If an internal security assessor faces resistance from legal regarding social engineering tests, what is a recommended action?

Study for the GIAC Secure Software Application Programmer (SSAP) Test with our interactive quizzes featuring multiple choice questions, detailed explanations, and strategic insights. Prepare effectively and boost your confidence for exam success.

In situations where an internal security assessor is facing resistance from the legal team regarding social engineering tests, running a test assessment with legal for their buy-in is a prudent action. This approach facilitates a collaborative effort to understand the concerns and requirements from the legal perspective. By involving legal in a preliminary assessment, the assessor can demonstrate the value and importance of social engineering tests in enhancing overall security posture while also addressing any legal considerations that may arise.

Additionally, this collaborative approach helps to establish trust and open communication between the security team and legal, which may lead to a better understanding of the risks, requirements, and potential outcomes of the tests. Addressing legal concerns proactively can assist in ensuring that the testing aligns with legal standards and organizational policies, ultimately fostering a more effective security strategy.

Engaging legal in the process also allows for a more informed discussion about the ethical implications and regulatory requirements associated with social engineering tests, which can be crucial in gaining their approval and support.
