It was T’s first week in a new organisation and they went into a project meeting for a new product that was about to be released.
T: Has this product been pen tested?
Project manager (PM): We don’t usually do pen tests on most systems, unless they’re really high risk, and even then we wait 6-12 months after they’ve gone live to do so.
T: I don’t know what kind of setup you people have here. But where I’m from, PMs have been fired for a lot less.
PM: Are you threatening me?
T: No, I’m just telling you the tale of the mythical land I’ve come from. But I will strongly suggest that you carry out a pen test.
PM: Look, I know you’re new here to this organisation and you’re trying to make your mark. But this isn’t the place to make a name for yourself.
T: I would never want to make a name for myself. Once you have a name, there come certain expectations. Trying to live up to my parents’ expectations was hard enough; there’s no way I’d like to bring that kind of baggage into work with me.
PM: Do what you will, this is how we’ve always done things around here.
T: That’s fine, my job is to provide some guidance and document findings.
Two days later.
PM: T, my friend. Do you have any recommendations on how we can scope this pen test?