There is increasing competition and commoditization in the information security marketplace. InfoSec companies must optimize and standardize their business processes and methodologies to differentiate themselves from competitors. This article (part of a series) discusses strategies for getting some immediate “quick wins” at your company. It looks at some steps you can take now, today, to start seeing improvement and better responses from your clients.

1. Differentiating Your
InfoSec Company: Getting
Some “Quick Wins”

2. (Note: This article is part of a series about
differentiating your InfoSec company from
competitors and improving your perceived value.)

3. In our first article, we talked about some of the
problems facing InfoSec companies: overseas
competition, competition from smaller firms and
consultancies, and the commoditization of
pentesting in general.
The primary challenge for many InfoSec companies
is to stand out--to showcase to current and future
clients what makes their service different, valuable,
and worth the rates being charged.

4. The process of re-positioning and differentiating an
InfoSec company from competitors will be a long
and ongoing process, involving procedural changes
and cultural changes. In this article we’ll look at
some things you can start doing immediately to gain
some “quick wins” at your company.

5. Plan Quick Wins As Part of a Long-
Term Process

6. Why do most New Year’s resolutions fail? It’s
because most people try to implement change
suddenly, immediately, and haphazardously, without
having an underlying strategy or process.

7. When trying to change an organization’s processes
and philosophy, you should remember that the
actions you take today should be part of a deeper,
longer-term strategy. Immediate actions are great,
as long as they are part of a sustained push towards
continual improvement.

8. There are a few dangers in attempting to implement
organizational changes without having a broader
plan:

9. —You might alienate your technical team. If they are
used to doing things “their way”, drastic attempts
to change their behavior will likely alienate them
and ultimately fail.

10. —You might cause disruptions to projects and
workflow. If you attempt to implement change too
rapidly, your team will be confused and work
quality will suffer, and this will probably be noticed
by your clients.

11. Your attempts at quick wins should be focused on:

12. Demonstrating value to your
clients. Improving your client’s
experience and perception of
your company is key to the
differentiation process. You want
to, above all, make sure your
changes are positively
influencing your clients’
experience.

13. Demonstrating value to your team members. The
more you can show your team why your changes are
valuable and necessary, the more likely it becomes
that they will absorb those reasons and make them
their own. You want to make it as painless as
possible for your team to implement the changes.

14. Most of the quick wins we will look at will involve
gathering information, whether from clients or from
team members. This is usually the lowest-hanging
and most valuable fruit. Asking questions and
gathering information gets you clear on the direction
you should be heading in and the steps you should
be taking next.

15. Focus On Core Competencies

16. What does your company do best? What are your
strengths? Having core competencies and a niche
sets you apart from your competitors and gets you
greater attention.

17. This can be counter-intuitive. At
many companies (not just
InfoSec companies), there can
be the philosophy of: “Well, we
have to do everything, because
if we don’t do everything, we’ll
miss some clients.” Or: “Our
client just asked for this. We
have to give it to them to make
them happy.”

18. This leads to a marketplace where pentesting seems
more of a generic commodity than it is. Your
potential client may be looking at a line of near-
identical InfoSec companies, all of whom claim to
do everything. In such a marketplace, it can be hard
to stand out.

19. Focusing on what you’re truly great at has several
positive results:
—You become known for being great at the specific
systems and technologies at which you excel.
—By voluntarily defining what you’re not good at,
your perceived strengths become that much more
believable.

20. In short, there is power in saying “No” to clients and
defining your focus.
One example of how this can play out: If you define
one of your core competencies to be SAP Security,
then your client may not hire you to do an Android
assessment. This may seem like a lost opportunity,
and perhaps it is in the short-term.

21. But what will happen is that your clients and
colleagues will remember what your focus is, and
will respect that you have a focus and are willing to
admit when something is not your specialty. Clients
will be more likely to get in touch with you later
when they have a problem that falls in your area of
expertise.

22. And, down the road, if you expand your core
competencies to other technologies, your claims of
expertise will be that much more believable and
powerful.

23. Not only is this approach powerful for gaining
respect from clients, it also gains you respect from
talent you may be recruiting.
Being known as a company that specializes in
cryptography vulnerabilities, for example, will make
it more likely that cryptography experts will want to
work with you, which creates a positive feedback
loop for your quality and reputation.

24. Quick Wins

25. Here are some beginning steps
for establishing your company’s
core competencies.

26. 1. Set up an internal meeting to brainstorm what
your core strengths are, and how you want to
position yourself in the marketplace.
2. Ask, “Who are our ideal clients?” Getting clear
about what clients make your team happy lead to
realizations about what your strengths are.

27. 3. Ask, “Who are the clients we don’t want to
serve?” Identifying the clients who aren’t right for
you will help you adjust your messaging to speak to
the right audience. This will create a self-selecting
process, where your favorite work is attracted to
you and your least favorite work is not.

28. 4. Research the industry to see what needs may be
underserved. Can you think of a strength you have
that not many companies are focused on serving?
5. Talk to colleagues about your ideas for niche
positioning. Ask for feedback about whether your
ideas for positioning will be perceived as valid.

29. 6. Talk to new prospects as if you’ve already
repositioned the company and gauge their
response. For example, if you’re at a networking
event, you might talk to new contacts using your
new company messaging and focus, and see how
they react, whether positively or with no interest.
With methods like these, you can test client and
industry response before acting implementing the
change on a bigger scale.

30. 7. Talk to trusted clients and run
your ideas by them. Ask
questions like, “If we focused on
this specific service, would this
be valuable to you?”

31. Learn What Makes Clients Happy

32. As we talked about a bit in our first article, InfoSec
companies can be a little out of touch with ideas of
customer service. Often, companies are so focused
on the project at hand and delivering the report on
time, that client experience can be the last thing on
your team’s mind.
But in order to differentiate and get noticed, your
team, like it or not, will have to make strides in
improving clients’ experience.

33. Part of the problem is that business owners will
often make assumptions about what their clients
value. You may assume that your clients value X, Y,
and Z about your company. But unless you explicitly
ask, you won’t know.

34. For example, maybe you think your clients value
your technical expertise and professionalism, when
the truth is that your clients value your ability to
accommodate sudden changes in scheduling. Or
maybe, above all else, they value a very clear
Executive Summary section, which helps them make
the case for IT security initiatives.

35. The point is: You shouldn’t assume anything about
what makes your clients happy.

36. The first thing to do to get more clear in this area is
to gather information from clients: information about
what they value, what they don’t value; what works,
what doesn’t work; what they like about your
company specifically and what they don’t like. This
information can then be used to:

37. —Expose major failures in how your company is
serving clients
—Improve and standardize business procedures
and pentesting methodologies

38. —Decide on a new company focus (i.e., a core
competency)
—Improve the value and consistency of deliverables
—Come up with new services (i.e., new ways to
make money or add value)

39. Also, the nice thing about eliciting client feedback is
that it helps you sell the necessary changes to your
team members. If clients make it clear that they
want to see changes, such communication is harder
for everyone to ignore.

40. Quick Wins

41. Here are some starting steps for
gathering much-needed client
thoughts.
1. Have a team meeting and
think about the types of
questions that would be
valuable to ask your clients.
Examples of valuable questions
include:

42. —“How would you compare your experience with
our company with your experiences at other
companies?”
—For repeat clients: “How would you compare your
most recent experience with previous
experiences?”
—“How would you rate the value of our report?”

43. —“What would you like to see from our report that
you didn’t?”
—What is the worst part of our reports?
—What is our weakest point compared to other
vendors?
—“Have you recommended us in the past? Why or
why not?”
—“What kinds of InfoSec services would you like to
see offered but are not getting?”

44. For ease of use, you should try to make most
questions Yes/No or a single-choice on a rating
scale (e.g., a 1 to 10 scale). Requests for long
responses are sometimes too much of a demand
and don’t result in actionable information.

45. Here is an article with many examples of questions
you can use to gather customer feedback. And here
is an example survey, hosted with Google Forms,
that you can copy and modify to hit the ground
running.

46. 2. Using the most relevant questions, draft an email
survey to send to existing and past clients. Store the
responses to the survey in a format that is easy to
share with your team in an ongoing manner (for
example, an internal wiki).

47. 3. Start to create feedback loops in your delivery
process for gathering client feedback. For example,
you might put a section in the report template that
asks them to click a link and fill out a feedback
form. By making feedback-gathering part of your
process, you ensure it will be done on every project.

48. 4. Set up a reward system for team members who
get high evaluations from clients. (But don’t punish
team members just because they don’t get high
marks. Employee shortcomings, it has been shown
time and time again, are almost always caused by a
faulty process.)

49. Develop New Services

50. Your company’s relationship with your clients
doesn’t end with the deliverable. But it may seem
that way at many InfoSec companies, where
everything is about completing a project and moving
on to the next one.

51. Ideally, you want to be thinking of additional
services that aid your clients’ understanding and
deal with their vulnerabilities in an ongoing fashion.
Adding additional services has a couple positive
effects:

52. —Services can be additional products and ways to
make money.
—They can be bundled with your existing pentesting
services, as a way to provide added value and to
justify your rates.
—They differentiate you from your competitors.

53. Some ideas for additional services:
—Offer clients a custom emailed newsletter that
features information on security vulnerabilities for
the specific technologies they use. For example, if
your client uses WordPress and Magento, every
month you deliver them updates and news on WP
and Magento security issues. (This could be set
up pretty easily in a content management system.)

54. —Subscription services that allow your clients to
get quick responses and input whenever they run
into security problems or just want to bounce an
idea off someone knowledgeable. This is
essentially a support contract or retainer with
guaranteed response time.

55. —You could remove a common gap between
discovery and remediation by providing
vulnerability data in a format clients could upload
directly into their bug tracker. (Of course, the
format each client needs will depend on the
specifics of their bug tracking system.)

56. These are just a few ideas for additional services.
Blue Ocean Strategy is a popular book about
creating uncontested market space, and includes
many ideas on how to differentiate offerings and
create new services.

57. Quick Wins

58. Here are some starting steps for coming up with
auxiliary, value-added services.

59. 1. Ask your team members for ideas on additional
services.
2. Check out competitors and see what they’re
doing. Don’t copy them exactly (as the idea is, after
all, differentiation) but use those ideas for
inspiration.

60. 3. When polling your clients, ask them for additional
feedback, such as: “If we started offering this
additional service, would you find it valuable? Would
you sign up for it? Would you pay x amount for it?”

61. Only the Beginning

62. The ideas in this article are only the beginning, of
course. It can sometimes be a long road to change
established processes and mindsets at any
company. But hopefully we’ve given you some ideas
for how to start today on improving the perceived
value of your company and, by extension, set
yourself apart from the pack.

63. If You Need Help…
Security Roots’ founder Daniel Martin conceived
and created the open-source collaboration tool
Dradis Framework in 2007. The success of that
application led to the creation of the Security Roots
company and Dradis Professional Edition software.

64. Over the years, Security Roots has helped hundreds
of InfoSec clients improve their team collaboration
and report creation processes. If you have any
questions about what we do or the solutions we
provide, please fill out our Contact Form and we’ll
be in touch right away.
If you’ve found this article helpful, please reach out
and let us know how the information has worked for
you. And keep an eye out for the future articles in
this series.