
Edit 2: after seeing the replies, my revised advice is to schedule a cheap pen test (can be done in less than a week for less than $2k) and tell the client “Our next pen test is scheduled for next week”. Doesn’t need to be harder than that. Pen tests for satisfying compliance requirements are easy, cheap, and quick.

-

My advice: get on the zoom call and when asked about the pen test, repeat something like “we have a security policy in place that obligates us to do penetration testing at least annually”

(Assuming you have such a policy. If you don’t, then you and your company are out of your league selling to governments)

Assuming you have a basic set of security policies (almost all of which will say you’ll do pen tests annually), just repeat the line like “we have a security policy in place that obligates us to do penetration testing at least annually”

And if you’re asked again more specifically whether you’ve done one in the past year, don’t answer directly and repeat the quote again.

The key here is to say the maximum amount of (positive for your company) truthful information and deflect or redirect away from questions where the truth would hurt the sale. Engineers often have trouble with this because most engineers have a tendency to want to answer questions directly and literally.

And, make sure the sales rep is in the call. If the client backs you into a corner and you don’t know how to redirect or deflect, then you hand the baton to the sales guy.

Edit: Or, just do a freaking pen test. You can get one done in less than 2 weeks for less than $2k.



I would go with, "I was not involved with pen testing, but <director> has assured me that it was done."

But really the right thing to do is to have a conversation with the director where you tell him that you want to support the company as well as possible, but saying that a pen test happened is not something you can do. You want the director to feel that you are reasonable and supportive, but realize that they have to find someone else to claim that the pen test occurred.


Why be misleading? The directors clearly want him to be a scapegoat. Just get on the zoom call and say you've never done pen testing, and your director lied to them. Also look for another job; this one has a short lifespan remaining one way or another.


Telling the truth isn’t misleading.

If you’ve read questionnaires from Jira, AWS, etc, you’ll notice their answers rarely answer the questions directly.

Google Jira’s public CAIQ for an example.


You can 100% tell the truth and be misleading. And why should this person put in that effort? The directors will throw them under the bus in an instant, and in fact are probably planning on it.


Your advice is to lie by omission after lying by commission?

That’s blatantly unethical, if not illegal.


My advice is to answer the questions politically instead of literally.

Compliance people (on the other end of the line) actually like this in many cases… literal answers can make their jobs harder than politically worded (but not untruthful) answers.


Your advice is to mislead and obfuscate to maintain a lie.



