The report, written by experts at Security Lancaster, Lancaster University’s EPSRC and GCHQ-approved security research centre, and BSI (British Standards Institution), argues that greater standardisation of penetration testing – known outside the industry as ethical hacking - would increase transparency for clients and boost the cyber security industry by improving consistency and the ability of UK firms to export services.

Penetration testing involves an authorised attack, carried out by experienced professionals, on an organisation’s IT internal and external infrastructure, to identify vulnerabilities that may be present.

William Knowles, from Lancaster University’s Security Lancaster, said: “Penetration testing has become widespread. Increased standardisation would serve to protect cyber security professionals by providing a level playing-field on which to compete.

“A lack of consumer clarity in a complex professional services market, coupled with increasing demand for companies to provide levels of security assurance in order to do business, leads to variable quality in the market place, which could put companies at risk.”

Currently, the inconsistent terminology and levels of service offered are holding back the industry, leading one security provider to describe the current situation as like a “Wild West.”

The report makes three recommendations for standardisation:

• Standardise terminology for different levels of testing – to enable clients to make more informed decisions and to compare like for like with providers. This would also help to offer the service to international markets.

• Guidelines for reporting structure and content – to offer clients greater consistency through the use of metrics and recommendations, as well as empowering clients to understand security threats facing their organisations.

• The creation of guidelines for auditors on using penetration test results as evidence within compliance assessments for security standards is also recommended.

The report’s authors interviewed 54 stakeholders including 32 penetration testing providers and their clients, as well as seven industry stakeholders, including technical bodies and government departments.

William Knowles said: “The threat of cyber attacks has led to an increase of simulated and controlled cyber security evaluations of IT infrastructures. Such evaluations are frequently referred to as penetration testing. However, in practice, the nomenclature encompasses a variety of other labels, including vulnerability assessments, IT health checks, ‘red team’ exercises, and ethical hacking.

“Both providers and clients were found to be dissatisfied by the lack of transparency and consistency in industry offerings. Given the importance and rapid growth of penetration testing, resolving these needs for best practice quickly would aid both providers and buyers.

“Standardisation of terminology would enable clients to compare like for like, and provide clarity and consistency, which would also aid the commoditisation of penetration testing, particularly when looking to international markets. It would also help to alleviate some of the frustrations revealed in the report, where providers see competitors offering vulnerability assessments badged as penetration tests.”

Dr Alistair Baron, of Security Lancaster and co-author, said: "Another concern highlighted during the interviews was the potential legal and ethical perils surrounding the use of social engineering as part of penetration testing exercises. This is an area that will be tackled in future research at Security Lancaster."

While pointing out existing issues within the industry, the report recognises the foundations laid by schemes such as CHECK, CREST and Tigerscheme.

Tim McGarr, Market Development Manager for ICT & Asset Management, Governance & Resilience at BSI, said: “Organisations are increasingly looking to the penetration testing industry to better understand and improve their cyber security. As this thought leadership report has shown, there are respected qualifications for individual penetration testers, but that there can be greater consistency of the service penetration testing firms provide.

“Greater standardisation in this area as identified in the report should allow customers to know they are getting a consistent comparable service. In addition, it will allow providers to better demonstrate and differentiate their capabilities. BSI will use the findings of the report to reach out to the stakeholders in the penetration testing market to determine the demand for new standards.”

BSI is currently in dialogue with various stakeholders in the penetration testing industry to take these standards recommendations forward. If you are interested in inputting to the approach please contact Tim.McGarr@bsigroup.com

To find out more about Security Lancaster and how it can help your organisation, see www.lancaster.ac.uk/security-lancaster or contact Business Partnerships Manager and Associate Director for Security Lancaster, Dr Daniel Prince 07807 125 781 d.prince@lancaster.ac.uk

The full report can be viewed here.

About BSI
BSI (British Standards Institution) is the business standards company that equips businesses with the necessary solutions to turn standards of best practice into habits of excellence. Formed in 1901, BSI was the world’s first National Standards Body and a founding member of the International Organization for Standardization (ISO). Over a century later it continues to facilitate business improvement across the globe by helping its clients drive performance, manage risk and grow sustainably through the adoption of international management systems standards, many of which BSI originated. Renowned for its marks of excellence including the consumer recognized BSI Kitemark™, BSI’s influence spans multiple sectors including aerospace, automotive, built environment, food, healthcare and ICT. With over 80,000 clients in 172 countries, BSI is an organization whose standards inspire excellence across the globe.

To learn more, please visit www.bsigroup.com