When “the tail is wagging the dog,” you know that something has gone wrong. Priorities are not straight, and a part of the system does not understand its role. Providers of offense-oriented security services, such as penetration testing and red team engagements, often make draconian recommendations. In pursuit of least effort, these recommendations often wind up impacting your ability to do business. You should ask yourself: Is this vendor acting like a partner in my business? Or are they making recommendations that could inhibit my organization?

We often review clients’ previous penetration testing reports to give them advice on moving forward with better testing and security practices. These reports, provided by security vendors of all sizes, often include completely unrealistic advice. On more than one occasion, we have seen recommendations that an organization disable DHCP, a protocol that is usually critical to its ability to connect computers to the network. This is a misguided attempt to prevent “rogue” devices from connecting: a device that is plugged in without authorization can simply be given a static address, so it gets on the network anyway. In most organizations (including these specific clients), removing that protocol would have incurred a significant amount of effort, with little gain in security. If the recommendation were blindly followed without planning, it would have caused the network to fail.

As a fun exercise (or late April Fools’ prank), ask your IT staff what impact disabling DHCP right now, for “security purposes,” would have on the network. You’ll likely detect some amount of terror in their faces. If they have a sense of humor, they may respond with something like: “You’ll be perfectly secure, because within a day, nothing will be able to connect to the network.”

Unrealistic recommendations extend past the technical realm. Many security testing vendors make recommendations that put too much responsibility in the hands of individual users. While users need to be aware of security policies and their importance, most do not have the technical background needed to confidently evaluate the safety of every single email they read or website they visit.

Techniques for identifying phishing attempts and other attacks are covered in user training, but they are not foolproof. Not all hackers and scammers use poor grammar or make obvious attempts to convince users to download malicious software. An end user cannot be expected to be both the first and last line of defense for an organization. Realistic and useful security practices and monitoring must acknowledge and account for the eventual compromise of individuals’ workstations.

Recommendations that are not actionable are essentially useless. After all, extreme recommendations like “turn it off!” will make most things secure, but not functional. Realistically, good cybersecurity measures will likely be an inconvenience, but they should not prevent you from operating. You may add steps to the process of logging in. You may have to task IT staff with finding alternatives to practices and software that are found to be insecure. You should never, however, get a recommendation from your security testing provider that prevents you from doing business. Availability is as important as the other basic tenets of security, confidentiality and integrity.

Bottom line: If it sounds like it’s not actionable, it may be time to get a second opinion from another vendor that has a more realistic approach.