It’s getting increasingly difficult to define one information security consulting firm from another; not that we’re all the same, it’s more to do with providing clients with what they really need. That can be tough, especially when they’re on a tight budget. However, even under tight budgets clients need to know clearly what they are getting and what they are not getting.
Recently, we scoped a project for a client and they came back and said we were significantly higher in price. The first thing we jump to is there is a disconnect between what the client is requesting versus what we are scoping or what other information security consulting firms are scoping. So whose responsibility is it to determine value versus cost? Ultimately it falls upon the client to determine it, but what can we do to increase that knowledge and what defines one offering from the other?
During a subsequent call with this client they asked us why we are higher? The trouble is the client really wants the lower price with the higher level of service. I can’t blame them for that at all; I like low prices and high value too. But information security consulting services aren't cut and dry and easy to compare one against the other. In fact the comparison may not even be against services, it may be services versus an automated tool.
We can’t tell a client someone is selling snake oil and that it’s not us. If we were to do that we’d look like we’re selling snake oil. So it’s bit of kerfuffle (I’ve wanted to use that word in a blog), how do we tell them they really need to look under the hood on what is being offered?
What I really to tell them to listen to us, take very good notes, ask great probing questions and make sure we define each and every item within our scope. Then they should turn around and do the same for the other information security consulting firms they are considering. They need to determine what the heck is going on, what is the difference and what are they about to pay for?
My gut is the lure of price is often the differentiator on final determination. I don’t think I can remember too many times where someone has asked us why we are significantly less expensive. If they did my thought would be the same, who missed something us or the other guy?
Bottom line: The need for accurate security measures shouldn’t be determined based on lowest bidder ever. Know what you are getting and if after speaking to all the companies in depth you still don’t know consider bringing in another person to help determine what’s going on.