As information security consultancy becomes more commoditized with more testing tools and more competitors in the market, consulting companies are looking for ways to survive and to thrive. This article (part of a series) discusses methods to stabilize revenue and increase it. Ideas discussed include subscription services, retainer agreements, and recurring pentesting.
Many information security companies these days are struggling to maintain revenue. Many are finding it difficult to maintain their rates and their client list. The InfoSec market has been increasingly commoditized, with many standalone pentesting tools and many new competitors.

With these new market pressures, InfoSec consultancies are trying to provide as much value to their clients as possible, and are looking for ways to provide new and ongoing services.

In this article, we’ll look at some ideas for stabilizing and increasing revenue at your InfoSec company. Some of these ideas are currently being used by some InfoSec companies, but at Security Roots, we believe they deserve wider implementation and experimentation.

You can think of this article as a brainstorming tool. As you read these insights, apply them to your company and your specific clients.
The first idea we’ll look at is the pre-booking of work: selling your services to a client for a specific time in the future. For example, a client has an app scheduled for release six months away, so you pre-sell them 60 man-hours that they can use any time during that month.

Often, this is used in conjunction with a discount on the usual rate. Maybe you offer your services at 80% of your normal rate when booked six months ahead or during a typically quiet block of time on your calendar.

This is a technique used in a lot of industries to exert some control on the ebb and flow of demand. For example, the airline industry lowers its rates during slow seasons in order to keep its bookings smooth. Offering a pre-booking discount could also be a way for your consultancy to keep your schedule smooth and even out the times of the year you know are historically slow or unpredictable.

Another way to implement this would be to have clients pay for x number of man-hours, which they could use at any time, as needed. Tweak this approach even further by charging higher rates to ensure immediate access and a rapid response from your team.
With retainers, clients pay in advance for work to be specified later. Some types of retainer-type agreements include:

—Paying for emergency response work in the event something goes wrong. This use of a retainer is a bit like insurance: for a fee, you’re ensuring that someone is available for an immediate response.
—Clients pay upfront for a certain amount of pentesting and vulnerability-seeking per month (this is basically what we talked about above, with pre-booking of hours).
—Clients pay upfront for guaranteed access to your team for consulting and discussion.

With regards to this last idea, there are many ways you might provide clients access to your team’s expertise. Your team has deep insights into vulnerabilities and testing, of course, but they probably also have a lot of thoughts on secure development practices.

So, for example, let’s say a software company client is adding an LDAP authentication layer to their software. This client might find it valuable to get input from one of your team members on the process to help them minimize the risk of a future compromise.
With subscription services, you are trying to achieve more passive income and move away from time-intensive tasks to more automatic ones. The main difference that separates subscription-based services from retainer-type services is that your subscription offerings are not tied to the specifics of a single project.

Your subscription offerings are ways to bundle your expertise and knowledge into more packageable, automatic chunks. (Subscriptions can overlap with retainer agreements a bit, depending on the services offered.)

The traditional subscription service in the industry has been the Vulnerability Assessment service, which is often mandated by different policies and regulatory bodies (e.g. monthly PCI scans). But that is not the only service you can offer.

Automated (or semi-automated) newsletters/emails. With a content management system, you can create a database of which clients use specific technologies, and then automatically send security-related news about those individual technologies every month (or more frequently) to your clients (e.g., security releases by vendors, new vulnerability classes, the latest research, white papers, conference presentations, etc.). Basically, it’s kind of an automated, personalized newsletter. You can also add in items related to specific industries (for example, sending banking-related security news to your bank clients).

Product-specific recurring vulnerability scanning. (This could also be thought of as a retainer-based deal.) The idea is that you’re running automatic scans of specific products and technologies without much need for human oversight of the tests. We’ve seen this service with WordPress site scanning, but it also works for any other widely available product category: CMS, e-commerce shop, blogging platform, enterprise portal, etc.

Threat intelligence. No matter what your opinion is on the merits of “threat intelligence”, the truth is that vendors providing these types of service have found a profitable recurring subscription model.

Compliance and legal issues. In the same way, you could automatically gather news/updates on legal and compliance issues that affect clients in certain industries, certain regions, or certain technologies, and send that as an automatic email.

This ongoing communication lets your clients know that you’re watching trends and watching out for them on multiple levels, while saving their mental bandwidth.
You could charge a retainer/subscription-type fee for recurring vulnerability testing of various kinds. Examples of recurring tests are:

—Recurring scans of critical assets
—Perimeter monitoring
—Social engineering and phishing attempts against the company’s employees
—Random DDoS fire drills

For all testing and scanning you do, you should be tracking your activities and the related improvements in the client’s system. This will let you easily prove the worth of the work your team is doing. Keep in mind that it’s not the raw data that is important to your clients; your main value is in providing them actionable information, which will come in the form of trends, delta reporting, and comparisons with other companies.
You could also provide recurring training and education for your clients. This could take many forms, depending on your area of expertise or the client’s needs. Ideas include:

Employee Awareness Campaigns
These could be occasional in-person or online training sessions, dedicated to improving the client workforce’s understanding of security threats. The more specific to a client’s needs and workplace you can make this, obviously the more value the client gets. But even a fully automatic online training could improve things for many clients.

Awareness and training don’t have to be limited to lessons, video, or audio. They can also mean monitoring the news and forwarding to your clients specific instances where lack of awareness resulted in a breach or some other negative outcome. The idea is to make your client’s employees have an “aha” moment and think, “Well, I didn’t know about that vulnerability, and we could be the next headline.” This targeted information can prove to them the value of your regular input on security issues.

Training on Specific Products/Tech
You could do customized or automated online training on specific products and their vulnerabilities (e.g., WordPress, SharePoint, etc.). This goes hand in hand with your product-specific scanning service. The knowledge you gain through the scanning service can be repackaged and offered as training material, hardening guides, etc.

Monthly Calls
Similar to the retainer-style agreement, you could have clients pay upfront for a certain number of hours to talk to your staff about practical issues they are facing or potential threats they want to discuss.
We might be saving the strongest idea for last here. One of the major ways InfoSec companies drop the ball is that they don’t optimally track the many ways they might continue to provide value for their existing clients. Here are some ideas on how to improve discovery of new opportunities:

—Follow-up. Do you check back with existing clients regularly to see what they are doing and what they may need? It should be a part of your standard protocol to check in with clients.
—Post-project surveys. When projects are done, a survey should be given to your clients. Not only does this help discover their opinions and thoughts on the completed project, it helps illuminate the value you just provided them, which might otherwise be a bit unclear. (For example, ask, “What potential future issues might have arisen if our team had not uncovered this vulnerability?”) The survey can also bring to light other areas in which you might offer them value.
—Tracking products and technology used. Keeping files on what products and tech your clients are using allows you to proactively look for opportunities to win work from them. For example, if there is a major vulnerability discovered in Android, it can be part of your process to send an email about this to your Android app clients.
As we’ve talked about in past articles, you shouldn’t be afraid to start small. Some people put off making changes to their product/service offerings because they think there has to be some huge, overarching plan in place before they make changes. But if there are obvious quick and easy wins you can get by making the change, go ahead and do it.

For example, you could start offering retainer-type services tomorrow if you wanted. You could put up some copy about these services immediately, and that might have an immediate impact on attracting a new client.

The thing to remember about making these changes: you will be continuously improving them. As your clients give you feedback and as your team understands the product better, you will get better at doing it. You’ll figure out how to optimize the process, how to reach more clients, and how to make more money.

So, in short, don’t be afraid to start small and improve from there.

Next...
Hopefully this article has helped you brainstorm some ideas on how to stabilize and increase revenue at your InfoSec consultancy. If this article strikes a chord with you, please reach out and let us know the financial challenges at your company and maybe some unique changes you’ve instituted to improve your situation. In our next article in this series, we’ll be discussing ways to enact long-term and meaningful cultural change at your InfoSec company.
Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch right away.