Jake Williams · Apr 19, 2022 · 10:55 AM UTC

Jake Williams

Jake Williams @MalwareJake

19 Apr 2022

Hot take: if you're not going to action pentest results, don't waste your money on a penetration test. Spend that same budget and bring in security training for your system admins instead.

280

Hal Pomeranz · Apr 19, 2022 · 12:46 PM UTC

Hal Pomeranz · Apr 19, 2022 · 12:46 PM UTC

Hal Pomeranz @hal_pomeranz

19 Apr 2022

Replying to @MalwareJake

There’s a “pen test” checkbox on your compliance reports (excuse me, “third party security assessment”), not an “action” or “training” checkbox. What a world.

Apr 19, 2022 · 12:46 PM UTC

Michael Mimo 💽 · Apr 19, 2022 · 6:53 PM UTC

Michael Mimo 💽 @securitydevops

19 Apr 2022

Replying to @hal_pomeranz @MalwareJake

There is a training check box as well. ISO 27001 section 7.2 b) "Ensure that these persons are competent, on the basis of appropriate education, training, or experience." Once hired they need to continue training. Staff not trained in years is a nonconformity.