Thread: CEO vs ICT

  1. #1
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default CEO vs ICT

    Probably those of us who have done corporate work have been approached by the company's IT team for some pre-engagement work, meet with the CTO and the CEO, the corporate lawyers and all that sort of thing.

    I was asked this morning to perform an engagement. When I asked for a meeting with the CEO:
    Code:
    From: XXXXXX XXXXX <xxxxxxxx@xxxxx.xx.xxx.xx>
    To: gitsnik@xxxxxxxxxxx.xxx
    Subject: Re: Penetration Test
    
    The [CEO] is too busy to concern himself with IT matters like this and won't be available for any meetings. The [boss] is on vacation at the moment so it is just me and my unit

    I'm not walking anywhere near this one for any money considering where it came from but I wanted to ask the question of the community:

    Would you require the CEO involved in your pre-engagement meetings? Would you take this job? Assume it's a SMB about 80 people, corporate.

    Considering I don't actively engage in this sort of thing at the moment, it's more than a little dodgy, but it still made me wonder.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  2. #2
    Senior Member voidnecron's Avatar
    Join Date
    May 2010
    Posts
    132

    Default Re: CEO vs ICT

    You need to know if that person has the mandate to engage/set up such an investigation, but that's quite hard if everybody above him is either away or not available.
    I wouldn't take the job since, from what I read, it has something fishy around it and might cause more trouble than money is worth.

    Good luck making a decision.
    "The difference between RAID1 and RAID0 is that the zero stands for how many files you're gonna have after a harddisk failure."

  3. #3
    Member
    Join Date
    Jan 2010
    Posts
    70

    Default Re: CEO vs ICT

    Here's the thing, in my experience, a penetration test is something that doesn't get organized overnight. There's a lot of back and forth with legal, and it's usually a few days before the contract is in place. Knowing that, why wouldn't you send them an initial quote, your standard paperwork, and make sure that they get you in touch with the legal department to negotiate a contract? It's not like you should be taking jobs without this type of agreement in place. If this is a new customer, just let them know how you do business (i.e.: we put an agreement in place first, get all the "cya" stuff out of the way, then discuss the deadlines, reporting, and debriefing).

  4. #4
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default Re: CEO vs ICT

    Quote Originally Posted by orgcandman View Post
    why wouldn't you send them an initial quote, your standard paperwork, and make sure that they get you in touch with the legal department to negotiate a contract?
    Covering my ass is important, supremely important, but isn't really the point. This guy isn't the division head of ICT, he claimed that no one above him is available for discussions to set this up. Reputation is more important. I don't do this with big websites like Shearwater and their ilk, I get by on word of mouth and am still very very choosy. To me, and the reason I am inclined to step away from this (apart from not being particularly active lately), this sysadmin is akin to a child saying that mum and dad say it's ok. Even if I want to take the job, and get the paperwork from legal, how would it represent to customers that I am willing to ignore the chain of command and take the word of an admin?

    Thus the question, would you get the CEO involved? My opinion is pretty clear, but if I wanted my opinion I wouldn't make a thread about it.

  5. #5
    Senior Member voidnecron's Avatar
    Join Date
    May 2010
    Posts
    132

    Default Re: CEO vs ICT

    In that case, why don't you just go over the sysadmin's head and just make an appointment with the CEO, via his secretary?
    Most of the time when you say something fancy like 'performing a simulation hack on your company' instead of 'pentesting' you got all their attention.
