Want to know how good your company’s cybersecurity is? Hire a hacker. 

“You need to prepare. That means training. That means practicing,” said Matthew Simmons, Head of Vulnerability and Patch Management, Technology Executive at Wells Fargo. Simmons encourages organizations to use what are known as “red teams”—ethical hackers you bring in to see if they can do what you hope they can’t. 

“We use our trusted hackers, our red teams, to really test us and push us so that we learn from it, and then we can go back and adjust the plan based on what we learned,” Simmons told Nacha’s Payments SmartCast podcast. And since there’s always a chance that a hired hacker will be successful, Simmons suggests setting expectations in advance with management and making clear that “we’re doing this to improve ourselves”.

Of course, that assumes you have a plan. For those who don’t, Simmons stressed that the time to call a cybersecurity pro is not after a breach occurs, as has happened in the past. The time to call is way before, to make sure a breach doesn’t occur. 

“I’ve seen the cybersecurity landscape change over the years. It really has gone from reactive, to how do we put defenses and controls in place to mitigate that and prevent it from happening in the first place,” said Simmons. 

“Have a plan. Build your plans. Test your plans. Because you don’t want to be trying to make the plan up on the first time that you have some type of event.” 

Much more was discussed, and you can listen to the complete podcast below.