Enterprise Salespeople are a lot like Computer Security Researchers

Posted on February 4, 2017

Who do hackers stereotypically hate most? Probably business people. They schmooze around with their fake friends, talk about value and synergy, have a poor understanding of technology, and disrespect our craftsmanship. They hobble highly-skilled work as no more than a means to their nefarious profit-driven ends. Yet, I think there’s a strong resemblence between the most businessy and Successful enterprise salesperson and the much-glorified hardcore penetration tester who regularly collects on bug bounties.

How do many pen testers operate? They first collect as much information as possible. When they’re satisfied with the amount and quality of data, they’ll attempt to conquer one of many entry points exposed from a system’s exterior and eventually perform privilege escalations once they’re inside.

Here’s a visual representation of what a system intrusion could look like:

+-------------+ | SHIT WEBAPP | (1) break into this +-------------+ | | | +-------------------+ | | (3) leverage position to | (2) pwn db /^^^^^^^^^\ pwn whole network +-----------------+ /^ CORPORATE ^\ | DATABASE | < CLOUD VPN > +-----------------+ \vvvvvvvvvvvvv/

Outbound salespeople do a pretty similar dance. They first gather intel. When they’re happy with the amount and quality of data, then they’ll try to access an entry point. Once they’re in, they try to find the decision maker(s) and perform privilege escalation.

Here’s a visual representation of what an enterprise sale could look like:

+-------------+ | GATEKEEPER | (1) get past this +-------------+ | | | +-------------------+ | | (3) cross-sell and get warm leads | (2) make the sale /^^^^^^^^^^^^^^^\ +-----------------+ /^ CORPORATE ^\ | ECONOMIC BUYER | < REFERRAL NETWORK > +-----------------+ \vvvvvvvvvvvvvvvvvvv/

While their tools and tactics are different, the general outlines look very similar: failure is the norm. Persistence, savviness, and ingenuity are keys to winning. The big firms have very well-defined processes that can efficiently perforate a staggering amount of organizations at breakneck speeds. Both fields are founded on trust, and the best practicioners seem to be most concerned with other people. There may be things for these fields to learn from each other after all.