29 July, 2020

Should We Switch Vendors Annually?

Author: Kevin Johnson

Secure Ideas works with lots of different organizations in almost all verticals. One of the questions that comes up quite often is about switching penetration testing or consulting providers regularly. There are several reasons that people will refer to why this is what they do, from audit requirements to an official policy to wanting new perspectives. So let's look at the pros and cons of the switch.

Let's start by discussing the various reasons that switching is a good idea.

The main reason we hear for switching is that your policies or auditors require you to switch. This reason doesn't require a lot of discussion because it is a requirement. The only comment is that you should discuss with the auditor or the people in charge if it fits the goals your organization has. Keep in mind that it is often tied to the idea of job rotation. While this is a valid tie-in, make sure that you are working with the vendors to ensure that you are still building an ever-improving program.

Another reason is that you are unsatisfied with the current consulting team. While this is a good reason, and we would love to take over from the current provider, you should first ask yourself some questions. You need to understand why you are not happy with the results and see if working with the provider would fix the issue you are having. We often talk to people about their previous provider and find that often the problem is communication. If you can resolve this issue, you will get the benefits we discuss below by staying with the same firm.

Another reason people give for switching is to get new eyes on their systems. This idea is why we have multiple consultants working together on our tests. By working with a new team or consultant, the results may include vulnerabilities that were missed previously or systems that were not tested the same way before. If this reason is why you are looking to switch, then it is essential to work with your provider to ensure that the test is handled differently. Providing a list of findings or details about the previous tests performed is an excellent start at ensuring that the switch actually improves the testing results. You can also try to have the new testers discuss previous tests with your team and the former consultants.

The last reason we will discuss for changing vendors is to gain access to new skillsets or more expertise. As you work through your tests, especially as you embed them into your security program and SDLC, you may find that the current penetration testers' knowledge or expertise doesn't meet what you are needing. If so, switching providers is an excellent way to get access to the testing you require. As you work with the new organization, make sure that you outline what specific things you are looking for. This discussion will help you ensure that the right people are assigned to your testing.

Now that we have discussed the reasons to switch, we should talk about why staying with a current vendor is a good idea even if that isn't Secure Ideas. Working with the same penetration testing and consulting team helps you build a relationship with the team. This relationship allows your staff and our testers to find the best ways to work together. Established lines of communication and knowledge of the environment allow the test to become more efficient, which means the testing goes further than it would without those benefits. We can also build upon the previous tests and results to dig further into the systems or applications on subsequent tests.

So whether you switch vendors or stay with your current consulting partner, you must communicate with them exactly what you are looking to accomplish. As long as you work with your partner, the testing and consulting should exceed your expectations. And if you are looking for other companies we would recommend, check out the list.
