Penetration Testing mailing list archives

Re: Contract Rates??


From: Paul Melson <pmelson () gmail com>
Date: Mon, 5 Oct 2009 07:35:24 -0400

On Fri, Oct 2, 2009 at 3:07 PM, Richard Lee <richard () snowshoefox com> wrote:
1. Economic state of US

2. China outpaces all other countries in network attacks that target
both client-side and perimeter. That means they have much more real
world experience across the board.
(Brief article:
http://features.csmonitor.com/innovation/2009/10/01/state-of-the-internet-most-attacks-from-china-s-korea-is-fastest/)

To Richard,

Despite the rough US (and global) economy, PCI has injected a
pen-testing requirement into industry to the point that it's becoming
part of the contracting and business validation landscape even where
it's not actually mandated. We've seen a 20-50% increase in the cost
of pen-testing services across the board since 2005 with no dip in
2009.  So I think this is unrelated.

Additionally, the Akamai report doesn't mean China the people or China
the government, it means China the IP address ranges.  There is a huge
problem with attribution in this space.  I don't think anyone can say
with certainty that China is the brains behind most of the network
attacks and malware that we see on the Internet today.  In fact, as
far as the malware goes, the forensics continue to point to much of
the malware infrastructure (exploits, dropper packs, bots/C&C) being
written by English-speaking people.


3. Larger number of foreign, well educated and skilled computer
scientists are entering an already crowded software market.

I think this probably is true, but I don't think, even now, that
security is the crowded end of the pool.


4. The few US trained network security specialists lost the monopoly on
network penetration years ago and the economic slowdown makes it
obvious.

There are multiple points of regulation in the US that restrict the
use of foreign-based service providers and consultants, especially in
the area of security.  If anything, the recent increase in
cybersecurity spending in the defense sector has created very high
demand for US-based consultants that can pass background checks and
achieve clearance.


5. Chinese experience in network penetration has put their penetration
systems through more iterations. My guess is that the level of their
penetration software and skill sets are advanced enough to cut costs
immensely.

Microsoft's own research indicates that China and the former Soviet
Union have some of the highest malware infection rates (victim, not
attacker) in the world. That seems to indicate that their IT security
practices and capabilities are relatively immature, though it doesn't
address pen-testing capabilities directly.


A year ago, both pen tester and architect contract rates were in the $75 to $150
per hour range, and some pen tester rates were even higher. Can anyone explain
what is going on here?

The one observation I will add is that most of the low rates seem to be coming
from either off-shore companies, or the on-shore face of an off-shore company.
Are they simply bidding on and winning a bunch of contracts by low-balling the
rate, and then struggling to find people to staff the jobs?

To Jon,

I suspect this is exactly the case.  Which is probably why you're
seeing the large volume of contacts made, because they're not finding
many takers.


Finally, I will add that there are still organizations looking for contractors
at reasonable rates, but they seem to have become a small minority.

That's contrary to what I'm hearing.  Though right now, federal
government is the hot sector for security.  There's something of a
bubble in the private sector from the PCI compliance deadline a year
ago, but it doesn't seem to be a very big one.  Combined with the
economic downturn in the US, there's not a lot of new hiring in
this space.  I've talked to a number of colleagues that have had to
choose this year between the security consulting they want to do and
the services PCI has forced them to outsource because of budget
constraints.  Once their money comes back online, I think we'll see
more growth in private sector security consulting.  Based on my own
experience, though, senior security engineers aren't falling from the
sky.  You still have to recruit them.  There's just not enough
unemployment among US-based security pros to make $40/hr a sustainable
contract rate, except maybe for a little extra side work.

PaulM

