In our previous blog, we discussed the rising importance of security testing, and in particular red teaming, to mitigate the plethora of risks associated with managing your data in today’s digital world.
For most companies, it simply isn’t possible - or desirable - to rely solely on an in-house security team to conduct all the testing exercises needed to provide the information security assurance your business requires. Building up and retaining such a team can be costly and time-consuming, and in reality it is often a better option to bring in an independent third party to help you plan, manage and deliver a successful testing programme.
So how do you go about choosing the right provider, aside from trusting your gut instinct and talking to others in the industry to assess their reputation?
Here are nine key factors that can help to guide your selection process.
Depending on your requirements, you should look for a team that has certifications including CREST (CPSA, CRT and CCT), PCI, and ISO 27001. The team available to you should be diverse, offering a range of cross-sector backgrounds, and they should be able to demonstrate their usage of the latest industry-leading tools and techniques. It’s worth checking that they can provide a holistic service, with the right expertise across a range of assurance, compliance and response services to guide your information security journey.
You can ask your potential provider about the experience of the specific team members who you will be working with. Do they have positive feedback, testimonials and references from clients that include the type of testing you require? Although a large amount of information surrounding information security projects is likely to be sensitive and therefore confidential, providers should be able to demonstrate their capabilities in an anonymised form and provide client recommendations.
You will obtain the best value from your information security provider if they are brand agnostic; in other words, they are not reliant on vendor partnerships and can therefore provide objective advice. This is crucial if they are to review and make valuable recommendations based on your needs, rather than recommending a restricted range of services that they resell.
What is the size of the team and will this meet your needs? You may need them to be flexible especially if they are to manage your peaks and troughs of activity, and provide quick turnaround times. What’s more, if you are looking for a company as a potential long-term information security partner, choose an organisation that can grow with the needs of your business. Does the organisation operate just in the UK or globally? Access to a wider pool of talented testers with global knowledge of the latest security trends could prove highly useful.
Does the provider use a proven testing methodology? Ask for a written overview of their process. In the case of penetration testing, does the team apply manual techniques alongside automation? Are they using a combination of commercial, non-commercial and in-house developed tools to ensure that testing is comprehensive? An automated vulnerability scan or assessment is not a true penetration test. Ensure your vendor can explain the difference between the two and demonstrate which is the most applicable based upon your specific needs. Finally – do you sense the provider is pragmatic and will match their recommendations to your budget?
Cyber security testing and consultancy is an intangible service, so high quality reporting is critical. Ask to see sample reports from similar projects they have delivered. A test report should not be a simple list of problems without prioritisation or remediation guidance. Reports need to be detailed and comprehensive yet clear, concise, actionable and - above all else - pragmatic. Check that they are specific to your solution or environment, and contain a detailed description of all identified issues, their possible ramifications, and recommendations to rectify them. Any issues raised should be categorised, with priorities and urgent actions clearly defined.
- Remediation work
Can the company provide ongoing recommendations and strategic guidance? For most organisations, a service provider who disappears off into the sunset after report delivery will not provide you with the greatest value. In our experience, most customers want to know that their testing partners can work with them through to the remediation phase of the project.
Relating to the points above, the ideal outsourced specialist is usually one that wants to become your information security partner – as opposed to delivering a one-off service – giving strategic guidance as well as tactical implementation. In practice, this means they should provide you with a team with sufficient depth of knowledge across a range of assurance, compliance and response services.
Maintaining the highest possible levels of information security requires keeping a constant eye on ever-evolving threats and on the technological developments to combat them. You need to be confident that your chosen partner’s skills and tools are continually reviewed and updated, and this relies on them demonstrating an ongoing commitment to research and development – an area in which every team member should invest time.