Archives For Sound Bites

Small Businesses Are Under Attack – Daniel DeFay, Provider of Security and IT Services to the Legal Industry, Interviews David Stelzl, CISSP, Author of The House & the Cloud.  Find out what Stelzl has to say about threats and security….

  • Small business security threats…
  • Vertical industry threats specifically …
  • BYOD – is it safe?
  • The right approach for small businesses
  • What about cloud?

© 2018, David Stelzl


Interviews – The Fastest Way to Start Marketing With Video…

Face it, video is the media people consume. There’s so much to read online that people can’t read it all. Yes, I still write posts.

When there’s something requiring detailed instructions, lists, etc. you want to write it so your readers can follow it…

Video anything that’s more storyline-like. In a recent workshop I led on getting more assessments booked, Prospecting Secrets, I talked about mixing media to attract new clients – email, hardcopy, video. Video is powerful – it’s time to start using it.

However, if you’re just getting started, you might not feel confident doing your own program / video on YouTube…so try an interview.  Here’s an example – Ron Cousins (Sr. Partner and Founder of NowX) shares his insights as he poses questions about small business cybersecurity trends to me, his guest speaker/ author…

These types of videos are easy to produce, offer great content to your target market, and allow you to create associations with industry experts, executives, authors, and anyone you can land an interview with – without having to carry the entire program…

© 2018, David Stelzl


If you’re having trouble getting prospects, it’s not just you…people are tired of sales-vmails…In fact many of us (including me) have turned our ringers off on office phones to stop the madness.

I’d never get anything done if I answered them.  However, there is something you can do about it. As I’m preparing for a workshop I’m conducting in July, I thought I’d post this on my blog…there’s a lot more to it than can be said here, but at least start thinking about it.

© 2018, David Stelzl

Hey Everyone, I’m just putting the final touches on my WatchGuard keynote for next week’s partner event in Miami…and then on to Ibiza, Spain for their EMEA conference!

Also, you’ll want to download my free Cybersecurity Risk Assessment Template – it’s the key to closing without bickering over price!

https://davidstelzl.net/free-report-download

© 2018, David Stelzl

Merry Christmas, Happy Hanukah, and Happy Holidays From All of Us…

Thanks to everyone who’s been a part of our 2017 – celebrating 14 years in business this month!

Copyright 2017 David Stelzl

Successful Security Assessments Conclude With Live Presentations…

If your firm provides outsourced IT services, or security-related products and services, then you know that assessments are often the first step in landing new business.

However, if you take the time to measure your actual business-drag, you may find it less than stellar.

The fact is, most security assessments don’t lead to additional business…They should, but they don’t. Why? Because most security assessments leave out this one vital step…

…Live delivery to ASSET OWNERS. 

(Find out more about asset owners and executive sales calls in The House & The Cloud – 2nd Edition)

(And Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Imagine a court case, where the evidence is presented in written technical reports…

No testimonies, no witnesses called…no emotional appeal, no angry outbursts or tears…just dry, unadulterated facts on paper.

How would this approach affect the decisions made on murder, rape, and other heinous crime cases?

Conversion & The Power of LIVE

There are three major people-groups you care about when performing a risk assessment: Information Technology (IT), End-Users (or Business-Level Asset Owners), and CIO/CISOs (Or anyone in the C-Suite).

All three groups must be moved to action, but each has different needs and will respond to different messaging. The one thing they all have in common is, emotion. In the end, all sales are emotional decisions. Crafting the right message for each is essential…

However, before going into the message, it’s important that we understand delivery and the power of live…(The media).

Reports are important. They provide the details behind what you present. However, they often go unread. Think of them as supporting documentation.

Like in a legal battle, it’s the LIVE testimonies that carry the weight. And the testimony of an eye witness is the most powerful testimony that jury will hear. Take the emotionally charged live testimony away, and you’ll see a much different outcome.

Delivering your results in person, to the right people, with the right message, can take your Assessment-To-Remediation conversion from 15% to 60% or 80% overnight…let’s take a look.

What Matters Most

Businesses have a need to measure their risk. Especially right now, as companies work to streamline operations, eliminate waste, and build stronger customer bonds in a highly competitive, global market…

New technologies offer amazing opportunities, while at the same time open major holes in the firm’s security architecture.

What matters most? Intelligence…insight.

Where is the data? Who has access? What are the relevant threats to that business? What are the odds something will happen? Can they recover in time if something does happen? Or would they know in time to stop a disaster? These questions must be answered…

However, not all constituents have the same concerns or the same questions…

IT Care-Abouts

What does IT care about? I’m sure there are dozens of opinions out there. The opinion of C-Level Executives I’ve interviewed over the past year suggests that IT personnel are out of touch with business requirements and mission-critical systems. So at the least, IT’s view of risk will be misaligned with the business in question.

It’s also my opinion (after having managed IT for a global bank, and working in IT for a global pharmaceuticals manufacturer) that IT personnel are more concerned with their actual position, career opportunity, and life-work balance than they are with the risk measurements of their employer.

So, while the details of security technology are of great interest, the actual impact of an attack has little long-term effect on the IT worker.

Even if they lose their job (which is unlikely), their personal brand and reputation only stand to blossom as they respond to an actual event.

Consider the following: If attacked, they now have actual cyber-forensics experience listed on their resume (even if they didn’t personally save the day).  The blame will go to those who didn’t approve IT’s most recent recommendations / budget requests. The CIO will be front page news, not IT…

So what does IT care about when it comes to cybersecurity…answers vary by individual (of course)…but, on average, the seller can assume…

They care about the experience… The approach to assessing risk, the vulnerabilities, the technologies, and the potential for new next-gen security products and security controls.

Security represents the IT worker’s greatest job-upgrade opportunity.

End-User Care-Abouts

Asset Owners come in two flavors…executives and knowledge workers. Let’s look at the knowledge worker first. This is the person who creates and uses data to make money for the business. They’re asset owners because they are liable for their data.

Examples might include the investment banker working with wealthy clients, R&D looking at new cures for a disease others have not been able to stop, etc. Data is an asset – one The Wall Street Journal has called the “Oil of The New Millennium”.

If this data were compromised, misused, or made unavailable for any reason, the Asset Owner would be out of business, at least for the short term. And any sort of outage would cost them personally and professionally.

CISO/CIO Care-Abouts

The third group, also an asset owner, is the C-Level (CIO/CISO). This group is much like the End-User Asset Owner…shareholder value is important here. The CISO, according to my recent CISO interviews, finally has a seat at the table. And they must earn it every day.

What’s the CISO’s job?

The CISO translates risk and compliance from technical to business. Great CISOs create awareness based on data coming from IT workers and your assessments.

The closer your report delivers relevant data in executive terms, the more likely they will be successful in their role.  In summary (from my book, The House & The Cloud Pg. 195), the CISO is looking for their top 3 to 5 threats, the impact associated with each, and the odds that any one of them will be realized.

It will be up to the CISO to report the trends and present a plan to keep the company at an acceptable level of risk. Note, the CISO won’t have this intel in their head – they’ll need subject matter experts.

But as I’ve already stated, IT is ill-equipped and unlikely to add any real value to this plan, given their disconnect with the business side (straight from the CIO’s mouth…).

Next time you assess…include the knowledge workers, interview the execs, and schedule your delivery meetings up front, with asset owners in mind.

© 2017, David Stelzl


Wait, Does Anybody Actually Read Your Risk Assessment Reports?

Assessing RISK is one thing. Writing readable reports is another.  And if no one is going to read your work, why write about it? So how can you change this trend of ignoring urgent findings?

Last week I wrote a post on defining Risk Assessments, and the Long Tail (that should be dragging product, projects, and managed services). The problem is, only about 15% of the assessments are converting (according to the hundreds of sales people I interact with through coaching and training programs).

Why? Because no one actually reads them!

In a future post I plan to talk more about the report itself.  But the one piece of the assessment report that, if left out, makes the assessment useless, is a measure of risk.

If your report doesn’t report risk (and instead focuses on technical misconfigurations and outdated patching) chances of getting read are slim.

The One Thing You Can’t Afford to Leave Out of Your Next Risk Assessment Report

Not only can you not leave this one thing out, it actually defines your assessment approach.  If you’re looking for a way to report relevant security risks and recommendations to senior managers, keep reading…

Impact vs. Likelihood is a measure of risk. 90% of the reports I read leave out this quantitative measurement. Instead, executive summaries show Green-Yellow-Red bubbles, with esoteric techno babble beside each. The term EXECUTIVE SUMMARY is just, A-SUMMARY. There’s nothing EXECUTIVE about it.

Test your report…give it to an executive (one you know well) and ask them if it’s readable.

While the colors are meant to alert the reader (RED=URGENT), the reader has nothing to compare this URGENT indicator to.

There’s no measure of LIKELIHOOD.

How To Measure Anything

The problem is, the analytical-technical mind refuses to put a number on LIKELIHOOD.

The argument is, the odds of an attack can’t be accurately quantified…The next time you hear this from your technical team members, point them to the book, How to Measure Anything. Risk can be quantified (with a number or percent-likelihood).

We read risk statistics every day in the papers, and even pay doctors for their best guess – the prognosis. Consider some of the current measurements reported by our (trusted) media:

  1. I’m expected to live to age 91 – says the actuarial data.
  2. 15% chance of getting pregnant three days prior to ovulation.
  3. 7.62% chance of a male smoker developing lung cancer.
  4. Fast-food doubles your risk of pre-Type-2 Diabetes.

Security risks are no different. They’re estimates that can be derived from data we have right now (reference reports from the FBI, NSA, Verizon, etc.).

The problem is, no one is taking time to work the math, and no one wants to be called out to defend their number.
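As an added illustration of "working the math" described above (this is example code written for this page, not the author’s template or anything from the book), the script below builds a small risk register in the shape the CISO section asks for: each threat with an impact, an annual likelihood, and their product as an annualised expected loss, ranked so the top 3 to 5 threats come out on top. It also shows how a colour rating can disagree with the quantified ranking. Every threat name, dollar figure and probability is a constructed placeholder, not data from any assessment or published report.

```python
"""Rank threats by quantitative risk (impact x likelihood).

Added example for this page, not the author's code. For each threat we hold
the estimated impact (loss per event, in dollars), the likelihood (probability
of at least one event in the next twelve months) and compute their product,
the annualised expected loss. Threats are ranked by that number so an executive
summary can list the top N threats with impact and odds, instead of colour
bubbles. All values below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    impact_usd: float            # estimated loss if the event occurs once
    likelihood_per_year: float   # probability of at least one event in 12 months
    rating: str                  # the qualitative colour a report currently shows

    def expected_loss(self) -> float:
        """Annualised expected loss: impact x likelihood, with input checks."""
        if not 0.0 <= self.likelihood_per_year <= 1.0:
            raise ValueError(f"{self.name}: likelihood must be a probability in [0, 1]")
        if self.impact_usd < 0:
            raise ValueError(f"{self.name}: impact cannot be negative")
        return self.impact_usd * self.likelihood_per_year


# Constructed sample register (placeholder values, not real statistics).
SAMPLE_REGISTER: List[Threat] = [
    Threat("Ransomware via phishing email", 250_000, 0.30, "RED"),
    Threat("Unpatched internet-facing server exploited", 120_000, 0.15, "RED"),
    Threat("Lost or stolen unencrypted laptop", 40_000, 0.50, "YELLOW"),
    Threat("Insider copies client list to personal account", 600_000, 0.05, "YELLOW"),
    Threat("Guest Wi-Fi misconfiguration", 5_000, 0.60, "RED"),
]


def rank_threats(register: List[Threat], top_n: int = 5) -> List[Tuple[str, float, float, float]]:
    """Return (name, impact, likelihood, expected_loss) for the top_n threats by expected loss."""
    ranked = sorted(register, key=lambda t: t.expected_loss(), reverse=True)
    return [(t.name, t.impact_usd, t.likelihood_per_year, t.expected_loss()) for t in ranked[:top_n]]


def total_expected_loss(register: List[Threat]) -> float:
    """Sum of annualised expected losses across the whole register."""
    return sum(t.expected_loss() for t in register)


def colour_vs_quantified(register: List[Threat]) -> List[Tuple[str, str, int]]:
    """Pair each threat's colour rating with its rank by expected loss.

    Sorted by colour first, so a reader can see a RED item sitting at the
    bottom of the quantified ranking while a YELLOW one sits near the top.
    """
    ranked_names = [row[0] for row in rank_threats(register, top_n=len(register))]
    colour_order = {"RED": 0, "YELLOW": 1, "GREEN": 2}
    rows = [(t.name, t.rating, ranked_names.index(t.name) + 1) for t in register]
    return sorted(rows, key=lambda r: (colour_order[r[1]], r[2]))


def executive_summary(register: List[Threat], top_n: int = 5) -> str:
    """Plain-text table: top threats, impact, annual odds, expected loss, and the total."""
    lines = [f"{'Threat':<48} {'Impact':>10} {'Odds/yr':>8} {'Exp. loss':>10}"]
    for name, impact, odds, loss in rank_threats(register, top_n):
        lines.append(f"{name:<48} ${impact:>9,.0f} {odds:>7.0%} ${loss:>9,.0f}")
    lines.append(f"Total annualised expected loss: ${total_expected_loss(register):,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(executive_summary(SAMPLE_REGISTER, top_n=3))
    for name, rating, rank in colour_vs_quantified(SAMPLE_REGISTER):
        print(f"{rating:<7} rank {rank}: {name}")
```

With these placeholder numbers the high-likelihood, low-impact "RED" Wi-Fi item lands last, while the low-likelihood, high-impact "YELLOW" insider item ranks second, which is the kind of reordering a colour-only summary hides from the person holding the checkbook.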

Understanding the Power of an Impact vs. Likelihood Graph

If you agree with my Long-Tail definition of The Risk Assessment, you really want the person holding the checkbook to read your report. Absent that, your work is a waste of time.

If the newspaper says I’m more likely to develop Type-2 Diabetes or obesity because I eat at McDonalds, I’ll probably listen, but take no action. If I do take action, it’s because I already feel crummy and came across this data while searching for answers…I was ready to buy before the sales pitch was ever delivered.

On the other hand, if the doctor comes back with my blood work, tells me I have insulin resistance (which is the precursor to Type 2 Diabetes), and then goes on to explain what my life is going to be like if I don’t stop (they deliver a prognosis with a percent-likelihood)…suddenly I’m eating salads for lunch.

Note: Within a few weeks I’ll be back to McDonalds unless the doctor provides some sort of accountability.

The Underestimated Aftermath of Red and Green Circles

When the guy with the check book sees RED circles, don’t expect them to write a check. Instead, watch the buyer pass your report down to IT.

IT will flip through it, perhaps make a few configuration changes, and shelve it. When the executive asks, “Are we okay?” IT will answer, “We’ve got it covered.”

Tomorrow you’ll read about your client in the paper. The CIO will be front page news (Sudden job loss). The IT guy will be on the street as well, but hired within a week, enjoying his 20% raise.

You will no longer be their named account manager.

More to Come…

If you want to know…

  • How to sell the right kind of assessment
  • How assessments should be conducted and why the sales rep should be involved
  • What the report should look like
  • and How results should be delivered for maximum impact and conversion

Subscribe…click on the right-hand sidebar at the top. More to Come…

© 2017, David Stelzl

PS. Get My Step-By-Step Interview Process in my Book, The House & The Cloud