It’s no secret that the current job market is brutal for job seekers. As a professional with 14 years of technical security experience and 18 years of general security experience (if you count sitting behind a machine gun), I am not immune to the challenges of today’s job climate. It’s because of this climate that I have returned to consultancy as a bridge to my next role.
I knew I did not want to “hang my own shingle” because one factor making the market rough right now is the oversaturation of vendors in the security services space. This sent me on an adventure to identify partners to work with, and that’s how I found Wolfpack Security.
Wolfpack is a boutique consultancy founded by JJ and Clea in response to the volatility and problems inherent in today’s security services market. The TL;DR is that the market, being stuffed to the brim with vendors, means consumers have the leverage and are spoiled for options. For vendors, this means constantly fighting to establish relationships in an environment that has been artificially forced to be hostile by specific trends:
- Racing to the bottom by commoditizing specialty services
- Becoming dependent on recurring programs
- Compromising brand differentiation to close deals
I ultimately chose to support Wolfpack as an advisor and consultant, so obviously take my next statements with as much of your sodium of choice as you prefer, but I did so because, as I got to know the team and their services, I found some things I was not expecting.
But first, a trip down memory lane for context…
If you rewind 14 years back to 2011, I was a brand-new baby Penetration Tester at a then-very-small but now very well-known compliance-focused organization. That company’s claim to fame was its incredible commitment to a very narrow set of services and specialties. Many of their leaders literally wrote the standards that they assessed against. That company is now very well-known and successful, despite having broadened its portfolio in recent years.
Skipping forward a couple of years, I was at Accuvant (now Optiv) in the Accuvant : Labs business unit. This unit was well-known for having some of the best of the best technical folks; many were recognized for having laid the initial foundations of offensive security testing. This was also a wild success story, with team members eventually going on to found incredible security companies like Atredis, Cylance, and others.
The story repeats once more when I joined iSEC Partners (now NCC Group), where their specialty was in AppSec, specifically focusing on West and East Coast software startups. Once again, they built a brand on a specific set of skills and a high level of execution that was widely respected.
…Meanwhile in the present.
The moral of this particularly long-winded story is that from 2011–2017, it was not only possible but a well-known pattern to set up a laser-focused, specialized practice, lean into that narrow vertical, and use the fact that you had the best people as reliable marketing. Today, due to increased access to information, the popularity of the field, and the ever-growing risks of cybersecurity, “having the best people” isn’t special. Neither is “having a very particular focus.” What is special, however, is having both of those things while also understanding the business why for engagement—and the importance of how testing is executed. This continues to be a very buzzword-heavy unicorn.
I have been a consumer of security services since 2017, and over the last eight years I can say that the single thing that has driven me away from using a vendor is a demonstration of a fundamental lack of understanding, partnered with an absence of genuine curiosity. Every vendor I do not want to work with says some version of how amazing their process is and how it will solve all the issues I have expressed to them—before they have even taken the time to really understand the unique qualities of our organization.
When I asked Wolfpack what makes their services great, their answer was that thing I mentioned four paragraphs ago that I wasn’t expecting.
They told me, “Everyone has amazing people, and anyone can offer dirt-cheap services. We start with our clients’ problem statement and go from there.”
That statement stood out to me, and it has rung true as I have looked closely at their services. Wolfpack can do all of the things a good security consultancy can do, but how they do it is the secret sauce. It’s not some special proprietary tool but rather their starting point of real curiosity, paired with a desire to understand. Their ending point isn’t just a well-written report but a thoughtful plan for moving forward.
This might not sound flashy and impressive at first, but if we look at this in context: if nearly every good firm has talented people, can offer most of the same base services, and price ranges wildly across a spectrum, then innovation in the realm of what a company offers is pretty limited. If you look closely at the output of consulting services, the how is what really determines if you want to continue working with them:
- How the report is written and structured
- How well they understand your systems
- How they manage the project
- How they communicate
- How…
This is where Wolfpack excels: in the how of their engagements, bringing a competitive level of technical execution and services with an exceptional level of attention to ensuring the project meets the desired needs and truly addresses the core of the customer’s problems.
This might sound simple but like the old sayings common sense is not a common virtue this is another example of where the obvious is not the usual. It is for these reasons I am excited to be doing work for and through Wolfpack as a brand that embodies many of the features that I specifically looked for in a vendor.
