There is increasing competition and commoditization in the information security marketplace. For better or worse, pure technical knowledge and experience is not enough. InfoSec companies must go out of their way to demonstrate and communicate their value to potential clients. This includes optimizing and standardizing internal processes and client-facing communications. This article (the first in a series) discusses the problems facing InfoSec companies and some strategies for standing out from the crowd.

1. InfoSec Experience Is Not
Enough…

2. If you work in the information security industry, you
probably are already well aware of the growing
competition and commoditization in the
marketplace.
Overseas companies and small consultancies are
charging lower rates, which can make it hard for
companies to show why their higher rates are
justified.

3. The truth is that pure, technical experience is no
longer enough. It may have been, a few years ago,
when competition in our industry was low, but it’s
not enough anymore.
Even if you know for a fact that you have one of the
best, most technically skilled InfoSec teams out
there, it doesn’t mean anything unless you are
communicating that to your potential clients.

4. This article (the first in a series) takes a look at some
of the reasons behind the industry commoditization.
It will also, hopefully, start you out on a journey of
optimizing and standardizing your company’s
methodology and client-facing communications.

5. Increasing Competition and
Commoditization

6. You probably already know many of the factors
leading to lower average rates in the industry, but
here’s a quick rundown:

7. —Overseas competition: There are a growing
number of overseas InfoSec companies, almost
all charging significantly lower rates than the
rates of companies in developed countries.
—Small companies: There are an increasing number
of small InfoSec startups. Their lower overhead
means they can charge lower rates.

8. —Freelancers: Similarly, there are many freelancers
(some perhaps are your ex-employees), doing
jobs for lower-than-average rates.

9. —Software applications: There
are a growing number of
pentesting applications and
tools, which can serve to level
the playing field a bit. More
importantly, though, it makes
it seem to potential clients as
if pentesting is more of an
interchangeable commodity
than it actually is.

10. All of these factors are creating what has been
called a “race to the bottom”. InfoSec companies
who were having no problem charging their normal
rates a few years ago are now feeling the pressure
to match lower rates from competitors or overseas
companies to keep their lights on.

11. For all of these reasons, it is no longer enough for an
InfoSec company to be great. They must show and
prove their greatness.

12. Proving Value to Clients

13. For many InfoSec companies, the concept of trying
to communicate their strengths to clients is a
foreign concept.
So many InfoSec companies are focused almost
entirely on staying up-to-date on technology and
vulnerabilities, and working on their projects. This is
understandable; the work is very important. Without
high-quality work, nothing is possible.

14. But competing in this modern, highly competitive
marketplace means you must find ways to show
why the work is high-quality.
For many InfoSec companies, this will mean making
adjustments to their fundamental business
philosophy. It will mean focusing, as an organization,
on the many ways it’s possible to improve your
processes and to showcase those processes.

15. A Cultural Shift

16. For many companies primarily focused on the
projects right in front of them, this will be a
complete cultural shift.

17. An analogy could be made to the
major cultural change that
happened in American car
manufacturing in the 1980s, as
companies like Ford and
General Motors realized it was
necessary to emulate the
philosophies of Continual
Improvement used by Japanese
industry. If you’d like to learn
more about those cultural
changes, click here.

18. In a similar way, InfoSec companies must adapt a
new mindset focused on the client experience and
client-facing communication.

19. Improving Processes

20. The biggest part of improving the client experience
(and potential client experience) is in optimizing and
standardizing your processes and procedures. A few
examples of how process improvements will help
you prove your worth to clients:

21. The Power of Consistency

22. Your methodology must be truly consistent. Many
companies say things like: “Our process is
standardized. We always do x, y, and z on every
project we work on.” But in reality, there may be
significant variance in methodology from project to
project.

23. Different team members and managers may work on
every project, and they may have different methods
and styles. The company may pay lip service to the
idea of consistency, but it may not value it in
practice.

24. Being truly consistent means setting that principle
as a real requirement on every project.
—There have to be standards in place.
—Those standards and systems need to be clearly
communicated to every team member.
—Managers must communicate why those systems
are in place and why they are important.

25. —There must be concrete measures in place to
ensure guidelines are maintained so that, if there
is a problem with a project or with a team
member’s performance, it can be spotted and
addressed.

26. In many InfoSec companies, the culture will make
this difficult. (And we’ll talk more about ways to
overcome these cultural obstacles in a future
article.) But process consistency is vital. Clients
want to know what to expect when they hire you and
rehire you; this is especially true for the biggest
clients.

27. Consistent processes will demonstrate to your
clients (especially your repeat clients) that you value
consistency. And with greater consistency, it will be
easier to demonstrate what exactly makes your
team valuable.

28. The Power of Reports

29. Most InfoSec companies understand that reports
are valuable, but they don’t truly understand just
how valuable. A report is not just a way to
communicate technical vulnerabilities and
assessments. It is an opportunity. A report can be an
opportunity to:

30. Showcase your consistent processes: If your
methodology and business processes are fantastic,
and consistent, then a report is a way to showcase
your methods and how you thoroughly arrived at
your results.
You must find a way to work your methodology
cleanly into your reports. And you must find a way to
make that a part of your process that happens every
time.

31. Proving the right team was on the job: Clients want
to feel assured that you have the best people on the
job. Reports are an opportunity to show to clients
that the people working on their project are highly
qualified. (We’ll talk more about the importance of
this perception in a future article.)

32. Get repeat business: When you send deliverables,
you are also, indirectly, pitching a client on future
work. A report can showcase the benefits of your
methodology, which can be a convincing sales
message in itself.

33. The report can also communicate the benefits of
regular testing to make sure pentesting catches new
vulnerabilities. For example, your team might notice
problems outside of the scope of the investigation;
the report is an opportunity to point out those issues
and recommend future responses.

34. Collaboration and reporting platforms are becoming
more and more a must-have for InfoSec companies.
These programs help ensure all team members are
on the same page and speed up your reporting
process.
They also make it easier for certain types of
communications to wind up in your reports every
time, which is important for showcasing your
consistency.

35. The Power of Customer Service and
Follow-up
For many InfoSec companies,
the idea of customer service is
foreign. Following up with
clients, or asking for feedback
on projects, may not be part of a
company’s culture.

36. But this will need to change if a company wants to
be optimally competitive. Companies will need to
focus more on the client experience.

37. Managers will need to communicate to team
members why customer service is valuable, and
what “customer service” means in our project-
based, extremelytechnical industry.
Clients will need to be prompted for criticisms (and,
concurrently, testimonials) so that processes can be
continually improved.

38. Managers and employees must
understand that asking for
feedback, and ensuring client
happiness, is not a “soft” side of
the business. Getting feedback
from clients is part of a process
of continual improvement.
Without knowing what makes
clients satisfied or frustrated, it’s
impossible to improve your
service. Or, more importantly,
the perception of your product.

39. These are the same philosophies that helped
Japanese auto manufacturers climb to dominance
after World War II: a continual focus on their users’
experience and a continual focus on process
improvement.

40. Change Is Possible

41. At this point, you might be thinking something like,
“These are all great, lofty ideas, but you have no
idea what it’s like at my company. These things
would be impossible to implement here.”

42. But process improvements and cultural
improvements are always possible. It doesn’t matter
if you’re a manager or owner trying to implement a
top-down improvement process, or a team member
trying to convince the higher-ups that there’s a
better way of doing things.
Change is possible; it will just require intelligent
planning and, sometimes, patience and persuasion.

43. In the coming articles in this series, we’ll be looking
at some specific strategies and tips you can start
putting in place immediately. These strategies will
help you optimize your processes and differentiate
your company from your competitors.

44. We will also focus on helping you prove the value of
these ideas to your own team, because that is often
the most important and difficult part of any
institutional change.

45. If You Need Help…
Security Roots’ founder Daniel Martin conceived
and created the open-source collaboration tool
Dradis Framework in 2007. The success of that
application led to the creation of the Security Roots
company and Dradis Professional Edition software.

46. Over the years, Security Roots has helped hundreds
of InfoSec clients improve their team collaboration
and report creation processes. If you have any
questions about what we do or the solutions we
provide, please fill out our Contact Form and we’ll
be in touch right away.
If you’ve found this article helpful, please reach out
and let us know how the information has worked for
you. And keep an eye out for the future articles in
this series.