I make toasters

Posted on 2019-12-23 by Matt Strahan in Business Security


In the beginnings of my career in security, I spent a long time on the technical side as a penetration tester. I was a hacker, tasked with breaking into their websites and networks, trying to test their security. Although sometimes that job can be like banging your head against a brick wall, when you get in there is definitely a rush that comes with it. When something you try works, there’s a feeling of exhilaration and victory.

I knew why I was doing it. It was fun, and I was getting paid for it. I lived for that thrill of getting in.

Being focused on what I was trying to do, I wasn’t really looking to see why the customer was getting me to do it. Why were they getting me to hack their organisation?

Security professionals early in their careers will say something like “We will try and find vulnerabilities in the website, and give you recommendations on how to fix them.” This is accurate, but it’s the “what we do”, not the “why we do it”.

Somewhere in their careers many security personnel take a sales course which talks about seeing things from the customer’s perspective. The sales course will tell them to ask about the customer’s problem and to talk about how your solution will help. Having this brand new view of the customer’s perspective, they will go to a customer and they will then say “we will help you be secure. We will make sure the bad guys don’t get into your systems and get your data.”

When they are going to get their CISSP or CISM, they may take another step back and talk about “managing risk” or even “corporate governance”, and discuss how the vulnerabilities are put into risk registers and actioned.

Is that really why the customer wants the test though? Does the organisation want to have fun and find vulns? Is the organisation in it for the risk management? Does the organisation even want to be secure?

Let’s take a hypothetical customer named Greg, who has called in for a penetration test. He runs a company that makes toasters.

If we’re chasing the “why”, we’ve got an interesting question. What made Greg want to call in a security company? How does that tie in to the success of the company? What does “success” even mean for that company?

Chances are, Greg doesn’t come into work thinking “I would like to find security vulnerabilities” or “I would like to manage risks.” Why would he? That’s not what his company does. His company makes toasters. Anything that the company does would be towards the goal of making and selling toasters. Success for this company would be making better and cheaper toasters, and selling more toasters to customers that desire to buy them.

Even the security issues that have direct financial impact really just tie into the organisational goals which the finances are there to support and fulfil. Without the capital and investment, the company can no longer make and sell toasters.

It’s a simple idea. We can rephrase the objectives of our security work and work towards the company goal.

  • “We find vulnerabilities that could be used to impact your customer channels and make your customers not want to buy your toasters.”
  • “We manage the risks that could stop you from making toasters.”
  • “We will help you so that when something stops you from making toasters, you will soon be able to make toasters again.”

Really it comes down to one thing:

  • “We will help you make toasters.”

Interestingly, I helped the company that made my toaster with their security needs. Maybe I should look over there and say “I helped make that toaster”. Just like I helped provide legal advice, lend out money, keep the power on, educate people, and heal the sick.

In building Volkis we have tried to keep this in mind. We provide security services for a reason - whether it’s building a security strategy or performing penetration testing, we are there to support the organisation in doing what they are there to do. We help make toasters.


About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.
