Decoding The Security Assessment Sales Opportunity
And Why You Can’t Afford Not to Know What Your Client Is Asking For (Or Actually Needing)
Most IT Services Companies do security assessments. Do you? Why or why not?
The Security Assessment (approached correctly) just might be the start of your BIGGEST sale this year! Let’s take a look…
Assessments Come in Many Flavors
15 Years ago I was leading a global reseller’s security team. We were selling assessments (and more). But we where leaving a lot of money on the table. If we had known what I know now, assessments would have doubled and tripled our profits.
Assessment can mean a lot of things. How you define this obscure project will determine if you get the long-tail (follow-on business resulting from this one door-opening engagement) or not.
The IT Director’s Definition
If you sell to IT directors, and they’re saying, “We need a security (or risk or vulnerability or pen test) assessment, this non-buyer could be saying different things. Chances are high, they don’t really know what they need.
Ask them, and you’re likely to get something like, “We need to know if our systems are secure – or accessible to hackers.”
You know the answer without looking. “No…hackers can always access your data”.
While they might need something for compliance, or are just carrying out orders from above, the IT Director’s ability to understand true business risk is limited at best.
If the director is defining assessment in their own words, they’re picturing a list of vulnerabilities and a punch list to patch things up.
You can’t let the IT director define your assessment.
Instead, you will want to EDUCATE your prospect on what board members (or executive management) really need. Educating and selling what’s really needed puts the deal back in your court, and allows you to sell from your home-court advantage point.
The CIO’s Definition
The CIO, if asked, would likely define Assessment differently. CIOs are being asked (quarterly) by the board to quantify business risk. Risk is more a look at business impact and likelihood.
The request looks something like this: Give us…
- Our top 3-5 threats right now.
- How exposed are we (or what are the odds we’ll be compromised or suffer a major incident over the next 3 to 12 months)?
- How are we managing to our risk?
Can the CIO deliver? No. Not without some help from security analysts that understand how to put risk measurement into business-leader language.
Your Technical Person’s Definition
If you ask your SE or Security Consultant, they may be thinking pen test, vulnerability, compliance, or risk…each one has it’s own definition. This one question (what is a security assessment) can turn into a lengthy discussion (debate) riddled with semantics…
What do technical people picture (Yes, I did come from the technical side)?
Probably the NETWORK (architecture, segmentation, router/switch configuration, encryption levels, wireless exposure, etc.), SCANS inside and out, operating system (O/S) reviews (hardening, active processes, access rights, patches, etc.), and perhaps the WEBSITES (code, SQL Injection vulnerabilities, etc.)
It’s all pretty technical…
Depending on how technical you are, your answer will vary. Probably one of the above…perhaps more or less technical…and depending on the market you sell into, highly profitable (as in large comprehensive risk assessments done for fortune 500 firms)…
…Or of little value, and full of margin crushing surprises (as in assessing risk for the rather stingy Small Business Market).
The Right Definition
The right definition (in my opinion) is a door opener…a marketing document. The assessment should be the start of a long tail.
Only about 15% of the assessments I see ( and I see lots of them) convert to long-tail business (remediation and managed services). But over 90%, according to my friends on the security consulting side, reveal what they would call, urgency.
This low conversion epidemic is like an oncologist, with a long line of patients, that show obvious signs on cancer in their blood work, but are unwilling to enter any treatment plan.
That doctor is a FAILURE. He’s correctly diagnosed (at least at a level that delivers a high degree of certainty) however, he seems unable to convince dying patients of their life-threatening disease.
Security is like cancer. It comes on suddenly, is hard to detect, but left untreated, will kill the victim.
If your assessments show urgency, yet fail to convert, it’s not an economy problem. It’s an epidemic.
Like with cancer, few people will consult their budget before entering treatment. They’ve heard the bad news, know they must take action, and therefore they do. Only when hit with the reality of what’s not covered by insurance, will they start looking at budgets…but this is an effort to reprioritize, not stop treatment.
Making the Tail Longer
Over the next few weeks my goal is to expand on these concepts…and to lengthen the conversion tail that should follow any true risk assessment. To answer questions like:
- How do I sell this thing.
- Who do I sell it to.
- How should it be conducted .
- How do I convert it to business.
- Is there a way to make it recurring (hint, there is)
- When should it be free, and how much can I charge.
© 2017, David Stelzl