Whether you’re in a small business or in a multi-million dollar company, you’d surely want to fortify and maintain your network’s physical and IP security by commissioning penetration testing. There may be a lot of pentest companies and professionals out there, but hiring one that suits your needs might not be as simple as it sounds.
Pentesting involves critical procedures such as giving these professionals permission to verify and test your existing and new systems, applications, safeguards, and networks, to confirm that they don’t provide unwarranted access to malicious third parties. Pentest companies and individuals, however, can range from helpful, thorough, and razor-sharp to negligent, irresponsible, and oversold.
With today’s hackers being more sophisticated than ever, hiring a company such as Alpine Security for penetration testing will be your best bet against these cyber criminals.
With that, here are 5 things you need to know before hiring professionals for penetration testing:
1. Communication skills
Having a pentest company with excellent communication skills is critical; they must be able to:
- Move easily between high-level concepts and technical discussion, depending on their audience.
- Demonstrate competency in communication, both spoken and written, since test results are only useful if they are well written and well understood.
- Produce high-quality reports and explanations of their findings in a detailed manner, at both non-technical and technical levels.
- Communicate the results at a non-technical level that business management can comprehend.
For example, if a pentester with advanced penetration testing training finds a serious technical exploit on your system, his or her report will be well explained and clearly outlined so that you can easily understand its importance.
2. Ethical hacking passion
Ethical hackers, like any other professionals, should be passionate about their work. If not, the results will be ineffective and inefficient.
When interviewing a candidate, ask what they do when they’re not on the job. Their answers will likely reflect how important penetration testing is to them. Passionate ones will also be personally driven to improve your network’s security.
3. Pentest experience
This job is hard to get into, since hardly any individual or company will accept a candidate without prior experience. Even so, there will always be individuals or companies posing as expert pentesters, which is where client references can be a good resource to check.
Once the references check out, ask whether they have previous administration experience and what their primary roles in penetration testing have been. Having these is a good sign of a legitimate candidate.
The thin line that separates a “great” pentester from a “good” one is situational awareness, which comes from a more profound knowledge of how networks and systems work, and that knowledge can only be gained from previous network and system administration experience.
4. Security community involvement
Have you ever heard about a hacker conference? Maybe you’ve seen one once or twice on the news or heard about them in passing, but these conferences and communities involve legitimate candidates who can protect your business from cyber-terrorists.
If you’re looking for solid candidates, you can also start by participating in local IT security chapters, or in development projects for open source security tools, such as OWASP projects or those hosted on GitHub.
Infosec community involvement allows employers to start building relationships with potential employees and to gain a better understanding of how a pentest works.
5. Company or individual reputation
Hiring a pentester can feel like handing the most dangerous person a blueprint of your company’s systems and networks and allowing them to exploit its weaknesses; this is why reputation is essential when hiring a pentester.
Look for pentesters who are associated with the InfoSec community and involved in conferences such as DEFCON, DerbyCon, and ShmooCon. Additionally, you can check their open source project contributions and blog articles. These clearly show their passion for and enjoyment of penetration testing.
However, experts say that pentesters with big egos may put their bragging rights ahead of your company’s security; this is why, when you’re looking for candidates, you shouldn’t always go for the most popular ones. A systematic and thorough penetration tester may deliver more efficient and effective results than a famous “stunt hacker.”
With all that said and done, use this article as a guide when hiring a professional penetration tester, as this is an essential part of any organization’s security plan. Whether you’re performing a pentest for the first time or on a planned maintenance schedule, it will surely increase the company’s awareness of, and defenses against, potential cybersecurity breaches.