Not too long ago, while working at another company, I was subjected to a presentation by a paid speaker at our annual sales kickoff meeting. Since I was heavily focused on security consulting solutions for my client base, our leadership assumed that I would be thrilled by them including a keynote speaker who “specialized” in growing security consulting practices. Admittedly, I was intrigued, but it didn’t take long for my interest to turn into something else.
It quickly became clear that the message the speaker was there to deliver was not about how we could better help our clients reduce risk and be more secure, but instead that we should be using security assessments to drive product, maintenance and managed services revenues. Or in other words, using security assessments as a Trojan Horse to gain access to more of our clients’ budget spend. He even suggested it would be ideal to offer assessments for free, since the main goal was to secure the additional product, maintenance and managed services business that would flow from the assessment findings report.
I don’t want to suggest that my former company (or the speaker) were unethical or didn’t care about their clients, because I am certain that was never the case. There are many companies out there that offer security consulting, assessments and penetration testing that also sell products and managed services. What I will suggest is that objectivity is critical to maximizing the value of security assessments and penetration testing, when the goal of such initiatives is to identify/reduce risk while maximizing the effectiveness and efficiency of existing technology and resource investments.