With all the benefits of having a pentester on your payroll, you probably would want to work with one immediately. But just as with hiring any type of staff, there are some things that you need to consider. Your first goal when selecting an ethical hacker to work for you is to figure out the size and scope of the project.
Different hackers have different skills, work in different programming languages, and have different expectations for a project. Outline your needs as much as possible before you start looking.
1. Check Certification
After you’ve ensured your pentesting team is familiar with each methodology, it’s important to check certification.
A university degree in information security, along with cybersecurity certifications that include continuing education in IT and coding, is a strong sign that your white-hat hacker has a solid foundation of technical knowledge.
You should also ask about any standard certificates they hold so you know exactly what you’re looking at, and ask which standards organizations your hackers belong to.
2. Ask about Their Tests
A good education is valuable, but having the right papers does not mean much if you’re not actively field testing. A good hacker is always researching and trying out the latest attack methods, pushing those boundaries even more than black hat hackers.
3. Ask about Their Plans
This is where knowledge of the project you’re expecting your hackers to tackle really comes in handy. It’s a good practice to make sure you yourself at least have a basic understanding of what is involved. After that, you will be able to ask the right questions and judge the answers given.
There are various schools of thought when it comes to penetration testing and ethical hacking, even among the same company. Questions you may want to ask include:
- Have you tested a similar company or organization in the past?
- Does your contract include protection for my network and hardware?
- What methodology would you recommend for my organization?
- What sort of liability insurance do you offer?
- How will you transmit my data?
- How long will you store my records?
- And always, always ask for references.
4. Get A Sample Report
Along with references and certification, you may want to test your white hat hacker’s ability with a sample report. Asking for a sample report is considered good practice; it helps you anticipate the kind of information you can expect, and any tweaks you may want to make as you go. A good penetration test report should include:
- An executive summary describing your security as it stands, and anything that requires immediate attention.
- A technical review, so you know exactly what tests were performed, and which systems were included.
- Detailed lists of all vulnerabilities, including any screenshots or tool outputs to add context, and recommendations for improvements that take into account your budget, maintenance, personnel and time.
A thorough sample report can help you clarify your ethical hacker’s methodology before you start. Having this preview gives you the chance to suggest changes to that methodology, which helps ensure you get what you need.
5. Ask About Options for Retesting
An ongoing relationship with a penetration testing firm helps your company stay protected long-term. Ask about options and pricing for retesting, so you can be sure your IT team has correctly implemented the recommendations proposed by your white hat hackers, and so you can be kept updated against future attacks.
6. Build a Relationship with Your Hacker Heroes
Because it’s so important to have a long-term relationship with talented ethical hackers to keep your business protected, pay attention to the way your pentesting company conducts business, before, during, and after testing.
Are they transparent and clear in their methods? Do the results match the promises the company made? Would you recommend the company to your network? It’s essential that you’re able to trust the third-party company with your sensitive data, or even your entire network.
When it comes to securing your company data, hiring a white hat hacker to test for weaknesses is the best way to stay up to date on the latest threats. Though you can hire a pentester who works freelance, your best option is to choose a pentesting vendor, which is more likely to be certified, to offer liability reports, and to hold a standard you can accurately measure against.
By asking the right questions and developing a relationship with the vendors, you’ll be able to keep your company protected against ongoing threats you don’t even know are there.