We Need a Penetration Test! Ohhhk

Companies say it all the time, “We need to get a Penetration Test done”, ok but what’s the objective?

 

Often businesses may execute a Penetration Test but weren’t prepared to handle the remediation effort. That can cause issues to linger for months or years before being resolved. But, there is hope. I’ve seen and heard many Penetration Tester around the world claim they have identified the following with corporate clients (whether internal or external):

  • There is no plan in place for Information Security.
  • Poorly documented policies and procedures and poor communication of such documents with staff and critical third-parties.
  • No post exists for even an entry-level Cyber Security analyst
  • An IT manager had to request a Penetration Test to justify to senior management about the need for a security budget.
  • In the next cycle, hopefully, the following year, the same findings resurface, because no one cared to fix them.
  • The client is almost sure to be losing in the back-end 3-6% of their current profit due to Cyber Security incidents they don’t know to identify.
  • The tester gets paid and repeats the cycle next year, with minimal improvement to the security environment.
The following root causes are often identified by a Penetration Test, but they can be identified without one too:
  • Gaps in Security strategy,
  • Unclear Incident Response plan,
  • Weak Vulnerability Management
  • Lack of security staff!
The above often leads to the creation or a pileup of security issues.

The challenge

It’s usually difficult to communicate to people the benefits of changing their actions without the WHY being compelling and in their face, like, and sometimes it comes down to “you are at risk of dying if you don’t do this” type of compelling. Not just in the Security industry but even with people and their health. Especially in third-world countries where they often react slowly to the value of being proactive instead of reactive. It’s always nice to think that once the value of something is communicated, then it will be a priority but that’s not often the case. To me, a lot of persons are afraid to openly confront facts that they’re requirements just aren’t really a priority to their manager. But if you’re a manager don’t be one of those who demoralise staff, no one misses you on sick days, the company is too scared to let you go because you’ve have been employed for so long and are afraid of lawsuits, and in many cases, have secrets of previous unethical dealings by the company. So, they have management by the balls.

Do you work closely with someone who is in a decision-making position, poor at their job and demotivates staff? Well, that sucks for you, I hope things improve but don’t be afraid to try things to change your circumstances of no progress, like finding a better employer. #Sad

Start with the basics

A lot of companies should start with the basics to develop a good foundation and then build into all the hot topic services. Ensure the following are working together to support security:

  • Policies (IT Governance from senior management)
  • Procedures (A deliberate way of how things should be done)
  • People (Technical and non-technical staff who care and help administer security)
  • Technology (The hardware and software to implement all theoretical security mechanisms)

Those can all be guided by implementing a respected ISMS-Information Security Management System and tweak it as they go along, so it’s optimised for their business operations. I like the content of CIS Critical Security Controls even though they are not marketed as an ISMS, it’s action-packed with security controls and if followed will take a company to a reasonable defensive point. NIST-National Institute of Standards and Technology also has a Cyber Security Framework available to the public. If you google Cyber Security Frameworks, you’ll find lots of useful material.

The Struggle of Drastic Change

This is where it gets fuzzy and wild. Drastic change rarely comes without drastic action, and often companies start to prioritise security when they start to lose money. Whether through losing customers or trying to avoid losing customers. So, here’s the quick but painful list of options to motivate your senior management to care:

  • Emphasise the monetary value of a compromise
  • Focus on the influential decision-makers, the ones who care.
  • Preach, preach, preach, the value of Cyber Security to middle and senior management until they get annoyed and appreciate it.
  • Be creative and promote Cyber Security from different angles and perspectives and with some prayer, hope they will embrace it.

 

If your employer doesn’t care about Cyber Security, still talk to them about it. Also, remember to let your company’s communication culture guide you in how you go about advocating for change. Some leaders are mature and appreciate someone fighting for improvements, while weak leaders find it threatening to their power and status and might try to find a way to cause you further pain and suffering as an employee. Know when to move on from your struggle. If you’re likely to be reprimanded for speaking up, you should work for a better company. Cheers!