Original Research

Locks & Leaks

Risk, resilience, and red teams! Promoting and supporting the Physical Red Teaming profession, along with articles, tutorials, and stories about physical security, red teaming, and security risk management.

This is Part 2 of Build it or Buy it? Establishing a New Red Team (Click to View Part 1)

Decision Factors

There are a number of factors that should help you decide which model to use when establishing a corporate red team, or when deciding on how to approach a specific engagement:

  • Trust (Existing): How much do you trust your red team vendors?

  • Trust (Needed): How much trust is needed for a specific red team assessment? Do you have exceptionally valuable assets that outsiders cannot assess?

  • Vendor Talent: Do you have vendors that have the skills to conduct the assessment you need (i.e., are the vendors capable)? Conversely, do you have vendors with specific skill sets needed to test a specific control?

  • In-House Talent: Do you have the skills, numbers, and experience in-house to conduct the assessment(s) that are needed for your organization?

  • Cost: What does it cost to outsource the red team assessment, and what does it cost to bring it in-house? What additional benefits do you get in each scenario? Note that you should get quotes from a wide array of vendors when pricing an assessment. I have seen a 7x difference in proposals for red teaming the same site ($50k vs. $350k) depending on the vendors you work with. I’m happy to help you scope an engagement as needed, at no cost, just reach out.

  • Bureaucracy: Does your company have an exceptionally high bar for onboarding new vendors? Is the headcount approval and hiring process so lengthy and painful that your time and money would be better spent working with vendors? Consider the pros and cons of each option based on the strengths and weaknesses of your corporate bureaucracy.

  • Existing Resources: Do you have existing vendors that are capable of conducting red team assessments? What about existing personnel or teams that could be repurposed part or full-time for this role?

There is no universally correct model for how an organization should conduct red team assessments. I recommend experimenting with several of the above approaches until you find something that works well. If you are creating new red team capabilities for your entity, I recommend you follow these steps:

  1. Determine your model. Will you build an in-house team, hire consultants, leverage students, or use one of the additional red team models listed above?

  2. If you plan to hire an in-house red team:

    1. Review the previous job descriptions and write a clear, concise job posting that attracts diverse talent.

    2. Connect with someone who has hired physical security red teamers. I can provide some assistance, but you will be better off if I connect you with other red team managers who are better at finding, interviewing, and hiring talented people than I am.

    3. Create an operator growth plan and ensure you have sufficient budget for training, conferences, and certifications.

  3. If you plan to hire a red team vendor:

    1. Speak to multiple red team vendors and assess their strengths, shortcomings, prices, flexibility, and understanding of your business and security needs. Determine how they deliver findings and whether that matches your company’s needs.

    2. Benchmark with peers. Many public and private entities have full or part-time physical security red teams, and even more contract these assessments with vendors. Speak to industry peers and see which vendors and types of assessments they recommend.

    3. Brief the vendor on your needs and sensitivities. Determine whether you are attempting to Capture the Flag or escalate until caught.

    4. Work together to create Letters of Authorization for the assessment.

    5. Repeat with multiple vendors to see different findings and leverage their different skill sets.

Ultimately, standing up a red teaming function is not difficult or complex, but it does require time and attention to detail. No matter your situation, someone has probably tackled similar problems. Seek them out, expand on their successes, and learn from their mistakes. Read more, benchmark with peers, and ask for help from red team leaders focused on maturing the physical security red team profession.