In our first article, we talked about some of the problems facing InfoSec companies: overseas competition, competition from smaller firms and consultancies, and the commoditization of pentesting in general.
The primary challenge for many InfoSec companies is to stand out: to show current and future clients what makes their service different, valuable, and worth the rates being charged.
The process of re-positioning and differentiating an InfoSec company from competitors will be a long and ongoing process, involving procedural changes and cultural changes. In this article we’ll look at some things you can start doing immediately to gain some “quick wins” at your company.
Why do most New Year’s resolutions fail? It’s because most people try to implement change suddenly, immediately, and haphazardly, without an underlying strategy or process.
When trying to change an organization’s processes and philosophy, you should remember that the actions you take today should be part of a deeper, longer-term strategy. Immediate actions are great, as long as they are part of a sustained push towards continual improvement.
There are a few dangers in attempting to implement organizational changes without having a broader plan:
Your attempts at quick wins should be focused on:
Demonstrating value to your clients. Improving your client’s experience and perception of your company is key to the differentiation process. You want to, above all, make sure your changes are positively influencing your clients’ experience.
Demonstrating value to your team members. The more you can show your team why your changes are valuable and necessary, the more likely it becomes that they will absorb those reasons and make them their own. You want to make it as painless as possible for your team to implement the changes.
Most of the quick wins we will look at will involve gathering information, whether from clients or from team members. This is usually the lowest-hanging and most valuable fruit. Asking questions and gathering information gets you clear on the direction you should be heading in and the steps you should be taking next.
What does your company do best? What are your strengths? Having core competencies and a niche sets you apart from your competitors and gets you greater attention.
This can be counter-intuitive. At many companies (not just InfoSec companies), there can be a philosophy of: “Well, we have to do everything, because if we don’t do everything, we’ll miss some clients.” Or: “Our client just asked for this. We have to give it to them to make them happy.”
This leads to a marketplace where pentesting seems more of a generic commodity than it is. Your potential client may be looking at a line of near-identical InfoSec companies, all of whom claim to do everything. In such a marketplace, it can be hard to stand out.
Focusing on what you’re truly great at has several positive results:
In short, there is power in saying “No” to clients and defining your focus.
One example of how this can play out: if you define one of your core competencies to be SAP Security, then your client may not hire you to do an Android assessment. This may seem like a lost opportunity, and perhaps it is in the short term.
But what will happen is that your clients and colleagues will remember what your focus is, and will respect that you have a focus and are willing to admit when something is not your specialty. Clients will be more likely to get in touch with you later when they have a problem that falls in your area of expertise. And, down the road, if you expand your core competencies to other technologies, your claims of expertise will be that much more believable and powerful.
Not only is this approach powerful for gaining respect from clients, it also gains you respect from talent you may be recruiting. Being known as a company that specializes in cryptography vulnerabilities, for example, will make it more likely that cryptography experts will want to work with you, which creates a positive feedback loop for your quality and reputation.
Here are some beginning steps for establishing your company’s core competencies.
As we talked about a bit in our first article, InfoSec companies can be a little out of touch with ideas of customer service. Often, companies are so focused on the project at hand and delivering the report on time, that client experience can be the last thing on your team’s mind.
But in order to differentiate and get noticed, your team, like it or not, will have to make strides in improving clients’ experience.
Part of the problem is that business owners will often make assumptions about what their clients value. You may assume that your clients value X, Y, and Z about your company. But unless you explicitly ask, you won’t know.
For example, maybe you think your clients value your technical expertise and professionalism, when the truth is that your clients value your ability to accommodate sudden changes in scheduling. Or maybe, above all else, they value a very clear Executive Summary section, which helps them make the case for IT security initiatives.
The point is: You shouldn’t assume anything about what makes your clients happy.
The first thing to do to get clearer in this area is to gather information from clients: information about what they value and what they don’t value; what works and what doesn’t; what they like about your company specifically and what they don’t like. This information can then be used to:
Also, the nice thing about eliciting client feedback is that it helps you sell the necessary changes to your team members. If clients make it clear that they want to see changes, such communication is harder for everyone to ignore.
Here are some starting steps for gathering much-needed client thoughts.
For ease of use, you should try to make most questions Yes/No or a single-choice on a rating scale (e.g., a 1 to 10 scale). Requests for long responses are sometimes too much of a demand and don’t result in actionable information.
Here is an article with many examples of questions you can use to gather customer feedback. And here is an example survey, hosted with Google Forms, that you can copy and modify to hit the ground running.
Your company’s relationship with your clients doesn’t end with the deliverable. But it may seem that way at many InfoSec companies, where everything is about completing a project and moving on to the next one.
Ideally, you want to be thinking of additional services that aid your clients’ understanding and address their vulnerabilities on an ongoing basis. Adding such services has a couple of positive effects:
Some ideas for additional services:
These are just a few ideas for additional services.
Blue Ocean Strategy is a popular book about creating uncontested market space, and includes many ideas on how to differentiate offerings and create new services.
Here are some starting steps for coming up with auxiliary, value-added services.
The ideas in this article are only the beginning, of course. It can sometimes be a long road to change established processes and mindsets at any company. But hopefully we’ve given you some ideas for how to start today on improving the perceived value of your company and, by extension, set yourself apart from the pack.