In information security consulting and especially in the area of bespoke penetration testing services, the fourth quarter tends to be a bit of a shit show for lack of a better term. It may have something to do with the nascent nature of information security budgeting processes, new managers, schedule pushes or all of these things and more combined. The truth of the matter is that a bunch of firms look for “emergency pen testing” in the fourth quarter and many consulting firms bend over backwards annually under the deluge of requests trying to grab as much business as possible.
At Anvil, we are working with our customers and attempting to have thoughtful conversations about their needs and requirements for the end of the year and the beginning of next year. As we look at September and what we have going on between now and the end of the calendar year, we are taking strides to understand what our current clients need and we are making adjustments which will allow us to appropriately handle a percentage of overflow (a buffer into which we are willing to comfortably bend).
Why “comfortably bend” rather than go for it and take as much business as possible? In line with our desire to provide our clients the best possible services and to do work that we find challenging and interesting, we do not want to overstretch. Overstretching would cause us to fail at providing the quality service that we want to provide and it would also fail our consultants and partners.
If you are a provider of penetration testing services, start talking to your clients right now and get your backup plans in place. Make sure you understand your bandwidth and the types of things you need to walk away from doing. Develop a list of partner firms that you can engage with or suggest to your own clients. This list should obviously be of firms that you feel would qualify to do the work as well as you would yourself.
If you are a purchaser of penetration testing services, know what type of firm you need; define your plans; and partner up with at least one firm to do your planning. Remember to have a backup plan and discuss this with your penetration testing partner. If they are unwilling to suggest other firms that can provide you with services, think seriously about finding a new partner that has your best security interests in mind and use this initial firm as your backup. Talk to your partner as early as possible so that they can plan together with you and make sure you get the best results possible. September is the time to be planning for tests that will need to get completed before the end of the year if possible. You know your organization so even sharing plans (under NDA of course) will help your partner with not being surprised at the coming work-load and to be able to give you options. And if you realize your partner is not giving you the service you deserve, find a new penetration testing partner.
In reality, what I am proposing is a short-term solution to making sure that your firm has appropriate plans in place to get quality penetration testing from a trusted partner within the context of what is happening today. What we, as an industry, will need to address eventually are the underlying issues that drive the Q4 madness. We will save that for another time.
About the Author
Chris Elbring is Managing Partner of Anvil Ventures. Prior to founding Anvil, Elbring worked as CEO and CTO of a startup security software development firm, President of a boutique, regional security consulting firm, an independent technology and security consultant, Director of Software Development of a mobile, biometric firm and most recently as Senior Vice President of Research and Delivery at IOActive, Inc.