InfoSec Experience Is Not Enough…

If you work in the information security industry, you probably are already well aware of the growing competition and commoditization in the marketplace. Overseas companies and small consultancies are charging lower rates, which can make it hard for companies to show why their higher rates are justified.

The truth is that pure, technical experience is no longer enough. It may have been, a few years ago, when competition in our industry was low, but it’s not enough anymore. Even if you know for a fact that you have one of the best, most technically skilled InfoSec teams out there, it doesn’t mean anything unless you are communicating that to your potential clients.

This article (the first in a series) takes a look at some of the reasons behind the industry commoditization. It will also, hopefully, start you out on a journey of optimizing and standardizing your company’s methodology and client-facing communications.

Increasing Competition and Commoditization

You probably already know many of the factors leading to lower average rates in the industry, but here’s a quick rundown:

  • Overseas competition: There is a growing number of overseas InfoSec companies, almost all charging significantly lower rates than companies in developed countries.
  • Small companies: There are an increasing number of small InfoSec startups. Their lower overhead means they can charge lower rates.
  • Freelancers: Similarly, there are many freelancers (some perhaps are your ex-employees), doing jobs for lower-than-average rates.
  • Software applications: There are a growing number of pentesting applications and tools, which can serve to level the playing field a bit. More importantly, though, it makes it seem to potential clients as if pentesting is more of an interchangeable commodity than it actually is.

All of these factors are creating what has been called a “race to the bottom”. InfoSec companies that had no problem charging their normal rates a few years ago are now feeling the pressure to match the lower rates of competitors or overseas companies just to keep their lights on.

For all of these reasons, it is no longer enough for an InfoSec company to be great. They must show and prove their greatness.

Proving Value to Clients

For many InfoSec companies, the idea of communicating their strengths to clients is foreign. So many InfoSec companies are focused almost entirely on staying up-to-date on technology and vulnerabilities, and on working on their projects. This is understandable; the work is very important. Without high-quality work, nothing is possible.

But competing in this modern, highly competitive marketplace means you must find ways to show why the work is high-quality. For many InfoSec companies, this will mean making adjustments to their fundamental business philosophy. It will mean focusing, as an organization, on the many ways it’s possible to improve your processes and to showcase those processes.

A Cultural Shift

For many companies primarily focused on the projects right in front of them, this will be a complete cultural shift. An analogy could be made to the major cultural change that happened in American car manufacturing in the 1980s, as companies like Ford and General Motors realized it was necessary to emulate the philosophies of Continual Improvement used by Japanese industry.

In a similar way, InfoSec companies must adopt a new mindset focused on the client experience and client-facing communication.

Improving Processes

The biggest part of improving the client experience (and potential client experience) is in optimizing and standardizing your processes and procedures. A few examples of how process improvements will help you prove your worth to clients:

The Power of Consistency

Your methodology must be truly consistent. Many companies say things like: “Our process is standardized. We always do x, y, and z on every project we work on.” But in reality, there may be significant variance in methodology from project to project. Different team members and managers may work on every project, and they may have different methods and styles. The company may pay lip service to the idea of consistency, but it may not value it in practice.

Being truly consistent means setting that principle as a real requirement on every project.
  • There have to be standards in place.
  • Those standards and systems need to be clearly communicated to every team member.
  • Managers must communicate why those systems are in place and why they are important.
  • There must be concrete measures in place to ensure guidelines are maintained so that, if there is a problem with a project or with a team member’s performance, it can be spotted and addressed.

In many InfoSec companies, the culture will make this difficult. (And we’ll talk more about ways to overcome these cultural obstacles in a future article.) But process consistency is vital. Clients want to know what to expect when they hire you and rehire you; this is especially true for the biggest clients. Consistent processes will demonstrate to your clients (especially your repeat clients) that you value consistency. And with greater consistency, it will be easier to demonstrate what exactly makes your team valuable.

The Power of Reports

Most InfoSec companies understand that reports are valuable, but they don’t truly understand just how valuable. A report is not just a way to communicate technical vulnerabilities and assessments. It is an opportunity. A report can be an opportunity to:

Showcase your consistent processes: If your methodology and business processes are fantastic, and consistent, then a report is a way to showcase your methods and how you thoroughly arrived at your results. You must find a way to work your methodology cleanly into your reports. And you must find a way to make that a part of your process that happens every time.

Prove the right team was on the job: Clients want to feel assured that you have the best people on the job. Reports are an opportunity to show clients that the people working on their project are highly qualified. (We’ll talk more about the importance of this perception in a future article.)

Get repeat business: When you send deliverables, you are also, indirectly, pitching a client on future work. A report can showcase the benefits of your methodology, which can be a convincing sales message in itself. The report can also communicate the benefits of regular testing to make sure pentesting catches new vulnerabilities. For example, your team might notice problems outside of the scope of the investigation; the report is an opportunity to point out those issues and recommend future responses.

Collaboration and reporting platforms are becoming more and more a must-have for InfoSec companies. These programs help ensure all team members are on the same page and speed up your reporting process. They also make it easier for certain types of communications to wind up in your reports every time, which is important for showcasing your consistency.

The Power of Customer Service and Follow-up

For many InfoSec companies, the idea of customer service is foreign. Following up with clients, or asking for feedback on projects, may not be part of a company’s culture.

But this will need to change if a company wants to be optimally competitive. Companies will need to focus more on the client experience. Managers will need to communicate to team members why customer service is valuable, and what “customer service” means in our project-based, extremely technical industry. Clients will need to be prompted for criticisms (and, concurrently, testimonials) so that processes can be continually improved.

Managers and employees must understand that asking for feedback, and ensuring client happiness, is not a “soft” side of the business. Getting feedback from clients is part of a process of continual improvement. Without knowing what makes clients satisfied or frustrated, it’s impossible to improve your service or, more importantly, the perception of your product.

These are the same philosophies that helped Japanese auto manufacturers climb to dominance after World War II: a continual focus on their users’ experience and a continual focus on process improvement.

Change Is Possible

At this point, you might be thinking something like, “These are all great, lofty ideas, but you have no idea what it’s like at my company. These things would be impossible to implement here.”

But process improvements and cultural improvements are always possible. It doesn’t matter if you’re a manager or owner trying to implement a top-down improvement process, or a team member trying to convince the higher-ups that there’s a better way of doing things. Change is possible; it will just require intelligent planning and, sometimes, patience and persuasion.

In the coming articles in this series, we’ll be looking at some specific strategies and tips you can start putting in place immediately. These strategies will help you optimize your processes and differentiate your company from your competitors. We will also focus on helping you prove the value of these ideas to your own team, because that is often the most important and difficult part of any institutional change.

Was This Article Helpful?

Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch soon.

If you’ve found this article helpful, please reach out and let us know how the information has worked for you. And keep an eye out for the future articles in this series.
