Archives For Solution Strategy

Thousands of People Have Bought My Book – The House & The Cloud…

However, Only a Few Ever Take Time To Read It.  So…

The Audio Book is Out! You can stop beating yourself up, trying to find a time to read The House & The Cloud…the full version is now available on MP3… Get IMMEDIATE ACCESS right here:

https://www.stelzl.us/HC-Audio-Special/

And for a limited time I’ll also send you two additional programs –

A video using The House & Cloud Message to convert an entire audience of decision makers to an assessment,

…And an exclusive interview with a Fortune 2000 CISO where I ask him what he likes and dislikes about salespeople and “Why he and his peers never return phone calls…” His answers are eye-opening to say the least!

© 2018, David Stelzl


In Dallas This Week Speaking at The 20 Conference…

…with over 200 attendees, all looking for one thing – growth!

What’s the number one factor? Not enough leads…I hear it everywhere I go….coaching calls, training classes, live events…

But as Tim said this morning, there’s more to it.

If you had dozens of leads this month, could your company deliver?

Do you have enough people, infrastructure, process?

What about conversion?

If I gave you 20 leads tomorrow, how many do you think you’d actually close – if there were competitors involved? What makes you better (or unique)?

These are the questions we’re addressing this week…I’ll be on stage tomorrow showing how security sets companies apart when they really get it – and how to take people from thinking, “We’re covered” or “We have an IT guy”, to ready-to-assess…

© 2018, David Stelzl

PS. Does your risk assessment close business? Check out my HIGH-CONVERSION RISK ASSESSMENT TEMPLATE… (Click).

Move from MSP to MSSP and you’ll immediately realize 3 benefits (that just might save you from impending doom).


What to ask when conducting your security risk assessment


Some of the Most Powerful Hacks Are Low Tech – But Extremely Creative

A Clever Ruse Is Priceless When It Comes to Justifying The Security Sale

Today I want to show you the one hack that always succeeds…with some practice, your assessment team will get in every time!

(And Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Continuing on in a series of articles on Assessing Risk, no assessment would be complete without testing the users. One simple test comes in the form of social engineering. The problem is, most assessments leave out end-users altogether!

Get The Details On Selling With Assessments In My Book, The House & The Cloud – Here’s a special offer that’s almost FREE

In this short video, a woman (cleverly disguised as a mother with a crying baby) takes over the guy’s phone account in just minutes. This is the kind of thing your business-leader clients have to see…it’s so simple, it’s unbelievable.

…So simple, my son did this very thing to me just a couple of weeks ago – needing to make a change to his account (under my name) while I was traveling!  (Shame on Verizon – they let him in!!!)


The End-User Is Your Client’s Biggest Hole In The

The balance between customer service, time crunch/deadlines, and keeping the security policy is not an easy one.

The baby crying in the background (an MP3 playing on this woman’s computer) creates the perfect “I’m an innocent, ignorant mother just trying to get this done for my husband…” scenario.

Who wouldn’t feel compassion for this poor woman? What would your clients do?

The Guy In The Video Is The Skeptic…This Is Your Client – The Decision Maker

As the video begins, you know it’s only 2+ minutes long. How can this be possible?

However, once she fires up the baby-crying audio, and starts with her dumb-blond act, you know she’s going to win!  It’s almost unfair!

Watch the Video – It’s Short…any ideas on how you can incorporate this?

I’m not saying you should make a call to their phone company with a crying baby in the background. But look at her face – who’s NOT going to help her?

I AM saying, you want to test the end-user’s ability to spot a ruse. That’s where the attack is going to happen…

I’ve heard it a million times – we don’t do free assessments!

This, my friends, is an assessment done in under 3 minutes! How much did it cost?

It’s a pen test…It’s not comprehensive, but it doesn’t need to be. This 2+ minute example demonstrates how just about anyone (willing to play the role) can break in, in minutes, with ZERO hacking skills.

So what is the likelihood someone will break into your client’s data?

It’s 100% every time, because, every time, there’s at least one sympathetic, authorized user, who will eventually succumb to the ruse of a creative hacker. It’s time to start thinking more strategically about assessments and closing business.

Copyright 2017, David Stelzl

Get The ONLY BOOK on Selling Security and MSP services: The House & The Cloud

How Would Your Assessment-to-Business Conversion Rate Grow If You Had Access to This One Extremely Powerful Assessment Tool?

90% of the Assessments I Review Leave Out Asset-Owner Interviews – Leaving You (The Seller) With a Weak Deliverable and Little Justification to Remediate

In this article I’ll point you to the people you should be talking to. In addition, I’m going to give you the exact questions and sequence to use if you plan on up-selling them on remediation steps and ongoing annuity services.

(And Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

The Number One question I get when the topic of assessments comes up is, “What tools do you recommend?” It’s a great question…however, I know what’s really being asked, and it’s the wrong question.

The Wrong Question to Be Asking On the Front End

“What scanner or analysis tool do you recommend?” That’s the question behind the “Tool” question. But it’s the wrong question.

The tool question stems from a misconception that assessments are technical initiatives that should be led and delivered by technical people.

In most cases, the assessment is sold (or offered pro bono) by the seller, and then tossed over the fence to a technical team. The team may be well skilled in security concepts, network architecture, and more. But in most cases they lack business savvy.

Yet, the assessment, according to its first name – Risk, is by definition a measure of business risk. And it’s the asset owners (those who have true business liability) that need that measurement.

Note: Get the details on Asset Owners, gaining access and delivering value, in my book, The House & the Cloud – Almost FREE using this link.

The Question Framework

So what’s the right question? Well, it’s really an approach more than a question. The goal of the assessment (addressed in more detail here) is to move troubled customers to a remediation plan.  It’s like a cancer patient recently diagnosed. The Oncologist who fails to move most of his patients to treatment should be seen as a failure.

Is he just not communicating? Do they just not understand they are dying? Something’s wrong if the prognosis would be positive with treatment, yet the doctor is not able to move his patients to action.

THE FRAMEWORK:

In my book, The House & the Cloud (Chapter 13), I provide three key questions as a guideline.

  1. What are you trying to protect?
  2. What are your relevant threats?
  3. How likely are you to be able to detect and respond to an incident or pending disaster before damage is done or data lost?

These three questions provide the basis for a longer, freeform discussion with Asset Owners.

Remember, Asset Owners are those with business liability. That means these special people are responsible for business functions critical to the profitability of the business, and live primarily on the profit-center side.  Think, C-Level, VPs, Directors, and key people in key divisions of the company.

…Doctors, lawyers, CPAs, Sales Managers, R&D Management, Investment Banker, Stock Broker…people who make (or significantly contribute to) profits.  When an asset owner’s data is compromised, deleted, or corrupted, that person is in trouble.

Customers will file lawsuits, stock prices go down, brand and reputation are tarnished, and heads roll.  You won’t see the director of IT, or their one-person IT support guy in the paper tomorrow – but chances are, an Asset Owner will be front page.  A few weeks later, you’ll read they have moved on to something new, by mutual agreement…code for, FIRED!

Questions Designed to Get Answers That Matter

Using the Framework, you can then divide your interviews among three groups. (I provide more detail in The House & The Cloud, Pg. 195ff).

THREE GROUPS TO CONSIDER:

  1. Executives
  2. Power-Users
  3. IT

The assessment process starts with executives (whenever possible). My friends on the Disaster Recovery side of the business pointed me in this direction years ago…business risk starts with understanding business leaders’ care-abouts.

EXECUTIVES:

Start your analysis with questions (using the 3-part framework above) to determine what matters and how much…Your first question is, “What are you trying to protect?” It might look something like this:

  • What applications / data are most important to this business – profit, stability, growth, customer satisfaction, etc.?
  • After identifying them: How long can this system be down? (Hit the important ones.) Drill down…the first answer is usually wrong – No Downtime! You and I know zero downtime is nearly impossible and exponentially expensive! Find out where the balance of cost and availability sits. Think Maximum Tolerable Downtime.
  • How about data loss? “Can you afford to lose any data – if so, how much?” This is a Recovery Point Objective question, but stick with business language. Explain how data is lost (ransomware, disk crash, corruption, etc.).
  • What are you most concerned about protecting against? There are three pillars of security to consider. Confidentiality, Integrity, and Availability. It might be one of these, or all three might be important. Make sure you know how the executive sees it.

Next, move to question 2: “What are your most relevant threats?” Again, you’re talking to an executive, so keep it at a business-leader level. One bad question (technical in nature) could land you a demotion back to IT!

  • Who is allowed to see this data? Who can’t see it?
  • Who would want this data?
  • What happens if this data gets out (in the hands of other governments, competitors, the public, etc.?) – Speaking of impact here.
  • What concerns you most? Examples might be, data theft, downtime (from what?), loss of access (for instance, ransomware), etc.  What about soft costs such as loss of customer trust?

Finally, a simple question, “How would you know if your data were under attack, or on the verge of any disaster we’ve mentioned above? Would you know in time to stop it from happening?”

Expect executives to say, “I hope so, but don’t really know.”

POWER-USERS/KNOWLEDGE WORKERS

A similar line of questioning would be used with this group, with the addition of questions that reveal the lifecycle of their data.

More than one interview is desirable here.  You’ll want to talk to key department managers as well as those who create and use data to conduct business.

In a small business, this may involve 2 or 3. In a larger firm, make sure you build in adequate funding to visit 5 to 10, or more, depending on the size and complexity of the organization.

Discover their data flow.

Workflow means understanding who is creating data, who is using it, and how it travels, is stored, archived, and finally deleted. You’ll want to know who interacts with data inside and outside (customers / suppliers), and what kinds of access different groups should have.

Discover business climate.

In addition to workflow, you’ll want to know about any upcoming M&A activities, pending layoffs, volatile terminations, R&D announcements, etc. These all affect a company’s security posture.

WITHOUT this level of insight into the organization, moving forward to evaluate risk is nearly IMPOSSIBLE. True risk has everything to do with how workers create and treat data.

At this point I would recommend using a quiz – formal questions with scoring, to see how well-informed these users are when it comes to securing their most precious assets.

Completing the Process

The rest of this assessment deserves its own article…In short, your next step is to evaluate the data coming from your interviews, with security practices in mind.

Hold an internal meeting to ask your team – “What would need to be true in this company to keep their data secure at the levels identified by asset owners?”

With a list like this in hand, it is then easy to go into the IT areas and investigate. You now know exactly what you are looking for…

You can find out more on the consultative discovery process in my book, From Vendor to Adviser….

© David Stelzl, 2017

How Many Meetings Are You Getting Per Month?

How Many New Clients Have You Picked Up Over the Past 12 Months?

I hear this all the time, “It’s a numbers game.” If you make 60 calls, or some say 100, then you should get 4 – 6 meetings each month, and 1 will close. That’s the silliest thing I’ve heard in a long time. It’s like saying, if I put enough quarters in the slot machine, I’ll eventually win. Odds are odds. It doesn’t matter how many times you flip a coin, the odds of landing on heads are always 50%.

Not Numbers, Think Strategy and Value

Here’s the hard truth. If you have something people really need, know who to communicate to and how to communicate, you’ll connect. If they really need it, they’ll buy it. If you sell them something they really don’t need, they’ll figure it out. If your offering isn’t great, they’ll leave you shortly after signing.

In my newest book – Digital Money, due out in a couple of weeks, I explain to business leaders exactly why they need to rethink security. I show them what’s going on inside their organization that is destined to lead to disaster. And then I tell them why they can’t fix this internally, and what to look for in an IT service provider.

If you want to know what that service provider looks like, I explain the whole thing in my book, The House & The Cloud.

Don’t Be Fooled

The numbers game leads to business failure. Gartner, The WSJ, and many others are telling us, “The cloud is here, adapt or lose.” Margins on MSP business are shrinking. And don’t expect the data center business to come back next year. I heard that from someone yesterday. It’s not going to happen any time soon.

© 2016, David Stelzl