By Greg Johnson, CEO Webcheck Security
Customer Experience, or “CX” as it is commonly called, is not often associated with penetration testing and other cyber services. In fact, penetration testing is such a technical field of study and execution that the two are rarely connected. Instead, the focus falls on the targets being tested and the nature of the application code base, REST API, or the Linux and Windows systems. These things are important, but they are not the only success factors in quality service delivery.
Competent testers, with sound methodology rooted in OWASP, ISECOM OSSTMM or NIST, are also important, but to use one of my favorite analogies, what good is a brilliant doctor if his callous and aloof nature prevents him from really helping you? The theories and knowledge floating around his mind must translate into treatment in a meaningful way – and so it is with penetration testing!
In building a world-class penetration testing company, I realized early on that for pen testing and other services to truly be successful, the customer experience matters. From project scoping and engagement, to project kickoff, execution and reporting, there is more to success than throwing a report over the wall with a few findings and saying, “thank you for your business!”
To underscore the point, I have observed how other organizations deliver their service. Some have very little concern for client deadlines and peculiarities, preferring that every engagement fit within a tidy box. One common service element in such organizations is the way the penetration test itself is delivered: the report is sent with very little explanation or assistance, and no offer of follow-up consultation. Further, when more information is required about how certain exploits were actually executed, the communication skills are often lacking.
Hence, I decided that in my organization, penetration testers would be hired only if they could talk, write and care. Further, they had to have an “affability quotient.” That means they are not only pleasant to talk to but proactively helpful, taking initiative to alert the client to other conclusions or concerns down the road. We go the extra mile to schedule conferences to discuss results and remediation advice.
In the scenario described above, you have the “physician” who is not only smart, but who cares and shares with the “patient” in a meaningful way. To facilitate the “Big CX” at Webcheck Security, we therefore built several key elements into our process with every test.
Step 0 – Hire people who can talk, write, and care.
Step 1 – Discover client drivers, objectives, compliances, and test peculiarities.
Step 2 – Make it easy to engage – sign and go, pay by credit card or ACH.
Step 3 – Kickoff the project well. Hold a logistics and kickoff call to properly coordinate.
Step 4 – During the test, provide updates and information, particularly for critical findings.
Step 5 – Write clearly, include screenshots, categorize findings, offer Executive Summary.
Step 6 – Include remediation testing.
Step 7 – Offer post-test consultation.
Each of these steps is important. Oddly enough, many companies offering penetration testing and other cyber services do not perform well in any of the steps outlined above. Those companies provide a certified engineer to test, but all bets are off on the other qualities, processes, and skills.
I am aware of a particular cyber assessment company whose client expressed frustration and dismay over a particular engagement. The contracted testers had indeed pivoted into a trusted network segment, but could not provide adequate details explaining how they did it. In that case, the testers were skilled, but not so adept at the communication part, rendering the result almost useless!
At the end of the day, the client wants to know where the holes are, how to fix them, and what to prevent – all of this in a timely fashion, delivered in an effective manner, by people who care about their success. Customer Experience matters in the delivery of cyber services!