A CISO approach to pentesting; why so many reports are never used

Fleur van Leusden


Pentesting can provide vital information to organisations about their security. However, many reports end up never being used, or not being used to their full potential. That is partly due to the pentesters and their writing skills, but in large part it is also attributable to CISOs' lack of guidance and involvement.

I am not a spokesperson for all CISOs, but I do have quite a bit of experience in the pentesting field as a CISO. As such, I would like to share my thoughts about how a CISO can lead the pentesting process as effectively as possible, as well as what I as a CISO like to see in my pentesting reports.

I will also highlight why some reports don't get used and why I think we struggle with this as much as we sometimes do.

I think this information is useful for pentesters and CISOs alike, because it shows both sides how the other one works and thinks.

Many pentesting reports are never followed up on, which is a shame, because a lot of hard work often goes into them.

In this talk I will try to explain why this happens and clarify how we can make some changes to the practice, reporting and follow-up to make pentests more effective.

I will also talk about some of the things that have gone wrong during pentests I've been involved in. Scoping is important y'all!

If you're interested in what managers generally think certain jargon means (what's a checksum?), come check out the talk and you'll find out ;).

P.S. I can't find where to edit my personal profile, but I'm currently no longer CISO for DIVD. Since the beginning of this year I've joined the Board instead.