Decoding The Security Assessment Sales Opportunity

And Why You Can’t Afford Not to Know What Your Client Is Asking For (Or Actually Needing)

Most IT Services Companies do security assessments. Do you? Why or why not?

The Security Assessment (approached correctly) just might be the start of your BIGGEST sale this year!  Let’s take a look…

(And Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Assessments Come in Many Flavors

15 Years ago I was leading a global reseller’s security team.  We were selling assessments (and more). But we where leaving a lot of money on the table.  If we had known what I know now, assessments would have doubled and tripled our profits.

Assessment can mean a lot of things. How you define this obscure project will determine if you get the long-tail (follow-on business resulting from this one door-opening engagement) or not.

The IT Director’s Definition

If you sell to IT directors, and they’re saying, “We need a security (or risk or vulnerability or pen test) assessment, this non-buyer could be saying different things. Chances are high, they don’t really know what they need.

Ask them, and you’re likely to get something like, “We need to know if our systems are secure – or accessible to hackers.”

You know the answer without looking. “No…hackers can always access your data”.

While they might need something for compliance, or are just carrying out orders from above, the IT Director’s ability to understand true business risk is limited at best.

If the director is defining assessment in their own words, they’re picturing a list of vulnerabilities and a punch list to patch things up.

You can’t let the IT director define your assessment.

Instead, you will want to EDUCATE your prospect on what board members (or executive management) really need. Educating and selling what’s really needed puts the deal back in your court, and allows you to sell from your home-court advantage point.

The CIO’s Definition

The CIO, if asked, would likely define Assessment differently. CIOs are being asked (quarterly) by the board to quantify business risk.  Risk is more a look at business impact and likelihood.

The request looks something like this: Give us…

• Our top 3-5 threats right now.
• How exposed are we (or what are the odds we’ll be compromised or suffer a major incident over the next 3 to 12 months)?
• How are we managing to our risk?

Can the CIO deliver? No. Not without some help from security analysts that understand how to put risk measurement into business-leader language.

Your Technical Person’s Definition

If you ask your SE or Security Consultant, they may be thinking pen test, vulnerability, compliance, or risk…each one has it’s own definition. This one question (what is a security assessment) can turn into a lengthy discussion (debate) riddled  with semantics…

What do technical people picture (Yes, I did come from the technical side)?

Probably the  NETWORK (architecture, segmentation, router/switch configuration, encryption levels, wireless exposure, etc.), SCANS inside and out, operating system  (O/S) reviews (hardening, active processes, access rights, patches, etc.), and perhaps the WEBSITES (code, SQL Injection vulnerabilities, etc.)

It’s all pretty technical…

Your Definition

Depending on how technical you are, your answer will vary. Probably one of the above…perhaps more or less technical…and depending on the market you sell into, highly profitable (as in large comprehensive risk assessments done for fortune 500 firms)…

…Or of little value, and full of margin crushing surprises (as in assessing risk for the rather stingy Small Business Market).

The Right Definition

The right definition (in my opinion) is a door opener…a marketing document.  The assessment should be the start of a long tail.

Only about 15% of the assessments I see ( and I see lots of them) convert to long-tail business (remediation and managed services).  But over 90%, according to my friends on the security consulting side, reveal what they would call, urgency.

This low conversion epidemic is like an oncologist, with a long line of patients, that show obvious signs on cancer in their blood work, but are unwilling to enter any treatment plan.

That doctor is a FAILURE. He’s correctly diagnosed (at least at a level that delivers a high degree of certainty) however, he seems unable to convince dying patients of their life-threatening disease.

Security is like cancer. It comes on suddenly, is hard to detect, but left untreated, will kill the victim.

If your assessments show urgency, yet fail to convert, it’s not an economy problem. It’s an epidemic.

Like with cancer, few people will consult their budget before entering treatment. They’ve heard the bad news, know they must take action, and therefore they do. Only when hit with the reality of what’s not covered by insurance, will they start looking at budgets…but this is an effort to reprioritize, not stop treatment.

(MORE ON SELLING SECURITY – THE HOUSE & THE CLOUD)

Making the Tail Longer

Over the next few weeks my goal is to expand on these concepts…and to lengthen the conversion tail that should follow any true risk assessment.  To answer questions like:

• How do  I sell this thing.
• Who do I sell it to.
• How should it be conducted .
• How do I convert it to business.
• Is there a way to make it recurring (hint, there is)
• When should it be free, and how much can I charge.

Stay tuned…

© 2017, David Stelzl