From: Joey Peloquin (joeyp cotse.net)
Date: Thu Oct 02 2008 - 14:45:32 CDT
Zack Payton wrote:
>
> > In my experience, companies usually already know that physical
> > security and susceptibility to social engineering are their weak spots,
> > and aren't interested in paying us to tell them what they already know.
>
>
> But at the same time, things like white hat phishing campaigns against
> staff can be an easy way to measure the effectiveness of security
> awareness training...
> Clients like to get some metrics regarding the effectiveness of security
> training. It helps the suits to know where to spend their money.
>
Don't get me wrong, I'm not arguing against the necessity and validity of
these kinds of tests, but rather explaining that *we* aren't normally
successful in getting the client to include them in the scope. We offer
every single time, and recommend they include the tests for the very reasons
you give.
Maybe 1 in 15 or 20 take us up on it. Far too few IMO.