Dailydave mailing list archives

Consulting companies are not recruiting companies


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 25 Feb 2004 22:35:20 -0500

    def getcwd(self):
        """
        documentation goes here
        """
        # compile the C fragment below into code for the remote node
        request=self.compile("""
        #import "local","sendint" as "sendint"
        //start of code
        void main()
        {
           int i;
           i=1;
           sendint(i);
        }
        """)

        # ship the compiled request to the remote side and read back
        # the integer that sendint() returns
        self.sendrequest(request)
        fd=self.readint()
        return fd


That's just a mock-up of the real thing, but it compiles and works.
MOSDEF is about a year behind schedule, but as various parts of it
come together, it becomes more and more useful. If you're new to this
list, you probably won't understand why having a C compiler written in
Python is so cool, but just go with us here for a sec.

***

Lately I've been thinking a lot about how consulting companies work,
and why people hire them.

1. It's hard to find people for certain jobs. Sometimes the job is
boring, but still requires a highly experienced and skilled worker.
Sometimes the job is in a boring location, and no one with skills
wants to move there full time.
2. It's good to have workforce flexibility. It's easy to fire consultants.
3. Sometimes you only need people for a short period of time
(project-based consulting).
4. Sometimes what you need is something that is only offered by a
consulting firm (certification, a wide view of your industry, etc)

I think something we're seeing in the industry is that large companies
- basically all large companies - have realized they are in the
software business, and that software security is not something they
have to outsource. They need the workers there full-time, and they
have no plans to fire them. Alternatively, one of the price pressures
on "penetration-testing" is largely that people have teams in-house
now, running Nessus/Foundstone/Qualys full time.

However, people with actual skill at doing software security (and I
don't think you can train someone to have security skills - no
developer ever got good at software security. It's just never
happened. You either have it or you don't.) are very hard to find.
This leaves management with two options:
1. Hire below-skilled people and hope they clue-up
2. Hire consultants

So there is a high pressure on consulting firms to become expensive
recruitment firms. On the other end, consulting firms are finding it
very hard to meet their margins:
1. Consulting doing software security QA is a bursty kind of income.
You appear only at the end of a project and it's hard to drag that out
into an upsell
2. Consulting with a "product" to back you up (say, specialized CANVAS
training) eventually becomes something that people want to resell and
do for themselves. I would say that right now, no one has a good "how
to write exploits" class other than Immunity just because only
Immunity can give away copies of CANVAS for people to learn to write
exploits with. But eventually, this is going to change. Likewise, when
you build a code-assessment product, people want to just buy that from
you and use it themselves. It's basically impossible for a security
consulting company to differentiate themselves based on product or
"processes".

So consulting companies eye the long-term, easy-to-sell, body-filler
jobs with envy. They want to inject themselves into a big company's
environment as a one-stop shop for software security, even at the cost
of having their best people be hired away from them.

***

My solution, for Immunity, is that I want Immunity to bring something
other than a warm body who can do the job. I want Immunity consultants
to have that wider view of the industry - to never need training
because Immunity trains them internally, and to have experience that
may not exactly be relevant today, but will become relevant as our
clients change their business. This means having people billing only
three weeks instead of four, but I think it makes more money in the
long run.

What do you guys think?

-dave

