by Michael Vogel
I’ve been with atsec for more than two years, and I am happy to be on board. But when I joined, I had some concerns. Coming from companies with thousands of employees and revenues in the billions, joining a company with less than one hundred employees worldwide and a few digits less in revenue felt like a step back in my career — although it was clear from the very beginning that I should take the role of one of the managing directors one day.
Joining would have been easier for me if I would have had a counterpart inside the company with the experience I have today who could have answered the burning questions I had before I started.
For people who are hesitant to join atsec today, I will try to sort things out in a fictional interview between a virtual applicant, “Alice,” and myself.
Alice: I would want to work as an evaluator in IT Security, but I am hesitant to join atsec because I think the company is too small.
Michael: I agree that in terms of head count, we are small, but we provide a big platform. You can work on Common Criteria (CC) evaluation or Federal Information Processing Standard (FIPS) testing. You can work with colleagues from six offices around the globe: Munich, Germany; Austin, US; Stockholm, Sweden; Rome, Italy; Beijing and Shanghai, China. All our locations have a sufficient number of employees to get the job done. For locations with about 10–20 evaluators, the size of the team is big enough to successfully conclude bigger projects in a reasonable timeframe on the one hand, and the team is small enough to keep the overhead low on the other hand. If you are growing beyond, let's say, 25 or 30 people, you will have to define teams or departments anyway to manage them efficiently. You’ll still end up working with a team of 10–20 people, even within a large organization.
Alice: But bigger companies have bigger revenues.
Michael: But they also have higher costs, overhead and many more people to share the revenues. atsec takes on highly intellectually challenging evaluations. People are our assets. The most significant chunk of our costs is the salaries and bonuses for our staff. And as long as our colleagues generate sufficient revenues that we can pay salaries and overhead costs, it doesn't make a difference whether we have 100 people, 1,000, 10,000 or 100,000. So, what is important is the revenue per person instead of the total revenues.
Alice: But bigger companies have bigger savings. That makes me feel more secure that the company will survive bad times.
Michael: You have to ask yourself — “why does a company need savings?” You may answer that companies need to be prepared to bridge "bad times" when revenues are temporarily lower than the costs. With the current high number of concurrent profitable projects that we have at each subsidiary, talking about "bad times" feels a little strange. But atsec is also prepared for bad times. We have sufficient savings to bridge longer unpleasant periods even if we haven't experienced any in our many years in operation. The main issue in our discussion, though, is the way you are looking at this topic.
Alice: What's that supposed to mean?
Michael: If you are part of a bigger company or large conglomerate of testing facilities that span industries such as the car, oil and gas, construction, chemical, and so on, the IT security evaluation laboratory work is not the company's core business. And the likelihood is high that this domain does not produce the highest profits compared to other domains the company is engaged in. What do you think will happen when these bigger companies face “bad times,” as you called it?
Alice: At a certain point, the big company will try to secure its core business with the most profitable domains.
Michael: And they will sacrifice everything else. See — you just lost your (virtual) job. And that's not a theoretical scenario. There have been some sad real-life examples in the past years… atsec's business is not “just a bunch of different domains” competing against each other, it's a coherent business in a well-defined domain.
So, our business model is not only tailored to the domain of security evaluation. Every manager at atsec is also experienced in this business, so that the risk of failure is pretty low. And each of them knows your face and your name, if that means anything to you. atsec does not need the decision of the board to pay bonuses, increase a salary, or assign a new role. We are a flat organization, defined by one level and half a hierarchy. Decisions are made quickly without waiting for any board to meet. We don’t have one. Last and not least, if any "bad time" does come, since we are independent, the management will be the first to sacrifice their pay and bonus to make sure our colleagues are being taken care of first. When we have savings, we heavily invested in our people so that we all know business well enough to avoid bad times.
Alice: What about Training? What does your company offer?
Michael: Education is constant at atsec, with both internal and external courses. We have a specific internal education program for the standards we are using to perform IT Security evaluations. Our internal training is thorough. At the same time, we give time to our new colleagues to digest the subject, since we want them to be prepared before facing customers. Mastering a standard is like learning a new language; it takes some time before being proficiently fluent.
Alice: What about participating in conferences and seminars?
Michael: Every year, we participate in at least two conferences: the International Common Criteria Conference (ICCC) and the International Cryptographic Module Conference (ICMC). We ask our colleagues to submit papers to these conferences. The company is a big sponsor of standards communities. We are present where more prominent companies are not. Above all, atsec is the sole founding partner of the International Cryptographic Module Conference (ICMC). We initiated it in 2013, and next year we will celebrate its 10th anniversary. We host and manage the Cryptographic Module User Forum (CMUF) and have colleagues in the ISO community and on Common Criteria User Forum (CCUF) board. We have a colleague participating in the ad-hoc working group defining the certification scheme of the European Cyber Security Act. In addition to Common Criteria and FIPS 140-3 other colleagues in different locations are also involved with: iTC, OTTP-S, FIPS 201 PIV, SCAP, GSA, PCI, GSMA, 5G, NESAS. A few colleagues with additional interest will go to specialized conferences and seminars.
When looking at our contribution, we are way "bigger" than many big companies. From what you can see, security testing and evaluation is a large domain, requiring dedication and commitment from both the company, colleagues, and new employees. Training, conferences, and seminars are part of the continuous learning process. That’s why I said at the beginning that we provide a big platform, where our people can grow into industry experts and become well respected through their contributions to the standardization bodies and leading roles in the security community.
Alice: Wait a minute. If all you described is true, why has no one ever tried to buy you? Shouldn't there be bigger companies eager to acquire you?
Michael: Who said nobody has tried to buy atsec? Do you have any idea how many companies tried to do that precisely? But the founders decided to remain and keep atsec independent. There have been many options where they could have cashed in, taken the money, and walked away. But they didn't. They decided to remain independent and pass the company to the new generation.
They wanted to preserve the culture imprinted in atsec’s four principles and remain an enabling platform for everyone who likes this kind of work, as was in the founders' original idea. In their younger lives, they experienced difficulties in doing this kind of job for a big company. At the same time, many laboratories were acquired by those big companies and conglomerates, and shortly after, either they shut down, or the people left, overwhelmed by the corporate culture. That's something that makes me feel more secure about my job. By the way, why does this independence matter?
We are doing, for example, approval projects for the government. Do you have any idea how keen governments are to work with labs that need source code for products used in government networks but with foreign investors who could force them to share exactly this information?
Alice: You bring an interesting point. What about your turnover?
Michael: We have a lot of colleagues in the company staying for over ten or more years. The founders are still involved, though some are reaching retirement age. We realized that those who do not like this job leave in the first year. Those who like it tend to stay. We’ve had only a few people leaving the lab to go to the vendor to do the same job on the vendor's side. Generally, these former colleagues are returning as customers, because they know we are good and can deliver. We had a few situations where colleagues left and then later asked to come back since they realized atsec is better.
Alice: Uha…. and you took them back?
Michael: Yes, we did! We always try in all situations to have a good environment for our colleagues whether they stay or decide to try a different career path. The employment is at will. We understand that the mind, heart and body must be in one place to achieve top performance. Colleagues who left and returned to us are treasures because they came back with their full heart.
Alice: But if you have that much insight into detailed information about relevant security products, wouldn't that be a good basis for developing your own products? I think that could be quite profitable.
Michael: If you are collaborating with customers on a level as we do as evaluators, you have to keep up your customers' faith and confidence in you every day. And that only works if these words mean something to you. Customers are only returning to you if you manage to succeed in precisely that. If you lose their trust, they are gone for good.
That's the reason why atsec has never developed or sold any products — from what I can see — it never will. In general, atsec doesn’t compete with its customers in any way or form. We are not imposing on our customers to buy or develop a tool to complete an evaluation. I am proud to be part of a company with a clear vision.
Alice: I see. It looks like you know what you are doing...
Michael: That's why atsec has been in the business for more than 20 years. And the future looks promising. It will help if you keep in mind that our world is getting more digital every day. And this implies that values are shifted to the digital world more and more. So, people want them to also be secured in the digital world. Therefore, the job of evaluators in IT security evaluation facilities is sort of “booming” at the moment. At the same time, the job requires highly trained experts in IT security, which are hard to find. But it is not only the technical expertise that matters. Integrity and reliability are essential for every single employee in that domain. atsec’s philosophy and culture is to grow our own experts organically through our rigorous and systematic training program in a nurturing environment. All we are asking is that you have passion for IT security and you are eager to learn. Do you have what it takes?
And how about YOU? Do you have what it takes? Then send your application
to one of our offices - we are looking forward to hearing from you.
