Top 10 Penetration Testing Decision Factors


Top 10 for Choosing a Penetration Testing Company

How secure is your network? When is the last time you tested your cybersecurity defenses? Nearly $50k is the average cost for a small business to overcome a data breach—why not take steps now to protect your systems, your employees, and your clients from a cyberattack? You cannot fix what you do not know. A penetration test strengthens your defenses by revealing your weaknesses and recommending prioritized fix actions.

This article contains ten items you should consider when selecting an organization to perform a penetration test against your environment.

1. Use Certified and Experienced Personnel

The penetration testing team should hold appropriate penetration testing credentials, such as the EC-Council Certified Security Analyst (ECSA), Licensed Penetration Tester (LPT), Offensive Security Certified Professional (OSCP), or Certified Ethical Hacker (CEH). The team should also have penetration testing experience across multiple industries and different environments. Make sure the penetration testing team has real experience and knows what they are doing.

2. Deliver Clear Reports with Risk-Based Prioritized Recommendations

Reports should be easy to understand and include summary data for executives and detailed data for technical personnel. The penetration test report should contain a prioritized, risk-based list of findings with detailed step-by-step recommendations. Any steps taken to exploit systems should include screenshots, where applicable. Your team should be able to reproduce the findings from the steps in the report. The vendor should be able to provide sample, redacted reports. If you can’t understand the report or take action on the findings, what’s the point of the penetration test?

3. Perform Both Manual and Automated Testing

Automated tools do not detect all vulnerabilities and are prone to false positives. Manual methods must be used as part of the penetration test to fill in the gaps left by automated tools, eliminate false positives, and ensure test completeness. Both manual and automated methods should be used for every penetration test. Many penetration testing organizations run automated tools, such as a vulnerability scanner, and then try to pass those results off as a penetration test. A penetration test should involve many tools and many manual techniques.

4. Follow a Documented Process

A well-defined, documented process should be followed before, during, and after the penetration test engagement. Documented processes ensure completeness, accuracy, and test repeatability. The documented process is also often referred to as a penetration testing methodology. A methodology is often very high-level, though; it should include detailed steps.

5. Use a Rules of Engagement (ROE) Document for Clear Expectations

Rules of Engagement are designed to ensure everyone is “on the same page” and there are no surprises during the test. The ROE ensures clarity on test expectations by documenting agreed-upon test parameters, such as times for the test, escalation procedures, targets in scope, targets out of scope, and limitations. The ROE document should be signed by you and the penetration testing vendor. It removes ambiguity from the test.

6. Communicate Clearly and Frequently

Routine communications during the penetration test should include when penetration testing begins and ends, what is being tested, whether any critical findings were discovered, any problems, etc. The communication frequency and medium should follow the agreed-upon terms in the ROE. Clear communications are vital during the penetration test.

7. Demonstrate Professionalism and Respect

This should be an obvious one, but it is important to emphasize. The penetration testing team should remember that the focus of the test is to help you secure your environment, not to provide an environment for them to practice skills or try out new exploits. Continuing exploitation beyond what is necessary is bad practice. The vendor should be able to provide references from previous clients.

8. Identify and Eliminate False Positives

A false positive is when the penetration testing team tells you there is a vulnerability or a problem when there really isn’t one. The penetration testing team should make every effort to eliminate false positives and label questionable findings. This is why manual analysis is critical. A report riddled with false positives wastes your time.

9. Offer “Retest” Options

Once you fix the penetration test report findings, it is critical to validate that your remediation steps actually took care of the problem. Many organizations have taken steps to fix problems identified by penetration testers but never validated that the steps worked. The penetration testing team should offer an option to rerun the test after you remediate the findings. The last thing you want is to pay for a penetration test, take time fixing items, and then be hacked later on because you did not validate your fix actions.

10. Protect Your Data During and After the Test

The penetration testing team should follow a documented process to ensure your data remains secure. Penetration test reports often contain identified vulnerabilities, steps to exploit the vulnerabilities, cracked passwords, and other sensitive information. Reports should be labeled appropriately, handled with care, and distributed only to authorized personnel.

Interested in a penetration test? Connect with me.

A CISO Isn’t a Technical Role

The role of CISO (Chief Information Security Officer) is a relative newcomer to the C-suite. Its importance has grown considerably in the last decade as cyber threats became such a high risk. As companies decided they had real challenges with information security, the CISO gained more power to protect their data and digital interests.

There is no debate over the importance of having a CISO on staff, but I’m going to make a possibly controversial statement. A CISO isn’t a technical role. I don’t mean that those with this title shouldn’t have technical acumen, but there are other skills relating to leadership and strategy that matter more than being an expert on every aspect of cybersecurity.

In this post, I’ll make a case for why it isn’t a technical role and define the most critical CISO skills.

Who Are Today’s CISOs?

The path to CISO has evolved significantly in the past 25 years. In the early days, a CISO was compliance-focused, and the functions were purely in the IT bucket. Then risks became a bigger concern, and the job became much less tactical. CISOs were involved in policy and procedure development and creating frameworks.

In the past five years, CISOs have become a central leadership role. They have responsibility for a large portfolio, from cloud strategy to IAM (identity and access management) to mergers and acquisitions. They are the determiners of risk and its priority.

What Challenges Do CISOs Face?

To better understand the skills that matter for CISOs, it’s helpful to know where they are struggling. These insights are from the Global CISO Study.

  • Only 19% state they are highly effective at preventing security breaches.
  • 30% of those surveyed said lack of resources (people and technology) is an obstacle to better security.
  • Regarding talent, 91% said attracting and upskilling were critical for success, while 89% said retaining existing employees was.

Based on this data, I can make some assumptions. CISOs aren’t exceptionally confident in their security posture. They also have lots of concerns regarding staff. They don’t have enough, can’t attract them, and have a hard time keeping them. The cybersecurity job market is flush with opportunity, but that’s somewhat of a negative.

As I’ve talked about before, the demand for these roles created a swarm of paper tigers. These are folks with certifications in cybersecurity who don’t have the skills or experience to handle the demands of the job.

A CISO is like any other C-suite role. They have to build out a team, except now the org chart has more and more layers. This elevation, just like other executives, means they aren’t executors. They set the strategy, make the big decisions, and hopefully hire the right people.

A Less Technical “Outsider” CISO Simplifies Cybersecurity

The concern with a “technical” CISO is they may have come from a paper tiger culture. Lots of CISOs got the job because they had the certifications and degrees. Those hiring them weren’t technical. So, when such a person used overcomplicated language and complex cybersecurity frameworks, the CEO was like, “You’re hired.”

Unfortunately, that path could be making your cybersecurity weak and your network ripe for exploitation. These individuals posture, typically don’t listen to others, and have less-than-optimal communication skills.

Whereas if the CISO is less technical and not an internal ladder climber, it could simplify and improve cybersecurity. These “outsiders” are likely to have more clarity and do the thing they really need to do — lead.

They aren’t distracted by trying to be the smartest person in the room. Instead, they listen and communicate well. They defer to experts about the technical stuff or the newest tools to automate. The truth is cybersecurity strategies don’t need to be complicated to work. Simple is actually better in many cases. And simple comes from people skills, not technical ones.

What Are the Most Important CISO Skills?

An article in Forbes by Darren Death named the Top 10 Skills a CISO needs to be successful (full disclosure, he is a CISO). Here’s the list with my own commentary on each skill.

1. Communication and Presentation Skills

Every leader needs to be a master communicator. Having excellent communication skills is not the same as being articulate or liking to talk. Communication is about listening. When someone is a strong communicator, they engage in conversation with others to learn, not refute. Additionally, communicators use language carefully for clarity.

Presentation skills are equally important. At that level of role, you have to present findings to the rest of the C-suite and board. These presentations must explain where the company is and where it needs to be in cybersecurity to get the funding and resources required.

2. Policy Development and Administration

Policies are the responsibility of a CISO, but technical prowess isn’t needed. What is necessary is the ability to develop policies that are implementable at scale. What they create must meet the company’s goals and any legal requirements.

3. Political Skills

A CISO needs to be able to interact and persuade. They also need to know what the rest of the executive team needs and their cybersecurity concerns. This is where more of those great listening skills come into play.

4. Knowledge and Understanding of the Business and Its Mission

A CISO’s highest task is to keep what’s important secure. They can’t do this well if they don’t understand the business, its operations, and the missions it seeks to deliver. Grasping the big picture is essential for an effective CISO.

5. Collaboration and Conflict Management

Cybersecurity is not an island unto itself. It involves every area of the business. A great CISO creates partnerships with all those stakeholders. A culture of collaboration can go a long way to improving security. Being able to resolve conflict is also a plus because different parties have competing priorities and opinions.

6. Planning and Strategic Management

Being a planner is also a necessity for the role. There are lots of moving pieces in projects, as well as many people. In planning, a CISO must also be strategic to support the business’s desired risk posture. They also need to be flexible enough in those plans to pivot when necessary.

7. Supervisory Skills

The CISO is only the top of the team. They have many folks under them who are implementing and executing. Thus, the role needs to be a proven supervisor who chooses to mentor and develop people. This is no place for a dictator.

8. Incident Management

Incidents will happen; preparation is crucial. The CISO should develop, test, and augment an incident management plan.

9. Regulatory and Compliance Knowledge

No matter the industry, there are regulatory and compliance obligations. A CISO should know these inside and out so everything the company does is in line with them. They’ll also need to stay on top of changes, which occur often.

10. Risk Assessment and Management

We end with risk ownership. Risk assessment and management is a never-ending part of the job. A CISO must be in tune with the fluctuating levels of existing risk as well as new and emerging risks.

If someone has these 10 skills, they are well-positioned to be a great leader in information security. If they happen to have technical skills, too, all the better. But a narrow focus on a technical CISO is likely to fall flat when what an organization needs is a communicator, mentor, and strategy expert.

CISOs Will Likely Be Culture Leaders, Too

A PwC and Harvard Business Review survey on making cybersecurity a competitive advantage also notes that culture will soon be in the CISO bucket. If that plays out, the need for soft skills like those above will far outweigh technical ones. They’ll be setting the security culture, and that has a significant impact on organizational culture. Security, after all, is a responsibility for all employees. Further, when a company has strong cybersecurity, it can be a competitive advantage. It can attract more customers and revenue, reduce costs in other areas, and contribute to job satisfaction.

Cybersecurity and CISOs Are Positively Evolving

The abilities that matter the most for a CISO to succeed have little to do with technical aptitude. The role evolved dramatically and will continue to do so in a positive manner. The entire industry of cybersecurity is, too, and can benefit from these skills. To revolutionize your cybersecurity practices and the team behind it, you’ll learn a lot from my book, The Smartest Person in the Room. Get your copy today for a better cybersecurity future.

Check Out The Smartest Person in The Room