I have known Paul Eaton since I joined 7Safe in 2015. In fact, we were both recruited at the same time. We have spent the last two and a half years assisting in the growth of the advanced security testing, digital forensics and training combined brand that is ‘PA & 7Safe’. It’s been a time of whirlwind change in the UK and globally, not least in the data security and data protection space that President Trump calls “The Cyber”.
Paul started out in sales. His role was customer support for our penetration testing clients and much of his first year was spent working alongside the penetration testing consultants (who would scope detailed sales proposals) in order to sell their time and respond to enquiries for that service. He was, and is, a natural salesperson in his work. As a marketer, I always felt reassured when Paul was handling a lead because I knew that he would take it forward to a price quotation and – wherever possible – a closed sale, in his calm, controlled and methodical manner. It never occurred to me at the time that he would want to move into a technical role, so his decision to bring a promising sales career to an end to literally start again from ground level in another discipline as a penetration tester struck me at the time as a remarkably brave move.
Paul Eaton (right), 7Safe Penetration Tester
We all have certain perceptions about technical careers. In the James Bond films, it is hard to envisage any of the obsessively dedicated, fearless engineers and scientists of Q Branch being former salespeople after a mid-life career change. Rather, you can imagine the head of section, ‘Q’, who today is much younger than his predecessors and skilled as an ace computer hacker, to be ‘born to the manor’ so to speak. A double first in Maths, doctoral degrees in technology and the science of cyberspace, and too many years spent playing with a keyboard from pre-school onwards to be anything other than a natural. It’s a classic misconception: that only a minority of the population could consider a work life as a ‘white hat ethical hacker’ – or as the leading industry body, CREST, prefers to term them: penetration testers.
“I had some exposure to the IT world before joining 7Safe,” Paul reflects. “Mostly in first line support work and subsequently my multimedia technology degree. It’s really what I wanted to do with my life. The trouble is, the pressures of financial circumstances meant that I had to take what came along when I needed it. I had my first break in a sales role. The company was a mobile phone provider and the experience taught me a great deal about B2C sales and the customer journey. It wasn’t a particularly technical training though and at the time, I thought ‘There’s no point in crying about the fact that I’m making money, even if it’s not doing what I want to do’. If work was fun, I told myself, it wouldn’t be called work.”
M: What changed that mode of thinking?
P: Simple: I joined 7Safe, the technical services arm of PA Consulting. My role was sales. And it was an interesting job, handling enquiries for our penetration testing services. Initially, I had no opportunity to scope the jobs as they passed through the system but through self-endeavour, I got myself to the stage where I was the first member of the sales team to be able to do this. I worked with the client organisation’s IT manager usually to determine the criticality of the system or application, whether the testing needed to be done onsite or offsite, the approximate number of IP addresses, types of systems involved, pages and parameters for websites and factors that determine the size of the job. Gradually my knowledge developed and I became comfortable establishing what could affect the time that the test ends up taking, and whether or not the testing has to be performed on a live system; or even for that matter a production environment where pentesters need to be especially careful and avoid the use of automated tools with the potential to cause costly disruption to normal operations.
I did this work under the supervision of two highly-skilled senior penetration testers; our head of security testing, Aleksander Gorkowienko, and senior penetration tester, Amir Azam. They taught me the CREST methodology that I would later go on to use. By 2016, I had conducted a large number of scopes in my sales role, so I was already in a position to take my knowledge a step further and start training. In fact, it was obvious to the technical experts at that stage that I was taken with the idea of learning more about pentests than was really necessary to sell our services. So I have Aleks and Amir to thank for spotting my innate talent and developing this.
M: Where do you think that this unusual talent came from – was it in your genes?
P: No, not really. Although my early experiences taught me what I enjoyed the most. When I started playing text-based adventure games, I enjoyed the lateral thinking that was needed that would get me a higher score or move up a level. Unlocking secrets is a key part of the work of penetration testers and you often find the ‘beat the system’ games urge is there early in ethical hackers.
Programming (predominantly with Java) of course was in my degree syllabus as was the history of computing science. Later, I studied web design including ASP, HTML, Flash and databases as part of my degree. Operating systems, notably Linux, which I specialise in now, were fascinating to me then. The only problem was that I couldn’t see a way to use that interest in a challenging career that would also be rewarding. Given the path I had taken, a route into administering banks of servers, coding or system architecture design didn’t seem feasible and were not something that I necessarily wanted to pursue.
I simply didn’t know how to put together the components of my ideal career until I arrived at 7Safe, and then it was fantastic that I found myself selling something as fascinating as penetration testing services as part of a wider service offering. Once I was there in that situation, all the jigsaw pieces just clicked in place. When I told Aleks that I was interested in training to do the job, he put me on 7Safe’s CSTA and CSTP courses to see how I would get on. I passed them both first time and achieved a merit in CSTP. Once I was qualified at that level, 7Safe’s managing partner decided that I was ready to take on a junior pentester’s duties and set about arranging a new contract for me. In the meantime, I carried on scoping pentest assignments, feeling ever more confident with each passing day.
M: So you were on your way to being a fully-qualified and experienced team member?
P: Not quite! Something else happened first, at the crossroads of my career Destiny, so to speak. I was offered a more senior role with another company as their sales manager. When I discussed it with my wife, Robyn, I was torn. If I changed careers in mid-life, it could take a few years to reach the level of earnings that this managerial job presented – even with the support that I had from Aleks and other colleagues to become an experienced penetration tester; a role which would pay the same later, but not now. I am a very fortunate man though because Robyn said: “You must do what makes you happy in the long run.” She was quite right of course, and it’s obvious to me today in my second year as a qualified penetration tester that I made the right decision at that critical moment. Reacquainting myself with Linux has since reconnected me with one of my early passions in the IT world and I can honestly say that the job that I am doing makes me happy to go into work every day. In my professional life, I can hand on heart say that it is the best single decision that I have ever made. If I had taken the other company's offer, my work life would be about achieving monetary targets and I would probably have been feeling bored and unfulfilled. Today, and every working day, I am tackling new and genuinely exciting challenges.
M: What sort of assignments have you undertaken so far?
P: Needless to say, I cannot talk in this interview about the security testing work that we do for 7Safe’s clients; however, it covers a wide variety of technical competencies within penetration testing and has involved web design, retail, ecommerce, banking and finance, technology development, oil exploration, critical national infrastructure, and an impressive range of both large and small corporate and public service clients. My personal favourites are digital technology developers who really value our input.
M: Where will you go next with this?
P: When my skills have developed further and I am fully-qualified through the 7Safe CREST-accredited pathway that we follow, I will be able to classroom train other aspiring penetration testers. Our delegates come from every nation on Earth and from a variety of backgrounds, so you get a sense that we are part of a large global army of ethical hackers. I think that I will enjoy training others when the time comes.
M: What really makes it worthwhile?
P: Perhaps the best bit about the whole experience though is being part of a team dedicated to being the best at what we do, and having the support of my colleagues. We interact together creatively in order to find and exploit vulnerabilities in systems. Together, we push the technology to its limits and discover new ways to attack. Our clients really appreciate this dedication because it means that their systems will be safer and their futures more prosperous. What we do is enormously empowering.
# # #
Would you like to start a new career in penetration testing or develop your existing skills so that you can take on advanced challenges across a range of specialisms? There is a high demand for cyber security professionals with technical qualifications. The Center for Cyber Safety and Education’s eighth Global Information Security Workforce Study (GISWS) in 2017 projected a 1.8 million shortfall in cyber security professionals – 20% higher than a five-year forecast previously published by the organisation in 2015. The research also took a look at the economic impact that the dearth of infosec professionals in the wider UK IT jobs market is having, and found that three-quarters of security professionals are being paid more than £47,000 a year.
If this sounds interesting, read on …
Building your own capability
Education underpins everything we do. We offer Penetration Testing courses to help individuals develop professional skills through CREST and IISP-accredited courses and organisations build their own in-house capability to test cyber security defences.
For more information about training with PA & 7Safe, contact Richard Allen, head of education, on +44 (0)1763 285 285 or email education@7Safe.com