Perception of Value in Security Consulting Projects

For consultants, it’s not enough to do great work for their clients. The clients also need to understand the value received from the service to truly appreciate the work. For instance, a security consultant might have been highly skilled and thorough at performing a penetration test. Yet, the client might be unhappy unless the pen tester’s report and related communications clearly describe not only the project’s results, but also the methodology and effort that went into it.

Behavioral psychologist Dan Ariely pointed out that “perception of value is often not about what we’re getting. It’s about how much effort the other person is putting in.” Dan described a locksmith who would receive great tips and praise when he was still inexperienced and took a long time to open a lock. Now that the locksmith has mastered the skill and can open locks in seconds, his customers complain about high fees and don’t tip.

Dan also described a study that assessed how much people were willing to pay for a service to recover data from a crashed computer. You might theorize that the amount would be tied to the amount of data the person was at risk of permanently losing. Instead, people’s willingness to pay was mostly a function of the time the specialist put into the recovery process.

Since clients are rarely able to understand the intricacies of the work that requires specialized skills, they seem to estimate value by assessing the effort (usually time) that went into the project. I’m not suggesting that you should artificially stretch the time to conduct a pen test. Rather, I recommend making sure that your written and verbal communications allow the client to understand the effort you put into it.

This is another reminder that communication abilities are no less important than elite hacker skills.

Lenny Zeltser


About the Author

Lenny Zeltser develops teams, solutions, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.
