Business partnerships in infosec

Posted on 2020-05-08 by Alexei Doudkine in Industry


Partnering with other businesses is a huge part of the Volkis business model. We spend significant effort finding, talking to, and proving our worth to potential partners. But why do we do it? It goes back to one of our core principles:

Do what you love

This motto is the reason we don’t sell products or do IT managed services for our customers. However, we don’t want to outright dismiss a customer asking us for security products, engineering, managed services, programming, business consultancy or incident response. That wouldn’t be helpful. This is where business partnerships come in. We leverage our partners who DO enjoy those other parts of security and recommend them to our customers.

The inverse is also true. Because we specialise in security services, partners who lack that capability come to us as their trusted provider. Even in our short lifetime as a company, we’ve proven this works.

But why is it so important? Why can’t companies just start their own pentesting teams? This is what I want to explore.

The chicken and egg problem

Let’s say you decide you want to start a pentesting team. What is the first step? Find a pentester, of course! But who’s going to interview them? No one in your company knows much about hacking or pentesting, because if they did, you’d already have a team. One of two things will happen:

  1. You get lucky and find someone who is highly experienced with the rare set of skills required to do the work and grow the new business unit.
  2. You thought you got lucky, but in fact the new hire isn’t up to scratch. Unfortunately, you don’t know that yet, and it could take several months for you to figure it out. The worst case is that your new service offering is subpar and damages your business’s reputation.

I have been in the industry a while and have sadly seen the second outcome happen a lot (not just with pentesting teams). You need to decide if the risk is worth it.

Capital

Continuing our fictional scenario, the capital cost of the initial setup is an obvious factor. The good news is that software products and infrastructure are relatively cheap. Salaries will be your major cost, and that brings me to the less good news. The time and effort required for the initial setup can be significant. Consider just a few of the mandatory things you need to create before even starting a single pentesting project:

  • Report template
  • Methodologies
  • Risk assessment guidelines
  • Sales training
  • Proposal templates
  • Data security considerations & implementation (You really don’t want to be hacked for data on how to hack your customers)
  • Project workflow

I would call these minimum requirements; sacrificing any one of them significantly reduces the chance of success.

Operational costs

This is where the real cost of running a pentesting team can sneak up on you. Let’s say you really want the pentesting team to succeed, so you’ve thought about what the ongoing expenses are. Let’s list some of the obvious ones:

  • Software licenses
  • Laptop refresh

That’s it, right? What else is needed to keep doing pentests? Well, if you actually want your team to be happy, quite a lot:

  • Yearly training budget
  • Hardware budgets to buy new tech
  • Lab infrastructure + maintenance
  • Team days (we call them presentation days)
  • Maintenance of assets (report template, processes, etc.)
  • Supporting licenses (stuff like Microsoft 365, Jira, whatever else your company gives all employees)

Again, these are minimum cost requirements for a decent team to function properly.

Hackers are hard

I have been a hacker and someone who leads other hackers. I learned the hard way that some hackers can be difficult to manage. We are a stubborn bunch with pretty unique values when it comes to jobs. For example, many hackers I’ve spoken to will value quality of life over any amount of monetary reward. We crave interesting, diverse work that challenges our problem-solving abilities. Doing just web app pentests all day, every day will not suffice.

Training and improvement are essential as well. Not improving is going backwards. The aforementioned training budget helps but isn’t enough to keep someone engaged. A training plan, unique for everyone, is usually needed for a pentesting team, which requires significant effort and expertise to create.

Freedom and autonomy are also very high priorities. This means that if your company doesn’t allow flexible work or uses very rigid processes, your pentesting team will either be unhappy or will distance themselves from the rest of the company – something I’ve experienced first-hand, with very negative consequences.

Finally, hackers really need to gel with their team. Bad team culture is the fastest way to destroy a pentesting team, which is why hiring the right people is so important. On the other hand, people who gel well are usually very loyal to the team. The irony is that what makes hackers good at what they do also sometimes makes them hard to work with.

Is this still something you want to do?

After reading all that, if your answer is “yes”, absolutely go for it! But be cautious and be aware of your new team’s needs. Both Matt and I have seen entire teams get up and leave in the space of a few weeks when things go wrong. Don’t be yet another company this happens to.

Otherwise, if you’d rather not have the headache, consider partnering with a business (like us) that has a good reputation to fulfil the pentest and other security needs of your customers that you don’t provide yourself. If done right, it’s a win/win/win for everyone involved.


About the author

Alexei Doudkine is Co-Founder and Offensive Director at Volkis. Hacker, tinkerer, car modder and dog person, Alexei has been in the infosec game for over 10 years focusing on the “attack” side of security. You can catch him on Twitter and LinkedIn.

If you need help with your security, get in touch with Volkis.
Follow us on Twitter and LinkedIn