Guest Blog by Zac Amos, Cyber Security Features Writer
CISOs often have to outsource security work when they need to supplement internal staff or perform specialised tasks their teams aren’t trained for. Penetration testing is one such job, and finding a third-party provider for these deliberately invasive exercises requires extensive industry research and a high degree of trust between the two businesses.
Security teams have to divulge a great deal to pen testers (scope documents, credentials, architecture details), so reputation, compliance and experience are non-negotiable. What signals should CISOs keep on their radar when judging whether a pen testing outfit is worthy of probing their systems for backdoors and vulnerabilities?
Certifications and Compliance
It’s a red flag if a provider holds no recognised pen testing qualifications. The list below mixes individual tester certifications, testing methodologies and standards, and organisational compliance attestations; a credible provider should be able to point to something in each group:
- Offensive Security Certified Professional (OSCP) and Offensive Security Web Expert (OSWE)
- NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
- Open Source Security Testing Methodology Manual (OSSTMM)
- Knowledge of the CWE Top 25 Most Dangerous Software Weaknesses (originally the CWE/SANS Top 25, now maintained by MITRE)
- Understanding of the OWASP Top 10 web application security risks
- ISO 27001
- Penetration Testing Execution Standard (PTES)
- GIAC Penetration Tester (GPEN) and GIAC Web Application Penetration Tester (GWAPT)
- The Cyber Scheme CSTM (Team Member) and CSTL (Team Leader)
- CREST CRT (Registered Tester) and CCT (Certified Tester)
- Burp Suite Certified Practitioner
- SOC 2
- Related liability insurance and other coverage
More does not always equate to better. However, a diverse set of qualifications does show that a provider expects its staff to keep up with the industry’s most prevalent threats. The same logic applies to defensive frameworks: organisations that keep on top of the CIS Critical Security Controls (formerly the SANS Top 20 Critical Security Controls) are credited with reducing risk by around 94%, although such figures depend heavily on how risk is measured, so treat them as directional rather than precise.
Communication and Reporting
People other than cybersecurity analysts and IT professionals need briefings from testers on their findings. Pen testers must translate jargon into an accessible format for stakeholders and management who may not be familiar with cybersecurity terminology, and the reports they compile must make sense to nontechnical audiences.
The most vital trait of a quality pen tester is a write-up that’s accessible without losing critical or urgent information: each finding should carry a severity, the evidence behind it and the steps to reproduce it. The testers should also provide remediation actions that are equally legible, giving teams a jumpstart on fixing vulnerabilities and reducing their attack surface.
Manual Pen-Testing Options
The pen testing world often gets muddled with vulnerability scanning. The latter is an automated service that software can execute on its own. Nontechnical companies may not know the difference, and pen testing companies should educate clients about it while working out how the client wants to deploy their strategy.
Scans should supplement manual pen tests, not replace them. Price is one tell: companies that sell scans under the guise of pen tests charge less, because a scan costs them little more than the run time of a tool.
CISOs should find companies that prioritise manual tests while leveraging the benefits of automation tools. Scanners match what they observe (version banners, open ports, known file paths) against databases of already-published vulnerabilities, so they can only report issues that fit a known pattern. Manual pen testers run live, practical tests that go beyond that data set: chaining low-severity findings, probing business logic and authorisation, and tailoring the approach to the company’s actual services.
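The difference between the two approaches is easiest to see side by side. The following is an added illustration, not code from the original post or from any real scanner: a constructed target whose banner advertises an outdated (hypothetical) product version and whose invoice endpoint lacks an ownership check. A signature-based scan catches the first problem because the version string matches a known entry; only the manual-style test, which logs in as one user and walks neighbouring record IDs, catches the second. The product name, version list and invoice data are all made up for the example.

```python
"""Constructed comparison: signature scan vs manual authorisation test.

All product names, versions and records below are hypothetical and exist
only to illustrate what each technique can and cannot see.
"""
from dataclasses import dataclass, field

# Hypothetical "vulnerability database": product -> versions with a known issue.
# Not real CVE data; a real scanner consults published advisories instead.
KNOWN_VULNERABLE = {
    "ExampleHTTPd": {"2.4.1", "2.4.2"},
}


@dataclass
class Finding:
    severity: str
    title: str
    evidence: str


@dataclass
class ToyApp:
    """Constructed target: a server banner plus an invoice lookup endpoint."""
    banner: str = "ExampleHTTPd/2.4.2"
    invoices: dict = field(default_factory=lambda: {
        1001: {"owner": "alice", "total": 120.0},
        1002: {"owner": "bob", "total": 980.0},
    })

    def get_invoice(self, session_user, invoice_id):
        # Deliberate flaw (insecure direct object reference): the record is
        # returned without checking that session_user owns it.
        return self.invoices.get(invoice_id)

    def get_invoice_fixed(self, session_user, invoice_id):
        # Hardened form: enforce ownership before returning anything.
        rec = self.invoices.get(invoice_id)
        return rec if rec is not None and rec["owner"] == session_user else None


def version_scan(app):
    """What an automated scan does: parse the banner, look the version up."""
    product, _, version = app.banner.partition("/")
    findings = []
    if version in KNOWN_VULNERABLE.get(product, set()):
        findings.append(Finding("medium",
                                f"Outdated {product} {version}",
                                f"banner reported {app.banner}"))
    return findings


def manual_authz_test(app, as_user="alice", id_range=range(1000, 1005), fixed=False):
    """What a human tester does: authenticate as one user, enumerate nearby
    object IDs and flag every record that belongs to someone else."""
    getter = app.get_invoice_fixed if fixed else app.get_invoice
    findings = []
    for inv_id in id_range:
        rec = getter(as_user, inv_id)
        if rec is not None and rec["owner"] != as_user:
            findings.append(Finding("high",
                                    "IDOR on invoice endpoint",
                                    f"{as_user} read invoice {inv_id} owned by {rec['owner']}"))
    return findings


def run_assessment(app, fixed=False):
    """Return both phases so the gap between them is visible."""
    return {"scan": version_scan(app), "manual": manual_authz_test(app, fixed=fixed)}


if __name__ == "__main__":
    for phase, found in run_assessment(ToyApp()).items():
        print(phase, [(f.severity, f.title) for f in found])
```

Note that neither technique is redundant: the scan is the cheaper, repeatable way to catch the banner-level issue, but it has no concept of which user should be allowed to read which invoice, which is exactly the class of finding that justifies paying for manual testing.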
Companies have varying cybersecurity problems: some have strong firewalls, while others have unprotected external data silos. Every enterprise is unique, and a third party that focuses on manual pen testing will provide a more customised engagement. It’s no use giving a minor missing software update the same time in reports or meetings as a critical network exposure; the former could have been found by automation, while the latter needs additional resources and time to patch.
Individualised testing plans should cover every issue found during testing, but expert pen testing providers also spell out which findings are critical, so that they are not quietly waved through as accepted risk. Cybersecurity is an ever-evolving process for businesses, and investing in and kickstarting every initiative at once is impossible, so prioritisation is part of the deliverable.
Consistency
Consistency is a broad term for a few qualities in a pen testing provider. The first is a strategic track record. A company should use the same methodology for pen tests with every client and adjust it as needed for customisation. Without a benchmark and rules of engagement that clarify what will happen, the provider has no way to assess their methods’ accuracy. A commitment to a foundational plan signifies that testers have used it repeatedly because it is effective and reliable.
Additionally, the staff should be experienced and tenured. Internal rapport is almost as vital as B2B communications, because the management of the pen testing provider needs to be able to vouch confidently for their technicians’ proficiencies.
Industry reviews are another way to determine the value of a pen testing provider. Consistency among other corporate clients encourages CISOs to enter a business partnership.
Pen Test Providers CISOs Can Trust
Pen testing is a sizable upfront investment for long-term peace of mind. Understaffing is an already-present cybersecurity issue, so companies will need third-party assistance. Pen testing is labour-intensive and intimate, as companies relinquish secrets for improved cybersecurity. Trust is vital in a partnership like this.