Security Ripcord


Information Security Consultancy - Market Analysis Summary

September 10th, 2007 cutaway Posted in Management, Security, consulting

In an attempt to understand the business process better I have recently been working on a business plan for an information security consultancy. I have based the plan I am working on around a sample business plan I found through Bplans.com titled Computer Consulting Business Plan. This is a business plan for an actual IT business and modifying most of the sections has not been very difficult. That is, until I came to the Market Analysis Summary section. It was quickly apparent that I would not be able to cut, paste, and modify the information provided, as it did not represent what comes to my mind when I think about the information security market.

After a little looking around, however, I determined that there is not much information available concerning information security consultancies. The closest thing that I could find was articles written about Managed Security Service Providers. Although the customers and services are close, there are still several differences between the MSSPs and a consultancy that need to be taken into consideration.

According to the business plan that I am following, a Market Analysis Summary is performed by analyzing Market Segmentation, Target Market Segment Strategy, and Service Business Analysis.  If I am reading into this correctly the basic gist of a Market Analysis Summary is to help determine who the business will target, what services they will provide to these targets, and identify who are the competitors that will be offering similar services to the targets.  In an effort to determine if I am correct, and to provide more information online, the following is what I have written to satisfy the Market Segmentation and Target Market Segment Strategy.  I am hoping that people will comment and let me know if I have forgotten something, misinterpreted something, wandered off the path, or completely misunderstood the goal.


Market Analysis Summary

I.  Market Segmentation

  • Individuals - Many people are concerned about how they are
    affected by hackers and identity thieves. But outside of training and
    user awareness this is probably not the most lucrative group. Although
    some individuals may be worth taking on as clients, usually these will
    fall into the Home Office group. Barring allowing people to come to
    group training sessions, this group should be avoided unless absolutely
    necessary.
  • Home Office Businesses - The largest and fastest growing
    segment, this segment is obviously defined as small businesses that are
    based primarily out of the owner’s home. This is not the same as simple
    home computer users. Small quick resources should be developed to
    facilitate plug-in-go solutions such as Linux Linksys Wireless Routers,
    pfSense firewalls, secure desktop builds, etc. This group would benefit
    from weekly and monthly email alerts. Baselining and external
    assessment is a possibility but not likely.
  • Small Businesses - Defined by the government as businesses
    with 1 to 99 employees. This group could also benefit from the
    plug-in-go setups mentioned for the Home Office group. Larger
    organizations may require more advanced solutions such as central
    logging, IDS, email servers, SPAM filters, more advanced network
    design, etc. Larger organizations may also require policy development.
    This group could also benefit from training and customized email
    alerts. Baselining and external assessment may be feasible on a monthly
    or yearly basis.
  • Medium Businesses - 100 to 499 employees. Same as Small
    Businesses, only more likely to be dealing with administrative personnel.
    These will most likely lean toward baselining and assessments after
    review and mitigation. Possibility for pentesting. Possibility for more
    advanced and frequent training.
  • Large Businesses - 500 or more employees. Same as Medium Businesses.

II.  Target Market Segment Strategy

The following image (the original image has been split for display purposes) is an attempt to break down the different types of businesses and the security services they might require. Each color is significant in that it brings the two lists together. Each business, or actually each regulatory requirement, is linked via color to the services that the business subsection is most likely to purchase. This is definitely different from the services that regulations say they are required to do in order to be compliant.

Market Needs

The list of security related services can be broken down into a specific list of business needs.

  • Training for technical and nontechnical staff.
  • Implementation of business and security related technologies.
  • Assessments for determining state.
  • Auditing to determine/ensure compliance with policies and regulations.
  • Development of policies.
  • Development and implementation of incident response.
  • Research into the security of current and future technologies.

Market Trends

Drivers of the Security Marketplace, in order of importance to a small security consultant company.

  1. Increase in consequences for technological and non-technological breaches.
    • Identity Theft
      • This issue will drive the development of new or the modification of current regulations.
      • Changes will increase individual responsibility in the form of monetary and criminal penalties.
    • Theft of Intellectual Property
      • Affected by the dynamic technological growth in third world countries.
        • Increased the flow of money in and out of these countries.
        • Allowed for cost effective education to reach remote locations.
        • Expanded the level of connectivity to remote locations.
        • Raised the need for rapid technological advancement to keep pace with more advanced companies.
      • Affected by differences in societal belief systems.
        • Military espionage is usually only illegal when it is
          occurring against the victim. Politics always provide plausible
          deniability.
        • Some countries believe that business espionage is a part of the game and therefore acceptable.
    • Service Availability
      • Customers want a product or service “right now.”
      • Customers will most often go some place else if the product or service is unavailable even for a short period of time.
      • It is fairly easy to adversely and unanimously affect online availability.
  2. Security evolving into a part of job descriptions and duties.
    • Security related projects are funded infrequently or not at all in small and medium businesses.
    • Administrators and managers are increasingly expected to be
      responsible for security considerations thereby negating the necessity
      for extra personnel.
    • Outside help in the form of consultants, MSSPs, or Value
      Added Resellers (VARs) is brought in for development and deployment or
      when necessary for very specific projects such as regulatory auditing.
  3. Rapid Growth of Technology
    • Number of non-security and security related products.
      • Difficult to send people to training on each and every product.
      • Understanding a product does not necessarily mean the person understands how it fits into the overall deployment.
      • Often lack sufficient security evaluations.
    • Need for advanced web applications
      • These are great for online businesses.
      • Are often complex.
      • Often have been rushed to market and lack sufficient security evaluations.
    • Diversity has increased attack vectors.
      • Each product has individual and often unique considerations.
      • This has caused the rapid increase in software and hardware analysis tools that are used by good and bad guys.
  4. Growth of Managed Security Service Providers.
    • Provide businesses with the option to outsource all or part of their security solutions.
    • A medium and large MSSP can pull from a pool of experienced professionals and then tailor to the specific needs of a business.
    • Medium and large MSSP are willing to pay for security research as a service to customers and for marketing purposes.
  5. Government security driven by the security of commercial solutions. I marked this low because of my lack of experience in security research or this might have been placed as high as #2.
    • This will have to be addressed at some point.
    • May mean network separation from the Internet, but this will have a bigger effect for telecom consulting firms.
    • Will mean an increase in code and product review and analysis.
    • Will generate business for large firms and MSSPs.
      • These companies will have to augment by purchasing or hiring smaller consultant firms.
    • Vulnerabilities in products may start to affect payments and bonuses to vendors and resellers.
      • This will drive vendors to increase code and product review and analysis.

Market Growth

Although there is not much to find referencing growth in information security consulting, there are several references to the increase in businesses turning to MSSPs for solutions.

Helpful Links


Go forth and do good things,
Cutaway
