Last updated at Tue, 25 Jul 2017 18:03:09 GMT

If you are a security professional, you may have heard your executives say that their data is too sensitive for a penetration tester to read. If you're a consultant, this may be an objection you've heard from your customers.

I was very surprised the first time I heard it, because the argument doesn't hold water up if you think it through. Your counterpart acknowledges two facts:

  1. The data is highly sensitive.
  2. There is a chance that a penetration tester could successfully access the data without authorization.

Let me translate that:

  1. The business would be in trouble if this data were breached.
  2. Your counterpart is not certain that the data is secure.

Essentially, your counterpart just gave you the best argument they could to conduct a security assessment as soon as possible. Also consider this: Even if a penetration tester gets in and gets access to the data, at least it's someone you've had a chance to vet and who's on your side. If you don't do a penetration test, the attacker will most likely not be as kind to you.

Have you heard similar arguments from your business or customers? Have you found a good way to defuse them? Please let us know in the comments section below. (Commenting requires you to be logged in. Register for a free account if you don't already have one.)