20 for 2020: Prove It

(Information Security Program)

Originally from David’s LinkedIn:

Ch 20 of Tetra Defense’s #20for2020: “Prove it.”

Chapters 1-19 of the series were all about building an #informationsecurity program with the most structure & rigor possible. This final installment is about trying to tear that program apart.

#penetrationtesting is the simple idea that you pay a #hacker (one of the good ones) to do everything within their power (and the signed statement of work) to break into your systems. That might include your wireless networks, software that you’ve designed in-house, and even your building using lock picking & #socialengineering tactics.

It’s not uncommon for an organization to want to start with this step, and it’s easy to see why. If you’re just starting your #cybersecurity journey, you want to know what your current posture is, right?

That’s an admirable thought, but a pen test is the last thing you want to pay for in this case. If you’ve given no thought to your security, a good and honest pen tester can probably just tell you how they’d break in (and save you thousands of dollars and a bunch of time).

If you’re in the early stages, get a #riskassessment, not a penetration test. A pen test will tell you how someone might break in; a risk assessment will tell you what to improve and how to improve it.
