Engagement Economics and Security Assessments

Posted September 29th, 2010 by

Ah yes, I’ve explained this about a hundred times this week (at that thing that I can’t blog about, but @McKeay, @MikD and @Sawaba were there, so fill in the gaps), so I thought I should get this down somewhere.

The three factors that determine how much money you will make (or lose) in a consulting practice:

  • Bill Rate: how much you charge your customers.  This is pretty familiar to most folks.
  • Utilization: what percentage of your employees’ time is spent being billable.  The trick here is that if you can get them to work 50 hours/week, they’re at 125% utilization and suspiciously close to “uncompensated overtime”, a concept I’ll maybe explain in the future.
  • Leverage: the ratio of bosses to worker bees.  More experienced people are more expensive to have as employees, and a company usually loses money on these folks because their bill rate is less than what they are paid.  Conversely, the biggest margin is on work done by junior folks.  A highly leveraged ratio is 1:25; a lowly leveraged ratio is 1:5 or even less.

Site Assessment photo by punkin3.14.

And then we have the security assessments business and security consulting in general.  Let’s face it, security assessments are a commodity market.  Since most competitors in the assessment space charge the same amount (or at least relatively close to each other), this implies some things about the profitability of an assessment engagement:

  • Assuming a Firm Fixed Price for the engagement, the Effective Bill Rate is inversely proportional to the number of hours you spend on the project, i.e., $30K/60 hours = $500/hour and $30K/240 hours = $125/hour.  I know this is a shocker, but the less time you spend on an assessment, the bigger your margin, though you would also expect the quality to suffer.
  • Highly leveraged engagements let you keep margin, but over time the quality suffers.  1:25 is incredibly lousy for quality but awesome for profit.  If you start looking at security assessment teams, they’re usually 1:4 or 1:5, which means that the assessment vendor is getting squeezed on margin.
  • Keeping your people engaged as much as possible gives you that extra bit of margin.  Of course, if they’re spending 100% of their time on the road, they’ll get burned out really quickly.  This is bad both for staff longevity (and subsequent recruiting costs) and for work quality.

Now for the questions that this raises for me:

  • Is there a 2-tier market where there are ninjas (expensive, high quality) and farmers (commodity prices, OK quality)?
  • How do we keep audit/assessment quality up despite economic pressure?  I.e., how do we create the conditions where the ninja business model is viable?
  • Are we putting too much trust in our auditors/assessors for what we can reasonably expect them to perform successfully?
  • How can any information security framework focused solely on audit/assessment survive past 5 years? (5-10 years is the SWAG time on how long it takes a technology to go from “nobody’s done this before” to “we have a tool to automate most of it”)
  • What’s the alternative?

Posted in Rants, What Doesn't Work | 3 Comments »

3 Responses

  1.  Ben Says:

    Rather than seeking an alternative, maybe we should instead be compensating for the “lowest common denominator” nature of audit/assessment. Yes, there are “ninja” orgs, but they’re often a bit more specialized.

    The two things I’ve seen large audit firms try in optimizing their net is a) reducing personnel costs, and b) automating practices. The former tended to reduce quality, while the latter allowed for at least some evening out of quality, though it wasn’t likely to be all that good.

    In (a) we typically see the cheapest labor possible hired (fresh meat from college – even better if they lack IT skills). Of course, this really means pushing heavily into checklist-based work flows, with little or no adaptability. It’s how we end up with auditors saying “sorry, AES isn’t allowed, but 3DES is” when there’s a typo on their little list.

    In the case of (b) there was at least some hope for improvement in that some tools can do a better job than others. Unfortunately, as we now know, tools still require competent operators, and when you start with (a), then you kind of lose that angle. Oops.

    I think the answer overall, then, is to not rely too heavily on generalist auditors, and to then seek out skilled specialists for truly important assessment work. Now, the question is, how do you write a requirement that would result in this change? I think the failed model would be to require some sort of specialist certification that can then be leveraged into higher rates. Unfortunately, this has broken because the bar has been set too low, making it a field-leveler rather than a differentiator. Back to that old failed mindset…

    Bottom line: We’re not culturally positioned to embrace different approaches. We’re not ready to think differently.

  2.  Tweets that mention Engagement Economics and Security Assessments | The Guerilla CISO -- Topsy.com Says:

    […] This post was mentioned on Twitter by novainfosec, alex knorr. alex knorr said: Engagement Economics and Security Assessments: Ah yes, I’ve explained this about a hundred times this week (at tha… http://bit.ly/9ZWif7 […]

  3.  LonerVamp Says:

    *mumbling as I walk on by*

    What we need is some good ol’ fashioned sacrificial lambs to demonstrate that security has value and skimping with poor auditor quality could kill your business.

    At some point, we can invoke the Jerry Maguire approach of less clients, more personal! 🙂 I imagine that’s where many ninjas will go, eventually.
