Friday, February 02, 2007

Single-Digit Security Service Providers

Yesterday I learned that more friends of mine from Foundstone have departed to start their own companies. I could probably list a dozen such companies with whom I do work, from whom I get leads, or to whom I pass leads. It seems this is a really popular way for security specialists to do work they enjoy without the burden of corporate management.

I think clients like this approach because they always interact directly with the people doing the work. They can target specialists and only bring in the people they need. When I am hired for a project that extends beyond network-centric monitoring, response, and/or forensics, I call on one or more friends I trust. For example, one client needs help with monitoring, infrastructure, and applications, so I am driving to the client with the best guys I know for each subject.

I wonder if it might be useful for all of us "single-digit security service providers" (i.e., those of us with fewer than ten employees) to meet, perhaps at Black Hat USA? So many people asked if I was attending Black Hat last year, but I didn't make it. This year I think I will attend, and it might be cool for all of the security small business owners to meet and share war stories and capabilities. I'd like to expand my list of trusted colleagues, but I usually only feel comfortable recommending another person after I've met them and, ideally, seen what skills they offer. This is related to my personal LinkedIn policy.

While I know a lot of people at bigger companies, I'm never really going to call on a large company for help unless the project is beyond what I could do with a small team. So, please don't be offended if you want to attend this meeting but work for a big consulting firm or defense contractor. Your company doesn't need any help from my company, believe me!

If there's interest from large companies looking to subcontract work to small companies, I think we can talk about arranging a second meeting for that sort of social networking. I do that too, and so do my friends. If you work at a large company and want to meet potential subcontractors, please also email me and we'll set up a second meeting to accommodate those interests.

If either of these meetings at Black Hat sounds like a good idea, please comment here and/or email taosecurity [at] gmail [dot] com. Thank you.


Tate Hansen said...

I’m for it.

I get some projects whereby it would be nice to get help on a particular part – let’s say, for example, when doing a security assessment and the client wants a review of their Juniper router config, or when another client adds a request to have all their MS SQL stored procedures analyzed for weaknesses. I frequently would much rather pump some hours to a trusted contact who knew whatever it is, and at the same time feel better about the quality.

Andrew said...

Hey Richard,

I love the idea, but unfortunately this isn't something that I'd be able to attend (cost to travel, time commitments, etc.).

What about scheduling an online meeting (IRC, for example) where individuals could sign up ahead of time, provide some background information, and then show up and share?

Just a thought.

Joe said...

Hey Richard,

Of course, the one year I'm NOT going to BlackHat (my coworker and I have to take turns so that one of us is always in the office), you are. Heh, go figure. I'd hate to miss out; maybe an IRC meeting would be cool.

moonpie said...

This is just the thing I need as someone who is a very small business starting out. Turning away work is bad, but "faking" it just to be billable is worse, IMHO.

Clint Laskowski said...

Put me on your list. I'm not set for BH USA this year, yet, but I'd consider it. Just me, myself and I.

-- Clint

. Clint Laskowski, CISSP
. BlueHat Security, LLC
. clint[at]bluehatsecurity(dot)com