Most security testing (penetration testing, social engineering, web application penetration testing) requires the use of tools and techniques to simulate an actual attacker, determine what is vulnerable or can be compromised, and provide recommendations for remediation. It is typically considered a “best practice” to rotate security testing vendors at least every few years. We were recently asked about the pros and cons to vendor rotation, and this was the response from our cyber security team:
Pros: Possible benefits of vendor rotation
- Although currently it is not mandated by any compliance requirement that you rotate testing vendors, the SANS Institute issued a white paper on penetration testing that includes the recommendation to rotate firms (page 10, section 2.6).
- Some companies (including Foresite) use customized exploits that we have developed, and these proprietary exploits will vary from firm to firm. Rotation will provide additional findings against these exploits.
- Comparison of quality and value. These range widely from firm to firm, and you may find a different firm provides a more comprehensive test (such as human validation, instead of strictly relying on automated tools). The lowest quote may only give you what you paid for, and saving money is not worth it if the testing provides little to no value to meet your cyber security objectives.
Cons: Potential negatives of vendor rotation
- Once you find a firm that provides thorough testing and well-documented recommendations for improvements, you may not want to risk switching to another vendor and not receiving the same value from the testing.
- Skill levels of staff vary greatly. Some firms insist that testers have a combination of training and experience, others hire based on certifications alone, which may mean the tester relies heavily on the tools and may not be able to accurately validate the findings. When you find a great team that you trust and enjoy working with, it may be harder to find another that you have the same confidence in.
- Context and background knowledge from previous testing is lost if you rotate. But this can also be a plus as a new firm can come in without assumptions.
In the end, until you are under a mandate to rotate, this is a decision you will need to weigh carefully. Vetting an alternate vendor to use at least occasionally can provide another set of eyes without leaving the comfort of a firm you already have an established relationship with.