Types of Security Services Vendors

In the lede, we spoke about the difficulties presented by the marketplace for security services. They include misleading sales tactics, evolving terminology, and an overwhelming array of vendors and services. To navigate the complexity as a buyer, it helps to understand the common vendor profiles. You can then take this knowledge and your understanding of your goals, and use it to narrow down the possible vendors for your contract.

Global/enterprise consulting

The biggest, name-brand companies offering security services are general professional services firms. They offer security services as a small part of their portfolio. For example, all the “Big Four” accounting firms (Deloitte, Ernst & Young, KPMG and PwC) have cybersecurity practices that offer assessment services. IBM, Booz Allen Hamilton, and HPE fall into this category as well.

Cybersecurity services

A step down in size and name recognition, you will find the large “pure play” cybersecurity services companies. These are organizations that focus on security and have a large staff of security consultants (generally in the hundreds). A couple of examples would be NCC Group or Optiv.

Boutique

On an even smaller scale, you’ll find the boutique security consultancies. These consultancies have a shallow bench of consultants and offer a more limited range of services, frequently targeting a narrow customer base. They may work locally (like the consultancies that popped up in Seattle in Microsoft’s orbit in the Vista days), or in a specific industry or vertical.

Examples here would be Include Security or Rhino Security Labs.

Specialty

The specialty vendor is a subclass of the boutique consultancy. These are consultancies that focus on a single service offering.

Luta Security is an example, offering services exclusively in the vulnerability coordination space. Latacora is another vendor that has carved out a niche by offering a virtual security team to startups.

Sole Practitioner

At the smallest scale, you have vendors that are operating entities for sole practitioners. Most of the other types of vendors will have one or more cases where individual consultants have spun out independent practices. These vendors may enjoy working alone, or may grow over time into a larger team.

Researcher/Bug Hunter

A trend in this space involves independent security researchers and bug bounty hunters who also offer direct consulting services. Companies that run bug bounties may retain the most successful participants to do more targeted or collaborative assessments.

Low cost

These vendors are identifiable by the fact that they compete primarily on price. They tend to prominently offer vulnerability assessments in addition to more comprehensive services. Both their advertising and their execution lean heavily on automation to drive cost efficiencies.

Managed Security Service Provider

If you are looking for more than assessment services, or already have a relationship with a managed security service provider (MSSP), they may be an option. Many MSSPs have an assessment offering in house, or a trusted partner for consulting services.

While this relationship is already high-trust, consider the conflict of interest, especially if you’re hoping to validate the risk reduction provided by your MSSP.

Value Added Reseller

While the line between MSSP and VAR has blurred in recent years, historically the clear difference lay in the period of engagement. A VAR performs a short-term (generally under a year long) transactional service, offering third-party software and hardware plus consulting, configuration, and customization services. A VAR may offer security assessment as part of their engagement. Consider the value proposition, as you are normally paying a premium for working through a VAR. However, it can be worthwhile to use one if your organization is already leaning on them, since that indicates a lack of resourcing or qualifications to manage the engagement internally.