Posted on 2022-04-13 by Matt Strahan in Volkis News
When building a cyber security company there’s a question we have to keep front of mind at all times. What value do we bring as a company? It’s one thing to just say “yes of course we provide value as a company” but for me I’ve tried to make an actual list. I’ve put up the results of this up in a new handbook page.
This exercise is more than just a bit of a boost for our egos. Rather, it’s a genuine component of the consulting model - of the business model that Volkis fits into. Whenever we have an engagement, there are three parties that come into play. They are the client, the consultancy, and the consultants themselves. The value of the consultants’ time is obvious: they perform the work. They find the security vulnerabilities in the systems that are being tested or find the ways the system might not be up to spec.
Why would the client not just contract someone out directly or employ their own pentester? If we don’t provide actual value then what’s the point? Thinking about this question directly has helped me solidify in my mind what we need to do well as a company and helped build our business model.
The bare minimum that consulting companies can do
I was looking around the industry with this question in the back of my mind and realised that the only thing a lot of companies actually provide is a simple connection between client and consultant. They’re sales companies or body shopping companies with a fancy brand, not providing value themselves apart from being a slightly more personalised version of Airtasker or Seek.
This isn’t something I’m necessarily saying critically - if companies are upfront about this service it is a valuable service to have. Sometimes a client doesn’t actually need more than a skilled person to do work that needs to be done and that’s okay.
Where I become more ethically dubious is where companies dress what they’re doing up as more and pretending to provide more value than they actually are. They dress up their services as if they provide all the rest of the value but really they may only provide the basic legal protections and the client hookup.
What’s the rest of the value that Volkis provides then?
The new handbook page goes over in detail these additional parts of the value that Volkis as a company provides:
- Support from the team
- Training and mentoring
- Capability
- Capacity and coordination
- Reputation and quality assurance
- Effective and efficient workflow and systems
- Stability, HR, and additional employee benefits
- Risk management, legal protections, insurance, and limited liability
That’s a lot! It’s as concise a list as I could make while still getting out what I wanted to say. I’d like to highlight a couple of the sections in this post to show what I think we do well.
Support from the team
Penetration testing and cyber security consulting is an incredibly hard job. A consultant might come across any of the technologies in the huge gamut of IT and suddenly be expected to learn enough about the technologies to be able to manipulate them. All of this technology is constantly changing in a way that makes it a version of the Red Queen’s race, where you spend all of your effort just trying to keep up. This is an imposing thought for anyone going into the field. To be able to cope you need to be able to lean on the rest of your team.
With a good team there’s going to be other members who have experienced the technology or situation before. They can provide help, advice, or even active assistance. Team members can be used for brainstorming and ideas - just explaining your problem to someone rubber duck debugging style can help break through.
When you’re engaging with Volkis you don’t just get the services of the consultant that you’re directly working with, but they’re instead backed by the skills and capability of the entire team. Without this support, the consultant might just be left spending all their time trying to keep up.
Reputation and quality assurance
When a client engages a person or company to provide cyber security consulting, there is a lot of trust that the client has to place in the consultants. This could even include providing direct access to the internal network, permission to hack their systems, and even administrator credentials and direct access to the most sensitive information and systems the organisation has.
This trust is such a key part of testing that recently Singapore introduced a licensing scheme for cyber security consultancies.
In addition to all this access that the organisation trusts will not be abused, there’s the simple thought of “has the consultant done the job properly?” When there’s only 5 vulnerabilities found, is that all there is or is there another 20 that have been missed?.
At Volkis we bring our reputation as an organisation that we’ve built with the delivery of high quality work. We do this with trained employees, great processes, and quality assurance. We also use transparency as a way of building our trust with clients and our reputation. It forms one of our key Volkis Values. We have our open handbook complete with methodologies, guides, processes, policies, and procedures that our clients can freely browse. We also open source tools on our Gitlab account which also shows some of our work in improving security toolsets and processes. This “what you see is what you get” puts aside the uncertainty that acts as a barrier to building trust.
Putting it all together
This list is something I’m intending to maintain and read every once in a while. It’s already helped align my mind in what we need to do well and I feel that thinking this way can help us succeed both as an organisation and in helping our clients.
The new page is called “What value does Volkis as a company bring to penetration testing?”. Like everything in our handbook, you’re able to give it a read yourself. If you think of something that isn’t listed there but should be you can put in a git merge request!
About the author
Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.
Photo by Ian Schneider on Unsplash.
If you need help with your security,
get in touch with Volkis.
Follow us on Twitter and
LinkedIn