When it comes to improving the IT security environment, pen-testing serves as a major tool to identify possible threats and vulnerabilities without an immediate negative impact on the business.
Ethical hackers, also known as white-hat hackers, are cybersecurity experts who use their skills to identify vulnerabilities in systems before malicious hackers can exploit them. Pen-tests are one of the tools used by ethical hackers to deliver valuable insights.
Not all companies have internal ethical hackers and require the engagement of an external team, having a complex task to find the right and trustful partner for pen-testing by ethical hackers.
Here’s the situation:
- You’ve decided to engage ethical hackers and let them execute pen-testing for certain use-cases
- Several external teams providing pen-testing services have been contacted
- You’ve got pen-testing offerings delivered and interviews with the providers have been completed
The questions now are:
- How to select the best suitable provider?
- What are the key driving reasons for a decision towards a certain provider?
- How to compare or measure those driving reasons?
Transparency
Transparency is the foundation of trust in any professional relationship, and ethical hacking is no exception. Ethical hackers must maintain clear communication with their clients, outlining the scope of their work, methodologies, and potential impacts.
Trust Indicator #1:
Is a potential partner explicitly describing in the offering how your data and systems will be handled? Is the description in compliance with your security policies and regulations?
Certification and credentials
Professional certifications play a vital role in establishing trust. You should prioritize offerings by teams having Certifications like Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), and Certified Information Systems Security Professional (CISSP) demonstrate that an ethical hacker has undergone rigorous training and possesses the necessary skills and knowledge. These credentials act as a testament to their expertise and commitment to ethical practices.
Trust Indicator #2:
Can a provider deliver confirmation of certifications available in its team? When were the certifications acquired and/or renewed?
Adherence to legal and ethical standards
Ethical hackers must operate within the boundaries of the law and adhere to strict ethical standards. This involves obtaining proper authorization before conducting any testing, respecting privacy, and avoiding any actions that could harm the organization or its stakeholders. A clear understanding and commitment to these standards are essential for maintaining trust.
Trust Indicator #3:
Is a potential partner explicitly describing in the offering how its team will handle legal requirements and data privacy topics? Is the description in compliance with your legal and compliance policies and regulations?
Confidentiality
Ethical hackers often have access to your sensitive information and critical systems. It is a vital requirement for your business that they protect this information and ensure it is not disclosed to unauthorized parties. Non-disclosure agreements (NDAs) and robust data protection measures can help reinforce the commitment to confidentiality.
Trust Indicator #4:
Is an NDA agreement included in the offering and its signing outlined as a mandatory prerequisite? Is the potential partner explicitly asking for any business specific information they have to carry out a special attention with during their engagement?
Professionalism and integrity
Professionalism, integrity, and a strong ethical compass are non-negotiable traits for any ethical hacker. They must consistently demonstrate honesty, reliability, and a dedication to doing what is right for their clients.
Trust Indicator #5:
Was a provider capable of delivering the documents or information as promised in time during the offer process? Have any issues come up in the offering process and did the provider communicate in an honest, proactive and open way to resolve them?
Pricing of offered pen-testing services
Last but not least the overall price for the offered pen-testing services has to be in the range of the industry standard. Cost is always a factor, but it should not be the primary deciding criterion. Compare pricing models and understand what is included in the cost. Consider the value provided in terms of:
- Depth and breadth of testing
- Quality of reports
- Expertise and experience
- Ongoing support and communication
Trust Indicator #6:
Is the offered overall price slightly below, in range of or slightly above the expected industry standard? Is the offering clearly outlining all the components causing all of the calculated costs?