Archives For Sound Bites

courtroomSuccessful Security Assessments Conclude With Live Presentations…

If your firm provides outsourced IT services, or security-related products and services, then you know that assessments are often the first step in landing new business.

However, if you take the time to measure your actual business-drag, you may find it less than stellar.

The fact is, most security assessments don’t lead to additional business…They should, but they don’t. Why?  Because most security assessment leave out this one vital step…

…Live delivery to ASSET OWNERS. 

(Find out more about asset owners and executive sales calls in The House & The Cloud – 2nd Edition)

(And Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Imagine a court case, where the evidence is presented in written technical reports…

No testimonies, no witnesses called…no emotional appeal, no angry outbursts or tears…just dry, unadulterated facts on paper.

How would this approach affect the decisions made on murder, rape, and other heinous crime cases?

Conversion & The Power of LIVE

There are three major people-groups you care about when performing a risk assessment: Information Technology (IT), End-Users (or Business-Level Asset Owners), and CIO/CISOs (Or anyone in the C-Suite).

All three groups must be moved to action, but each has different needs and will respond to different messaging. The one thing they all have in common is, emotion. In the end, all sales are emotional decisions. Crafting the right message for each is essential…

However, before going into the message, it’s important that we understand delivery and the power of live…(The media).

Reports are important. They provide the details behind what you present. However, they often go unread. Think of them as supporting documentation.

Like in a legal battle, it’s the LIVE testimonies that carry the weight. And the testimony of an eye witness is the most powerful testimony that jury will hear. Take the emotionally charged live testimony away, and you’ll see a much different outcome.

Delivering your results in person, to the right people, with the right message, can take your Assessment-To-Remediation conversion from 15% to 60% or 80% overnight…let’s take a look.

What Matters Most

Businesses have a need to measure their risk. Especially right now, as companies work to streamline operations, eliminate waste, and build stronger customer bonds in a highly competitive, global market…

New technologies offer amazing opportunities, while at the same time open major holes in the firm’s security architecture.

What matters most? Intelligence…insight.

Where is the data? Who has access? What are the relevant threats to that business? What are they odds something will happen? Can they recover in time if something does happen? Or would they know in time to stop a disaster?  These questions must be answered…

However, not all constituents have the same concerns or the same questions…

IT Care-Abouts

What does IT care about? I’m sure there are dozens of opinions out there. The opinion of C-Level Executives I’ve interviewed over the past year suggests that IT personnel are out of touch with business requirements and missions critical systems. So at the least, IT’s view of risk will be misaligned with the business in question.

It’s also my opinion (After having managed IT for a global bank, and working in IT for a global pharmaceuticals manufacturer) IT personnel are more concerned with their actual position, career opportunity, and life-work balance, than they are the risk-measurements of their employer.

So, while the details of security technology are of great interest, the actual impact of an attack has little long-term affect on the IT worker.

Even if they lose their job (which is unlikely), their personal brand and reputation only stand to blossom as they respond to an actual event.

Consider the following: If attacked, they now have actual cyber-forensics experience listed on their resume (even if they didn’t personally save the day).  The blame will go to those who didn’t approve IT’s most recent recommendations / budget requests. The CIO will be front page news, not IT…

So what does IT care about when it comes to cybersecurity…answers vary by individual (of course)…but, on average, the seller can assume…

They care about the experience… The approach to assessing risk, the vulnerabilities, the technologies, and the potential for new next-gen security products and security controls.

Security represents the IT worker’s greatest job-upgrade opportunity.

End-User Care-Abouts

Asset Owners come in two flavors…executives and knowledge workers. Let’s look at the knowledge worker first. This is the person who creates and uses data to make money for the business. They’re asset owners because they are liable for their data.

Examples might include  the investment banker working with wealthy clients, R&D looking at new cures for a disease other’s have not been able to stop, etc. Data is an asset – one The Wall Street Journal has called, the “Oil of The New Millennium”.

If this data were compromised, misused, or made unavailable for any reason, the Asset Owner would be out of business, at least for the short term. And any sort of outage would cost them personally and professionally.

CISO/CIO Care-Abouts

The third group, also an asset owner, is the C-Level (CIO/CISO). This group is much like the End-User Asset Owner…shareholder value is important here. The CISO, according to my recent CISO interviews, finally has a seat at the table. And they must earn it every day.

What’s the CISO’s job?

The CISO translates risk and compliance from technical to business. Great CISOs create awareness based on data coming from IT workers and your assessments.

The closer your report delivers relevant data in executive terms, the more likely they will be successful in their role.  In summary (from my book, The House & The Cloud Pg. 195), the CISO is looking for their top 3 to 5 threats, the impact associated with each, and the odds that any one of them will be realized.

It will up to the CISO to report the trends and present a plan to keep the company at an acceptable level of risk. Note, the CISO won’t have this intel in their head – they’ll need subject matter experts.

But as I’ve already stated, IT is ill-equipped and unlikely to add any real value to this plan, given their disconnect with the business side (Straight from the CIOs mouth…).

Next time you assess…include the knowledge workers, interview the execs, and schedule up front, your delivery meetings with asset owners in mind.

© 2017, David Stelzl




boredWait, Does Anybody Actually Read Your Risk Assessment Reports?

Assessing RISK is one thing. Writing readable reports is another.  And if no one is going to read your work, why write about it? So how can you change this trend of ignoring urgent findings?

Last week I wrote a post on defining Risk Assessments, and the Long Tail (that should be dragging product, projects, and managed services).  The problem is, only about 15% of the assessments are converting (according the the hundreds of sales people I interact with through coaching and training programs).

Why? Because no one actually reads them!

In a future post I plan to talk more about the report itself.  But the one piece of the assessment report that, if left out, makes the assessment useless, is a measure of risk.

If your report doesn’t report risk (and instead focuses on technical misconfigurations and outdated patching) chances of getting read are slim.

The One Thing You Can’t Afford to Leave Out of Your Next Risk Assessment Report

Not only can you not leave this one thing out, it actually defines your assessment approach.  If you’re looking for a way to report relevant security risks and recommendations to senior managers, keep reading…

Impact vs. Likelihood is a measure of risk. 90% of the reports I read leave out this quantitative measurement. Instead, executive summaries show Green-Yellow-Red bubbles, with esoteric techno babble beside each. The term EXECUTIVE SUMMARY is just, A-SUMMARY. There’s nothing EXECUTIVE about it.

Test your report…give it to an executive (one you know well) and ask them if it’s readable?impact-v-likeihood

While the colors are meant to alert the reader (RED=URGENT), the reader has nothing to compare this URGENT indicator to.

There’s no measure of LIKELIHOOD.

How To Measure Anything

The problem is, the analytical-technical mind refuses to put a number on LIKELIHOOD.

The argument is, Odds of and attack can’t be accurately quantified…The next time you hear this from your technical team members, point them to the book, How to Measure Anything. Risk can be quantified (with a number or percent-likelihood).

We read risk statistics everyday in the papers, and even pay doctors for their best guess – the Prognosis. Consider some of the current measurements reported by our (trusted) media:

  1. I’m expected to live to age 91 – say the actuarial data.
  2. 15% chance of getting pregnant three days prior to ovulation.
  3. 7.62% chance of a male smoker developing lung cancer.
  4. Fast-food doubles your risk of pre-Type-2 Diabetes.

Security risks are no different. They’re estimates that can be derived from data we have right now ( Reference  report from the FBI, NSA, Verizon, Etc).

The problem is, no one is taking time to work the math, and no one wants to be called out to defend their number.

Understanding the Power of an Impact vs. Likelihood Graph

If you agree with my Long-Tail definition of The Risk Assessment, you really want the person holding the checkbook to read your report. Absent that, your work is a waste of time.

If the newspaper says I’m more likely to develop Type-2 Diabetes or obesity because I eat at McDonalds, I’ll probably listen, but take no action. If I do take action, it’s because I already feel crummy and came across this data while searching for answers…I was ready to buy before the sales pitch was ever delivered.

On the other hand, if the doctor comes back with my blood work, tells me I have insulin resistance (which is the precursor to Type 2 Diabetes), and then goes on to explain what my life is going to be like if I don’t stop (they deliver a prognosis with a percent-likelihood)…suddenly I’m eating salads for lunch.

Note: Within a few weeks I’ll be back to McDonalds unless the doctor provides some sort of accountability.

The Underestimated Aftermath of Red and Green Circles

When the guy with the check book sees RED circles, don’t expect them to write a check. Instead, watch the buyer pass your report down to IT.

IT will flip through it, perhaps make a few configuration changes, and shelve it. When the executive asks, “Are we okay?” IT will answer, “We’ve got it covered.”

Tomorrow you’ll read about your client in the paper. The CIO will be front page news (Sudden job loss). The IT guy will be on the street as well, but hired within a week, enjoying his 20% raise.

You will no longer be their named account manager.

More to Come…

If you want to know…

  • How to sell the right kind of assessment
  • How assessments should be conducted and why the sales rep should be involved
  • What the report should look like
  • and How results should be delivered for maximum impact and conversion

Subscribe…click on the righthand side bar at the top. More to Come…

© 2017, David Stelzl

PS. Get My Step-By-Step Interview Process in my Book, The House & The Cloud




Decoding The Security Assessment Sales Opportunity

And Why You Can’t Afford Not to Know What Your Client Is Asking For (Or Actually Needing)

Most IT Services Companies do security assessments. Do you? Why or why not?

The Security Assessment (approached correctly) just might be the start of your BIGGEST sale this year!  Let’s take a look…

(And Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Assessments Come in Many Flavors

15 Years ago I was leading a global reseller’s security team.  We were selling assessments (and more). But we where leaving a lot of money on the table.  If we had known what I know now, assessments would have doubled and tripled our profits.

Assessment can mean a lot of things. How you define this obscure project will determine if you get the long-tail (follow-on business resulting from this one door-opening engagement) or not.

The IT Director’s Definition

If you sell to IT directors, and they’re saying, “We need a security (or risk or vulnerability or pen test) assessment, this non-buyer could be saying different things. Chances are high, they don’t really know what they need.

Ask them, and you’re likely to get something like, “We need to know if our systems are secure – or accessible to hackers.”

You know the answer without looking. “No…hackers can always access your data”.

While they might need something for compliance, or are just carrying out orders from above, the IT Director’s ability to understand true business risk is limited at best.

If the director is defining assessment in their own words, they’re picturing a list of vulnerabilities and a punch list to patch things up.

You can’t let the IT director define your assessment.

Instead, you will want to EDUCATE your prospect on what board members (or executive management) really need. Educating and selling what’s really needed puts the deal back in your court, and allows you to sell from your home-court advantage point.

The CIO’s Definition

The CIO, if asked, would likely define Assessment differently. CIOs are being asked (quarterly) by the board to quantify business risk.  Risk is more a look at business impact and likelihood.

The request looks something like this: Give us…

  • Our top 3-5 threats right now.
  • How exposed are we (or what are the odds we’ll be compromised or suffer a major incident over the next 3 to 12 months)?
  • How are we managing to our risk?

Can the CIO deliver? No. Not without some help from security analysts that understand how to put risk measurement into business-leader language.

Your Technical Person’s Definition

If you ask your SE or Security Consultant, they may be thinking pen test, vulnerability, compliance, or risk…each one has it’s own definition. This one question (what is a security assessment) can turn into a lengthy discussion (debate) riddled  with semantics…

What do technical people picture (Yes, I did come from the technical side)?

Probably the  NETWORK (architecture, segmentation, router/switch configuration, encryption levels, wireless exposure, etc.), SCANS inside and out, operating system  (O/S) reviews (hardening, active processes, access rights, patches, etc.), and perhaps the WEBSITES (code, SQL Injection vulnerabilities, etc.)

It’s all pretty technical…

Your Definition

Depending on how technical you are, your answer will vary. Probably one of the above…perhaps more or less technical…and depending on the market you sell into, highly profitable (as in large comprehensive risk assessments done for fortune 500 firms)…

…Or of little value, and full of margin crushing surprises (as in assessing risk for the rather stingy Small Business Market).

The Right Definition

The right definition (in my opinion) is a door opener…a marketing document.  The assessment should be the start of a long tail.

Only about 15% of the assessments I see ( and I see lots of them) convert to long-tail business (remediation and managed services).  But over 90%, according to my friends on the security consulting side, reveal what they would call, urgency.

This low conversion epidemic is like an oncologist, with a long line of patients, that show obvious signs on cancer in their blood work, but are unwilling to enter any treatment plan.

That doctor is a FAILURE. He’s correctly diagnosed (at least at a level that delivers a high degree of certainty) however, he seems unable to convince dying patients of their life-threatening disease.

Security is like cancer. It comes on suddenly, is hard to detect, but left untreated, will kill the victim.

If your assessments show urgency, yet fail to convert, it’s not an economy problem. It’s an epidemic.

Like with cancer, few people will consult their budget before entering treatment. They’ve heard the bad news, know they must take action, and therefore they do. Only when hit with the reality of what’s not covered by insurance, will they start looking at budgets…but this is an effort to reprioritize, not stop treatment.


Making the Tail Longer

Over the next few weeks my goal is to expand on these concepts…and to lengthen the conversion tail that should follow any true risk assessment.  To answer questions like:

  • How do  I sell this thing.
  • Who do I sell it to.
  • How should it be conducted .
  • How do I convert it to business.
  • Is there a way to make it recurring (hint, there is)
  • When should it be free, and how much can I charge.

Stay tuned…

© 2017, David Stelzl

canstockphoto36882341Stuxnet Brought Disaster to Something That Needed to Die…

Why do Your Clients Need You?  After all, The Customer Is Always Right. Right?…Or Are They?  But before we get to that…

Iranian Nuclear Weapon Developments…Remember Stuxnet? The malware sent to DESTROY the Iranian Centrifuges?

When Stuxnet was unveiled, I predicted it would be back. STUXNET IS BACK!!!!

The developers claimed that Stuxnet would self-destruct after sabotaging the Iranian threat…of course the self-kill part of the program couldn’t be completely tested (for obvious reasons).

Everything that goes online eventually turns up in the WRONG hands.

It’s like a new Newton’s Law or something. (In case you’re really into science and think Newton’s Gravitational Law is his 4th, it’s not…but this might be).

Moving on…

Malware In Memory Is Nasty Stuff

Kaspersky discovered some really nasty stuff about two years ago; MALWARE in MEMORY. “Kaspersky eventually unearthed evidence that Duqu 2.0 (the never-before-seen malware) existed and was derived from Stuxnet.” Duqu is a form of malware stored primarily in MEMORY…

Malware in memory (not in a file) is called FILELESS, and according to security analysts, this type of threat is going MAINSTREAM.

Just to give you a feel for how bad this is, it took Kaspersky 6 months for detect Duqu 2.0…that’s bad news for anyone trying to keep systems free from hacker invasions.

According to Kaspersky, “At least 140 banks and other enterprises [across about 40 different countries] have been infected by fileless malware to date.” Meaning, these banks have been successfully infiltrated by an in-memory malware nearly invisible to their IT people (or service providers).

Of course, since this nasty-code is so hard to detect, the actual number has to be much larger.

So far, these attacks seem to be aimed at ATM machines, with the purpose of moving money out of the bank and into the hands of thieves. Stuxnet was unstoppable, simply because it was a surprise attack. FILELESS Malware is one more example of hacker-innovation being one step ahead. The criminals have the advantage.

Insight: Your Client Has No Idea What They Have or What They Need

Once again, it makes NO sense to ask your client if they are infected with malware or need more security. Unless it’s an obvious YES, they don’t know. How could they.

For the past month I’ve been writing about messaging and attracting new leads (Did you get our FREE Special Report Designed to Attract New Prospects?). Once leads start coming in, your job is to educate…

Just yesterday I was on a coaching call. My client was retelling her sales story of meeting with a new prospect. Supporting her call, she had her local channel SE.

When it came time to review their recommendations, the SE asked the prospect, “Do you need this firewall to have failover?”

The prospect said, “No”.

…the SE said, “Okay.”

My client was shocked!!! How does the prospect know what they need???

When my client questioned the prospect’s maximum tolerable downtime (MTD) it became evident – this company would be dead in the water if their firewall were to go down during business hours. Hundreds of people sitting at their desks with nothing to do. How much would that cost the company? Can you picture it?

Is the client always right? Sure, except when we’re talking security…Your clients need an advisor. So be one…

P.S. Remember, The Trusted Advisor is….Trusted (recommends the right stuff) and able to advise (knows things the client doesn’t know, but needs to know).

P.S.S. If you need more leads, download this special report designed to attract business leaders in need of security!!!!

© 2017, David Stelzl


rsaHaving a Value Proposition That Sounds Like Everyone’s

Or Just Being Completely Irrelevant…

Won’t sell anything. When asked,”What does your company do?” or “Tell me about your company.” What should you say?

Five Answers to Avoid

  1. We’re a Value-Added Reseller.  Every IT person knows this is code for “We’re one of Cisco’s 65,000 US based resellers” or “One of 2000 SMB resellers joining Check Point’s channel program this year.” Oh, there’s nothing wrong with their technology. In fact both companies have great technology. But trying to convince someone you “Add-Value” won’t go very far.
  2. We Design, Deploy, and Manage…Blah Blah Blah. Every reseller designs (code for sells a product), installs hardware and software, and offers some way to manage it. When I hear this answer there’s always a pride in their voice as though they’re the only one who can install and manage a firewall.
  3. We Have the Best People. No you don’t. No one can claim to have the best people. That fact is resellers rarely know anything about the team across town unless they’ve just recently hired someone from their closest competitor.
  4. We’re Check Point’s (insert whatever brand you carry) No. 1 Reseller. No one cares. At least the prospect doesn’t care. Being Check Point of Cisco’s best reseller usually means your sales people are great at selling stuff. But  there’s really no value to the customer in this self promotional statement.
  5. “Let Us Come In And Show You Our Corporate Presentation.” I’ve saved this one for last because it’s my favorite. Let me guess…Company name, products we sell, companies we’ve done business with, certifications we have. And oh, by the way we’re their number one reseller, our people are better…buy from us!

Over the next couple of week’s I’ll provide you with some ideas on how to answer these questions. More importantly we’ll take a look at how to construct a stronger value proposition that communicates relevance and trust with your prospect. Remember, no one wants to hear more about your company until they think you can solve a problem they have right now.

2016, David Stelzl

For more insights on how to present a compelling message that moves people, Check Out My Book, The House & The Cloud…This one book is so important I’ll send it to you almost free!

Al Hartmann/The Salt Lake Tribune  |  Tribue file photoIt All Started With Novell, High Margins, and Big Opportunity

It’s Channel Sales, But What’s The Next Big Thing?

Seth Godin, our key note speaker at last weeks Ingram One event, once wrote, “People don’t have great ideas, but the problem is, they don’t have any ideas.”

I’m quoting from memory, but it’s close. We’re all too busy to take time to THINK.

Remember when everything as all about Novell? Resellers nationwide were selling Novell software, installation, and LAN setup at high margins. The business was endless…until it ended.

The reseller industry is changing. Ray Noorda is no longer with us, along with the high margin, endless demand for Novell. It’s been gone for years…It’s 2017, Are you ready?

Expect less product business, longer sales cycles, and fewer qualified appointments. This isn’t the first time you’ve heard this. Looking back over the years the channel reseller business has been good. Strong growth with a few dips that some didn’t survive. If you’re reading this now you are to be congratulated. That probably means you survived Y2K and the 2008 slump.

What About 2017? Will Your Business Survive?

Do you have ideas? Do you know what to try next?

Two insights were passed on to me this quarter that deserve to be passed on.


Greg McKeown in his book Essentialism observes that people no longer take time to think. They stare at phones and email all day doing mindless work. It’s become an addiction for most. And it leads to failure at some point. Thinking just doesn’t happen while staring into a black hole of technology.

Greg sets aside time each week just to think. No computers, no phones, no people. It’s hard at first. I’ve started doing this 2 or 3 times a week since reading the book. Sitting quietly, note book and pen in hand ready for idea.

But what then? Ideas start to come.

So I jot them down. I plan an hour – sometimes less. But it’s s fixed amount of time that has a start and end. Greg says, when you run out of ideas just doodle and think. More ideas are sure to come. Just don’t give up. And sure enough the more I do this the more the ideas come.

It’s pretty cool. In fact, I find it’s theraputic.


Then I heard Craig Ballantyne, author of The Perfect Day Formula, speak at the GKIC Marketing Info Summit in November. Craig added something new to this THINKING IDEA.

He challenged us to think through our biggest problem – just 15 minutes every day. Five day work weeks suddenly turn into just over an hour of THINK TIME focused on solving that one big problem.

That’s 5 hours per month dedicated to fixing something I really need fixed.  Another great idea.

Seth Godin was right. People don’t have great ideas simply because they’re not really thinking. So Craig and Greg (hey that rhymes sort of) have given us a place and time to start brainstorming – coming up with ideas.

Some of that time might be on the BIG problem while some of the time might be more open ended. Both are essential…

If you sell technology or MSP / IT services one of your biggest problems is commoditization. Novell as a primary money maker for the reseller is over. The channel business is changing (so let’s not ignore it). And you need something new.

If you get struck, check out the House & the Cloud and see where the fastest growing opportunity is in the technology business right now. We’ve already thought about this.

©2016 David Stelzl


Budget Cuts and Cloud Just Might be The End of Product Growth As You Know It

So What Can You Do to Prepare?

Like any habit (and box pushing seems to be a habit among many sales reps) the first step to freedom is admission.  I’m out at  INGRAM ONE in Las Vegas this week. In case you’re not here I thought I’d pass on a few secrets to get you pointed toward profit – 2017 is just around the corner.

Are you ready?

Expect more budget cuts, less momentum to upgrade, more migration toward cloud. WSJ is event talking about more IT automation to get rid of the people. Expect commoditization and most of all expect…

Your Business to DECLINE over time unless…

You have something new to keep your clients interested and buying. What?

This week I’m talking about beating budgets with security. It’s just one problem you need to solve. Getting someone to part with hard earned dollars (especially small business owners) can be brutal.  But not impossible…

I met with Truman (one of our Peak Performer Members) for dinner last night. His recent lunch & learn converted 100% to an assessment. Now he’s doing the assessments. Is it working?

It is! 100% conversion so far. (Find out how – the STEPS are in The House & The Cloud)

He’s just getting started but he is doing it right. People question his bold move to security. Regardless, his hunch is paying off. He’s already covered his cost of sales, his event costs, and more. The big question for you right now is…

What Do I Do As Product Sales Decline?

Do you become a cloud provider? Go into software development and create better customer experience for your clients. Or is security the right road? The big hurdle will be sales, not technology.

Getting your product strategy in line is important, but getting your sales team retooled is essential…and painful.

I’ve already said it, product is a habit and a bad one. How long will it take to transform? A little longer than you think.

Today might be a great day to set a meeting with yourself to work on the 2017 business plan. Consider three things.

  • Do you have the right solution strategy (one your clients will continue to need and be willing to pay for),
  • Do you have the right people to sell and deliver (sales being the big question).
  • Are your business processes (including sales and marketing) working and helping you grow?

From there you need to know your value proposition….I’ll discuss that more in my next post.

© 2017, David Stelzl