What’s The Point of Your Security Assessment?
Are Your Clients Actually Taking Any Relevant Action?
This week on a coaching call with one of our Mastery Security Training Attendees we were discussing the role of the consultant in the security assessment process. In this case the Assessment Sales were NOT closing.
In other cases we discussed conversions from Assessment to Remediation or Managed Service were weak.
The complaint: Can I rely on our security consultants to deliver, or should I sell something else?
The Problem is Sales, Not Technical
First, sales people should never turn the SELLING over to a consultant or engineer unless that technology expert has a track record of closing. Knowing a lot about security does NOT lead to selling assessments. Selling and marketing are not driven by sound bites, technical know-how, or certifications.
In the Security Sales Mastery Program we teach sales people to speak about security at the business level. Executive Management is where the assessment should be sold.
Assessments are about risk. They measure Impact vs. Likelihood. At least they should.
The Point of the Assessment is NOT Just About Risk: It’s About Conversion
In a sense Assessments are a marketing effort.
The Sales person sells the deal to measure risk. The consultant measures risk. But then something salesy has to happen.
Think of the cardiologist: if a patient is about to die but doesn't take on the treatment plan, the doctor is failing. It's the doc's job to sell the patient on doing something. Yes, ultimately the patient is responsible for their own health, but if the diagnosis is poorly communicated or the risk poorly described, the doc is doing something wrong.
Look at the Deliverable.
In many cases it will be a 50 page paper (enterprise size deal) or something much shorter in the SMB. But is it written to the person who cares about risk? In most cases the answer is NO.
This is a sales problem. If you, the sales person, sold the assessment, hopefully you sold it to someone at the business level to help them measure something specific – risk.
It might be compliance like HIPAA, or it might be to identify the likelihood of data theft, system disruption, or data misuse. Theft, misuse, and disruption can all be in the same report; however, your findings must be written to the asset owner, the person with liability.
Don’t let the consultant take this to the client before reading and understanding what it says.
Are there mistakes?
Was the paper written using an old assessment from another deal?
If so, are there facts left over such as a “company name” that just don’t belong in this paper? Believe it or not these are common problems. But it’s the sales person’s job to read it and scrutinize the value of the report.
Sure, the technical team shouldn’t be making mistakes like labeling a diagram with Cisco routers when the client uses Juniper (Yes, I’ve seen this happen!). But technical people are rarely writers. They won’t write at the executive level, they’ll miss edits that are obvious to the sales person, and they’ll often use an older document rather than starting from scratch. It happens even with the best teams.
Should You Keep Selling Assessments?
Yes, your clients need them. And they’re one of the best avenues to big business.
But sell them at the business level. Don’t succumb to IT people wanting assessment quotes. Unless they’re high dollar projects, they’re not worth doing. Make your way upstairs and find out what’s really needed.
When it's time to assess, make sure your technical team knows exactly what you sold. It should be a measure of risk as described in The House & the Cloud. And when it's time to deliver, read it. It's your deal. It's your client. It's your responsibility. And it's your biggest up-sell opportunity.