Skip content

Why you never pass or fail a TIBER test

It’s impossible to totally eliminate the risk of a cyberattack. No reputable cybersecurity company could give that assurance. For the same reason, you cannot simply pass or fail a TIBER test.

In fact, it would pose a higher risk to state you’d passed as you might take no further action.

Complacency in cybersecurity is risky.

Protecting your organisation from cyberattacks should be continual. And it must be specific to your risk profile and particular operations. As attacks become more sophisticated, so must your testing to keep one step ahead.

If you cannot pass, how do you understand your cybersecurity?

Before conducting TIBER, your level of acceptable risk must be clear. And your regulator’s risk appetite. Only then can you ensure you’re operating at a level of risk you’re both comfortable with.

Your risk profile might be entirely different to another organisation. What is critical for you to address might be a minor concern for another.

TIBER testing provides an organisation-specific professional opinion. Post-testing feedback focuses on what your providers see, think, and recommend.
This is far more valuable to you than a pass.

People are the weakest link

It can be tempting to keep TIBER testing local. A familiar provider in the same country can seem reassuring.

If timelines are tight, engaging an existing provider will be faster than appointing a new one. They’ll already know how you operate and won’t have language differences or limited cultural insight.

But local testing providers are, by their very nature, smaller operators. When handling live TIBER testing, this poses risk.

Generally, local operators have less testing experience, smaller teams, and fewer qualified individuals. Also, their knowledge of cybersecurity beyond finance could be limited. This might not seem significant, but they’ll lack the broader insight of new and emerging risks financial organisations and their regulators are yet to consider.

A local TIBER tester could seem like the safest option. But you might find it’s a higher risk choice.

Why global means better risk management

By their very definition, global TIBER test providers operate in many countries - just like many financial organisations. In fact, organisations often hold data in a handful of geographic locations. Engaging a provider experienced at handling cross-border issues is a big advantage.

Safely moving data between countries requires knowledge of local laws and legal requirements in various regions. Global providers have more experience of this, so your risk is thoroughly managed.

In addition to multi-country operations, larger providers have multi-industry and multi-testing experience to draw from. Working across a much wider landscape, their exposure to risk will be greater. Only by experiencing risk can you become proficient at managing it.

Smaller operators might be able to handle high risk in theory, but have they ever experienced it? Nobody wants to be a guinea pig.

When carrying out TIBER testing, a big hole is effectively punched through the defences of the financial organisation – in a live environment. Should the provider not secure that hole for its exclusive use, the vulnerability remains open for third parties to infiltrate and do incredible harm.

The risk is very real. Your TIBER test provider must demonstrate sufficient experience in operational security to keep your organisation safe during all stages of testing. Global providers are more likely to have larger, higher qualified teams who’ve handled this level of risk many times.

Get more value from TIBER testing

Carrying out a TIBER test is one part of the service you’ll require. Granted, it’s a significant one. But how will you interpret the results and get the greatest value from your investment?

Choose a provider who will project manage your testing from concept to action plan.

The results, in isolation, are of limited use. Your value comes from understanding them and determining what mitigation and future actions you must put in place.

Written in technical language, your corporate team might not understand ‘raw’ test results. When your project is fully managed, your attack manager delivers the findings in meaningful language everyone understands. They’ll highlight risks and recommended actions alongside plenty of guidance and support.

Testing providers who manage your project will ensure the output matches your regulator’s expectations. That means working with a fit for purpose TIBER framework and within the boundaries required.

Regulators will also want outputs they can directly compare with other test results. Only then, can meaningful conversations be had, heightening cybersecurity across the global finance sector.

8 questions you should ask prospective TIBER test providers

For most, shortlisting TIBER providers is not an everyday activity. We’ve put together eight questions you should ask every provider you’re considering. By doing so, you’ll identify the best one for your financial organisation.

  1. What testing experience have they got?

Understand their testing experience in the finance sector but ask about experience in other industries too. It can significantly widen their cyber risk knowledge.

What types of testing have they carried out? Have they completed live tests (CBEST is another well-known live testing framework)?

Ask about their cross-border experience – especially if your organisation operates in many countries.

  1. What qualifications have their team got?

Assess the people you’ll be working closely with. Not just attack specialists – consider intelligence managers and attack managers too. Are you confident of their qualifications and experience?

CREST established a series of qualifications for CBEST providers to achieve. No such qualifications are currently necessary for TIBER testing, but qualified individuals will reduce your risk.

  1. Can you speak to other organisations they’ve worked with?

There’s nothing better than understanding how the provider’s testing helped other financial organisations. Take time to plan a couple of conversations.

  1. What insurances and risk management procedures do they have in place?

How will they manage the risk of a live test? How will they keep your organisation safe from outside attacks during testing? Do they security-check their staff to ensure safe practice?

  1. What schemes are they members of?

Shortlist providers who are members of (or familiar with) schemes that matter to your organisation. Your regulators will welcome this assurance. Also, look for general cybersecurity schemes that add credibility. Common schemes include:

CBEST: UK finance

GBEST: UK government

AASE: Singapore

iCAST: Hong Kong

FEER: Saudi Arabia

CORIE: Australia

  1. Do they understand the legalities and ethics around TIBER testing?

The TIBER framework can use technology, processes, and people. Knowing what’s legally acceptable in your region is important. Operating ethically is also crucial, especially when using people.

  1. How will you receive your results?

Ask for assurance you’ll receive your results in language your team understands. Simply receiving the technical reports limits the value from your testing.

  1. How will they help your organisation after testing?

If you do nothing with your test results, you lose huge value. And yet, the results can be hard to interpret on your own.

Understand the support you’ll receive after testing is complete. Will they help you understand the outcomes? Will they help you formulate a plan?

Your greatest value lies in post-test planning and action. By having sufficient support in this area, you’ll develop the strength of your organisation.