Archives For Proposals


After All The Work That Goes Into Security Assessments,  This One Thing, If Missed, Will Make The Entire Process a Waste of Time…

When the Truth is Clear…Cancer, Heart Attack,…Breach…People Act.  With Security Your Message Must Connect and Your Audience Must Feel The Pain.

You might think it’s callous of me to compare your own life (risk of cancer) to a data breach, but the truth is, data is what many companies see as their most precious asset.

Right or wrong, given a choice, companies will part with a few employees before facing business failure. And data loss often begins the downward spiral that can’t be stopped.

However, getting the company leadership to see these business-crushing threats, before they happen, is not easy.  Following is the strategy I’ve used to turn week-long assessments into annual contracts, and more.

Rule One: Don’t Present Without The Asset Owners!

Asset owners are those with liability. Have you ever presented a cost-saving solution to IT directors or middle managers? Tell them you can save them money, reduce FTE (Full Time Employees) by 50%, and improve quality of service, and they’ll quietly dismiss you as unqualified to do business at their firm. They’d rather build an empire than save money.

Take it one step further and show these cost-center agents how their personal role in the company (along with associated costs) is no longer needed with your new proposed automation process, and you might find an anonymous death threat in your mailbox.

Bring in the asset owners and something different begins to happen.

When it comes to security, technical staff rarely understand the value of corporate data, or the relationship between uptime and profit, according to several CISOs I’ve interviewed this year. And their interest (probably driven by the need to make money) tends to be self-serving (See Jack Eckerd’s book, Why America Doesn’t Work).

Tell executives their systems are likely infected with software, giving hackers the ability to listen in on private meetings, watch them in their office or bedroom, read their email (including personal mail), and track their whereabouts, and you’ll get a response similar to that of a homeowner waking up to their fire alarm. That same bot detection among IT folks will call for some patching next week, and perhaps an AV product review.

The Underestimated Power of Free

But what happens when you show up and the asset owner is suddenly not available?

If you’ve charged $100K for this assessment, you’re in good shape. Meet, sell hard, and find a way back to the asset owners…you owe them the deliverable.

However, if you’ve conducted your assessment pro bono, you’re also in good shape!

As a free service, you control the deal.  You don’t owe them anything. And since you’re liable for what you deliver, you have the right to delay the meeting until your asset owner contacts are free. Just let them know there are urgent things they need to hear, so the sooner the better.

(Get more on why Free Assessments Are More Powerful in my book, The House & The Cloud 2nd Edition).

Your Meeting Agenda Re-Engineered to Convert

Sure, you could email executives your findings, but digital findings don’t convert. Face to face is the only way to deliver the devastating news that an attack or data loss is imminent if action is not taken.

Here’s Your Agenda:

Start with their words. You’ve interviewed them (hopefully). More importantly, you’ve spoken with both executives and the people driving the daily business (end-users). So you know how important their data is, how long they can be down, and what can’t be seen by the competition.

You also know what’s not urgent in their minds. So avoid spending time on the non-urgent, even if you think it’s urgent. (e.g. Policy).

Next, list the top priorities. Did you discover evidence of compromise? Any malware activity, or symptoms of the same, is urgent. Note, patches, outdated systems, and EOL software are not urgent. A failing backup solution (on the other hand) is urgent. You’ll need to know why, and how to prove it. Consider things you would want fixed this afternoon if you were the asset owner, and draw out the urgency.

Next, it’s time to create some vision. You know how they work and where they’re headed as a company (from the interview process). So, using their current set up, begin to pose a number of WHAT IF scenarios. This is how you create a vision – allowing the buyer to picture something they really do want.

“What if your end-users could work without ever having to guess whether or not an email was infected with malware?”

“What if, whenever someone tried to connect remotely, your network would verify who the user is, check the system for malware and updated patches, etc., and only after approval, grant access?”

“What if we could take your restore time down from the estimated 5 days to the required 4 hours?”

In doing this, you’re watching for the nodding heads. Not those nodding off, but people in agreement. You want physical response / emotional response. This is your trial close. The power of trial closes is important. If you can get your audience nodding and saying yes along the way, you know, when you’re all done, they’ll keep nodding.

Finally, sell the vision – “We can get this done by the start of next month, etc.” The obvious question is, how much ($$$). Check out chapter 11 of my book, From Vendor to Advisor to see how to price this, and when to share the price.

© 2017, David Stelzl

How to Make Assessments Worth Selling

Think Like An Investor When Pricing

Most people invest at the wrong time (according to the Billionaire Investors Interviewed by Tony Robbins in his book, Money, Master The Game).  They jump on the bandwagon when things are high, and they sell when the market drops.

Running a for-profit assessment team in the early 2000s (for a global technology integrator) was more a lesson in financial management than sales for me.

Assessments are often sold at prices that leave little in gross profit.  Free assessments tend to offer no value, and simply leave the prospect disillusioned. And only a handful of these heavyweight documents ever result in any long-term financial gain.

Today I Want To Change This Lack-Luster Profit Prophecy Once And For All!

Here are Three Things to Consider That Will Change Your View of Assessment Profitability Forever.

  • Free Assessments Can Offer Some of The Greatest Returns on Your Investment.
  • High-end Assessments are Expensive To Sell – The Real Profit Is In The Aftermath.
  • Every Assessment Should and Can Lead to Annuity Business.

Free or High Stakes – Which Has The Bigger Payoff?

In my workshop, The Security Sales Mastery Program, assessments are central to the sales process. I covered some of this in an article on scope last week.

When I bring up the idea of using free assessments to drive business, I often get pushback. In response, I offer up three examples of assessments I was personally involved in. Let’s take a look…

(Get More Details in My Book, The House & The Cloud)

The $125,000 Hospital Assessment

This first example comes from a large hospital assessment, sold and delivered in the southeast. If you know healthcare (and you work in security) you know it’s a match made in heaven. Lots of needs, endless compliance regulations (many unmet), and an industry with deep pockets.

Our assessment was priced for profit. It took a total of 40 man-hours onsite, and another 40 man-hours of analysis and documentation.  Total burden cost, about $10,000.  $125,000 with a cost of 10K is high margin business, even to lawyers.

However, there were NO follow-on projects.

It’s our fault!!! Back then I did not understand how to create business from an assessment. Most don’t – the conversion rates from assessments like these are low, averaging about 20 percent.

So our total gross profit landed at around $115,000. Not bad for a two week effort. However, the upside potential (had we closed just one of our recommended changes) would have more than doubled our take.

The $36,000 State University Assessment

The university deal was won on a last ditch effort to get in the door. The university was looking at a number of projects to upgrade both the administrative and student networks, however, largely undecided on their direction.

On the way out the door I casually suggested an assessment might bring clarity to their needs, and to my surprise, they agreed. A few days later we signed the $36,000 agreement and scheduled to begin work.

Our team spent about 3 man-weeks on this initiative, engaged with the IT team on campus. When the report was complete, a meeting was scheduled to review our findings with the university’s key stakeholders.

Just 5 minutes into it, the leader of the pack put our document on his desk in a sudden pause, and complained, “This is not what we asked for.”

Keep in mind, our three weeks were spent, side by side, with their IT people. They were basically leading the charge…and here we were being reprimanded for missing the mark. As you might have guessed, the IT people stood back, nodding, as though they had nothing to do with our missing the mark. They effectively hung us out to dry.

The meeting ended abruptly, and the invoice was NEVER PAID.

Final gross profit: ZERO DOLLARS. Very disappointing…

Free Assessment: Thanks For Attending This Business Leader Event!

Finally, there’s the dreaded free assessment. My classroom example offers a total of five pages, including the cover letter. This particular example-giveaway was offered to small business owners on the heels of an educational event. Our audience was well qualified – mostly healthcare.

Our total time spent marketing and selling: about 2 days, plus a few days of phone follow-up using call scripts from a product on my webstore.

At the close of our risk-measuring initiatives (we closed about 30 assessments in that one event – in just 60 minutes!)…

One of the larger prospect-companies signed up for $36,000 in remediation work, signed an $8,000/month, 3-year agreement (and renewed for 3 more years), and went on to do at least two more projects worth $100,000 in revenue (figure 50% burden on projects and managed IT services).

Total gross profit: $356,000 (and still going)…

It’s important to note the cost of sales. The first two projects required 3 to 6 months of selling. The third, 3 mailings, a couple of days on the phone (done by contractors),  1 live event (with speaker), and about 4 days between starting and delivering the assessment.

Which of these three deals would you choose to get paid on?  If you own a technology business, which would you choose to build your business on?

The Free Assessment Worked, So When Do You Charge? What Would The Investor Do?

There is a time to charge!

So don’t just read the first half of this and think, “He always gives them away.” Free is RISKY.

Free requires the right audience, and a predictable conversion strategy – it requires knowing how to drive business through an assessment, just like choosing the right asset allocation has everything to do with an investor’s success.

All investments are tied to risk. Your paid assessment is largely a paper document, with a big price tag…If your paper offers tremendous value (like a stack of green paper with government markings on it) it’s worth a lot. On the other hand, if it has my child’s markings, it’s only worth something to me.

I’ve seen free assessments work in all size markets, however, as you scale the corporate ecosystem, closing gets harder. Client expectations grow as you engage with the more sophisticated organizations.

So, if the ROI looks great, you can afford to do assessments for free or for less. However, the likelihood of getting that follow-on business from a new, enterprise prospect is much lower than it would be in the SMB (Small/Medium Business) market.

So, in the larger markets, assume you’re going to charge when you assess.  But charge enough to make it worth your sales and delivery time.

Enterprise deals (like the first one mentioned above) are margin-rich. However, as you can see, we didn’t achieve our goal of long-term financial returns.

So, while the margin was high, the cost of sales was also high.

If you’re the selling agent, you may not care – you still get your fat commission check. On the other hand, if you get paid on bottom line performance, suddenly it matters.

How much does a 6 month sales cycle cost? Drive time, office time, lunches, etc. It all comes straight off the bottom line. Not to mention benefits, base salary, and opportunity costs associated with the seller.

In the SMB market, the financial picture is completely different. Small business prospects rarely spend much on remediation, however, the IT Services deal is there (unlike most enterprise accounts), so there’s your long-term profit.

There’s one more factor though. And it has to do with account control. Every sales person knows that controlling the deal is essential to the close. As soon as you hand in a proposal, you’re at the mercy of the prospect.

In the case of an assessment, once a contract is signed (with a fee attached), you no longer control the deal.

Don’t miss this…

Assessments are like proposals. Unless your company is highly specialized in audits/assessments (with high-end and frequent assessment/audit business), your quota achievement depends on closing follow-on business (projects and managed services). The fee-based assessment is controlled by the buyer – reducing your assessment-deliverable to a quote.

That’s where I went wrong on the University Deal…

IT was in charge. My team was directed by them, and executive involvement was not part of the plan. Yet an asset owner’s inputs are the most important part of understanding risk! Without asset-owner understanding, closing follow-on business (with a new prospect) is nearly impossible.

Assessing risk has everything to do with assets and their owners. Their business will live or die based on asset exposure and real-time detection/response to cyberthreats.

Without leadership involvement, you can’t possibly understand the company’s data value, most crucial systems, and greatest threats. How often do IT staffers know how much down time can be absorbed or how much data can be lost before shareholder value is impacted?

Sure, IT has an opinion, but to deliver risk, your process must look more like a Business Impact Analysis Report than a typical Vulnerability Assessment.

Here’s the thing. When the assessment is free, you’re in control. What does that mean?

Since no one is paying you, you have the right (and authority) to proceed according to your recommended approach. If you’re wrong, you’ll pay for it on the back end. If the client balks, you can always stop the process. It’s free, so you’re in control.  Do it right, and business will follow (along with profits).

When money changes hands, the buyer is in control. If they want you to submit questions and take their written answers (without any face time), it’s their choice.

Since all sales have an emotional component, you know that face time is important to any high-involvement sale…even if that face time is virtual. There has to be trust and advice to be a trusted advisor. And that requires interaction with those making the decisions.

The final analysis – in the SMB market, lead with free assessments almost every time. The $500 to $2500 price tag on SMB assessments leaves no budget for IT services, and will take months to close.

In the enterprise, carefully weigh the risks, and what factors must be present to take on the risk of assessing pro bono. If the cards are stacked against you, go with the fee based, and sell them on the high-ticket approach to ensure your profits are worth doing the deal. Remember, you need asset-owner involvement to justify any assessment worth doing at this level.

Every Assessment Should Be Ongoing Business – Here’s Two Ways To Create Annuity Business

The biggest upside in both free and paid assessments is in the ongoing annuity business.

There are two ways to create annuity business with assessments (and maybe more that I haven’t thought of).

First, let’s look at the theory. Risk is a measure of impact vs. likelihood. You can’t affect impact; losing data or suffering downtime is going to cost the company, no matter how secure the company is.

Your variable is in likelihood. Solid security lowers likelihood (however, even GREAT security does not eliminate threats).

The assessment identifies (at least it should) the threats, and provides a measure of likelihood. Remediation is the process of reducing the likelihood to an acceptable level.

Managed services, or MSSP, is your program designed to maintain an acceptable level of risk over a period of time: your long-term annuity engagement.

So the first way to sell ongoing business through assessments is to demonstrate an organization’s unacceptable level of exposure, and provide a way to reduce it.

And then show them how to maintain it by contracting with you to oversee, or detect and respond to issues as they arise.

The second way, generally better geared for enterprise accounts, and using fee based assessments, is to sell a quarterly update.

Keeping the same scope, and simply updating the document quarterly, can provide tremendous value to the client that houses sensitive data.

Two up-sells come with the ongoing assessment approach.  First, you’ll get a quarterly opportunity to check in on your recommended remediation steps. Over time, and given you are providing value, your client is likely to engage you to keep working on your recommendations as threats grow.

Second, the scope is likely to change over time as new IT initiatives invite you to consider added systems as part of your analysis.  One additional bonus, you’ll be up on all your client’s latest planned initiatives since new projects always affect the client’s security risk analysis.

Going forward, add this quarterly update with just enough money to cover your added cost (in other words, do it at break even). It adds value, costs you nothing, and offers great upside.

© David Stelzl, CISSP

Getting Executive Buy-In Is Critical

If You Expect Your Clients to Take Action on Assessment Findings

Only about 15% of the risk assessments, from audience polls I conducted, are being acted on! Yet over 95% of them show urgent issues, according to security experts I am in touch with. There’s a major disconnect.

The Right Language Matters

One key reason I’ve observed is the language being used to write the assessment reports. Not only are the reports too long to attract executive readers; even if they did want to wade through the 50-page document, it would be like you or me wading through a technical journal to find out what to do about cancer risks. Chances are we would comprehend about 5% of it, giving up after the first few pages.

If you’ve worked in a large corporation, you know there’s a disconnect between IT and executive management. Don’t expect everyone to sit down to review your paper. In the small business the security expert doesn’t exist, and the small business owner is already running at top speed, trying to grow the business, manage cash flow, and build customer experience before their competition does. They don’t have time to sift through mounds of jargon.

Grabbing Their Attention Early

But the other issue is one of desire and priority. Does the business owner or executive see your report as urgent, a must-read now? If you have not involved them in the findings, chances are they don’t see it as urgent. If they have an IT group, they’ll delegate it. If they don’t, it will sit on their desk (especially if you waived your fee, a common practice in the small business market).

All of this changes when you start your assessment at the Asset Owner level. (See my book, The House & the Cloud, Page 195).  Starting with those who have liability, with the goal of discovering their most important data as it relates to their business growth and profitability, is the best way to get them interested before you complete the assessment.

Find out what digital assets are most important to protect and why. Then look at who would want them. And based on how things are set up and who creates and uses this data, discover how unauthorized users might gain access. When you’re done, tie your findings to business issues. Leave out the technical jargon. And bring your report to that executive with a short presentation on what it means to their business.

If your conversion rates on this process don’t go up to about 60% something is wrong. Consider reading through chapter 13 of The House & the Cloud – 2nd Edition, for ideas on how to convince your audience that this is important.

© 2016, David Stelzl

Board members want to know! The news is out: neighboring countries are stealing your client’s stuff. Ten years of R&D investment can be out the window in a few seconds when another country decides to take their data and duplicate their products at a fraction of the cost.

I returned last night from a week in Chicago, having met with several business leaders, from CEOs running financial companies to directors overseeing the IT aspects of manufacturing. In several cases people were looking for some way to measure their risk, a directive given straight from the board of directors. What is it exactly that the board wants to see? If you have never presented to a board, you want to. This is where the decision making happens, and it is guaranteed to shortcut a lengthy decision-making process if well presented.

1. First, they want to know what their exposure is.  Exposure is risk, not impact or vulnerability (which is what most people will present if asked).  A calculation of risk requires, not only understanding the impact on certain business metrics – such as production, shareholder value, stock price, and brand – but the likelihood it will happen.  If you can’t explain the likelihood, the value of the data is nearly zero.

2. Then, knowing the top 4 to 6 threats is important. There are thousands of threats, but only a few matter. The board wants to know what systems/data are at risk, and why.

3. Given a list of top threats relevant to this specific business, and an expert’s opinion on the likelihood, the question of trending must be addressed.  “Are things improving, or getting worse?”  “How do you know?” and “How are we managing this?”

4. Obviously, if things are getting worse, there needs to be a get well plan.  It takes an average of 14 months to detect a breach according to recent FBI reports, so how do we know this data is accurate, and we are not one of the average companies who will discover when it’s just too late that, “We’ve been hacked?”

Before going forward with an assessment, make sure you have the right people involved, make sure you are measuring the right things, and make sure you are putting this into a format that will make sense to your target audience. If your target audience seems to be IT, chances are you are simply providing a security education to those looking to enhance their resumes. On the other hand, if you are there to measure risk for those in charge, make sure you are delivering something that speaks to the executive level. IT rarely gets what they need in terms of support and funding on the security side, and it’s the fault of those making the case. Change the approach and you’ll find a greater adoption of the things that matter.

If you are serious about getting this right the first time, I highly recommend attending my upcoming workshop, Making Money w/ Security, a nationally recognized program designed for those who want to advise executives on their data security strategy.

© 2013, David Stelzl

We are just a little over a week away from my webinar with Ingram Micro on providing Undeniable Justification through the Security Assessment Process – a shortened version of my House & the Cloud sales process.  The more I work with companies on their proposals and assessment deliverables, the more I see the need to overhaul the process.  I was working with several people last week during individual sales coaching meetings to refine their documents.  Here are a few points to consider…

Re-engineering the Assessment Deliverable

  • These documents should be written to the decision maker, not IT.  If your SE is writing the deliverables, chances are that your documents are written to technical people, not economic buyers on the business side.  Most of these will not lead to larger remediation projects.
  • If your document is mostly lengthy paragraphs, and you have pages of paragraphs, it doesn’t really matter who you are writing to. No one will have time to read it. Stick to charts, graphs, diagrams, bullets, and a few paragraphs. If your assessment was done at no charge, you don’t need a long written report. You need something short, to the point (I recommend using a PowerPoint document), and supplemental to a great presentation on what you’ve found.
  • If your “Findings” section contains technical misconfiguration information, or possible vulnerabilities to some technical-sounding Trojan, you might consider changing it. Ask yourself, “So what?” So, what will happen as a result? I call this the “So What?” test. Keep asking yourself until you get to an urgent-sounding issue with business impact. For instance, on two documents I read last week, both reps were recommending managed services on the basis that one person can’t manage a group of 50 or 100 end-users. I kept asking, “How do you know?” The document made it sound obvious, but no justification was given. You can’t do this. Imagine you are the CFO, trying to save as much money as possible. Someone with a sales business card comes into your office and tries to convince you to sign a contract for several thousand dollars per month. You won’t do it unless you’re sure you need it. There must be some pretty strong evidence. I’m not saying you can’t find it; I’m simply stating that you need that evidence before proposing the solution.

I will be covering this and more, next week on a webinar sponsored by Ingram Micro – Wednesday, September 26th, at 1:00 PM ET.  You can sign up right here:
SIGN UP FOR DAVE STELZL/WITH INGRAM MICRO

Looking forward to seeing you there!

© 2012, David Stelzl

Stop Wasting Time on Proposals Nobody Reads!

Sign up here: http://www.eventbrite.com/event/2571952780 (December 21st at 1:00 PM)

Nothing wastes more time than writing proposals that don’t sell.  The more you write, the more time you waste…I remember some of my early proposals, crafted after lengthy documents I had seen as an IT manager.  Then one day I remembered, “I never read those things, so why would anyone read mine?”  The fact is, most of the proposals being written never get read!  Why?  Simply put, no one has time to read anything but the essentials.  What’s in your proposal that really matters?  Price, parts list, stages of a proposed project, and perhaps some dates?  These things are important.  What about the rest?  Well, perhaps there are some things in there, buried deep within your project rhetoric.

Join me next week on December 21st at 1:00 ET to talk about proposals. I’ll be drawing from my newly published book, From Vendor to Adviser (which contains an important chapter on how to put together quality proposals). Here is the link; sign up now! Past events have filled up quickly….

http://www.eventbrite.com/event/2571952780

© 2010, David Stelzl

First, don’t miss these two sessions online – this is my Christmas gift to you just for being a regular reader….

1. http://stelzlvendoradviser4.eventbrite.com/ – Setting Fees with Profit in Mind!

2. http://www.eventbrite.com/event/2571952780 – Secrets to Writing Winning Proposals (Including RFP responses)

Two areas I see even some of the most successful sales people missing on are fees and proposals.

Fees are tricky – sometimes your company sets this for you, but if you have any control over this, it’s one of the places you must master.  Too much, and the client looks at you like you’re a thief, too little and you leave money on the table or worse, discredit your own value.  I often hear the comment, “When we fix price, we lose money.”  Wow, that tells me you haven’t learned to estimate, but I will show you the secret of pricing on December 9th…there are two ways to calculate fixed price fees, then there are block time sales (which may be the thing that keeps you from really profiting the way you should be – and I’ll show you exactly why that is.)  And of course T&M, but there are two ways to do T&M, and one of them results in you taking all the risk.  I cover this in detail in my new book, From Vendor to Adviser, along with calculations and examples, so I won’t go into it here…but this is critical stuff!

Get the Book here:  www.stelzl.us/store.asp (Note: this is a preorder special – you’ll be one of the first to have it)

Then there is the proposal…I see many making one of several mistakes.  They execute the sales process perfectly, and then get to the proposal, and…well, all that effort turns into a big negotiation process, and maybe a visit to the chief purchasing officer (who, no doubt, has a degree in Negotiation Strategies!)  Who needs that at the end of a long sales cycle, and especially here at year end?  One thing  I can tell you, the meeting you have right before you write this proposal is the key to success – but there are at least eight secrets I give in my book to make this go much more smoothly.  I don’t know about you, but I don’t really like writing proposals – especially when they don’t close!

Here is that link again – I’ll see you on the 8th and hopefully on the 21st for the second one.  There is no cost to you, other than time, so don’t miss this.

Fees: http://stelzlvendoradviser4.eventbrite.com/

Proposals: http://www.eventbrite.com/event/2571952780

© 2011, David Stelzl