Is Penetration Testing and Vulnerability Assessment becoming a saturated market? Are companies open to outsourcing the services or would they prefer to build an in-house team?
Thank you!
There would always be a need to outsource this part. Not all companies would need it, but if, for example, you’re in fintech, then you definitely need a 3rd party to do pen testing against your system. That way, you can claim that a 3rd party has verified and certified your system secure.
However, if you do this without doing continuous testing yourself via your internal team, then the engagement with that vendor would be longer and more expensive.
For example, if you’ve never pen tested your own system and you bring in a vendor, then you would do a lot of bug fixing while that vendor’s meter is running (so to speak). But if you’ve already done your part, then it’s all formalities with the vendor.
Re outsourcing in general:
IMHO, I never close my doors to outsourcing. There would always be a time wherein you have a spike (months) of urgent and important work to be done but you can’t seem to justify hiring people for that because it’s just a “spike”. Then I’d outsource, regardless of whether it’s outsourcing the whole project or via staff augmentation. If you have an agile or lean setup, then staff augmentation may be the way to go (since it’s just like adding people to your existing team temporarily, or adding a totally new scrum team, but practice-wise, they all still follow your standards and procedures, and you still have total control and total agility). Finding a trusted vendor may be difficult though. You may need to go through a few before finding one that works for you. But once you do, maintain the relationship, because that would be a mutually fruitful relationship, even if you move to another company.
Very interesting. Thank you so much. Makes things so much easier.
Thank you! I just did. It is exactly what we do as well. Please do check ZinnoX.com
Thank you, Douglas, that sounds like a great strategy. May I ask what specifically you look for in vendors when you decide to outsource?
Here’s my general priority list. However, a failure in any of these probably negates a great score in the other categories.
1. Quality – Reliability of results, kept up to date with the latest threats
2. Price – This can be higher or lower in priority depending on the appetite of the organization
3. Reputation – Sometimes larger customers require that I use a vendor from a list of vendors they’ve approved beforehand.
4. Admin – Ease of use for adding users, adding locations, or navigating the interface.
5. Reporting Features – Readability of reports and limited noise
This is brilliant! Thank you so much, Douglas! It makes me so happy to know that we qualify and excel in each of the points in your checklist (except point number 3, Reputation. Being a start-up company, we are yet to gain some recognition in the global market. But we'll get there soon :) ) This has helped us immensely. Thank you.
Definitely! Different perspectives help cover a wider range of vulnerabilities.