Perception of Value in Security Consulting Projects

For consultants, it’s not enough to do great work for their clients. The clients also need to understand the value received from the service to truly appreciate the work. For instance, a security consultant might have been highly skilled and thorough at performing a penetration test. Yet, the client might be unhappy unless the pen tester’s report and related communications clearly describe not only the project’s results, but also the methodology and effort that went into it.

Behavioral psychologist Dan Ariely pointed out that “perception of value is often not about what we’re getting. It’s about how much effort the other person is putting in.” Dan described a locksmith who would receive great tips and praise when he was still inexperienced and took a long time to open a lock. Now that the locksmith has mastered the skill and can open locks in seconds, his customers complain about high fees and don’t tip.

Dan also described a study that assessed how much people were willing to pay for a service to recover data from a crashed computer. You might theorize that the amount would be tied to the amount of data the person was at risk of permanently losing. Instead, people’s willingness to pay was mostly a function of the time the specialist put into the recovery process.

Since clients are rarely able to understand the intricacies of the work that requires specialized skills, they seem to estimate value by assessing the effort (usually time) that went into the project. I’m not suggesting that you should artificially stretch the time to conduct a pen test. Rather, I recommend making sure that your written and verbal communications allow the client to understand the effort you put into it.

This is another reminder that communication abilities are no less important than elite hacker skills.

Lenny Zeltser


About the Author

Lenny Zeltser is a seasoned business and tech leader with extensive cybersecurity experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. Beforehand, he was responsible for security product management at NCR Corp. Lenny also trains incident response and digital forensics professionals at SANS Institute. An engaging presenter, he speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
