Most people invest at the wrong time (according to the Billionaire Investors Interviewed by Tony Robbins in his book, Money, Master The Game). They jump on the bandwagon when things are high, and they sell when the market drops.
Running a for-profit assessment team in the early 2000s (for a global technology integrator) was more a lesson in financial management than sales for me.
Assessments are often sold at prices that leave little in gross profit. Free assessments tend to offer no value, and simply leave the prospect disillusioned. And only a handful of these heavyweight documents ever result in any long-term financial gain.
Here are Three Things to Consider That Will Change Your View of Assessment Profitability Forever.
In my workshop, The Security Sales Mastery Program, assessments are central to the sales process. I covered some of this in an article on scope last week…
When I bring up the idea of using free assessments to drive business, I often get pushback. In response, I offer up three examples of assessments I was personally involved in. Let’s take a look…
The $125,000 Hospital Assessment
This first example comes from a large hospital assessment, sold and delivered in the southeast. If you know healthcare (and you work in security) you know it’s a match made in heaven. Lots of needs, endless compliance regulations (many unmet), and an industry with deep pockets.
Our assessment was priced for profit. It took a total of 40 man-hours onsite, and another 40 man-hours of analysis and documentation. Total burden cost, about $10,000. $125,000 with a cost of 10K is high margin business, even to lawyers.
However, there were NO follow-on projects.
It’s our fault!!! Back then I did not understand how to create business from an assessment. Most don’t – the conversion rates from assessments like these are low, averaging about 20 percent.
So our total gross profit landed at around $115,000. Not bad for a two week effort. However, the upside potential (had we closed just one of our recommended changes) would have more than doubled our take.
The $36,000 State University Assessment
The university deal was won on a last ditch effort to get in the door. The university was looking at a number of projects to upgrade both the administrative and student networks; however, they were largely undecided on their direction.
On the way out the door I casually suggested an assessment might bring clarity to their needs, and to my surprise, they agreed. A few days later we signed the $36,000 agreement and scheduled to begin work.
Our team spent about 3 man-weeks on this initiative, engaged with the IT team on campus. When the report was complete, a meeting was scheduled to review our findings with the university’s key stakeholders.
Just 5 minutes into it, the leader of the pack paused, put our document down on his desk, and complained, “This is not what we asked for.”
Keep in mind, our three weeks were spent, side by side, with their IT people. They were basically leading the charge…and here we were being reprimanded for missing the mark. As you might have guessed, the IT people stood back, nodding, as though they had nothing to do with our missing the mark. They effectively hung us out to dry.
The meeting ended abruptly, and the invoice was NEVER PAID.
Final gross profit: ZERO DOLLARS. Very disappointing…
Free Assessment: Thanks For Attending This Business Leader Event!
Finally, there’s the dreaded free assessment. My classroom example offers a total of five pages, including the cover letter. This particular example-giveaway was offered to small business owners on the heels of an educational event. Our audience was well qualified – mostly healthcare.
Our total time spent marketing and selling: About 2 Days plus a few days of phone follow up using call scripts from a product on my webstore…
At the close of our risk-measuring initiatives (we closed about 30 assessments in that one event – in just 60 minutes!)…
One of the larger prospect-companies signed up for $36,000 in remediation work, signed an $8,000/month – 3 year agreement (and renewed for 3 more years), and went on to do at least two more projects worth $100,000 in revenue (figure 50% burden on projects and managed IT Services).
Total gross profit: $356,000 (and still going)…
It’s important to note the cost of sales. The first two projects required 3 to 6 months of selling. The third, 3 mailings, a couple of days on the phone (done by contractors), 1 live event (with speaker), and about 4 days between starting and delivering the assessment.
Which of these three deals would you choose to get paid on? If you own a technology business, which would you choose to build your business on?
There is a time to charge!
So don’t just read the first half of this and think, “He always gives them away.” Free is RISKY.
Free requires the right audience, and a predictable conversion strategy – it requires knowing how to drive business through an assessment, just like choosing the right asset allocation has everything to do with an investor’s success.
All investments are tied to risk. Your paid assessment is largely a paper document, with a big price tag…If your paper offers tremendous value (like a stack of green paper with government markings on it) it’s worth a lot. On the other hand, if it has my child’s markings, it’s only worth something to me.
I’ve seen free assessments work in all size markets, however, as you scale the corporate ecosystem, closing gets harder. Client expectations grow as you engage with the more sophisticated organizations.
So, if the ROI looks great, you can afford to do assessments for free or for less. However, the likelihood of getting that follow-on business from a new, enterprise prospect is much lower than it would be in the SMB (Small/Medium Business) market.
So, in the larger markets, assume you’re going to charge when you assess. But charge enough to make it worth your sales and delivery time.
Enterprise deals (like the first one mentioned above) are margin-rich. However, as you can see, we didn’t achieve our goal of long-term financial returns.
So, while the margin was high, the cost of sales was also high.
If you’re the selling agent, you may not care – you still get your fat commission check. On the other hand, if you get paid on bottom line performance, suddenly it matters.
How much does a 6 month sales cycle cost? Drive time, office time, lunches, etc. It all comes straight off the bottom line. Not to mention benefits, base salary, and opportunity costs associated with the seller.
In the SMB market, the financial picture is completely different. Small business prospects rarely spend much on remediation, however, the IT Services deal is there (unlike most enterprise accounts), so there’s your long-term profit.
There’s one more factor though. And it has to do with account control. Every sales person knows that controlling the deal is essential to the close. As soon as you hand in a proposal, you’re at the mercy of the prospect.
In the case of an assessment, once a contract is signed (with a fee attached), you no longer control the deal.
Don’t miss this…
Assessments are like proposals. Unless your company is highly specialized in audits/assessments (with high-end and frequent assessment/audit business), your quota achievement depends on closing follow-on business (projects and managed services). The fee-based assessment is controlled by the buyer – reducing your assessment-deliverable to a quote.
That’s where I went wrong on the University Deal…
IT was in charge – my team was directed by them, and executive involvement was not part of the plan. Yet, an asset owner’s inputs are the most important part of understanding risk! Without Asset Owner Understanding, closing follow-on business (with a new prospect) is nearly impossible.
Assessing risk has everything to do with assets and their owners. Their business will live or die based on asset exposure and real-time detection/response to cyberthreats.
Without leadership involvement, you can’t possibly understand the company’s data value, most crucial systems, and greatest threats. How often do IT staffers know how much down time can be absorbed or how much data can be lost before shareholder value is impacted?
Sure, IT has an opinion, but to deliver risk, your process must look more like a Business Impact Analysis Report than a typical Vulnerability Assessment.
Here’s the thing. When the assessment is free, you’re in control. What does that mean?
Since no one is paying you, you have the right (and authority) to proceed according to your recommended approach. If you’re wrong, you’ll pay for it on the back end. If the client balks, you can always stop the process. It’s free, so you’re in control. Do it right, and business will follow (along with profits).
When money changes hands, the buyer is in control. If they want you to submit questions and take their written answers (without any face time), it’s their choice.
Since all sales have an emotional component, you know that face time is important to any high-involvement sale…even if that face time is virtual. There has to be trust and advice to be a trusted advisor. And that requires interaction with those making the decisions.
The final analysis – in the SMB market, lead with free assessments almost every time. The $500 to $2500 price tag on SMB assessments leaves no budget for IT services, and will take months to close.
In the enterprise, carefully weigh the risks, and what factors must be present to take on the risk of assessing pro bono. If the cards are stacked against you, go with the fee-based approach, and sell them on the high-ticket approach to ensure your profits are worth doing the deal. Remember, you need asset-owner involvement to justify any assessment worth doing at this level.
The biggest upside in both free and paid assessments is in the ongoing annuity business.
There are two ways to create annuity business with assessments (and maybe more that I haven’t thought of).
First, let’s look at the theory. Risk is a measure of impact vs. likelihood. You can’t affect impact; losing data or suffering downtime is going to cost the company, no matter how secure the company is.
Your variable is in likelihood. Solid security lowers likelihood (however, even GREAT security does not eliminate threats).
The assessment identifies (at least it should) the threats, and provides a measure of likelihood. Remediation is the process of reducing the likelihood to an acceptable level.
Managed services (or MSSP) is your program designed to maintain an acceptable level of risk over a period of time – your long term annuity engagement.
So the first way to sell ongoing business through assessments is to demonstrate an organization’s unacceptable level of exposure, and provide a way to reduce it.
And then show them how to maintain it by contracting with you to oversee, or detect and respond to issues as they arise.
The second way, generally better geared for enterprise accounts, and using fee based assessments, is to sell a quarterly update.
Keeping the same scope, and simply updating the document quarterly, can provide tremendous value to the client that houses sensitive data.
Two up-sells come with the ongoing assessment approach. First, you’ll get a quarterly opportunity to check in on your recommended remediation steps. Over time, and given you are providing value, your client is likely to engage you to keep working on your recommendations as threats grow.
Second, the scope is likely to change over time as new IT initiatives invite you to consider added systems as part of your analysis. One additional bonus, you’ll be up on all your client’s latest planned initiatives since new projects always affect the client’s security risk analysis.
Going forward, add this quarterly update with just enough money to cover your added cost (in other words, do it at break even). It adds value, costs you nothing, and offers great upside.
© David Stelzl, CISSP
I’ve been writing a series of articles on risk assessments over the past couple of months. If you’re in the security business (or trying to break in on this growing cash cow) it’s time to get on board with how assessments work; how they’re sold, what they’re for, how to get them read, and how to make them work for you inside the accounts you sell to.
In Part I, I covered Differentiating Yourself in the Sales Call. (Note: if you’re looking for a technical read, this is not it…)
So, next, let’s turn to the scope, and how what you cover in your engagement has a lot to do with who buys it and who reads it.
If you want to grow your business, keep reading – the assessment is the best way (and one of the only ways) to get engaged with decision makers (the people writing the checks).
I hear it all the time, “The client is always right.” No they’re not!!! Especially when it comes to security.
Remember (See my book, The House & The Cloud) your IT contacts are not liable. And your asset-owner contacts (who are liable) have very little understanding when it comes to security.
So don’t let the client dictate the scope.
In short, you can’t simply respond to an RFP and come up with a meaningful assessment project (I discuss RFP responses in detail in my book, From Vendor to Adviser).
When I bring up assessments, the first question I get is, which tools (scanners) do you recommend? I’ll cover the actual assessment process in a future article. But for now, set tools/scanners, etc. aside. There’s something far more important here to consider…
The typical approach to assessing risk is, Inside/Outside. But looking inside (trusted), and then out, is wrong thinking…
The truth is, your client doesn’t have an inside or outside anymore. Sure, your dream client has a perimeter, but half the office is on the road or working at home. They’re all outside on their mobile devices. Chances are these knowledge workers are going back and forth between personal (Facebook and shopping) and business, and on breaks their kids are playing Counter Strike or World of Warcraft (or surfing porn and gambling sites).
(And then there’s the 75% of employees who admit they steal from their employers – all inside…WSJ)
Every paid assessment should cover perimeter devices, end nodes, and network architecture/segmentation & configuration. The obvious, so I won’t elaborate.
Yet, when I read a scope document, and it breaks the assessment down into: Internal, External, Network, Perimeter, and Servers/Storage…I get concerned.
This infrastructure-centric approach is for the super-techies, not business leaders.
I can already imagine the deliverable with its endless tables and network diagrams. The Red, Yellow, Green light ratings that appear on every assessment. If you’re looking to differentiate yourself, this won’t do it.
Price will be the deciding factor!!!
The business people (Asset Owners) are the ones who will be writing this check. So, what is it they need? In my book, The House & The Cloud I spell out exactly what the board is looking for (see page 195). It’s restated in Selling Assessments Part I.
This type of deliverable requires a different approach. The final outcome is a measure of risk (illustrated in the Impact vs. Likelihood Chart).
START HERE – DIGITAL ASSETS: Think like a Disaster Recovery Specialist…
Where is the data? Which of these assets are most important, and what can’t they do without?
It’s a fact that most companies have no idea where their data actually is, or who has access to it. When people travel, work from home, or use cloud apps, knowing gets even harder. Ad-hoc data is everywhere.
Tools such as those provided by RiskIQ are designed to find data. In some cases that data is sitting on someone else’s server (such as a competitor or in a darknet chat room, for sale).
Digital assets, not hardware infrastructure, are what assessing risk is all about. So consider the following:
ACCESS CONTROL – ACCESS TO DIGITAL ASSETS: People (and now robots) access data. Behind every data breach is a person. Some people have access, so they’re authorized. But not all authorized people are doing things they’re authorized to do.
Does your assessment include the people inside the organization? It should. Remember, “75% of internal workers admit they steal from their employer (as referenced earlier)”.
PEOPLE: Given all that’s just been said, be sure to include interviews (more details on this in my book, The House & The Cloud pg. 196).
DATA ASSET TRANSMISSION & STORAGE: Once you know where the data is, you want to know who accesses it, from where, when, and why. Data transmission and storage is part of a company’s workflow. So include in your scope, an analysis of assets as follows:
TRUE SECURITY (ALL THREE ASPECTS): Security can be looked at several ways. The CISSP ISC2.ORG common body of knowledge looks at 7 (and this varies over time) major disciplines. Most security professionals recognize three pillars:
All three should be considered in the scope. I’ll provide more detail on approach in a future writing…but be sure to cover all three.
SOCIAL ENGINEERING: Social engineering is part of just about every cybercrime incident (probably all of them). However, it’s rarely part of the assessment. Again, go back to the purpose – identifying risk. The amount of risk a company has, has a lot to do with how susceptible its end-users are to a ruse.
Testing them is one way to uncover weaknesses – such as an email phishing test. In any case, some thought should be given to their current security awareness program, policy (covered below), and security culture.
POLICY: I’ve heard security experts say, all security breaches are the result of some policy not being followed, or not existing. I don’t know if that’s always true, but it does carry some weight.
Most policies are written to satisfy some compliance officer, not guide the daily activities of end-users, who create, use, and store digital assets all day long. Include a review, not only of the written policy, but how it’s used and enforced.
WHAT ABOUT AUDITS: This is not an audit, so don’t treat it like one. Audits are about being compliant (get your compliance offering going with HIPAA here) against some standard or law. They don’t measure risk.
So take time to educate your buyer on the difference. The goal should be to comply with the law, and then make sure things are secure. One does not satisfy the other.
Finally, security can be defined differently by different people, so just what does it mean to be secure? Or to assess risk?
Having certifications such as the CISSP (ISC2.ORG) or GIAC (SANS.ORG) can go a long way in proving to your buyer that you understand security.
Security engineers are not required to have their PE or Engineering Certificate, or be authorized by a board in the way doctors or lawyers are. While I am not in favor of more big government oversight (like what we’re seeing in the ever-frustrating world of healthcare), pointing to a standard or framework (such as NIST) is powerful when selling.
Most sales people (your competition) are not going to be able to articulate what standards/frameworks (such as NIST) mean. So take some time and educate yourself on what I call, The Wall Street Journal Version of NIST (or whatever standard your firm will follow). You can check out my recent article on Understanding NIST.
Do you want to win your next sales opportunity????
Assessments open doors and allow you to prove your value…however,…
Assessing Risk is a business function. Like Disaster Recovery/Business Impact Analysis (which are really just one of the security disciplines), it is the executive team that needs an understanding of their exposure and impact/likelihood…the odds they’ll suffer a loss.
And this explains why high-end consulting firms like PwC and KPMG have long been welcomed in the board room, while resellers and most hardware manufacturers continue to hit the down button when getting on the elevator.
© 2017, David Stelzl
P.S. Get the entire security sales approach here (The House & The Cloud) – the only book out there with a clear methodology for selling high-margin security business.
A couple of weeks ago I wrote about free assessments – an incredibly fast (yet misunderstood) way to create business, when the prospect doesn’t understand their true needs (which seems to be more often than not).
The question is, is there a time to charge? And if so, how much, what scope, where do you start?
In this Part I article, I’ll show you where to begin when creating new business through fee-based assessments…
First, it’s important to start where people are, and then take them to where they need to go. In other words, you can’t sell someone what they need, when they don’t yet know their needs. Great marketing starts by understanding the buyer’s desires, and then reframing that prospect’s thinking.
Most larger (fee based) assessment opportunities start with an IT person. If the prospect-company lacks an IT group, they’re probably too small to command a reasonable price for assessing. In that case, I’d go back to FREE ASSESSMENTS and sell them the recurring revenue-managed services & security program. That is what they really need…
When asked to quote an assessment, you might be tempted to jump in and start your discovery; how many firewalls, how many servers, do you want applications assessed too?
This is the wrong approach!!!!
Leading with technical questions leads to competing on price.
The IT person has something in mind…is it a true risk assessment? Did they call it something else; Pen Test, Vulnerability Assessment, Audit, etc. Do they know the difference? (Probably not).
Establish your contact’s desire first. Ask them…“What is it you’re looking for?” And, “WHY do you need it?”
This second question is the more important question (WHY). Expect answers like, “To see if we’re secure,” or “To show our clients we are secure.” You see the problem here?
First, you know that there is no such thing as being “secure”. Second, the assessment is only going to reveal problems this company didn’t know existed. So the idea of certifying your buyer’s infrastructure is a fallacy.
It’s time to reframe (EDUCATE)!!!
Find out where this request is coming from and what’s been done in the past.
Chances are your IT contact doesn’t really know what’s going on. He needs an assessment or pen test, and probably doesn’t know the difference. At this point he’s looking to you for a comparison quote. The last thing you want to do is give him what he’s asking for.
Your IT contact is just a cog in the larger wheel of technology bureaucracy. (Note, if your contact is actually part of a security team, the approach will be different.)
I’m specifically talking about IT here – and I started my career in IT, working for two different F500 companies. I’ve seen this from the other side. Don’t overestimate what IT knows about security.
If you simply respond to a bid, or scope out what IT is requesting, the buyer will have nothing to match your price against (in terms of value) other than your competition’s bids and his budget.
Comparisons against anything other than established need and value are meaningless, and simply lead to price wars.
In every competitive deal there’s at least one guy working out of his garage, offering low-ball prices (and they’re not Steve Jobs or Steve Wozniak). You don’t want the truck-slammers of the world to be the yardstick by which buyers vet your price.
Here’s what happened the last time I worked on a competitive assessment deal…
I was hired by a reseller to work closely with their sales team as a coach/advisor…
(Years ago I had built and led the Security Team for a large global integrator, where we primarily led with assessments – so this call was not new territory).
As expected, our new prospect was looking for an assessment – in his words, a vulnerability assessment. After going through the steps outlined above, we began our reframing process.
First, we asked him, “Do you know what your board is asking your CIO for?” His answer was predictably vague. How would he know?
Next, my client (the reseller) drew the Impact vs. Likelihood Graph on the whiteboard (Page 194 in my book, The House & The Cloud). He began to review the five things board members demand:
Without calling out our competition (never a good thing to do), we began to describe what most vulnerability assessments look like, how they’re approached (something for a future article), and why they aren’t going to satisfy the board’s request.
At that point, my client (the reseller I had been working on the House & Cloud Concepts with) pulled out a sample deliverable (with no intention of leaving it with the prospect) and began to go through the type of deliverable that would make an IT Director a hero…
Deal closed…Well, There’s more to it, but this is just Part I of a predictable assessment sales process designed to front-end big profits and future business.
© David Stelzl, 2017
On one hand, risk assessments are a great way to start an engagement, or close a sale. On the other hand, they offer great value. Should you give all your value and insight away???
It’s a hard question that demands an answer!
The Point of Assessing Risk Is…
Several weeks ago I wrote an article defining the assessment (if you’ve not read it, I recommend going back to better understand the truth behind assessing risk and growing your business).
The bottom line is, Assessments are like health checkups. If the patient has URGENT issues, yet chooses to NOT take action, the doctor’s efforts are wasted. Even more, if most of that doctor’s patients never enter treatment (and are dying), he has failed.
If there are urgent issues, action is required.
And it’s your job to sell the customer on taking action – not for money, but for the livelihood of that customer’s business. With remediation in mind, your risk report is a marketing document. Your goal is to sell your customer on doing something!
When I hear, “We don’t give away the assessment”, I think to myself, “Amateur Thinking”. Front-end is a funnelology term: it is the process of capturing a lead and ascending that lead up your value ladder.
The sales process starts with a lead magnet (some freemium offering) to attract qualified prospects (Think: Opt-in). You provide value and your buyer wants more. So they ascend over hurdles of indecision to the point of becoming a buyer.
Some prospects will drop out immediately, grabbing the free stuff and moving on (grab and dash). It’s okay…I’ll explain in a minute. Others will buy your initial offer, or perhaps engage with you in basic managed services (New Customers).
A select few will become hyper-buyers…your best customers. Hyper-buyers buy whatever you recommend because they see your value and trust you to advise them.
The front-end has to be easy (think, free or close to it). You might offer a white paper (which I seriously don’t recommend). Better choices include, special reports, quizzes, assessments, lunch & learns, etc.
Some front-end options convert quickly. Others, not so much. Signing up for your mailing list or free e-zine doesn’t make much sense these days. No one is choosing to get more spam email.
All great front-ends cost money. The idea is to spend your money with ROI in mind. The company that can spend more upfront (marketing), and still measure a strong return on the back end, wins.
Did you catch that? You’re not trying to minimize the front-end cost (or your marketing budget). You’re trying to maximize conversion and ascension. If your backend works, you can spend more upfront, beating your competition.
The assessment may be costly, but done right, it can have an extremely high ROI on the backend.
Conversion (like getting people to a lunch & learn) is one thing, converting from free to fee is another. You don’t want to invite people for a free iPad…you’ll end up with a bunch of IT folks that want free gadgets (these are not buyers).
If you want qualified prospects, you won’t give your free assessment to just anyone. And that means you won’t advertise it on your webpage. Freemium means high-value and special, and should be guarded.
To qualify, you want to have a freemium offer, like an assessment, and have a clear avatar of your target prospect.
Let’s say it’s the SMB business owner with 25 to 250 users. Inviting that person to a lunch & learn is a qualifying step that gives you the opportunity to actually meet face to face. It’s costly, but if your conversion is high, you won’t care.
Then converting them (given the right message in your lunch & learn meeting) is easy…We’re converting over 90% right now with a security message designed to instill urgency. It leads to an assessment – we offer this analysis right there in the meeting. But our description is vague…on purpose. You see, we have one more step; it’s a phone call.
On our initial call we have the opportunity to ask them about their business and their role. If they turn out to be someone other than a qualified buyer, we make the assessment a simple over-the-phone questionnaire. If that person is a business owner, in charge of a possible qualified company, we move forward.
Our assessment engagement involves that decision maker all the way through to the deliverable. If our key contact (asset owner, I call them) drops out at any point in time, we stop the process.
Our conversions to business range from 60% to 80%, and our sales cycle averages a couple weeks to a couple of months. (But not 6 to 9 months). These contracts range from $1000 to $5000/month, with a 5 year expected lifetime value. So how much can I spend on customer acquisition (in this case a lunch & learn and assessment)? Do the math, it’s a big number.
But there’s still one more hurdle. Selling free assessments has its challenges. Free sometimes means no value. And getting that initial meeting may also prove to be a challenge.
The 60% to 80% close rate is attractive, so I know I want to sell the risk assessment. I am willing to give it away, because my ascension process works predictably well, and the ROI is there. I can afford it and the return is evident.
However, the assessment can’t be the first step in my sales process (or funnel).
Most of my clients sell assessments by using something upfront to attract clients. eBooks, followed by webinars, with an offer to assess, can work. Live lunch & learns, using a hard copy letter invitation work extremely well. And any excuse to get a meeting (such as referrals, product or quotation requests, etc.) can be turned into an assessment.
In my book, The House & the Cloud, I explain how to transition just about any meeting into an assessment (chapter 13), and then later in the book (Pg. 194 – 200) I explain how to move through the assessment in a way that engages asset owners, and leads to a sale.
The most important thing in this whole process is to track your conversion metrics. Make sure you are at least breaking even. Once you break even, start tweaking your funnel to modify and grow your ascension process.
As you perfect your conversion metrics you will be creating a long term, predictable profit machine.
©2017, David Stelzl
NIST is important to the Assessment process as it gives you an easy reference point from which to assess and define risk. In a sales situation, the customer (if they have any knowledge at all) should be asking you how you approach assessments.
How will you answer?
If you’ve read my book, The House & The Cloud, you already know most of the NIST Security Framework…
(I wrote version one of The House & The Cloud in 2007, so you know I wasn’t just copying NIST – it’s a 2014 publication – of course I’m not claiming to be the author of NIST either).
Either way, it’s important to know NIST if you’re going to talk security. So here’s the simple “sales person level” overview…
Notice the outline below. There are 5 major components. You’ll remember from The House & The Cloud, PDR – Protection, Detection, Response (Chapter 13)…NIST simply adds IDENTIFY (on the front end) and RECOVER (on the back end).
In my 2007 book (updated in 2015), I develop the IDENTIFY aspect in more detail, just under a different heading: the Three Important Questions You Should Be Asking Asset Owners. See Chapter 13, The Three Questions.
These three questions provide a clear understanding of just how asset owners (and IT) view their data, their threats, and their current approach to security. In most cases they have no idea that certain digital assets even exist, and chances are, IT cannot define their firm’s most pressing threats.
The House & The Cloud is a sales training book, not an SE’s Handbook. So use NIST as the foundation for your security approach to provide credibility in the sales process. Your client/prospect won’t know my name, but they can Google NIST.
It’s not necessary for you (the sales person) to be fluent in security architecture and the various approaches to remediate risk.
But getting buyers to part with money for NIST is a hard hill to climb. Chapter 13 of The House & Cloud provides the science behind the marketing approach. In my presentation (the one outlined in chapter 13) I first must break the preconception that my prospect has security “Covered”.
The conversion happens when the client sees their investment tied to column ONE – the NIST protection column (as is explained in The House & Cloud). Protection alone (keeping people out) won’t stop hackers…but until the client sees the truth (and admits their mistake) they won’t move forward.
If you want to be the Trusted Advisor, you must be TRUSTED, and ABLE TO ADVISE…and that means your client must first admit they need advice!
The House & the Cloud solves the problem of how to explain what security should look like, while getting the prospect to admit they have it wrong (assuming they do).
My take on RESPOND calls for realtime response…I make the point (in The House & Cloud book) that faster response is needed – even realtime response to stop the threat before harm is done.
In other words, if I could somehow stop the ransomware before my data gets encrypted – I would be a lot better off.
However, stopping disasters is not always possible…and so the Disaster Recovery Plan is essential…developed, documented, and tested regularly. This last component needs work, especially in the small/medium business markets…
Disaster Recovery offers another great opportunity for resellers in the IT Management / MSP business! (And I’m talking about a lot more than just Backup and Recovery Services).
Check out this short NIST video from Rapid 7 for the overview…(Thanks Rapid 7, this clears up a lot of confusion).
This week on a coaching call with one of our Mastery Security Training Attendees we were discussing the role of the consultant in the security assessment process. In this case the Assessment Sales were NOT closing.
In other cases we discussed, conversions from Assessment to Remediation or Managed Service were weak.
The complaint: Can I rely on our security consultants to deliver, or should I sell something else?
First, sales people should never turn the SELLING over to a consultant or engineer unless that technology expert has a track record of closing. Knowing a lot about security does NOT lead to selling assessments. Selling and marketing are not driven by sound bites, technical know-how, or certifications.
In the Security Sales Mastery Program we teach sales people to speak about security at the business level. Executive Management is where the assessment should be sold.
Assessments are about risk. They measure Impact vs. Likelihood. At least they should.
In a sense Assessments are a marketing effort.
The Sales person sells the deal to measure risk. The consultant measures risk. But then something salesy has to happen.
Think of the cardiologist: if the patient is about to die but won’t take on the treatment plan, the doctor is failing. It’s the doc’s job to sell the patient on doing something. Yes, ultimately the patient is responsible for their health, but if the diagnosis is poorly communicated or the risk poorly described, the doc is doing something wrong.
The same goes for the assessment report. In many cases it will be a 50-page paper (enterprise-size deal) or something much shorter in the SMB. But is it written to the person who cares about risk? In most cases the answer is NO.
This is a sales problem. If you, the sales person, sold the assessment, hopefully you sold it to someone at the business level to help them measure something specific – risk.
It might be compliance like HIPAA or it might be to identify the likelihood of data theft, system disruption, or data misuse. Theft, misuse, and disruption can all be in the same report, however your findings must be written to the asset owner. The person with liability.
Don’t let the consultant take this to the client before reading and understanding what it says.
Are there mistakes?
Was the paper written using an old assessment from another deal?
If so, are there facts left over such as a “company name” that just don’t belong in this paper? Believe it or not these are common problems. But it’s the sales person’s job to read it and scrutinize the value of the report.
Sure, the technical team shouldn’t be making mistakes like labeling a diagram with Cisco routers when the client uses Juniper (Yes, I’ve seen this happen!). But technical people are rarely writers. They won’t write at the executive level, they’ll miss edits that are obvious to the sales person, and they’ll often use an older document rather than starting from scratch. It happens even with the best teams.
Yes, your clients need assessments. And they’re one of the best avenues to big business.
But sell them at the business level. Don’t succumb to IT people wanting assessment quotes. Unless they’re high dollar projects, they’re not worth doing. Make your way upstairs and find out what’s really needed.
When it’s time to assess, make sure your technical team knows exactly what you sold. It should be a measure of risk as described in The House & the Cloud. And when it’s time to deliver, read it. It’s your deal. It’s your client. It’s your responsibility. And it’s your biggest up-sell opportunity.