Monthly Archives: August 2015

Stabilizing (and Increasing) Revenue

Many information security companies these days are struggling to maintain revenue. Many are finding it difficult to maintain their rates and their client list. The InfoSec market has been increasingly commoditized, with many standalone pentesting tools and many new competitors.

With these new market pressures, InfoSec consultancies are trying to provide as much value to their clients as possible, and are looking for ways to provide new and ongoing services.

In this article, we’ll look at some ideas for stabilizing and increasing revenue at your InfoSec company. Some of these ideas are currently being used by some InfoSec companies, but at Security Roots, we believe these ideas are deserving of wider implementation and experimentation.

You can think of this article as a brainstorming tool. As you read these insights, apply them to your company and your specific clients.

Pre-Booking Work

The first idea we’ll look at is the pre-booking of work, which is the point when you sell your services to a client for a specific time in the future. For example, a client has an app scheduled for release six months away, so you pre-sell them 60 man-hours that they can use any time during that month.

Often, this is used in conjunction with a discount on the usual rate. Maybe you offer your services at 80% of your normal rate when booked six months ahead or during a typically quiet block of time on your calendar.

This is a technique used in a lot of industries to exert some control on the ebb and flow of demand. For example, the airline industry lowers its rates during slow seasons in order to maintain smoothness in its bookings. Offering a pre-booking discount could also be a way for your consultancy to maintain some smoothness in your schedule and even out the times of the year you know are historically slow or unpredictable.

Another way to implement this would be to have clients pay for x number of man-hours, which they could use at any time, as needed. Tweak this approach even further by charging higher rates to ensure immediate access and a rapid response from your team.

Retainer Service Agreements

With retainers, clients pay in advance for work to be specified later.

Some types of retainer-type agreements include:

  • Paying for emergency response work in the event something goes wrong. This retainer usage is kind of like insurance.For a fee, you’re ensuring that someone is available for an immediate response.
  • Clients pay upfront for a certain amount of pentesting and vulnerability-seeking per month (this is basically what we talked about above, with pre-booking of hours).
  • Clients pay upfront for guaranteed access to your team consulting and discussion.

With regards to this last idea, there are many ways you might provide clients access to your team’s expertise. Your team has deep insights into vulnerabilities and testing, of course, but they probably also have a lot of thoughts on secure development practices. So, for example, let’s say a software company client is adding an LDAP authentication layer to their software. This client might find it valuable to get input from one of your team members on the process to help them minimize risks of a future compromise.

Subscription Services

With subscription services, you are trying to achieve more passive income and move away from time-intensive tasks to more automatic ones. The main difference that separates subscription-based services from retainer-type services is that your subscription offerings are not tied to the specifics of a single project. Your subscription offerings are ways to bundle your expertise and knowledge into more packageable, automatic chunks. (Subscriptions can overlap with retainer agreements a bit, depending on the services offered.)

The traditional subscription service in the industry has been the Vulnerability Assessment service, which is often mandated by different policies and regulatory bodies (e.g. monthly PCI scans). But that is not the only service you can offer.

Examples of subscription services:

Automated (or semi-automated) newsletters/emails. With a content management system, you can create a database of which clients have specific technologies, and then automatically send security-related news about those individual techs every month (or more frequently) to your clients (e.g., security releases by vendors, new vulnerability classes, latest research / white papers / conference presentations / etc.). Basically, it’s kind of an automated, personalized newsletter. You can also add in items related to specific industries (for example, sending banking-related security news to your bank clients).

Product-specific recurring vulnerability scanning. (This could also be thought of as a retainer-based deal.) The idea is that you’re running automatic scans of specific products and technologies without much need for human oversight of the tests. We’ve seen this service with WordPress site scanning, but it also works for any other widely available product category: CMS, e-commerce shop, blogging platform, enterprise portal, etc.

Threat intelligence. No matter what your opinion is on the merits of “threat intelligence”, the truth is that vendors providing these types of service have found a profitable recurring subscription model.

Compliance and legal issues. In the same way, you could automatically gather news/updates on legal and compliance issues that affect clients in certain industries, certain regions, or certain technologies, and send that as an automatic email. This ongoing communication lets your clients know that you’re watching trends and watching out for them on multiple levels as you’re saving their mental bandwidth.

Recurring Testing Services

You could charge a retainer/subscription-type service for recurring vulnerability testing of various kinds. Examples of recurring tests are:

  • Recurring scans of critical assets
  • Perimeter monitoring
  • Social engineering and phishing attempts of company’s employees
  • Random DDoS fire drills

For all testing and scanning you do, you should be tracking your activities and the related improvements in the client’s system. This will let you easily prove the worth of the work your team is doing. Keep in mind that it’s not the raw data that is important to your clients; your main value is in providing them actionable information, which will come in the form of trends, delta reporting, and comparisons with other companies.

Recurring Training and Education

You could also provide recurring training and education for your clients. This could take many forms, depending on your area of expertise or the client’s needs. Ideas include:

Employee Awareness Campaigns

These could be occasional in-person or online training sessions, dedicated to improving the client workforce’s understanding of security threats. The more specific to a client’s needs and workplace you can make this, obviously the more value the client gets. But even a fully-automatic online training could improve things for many clients.

Awareness and training doesn’t have to be limited to lessons, video, or audio. It can also mean monitoring the news and forwarding to your clients specific instances where lack of awareness resulted in a breach or some other negative outcome. The idea is to make your client’s employees have an “aha” moment and think, “Well, I didn’t know about that vulnerability, and we could be the next headline.” This targeted information can prove to them the value of your regular input on security issues.

Training on Specific Products/Tech

You could do customized or automated online training on specific products and their vulnerabilities (e.g., WordPress, Sharepoint, etc.). This goes hand in hand with your product-specific scanning service. The knowledge you gain through the scanning service can be repackaged and offered as training material, hardening guides, etc.

Monthly Calls

Similar to the retainer-style agreement, you could have clients pay upfront for a certain number of hours to talk to your staff about practical issues they are facing or potential threats they want to discuss.

Better Opportunity Tracking

We might be saving the strongest idea for last here. One of the major ways InfoSec companies drop the ball is that they don’t optimally track the many ways they might continue to provide value for their existing clients. Here are some ideas on how to improve discovery of new opportunities:

  • Follow-up. Do you check back with existing clients regularly to see what they are doing and what they may need? It should be a part of your standard protocol to check in with clients.
  • Post-project surveys. When projects are done, a survey should be given to your clients. Not only does this help discover their opinions and thoughts on the completed project, it helps illuminate the value you just provided them, which might otherwise be a bit unclear. (For example, ask, “What potential future issues might have arisen if our team had not uncovered this vulnerability?”) The survey can also bring to light other areas in which you might offer them value.
  • Tracking products and technology used. By keeping files on what products and tech your clients are using, this will allow you to proactively look for opportunities to win work from them. For example, if there is a major vulnerability discovered in Android, it can be part of your process to send an email about this to your Android app clients.

Start Small and Improve

As we’ve talked about in past articles, you shouldn’t be afraid to start small. Some people put off making changes to their product/service offerings because they think there has to be some huge, overarching plan in place before they make changes. But if there are obvious quick and easy wins you can get by making the change, go ahead and do it.

For example, you could start offering retainer-type services tomorrow if you wanted. You could toss up some copy about these services immediately and that might have an immediate impact on attracting a new client.

The thing to remember about making these changes: you will be continuously improving them. As your clients give you feedback and as your team understands the product better, you will get better at doing it. You’ll figure out how to optimize the process, how to reach more clients, and how to make more money.

So, in short, don’t be afraid to start small and improve from there.


Hopefully this article has helped you brainstorm some ideas on how to stabilize and increase revenue at your InfoSec consultancy.

If this article strikes a chord with you, please reach out and let us know the financial challenges at your company and maybe some unique changes you’ve instituted to improve your situation.

In our next article in this series, we’ll be discussing ways to enact long-term and meaningful cultural change at your InfoSec company.

Was This Article Helpful?

Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch right away.