Archives For Assessments & Discovery

chain break

After All The Work That Goes Into Security Assessments,  This One Thing, If Missed, Will Make The Entire Process a Waste of Time…

When the Truth is Clear…Cancer, Heart Attack,…Breach…People Act.  With Security Your Message Must Connect and Your Audience Must Feel The Pain.

You might think it’s callous of me to compare your own life (risk of cancer) to a data breach, but the truth is, data is what many companies see as their most precious asset.

Right or wrong, given a choice, companies will part with a few employees before facing business failure. And data loss often begins the downward spiral that can’t be stopped.

However, getting the company leadership to see these business-crushing threats, before they happen, is not easy.  Following is the strategy I’ve used to turn week-long assessments into annual contracts, and more.

Rule One: Don’t Present Without The Asset Owners!

Asset owners are those with liability. Have you ever presented a cost-saving solution to IT directors or middle managers? Tell them you can save them money, reduce FTE (Full Time Employees) by 50%, and improve quality of service, and they’ll quietly dismiss you as unqualified to do business at their firm. They’d rather build an empire than save money.

Take it one step further and show these cost-center agents how their personal role in the company (along with associated costs) is no longer needed with your new proposed automation process, and you might find an anonymous death threat in your mailbox.

Bring in the asset owners and something different begins to happen.

When it comes to security, technical staff rarely understand the value of corporate data, or the relationship between uptime and profit, according the several CISOs I’ve interviewed this year. And, they’re interest (probably driven by the need to make money) tends to be self serving (See Jack Eckerd’s book, Why America Doesn’t Work).

Tell executives their systems are likely infected with software, giving hackers the ability to listen in on private meetings, watch them in their office or bedroom, read their email (including personal mail), and track their whereabouts, and you’ll get a response similar to that of a home owner waking up to their fire alarm. That same bot detection among IT folks will call for some patching next week, and perhaps an AV product review.

The Underestimated Power of Free

But what happens when you show up and the asset owner is suddenly not available?

If you’ve charged $100K for this assessment, you’re in good shape. Meet, sell hard, and find a way back to the asset owners…you owe them the deliverable.

However, if you’ve conducted your assessment pro bono, you’re also in good shape!

As a free service, you control the deal.  You don’t owe them anything. And since you’re liable for what you deliver, you have the right to delay the meeting until your asset owner contacts are free. Just let them know there are urgent things they need to hear, so the sooner the better.

(Get more on why Free Assessments Are More Powerful in my book, The House & The Cloud 2nd Edition).

Your Meeting Agenda Re-Engineered to Convert

Sure, you could email executives your findings, but digital findings don’t convert. Face to face is the only way to deliver the devastating news that an attack or data loss is eminent if action is not taken.

Here’s Your Agenda:

Start with their words. You’ve interviewed them (hopefully). More importantly, you’ve spoken with both executives and the people driving the daily business (end-users). So you know how important their data is, how long they can be down, and what can’t be seen but the competition.

You also know what’s not urgent in their minds. So avoid spending time on the non-urgent, even if you think it’s urgent. (e.g. Policy).

Next, list the top priorities. Did you discover evidence of compromise? Any malware activity, or symptoms on the same, is urgent.  Note, patches, outdated systems, and EOL software are not urgent. A Failing backup solution (on the other hand) is urgent.  You’ll need to now why, and how to prove it.  Consider things you would want fixed this afternoon if you were the asset owner, and draw out the urgency.

Next, it’s time to create some vision. You know how they work and where they’re headed as a company (from the interview process). So, using their current set up, begin to pose a number of WHAT IF scenarios. This is how you create a vision – allowing the buyer to picture something they really do want.

“What if your end-users could work without ever having to guess whether or not an email was infected with malware?”

“What if, whenever someone tried to connect remotely, your network would verify who the user, check the system for malware and updated patches, etc. and only after approved, grant access?”

“What if we could take your restore time down from the estimated 5 days to the required 4 hours?”

In doing this, you’re watching for the nodding heads. Not those nodding off, but people in agreement. You want physical response / emotional response. This is your trial close. The power of trial closes is important. If you can get your audience nodding and saying yes along the way, you know, when you’re all done, they’ll keep nodding.

Finally, sell the vision – “We can get this done by the start of next month, etc.” The obvious question is, how much ($$$). Check out chapter 11 of my book, From Vendor to Advisor to see how to price this, and when to share the price.

© 2017, David Stelzl

Advertisements

Businessman sinking in heap of documentsHere’s What Business Leaders Are Saying They Want in An Assessment Report (in Two Words).

“Security Intelligence”…

Will the CISO actually read your security assessment report? What about the small business owner? Law firm partner? Doctor running a clinic (where HIPAA is required)?

The likelihood of anyone reading your report is nearly ZERO!, unless you do this one thing first…

Separate the Technical from the Business Risk,…

That’s right, you need two reports. One written in the language of leaders, the other technical. But don’t just create a new report just yet…here’s a simple process that creates ONE REPORT, with two parts, giving your report better flow, while at the same time appealing to both audiences.

Executive Reports Should Not Have Stop Lights In Them

Let’s start with the executive summary. First, drop the word summary…and delete that one page summary page in your report. Call it the Executive RISK ANALYSIS…with an appropriate subtitle.

I’m 99% confident your current one-page summary will not speak to executives…and if it has the RED STOP LIGHT on it…well, check out what one CISO said in a recent interview…

Tom Watson, CISO for Sealed Air Corp, told me just a couple of weeks ago, “The stop light approach is meaningless”.

Having a red light on the summary page does not lead to immediate action or follow-on business for the consultant. There is no business justification in a red light. PERIOD.

The CISO’s job, according to Watson is, “To bridge the gap between technical and the board.” “My seat at the table,” says Watson, “Is where risk gets delivered in business terms to board members and my C-Level Peers.”  In other words, the stoplight diagram does not quantify risk…the board won’t be moved by blinking lights.

Red Lights On Risk Reports = Idiot Lights On Your Dash

If you have an older car, the red light comes on when something is wrong… that could mean your gas cap is off, your catalytic converter malfunctioning (and you might not pass your next emissions test), or your entire transmission system is about to fall off while driving down I-95 and 70 mph.

In other words, anything from a simple 2-second turn of the gas cap, to the $3500 transmission replacement project will satisfy the red light. But which is it? No one seems to know. So the new cars tell you what’s wrong (in one of N languages).

Your executive risk report is the same. The light justifies nothing…instead, you need an explanation…(in one of two languages).

So what will you explanation look like?  A quantification of risk…a measure of Impact vs. Likelihood…Language ONE is BUSINESS…Consider the following…

  1. What assets were identified as having an associated risk? And what are the relevant threats, posing risk, which must be addressed?  Are you aware many companies don’t even know where their data is? And so figuring out where the assets are, what threats exist, and how big those threats are can bring tremendous value to your C-Level contact before meeting the board.
  2. What are the odds data will be affected? Going back to the three pillars of security: Confidentiality, Integrity, Availability…it makes sense to find out which of the three matter for any given digital asset, and to quantify the risk (as a percent likelihood) in a graph.
  3. Finally, what is the trend? Is business risk increasing? Or is the firm’s security posture improving over time? As the company adopts next-gen technologies, leadership need someone watching risk levels. As IoT projects, mobility, collaboration, etc. evolve, are business threats growing, remaining constant, or shrinking?

The report should be short, graphical, and written in business-eze. I highly recommend having someone with business-savvy right this report. But don’t stop there… have a copywriter review and edit it.

Copywriters will take a boring report and turn it into engaging content. They’ll trim it down, bring out the headlines, and bring it to life, keeping your overworked reader engaged.

With one solid report in hand, it won’t be difficult to duplicate. If you look at the popular business books on the NY Best Seller List, you’ll see they have a readable style unlike any college text book or legal document. It’s that level of readability you are looking for in your report.

NOTE: This means, when you use vendor-reports coming from SIEM, firewalls, etc. The reports they give you (while colorful and complete) will not land new business…Keep reading to see where your colorful-vendor report goes…

The Technical Stuff (Including the Vendor-Report) Belongs in Appendix A

While you might be tempted to combine your executive report with the details, handing in the 100 page (War and Peace) report is not going to bode well for you. No one in the C-Suite has time to read 100 pages!

Business owners are even less likely to read a report that looks like a 5 hour project.

At least a CIO or CISO is responsible for risk as a primary job function. The small business owner, while responsible for computer security, is more likely to be focused on today’s invoices, a major customer-sat issue, or this month’s cash flow crisis.  The 100 page report is likely going on a shelf…or in the round file.

If you create two reports, another problem emerges…the executive has one report, technical has another…are they different? Do they conflict?

The Solution is Easy…Appendix A!

Most of us skip the appendix when reading a book.  But knowing the data is there gives us assurance that there’s research behind the author’s claims. The technical team will have access to the main report, but will likely find the details in you appendix more interesting.

Here’s What You Should Include (Notice there’s no stop light here either):

  • Network diagrams
  • Applications / Digital Assets (Prioritized)
  • MTD/RPO requirements (Data they don’t have up to this point)
  • Any important business level requirements
  • Technical details on malware, configuration problems, etc.
  • Gap analysis against whatever standards you measure against – XTZ compliance, NIST, etc. (I highly recommend you base your assessment on something such as NIST to give your findings more credibility)
  • Major issues to address (project recommendations – keep this list short)
  • The punch list of everything else that should be addressed.  Prioritize this list, and segment by functional area.

Between these two reports, you have what you need – however, the move to remediation has more to do with your presentation than it does in these two documents.  Look for a future article on,…

“How to Master The Board Room Presentation, When Presenting Risk Findings…”

© 2017, David Stelzl

Downtime

How Long Can You Afford To Be Down?

Find Out What It Costs…Before Talking Budget…

MTD – Maximum Tolerable Downtime, is the first thing you should be thinking about. Data theft and misuse are equally important – but downtime (ransomware or failure) is unavoidable.

Remember What Security Trends Reports Where a Few Years Ago..

Older threat reports (Symantec, Verizon, FBI/CSI, etc.) focused on likelihood of an attack. They measured the number of companies hit by malware, reporting spam, or suffering DDOS.

Read today’s reports and you’ll discover something different…

Newer reports focus on types of malware, cost of downtime, cost of data exposure, and whether or not insiders were involved.  In this ongoing discussion on security assessments, DOWNTIME and COST are the focus.

The Companies Most Important Assets Used to Be People…Not Anymore

Talk to any DR (disaster recovery) specialist and they’ll tell you, People are (or were) a company’s most important asset.

Not any more.

Now it’s data…Not to minimize the value of a person, but even the WSJ calls DATA the Oil of the New Millennium, not people.

In security, there are three pillars to consider. Confidentiality, Integrity, and Availability. In this article, I’m talking about the third – AVAILABILITY.

80% of Cyber-Breaches Result in Downtime

Every major corporation has been breached at this point…and most smaller firms too. It’s just a matter of time. 8 out of 10 experience down time, and based on Cisco’s graph (from their 2017 Cybersecurity Trends Report), 90% of the 8 will be 8 or more hours…

How much downtime can your client stand on any given system?

Even with data moving to the cloud, downtime is a major factor.  MTD (Maximum Tolerable Downtime) speaks to the old DR metric that asks, how much downtime your firm can stand on any given application before it severely impacts the business.

The actual number has to be given to you as the assessor. You can discover it through observation…

And while it may seem arbitrary, there are numerous studies available online that tell us how likely a business is, to go out of business, given an outage.

Who Knows The Answer And What Does It Mean?

The problem is, most security assessments don’t actually measure tolerable outage, or the likelihood of exceeding executive management’s tolerance.

IT is generally the focus of these assessments…

To the IT Custodian, outage means, working late, not a failing business. The right approach to assessing risk involves assessing those things which create a risk of something bad happening – in this case, business failure, stock price drop, loss of shareholder value, or customer dissatisfaction (to name a few).

Remember, Customer Experience is the New Brand Metric…And downtime kills customer experience.

So who knows the MTD?

The asset owners know…the ones who use the data to drive the business. And different departments will add more or less value to the overall business success – executive management knows who they are. IT, on the other hand, does not. (Just ask any executive).

Ask the end users, and they’ll tell you they can’t stand any downtime!!!

Of course that’s not true. However, any business critical function probably requires more uptime than IT realizes, and is worth spending more to maintain than most executives would like to admit.

Uptime is always a cost-benefit analysis.  The first answer is usually, “No downtime”. Once an estimated cost of zero downtime is displayed, that downtime number suddenly goes up…

Getting Real With Risk And DownTime

What’s really happening here is, when faced with a large financial number, executive management suddenly wants to take on more risk than they can actually stand.

It’s no different than the person with no consistent income getting approved for the sub-prime mortgage, so they can finally get their house.

The house-buyer’s attention is on the house, not the payment.  With downtime, it’s the same. The buyer’s eyes are on spending where it feels good, not minimizing risk.

It’s the assessors job to convince asset owners, downtime is only a matter of time. Remember, most breaches (80%) will result in some downtime. Half will be in the range of one day or less…but about the same number will exceed one day by 1 to (pick a number) of days.

What’s the likelihood of downtime? Close to 80% – given the likelihood of being hit with some form of cyberattack is nearly 100% over some time period.

Solving The Problem

The problem of downtime used to be solved with EMC SRDF (mirrored NAS over a wide area connection), or at minimum, redundant systems running a highly available configuration. These are expensive solutions when talking to mid-market and down…

Does your MSP offering include virtual data servers in a hosted (protected) environment? Are you running a virtualized HA configuration?

What about using a dropbox-like solution in addition to backups?

In a recent sales call, one of my clients had a firewall opportunity. The vendor SE accompanied them on the call. When the client was asked about the need for redundant firewalls, they replied, “Not necessary”.

The vendor SE made a note and moved on…but my client, having been through the Security Sales Mastery Program knew better.

IT can’t answer this question!!! A single FW outage would shut down just about everything – all external communications including cloud app access, email, etc. Can any company actually work without their Internet connection anymore? Probably not…

Suddenly, downtime is a serious issue, and one that demands new services…hosted systems, redundancy, HA Internet access, data in the cloud, and more…The risk assessment, when focused on MTD, is your fastest road to up-selling services to your clients.

© 2017, David Stelzl

 

 

 

 

Some of the Most Powerful Hacks Are Low Tech – But Extremely Creative

A Clever Ruse Is Priceless When It Comes to Justifying The Security Sale

Today I want to show you the one hack that always succeeds…with some practice, you’re assessment team will get in every time!

Continuing on in a series of articles on Assessing Risk, no assessment would be complete without testing the users. Once simple test comes in the form of social engineering. The problem is, most assessments leave out end-users altogether!!!!

Get The Details On Selling With Assessments In My Book, The House & The Cloud – Here’s a special offer that’s almost FREE

In this short video, a woman (Cleverly disguised as mother w/ crying baby) takes over the guys phone account in just minutes. This is the kind of thing your business-leader clients have to see…it’s so simple, it’s unbelievable.

…So simple, my son did this very thing to me just a couple of weeks ago – needing to make a change to his account (under my name) while I was traveling!  (Shame on Verizon – they let him in!!!)

SE-1

The End-User Is Your Client’s Biggest Hole In The

The balance between customer service, time crunch/deadlines, and keeping the security policy is not an easy one.

The baby crying in the background (an MP3 playing on this woman’s computer) creates the perfect “I’m an innocent, ignorant mother just trying to get this done for my husband…” scenario.

Who wouldn’t feel compassion for this poor woman? What would your clients do?

The Guy In The Video Is The Skeptic…This Is Your Client – The Decision Maker

As the video begins, you know it’s only 2+ minutes long. How can this be possible.

However, once she fires up the baby-crying audio, and starts with her dumb-blond act, you know she’s going to win!  It’s almost unfair!

Watch the Video – It’s Short…any ideas on how you can incorporate this?

I’m not saying you should make a call to their phone company with a crying baby in the background. But look at her face – who’s NOT going to help her?

I AM saying, you want to test the end-user’s ability to spot a ruse. That’s where the attack is going to happen…

I’ve heard it a million times – we don’t do free assessments!

This, my friends, is an assessment done in under 3 minutes! How much did it cost?

It’s a pen test…It’s not comprehensive, but it doesn’t need to be. This 2+ minute example demonstrates how just about anyone (willing to play the role) can break in, in minutes, with ZERO hacking kills.

So what is the likelihood someone will break into your client’s data?

It’s 100% every time, because, every time, there’s at least one sympathetic, authorized user, who will eventually succumb to the ruse of a creative hacker. It’s time to start thinking more strategically about assessments and closing business.

Copyright 2017, David Stelzl

Get The ONLY BOOK on Selling Security and MSP services: The House & The Cloud

SIEM viewpointWhat The Lazy MSP Companies Aren’t Showing Their Clients

Assessing Risk is the fastest way to land new logo business in the MSP arena. And if you want to build a long term, profitable business, you’re MSP is going to have to go MSSP…

(Note: I’ve purposely left out the heavy technical jargon to make this readable by sales – if you actually do the engineering work, you’re probably wanting a more technical deep dive. My goal here is to help sales reps sell the one thing that will overcome any IT budget objection.)

While 90% of the tech companies I speak to CLAIM they do security (on their website), only a handful actually do.  If you want to set yourself apart, learning to discover urgent issues (already present) on your client’s network will do it.

Over the past several months I’ve written numerous articles on how to sell, deliver, and convert assessments to long term annuity business.  This one last step in the actual assessing process is arguably the most important.

You Can’t Just Look At Perimeter Scans and Configurations

2017-06-22_07-57-50

In this YouTube video (published by Alienvault – below), the speaker is explaining the dangers of connecting to Tor or using BitTorrent, as examples of traffic symptomatic of botware. Check out 0:48 in the video below for more threats he uncovers…

These are the urgent issues you need to move deals forward!!!!

Traffic patterns also reveal reconnoissance efforts underway by hackers – thieves gathering information to be used in a future attack.

You also want to know if malware is already installed or in the process of being installed through phishing attacks or web-threats of any kind…port scans in most cases will not do this.

The problem is, most assessments I review in my coaching calls show nothing regarding traffic or connection activity between workstations and the outside.  Why?

Because it’s not easy.

In other words, the MSP providing the assessment is either too lazy or too cheap to do it, or just doesn’t know what they’re doing.

If you sell (or use pro bono) assessments, with the goal of opening new doors in the accounts you serve, make sure your professional services team understands the importance of traffic analysis and has the tools to do it….

Lots Of Data, No Connection, Equals Meaningless Data

AV SIEM

Today’s technology is great at logging data…but not so great at drawing out intelligence.

That is unless you know SIEM…Security Information & Event Management.

The ability to take all of that data from AV software, UTM firewalls, IPS devices, etc. and make sense of it has been a road block for just about any company short of large enterprise…

Until now…

There are several options including some UTM firewalls, products like AlienVault and Arctic Wolf (positioned for mid market), and BlackStratus’ recent entry into mid-market and SMB…Cybershark (Which can be white-labeled and offered with full SOC services – with little of no investment!)

With SIEM now available as a cloud offering, there’s really no excuse for not doing this.

Key Point in the video below (at 2:35) – None of this information is actually interesting unless you can get the analysis, and make the data actionable.

Unfortunately, most SIEM technology won’t really do this for you (Even  though AlienVault and others claim to). In the end, you (The Rep) must read the report and see if your client is going to be moved by it.

If not, rewrite the execute findings as a separate report – more to come on that in a future post.

This takes us back to an earlier article on QUESTIONS TO ASK…The most important part of the interview process is in gathering the mission critical data offered only by executive management.

MTD, RPO, Etc…think Business Impact Analysis…all security issues are disasters and should be viewed just like Disaster Recovery…But you’re competition isn’t doing this.

Key Moment In The Video (3:50)

2017-06-22_08-25-43

At 3:50, this video shows actual malware infections being installed – not only is this type of activity undetectable with simple observation, your Network Patrol Product is not going to see it either!

Only with something that looks at host intrusion does this become evident.  The good news – once you have an MSSP offering installed to do this type of analysis, it’s easy to justify keeping it there – this is annuity business that self-justifies.

Check Out The Entire Video Right Here

But Remember, this is not the most important tool – your QUESTIONS are.

Armed with the intelligence that comes from talking with executives and other asset owners, this information suddenly makes sense in helping a client determine their true threat levels, while providing you with the justification you need to move forward with MSSP.

Copyright 2017, David Stelzl

For more insights on how to sell assessments and larger security deals, check out one of the only books written to resellers and MSP providers on how to sell Security: The House & The Cloud…

datareviewAssessment Interviews Based on Actual Events

(The Names Have Been Changes to Protect The Innocent)

A couple of weeks I wrote an article on the ASSESSMENT FRAMEWORK – how to construct great questions for assessment interviews. But my readers have asked for more…

Everyone Wants a List of Specific Questions, However…

You Really Don’t Want A List!!!

Even if you think you want a checklist of questions (for your prospect) on the front end of an assessment, you don’t. Why?…

  • You’ll sound scripted and canned – these meetings turn to BORING fast…
  • Your list can be handed in – the custodians can take if up the ladder for you… Then what?
  • You need face time with asset owners. Half to reason for doing the interview is to build a hunger for the findings, and establish yourself as the expert…
  • You’ll miss the most important things – the stuff that comes up in conversation.
  • The list will keep you from demonstrating creativity, enthusiasm, passion, etc.

And if none of that makes sense, just find a way to watch a high-end consultant in action…you can’t replicate consulting expertise with a list!

So, while I am not going to give you a list, I can give you some scenarios…

If you’ve not read my previous article on the Most Powerful Tools You Have To Assess (Your Questions/Interviews) this probably won’t make much sense, so go back and read it first…

Meeting with C-Level Asset Owners

The executive (Asset Owner)  interview should be first (however, that’s not always possible).  Let’s call him Al.

I scheduled my meeting with Al through an email introduction with my primary contact (the IT Director). I have to assume my contact is joining us. But my agenda is to talk only to Al.

I’ll keep this so meeting so high-level, my technical contact will go to sleep halfway through the meeting. We’ve planned 20 minutes – 30 at the most. This guy does not have 60 minutes to spend with me on this. So I’d better be well prepared!

First 5 minutes – a quick overview of what we’re measuring.

We’re here to look at risk – kind of like a DR Business Impact Analysis, but more focused on data confidentiality, integrity, and availability.  Our end result will come in the form of an impact vs. likelihood graph…A quick sketch helps at this point. (Learn more about building Impact vs. Likelihood Graphs in Chapter 13 of The House & the Cloud).

“Would like you like to know what the odds are that your most important applications / data will be compromised, misused, or become unavailable at some point in the next 12 months?” – This is a great opening question…

Expect Al to be drooling a little – no one has ever asked this question from the provider side. Point it out on the graph – so he can see what you mean…this is not the Red, Yellow, Green light assessment…this is RISK ANALYSIS DONE RIGHT.

GATHERING DATA

Data Value – Things You Must Protect (Ideas for questions)

  • What applications are most important to this company…(I should know some of them by now, and listing will help get us going. But I want Al’s opinion here).
  • What makes them so important – prioritize, and find out what value means.
  • For each asset (Application or database), find out whether the privacy/confidentiality, integrity, or availability is most important. Chances are it’s a combination, or all three, but try to discern the hot buttons. (This is gold! It’s what Al really cares about, and your recommendations should focus right on what Al gave you in these first few minutes).
  • What happens when each of these are hit by some unexpected disaster, like RANSOMWARE, or just downtime?
  • What about downtime? How much can each of these systems stand? What happens when this system is down? What about that system? Do you have to send people home, does your stock price go down, do you lose money? How much? What does downtime cost?
  • How much data can you afford to lose? What’s that going to cost you…etc.

Threats That Really Exist

  • Who would want this data – explore this…are you more concerned with internal misuse or outsider threats? Are there people who would want this data? Why? Or are you more likely to get hit with Ransomware for money?
  • What about internal issues – how would employees benefit from this data? Is there some way for them to leak information for profit, like insider trading? Can the data be sold easily? Or are there layoffs coming, encouraging people to gather data for their next opportunity? Or disgruntled employees who would take the company down?
  • Have you had issues in the past? What about other kinds of system disasters or failures?
  • Al, we need some information about your company –  to better understand your risk equation.  Are there mergers or acquisitions in the works? Layoffs? What about pending lawsuits? What do you think your competition would do to get their hands on your R&D? Is your company about to announce new projects or inventions that others would want intel on -and, would break the law to get?

NOTE: in a recent CIO meeting with a major manufacturer, I asked the CIO if he thought his IT people would be able to answer any of these questions? He laughed shaking his head, with an emphatic “No”. I could tell he wished they even cared to know, but he and I both knew the truth…they don’t know, they don’t care, and they never will…

Think of each question as a launch point for dialogue.

This is not a teaching time, it’s a listening time. Be sure to reflect back to Al along the way – make sure you understand what he has said, and that he knows you’re tracking with him.

Stick to your 30 minutes, unless he insists on pushing you over…Respect his time, knowing this guy has a million things to do, and 150 sales people calling every day.

Bottom line – leave while he still likes you.

The Likelihood You’ll Be Able to Detect and Respond Before It’s Too late

Don’t let them give you a round-about non-answer here. But the truth is, Al won’t know. The temptation will be to push this off on IT. They should know.

But the truth is, the CISO and CIO both need to know…so I’m not asking IT, I’m asking Al…”Do you know?” “Should you know?” Expect, “No,..” and “Yes, I do want to know.”.

Moving To Power Users and Other Asset Owners

Plan on 30 minutes per person – have someone come with you to take some notes, or record this on your iPhone if possible…

In the early days I would have had an assistance writing shorthand – remember shorthand? Today, I use Dropvox…an app on my phone that downloads an MP3 to Dropbox.

Meeting with Power Users (The end-users who drive business with technology) makes even less sense to the end-user you’re meeting with, and maybe even to you the sales person.

The thing is, end-users are the weak link. But understanding them and how they work will go a long way in understanding their weak areas.

Start the same way you did with the execs…figure you will need to talk with several managers and knowledge workers (those who really use the systems and data to make this business hum).

  • What applications and data are most important to your business?
  • Who would want this data – outside the company?
  • What happens when you’re systems are down, or you lose a day’s worth of data?

Find out if they’ve had down time, data loss, etc. Who get’s upset, what do these people do to keep going or to recover?  You’re looking for the company view – like a gear falling out of your watch – how does it impact the entire business landscape?

Workflow / Data Lifecycle

Now for some line of business specifics…Bob the knowledge worker…

  • Bob, tell me about your job. Do you work at home, on the road, or always in this office?
  • Are you always using this laptop? Or do you use other computers from home or perhaps a tablet of smartphone?
  • Do your family members use these same devices?  (How, when, etc.)?
  • Who else enters data, deletes data, or just accesses data on this application? Anyone outside the company?  (I’m looking at the data – asset focused!  I want to know, who accesses this, from where, and for what?)
  • Who do you interact with online? Other departments, clients, suppliers, … and how – instant message, email, webinar, etc. And how do you exchange data? (I want to know how data travels – and were it goes).
  • I also want to know who deletes data, when, and why – and what must be saved, archived, etc.
  • What happens if this data gets into the wrong hands – like competition, or someone with ill-intent, like an angry co-worker or X-employee?

Heading Home To Meet My Consultants – The INTERVIEW w/ TECH

Most assessments start with technical people diving into systems and networks…big mistake.

Not understanding data value and data flow, it’s like checking out an electrical system without knowing the load requirements, environmental conditions, or uptime requirements.

Instead, do this…

  • Consolidate your data – data assets prioritized, workflow, relevant threats, impact issues…
  • Meet with your technical masterminds – Here’s what the company does, here’s what matters, here’s how they work…what would need to be true for this to be secure???
  • We are looking at three things: Confidentiality, Integrity, Availability.  Your tech team needs to know which of these three matter most to the client….but they may also have their own opinions. For instance, the client may not have named RANSOMWARE as a major threat, but your tech team will surely bring it up!
  • Going through the systems piece by piece, your team’s job is to come up with the security controls that must be present to keep this company as secure as it needs to be – based on their data value, uptime requirements, data loss requirements, compliance, etc.

Once this is done, your team can head in, network diagrams in hand, to see how well this company measures up. Suddenly this assessment feels more like a Gap Analysis than Vulnerability Assessment. The good news: Gap Analysis is easy to report on … here’s what you said you need, here’s what you have, here’s the gap…

Time to put together findings, present to asset owners, and be prepared to draft your remediation recommendations…A deal much more likely to close.

© David Stelzl

PS. For more on how to conduct these interviews, see Pg. 194 – 200 in The House & Cloud

magHow Would Your Assessment-to-Business Conversion Rate Grow If You Had Access to This One Extremely Powerful Assessment Tool?

90% of the Assessments I Review Leave Out Asset-Owner Interviews – Leaving You (The Seller) With a Weak Deliverable and Little Justification to Remediate

In this article I’ll point you to the people you should be talking.  In addition,  I’m going to give you the exact questions and sequence to use if you plan on up-selling them on remediation steps and ongoing annuity services.

The Number One question I get when the topic of assessments comes up is, “What tools do you recommend?”  It’s a great question…however, I know what’s really being asked, and its the wrong question.

The Wrong Question to Be Asking On the Front End

“What scanner or analysis tool do your recommend?” That’s the question behind the “Tool” question. But its the wrong question.

The tool question stems from a misconception that assessments are technical iInitiatives that should be lead and delivered by technical people.

In most cases, the assessment is sold (or offered pro bono) by the seller, and then tossed over the fence to a technical team. The team may be well skilled in security concepts, network architecture, and more. But in most cases they lack business savvy.

Yet, the assessment, according to it’s first name – Risk, is by definition a measure of business risk. And it’s the asset owners (those who have true business liability) that need that measurement.

Note: Get the details on Asset Owners, gaining access and delivering value, in my book, The House & the Cloud – Almost FREE using this link.

The Question Framework

So what’s the right question? Well, it’s really an approach more than a question. The goal of the assessment (addressed in more detail here) is to move troubled customers to a remediation plan.  It’s like a cancer patient recently diagnosed. The Oncologist who fails to move most of his patients to treatment should be seen as a failure.

Is he just not communicating? Do they just not understand they are dying? Something’s wrong if the prognosis would be positive with treatment, yet the doctor is not able to move his patients to action.

THE FRAMEWORK:

In my book, The House & the Cloud (Chapter 13), I provide three key questions as a guideline.

  1. What are you trying to protect
  2. What are you relevant threats
  3. How likely are you to be able to detect and respond to an incident of pending disaster before damage is done or data lost?

These three questions provide the basis for a longer, freeform discussion with Asset Owners.

Remember, Asset Owners are those with business liability. That means these special people are responsible for business functions critical to the profitability of the business, and live primarily on the profit-center side.  Think, C-Level, VPs, Directors, and key people in key divisions of the company.

…Doctors, lawyers, CPAs, Sales Managers, R&D Management, Investment Banker, Stock Broker…people who make (or significantly contribute to) profits.  When an asset owner’s data is compromised, deleted, or corrupted, that person is in trouble.

Customers will file lawsuits, stock prices go down, brand and reputation are tarnished, and heads roll.  You won’t see the director of IT, or their one-person IT support guy in the paper tomorrow – but chances are, an Asset Owner will be front page.  A few weeks later, you’ll read they have moved on to something new, by mutual agreement…code for, FIRED!

Questions Designed to Get Answers That Matter

Using the Framework, you can then divide your interviews among  three groups. (I provide more detail in The House & The Cloud, Pg. 195ff).

THREE GROUPS TO CONSIDER:

  1. Executives
  2. Power-Users
  3. IT

The assessment process starts with executives (whenever possible). My friends on the Disaster Recovery side of the business pointed me in this direction years ago…business risk starts with understanding business leader’s care-abouts.

EXECUTIVES:

Start your analysis with questions (using the 3-part framework above) to determine what matters and how much…Your first question is, “What are you trying to protect?” It might look something like this:

  • What applications / data are most important to this business – profit, stability, growth, customer satisfaction, etc.?
  • After identifying them: How long can this system be down? (hit the important ones)…drill down…the first answer is usually wrong – No Downtime! You and I know, zero downtime is nearly impossible and exponentially expensive!  Find out where the balance of cost and availability sit. – Think, Maximum Tolerable Downtime.
  • How about data loss? “Can you afford to lose any data – if so, how much?” This is a Restore Point Objective question, but stick with business language. Explain how data is lost (Ransomware, disk crash, corruption, etc.)
  • What are you most concerned about protecting against? There are three pillars of security to consider. Confidentiality, Integrity, and Availability. It might be one of these, or all three might be important. Make sure you know how the executive sees it.

Next, Move to question 2: What are your most relevant threats?” Again, you’re talking to an executive, so keep it at a business leader level. One bad question (technical in nature) could land you a demotion back to IT!

  • Who is allowed to see this data? Who can’t see it?
  • Who would want this data?
  • What happens if this data gets out (in the hands of other governments, competitors, the public, etc.?) – Speaking of impact here.
  • What concerns you most? Examples might be, data theft, downtime (from what?), loss of access (for instance, ransomware), etc.  What about soft costs such as loss of customer trust?

Finally, a simple question, “How would you know if your data were under attack, or on the verge of any disaster we’ve mentioned above? Would you know in time to stop it from happening?”

Expect executives to say, “I hope so, but don’t really know.”

POWER-USERS/KNOWLEDGE WORKERS

A similar line of questioning would be used with this group, with the addition of questions that reveal the lifecycle of their data.

More than one interview is desirable here.  You’ll want to talk to key department managers as well as those who create and use data to conduct business.

In a small business, this may involve 2 or 3. In a larger firm, make sure you build in adequate funding to visit 5 to 10, or more, depending on the size and complexity of the organization.

Discover their data flow.

Workflow means, understanding who is creating data, using data, and how it travels, is stored, archived, and finally deleted.  You’ll want to know who interacts with data inside and outside (customers / suppliers), and what kinds of access different groups should have.

Discover business climate.

In addition to workflow, you’ll want to know about any upcoming M&A activities, pending layoffs, volatile terminations, R&D announcements, etc. These all affect a company’s security posture.

WITHOUT this level of insight into the organization, moving forward to evaluate risk is nearly IMPOSSIBLE. True risk has everything to do with how workers create and treat data.

At this point I would recommend using a quiz – formal questions with scoring, to see how well-informed these users are when it comes to securing their most precious assets.

Completing the Process

The rest of this assessment deserves it’s own article…In short, your next step is to evaluate the data coming from your interviews, with security practices in mind.

Hold and internal meeting to ask your team – “What would need to be true in this company to keep their data secure at the levels identified by asset owners?”

With a list like this in hand, it is then easy to go into the IT areas and investigate. You now know exactly what you are looking for…

You can find out more on the consultative discovery process in my book, From Vendor to Adviser….

© David Stelzl, 2017