Cybersecurity companies represent a type of business that has become vastly more prominent since the turn of the century, due to the massive increase in data and computer use and the hacking and cybersecurity attacks that those computer systems have attracted. Many people, especially those interested in a cybersecurity career, wonder how cybersecurity companies actually make money. I’d like to explain in this article.
So, how do cybersecurity companies make money? Cybersecurity companies earn money by offering any number of services to clients, including providing outsourced technology support, managed services, software tools, penetration testing, systems auditing, vulnerability analysis and consulting. Cybersecurity companies may specialize in one or even several of these areas.
For anyone going into the cybersecurity career field, it’s important to know more about the different kinds of cybersecurity companies that are out there and what they do, so you can be better prepared when you join one of these companies, or even start your own.
Ready to Start Your Cybersecurity Career?
If you're serious about starting your cybersecurity career, enroll in my FREE 5-part series "Strategies for New Cyber Careers". These strategies can help you determine your best path forward. I'll also send you my weekly cyber career newsletter with resources that every cyber professional needs to know.
Let’s dive into just a few of the different types of cybersecurity services that companies offer.
Cybersecurity Service #1: Outsourced IT and Managed Service
In today’s corporate environment, one of the most popular services that cybersecurity companies offer is outsourced IT support, or what many call “managed service”. This service provides any non-technical company with the opportunity to offload their technical support responsibilities and costs that would otherwise be offered in house to a third-party provider (the cybersecurity company.)
The cybersecurity company makes money by offering this service at scale, thereby offering this service to dozens or hundreds (or even thousands) of client companies. The employees of the cybersecurity company are therefore supporting multiple companies and are dividing their time between them. Cybersecurity companies that offer this service often call themselves “managed service providers” or MSPs.
Types of Technical Support
For example, there are three different types of IT support that a regular company can have: These are Type 1, Type 2, or a hybrid between the two types. Type 1 technical support is when the company has in house technicians on their own payroll that work solely for the company itself, and they only handle and support that company’s technology. This is a common solution for very large companies that have substantial computer systems to support but is a very costly model for smaller companies with less technology to support. This is because the costs to hire, train, pay and provide benefits for these technical employees can cost far than what a smaller organization can afford to invest in their technical support and maintenance. Therefore, we also have the next option – Type 2.
Type 2 technical support is when a regular company doesn’t hire on a person or team internally to manage their technologies as part of their own company, but rather hires a cybersecurity company to manage the maintenance and support of their technologies and the end users that use them (hence the managed service mentioned above.) Instead they pay a cybersecurity company and outsource that support and maintenance to them. This often comes with tiers of guaranteed service and response times that can vary from general email support to 24/7 phone support and beyond.
The third type is a hybrid of type 1 and type 2 and is when a company has in house technicians on payroll supporting their systems, but they will outsource to a third party cybersecurity company for certain things, such as installations of new technology, certain auditing procedures on current technology or warranty tracking. In fact, just about any technical support task can be outsourced to a third-party company, so the options are unlimited are far as what can be kept in house and what is outsourced. Many large companies will use this model, especially for short term projects, or for tasks in which they are unable to find an employee to perform internally.
Type 2 technical support is the most prominent of the options and is what many large companies turn to because it is easier and can cost less in the long run, but more importantly, the risk of maintaining and securing these systems is offloaded too. For example, the outsourced cybersecurity company can handle all of the hardware maintenance, security patching and systems monitoring, which helps ease the regular company’s mind about security breaches and other scenarios that could affect a company’s information confidentiality and downtime.
What Careers are Available at an Outsourced Managed Service Provider Company?
Within a Type 2 IT support company, there are usually at least three different types of jobs, depending on the size and services offered by the company. There are helpdesk technicians, onsite technicians, and systems engineers.
Managed Service Career Option #1: Helpdesk technician or User Support Technician. Helpdesk technicians are the ones that the client company more often interacts with. They are the ones who the client calls when an application doesn’t work, a document isn’t saving, or if they forgot how to change their desktop image. These jobs require good technical skills and excellent communication and customer service skills. They are often considered entry level, and are where many technicians begin their careers.
Managed Service Career Option #1: Onsite Technician. Onsite technicians go to the physical locations of the clients to fix problems that cannot be solved remotely. They oversee the replacing of computers, installing new systems, and fixing issues such as broken fans, keyboards, projectors, cables and so on. The onsite technician positions require a great deal of technical knowledge and customer service skills, but in many cases are easier in the sense that they know the tasks and issues they will be addressing before they arrive at the customer site, while the helpdesk technician does not have the advantage of knowing what the client needs before answering the call.
Managed Service Career Option #1: Systems Engineers. Systems Engineers in a managed service provider usually have the least interaction with the customer but are responsible for the most important aspects of systems maintenance, including any task that is conducted on the backend of the system itself. For example, they handle network maintenance and security patches for the clients and are in charge of ensuring the security of the client’s network, along with remediation, should their network be breached. Systems Engineer positions often require several years of experience.
Cybersecurity Service #2: Penetration Testing
Another common service cybersecurity companies offer is penetration testing. Penetration testing is when a cybersecurity company is contracted by a company to test their security as it relates to their computer systems, in an attempt to determine which systems are vulnerable to an attack or a hacker. At the onset of a penetration test, the client company that is requesting a penetration test (often called pen test) will list out what aspects of its systems and processes it wants tested, and what it does not want tested. This is defined as the penetration test scope.
Clearly defining and staying within the limits of a scope are imperative to any penetration test. If a company performs a penetration test and inadvertently commits “scope creep”, which is testing technology or processes outside the stated limits of the scope, legal ramifications can befall the testing entity, especially if confidential information was leaked or systems were harmed by the action.
During a penetration test, depending on the agreed upon measures, the penetrating entity will attempt to breach the client’s network, determine what systems and resources are available, and escalate their privilege.
The penetration testing itself is broken down into seven different steps by the PTES (Penetration Testing Execution Standard): Pre-engagement interactions, Intelligence gathering, Threat modeling, Vulnerability analysis, Exploitation, Post-exploitation, and Reporting. Testers use these steps to stay organized while documenting the testing process and to ensure that quality work is done.
The synopsis of the seven steps is that the testers start by defining a scope, then move onto doing research into the companies technologies used and employee tech policies, analyzing what the company’s biggest threats to its security are, analyzing its weak points, exploiting its weak points, assessing the value of the compromised machines, and reporting all if the tester’s discoveries and security remediation recommendations to the client company.
The payment method for penetration testing varies, depending on how long the engagement lasts. If it is a shorter test, sometimes the testing entity will require a single payment once the final report is submitted to the client. For mid-range tests, a common payment method is that half of the payment will be required upfront and half after the job is complete. For longer or continual engagements (these could last one year or more), recurring payments are often applied.
Cybersecurity Service #3: Systems Auditing
Another way cybersecurity companies make money if from auditing. Auditing is when a client asks a cybersecurity entity to check their security measures and policies and to make sure they are implementing secure policy or are complying with their industry’s required standards. Note that this is different from penetration testing wherein auditing is done by comparing a company’s security measures to a security compliance standard while penetration testing is done by following a client specified scope to try to compromise their computer systems.
A good example of a compliance standard is HIPAA. HIPAA is the Health Insurance Portability and Accountability Act that was passed to provide protection for patient’s medical records. Medical offices will request HIPAA compliance audits to be preformed as a way of showing that they are taking proper precautions to keep patient information secure.
These audits are performed by a cybersecurity entity being contracted to go down a HIPAA compliance checklist and check off security measures like technical safeguards, physical safeguards, administrative safeguards, employee training and awareness, and the enforcement of the HIPAA standards.
Note that even within the realm of cybersecurity auditing, many companies will specialize in one area of auditing compliance, such as the aforementioned HIPAA, or other regulations, such as FERPA and PCI DSS. This is often because the regulations are quite often onerous, detailed, and ever changing, and therefore require a specialist to stay aware of updates imposed by the government or other agency.
Cybersecurity Service #4: Outsourced CTO, or Chief Technology Officer
Another type of service offered by a cybersecurity company is to solely act as a client company’s CTO (chief technology officer) or CIO (chief information officer). This is an arrangement where the cybersecurity company provides minimal service to the client company but does act as their technology manager or paper and in negotiations. An outsourced CTO service may include reviewing security policies, negotiating software purchases, and representing the company to outsiders during any technology issue. Some cybersecurity professionals find this role difficult as they are responsibility for representing a company but do not have the ability to lead or direct their technology efforts in other ways that impact the CTO role.
Cybersecurity Service #5: Tools or Services for Other Cybersecurity Companies
One area of cybersecurity that is often overlooked is the group of cybersecurity companies that develop and provide products, software or other tools to cybersecurity companies themselves. A company such as Tenable, for example, provides cybersecurity analysis tools that can assess a system for vulnerabilities. Many of the intended customers of tools such as these are other cybersecurity companies that will then, in turn, use these tools to provide cybersecurity services to their own clients.
Hopefully, this article has shown that there are many ways in which cybersecurity companies make money (and we only touched on some of them), and those ways will increase in number as cybersecurity continues to evolve, and newer cybersecurity attacks and issues are discovered. The good news for cybersecurity professionals is that this variety of services offered by cybersecurity companies provides a variety of job opportunities with it.