Penetration Testing Services Comparison: Ask the 3 Big Questions

January 14, 2022 Mike Smith

Before you compare companies offering penetration testing services for your organization, make sure you ask the 3 big questions first.

In the video below, Mike Smith lists the 3 big questions, and why you need to ask them (to yourselves), before you go shopping for vendors that can do penetration testing.

Want Mike’s recommendations on the best vendors to quote for penetration testing services? Click the button below, and ask him today.

Ask Mike

About Mike
Mike Smith is the Founder and President of AeroCom and has been helping companies with telecom and cloud services since 1999. He has been the recipient of numerous business telecommunications industry awards, and in 2011 he was honored as one of the top 40 business people in Orange County, CA, under 40 years old. You can also hear him as the host of the popular Information Technology podcast, ITsmiths with Mike Smith. Follow Mike on LinkedIn, Twitter or SpiceWorks.

Transcript

Your company is looking into doing some penetration testing. Well, before you start going and looking for a bunch of quotes on penetration testing, what I’d like to do is give you a few questions to ask about your company internally, before you start quoting a lot of service providers. So that’s why I made this video.

Shortcut

But before I get into it, let me just mention really quickly. If you want to know which penetration testing companies you should be quoting, reach out, contact me. Give me a call (714.593.0011), send me an email. This is what I do. I’m a broker for all the major cybersecurity service provider, penetration testing companies. And I know the differences between all of them.

So if you reach out to me, I can ask you a few questions and help you find the best vendors with the best reputations that’ll be a great fit for your company. And for our service, we don’t charge you a thing. So absolutely no reason not to reach out to me.

When you should do a penetration test

But back to the topic, penetration testing. So, you want to do penetration testing? Absolutely great.

One thing I should also tell you to do is watch my video on risk assessment. So looking at cybersecurity risk assessment, you want to know where penetration testing lies and what step that is in looking at your overall cybersecurity risk for your company. So watch that video as well.

But in the meantime, just regarding penetration testing, say you’re ready for penetration testing, you definitely want to find a service provider out there, a company that can do it for you. Three things you want to ask yourself.

Framework

Number one. What is the security, the cybersecurity framework that our company needs to follow? Do we need to follow NIST? Do we need to follow HIPAA? Do we need to be PCI compliant? What framework or frameworks typically does your company have to follow? Maybe if it doesn’t have to follow anything, at least follow one of them, like NIST or something like that. So that’s the first question you should ask. Because if you’re going to start penetration testing, you want to know what you have to protect for number one.

Why

Then the number two question you want to ask yourself is, what is motivating us to get a penetration test? Is it required for our insurance? It’s just a requirement? Does our company really want to know? Are they really concerned about cybersecurity, and they want to do a penetration test to really get more involved in cybersecurity, and really make sure your company is protected? Or maybe it’s just some type of check box.

Maybe you want to do business with another company that requires you to have a penetration test every once in a while. So knowing that answer is going to help you know which type of penetration testing you should be looking for.

For instance, if you’re just trying to check a box, you might want to go with a service provider that just offers automated penetration testing. That’s going to be the least expensive route, and it’s going to cover everything you would need to do in terms of checking a box. But it’s not going to be very thorough. It’s not going to be very hands-on. It’s going to be fairly inaccurate, but at least it’s going to check the box.

Now, if your company is honestly concerned about cybersecurity, you’re going to want to go with a company that uses certified ethical hackers who can maybe do white box versus gray box versus black box testing, all kinds of different stuff. But all in all, ask the question, “why are we looking at penetration testing?” And that will help you determine some things there.

Risk Tolerance

The last question you should ask yourself before looking at penetration testing vendors is, what is our risk tolerance? So once you’ve determined your framework that you’re using, once you know why you’re looking at penetration testing, what you want to determine is, what is our risk tolerance and where does it lie? Where are we willing to have an incident happen and it’s not that big of a deal? Or where can we absolutely not have an incident happen?

Or if we do have an incident happen, we can’t have a threat actor with 100 days of dwell time in that area of our company. We want a few minutes of dwell time, not hundreds of hours of dwell time. So figure out where your risks are.

Because with penetration testing, if you think about it, you can test all kinds of stuff. You can test physical security. You can test internet security. You can test servers. You can test users. You can test phishing. You can test all kinds of different stuff.

But the more things you add to that list, the more expensive the penetration testing gets. And if some of that stuff doesn’t even really matter to you guys, why do it? So definitely ask yourself what your risk tolerance is about the different areas of your business.

Want Mike’s recommendations?

I hope that was helpful. If you’d like to know which penetration testing companies your company should quote, there’s thousands of them out there.

Don’t start searching Google. You’re probably going to end up picking the wrong ones. Just reach out to me. Contact me, send me an email, give me a call (714.593.0011). I’m happy to help. I’ll ask you a few questions, help you narrow down what your requirements are. And I’ll give you some recommendations in terms of which vendors have the best reputation, are going to be the best fit for your company, based on those three questions and more, all kinds of good stuff.

So I’m a broker for all these major companies. This is what I do, and we don’t charge you anything for you to use our service. So I’ll make sure you get introduced to the right companies, the right people at those companies, and it doesn’t cost you a thing. So there’s absolutely no reason not to reach out and at least see what I have to say.

So if you like the video, don’t forget to hit the like button down below. And I will catch you on the next one.
