Buying Security

This guide is synthesized from almost two hundred resources, as well as a survey of over a hundred security professionals (who have bought a collective thirteen hundred assessments, and sold over twenty-five thousand). Check out the bibliography.

You can’t buy security, but security services vendors play a key role in effective security programs. Shopping for and deriving value from these vendors is becoming a core competency for security professionals. However, many organizations struggle due to information asymmetry and difficulty of assessing performance or quality. Combined with misleading sales tactics and a lack of standardization on delivery, this overwhelming marketplace, now with even more alternatives to traditional single-vendor assessments - buying a decent security engagement is harder than ever.

As one survey respondent put it:

“There is too little reliable information about the type and quality of services offered, and too little knowledge about how to sell and buy them.”

In Penetration Testing Considered Harmful Today (2012), Haroon Meer identified penetration testing as a “market for lemons” - in which information asymmetry (buyers can’t tell good products from bad) drives buyers to offer a price averaging their expectations. This phenomenon then forces good products out of the market, leaving one dominated by subpar products.

In 2007, Gary McGraw coined the “badness-o-meter” for security assessments. It’s a dial that shows possible assessment outcomes, a range from “your security sucks” to “we don’t know.” It’s impossible to prove security, so assessments can only prove your consultant wasn’t good enough to get in within the time and scope allotted.

There isn’t a strong belief in the quality of the average vendor. In our survey, buyers expressed more confidence than sellers. But, sellers would be more qualified to judge average quality, and I trust their judgement more:

This guide will share everything you need to know to effectively buy and get value from security services.