Archives For compliance

Who Will Dominate the Future of Assessments? Security Experts or Business Risk Advisors?

Scope (what’s covered) has everything to do with differentiating the Security Assessment Sale.

In case you missed Part I, read it here:

The One Thing That Set My Client’s Assessment Apart From 13 Competitive Quotes

I’ve been writing a series of articles on risk assessments over the past couple of months. If you’re in the security business (or trying to break in on this growing cash cow) it’s time to get on board with how assessments work; how they’re sold, what they’re for, how to get them read, and how to make them work for you inside the accounts you sell to.

In Part I, I covered Differentiating Yourself in the Sales Call. (Note: if you’re looking for a technical read, this is not it.)

So, next, let’s turn to the scope, and how what you cover in your engagement has a lot to do with who buys it and who reads it.  

If you want to grow your business, keep reading – the assessment is the best way (and one of the only ways) to get engaged with decision makers (the people writing the checks).

Your Client Is Wrong About Scope 97% Of The Time 

I hear it all the time: “The client is always right.” No, they’re not!!! Especially when it comes to security.

Remember (See my book, The House & The Cloud) your IT contacts are not liable. And your asset-owner contacts (who are liable) have very little understanding when it comes to security.

So don’t let the client dictate the scope.

In short, you can’t simply respond to an RFP and come up with a meaningful assessment project (I discuss RFP responses in detail in my book, From Vendor to Adviser).

Getting The Scope Right

When I bring up assessments, the first question I get is, which tools (scanners) do you recommend? I’ll cover the actual assessment process in a future article. But for now, set tools/scanners, etc. aside. There’s something far more important here to consider…

The typical approach to assessing risk is Inside/Outside. But looking inside (trusted), and then out, is wrong thinking…

The truth is, your client doesn’t have an inside or outside anymore. Sure, your dream client has a perimeter, but half the office is on the road or working at home. They’re all outside on their mobile devices. Chances are these knowledge workers are going back and forth between personal (Facebook and shopping) and business, and on breaks their kids are playing Counter Strike or World of Warcraft (or surfing porn and gambling sites).

(And then there’s the 75% of employees who admit they steal from their employers – all of them inside, according to the WSJ.)

Wrong Thinking

Every paid assessment should cover perimeter devices, end nodes, and network architecture/segmentation & configuration. That much is obvious, so I won’t elaborate.

Yet, when I read a scope document, and it breaks the assessment down into: Internal, External, Network, Perimeter, and Servers/Storage…I get concerned.

This infrastructure-centric approach is for the super-techies, not business leaders.

I can already imagine the deliverable with its endless tables and network diagrams, and the Red, Yellow, Green light ratings that appear on every assessment. If you’re looking to differentiate yourself, this won’t do it.

Price will be the deciding factor!!!

Rethinking Your Scope – Make It Attractive to Business Leaders

The business people (Asset Owners) are the ones who will be writing this check. So, what is it they need? In my book, The House & The Cloud I spell out exactly what the board is looking for (see page 195). It’s restated in Selling Assessments Part I.

This type of deliverable requires a different approach. The final outcome is a measure of risk (illustrated in the Impact vs. Likelihood Chart).

START HERE – DIGITAL ASSETS: Think like a Disaster Recovery Specialist…

Where is the data? Which of these assets are most important, and what can’t they do without?

It’s a fact that most companies have no idea where their data actually is, or who has access to it. When people travel, work from home, or use cloud apps, knowing gets even harder. Ad-hoc data is everywhere.

Tools such as those provided by RiskIQ are designed to find data. In some cases that data is sitting on someone else’s server (such as a competitor or in a darknet chat room, for sale).

Digital assets, not hardware infrastructure, are what assessing risk is all about. So consider the following:

ACCESS CONTROL – ACCESS TO DIGITAL ASSETS: People (and now robots) access data. Behind every data breach is a person. Some people have access, so they’re authorized. But not all authorized people are doing things they’re authorized to do.

Does your assessment include the people inside the organization? It should. Remember, “75% of internal workers admit they steal from their employer” (as referenced earlier).

PEOPLE: Given all that’s just been said, be sure to include interviews (more details on this in my book, The House & The Cloud pg. 196).

DATA ASSET TRANSMISSION & STORAGE: Once you know where the data is, you want to know who accesses it, from where, when, and why. Data transmission and storage are part of a company’s workflow. So include in your scope an analysis of assets as follows:

  • Creation: Understanding who is creating assets, when, and where is important. Most end-users don’t see their data as valuable or desirable outside their department or work function (this is true even when it comes to medical data). More importantly, they fail to realize how much data they are actually creating, and how data aggregation and deep machine learning can extrapolate and derive all kinds of intelligence from their daily activities.
  • Application: Data is then used by various applications, requiring transmission between applications, people, cloud services, etc. Are these applications secure? Who has access, and who controls that data when applications are hosted in another country?
  • Transmission: This includes all network and wireless traffic (including Bluetooth, etc.). Looking at transmission has to do with traffic and protocols. So include traffic analysis – what protocols are found? (e.g. Does IRC chat traffic belong on this network? Probably not. Did you look for it?)
  • Storage: All data gets stored at some point – even if it’s just in memory. Did you know copy machines store images of everything (and then those leased machines get placed in new businesses as your client upgrades)? And then there are personal devices, personal email accounts, and the list goes on…are these considered part of the scope?
  • Archival: Data retention policies are key here. Is this data encrypted and does it get deleted at some point (according to policy)? A subpoena at the wrong time, right after an unscheduled deletion, could raise some eyebrows. Are cloud service providers storing this data locally, or is it international – under some other country’s privacy laws? Who owns that data? What if the cloud provider goes out of business or is acquired?
  • Destruction: Then there’s data disposal. Do the end-users understand the difference between hitting the delete key and deleting a file? In most cases, no!

TRUE SECURITY (ALL THREE ASPECTS): Security can be looked at several ways. The CISSP (ISC2.ORG) common body of knowledge covers 7 major disciplines (and this varies over time). Most security professionals recognize three pillars:

  1. Confidentiality
  2. Integrity
  3. Availability

All three should be considered in the scope. I’ll provide more detail on approach in a future writing…but be sure to cover all three.

SOCIAL ENGINEERING: Social engineering is part of just about every cybercrime incident (probably all of them). However, it’s rarely part of the assessment. Again, go back to the purpose – identifying risk. The amount of risk a company has, has a lot to do with how susceptible its end-users are to a ruse.

Testing them is one way to uncover weaknesses – such as an email phishing test. In any case, some thought should be given to their current security awareness program, policy (covered below), and security culture.

POLICY: I’ve heard security experts say, all security breaches are the result of some policy not being followed, or not existing. I don’t know if that’s always true, but it does carry some weight.

Most policies are written to satisfy some compliance officer, not guide the daily activities of end-users, who create, use, and store digital assets all day long. Include a review, not only of the written policy, but how it’s used and enforced.

WHAT ABOUT AUDITS: This is not an audit, so don’t treat it like one. Audits are about being compliant (get your compliance offering going with HIPAA here) against some standard or law. They don’t measure risk.

So take time to educate your buyer on the difference. The goal should be to comply with the law, and then make sure things are secure. One does not satisfy the other.

Reference an Approach (NIST)

Finally, security is defined differently by different people, so just what does it mean to be secure? Or to assess risk?

Having certifications such as the CISSP (ISC2.ORG) or GIAC (SANS.ORG) can go a long way in proving to your buyer that you understand security.

Security engineers are not required to have their PE or Engineering Certificate, or be authorized by a board in the way doctors or lawyers are. While I am not in favor of more big government oversight (like what we’re seeing in the ever-frustrating world of healthcare), pointing to a standard or framework (such as NIST) is powerful when selling.

Most sales people (your competition) are not going to be able to articulate what standards/frameworks (such as NIST) mean. So take some time and educate yourself on what I call The Wall Street Journal Version of NIST (or whatever standard your firm will follow). You can check out my recent article on Understanding NIST here.

And the Winner Is…

Do you want to win your next sales opportunity????

Assessments open doors and allow you to prove your value…however,…

Assessing Risk is a business function. Like Disaster Recovery/Business Impact Analysis (which is really just one of the security disciplines), it is the executive team that needs an understanding of their exposure and impact/likelihood…the odds they’ll suffer a loss.

And this explains why high-end consulting firms like PwC and KPMG have long been welcomed in the board room, while resellers and most hardware manufacturers continue to hit the down button when getting on the elevator.

© 2017, David Stelzl

P.S. Get the entire security sales approach here (The House & The Cloud) – the only book out there with a clear methodology for selling high-margin security business.


What’s The Point of Your Security Assessment?

Are Your Clients Actually Taking Any Relevant Action?

This week on a coaching call with one of our Mastery Security Training Attendees we were discussing the role of the consultant in the security assessment process. In this case the Assessment Sales were NOT closing.

In other cases we discussed, conversions from Assessment to Remediation or Managed Service were weak.

The complaint: Can I rely on our security consultants to deliver, or should I sell something else?

The Problem is Sales, Not Technical

First, sales people should never turn the SELLING over to a consultant or engineer unless that technology expert has a track record of closing. Knowing a lot about security does NOT lead to selling assessments. Selling and marketing are not driven by sound bites, technical know-how, or certifications.

In the Security Sales Mastery Program we teach sales people to speak about security at the business level. Executive Management is where the assessment should be sold.

Assessments are about risk. They measure Impact vs. Likelihood. At least they should. 

The Point of the Assessment is NOT Just About Risk: It’s About Conversion

In a sense Assessments are a marketing effort.

The Sales person sells the deal to measure risk. The consultant measures risk. But then something salesy has to happen.

Like the cardiologist: if the patients are about to die but don’t take on the treatment plan, the doctor is failing. It’s the doc’s job to sell his patient on doing something. Yes, ultimately the patient is responsible for their health, but if the diagnosis is poorly communicated or the risk poorly described, the doc is doing something wrong.

Look at the Deliverable.

In many cases it will be a 50-page paper (enterprise size deal) or something much shorter in the SMB. But is it written to the person who cares about risk? In most cases the answer is NO.

This is a sales problem. If you, the sales person, sold the assessment, hopefully you sold it to someone at the business level to help them measure something specific – risk.

It might be compliance like HIPAA, or it might be to identify the likelihood of data theft, system disruption, or data misuse. Theft, misuse, and disruption can all be in the same report; however, your findings must be written to the asset owner, the person with liability.

Don’t let the consultant take this to the client before you have read and understood what it says.

Are there mistakes?

Was the paper written using an old assessment from another deal?

If so, are there facts left over, such as a “company name,” that just don’t belong in this paper? Believe it or not, these are common problems. But it’s the sales person’s job to read it and scrutinize the value of the report.

Sure, the technical team shouldn’t be making mistakes like labeling a diagram with Cisco routers when the client uses Juniper (Yes, I’ve seen this happen!). But technical people are rarely writers. They won’t write at the executive level, they’ll miss edits that are obvious to the sales person, and they’ll often use an older document rather than starting from scratch. It happens even with the best teams.

Should You Keep Selling Assessments?

Yes, your clients need them. And they’re one of the best avenues to big business.

But sell them at the business level. Don’t succumb to IT people wanting assessment quotes. Unless they’re high dollar projects, they’re not worth doing. Make your way upstairs and find out what’s really needed.

When it’s time to assess, make sure your technical team knows exactly what you sold. It should be a measure of risk as described in The House & the Cloud. And when it’s time to deliver, read it. It’s your deal. It’s your client. It’s your responsibility. And it’s your biggest up-sell opportunity.

© 2016

Three Things You Can Do To Earn A Seat At The Table

Continuing from yesterday’s topic, Things Sales People Do That CIOs Hate, last week’s keynote also covered three things CIOs really need…and can’t easily get internally.

  • Security Intelligence. Intelligence is the new security buzzword. Not that it’s new. But for years people have talked about “Defense in Depth”, “Zero Day Response”, “Layered Security,” etc. Recent WSJ reports are telling us that just about every board meeting agenda allots about 30 minutes to security. What do the leaders of that meeting want to know? They want a measure of risk – “What are the odds our company will get hit this year?” Who, besides you, can give them that information?
  • Advice on leveraging new technologies. In the interview I referenced yesterday, the CISO I was meeting with talked about his need for advisors. He can’t know everything, and his team is heads down on support issues, project implementations, and daily operations. They don’t have time to keep up with technology the way you do. So rather than showing up with your corporate presentation, show up with research and examples. Knowing what other “like” companies are doing to compete will go a long way. In the interview he mentioned compliance as an area they constantly need more advice on…can you advise your clients on HIPAA, GLBA, PCI, etc.?
  • Trust. Most of the sales people out there are just trying to sell. Is that you? Do you care whether your product actually works, or delivers a benefit this client needs? If you do, and I hope you really do, you’re a minority. The great thing about security is, just about everyone needs new security. As threats evolve, and IT moves toward new disruptive technologies, the security strategy is constantly evolving. It’s safe to say that, regardless of who they end up buying from, they do need security. Make sure you are doing the things that earn that trusted advisor status. Security is a great place to start.

Copyright, 2016 David Stelzl

PS. Check out what Compliancy Group has to offer resellers…compliance offerings without going back to school for four years.

In case you missed my recent interview with Marc Haskelson

Here’s a short clip on the difference between security and compliance (specifically HIPAA, but Marc’s answer applies to just about every compliance regulation I can think of – PCI, GLBA, SOX, etc.). The gap is big, and healthcare companies are paying for their lack of knowledge on this subject! When there’s confusion in the marketplace, there’s also opportunity. You can learn more about how to tap this market right here.

© 2015, David Stelzl


HIPAA Isn’t Helping

If You Want To Help Shore Up Security, Start With HIPAA

As I mentioned in yesterday’s post, I’ll be interviewing Marc Haskelson later today, Founder and President of The Compliancy Group. He didn’t write the HIPAA requirements, but he understands them, and knows which of your clients need HIPAA. He also knows where it falls short.

HIPAA Is Not Security – It’s A Government Law

Do you know what HIPAA stands for? Google it and you’ll come up with more than one answer…if you’re going to bring it up in a meeting, make sure you know. Here it is: Health Insurance Portability and Accountability Act. (Note, it’s not the information portability act, and it’s not HIPPA.)

It would have been great if the authors of HIPAA understood technology and security. The fact is, many of your clients either require HIPAA compliance, or will in the near future. The problem is, “HIPAA isn’t helping” healthcare security, according to Gary McGraw, CTO of Cigital (a leading software development firm headquartered in Dulles, VA). If you’ve read my book, The House & The Cloud, 2nd Edition, you know I agree. There’s a large chasm between compliance and security, but regardless, HIPAA is required.

In a recent study, “Healthcare overwhelmingly scored lower than financial services firms, ISVs, and consumer electronics firms, which include some Internet of Things providers,” according to Kelly Jackson Higgins, in an article posted on DARKReading.

As McGraw states it, “All [HIPAA] did was increase bureaucracy and the tiny print stuff handed out each time you go to the doctor. It over-focused the healthcare domain on privacy and patient privacy data, which is an important thing. But there are many other aspects of security that have little to do with privacy.”

The real problem with HIPAA is it has given doctors a false sense of security. In a recent healthcare conference I spoke at, every session that had something to do with security was all about HIPAA. When I gave my presentation, I started by asking the audience to forget about HIPAA for just one hour, and listen to what it means to be secure.  The response was one of surprise. No one had ever told these people that data, governed by HIPAA, was still at risk.

Over the past year we’ve seen numerous companies attacked, regardless of their HIPAA compliance efforts. To name just a couple: Anthem and UCLA Health come to mind.

I have a colleague who recently took a job with Websense. This year they published a study showing healthcare organizations are being hit 3 or 4 times as often as other firms by cyber attacks. Forbes noted in a recent article that healthcare data is worth 10 times that of credit card data on the black market. A Trend Micro study shows that “nearly 27% of data breaches reported over the past decade occurred in the healthcare sector, and healthcare was the hardest hit by identity theft in the past 10 years, with 44.2% of those cases caused by insider leaks” (cited by the DARKReading article above).

Here’s The Problem

People think they are secure when they are compliant. HIPAA requires so much paperwork that the security issues get lost in the process. The financial companies know they’re a target, while a recent survey published by Trustwave reports that healthcare IT professionals don’t.

How can you get involved? First, where there’s a problem, there’s an opportunity. I’m interviewing Marc today to get a better sense of what HIPAA really requires, and to show technology resellers how to get involved. Healthcare companies and their third-party providers both need help, as well as education on HIPAA. The House & The Cloud message was extremely effective in the healthcare conference I spoke at. For the first time their eyes were opened, and they saw the need. This kind of education opens doors of opportunity that are both helpful to your clients and profitable to your business.

Here are two things you can do…

First, visit the Compliancy Group Site to get more information on how to become a HIPAA Security Provider. Marc will do everything he can to help you get up and running with minimal time and investment.

Second, enroll in the Security Sales Mastery Program. If you qualify with one of the many sponsors supporting this program, I can get you a free seat (normally $450). Contact me and we’ll find a way to get you into the program.

© 2015, David Stelzl