Congratulations! You just completed your penetration test. You’ve read the report, planned your mitigation strategies, and started executing on the plan to resolve the findings.
Then what? Maybe you completed the test to check off a compliance-required box… or maybe it was your organisation’s goal simply to be able to say you have one. Crucially, you’ve done the hard work, and you should share that fact proudly with your clients.
If you completed your pentest to check a compliance box, you’re not alone. There are hundreds of organisations who complete pentests every day who just want to be able to answer “yes” when a security questionnaire comes their way. Our partners at Trustpage, however, are pioneering a new type of relationship with security; one where companies are clearly communicating their security information earlier and more often with prospects.
The reason is rather simple: the less you lean in on your security policies throughout the sales cycle, the bigger the questionnaire that comes your way down the line. Take your marketing site, for example. Most companies understand the importance of having their product features displayed and marketed across the website. You’re providing prospects with the information they need to understand your product upfront.
Rare, though, is to find companies proactively addressing the security of these features, or their company’s security posture at large. By transitioning into a culture of proactively and transparently sharing the many reasons a buyer can and should trust you, you instil confidence to engage. Instantly you become the type of company a buyer is excited to take back to their internal teams—the surest way to win in any competitive situation.
Proudly sharing the results of your pentest is a great way to start this journey. You’ve already put in the work to get the results and resolve the findings… why not let the world know?
There’s no doubt that the results of your pentest should be considered sensitive: they are (by definition) all the ways that someone could access your data without authorisation. If you’re confident in the mitigation work your team has done to resolve the findings, you should also feel confident sharing the test with trusted clients and prospects.
While it's common practice to post some security resources online, publishing your pentest without a gate probably isn’t a great idea. Even though you’re sure of your results, handing someone the potential “keys to the castle” could create unnecessary risk for your software and sow doubt among prospects.
For this reason, we recommend sharing the report after a non-disclosure agreement has been signed. This shows your prospects that you’re confident enough in your mitigation strategies to let them in on the discovered risks, but secure enough to only share the documents with the folks who are serious about vetting your solution.
While you could wait for prospects to bombard you with requests for your pentest results, audits, or other questions on your data security standards, we’re believers that there has to be a better way. For OnSecurity, our Trust Centre is the best way to share our posture with customers and prospects alike and build confidence in our security programme from day zero.
A Trust Centre can be thought of as a nutrition label for your business' security. It's the place where you can outline and store all materials about how you protect and process data. Like a nutrition label, it gives potential or existing customers all the information they need to feel comfortable with your product or service.
Creating a Trust Centre allows you to confidently and securely share the results of your penetration test, both within the report, and in more specific detail on an all-in-one site designed to outline the details of your security.
There are countless options for creating an impactful Trust Centre within your organisation, and we’re happy to share a few of our favourite examples with you.
Many enterprise organisations including the likes of Salesforce and Monday have taken to building their own, self-hosted Trust Centres on their website. These pages are typically static, displaying a defined set of information that has been vetted by both security and marketing teams. At a minimum, these types of pages show customers and prospects that security is a consideration for the organisations they’re considering.
Designing, building, and executing a DIY Trust Centre can take weeks or months depending on your organisation’s structure. Our partners at Trustpage have made it quick and easy to create and publish a Trust Centre, so you can bring together everything required to build trust with your clients.
From AI-generated content based on your policies, to automated NDA-protection for your new pentest, you can share your results in a snap.