I’ve spent a couple of days traveling around to agencies to teach.  It was fun but tiring, and the best part of it is that since I’m not teaching pure doctrine, I can include the “here’s how it works in real life” parts and some of the BSOFH parts–what I refer to as the “security management heretic thoughts”.

Some basic statements, the rest of this post will explain:

• C&A is a commodity market
• Security controls assessment is a commodity market
• PCI assessment is a commodity market
• Most MSSP (or rather, Security Device Management Service Providers) services are commodity markets

Now my boss said the first one to me about 4 months ago and it really needed some time for me to grasp the implications.  What we mean by “commodity market” is that since there isn’t really much of a difference between vendors, the vendors have to compete on having the lower price.

Now what the smart people will try to do is to take the commodity service and try to make it more of a boutique service by increasing the value.  Problem is that it only works if the customers play along and figure out how your service is different–usually what happens is you lose in the market simply because now you’re “too expensive”.

Where Boutique Sits by miss_rogue.

Since the security assessment world is a services business, the only way to compete in a commodity market is to pay your people less and try to charge more. But oh yeah, we compete on price, so that only leaves the paychecks as the way to keep the margin up.

Some ways that vendors will try to keep the assessment costs down:

• Hire cheaper people (yes, paper CISSPs)
• Try to reduce the engegement to a formula/methodlogy (ack, a checklist)
• It’s all about billability:  what percentage of your people’s time is not billable to clients? 
• Put people on assessments who have tangential skills just to keep them billable
• Use Cost-Plus-Margin or Time-Plus-Materials so that you can work more hours
• Use Firm-Fixed-Price contracts with highly reduced services ($150 PCI assessments)

Now inside Government contracting, there’s a fact that’s not known outside of the beltway:  your margins are fixed by the Government.  In other words, they only allow you to have around a 13-15% margin.  The way to make money is that the pie is a much bigger pie, even though you only get a small piece of it.  And yes, they do look at your accounting records and yes, there are loopholes, but for the most part, you can only collect this little margin.  If you stop and think about it, the Government almost forces the majority of its contractors into a commodity market.

Then we wonder why C&A engagements go so haywire…

The problem with commodity markets and vulnerability/risk/pen-test assessments is that your results, and by extension your ability to secure your data, are only as good as the skills and creativity of the people that the vendor sends.  Sounds like a problem?  It is.

So knowing this, how can you as the client get the most out of your service providers? This is a quick list:

• Every year (or every other), get an assessment from somebody who has a good reputation for being thorough (ie, a boutique)
• Be willing to pay more for services than the bottom of the market but be sure that you get quality people to go along with it, otherwise you’ve just added to the vendor’s margin with no real improvements to yourself
• Get assessments from multiple vendors across the span of a year or two–more eyes means different checklists
• Provide the assessors with your own checklists so you can steer them (tip from Dave Mortman)
• Self-identify vulnerabilities when appropriate (especially with vulnerabilities from previous assessments)
• Typical contracting fixes such as scope management, reviewing resumes of key personnel, etc
• Get lucky when the vendor hires really good people who don’t know how much they’re really worth (that was me 5 years ago)
• More than I’m sure will end up in the comments to this post  =)

And the final technique is that it’s all about what you do with the assessment results.  If you feed them into a mitigation plan (goviespeak: POA&M) and improve your security, it’s a win.

• Engagement Economics and Security Assessments
• Categories of Security Controls in Outsourcing
• Splunk Goes After the FISMA Lucre, They’re not Alone
• When the Feds Come Calling
• Split-Horizon Assessments and the Oversight Effect

Interestingly, Splunk has been going after FISMA dollars here lately.  check out the Forbes article, video on YouTube, and their own articles.  I guess there’s another “pig at the trough” (heh, including myself from time to time).

It’s interesting how companies decide to play in the Government market.  It seems like they fall into 2 categories:  companies that have grown to the point where they can sustain the long-term investment with a chance of payoff in 5 years, and companies that are desparate and want a spot at the trough.

To its credit, Splunk seems to be one of the former and not the latter, unlike the hordes of “Continuous Compliance” tools I’ve seen in the past year.

Which brings up the one big elephant in the room that nobody will talk about:  who is making money on FISMA?

This is my quick rundown on where the money is at:

• Large Security Services Firms:  Definitely.  About a quarter of that is document-munging and other jack*ssery that is wasteful, but a good 3/4 of the services are needed and well-received.  Survival tip:  combining FISMA services with other advisory/assessment services.
• Software and Product Vendors:  Yes and no.  Depends on how well they can make that crucial step of doing traceability from their product to the catalog of controls or have a product that’s so compelling that the Government can’t say no (A-V).  Survival tip:  Partner with the large integrator firms.
• Managed Security Service Providers:  Yes, for the time being,  but look at their market getting eaten from the top as US-CERT gets more systems monitored under Einstein and from the bottom as agencies stand up their own capabilities.  Survival tip: US-Cert affiliation and watch your funding trail, when it starts to dry up, you had better be diversified.
• System Integrators:  It’s split.  One half of them take a loss on FISMA-related issues because they get caught in a Do What I Mean with a “Contractor must comply with FISMA and all NIST Guidance” clause.  The other half know how to either scope FISMA into their proposals or they have enough good program management skills to protest changes in scope/cost.  Survival tip:  Have a Government-specific CSO/CISO who understands shared controls and how to negotiate with their SES counterparts.
• 8(a) and Security Boutique Firms:  Yes, depending on how well they can absorb overhead while they look for work.  Survival tip:  being registered as a disadvantaged/woman-owned/minority-owned/foo-owned business means that the big firms have to hire you because their contracts have to contain a certain percentage of small firms.
• Security Training Providers:  Yes.  These guys always win when there’s a demand.  That’s why SANS, ISC2, and a host of hundreds are all located around the beltway.  Survival tip:  trying to absorb government representation in training events and as speakers.

• NIST’S FISMA Pase II–Who Certifies Those who Certify the Certifiers?
• Security Assessment Economics
• More on Georgia’s FISMA Reporting
• Imagine that, System Integrators Doing Security Jointly with DoD
• Introducing the Government’s Great InfoSec Equities Issue