Price versus Value; Why it is Important in Information Security

Leave a comment

Running my own business now means I have to work out how much I am going to charge for my services, and if the market (or client) is going to be willing to pay me that price. It makes for an interesting internal dialogue, especially as I have always been told to not sell myself short or underestimate the skills I have and the value they bring to a client.

I recently lost out on some work because the client decided to go with somebody established rather than a new company like me. To be fair to them they had paid me well for five days consultancy to help them work out what they wanted, and they were very pleased with what was delivered so I honestly thought they would choose me. Hubris at its best I suppose.

I suspect that by going with a larger, established company they may well be paying less than I quoted for (it was assistance with ISO27001 certification by the way). The established company would have a larger range of resources, some certainly more junior than me and the people I was going to subcontract with, a tried and tested approach they have used hundreds of times before, and larger resources to back them up throughout the process. The client will certainly become compliant and obtain the certification.

Now, I am not going to denigrate the work this competition do, but I imagine they would be very task oriented, focussed on getting the certification for their client, and ensuring they come back year after year for more support. Then they will be onto the next job and doing the same thing again in short order. I have been a part of this process myself in my old consulting days.

So what value would someone like me bring then, especially if the end goal is the same, i.e. certification? Put simply, I strongly believe in the differing cultures of one company to the next, and the fact that what is left at the end of the certification needs to be reflective of that culture and able to be adopted for the long term. That means policies, procedures, communications and the overarching ethos of the programme must be in harmony with the clients vision and goals. That is very hard to do with a boilerplate approach. I guess it comes down to “the personal touch” as well as a somewhat selfless approach in ensuring the client is educated in the process enough along the way that they could actually go through the process again with significantly less of your support.

Is it the most immediately profitable approach? Of course not, but it is how you build “sticky” relationships with potential clients by ensuring they see you are there for their benefit and not yours. With a bit of luck this will mean more opportunities with them in the future or recommendations to other potential clients.

There are certainly no hard feelings between me and the client I mentioned at the beginning, they are lovely, honest and transparent people who I enjoyed working with and who paid me a fair price for my time in the analysis phase, and I really do wish them the best of luck in their certification with their new vendor.

I just hope they call me when they realise what they could have had. <Disengage hubris mode>

Are you one of “them”? Damaging your information security efforts without even knowing it

Leave a comment

90ee2b65615c3fda2b2c4190697c34d4It was ten to six in the morning, and I was on the  station platform waiting for my train to arrive to take me to London. As I walked past two people who were talking, one of them was earnestly telling the other about problems in his office that were caused by “them”:

they’ve changed the heating in the office to make it more consistent apparently but what they don’t realise is that it is sending us all to sleep. They just don’t get it, they’re idiots, and it’s a waste of money

It seems the faceless bureaucrats and management just don’t get it at this gentleman’s place of work and are doing everything they can to hinder the company’s ability to work effectively! But scratch a bit deeper and you may see a slightly different story of trying to deal with complaints from parts of the building that are too cold, using antiquated heating systems that don’t balance heat well the further from the heat source they are, or even just trying to make everyone feel more comfortable in the cold winter months.

The unfortunate impact of their actions though is that productivity has dropped in some areas, and the impression of the team and people behind it has dramatically reduced.

I have regularly stressed the importance of information security ultimately contributing to the success of the business, allowing it to sell more beer if you will, but that is only possible if you understand the business, collaborate with the people on the ground, and align your efforts to their goals. By treating risks in isolated parts of the business without looking at the wider impacts you run the risk of overheating other parts of the business. What initial makes sense in one place does not make sense in another, and the quick win you thought you had really turns out to require a far more nuanced approach.

If what you are doing is simply unavoidable and impacts to the other parts of the business will be felt, then collaboration and communication is vital. Explaining the complaints, challenges, risks etc. and allowing them to voice their feedback is important to ensure people remain bought into your plans. Who knows, you may actually get some better ideas from them that you hadn’t even considered. This approach requires nerves of steel and the skin of a rhino though, as many will see the opportunity to take a swipe at you, but seeing the process through is far more effective in the long term.

Asking for feedback afterwards, chatting to individuals and leadership about what they think about what you have done, and putting that feedback to work to improve your next iteration of the programme all help bring people on side and improve the effectiveness of your information security stance.

Once you are seen to be working in the long term interests of the company and the people who work there, decisions you take and implement will be seen in that wider context, and not just as the actions of someone just “doing their job” and being one of… them.

Why >WE< must meet the demands of the business

Leave a comment

At the recent RSA conference in San Francisco, David Spark asked the question “Why doesn’t the business align better with security?” and there were some interesting responses:

I actually only agreed with the last comment from Michael Farnum (whom I have followed on Twitter and finally got to meet for the first time at RSA… see “bald men of security” in my RSA roundup). He rightly says that that the business should not align with security, as it is the role of security to align with the business. Compare this to the question “Why doesn’t the business align better with IT?” or “Why doesn’t the business align better with HR?” and the question immediately becomes moot.

levelI think David was right to ask the question because it has uncovered with greater clarity something that I and many other have been talking about for some time now, namely that security for too long has been carying out secrurity for its own sake rather than supporting the business achieve its goals. In my own paraphrased words “this is what I need security to do to help me sell more beer“.

This was reiterated by Andy Ellis at a session at RSA where he said precisely this;

are you the conscience of the business or an enabler to the business?

Finance is there to provide money, make that money work more effectively and ensure the money is providing the best value for the good of the business. IT is there to provide technology services at the best possible value for the good of the business. HR is there to provide people, support them, nurture them and align them (or move them  out), for the good of the business.

What is your security programme doing for the good of the business, rather than the good of security? Asking this question alone will help you along to your business goals and actually help them achieve their goals, not yours.