In our company, we’ve succeeded in clearly articulating the deliverables of our products and consulting projects. Building a network of great partners and delegating the work out of range of our primary competencies to them helps both parties concentrate on what’s we’re best at. However, there are a lot of challenges in building distributing the work between different types of security specialists.
Larger part of the market is still struggling to show a viable differentiation for the customer looking to mitigate various infosec-related risks. And the next time we’re asked if our consultancy "is going to be some kind of penetration testing?”, we’ll point our customers to this page.
If you’re selling security services, at some point you’ll (hopefully) start doing the same. And together we can do a better job of explaining the challenges and pitfalls of the sophisticated world of security for people who are professionals in something else.
Here’s a classical scheme of the domains of cybersecurity knowledge:
How does it translate to actual security consulting services? Should they cover the full map? A part of the map? It doesn't really matter. Security consulting services should mitigate real risks, be useful for the customer, and create a real impact. The demand for security consulting should start with raising one question:
“Which risks do we aim at mitigating, under which set of practical business constraints”?
When answered properly, this question frequently defines the type of service that is needed. So, what are the risks that security consulting is actually mitigating?
Put very simply, there are 4 classes of business risks in relation to cybersecurity:
- Strategic risk, which arises when the implementation of a business does not go according to the business model or plan.
- Compliance risk (a subtype of strategic risk when we're talking about upcoming regulatory changes, a subtype of operational risk when we're considering the implication of currently active compliance demands), which is a risk of some regulation intervening and penalising the business/closing opportunities due to a noncompliance with the existing regulation.
- Operational risk – the risk of disruption of day-to-day operations.
- Financial risk – the risk of business not getting its anticipated profit or suffering losses. Has a multitude of sub-risks anf the ones relevant to our industry are reputational risks (sometimes separated into a separate type) – risks, which can ruin the businesses positioning or alienate and scare away the customers.
Security incidents affect all types of business risks, but based on the type of the business – the scale of the impact is very different. Equally, security consulting mitigates the risks in a different proportion, for instance:
- Penetration testing can help to comply with GDPR – it will lower the chances of data leakage, but it’s not the first thing that should be done. It is good for preventing operational risks: threats and vulnerabilities that pentesters detect, which can disrupt your business.
- Compliance consulting can help with improving practical security, but it’s not what it’s actually aiming at. Getting ISO 27001 or SOC2 audit will raise your overall level of security – according to a certain documented standard – but in the current evolving landscape, standards are yet to catch up with the real levels of risk customers are facing already. Having voluntary compliance helps with getting new business and more trust from the partners.
Types of security consulting
So what kind of consulting should you choose? The real question is always – where are you making the biggest impact? For a B2B oligopoly on the market, reputational risk is not a big deal, as we can see – advertisers still sell ads on Facebook, no matter what scandals Facebook’s shady customer data handling techniques go through.
Currently on the security “market” you’re most likely to be facing (or offering) the following types of security consulting:
Generic security consulting.
The most undifferentiated, ‘one-size-fits-all’ consulting focused on anything the customer wants. A rough overview of complete risk surface is extremely helpful when done right, which is generally rare. Through extreme professionalism of some of the companies who sell such services, some risks will be mitigated. In some proportion. Or not. It’s a Russian roulette, without any good factors for success prediction. Result: From in-depth understanding and mitigation of most risks to narrow services addressing some of the risks. You get what you ask and pay for, mostly, or snake-oil when you don't know what you're looking for.
Risk Impact: lower compliance and strategic risks, potentially lower operational and financial risks.
Security risk assessment.
A rough review of complete risk surface is extremely helpful when done right. General security risk assessment is typically a component of other security services (for example, we start with risk assessment in DGAP, but when sold separately by experienced professional, can be extremely efficient way to define priorities, make sane spending decisions for consequential work and
Result: Realistic assessment of cyber-security risks the business and infrastructure/software is facing. Prioritized roadmap of security activities by impact on practical risk.
Risk Impact: better understanding of practical and business risks, relevant to your business.
Security-focused development and infrastructure security.
Prevents development of non-secure software and misconfiguration of the infrastructure.
Risk Impact: operational, compliance (strategic) and reputational risks, the proportion depends on the actual type of business.
Can be roughly split into:
- Secure Software Development Lifecycle, Secure Architecture Consulting: helping customers build software securely, avoiding typical mistakes, applying commonly recognised software design patterns to eliminate classes of risks appropriately.
Result: products are better secured against whole classes of risk.
- Technology-specific consulting: when cryptography should be used, it’s better to ask cryptographers to help with it. When highly-specialised access control tools are deployed -– having experts do it also helps. Security controls are very similar across technology stacks, but security tools, libraries and language-specific techniques differ.
Result: certain security controls will work as they should, delivering real security benefits instead of a false sense of security.
- Perimeter security consulting, secure network design: setting, maintaining, and managing firewalls, access points, intrusion detection systems.
Result: perimeter is less vulnerable to penetration, network is more resilient against external attackers.
Offensive/threat detection security.
Prevents potential security incidents through detection of vulnerabilities. There is a number of classification efforts for offensive security services. Many offensive efforts are differentiated by length - from a simple test (where length of engagement is limited to finding as much as possible over fixed amount of time, or aimed at testing certain controls only) to long-term audit, which involves repeated testing, detection of root causes and verification of corrective measures.
Risk impact: highly positive short-term impact on operational, financial and reputation risks (or any chosen set of risks that are set as goals for offensive effort), medium-to-low impact on strategic and compliance risks.
The common classes of offensive security testing are:
- White-box testing: people who will analyse your product for typical patterns that create security vulnerabilities and will suggest fixes. Typically done following a number of security standards, such as OWASP guidelines. May or may not include: attack simulation, white-box penetration testing, source code review, architecture risk analysis. Is frequently carried out during development process.
Result: your application is likely to be more secure against typical threats you’re facing, whether they are practical or not.
- Black-box testing is targeted at finding security flaws from the outside - as a combination of some of the following activities: vulnerability scanning, network enumeration, penetration testing etc.
Result: your application is likely to be better secured against typical threats you’re facing, with a major focus on finding the exploitable vulnerabilities during the analysis stage.
- Posture assessment / security audit: Combination of white-box/black-box techniques to provide all-encompassing picture of security risks and available mitigations.
Types of security consulting as related to the proportion of covering possible business risks.
There are many more possible types of security consulting you may be offered (or may offer), which combine different products and services together – i.e. SIEM as a service, SOC as a service, etc. But these clearly articulate the value they’re bringing and are built around the products they offer, while the security consulting projects are built around the demands and risks they are expected to mitigate. Or, at least, that’s how they should be built.
For example, in DataGuardian Assistance Program, we focus on secure development, secure architecture and technology consulting where relevant to data security challenges, dealing with some relevant demands from compliance our customers are facing, but in regard to the safety of sensitive data within the customer’s product or infrastructure. We typically advise hiring legal consultants to help with compliance, if such challenges are present, and we advise to do penetration testing after our work.
Explaining the true value, benefits (and limits!) of security consulting to some of the customers is still an uphill battle. But we’re happy to take the challenge.
We do hope to see more colleagues on the market articulating the differences and end-results well. In the end, it’s up to us how the unstructured market demands turn into profit for security professionals and secure systems for customers.
If you’re looking for security consulting to be carried out for your business and still unsure how to start, contact us, we can help.