I am smiling as I write this, precisely because of the changing viewpoints I have been having around this subject. The question is ‘Can Security Services be managed and sold as a Product?’, something that many clients/customers would like to have.
When I started, I would never have agreed that it is possible to sell it as a product. The services that we provide as assessments, reviews and pen-tests not only identify the vulnerabilities you may have in your systems, but also reflect the creativity of the person carrying out the assessment. While there are always issues that anyone can find, some of the issues are uniquely your own and show your out-of-the-box thinking, wit and timely execution in the right direction.
For example, a pen-test report can give you two types of findings: those that can be automated, and those that are more logical and need to be found manually. The second type is generally not automatable and is very context dependent in terms of exploitability and impact. Hence, I believed that security can only be a service and not a product (a product gives you the same result every time). It was like the question ‘Can machines replace us?’, to which the answer would be ‘NO’.
As I progressed, however, I saw the confusion clients face when receiving different kinds of reports from the same (services) company, and the dangerous debate around ‘quality of findings’. Let’s take the example of a salon. There are various stylists providing you the service of, say, haircuts, but you might prefer one stylist over the other. So, if one fine day your stylist isn’t available, would you still go there?
As a services shop, we must ensure that this trust remains irrespective of any particular key consultant. That happens when we start treating the team as the offering rather than the individual. We need to understand the strengths and weaknesses of each individual, but also of the team in general. When you know this for individuals, you can cater to your client’s expectations better. When you know it for the team, you can drive bigger projects, ensure better innovation for your ‘security product’ and own the game in the long run.
This brings up the next question: maintaining standards, just as a product does. Can the service be approached as a checklist, or will the output always vary?
Science Vs Art
Some level of consistency is necessary to maintain the standard of your service. To an extent, this can be done by following checklists. This is especially important when you have freshers/newcomers who are still learning but do represent your brand. If nothing else, it guarantees ‘coverage’ when assessing complex systems.
You might have heard the ‘Is pentesting/hacking a Science or an Art?’ question before. Well, if it were only science, it could be completely programmed. While some of it can and must be automated, beyond a certain point it definitely remains an art. When the target system is sufficiently complex, the final painting by each one of us may be different. And this must be respected.
Realistically, for most engagements the duration is very short. But depending on the average speed and experience of the individual/team, how much you can offer within that time will vary. This is where correct estimation plays an important role. You generally need to hit the sweet spot where you have just enough time to explore, ensure coverage and focus on the entry points that will yield. Hence, sometimes your targets are very few and need to be turned over thoroughly, versus times when you have hundreds of thousands of nodes and will have to pick your battles wisely. Optimization is the key.
If assessments are your product, quantity is not equal to speed, i.e. a bigger team working on an engagement does not necessarily mean the overall time required will reduce linearly. Also, a bigger team may deliver better quality than an individual, but not necessarily the best (if standards are what we are talking about). Simply put, it’s a good idea to go with a bigger team when the target is ‘bigger’ or complex, but a pair might be good for lean targets. Needless to say, when working in teams, coordination is the key, so that you get a qualitative whole as output.
When selling security services to deliver the standards of a product, we need to constantly ensure we are better than programs and/or tools. This comes in part from our exposure to various systems, domains, types of environments and varying limits on how far you can go in an engagement. For example, you may have done a large red teaming engagement where the sky was the limit, but the experience of performing ‘safe (pen)testing’ on a critical server only comes from all the faux pas you have seen and done (or not done). Also, the more receptive you are as a team, the more you can apply from what others have done, both within and without.
Research & Innovation
‘Creative individuals’ may not be necessary to maintain standards or even to deliver Security as a Product, but they are important for growth. Security research has grown many-fold in the last few years, and with the pace of tech there is hardly any limit to what you can offer your clients. But few companies happen to do that. Some good ones (especially those who carry the baggage of having delivered excellence) avoid it, for fear of not being the best when they start. A paradox, isn’t it?
The world of technology is changing very fast. Whether it be security services or products, it will survive only if it is solving real-world problems. To thrive, though, we need much more than that: be empathetic to your clients (more so because they are the ones who hold the bull by the horns, not you), work as a team (every member has something to offer) and know your possibilities far better than your limitations.