Social engineering is not necessary in many cases when performing security assessments
Here's some advice I often give to clients looking at a security assessment. If you want to have a security assessment done at your company for the first time and you think you need social engineering as part of the project, you might want to ask yourself a question first: do you currently have security awareness training in place? If not, then you can almost assuredly bet that you will fail that part of the assessment. So why actually perform that step?
An answer might be that you want to prove to management that security awareness is an issue. That is a very valid point. However, if you have reached the point that management is signing off on a security assessment, my guess is that they have an inkling that your security posture is already in need of help. Most likely you have done some selling and they believe you (either that or they are spending money just because they feel like it, which is not very likely with management). So maybe you can just ask the firm doing the assessment to include a section in your deliverable stating that there is no security awareness and that your company is very likely susceptible to social engineering attacks.
This serves two purposes. It gives your management a recommendation from a third party that you have a gap that can likely be filled to a great degree by security awareness. It also saves you money so you can afford to have other areas assessed that you otherwise might not have been able to cover.
If you find that you need to have the social engineering step performed, try to keep that section light. That means only perform one scenario on a limited number of employees. That gives the proof you need, but it doesn't cost as much to perform.
