Finding the right TIBER test provider for your organisation is crucial. You’ll want a secure test, but there’s huge value in knowing how to act on the results to protect your operations. One obvious question arises: should you opt for a local provider in your country or choose a larger, global tester?
We consider both options to help you make an informed choice.
Testing in your real world
The TIBER framework is different to many earlier cybersecurity testing procedures. Instead of working in an isolated environment, separate from your main operations, TIBER is live.
TIBER pits your live infrastructure against real-world threats, which provides far more meaningful results. This adds a level of risk that must be managed meticulously, by your organisation and by your testing provider. The consequences of not doing so are serious.
CBEST was the first testing framework to operate in a live environment. Specialist red teams have been highly trained (and CREST qualified) to deliver CBEST testing that’s secure, legally compliant, and ethical. We believe the TIBER framework must learn from this high level of service.
Consider your local options
It can be tempting to keep TIBER testing local. A familiar provider in the same country can seem reassuring.
If timelines are tight, engaging an existing provider will be faster than appointing a new one. They’ll already know how you operate and won’t have language differences or limited cultural insight.
But local testing providers are, by their very nature, smaller operators. When handling live TIBER testing, this poses risk.
Generally, local operators have less testing experience, smaller teams, and fewer qualified individuals. Also, their knowledge of cybersecurity beyond finance could be limited. This might not seem significant, but they’ll lack broader insight into new and emerging risks that financial organisations and their regulators are yet to consider.
A local TIBER tester could seem like the more convenient option. But you might find it’s a higher risk choice.
Why global means better risk management
By their very definition, global TIBER test providers operate in many countries - just like many financial organisations. In fact, organisations often hold data in a handful of geographic locations. Engaging a provider experienced at handling cross-border issues is a big advantage.
Safely moving data between countries requires knowledge of local laws and legal requirements in various regions. Global providers have more experience of this, so your risk is thoroughly managed.
In addition to multi-country operations, larger providers have multi-industry and multi-testing experience to draw from. Working across a much wider landscape, their exposure to risk will be greater. Only by experiencing risk can you become proficient at managing it.
Smaller operators might be able to handle high risk in theory, but have they ever experienced it? Nobody wants to be a guinea pig.
When carrying out TIBER testing, a big hole is effectively punched through the defences of the financial organisation – in a live environment. Should the provider not secure that hole for its exclusive use, the vulnerability remains open for third parties to infiltrate and do incredible harm.
The risk is very real. Your TIBER test provider must demonstrate sufficient experience in operational security to keep your organisation safe during all stages of testing. Global providers are more likely to have larger, more highly qualified teams who’ve handled this level of risk many times.
Get more value from TIBER testing
Carrying out a TIBER test is one part of the service you’ll require. Granted, it’s a significant one. But how will you interpret the results and get the greatest value from your investment?
Choose a provider who will project manage your testing from concept to action plan.
The results, in isolation, are of limited use. Your value comes from understanding them and determining what mitigation and future actions you must put in place.
Your corporate team might not understand ‘raw’ test results, which are written in technical language. When your project is fully managed, your attack manager delivers the findings in meaningful language everyone understands. They’ll highlight risks and recommended actions alongside plenty of guidance and support.
Testing providers who manage your project will ensure the output matches your regulator’s expectations. That means working with a fit-for-purpose TIBER framework and within the boundaries required.
Regulators will also want outputs they can directly compare with other test results. Only then can meaningful conversations be had, heightening cybersecurity across the global finance sector.
8 questions you should ask prospective TIBER test providers
For most, shortlisting TIBER providers is not an everyday activity. We’ve put together eight questions you should ask every provider you’re considering. By doing so, you’ll identify the best one for your financial organisation.
What testing experience have they got?
Understand their testing experience in the finance sector but ask about experience in other industries too. It can significantly widen their cyber risk knowledge.
What types of testing have they carried out? Have they completed live tests (CBEST is another well-known live testing framework)?
Ask about their cross-border experience – especially if your organisation operates in many countries.
What qualifications have their team got?
Assess the people you’ll be working closely with. Not just attack specialists – consider intelligence managers and attack managers too. Are you confident of their qualifications and experience?
CREST established a series of qualifications for CBEST providers to achieve. No such qualifications are currently necessary for TIBER testing, but qualified individuals will reduce your risk.
Can you speak to other organisations they’ve worked with?
There’s nothing better than understanding how the provider’s testing helped other financial organisations. Take time to plan a couple of conversations.
What insurances and risk management procedures do they have in place?
How will they manage the risk of a live test? How will they keep your organisation safe from outside attacks during testing? Do they security-check their staff to ensure safe practice?
What schemes are they members of?
Shortlist providers who are members of (or familiar with) schemes that matter to your organisation. Your regulators will welcome this assurance. Also, look for general cybersecurity schemes that add credibility. Common schemes include:
CBEST: UK finance
GBEST: UK government
iCAST: Hong Kong
FEER: Saudi Arabia
Do they understand the legalities and ethics around TIBER testing?
The TIBER framework can use technology, processes, and people. Knowing what’s legally acceptable in your region is important. Operating ethically is also crucial, especially when using people.
How will you receive your results?
Ask for assurance you’ll receive your results in language your team understands. Simply receiving the technical reports limits the value of your testing.
How will they help your organisation after testing?
If you do nothing with your test results, you lose huge value. And yet, the results can be hard to interpret on your own.
Understand the support you’ll receive after testing is complete. Will they help you understand the outcomes? Will they help you formulate a plan?
Your greatest value lies in post-test planning and action. By having sufficient support in this area, you’ll develop the strength of your organisation.