CISO-turned penetration tester: “It’s not about your satisfaction.” Tester tells CISO informally about security shortcomings but not in formal report that goes to auditor. “Tell me verbally what’s wrong and don’t write it down,” she says. But, she says, doing so saves a lot of help desk and employee time and is a good risk-business tradeoff. Tester: Problems present less of a risk to organization than the time it would take to fix them is worth.
Source: https://www.csoonline.com/article/2129291/defcon–the-security-penetration-testing-quagmire.html

