internal/external security relationships
Posted on 2011-03-14
As either a security auditor or pen tester, or on the other hand an internal security admin – how does the pen tester / auditor / security pro, who is essentially brought in with a remit of auditing/testing your configurations and setup, win you over or form a decent relationship with you? The way I see it, independent 3rd party auditors / pen testers are essentially brought in to find faults/weaknesses in the operations and configuration of apps and infrastructure set up and managed by internal security teams. So there’s already going to be tension between the internal guy and the external tester, as the internal guy is going to get all defensive that the external guy is here just to pick faults with his network security and operations – in that case, how does the external 3rd party employee win him over, set his mind at ease and demonstrate his worth in conducting this test?
And also, why do internal senior management/directors insist on the independent 3rd party check/pen test? And when they book this 3rd party, how can they book it without offending/demoralising their internal security guys? At some point they have to say “internal guy A, we have booked company Z to do a thorough IT audit of our network”. To me, an internal guy could take offence, as it’s essentially getting these 3rd parties in to criticise my configurations and processes – especially if they have audit tools like Qualys / Nessus. How can management not offend the internal guy by bringing in the external tester? How can they portray the benefits of the independent check in a way that isn’t going to offend the internal guy, or make it seem like a witch hunt to find faults? You really don’t want this conflict or the risk of demoralising the internal guy, but at the same time an independent 3rd party check can possibly identify major risks that have been overlooked. It’s a tricky balancing act. I’ve seen comments from internal folk saying “we already run tools x, y and z ourselves, why do we need a 3rd party to come in and do the same?”.