As a Junior AC one common task will be attending expert interviews and taking notes. You end up being the knowledge base and the one who can contribute prime pieces of information in meetings that others are not aware of. This may not always be on a topic that you understand before the project, with some technical terms as in the example below. You are not expected to be an expert in all areas and often, it is important to look past the technical language to get the real story beneath it.

The Task:

OC&C is working for a company that offers cyber security testing in the UK and Europe, to help them develop their strategy for the next 5 years. This company's main service is providing 'testers,' who are people that will try to break into their clients' systems to check for any vulnerabilities and exposure that they may have to cyber criminals. Our client is a large generalist in this field.

As part of this process your team is considering factors such as how they compare to other players in the market, and the potential impact of the skills gap to their business. You have interviewed a few industry experts about the market and need to summarise the key takeaways (bullet points) in an email to send to the rest of your team, including the partners.

Please send an email to the team, which answers the below 3 questions by summarising points from the expert interview notes. Please format your response as one bullet point for each answer to the below:

• Do customers generally use one provider at a time or multiple providers at once and why?
• What is the most important accreditation for a tester in Europe to have?
• What trend in the market is causing tester providers to increase their prices & what does this mean for smaller organisations?

Please remember it's important to be concise when summarising these types of documents. There is no need for additional information/ research to be able to complete to the task, all of the information you require is in the expert interview notes below.

Project Cyber Expert Interview Notes - 1st March 2022

The Market

Have providers been putting up the prices of testers with wage inflation?

• About 50% have, but only putting them up about 30 a day on average
• Smaller firms have had to put their prices up slightly, but all have seen a ridiculous increase in salaries of testers

Is this increase because of the skills gap? (Are there not enough testers with the skill set available).

• Don't think so - there are lots of people out there, but they think that they deserve more than what companies can offer them
• Lots of open positions but also lots of people looking for work
• Highly skilled people know they can ask for 400k plus but smaller companies can't afford that, so smaller companies more likely to choose people without certifications
• Lots of people are going independent, just this year they know 8 testers who have gone independent because they want a better work-life balance - they can work 12 days a month at 500 a day still earning pretty good money

If I am a customer using these services, would I usually have a single provider? Or use several?

• In Europe especially the bigger organisations develop multiple sprints parallel to each other, they have a pool of security testing organisations who can help them out in ongoing testing
• Can compare the work from different companies, if someone is slacking move towards someone who is performing better
• This will drive more quality in the tests, can challenge the results of different testers more
• Encourage multiple tests, same piece of software by different people
• If vulnerabilities found by one tester but not another, then shows poor quality

Accredited providers:

How important do you think both SOC and pen testing accreditations are? e.g., CREST, how important is this?

• CREST is only UK, it's not important for any other organisation outside of Europe

Is there an equivalent for Europe?

Important that you work according to ISO 27001/2, if you have a pen testing organisation that is not ISO certified then you don't have a chance

What is more important is the certification of the pen testers: way more important as this says something

OSCP is worth way more than CEH as an accreditation in the UK. Quality of OSCP assessment is higher, CEH is basically a multiple-choice exam

There are specific certifications for pen testers and ethical hackers so if they have them that is really good