A lot of companies have penetration testing done on their technology assets. This is a great practice and validates the security policies and services in place. Normally a pen test team will complete its tests and then provide feedback on the improvements and remediations that need to be put in place. After the results are handed over, the IT generalist or IT manager is tasked with remediating the suggestions from the pen testing team. For mid-market and smaller organizations, this process has many problems.
1. Managing two vendors
Smaller organizations don't have the time, budget, or resources to manage two vendors for IT. Managing two vendors means two sets of meetings, two quotes to review, two sets of technology mindsets and approaches, and a lack of in-house skill to ensure quality service is delivered.
This disconnect between two separate vendors for technology security introduces a huge gap in efficiency and puts further strain on the budget. Most large organizations struggle with this dichotomy, and the problem only grows as you move down market.
2. Quality Assurance
A lot of the time a penetration testing team will perform the audit and then hand over the results. The next year, most of the remediations still have not been completed. If the remediation team were the penetration testing team, this would most likely not be the case. The operations team does not know the security world as well as the penetration testing team, so remediating is sometimes extremely difficult, if not impossible.
From an ethical standpoint, security best practice dictates separation of roles. In practice, the operational efficiency, the lower OPEX, and the assurance of completion from experts can mean the penetration testing team is the best option for remediation. As an industry, I believe this philosophy and practice will gain traction over time. Although not perfect, a remediated environment is the better option compared with an environment where known weaknesses are allowed to stay weak.
For more information please contact a Nexigen Security Engineer at firstname.lastname@example.org or review our security services at www.nexigen.com.