For pen testing firm IOActive, security is cultural not transactional

IOActive may not be a household name but you almost certainly know its work.

The Seattle-headquartered company has been behind some of the most breathtaking hacks in the past decade. Its researchers have broken into in-flight airplanes from the ground and reverse engineered an ATM to spit out gobs of cash. One of the company’s most revered hackers discovered a way to remotely shock a pacemaker out of rhythm. And remember that now-infamous hack that remotely killed the engine of a Jeep? That was IOActive, too.

If it’s connected, they will bet that they can hack it.

IOActive has made a name for itself with its publicly reported findings, but its bread and butter is helping its corporate customers better understand how they approach security.

Since its founding more than two decades ago, the penetration testing and ethical hacking company now serves customers mostly in the Global 1000 largest companies to help assess and test their security posture.

“You can have the absolute most sophisticated alarm in the entire world, and I guarantee our team can break in,” said Jennifer Steffens, IOActive’s chief executive, in a call with TechCrunch. “But if you left your front door unlocked, hackers are going to walk right through.”

“Don’t pay us to show you how to break into the alarm before someone learns how to lock the door,” she said.

Much of the company’s work is done with its corporate clients under non-disclosure agreements. By thinking like the bad actors trying to get in, IOActive’s testers search for and find vulnerabilities — and fix them before they can be exploited. It’s what Steffens refers to as the “evil bit,” describing it as a “natural curiosity to tear everything apart and see how it works.”

“We always like to take the attacker’s perspective,” she said. As testers, they look at the entire company’s systems and networks — and not just the big obstacles.

All it takes to bring a company crashing down is an out-of-date printer that hasn’t been patched in years or an Internet of Things device still using its default password. IOActive’s testers look at everything — and spare nothing.

“Security is much more valuable the earlier you think about it and building maturity by design — versus bolting it on at the end,” said Steffens. She said it’s faster, less expensive, and more effective to think about security by design first and not as an afterthought, which is where mistakes are made and vulnerabilities are found.

But for IOActive, testing a company’s security isn’t transactional or an in-and-out job. It’s a never-ending effort — one that requires reworking how a company approaches security from the ground up. The company sees security as a culture, and something that grows and develops over time. By working with the bigger companies, it sends a message of “how should we be behaving” to startups and small-to-medium sized businesses. Steffens said getting in at the ground level with some of the newer companies is where it has the most impact.

“We really want to be able to embed ourselves in their security fabric and figure out how to really help them as a business,” she said.

It’s not just a matter of revenue, it’s a principle that the company stakes its reputation on. In some cases, IOActive has clients that have been around longer than Steffens has been at the company — a little over a decade.

“We want these long-term relationships where we can have that long-term impact,” she said.

It’s a business model that clearly works. The company is entirely self-funded, said Steffens. “There’s no magic here,” she said. “We really invest everything back into the company to be able to scale.” The company has four offices, including London and Dubai. It also has an office and a lab in Madrid.

But the company’s public pride and joy is its research arm, which helps give the company a public face amid the consulting work it keeps under wraps. Steffens admitted it’s the kind of “big sexy systems” her staff researchers and consultants want to hack in their spare time. She said some of the company’s biggest research findings have come from her staff buying technology — either for function or for fun — and tearing it apart.

It’s a side project to the company’s main moneymaker, but it’s a healthy balance that helps promote its cultural security mission.

“We’re really trying to change industry perspective and build awareness for the critical need for security from the start,” said Steffens.

There is no such thing as perfect security, she said. But making sure there’s a culture and attitude of being aware of security is one of the most critical components a company can have.