What’s The One Big Issue Behind Almost Every Hack?
Hint: Most Risk Assessments Ignore It!
- Poorly configured or managed firewalls,
- Untested backup systems,
- Improper network segmentation
NIST is important to the Assessment process as it gives you an easy reference point from which to assess and define risk. In a sales situation, the customer (if they have any knowledge at all) should be asking you how you approach assessments.
How will you answer?
If you’ve read my book, The House & The Cloud, You already know most of the NIST Security Framework…
(I wrote version one of The House & The Cloud in 2007, so you know I wasn’t just copying NIST – it’s a 2014 publication – of course I’m not claiming to be the author of NIST either).
Either way, it’s important to know NIST if you’re going to talk security. So here’s the simple “sales person level” overview…
Notice the outline below. There are 5 major components. You’ll remember from The House & The Cloud, PDR – Protection, Detection, Response (Chapter 13)…NIST simply adds IDENTIFY (on the front end) and RECOVER (on the back end).
In my 2007 book (updated in 2015), I develop The IDENTIFY aspect in more detail (just under a different heading – the Three Important Questions You Should Be Asking Asset Owners). – See Chapter 13, The Three Questions.
These three questions provide a clear understanding of just how asset owners (and IT) view their data, their threats, and their current approach to security. In most cases they have no idea that certain digital assets even exist, and chances are, IT cannot define their firm’s most pressing threats.
The House & The Cloud is a sales training book, not an SE’s Handbook. So use NIST as the foundation for your security approach to provide credibility in the sales process. Your client/prospect won’t know my name, but they can Google NIST.
It’s not necessary for you, the sales person) to be fluent in security architecture and the various approaches to remediate risk.
But getting buyers to part with money for NIST is a hard hill to climb. Chapter 13 of The House & Cloud provides the science behind the marketing approach. In my presentation (the one outlined in chapter 13) I first must break the preconception that my prospect has security “Covered”.
The conversion happens when the client sees their investment tied to column ONE – the NIST protection column (as is explained in The House & Cloud). Protection alone (keeping people out) won’t stop hackers…but until the client sees the truth (and admits their mistake) they won’t move forward.
If you want to be the Trusted Advisor, you must be TRUSTED, and ABLE TO ADVISE…and that means you client must first admit they need advice!
The House & the Cloud solves the problem of how to explain what security should look like, while getting the prospect to admit they have it wrong (Assuming they do).
My response calls for Realtime Response…I make the point (in The House & Cloud book) that faster response is needed – even realtime response to stop the threat before harm is done.
In other words, if I could somehow stop the ransomware before my data gets encrypted – I would be a lot better off.
However, stopping disasters is not always possible…and so the Disaster Recovery Plan is essential…developed, documented, and tested regularly. This last component needs work, especially in the small/medium business markets…
Disaster Recovery offers another great opportunity for resellers in the IT Management / MSP business! (And I’m talking about a lot more than just Backup and Recovery Services).
Check out this short NIST video from Rapid 7 for the overview…(Thanks Rapid 7, this clears up a lot of confusion).
© 2017, David Stelzl
This week on a coaching call with one of our Mastery Security Training Attendees we were discussing the role of the consultant in the security assessment process. In this case the Assessment Sales were NOT closing.
In other cases we discussed conversions from Assessment to Remediation or Managed Service were weak.
The complaint: Can I rely on our security consultants to deliver, or should I sell something else?
First, sales people should never turn the SELLING over to a consultant or engineer unless that technology expert has a track record of closing. Knowing a lot about security does NOT lead to selling assessments. Selling and marketing are not driven by sound bites, technical know-how, or certifications.
In the Security Sales Mastery Program we teach sales people to speak about security at the business level. Executive Management is where the assessment should be sold.
Assessments are about risk. They measure Impact vs. Likelihood. At least they should.
In a sense Assessments are a marketing effort.
The Sales person sells the deal to measure risk. The consultant measures risk. But then something salesy has to happen.
Like the Cardio Doctor, if your patients are about to die but don’t take on the treatment plan, the doctor is failing. It’s the doc’s job to sell his patient on doing something. Yes, ultimately the patient is responsible for their health, but if the diagnosis is poorly communicated or risk poorly described, the doc is doing something wrong.
In many cases it will be a 50 page paper (enterprise size deal) or something much shorter in the SMB. But is it written to the person who cares about risk? In most cases the answer is NO.
This is a sales problem. If you, the sales person, sold the assessment, hopefully you sold it to to someone at the business level to help them measure something specific – risk.
It might be compliance like HIPAA or it might be to identify the likelihood of data theft, system disruption, or data misuse. Theft, misuse, and disruption can all be in the same report, however your findings must be written to the asset owner. The person with liability.
Don’t let the consultant take this to the client before reading and understanding what it says.
Are there mistakes?
Was the paper written using an old assessment from another deal?
If so, are there facts left over such as a “company name” that just don’t belong in this paper? Believe it or not these are common problems. But it’s the sales person’s job to read it and scrutinize the value of the report.
Sure, the technical team shouldn’t be making mistakes like labeling a diagram with Cisco routers when the client uses Juniper (Yes, I’ve seen this happen!). But technical people are rarely writers. They won’t write at the executive level, they’ll miss edits that are obvious to the sales person, and they’ll often use an older document rather than starting from scratch. It happens even with the best teams.
Yes, your clients need them. And they’re one of the best avenues to big business.
But sell them at the business level. Don’t succumb to IT people wanting assessment quotes. Unless they’re high dollar projects, they’re not worth doing. Make your way upstairs and find out what’s really needed.
When it’s time to assess, make sure your technical team knows exactly what you sold. It should be a measure of risk as described in The House & the Cloud. And when it’s time to deliver. Read it. It’s your deal. It’s Your client. It’s your responsibility. And it’s your biggest up-sell opportunity.
If you provide IT services to businesses, I hope you’ll consider doing one of these with me at some point. Every business needs it, and most don’t understand the threats they are up against.
It’s a busy fall for us. Last week we wrapped up a session in San Francisco with large reseller executives, then headed down to work with a large sales team in Irvine, CA. And tomorrow, Cincinnati, a session sponsored by InTrust-IT…
The big question always comes up, “Why would anyone want my data? After all, we’re just a local business. There’s nothing interesting here.” I think Verne Harnish answered that question last week. If you’ve read his books, Rockefeller Habits, and Scaling Up, you know he’s a small business with very little in the way of infrastructure. Like me, he’s a speaker and a business coach, supported by a small team. Yet his blog post tells the story of a $400K ruse that caught him and his team completely by surprise.
Why small business? Because small businesses still have money, take out loans, and process credit cards. They have bank accounts and payrolls. Today’s hacking tools are largely automated. So sending out hundreds or thousands of scamming emails takes the hacker very little time. When one lands, the hacker will follow up. Small businesses are also largely unprotected by this sort of thing.
It might be a fraudulent invoice or request for ACH wire transfer. In Verne’s case he writes, “They sent an email to my assistant completely imitating my style, subject line, and signature asking her to wire funds to three different places.” This is getting more and more common. The more data we put online about ourselves, the easier it is for someone to impersonate us!
Digital Money, my latest book, goes into detail on this. Data aggregation is in motion, pooling our data in one place where it can be analyzed.
There are several major data aggregators out there doing this. But the idea is to collect enough data to profile YOU. This is usually for the purpose of some analysis or marketing effort. We’re seeing it used right now in the election. That’s right. The candidates are leveraging this data to figure out who is likely to be on the edge, and needs a push. The data tells them both who to target and how to influence them.
That data in the hands of the hacker allows the hacker to act just like Verne, or whoever they need to be, to issue orders to the team. Verne’s on stage in Russia, meanwhile his team is getting instructions to transfer funds. Will they? Of course. They’ve received these requests in the past, and they were real. There’s no reason to question them now, and the hacker knows that. These attacks are well scripted and highly successful. And the likelihood of prosecution is low.
Can it be stopped? Not completely. But there are ways to reduce the risk…and that moves us to a managed security program that involves people and technology, well equipped to deal with these common attacks. A program that detects these threats early on, before data has been compromised, and stops them before damage is done. Tomorrow, my goal is to give our audience the business-level understanding they need to make wise decisions going forward. And then to point them to the tools and process they’ll need to combat these attacks in the coming year.
© 2016, David Stelzl
I’m just heading back from meeting with over 300 CISOs and CIOs, all part of the Florida International Banker’s Association – Celaes Event, at the Trump Hotel, Doral.
Great event, very well run, and an opportunity to connect with security leaders from all over Central and South America. I was also able to reconnect with old friends from Kaspersky and Dimension Data.
Here are a few pictures…You’ll notice Former Mayor Giuliani on stage as well! The living room shot was part of my amazing suite…
And I’m leaving just in time to avoid Matthew, the latest hurricane headed this way.
Only about 15% of the risk assessments, from audience poles I conducted, are being acted on! Yet, over 95% of them show urgent issues, according to security experts I am in touch with. There’s a major disconnect.
One key reason I’ve observed, is the language being used to write the assessment reports. Not only are the reports too long to attract executive readers. Even if they did want to wade through the 50 page document, it would be like you or I wading through a technical journal to find out what to do about cancer risks. Chances are we would comprehend about 5% of it, giving up after the first few pages.
If you’ve worked in a large corporation, you know there’s a disconnect between IT and executive management. Don’t expect everyone to sit down to review your paper. In the small business the security expert doesn’t exist, and the small business owner is already running at top speed, trying to grow the business, manage cash flow, and build customer experience before their competition does. They don’t have time to sift through mounds of jargon.
But the other issue is one of desire and priority. Does the business owner or executive see your report as urgent – must read now? If you have not involved them in the findings, chances are they don’t see it as urgent. If they have an IT group, they’ll delegate it. If they don’t it will sit on their desk (especially if you waved your fee – a common practice in the small business market).
All of this changes when you start your assessment at the Asset Owner level. (See my book, The House & the Cloud, Page 195). Starting with those who have liability, with the goal of discovering their most important data as it relates to their business growth and profitability, is the best way to get them interested before you complete the assessment.
Find out what digital assets are most important to protect and why. Then look at who would want them. And based on how things are set up and who creates and uses this data, discover how unauthorized users might gain access. When you’re done, tie your findings to business issues. Leave out the technical jargon. And bring your report to the that executive with a short presentation on what it means to their business.
If your conversion rates on this process don’t go up to about 60% something is wrong. Consider reading through chapter 13 of The House & the Cloud – 2nd Edition, for ideas on how to convince your audience that this is important.
© 2016, David Stelzl
But don’t be the middle priced offering either. There’s absolutely no benefit…
Your only option is to move upstream. Kmart, Walmart, Target…they’ve all worked hard to be the low cost provider. And how is that working out? Well, Kmart is closing dozens of stores before year-end. Walmart has been sweating over Amazon, their chief competitor, for the past 12 months. Month after month, these big box companies are fighting over pennies. Amazon’s model is the only one that makes sense. It’s membership driven, offering music, storage, and instant purchase options, and a growing level of subscription oriented, monthly recurring revenue.
But in the reseller technology business you can’t win on price. Keep lowering you per workstation price and you’ll soon have margins that are so thin, you’ll have to let your best people go. Don’t do it. (You can find more strategies on this in my book, The House & The Cloud!).
Instead, start asking, “How can I upgrade to a premium level of service?” Take this one step further and ask, “Where is my niche market?”
You probably already offer firewall management. But as firewall companies like Check Point and Fortinet add advanced services such as threat emulation, sandboxing, and SIEM like technology, there’s an up-sell opportunity to provide the 7 by 24 monitoring aspect. Something your clients just cannot afford to do internally.
Don’t have your own SOC (Security Operations Center), or the team to do this overnight? You can outsource it through channel-only security providers like Foresite. For a small fee, they’ll take over the management, offering different levels of service depending on the size and need of your client.
Don’t give this away. It’s your added value to the MSP program – something not many service providers are offering right now. Over time, begin adding security expertise to your team, and add some high-end security services to your offering. For instance, you might add virtual CISO services or take over the reporting and interface needed for auditors policing compliance regulations such as PCI and HIPAA.
One client I work with offers GLBA management to regional banks, leveraging new laws that require there be a compliance officer, independent of the IT department. How many small banks can afford to hire someone qualified to fill such a role? Not many. But a third-party provider is permitted and makes for a great add-on service offering.
If you’re getting beat on commodity pricing, start thinking about security services and how to add that premium level. If you just raise your prices, you’re likely to be out there with Kmart, closing down offices. If you only have one office, it might be a short ride to the end.
© 2016, David Stelzl