Have you heard the term “Scope Creep” before? Chances are you haven’t, because it is one of the most commonly overlooked things to be mindful of in Information Security / Cyber Security.
What is “Scope Creep”?
Usually during the pre-engagement phase of a Penetration Test, while you are defining your contract, you set aside a block of hours that you believe is the right amount of time to properly test your client according to the SOW (Statement of Work). The systems named in the SOW, and the block of time budgeted to test them, are considered the “Scope”.
Scope creep is when a client says to you, “Oh hey, while you are here, can you test this ________ also? It’s something we forgot to include in the initial engagement.” And trust me, this happens more often than it doesn’t. Most Pentesters are so happy to have landed another contract that they work harder to oblige the client, and fold the extra work into the already existing scope of work.
But here’s the thing: aside from the legal problems this can pose (the added system is not covered by the written authorization you signed, so you have no documented permission to test it), it will eat up more of your pre-determined block of time (scope), and you will find yourself working longer, thus decreasing profits. Now, if you have been enrolled in our Penetration Testing for Beginners course, you will know that I constantly bring up this issue and warn that you should never work for free. In fact, there is a way to hit the ESC key on this common debacle while still meeting the client’s request.
Escaping the Creep:
One successful way I have found to do this is to approach your client in a manner that makes them aware that you want to help, but that you also need to get paid extra. For instance:
“No problem Mr. Customer, I certainly understand. So what I will do is have a separate Statement of Work drawn up to include the added time and resources that will go into testing the additional resources you mentioned. Once we get that signed and returned back, we will go ahead and work that into the schedule. Where should I send it, to your email?”
You should never, ever work for free. There will never be any benefit to it; in fact, most clients will take it as a sign of weakness, and for the rest of your business relationship they will always seem to have “forgotten to include that” in the statement of work. It’s a serious trap. Don’t fall victim to it.
So by now, I hope you understand how Scope Creep can negatively impact your time and resources, and how to effectively hit the ESC key in a manner that makes your intent clear and concise.
If you have enjoyed this article, please share it with your friends and colleagues.