A Strategy for Successfully Hiring Experienced Penetration Testing Staff

With careful planning, it is possible to keep cybersecurity initiatives moving with temporary contract staff, while simultaneously recruiting the best permanent team members.

Ask anyone who has tried to hire experienced Penetration Testers, and they will tell you that finding candidates with the right skills and experience is extremely challenging. Such people are in great demand, command significant salaries, and are usually already happily employed.

These market dynamics mean that it takes time, money, and effort to locate and recruit top-notch talent. At the same time, your development, Information Security, and compliance organizations are likely to be very vocal in demanding that their security testing needs be addressed immediately. This puts many organizations in a “tight spot,” in which they feel they need to compromise on quality in order to fill positions.

Clearly this is sub-optimal for a number of reasons, not the least of which is that security should not be an area in which we “figure it out as we go.” Keeping the organization and its data safe means addressing every security domain with the utmost diligence. Failure to do so may land your company or firm in the news in a most unpleasant way.

There is a way to avoid the flawed decision to compromise on candidate quality: temporarily address work demands with expert contract staff, while buying time to recruit the best candidate(s).

Whether it be through a project-oriented approach in which RFPs are issued, vendors are solicited, and contracts awarded, or simply through temporarily adding expert staff on a contractual basis, this approach allows essential work and projects to proceed independently of the recruiting process.

Of course, there is no silver bullet here. To successfully employ this strategy, an organization must have:

  • The ability to qualify vendors along several dimensions, including cost, capability, and reliability
  • The experience and/or capability to engage cybersecurity consulting resources
  • The resources to onboard remote contract employees and provide controlled access to test environments
  • The processes and templates necessary to document project requirements, plan and execute, archive artifacts, and internalize knowledge

Let’s take them one-by-one.

Qualifying Cybersecurity Consulting Firms

Finding vendors is very easy to do, but choosing the best partner for your needs is challenging. Considerations include:

  • Cost. Cost is always an important concern, but it can be a colossal mistake to shop primarily on price in this domain. Cybersecurity in general, and Penetration Testing in particular, are not commodity skill sets. Think about it as you would when engaging a doctor or lawyer. That is, focus on the firm’s ability to achieve the desired outcome, and only then compare cost.
  • Capability. Does the firm have the experience and track record performing this type of work in your industry? Contact their references and get a feel for client satisfaction. Do they have experience augmenting existing teams? Can they strengthen your team through training, and your processes through re-engineering?
  • Reliability. Does the firm have a reputation for bringing in projects on time? Does the firm have a sufficient talent pool to satisfy your needs?

Engaging a Cybersecurity Consulting Firm

This is the easiest challenge to meet, but it can still present a time-consuming obstacle for smaller firms that have not previously engaged specialized technical staff on a contract basis. You should have a template NDA and Master Service Agreement (MSA) ready for customization, and you should be prepared for any delays associated with legal review. The MSA is then extended as needs dictate, using project- or task-specific Statements of Work (SoWs).

Note that the MSA documents the full agreement between the parties (potentially including the NDA) and addresses basic expectations of each, such as insurance requirements, payment and cancellation terms, and conflict resolution. Each SoW documents a specific work item and the detailed expectations associated with it.

Onboarding Cybersecurity Resources

Contract employees must have access to the resources necessary to complete their responsibilities, including computers, accounts, and entitlements. In some cases, special environments or connectivity may need to be provisioned so that testing can be performed without jeopardizing production and/or mission-critical systems. Every account and entitlement issued to contract staff should carry an expiry date, so that continued access requires explicit reauthorization by client management rather than a clean-up step that someone may forget. The hiring organization should be prepared to train temporary staff on relevant policies, procedures, and tools, and artifacts documenting that such training has occurred should be gathered and archived.

Cybersecurity Project Management

One of the most challenging aspects of outsourcing work is the planning, execution tracking, and verification of that work. Success demands that a manager—someone who understands both the technical details and project management—produce a plan that (minimally) addresses the following:

Admittedly, each of these concerns is a study in itself, and even a superficial treatment is beyond the scope of this article. Suffice it to say that failure to adequately plan for and address any one of these concerns can jeopardize project success. Of critical concern to Penetration Testing are the requirements, the communication and test plans, and the expected documentation.

Knowledge Transfer

We have left one of the most important success criteria for last: the need for permanent staff to take ownership of work products produced by temporary staff. Prerequisites for success include:

  • Staff with the appropriate skills and experience to assume responsibility for certain work or work products
  • A training program to adequately prepare staff to assume responsibility for work or products
  • Sufficient documentation to facilitate understanding of previously completed work
  • Discussion and explanation of next and future steps

If properly funded, planned, and executed, it is possible to keep cybersecurity initiatives moving with temporary contract staff, while simultaneously recruiting the best permanent team members.

Success requires a clear-eyed view of your own strengths and weaknesses as an organization, careful vendor selection, and diligent project management. We have elaborated the key considerations and conditions that must be satisfied to do so successfully.

About Affinity IT Security Services

Since 2009, Affinity IT Security Services has been providing cybersecurity consulting services to clients in the healthcare, insurance, and financial services industries.

Our portfolio of services includes network vulnerability scanning, Penetration Testing, application security testing, Information Security Policy development and governance, anti-phishing campaigns, and cybersecurity awareness programs.

Partner with us to help secure your networks and products. We can help you keep your critical projects moving forward with temporary cybersecurity experts, while you find and recruit the best cybersecurity staff possible. We can even assist in technically assessing candidates.

Contact us today to discuss your cybersecurity challenges at info@affinity-it.com