When it comes to selecting a penetration testing provider, there are many points to take into account. What type of penetration test are you looking for? What is driving the need for a penetration test? Today we will explore some tips to help you in your penetration testing provider selection process.
Penetration Testing Provider Selection Tips
- Specific vs. Generic – Many companies offer penetration testing as an ancillary service to their core offerings. Other companies specialize only in penetration testing and information security. If you want the best results from the assessment, you may want someone whose core competency is penetration testing rather than someone who does it on the side among other IT services. Here at Triaxiom, we are an information security pure play and specialize in penetration testing.
- Credentials – When selecting a vendor, you should look at both the credentials of the company and the credentials of the engineer(s) who will be performing your assessment. Company certifications are broader and focus on the delivery, execution, methodology, and documentation aspects, while individual engineer credentials speak more to that person's skill set and expertise. Triaxiom is a certified CREST penetration testing company, a C3PAO, and a PCI QSA Company, and all of our engineers have a minimum of 5 years' experience in the industry and hold multiple relevant certifications.
- Partnership – As with most business-to-business relationships, a true partnership is key. With security, the team you are working with may come into contact with extremely sensitive information, may need to be contacted in the middle of the night, or may be consulted frequently following an engagement. Make sure that the vendor you select is trustworthy and someone you truly believe would be a long-term fit for your security program.
- Soft Skills – Remember that a penetration test has a technical aspect (the vulnerabilities found, remediation recommendations, etc.), but the engineers will also be responsible for communicating those results in the final reports and presentations to your organization and management. Ensure that your vendor and the engineer assigned to your project can get down in the weeds with your technical team, but can also bubble up important information to the executive and board levels.
Why Does It Matter?
Every organization has a different driver behind its penetration testing requirements. Whether yours is to meet compliance requirements, grow your security program, or improve your security posture, it is still important to select the penetration testing provider that is right for you. While it may not seem like a big deal at the start, organizations often wind up frustrated with issues during testing because of an inexperienced engineer, or they are left with nothing more than a vulnerability scan after paying for a full-blown penetration test. Reach out to us today if you are ready to discuss your next penetration test!