How To Take Charge Of Your Penetration Testing Delivery Problem

Let’s talk capacity.

In any industry it’s a problem. In cyber security and for penetration testing companies, specifically, it can be a nightmare. No matter how big or small your business is.

From having built my own penetration testing consultancy to working for one of the world’s largest, here’s my insight.

Managing penetration testing delivery is like trying to “nail jelly to a wall.”

It moves… continually… as projects come and go (or more accurately, are scheduled (for yesterday), delayed and postponed).

As a cyber security business that offers penetration testing, consulting or assurance services, you’re either working over or under capacity at any given time. This could be day-to-day, week-to-week, month-to-month or year-to-year.

Flip a coin to assess the risk to your business. It’s the same.


Let’s start with delivery.

Work over capacity and your consultants moan, groan and answer recruiters’ calls. They know their value. There’s a shortage in the market. According to the 2015 (ISC)² Global Information Security Workforce Study, 1.5m security professionals are needed by 2020.

They’re in demand and prized assets. They like the fame and love the premium salaries that they can command. They work on their terms and hold you to ransom. It’s “happy days” for them so you had better behave.

Now, let’s look at sales.

Your salesperson has spent months working on a prospect, has won them over, brought in the business and needs it delivered for a specific date. They know their client can’t wait and yet they’re now being told that they’ll have to.

It’s not their fault you don’t have the consultants to deliver the penetration test, but they’re accountable to their client. They’ll face them and tell them that they can’t deliver it in accordance with the time-scales. They’ll be the ones who’ll look unprofessional. And, if it’s a new client, they may never be called upon again. With their reputation damaged and an income dip, they’ll be peeved (that’s putting it mildly). And, chances are they’ll answer recruiters’ calls, find another job and leave.



And, you’d better be too. Just count the cost…

  • Cost of a lost client.
  • Cost to recruit a new consultant.
  • Cost to recruit a new salesperson.
  • Cost to get both up-to-speed.
  • Cost to repair the brand. Word gets out.

Let’s model some figures.

1 client stays with the company on average 10 years. They’re not a huge client but let’s work on the basis they’re buying about £60,000’s worth of services from you each year. The total revenue you lose is £600,000.

1 new (mid range) consultant costs £60,000/year. Your recruiter’s fees (20%) amount to £12,000.

1 new (mid range) sales consultant costs £50,000/year. Your recruiter’s fees (20%) amount to £10,000. It takes them 3 months to get up to speed. Until then, they’ve not brought in any revenue. You’ve been used to £60,000/month from your previous salesperson so that’s a loss of £180,000.

Your total loss is £912,000 and that’s without considering the possibility that your salesperson has taken existing clients or that more staff will follow their lead and go.

It’s not great. Let’s move on.

Work under capacity and you’re equally screwed. You’ve now got expensive consultants sitting on the bench and, whilst they’re happy, you’re once again losing money. Keep this up and you’re out of business, and now it’s you who’s answering recruiters’ calls and looking for a job.

So, what if there was a way to solve this? What if there was a way for you to better manage your penetration testing delivery and sales pipeline? What if you had an additional way to get more sales? What if you could turn resources on and off in an instant without high costs and risks to your business?

Would you be interested to find out more?

Now I want to hear from you…

Tell me in the comments below or in a private email:

  • What’s your biggest frustration around delivering or offering penetration testing services?

Please share your stories and experiences here, and if you’ve got a question, just pop it down here. If you want to contact me to discuss how you can improve business development for you or your team click here.

PS. The big favour ask…

I’m on a mission. I believe passionately in entrepreneurship and cyber security. I want to see more survive and thrive so more businesses can be protected. If you want to help and share my beliefs, please just share my posts.


Jane Frankland

Jane Frankland is a successful cyber security technology entrepreneur, author, speaker, business consultant, and Board Advisor for ClubCISO. Having held directorships and senior executive positions within her own company and at several large PLCs, she now provides forward thinking cyber security organisations with strategic business development solutions.