The employees at Black Hills Information Security get paid to break into companies for a living; their focus on security and penetration testing and validation of security controls involves cyber activities such as phishing and hacking, as well as a little old-fashioned casing-the-joint type of work. Jordan Drysdale, Systems Administrator and Tester, calls it "Mission: Implausible."
"The number one question we get asked is, why would anybody want us to break into their organization?" he says. "We are really trying to demonstrate current hacker techniques and adversarial threats in order to lay a roadmap on how organizations can improve their security."
With high-profile data breaches making headlines on a regular basis, Black Hills Information Security plays a crucial role in helping companies recognize areas of vulnerability and take steps to improve security in order to protect sensitive data.
John Strand, who was performing security testing on his own, founded the company in 2008; customer feedback was positive, but in order to gain their business, he was told he would need to start an actual company.
Black Hills Information Security started out small, with a single employee, but with security more important than ever in the digital age, business grew quickly. Today, the staff numbers around 75 and is spread across the U.S. Jordan credits Ascent Innovation with helping to fuel their growth.
"Ascent has been fantastic for our company from the beginning," he says. "A lot of our original employees came out of the School of Mines, and we still have Mines interns. Having the incubator for relatively inexpensive rent and power was very valuable for a startup."
Black Hills Information Security typically works with 10 interns at any given time, several of whom are currently attending the School of Mines, and a number of them have gone on to work for the company full-time. Their mathematical skills were crucial in the launch of Active Countermeasures, a spinoff company that focuses on defense, identifying security threats on corporate networks and taking steps to shore up those vulnerabilities.
Black Hills Information Security works with corporations around the world and is one of the top five organizations providing these types of services in the country, competing admirably against capital-rich Silicon Valley companies. Any time a Fortune 100 company submits a bid proposal, they'll get a call. There isn't as high a demand for penetration testing locally, but BHIS fills an important niche in the Black Hills region through education. They hold an annual hands-on conference (soon to expand to tri-annual in order to meet a growing demand) and speak at many other events, educating attendees about security.
Not all their work involves cyber security. BHIS is often hired to see if they can gain physical access onsite through any means necessary — including picking locks and reproducing security badges. This kind of subterfuge is sometimes met with defensiveness, understandable given the compliance issues a successful breach highlights, but most clients understand the value provided by BHIS and implement tighter security measures as a result. That's a win/win for everybody.