What value do research firms provide to their subscribing enterprises?

• The first is the "CYA" crowd. These are people looking to cover their backsides for decisions they want to make. They've done their homework, they know what they want to do, and they are looking for the name-brand research firm to validate their decisions so senior management will let them move forward.
• The second group is lazy. These people don't want to do any work, so they look to the research firm to tell them exactly what to do. They look at the quadrant reports and call the vendors in the top-right corner. To be clear, the research firms definitely frown upon this use of their research, but it happens every day.
• The third category includes those that are looking to get smarter and use the research firm as a broad and long educational process on a certain topic. Clearly every company is different, but most published research tends to be generic.

Depending on which category an organization falls into, what it needs out of a research company will differ. As a CYA, the big brand name is important. For someone in group two, i.e. looking to get out of work, then the brand name usually suffices, but there are a number of smaller specialists that do deep technical and architectural work.

For someone in the third group, most of the research firms will do a decent job because the process is run by the enterprise. The enterprise security officer can direct the analysts to give the needed information and then verify decisions as he or she learns more about the topic.

And yes, I think it's worth the money -- as long as the buyers are educated and actually use the information they purchase to make good decisions and take positive action toward building a better security program.

More information:

• Learn how to perform security assessments with the Open Source Security Testing Methodology Manual (OSSTMM).
• Read more about using exploit research to keep tabs on the hacker underground.