If you are a security professional, you may have heard your executives say that their data is too sensitive for a penetration tester to read. If you're a consultant, this may be an objection you've heard from your customers.
I was very surprised the first time I heard it, because the argument doesn't hold water if you think it through. Your counterpart acknowledges two facts:
- The data is highly sensitive.
- There is a chance that a penetration tester could successfully access the data without authorization.
Let me translate that:
- The business would be in trouble if this data were breached.
- Your counterpart is not certain that the data is secure.
Essentially, your counterpart has just given you the strongest possible argument for conducting a security assessment as soon as possible. Also consider this: even if a penetration tester gets in and reaches the data, at least it's someone you've had a chance to vet, who is bound by the engagement's rules and non-disclosure terms, and who is on your side. If you don't do a penetration test, the attacker who eventually finds the same path will most likely not be as kind to you.
Have you heard similar arguments from your business or customers? Have you found a good way to defuse them? Please let us know in the comments section below.