To business, pen-testers are like jumbo-jets...

...profitable only when in the air, expensive when in the hangar. Second in the 'things no pentest course will teach you' series, this post talks about how business looks at pentesters, and what a pentester needs to keep in mind during their career.


This is part of a series of posts; the first one is here.

Here’s one way of looking at the flow of money in a company (this is a simplified scenario; actual accounting is more complex):

  1. Company bids for and wins a project.
  2. A team is allocated to work on the project.
  3. For the entire time that the team is working on the project, their salaries, the cost of the tools used, any logistical costs incurred, etc. are earmarked as ‘expenses’ against that project.
  4. After the work is done, invoices are raised to the customer.
  5. When the customer pays against the invoices, the company books the payment as ‘revenue’.

In a business, every hire has to be useful and contribute to the business in one way or the other.

Pen-testers are useful when they are deployed on a project. That’s when a pen-tester’s salary is offset against the invoices raised on projects (salaries are one of the biggest entries under the ‘opex’ heading in a balance sheet).

It is a red flag when you are not involved in any project or not doing any pentesting for your company. Here’s how it will unfold:

  1. During business reviews (how much we earned, what the expenses are, what our profit is pre and post EBITDA, etc.), the performance of each business unit (BU) is presented.
  2. If the security assessment BU is not performing, additional questions are asked.

While this happens at the top management layer, middle management also has its own internal reviews. In these internal reviews, each project is reviewed:

  1. If a project has more resources than planned, it gets questioned.
  2. If a project is incurring more cost than planned, it gets scrutinised in detail.
  3. If a project has not raised any invoice since its start, it gets scrutinised.

In a security assessment company, pentesters are among the highest-paid techies apart from the business executives, of course.

The closer you are to the business, the higher the payout will be.

When the company performs, you will be praised for your contributions. When the company doesn’t perform well, everyone’s contributions will be reviewed and re-aligned.

So, ensure that you are always involved and contributing to the business. You can do so by:

  1. pentesting for a customer,
  2. preparing reports for more than one pentest,
  3. mentoring junior pentesters,
  4. writing articles on the company blog,
  5. submitting a CFP for a conference,
  6. actually speaking at a conference,
  7. working towards releasing a tool that helps the company in pentesting projects, or anything else that helps your company execute pentests faster and better.

Strive to be useful at all times.

I believe we all suffer from Parashurama’s curse on Karna. I believe it is so because we are all slowly turning into Karna (believing we don’t get our fair share, then lying to get ahead in life, doing all sorts of bad things in the name of friendship, etc.). But I digress.

Bottom line - you won’t remember all your contributions when they are needed (aka ‘appraisal time’). So, keep a journal of all the times that you proved ‘useful’ to your company.

While down-time is required, nothing beats usefulness.
