Clients often ask whether they should keep the same penetration testing vendor each year or rotate. While we hate to see clients depart and pride ourselves on cultivating a partnership with them, we always give unbiased advice. Unfortunately, there is no simple answer; it depends on several factors. Read on for some of the pros and cons of switching penetration testing vendors, so you can choose what is suitable for your organization.

1. Pros to Rotating Penetration Testing Vendors

Rotating penetration testing vendors gives you a fresh perspective on your organization’s security. While penetration testing follows standard methodologies, it is also a subtle art. Each penetration tester and vendor has its own methodology, reporting style, and focus areas, and one vendor’s strengths may supplement another’s. This can give you an entirely new view of how your security is being measured. Rotating vendors lets you receive different advisory viewpoints, new toolsets, and testing against a “new adversary” who does not already know your environment.

2. Cons to Rotating Penetration Testing Vendors

However, rotating penetration testing vendors has some significant drawbacks. The most important is that clients lose the partnership knowledge gained from working closely with one security vendor. This can take many forms: unique reporting customizations, familiarity with your environment and areas of focus, or the overall cadence and working style you have settled into. You also often lose the trending of previous findings that lets you measure overall improvement. For example, we present comparisons from the previous test directly beside the current findings to show what has improved, what remains the same, and what is net new. Lastly, clients have shared horror stories of poor-quality work from security vendors, and if you are on a tight budget, one bad engagement may severely impact your security program for the year.

3. Conclusion

Several factors are in play when deciding whether to stay with or rotate penetration testing vendors. First, it is a risk-balancing act, much like the one you already perform with your security program. If you are happy with the quality of service you are getting, it is probably a good idea to stay. However, if you have extra budget, a mature security program, are unhappy with your current vendor, or simply want to see what is out there, rotating may make sense. At TCM Security, we curb these issues by rotating the tester each year while having the previous tester perform quality assurance on the findings report. This tandem approach generates a fresh perspective while retaining the partnership that we have seen deliver great results. Learn more about our internal and external penetration testing by visiting our website.

About TCM Security

TCM Security is a veteran-owned cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to individual students and corporate clients, including self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams so that candidates can prove job-ready skills to prospective employers.

Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com
