RE: Consulting companies are not recruiting companies

["Mike Bailey" <mike.bailey () sunbladesecurity com>]

I don't know about kool-aid but it seems as though the light of good old
fashion capitalism has cast itself upon Dave.  

A consulting firms primary goal is to be profitable no matter what their
marketing blabber says I'm thinking.. I do actually agree with a lot of what
you said because I've seen much of it happen in the workplace.

I too wonder about companies not spending $ to send staff to conferences. My
former employer would send any of us to class(s) that got us a certification
of any sort but to go to something where you got to learn good stuff was
just silly..


> -----Original Message-----
> From: dailydave-bounces () lists immunitysec com 
> [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of 
> Dave Aitel
> Sent: Wednesday, February 25, 2004 10:35 PM
> To: dailydave () lists immunitysec com
> Subject: [Dailydave] Consulting companies are not recruiting companies
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ~    def getcwd(self):
> ~        """
> ~        documentation goes here
> ~        """
> ~        request=self.compile("""
> ~        #import "local","sendint" as "sendint"
> ~        //start of code
> ~        void main()
> ~        {
> ~           int i;
> ~           i=1;
> ~           sendint(i);
> ~        }
> ~        """)
>
> ~        self.sendrequest(request)
> ~        fd=self.readint()
> ~        return fd
>
>
> That's just a mock-up of the real thing, but it compiles and 
> works. MOSDEF is about a year behind schedule, but as various 
> parts of it come together, it becomes more and more useful. 
> If you're new to this list, you probably won't understand why 
> having a C compiler written in Python is so cool, but just 
> got with us here for a sec.
>
> ***
>
> Lately I've been thinking a lot about how consulting 
> companies work, and why people hire them.
>
> 1. It's hard to find people for certain jobs. Sometimes the 
> job is boring, but still requires a highly experienced and 
> skilled worker. Sometimes the job is in a boring location, 
> and no one with skills wants to move there full time. 2. It's 
> good to have workforce flexibility. It's easy to fire 
> consultants. 3. Sometimes you only need people for a short 
> period of time (project-based consulting). 4. Sometimes what 
> you need is something that is only offered by a consulting 
> firm (certification, a wide view of your industry, etc)
>
> I think something we're seeing in the industry is that large companies
> - - basically all large companies - have realized they are in 
> the software business, and that software security is not 
> something they have to outsource. They need the workers there 
> full-time, and they have no plans to fire them. 
> Alternatively, one of the price pressures on 
> "penetration-testing" is largely that people have teams 
> in-house now, running Nessus/Foundstone/Qualys full time.
>
> However, people with actual skill at doing software security 
> (and I don't think you can train someone to have security 
> skills - no developer ever got good at software security. 
> It's just never happened. You either have it or you don't.) 
> are very hard to find. This leaves management with two 
> options: 1. Hire below-skilled people and hope they clue-up 
> 2. Hire consultants
>
> So there is a high pressure on consulting firms to become 
> expensive recruitment firms. On the other end, consulting 
> firms are finding it very hard to meet their margins: 1. 
> Consulting doing software security QA is a bursty kind of 
> income. You appear only at the end of a project and it's hard 
> to drag that out into an upsell 2. Consulting with a 
> "product" to back you up (say, specialized CANVAS
> training) eventually becomes something that people want to 
> resell and do for themselves. I would say that right now, no 
> one has a good "how to write exploits" class other than 
> Immunity just because only Immunity can give away copies of 
> CANVAS for people to learn to write exploits with. But 
> eventually, this is going to change. Likewise, when you build 
> a code-assessment product, people want to just buy that from 
> you and use it themselves. It's basically impossible for a 
> security consulting company to differentiate themself based 
> on product or "processes".
>
> So consulting companies eye the long-term, easy to sell, 
> body-filler jobs with envy. They want to inject themselves 
> into a big companies environment as a one-stop-shop for 
> software security, even at the cost of having their best 
> people be hired away from them.
>
> ***
>
> My solution, for Immunity, is that I want Immunity to bring 
> something other than a warm body who can do the job. I want 
> Immunity consultants to have that wider view of the industry 
> - to never need training because Immunity trains them 
> internally, and to have experience that may not exactly be 
> relavant today, but will become relavant as our clients 
> change their business. This means having people billing only 
> three weeks instead of four, but I think it makes more money 
> in the long run.
>
> What do you guys think?
>
> - -dave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFAPWl4zOrqAtg8JS8RAu9oAKCsWWFFyy0dZK9EFDOUXWMwYAHhOgCgkjc2
> SsXn2JVWhexkYrRw5dymV5g=
> =yE+Z
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com 
> http://www.immunitysec.com/mailman/listinfo/da> ilydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave