But Once You’ve Experienced Them, You Can’t Live Without Them
When it comes to vulnerability management, the goal of the cyber security team is to identify, verify, and prioritize vulnerability remediation on internal, internet facing, and cloud-based IT infrastructure. But without a project manager on the team, too often I see that pentesters fall into responsibilities outside of that clearly defined goal – into areas like administration, logistics, and finance, which ultimately take the tester away from the job at hand. This is where the project manager becomes essential.
The project management role is a cross-functional and integral part of every vulnerability management program. They bear the responsibility of effectively working not only with pentesters but also with sales, finance, developers, and management, all aimed at driving a path to success for the client. Drilling down even further, the project management team also ensures that project tracking is timely, reports are getting to clients by the promised date, budgeting alignment is maintained, and last but not least, work with the team to schedule client tests and ensure the maximum use of resource allocation.
In short, project managers are capable of much more than what’s written in their job description. To paint a picture of these capabilities and understand the value they can bring to your pentesting engagements, here are five things you didn’t know a project manager could do – but once you’ve experienced them, you can’t live without them.
Administration Services That Give a Concierge-like Experience
Project managers are a bit like a concierge. It’s important that they are able to read clients and tailor their style of project delivery to best suit them. This ability gives the client that feeling of “white glove service.” But it’s more than style, it’s also technical competence that a professional project manager can bring to a vulnerability testing program. Applying past experiences (successes and failures) to current or new clients who have never gone through a specific type of penetration test before is invaluable. Time, energy, and budget are saved. So, if your project manager asks, “have you ever been part of a (insert example here) type of pentest,” it’s due to a desire to help clear some hurdles or roadblocks early on in the engagement and set the stage for a smooth and successful project.
Documentation at Your Fingertips
Everyone is crazy busy these days. And our clients are no different. No one has the time to read the results of vulnerability testing from hundreds of pages-long PDFs that are not organized, deduplicated or consolidated. Project managers help assist busy security professionals cut through the clutter and assist in training them how to have a quick, or ‘dashboard,’ view of the information versus sifting through all the data. Eliminating the need to wade through those reports is a huge time saver and allows security teams to consume the data in real-time and discern where things are at and if any immediate action should be taken. With hackers attacking every 39 seconds, on average 2,244 times a day according to a University of Maryland study, time is critical.
Customization to Provide Information that Matters
Importantly, project managers work hard to provide the information that matters most to a client engagement. For example, information on the project status dashboard, which also includes information around the project budget, is customized as not all clients have the same needs. To design the dashboard view, project managers work as advisors and collaborators to help a client determine what is most important to see, taking their role into consideration. These customization sessions oftentimes result in a healthy back-and-forth dialogue which helps with envisioning future views of data as well.
In addition to the customized project status and financial view of data created by the project manager, NetSPI has a vulnerability management and orchestration platform, Resolve, that provides a dashboard view of penetration testing results and allows clients to dig deeper into the testing outcomes, delegate findings to different team members, have threaded discussions, and run reporting for different levels of the organization, all directly from the platform.
Logistics to Save Time and Budget, Eliminate Stress
In any particular penetration testing assignment, there can be as many as 15 people involved, from both the client side and the testing side. Imagine you’re a tester and now you have to coordinate ever-changing schedules, confirm scope, track project dates, and maintain them in the system, send out reminders, write up meeting minutes, join sales calls, attend and prepare information for monthly or quarterly client meetings – all on top of the actual testing. With a smile. In my view, it’s too much for a tester to handle, and ultimately takes them away from the important work of ethical hacking. This really comes down to customer service. Project managers live and breathe logistics so the project can thrive.
An Anchor Who Handles Issues Management Like a Pro
An ideal project manager is one who has passion for the job and puts the client first. Critically, the project manager may be in a situation where issues management skills are needed to analyze a particular client circumstance and provide workable solutions on how to move a project forward. The project manager should be the anchor of the vulnerability management program, who advocates for the client at every turn.
Historically, project managers have been very task oriented. They had a project plan, checked in with a team, assigned tasks, and checked back periodically to see the status of those tasks. That style of project management is waning, and we are now seeing project managers step into an actual leadership role. They’re leading the entire team, in addition to leading clients toward the best course of success.