A number of listings we found also sought someone who can develop automation processes for troubleshooting and maintaining production systems and admin functions.
“The focus now is on development efficiency through automation,” says David Linthicum, senior VP of Cloud Technology Partners, “and the ability to perform tasks more quickly and more effectively. Devops has been a big push for the last several years, and they require new roles to make devops organizations effective.”
Most IT pros say it’s not a matter of whether a company needs a penetration tester but what kind — and whether the hire is a full-time gig. Either way, the era of hackers on the payroll is upon us.
“Depending on the engagement, penetration testers might need to attack networks, hardware, applications, or the people that use those assets,” says Charles Henderson, global head of IBM X-Force Red. “Most offensive security professionals will have skills in social engineering, data exfiltration, software exploitation and vulnerability research. The traits of the penetration tester are actually far more valuable, since curiosity and ingenuity often outweigh technical skill.”
Henderson says there are two questions to ask before a hire is made: Is there enough work to keep a full-time penetration tester engaged? And would that person have the skills necessary to test every likely type of vulnerability?
“Some organizations might benefit from an in-house testing team if they have multiple projects running concurrently,” he says, “but most organizations require testing in bursts. The other consideration is that security testing requires highly specialized skillsets that are relevant to the project at hand. Using a managed service for security testing allows for flexible on-demand projects that are supported by the appropriate skills.”
Mike Fitzmaurice, VP of workflow technology at Nintex, comes down hard on the side of hiring outside testers.
“I would not recommend, under any circumstances, hiring them in-house,” Fitzmaurice says. “If you must, keep them out of the IT reporting chain. You can’t have penetration testers establish relationships with, well, anyone else. It would change the way they view your environment and any available threat vectors. Too much inside knowledge opens certain cognitive doors and inevitably closes off others. To protect IT from outsiders, you need people who think like outsiders. Hire outsiders and rotate them so different people are trying different things. This position should be in demand for a long time -- by security firms.”
The risks go beyond traditional networks and IoT devices, especially as more companies farm out services to the cloud.
“Ultimately it is the needs of the enterprise — post [the hacks of] Target and Home Depot — that really pushed penetration into the spotlight,” says Russ Wickless of Schellman and Co.’s threat and vulnerability assessment team. “Penetration testing can range in duties across a broad spectrum of work. Engagements can be anything from testing applications in the cloud to an on premise social engineering exercise to test a company’s physical security.”