Monthly Archives: April 2015

Differentiating Your InfoSec Company: Getting Some “Quick Wins”

(Note: This article is part of a series about differentiating your InfoSec company from competitors and improving your perceived value.)

In our first article, we talked about some of the problems facing InfoSec companies: overseas competition, competition from smaller firms and consultancies, and the commoditization of pentesting in general.

The primary challenge for many InfoSec companies is to stand out: to showcase to current and future clients what makes their service different, valuable, and worth the rates being charged.

The process of re-positioning and differentiating an InfoSec company from competitors will be a long and ongoing process, involving procedural changes and cultural changes. In this article we’ll look at some things you can start doing immediately to gain some “quick wins” at your company.

Plan Quick Wins As Part of a Long-Term Process

Why do most New Year’s resolutions fail? It’s because most people try to implement change suddenly, immediately, and haphazardly, without having an underlying strategy or process.

When trying to change an organization’s processes and philosophy, you should remember that the actions you take today should be part of a deeper, longer-term strategy. Immediate actions are great, as long as they are part of a sustained push towards continual improvement.

There are a few dangers in attempting to implement organizational changes without having a broader plan:

  • You might alienate your technical team. If they are used to doing things “their way”, drastic attempts to change their behavior will likely alienate them and ultimately fail.
  • You might cause disruptions to projects and workflow. If you attempt to implement change too rapidly, your team will be confused and work quality will suffer, and this will probably be noticed by your clients.

Your attempts at quick wins should be focused on:

  • Demonstrating value to your clients. Improving your clients’ experience and perception of your company is key to the differentiation process. You want to, above all, make sure your changes are positively influencing your clients’ experience.
  • Demonstrating value to your team members. The more you can show your team why your changes are valuable and necessary, the more likely it becomes that they will absorb those reasons and make them their own. You want to make it as painless as possible for your team to implement the changes.

Most of the quick wins we will look at will involve gathering information, whether from clients or from team members. This is usually the lowest-hanging and most valuable fruit. Asking questions and gathering information gets you clear on the direction you should be heading in and the steps you should be taking next.

Focus On Core Competencies

What does your company do best? What are your strengths? Having core competencies and a niche sets you apart from your competitors and gets you greater attention.

This can be counter-intuitive. At many companies (not just InfoSec companies), there can be the philosophy of: “Well, we have to do everything, because if we don’t do everything, we’ll miss some clients.” Or: “Our client just asked for this. We have to give it to them to make them happy.”

This leads to a marketplace where pentesting seems more of a generic commodity than it is. Your potential client may be looking at a line of near-identical InfoSec companies, all of whom claim to do everything. In such a marketplace, it can be hard to stand out.

Focusing on what you’re truly great at has several positive results:

  • You become known for being great at the specific systems and technologies at which you excel.
  • By voluntarily defining what you’re not good at, your perceived strengths become that much more believable.

In short, there is power in saying “No” to clients and defining your focus.

One example of how this can play out: If you define one of your core competencies to be SAP Security, then your client may not hire you to do an Android assessment. This may seem like a lost opportunity, and perhaps it is in the short-term.

But what will happen is that your clients and colleagues will remember what your focus is, and will respect that you have a focus and are willing to admit when something is not your specialty. Clients will be more likely to get in touch with you later when they have a problem that falls in your area of expertise. And, down the road, if you expand your core competencies to other technologies, your claims of expertise will be that much more believable and powerful.

Not only is this approach powerful for gaining respect from clients, it also gains you respect from talent you may be recruiting. Being known as a company that specializes in cryptography vulnerabilities, for example, will make it more likely that cryptography experts will want to work with you, which creates a positive feedback loop for your quality and reputation.

Quick Wins

Here are some beginning steps for establishing your company’s core competencies.

  1. Set up an internal meeting to brainstorm what your core strengths are, and how you want to position yourself in the marketplace.
  2. Ask, “Who are our ideal clients?” Getting clear about which clients make your team happy leads to realizations about what your strengths are.
  3. Ask, “Who are the clients we don’t want to serve?” Identifying the clients who aren’t right for you will help you adjust your messaging to speak to the right audience. This will create a self-selecting process, where your favorite work is attracted to you and your least favorite work is not.
  4. Research the industry to see what needs may be underserved. Can you think of a strength you have that not many companies are focused on serving?
  5. Talk to colleagues about your ideas for niche positioning. Ask for feedback about whether your ideas for positioning will be perceived as valid.
  6. Talk to new prospects as if you’ve already repositioned the company and gauge their response. For example, if you’re at a networking event, you might talk to new contacts using your new company messaging and focus, and see how they react, whether positively or with no interest. With methods like these, you can test client and industry response before implementing the change on a bigger scale.
  7. Talk to trusted clients and run your ideas by them. Ask questions like, “If we focused on this specific service, would this be valuable to you?”

Learn What Makes Clients Happy

As we talked about a bit in our first article, InfoSec companies can be a little out of touch with ideas of customer service. Often, companies are so focused on the project at hand and delivering the report on time, that client experience can be the last thing on your team’s mind.

But in order to differentiate and get noticed, your team, like it or not, will have to make strides in improving clients’ experience.

Part of the problem is that business owners will often make assumptions about what their clients value. You may assume that your clients value X, Y, and Z about your company. But unless you explicitly ask, you won’t know.

For example, maybe you think your clients value your technical expertise and professionalism, when the truth is that your clients value your ability to accommodate sudden changes in scheduling. Or maybe, above all else, they value a very clear Executive Summary section, which helps them make the case for IT security initiatives.

The point is: You shouldn’t assume anything about what makes your clients happy.

The first thing to do to get more clear in this area is to gather information from clients: information about what they value, what they don’t value; what works, what doesn’t work; what they like about your company specifically and what they don’t like. This information can then be used to:

  • Expose major failures in how your company is serving clients
  • Improve and standardize business procedures and pentesting methodologies
  • Decide on a new company focus (i.e., a core competency)
  • Improve the value and consistency of deliverables
  • Come up with new services (i.e., new ways to make money or add value)

Also, the nice thing about eliciting client feedback is that it helps you sell the necessary changes to your team members. If clients make it clear that they want to see changes, such communication is harder for everyone to ignore.

Quick Wins

Here are some starting steps for gathering much-needed client thoughts.

  1. Have a team meeting and think about the types of questions that would be valuable to ask your clients. Examples of valuable questions include:
     • “How would you compare your experience with our company with your experiences at other companies?”
     • For repeat clients: “How would you compare your most recent experience with previous experiences?”
     • “How would you rate the value of our report?”
     • “What would you like to see from our report that you didn’t?”
     • “What is the worst part of our reports?”
     • “What is our weakest point compared to other vendors?”
     • “Have you recommended us in the past? Why or why not?”
     • “What kinds of InfoSec services would you like to see offered but are not getting?”

For ease of use, you should try to make most questions Yes/No or a single-choice on a rating scale (e.g., a 1 to 10 scale). Requests for long responses are sometimes too much of a demand and don’t result in actionable information.

Here is an article with many examples of questions you can use to gather customer feedback. And here is an example survey, hosted with Google Forms, that you can copy and modify to hit the ground running.

  2. Using the most relevant questions, draft an email survey to send to existing and past clients. Store the responses to the survey in a format that is easy to share with your team in an ongoing manner (for example, an internal wiki).
  3. Start to create feedback loops in your delivery process for gathering client feedback. For example, you might put a section in the report template that asks clients to click a link and fill out a feedback form. By making feedback-gathering part of your process, you ensure it will be done on every project.
  4. Set up a reward system for team members who get high evaluations from clients. (But don’t punish team members just because they don’t get high marks. Employee shortcomings, it has been shown time and time again, are almost always caused by a faulty process.)

Develop New Services

Your company’s relationship with your clients doesn’t end with the deliverable. But it may seem that way at many InfoSec companies, where everything is about completing a project and moving on to the next one.

Ideally, you want to be thinking of additional services that aid your clients’ understanding of their vulnerabilities and help them deal with those vulnerabilities in an ongoing fashion. Adding services has a couple of positive effects:

  • Services can be additional products and ways to make money.
  • They can be bundled with your existing pentesting services, as a way to provide added value and to justify your rates.
  • They differentiate you from your competitors.

Some ideas for additional services:

  • Offer clients a custom emailed newsletter that features information on security vulnerabilities for the specific technologies they use. For example, if your client uses WordPress and Magento, every month you deliver them updates and news on WP and Magento security issues. (This could be set up pretty easily in a content management system.)
  • Subscription services that allow your clients to get quick responses and input whenever they run into security problems or just want to bounce an idea off someone knowledgeable. This is essentially a support contract or retainer with guaranteed response time.
  • You could remove a common gap between discovery and remediation by providing vulnerability data in a format clients could upload directly into their bug tracker. (Of course, the format each client needs will depend on the specifics of their bug tracking system.)

These are just a few ideas for additional services.

Blue Ocean Strategy is a popular book about creating uncontested market space, and includes many ideas on how to differentiate offerings and create new services.

Quick Wins

Here are some starting steps for coming up with auxiliary, value-added services.

  1. Ask your team members for ideas on additional services.
  2. Check out competitors and see what they’re doing. Don’t copy them exactly (as the idea is, after all, differentiation) but use those ideas for inspiration.
  3. When polling your clients, ask them for additional feedback, such as: “If we started offering this additional service, would you find it valuable? Would you sign up for it? Would you pay x amount for it?”

Only the Beginning

The ideas in this article are only the beginning, of course. It can sometimes be a long road to change established processes and mindsets at any company. But hopefully we’ve given you some ideas for how to start today on improving the perceived value of your company and, by extension, set yourself apart from the pack.

Was This Article Helpful?

Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch soon.

If you’ve found this article helpful, please reach out and let us know how the information has worked for you. And keep an eye out for the future articles in this series.

InfoSec Experience Is Not Enough…

If you work in the information security industry, you probably are already well aware of the growing competition and commoditization in the marketplace. Overseas companies and small consultancies are charging lower rates, which can make it hard for companies to show why their higher rates are justified.

The truth is that pure, technical experience is no longer enough. It may have been, a few years ago, when competition in our industry was low, but it’s not enough anymore. Even if you know for a fact that you have one of the best, most technically skilled InfoSec teams out there, it doesn’t mean anything unless you are communicating that to your potential clients.

This article (the first in a series) takes a look at some of the reasons behind the industry commoditization. It will also, hopefully, start you out on a journey of optimizing and standardizing your company’s methodology and client-facing communications.

Increasing Competition and Commoditization

You probably already know many of the factors leading to lower average rates in the industry, but here’s a quick rundown:

  • Overseas competition: There are a growing number of overseas InfoSec companies, almost all charging significantly lower rates than the rates of companies in developed countries.
  • Small companies: There are an increasing number of small InfoSec startups. Their lower overhead means they can charge lower rates.
  • Freelancers: Similarly, there are many freelancers (some perhaps are your ex-employees), doing jobs for lower-than-average rates.
  • Software applications: There are a growing number of pentesting applications and tools, which can serve to level the playing field a bit. More importantly, though, it makes it seem to potential clients as if pentesting is more of an interchangeable commodity than it actually is.

All of these factors are creating what has been called a “race to the bottom”. InfoSec companies who were having no problem charging their normal rates a few years ago are now feeling the pressure to match lower rates from competitors or overseas companies to keep their lights on.

For all of these reasons, it is no longer enough for an InfoSec company to be great. They must show and prove their greatness.

Proving Value to Clients

For many InfoSec companies, the idea of communicating their strengths to clients is a foreign one. So many InfoSec companies are focused almost entirely on staying up-to-date on technology and vulnerabilities, and on working on their projects. This is understandable; the work is very important. Without high-quality work, nothing is possible.

But competing in this modern, highly competitive marketplace means you must find ways to show why the work is high-quality. For many InfoSec companies, this will mean making adjustments to their fundamental business philosophy. It will mean focusing, as an organization, on the many ways it’s possible to improve your processes and to showcase those processes.

A Cultural Shift

For many companies primarily focused on the projects right in front of them, this will be a complete cultural shift. An analogy could be made to the major cultural change that happened in American car manufacturing in the 1980s, as companies like Ford and General Motors realized it was necessary to emulate the philosophies of Continual Improvement used by Japanese industry.

In a similar way, InfoSec companies must adopt a new mindset focused on the client experience and client-facing communication.

Improving Processes

The biggest part of improving the client experience (and potential client experience) is in optimizing and standardizing your processes and procedures. A few examples of how process improvements will help you prove your worth to clients:

The Power of Consistency

Your methodology must be truly consistent. Many companies say things like: “Our process is standardized. We always do x, y, and z on every project we work on.” But in reality, there may be significant variance in methodology from project to project. Different team members and managers may work on every project, and they may have different methods and styles. The company may pay lip service to the idea of consistency, but it may not value it in practice.

Being truly consistent means setting that principle as a real requirement on every project.

  • There have to be standards in place.
  • Those standards and systems need to be clearly communicated to every team member.
  • Managers must communicate why those systems are in place and why they are important.
  • There must be concrete measures in place to ensure guidelines are maintained so that, if there is a problem with a project or with a team member’s performance, it can be spotted and addressed.

In many InfoSec companies, the culture will make this difficult. (And we’ll talk more about ways to overcome these cultural obstacles in a future article.) But process consistency is vital. Clients want to know what to expect when they hire you and rehire you; this is especially true for the biggest clients. Consistent processes will demonstrate to your clients (especially your repeat clients) that you value consistency. And with greater consistency, it will be easier to demonstrate what exactly makes your team valuable.

The Power of Reports

Most InfoSec companies understand that reports are valuable, but they don’t truly understand just how valuable. A report is not just a way to communicate technical vulnerabilities and assessments. It is an opportunity. A report can be an opportunity to:

  • Showcase your consistent processes: If your methodology and business processes are fantastic, and consistent, then a report is a way to showcase your methods and how you thoroughly arrived at your results. You must find a way to work your methodology cleanly into your reports. And you must find a way to make that a part of your process that happens every time.
  • Prove the right team was on the job: Clients want to feel assured that you have the best people on the job. Reports are an opportunity to show to clients that the people working on their project are highly qualified. (We’ll talk more about the importance of this perception in a future article.)
  • Get repeat business: When you send deliverables, you are also, indirectly, pitching a client on future work. A report can showcase the benefits of your methodology, which can be a convincing sales message in itself. The report can also communicate the benefits of regular testing, so that pentesting catches new vulnerabilities as they appear. For example, your team might notice problems outside of the scope of the investigation; the report is an opportunity to point out those issues and recommend future responses.

Collaboration and reporting platforms are becoming more and more a must-have for InfoSec companies. These programs help ensure all team members are on the same page and speed up your reporting process. They also make it easier for certain types of communications to wind up in your reports every time, which is important for showcasing your consistency.

The Power of Customer Service and Follow-up

For many InfoSec companies, the idea of customer service is foreign. Following up with clients, or asking for feedback on projects, may not be part of a company’s culture.

But this will need to change if a company wants to be optimally competitive. Companies will need to focus more on the client experience. Managers will need to communicate to team members why customer service is valuable, and what “customer service” means in our project-based, extremely technical industry. Clients will need to be prompted for criticisms (and, concurrently, testimonials) so that processes can be continually improved.

Managers and employees must understand that asking for feedback, and ensuring client happiness, is not a “soft” side of the business. Getting feedback from clients is part of a process of continual improvement. Without knowing what makes clients satisfied or frustrated, it’s impossible to improve your service or, more importantly, the perception of your product.

These are the same philosophies that helped Japanese auto manufacturers climb to dominance after World War II: a continual focus on their users’ experience and a continual focus on process improvement.

Change Is Possible

At this point, you might be thinking something like, “These are all great, lofty ideas, but you have no idea what it’s like at my company. These things would be impossible to implement here.”

But process improvements and cultural improvements are always possible. It doesn’t matter if you’re a manager or owner trying to implement a top-down improvement process, or a team member trying to convince the higher-ups that there’s a better way of doing things. Change is possible; it will just require intelligent planning and, sometimes, patience and persuasion.

In the coming articles in this series, we’ll be looking at some specific strategies and tips you can start putting in place immediately. These strategies will help you optimize your processes and differentiate your company from your competitors. We will also focus on helping you prove the value of these ideas to your own team, because that is often the most important and difficult part of any institutional change.
