Getting Some “Quick Wins”

In our first article, we talked about some of the problems facing InfoSec companies: overseas competition, competition from smaller firms and consultancies, and the commoditization of pentesting in general.

The primary challenge for many InfoSec companies is to stand out–to showcase to current and future clients what makes their service different, valuable, and worth the rates being charged.

The process of re-positioning and differentiating an InfoSec company from competitors will be a long and ongoing process, involving procedural changes and cultural changes. In this article we’ll look at some things you can start doing immediately to gain some “quick wins” at your company.

Plan Quick Wins As Part of a Long-Term Process

Why do most New Year’s resolutions fail? It’s because most people try to implement change suddenly, immediately, and haphazardously, without having an underlying strategy or process.

When trying to change an organization’s processes and philosophy, you should remember that the actions you take today should be part of a deeper, longer-term strategy. Immediate actions are great, as long as they are part of a sustained push towards continual improvement.

There are a few dangers in attempting to implement organizational changes without having a broader plan:

• You might alienate your technical team. If they are used to doing things “their way”, drastic attempts to change their behavior will likely alienate them and ultimately fail.
• You might cause disruptions to projects and workflow. If you attempt to implement change too rapidly, your team will be confused and work quality will suffer, and this will probably be noticed by your clients.

Your attempts at quick wins should be focused on:

Demonstrating value to your clients. Improving your client’s experience and perception of your company is key to the differentiation process. You want to, above all, make sure your changes are positively influencing your clients’ experience.

Demonstrating value to your team members. The more you can show your team why your changes are valuable and necessary, the more likely it becomes that they will absorb those reasons and make them their own. You want to make it as painless as possible for your team to implement the changes.

Most of the quick wins we will look at will involve gathering information, whether from clients or from team members. This is usually the lowest-hanging and most valuable fruit. Asking questions and gathering information gets you clear on the direction you should be heading in and the steps you should be taking next.

Focus On Core Competencies

What does your company do best? What are your strengths? Having core competencies and a niche sets you apart from your competitors and gets you greater attention.

This can be counter-intuitive. At many companies (not just InfoSec companies), there can be the philosophy of: “Well, we have to do everything, because if we don’t do everything, we’ll miss some clients.” Or: “Our client just asked for this. We have to give it to them to make them happy.”

This leads to a marketplace where pentesting seems more of a generic commodity than it is. Your potential client may be looking at a line of near-identical InfoSec companies, all of whom claim to do everything. In such a marketplace, it can be hard to stand out.

Focusing on what you’re truly great at has several positive results:

• You become known for being great at the specific systems and technologies at which you excel.
• By voluntarily defining what you’re not good at, your perceived strengths become that much more believable.

In short, there is power in saying “No” to clients and defining your focus.

One example of how this can play out: If you define one of your core competencies to be SAP Security, then your client may not hire you to do an Android assessment. This may seem like a lost opportunity, and perhaps it is in the short-term.

But what will happen is that your clients and colleagues will remember what your focus is, and will respect that you have a focus and are willing to admit when something is not your specialty. Clients will be more likely to get in touch with you later when they have a problem that falls in your area of expertise. And, down the road, if you expand your core competencies to other technologies, your claims of expertise will be that much more believable and powerful.

Not only is this approach powerful for gaining respect from clients, it also gains you respect from talent you may be recruiting. Being known as a company that specializes in cryptography vulnerabilities, for example, will make it more likely that cryptography experts will want to work with you, which creates a positive feedback loop for your quality and reputation.

Quick Wins

Here are some beginning steps for establishing your company’s core competencies.

1. Set up an internal meeting to brainstorm what your core strengths are, and how you want to position yourself in the marketplace.
2. Ask, “Who are our ideal clients?” Getting clear about what clients make your team happy lead to realizations about what your strengths are.
3. Ask, “Who are the clients we don’t want to serve?” Identifying the clients who aren’t right for you will help you adjust your messaging to speak to the right audience. This will create a self-selecting process, where your favorite work is attracted to you and your least favorite work is not.
4. Research the industry to see what needs may be underserved. Can you think of a strength you have that not many companies are focused on serving?
5. Talk to colleagues about your ideas for niche positioning. Ask for feedback about whether your ideas for positioning will be perceived as valid.
6. Talk to new prospects as if you’ve already repositioned the company and gauge their response. For example, if you’re at a networking event, you might talk to new contacts using your new company messaging and focus, and see how they react, whether positively or with no interest. With methods like these, you can test client and industry response before acting implementing the change on a bigger scale.
7. Talk to trusted clients and run your ideas by them. Ask questions like, “If we focused on this specific service, would this be valuable to you?”

Learn What Makes Clients Happy

As we talked about a bit in our first article, InfoSec companies can be a little out of touch with ideas of customer service. Often, companies are so focused on the project at hand and delivering the report on time, that client experience can be the last thing on your team’s mind.

But in order to differentiate and get noticed, your team, like it or not, will have to make strides in improving clients’ experience.

Part of the problem is that business owners will often make assumptions about what their clients value. You may assume that your clients value X, Y, and Z about your company. But unless you explicitly ask, you won’t know.

For example, maybe you think your clients value your technical expertise and professionalism, when the truth is that your clients value your ability to accommodate sudden changes in scheduling. Or maybe, above all else, they value a very clear Executive Summary section, which helps them make the case for IT security initiatives.

The point is: You shouldn’t assume anything about what makes your clients happy.

The first thing to do to get more clear in this area is to gather information from clients: information about what they value, what they don’t value; what works, what doesn’t work; what they like about your company specifically and what they don’t like. This information can then be used to:

• Expose major failures in how your company is serving clients
• Improve and standardize business procedures and pentesting methodologies
• Decide on a new company focus (i.e., a core competency)
• Improve the value and consistency of deliverables
• Come up with new services (i.e., new ways to make money or add value)

Also, the nice thing about eliciting client feedback is that it helps you sell the necessary changes to your team members. If clients make it clear that they want to see changes, such communication is harder for everyone to ignore.

Quick Wins

Here are some starting steps for gathering much-needed client thoughts.

1. Have a team meeting and think about the types of questions that would be valuable to ask your clients. Examples of valuable questions include:
2. “How would you compare your experience with our company with your experiences at other companies?”
3. For repeat clients: “How would you compare your most recent experience with previous experiences?”
4. “How would you rate the value of our report?”
5. “What would you like to see from our report that you didn’t?”
6. What is the worst part of our reports?
7. What is our weakest point compared to other vendors?
8. “Have you recommended us in the past? Why or why not?”
9. “What kinds of InfoSec services would you like to see offered but are not getting?”

For ease of use, you should try to make most questions Yes/No or a single-choice on a rating scale (e.g., a 1 to 10 scale). Requests for long responses are sometimes too much of a demand and don’t result in actionable information.

Here is an article with many examples of questions you can use to gather customer feedback. And here is an example survey, hosted with Google Forms, that you can copy and modify to hit the ground running.

1. Using the most relevant questions, draft an email survey to send to existing and past clients. Store the responses to the survey in a format that is easy to share with your team in an ongoing manner (for example, an internal wiki).
2. Start to create feedback loops in your delivery process for gathering client feedback. For example, you might put a section in the report template that asks them to click a link and fill out a feedback form. By making feedback-gathering part of your process, you ensure it will be done on every project.
3. Set up a reward system for team members who get high evaluations from clients. (But don’t punish team members just because they don’t get high marks. Employee shortcomings, it has been shown time and time again, are almost always caused by a faulty process.)

Develop New Services

Your company’s relationship with your clients doesn’t end with the deliverable. But it may seem that way at many InfoSec companies, where everything is about completing a project and moving on to the next one.

Ideally, you want to be thinking of additional services that aid your clients’ understanding and deal with their vulnerabilities in an ongoing fashion. Adding additional services has a couple positive effects:

• Services can be additional products and ways to make money.
• They can be bundled with your existing pentesting services, as a way to provide added value and to justify your rates.
• They differentiate you from your competitors.

Some ideas for additional services:

• Offer clients a custom emailed newsletter that features information on security vulnerabilities for the specific technologies they use. For example, if your client uses WordPress and Magento, every month you deliver them updates and news on WP and Magento security issues. (This could be set up pretty easily in a content management system.)
• Subscription services that allow your clients to get quick responses and input whenever they run into security problems or just want to bounce an idea off someone knowledgeable. This is essentially a support contract or retainer with guaranteed response time.
• You could remove a common gap between discovery and remediation by providing vulnerability data in a format clients could upload directly into their bug tracker. (Of course, the format each client needs will depend on the specifics of their bug tracking system.)

These are just a few ideas for additional services.

Blue Ocean Strategy is a popular book about creating uncontested market space, and includes many ideas on how to differentiate offerings and create new services.

Quick Wins

Here are some starting steps for coming up with auxiliary, value-added services.

1. Ask your team members for ideas on additional services.
2. Check out competitors and see what they’re doing. Don’t copy them exactly (as the idea is, after all, differentiation) but use those ideas for inspiration.
3. When polling your clients, ask them for additional feedback, such as: “If we started offering this additional service, would you find it valuable? Would you sign up for it? Would you pay x amount for it?”

Only the Beginning

The ideas in this article are only the beginning, of course. It can sometimes be a long road to change established processes and mindsets at any company. But hopefully we’ve given you some ideas for how to start today on improving the perceived value of your company and, by extension, set yourself apart from the pack.