A Cyber Rose by Any Other Name (might be an apricot)

Does it ever frustrate you to hear about a company that contracted for a ‘Penetration Test’ and received something completely different? I recently worked with a prospect who paid for a penetration test, and yet, when I reviewed the deliverable, what he really got was a fancy vulnerability scan. Now, there isn’t anything wrong with getting a vulnerability scan, as long as you aren’t paying very much for it, and you know what to do with the output.
However, in this prospect’s case, he paid a lot for a penetration test because that’s what he really needed, and in return received a substandard, mislabeled (and to my way of thinking, fraudulent) product. Sure, it came from a fancy cybersecurity company with lots of certifications but our guy didn’t know the difference.
Our industry is full of confusing terms, and often these terms are co-opted by marketers or salespeople and applied to things that look similar (to them) but have widely different meanings and value. Now, before I get flooded with responses about how many knowledgeable, high-integrity marketing or salespeople you know, I’m with you. I know a bunch too. My point is that our industry lacks real technical/objective specificity when we use terms to describe cybersecurity services.
For instance, wouldn’t it be nice for everyone (service providers and customers) to agree on the definition of a penetration test, an application penetration test and a vulnerability scan? That way, when a customer requests a quote for one of these services from multiple companies, we would all be providing the same type of service, with similar methods and outcomes. We could then differentiate on other things such as better process, quality guarantees, remediation services, etc. So, here’s a stab at defining the characteristics of three offerings (I’ve skipped other variants of penetration tests, including physical, social, WiFi, etc.):
Do you believe that there is consistency in the way that service providers label their offerings and provide customer value? Where do you think the greatest amount of education is required, at the service provider or consumer level?