Perception of Value in Security Consulting Projects

For consultants, it’s not enough to do great work for their clients. The clients also need to understand the value received from the service to truly appreciate the work. For instance, a security consultant might have been highly skilled and thorough at performing a penetration test. Yet, the client might be unhappy unless the pen tester’s report and related communications clearly describe not only the project’s results, but also the methodology and effort that went into it.

Behavioral psychologist Dan Ariely pointed out that “perception of value is often not about what we’re getting. It’s about how much effort the other person is putting in.” Dan described a locksmith who would receive great tips and praise when he was still inexperienced and took a long time to open a lock. Now that the locksmith has mastered the skill and can open locks in seconds, his customers complain about high fees and don’t tip.

Dan also described a study that assessed how much people were willing to pay for a service to recover data from a crashed computer. You might theorize that the amount would be tied to the amount of data the person was at risk of permanently losing. Instead, people’s willingness to pay was mostly a function of the time the specialist put into the recovery process.

Since clients are rarely able to understand the intricacies of the work that requires specialized skills, they seem to estimate value by assessing the effort (usually time) that went into the project. I’m not suggesting that you should artificially stretch the time to conduct a pen test. Rather, I recommend making sure that your written and verbal communications allow the client to understand the effort you put into it.

This is another reminder that communication abilities are no less important than elite hacker skills.

Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.
