Every organization that comes to us for penetration testing is driven by different motives. Our clients come from a variety of industries and range from enterprise-level organizations down to start-ups that need testing to receive funding. Many would assume that an organization with web and mobile applications gets security testing because it wants an ultra-secure application, but most organizations have limited resources, and the decision can often come down to making payroll or getting a pentest.
So what drives an organization's decision to secure a penetration test? At the top of the list are those organizations that are legally required to have their applications and networks tested. These are the financial institutions, healthcare providers, and government agencies. Those that must, will.
There are also companies whose clients require them to get testing done; if they don't, they will either be in breach of their contract or will not receive that client's business. Their clients are either security conscious because of internal policies that their leadership has put in place or, more likely, they fall into the previous scenario of needing to adhere to government regulations and standards such as DFARS, NIST, or HIPAA. Similarly, organizations are often required by their investors and venture capital firms to get testing done to keep the funds rolling in. In both cases, they have to get testing done for business to continue.
Other organizations aren't forced to get testing done by their clients, investors, or the government but are driven by other reasons that simply make good business or organizational sense. Many organizations are simply security focused and value security highly. These are groups that could be severely damaged by a security breach if it were to occur or become public, that pitch their secure posture as a selling point, or that simply want the assurance and peace of mind that their offering or tool is free of critical vulnerabilities. These are all great reasons to get testing done, and these are some of our favorite clients to work with because of their commitment to security and their desire to create a security-conscious culture within their organization.
Many, but not all, of these organizations have internal security teams that run both automated and manual tests constantly, but they turn to us because they want an outside perspective on their applications and networks or are required to have third-party validation. We have clients from all sectors, with different challenges of varying complexity and different needs. Because our testers have seen so many different vulnerabilities and holes in the tests they have completed, our clients find that a test from us often reveals vulnerabilities and security issues that hadn't yet been identified. Just as an author relies on proofreaders and editors to ensure their latest publication is free from errors and mistakes, organizations come to us to review their source code and double-check for cross-site scripting, security misconfigurations, and other known vulnerabilities. With many companies shipping new releases daily or weekly, it is nice to have an outside set of eyes give a review.
Using a security consulting company like Caliber Security Partners can actually save companies money as well! Some groups can't afford an internal team, and for them it makes more sense to outsource their security testing and initiatives to us. Paying a salary and benefits to just one security engineer could cost anywhere from two to five times more than having their applications tested periodically by us. Not only do they save money, but they also receive the technical expertise of a firm that performs hundreds of tests per year. This also adds flexibility, which is extremely valuable because testing needs often aren't consistent and hiring a full-time tester can be impractical. Why pay a security engineer to test occasionally but have them spend the bulk of their time doing system administration?
Customers also come to us when they need a push for an upcoming release, or to get an application out sooner, and their current staff doesn't have the capacity to perform all the testing needed for the release to come out on time. Sometimes organizations severely underestimate the testing needed and turn to us to augment their staff. A typical security staff augmentation engagement runs for around three months but can often continue for years. It makes more sense for a company to turn to us for these short-term needs because they don't have time to recruit, interview, negotiate, wait two weeks for the new hire to leave their current job, train them, and get them up to speed and familiar with the project, which would be all but complete by the time they got to testing. Instead, they can come to us for one of our consultants and have someone on the project as quickly as they would like. The flexibility to adjust as needs ebb and flow is very valuable, and we understand that need.
In summary, the reasons that organizations come to us are generally driven by:
Government mandates and regulatory compliance
Client requirements and assurances
Investor and venture capital demands
Organizational security decisions and initiatives
Third-party perspective and review
Have a need for security testing? Email us at firstname.lastname@example.org or fill out a contact form on our contact us page. We would love to talk about your security needs and issues and partner with you to help solve whatever security problems your organization is facing.