What is an Assessment (Really)?

Does your firm do security assessments? Why or why not? The security assessment (done right) just might be the start of your BIGGEST sale this year! (Download my free template here.) It might also be a major source of high-cost selling. Let’s take a look…

Defining “Assessment” – The IT Director

Assessments come in many flavors. Fifteen years ago I was leading a global reseller’s security team. We sold assessments (among other things). But we were leaving money on the table. If we had known what I know now, assessments would have doubled and tripled our profits!

“Assessment” can mean a lot of things. How you define this obscure animal will determine whether it works for you or against you. Alan Weiss, in his book Million Dollar Consultant, teaches us an important lesson. It’s not the first sale that matters, it’s the fourth. If you view the assessment as the end-goal, you’ll find assessments aren’t all that profitable. It’s the fourth sale that matters.

Consider the last time someone asked you about assessments. If you sell to IT / IT Directors and they’re saying, “We need a security (or risk or vulnerability or pen test) assessment,” this non-buyer might be asking for just about anything. The fact is, most IT directors have no idea what they’re asking for. Chances are, they don’t really know what they need.

Ask your director-level prospect why they need one and you’re likely to get a response that goes something like this… “We need to know if our systems are secure – or accessible to hackers.”

You (the technical expert) should know the answer without looking. “You’re not secure…hackers can always get in.” In one Wall Street Journal study I read, 2000 companies were assessed (using pen-tests) to see how many could be compromised. The white-hat hacker told reporters that only 13% represented any challenge to break into. All 2000 were compromised…but only 13% were challenging!

When I speak to business leaders on securing business data, I tell them, “If your pen-tester fails to break in, fire them!” They are simply incompetent.

While your IT-prospect might need an assessment for compliance purposes, or they’re just carrying out orders from above, the Director’s ability to understand true business risk is weak at best. In most cases, nonexistent.

If the director were to define assessment in their own words, they’d be picturing a list of vulnerabilities and a punch list to patch things up.

You can’t let the IT director define your assessment.

Defining “Assessment” – The CIO/CISO

The CIO, if asked, would likely define Assessment differently. CIOs are asked quarterly (by the board) to quantify business risk. Risk should be defined in terms of impact and likelihood. What is the impact of any major disruption to the business, and what is the likelihood it will happen in some predefined time period?

The Wall Street Journal once put it like this:

  • What are our top 3-5 threats right now?
  • What are the odds something will happen in a given timeframe? (E.g. Will system XYZ be compromised over the next 12 months?)
  • How are we managing to these risks?

Can the CIO deliver risk to the board? No! Not without serious help from a security expert who understands how to quantify risk in business-leader language. More coming on that later…but for now, understand that the chasm between a CIO’s definition and the Director’s is vast. One is focused on technology and architecture (with little consideration for impact on profits); the other is all about giving the board members peace of mind – saving face and staying off the front page of their local newspaper.

In this stakeholder’s mind, threats are potential disasters striking at the core of their business, profits, shareholder value, and brand. Downtime is a cost – a disruption to business and customer experience. Ransoms are brand disabling shame messages propagating through national media. Data theft, a breach of customer confidence, potential fines, and lawsuits levied against the company – and perhaps the CIO himself!

Compare these to the Director, whose goal in life sounds more like next pay raise, more time off, bigger office, more responsibility – you get the feeling Directors don’t have true liability in this equation. Sure, they might lose their job, but there’s another position around the corner… likely with a pay increase bigger than their upcoming annual review.

Defining “Assessment” – The Small Business Owner

For the small business owner, assessment is a cost they’d rather not incur. I speak at small business meetings often and always ask, “Who here has had their security assessed?” One or two in a crowd of 40-50 is normal.

Did they receive an actual measure of risk in their assessment? Not likely. In fact, in most cases they’re talking about someone scanning their perimeter, or perhaps the lame self-assessment required by PCI (Payment Card Industry). And yes, I mean lame.

As a small business owner myself, I can tell you first hand, my annual PCI required assessment is a joke. There is no measure of risk…even the security policy required by the PCI Police is a joke. Mine was sent to me via email by the company overseeing my annual audit. The rep on the line simply said, “Save this on your hard drive and you’re good.” Good? You mean I don’t have to read it, change it, or do anything with it? “It just needs to be accessible to your company,” he said. Funny – how does that have anything to do with how secure my systems are or how well protected my client’s credit card information is? It doesn’t.

To the small business owner, security is just another thing to do, distracting from business growth, customer service, and profitability. However, it’s no less important – they just don’t know it.

Don’t confuse this with an ambivalent attitude toward understanding risk. They just don’t know – so out of sight, out of mind. On the legal and financial side, you can bet they have some concerns. Even the business-ignorant owner is thinking risk, even if they have no idea how to manage it.

How Does Your Firm Define “Assessment”?

How does your firm define assessment? That probably depends on whom you ask. But your entire team needs to know the answer if you’re going to leverage this amazing tool to grow your business. Everyone from the President, to sales leadership, to the engineers who perform the daily mundane administrative tasks, should know what the end-goal is when an assessment is in the works.

Does your engineering team think they lead the charge on assessments? Do sales reps disengage once an assessment is scheduled? Is “What scanner?” the first question being asked when you start out?

These are all indications of misunderstanding the role of assessment in sales. Assessments are the catalyst to business growth. They show the gap between what is and what should be. They open doors that would otherwise never be opened. They justify the expense of sophisticated security controls. They are the life-blood of your business. The very thing that will propel your company forward. And if your sales reps hate cold-calling and long drawn out sales cycles, this one tool should be their best friend.

Assessments are your most powerful marketing tool. They compel your prospects to take action, even when budgets are tight!

Is Your Prospect Giving You Pushback On Your Recommendation to Assess Risk?

This year, I’m urging you to drive toward assessments – in fact, I’m writing a book on it! More coming soon on how exactly to convince prospects to move forward. But to get us started, what happens when the prospect seems to resist this direction?

What do you do when your client/prospect sees your assessment as more cost, unnecessary, or is just too busy to take action? When I speak to business owners I expect them to be too busy, overwhelmed, and not focused on taking this next step. Yet, in almost every small, medium, or enterprise event I’ve spoken at in the past year (where we’ve offered some type of risk assessment) our conversion to an assessment has been nearly 100%. Meaning, if there were 43 business leaders in that audience, they all signed up to have their risk assessed by the hosting technology provider (my client)!

Did you catch that? 100%. Are these vanity metrics? Hyperbole? No! These are real numbers I track for every engagement I speak at. Understanding conversion, and how to measure and increase conversion numbers, is key to building your business, and with a qualified audience you should be aiming high at this stage of the sales process. Everyone needs an assessment, few have had one, so it makes sense that if the message is right, conversion should be high.

So don’t walk away when your prospect seems disengaged or hesitant. Instead, EDUCATE your prospect on what board members (or executive management) really need. Educate small business leaders on what’s at stake. And lead the way to safety.

The right education puts the deal back in your court.

In most cases, if someone has pitched assessments to your prospect in the past, they came from a technical frame of reference. Assume your prospect is still there, thinking: network…

Your competitors tried to talk architecture, segmentation, router/switch configuration, encryption levels, wireless exposure, scans – inside and out, operating system (O/S) reviews (hardening, active processes, access rights, patches, etc.), and perhaps the website (code, SQL Injection vulnerabilities, etc.).

It’s all so technical…not at all interesting.

Only about 15% of the assessments I see (and I see lots of them) convert to business (remediation and managed services). But over 90%, according to my friends on the security consulting side, reveal what they would call URGENCY.

This low-conversion epidemic is like an oncologist, with a long line of patients showing obvious signs of cancer in their blood work, who are unwilling to enter any treatment plan!

Imagine such a doctor…he’s a failure!

He’s correctly diagnosed a deadly disease, yet his patients are failing to take action – even if the prognosis on treatment is good!

Security Breaches are Like Cancer!

They come on suddenly, are hard to detect, and left untreated, will kill the victim (your prospect). Understanding this makes all the difference. Every business leader you see is a possible cancer patient, ignorant of their fate. And your attitude has to convey urgency. Life and death.

What do you think? Leave your comments below…

PS. Trying to build the security side of your business? The Profit RICH Side? Get my free risk assessment template.

Need more clients? Read The House & The Cloud – the only book I know of written specifically to IT Services/MSP providers on how to grow the security business FAST!

© David Stelzl 2020
