Why IT Staff Should Welcome a Penetration Test

Posted October 6, 2014 in InfoSec

We typically run into two types of IT personnel when conducting a Penetration Test. Most IT staff understand the need for our service and either requested it or at least welcome it. They look forward to working with us and seeing the test results and mitigation strategies. However, we occasionally run into IT staff members who are hesitant and worried that we are there to make them look bad or expose something they are doing wrong. This is not something they should be concerned about.

Our services are an independent audit, aimed at helping the IT department by giving a fresh perspective from a team specializing in information security. Just as a CFO doesn’t fret when their CPA firm combs through the books and suggests adjustments, IT staff should understand that an independent security assessment is a smart choice that will allow them to perform their job at the highest level. Our goal is always to work in concert with the IT staff. We make sure to point out all the things being done well and provide our unique expertise to show ways to be even more secure. We do not point fingers and assess blame; we provide expert advice and strategies.

There are three key points that will help you realize why an assessment is greatly beneficial:

  1. IT staff are pressured to make things functional and easy to use, goals that are diametrically opposed to security. Therefore, the IT staff is pressured to be insecure. We have no such pressures.
  2. It is extremely difficult to look at your own network with a fresh, outsider’s perspective, and thus to objectively analyze the security risks an attacker may see.
  3. We can often be the evidence you need to justify a budget increase. Seeing the results of not spending preventively on security measures is eye-opening.

When we have completed a Penetration Test, those IT departments that were hesitant to let us in see that the exercise was a worthy investment. So if you are one of those IT guys who is concerned about having a penetration test performed, don’t be. You will see in the end that we are an asset, not an enemy.

