Security testing – how to choose the right provider
In our previous article, we discussed the rising importance of security testing, and in particular red teaming, to mitigate the plethora of risks associated with managing your data in today’s digital world.
For most companies, it simply isn’t possible – or desirable – to rely solely on an in-house security team to conduct all testing exercises to provide the information security assurance your business needs. Building up and retaining the team can be costly and time-consuming, and in reality it’s often a better option to bring in an independent third-party to help you plan, manage and deliver a successful testing program.
So how do you go about choosing the right provider, aside from trusting your gut instinct and talking to others in the industry to assess their reputation?
Here are nine key factors that can help to guide your selection process.
1. CREDENTIALS
Depending on your requirements, you should look for a team that holds certifications such as CREST (CPSA, CRT and CCT), PCI, and ISO 27001. The team available to you should be diverse, offering a range of cross-sector backgrounds, and should be able to demonstrate its use of the latest industry-leading tools and techniques. It’s worth checking that they can provide a holistic service, with the right expertise across assurance, compliance and response services to guide your information security journey.
“Any weak link in your security posture exposes you to immediate risk.”
2. EXPERIENCE
3. INDEPENDENCE
4. CAPACITY
5. APPROACH
Does the provider use a proven testing methodology? Ask for a written overview of their process. In the case of penetration testing, does the team rely on manual techniques as well as automation, rather than on automation alone? Are they using a combination of commercial, non-commercial and in-house developed tools to ensure that testing is comprehensive? An automated vulnerability scan or assessment is not a true penetration test. Ensure your vendor can explain the difference between the two and show which is the more applicable to your specific needs. Finally – do you sense the provider is pragmatic and will match their recommendations to your budget?
6. REPORTING
Cyber security testing and consultancy is an intangible service, so high-quality reporting is critical. Ask to see sample reports from similar projects. A test report should not be a simple list of problems without prioritisation or remediation guidance. Reports need to be detailed and comprehensive yet clear, concise, actionable and – above all else – pragmatic. Check that they are specific to your solution or environment, and contain a detailed description of every identified issue, its possible ramifications, and recommendations to rectify it. Any issues raised should be categorised, with priorities and urgent actions clearly defined.
7. REMEDIATION WORK
8. ATTITUDE
9. INNOVATION
Maintaining the highest possible levels of information security requires keeping a constant eye on ever-evolving threats and on the technological developments to combat them. You need to be confident that your chosen partner’s skills and tools are continually reviewed and updated, which relies on them demonstrating an ongoing commitment to research and development – an area into which every team member should invest time.