Talk to References
If a pen-test group is going to actively try to breach your defenses, you want to know their ethics are beyond reproach. That knowledge should come from somewhere other than a well-crafted website or canned testimonials — it should come from conversations with companies that have experienced a pen test by the group in question.
It goes without saying that you'll want to know how well the group performed the basics of the task at hand. Be sure you ask about how well they listened and incorporated specific needs into the final test. Ask about how they interacted with customer employees (an especially critical issue if social engineering is part of the test) and how knowledgeable they were about the components of the tested infrastructure. And ask about how the results of the test were reported. From written materials to in-person presentation of facts, were they left with information that helped make their security better, or did the exercise generate binder-filling fodder to pad out a bookshelf?
In too many cases, a company will treat reference-checking as a duty to be avoided. That's a serious mistake when it comes to choosing a penetration tester. Have a long, detailed conversation, and be sure to include open-ended questions like, "In retrospect, what do you wish you had known going into the project?" as part of the discussion. Using references well will be a huge boon to the final results of the pen test.
(Image: fotogestoeber VIA Adobe Stock)
2020: The Year in SecurityDownload this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Tweet This
0 Comments
