One of the things that concerns me about the direction of Information Security as a discipline is the focus on what I call "gee whiz security". This is the flashy, trendy stuff like new attacks and the marketing terms of the moment (which often are actually meaningful terms that marketing people misuse or misappropriate). It is good to stay on top of new developments, new attack vectors, new defense ideas, etc., but (for most of us who are employed by a company) our job is to provide solutions to solve these issues or provide suggestions on how to mitigate the risks associated with these threats.
If all you provide is a constant stream of risks and concerns without any meaningful solutions or ideas on how to manage a problem, your employer is likely going to have to look elsewhere. This is why, when folks ask me about penetration testing as a career choice, I advise them to consider a more balanced approach. You can find any number of people or companies that will tell you how bad things are, but what most enterprises want is someone who can find the problems and propose a solution or a plan to address them.
Some advice:
1) When proposing a penetration test, determine what your goal is. Maybe you are better off working with the internal audit or risk management team to understand the known issues and testing first to see if they have been resolved.
2) Use a standard methodology when doing any assessments. This should be adjusted to match the policies and standards of the site you are assessing.
3) Every problem or risk you identify should have a solution that matches the company's policies or standards.
It's always better to look at assessments as an opportunity to provide ideas and solutions rather than simply showing someone how broken things may be.
->Pierre