
We just wrapped up an awesome event in Vancouver, thanks to the Tech Data Team and Tech Select Members!

Yesterday I presented 4 key concepts resellers must execute on if they want to keep growing, or reignite a dying MSP business.

In case you missed it, I did provide a free Assessment Template you’ll want to download.

(Click to download it here)

What are the 4 areas? 

First, how to use assessments. Over dinner, Dale Cline, President of BlackStratus (a security monitoring firm based in NY), shared with me that, by changing their approach to an assessment-based trial, conversion rates have gone from 30% to 80% in just a few months. PwC, Accenture, KPMG – these firms have been using assessments and studies to sell for decades. It’s the key to avoiding price discussions.

Next, The Value Message. People take care of urgent threats before they expand and invest.  If you’re having a heart attack, you’re not stopping to check your budget. You just go to the hospital before it’s too late. In our session, using the messaging from The House & Cloud, I showed this group exactly how we converted over 25 business leaders in one hour earlier this week – a lunch & learn I did in Richmond VA.

Transformation also requires an ascension strategy – that means modifying your solution strategy. If your only real offering comes from MSP contracts, then how does the 80/20 rule apply? It turns out there’s a 5X growth strategy sitting above your MSP business…but most IT services providers don’t have one.

Finally, if you want to grow, you need a conversion strategy. Referrals are great, but there just aren’t enough of them…This is marketing…reaching out to the masses, building business-level awareness…then moving to trust, and finally to justification using your assessment.

For those of you who did attend – let me know how I can help as you move forward to implementation!

© 2017,  David Stelzl

PS. Get started with the Assessment Template – the fastest way to overcome objections like, “We’ve got it covered”…


Most Security Assessments Display a Stoplight In the Executive Summary…

Stoplights Don’t Close Business – CISOs Don’t Make Buying Decisions Based On Red Lights

The Person Who Can Show The Real Cost and Risk Of Downtime/Disaster Wins The Business…

(Figure: Impact vs. Likelihood graph)

Is Your Company Performing Risk Assessments? You Should Be…

That is, if you want to grow your security business.

With data now ranked as your client’s number one asset, and computers being integral to every major business function, downtime and data loss are your client’s biggest concerns, even if they don’t yet know it.

Sure, competition, cash flow, and the economy are all factors, but one big data disaster is sure to put your client out of business in a heartbeat. However, getting them to act on necessary risk mitigation steps is not always easy, especially for those firms that sit in the SMB market. Budgets are tight and IT is often viewed as an unwelcome expense…no one wants to spend money just because someone says, “You need more security”.

(Get my free assessment template here)

Can Consultants Actually Provide a Measure Of Risk?

I hear it all the time, “You can’t provide a measure of risk when it comes to data security…”

But more often, it’s the amount of work required, or just a lack of understanding how, that leads to shortcuts on measuring risk. And so the final report simply shows a stoplight – Red, Yellow, Green…a meaningless measure of nothing.

If you’re questioning the validity of a risk number (vs. a stoplight), a read through Douglas Hubbard’s book, How to Measure Anything in Cybersecurity Risk, might be worthwhile. I will warn you, it’s a bit technical…

Regardless, his point is clear: you can measure cyber security risk.

Stoplights Don’t Measure Risk

The problem with stoplights is that they don’t actually measure risk. Can you imagine an insurance company figuring out premiums, or an investor calculating risk, based on yellow and red lights? It’ll never happen…

Simply put, the Red light is not a measure of risk.  It doesn’t actually measure anything. So no wonder your assessments don’t lead to remediation efforts or convince a client to move on security upgrades.

Things to Think About Before You Measure Risk, Or Decide You Just Can’t

The Impact vs. Likelihood graph (pictured above) is a measure of risk. This simple graph plots the value (impact) of each data asset on the X axis and a measure of likelihood – the odds something will go wrong – on the Y axis.

Of course, before you can create such a graph, some data gathering will be required.  On page 194 in The House & The Cloud, I prescribe a sequence of meetings with asset owners, knowledge workers, consultants, and finally, IT…4 separate meetings that take you from the value of data, to the custodial aspects of data usage and protection.

While most assessments begin and end with scans and technical walkthroughs, my approach starts with an understanding of data value…

Next, a look at workflow and data creation and usage.

The third meeting is where a measure of risk begins…guessing at how vulnerable an ERP system is to an attack is not possible without some pre-work. First, the consultant must define what the possible risks are. This is where most of the nay-sayers are stuck. Without a clear list of relevant threats, they’re right. Risk can’t be measured. You can’t just say, “It’s risky”, “It’s not”. There has to be a WHAT…

Is there a risk of downtime, ransomware attacks, data theft,…?  You might be thinking, this list is endless. It’s not.

Consider only the relevant threats…based on type of data, trends in the news, and how systems and processes are set up.  Want the details? Read Hubbard’s book.  However, a thorough study won’t be necessary for the amount of detail needed in most of these assessments.

If you know the client has problems, the report only needs enough detail to convince them to move forward. We’re not building a spaceship here…

Facts and Soundbites You’ll Want On Hand

Also important to the process is a list of trends you know are relevant and up to date in the market you serve. For instance…

  • 75% of IT managers reported in 2017 that they could not recover fully with their backups – Barkley Protects.
  • 47% of firms surveyed by Malwarebytes reported ransomware attacks.
  • 79% reported malware attacks (including those resulting in ransomware encryption).
  • Hardware failures occur on every system at some point, unless you replace them before the outage occurs – Just believe me on this one.
  • Annual downtime averages 14 hrs. per business. Costs are high but vary depending on company size.  Average cost of downtime was about 100K/hr, but obviously these numbers don’t speak to the SMB market.  Your asset owner contact should have the data you need on this one.
  • Add more issues if they’re relevant.  Each will be used to create a measurement.

Understanding the Graph (Above)

Your X-Axis represents digital assets. Think – applications and data. The Y-Axis measures likelihood, your measure of risk. 100% means it’s in motion now. So if you find malware (or symptoms of malware) on your client’s network, mark it down at 100%. It happened…it’s urgent.

0% means it won’t happen. Using the issues above, your % will almost never be 0. There’s always some risk…

Based on your interviews, you should have some feel for what would be acceptable risk. For instance, you should know how much downtime any given application can afford, and how much data can be lost before management goes postal!

Don’t Get Wrapped Around The Axle On Normal Distribution Graphs

The computation is where everyone gets stuck. The sales people will want a number, the technical experts will claim it’s not possible. Hubbard says, without qualifiers, it’s possible…

Will your % be 100% accurate? No! It’s like any statistic. What’s the likelihood I’ll have an accident driving today? There’s a statistic out there, and it’s higher than zero – but I don’t plan on having an accident today. If I don’t, does that mean the statistic (say, 20%) was wrong? No…

Your goal is to provide your best guess…based on your expert opinion.

Helpful Assumptions  – Every Statistic Has Them

Getting a number is easier when you can make some assumptions.

  • There’s a list of relevant threats. That list is an assumption. You may miss one…but your expert opinion (with input from the client) is all you have, so go with it.
  • Security is only as strong as its weakest link. You learned that in the CISSP course…that means you don’t need to compute all kinds of weighted averages or plot normal distribution curves (although you’ll use some of this, keep reading). The most likely threat is your threat level for any given application…
  • Digital assets will be on a server, end-node, or in a cloud. All on-prem servers will have similar threats, with some minor variations based on network segmentation, OS, and access control.
  • But each asset will have its own greatest concern (Confidentiality, Integrity, or Availability). Your Asset Owner interviews will help quantify each.
  • Your client’s guess at cost of downtime is all you need – just go with it.

The Calculus

Lucky for you, there’s no calculus here…

Step One: First, you need to know what their key assets are…not hundreds of applications, just focus on a few. If you’re doing a comprehensive corporate assessment, charging big money, I would recommend reading Hubbard’s cyber-risk book, How to Measure Anything in Cybersecurity Risk, first. But, for the average small/medium business risk assessment, you’ll have 5 to 7 key applications to consider.

Step Two: Next, you need a list of relevant threats.  In The House & Cloud book, as well as previous posts on my blog, I’ve outlined different approaches to asking questions and gathering data. Essentially, you want to know how long they can be down, how much data they can lose, and what’s going on around them that would affect risk, other than misconfigured systems. (A lawsuit, layoff, or upcoming product launch all come to mind).

Step Three:  A list of relevant threats or considerations for risk is needed. This is where you must define “Secure”.  You’ll want to consider the three pillars of security (Confidentiality, Integrity, and Availability). You’ll also want to consider your asset owner’s answers on downtime and data loss.  If the asset owner believes 4 hours is the max downtime – find out if that’s ever been tested. I bet it hasn’t. What are the odds of getting a given server back up and operational? – only a test will tell. That could be your next sale.

Step Four: Identify the controls needed in their situation to protect against the threats you believe are relevant. For instance, AV, firewall configuration, sandboxing, SIEM, etc. Is there someone there who can interpret SIEM output and alerts? Probably not, and if not, that control is somewhat useless.

Step Four (continued): Collect data. You’re looking for symptoms of misuse or compromise. Bot traffic is a sure sign of compromise, so that would be 100% (or 99% if you can’t verify it in the scope of your assessment).

Step Five: A database of norms is needed, as Mack Hanan points out in his book, Consultative Selling. In the event you don’t have such a database (and that’s probably the case when you’re just getting started), industry data will do. For instance, we know that 90% of email is spam, and probably contains phishing attacks. Do they have the controls in place to stop these attacks? The average reports tell us 87% (or whatever number you can come up with using your trusted sources) are reporting malware over the past 12 months. So, if in your expert opinion this company is “average”, there’s an 87% chance. Yes, this is simplistic, but it’s far better than a red light…

Step Six: At this point I would create a table using weighted averages…so there is some math. Taking each control, rank the controls for the given threats giving each control a % weight based on what you think is most important. The total should be 100% – making up their 100% security solution. Note, this list is pretty simple – yours may have 10 or 20 items, but don’t get carried away. Again, we’re not trying to fly to the moon with this process.

(Table: control weights and scores for one asset)

A score is given to each control, based on what you observe. Do they have UTM components configured and running? All of them? One of them?  How complete is their firewall configuration?  Don’t forget about things like  training, policy, disaster recovery plan, etc.

You’ll do this for each major asset…so with 5 data assets, you’ll have 5 different tables like this one.  Notice, training may be the same if the same people use that application. However, training may vary from department to department. Same with the importance of a control or additional controls for applications used at home or on mobile devices.

Step Seven: Okay, now you have a score…but what you need to know is, what’s an average score?  This is where your database of norms comes into play. Early on there may be more guess work, however there may also be data online.

For instance, we know that only 26% of iPhone and 60% of Android users are using any kind of mobile security software, Kaspersky says that 90% of Android phones are easily hacked with a certain exploit, and that 95% of phone users access the Internet with them. Use whatever stats you feel are valid based on their source.

I personally like to use Gartner Group, FBI, and WSJ first…but will draw from other sources such as the Verizon annual security report or well known vendor studies including Kaspersky, Cisco, Symantec…these represent industry averages. If your client has solid mobile security, they’re above average…if 50% have it, they’re average. If no one uses mobile security, or it’s not enough to measure, they’re below average.

Some Helpful Assumptions

As you review your scores, making some realistic assumptions can help you land on the right number. Remember, on the impact vs. likelihood graph, you are simply trying to land on a % likelihood of breach or problem for a given data set or application.  Consider these assumptions, and add your own…

  • What is the likelihood that a phishing email will enter your client’s internal network? Nearly 100%, since 90% of all email is spam, and most spam these days contains phishing links.
  • What is the likelihood that someone (probably an administrative assistant or office worker) will click a bad link over the next 12 months? Nearly 100%…a simple phishing test will prove this out, but sharing some war stories may be enough to make your point.
  • What is the likelihood your client’s/prospect’s current security controls will detect that phishing attack or ransomware link before harm is done? You could test this, but your SE’s expert opinion is all you really need.

Putting It All Together

You’ve interviewed, observed, collected data, and now it’s time to put some numbers down.

(Download my Assessment Template Free)

If you have evidence of malware, you’re at 100% for any system susceptible to malware infections, and highly likely on future ransomware attacks.

You know malware will hit most companies over the next 12 months, and at least half will be hit with ransomware, based on statistics I’ve already given you. Is this company better or worse than most? That’s your expert opinion. So given they’re average, your servers and workstations on prem – are sitting at 50% or better.

You can see where I’m going here. Unless the company’s security is better than most, chances are high for just about every application.

Then, on top of that, you have the likelihood of email spoofing and invoice fraud, internal theft (averaging 75%), etc.  List out your applications, review your greatest threats, and assign your numbers based on your table above.

You’ll want to be able to show you have a method behind your madness, but don’t over complicate it. The client just needs to see that there’s some science behind what you’re reporting. If you understand normal distribution, it can’t hurt to show some data based on one or two standard deviations from the norm: in a normal distribution, about 95% of values fall within two standard deviations of the mean. If you don’t understand how that works, just leave it out. Some further study on this will provide a greater level of proof, but just go with what you have now to complete the report…
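The scoring steps above (weighted control table, comparison against a norm, the 100%/99% override when compromise is observed, and the two-standard-deviation remark), carried through in a small script. This is an added example and not the author’s assessment template: the asset names, control weights, observed scores, the 0.50 “average peer” norm and the linear slide from the norm toward a residual floor are all constructed assumptions for illustration. The 79% malware base rate is the figure quoted in the soundbites above.

```python
import math
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    weight: float   # share of the asset's "100% security solution"; weights sum to 1.0
    score: float    # observed completeness: 0.0 = absent .. 1.0 = deployed, configured and used


@dataclass
class Asset:
    name: str
    impact_usd: float                 # asset owner's own estimate of the cost of one incident
    pillar: str                       # greatest concern: "C", "I" or "A"
    controls: list                    # list of Control
    compromise_observed: bool = False # e.g. bot traffic seen during data collection
    compromise_verified: bool = True  # False -> report 99% rather than 100%


def control_score(asset: Asset) -> float:
    """Weighted-average control score for one asset (the Step Six table)."""
    total = sum(c.weight for c in asset.controls)
    if abs(total - 1.0) > 1e-6:
        raise ValueError(f"{asset.name}: control weights sum to {total:.2f}, not 1.0")
    return sum(c.weight * c.score for c in asset.controls)


def likelihood(asset: Asset, base_rate: float, norm_score: float, floor: float = 0.05) -> float:
    """Probability (0..1) that the relevant threat is realised in the next 12 months.

    base_rate  - share of average firms reporting the threat (industry statistic)
    norm_score - what an average firm scores on the same control table (database of norms)
    floor      - residual risk with every control in place; the number is never 0
    Evidence of compromise overrides everything: it already happened.
    Assumption (not from the text): risk slides linearly from the norm toward
    the floor (above average) or toward 100% (below average).
    """
    if asset.compromise_observed:
        return 1.0 if asset.compromise_verified else 0.99
    s = control_score(asset)
    if s >= norm_score:
        frac = (s - norm_score) / (1.0 - norm_score) if norm_score < 1.0 else 1.0
        return base_rate - (base_rate - floor) * frac
    frac = (norm_score - s) / norm_score if norm_score > 0 else 1.0
    return base_rate + (1.0 - base_rate) * frac


def percentile_vs_norm(score: float, norm_mean: float, norm_sd: float) -> float:
    """Where the client sits among peers, assuming peer scores are normally
    distributed (about 95% of peers fall within two standard deviations of the mean)."""
    z = (score - norm_mean) / norm_sd
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def plot_points(assets, base_rate, norm_score):
    """Rows for the Impact vs. Likelihood graph:
    (asset, pillar, impact, likelihood %, expected loss), worst first."""
    rows = []
    for a in assets:
        p = likelihood(a, base_rate, norm_score)
        rows.append((a.name, a.pillar, a.impact_usd, round(100 * p), round(a.impact_usd * p)))
    return sorted(rows, key=lambda r: r[2] * r[3], reverse=True)


# Constructed sample data for a small firm: three of its 5-7 key applications.
MALWARE_BASE_RATE = 0.79   # share of firms reporting malware in 12 months (figure quoted above)
NORM_SCORE = 0.50          # assumed score of an "average" peer on this control table


def sample_assets():
    return [
        Asset("ERP / order system", 400_000, "A", [
            Control("Tested backup and restore", 0.30, 0.2),   # backups run, restore never tested
            Control("Endpoint AV / EDR", 0.25, 0.8),
            Control("Firewall / UTM configuration", 0.20, 0.6),
            Control("SIEM with someone reading it", 0.15, 0.0), # SIEM exists, nobody reads alerts
            Control("User security training", 0.10, 0.3),
        ]),
        Asset("Email / Office 365", 120_000, "C", [
            Control("Spam and phishing filtering", 0.40, 0.9),
            Control("MFA on all accounts", 0.35, 1.0),
            Control("User security training", 0.25, 0.3),
        ]),
        Asset("File server (client contracts)", 250_000, "I", [
            Control("Tested backup and restore", 0.40, 0.2),
            Control("Endpoint AV / EDR", 0.30, 0.8),
            Control("Access control / segmentation", 0.30, 0.5),
        ], compromise_observed=True, compromise_verified=False),  # bot traffic seen from this subnet
    ]


if __name__ == "__main__":
    for row in plot_points(sample_assets(), MALWARE_BASE_RATE, NORM_SCORE):
        print(row)
```

Running it puts the ERP system at 83% (a 0.41 control score, below the assumed norm), the file server at 99% (bot traffic observed but not verified in scope), and email at 37% (above average thanks to MFA and filtering). The expected-loss column is just impact times likelihood, which is the number an asset owner can compare against a remediation quote; the stoplight gives them nothing to compare.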

Feel free to comment or ask questions below!

© 2017 David Stelzl


After All The Work That Goes Into Security Assessments,  This One Thing, If Missed, Will Make The Entire Process a Waste of Time…

When the Truth is Clear…Cancer, Heart Attack,…Breach…People Act.  With Security Your Message Must Connect and Your Audience Must Feel The Pain.

You might think it’s callous of me to compare your own life (risk of cancer) to a data breach, but the truth is, data is what many companies see as their most precious asset.

Right or wrong, given a choice, companies will part with a few employees before facing business failure. And data loss often begins the downward spiral that can’t be stopped.

However, getting the company leadership to see these business-crushing threats, before they happen, is not easy.  Following is the strategy I’ve used to turn week-long assessments into annual contracts, and more.

Rule One: Don’t Present Without The Asset Owners!

Asset owners are those with liability. Have you ever presented a cost-saving solution to IT directors or middle managers? Tell them you can save them money, reduce FTE (Full Time Employees) by 50%, and improve quality of service, and they’ll quietly dismiss you as unqualified to do business at their firm. They’d rather build an empire than save money.

Take it one step further and show these cost-center agents how their personal role in the company (along with associated costs) is no longer needed with your new proposed automation process, and you might find an anonymous death threat in your mailbox.

Bring in the asset owners and something different begins to happen.

When it comes to security, technical staff rarely understand the value of corporate data, or the relationship between uptime and profit, according to several CISOs I’ve interviewed this year. And their interest (probably driven by the need to make money) tends to be self-serving (see Jack Eckerd’s book, Why America Doesn’t Work).

Tell executives their systems are likely infected with software that gives hackers the ability to listen in on private meetings, watch them in their office or bedroom, read their email (including personal mail), and track their whereabouts, and you’ll get a response similar to that of a home owner waking up to their fire alarm. That same bot detection among IT folks will call for some patching next week, and perhaps an AV product review.

The Underestimated Power of Free

But what happens when you show up and the asset owner is suddenly not available?

If you’ve charged $100K for this assessment, you’re in good shape. Meet, sell hard, and find a way back to the asset owners…you owe them the deliverable.

However, if you’ve conducted your assessment pro bono, you’re also in good shape!

As a free service, you control the deal.  You don’t owe them anything. And since you’re liable for what you deliver, you have the right to delay the meeting until your asset owner contacts are free. Just let them know there are urgent things they need to hear, so the sooner the better.

(Get more on why Free Assessments Are More Powerful in my book, The House & The Cloud 2nd Edition).

Your Meeting Agenda Re-Engineered to Convert

Sure, you could email executives your findings, but digital findings don’t convert. Face to face is the only way to deliver the devastating news that an attack or data loss is imminent if action is not taken.

Here’s Your Agenda:

Start with their words. You’ve interviewed them (hopefully). More importantly, you’ve spoken with both executives and the people driving the daily business (end-users). So you know how important their data is, how long they can be down, and what must not be seen by the competition.

You also know what’s not urgent in their minds. So avoid spending time on the non-urgent, even if you think it’s urgent. (e.g. Policy).

Next, list the top priorities. Did you discover evidence of compromise? Any malware activity, or symptoms of the same, is urgent. Note, patches, outdated systems, and EOL software are not urgent. A failing backup solution (on the other hand) is urgent. You’ll need to know why, and how to prove it. Consider things you would want fixed this afternoon if you were the asset owner, and draw out the urgency.

Next, it’s time to create some vision. You know how they work and where they’re headed as a company (from the interview process). So, using their current set up, begin to pose a number of WHAT IF scenarios. This is how you create a vision – allowing the buyer to picture something they really do want.

“What if your end-users could work without ever having to guess whether or not an email was infected with malware?”

“What if, whenever someone tried to connect remotely, your network would verify who the user is, check the system for malware and updated patches, etc., and only after approval grant access?”

“What if we could take your restore time down from the estimated 5 days to the required 4 hours?”

In doing this, you’re watching for the nodding heads. Not those nodding off, but people in agreement. You want physical response / emotional response. This is your trial close. The power of trial closes is important. If you can get your audience nodding and saying yes along the way, you know, when you’re all done, they’ll keep nodding.

Finally, sell the vision – “We can get this done by the start of next month, etc.” The obvious question is, how much ($$$). Check out chapter 11 of my book, From Vendor to Advisor to see how to price this, and when to share the price.

© 2017, David Stelzl

Need Something New To Send to Prospects?

Create An Amazing Lead Magnet In Under 30 Minutes!

Interviews Make Great Lead Magnets…This simple video received over 500 likes in just 3 days…

Here’s How To Create Your Next Lead Magnet:

  • Start with your target audience… Notice, there are no product sales pitches…
  • With your target people in mind, create a list of questions you think they are asking…make sure the person being interviewed is qualified to answer…
  • Set up a meeting on Zoom, or some other video conference platform that allows recording (Make sure it leaves you with a recording format easily uploaded to YouTube).
  • Upload – Remember, YouTube is not Google; it is the second largest search engine. Google is number one, but both YouTube and Google index content when it’s posted on YouTube!
  • Fill in your meta data – meaning, use tags, #marks, descriptions, and a great title…
  • Consider adding annotations such as contact info or a hotlink…
  • Finally, start sharing it…like I’m doing here. Post it in Facebook, LinkedIn, as a LinkedIn Article…blog post, on a website, etc…get it out there!

That’s all there is to it…if your content is educational, people will view it, and awareness will happen…And interviews are much easier to pull off than a talking head!

Next, consider using lead magnets to point people to your blog posts, or directly to a landing page to download (or watch) something  with more detail. Create this second step as gated content – meaning your viewer must first give you their email address.

If you’ve created something, post your link in the comments! I’d love to see it…

© 2017, David Stelzl

Successful Security Assessments Conclude With Live Presentations…

If your firm provides outsourced IT services, or security-related products and services, then you know that assessments are often the first step in landing new business.

However, if you take the time to measure your actual business-drag, you may find it less than stellar.

The fact is, most security assessments don’t lead to additional business…They should, but they don’t. Why? Because most security assessments leave out this one vital step…

…Live delivery to ASSET OWNERS. 

(Find out more about asset owners and executive sales calls in The House & The Cloud – 2nd Edition)

Imagine a court case, where the evidence is presented in written technical reports…

No testimonies, no witnesses called…no emotional appeal, no angry outbursts or tears…just dry, unadulterated facts on paper.

How would this approach affect the decisions made on murder, rape, and other heinous crime cases?

Conversion & The Power of LIVE

There are three major people-groups you care about when performing a risk assessment: Information Technology (IT), End-Users (or Business-Level Asset Owners), and CIO/CISOs (Or anyone in the C-Suite).

All three groups must be moved to action, but each has different needs and will respond to different messaging. The one thing they all have in common is, emotion. In the end, all sales are emotional decisions. Crafting the right message for each is essential…

However, before going into the message, it’s important that we understand delivery and the power of live…(The media).

Reports are important. They provide the details behind what you present. However, they often go unread. Think of them as supporting documentation.

Like in a legal battle, it’s the LIVE testimonies that carry the weight. And the testimony of an eye witness is the most powerful testimony a jury will hear. Take the emotionally charged live testimony away, and you’ll see a much different outcome.

Delivering your results in person, to the right people, with the right message, can take your Assessment-To-Remediation conversion from 15% to 60% or 80% overnight…let’s take a look.

What Matters Most

Businesses have a need to measure their risk. Especially right now, as companies work to streamline operations, eliminate waste, and build stronger customer bonds in a highly competitive, global market…

New technologies offer amazing opportunities, while at the same time open major holes in the firm’s security architecture.

What matters most? Intelligence…insight.

Where is the data? Who has access? What are the relevant threats to that business? What are the odds something will happen? Can they recover in time if something does happen? Or would they know in time to stop a disaster? These questions must be answered…

However, not all constituents have the same concerns or the same questions…

IT Care-Abouts

What does IT care about? I’m sure there are dozens of opinions out there. The opinion of C-Level Executives I’ve interviewed over the past year suggests that IT personnel are out of touch with business requirements and mission-critical systems. So at the least, IT’s view of risk will be misaligned with the business in question.

It’s also my opinion (after having managed IT for a global bank, and working in IT for a global pharmaceuticals manufacturer) that IT personnel are more concerned with their actual position, career opportunity, and work-life balance than they are with the risk measurements of their employer.

So, while the details of security technology are of great interest, the actual impact of an attack has little long-term effect on the IT worker.

Even if they lose their job (which is unlikely), their personal brand and reputation only stand to blossom as they respond to an actual event.

Consider the following: If attacked, they now have actual cyber-forensics experience listed on their resume (even if they didn’t personally save the day).  The blame will go to those who didn’t approve IT’s most recent recommendations / budget requests. The CIO will be front page news, not IT…

So what does IT care about when it comes to cybersecurity…answers vary by individual (of course)…but, on average, the seller can assume…

They care about the experience… The approach to assessing risk, the vulnerabilities, the technologies, and the potential for new next-gen security products and security controls.

Security represents the IT worker’s greatest job-upgrade opportunity.

End-User Care-Abouts

Asset Owners come in two flavors…executives and knowledge workers. Let’s look at the knowledge worker first. This is the person who creates and uses data to make money for the business. They’re asset owners because they are liable for their data.

Examples might include the investment banker working with wealthy clients, R&D looking at new cures for a disease others have not been able to stop, etc. Data is an asset – one The Wall Street Journal has called the “Oil of The New Millennium”.

If this data were compromised, misused, or made unavailable for any reason, the Asset Owner would be out of business, at least for the short term. And any sort of outage would cost them personally and professionally.

CISO/CIO Care-Abouts

The third group, also an asset owner, is the C-Level (CIO/CISO). This group is much like the End-User Asset Owner…shareholder value is important here. The CISO, according to my recent CISO interviews, finally has a seat at the table. And they must earn it every day.

What’s the CISO’s job?

The CISO translates risk and compliance from technical to business. Great CISOs create awareness based on data coming from IT workers and your assessments.

The more closely your report delivers relevant data in executive terms, the more likely they will be successful in their role. In summary (from my book, The House & The Cloud, pg. 195), the CISO is looking for their top 3 to 5 threats, the impact associated with each, and the odds that any one of them will be realized.

It will be up to the CISO to report the trends and present a plan to keep the company at an acceptable level of risk. Note, the CISO won’t have this intel in their head – they’ll need subject matter experts.

But as I’ve already stated, IT is ill-equipped and unlikely to add any real value to this plan, given their disconnect with the business side (Straight from the CIOs mouth…).

Next time you assess…include the knowledge workers, interview the execs, and schedule up front, your delivery meetings with asset owners in mind.

© 2017, David Stelzl


Here’s What Business Leaders Are Saying They Want in An Assessment Report (in Two Words).

“Security Intelligence”…

Will the CISO actually read your security assessment report? What about the small business owner? Law firm partner? Doctor running a clinic (where HIPAA is required)?

The likelihood of anyone reading your report is nearly ZERO, unless you do this one thing first…

Separate the Technical from the Business Risk,…

That’s right, you need two reports. One written in the language of leaders, the other technical. But don’t just create a new report just yet…here’s a simple process that creates ONE REPORT, with two parts, giving your report better flow, while at the same time appealing to both audiences.

Executive Reports Should Not Have Stop Lights In Them

Let’s start with the executive summary. First, drop the word summary…and delete that one page summary page in your report. Call it the Executive RISK ANALYSIS…with an appropriate subtitle.

I’m 99% confident your current one-page summary will not speak to executives…and if it has the RED STOP LIGHT on it…well, check out what one CISO said in a recent interview…

Tom Watson, CISO for Sealed Air Corp, told me just a couple of weeks ago, “The stop light approach is meaningless”.

Having a red light on the summary page does not lead to immediate action or follow-on business for the consultant. There is no business justification in a red light. PERIOD.

The CISO’s job, according to Watson is, “To bridge the gap between technical and the board.” “My seat at the table,” says Watson, “Is where risk gets delivered in business terms to board members and my C-Level Peers.”  In other words, the stoplight diagram does not quantify risk…the board won’t be moved by blinking lights.

Red Lights On Risk Reports = Idiot Lights On Your Dash

If you have an older car, the red light comes on when something is wrong…that could mean your gas cap is loose, your catalytic converter is malfunctioning (and you might not pass your next emissions test), or your entire transmission is about to fall off while you’re driving down I-95 at 70 mph.

In other words, anything from a simple two-second turn of the gas cap to the $3,500 transmission replacement will satisfy the red light. But which is it? No one seems to know. So the new cars tell you what’s wrong (in one of N languages).

Your executive risk report is the same. The light justifies nothing…instead, you need an explanation (in one of two languages).

So what will your explanation look like? A quantification of risk: a measure of Impact vs. Likelihood. Language ONE is BUSINESS. Consider the following…

  1. What assets were identified as having an associated risk? And what are the relevant threats, posing that risk, which must be addressed? Are you aware many companies don’t even know where their data is? So figuring out where the assets are, what threats exist, and how big those threats are brings tremendous value to your C-level contact before they meet the board.
  2. What are the odds data will be affected? Going back to the three pillars of security, Confidentiality, Integrity, and Availability, find out which of the three matter for any given digital asset, and quantify the risk (as a percent likelihood, paired with the impact on that asset) in a graph.
  3. Finally, what is the trend? Is business risk increasing, or is the firm’s security posture improving over time? As the company adopts next-gen technologies, leadership needs someone watching risk levels. As IoT, mobility, collaboration, etc. evolve, are business threats growing, remaining constant, or shrinking?
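
One way to turn those three questions into numbers, as an added worked example (not code from the original article): each asset gets a worst-case impact and a yearly likelihood per CIA pillar that matters to it, expected loss is impact times likelihood, assets are ranked by expected loss, and the same calculation against the prior assessment gives the trend. The clinic assets, dollar figures, likelihoods and prior-period values are constructed sample data, not measurements from any real engagement.

```python
"""Risk quantification rows for an Executive Risk Analysis.

Added illustration, not code from the original article. The assets, impacts,
likelihoods and prior-period values are constructed sample data. The method is:
expected annual loss = worst-case impact x yearly likelihood, per CIA pillar,
ranked highest first, with a per-asset trend against the previous assessment.
"""
from dataclasses import dataclass

PILLARS = ("confidentiality", "integrity", "availability")


@dataclass
class AssetRisk:
    name: str
    owner: str          # business asset owner, not the IT custodian
    impact_usd: dict    # worst-case loss per pillar; only pillars that matter for this asset
    likelihood: dict    # probability (0..1) that the pillar is hit within a year

    def __post_init__(self):
        # Each scored pillar needs both numbers, and likelihood must be a probability.
        if set(self.impact_usd) != set(self.likelihood):
            raise ValueError(f"{self.name}: impact and likelihood cover different pillars")
        for pillar, p in self.likelihood.items():
            if pillar not in PILLARS or not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: bad likelihood {p} for {pillar}")

    def expected_loss(self) -> dict:
        """Annualized expected loss per pillar: the figure a board can weigh."""
        return {p: self.impact_usd[p] * self.likelihood[p] for p in self.impact_usd}

    def total(self) -> float:
        return sum(self.expected_loss().values())

    def dominant_pillar(self) -> str:
        loss = self.expected_loss()
        return max(loss, key=loss.get)


def rank(assets):
    """Highest expected loss first; this is the order the executive page should use."""
    return sorted(assets, key=lambda a: a.total(), reverse=True)


def trend(previous, current):
    """Change in expected loss per asset since the last assessment.
    Positive means business risk is growing; assets new this period count from zero."""
    prev = {a.name: a.total() for a in previous}
    return {a.name: a.total() - prev.get(a.name, 0.0) for a in current}


# Constructed sample data for a small clinic (the HIPAA-regulated reader mentioned above).
CURRENT = [
    AssetRisk("Patient scheduling", "Clinic operations",
              {"availability": 120_000, "confidentiality": 400_000},
              {"availability": 0.35, "confidentiality": 0.10}),
    AssetRisk("Billing database", "Finance",
              {"confidentiality": 300_000, "integrity": 250_000, "availability": 60_000},
              {"confidentiality": 0.12, "integrity": 0.08, "availability": 0.30}),
    AssetRisk("Public website", "Marketing",
              {"availability": 5_000}, {"availability": 0.50}),
]
PREVIOUS = [
    AssetRisk("Patient scheduling", "Clinic operations",
              {"availability": 120_000, "confidentiality": 400_000},
              {"availability": 0.25, "confidentiality": 0.075}),
    AssetRisk("Billing database", "Finance",
              {"confidentiality": 300_000, "integrity": 250_000, "availability": 60_000},
              {"confidentiality": 0.12, "integrity": 0.10, "availability": 0.30}),
    AssetRisk("Public website", "Marketing",
              {"availability": 5_000}, {"availability": 0.50}),
]


def executive_table(current=CURRENT, previous=PREVIOUS):
    """Rows for the one-page Executive Risk Analysis: asset, owner, driving pillar,
    expected annual loss in dollars, and the change since last time. No stop lights."""
    delta = trend(previous, current)
    return [(a.name, a.owner, a.dominant_pillar(), round(a.total()), round(delta[a.name]))
            for a in rank(current)]


if __name__ == "__main__":
    for row in executive_table():
        print("{:<22}{:<20}{:<16}${:>9,}  {:+,}".format(*row))
```

The output is already in the form the executive page needs: which asset, who owns it, which pillar drives the loss, what it is expected to cost per year, and whether it got better or worse since the last assessment. The technical evidence behind each likelihood belongs in the appendix.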

The report should be short, graphical, and written in business-ese. I highly recommend having someone with business savvy write this report. But don’t stop there…have a copywriter review and edit it.

Copywriters will take a boring report and turn it into engaging content. They’ll trim it down, bring out the headlines, and bring it to life, keeping your overworked reader engaged.

With one solid report in hand, it won’t be difficult to duplicate. Look at the popular business books on the NY Times Best Seller list: they have a readable style unlike any college textbook or legal document. That’s the level of readability you’re looking for in your report.

NOTE: This means that when you use vendor reports from a SIEM, firewall, etc., the reports they generate (while colorful and complete) will not land new business…Keep reading to see where your colorful vendor report goes…

The Technical Stuff (Including the Vendor-Report) Belongs in Appendix A

While you might be tempted to combine your executive report with the details, handing in a 100-page (War and Peace) report is not going to bode well for you. No one in the C-suite has time to read 100 pages!

Business owners are even less likely to read a report that looks like a 5 hour project.

At least a CIO or CISO is responsible for risk as a primary job function. The small business owner, while responsible for computer security, is more likely to be focused on today’s invoices, a major customer-sat issue, or this month’s cash flow crisis. The 100-page report is likely going on a shelf…or in the round file.

If you create two reports, another problem emerges: the executive has one report, technical has another. Are they different? Do they conflict?

The Solution is Easy…Appendix A!

Most of us skip the appendix when reading a book. But knowing the data is there gives us assurance that there’s research behind the author’s claims. The technical team will have access to the main report, but will likely find the details in your appendix more interesting.

Here’s What You Should Include (Notice there’s no stop light here either):

  • Network diagrams
  • Applications / Digital Assets (Prioritized)
  • MTD/RTO/RPO requirements (data they don’t have up to this point)
  • Any important business level requirements
  • Technical details on malware, configuration problems, etc.
  • Gap analysis against whatever standards you measure against (XYZ compliance, NIST, etc.). I highly recommend basing your assessment on something such as NIST to give your findings more credibility; each gap then traces to a named control rather than to your opinion.
  • Major issues to address (project recommendations – keep this list short)
  • The punch list of everything else that should be addressed.  Prioritize this list, and segment by functional area.

Between these two parts, you have what you need. However, the move to remediation has more to do with your presentation than with these two documents. Look for a future article on…

“How to Master The Board Room Presentation, When Presenting Risk Findings…”

© 2017, David Stelzl

Downtime

How Long Can You Afford To Be Down?

Find Out What It Costs…Before Talking Budget…

MTD (Maximum Tolerable Downtime) is the first thing you should be thinking about. Data theft and misuse are equally important, but downtime (from ransomware or failure) is unavoidable.

Remember What Security Trend Reports Were a Few Years Ago…

Older threat reports (Symantec, Verizon, FBI/CSI, etc.) focused on the likelihood of an attack. They measured the number of companies hit by malware, reporting spam, or suffering DDoS.

Read today’s reports and you’ll discover something different…

Newer reports focus on types of malware, cost of downtime, cost of data exposure, and whether or not insiders were involved. In this ongoing discussion on security assessments, DOWNTIME and COST are the focus.

The Company’s Most Important Asset Used to Be People…Not Anymore

Talk to any DR (disaster recovery) specialist and they’ll tell you people are (or were) a company’s most important asset.

Not any more.

Now it’s data. Not to minimize the value of a person, but even the WSJ calls DATA the oil of the new millennium, not people.

In security, there are three pillars to consider. Confidentiality, Integrity, and Availability. In this article, I’m talking about the third – AVAILABILITY.

80% of Cyber-Breaches Result in Downtime

Every major corporation has been breached at this point…and most smaller firms too. It’s just a matter of time. Eight out of ten experience downtime, and based on Cisco’s graph (from their 2017 Cybersecurity Trends Report), 90% of those eight will be down for eight or more hours…

How much downtime can your client stand on any given system?

Even with data moving to the cloud, downtime is a major factor. MTD (Maximum Tolerable Downtime) is the old DR metric that asks how much downtime your firm can stand on any given application before it severely impacts the business.

The actual number has to be given to you, as the assessor, by the people who run the business; you won’t discover it by observing the network…

And while it may seem arbitrary, there are numerous studies available online that tell us how likely a business is to fail, given an outage of a given length.

Who Knows The Answer And What Does It Mean?

The problem is, most security assessments don’t actually measure tolerable outage, or the likelihood of exceeding executive management’s tolerance.

IT is generally the focus of these assessments…

To the IT custodian, an outage means working late, not a failing business. The right approach to assessing risk involves assessing those things which create a risk of something bad happening to the business: business failure, a stock price drop, loss of shareholder value, or customer dissatisfaction (to name a few).

Remember, Customer Experience is the New Brand Metric…And downtime kills customer experience.

So who knows the MTD?

The asset owners know…the ones who use the data to drive the business. Different departments add more or less value to overall business success, and executive management knows which are which. IT, on the other hand, does not. (Just ask any executive.)

Ask the end users, and they’ll tell you they can’t stand any downtime!

Of course that’s not true. However, any business-critical function probably requires more uptime than IT realizes, and is worth spending more to maintain than most executives would like to admit.

Uptime is always a cost-benefit analysis. The first answer is usually, “No downtime.” Once an estimated cost of zero downtime is displayed, that tolerable-downtime number suddenly goes up…

Getting Real With Risk And DownTime

What’s really happening here is that, when faced with a large financial number, executive management suddenly wants to take on more risk than they can actually stand.

It’s no different from the person with no consistent income getting approved for a sub-prime mortgage so they can finally get their house.

The house buyer’s attention is on the house, not the payment. With downtime, it’s the same. The buyer’s eyes are on spending where it feels good, not on minimizing risk.

It’s the assessor’s job to convince asset owners that downtime is only a matter of time. Remember, most breaches (80%) will result in some downtime. Half will be in the range of one day or less…but about the same number will exceed one day by 1 to (pick a number) days.

What’s the likelihood of downtime? Close to 80%, given that the likelihood of being hit with some form of cyberattack is nearly 100% over some time period.

Solving The Problem

The problem of downtime used to be solved with EMC SRDF (array-based storage replication over a wide-area link), or at minimum redundant systems running in a highly available configuration. These are expensive solutions when talking to the mid-market and down…

Does your MSP offering include virtual data servers in a hosted (protected) environment? Are you running a virtualized HA configuration?

What about using a Dropbox-like solution in addition to backups? One caveat: file sync on its own is not a backup. Ransomware-encrypted or deleted files sync just as faithfully as good ones, so it only helps recovery if the service keeps file versions you can roll back to, and you still need a backup copy the compromised network can’t reach.

In a recent sales call, one of my clients had a firewall opportunity. The vendor SE accompanied them on the call. When the customer’s IT contact was asked about the need for redundant firewalls, they replied, “Not necessary.”

The vendor SE made a note and moved on…but my client, having been through the Security Sales Mastery Program, knew better.

IT can’t answer this question! A single firewall outage would shut down just about everything: all external communications, including cloud app access, email, etc. Put another way, a shared dependency like the Internet edge inherits the tightest MTD of every business function that runs through it. Can any company actually work without its Internet connection anymore? Probably not…

Suddenly, downtime is a serious issue, and one that demands new services: hosted systems, redundancy, HA Internet access, data in the cloud, and more. The risk assessment, when focused on MTD, is your fastest road to up-selling services to your clients.
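
The cost-benefit conversation described under “Getting Real With Risk And DownTime”, and the single-firewall point just above, as one added worked example (not code from the original article). Every figure is constructed: the hourly cost of an outage, the recovery time the current backup arrangement actually delivers (RTO), the MTD the asset owner stated, the yearly probability of an outage-causing incident, and the annual cost and RTO of each resilience option a provider might put on the table. It computes the gap between RTO and MTD, the net annual benefit of each option, the most an option is worth paying for, and the MTD a shared component such as the firewall inherits from everything behind it.

```python
"""Downtime cost-benefit and the MTD gap.

Added illustration, not code from the original article. All numbers are
constructed sample data. Expected annual loss = P(incident) x hours down x cost
per hour; an option is worth buying when the loss it avoids exceeds its cost,
and a shared dependency must meet the tightest MTD of the assets relying on it.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class DowntimeProfile:
    asset: str
    mtd_hours: float        # maximum tolerable downtime, stated by the asset owner
    rto_hours: float        # recovery time the current backup/DR arrangement really achieves
    cost_per_hour: float    # lost revenue + idle staff + penalties for each hour down
    p_incident: float       # probability of at least one outage-causing incident per year
    depends_on: tuple = ()  # shared infrastructure this asset cannot operate without

    def exceeds_mtd(self) -> bool:
        """The gap an assessment should surface: recovery is slower than the business can stand."""
        return self.rto_hours > self.mtd_hours

    def expected_annual_loss(self) -> float:
        return self.p_incident * self.rto_hours * self.cost_per_hour


@dataclass(frozen=True)
class Option:
    name: str
    annual_cost: float
    rto_hours: float        # recovery time the option delivers


def evaluate(profile: DowntimeProfile, option: Option) -> dict:
    """Net annual benefit of an option: loss avoided minus what the option costs."""
    after = replace(profile, rto_hours=option.rto_hours)
    avoided = profile.expected_annual_loss() - after.expected_annual_loss()
    return {"option": option.name,
            "meets_mtd": not after.exceeds_mtd(),
            "avoided_loss": avoided,
            "net_benefit": avoided - option.annual_cost}


def max_justified_spend(profile: DowntimeProfile, target_rto_hours: float) -> float:
    """Most you can pay per year to bring RTO down to the target before it costs more than it saves.
    This is the number that makes 'no downtime' turn into a real MTD."""
    after = replace(profile, rto_hours=target_rto_hours)
    return profile.expected_annual_loss() - after.expected_annual_loss()


def recommend(profile: DowntimeProfile, options) -> Optional[Option]:
    """Cheapest option that meets the MTD and still pays for itself; None if nothing does."""
    viable = []
    for option in options:
        result = evaluate(profile, option)
        if result["meets_mtd"] and result["net_benefit"] >= 0:
            viable.append(option)
    return min(viable, key=lambda o: o.annual_cost, default=None)


def effective_mtd(dependency: str, profiles) -> float:
    """A shared component (firewall, Internet link) must be restored within the
    tightest MTD of every asset that depends on it, regardless of what IT says about it."""
    tied = [p.mtd_hours for p in profiles if dependency in p.depends_on]
    return min(tied) if tied else float("inf")


# Constructed sample data for a mid-market firm whose business runs through one firewall.
ORDER_ENTRY = DowntimeProfile("Order entry (hosted ERP)", mtd_hours=8, rto_hours=48,
                              cost_per_hour=4_000, p_incident=0.3, depends_on=("internet_edge",))
EMAIL = DowntimeProfile("Email (cloud)", mtd_hours=24, rto_hours=24,
                        cost_per_hour=800, p_incident=0.3, depends_on=("internet_edge",))
OPTIONS = [
    Option("Nightly backup, off-site restore", annual_cost=6_000, rto_hours=48),
    Option("Virtualized HA in hosted environment", annual_cost=24_000, rto_hours=4),
    Option("Active-active, near-zero downtime", annual_cost=150_000, rto_hours=0.5),
]

if __name__ == "__main__":
    print(f"{ORDER_ENTRY.asset}: RTO {ORDER_ENTRY.rto_hours}h vs MTD {ORDER_ENTRY.mtd_hours}h,"
          f" exceeds MTD = {ORDER_ENTRY.exceeds_mtd()}")
    for option in OPTIONS:
        print(evaluate(ORDER_ENTRY, option))
    best = recommend(ORDER_ENTRY, OPTIONS)
    print("recommend:", best.name if best else "nothing justified")
    print("worth paying up to", max_justified_spend(ORDER_ENTRY, 4), "per year for a 4h RTO")
    print("internet edge must be back within", effective_mtd("internet_edge", [ORDER_ENTRY, EMAIL]), "hours")
```

With these sample figures the 48-hour tape restore fails the 8-hour MTD outright, the near-zero option costs far more than the loss it avoids, and the hosted HA option both meets the MTD and pays for itself; the firewall, shared by order entry and email, has to be back within order entry’s 8 hours, which is the answer the customer’s IT contact could not give.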

© 2017, David Stelzl