Folks, I’ve got to say, I’m seeing a lot of interest in ‘fixed fee’ “Security Architecture as a Service”.
As a result of one of my last blog posts, I received a lot of interest in making use of the “Security Architecture as a Service”. I’ve received 4 new contracts and 7 new and potential Channel Partners who all have end clients that they believe will want this. Why? Because the ability to provide cost certainty and fixed deliverables to end clients is of great interest to everyone.
For years, end clients have been hiring contractors to do ‘time and materials’ work. The result is that the end client has been getting billed multiple hours for work of varying degrees of quality. There are many good quality security architects out there that know exactly what they are doing. They can produce good quality artifacts and provide advice that can be relied on.
But there are quite a few more people out there that don’t understand or deliver security architecture. Or architecture in general. They think that they can deliver architecture artifacts and do the job of an architect but the quality of the work that they deliver leaves a lot to be desired and the client has had to pay for every single hour that these people have put in. Great in the interview but, when the pencil meets the paper, they can’t deliver. So the end client ends up taking on risk.
As someone that deals with risk every day, I understand that there are a number of different ways of dealing with it. In this case, we are talking primarily about business risk, though in the wrong situation there can be enhanced cybersecurity risk. Yet again, this is something that the end client likes – the reduction of business risk and the enhanced ability to deal with cybersecurity risk.
Now, I know that a lot of you will be saying that you SHOULD be paid on a ‘time and materials’ basis. Your clients are inconsistent regarding their organizational ability or the non-core administrative tasks that they require from you. We’ve all been there, believe me. How many times have we been brought onto projects where the vast majority of time is spent in meetings that, honestly, we don’t really provide value to? But the client has the expectation that we attend them because they view us as an extension of their workforce. The problem with that is that we are being treated as employees, not as suppliers. And that is the mentality that is shifting.
What the End Client Gets
So, let’s look at what End Clients are getting with ‘Fixed Fee’ “Security Architecture as a Service” and then let’s look at how we, as professionals, can deal with delivering these services. End Clients are getting the following:
- Known Costs – End Clients now know what their costs are going to be. This will deal with their financial risks and allow them to forecast and budget appropriately.
- Known Deliverables – End Clients can be shown, before you start working, what the end product will look like. Because of this, the End Client will know whether the quality of the work will meet their needs.
- Risk Transfer – The business risk associated with hiring a contractor will shift from the End Client to the Security Architect. If the Security Architect knows what they are doing, this shouldn’t be an issue.
What the End Client is NOT getting (and this is just as important to understand) is the following:
- Completely Customized Artifacts – Every End Client that I’ve worked with has had their own artifacts and templates that they want to use. They all want roughly the same information but always in different orders. For me to deliver a ‘Fixed Fee’ security architecture artifact, I need to know exactly what it is that I’m delivering. If the End Client wants fully customized artifacts, then go with a contractor. You can’t get both at the same time.
- Extended Work Force – This business model is not about delivering bodies. It’s about delivering solutions and work products. So you don’t have a temporary employee.
At the end of the day, what do you want – an employee or a solution?
What the Security Architect Gets
For the Security Architect, we have to be able to deliver. So what we end up having is (and I write this so that the End Client understands this relationship as well) the following:
- Standardized Templates and Processes – For a security architect professional to deliver a fixed fee solution, we need to control the work product and the process. We do that and we can be that much more successful.
- Greater Risk, Greater Reward – The End Client is transferring the risk to us. As a result, we need to determine the actual costs of doing certain security architecture activities. If you’ve performed security architecture for any length of time, you should have a pretty good handle on how long it takes to do things and what the variables are (# of stakeholders, complexity of project, stability of the customer’s environment). Because there are risks, issues, constraints, and dependencies on everything that we do (recognize those terms from Architecture Design Documents?), we add on ‘fudge’ factors to take that risk into consideration. Then if we deliver quicker than we expected, we have greater profit. But it’s on us to understand what it takes to deliver.
What we don’t get is job security. If you want a job, go get a job.
But if you want to run your own company, take this approach. And remember that your company’s core business is delivering security architecture, not bodies.
At the end of the day, we shift away from viewing the deliverable as ‘We, the Contractor’ to viewing it as ‘an actual work product’. And delivering a work product then means we have the ability to grow our business based on PRODUCTS and not on PEOPLE. Completely different business models.
To all you End Clients out there, if you want to reduce your risk, give me a call (my contact information is in my LinkedIn profile). And to all you PROFESSIONAL Security Architects out there, I highly recommend you shift your business model away from ‘time and materials’. Your clients will thank you for it.
Hope this helps …