Steve Katz sat at his desk, reading an e-mail that he had hoped never to see. An outsider had access to the systems at his company. Katz, who was CISO at a large financial firm, would have to tell his boss. And that could be the start of something ugly.
The silver lining for Katz was this: The outsider was an ethical hacker Katz had hired to see if the company’s systems could be penetrated. While it wouldn’t be fun to deliver the news—“the guy had become a user of the system. He could’ve probably gotten access to critical applications,” Katz says—at least it was just a penetration test.
So while some CSOs may be grumbling about pen tests, it’s clear that others want them. As a consultant, Pfeil says pen testing occupies most of his time. “Pen tests were a valuable tool in my life as a CSO, and they still are,” he says. CISOs just need to apply these lessons to make sure they’re getting the value they should.