Today we're launching a marketplace for penetration testers. It's not a simple marketplace like eBay. We've designed it according to the requirements we heard from enterprises. My goal is to make the best pen testers known to all. My personal odyssey on the subject is below, along with why I now embrace the security niche I once eschewed. I would love to hear your feedback.
Where I started
I've been a CISO for the last decade, and have headed up security at Symantec, Nuance, Fremont Bank and Pivotal Software. For many years I was NOT a fan of penetration testing by any means. The reason, which was shared by many of my peers, was that pen testing added little value a decade ago.
Penetration testing (pen testing) is where enterprises hire external third parties to use real-world offensive methodologies (now standardized ones) and tools to see what can be exploited. Many CISOs were not fans of the process because: 1) finding competent pen testers was time consuming and expensive; 2) most CISOs knew they had a lot of work to do before they could withstand a pen test, and would rather get vulnerability management, patching, inventory and encryption rolled out first; 3) much of the critical data was buried deep inside networks with no way in other than physical access or VPN, so CISOs assumed it was safe.
When the world changed
In the last four years, things changed. A lot. Cloud adoption went mainstream with the rise of Box, Dropbox, Office 365, Google Apps and AWS. In 2012, the FFIEC, which oversees most financial institutions, gave a vague thumbs-up to cloud computing. By 2014, billions of documents were in the cloud (leading to the rise of CASBs). By 2015, many CISOs were seeing DevOps take over their domain, and many privately admit they have no idea what DevOps does in their organization. Now, undeniably, critical data is in the cloud.
Externally, things changed too. People were finally held accountable for breaches: after Target was hacked, the CIO and CEO were fired. When Sony Pictures was hacked, the chairman was fired. Other 2015 breaches led to the resignations of the Ashley Madison CEO and the director of OPM. Boards now ask their CISO how likely they are to be breached in 2016.
The PCI Council embraced pen testing. It is now mandatory for PCI-DSS certification and FedRAMP. More will follow.
The problem today
Pen testing now makes sense, but problem (1) above is still a pain point in a highly fragmented penetration tester market. It is not easy to find competent and available pen testers who can write an actionable report at a reasonable price. The process takes hundreds of hours, and the lengthy due diligence is a key reason why pen testing is frustrating. The other option is to take the first answer a Google ad brings (the triumph of marketing).
How we propose solving it
Over the last six months we talked to several enterprises to gather requirements and ideas. The bottom line: build a marketplace with customer-based satisfaction scores. The requirements of such a marketplace would be:
To be useful, pen testing needs to evolve into something like an eBay marketplace. But evolve is the key word, as there are many layers of complexity. Create a penetration testing job today.
The logical process is:
Feedback and scoring from customers will reward responsive and talented pen testers, rather than those with the highest marketing budgets. We want to take the pain and frustration out of getting the right pen tester. Today we take the first step.