, at Advanticom we do not provide penetration testing services. We are admittedly not experts in conducting penetration tests and choose to work with other IT service organizations that conduct annual penetration tests on our environment. Our penetration testing plan dictates that we follow the ISO 27001 compliance requirements and conduct an annual penetration test.)
- Commit to penetration testing to improve your cybersecurity posture. Penetration testing is an important tool that identifies whether unauthorized access or malicious activity is possible. The goal of each penetration test is to improve network security and provide protection against future attacks. The test mimics a real-world attack to identify the potential breach points an attacker would use.
- Make a penetration testing plan. One test isn’t enough for adequate coverage. A penetration test provides a snapshot of the organization’s security posture at a specific point in time. Plan to test again after every significant upgrade, or on a fixed schedule such as every year or every quarter, depending on the frequency that suits your business needs. Internally, decision makers must align on the motivation for conducting a penetration test and decide how the tool should be used on an ongoing basis.
- Get expert guidance. Decision makers should seek guidance from experts who are already familiar with penetration testing procurement before attempting to figure it out on their own. Depend on those who have been there and done that to help scope the objectives of your penetration test. If you don’t have the internal resources, Advanticom is glad to help. We can help you understand what is appropriate for your organization and can recommend a service provider for your needs.