As security professionals, we see a constant evolution as bad actors become more creative – using a range of sophisticated AI, psychological, physical and technical tactics to circumvent security measures.
As organisations advance their security maturity, they begin to recognise the benefits that physical penetration testing (also known as physical pen testing, PPT or physical red teaming PRT) can provide. Incorporating regular testing or even establishing a full-time dedicated team becomes an integral part of their security strategy in anticipating and defending against emerging threats.
In this blog post, we’ll explore why women make excellent physical pen testers and how their unique skills and perspectives benefit the industry.
A Recap on Physical Pen Testing
Typically, a pen testing team operates covertly, unknown to building staff, and may be based off-site or hired through a third-party company. Their methodology involves using open-source intelligence (OSINT), social engineering and a variety of physical intrusion techniques, from seizing opportunistic entry to bypassing locks to test the security measures and procedures in place. The objectives are to identify and then mitigate vulnerabilities to facilities and processes, and to prevent staff complacency and improve security culture.
Each physical pen test project is meticulously planned in alignment with the businesses asset and risk registers to simulate the specific types of attacks that are most relevant to the business; whether it be threats from hostile states, protestors, or criminal activities. The test tactics and objectives are then tailored accordingly.
Why Women Are So Valuable in This Role
It is a well-known fact that women are underrepresented in the security industry. PPT is no different, however, due to implicit and explicit bias, as well as gender stereotypes, women are judged to be much less suspicious and threatening than men and therefore naturally have the upper hand when it comes to social engineering and infiltration.
Women are a force multiplier when used as part of a testing team as there are many situations and pretexts which they can leverage with more successful results than their male counterparts. This is not to say men are not equally as valuable, but from the perspective of a hostile attacker – which is what a testing team aims to adopt – it is important to use biases as an advantage. For instance, although female electricians may be commonplace, using a female as part of an electrical testing pretext is likely to make her more noticeable; the aim, though, is to be as covert as possible, so in this case, a male would be a better choice. In PPT everyone will utilise their strengths and life experiences to maximum effect. An example of where women are more likely to succeed is in tailgating – women have a much higher success rate because even if they are noticed, they are far more likely to be accepted as someone who just accidentally set the alarms off than a man would.
Female Strengths
Unconventional Tactics: Physical breaches often involve social engineering, manipulating personnel or exploiting gaps in procedures. Women can bring a unique perspective to these situations. They are often adept at building rapport with staff, receptionists or security guards in a way that disarms suspicion. They are also particularly good at creating distraction tactics.
Communication and Collaboration: A successful PPT project requires clear communication. Women are often skilled communicators, and excel at fostering a collaborative environment, encouraging open communication within a team and helping to reduce ego-driven decision making.
Diversity of Thought and Problem-Solving: Effective testing requires a multifaceted approach. Women often bring different problem-solving styles and strengths to the table. This diversity of thought is vital for uncovering a wider range of vulnerabilities and crafting creative attack scenarios that a homogenous team might overlook. This variety of perspectives leads to a more comprehensive security assessment.
Lack of Representation: Historically, women have been underrepresented in fields related to security. This lack of representation can contribute to the perception that women are less likely to be involved in suspicious or criminal activities. Therefore, even when security staff are aware that testing may take place, they often become fixated on males over females, allowing the latter to still gain entry. This can be especially useful in later staff debriefs.
Where Are the Women?
So why are there not more female pen testers? Until fairly recently, physical pen testing was seldom advertised. It was something that people often fell into after various careers, typically in the police and services, and was only demanded by organisations with executive support for a truly robust security strategy and the associated budget. However, many people ranging from managers to executives responsible for an organisations security are now aware of the benefits that testing can bring to the organisation and the demand for qualified, experienced and vetted testers has increased exponentially, and shows no signs of abating.
In turn there are now a range of security training providers offering PPT courses such as Optimal Risk and HZL, both corporate sponsors of the Security Institute who offer a very comprehensive Level 4 PPT (RQF), OFQUAL-regulated course which teaches the necessary skills and is suitable for people who don’t have a previous background in security. Holding such a qualification is becoming key for entry to the world of PPT.
Diversity is the future of physical pen testing and the most successful way to identify and mitigate security vulnerabilities, improve security culture and create stronger business resilience. So to the women out there thinking of getting involved, please do: you’ll find that you’re a greater asset than you ever previously thought.
