On Vendors Offering Discounts on VA/PT Services “Due to Financial Crisis”

I have a bone to pick with the idea of vendors suddenly offering price drops on their assessments and such “in response to the financial crisis.” In my opinion, this is nothing more than a gimmick: a cheap come-on to win more business while the times are tough and the chips are down. If you can offer these discounts today without seriously impacting your margins or making it tough on you to do business, then why couldn’t you do it last week, last month or last year? I’ll tell you why: because you were caught up in that extra margin and extra charge to your clients and in making that extra profit.

At MicroSolved, I have refused to play these games with our customers for 20 years. I strive every day to keep our prices as low as possible for the work we do, to pay our team fairly and to keep us in business. We contribute to the community, support the Credit Union movement, engage with companies and organizations all around the world that are dedicated to “doing the right thing.” We continually strive to focus on increasing our value to clients and keeping our costs as low as possible. Here are a few examples of some of the steps we have taken and are taking to do so:

Consultant presence. Years ago, our onsite presence for assessments and pen-testing was a high-cost item for clients. Travel, lodging and per diem were and are high-ticket items. Several years ago, in an effort to lessen the financial impact on our clients and staff, we began using VPN connectivity and shipping appliance computers instead of people. The cost of shipping this hardware remains expensive today, but nothing like airfare and hotels for a security team. In 2009, our team is moving to create and deploy stable, trustworthy virtual machine images that we can move over the Internet to bring these costs to near zero. Developing these tools and testing them takes time, resources and money, but we are dedicated to continuing to bring the most value to our clients for the least amount of dollars possible. This is just one more way we can work with clients to improve their security and reduce their cost to minimize risk.

Simplified reporting for VA/PT. Our clients tell us all of the time that our reports are the best they have seen and are provided in the most usable format they can imagine. We long ago (several years) stopped shipping HTML reports and the like. Today, our typical reporting is an easy-to-read executive summary with a one-page dashboard for the engagement findings, a technical manager report that identifies and ranks root causes of the security issues we identify, and a technical details report that is provided as a detailed Excel spreadsheet so you can change, sort, import or manage the data as you see fit. Our reports have received positive comments from auditors, regulators and clients from around the world. This year, we will again be undertaking a special project to continue to refine our reporting structures. For us, leading the industry is not enough; we want to establish even more value for our clients and help them manage the reporting data in ways that reduce their heavy lifting. As always, if you have ideas on this, let us know.

Real humans to talk to. We don’t have a web portal for your reports. We don’t have an automated system for requesting assessments or the like. We do have a technical project manager that is assigned to your account. They have access to the actual engineers doing your assessments and pen-testing, and so do you. We don’t believe that dealing with some complicated web application that also might have exposures to vulnerabilities and other issues makes our clients more productive OR more secure. MSI clients talk to real humans. We talk to clients routinely during their engagements and keep them up to date as they desire on the testing and work as it moves forward. You can communicate with your technical project manager on the phone, via email or via SMS if you like. You can have a call with the engineers to clarify issues or to get answers to technical questions about the engagement. We even support our engagements for one year, allowing you to ask questions, interact with the security team and get answers up to 12 months after the engagement!

Approaches like HoneyPoint. HoneyPoint is our leading-edge software for managing the insider threat. It was designed from the ground up with the idea of “deploy and forget” (SM) in mind. We created it so you could have security visibility around your environment in a powerful way that eliminates false positives, signature updates and tuning. Long before the current “financial crisis” we wanted to help organizations get better security with fewer resources, and we have. Today, organizations are using HoneyPoint along with tools like OSSEC to replace IDS/IPS systems and finding the total cost of ownership to be 1/2 and the total resource costs to manage the solutions to be 1/10 of their older, less evolved solutions. In fact, many small and home-based organizations have begun using our “scattersensing” approach with HoneyPoint Personal Edition to identify bot-net infections and malware breakouts, as well as suspicious insider activities, for a total software cost of ~$30.00 US!

There you have it. I have “put my money where my mouth is.” At MSI, we know the financial stress is real. We know you have significant security AND budget challenges. We are striving to help you with both, BUT, NOT JUST TODAY and NOT JUST FOR A WIN FOR US. We can’t just knock arbitrary costs out of our prices because we spend EVERY DAY focused on keeping those prices low and our value high for our clients. That has been our focus for 20 years and as long as I am the CEO, it will continue to be our focus. We believe that our engineers, sales and marketing teams and other employees support our efforts. They have shown themselves time and time again to be committed to VALUE for our clients. We may not always be the cheapest security vendor. I know our services cost more in some cases than the “scan and forget” vendors out there. I am OK with that. For 20 years I have enjoyed doing business with clients who appreciate honesty, trust, better communication and the MSI work ethic. Our clients love the work we do for them and many tell me repeatedly how much value we bring. That, in the end, I believe, is the measure of true success.

So, if you are looking for a security vendor to help you find the most value for your security budget, give us a call. We will be happy to talk to you about your needs and how MSI may be able to help. We will put together flexible payment plans, menus of services and subscriptions for engagements if you desire. We hope to talk to you soon about how we can help you be more secure with less time and money. That’s our commitment today and long after the current “financial crisis” has passed.

MicroSolved, Inc. (614) 351-1237 x206

info < at > microsolved <dot> com for more information via email

This entry was posted in End-user Focused, General InfoSec by Brent Huston.

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

1 thought on “On Vendors Offering Discounts on VA/PT Services “Due to Financial Crisis””

  1. Kudos to you and your team Brent!

    You’ve stood by these words for the past decade that I’ve known you. I only wish more organizations took such a win-win approach to their customers.
