Building a Hacker Mindset and Why It's Important | Ferd Hagethorn

Building the community, building the right mindset, the hacker mindset is super important. Here's why.

Everybody's spread thin, and it’s very difficult to train people up to free up the time of security experts.

In this episode, I had a brutally honest conversation with Ferd Hagethorn, Director of Security Services at Planit Testing, about his challenges, goals, what vendors do that piss him off, and the alternatives.

Guest at a Glance

💡 Name: Ferd Hagethorn

💡 What he does: Ferd heads the cybersecurity practice for Planit Global. Planit is a quality assurance company operating in Australia, New Zealand, India and the UK. This is where he defined and established the Security Testing practice and services clients both nationally and worldwide from windy and beautiful Wellington, New Zealand.

💡 Where to find Ferd: LinkedIn

Episode Insights

Ferd’s function is an always-on function. He rarely gets downtime, especially given his services are spread around the globe.

“Like with our UK clients, I jump onto calls, so usually I start in the morning at like 7:30, 8:00 and I, yeah, I have days that I finish at 12:00 AM. So, it can be challenging, but it's also quite fun.”

Ferd’s bleeding neck challenge:

Finding people. Everybody is spread thin, and it’s very difficult to train people up to free up the time of pentesters, cloud security experts, and those working in governance, risk and compliance.

“Building the community, building the right mindset, the hacker mindset is super important to me.”

What is the hacker mindset?

The hacker mindset is to have the ability to think around problems. Ferd is particularly looking for individuals who are curious; people that want to know how stuff works, how everything's put together, and how it interacts.

“What I'd like to see is people that think a bit further than the bits and the bytes and the cables and the plugs.

I want to see them look at, how does the business actually depend on this system that I'm poking and prodding right now?

What could be from that business risk perspective interesting to look at and from a threat as well?

If I would be a threat to this system, how could I hurt them the most and just play out that scenario in the test environments that we are given.”

Why is this important?

Being able to think this way ultimately allows Ferd and his team to cover all bases, give his clients confidence that their systems are okay, and give them an indication of where to address the pain points in their systems.

What Ferd hates most about the cybersecurity industry:

Cold calls and cold emails. They go straight into his spam folder.

“It's just not necessary to do that. If I need something, I'll reach out. I'll do my initial assessment.”

The second thing is overpromising and underdelivering.

“Just be honest about what the product can and cannot do.”

How Ferd goes about evaluating and selecting security solutions and tools:

He starts by evaluating tools that are very well known and highly rated in the market. That gives him and his team a head start.

He then usually has it run in shadow.

“We do our regular penetration test. We do our regular cloud security scan, but we have that tool support us in the back, just to see what the output is. We won't use it yet for the client report, but we just see if it picks up the stuff that we regularly pick up when doing our manual checks or using our other suites of tools.”

Then, he and his team check the strong and weak points of the tool.

“We usually come up with a package of two, three, sometimes four tools, depending on how big the stack is that we're looking at before we actually say, okay, this is something that gives us like 80, 90% coverage.”

Where Ferd checks for vendor ratings:

  • Gartner Magic Quadrant
  • Google Search
  • Asking his customers
  • Forums

The trigger for selecting a security tool:

Ferd usually uses a combination of tools to look for the same thing.

“We select the tool based on how well it detects issues in the current code base. Some tools are stronger in Java. Others are stronger in C, some are much better in JavaScript pieces, you name it. So, just from that perspective, we need to be selective. And we usually mix open source with commercial off-the-shelf type of tools.”

Ferd’s take on comparison sheets on vendor websites:

They do help. Most of them are actually pretty good. When it comes down to the nitty-gritty, the really small stuff, he feels they usually exaggerate a bit about what the tool can do, how fast it is, and how easy it is to use.

“That's all rose colored glasses, but once you've got the stuff trained in well, it usually does as advertised, but there is a learning stage in front of it.

Something that will be nice is if there will be more open forums on how to use the commercial off-the-shelf tools.”

Where Ferd spends most of his time online:

Mostly in the forums.

“I've gotta feed the accounts and use that to do a lot of research in what's current with current attacks, current vulnerabilities. I don't spend that much time online elsewhere, actually. Mainly it's in the product forums as well.”

The worst thing you've experienced from a vendor:

Ferd hasn’t had any explicit horror stories, because he does a really good job pre-screening and defining requirements, so he can immediately disqualify vendors and tools that do not fit his needs.

“We are really explicit in our requirements. We are a software testing company from the get go. So, we know how to write requirements. We really come up with a huge list and we just ask them upfront, can it do this? Or can't it do this?

As soon as we get an evaluation version and they lie on that, that evaluation version goes straight into the trash bin.”

There are second chances in security buying journeys.

But it depends.

Ferd worked with a young startup a couple of years ago. Their product was cool. In the beginning, they said they were ready and aligned with Ferd’s requirements but after further evaluation, they, in fact, were not.

Ferd came back two years later to check up on them and found that they had improved their product based on his feedback. That’s when he said, “let’s move forward with them.”

Ferd and his team currently use their product.

What makes Ferd feel good that vendors do:

  • Listen to feedback and apply it to the product roadmap.
  • Be very approachable, especially on the technical support side.
  • Provide him a direct line to a really good pre-sales professional or technician who actually knows the code of the system.

“And just keeping those lines exceptionally short. I really like that because it makes me feel very valued. We are professionals from our side, especially in the software testing space. And I expect them to be professionals from their side, as well as somebody that creates software that we actually use.”

Extra pet peeves and advice to the world:

“Protect your test environments for Pete’s sake.

Because 99% of the time when I walk into a client and ask:

Q: ‘Where is this data coming from that you’re testing with?’

A: ‘Oh, that's a copy of production.’

Second question is:

Q: ‘Is it as well protected as in production?’

Answer 99% of the time?

A: ‘No.’

And it's also one of my favorite targets if we do like a red team exercise. I don't go after the well-protected stuff because they see me. I go after the test environments. Very much fun to do and they just don't see me coming in. They don't see me sneaking out terabytes of data.”

Differences or anomalies vendors and marketers can take advantage of to stand out:

If vendors can improve, amplify, and gamify training for developers in addition to showing how to fix issues, we would all be in a better spot.

“I'd like to see that it [gamified training] keeps track of how often you could have made a mistake. And then it says, oh, you could have made the mistake, but you actually did well this time, you learned from your last mistake, and just put like a score against that. Gamify it and say, okay, this dev has like a six year track record of not introducing any security vulnerabilities. Here's a big fat prize. Drive home in your Tesla Model 3.”
