We just wrapped up another Making Money with Security Class, Level 1 – in Research Triangle Park, NC.  One of the topics we discussed centered around the requests we get from IT that just don’t make sense.  I shared some insights from a recent coaching session where we were working on closing some security assessment work.  The IT client was looking for a Pen Test to show their clients how secure they are.

This is a nice thought; however, a good pen tester should always get in! If your team is failing, they need more training or you need new SEs.  Let’s face it, if people are breaking into the Pentagon, they can get into your client too.  Our client didn’t really understand this concept and insisted we quote the pen test anyway.  When they saw the price, they didn’t like it – they wanted us to cut back.  “So what are you asking for?  Would you like us to sort of break in, but not really try?  Are you wanting us to pretend we are amateurs, not professionals, or maybe just try some of the easy things, but not the things a real hacker would try?  And then will you advertise to your clients that you are safe as long as only idiots try to break in?” 

None of this really makes sense simply because the client doesn’t understand.  By going back and working through some analogies – using the house examples from the House & the Cloud, they finally got it.  Now we are on course to assess their risk, giving the client what they need to show their clients that they’ve taken proper “due care” precautions.  Educating your clients may be the smartest thing you ever do.