The Situation

Penetration testing activities in the organisation were particularly painful. Projects often didn't have budget for them, planning and scheduling involved many different teams, and during the activity itself it was often found that pre-requisites weren't in place, so the full scope of the planned testing was frequently not performed. This often led to Senior Managers and the CISO being drawn into escalations with Senior Managers from other areas, a last-minute rush to get things fixed, and/or the CISO asking to delay launch until testing could be performed.

The Task

I was given the task of improving the business experience of this highly visible process throughout the organisation, identifying its constraints and bottlenecks, and producing a plan to improve on them.

The Action / Approach

The main thing I wanted to understand was the lack-of-budget issue and its causes. Organisations have internal budget processes in which security often isn't represented, and this could have been contributing to it.

I then needed to find the closest thing to process documentation that could be identified. The last challenge was getting data to support any findings: these activities were mostly managed through email, so I had to find a way to base my assessment less on opinion and more on hard data (or as factual as I could get) using custom-built questionnaires. This included documentation review and interviews with Project Managers, the Security team and other relevant stakeholders.

- Accelerate the delivery of outcomes, documents and plans
- Identify opportunities to reduce spend and introduce opportunities and efficiencies
- Provide confidence in the quality and relevance of work and people

The Result

I identified that a lack of presence in the IT budgeting process was part of the reason budget wasn't available, so I introduced a T-shirt-sizing estimate for security testing into the IT budgeting process, together with an allocation of emergency budget to deal with in-flight projects that hadn't been considered.

Scoping agreement and waiting for Project Managers to raise the actual Purchase Orders were, combined, taking 3.5 months on average, which added severe delays to the whole process. That, together with a lack of accountability for pre-requisites and pre-validation before commencing activity, was the main challenge leading to frustration and Senior Management involvement.

Value was delivered by:
- Enhanced Reputation with Peers
- Better Asset Utilisation and Reduced Waste
- Average end-to-end time for a penetration test was 113.5 days and had been reduced to 90 days by the time I left, with further improvements expected
- Better realisation of scoped activities, equating to value for money

Pains relieved included:
- Lack of Credibility with peers
- Lack of Strategic Alignment across Business
- Lack of Budget
- Attrition between Senior Managers

Focus In On: Responsible for Cyber Security / CISO

New Areas of Value:
- Enhanced Reputation with Peers
- Better Asset Utilisation & Reduced Waste

Improvements around:
- Lack of Credibility with peers
- Lack of Strategic Alignment across Business
- Lack of visible value with peers
- Lack of Budget
