The new normal? What does that mean? I think in our case, it might mean replacing the way we used to always do it: time-intensive, very costly and certainly not ‘real-time’. Real-time, now that always sounds interesting in the context of security.
ISO 27001 information security certification has been the de facto standard (excuse the pun) for quite a while now. We embarked on our journey around 2014, becoming fully certified a year later. Now, I might add, there are many orders in which you might tackle the process of implementing the framework, whether risk-based or process-based; it depends on which side of the fence you sit. But whatever way you complete the various tasks involved, penetration testing is often one of those shivering ‘what ifs’ that turn the heads of doubt.
It generates so many questions: what on earth should we test? Applications, IPs, office network, servers? Business-critical applications, custom built and hosted? Everything? What if we miss something?
Then there are the pen testing companies, the quotations which lead to the technical forms to fill out; how much info should we give? And that’s before you receive a quote! And can we trust them?
Once you get back your report, do you have the team to fix the vulnerabilities? More time, or more cost. “We just need to get on with our business, this is way too much hassle,” I hear you say. “Maybe this 27k thing is not for us, it’s just too hard.” I’ve heard that many times from companies that have had a go. Even IT companies, go figure.
Don’t get me wrong, we didn’t find it easy. We had some help, we took some advice, and I also took a lead auditor certification. This was the only way (for me) to gain insight into this brand new world of ‘unknowns’. A ‘black box’, as I like to call it.
The insights I gained were well worth the effort. There are many ‘aha’ moments, as things start to fit together and you realise that the thing you thought was going to cause you a massive headache really wasn’t that big a deal.
Penetration testing can be one of those. There are a few areas you are expected to test and monitor, and we always thought each of these had to be a very separate challenge, each requiring its own report and evidence. They certainly appear in separate policies and procedures, from encryption, server and network management to security incident and vulnerability policies and procedures.
Like many things in business, technology has taken forever to actually do things better than the ‘old way’, which was often time intensive, but it always worked! So why change?
I’ve noticed a few things that have finally taken hold after switching, and your reflection is the classic “how did we cope before?”.
The right penetration testing partner has been one of those. The difference in cost versus value has been almost profound. And when I say partner, I mean the right mixture of automated, hands-free software that lets you know when something actually needs your attention, and the right amount of human interaction, because humans CAN cost a lot of time and resources.
Now, to say I’m happy is an understatement. We can now tick so many boxes easily and without hassle, and the company and our clients benefit from knowing that what we do is now becoming ‘industry best practice’, or the new normal.