If you’re considering pen testing or are reviewing your existing security arrangements, it’s a question worth asking. With so many providers out there, it pays to be able to differentiate offer and approach to ensure you are getting the service – and protection – you need.
Our view is that ‘good’ comes down to a mix of things beyond the technical competency evidenced by CHECK/CREST accreditation. A ‘recipe for success’ should be built around the following core elements:
Nail the scope – In-depth scoping calls with technical experts ensure everyone understands the requirements, the industry specifics, the operational concerns and the scenarios of interest. It’s a true real-world test, not a box-ticking scan.
Show the implications – Going beyond report findings and outlining their practical application gives you a real-world view of what could happen if vulnerabilities are not remediated. It’s about being relevant and pertinent.
Democratise reporting – Making reporting accessible and intelligible to all is invaluable for getting universal buy-in for security protections. Technical reports should come with at least a management supplement, and ideally an in-person debrief, delivering suitably tuned information for both IT teams and executive boards. Debriefs, or report walkthroughs, allow for more rounded discussion of issues and remediation options, helping all client parties to a better understanding of security posture and business risk.
Respect the process – Execution to scope and schedule needs robust project management. Pre-requisites in place ahead of testing, a project kick-off call, morning project calls, evening wash-up calls, a last-day debrief, the final report and a report walkthrough: this is how to cover everything and miss nothing.
If you’d like to discuss your pen testing provision with one of our experts, contact Ciaran Mullen.
Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.