In the case of validating the CISO’s performance, I could imagine a pentesting company whose compensation depends on whether or not they successfully hacked the company. They could advertise this fact to the CEO (a more sophisticated version of “you only pay us if we hack you!”). Might not solve the problem entirely, but could be a step in the right direction in this case?
This is kind of what bug bounties are! See also https://www.synack.com/red-team/. The limitation with crowdsourcing and bug bounties is that you can generally only use them to find publicly accessible technical problems with your products, and the hackers aren’t allowed to do things like social engineering. I haven’t heard of a consultancy that has this same policy with their pentests, but generally it’d have to be the company contracting them to come up with the compensation policy, as which assets are important and what further “compromise” entails varies between organizations.