Archives For Solution Strategy

How Would Your Assessment-to-Business Conversion Rate Grow If You Had Access to This One Extremely Powerful Assessment Tool?

90% of the Assessments I Review Leave Out Asset-Owner Interviews – Leaving You (The Seller) With a Weak Deliverable and Little Justification to Remediate

In this article I’ll point you to the people you should be talking to. In addition, I’m going to give you the exact questions and sequence to use if you plan on up-selling them on remediation steps and ongoing annuity services.

The Number One question I get when the topic of assessments comes up is, “What tools do you recommend?” It’s a great question…however, I know what’s really being asked, and it’s the wrong question.

The Wrong Question to Be Asking On the Front End

“What scanner or analysis tool do you recommend?” That’s the question behind the “Tool” question. But it’s the wrong question.

The tool question stems from a misconception that assessments are technical initiatives that should be led and delivered by technical people.

In most cases, the assessment is sold (or offered pro bono) by the seller, and then tossed over the fence to a technical team. The team may be well skilled in security concepts, network architecture, and more. But in most cases they lack business savvy.

Yet the assessment, going by its first name – Risk, as in risk assessment – is by definition a measure of business risk. And it’s the asset owners (those who carry true business liability) who need that measurement.

Note: Get the details on Asset Owners, gaining access and delivering value, in my book, The House & the Cloud – Almost FREE using this link.

The Question Framework

So what’s the right question? Well, it’s really an approach more than a question. The goal of the assessment (addressed in more detail here) is to move troubled customers to a remediation plan.  It’s like a cancer patient recently diagnosed. The Oncologist who fails to move most of his patients to treatment should be seen as a failure.

Is he just not communicating? Do they just not understand they are dying? Something’s wrong if the prognosis would be positive with treatment, yet the doctor is not able to move his patients to action.

THE FRAMEWORK:

In my book, The House & the Cloud (Chapter 13), I provide three key questions as a guideline.

  1. What are you trying to protect?
  2. What are your relevant threats?
  3. How likely are you to be able to detect and respond to an incident or pending disaster before damage is done or data lost?

These three questions provide the basis for a longer, freeform discussion with Asset Owners.

Remember, Asset Owners are those with business liability. That means these special people are responsible for business functions critical to the profitability of the business, and live primarily on the profit-center side.  Think, C-Level, VPs, Directors, and key people in key divisions of the company.

…Doctors, lawyers, CPAs, Sales Managers, R&D Management, Investment Banker, Stock Broker…people who make (or significantly contribute to) profits.  When an asset owner’s data is compromised, deleted, or corrupted, that person is in trouble.

Customers will file lawsuits, stock prices go down, brand and reputation are tarnished, and heads roll.  You won’t see the director of IT, or their one-person IT support guy in the paper tomorrow – but chances are, an Asset Owner will be front page.  A few weeks later, you’ll read they have moved on to something new, by mutual agreement…code for, FIRED!

Questions Designed to Get Answers That Matter

Using the Framework, you can then divide your interviews among three groups. (I provide more detail in The House & The Cloud, Pg. 195ff).

THREE GROUPS TO CONSIDER:

  1. Executives
  2. Power-Users
  3. IT

The assessment process starts with executives (whenever possible). My friends on the Disaster Recovery side of the business pointed me in this direction years ago…business risk starts with understanding business leaders’ care-abouts.

EXECUTIVES:

Start your analysis with questions (using the 3-part framework above) to determine what matters and how much…Your first question is, “What are you trying to protect?” It might look something like this:

  • What applications / data are most important to this business – profit, stability, growth, customer satisfaction, etc.?
  • After identifying them: How long can this system be down? (hit the important ones)…drill down…the first answer is usually wrong – No Downtime! You and I know zero downtime is nearly impossible and exponentially expensive! Find out where the balance of cost and availability sits. Think Maximum Tolerable Downtime; the Recovery Time Objective you later design to follows from it.
  • How about data loss? “Can you afford to lose any data – if so, how much?” This is a Recovery Point Objective question (how old the last good copy may be), but stick with business language. Explain how data is lost (ransomware, disk crash, corruption, etc.).
  • What are you most concerned about protecting against? There are three pillars of security to consider: Confidentiality, Integrity, and Availability. It might be one of these, or all three might be important. Make sure you know how the executive sees it.

Next, move to question 2: “What are your most relevant threats?” Again, you’re talking to an executive, so keep it at a business leader level. One bad question (technical in nature) could land you a demotion back to IT!

  • Who is allowed to see this data? Who can’t see it?
  • Who would want this data?
  • What happens if this data gets out (in the hands of other governments, competitors, the public, etc.?) – Speaking of impact here.
  • What concerns you most? Examples might be, data theft, downtime (from what?), loss of access (for instance, ransomware), etc.  What about soft costs such as loss of customer trust?

Finally, a simple question, “How would you know if your data were under attack, or on the verge of any disaster we’ve mentioned above? Would you know in time to stop it from happening?”

Expect executives to say, “I hope so, but don’t really know.”

POWER-USERS/KNOWLEDGE WORKERS

A similar line of questioning would be used with this group, with the addition of questions that reveal the lifecycle of their data.

More than one interview is desirable here.  You’ll want to talk to key department managers as well as those who create and use data to conduct business.

In a small business, this may involve 2 or 3. In a larger firm, make sure you build in adequate funding to visit 5 to 10, or more, depending on the size and complexity of the organization.

Discover their data flow.

Data flow means understanding who is creating data, who is using it, and how it travels, is stored, archived, and finally deleted. You’ll want to know who interacts with data inside and outside the company (customers / suppliers), and what kinds of access different groups should have.

Discover business climate.

In addition to workflow, you’ll want to know about any upcoming M&A activities, pending layoffs, volatile terminations, R&D announcements, etc. These all affect a company’s security posture.

WITHOUT this level of insight into the organization, moving forward to evaluate risk is nearly IMPOSSIBLE. True risk has everything to do with how workers create and treat data.

At this point I would recommend using a quiz – formal questions with scoring, to see how well-informed these users are when it comes to securing their most precious assets.

Completing the Process

The rest of this assessment deserves its own article…In short, your next step is to evaluate the data coming from your interviews, with security practices in mind.

Hold an internal meeting to ask your team – “What would need to be true in this company to keep their data secure at the levels identified by asset owners?”

With a list like this in hand, it is then easy to go into the IT areas and investigate. You now know exactly what you are looking for…
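The following is an added example, not code from this article or from The House & the Cloud. It takes the answers the three questions above produce (what to protect and how long it can be down, which threats the owner actually fears, and whether anyone would notice an attack in time) and turns them into the two things the internal meeting needs: a short register of the threats that matter most, ranked by likelihood times impact, and the “what would need to be true” list for each asset. Everything in it is an assumption: the 1..5 scales, the pillar weights, the 1.5x multiplier for an owner who admits they would not know, and the two sample interviews.

```python
"""Turn asset-owner interview answers into a ranked risk register.

Added example, not code from the original post. The scales, weights,
asset names, numbers and threat lists are constructed sample data.
"""
from dataclasses import dataclass, field

# Qualitative interview answers mapped to a 1..5 scale (assumed scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4, "catastrophic": 5}


@dataclass
class Threat:
    name: str
    likelihood: str   # key into LIKELIHOOD
    impact: str       # key into IMPACT
    pillar: str       # which pillar it attacks: "C", "I" or "A"


@dataclass
class Asset:
    name: str
    owner: str                 # the asset owner interviewed
    mtd_hours: float           # maximum tolerable downtime (question 1 follow-up)
    rpo_minutes: float         # acceptable data loss (question 1 follow-up)
    pillars: dict              # how much C, I and A matter to the owner, 0..1 each
    can_detect: bool           # owner's answer to question 3
    threats: list = field(default_factory=list)  # answers to question 2


def threat_score(asset: Asset, threat: Threat) -> float:
    """Exposure = likelihood x impact, weighted by how much the owner cares
    about the pillar under attack. An undetected incident is assumed to cost
    more (1.5x, an assumed multiplier), so a "no" on question 3 raises every
    score for that asset."""
    score = LIKELIHOOD[threat.likelihood] * IMPACT[threat.impact]
    score *= asset.pillars.get(threat.pillar, 0.0)
    if not asset.can_detect:
        score *= 1.5
    return round(score, 1)


def rank_register(assets, top_n=6):
    """Only a handful of threats matter: return (score, asset name,
    threat name) tuples, highest exposure first."""
    rows = [(threat_score(a, t), a.name, t.name) for a in assets for t in a.threats]
    rows.sort(key=lambda r: r[0], reverse=True)
    return rows[:top_n]


def requirements(asset: Asset) -> list:
    """'What would need to be true' for this asset, stated in the owner's
    terms, ready to be checked against what IT actually has in place."""
    reqs = [
        f"{asset.name}: restorable within {asset.mtd_hours:g} h",
        f"{asset.name}: recoverable copy no older than {asset.rpo_minutes:g} min",
    ]
    if not asset.can_detect:
        reqs.append(f"{asset.name}: attack detected before the {asset.mtd_hours:g} h window closes")
    return reqs


# Constructed sample interviews (not real customer data).
SAMPLE_ASSETS = [
    Asset("Order entry system", "VP Sales", mtd_hours=4, rpo_minutes=15,
          pillars={"C": 0.5, "I": 0.8, "A": 1.0}, can_detect=False,
          threats=[Threat("Ransomware", "likely", "severe", "A"),
                   Threat("Storage failure", "possible", "major", "A"),
                   Threat("Insider data theft", "unlikely", "major", "C")]),
    Asset("R&D design repository", "Head of Engineering", mtd_hours=48, rpo_minutes=1440,
          pillars={"C": 1.0, "I": 0.9, "A": 0.3}, can_detect=True,
          threats=[Threat("IP theft by competitor", "possible", "catastrophic", "C"),
                   Threat("Silent file corruption", "unlikely", "major", "I"),
                   Threat("Planned maintenance outage", "likely", "minor", "A")]),
]

if __name__ == "__main__":
    for score, asset_name, threat_name in rank_register(SAMPLE_ASSETS):
        print(f"{score:5.1f}  {asset_name:24s} {threat_name}")
    for a in SAMPLE_ASSETS:
        for r in requirements(a):
            print("-", r)
```

Run as-is it prints the register (the VP Sales’ ransomware exposure lands on top, well ahead of the engineering head’s IP-theft worry, because the sales owner said nobody would notice in time) followed by the requirement list your team then goes and checks against backups, monitoring, and access controls in the IT interviews.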

You can find out more on the consultative discovery process in my book, From Vendor to Adviser.

© David Stelzl, 2017

How Many Meetings Are You Getting Per Month?

How Many New Clients Have You Picked Up Over the Past 12 Months?

I hear this all the time, “It’s a numbers game.” If you make 60 calls, or some say 100, then you should get 4 – 6 meetings each month, and 1 will close. That’s the silliest thing I’ve heard in a long time. It’s like saying, if I put enough quarters in the slot machine, I’ll eventually win. Odds are odds. It doesn’t matter how many times you flip a coin, the odds of landing on heads are always 50%.

Not Numbers, Think Strategy and Value

Here’s the hard truth. If you have something people really need, know who to communicate to and how to communicate, you’ll connect. If they really need it, they’ll buy it. If you sell them something they really don’t need, they’ll figure it out. If your offering isn’t great, they’ll leave you shortly after signing.

In my newest book – Digital Money, due out in a couple of weeks, I explain to business leaders exactly why they need to rethink security. I show them what’s going on inside their organization that is destined to lead to disaster. And then I tell them why they can’t fix this internally, and what to look for in an IT service provider.

If you want to know what that service provider looks like, I explain the whole thing in my book, The House & The Cloud.

Don’t Be Fooled

The numbers game leads to business failure. Gartner, The WSJ, and many others are telling us, “The cloud is here, adapt or lose.” Margins on MSP business are shrinking. And don’t expect the data center business to come back next year. I heard that from someone yesterday. It’s not going to happen any time soon.

© 2016, David Stelzl

Assessments Just Might Be Your Ticket to High Margin Business

Are you doing assessments?  It might be security.  But other assessments work just as well. Network, Cloud Readiness, Business Impact Analysis, etc.  

You might be charging, or they might be free.  Regardless, the assessment is not where the big payoff sits.  Unless you’re a pure consulting firm (no product and no hosted services), you want this paper to convert to something.

Traditional sales models look at sales activities. I prefer to look at outcomes – in this case, conversion. The average assessment won’t convert to large project business or managed annuity contracts. If you’re in this boat, keep reading. A few questions you should be asking…

Why Don’t My Assessments Convert?

The biggest mistake I see is one of being too technical.

The network engineer values the network. Bandwidth improvements, benefits that come with software defined networking (SDN), or the ability to provide secure access to many different types of devices, all make sense. But handing in a report that shows the inventory, IP addresses, and possible hardware/software upgrades won’t get you a project.

Instead, start thinking about the major initiatives CIOs are working through right now. Mergers and acquisitions, customer experience gains – such as providing guest access and portals, collaboration that involves more video, etc.

These are business drivers…if your assessment starts by looking for these initiatives, you can then move to end-users to discover how they use the network, and what they’ll want out of it in the near future.

This leads to justification for SDN or greater agility.

Who Should I Include In the Process?

It’s tempting to make this all about technology – but don’t. From the above paragraph, you can see I am recommending you include executives responsible for business strategy, who will build their programs on this network.

From there you want to include end-users.  This group is often left out of any technology sale. But they are your best influencers. Find out what they need to generate more business for their company and you’ll have the justification you need.

From there, you want to strategize with your team internally. Ask the question: what does this company really need in order to do what it wants to do? Once you have the answers, you can then evaluate or assess their technology.

Your Deliverable Looks Like This…

Scrap the highly technical deliverable. You don’t have to throw it away, but think of it as reference material that goes in the back of the book. IT may want to see it – in fact it might be impressive to them. Let them have it.

But your primary deliverable is going to decision makers – business people.

So write the report to them. It’s not your executive summary – it’s your main report. It’s a business case. It’s the primary deliverable. Write it with care – make the case for the gains you’ve discovered, and show them what they need before they can get what they really want.

Hint: It might be worth hiring a copywriter to rewrite your report – once you have one that works, you can reuse the same language. Copywriting is a science used by marketers to move people through written content…don’t leave this to the high-tech people.

© 2016, David Stelzl

Last week I met Brian NeSmith, President of Arctic Wolf out in Sunnyvale California. Great solution for small and medium business resellers who need a detection solution supporting their MSSP offering! Take 2 minutes to watch this video…this is what I’ve been preaching for the last decade.

© 2016, David Stelzl

Four Big Problems That Will Derail Your Sale

Here is the problem with most technology companies…

Actually there are four,

…and if you’re honest you’ll recognize that your company has all four.

  • The Sales Problem. The sale is technical – too technical. Sales calls focus on technical people, technical products, and are conducted using technical presentations. The smarter your presales technical guy is, the better you feel about your chances of winning. On the other hand, there’s no pressing need and the deal often comes down to price comparisons as you respond to requests for proposals and quotations on products. You spend many hours working through issues that really don’t matter to a non-asset owner.
  • The Marketing Problem. There’s a marketing disconnect. Most sales people are not happy with the marketing department, and marketing is not sure why sales won’t use their stuff. If you’re a marketing professional with real marketing expertise, or you have one in your company, you’re one of the few. Most of the resellers, and even smaller manufacturing companies, don’t have marketing people who understand the power of direct response marketing, and how to make it work. Big companies spend millions on branding, but that won’t translate into sales in your region.
  • The Assessment Problem. With compliance laws and uncertainty, people are assessing security. However, the assessments are not turning into remediation projects. Only about 20% of the assessments I see turn into projects or managed services contracts. Given that almost all assessments turn up issues I would call “urgent”, it doesn’t make sense that they wouldn’t convert to project work almost every time. Most assessments are too technical, focus on the wrong things, don’t highlight the urgency, and never reach the asset owner.
  • The Presentation Problem. Chances are your company presentation is boring. It looks like every other technology-company presentation. It starts with your company name, how big you are, years in business, certifications, some great clients, and the products or services you provide. They all look the same. If you’ve had trouble booking new appointments with c-level executives, to show your corporate presentation, I’m not surprised.

The updated version of The House & the Cloud is nearly complete.  I’ve added answers to all four problems described above, and demonstrated how a great security value proposition, with a security sales strategy can alleviate these issues.  Stay tuned…it should be going to print soon!

© 2014, David Stelzl

If you don’t have the current House & the Cloud book, you can get it free in PDF Format right here (CLICK). Download it and you’ll be one of the first to know when the new version is out!

What Should the CIO Be Doing in 2014?

NOTE: I’ve published much more detail on this in the SVLC Insider’s Circle PRIVATE FORUM under TRENDS.

Mike McConnell’s article published in the WSJ on Feb. 4th, 2014 was excellent, commenting on what CISOs should take away from Target’s recent breach. The loss is still unknown, but might be measured in billions of dollars. Let’s not leave this event without some lessons learned.

It turns out that Target’s malware problem persisted up to 15 days after the malware was cleaned up…this came out in a hearing yesterday.

One sound bite that came out of this: Malware often sits dormant on a system for up to 200 days before being used maliciously!  Another quote from the FBI – it takes an average of 14 months for companies to detect an attack.

What should C-level leadership be doing in the area of security? Strategy and business growth are key leadership responsibilities, but as stated in one of my earlier posts, all of these forward-thinking things require technology, and if the technology isn’t secure, the customer soon won’t care that you have a new line-busting application, or that you offer some type of Telepresence interaction to help decorate your home.

Proactive Leadership Is Required

Cybercrime, as we’ve just witnessed, will be a growing cost to organizations around the world – but expect the U.S. to be particularly hard hit without chip and PIN technology in place. And this is just one example of a weakness in security measures.

McConnell states in his article – business leaders must have a proactive response in place, know what to say to their customers the moment it happens, and “Determine the right steps to take to ensure damage to the organization is fully contained.”

He goes on to talk about remediation, stating, “Even the best remediation efforts fall short if the organization operates from an outdated security model.” What is that outdated model? That is one of the key points from my 2007 edition of The House & the Cloud. Somewhat before its time, some people thought I was making outrageous claims in my book, but here in 2014 they don’t seem so bold. The key point is that perimeter security always fails eventually, and besides, the data isn’t really sitting in the data center anyway. I wrote this in 2007 as well, but now with BYOD trends, no one can argue differently.

McConnell recommends companies move quickly to a “Predictive edge to sense and preempt coming attacks.” This fits well with the detection strategy I’ve recommended in my book.  I go on in The House & the Cloud to discuss what the response plan must look like.  McConnell agrees with these insights, stating that this is more of a “Tradecraft” than a degree or education. We need people with experience.

His article calls on CISOs to “Accept and understand that remediation-centric cyber defense is not enough…Organizations need to change their entire security model from one of compliance (meeting basic standards for data protection) to a holistic multifaceted program…”  This is what my book calls, The Coverage Model.

Many of these steps are being taken in the largest banks and energy companies. But what about the mid-market and SMB companies? While plenty of innovation is taking place in smaller companies – meaning there are large, high-value repositories of data in these companies – they can’t really afford the kind of technology McConnell is promoting, nor can they staff the people with the tradecraft he recommends.

This is clearly an opportunity for the solution provider…consider Virtual CISO services, detection oriented managed services, and a well trained response team that works with companies not only after the fact, but prior to an incident to establish a proactive plan.

© 2014, David Stelzl

Let us help you make the move to Security Adviser – join the SVLC Insider’s Circle Today…

Board members want to know! The news is out – neighboring countries are stealing your clients’ stuff. Ten years of R&D investment can be out the window in a few seconds when another country decides to take their data and duplicate their products at a fraction of the cost.

I returned last night from a week in Chicago, having met with several business leaders, from CEOs running financial companies to directors overseeing the IT aspects of manufacturing. In several cases people were looking for some way to measure their risk – a directive given straight from the board of directors. What is it exactly that the board wants to see? If you have never presented to a board, you want to. This is where the decision making happens, and it is guaranteed to short-cut a lengthy decision making process if well presented.

1. First, they want to know what their exposure is. Exposure is risk, not impact or vulnerability (which is what most people will present if asked). A calculation of risk requires not only understanding the impact on certain business metrics – such as production, shareholder value, stock price, and brand – but the likelihood it will happen. If you can’t explain the likelihood, the value of the data is nearly zero.

2. Then, knowing the top 4 to 6 threats is important. There are thousands of threats, but only a few matter. The board wants to know what systems/data are at risk, and why.

3. Given a list of top threats relevant to this specific business, and an expert’s opinion on the likelihood, the question of trending must be addressed. “Are things improving, or getting worse?” “How do you know?” and “How are we managing this?”

4. Obviously, if things are getting worse, there needs to be a get-well plan. It takes an average of 14 months to detect a breach according to recent FBI reports, so how do we know this data is accurate, and that we are not one of the average companies who will discover, when it’s just too late, that “We’ve been hacked”?

Before going forward with an assessment, make sure you have the right people involved, make sure you are measuring the right things, and make sure you are putting this into a format that will make sense to your target audience. If your target audience seems to be IT, chances are you are simply providing a security education to those looking to enhance their resumes. On the other hand, if you are there to measure risk for those in charge, make sure you are delivering something that speaks to the executive level. IT rarely gets what they need in terms of support and funding on the security side – and it’s the fault of those making the case. Change the approach and you’ll find a greater adoption of the things that matter.

If you are serious about getting this right the first time – I highly recommend attending my upcoming workshop, Making Money w/ Security…a nationally recognized program designed for those who want to advise executives on their data security strategy.

© 2013, David Stelzl