Time: 13 hours 9 minutes
Difficulty: Intermediate
CEU/CPE: 13

Video Transcription

00:01
Hello and welcome to another Penetration Testing Execution Standard discussion. Today we're going to look at scope creep at a high level within the pre-engagement interactions section. So let's go ahead and jump into our disclaimer.
00:18
The PTES videos do cover tools that could be used for system hacking.
00:23
Any tools discussed or used during the demonstration should be researched and understood by the user. Please research your laws and regulations regarding the use of such tools in your area. Encryption standards can be different depending on where you're at, and tools that you can use or possess could be different based on your region as well. So while we are learning
00:42
and trying to figure out new things, we want to make sure that we don't get into any trouble with the law as well.
00:49
So let's jump into our objectives for this discussion.
00:52
So we're going to look at scope creep and what it is. We're going to identify some reasons why it is dangerous to firms, discuss how to approach the subject with your clients, and we're going to discuss how to deal with existing customers and how it can create reduced costs, and that will be a component of the overall subject that we'll look at
01:11
now. What is scope creep? Why does it matter? Why is it important for us to kind of take the time to look at? Well, scope creep is when a project runs outside of its original scope of work, or when work is done beyond the agreed-upon scope.
01:26
And so the reason that this can become problematic, or the reason that you can have issues with this
01:32
is that scope creep is brought on by a lack of clarity. And so when we're doing our initial scope meetings, when we're having discussions about what the client is hoping to achieve, if both parties don't go into that relationship with a clear understanding of what's being done,
01:48
that can create an environment for scope creep. Testers would provide or conduct work directly for the client.
01:57
So this is an issue where you, as maybe the manager or business owner for a security firm, come up with the scope of work and agreed-upon rate, etc., for a client, friend, whatever the case may be,
02:10
and then the tester starts doing the work and then is convinced by the client that they can do additional work or provide something outside of scope.
02:21
Now, there are some instances, but not always, where clients will attempt to get additional work at the originally estimated cost. And so these are the examples of, "Hey, are you sure you can't scan this extra IP? Hey, while you're using that automated tool, can you maybe get this range in addition to this range?"
02:39
"You know, I'm not asking you to do anything crazy. I'm just wanting you to do this little piece. I think that it should be included or is a part of this." And so that
02:50
could cause issues where a client may attempt to get additional work without additional funds or time being provided. And then there are poorly defined initial requirements. And so, again, where we talked about well-defined scopes and things of that nature, where you,
03:06
instead of specifying the web applications that'll be tested, just say, "OK, we'll test the web applications for the environment," and then you get there and there are 50 web applications that the client actually has and manages, and they expect you to test all 50.
03:21
You thought maybe there would only be one or two that would need to be looked at. So that dramatically increases the scope
03:27
and can cause issues within that.
03:29
Now, what are some of the reasons that scope creep turmoil can be a real thing? Well,
03:37
the first and foremost is that it does increase cost to the firm doing the testing. And the reason for that is that it drives up labor costs. So when we do an estimate for a project, we perceive there's a certain number of hours; we know that we pay a certain rate to our staff members or our contractors.
03:55
And if the rate or amount of time goes up
04:00
but the amount of funds is the same or reduced, then that will naturally drive the cost of the project up over time. And it will eventually put us in a state where we lose money. Now, not to say that money is the only thing that matters.
04:15
But in the instance where you're trying to, you know, run a security firm or run a business that does penetration testing, that has to be considered.
04:24
Now, there is also increased opportunity cost. So by adding work to the project,
04:30
it may not benefit the firm or the client. So
04:35
essentially what happens is the client's expectation is somewhere up here,
04:42
and the firm's idea of the work that needs to be done is here. Well, that is quite a distance between what the firm thought they were doing and what the client thought they were getting. And so the firm may think, well, it benefits us to
04:59
bring ourselves up to the client expectation. We don't want a bad review. We want to do, you know, the best job. This is, you know, only the fifth job we've ever done. And so you decide to take on that extra work in order to save an opportunity and improve the relationship.
05:14
But what may happen is that the client may be confused as to why your expectations or the scope weren't here to begin with, and this causes frustration on their part. And so even though you think you're doing what's right to align, you know, with their expectations and meet that opportunity,
05:31
it may actually cause more harm than good. So it's always,
05:34
always, again, good to be transparent and try to meet those expectations up front.
05:41
Now, documentation may need to have updates. And so if you've written a report, let's say, and that report has taken into consideration certain factors, dates, times,
05:50
that may change the report entirely. So there may be some assumptions that were made initially. There may be some evidence that you had. There may be some other factors that build into that report, so that by adding this extra segment, adding this extra application, doing these things,
06:10
it may change the report dramatically. It may cause you to have to go back and rewrite that again. That just comes into
06:16
additional labor and opportunity cost increase,
06:21
and then we run into a drop-dead date that may have been issued. And so now we worry about quality, and the reason for that is that if nothing changes in the contract and we allow scope creep to be there and we allow it to run rampant,
06:38
and we have a drop-dead date that may penalize us as the provider of the service
06:44
for not completing the work on time, then we may, in the end, rush to meet that deadline in order to try and not be penalized by that drop-dead date.
06:56
And so we want to be aware of those things, that scope creep, while it may not seem like it is a big deal, can cause many, many issues for an organization with respect to work quality, cost of labor, cost of the opportunity being lost, things of that nature.
07:13
So how do we approach scope creep directly with the client? Well, we've talked in other areas about addressing additional hours, additional labor, things of that nature, so that remains consistent.
07:25
But what we need to do is address the client's expectations, what they are and why the work should or should not be done during the current project.
07:33
I'm not saying that scope creep is always a definite no, but the way that you approach scope creep should be organized. It should be in a manner that you're seeking
07:46
resolution. Either you help the client to understand why you can do something and why documentation would need to be updated, et cetera,
07:56
or you help them to understand why the work should not be done
08:01
and again address any contract language and how the work could be added in where applicable. So there may not always be a case where the work can be done, where it can be added, or where there's anything in a contract that would require you to consider doing the extra work. So in those cases
08:16
you need to take that contract language, determine what's going to be in the best interest of the client as well as your organization,
08:24
and just ensure that you address that transparently and openly, and then by the end, have a path forward if the work cannot be done during the current scope. So never, never just go back and say, "No, absolutely not, not doing the work. Nothing we can do there. Sorry, too bad, so sad." It would be beneficial to say, "You know what?
08:43
We won't be able to address it in the given scope because of X, Y, Z,
08:48
but
08:50
we can always come back and provide you with the services in this particular manner, and we can address it through this scope,
08:58
and oh, by the way, since we're familiar with the environment and we're aware of what's going on,
09:01
you know, we can provide a reasonable rate for that as well." So that brings into the discussion how we would benefit from working with and keeping existing customers happy. Now, some of this is opinion-based and from experience in dealing with
09:18
existing customers. And, you know, I want you to kind of make your own decisions on the matter. But these are definitely some key points to remember when working with existing customers.
09:28
One, you're already working with them. So it's never a bad thing that a customer wants you to do more work or wants you to do more to assist in securing the environment, whatever the case may be. But there's a time and a place and a way to address that work.
09:43
You're also at an advantage because you understand the environment. So the more you work with an existing customer, the more you build that relationship, the better your understanding of their environment is,
09:54
and the greater benefit you can provide with respect to risk reduction in those activities.
09:58
Now again, this part is more opinion,
10:03
but you should definitely work to provide a fair rate. Repeat business is good business. You know, the worst thing that you can have as a firm or as a provider of penetration testing is months where you're not doing work,
10:16
and so to have clients that want to continue to use your firm, it only makes sense that you build that relationship. You continue to provide a fair rate, you know, while it may be tempting to charge in excess because of the scarcity of work.
10:33
Over time, you build a reputation for doing good business, for having a high reputation in the community and with your clients. They'll continue to come back, so that can provide a benefit to you by keeping those customers. And then try to be consistent across your existing customer base. And so if you do more work for one customer
10:50
and you allow scope creep to happen more often than that with another,
10:54
and those customers are in similar industries, there are times when they'll talk to one another, and you always want to ensure that if they ever do that, you never sweat the details of that, that you always provide fair work and that you're consistent. And so, regardless of how you treat
11:09
scope creep, just remember to be considerate and consistent across the board.
11:15
Now let's do a quick check on learning: true or false, scope creep can keep a business profitable in the long term.
11:24
So again, true or false: scope creep can keep a business profitable,
11:31
okay, in the long term.
11:33
All right, so the consideration here is that we're talking specifically about scope creep
11:39
and it being long term. Well, stretching work out when you've got something like a fixed fee would not be beneficial. And even if you were charging by the hour and the client was agreeing to pay overtime, stress and frustration would potentially catch up to the client.
11:58
And there may be instances in contract language where you can't recognize
12:03
payment until the work is completed. And so if a client continues to drag along, and then it's the next thing, and then it's the next thing, and then it's the next thing, then the next thing you know, you're six months down the road on a project that should have been 30 days, and you can't collect until that project is closed.
12:20
You've now put yourself in a circumstance where that project may not be profitable, or it may be very difficult to collect on, because you've allowed scope creep to be so rampant in that.
12:30
So the correct answer here is false.
12:33
There are very few circumstances where scope creep can keep a business profitable by continuing to be a problem in their projects.
12:43
So in summary, we explained what scope creep is. We looked at why it's dangerous to firms, why scope creep can cause turmoil within a business. We explained how to approach the subject with clients, discussing, you know, how we come to a beneficial
13:01
end as to whether, why we will do the work,
13:03
why we won't do the work. And we give them a path forward to maybe have that work done at a later date
13:11
and then the tips in dealing with existing customers. Like I said, those are somewhat opinionated. But when you have existing customers and they continue to do repeat business with you, the last thing you want to do is damage that trust or damage that reputation that you have in the community with the businesses that you serve. So always
13:31
remember to treat customers in a consistent manner when it comes to scope creep
13:35
and billing and things of that nature that will only benefit you in the long term and again provide you with the ability to continue to build a client base and foster long term relationships.
13:46
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.


Instructed By: Robert Smith, Director of Security Services at Corsica, Instructor