What to ask when conducting your security risk assessment
How to answer sales objections when selling MSP solutions using risk assessments [free assessment template]
It’s easy to leave a channel event, distributor conference, or mastermind group feeling good about your MSP business. After all, your business is producing a profit.
You’ve been in business for 20 years or more. And you’ve managed to weather several economic downturns over the past couple of decades.
Don’t get too comfortable…
The high-tech business is a fickle thing…there are economic downturns (recessions, depressions, or whatever you want to call them…) and then there’s commoditization. The latter is your greater enemy.
Like medical and grocery sales, people need their computer. The high-tech business (servers, storage, data center, etc.) has been a high growth industry since I entered the business world out of college. It just has…perhaps it always will…tech is the lifeblood of most businesses today. We can’t work without it.
However, it commoditizes.
Building Sustainability Into Your Business
This week I’m attending a marketing conference in Cleveland OH. Over 1200 small business owners packed into an auditorium listening to some of the greatest entrepreneurial minds in the world.
This morning’s session focused on sustainability.
As the speaker unfolded over an hour’s worth of strategies, the MSP business came to mind…a business that relies on long term customer retention.
MSP sales are not transactional. In fact, if your clients only stayed a month or two, your cost of sales would eat your business alive. You really need them to stay.
Historically, retention in the MSP business is 5 years (average). Yours might be more or less, but you should know your number. The goal is to increase it. If you could add just one year to your average (assume you have 100 clients signed on), that’s 1200 months of MRR (Monthly Recurring Revenue) added to your business in that one single act. Or think of it as signing a 1200 year contract with your next client!
5 Things You Should Be Doing To Create a Sustainable MSP Business…
Build Evergreen Assets. If you’re taking care of your customer, you’re probably meeting quarterly to review their IT. Hopefully you’re also giving them guidance. During the initial sale you also had to review their business and create some sort of proposal.
However, building everything from scratch is destined to fail. The cost of customization is high, and the likelihood of messing up is high too…Better to productize your offerings…here’s how.
First, you should be selling packaged offerings. There’s your core MSP offering, and then there are add-ons (like riders on an insurance policy). However, when you buy a car, those extras are often bundled into packages. The electronics package with the stereo upgrades. By doing this the dealer eliminates the headache of creating a completely customized quote.
In this case you need at least one (but probably more) security package…one that can be added to their existing MSP agreement (if someone else holds that contract), or attached to yours (now or later).
There’s also a maturity model…if you were to create a maturity roadmap for security, when your new customer joined your program, you would figure out where they are right now, and begin taking them through your 24 step program…certain mail pieces, meetings, assessments, and sales efforts would be made along the way – all predetermined.
Building Identity. Customer loyalty is also a key to sustainability. Not everyone will be loyal, but the hotel and airline industries, as well as Amazon and Starbucks, have all proven that people will join the club if you sell it the right way.
It turns out identity (the people group, brand, or team I identify with) will drive my behavior faster than just about anything else. I’m a lifetime platinum member of Marriott…when it’s time for coffee, I’m waiting in line at Starbucks in the airport, even though there’s a coffee shop right across the hall with no wait. Why?
I’m part of the club. I identify myself as a Starbucks customer, I stay at Marriott unless there just isn’t one…and I’m not the only one. If you’re sitting there telling yourself you don’t do that, remember, you’re not your own customer…you want to sell to people who will sign on with a brand and stay.
Sell to The Right People. There is a people group out there worth your time…but there are also people not worth selling to.
Your job is to identify the people group you work well with, and go after them. I was talking to a very successful entrepreneur this week – he told me he sells to men, age 45 – 60, ambitious, hard working, learners, who are already in business. He also noted it’s best if they are married, politically conservative, etc. You might think he’s too narrow. Yet he’s made millions (plural) of dollars in personal income annually over the past decade.
Signing the wrong people onto a business that demands retention is a recipe for failure.
When identifying your perfect customer (the customer avatar) you’ll want to know how they think…the more you know what’s on their mind, the better.
Today’s speaker said it like this…”Know what they are thinking about every day as they leave the office…know what they talk about around the dinner table each evening…and if they wake up at night worrying about stuff, you should know it.”
In the End They Need Hope. Dave Ramsey does one of the best jobs of selling hope. He tells his team, when you pack up a book or CD to ship out, it’s not a book, it’s a package of hope.
With MSP, remember, most small businesses are frustrated with computers. They don’t understand them, they don’t really trust them, and when it comes to security, they’ll do just about anything to avoid thinking about it. Security issues just create more stress…
Want To Build The Sustainable MSP Business?
Stop trying to copy the models presented by MSP cloud offerings around you. They don’t know how to sell to the SMB market. They know how to sell to you…I’m talking about the SolarWinds, Continuums, and nAbles of the world…
Be radical…start thinking about what a small business really needs…what would remove all the IT stress from their world. And then start providing it to your ideal customer avatar. Add one year to your average, and then continue the journey. It’s the road to MRR growth…And it’s sustainable.
© 2017, David Stelzl
P.S. Do you have my Security Assessment Report Template…Designed to move prospects into your program quickly?
Here’s What Business Leaders Are Saying They Want in An Assessment Report (in Two Words).
Will the CISO actually read your security assessment report? What about the small business owner? Law firm partner? Doctor running a clinic (where HIPAA is required)?
The likelihood of anyone reading your report is nearly ZERO, unless you do this one thing first…
Separate the Technical from the Business Risk…
That’s right, you need two reports. One written in the language of leaders, the other technical. But don’t create a new report just yet…here’s a simple process that creates ONE REPORT, with two parts, giving your report better flow, while at the same time appealing to both audiences.
Executive Reports Should Not Have Stop Lights In Them
Let’s start with the executive summary. First, drop the word summary…and delete that one page summary page in your report. Call it the Executive RISK ANALYSIS…with an appropriate subtitle.
I’m 99% confident your current one-page summary will not speak to executives…and if it has the RED STOP LIGHT on it…well, check out what one CISO said in a recent interview…
Tom Watson, CISO for Sealed Air Corp, told me just a couple of weeks ago, “The stop light approach is meaningless”.
Having a red light on the summary page does not lead to immediate action or follow-on business for the consultant. There is no business justification in a red light. PERIOD.
The CISO’s job, according to Watson is, “To bridge the gap between technical and the board.” “My seat at the table,” says Watson, “Is where risk gets delivered in business terms to board members and my C-Level Peers.” In other words, the stoplight diagram does not quantify risk…the board won’t be moved by blinking lights.
Red Lights On Risk Reports = Idiot Lights On Your Dash
If you have an older car, the red light comes on when something is wrong… that could mean your gas cap is off, your catalytic converter is malfunctioning (and you might not pass your next emissions test), or your entire transmission system is about to fall off while driving down I-95 at 70 mph.
In other words, anything from a simple 2-second turn of the gas cap, to the $3500 transmission replacement project will satisfy the red light. But which is it? No one seems to know. So the new cars tell you what’s wrong (in one of N languages).
Your executive risk report is the same. The light justifies nothing…instead, you need an explanation…(in one of two languages).
So what will your explanation look like? A quantification of risk…a measure of Impact vs. Likelihood…Language ONE is BUSINESS…Consider the following…
- What assets were identified as having an associated risk? And what are the relevant threats, posing risk, which must be addressed? Are you aware many companies don’t even know where their data is? And so figuring out where the assets are, what threats exist, and how big those threats are can bring tremendous value to your C-Level contact before meeting the board.
- What are the odds data will be affected? Going back to the three pillars of security: Confidentiality, Integrity, Availability…it makes sense to find out which of the three matter for any given digital asset, and to quantify the risk (as a percent likelihood) in a graph.
- Finally, what is the trend? Is business risk increasing? Or is the firm’s security posture improving over time? As the company adopts next-gen technologies, leadership needs someone watching risk levels. As IoT projects, mobility, collaboration, etc. evolve, are business threats growing, remaining constant, or shrinking?
The report should be short, graphical, and written in business-ese. I highly recommend having someone with business savvy write this report. But don’t stop there… have a copywriter review and edit it.
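To show what the three questions above look like when actually quantified, here is an added example (not the author’s template or any vendor’s report): a small risk register that scores each asset/threat pair as Impact × Likelihood in dollars, tags which CIA pillar is at stake, renders a plain-text likelihood chart, and computes the trend between two assessments. The clinic, its assets, threats, dollar impacts and percentages are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Added example, not the author's tooling. Every asset, threat and dollar
# figure below is a constructed assumption for a hypothetical clinic.


@dataclass
class AssetRisk:
    asset: str             # the digital asset the business cares about
    threat: str            # the relevant threat posing risk to it
    pillar: str            # Confidentiality / Integrity / Availability
    impact_usd: float      # business impact if the event occurs, in dollars
    likelihood_pct: float  # estimated likelihood over the assessment period, 0-100

    def expected_loss(self) -> float:
        """Risk quantified as Impact x Likelihood, expressed in dollars."""
        return self.impact_usd * self.likelihood_pct / 100.0


def rank_register(register):
    """Highest expected loss first: the order an executive reads the list in."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def total_exposure(register):
    """Sum of expected losses across the register."""
    return sum(r.expected_loss() for r in register)


def trend(previous, current):
    """Per (asset, threat) change in expected loss between two assessments.

    Positive means business risk grew; negative means posture improved.
    A pair that appears only in the current assessment counts as new risk.
    """
    prev = {(r.asset, r.threat): r.expected_loss() for r in previous}
    return {(r.asset, r.threat): r.expected_loss() - prev.get((r.asset, r.threat), 0.0)
            for r in current}


def likelihood_chart(register, width=40):
    """Plain-text stand-in for the likelihood graph on the executive page."""
    lines = []
    for r in rank_register(register):
        filled = int(round(r.likelihood_pct / 100 * width))
        bar = ("#" * filled).ljust(width)
        lines.append(f"{r.asset:<20} {r.pillar[0]} |{bar}| "
                     f"{r.likelihood_pct:5.1f}%  ${r.expected_loss():>10,.0f}")
    return "\n".join(lines)


# Constructed sample data: a previous (Q1) and current (Q2) assessment.
ASSESSMENT_Q1 = [
    AssetRisk("Patient records DB", "Ransomware", "Availability", 400_000, 30),
    AssetRisk("Patient records DB", "Data theft", "Confidentiality", 1_200_000, 10),
    AssetRisk("Billing system", "Invoice tampering", "Integrity", 150_000, 5),
]
ASSESSMENT_Q2 = [
    AssetRisk("Patient records DB", "Ransomware", "Availability", 400_000, 15),  # backups now restore-tested
    AssetRisk("Patient records DB", "Data theft", "Confidentiality", 1_200_000, 12),
    AssetRisk("Billing system", "Invoice tampering", "Integrity", 150_000, 5),
    AssetRisk("Remote access VPN", "Credential phishing", "Confidentiality", 250_000, 20),  # newly in scope
]

if __name__ == "__main__":
    print(likelihood_chart(ASSESSMENT_Q2))
    print(f"\nTotal exposure: ${total_exposure(ASSESSMENT_Q1):,.0f} -> ${total_exposure(ASSESSMENT_Q2):,.0f}")
    for (asset, threat), delta in trend(ASSESSMENT_Q1, ASSESSMENT_Q2).items():
        print(f"{asset} / {threat}: {delta:+,.0f}")
```

The trend output is the piece a stoplight cannot give: in the constructed data the ransomware exposure halves because backups were tested, while a newly scoped VPN adds exposure, so total risk rose even though one finding improved. That is the kind of sentence a board can act on.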
Copywriters will take a boring report and turn it into engaging content. They’ll trim it down, bring out the headlines, and bring it to life, keeping your overworked reader engaged.
With one solid report in hand, it won’t be difficult to duplicate. If you look at the popular business books on the NY Best Seller List, you’ll see they have a readable style unlike any college text book or legal document. It’s that level of readability you are looking for in your report.
NOTE: This means that when you use vendor reports coming from SIEM, firewalls, etc., the reports they give you (while colorful and complete) will not land new business…Keep reading to see where your colorful vendor report goes…
The Technical Stuff (Including the Vendor-Report) Belongs in Appendix A
While you might be tempted to combine your executive report with the details, handing in the 100 page (War and Peace) report is not going to bode well for you. No one in the C-Suite has time to read 100 pages!
Business owners are even less likely to read a report that looks like a 5 hour project.
At least a CIO or CISO is responsible for risk as a primary job function. The small business owner, while responsible for computer security, is more likely to be focused on today’s invoices, a major customer-sat issue, or this month’s cash flow crisis. The 100 page report is likely going on a shelf…or in the round file.
If you create two reports, another problem emerges…the executive has one report, technical has another…are they different? Do they conflict?
The Solution is Easy…Appendix A!
Most of us skip the appendix when reading a book. But knowing the data is there gives us assurance that there’s research behind the author’s claims. The technical team will have access to the main report, but will likely find the details in your appendix more interesting.
Here’s What You Should Include (Notice there’s no stop light here either):
- Network diagrams
- Applications / Digital Assets (Prioritized)
- MTD/RPO requirements, i.e. maximum tolerable downtime and recovery point objective (data they don’t have up to this point)
- Any important business level requirements
- Technical details on malware, configuration problems, etc.
- Gap analysis against whatever standards you measure against – XTZ compliance, NIST, etc. (I highly recommend you base your assessment on something such as NIST to give your findings more credibility)
- Major issues to address (project recommendations – keep this list short)
- The punch list of everything else that should be addressed. Prioritize this list, and segment by functional area.
Between these two reports, you have what you need – however, the move to remediation has more to do with your presentation than it does with these two documents. Look for a future article on…
“How to Master The Board Room Presentation, When Presenting Risk Findings…”
How Long Will Your Business Remain Relevant…
…As Companies Around You Are Transitioning to Cloud, Consolidating IT, and Buying Less Hardware???
This morning, in my TechSelect Business Pillars Session, I delivered urgent steps of action EVERY technology reseller should be jumping on…here’s a summary:
Over the past 12 months, live event, one-to-many selling, has produced more leads and deals than just about anything.
The value of one MSP client in the SMB market averages at about $1500/month, or $18,000 per year – with a 5 year average retention rate, that’s just short of $100,000 per client!
Add advanced security to that deal and you’re likely to push your average up 20%…(Mid market deals, although harder to close, offer even greater potential if you understand the sales process I describe here).
What would your business look like if you could hit the numbers I reference in this video? What would it be worth to you to achieve this level of sales?
Find out in this 25 minute video how to re-engineer your business, with a new breed of security, now becoming a necessity in the SMB and mid-market space.
P.S. Get the step by step process in written form – The House & The Cloud
If You Want The Right People Reading Your Report, You Have to Start With The Right People In Assessing The Risk
Too Many Security Assessments Start and End With Technology – Big Mistake!!!
Data Security is a BUSINESS RISK issue, not a technical exercise…
Technology Infrastructure supports the business, just like administrative assistants, the fleet department, or shipping – A mishmash of infrastructure, people, and process working in harmony to run a business.
The more we move toward digitalization, the more we’ll see robots and automation replacing people, and changing the way business operates…
With process change comes risk change. Don’t be fooled – The Network is not the endgame. The business is…
In this article I’ll show you exactly who to include, why, and how – when thinking about risk assessments and data security.
Over the past several months I’ve written a series of articles on how to approach data security risk assessments.
However, rather than addressing the bits and bytes, I’ve intentionally focused on the selling, business interaction, and conversion strategies designed to drive new business opportunity.
The approach you take, and the people you include, have a lot to do with your conversion rates and business success.
Stop: The Traditional Approach To Selling Doesn’t Work!!! (When Talking SECURITY).
Remember, the purpose of assessing risk is to move the company forward on remediation efforts.
If you’ve been in security any length of time, you know it’s rare to come away from an assessment with NO URGENT ISSUES. Threats and security vulnerabilities are everywhere!!!
Whether it’s a gap analysis, pen test, or overall risk assessment, you’re going to find stuff – and it must be addressed. However, using the traditional vulnerability-assessment approach rarely leads to any significant change or remediation. If the stakeholders don’t have justification (in their own language) they won’t write the check needed to remediate.
By traditional approach, I mean, heading in with scanners, looking at internal and external vulnerabilities, diving into O/S configurations and network segmentation, all without ever engaging the company’s leadership or end-users.
The First and Only Place to Discover a Company’s Most Valuable Assets
Years ago I was struggling with just how to get executive attention with security assessments.
We were working in mid-market and enterprise accounts, assessing risk. The projects were highly profitable. However, the long term business opportunities just weren’t coming through (See my recent article on the Long Tail of Assessments).
In DESPERATION I consulted with a friend in the Disaster Recovery (DR) space.
DR experts always start at the top. Why? Because DR is much more than data. It’s a business issue.
When a DR plan is constructed, it includes things like business failover. Will the company have a hot site, warm site, or cold site? The plan addresses the entire effort of moving critical business functions over to a new location in the event of any major disruption.
In order to create a successful failover, business people have to be involved. Every step must be planned and tested.
The DR consultant needs to know what processes exist, what roles people play, what the business can’t live without, and how much time they have to be up and running following the BOOM (Any major disaster).
DR planning starts with the identification of critical infrastructure, applications, data, and people. It’s all just part of the bigger picture. But DR is SECURITY! That’s right…in the ISC2 common body of knowledge, the CISSP (of which I am one) studies DR as one of the primary pillars of security.
In other words, security assessments are a form of BUSINESS IMPACT ANALYSIS. They consider risk (IMPACT vs. LIKELIHOOD) – the likelihood of experiencing the impact for an event.
Measuring risk, like we’re talking about here, demands an understanding of assets and critical infrastructure, which can only be had through interaction with the stakeholders…
And no, this can’t happen by submitting a list of 10 or 20 questions to the IT director to be passed up the ladder…the DR expert would never proceed without direct contact. It’s UNTHINKABLE.
Only These People Can Tell You How Data Gets Created and Where It Sits
Talk to the End-Users – the one thing everyone seems to avoid doing during an assessment.
The executives should be able to tell you (the assessor) what is important. However, don’t expect them to know exactly how data gets created, used, or who needs access…
Maybe in a very small business…but go upstream and talking to end-users becomes necessary.
Only the end-user can tell you how data is getting entered or created. The problem is, these hands-on knowledge workers are almost never included in risk assessment interviews. Go over to the DR side and you’ll find these data-creators and users intimately involved in what goes on with the company’s daily operations.
Finally, It’s Time To Invite Technical People To The Party
It’s time to predict major holes…that’s right, PREDICT…(Do this before diving into the servers and network)
Enter the SECURITY technical subject matter expert (SME). In most risk assessments, the SME is first in line…but shouldn’t be. The assumption is, the network and servers need inspection, so let the tech guy do it.
Technical people are essential to a proper understanding of the company’s security architecture – and analysis of any scans or traffic…
However, risk has a lot to do with business process, types of data, market conditions, and business activities specific to your client. For instance, if there’s a merger in the works, a strategic announcement or product launch, or perhaps a layoff coming, the company’s risk will be affected.
You’ve taken time to review your client’s business (Through executives and end-users) – so now it’s time to merge your findings with technology…
Your technical team should now be reviewing everything you have discovered… with the goal of understanding how your client’s data should be protected… It’s an INTERNAL brainstorming exercise.
You and your team are asking the question: What would need to be true to keep this company safe?
DO THIS: Make a list of 20 things that a company like this (size, category, market, vertical focus, etc.) must have in place given the current relevant threats (for instance – Ransomware).
NOTE: More details on threats and security mistakes in my book, Digital Money (on Amazon).
It is from this list your technical team will begin their analysis.
You May Now Look At The Network
List in hand – it’s time for the deep dive. Notice, now you can ask the IT people specific questions about encryption, failover, access control, etc. with business relevance. Look at your competitors’ assessment deliverables and you’ll see almost no one does this sort of thing.
Your client’s workflow directs you through their systems and architecture…so rather than looking at this from an inside/outside perspective (which does still need to be considered) you are approaching from an asset perspective.
I call this ASSET FOCUSED…
Where is the data? Who accesses it? Where does it travel and how? How is the precious cargo stored, archived, or deleted? And what must be true to keep the company’s secrets secure (considering CONFIDENTIALITY, INTEGRITY, and AVAILABILITY)?
In addition, you will want to scan for vulnerabilities…but MORE IMPORTANT is collecting traffic. Another step often missed on the assessments I see…If there’s malware or foul play, it’s going to show up in the traffic!
And, don’t leave out the ONE BIG HOLE so many companies fail to consider…End User Awareness Training…in fact, it might be wise to develop a quiz of some sort, and add a scoring system to show your asset owners where their data creators and accessors are with regard to security savvy.
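The “20 things that must be true” list, the deep dive that follows it, and the awareness quiz above are one workflow, so here is an added example (not the author’s method and not a mapping to NIST or any other standard) that carries it through: a weighted must-have control list is checked against what the technical team observed, unobserved controls count as missing, and the result is split into the short “major issues” list and the punch list segmented by functional area, with a per-department awareness score alongside. The clinic, control ids, weights, observations and quiz results are all constructed assumptions.

```python
from collections import defaultdict

# Added example, not the author's method or a NIST mapping. The control list,
# observations and quiz results are constructed for a hypothetical small clinic;
# control ids, weights and statuses are assumptions made for illustration.

# "What must be true" list: (id, control, functional area, weight 1-5, asset protected)
REQUIRED_CONTROLS = [
    ("C01", "Offline, restore-tested backups of patient records", "Backup/DR", 5, "Patient records DB"),
    ("C02", "MFA on all remote access (VPN/RDP)", "Access control", 5, "Remote access VPN"),
    ("C03", "Email filtering with attachment sandboxing", "Email security", 4, "Staff mailboxes"),
    ("C04", "Endpoint patching within 30 days of release", "Patch management", 4, "Workstations"),
    ("C05", "Patient DB segmented from guest/clinical Wi-Fi", "Network", 4, "Patient records DB"),
    ("C06", "Encryption at rest for patient records", "Data protection", 3, "Patient records DB"),
    ("C07", "End-user awareness training with scored quiz", "People", 3, "All data creators"),
    ("C08", "Egress traffic capture reviewed for beaconing", "Monitoring", 3, "Whole network"),
]

# Constructed observations from the deep dive; anything not observed is treated as missing.
OBSERVED = {
    "C01": "partial",   # backups exist but a restore has never been tested
    "C02": "missing",
    "C03": "met",
    "C04": "partial",
    "C05": "missing",
    "C06": "met",
    "C07": "missing",
    "C08": "partial",
}

STATUS_FACTOR = {"met": 0.0, "partial": 0.5, "missing": 1.0}


def gap_score(weight, status):
    """Weight of the control times how much of it is absent."""
    return weight * STATUS_FACTOR[status]


def gap_analysis(required, observed):
    """Every control that is not fully met, largest weighted gap first."""
    gaps = []
    for cid, control, area, weight, asset in required:
        status = observed.get(cid, "missing")   # unobserved counts as a gap
        score = gap_score(weight, status)
        if score > 0:
            gaps.append({"id": cid, "control": control, "area": area,
                         "asset": asset, "status": status, "score": score})
    return sorted(gaps, key=lambda g: g["score"], reverse=True)


def major_issues(gaps, limit=3):
    """The short project-recommendation list for the executive page."""
    return gaps[:limit]


def punch_list(gaps):
    """Everything else, segmented by functional area for Appendix A."""
    by_area = defaultdict(list)
    for g in gaps:
        by_area[g["area"]].append(g)
    return dict(by_area)


def coverage_pct(required, observed):
    """Weighted share of the must-have list that is in place, as a percent."""
    total = sum(w for _, _, _, w, _ in required)
    missing = sum(gap_score(w, observed.get(cid, "missing")) for cid, _, _, w, _ in required)
    return round(100.0 * (1.0 - missing / total), 1)


def awareness_scores(quiz_results):
    """Percent correct per department from a constructed awareness quiz."""
    return {dept: round(100.0 * sum(answers) / len(answers), 1)
            for dept, answers in quiz_results.items() if answers}


# Constructed quiz results: True = the security question was answered correctly.
QUIZ_RESULTS = {
    "Front desk": [True, False, True, True],
    "Billing": [False, False, True, False],
    "Clinicians": [True, True, True, False, True],
}

if __name__ == "__main__":
    gaps = gap_analysis(REQUIRED_CONTROLS, OBSERVED)
    print(f"Must-have coverage: {coverage_pct(REQUIRED_CONTROLS, OBSERVED)}%")
    print("Major issues:")
    for g in major_issues(gaps):
        print(f"  {g['id']} {g['control']} ({g['asset']}, {g['status']})")
    print("Punch list by area:")
    for area, items in punch_list(gaps).items():
        print(f"  {area}: " + ", ".join(g["id"] for g in items))
    print("Awareness by department:", awareness_scores(QUIZ_RESULTS))
```

Treating an unobserved control as missing is deliberate: a gap the deep dive never checked is still a gap, and the weight carries the business relevance you gathered from executives and end-users into the technical findings.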
Time To Deliver Results – Don’t Leave Out This One
You’ll need two reports to make this work. The executive summary, and the appendix…Who’s going to write this?
In most cases, your competition is only delivering the latter…Oh, they probably have a section in their 50 page document called Executive Summary…but how many executives are actually reading that section? Take a look and see if it looks like executive reading material. (Hint: the Red Light, Yellow Light, Green Light was a clever invention, but I don’t see CFOs acting on it).
Executive summaries should be short, to the point, and easy for business people to digest. Check out Chip & Dan Heath’s book, Made to Stick, for some insightful tips on making reports consumable and memorable.
If you think your SME is going to write this document (the executive one), think again. This is an exercise requiring the skills of a copywriter – learn the skill or outsource it.
Important Factor: After All, You’re Liable!
Finally, make sure you get an audience with executive management during the initial stages and deliverable stages of your assessment. Insist on it! Don’t take NO for an answer.
After all, you’re liable in some sense. If your client gets hacked tomorrow, and you were in there today, someone is going to want to talk to you. If you’ve uncovered serious holes in the armor, and you were depending on IT to carry that message to the commanding officer, you just might be surprised to find out it didn’t really happen the way it was supposed to.
What’s The One Big Issue Behind Almost Every Hack?
Hint: Most Risk Assessments Ignore It!
- Poorly configured or managed firewalls,
- Untested backup systems,
- Improper network segmentation