Cybersecurity Assessments & Projects

How to get help with your your next cybersecurity initiative

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Cybersecurity | Penetration Tests

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A organization recently wanted me to help them create a cybersecurity metrics program. Another requested customized Azure training. These are the types of projects that fits nicely into the type of work I do through IANS Research or 2nd Sight Lab. I haven’t had time to update the 2nd Sight Lab website as I’ve been too busy, so here’s a quick blog post explaining how I can help and how 2nd Sight Lab operates. If you are facing hiring challenges for cybersecurity professionals, I explained how hiring outside consultants or obtaining cybersecurity training for existing employees can help in this blog post:

Services provided through IANS Research only

First of all, what 2nd Sight Lab does not do. I only answer one-off security questions through IANS Research. If you have a security question, reach out to IANS Research. You’ll work with a client services representative who will get you scheduled on my calendar. I can also do consulting projects through IANS. If you have an IANS agreement you may have to work with me through them due to our arrangement. It might also be easier for large companies to work through IANS if your contractual needs don’t align with the description below. They may or may not be able to accommodate something different.

By the way, stay tuned as I’ll be speaking at some upcoming IANS events! I hope you can join.

Cybersecurity Projects

I own 2nd Sight Lab. We work on cybersecurity projects. The project involves either developing training or some type of due diligence, assessment, analysis, or research.

Preventative Cybersecurity

My mom tends to call and ask if I’m helping with the latest big breach in the news. Although I often write some analysis on this blog to try to help out, 2nd Sight Lab works with customers to prevent data breaches. Some companies specialize in helping organizations after a breach to deal with the aftermath such as analyzing the malware, determining how many records the attackers accessed and related fines, dealing with law enforcement, and sending out breach notifications. We want to help you prevent a breach to avoid all of that. That said, we have had a number of companies reach out to us after a data breach or security incident to review their security and help them improve it going forward. I wish more companies would contact me before that happens!

Types of cybersecurity projects

2nd Sight Lab focuses on cloud and application security at this time, though I’m certified in a lot of other areas. All of our work must be done from or within a cloud environment. If we can connect from the cloud to the environment that needs an assessment we can likely do it. We do not install things on our local network or laptops. We can make on-site visits in limited circumstances, but in general, our work is almost always done remotely. We do not write code or implement security for you, but we can assist with projects as an architect, interim CISO, or advisor.

Sample cybersecurity projects:

• Cybersecurity strategy
• Cloud and application penetration tests
• Cloud and application security assessments
• Customized cloud and application security training
• M & A cybersecurity due diligence
• Venture Capital due diligence
• Risk analysis and metrics
• Application architecture security assessment
• Cybersecurity process assessment
• Deployment system architecture and assessment
• Governance models, design, and implementation assistance
• Cybersecurity architecture and design projects
• Cybersecurity research
• Virtual CISO guidance to create a short term cybersecurity plan (e.g. Steps to take until a startup can hire a full-time CISO)

Scope:

If you are an IANS Research customer you will work with one of their client services employees to define the scope. Otherwise, you will likely work with me, for the time being, to define the scope. The scope of the project relates to a number of hours. The things I use to scope the project vary by type of project but it always equates to hours required to complete the work, which I multiply by an hourly rate to come up with a price for the project.

Deliverables

• The deliverable for training is a class.
• The deliverable for any other project is a report.

Project Billing

2nd Sight Lab always bills for a project the same way to keep it simple. We require 50% upfront and 50% on the delivery of a report or class. With training, we need to request the upfront payment at least 2–4 weeks prior to the class to cover the cost of work performed before scheduled class dates. The minimum project fee is $8,000 at this time but is often $15,000 and up. Private 40-hour classes with labs start at $25,000 for 10 students.

Why No Hourly Rates

We do not use an hourly-rate billing model and here’s why. First of all, if you don’t know how many hours you’re going to spend you could end up paying a lawyer $1000 to negotiate a contract and the project lasts two hours. You lost money. Secondly, I used to bill hourly through my software company. Tracking and billing time on invoices created a lot of overhead. I’d rather spend that time helping clients. Finally, it takes time to chase down payments. I had a client who consistently argued with me about every. single. bill. I finally just told her to scratch off what she had a problem with on each bill and just pay the rest. She would mark off something like $300 on a $15,000 invoice. It was very stressful and time-consuming. It’s not worth the hassle.

About Cash Flow

In addition to the problems I already mentioned with hourly rates, there is too much lag when trying to maintain consistent cash flow. One customer pays in advance. Another pays with a term of 60 days. Now you have a window with no cash flow. Gaps in cash flow impact small business owners more than large companies. Last year I took time off to get my house in Seattle ready to sell. The drop in income over that time period caused by my time off and the contractor’s failure to complete work on time affected my ability to get a loan for my new home. I ended up finding a way to pay cash, but it was not ideal. Even though with the sale of my home in Seattle, I had a higher income than ever in my life, banks will only look at business cash flow with their rigid underwriting formulas. All they see is a gap with no income. There’s your mini business lesson on cash flow for the day. It’s one of the number one reasons startups go out of business.

Focused Deliverables

Another reason I focus on fixed-rate projects is that I don’t want to waste customers’ time. I did one hourly rate project, and I would spend hours on-site working for someone revising spreadsheets. I don’t think that was a good use of my time. It also tied me up for a long time doing busy work instead of actively solving security problems. That was an interesting project, and I was grateful to participate, but in the end, I felt like I could deliver what I gave to that client in six weeks instead of three months. I like to work on focused deliverables and get them done as quickly as possible. I’m not one for milking clocks.

A company, not an employee

When you hire me, you hire my company, not me personally. If you’re working on an hourly rate, you’re basically a short-term employee paid an hourly rate. 2nd Sight Lab offers a product — our classes. We also offer analysis services that include a deliverable — a report. Those products are delivered using the processes, tools, and documentation we have developed.

Why I don’t want to be an employee

One of the reasons I choose not to be an employee of a large company is that it comes with too many restrictions and roadblocks to delivering effective security assistance. I was not allowed to say certain things for political reasons or simply ignored. I couldn’t fix things I wanted to fix. When 2nd Sight Lab assists a company, we provide the analysis and deliver a report or training. When the company receives the deliverable, it is up to them to fix the issues. If they don’t, I won’t be caught up as an employee of the company involved in the next big breach over something out of my control to fix. By coming in as an external advisor we can speak truth to power for employees who hire us to improve security. I often work with CISOs prior to pentests and security assessments to deliver the desired message in our report and provide the data to back it up.

Who does the work?

I’ve never wanted a large company. I had five employees in my previous company, Radical Software, and that was OK. I managed a team of 30 as director of SAAS engineering for a company. I don’t want to do that again. I spent a lot of time dealing with “people issues” (not to mention politics) instead of getting a project delivered. At this moment, I’m doing the majority of the work. Someone I used to work with helped me create some class labs for the first class I delivered when I was in a time crunch. In the past, I hired interns to help with basic penetration testing, class material review, editing, and accounting.

Who are the interns and assistants?

In the past, the people helping me most of the time were my nieces and nephews, but they went off to college to be teachers and doctors and got too busy for me. Cybersecurity was not their passion. Now I’m looking into working with local colleges. I reached out to Savannah State University last year to hire an intern. I never heard back from the department where I sent the job description. I may pursue that again later through some different schools. Other than that, I’ve only received help from people I know personally. If a client doesn’t want anyone else to do the work or see their report, we can work that out.

Security for Interns and Employees

I am working with a human resources company that performs background and reference checks. When I have someone work on a penetration test for 2nd Sight Lab, they get a separate cloud account and must follow our security standards and instructions. After they finish, we terminate their access to any customer information on that project. Currently, I’m only using interns who are friends or friends’ kids. They are helping me test new cybersecurity training, proofreading documents, and will review books. Employees receive access through our cloud accounts, and that is one of the reasons we can only do projects from the cloud. It limits the exposure of customer data to other systems and networks.

Ownership

2nd Sight Lab owns all training materials we produce or use for client training. We often will revise or rearrange our training material for a client to focus on their specific needs. That material contractually remains the property of 2nd Sight Lab and according to our agreement should remain confidential. In addition, any tools, processes, or materials we use on penetration tests or assessments remain the property of 2nd Sight Lab. However, our clients own the report we deliver. We are obligated to keep reports and any client information confidential unless explicitly allowed in our contract. For example, a customer requesting a product assessment of the efficacy of their product may want 2nd Sight Lab to publish our findings, if we find that it solves a particular problem very well.

How to contact me about a cybersecurity project — LinkedIn

At this time, the best way to reach me for a project is through LinkedIn. I’ve explained this before but using LinkedIn I can see some information about the person with whom I am doing business. I had some very sketchy people contact me while running my past company, Radical Software, Inc. I always wondered if they were legitimate or they were having me perform work for a nefarious organization. That is one of the ways I attempt to verify clients, other than those I meet in person or who are referred by someone else. Unfortunately, I cannot provide training to organizations in certain countries at this time.

Starting a cybersecurity project

Once you contact me on LinkedIn, I’ll send you information to set up a call to discuss your project. I only do phone calls, not Zoom or video calls, until after I have a signed contract. Even then, I require a week’s advance notice for video calls as my network is not set up to handled those at this time. After I understand a bit about the scope, you’ll receive a proposal and a contract for review. We may work to revise it to meet your specific needs. We’ll define a schedule and deliverables and payment terms in the contract. If I need to explain how to get set up for a penetration test or class those instructions come after receipt of the upfront payment.

Completing a cybersecurity project

Prior to signing a contract we’ll discuss arrangements for communication over the course of the project. Often that will be via email for an on-going penetration test. For a security assessment, I will typically include phone interviews to ask questions up front and further discuss findings after reviewing the assessed environment, but this can vary as needed based on customer needs. Once we’ve completed our work, you’ll receive a report. I try to wait a few days before sending the final invoice to make sure the customer received and could open the report.

Additional support after report delivery

Once a class is complete 2nd Sight Lab doesn’t generally provide any additional assistance, though in some cases we had a lab fail and provided a working version after class to the client. I have taken many cybersecurity classes in my time and never had another company do that for me. I usually don’t charge extra for a few questions after the report gets delivered. However, extensive questions or support would require an additional fee. Often, customers will ask us to verify their fixes for findings after completion of a penetration test report. We include that on our penetration report contracts at an hourly rate and can cap the time we spend reviewing the findings as needed.

If you are thinking of hiring a company to perform a cybersecurity assessment, penetration test, research project, or due diligence related to a cybersecurity investment hopefully this information helps you understand how 2nd Sight Lab operates. You can reach out to me on LinkedIn if you have any additional questions about assessments, penetration test, or training.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab