Dear IT Teams: Why Penetration Tests Are Your Best Friends, Not Foes

Source: NSB Cyber


We’ve heard stories from IT teams about painful experiences with past pentests. System outages, little preparation time, unclear scopes and unexpected findings have left many IT teams disengaged from pentests in general. Another contributing factor is the feeling that pentest findings are a direct criticism of the IT team’s performance.

It’s hard not to empathise with their situation.

We believe pentests (and cybersecurity as a whole) should produce a genuine uplift in an organisation’s security maturity, not come at the expense of the teams that make that uplift possible. At the end of the day it is a collaborative effort: IT teams are the ones who actually remediate the security gaps a pentest uncovers.

With that in mind, here are three tips to help IT teams make pentests feel more like the productive exercise they should be, and less like pulling teeth!

#1 Pentests should be constructive and a positive conversation for IT teams

Having worked with organisations ranging from small businesses to large enterprises, we acknowledge that “IT” is a huge generalisation. It is hard to be a specialist in many different IT domains, let alone cybersecurity as well. Application development, infrastructure, network operations, cloud and general system administration are just a few that come to mind.

Therefore, IT teams should feel comfortable acknowledging when they need an independent pentest to make their organisation more secure. It is a positive step to say “we’ve deployed this shiny new application, but we need a specialist who can independently assess its security”. No one is perfect, and as cybersecurity professionals we don’t call ourselves experts in any other IT discipline either. But assuming that everything is perfectly secured is a dangerous position to take without the relevant training and experience.

Tip: If you’re worried about security gaps in any area you’re responsible for, be the one who raises those concerns proactively. It demonstrates that you’re thinking about security, and if major findings do crop up, you’ll be credited for making your organisation more secure rather than blamed for the gap. Additionally, have an open conversation with management about cybersecurity and about fostering a security-aware but blameless culture.

#2 Raise concerns before the pentest

One major concern we often hear is “our previous pentesters took down X critical systems, causing Y downtime to our business!”. Naturally, such experiences leave a sour taste in some IT teams’ mouths.

Any competent pentesting firm should give you the opportunity to outline areas of concern before the pentest starts. “What key systems are in scope, and are there any restrictions that should be placed on our testing?” is a standard question we ask during our onboarding process. Sometimes we’re asked to exclude specific systems altogether for business reasons. Concerns raised upfront by IT teams mean that we (as pentesters) can avoid unnecessary pain when we conduct the test.

Of course, you should look for ways to test a system before automatically excluding it from scope! Deploying a non-production copy, taking timely backups, agreeing a testing window, and ruling out specific techniques (denial-of-service testing or password brute-forcing that could lock out accounts, for example) usually make it possible to pentest the large majority of systems. A threat actor isn’t going to care that you excluded a system from your pentest when they’re about to conduct their own, unauthorised one!

Tip: Take backup snapshots of your key systems prior to the pentest, especially if they’re in production, and confirm that you can actually restore from them. This is an absolutely critical control regardless of whether a pentest is taking place. If you don’t have a backup and restore process that you’re confident in, then you should focus on that first.

#3 Respond to the pentest findings!

Sometimes IT teams are the last people to receive the findings of a pentest, and are shocked by the number of critical and high severity findings.

When pentesters rate their findings, they usually consider severity in the context of the system they are testing, typically with the Common Vulnerability Scoring System (CVSS). A CVSS base score describes the vulnerability in isolation: the pentester may not know the wider context around the system or what the organisation already knows, e.g. whether the finding is a known risk that is already being managed. Additionally, pentesters are often not privy to the business criticality of the system itself, or to the sensitivity of the data it holds, which is exactly the context CVSS’s environmental metrics exist to capture. This sometimes leads to disagreement between the pentesters and the organisation about a finding’s severity.

As such, IT teams should be part of the organisation’s “management response” to the pentest findings. Pentesters are human too (shock!) and should listen to reason when an organisation argues against a particular severity rating, while still exercising professional judgement where they believe their rating is justified.

Tip: Make use of the pentest debrief to have a healthy discussion about the findings! There is a lot of value in hearing both sides’ perspectives. If the pentester does not offer a debrief, absolutely request one.

Final words

Pentests should not be about proving “obvious security weaknesses” or making IT teams look bad. They should be about open-minded conversations on the findings, and about taking a constructive step forward in your security journey.

Ready to be supported by an experienced cybersecurity team? Let’s start the conversation - book a meeting with us today.
