Problem
What is your stance on using a penetration tester that used to be a 3rd-party vendor to the organization? Do you see this as a benefit or a waste of money, knowing they have all the inside information? In addition, how often should organizations rotate their pen-testing consultants? Citizens Mutual is embarking on our 2nd test and I don't want to use the same company as last time. It was mentioned by upper management to use an organization that already has 3rd-party access. I am dead set against it but am being overruled by management.