We are a security partner of choice for many of our customers, and we love building long-term relationships with our clients. We appreciate that every business has its unique operational challenges, its own priorities and its own threat environment. When we work closely with a client over the long term, we get to know what makes them tick and understand the nuances of their environment.
When we work with a customer to deliver penetration testing over a long term, we're able to bring extra benefits to the table. Here's an example:
Our customer, in the public sector, had a compliance obligation which required testing of their whole estate annually. Traditionally, this had been conducted via a large annual penetration test covering all systems, applications and networks. The outcome of the annual assessment was always a very large collection of penetration test reports – inevitably containing a huge number of different vulnerabilities and weaknesses that needed to be addressed across the estate.
The volume of remedial work dropped into the operational teams at one point in the year tended to be overwhelming; the teams who needed to work on mitigation and remediation were deluged with tickets and simply did not have the bandwidth to action all the fixes needed to resolve the problems. Inevitably, our customer's teams focused on the highest immediate priorities only, and were never able to make inroads to other lower-risk issues which were also important in the grand scheme of the customer's cyber security resilience.
We worked with our customer to refactor their annual testing to take account of this. Breaking down the penetration testing into discrete work packages with an individual monthly focus, we were able to get to a position where our customer's internal teams had a manageable monthly workload in relation to the penetration testing results, and were able to set time aside regularly for security-related tasks that previously might have been overtaken by BAU requirements.
Not only has this new approach eased the pressure on internal teams, it has also allowed us to provide extra assurance around critical areas such as endpoints and network segregation controls, which were too difficult to incorporate into the once-per-year penetration testing approach. It has also allowed us to build relationships with operational teams, and provided those operational teams with regular touchpoints with our information security consultants for ad hoc advice whilst we’re working with them. Because internal teams have been able to make inroads into remediation in a regular, scheduled way, they have also been able to address some of the more pervasive lower-risk issues during their working time.
Overall, working with our customer to change the way they run their penetration testing programme has resulted in more effective remediation of vulnerabilities, and better resilience, whilst simultaneously improving the experience of the customer’s internal operational teams.
We’re always looking for ways that we can adapt the way we work to make our customers more resilient.