The Long Tail of Security Assessments

February 23, 2017

Decoding The Security Assessment Sales Opportunity

And Why You Can’t Afford Not to Know What Your Client Is Asking For (Or Actually Needing)

Most IT Services Companies do security assessments. Do you? Why or why not?

The Security Assessment (approached correctly) just might be the start of your BIGGEST sale this year!  Let’s take a look…

Assessments Come in Many Flavors

15 years ago I was leading a global reseller’s security team. We were selling assessments (and more). But we were leaving a lot of money on the table. If we had known what I know now, assessments would have doubled and tripled our profits.

Assessment can mean a lot of things. How you define this obscure project will determine if you get the long-tail (follow-on business resulting from this one door-opening engagement) or not.

The IT Director’s Definition

If you sell to IT directors, and they’re saying, “We need a security (or risk or vulnerability or pen test) assessment,” this non-buyer could be saying different things. Chances are high they don’t really know what they need.

Ask them, and you’re likely to get something like, “We need to know if our systems are secure – or accessible to hackers.”

You know the answer without looking. “No…hackers can always access your data”.

While they might need something for compliance, or are just carrying out orders from above, the IT Director’s ability to understand true business risk is limited at best.

If the director is defining assessment in their own words, they’re picturing a list of vulnerabilities and a punch list to patch things up.

You can’t let the IT director define your assessment.

Instead, you will want to EDUCATE your prospect on what board members (or executive management) really need. Educating and selling what’s really needed puts the deal back in your court, and allows you to sell from your home-court advantage point.

The CIO’s Definition

The CIO, if asked, would likely define Assessment differently. CIOs are being asked (quarterly) by the board to quantify business risk.  Risk is more a look at business impact and likelihood.

The request looks something like this: Give us…

  • Our top 3-5 threats right now.
  • How exposed are we (or what are the odds we’ll be compromised or suffer a major incident over the next 3 to 12 months)?
  • How are we managing to our risk?

Can the CIO deliver? No. Not without some help from security analysts that understand how to put risk measurement into business-leader language.

Your Technical Person’s Definition

If you ask your SE or Security Consultant, they may be thinking pen test, vulnerability, compliance, or risk…each one has its own definition. This one question (what is a security assessment) can turn into a lengthy discussion (debate) riddled with semantics…

What do technical people picture (Yes, I did come from the technical side)?

Probably the NETWORK (architecture, segmentation, router/switch configuration, encryption levels, wireless exposure, etc.), SCANS inside and out, operating system (O/S) reviews (hardening, active processes, access rights, patches, etc.), and perhaps the WEBSITES (code, SQL Injection vulnerabilities, etc.)

It’s all pretty technical…

Your Definition

Depending on how technical you are, your answer will vary. Probably one of the above…perhaps more or less technical…and depending on the market you sell into, highly profitable (as in large comprehensive risk assessments done for Fortune 500 firms)…

…Or of little value, and full of margin-crushing surprises (as in assessing risk for the rather stingy Small Business Market).

The Right Definition

The right definition (in my opinion) is a door opener…a marketing document.  The assessment should be the start of a long tail.

Only about 15% of the assessments I see (and I see lots of them) convert to long-tail business (remediation and managed services). But over 90%, according to my friends on the security consulting side, reveal what they would call urgency.

This low conversion epidemic is like an oncologist with a long line of patients who show obvious signs of cancer in their blood work, but are unwilling to enter any treatment plan.

That doctor is a FAILURE. He’s correctly diagnosed (at least at a level that delivers a high degree of certainty); however, he seems unable to convince dying patients of their life-threatening disease.

Security is like cancer. It comes on suddenly, is hard to detect, but left untreated, will kill the victim.

If your assessments show urgency, yet fail to convert, it’s not an economy problem. It’s an epidemic.

Like with cancer, few people will consult their budget before entering treatment. They’ve heard the bad news, know they must take action, and therefore they do. Only when hit with the reality of what’s not covered by insurance, will they start looking at budgets…but this is an effort to reprioritize, not stop treatment.

(MORE ON SELLING SECURITY – THE HOUSE & THE CLOUD)

Making the Tail Longer

Over the next few weeks my goal is to expand on these concepts…and to lengthen the conversion tail that should follow any true risk assessment. To answer questions like:

  • How do I sell this thing?
  • Who do I sell it to?
  • How should it be conducted?
  • How do I convert it to business?
  • Is there a way to make it recurring? (Hint: there is.)
  • When should it be free, and how much can I charge?

Stay tuned…

© 2017, David Stelzl
