Archive for the 'Sound Bites' Category
Yesterday we completed day two of our Making Money w/ Security Workshop (Online). A couple of questions came up that might be helpful to anyone selling security solutions…
Sound Bites and Helpful Articles
One person asked about some of the sound bites I mentioned as we went through the session on how to effectively use sound bites.
1. I mentioned a WSJ article that describes how the CISO/CIO needs to be involved in the overall security architecture – Here’s the link.
2. In a recent interview with Richard Clarke, reported on by Ron Rosenbaum, the statement was made that Every Major US Company Has Already Been Hacked Into – where is the article? Here’s the link…
3. The WSJ article that references how 70% of small businesses think they are secure – I comment on this in one of my blog posts – here it is.
Typical Responses to the Question, “What are you trying to protect?”
One of the three questions I ask in my book, The House & the Cloud, is “What are you trying to protect?” When given the opportunity to sell a security product, this should be your first question. It’s an Asset Owner question. IT can’t answer this question – so don’t look for answers like – servers, storage, network, etc. Rather, you are looking for internal systems and applications business people rely on. Your best answers are going to be the internal names of systems they use. In one business I worked with, the company kept referring to their FIS system – FIS for Financial Information Systems. I worked on another project involving the ARMS systems – Account Relationship Management. These are the internal systems asset owners use every day to do their job.
Another possible answer might refer to intellectual capital, R&D data, trade secrets involving a new development or secret formula such as is used in Coke products or Michelin tires. The bottom line is, if you’re asking a technical person, you’re not likely to get what you need. Learn to speak the internal language and you’re likely to get a lot further down the road on the sales process.
Today we will be covering effective security assessment strategies. I will be going through several real assessment projects, looking at deliverables, and showing why a thorough security assessment that did uncover “Bad stuff” doesn’t necessarily lead to remediation work. I also want to show some simple ways to rewrite the assessment deliverable to drive that remediation process forward.
© 2013, David Stelzl
Reads the headline in today’s tech section of the Wall Street Journal. Over the past several months there have been numerous articles published in the Journal – some saying this is real, others denying it…I appreciate one article stating that these attacks are small enough for our government to ignore, so that there is no one single incident demanding a response, but big enough to threaten the long term viability of some of the major companies in the US. In another Journal article I read, “All major US companies have been successfully compromised…” Where is this all headed?
Companies who insist “They’ve got it covered…” are in trouble in my opinion. No company is really impenetrable. In fact, the idea of using a pen-test to show your clients that their data is safe is a false sense of security. A failure to break in simply shows the incompetence of the pen-testing team. It certainly doesn’t mean the company is well secured.
In today’s article the Journal reports – “The Obama administration is considering a raft of options to more aggressively confront China over cyberspying,…, a potentially rapid escalation of a conflict the White House has only recently acknowledged.” The key phrase here is, “Only recently.” Why have government officials denied this for so long? Perhaps for political and economic reasons. The Journal states it like this, “Before now, U.S. government officials and corporate executives had been reluctant to publicly confront China out of fear that stoking tension would harm U.S. national-security or business interests.”
Why are the Chinese on the attack? “China is stealing trade secrets as part of plans to bolster its industry.” It’s simple, the US has a greater capacity for innovation. By invading companies’ intellectual capital, other nations can cut thousands of man-days out of the R&D process. Google, EMC, RSA, New York Times, Wall Street Journal, and many other well-known companies, along with many federal organizations including the Pentagon, have reported problems traced back to China in recent years. However, things like “dependency on China to underwrite U.S. debt and to provide a market for U.S. businesses,” have allowed these nation-state sponsored attacks to go unchallenged.
Recently our government officials have come out saying, “Cybersecurity threats are the greatest threat to our security—economic security, political security, diplomatic security, military security.” No matter how big your customers are, cybersecurity is something you want to understand and engage them in. We’ll be covering more on this threat in the coming weeks as we approach the May Making Money w/ Security workshop. I’m looking forward to seeing you there.
© 2013, David Stelzl
We completed our first day of Making Money w/ Security on Monday with a group here in downtown Melbourne. As we were discussing some of the global security trends, one of the attendees pointed me to this TED video which does an excellent job of breaking down the Stuxnet technology – I would encourage anyone selling security technology to take time to view this. It provides some in-depth understanding on what’s really possible out there.
Also, don’t forget to check out the upcoming May workshop – Making Money w/ Security – a public offering delivered online. Seating is limited and it’s filling up quickly…here’s the link.
© 2013, David Stelzl
This week I am up in Chicago working with a company to build differentiation and competitive advantage – it’s one of the four things buyers buy (something I wrote extensively about in my book, From Vendor to Adviser). Where is the growth opportunity?
From the Wall Street Journal this morning:
“Cybersecurity and Big Data are the dynamic duo of tech jobs. The demand for cybersecurity experts is growing at 12 times the overall job market, making it one of the most highly sought-after fields in the country, according to a report by Burning Glass International Inc., a Boston-based company that uses artificial intelligence to match jobs and job seekers. “Few job categories can match the explosive growth in demand for cyber security talent,” Burning Glass CEO Matthew Sigelman told CIO Journal in an email. “One of those may be Big Data, with demand for certain big data skills up 122% in the past year alone.” The growth in demand for cyber security expertise is closely related to the growth in demand for Big Data skills. “After all, as companies are focusing more and more on Big Data and the value that’s accrued within their customer databases, not surprisingly they have also come to focus more attention on managing the risks and the vulnerabilities,” he said.”
The security market is growing…but just saying security isn’t enough. Technology trends that revolve around big data, mobility and BYOD, and virtualization / cloud technologies are important applications of security. I hear people saying things like, “I don’t recommend cloud – it’s not secure.” Our opinion on this doesn’t really matter. What does matter is, companies are heading this direction and need someone to help them be as secure as possible.
There are thousands of sales people out there selling general technology products. If you want to be relevant in the coming decade, specialization is needed. This goes for both companies and their sales teams.
P.S. Really enjoying the snow storm in Chicago this week!
© 2013, David Stelzl
Important Sound Bites…. (Based on the Mandiant Report)
- “When they hack into a system, they do have the ability to crush the system…I think they’re there to steal the data.”
- “If the mission were to change, they [Chinese Hackers] do have all the tools in place to destroy…”
- “Chinese military unit 61398, believed to be behind the theft of hundreds of terabytes of information from 141 organizations primarily in the United States.” – SC Magazine
- APT1: “Mandiant named the group APT1 –…it is only one of dozens of advanced persistent threat (APT) groups with China-based operations that the firm tracks.”
- Industries targeted by APT1 also “match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan.” – Homeland Security Digital Library. – Reports show that this has been going on for 12 years, and that 12 major industries are targeted in these attacks.
- What does APT1 Consist of? “The size of APT1’s infrastructure indicates that hundreds, and possibly thousands, of people work for this group, including linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors.” – Homeland Security Digital
Executive Summary Report – scroll halfway down this linked page to read dozens of findings concerning the involvement of the “2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).”
© 2013, David Stelzl
Yesterday I completed day 1 of the Making Money w/ Security Virtual Workshop. One of the topics we discussed is that of using sound bites effectively.
What are sound bites? Sound bites are short, factual statements, that come from solid sources. They communicate something serious, alarming, insightful, or amazing. They build credibility. When a sales rep is armed with numerous sound bites from credible sources, they appear to be well educated, well read, and in touch with the trends. Over time, having read and memorized enough sound bites, that person will be knowledgeable. After all, knowledge is gained mostly through the study of good books. Isn’t that what changed most of us over the four to six years we spent in college? Here’s a quick overview of the process…
1. Determine what you aim to be an expert in. What will you be a trusted adviser of? Let’s assume it is securing mission-critical information – the focus of this week’s workshop.
2. Study newsworthy sources and discover the trends – pick out the sound bites. “If you think U.S. Military computer networks are secure, think again.” Security experts report to the U.S. Senate committee – March 23, 2012.
3. Memorize these quotes – if you spend 15 minutes each day, scan the news, and pick out just one, you’ll have countless up-to-date quotes at your fingertips the next time you meet with a CIO.
4. Use these sound bites to communicate truths to executives. Their IT people are telling them “We’ve got it covered.” In fact, 71% of mid-size companies believe (because their IT people tell them), that everything is fine. 90% of Visa’s reported fraud cases come from this same group, and the FBI tells us that it takes at least 15 months before people realize they’ve been attacked.
5. What did I just do? I defeated the IT person’s argument by quoting the Wall Street Journal – that is the appropriate use of a sound bite. Rather than bickering with IT about how secure they are, simply pull out a sound bite that suggests that they have been infiltrated, and that they probably wouldn’t know – so how can they be sure? Who will the executive believe? It’s no longer my word against theirs – it’s IT vs. The Wall Street Journal report, the FBI, DoD…etc.
Having been on many security sales calls over the past 20 years, I can attest to this idea – it works. Executives don’t trust sales people, but they don’t trust IT either…they do trust experts, The Wall Street Journal, Gartner, etc. Your job is to persuade, not argue. Persuasion is “Guiding truth around other people’s mental roadblocks.” (Quoted from The Character Training Institute). Discover the truths written by the experts, memorize them, and then guide them around these roadblocks that resist knowing how insecure the network really is.
© 2013, David Stelzl
We are just a week away from the first 2013 Making Money w/ Security (Virtual) Workshop! And as I travel through the mid-west this week, I am gathering updated sound bites and trends for our workshop. Looking forward to 2013, I expect to see continued growth in this market (providing security services and managed services). In fact, on Jan 2, 2013, the Wall Street Journal posted an article on the daily attacks occurring on energy companies – this can’t be good!
“Malware is going undetected for weeks or months” – they stated, but in fact, it is often not detected for over a year according to FBI statistics (15 months as cited below). Some important points from this article entitled, Cyber Threats to Energy Sector Happening at ‘Alarming Rate’. (posted on Jan 2, 2013 in The Wall Street Journal).
Here’s my favorite quote: “Executives are told the networks aren’t connected,…it’s not entirely true” Isn’t that so often the case – senior management thinks everything is covered! It’s not…
- “Internet-based attacks on critical U.S. energy infrastructure are occurring at a greater rate than previously understood, according to a new government report.”
- “the Department of Homeland Security, found that thousands of control systems used in critical infrastructure are linked directly to the Internet and are vulnerable to attack”
- The team “has been tracking threats and responding to intrusions into infrastructure such as oil and natural gas pipelines and electric power organizations at an alarming rate.”
- “On average, malicious software infections are not discovered for 15 months, according to ICS-CERT. That leaves hackers plenty of time to do damage.”
The purpose of next week’s class is to better understand how to get this kind of messaging into executive-ready format, and how to reach those higher-up people who need to know. From there we talk about gaining approval to build the justification needed to sell larger security projects, and finally, how to present that justification in a way that leads to immediate business. If you have not been through one of these workshops, you can start by learning more with my book, The House & the Cloud. Get a free PDF version right here:
© 2013, David Stelzl
Hopefully your 2013 planning is underway and you are gearing up for a great New Year! I realize there is still business to take care of in December, and if your month is anything like mine, it’s busy. But don’t neglect your planning time. None of us can afford to just enter into the New Year without a plan.
While you’re at it, add training to your plan. Remember, great athletes train all year, almost every day, just to play a few games. On the other hand, most sales people play every day and train one or two days each year. If you don’t count product training, most probably don’t do any training (And I don’t count product training as sales training).
This year I am kicking off 2013 with an online Making Money w/ Security workshop. We already have a fantastic group signed up (with over 20 people). Don’t miss this opportunity to set your course in the right direction before business gets busy. You can read more right here:
© 2013, David Stelzl
I’ve spent my election week in Chicago, with overcast skies and a couple of busy days working on reseller business strategy. If you remember the best seller – Blue Ocean Strategy, co-author Kim offers several paths to creating a new break-through strategy for your industry. This is something VARs desperately need in today’s market, and of the 6 paths offered, one stands out as a way to help VARs re-engineer (Ref. Michael Hammer) their business. Path 3 – The Chain of Buyers.
The traditional VAR sells to IT – influencers with limited budgets. In the book, Kim writes about a strategy Bloomberg used to get around IT with their application. Here’s the quote: “The traders and analysts wielded their power within their firms to force IT managers to purchase Bloomberg terminals.”
This is a powerful concept that is unleashed when sales people start thinking about “Asset Owners” – a term I introduced in The House & the Cloud. If you look across the multitudes of resellers, you’ll see they are all spending money to compete on the same things. They have technical talent, basic sales people, broad technology solutions, managed services, discounted prices, similar rates, etc. They call low, sell inexpensive projects in comparison to the big consulting firms, deliver product install, and carry vendor certifications. Their margins are low, and they are working to build valuation through managed services – annuity business.
The consulting firms on the other hand, hire high end people, big degrees, charge big prices, call on executives, do large projects, focus on large clients (mostly) and cost a fortune. They too compete on the same things.
This week we are formulating new strategies to compete in the market place – with higher margin, higher level relationships, but without the high cost of entry, enormous project fees, very expensive people, and complexity. I believe there is a better way to build this business, but if the VAR continues to compete on the same things it’s focused on for the past twenty years – cloud trends, BYOD, and scaled down computers like smart phones and tablets will threaten future profits.
Join us later this month for an intense planning and strategy session in Charlotte NC. Read more here and sign up – I just have about 4 slots left: http://stelzlplan.eventbrite.com/#
© 2012, David Stelzl