How Do Cybersecurity Companies Make Money? – StartaCyberCareer.com (2024)

Cybersecurity companies represent a type of business that has become vastly more prominent since the turn of the century, due to the massive increase in data and computer use and the hacking and cybersecurity attacks that those computer systems have attracted. Many people, especially those interested in a cybersecurity career, wonder how cybersecurity companies actually make money. I’d like to explain in this article.

So, how do cybersecurity companies make money? Cybersecurity companies earn money by offering any number of services to clients, including providing outsourced technology support, managed services, software tools, penetration testing, systems auditing, vulnerability analysis and consulting. Cybersecurity companies may specialize in one or even several of these areas.

For anyone going into the cybersecurity career field, it’s important to know more about the different kinds of cybersecurity companies that are out there and what they do, so you can be better prepared when you join one of these companies, or even start your own.

Let’s dive into just a few of the different types of cybersecurity services that companies offer.

Cybersecurity Service #1: Outsourced IT and Managed Service

In today’s corporate environment, one of the most popular services that cybersecurity companies offer is outsourced IT support, or what many call “managed service”. This service gives any non-technical company the opportunity to offload the technical support responsibilities and costs that it would otherwise carry in house to a third-party provider (the cybersecurity company).

The cybersecurity company makes money by offering this service at scale, thereby offering this service to dozens or hundreds (or even thousands) of client companies. The employees of the cybersecurity company are therefore supporting multiple companies and are dividing their time between them. Cybersecurity companies that offer this service often call themselves “managed service providers” or MSPs.

Types of Technical Support

For example, there are three different types of IT support that a regular company can have: Type 1, Type 2, or a hybrid between the two types. Type 1 technical support is when the company has in-house technicians on its own payroll who work solely for the company itself, and they only handle and support that company’s technology. This is a common solution for very large companies that have substantial computer systems to support but is a very costly model for smaller companies with less technology to support. This is because the costs to hire, train, pay and provide benefits for these technical employees can be far more than what a smaller organization can afford to invest in its technical support and maintenance. Therefore, we also have the next option – Type 2.

Type 2 technical support is when a regular company doesn’t hire a person or team internally to manage its technologies as part of its own company, but rather hires a cybersecurity company to manage the maintenance and support of its technologies and the end users that use them (hence the managed service mentioned above). Instead, they pay a cybersecurity company and outsource that support and maintenance to them. This often comes with tiers of guaranteed service and response times that can vary from general email support to 24/7 phone support and beyond.

The third type is a hybrid of Type 1 and Type 2 and is when a company has in-house technicians on payroll supporting its systems, but outsources certain things to a third-party cybersecurity company, such as installations of new technology, certain auditing procedures on current technology or warranty tracking. In fact, just about any technical support task can be outsourced to a third-party company, so the options are unlimited as far as what can be kept in house and what is outsourced. Many large companies will use this model, especially for short-term projects, or for tasks for which they are unable to find an employee to perform internally.

Type 2 technical support is the most prominent of the options and is what many large companies turn to because it is easier and can cost less in the long run, but more importantly, the risk of maintaining and securing these systems is offloaded too. For example, the outsourced cybersecurity company can handle all of the hardware maintenance, security patching and systems monitoring, which helps ease the regular company’s mind about security breaches and other scenarios that could affect a company’s information confidentiality and downtime.

What Careers are Available at an Outsourced Managed Service Provider Company?

Within a Type 2 IT support company, there are usually at least three different types of jobs, depending on the size and services offered by the company. There are helpdesk technicians, onsite technicians, and systems engineers.

Managed Service Career Option #1: Helpdesk Technician or User Support Technician. Helpdesk technicians are the ones that the client company most often interacts with. They are the ones the client calls when an application doesn’t work, a document isn’t saving, or if they forgot how to change their desktop image. These jobs require good technical skills and excellent communication and customer service skills. They are often considered entry level, and are where many technicians begin their careers.

Managed Service Career Option #2: Onsite Technician. Onsite technicians go to the physical locations of the clients to fix problems that cannot be solved remotely. They oversee the replacing of computers, installing new systems, and fixing issues such as broken fans, keyboards, projectors, cables and so on. The onsite technician positions require a great deal of technical knowledge and customer service skills, but in many cases are easier in the sense that onsite technicians know the tasks and issues they will be addressing before they arrive at the customer site, while the helpdesk technician does not have the advantage of knowing what the client needs before answering the call.

Managed Service Career Option #3: Systems Engineers. Systems engineers in a managed service provider usually have the least interaction with the customer but are responsible for the most important aspects of systems maintenance, including any task that is conducted on the backend of the system itself. For example, they handle network maintenance and security patches for the clients and are in charge of ensuring the security of the client’s network, along with remediation, should the network be breached. Systems engineer positions often require several years of experience.

Cybersecurity Service #2: Penetration Testing

Another common service cybersecurity companies offer is penetration testing. Penetration testing is when a cybersecurity company is contracted by a company to test their security as it relates to their computer systems, in an attempt to determine which systems are vulnerable to an attack or a hacker. At the onset of a penetration test, the client company that is requesting a penetration test (often called pen test) will list out what aspects of its systems and processes it wants tested, and what it does not want tested. This is defined as the penetration test scope.

Clearly defining and staying within the limits of a scope are imperative to any penetration test. If a company performs a penetration test and inadvertently commits “scope creep”, which is testing technology or processes outside the stated limits of the scope, legal ramifications can befall the testing entity, especially if confidential information was leaked or systems were harmed by the action.

During a penetration test, depending on the agreed upon measures, the penetrating entity will attempt to breach the client’s network, determine what systems and resources are available, and escalate their privilege.

The penetration testing itself is broken down into seven different steps by the PTES (Penetration Testing Execution Standard): Pre-engagement interactions, Intelligence gathering, Threat modeling, Vulnerability analysis, Exploitation, Post-exploitation, and Reporting. Testers use these steps to stay organized while documenting the testing process and to ensure that quality work is done.

The synopsis of the seven steps is that the testers start by defining a scope, then move on to researching the technologies the company uses and its employee tech policies, analyzing what the company’s biggest threats to its security are, analyzing its weak points, exploiting its weak points, assessing the value of the compromised machines, and reporting all of the testers’ discoveries and security remediation recommendations to the client company.

The payment method for penetration testing varies, depending on how long the engagement lasts. If it is a shorter test, sometimes the testing entity will require a single payment once the final report is submitted to the client. For mid-range tests, a common payment method is that half of the payment will be required upfront and half after the job is complete. For longer or continual engagements (these could last one year or more), recurring payments are often applied.

Cybersecurity Service #3: Systems Auditing

Another way cybersecurity companies make money is from auditing. Auditing is when a client asks a cybersecurity entity to check their security measures and policies and to make sure they are implementing secure policy or are complying with their industry’s required standards. Note that this is different from penetration testing: auditing is done by comparing a company’s security measures to a security compliance standard, while penetration testing is done by following a client-specified scope to try to compromise their computer systems.

A good example of a compliance standard is HIPAA. HIPAA is the Health Insurance Portability and Accountability Act that was passed to provide protection for patients’ medical records. Medical offices will request HIPAA compliance audits to be performed as a way of showing that they are taking proper precautions to keep patient information secure.

These audits are performed by a cybersecurity entity being contracted to go down a HIPAA compliance checklist and check off security measures like technical safeguards, physical safeguards, administrative safeguards, employee training and awareness, and the enforcement of the HIPAA standards.

Note that even within the realm of cybersecurity auditing, many companies will specialize in one area of auditing compliance, such as the aforementioned HIPAA, or other regulations, such as FERPA and PCI DSS. This is often because the regulations are quite often onerous, detailed, and ever changing, and therefore require a specialist to stay aware of updates imposed by the government or other agency.

Cybersecurity Service #4: Outsourced CTO, or Chief Technology Officer

Another type of service offered by a cybersecurity company is to solely act as a client company’s CTO (chief technology officer) or CIO (chief information officer). This is an arrangement where the cybersecurity company provides minimal service to the client company but does act as their technology manager on paper and in negotiations. An outsourced CTO service may include reviewing security policies, negotiating software purchases, and representing the company to outsiders during any technology issue. Some cybersecurity professionals find this role difficult as they are responsible for representing a company but do not have the ability to lead or direct their technology efforts in other ways that impact the CTO role.

Cybersecurity Service #5: Tools or Services for Other Cybersecurity Companies

One area of cybersecurity that is often overlooked is the group of cybersecurity companies that develop and provide products, software or other tools to cybersecurity companies themselves. A company such as Tenable, for example, provides cybersecurity analysis tools that can assess a system for vulnerabilities. Many of the intended customers of tools such as these are other cybersecurity companies that will then, in turn, use these tools to provide cybersecurity services to their own clients.

Conclusion

Hopefully, this article has shown that there are many ways in which cybersecurity companies make money (and we only touched on some of them), and those ways will increase in number as cybersecurity continues to evolve, and newer cybersecurity attacks and issues are discovered. The good news for cybersecurity professionals is that this variety of services offered by cybersecurity companies provides a variety of job opportunities with it.

Author: Nathanial Hackett