What I Have Learned - Part 6 PenTest Misalignment

Something that I learned in my time as a consultant is that I didn't always understand or agree with business decisions. I had to learn how to step outside of my security engineer world and look at things from different perspectives in order to be an effective consultant.

A great example of this is Penetration Testing. If you are on the security team of a company and either engaged in performing penetration tests or hiring 3rd parties to do them, you might think that the goal is something like:

"Find and fix as many serious vulnerabilities in the product or environment as possible"

However, the executive team's goal might be something like:

"We want a lot of quick and frequent tests that don't find much so that we can meet compliance requirements as cheaply as possible and use these results as a part of our sales strategy."

This might be very hard to accept if you are a security professional who wants to do "real" security, but it's important to look at reality objectively. In many more organizations than you might imagine, maximizing revenue and minimizing expense in the short term is a much higher priority than doing things "right" from a security or engineering perspective.

You might argue that this damages long term prospects, and I would generally agree, but this might be understood and accepted as a part of the strategy. If the strategy is to ramp up fast, generate rapid revenue, and then get acquired, then it might make sense to do the minimum in certain areas.

The Takeaway

It's up to you to decide if you want to align yourself with the executive team's goals in order for the company to be successful in the context of the set strategy, or if you want to try to convince them to modify their strategy. Many executive teams that I've dealt with are not honest about this, even with themselves, and it's not hard to see why.

It feels good to say you want your company to have the best security posture possible and to hire a team who has that as their goal, but in the end I think it's better to be honest up front about what you really want and care about. This helps ensure your team knows what they are signing up for and stays in alignment.

It might also make sense in some cases for you as a security practitioner to move to a different organization that is more in alignment with your values, and it's helpful to be able to do this with objective acceptance rather than anger and resentment.

Thanks for listening,