internal/external security relationships

As either a security auditor or pen tester, or on the other hand an internal security admin – how does the pen tester / auditor / security pro who is essentially brought in with a remit of auditing/testing your configurations and setup win you over or form a decent relationship with you? The way I see it, independent 3rd party auditors / pen testers are essentially brought in to find faults/weaknesses in the operations and configuration of apps and infrastructure set up and managed by internal security teams. So there's already going to be tension between the internal guy and the external tester, as the internal guy is going to get all defensive that the external guy is here to just pick faults with his network security and operations – in that case how does the external 3rd party employee win him over, set his mind at ease and demonstrate his worth in conducting this test?

And also, why do internal senior management/directors insist on the independent 3rd party check/pen test? And when they book this 3rd party, how can they book it without offending their internal security guys or demoralising them? At some point they have to say "internal guy A, we have booked company Z to do a thorough IT audit of our network". To me, an internal guy could take offence, as it's essentially getting these 3rd parties in to criticise my configurations and processes – especially if they have audit tools like Qualys / Nessus. How can management avoid offending the internal guy by bringing in the external tester? How can they portray the benefits of the independent check in a way that isn't going to offend the internal guy, or make it seem like a witch hunt to find faults? You really don't want this conflict or the risk of demoralising the internal guy, but at the same time an independent 3rd party check can possibly identify major risks that have been overlooked. It's a tricky balancing act. I've seen comments from internal folk saying "we already run tools x, y and z ourselves, why do we need a 3rd party to come in and do the same".
Dave Howe (Software and Hardware Engineer) commented:
Well, here is an idea.

You could break it to them that "we are looking to get certified in $FOO". Doesn't matter if you are in fact looking to get certified in $FOO, or even $BAR, it just matters that $FOO has an audit requirement of your security posture.  If they ask why $FOO, tell them that Sales say they are losing opportunities due to the lack.  If you can be vague and just say "a security certification" that works too.

Then, ask them what they would need to be ready for a relatively hostile audit for $FOO, and if they think we would pass it - tell them you have faith in them, but they need to be honest about this as you can't go back to senior management and say you are ready, if you are not. Tell them to think on that for a couple of days, and get back to you.

Finally, tell them you have decided the best bet is to get a non-hostile audit done by a firm of your own choosing, so that you can be prepared for the hostile audit and have a counter-argument to senior management if anything comes up that you weren't expecting in the audit. At this point, the auditors you WANT are on "their team" and are there to help them prepare for the "other auditors". Once you have the audit, you can cite budgetary constraints - or go to management and suggest that, as you are apparently ready for $FOO, it's worth looking into how much it would cost to get certified so you can put that on future tenders and stuff... Suggest a cost/benefit analysis on it, any benefit to sales to have the cert as opposed to the ongoing cost of obtaining and maintaining it.
Dave Howe (Software and Hardware Engineer) commented:
Ok, three points really.

One, if the external entity *is* only running automated tools, then don't pay them. You can do the same as easily and much more cheaply. With an external audit, you are paying for skill above and beyond just running off-the-shelf software (note however that it can be hard to tell sometimes. I have seen leading-edge pentesters come in and run Nessus; however, that is both just the first step (why re-invent the wheel if there is an acceptable tool already) *and*, as it is a framework, the modules in *his* Nessus look nothing like the ones you would download for free).

Second, a fresh pair of eyes is always a good idea - you are familiar and comfortable with your system, and may not see things that a third party scan would pick up. You can of course address this in-house (have someone not usually on a team audit that team) if your staff is big enough, but in many cases it's not practical, and getting a third party in for a pinch-hit is.

Third, often compliance requires a third party audit and paperwork to prove you pass the tests - in such cases, you should be testing heavily yourself, as the audit isn't cheap and you want to pass first time. You can either approach this in a hostile fashion (we want the cert, we don't want more work) or a constructive one (you want to not only get the cert, but use the process to find any holes in your defenses, given it's money committed that we won't get back anyhow).

But any competent internal security team should see the audit as an additional tool they can run - the required staff resource is, if anything, minimal, and the results can be used to either fix problems or justify more budget. Sadly, often such audits report directly to board level, who then use the report to nit-pick and second guess the security posture - I have had some insane results reported from management-selected 3rd parties ("vulnerability! - dmz hosted webserver HAS PORT 80 OPEN FROM WEB!!!" in large red print), but usually you just have to go through the generated report and mark why a "vulnerability" is actually behaviour as designed, and let the board member go back to the scanner and ask why they couldn't have figured that out themselves...
pma111 (Author) commented:
Great points Dave, much appreciated.
pma111 (Author) commented:
Just wondered, in the case you were senior management/director, and had to go inform the security team there's a 3rd party coming in in 2 weeks to test/pen test the security controls and operations of the IT environment - how (tactically) would you go about breaking the news to them and answer back any "why are we paying 3rd parties to do the same stuff we do on a daily basis" type questions from the security team? I just worry about morale when it comes to security teams, in that it could appear to them that their manager/director doesn't trust their security configs and operations, so they've asked in a 3rd party who does know - it's quite a delicate matter.