Archives For Solution Strategy

Assessments Just Might be Your Ticket to High Margin Business

Are you doing assessments?  It might be security.  But other assessments work just as well. Network, Cloud Readiness, Business Impact Analysis, etc.  

You might be charging, or they might be free.  Regardless, the assessment is not where the big payoff sits.  Unless you’re a pure consulting firm (no product and no hosted services), you want this paper to convert to something.

Traditional sales models look at sales activities.  I prefer to look at outcomes – in this case, conversion. The average assessment won’t convert to large project business or managed annuity contracts.  If you’re in this boat, keep reading. A few questions you should be asking…

Why Don’t My Assessments Convert

The biggest mistake I see is one of being too technical.

The network engineer values the network. Bandwidth improvements, benefits that come with software defined networking (SDN), or the ability to provide secure access to many different types of devices, all make sense.  But handing in a report that shows the inventory, IP addresses, and possible hardware/software upgrades won’t get you a project.

Instead, start thinking about the major initiatives CIOs are working through right now. Mergers and acquisitions, customer experience gains – such as providing guest access and portals, collaboration that involves more video, etc.

These are business drivers…if your assessment starts by looking for these initiatives, you can then move to end-users to discover how they use the network, and what they’ll want out of it in the near future.

This leads to justification for SDN or greater agility.

Who Should I Include In the Process?

It’s tempting to make this all about technology – but don’t. From the above paragraph, you can see I am recommending you include executives responsible for business strategy, who will build their programs on this network.

From there you want to include end-users.  This group is often left out of any technology sale. But they are your best influencers. Find out what they need to generate more business for their company and you’ll have the justification you need.

From there, you want to strategize with your team internally. Ask the question – what does this company really need to do what they want to do?  Once you have the answers, you can then evaluate or assess their technology.

Your Deliverable Looks Like This…

Scrap the highly technical deliverable. You don’t have to throw it away, but think of it as reference material that goes in the back of the book. IT may want to see it – in fact it might be impressive to them. Let them have it.

But your primary deliverable is going to decision makers – business people.

So write the report to them. It’s not your executive summary – it’s your main report. It’s a business case. It’s the primary deliverable. Write it with care – make the case for the gains you’ve discovered, and show them what they need before they can get what they really want.

Hint: It might be worth hiring a copywriter to rewrite your report – once you have one that works, you can reuse the same language. Copywriting is a science used by marketers to move people through written content…don’t leave this to the high-tech people.

© 2016, David Stelzl



Last week I met Brian NeSmith, President of Arctic Wolf out in Sunnyvale California. Great solution for small and medium business resellers who need a detection solution supporting their MSSP offering! Take 2 minutes to watch this video…this is what I’ve been preaching for the last decade.

© 2016, David Stelzl

Four Big Problems That Will Derail Your Sale

Here is the problem with most technology companies…

Actually there are four,

…and if you’re honest you’ll recognize that your company has all four.

  • The Sales Problem. The sale is technical – too technical. Sales calls focus on technical people, technical products, and are conducted using technical presentations. The smarter your presales technical guy is, the better you feel about your chances of winning. On the other hand, there’s no pressing need and the deal often comes down to price comparisons as you respond to requests for proposals and quotations on products. You spend many hours working through issues that really don’t matter to a non-asset owner.
  • The Marketing Problem. There’s a marketing disconnect. Most sales people are not happy with the marketing department, and marketing is not sure why sales won’t use their stuff. If you’re a marketing professional with real marketing expertise, or you have one in your company, you’re one of the few. Most of the resellers, and even smaller manufacturing companies don’t have marketing people who understand the power of direct response marketing, and how to make it work. Big companies spend millions on branding, but that won’t translate into sales in your region.
  • The Assessment Problem. With compliance laws and uncertainty, people are assessing security. However, the assessments are not turning into remediation projects. Only about 20% of the assessments I see turn into projects or managed services contracts. Given that almost all assessments turn up issues I would call “urgent”, it doesn’t make sense that they wouldn’t convert to project work almost every time. Most assessments are too technical, focus on the wrong things, don’t highlight the urgency, and never reach the asset owner.
  • The Presentation Problem. Chances are your company presentation is boring. It looks like every other technology-company presentation. It starts with your company name, how big you are, years in business, certifications, some great clients, and the products or services you provide. They all look the same. If you’ve had trouble booking new appointments with c-level executives, to show your corporate presentation, I’m not surprised.

The updated version of The House & the Cloud is nearly complete.  I’ve added answers to all four problems described above, and demonstrated how a great security value proposition, with a security sales strategy can alleviate these issues.  Stay tuned…it should be going to print soon!

© 2014, David Stelzl

If you don’t have the current House & the Cloud book, you can get it free in PDF Format right here (CLICK). Download it and you’ll be one of the first to know when the new version is out!

What Should the CIO Be Doing in 2014?

NOTE: I’ve published much more detail on this in the SVLC Insider’s Circle PRIVATE FORUM under TRENDS.

Mike McConnell’s article published in the WSJ on Feb. 4th, 2014 was excellent – commenting on What CISOs should take away from Target’s recent loss – which is unknown, but might be measured in Billions of Dollars in losses.  Let’s not leave this event without some lessons-learned.

It turns out that Target’s malware problem persisted up to 15 days after the malware was cleaned up…this came out in a hearing yesterday.

One sound bite that came out of this: Malware often sits dormant on a system for up to 200 days before being used maliciously!  Another quote from the FBI – it takes an average of 14 months for companies to detect an attack.

What should C-Level leadership be doing in the area of security?  Strategy and business growth are key leadership responsibilities, but as stated in one of my earlier posts, all of these forward thinking things require technology, and if the technology isn’t secure, the customer soon won’t care that you have a new line-busting application, or that you offer some type of Telepresence interaction to help decorate your home.

Proactive Leadership Is Required

Cybercrime, as we’ve just witnessed will be a growing cost to organizations around the world – but expect the U.S. to be particularly hard hit without chip and pin technology in place. And this is just one example of a weakness in security measures.

McConnell states in his article – business leaders must have a proactive response in place, know what to say to their customers the moment it happens, and “Determine the right steps to take to ensure damage to the organization is fully contained.”

He goes on to talk about remediation, stating, “Even the best remediation efforts fall short if the organization operates from an outdated security model.” What is that outdated model?  That is one of the key points from my 2007 edition of The House & the Cloud.  Somewhat before its time, some people thought I was making some outrageous claims in my book, but here in 2014 they don’t seem so bold.  The key point is that perimeter security always fails eventually, and besides, the data isn’t really sitting in the data center anyway.  I wrote this in 2007 as well, but now with BYOD trends, no one can argue differently.

McConnell recommends companies move quickly to a “Predictive edge to sense and preempt coming attacks.” This fits well with the detection strategy I’ve recommended in my book.  I go on in The House & the Cloud to discuss what the response plan must look like.  McConnell agrees with these insights, stating that this is more of a “Tradecraft” than a degree or education. We need people with experience.

His article calls on CISOs to “Accept and understand that remediation-centric cyber defense is not enough…Organizations need to change their entire security model from one of compliance (meeting basic standards for data protection) to a holistic multifaceted program…”  This is what my book calls, The Coverage Model.

Many of these steps are being taken in the largest banks and energy companies. But what about the mid-market and SMB companies?  While plenty of innovation is taking place in smaller companies – meaning there are large high-valued repositories of data in these companies, they can’t really afford the kind of technology McConnell is promoting – nor can they staff the people with the tradecraft he recommends.

This is clearly an opportunity for the solution provider…consider Virtual CISO services, detection oriented managed services, and a well trained response team that works with companies not only after the fact, but prior to an incident to establish a proactive plan.

© 2014, David Stelzl

Let us help you make the move to Security Adviser – join the SVLC Insider’s Circle Today…









Board members want to know!  The news is out – neighboring countries are stealing your client’s stuff.  Ten years of R&D investment can be out the window in a few seconds when another country decides to take their data and duplicate their products at a fraction of the cost.

I returned last night from a week in Chicago, having met with several business leaders; CEOs running financial companies, to directors overseeing the IT aspects of manufacturing. In several cases people were looking for some way to measure their risk – a directive given straight from the board of directors.  What is it exactly that the board wants to see?  If you have never presented to a board, you want to.  This is where the decision making happens, and it is guaranteed to short cut a lengthy decision making process if well presented.

1. First, they want to know what their exposure is.  Exposure is risk, not impact or vulnerability (which is what most people will present if asked).  A calculation of risk requires, not only understanding the impact on certain business metrics – such as production, shareholder value, stock price, and brand – but the likelihood it will happen.  If you can’t explain the likelihood, the value of the data is nearly zero.

2. Then, knowing the top 4 to 6 threats is important.  There are thousands of threats, but only a few matter.  The board wants to know what systems/data is at risk, and why.

3. Given a list of top threats relevant to this specific business, and an expert’s opinion on the likelihood, the question of trending must be addressed.  “Are things improving, or getting worse?”  “How do you know?” and “How are we managing this?”

4. Obviously, if things are getting worse, there needs to be a get well plan.  It takes an average of 14 months to detect a breach according to recent FBI reports, so how do we know this data is accurate, and we are not one of the average companies who will discover when it’s just too late that, “We’ve been hacked?”

Before going forward with an assessment, make sure you have the right people involved, make sure you are measuring the right things, and make sure you are putting this into a format that will make sense to your target audience.  If your target audience seems to be IT, chances are you are simply providing a security education to those looking to enhance their resumes.  On the other hand, if you are there to measure risk for those in charge, make sure you are delivering something that speaks to the executive level.  IT rarely gets what they need in terms of support and funding on the security side – and it’s the fault of those making the case.  Change the approach and you’ll find a greater adoption of the things that matter.

If you are serious about getting this right the first time – I highly recommend attending my upcoming workshop, Making Money w/ Security…a nationally recognized program designed for those who want to advise executives on their data security strategy.

© 2013, David Stelzl

Well, in Denver earlier this week I was out and about with just a suit jacket…it was close to 60 degrees during the day.  That was the first half of my week.  On to Chicago, and it’s definitely winter (as you can see from my snowy car picture).

Today I’ll be working with a company on their security business strategy – their go-to-market plan to grow security sales in 2013.  Hopefully you have one of these…if not, it’s not too late.  But don’t go into February without one.

This morning’s Wall Street Journal answers the question on how relevant this business direction is: “Security is moving from a functional IT area, often below the paygrade of CIOs, to strategic importance at the highest levels of corporations.  IT security’s rise from being a functional area to a board level concern is maybe the fastest I’ve ever seen,”  says Thomas Sanzone, senior vice president of consulting firm Booz Allen Hamilton Inc…so is this a smart direction?  Yes!

I had the privilege of sharing the stage with Bob Bragdon of CSO magazine earlier this week (in Denver), and he shared with us that only about half of Fortune 2000 executives believe they are well equipped in their security strategy. He then showed us a study CSO conducted, showing that really, only about 8% of them actually have something in place – the rest are in big trouble.  In an article I referenced last week, Wall Street reported on security, quoting cybersecurity experts who believe that every major company in the US has been infiltrated by hackers – the new wave of threats, according to Bragdon, is more focused on stealing intellectual capital than credit card fraud.  Other countries are slowly shifting us of our innovation and intellectual capital.  There is no one single incident big enough to lead us into a war, but if we don’t do something soon, we’ll find ourselves completely exposed and crushed in a market of copycats and cheap overseas products.  This is not good.  (Worse, they are in our DoD systems!)

In a recent meeting with the former CIO of a large Florida university system, who also served in the military working with intelligence, I was told  that, “Our country is behind in the area of cyberwarfare.”  Other countries are attacking – note the recent attacks on major banks in this country, yet we are unable to prove who is responsible.  “It’s no longer a 2-dimensional war” he said, “That’s all our military leadership really understands…”

So is security still relevant?  It’s probably more relevant today than it was 10 years ago when organized crime began raiding databases to steal credit card information.

© 2013, David Stelzl