As part of our 10-year celebrations, we sat down with Toro’s Founder, Peter Connolly, to reflect on our journey so far.
What inspired you to start Toro 10 years ago?
I spent the first part of my corporate security career attacking organisations and realised quite quickly that by replicating the blended attacks that criminals were conducting, so blending hacking with social engineering and physical intrusion, we were going to be successful in finding holes in the defender’s security.
Mostly because those defenders are still really stove-piped, so Heads of IT not speaking to Heads of Physical Security or Personnel Security and leaving gaps that criminals - and we, as testers - could exploit.
When I looked across the consultancy marketplace, I saw that there were no businesses like Toro that were focused on converged security. While the concept had existed for about 20 years, businesses still weren’t fully embracing it, and service companies like ours were not helping to raise awareness about the value of converged security.
That’s why I founded Toro - to defend our clients in that blended space where cyber meets physical and people.
What are some of the proudest achievements over the past decade?
One of the things I’m most proud of is the work we’ve done for governments to build resilience across hundreds of critical suppliers into the UK Government. This hasn’t just improved the security of these organisations - it has saved people’s lives in conflict zones and when facing nation-state threat actors.
Many of these suppliers don’t have the resources of a large company to protect themselves, but they do face a range of highly sophisticated threats. This work plays directly into our purpose: helping organisations thrive in a safe and secure space.
I think it’s about helping organisations recognise that security should not be seen as a business cost but as a business enabler. Strong security can unlock new opportunities, allowing businesses to grow, explore new markets, and manage risks better - ultimately helping them thrive.
This is also an important part of building a culture within an organisation where employees feel that their employer genuinely cares about their safety, not just at work but in their personal lives as well.
How has the industry changed over the last 10 years and how has Toro adapted?
One of the biggest things that have affected businesses has been the pandemic, which accelerated the move to cloud-based IT infrastructure and also highlighted just how reliant businesses, and we as a nation, are on a long overseas supply chain. It showed just how important it is to build resilience within that supply chain, and to have contingency plans for when critical suppliers are no longer able to support the business.
The pandemic also underscored the importance of individual resilience. So, building a culture where people are comfortable dealing with challenging situations and changing environments.
At Toro, the training, experience and the breadth of knowledge that our people have outside of their traditional lane were key in maintaining our resilience during this time.
Geopolitical events such as the conflict in Ukraine have highlighted the real-world threats facing organisations and individuals. At the same time, technological advancements, especially in AI, have amplified both the threat and sophistication of attacks but also the resources that the defenders have. Cyber security has become an arms race, where the defenders must second-guess what the attackers will do and have just nanoseconds to respond as opposed to before when we had days or weeks to prepare ourselves for an emerging threat.
The pace and sophistication of attacks have forced businesses to respond quicker but also take more risks. A key example is patching. Traditional patching timelines are just not effective enough at addressing the emergence of new security threats and just how quickly attackers can exploit those security vulnerabilities. Organisations are having to do patching much quicker than they’d previously done, increasing the risk of something going wrong accidentally and the system not working. This is again just another critical part of business risk management that must be addressed.
Another thing linked to the pandemic that has affected our clients’ security and their mindset has been the move to remote and hybrid working. Recognising that the physical facilities that our clients need to protect haven’t changed but the use of those facilities has changed dramatically. Security protections now need to extend beyond office walls and into employees’ homes, where they often work on less secure networks. It’s also recognising that people feel quite lonely and don’t have the immediate support network they once had in an office environment to ask security-related questions or to check if the email they received is legitimate or not.
We’ve found the most effective way to do this is by helping people protect themselves and their families in their personal lives. Once they understand best practices in that context, they are far more likely to bring them into the workplace.
To ensure we are staying ahead we invest heavily in research and development, gathering and disseminating threat intelligence to our clients. Because we both attack and defend our clients, and respond when they experience breaches, we see every aspect of the kill chain in action. This gives us a unique perspective, allowing us to advise organisations on emerging vulnerabilities and threats, and to help them prepare for and respond to attacks more effectively.
What's been the key to building and maintaining a strong company culture?
Culture is about values and behaviours.
We have done a huge amount of work to analyse and define what we believe our company values are. Whilst this has been an ongoing process over the years, what’s been interesting is that the core values we identified in the early days of Toro are still the same values that define us today, 10 years on. Whilst some of the words we use may have evolved, and the context may have shifted, the values remain unchanged.
Our values are a reflection of the people within the organisation. Every time a new person joins Toro, their values help shape our culture in some way, just as the organisation influences them in return. Our core values, which we refer to as our EPIC values, capture what makes us successful and a great place to work.
Beyond values, our culture is reinforced through behaviours. It is about muscle memory, using our values as handrails to guide the way we behave, the decisions we make, and how we operate as a team. This can also mean making tough choices, such as turning down work from clients whose values do not align with ours.
The ways of working - our routines, structure and the way we deliver excellence - have also played a crucial role. While we are always looking for ways to improve, we are now in the space of marginal gains territory, refining and optimising a mature and well-established way of working.
We regularly audit and review hundreds of organisations our size, and I believe we are punching well above our weight in governance, risk, compliance, and company culture. That culture is not just a byproduct of our success but a key driver of it. We have built a strong foundation based on the shared values of great people, and that continues to be one of our biggest strengths.
What makes Toro's approach to security different from other companies?
A big difference with Toro is that many security companies tend to keep their staff focused within a specific area or discipline, but we do things differently. We invest in broadening and deepening the expertise of our people, so they understand not just cyber security, but also physical and people vulnerabilities. This allows us to offer a more comprehensive service to our clients.
Even if a project is primarily focused on cyber security, we always include recommendations related to physical and people security. This integrated approach is what truly sets us apart.
We're also constantly striving to improve what we do. We don't rest on our laurels - we gather feedback, analyse data, and hold workshops to keep refining and enhancing our processes.
If you could give your 10-years-ago self one piece of advice, what would it be?
I would tell myself to narrow the focus of the company slightly. Like many business owners in the early days, we were a bit like a toddler finding our way in the world, trying to figure out what we believed was important and where our approach to convergence fitted within the business community.
Looking back, our approach to converged resilience was years ahead of where many of our clients were in terms of their security culture and strategy. In many cases, the industry itself was still catching up. It meant it could be overwhelming and feel insurmountable talking to an organisation about driving towards convergence. Whilst many organisations recognised convergence as the right direction of travel, they also knew it would take years to get there.
I think in many ways we pushed too hard and too fast. We were often banging the drum, on the back of a successful attack simulation by us, using that as an opportunity to show clients how much more secure they could have been if their security leaders worked together. I think that whilst that approach was effective in highlighting gaps, I think we could have done more to formalise the concept of security convergence from the start.
So, what we are in the process of doing now - defining convergence, building a network of advocates, and delivering courses for the next generation of security leaders to give them the knowledge of taking a more converged approach - is something we should have been doing from the beginning. Establishing a structured education process earlier would have helped drive adoption more effectively and positioned us as thought leaders in the space even sooner.
Where do you see Toro in the next 10 years?
We have some really exciting initiatives in the pipeline as part of our company strategy.
We have a tech solution and are in the process of developing another one. We are also pioneering some really interesting solutions to help companies assure and maximise their use of AI.
We're finding increasingly effective ways to help our clients meet the increase of legislation challenges under emerging frameworks like NIS2, DORA, the AI Act. Some of the physical work we’ve been doing in preparation for Martyn’s Law is really interesting and a novel approach to something which I hope will be really innovative.
A major goal for us is to continue driving forward the convergence approach to security risk management. A key part of this will be developing more comprehensive managed security solutions for our clients. Recognising that too often, ad-hoc consulting projects can often be just a sticking plaster, while a long-term approach that aligns security with business goals is what really makes a difference. What excites me is the idea of offering a single, integrated service that protects our clients' digital, physical, and people assets all at once. It’s something I don’t see many others doing well in the converged security space.
One of the ways we’re addressing this is through the launch of Toro Secure360, which brings together cyber, physical, and people security in a way that is more holistic and sustainable for organisations. With Toro Secure360, we’re helping clients build a more resilient security posture by providing around-the-clock protection against advanced threats, integrating multiple layers of defence to defend against today’s emerging threats.
We also want to expand into new markets. Currently most of our current client base is in the UK in both the public and private sector, with a good network of clients in Switzerland, the EU, the US, and Asia. But over the next decade, we want to formalise this expansion, and also look at areas like the Channel Islands, where small and medium-sized businesses like Switzerland don’t have access to local talent to protect themselves and would rather find a security partner back in the UK.
What are the biggest opportunities and challenges?
The economic environment is undoubtedly tough at the moment. The UK is still finding its place in the world post-Brexit, particularly in relation to Europe. At the same time, geopolitical shifts, such as the policies and the immediate reactions of the Trump administration and their impact on global alliances, have led UK businesses and the government to reassess their relationships with both the US and Europe.
The ongoing war in Ukraine is a clear and present threat to UK security - one that will likely remain for decades. This conflict has reshaped the security landscape, forcing businesses to rethink their risk management strategies and resilience planning. Our challenge is to find innovative ways to keep our clients safe while helping their businesses continue to thrive in the face of such uncertainty.
That said, times of significant change also present opportunities. Businesses that are forward-thinking, agile, and innovative - like Toro - have the chance to lead the way in security and resilience. The need for converged security solutions has never been greater, and organisations are increasingly recognising the value of taking a holistic approach to managing digital, physical, and human risks.
What message would you have for employers, customers, and partners who've supported Toro over the last 10 years?
Thank you for your belief and trust in us. Thank you for helping us understand your business and your goals, and for having the maturity to align our cyber, physical, and people security solutions with those goals.
Thank you for your commitment and for continuing to choose us to support you. We’ve just hit our 600th client, which is a huge milestone, and we couldn’t have done it without your support. We look forward to another decade of working with you.