Pros and Cons

By John Moore  |  Posted 2007-03-09

Reinsurance firm Scottish Re wanted more control over penetration testing, so it took the work away from a consultant and brought the service in-house.

Jon Oltsik, senior analyst for information security at Enterprise Strategy Group, an I.T. industry analyst firm, says Scottish Re's inside move isn't unusual among bigger organizations.

"Large companies with strong security staff often do penetration testing in-house," he says. "If your staff has the skills, the fact that they know the landscape can streamline the penetration testing process and lower costs."

Core Security has a professional services division that will perform penetration tests on the client's behalf. But many customers are just interested in the company's software, Cassidy says.

In-house penetration testing has its drawbacks. An internal tester is steeped in the company's own security practices and assumptions. A consultant, by contrast, has no preconceptions about how the protective measures are supposed to work and can attack the network as a true outsider would. "It is difficult for an insider to forget everything he/she knows and act like a stranger," Oltsik says.

He adds that even large companies that do their own penetration testing usually hire a third party to conduct similar testing from time to time as a safeguard. That is not the case at Scottish Re: instead, the company's internal auditor conducts penetration tests independently of the I.T. security team.

Has in-house testing contributed to improved security at Scottish Re? "We are seeing fewer and fewer issues overall," Odiorne says. "The fact that we can test at any time, anytime we make a change, has been a big plus for our overall confidence in our security posture."

John writes the Contract Watch column and his own column for the Channel Insider.

John has covered the information-technology industry for 15 years, focusing on government issues, systems integrators, resellers and channel activities. Prior to working with Channel Insider, he was an editor at Smart Partner, and a department editor at Federal Computer Week, a newspaper covering federal information technology. At Federal Computer Week, John covered federal contractors and compiled the publication's annual ranking of the market's top 25 integrators. John also was a senior editor in the Washington, D.C., bureau of Computer Systems News.