Source for reasonable pen testing

HCHTech

I have a small client (5 employees) in a pretty-specialized industry that is starting to work with a big company (think Fortune 500) that everyone has heard of. They have the first draft of the working contract, and it has the following language:
  • Upon request by COMPANY, and at least once per year, CONTRACTOR must provide COMPANY an annually updated assurance report from an independent third-party auditor demonstrating compliance with the SECURITY STANDARD. The assurance report provided by CONTRACTOR may be: (i) a SOC II Type 2 audit report; (ii) an ISAE 3402 Type 2 report; or (iii) any other similar report agreed to by COMPANY in writing.
  • At least once per year, CONTRACTOR must have penetration tests performed on any IT SYSTEMS of CONTRACTOR GROUP which store, process, or transmit COMPANY DATA. CONTRACTOR hereby agrees to provide the results of the penetration test to COMPANY upon COMPANY’s written request.
Initial pokes at getting a SOC II audit and penetration testing have produced quotes in the $30K to $50K range, which as you might imagine has them reeling from sticker shock. This might just be something they have to swallow to work with such a large company, but maybe they are just asking the wrong companies for quotes.

Has anyone worked with a more-reasonable vendor to get these things for a client?
 
Have they considered going the route of responding, "We're happy to do this if you're happy to pay for it?"

If "THE COMPANY" requires this, then they are the ones who should be paying for it.
 
We use SOCSoter for our NIST/CMMC clients.
When the whole NIST/DFARS compliance stuff started coming out for those businesses that do work for the government, I figured the market would be taken advantage of by services such as this...with crazy high, jacked-up prices. I looked at a LOT of places that do this, and after a few years of waiting....found SOCSoter.

Read up on how they started up. And a comfort that it wasn't a company being propped up to be bought out by some big turd like Kaseya.


Mention me if you chat with 'em.
 
Have they considered going the route of responding, "We're happy to do this if you're happy to pay for it?"

If "THE COMPANY" requires this, then they are the ones who should be paying for it.

And the Fortune 500 company will rightly say that they are paying for it whenever they buy whatever product the local company provides. It’s the cost of doing business. You add markup to your product to offset those costs and leverage it over the terms of a contract.
 
I really don't care how one does this, but I'll be damned if I am going to pay for requirements someone else imposes. I don't need 'em, they do.

But if you build this into the contract, fine. But make sure whoever your contracts lawyer is makes sure your ass is covered if "the big boy" decides to bail.
 
I really don't care how one does this, but I'll be damned if I am going to pay for requirements someone else imposes. I don't need 'em, they do.

But if you build this into the contract, fine. But make sure whoever your contracts lawyer is makes sure your ass is covered if "the big boy" decides to bail.

Yep, and any contract the big boy provides will give them the out and not you...
 
Yeah, that's the thing. If you are David (my little client) and they are Goliath (in this case Shell Oil), your choices are 'Do what they want' or 'Don't do business with them'. I've heard more horror stories than I care to remember about the downsides of doing business with a giant when you're the little guy.

Here's one: I have a single-employee event planner that does primarily corporate events. She does a couple million in business every year, so it's not a still-wet-behind-the-ears wedding planner we're talking about. She landed a gig with Johnson & Johnson doing a dozen big events a year all over the country. They ROUTINELY pay her invoices in 120 days, sometimes longer. They hang her out to dry when something beyond her control goes south. She has fired them twice in the time I have known her, and they come back and convince her to sign up again by prepaying for stuff, then go right back to the normal 120-day schedule for future invoices. I can't believe she continues to work with them, but I guess in the end they pay her a lot of money. She told me she has a $1M credit line and needs every penny to keep them as a client. Yikes.
 
Companies that do this to get work with/partner with bigger companies have to treat this like a gym membership, or say, licensing...in order to do business with them. Yes, they have to "buy in" to do this work for the big company.

We have a few small businesses (under 5 people) that do work for the government. No...not "designing nukes" or anything top secret. One company provides cleaning supplies for the US Navy Base in Groton, CT. Yup..they sell mops, brooms, DEP floor cleaner, soap, etc...to the Navy Base. Yet...they had to get set up under NIST 800-171/DFARS compliance a few years ago..and we helped. So they went from an annual IT budget of a few thousand a year, to....like $20k/year..for the testing, SIEM on their network and in their 365 cloud, etc. Pretty big change in IT budget! BUT..their whole purpose as a business was supplying the Navy base with cleaning supplies...so it was either quit, or...pay it. So they chose to continue to do good business. Heck, they're doing pretty good...I've seen the owner's house and what they drive.

Another client of ours makes submarine simulation trainers for the Navy. Like 3/4 scale conning towers..wrap-around big screens, to train upcoming sub captains. Think of it like a giant Microsoft Flight Simulator, but instead of in the cockpit of a plane, it's standing in a nearly full-size conning tower and having wrap-around 360° views of various harbors leading to Navy Bases all over the world. And they build some other metal fabricated parts for the Navy, but nothing top secret, or even something you'd think is CUI. Steel ladders for docks, etc. He's also a business of just 5...and his IT budget went way crazy when he had to start doing NIST compliance (pretty soon CMMC..even more crazy tight). BUT...if he wants to keep doing this (and he DOES enjoy his job)...that's the price to remain in the game. He's one of the clients we have SOCSoter SIEM services with..and did preliminary scoring.

I kinda don't blame the gov't for kicking in these rules. Heck..just look at how many businesses that take your credit card aren't even remotely concerned about your credit card information. Most scoff at PCI compliance. How about if you hand someone your driver's license and they walk away for a minute. Or your SS#. No wonder there is so much identity theft.
 
I look at it as a business decision. If you want to get into certain sectors you have to play by the rules, and that includes paying for the proper tools and services. So it just becomes an issue of how to make sure you get covered for those "special" things.
 
Most scoff at PCI compliance.

I certainly did. It was a case of expecting Fort Knox security for tiny mom n' pop businesses.

Simple care with a card, and using the equipment supplied by your processor, is security enough. The days of knuckle busters with carbon copies, terminals that held charges until batch processing at the end of the day, and the like are long gone.

Square is considered PCI compliant, and unless the operator is themselves a thief, recording numbers, there's nothing one can do other than swipe and hand the card back. No data is held at the vendor end and the transaction is completed and authorized usually before the credit card is handed back to its rightful owner.

I only wish that everyone actually checked the back of the card to see if it's signed before accepting it, and then looked at the signature on the receipt before handing it back. That would go a lot further in cutting fraud than virtually anything in PCI compliance does.
 