Have you ever wondered why the client doesn’t jump on the chance to implement your recommendations when you complete an assessment?
One of the most frustrating things in the security business happens when you complete an assessment. It seems like at least 90% of the assessments I’ve been involved in or read the report from, have several urgent issues. Gartner and I both have stated that 80% of the security budget is spent on keeping people out, but in my book, The House & the Cloud, I make it clear that detection-response is the only strategy that works. Yet, clients rarely implement the recommendations that come from these reports. They pay to have them done, listen to your findings, and then move on to other things. Why?
What’s Really Urgent? Hint: It’s Not Old Equipment or Missing Patches
I was meeting with the President of a technology reseller two weeks ago in a 6-Hats Strategy session, going over the assessement process. This fall he’s signed up to do at least 15 assessments before year-end, but if they don’t convert to managed services contracts, he won’t be happy. History shows us that only about 15% will convert to more business unless he changes something.
As we went through the 6 Thinking Hats Brainstorming Session, his list included things like missing patches, open ports, and free or non-existant Anti-Virus software. These all sound urgent, but they’re not! Not unless you can tie these issues to something more concrete. For instance, if you’re assessment comes up with no Anti-Virus software (of course most companies today would have something for AV), but there’s no sign of malware, you’re going to have a hard time convincing the CFO or frugal business-owner to spend more money. Same thing with outdated software or hardware. If there’s no sign of danger, they probably won’t move to remediate.
Assessment Sales Depend On Impact and Likelihood
If you want to sell the next step, you have to take the next step in the assessment process. This is clearly spelled out on page 194 – 199 in The House & The Cloud, 2nd Edition. The next step is looking for the issues that should exist when a company fails to do the right thing. Symptoms are enough to get a response. You don’t need the deep dive technical analysis on what a particular botware application is doing. If they have one, it’s bad even if a marketing company put it there. If the marketing company is able to install bots on a network, the bad guys can do it too. Don’t worry about what the bot is, just find it.
If the systems are missing security patches, look for evidence of tampering, foul play, or unauthorized activity. Keep asking yourself, “So what” for each issue you find, and tie it to a business problem. Find evidence of that problem, and you’ll have justification. Don’t just say – your port is open. No one cares.
© 2015, David Stelzl
P.S. If you want to sell larger security deals, click the ad above and see if you qualify for a free seat through one of the many hardware vendors who sponsor this training!