You are one cog in the wheel...

The pen-tester is a very important role in a pen-testing business. However, other people and skills are required before the business takes off and money starts rolling in. Read on to know more...


… a very important one, but a few more are needed before a business takes off and money starts rolling in.

This is the first in the 'things no pen-testing course will teach you' series. Here's the introductory post.

A pen-testing (or security assessment) business needs to make money, like all other businesses. A pen-tester is a very important part of that business, but not the only important part.

The other important parts of the business are the following people, with the skills listed below (simplified for brevity, please don’t nitpick):

  1. Ability to convince people to give you a chance
    1. Marketing - Ability to make the right noises so that the market takes notice of your presence
    2. Sales - Ability to meet prospective customers and pitch your services
    3. Pre-Sales - Ability to write a kick-ass proposal that sells your services, with enough detail to convince a customer to hire your company
  2. Project Manager - Ability to plan, schedule, and allocate pen-testers to each assessment.
    1. A pen-testing business needs pen-testing projects.
    2. With each project comes the need for pen-testers.
    3. Multiple projects run in a pen-testing company at any point in time.
    4. This means that if you don’t plan the projects properly,
      1. you may not have pen-testers available for upcoming projects,
      2. you may put fewer pen-testers on a project that requires more,
      3. you may put more pen-testers on a project that doesn’t need as many,
      4. you may not know whether you need to hire more pen-testers or let a few go (as you are not getting any more projects).
  3. Project Lead - Ability to create presentations conveying your findings to a variety of customers at the client business (yes, there is more than one type of customer in each company that you pen-test; more about that later).
  4. Finance or Accounting - Ability to measure whether the (pen-testing) business is gaining money, or losing it. Without this ability, you won’t know whether you are growing, or shrinking.
  5. Recruiters - Ability to identify talented pen-testers and to assist in the overall hiring process.
