Social Network For CISO (Chief Information Security Officers)
A common question is why you should engage a third-party penetration testing company at all. Why not pick a team from your current technical group to handle the network security test? For one, security audits, like traditional financial audits, are better done by outside companies with no bias or partiality toward anyone or anything within your organization. Another reason to hire a security testing company is that it can be difficult to hire and retain penetration testers in-house.
# Tip 1: Evaluate technology achievements of the vendor
Good indicators of a vendor's technology competency are:
# Tip 2: Focus on the vendor’s real knowledge and not just on certifications
If you focus too much on individual certifications, you will end up eliminating many top-notch penetration testers. As an industry, penetration testing has not reached consensus on a meaningful certification framework. So, while large companies encourage individuals to get certifications, this over-emphasis is one of the reasons why strong penetration testers are attracted to specialized penetration testing companies, which place value on individual skills over industry certifications.
# Tip 3: Evaluate the company's trustworthiness and dependability
You would be allowing them access to your systems, customer information, sensitive company research, insider memoranda and other confidential matters. You will also let them into the backbone of your company's operations. You need to be sure that they can be trusted with the data you have. Look at their previous list of clients and their overall reputation. Talk to competitors and friends alike and ask for recommendations on which penetration testing companies to consider and call. More importantly, talk to your potential vendor and ask a lot of questions. These might be hypothetical or real questions regarding their systems. You can gauge their level of competence through their responses.
# Tip 4: Consider cost vs. frequency advantage
Gartner recommends that "Penetration Testing carried out regularly is the only way to be one step ahead of hackers". However, with the conventional manual approach this is too costly. Different testing companies levy different fees for their security audits. It is best to lay down what kind of penetration testing you need and get quotes from specific companies. Organizations without scalable technology to provide recurrent scanning are normally 30-40 times more costly than organizations that do have such a capability. It is not enough to conduct one in-depth test a year! You need to find a healthy balance between infrequent high-quality tests and frequent low-quality tests.
# Tip 5: Seek penetration testers (specialists) and not generalists
There are many penetration testing companies that can be impressive in discussing attack vectors, the associated impacts, root causes, and remediation. They may also have their favorite case studies and can illustrate each type of vulnerability in plain language. But they may not have the real expertise in front of the keyboard. A simple question which may help you identify them is: "How specialized is the penetration testing company? Do they deliver this particular service 30% of the time, 60%, or 100%?" Good penetration testers are a rare breed. When it comes to testing your network or application, you need a great penetration tester and not a great boutique firm.
# Tip 6: Check the "process" along with the pen tester's resume
It is true that the person is more important than the machine in penetration testing. So checking the resume of the individual is important, but the process of testing is also very critical. Check some of the following:
# Tip 7: Flexibility and turnaround time
You need to check how flexible the vendor is in meeting your scheduling requirements, such as testing during the hours that suit your needs. Sometimes your business may need testing outside normal business hours.
# Tip 8: Can the vendor scale up to meet your peak demands?
You need to determine what your peak requirement could be. If you have 10 applications and all of them need to be tested at the same time, can your vendor test all of them in parallel?