What to ask when conducting your security risk assessment
How to answer sales objections when selling MSP solutions using risk assessments [free assessment template]Continue Reading...
It’s Easy to Leave A Channels Event, Distributor Conference, or Mastermind Group feeling good about your MSP business. After all, your business is producing a profit.
You’ve been in business for 20 years or more. And you’ve managed to weather several economic downturns over the past couple of decades.
Don’t get too comfortable…
The high-tech business is a fickle thing…there are economic downturns (recessions, depressions, or whatever you want to call them…) and then there’s commoditization. The latter is your greater enemy.
Like medical and grocery sales, people need their computer. The high-tech business (servers, storage, data center, etc.) has been a high growth industry since I entered the business world out of college. It just has…perhaps it always will…tech is the lifeblood of most businesses today. We can’t work without it.
However, It commoditizes.
Building Sustainability Into Your Business
This week I’m attending a marketing conference in Cleveland OH. Over 1200 small business owners packed into an auditorium listening to some of the greatest entrepreneurial minds in world.
This morning’s session focused on sustainability.
As the speaker unfolded over an hour’s worth of strategies, the MSP business came to mind…a business that relies on long term customer retention.
MSP sales are not transactional. In fact, if your clients only stayed a month or two, your cost of sales would eat your business alive. You really need them to stay.
Historically, retention in the MSP business is 5 years (average). Yours might be more or less, but you should know your number. The goal is to increase it. If you could add just one year to your average (assume you have 100 clients signed on), that’s 1200 months of MRR (Monthly Recurring Revenue) added to your business in that one single act. Or think of it as signing a 1200 year contract with your next client!
5 Things You Should Be Doing To Create Sustainable MSP Business…
Build Evergreen Assets. If you’re taking care of your customer, you’re probably meeting quarterly to review their IT. Hopefully you’re also giving them guidance. During the initial sale you also had to review their business and create some sort of proposal.
However, building everything from scratch is destined to fail. The cost of customization is high, and the likelihood of messing up is high too…Better to productize your offerings…here’s how.
First, you should be selling packaged offerings. There’s your core MSP offering, and then there are add-ons (like riders on an insurance policy). However, when you buy a car, those extras are often bundled into packages. The electronics package with the stereo upgrades. By doing this the dealer eliminates the headache of creating a completing customized quote.
In this case you need at least one (but probably more) security package…one that can be added to their existing MSP agreement (if someone else holds that contract), or attached to yours (now or later).
There’s also a maturity model…if you were to create a maturity roadmap for security, when your new customer joined your program, you would figure out where they are right now, and begin taking them through your 24 step program…certain mail pieces, meetings, assessments, and sales efforts would be made along the way – all predetermined.
Building Identity. Customer loyalty is also a key to sustainability. Not everyone will be loyal, but the hotel and airline industries, as well as Amazon and Starbucks, have all proven that people will join the club if you sell it the right way.
It turns out identity (the people group, brand, or team I identify with) will drive my behavior faster than just about anything else. I’m a lifetime platinum member of Marriott…when it’s time for coffee, I’m waiting in line at Starbucks in the airport, even though there’s a coffee shop right across the hall with no wait. Why?
I’m part of the club. I identify myself as a Starbucks customer, I stay at Marriott unless there just isn’t one…and I’m not the only one. If you’re sitting there telling yourself you don’t do that, remember, you’re not you’re own customer…you want to sell to people who will sign on with a brand and stay.
Sell to The Right People. There is a people group out there worth your time…but there are also people not worth selling to.
Your job is to identify the people group you work well with, and go after them. I was talking to a very successful entrepreneur this week – he told me he sells to men, age 45 – 60, ambitious, hard working, leaners, who are already in business. He also noted it’s best if they are married, politically conservative, etc. You might think he’s too narrow. Yet he’s made millions (plural) of dollars in personal income annually over the past decade.
Signing the wrong people onto a business that demands retention is a recipe for failure.
When identifying your perfect customer (the customer avatar) you’ll want to know how they think…the more you know what’s on their mind, the better.
Today’s speaker said it like this…”Know what they are thinking about every day as they leave the office…know what they talk about around the dinner table each evening…and if they wake up at night worrying about stuff, you should know it.”
In the End They Need Hope. Dave Ramsey does one of the best jobs of selling hope. He tells his team, when you pack up a book or CD to ship out, it’s not a book, it’s a package of hope.
With MSP; remember, most small businesses are frustrated with computers. They don’t understand them, they don’t really trust them, and when it comes to security, they’ll do just about anything to avoid thinking about it. Security issues just create more stress…
Want To Build The Sustainable MSP Business?
Stop trying to copy the models presented by MSP cloud offerings around you. They don’t know how to sell to the SMB market. They know how to sell to you…I’m talking about the SolarWinds, Continuums, and nAbles of the world…
Be radical…start thinking about what a small business really needs…what would remove all the IT stress from their world. And then start providing it to your ideal customer avatar. Add one year to your average, and then continue to journey. It’s the road to MRR growth…And it’s sustainable.
© 2017, David Stelzl
P.S. Do you have my Security Assessment Report Template…Designed to move prospects into your program quickly?
We just wrapped up an awesome event in Vancouver, thanks to the Tech Data Team and Tech Select Members!
Yesterday I presented 4 key concepts resellers must execute on if they want to keep growing, or reignite a dying MSP business.
In case you missed it, I did provide a free Assessment Template you’ll want to download
What are the 4 areas?
First, how to use assessments. Over dinner, Dale Cline, President of BlackStratus (A Security Monitoring Firm based in NY) shared with me, that by changing their approach to an assessment based trial, conversion rates have gone from 30% to 80% in just a few months. PWC, Accenture, KPMG – these firms have been using assessments and studies to sell for decades..it’s the key to avoiding price discussions.
Next, The Value Message. People take care of urgent threats before they expand and invest. If you’re having a heart attack, you’re not stopping to check your budget. You just go to the hospital before it’s too late. In our session, using the messaging from The House & Cloud, I showed this group exactly how we converted over 25 business leaders in one hour earlier this week – a lunch & learn I did in Richmond VA.
Transformation also requires an ascension strategy – that means modifying your solution strategy. If your only real offering comes from MSP contracts, then how does the 80/20 rule apply. It turns out there’s a 5X growth strategy sitting above your MSP business…but most IT services providers don’t have one.
Finally, if you want to grow, you need a conversion strategy. Referrals are great, but there just aren’t enough of them…This is marketing…reaching out to the masses, building business-level awareness…then moving to trust, and finally to justification using your assessment.
For those of you who did attend – let me know how I can help as you move forward to implementation!
© 2017, David Stelzl
PS. Get started with the Assessment Template – the fastest way to overcome objections like, “We’ve got it covered”…
Most Security Assessments Display a Stoplight In the Execution Summary…
Stoplights Don’t Close Business – CISOs Don’t Make Buying Decisions Based On Red Lights
The Person Who Can Show The Real Cost and Risk Of Downtime/Disaster Wins The Business…
Is Your Company Performing Risk Assessments? You Should Be…
That is, if you want to grow your security business.
With data now ranked as your client’s number one asset, and computers be integral to every major business function, downtime and data loss are your client’s biggest concerns, even if they don’t yet know it.
Sure, competition, cash flow, and the economy are all factors, but one big data disaster is sure to put your client out of business in a heartbeat. However, getting them to act on necessary risk mitigation steps is not always easy, especially for those firms that sit in the SMB market. Budgets are tight and IT is often viewed as an unwelcome expense…no one wants to spend money just because someone says, “You need more security”.
Can Consultants Actually Provide a Measure Of Risk?
I hear it all the time, “You can’t provide a measure of risk when it comes to data security…”
But more often, it’s the amount of work required or just a lack of understanding how, that leads to shortcuts on measuring risk. And so the final report simply shows a stoplight – Red Yellow Green…a meaningless measure of nothing.
If you’re questing the validity of a risk number (vs. a stoplight), a read through Douglas Hubbard’s book, You Can Measure Anything, might be worthwhile. I will warn you, it’s a bit technical…
Regardless, his point is clear, you can measure Cyber Security Risk,…
Stoplights Don’t Measure Risk
The problem with the stoplights is, it doesn’t actually measure risk. Can you imagine an Insurance company figuring out premiums, or an investor calculating risk based on yellow and red lights? It’ll never happen…
Simply put, the Red light is not a measure of risk. It doesn’t actually measure anything. So no wonder your assessments don’t lead to remediation efforts or convince a client to move on security upgrades.
Things to Think About Before You Measure Risk, Or Decide You Just Can’t
The Impact vs. Likelihood graph (pictured above) is a measure of risk. This simple graph plots the value of data on the X Axis and a measure of likelihood – the odds something will go wrong.
Of course, before you can create such a graph, some data gathering will be required. On page 194 in The House & The Cloud, I prescribe a sequence of meetings with asset owners, knowledge workers, consultants, and finally, IT…4 separate meetings that take you from the value of data, to the custodial aspects of data usage and protection.
While most assessments begin and end with scans and technical walkthroughs, my approach starts with an understanding of data value…
Next, a look at workflow and data creation and usage.
The third meeting is where a measure of risk begins…guessing at how vulnerable an ERP system is to an attack is not possible without some pre-work. First, the consultant must define what the possible risks are. This is where most of the nay-sayers are stuck. Without a clear list of relevant threats, they’re right. Risk can’t be measured. You can’t just say, “It’s risky”, “It’s not”. There has to be a WHAT…
Is there a risk of downtime, ransomware attacks, data theft,…? You might be thinking, this list is endless. It’s not.
Consider only the relevant threats…based on type of data, trends in the news, and how systems and processes are set up. Want the details? Read Hubbard’s book. However, a thorough study won’t be necessary for the amount of detail needed in most of these assessments.
If you know the client has problems, the report only needs enough detail to convince them to move forward. We’re not building a spaceship here…
Facts and Soundbites You’ll Want On Hand
Also important to the process is a list of trends you know are relevant and up to date in the market you serve. For instance…
- 75% of IT managers reported in 2017, they could not recover fully with their backups – Barkley Protects.
- 47% of firms surveyed by MalwareBytes reported Ransomware attacks.
- 79% reported malware attacks (including those resulting in Ransomeware Encryption).
- Hardware failures occur on every system at some point, unless you replace them before the outage occurs – Just believe me on this one.
- Annual downtime averages 14 hrs. per business. Costs are high but vary depending on company size. Average cost of downtime was about 100K/hr, but obviously these numbers don’t speak to the SMB market. Your asset owner contact should have the data you need on this one.
- Add more issues if they’re relevant. Each will be used to create a measurement.
Understanding the Graph (Above)
Your X-Axis represents digital assets. Think – Applications and data. The Y-Axis measures risk. 100% means it’s in motion now. So if you find malware (or symptoms of malware) on your client’s network, mark it down at 100%. It happened…it’s urgent.
0% means it won’t happen. Using the issues above, your % will almost never be 0. There’s always some risk…
Based on your interviews, you should have some feel for what would be acceptable risk. For instance, you should know how much downtime any given application can afford, and how much data can be lost before management goes postal!
Don’t Get Wrapped Around The Axel On Normal Distribution Graphs
The computation is where everyone gets stuck. The sales people will want a number, the technical experts will claim it’s not possible. Hubbard says, without qualifiers, it’s possible…
Will your % be 100% accurate? No! It’s like any statistic. What’s the likelihood I’ll have an accident today driving. There’s a statistic out there, and it’s higher than zero – but I don’t plan on having an accident today – if I don’t does that mean the 20% was wrong? No…
Your goal is to provide your best guess…based on your expert opinion.
Helpful Assumptions – Every Statistic Has Them
Getting a number is easier when you can make some assumptions.
- There’s a list of relevant threats. That list is an assumption. You may miss one…but your expert opinion (with input from the client) is all you have, so go with it.
- Security is only as strong as it’s weakest link. You learned that in the CISSP course…that means, you don’t need to compute all kinds of weighted averages or plot normal distribution curves (although you’ll use some of this, keep reading). The most likely threat is your threat level for any given application…
- Digital assets will be on a server, end-node, or in a cloud. All on-prem servers will have similar threats, with some minor variations based on network segmentation, OS, and access control.
- But each asset will have it’s own greatest concern (Confidentiality, Integrity, Or Availability). Your Asset Owner interviews will help quantify each.
- Your client’s guess at cost of downtime is all you need – just go with it.
Lucky for you, there’s no calculus here…
Step One: First, you need to know what their key asset are…not hundreds of applications, just focus on a few. If you’re doing a comprehensive corporate assessment, charging big money, I would recommend reading Hubbard Cyber-Risk Book – You Can Measure Anything, first. But, for the average small/medium business risk assessment – you’ll have 5 to 7 key applications to consider.
Step Two: Next, you need a list of relevant threats. In The House & Cloud book, as well as previous posts on my blog, I’ve outlined different approaches to asking questions and gathering data. Essentially, you want to know how long they can be down, how much data they can lose, and what’s going on around them that would affect risk, other than misconfigured systems. (A lawsuit, layoff, or upcoming product launch all come to mind).
Step Three: A list of relevant threats or considerations for risk is needed. This is where you must define “Secure”. You’ll want to consider the three pillars of security (Confidentiality, Integrity, and Availability). You’ll also want to consider your asset owner’s answers on downtime and data loss. If the asset owner believes 4 hours is the max downtime – find out if that’s ever been tested. I bet it hasn’t. What are the odds of getting a given server back up and operational? – only a test will tell. That could be your next sale.
Step Four: Identify the controls needed in their situation to protect against the threats you believe are relevant. For instance, AV, Firewall Configuration, Sandbox, SEIM, etc. Is there someone there who can interpret SEIM output and alerts? Probably not – and if not, that control is somewhat useless.
Step Four: Collect data. You’re looking for symptoms of misuse or compromise. Bot traffic is a sure sign of compromise – so that would be 100% (or 99% if you can’t verify it in the scope of your assessment).
Step Five: A database of norms is needed, as Mack Hanan Points out in his book, Consultative Selling. In the event you don’t have such a database (and that’s probably the case when you’re just getting started), industry data will do. For instance, we know that 90% of email is spam, and probably contains phishing attacks. Do they have the controls in place to stop these attacks? The average reports tell us, 87% (or whatever number you can come up with using your trusted sources) are reporting malware over the past 12 months. So, if in your expert opinion, this company is “Average” there’s an 87% chance. Yes, this is simplistic, but it’s far better than a red light…
Step Six: At this point I would create a table using weighted averages…so there is some math. Taking each control, rank the controls for the given threats giving each control a % weight based on what you think is most important. The total should be 100% – making up their 100% security solution. Note, this list is pretty simple – yours may have 10 or 20 items, but don’t get carried away. Again, we’re not trying to fly to the moon with this process.
A score is given to each control, based on what you observe. Do they have UTM components configured and running? All of them? One of them? How complete is their firewall configuration? Don’t forget about things like training, policy, disaster recovery plan, etc.
You’ll do this for each major asset…so with 5 data assets, you’ll have 5 different tables like this one. Notice, training may be the same if the same people use that application. However, training may vary from department to department. Same with the importance of a control or additional controls for applications used at home or on mobile devices.
Step Seven: Okay, now you have a score…but what you need to know is, what’s an average score? This is where your database of norms comes into play. Early on there may be more guess work, however there may also be data online.
For instance, we know that only 26% of iPhones and 60% of Android users are using any kinds of mobile security software, Kaspersky sales that 90% of Android phones are easily hacked with a certain exploit, and that 95% of of phone users access the Internet with them. Use whatever stats you feel are valid based on their source.
I personally like to use Gartner Group, FBI, and WSJ first…but will draw from other sources such as the Verizon annual security report or well known vendor studies including Kaspersky, Cisco, Symantec…these represent industry averages. If your client has solid mobile security, they’re above average…if 50% have it, they’re average. If no one uses mobile security, or it’s not enough to measure, they’re below average.
Some Helpful Assumptions
As you review your scores, making some realistic assumptions can help you land on the right number. Remember, on the impact vs. likelihood graph, you are simply trying to land on a % likelihood of breach or problem for a given data set or application. Consider these assumptions, and add your own…
- What is the likelihood that a phishing email will enter your client’s internal network…nearly 100% since 90% of all email is spam, and most spam these days contains phishing links.
- What is the likelihood that someone (probably and administrative assistant or office worker) will click a bad link over the next 12 months? Nearly 100%…a simple phishing test will prove this out, but sharing some war stories may be enough to make your point.
- What is the likelihood your client/prospects current security controls will detect that phishing attack or ransomware link before harm is done? You could test this, but your SE’s expert opinion is all you really need.
Putting It All Together
You’ve interviewed, observed, collected data, and now it’s time to put some numbers down.
If you have evidence of malware, you’re at 100% for any system susceptible to malware infections, and highly likely on future ransomware attacks.
You know malware will hit most companies over the next 12 months, and at least half will be hit with ransomware, based on statistics I’ve already given you. Is this company better or worse than most? That’s your expert opinion. So given they’re average, your servers and workstations on prem – are sitting at 50% or better.
You can see where I’m going here. Unless the company’s security is better than most, chances are high for just about every application.
Then, on top of that, you have the likelihood of email spoofing and invoice fraud, internal theft (averaging 75%), etc. List out your applications, review your greatest threats, and assign your numbers based on your table above.
You’ll want to be able to show you have a method behind your madness, but don’t over complicate it. The client just needs to see that there’s some science behind what you’re reporting. If you understand normal distribution, it can’t hurt to show some data based on one of two standard deviations of a normal occurrence…95% of companies fall within 2 standard deviations of any norm…if you don’t understand how that works, just leave it out. Some further study on this will provide a greater level of proof, but just go with what you have now to complete the report…
Feel free to comment or ask questions below!
© 2017 David Stelzl
After All The Work That Goes Into Security Assessments, This One Thing, If Missed, Will Make The Entire Process a Waste of Time…
When the Truth is Clear…Cancer, Heart Attack,…Breach…People Act. With Security Your Message Must Connect and Your Audience Must Feel The Pain.
You might think it’s callous of me to compare your own life (risk of cancer) to a data breach, but the truth is, data is what many companies see as their most precious asset.
Right or wrong, given a choice, companies will part with a few employees before facing business failure. And data loss often begins the downward spiral that can’t be stopped.
However, getting the company leadership to see these business-crushing threats, before they happen, is not easy. Following is the strategy I’ve used to turn week-long assessments into annual contracts, and more.
Rule One: Don’t Present Without The Asset Owners!
Asset owners are those with liability. Have you ever presented a cost-saving solution to IT directors or middle managers? Tell them you can save them money, reduce FTE (Full Time Employees) by 50%, and improve quality of service, and they’ll quietly dismiss you as unqualified to do business at their firm. They’d rather build an empire than save money.
Take it one step further and show these cost-center agents how their personal role in the company (along with associated costs) is no longer needed with your new proposed automation process, and you might find an anonymous death threat in your mailbox.
Bring in the asset owners and something different begins to happen.
When it comes to security, technical staff rarely understand the value of corporate data, or the relationship between uptime and profit, according the several CISOs I’ve interviewed this year. And, they’re interest (probably driven by the need to make money) tends to be self serving (See Jack Eckerd’s book, Why America Doesn’t Work).
Tell executives their systems are likely infected with software, giving hackers the ability to listen in on private meetings, watch them in their office or bedroom, read their email (including personal mail), and track their whereabouts, and you’ll get a response similar to that of a home owner waking up to their fire alarm. That same bot detection among IT folks will call for some patching next week, and perhaps an AV product review.
The Underestimated Power of Free
But what happens when you show up and the asset owner is suddenly not available?
If you’ve charged $100K for this assessment, you’re in good shape. Meet, sell hard, and find a way back to the asset owners…you owe them the deliverable.
However, if you’ve conducted your assessment pro bono, you’re also in good shape!
As a free service, you control the deal. You don’t owe them anything. And since you’re liable for what you deliver, you have the right to delay the meeting until your asset owner contacts are free. Just let them know there are urgent things they need to hear, so the sooner the better.
(Get more on why Free Assessments Are More Powerful in my book, The House & The Cloud 2nd Edition).
Your Meeting Agenda Re-Engineered to Convert
Sure, you could email executives your findings, but digital findings don’t convert. Face to face is the only way to deliver the devastating news that an attack or data loss is eminent if action is not taken.
Here’s Your Agenda:
Start with their words. You’ve interviewed them (hopefully). More importantly, you’ve spoken with both executives and the people driving the daily business (end-users). So you know how important their data is, how long they can be down, and what can’t be seen but the competition.
You also know what’s not urgent in their minds. So avoid spending time on the non-urgent, even if you think it’s urgent. (e.g. Policy).
Next, list the top priorities. Did you discover evidence of compromise? Any malware activity, or symptoms on the same, is urgent. Note, patches, outdated systems, and EOL software are not urgent. A Failing backup solution (on the other hand) is urgent. You’ll need to now why, and how to prove it. Consider things you would want fixed this afternoon if you were the asset owner, and draw out the urgency.
Next, it’s time to create some vision. You know how they work and where they’re headed as a company (from the interview process). So, using their current set up, begin to pose a number of WHAT IF scenarios. This is how you create a vision – allowing the buyer to picture something they really do want.
“What if your end-users could work without ever having to guess whether or not an email was infected with malware?”
“What if, whenever someone tried to connect remotely, your network would verify who the user, check the system for malware and updated patches, etc. and only after approved, grant access?”
“What if we could take your restore time down from the estimated 5 days to the required 4 hours?”
In doing this, you’re watching for the nodding heads. Not those nodding off, but people in agreement. You want physical response / emotional response. This is your trial close. The power of trial closes is important. If you can get your audience nodding and saying yes along the way, you know, when you’re all done, they’ll keep nodding.
Finally, sell the vision – “We can get this done by the start of next month, etc.” The obvious question is, how much ($$$). Check out chapter 11 of my book, From Vendor to Advisor to see how to price this, and when to share the price.
© 2017, David Stelzl