Blog

When Penetration Testing Creates “Bad Optics”

Written by ThinkGard | January 24, 2022

Recently, we’ve been seeing a steady number of RFPs for cyber security solutions roll in that not only request items such as email security, firewall and endpoint protection, but also want penetration testing included with the solution.

When we don’t respond or submit a no-bid, we are sometimes asked why. Our explanation for not providing pen testing along with the security solution is simple:

As an MSSP, testing the very system that we put in place and manage creates a conflict of interest.

Imagine the IRS allowing your accounting team to perform its own audit instead of conducting the audit itself or hiring an outside, unbiased third party. It’s kind of like letting the fox guard the hen house. Even if it’s a well-fed, honest and well-mannered fox, it just doesn’t look good.

If you’ve already put out an RFP and a vendor includes penetration testing in their cyber security offering without it coming from a third party, and you really like that vendor and want to do business with them, we suggest taking the extra time to amend your RFP and ask that vendor to provide a third-party solution instead, or to create a new, totally separate RFP for the penetration test.