What to ask when conducting your security risk assessment
How Would Your Assessment-to-Business Conversion Rate Grow If You Had Access to This One Extremely Powerful Assessment Tool?
90% of the Assessments I Review Leave Out Asset-Owner Interviews – Leaving You (The Seller) With a Weak Deliverable and Little Justification to Remediate
In this article I’ll point you to the people you should be talking to. In addition, I’m going to give you the exact questions and sequence to use if you plan on up-selling them on remediation steps and ongoing annuity services.
The number one question I get when the topic of assessments comes up is, “What tools do you recommend?” It’s a great question…however, I know what’s really being asked, and it’s the wrong question.
The Wrong Question to Be Asking On the Front End
“What scanner or analysis tool do you recommend?” That’s the question behind the “tool” question. But it’s the wrong question.
The tool question stems from a misconception that assessments are technical initiatives that should be led and delivered by technical people.
In most cases, the assessment is sold (or offered pro bono) by the seller, and then tossed over the fence to a technical team. The team may be well skilled in security concepts, network architecture, and more. But in most cases they lack business savvy.
Yet the assessment, according to its first name – Risk – is by definition a measure of business risk. And it’s the asset owners (those who have true business liability) who need that measurement.
Note: Get the details on Asset Owners, gaining access and delivering value, in my book, The House & the Cloud – Almost FREE using this link.
The Question Framework
So what’s the right question? Well, it’s really an approach more than a question. The goal of the assessment (addressed in more detail here) is to move troubled customers to a remediation plan. It’s like a cancer patient recently diagnosed. The oncologist who fails to move most of his patients to treatment should be seen as a failure.
Is he just not communicating? Do they just not understand they are dying? Something’s wrong if the prognosis would be positive with treatment, yet the doctor is not able to move his patients to action.
In my book, The House & the Cloud (Chapter 13), I provide three key questions as a guideline.
- What are you trying to protect?
- What are your relevant threats?
- How likely are you to be able to detect and respond to an incident or pending disaster before damage is done or data is lost?
These three questions provide the basis for a longer, freeform discussion with Asset Owners.
Remember, Asset Owners are those with business liability. That means these special people are responsible for business functions critical to the profitability of the business, and live primarily on the profit-center side. Think C-level, VPs, Directors, and key people in key divisions of the company.
…Doctors, lawyers, CPAs, Sales Managers, R&D Management, Investment Banker, Stock Broker…people who make (or significantly contribute to) profits. When an asset owner’s data is compromised, deleted, or corrupted, that person is in trouble.
Customers will file lawsuits, stock prices go down, brand and reputation are tarnished, and heads roll. You won’t see the director of IT, or their one-person IT support guy in the paper tomorrow – but chances are, an Asset Owner will be front page. A few weeks later, you’ll read they have moved on to something new, by mutual agreement…code for, FIRED!
Questions Designed to Get Answers That Matter
Using the Framework, you can then divide your interviews among three groups. (I provide more detail in The House & The Cloud, Pg. 195ff).
THREE GROUPS TO CONSIDER:
The assessment process starts with executives (whenever possible). My friends on the Disaster Recovery side of the business pointed me in this direction years ago…business risk starts with understanding business leaders’ care-abouts.
Start your analysis with questions (using the 3-part framework above) to determine what matters and how much…Your first question is, “What are you trying to protect?” It might look something like this:
- What applications / data are most important to this business – profit, stability, growth, customer satisfaction, etc.?
- After identifying them: “How long can this system be down?” (Hit the important ones and drill down.) The first answer is usually wrong – “No downtime!” You and I know that zero downtime is nearly impossible and exponentially expensive. Find out where the balance of cost and availability sits. Think Maximum Tolerable Downtime.
- How about data loss? “Can you afford to lose any data – if so, how much?” This is a Recovery Point Objective question, but stick with business language. Explain how data is lost (ransomware, disk crash, corruption, etc.).
- What are you most concerned about protecting against? There are three pillars of security to consider. Confidentiality, Integrity, and Availability. It might be one of these, or all three might be important. Make sure you know how the executive sees it.
Next, move to question 2: “What are your most relevant threats?” Again, you’re talking to an executive, so keep it at a business leader level. One bad question (technical in nature) could land you a demotion back to IT!
- Who is allowed to see this data? Who can’t see it?
- Who would want this data?
- What happens if this data gets out (into the hands of other governments, competitors, the public, etc.)? We’re speaking of impact here.
- What concerns you most? Examples might be, data theft, downtime (from what?), loss of access (for instance, ransomware), etc. What about soft costs such as loss of customer trust?
Finally, a simple question, “How would you know if your data were under attack, or on the verge of any disaster we’ve mentioned above? Would you know in time to stop it from happening?”
Expect executives to say, “I hope so, but don’t really know.”
A similar line of questioning is used with the second group – the managers and the people who create and use the data – with the addition of questions that reveal the lifecycle of their data.
More than one interview is desirable here. You’ll want to talk to key department managers as well as those who create and use data to conduct business.
In a small business, this may involve 2 or 3. In a larger firm, make sure you build in adequate funding to visit 5 to 10, or more, depending on the size and complexity of the organization.
Discover their data flow.
Workflow means understanding who is creating data, who is using it, and how it travels, is stored, archived, and finally deleted. You’ll want to know who interacts with data inside and outside the company (customers / suppliers), and what kinds of access different groups should have.
Discover business climate.
In addition to workflow, you’ll want to know about any upcoming M&A activities, pending layoffs, volatile terminations, R&D announcements, etc. These all affect a company’s security posture.
WITHOUT this level of insight into the organization, moving forward to evaluate risk is nearly IMPOSSIBLE. True risk has everything to do with how workers create and treat data.
At this point I would recommend using a quiz – formal questions with scoring – to see how well-informed these users are when it comes to securing their most precious assets.
Completing the Process
The rest of this assessment deserves its own article…In short, your next step is to evaluate the data coming from your interviews, with security practices in mind.
Hold an internal meeting to ask your team, “What would need to be true in this company to keep their data secure at the levels identified by asset owners?”
With a list like this in hand, it is then easy to go into the IT areas and investigate. You now know exactly what you are looking for…
You can find out more on the consultative discovery process in my book, From Vendor to Adviser…
© David Stelzl, 2017
How Many Meetings Are You Getting Per Month?
How Many New Clients Have You Picked Up Over the Past 12 Months?
I hear this all the time: “It’s a numbers game.” If you make 60 calls, or some say 100, then you should get 4 – 6 meetings each month, and 1 will close. That’s the silliest thing I’ve heard in a long time. It’s like saying, if I put enough quarters in the slot machine, I’ll eventually win. Odds are odds. It doesn’t matter how many times you flip a coin, the odds of landing on heads are always 50%.
Not Numbers, Think Strategy and Value
Here’s the hard truth. If you have something people really need, know who to communicate to and how to communicate, you’ll connect. If they really need it, they’ll buy it. If you sell them something they really don’t need, they’ll figure it out. If your offering isn’t great, they’ll leave you shortly after signing.
In my newest book – Digital Money, due out in a couple of weeks, I explain to business leaders exactly why they need to rethink security. I show them what’s going on inside their organization that is destined to lead to disaster. And then I tell them why they can’t fix this internally, and what to look for in an IT service provider.
If you want to know what that service provider looks like, I explain the whole thing in my book, The House & The Cloud.
Don’t Be Fooled
The numbers game leads to business failure. Gartner, the WSJ, and many others are telling us, “The cloud is here, adapt or lose.” Margins on MSP business are shrinking. And don’t expect the data center business to come back next year. I heard that from someone yesterday. It’s not going to happen any time soon.
© 2016, David Stelzl
Assessments Just Might be Your Ticket to High Margin Business
Are you doing assessments? It might be security. But other assessments work just as well. Network, Cloud Readiness, Business Impact Analysis, etc.
You might be charging, or they might be free. Regardless, the assessment is not where the big payoff sits. Unless you’re a pure consulting firm (no product and no hosted services), you want this paper to convert to something.
Traditional sales models look at sales activities. I prefer to look at outcomes – in this case, conversion. The average assessment won’t convert to large project business or managed annuity contracts. If you’re in this boat, keep reading. A few questions you should be asking…
Why Don’t My Assessments Convert
The biggest mistake I see is one of being too technical.
The network engineer values the network. Bandwidth improvements, the benefits that come with software-defined networking (SDN), or the ability to provide secure access to many different types of devices all make sense. But handing in a report that shows the inventory, IP addresses, and possible hardware/software upgrades won’t get you a project.
Instead, start thinking about the major initiatives CIOs are working through right now. Mergers and acquisitions, customer experience gains – such as providing guest access and portals, collaboration that involves more video, etc.
These are business drivers…if your assessment starts by looking for these initiatives, you can then move to end-users to discover how they use the network, and what they’ll want out of it in the near future.
This leads to justification for SDN or greater agility.
Who Should I Include In the Process?
It’s tempting to make this all about technology – but don’t. From the above paragraph, you can see I am recommending you include executives responsible for business strategy, who will build their programs on this network.
From there you want to include end-users. This group is often left out of any technology sale. But they are your best influencers. Find out what they need to generate more business for their company and you’ll have the justification you need.
From there, you want to strategize with your team internally. Ask the question: what does this company really need in order to do what they want to do? Once you have the answers, you can then evaluate or assess their technology.
Your Deliverable Looks Like This…
Scrap the highly technical deliverable. You don’t have to throw it away, but think of it as reference material that goes in the back of the book. IT may want to see it – in fact it might be impressive to them. Let them have it.
But your primary deliverable is going to decision makers – business people.
So write the report to them. It’s not your executive summary – it’s your main report. It’s a business case. It’s the primary deliverable. Write it with care – make the case for the gains you’ve discovered, and show them what they need before they can get what they really want.
Hint: It might be worth hiring a copywriter to rewrite your report – once you have one that works, you can reuse the same language. Copywriting is a science used by marketers to move people through written content…don’t leave this to the high-tech people.
© 2016, David Stelzl
Last week I met Brian NeSmith, President of Arctic Wolf, out in Sunnyvale, California. Great solution for small and medium business resellers who need a detection solution supporting their MSSP offering! Take 2 minutes to watch this video…this is what I’ve been preaching for the last decade.
© 2016, David Stelzl
Here is the problem with most technology companies…
Actually there are four…and if you’re honest you’ll recognize that your company has all four.
- The Sales Problem. The sale is technical – too technical. Sales calls focus on technical people, technical products, and are conducted using technical presentations. The smarter your presales technical guy is, the better you feel about your chances of winning. On the other hand, there’s no pressing need and the deal often comes down to price comparisons as you respond to requests for proposals and quotations on products. You spend many hours working through issues that really don’t matter to a non-asset owner.
- The Marketing Problem. There’s a marketing disconnect. Most sales people are not happy with the marketing department, and marketing is not sure why sales won’t use their stuff. If you’re a marketing professional with real marketing expertise, or you have one in your company, you’re one of the few. Most of the resellers, and even smaller manufacturing companies don’t have marketing people who understand the power of direct response marketing, and how to make it work. Big companies spend millions on branding, but that won’t translate into sales in your region.
- The Assessment Problem. With compliance laws and uncertainty, people are assessing security. However, the assessments are not turning into remediation projects. Only about 20% of the assessments I see turn into projects or managed services contracts. Given that almost all assessments turn up issues I would call “urgent”, it doesn’t make sense that they wouldn’t convert to project work almost every time. Most assessments are too technical, focus on the wrong things, don’t highlight the urgency, and never reach the asset owner.
- The Presentation Problem. Chances are your company presentation is boring. It looks like every other technology-company presentation. It starts with your company name, how big you are, years in business, certifications, some great clients, and the products or services you provide. They all look the same. If you’ve had trouble booking new appointments with C-level executives to show your corporate presentation, I’m not surprised.
The updated version of The House & the Cloud is nearly complete. I’ve added answers to all four problems described above, and demonstrated how a great security value proposition, with a security sales strategy can alleviate these issues. Stay tuned…it should be going to print soon!
© 2014, David Stelzl
If you don’t have the current House & the Cloud book, you can get it free in PDF format right here. Download it and you’ll be one of the first to know when the new version is out!