Social Network For Security Executives: Network, Learn & Collaborate
A common question is why should we get a third party penetration testing company? Why not choose a team from your current technical group to handle the network security test? For one, security audits like traditional financial audits are better done by outside companies with no bias and partiality to anyone or anything within your organization. Another reason to hire a security testing company is that one may find it difficult to hire and retain Penetration Testers. Following tips will help to choose penetration testing vendor.
Good indicators of vendor’s technology competency are:
If you focus too much on individual certification, you will end up eliminating many good top-notch penetration testers. As an industry, penetration testing has not reached consensus on a meaningful certification framework. So, while large companies encourage individuals to get certifications, this over-emphasis is one the reasons why strong penetration testers are attracted to specialized penetration testing company because they place value on individual skills over industry certifications.
You would be allowing them access to your system, customer information, sensitive company research, insider memoranda and other confidential matters. You will also let them into the backbone of your company’s operations. You would need to be sure that they can be trusted with the data you have. You can look at their previous list of clients and their overall reputation. Talk to competitors and friends alike and ask for recommendations on which penetration testing company to consider and call. More importantly talk to your potential vendor and ask a lot of questions. These might be hypothetical or real questions regarding their systems. You can gauge their level of competence through their responses.
(Read more: Changing landscape of IT security)
Gartner recommends “Penetration Testing carried our regularly is the only way to be one step ahead of hackers”. However with the conventional manual approach this is too costly. Different testing companies levy different fees on their security audits. It is best for you to lay down what kind of penetration testing you need and get quotes from specific companies. Organizations without scalable technology to provide recurrent scanning are normally 30-40 times more costly than organizations that do have a similar feature. It is not enough to conduct one in-depth test a year! You need to find a healthy balance between in-frequent high quality tests and frequent low quality tests.
There are many penetration testing companies who can be impressive in discussing attack vectors, the associated impacts, root causes, and remediation. They may also have their favorite case studies and illustrate each type of vulnerability in common speak. But they may not have the real expertise in front of the keyboard. The simple question which may help you to identify them is: “How specialized is the penetration testing company? Do they deliver this particular service 30% of the time or 60% or 100%?” Good penetration testers are a rare breed. When it comes to testing your network or application, you need a great penetration tester and not a great boutique firm.
(Watch more : Attacks on Smart TV and Connected Smart Devices)
It is true that the man is more important than the machine in case of Penetration Testing. So checking out the resume of the individual is important but the process of testing is also very critical. Check out some of the following:
You need to check how flexible is the vendor to meet your flexibility requirement in terms of testing during the favourable hours as per your need. Sometime your business may need testing during the business off hours.
You need to check what could be your peak requirement. If you have 10 applications and all of them need tests to be conducted together, can your vendor test all of them in parallel?
Adapted from the original blog written at https://www.cisoplatform.com/profiles/blogs/how-to-choose-your-secu...