By Michael Gianarakis, Senior Security Consultant
Originally published: http://eightbit.io/post/56489111073/the-information-security-vacuum
Many penetration testers and information security consultants complain when a client just accepts the risk of an issue or doesn’t provide adequate support to the security team. I often hear “the business doesn’t get security” and that “security risk is a business risk, they should pay more attention”.
Unfortunately, what I don’t see is penetration testers and security consultants actively trying to understand business in order to truly understand, and more importantly, articulate the security risk. I’m not talking about “the business” of a client but rather business in general. In fact I often encounter disdain for the very notion of devoting any time or thought to understanding business and risk concepts.
If you fall into this group as a penetration tester, then I am of the opinion that you are nothing more than an automated scanner with fewer false positives, and your days are likely numbered.
I’m not suggesting that as a penetration tester you should go out and get an MBA. You don’t need to become an expert in every industry that your clients operate in. What’s needed is a more thorough, nuanced view of information security issues through the lens of business risk. Penetration testers need to know how the risk of a security issue is affected by factors such as market forces within the industry, regulatory and reporting obligations, risk management practices, project governance processes, corporate finance and management accounting.
Security does not operate in a vacuum.
Many people seem to think it doesn’t matter. That they should be concerned only with technical risk (“hey, this XSS bug allows me to steal your session”) and that the business context is irrelevant or not their concern. In some cases, at certain organisations, this may be true, but most of the time clients are looking for how the technical risk connects to their business.
A valuable security consultant will make that connection for them.