This question comes up more than just about any other: how do we collect data onsite during a security assessment? Those of you in the SMB market may have more questions on this than larger companies do; the tools aren’t cheap, and some are not that easy to use. The important thing to remember is the order of progression. The tools are important, but not as important as asking the right questions of the asset owners. So let’s review the process, which is also outlined in more detail in my book, From Vendor to Adviser:
Interview the Asset Owners:
Discover your client’s most critical applications, how they are used, how data is created, and why the assets in question matter. This is your opportunity to be a consultant, exploring your client’s business systems from your client’s perspective. I recently had a call with a solution provider owner who has been in my coaching program for the better part of this year. He called me just to say, “I just had the best call I’ve had in 20 years!” What happened? He had gone through this process with the COO of a mid-sized company, which led to a larger meeting including the CFO and CEO! A sales call turned into a strategy meeting, opening up all kinds of new opportunities. This is exactly what we are looking for.
Review Your Findings with Your Team:
Okay, so you have the C-level information from your meeting, now what? Now it is time to do some “what if” thinking with your team. It would be a mistake to go in with the technical team before first taking this step. Sure, you can collect some random technical data, but it is much more powerful to take the business findings and create scenarios: “I wonder how they are connected to these third-party companies that process their financial data?” or “I wonder how these people working from home are set up, and what kinds of malware exist on their home computers?” This is the time to look for places that are probably not set up correctly for the kind of work they are doing. For instance, if they use tablets and smartphones to do some of their work, I am betting their smartphones don’t have passcodes on them, and I wonder whether they have sensitive company information on them.
Send in the Technical Team For Interviews:
Armed with these scenarios, the technical team knows where to look for low-hanging fruit. This is where most assessments start, but it really should be step three. You know there are lots of people working from home, so ask IT how they are set up and who else might have access to those same systems. Do they have some way to check the state of those home systems before issuing a connection? If it’s an SMB company, chances are low. Through this process, the technical team validates your hunch that things are not as secure as they should be for the kind of data being created and transported.
Finally, Collect the Data:
While on site, the technical team should collect some data to validate their findings. This might include some scans, diagrams, and other log data. Some tools are in order here…
This might take some time, but you don’t have to be there for the entire collection process. In fact, it is better to leave something on site that later turns into a product sale, and ideally something for which you create a long-term managed contract to maintain and monitor. One of my clients uses the following tools for data collection and analysis:
GFI (Various tools including a hosted MSP model) which can then be resold.
Spectorsoft onsite which can also be sold after the assessment. This requires a server or laptop which can be used in the analysis phase and resold as part of the solution. They also have an MSP model.
Your clients will also need an RMM (remote monitoring and management) solution and an end-node security solution once you are done. Many vendors offer trials of both, which will also help with the reporting.
From here it is time to put together a compelling deliverable, which is also detailed in the From Vendor to Adviser book.
© 2012, David Stelzl