Successful Security Assessments Conclude With Live Presentations…

If your firm provides outsourced IT services, or security-related products and services, then you know that assessments are often the first step in landing new business.

However, if you take the time to measure your actual business-drag, you may find it less than stellar.

The fact is, most security assessments don’t lead to additional business…They should, but they don’t. Why? Because most security assessments leave out this one vital step…

…Live delivery to ASSET OWNERS. 

(Find out more about asset owners and executive sales calls in The House & The Cloud – 2nd Edition)

(And Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Imagine a court case, where the evidence is presented in written technical reports…

No testimonies, no witnesses called…no emotional appeal, no angry outbursts or tears…just dry, unadulterated facts on paper.

How would this approach affect the decisions made on murder, rape, and other heinous crime cases?

Conversion & The Power of LIVE

There are three major people-groups you care about when performing a risk assessment: Information Technology (IT), End-Users (or Business-Level Asset Owners), and CIO/CISOs (Or anyone in the C-Suite).

All three groups must be moved to action, but each has different needs and will respond to different messaging. The one thing they all have in common is, emotion. In the end, all sales are emotional decisions. Crafting the right message for each is essential…

However, before going into the message, it’s important that we understand delivery and the power of live…(The media).

Reports are important. They provide the details behind what you present. However, they often go unread. Think of them as supporting documentation.

Like in a legal battle, it’s the LIVE testimonies that carry the weight. And the testimony of an eye witness is the most powerful testimony a jury will hear. Take the emotionally charged live testimony away, and you’ll see a much different outcome.

Delivering your results in person, to the right people, with the right message, can take your Assessment-To-Remediation conversion from 15% to 60% or 80% overnight…let’s take a look.

What Matters Most

Businesses have a need to measure their risk. Especially right now, as companies work to streamline operations, eliminate waste, and build stronger customer bonds in a highly competitive, global market…

New technologies offer amazing opportunities, while at the same time open major holes in the firm’s security architecture.

What matters most? Intelligence…insight.

Where is the data? Who has access? What are the relevant threats to that business? What are the odds something will happen? Can they recover in time if something does happen? Or would they know in time to stop a disaster? These questions must be answered…

However, not all constituents have the same concerns or the same questions…

IT Care-Abouts

What does IT care about? I’m sure there are dozens of opinions out there. The opinion of C-Level Executives I’ve interviewed over the past year suggests that IT personnel are out of touch with business requirements and mission-critical systems. So at the least, IT’s view of risk will be misaligned with the business in question.

It’s also my opinion (after having managed IT for a global bank, and worked in IT for a global pharmaceuticals manufacturer) that IT personnel are more concerned with their actual position, career opportunity, and work-life balance than they are with the risk measurements of their employer.

So, while the details of security technology are of great interest, the actual impact of an attack has little long-term effect on the IT worker.

Even if they lose their job (which is unlikely), their personal brand and reputation only stand to blossom as they respond to an actual event.

Consider the following: If attacked, they now have actual cyber-forensics experience listed on their resume (even if they didn’t personally save the day).  The blame will go to those who didn’t approve IT’s most recent recommendations / budget requests. The CIO will be front page news, not IT…

So what does IT care about when it comes to cybersecurity…answers vary by individual (of course)…but, on average, the seller can assume…

They care about the experience… The approach to assessing risk, the vulnerabilities, the technologies, and the potential for new next-gen security products and security controls.

Security represents the IT worker’s greatest job-upgrade opportunity.

End-User Care-Abouts

Asset Owners come in two flavors…executives and knowledge workers. Let’s look at the knowledge worker first. This is the person who creates and uses data to make money for the business. They’re asset owners because they are liable for their data.

Examples might include the investment banker working with wealthy clients, R&D looking at new cures for a disease others have not been able to stop, etc. Data is an asset – one The Wall Street Journal has called the “Oil of The New Millennium”.

If this data were compromised, misused, or made unavailable for any reason, the Asset Owner would be out of business, at least for the short term. And any sort of outage would cost them personally and professionally.

CISO/CIO Care-Abouts

The third group, also an asset owner, is the C-Level (CIO/CISO). This group is much like the End-User Asset Owner…shareholder value is important here. The CISO, according to my recent CISO interviews, finally has a seat at the table. And they must earn it every day.

What’s the CISO’s job?

The CISO translates risk and compliance from technical to business. Great CISOs create awareness based on data coming from IT workers and your assessments.

The closer your report delivers relevant data in executive terms, the more likely they will be successful in their role.  In summary (from my book, The House & The Cloud Pg. 195), the CISO is looking for their top 3 to 5 threats, the impact associated with each, and the odds that any one of them will be realized.

It will be up to the CISO to report the trends and present a plan to keep the company at an acceptable level of risk. Note, the CISO won’t have this intel in their head – they’ll need subject matter experts.

But as I’ve already stated, IT is ill-equipped and unlikely to add any real value to this plan, given their disconnect with the business side (straight from the CIO’s mouth…).

Next time you assess…include the knowledge workers, interview the execs, and schedule up front, your delivery meetings with asset owners in mind.

© 2017, David Stelzl

Here’s What Business Leaders Are Saying They Want in An Assessment Report (in Two Words).

“Security Intelligence”…

Will the CISO actually read your security assessment report? What about the small business owner? Law firm partner? Doctor running a clinic (where HIPAA is required)?

The likelihood of anyone reading your report is nearly ZERO, unless you do this one thing first…

Separate the Technical from the Business Risk…

That’s right, you need two reports. One written in the language of leaders, the other technical. But don’t just create a new report just yet…here’s a simple process that creates ONE REPORT, with two parts, giving your report better flow, while at the same time appealing to both audiences.

(Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Executive Reports Should Not Have Stop Lights In Them

Let’s start with the executive summary. First, drop the word summary…and delete that one page summary page in your report. Call it the Executive RISK ANALYSIS…with an appropriate subtitle.

I’m 99% confident your current one-page summary will not speak to executives…and if it has the RED STOP LIGHT on it…well, check out what one CISO said in a recent interview…

Tom Watson, CISO for Sealed Air Corp, told me just a couple of weeks ago, “The stop light approach is meaningless”.

Having a red light on the summary page does not lead to immediate action or follow-on business for the consultant. There is no business justification in a red light. PERIOD.

The CISO’s job, according to Watson is, “To bridge the gap between technical and the board.” “My seat at the table,” says Watson, “Is where risk gets delivered in business terms to board members and my C-Level Peers.”  In other words, the stoplight diagram does not quantify risk…the board won’t be moved by blinking lights.

Red Lights On Risk Reports = Idiot Lights On Your Dash

If you have an older car, the red light comes on when something is wrong… that could mean your gas cap is off, your catalytic converter is malfunctioning (and you might not pass your next emissions test), or your entire transmission system is about to fall off while driving down I-95 at 70 mph.

In other words, anything from a simple 2-second turn of the gas cap, to the $3500 transmission replacement project will satisfy the red light. But which is it? No one seems to know. So the new cars tell you what’s wrong (in one of N languages).

Your executive risk report is the same. The light justifies nothing…instead, you need an explanation…(in one of two languages).

So what will your explanation look like? A quantification of risk…a measure of Impact vs. Likelihood…Language ONE is BUSINESS…Consider the following…

  1. What assets were identified as having an associated risk? And what are the relevant threats, posing risk, which must be addressed?  Are you aware many companies don’t even know where their data is? And so figuring out where the assets are, what threats exist, and how big those threats are can bring tremendous value to your C-Level contact before meeting the board.
  2. What are the odds data will be affected? Going back to the three pillars of security: Confidentiality, Integrity, Availability…it makes sense to find out which of the three matter for any given digital asset, and to quantify the risk (as a percent likelihood) in a graph.
  3. Finally, what is the trend? Is business risk increasing? Or is the firm’s security posture improving over time? As the company adopts next-gen technologies, leadership needs someone watching risk levels. As IoT projects, mobility, collaboration, etc. evolve, are business threats growing, remaining constant, or shrinking?

The report should be short, graphical, and written in business-eze. I highly recommend having someone with business-savvy write this report. But don’t stop there… have a copywriter review and edit it.

Copywriters will take a boring report and turn it into engaging content. They’ll trim it down, bring out the headlines, and bring it to life, keeping your overworked reader engaged.

With one solid report in hand, it won’t be difficult to duplicate. If you look at the popular business books on the NY Best Seller List, you’ll see they have a readable style unlike any college text book or legal document. It’s that level of readability you are looking for in your report.

NOTE: This means the vendor reports coming from SIEM, firewalls, etc. (while colorful and complete) will not land new business on their own…Keep reading to see where your colorful vendor report goes…

The Technical Stuff (Including the Vendor-Report) Belongs in Appendix A

While you might be tempted to combine your executive report with the details, handing in the 100 page (War and Peace) report is not going to bode well for you. No one in the C-Suite has time to read 100 pages!

Business owners are even less likely to read a report that looks like a 5 hour project.

At least a CIO or CISO is responsible for risk as a primary job function. The small business owner, while responsible for computer security, is more likely to be focused on today’s invoices, a major customer-sat issue, or this month’s cash flow crisis.  The 100 page report is likely going on a shelf…or in the round file.

If you create two reports, another problem emerges…the executive has one report, technical has another…are they different? Do they conflict?

The Solution is Easy…Appendix A!

Most of us skip the appendix when reading a book. But knowing the data is there gives us assurance that there’s research behind the author’s claims. The technical team will have access to the main report, but will likely find the details in your appendix more interesting.

Here’s What You Should Include (Notice there’s no stop light here either):

  • Network diagrams
  • Applications / Digital Assets (Prioritized)
  • MTD/RPO requirements (Data they don’t have up to this point)
  • Any important business level requirements
  • Technical details on malware, configuration problems, etc.
  • Gap analysis against whatever standards you measure against – XTZ compliance, NIST, etc. (I highly recommend you base your assessment on something such as NIST to give your findings more credibility)
  • Major issues to address (project recommendations – keep this list short)
  • The punch list of everything else that should be addressed.  Prioritize this list, and segment by functional area.

Between these two reports, you have what you need – however, the move to remediation has more to do with your presentation than it does with these two documents. Look for a future article on…

“How to Master The Board Room Presentation, When Presenting Risk Findings…”

© 2017, David Stelzl

Downtime

How Long Can You Afford To Be Down?

Find Out What It Costs…Before Talking Budget…

MTD – Maximum Tolerable Downtime, is the first thing you should be thinking about. Data theft and misuse are equally important – but downtime (ransomware or failure) is unavoidable.

Remember What Security Trends Reports Were a Few Years Ago…

Older threat reports (Symantec, Verizon, FBI/CSI, etc.) focused on likelihood of an attack. They measured the number of companies hit by malware, reporting spam, or suffering DDOS.

Read today’s reports and you’ll discover something different…

Newer reports focus on types of malware, cost of downtime, cost of data exposure, and whether or not insiders were involved.  In this ongoing discussion on security assessments, DOWNTIME and COST are the focus.

(Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

The Company’s Most Important Assets Used to Be People…Not Anymore

Talk to any DR (disaster recovery) specialist and they’ll tell you, People are (or were) a company’s most important asset.

Not any more.

Now it’s data…Not to minimize the value of a person, but even the WSJ calls DATA the Oil of the New Millennium, not people.

In security, there are three pillars to consider. Confidentiality, Integrity, and Availability. In this article, I’m talking about the third – AVAILABILITY.

80% of Cyber-Breaches Result in Downtime

Every major corporation has been breached at this point…and most smaller firms too. It’s just a matter of time. 8 out of 10 experience down time, and based on Cisco’s graph (from their 2017 Cybersecurity Trends Report), 90% of the 8 will be 8 or more hours…

How much downtime can your client stand on any given system?

Even with data moving to the cloud, downtime is a major factor.  MTD (Maximum Tolerable Downtime) speaks to the old DR metric that asks, how much downtime your firm can stand on any given application before it severely impacts the business.

The actual number has to be given to you as the assessor. You can discover it through observation…

And while it may seem arbitrary, there are numerous studies available online that tell us how likely a business is to go out of business, given an outage.

Who Knows The Answer And What Does It Mean?

The problem is, most security assessments don’t actually measure tolerable outage, or the likelihood of exceeding executive management’s tolerance.

IT is generally the focus of these assessments…

To the IT Custodian, outage means working late, not a failing business. The right approach to assessing risk involves assessing those things which create a risk of something bad happening – in this case, business failure, stock price drop, loss of shareholder value, or customer dissatisfaction (to name a few).

Remember, Customer Experience is the New Brand Metric…And downtime kills customer experience.

So who knows the MTD?

The asset owners know…the ones who use the data to drive the business. And different departments will add more or less value to the overall business success – executive management knows who they are. IT, on the other hand, does not. (Just ask any executive).

Ask the end users, and they’ll tell you they can’t stand any downtime!!!

Of course that’s not true. However, any business critical function probably requires more uptime than IT realizes, and is worth spending more to maintain than most executives would like to admit.

Uptime is always a cost-benefit analysis.  The first answer is usually, “No downtime”. Once an estimated cost of zero downtime is displayed, that downtime number suddenly goes up…

Getting Real With Risk And DownTime

What’s really happening here is, when faced with a large financial number, executive management suddenly wants to take on more risk than they can actually stand.

It’s no different than the person with no consistent income getting approved for the sub-prime mortgage, so they can finally get their house.

The house-buyer’s attention is on the house, not the payment.  With downtime, it’s the same. The buyer’s eyes are on spending where it feels good, not minimizing risk.

It’s the assessor’s job to convince asset owners that downtime is only a matter of time. Remember, most breaches (80%) will result in some downtime. Half will be in the range of one day or less…but about the same number will exceed one day by 1 to (pick a number) of days.

What’s the likelihood of downtime? Close to 80% – given the likelihood of being hit with some form of cyberattack is nearly 100% over some time period.
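Added example (not from the original article) that puts numbers to the three Executive Risk Analysis questions from the report section above (which assets, which pillar, what are the odds, and is the trend rising) and to the MTD cost question in this section. The asset names, hourly costs, MTD values and per-asset breach odds are constructed sample data; only the 80% and 90% downtime figures are the article's own.

```python
"""Risk register for an executive risk analysis: impact vs. likelihood per asset,
an MTD check, and a year-over-year trend. Constructed example; the two headline
percentages (80% of breaches cause downtime, 90% of those last 8+ hours) are
quoted from the article, every other value is made up for illustration.
"""
from dataclasses import dataclass

P_DOWNTIME_GIVEN_BREACH = 0.80       # article: 8 out of 10 breaches cause downtime
P_LONG_OUTAGE_GIVEN_DOWNTIME = 0.90  # article: 90% of those last 8 or more hours
LONG_OUTAGE_HOURS = 8.0              # the outage length the 90% figure refers to


@dataclass
class Asset:
    name: str
    pillar: str            # "C", "I" or "A": the pillar the asset owner flagged as the hot button
    cost_per_hour: float   # constructed: revenue/productivity lost per hour the asset is down
    mtd_hours: float       # constructed: Maximum Tolerable Downtime stated by the asset owner
    p_breach_12m: float    # constructed: assessed odds of a compromise in the next 12 months


def downtime_likelihood(asset: Asset) -> float:
    """Odds of a long (8h+) outage in 12 months, chaining the article's conditional figures."""
    return asset.p_breach_12m * P_DOWNTIME_GIVEN_BREACH * P_LONG_OUTAGE_GIVEN_DOWNTIME


def expected_outage_cost(asset: Asset) -> float:
    """Likelihood-weighted cost of a long outage: the single 'impact vs. likelihood' number."""
    return downtime_likelihood(asset) * LONG_OUTAGE_HOURS * asset.cost_per_hour


def exceeds_mtd(asset: Asset) -> bool:
    """True when the typical long outage would run past the owner's stated tolerance."""
    return LONG_OUTAGE_HOURS > asset.mtd_hours


def trend(previous_score: float, current_score: float) -> str:
    """Third executive question: is risk increasing, improving, or flat (within 5%)?"""
    if current_score > previous_score * 1.05:
        return "increasing"
    if current_score < previous_score * 0.95:
        return "improving"
    return "flat"


def risk_register(assets, prior_scores=None):
    """Return rows sorted by expected cost, highest first; trend only where a prior score exists."""
    rows = []
    for asset in assets:
        score = expected_outage_cost(asset)
        row = {
            "asset": asset.name,
            "pillar": asset.pillar,
            "likelihood": round(downtime_likelihood(asset), 3),
            "expected_cost": round(score, 2),
            "exceeds_mtd": exceeds_mtd(asset),
        }
        if prior_scores and asset.name in prior_scores:
            row["trend"] = trend(prior_scores[asset.name], score)
        rows.append(row)
    return sorted(rows, key=lambda r: r["expected_cost"], reverse=True)


# Constructed sample assets and last year's scores (hypothetical client).
SAMPLE_ASSETS = [
    Asset("Order entry (ERP)", "A", cost_per_hour=12_000, mtd_hours=4, p_breach_12m=0.60),
    Asset("Client portfolio DB", "C", cost_per_hour=3_000, mtd_hours=24, p_breach_12m=0.40),
    Asset("R&D file share", "I", cost_per_hour=1_500, mtd_hours=48, p_breach_12m=0.50),
]
LAST_YEAR_SCORES = {"Order entry (ERP)": 30_000.0, "Client portfolio DB": 9_000.0}

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS, LAST_YEAR_SCORES):
        print(row)
```

The ERP row shows why the "no downtime" answer changes once a number is on the table: the typical long outage is twice its MTD and carries the largest expected cost.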

Solving The Problem

The problem of downtime used to be solved with EMC SRDF (mirrored NAS over a wide area connection), or at minimum, redundant systems running a highly available configuration. These are expensive solutions when talking to mid-market and down…

Does your MSP offering include virtual data servers in a hosted (protected) environment? Are you running a virtualized HA configuration?

What about using a dropbox-like solution in addition to backups?

In a recent sales call, one of my clients had a firewall opportunity. The vendor SE accompanied them on the call. When the client was asked about the need for redundant firewalls, they replied, “Not necessary”.

The vendor SE made a note and moved on…but my client, having been through the Security Sales Mastery Program knew better.

IT can’t answer this question!!! A single FW outage would shut down just about everything – all external communications including cloud app access, email, etc. Can any company actually work without their Internet connection anymore? Probably not…

Suddenly, downtime is a serious issue, and one that demands new services…hosted systems, redundancy, HA Internet access, data in the cloud, and more…The risk assessment, when focused on MTD, is your fastest road to up-selling services to your clients.

© 2017, David Stelzl

Some of the Most Powerful Hacks Are Low Tech – But Extremely Creative

A Clever Ruse Is Priceless When It Comes to Justifying The Security Sale

Today I want to show you the one hack that always succeeds…with some practice, your assessment team will get in every time!

(And Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Continuing on in a series of articles on Assessing Risk, no assessment would be complete without testing the users. One simple test comes in the form of social engineering. The problem is, most assessments leave out end-users altogether!!!!

Get The Details On Selling With Assessments In My Book, The House & The Cloud – Here’s a special offer that’s almost FREE

In this short video, a woman (cleverly disguised as a mother w/ crying baby) takes over the guy’s phone account in just minutes. This is the kind of thing your business-leader clients have to see…it’s so simple, it’s unbelievable.

…So simple, my son did this very thing to me just a couple of weeks ago – needing to make a change to his account (under my name) while I was traveling!  (Shame on Verizon – they let him in!!!)


The End-User Is Your Client’s Biggest Hole In The

The balance between customer service, time crunch/deadlines, and keeping the security policy is not an easy one.

The baby crying in the background (an MP3 playing on this woman’s computer) creates the perfect “I’m an innocent, ignorant mother just trying to get this done for my husband…” scenario.

Who wouldn’t feel compassion for this poor woman? What would your clients do?

The Guy In The Video Is The Skeptic…This Is Your Client – The Decision Maker

As the video begins, you know it’s only 2+ minutes long. How can this be possible?

However, once she fires up the baby-crying audio, and starts with her dumb-blond act, you know she’s going to win!  It’s almost unfair!

Watch the Video – It’s Short…any ideas on how you can incorporate this?

I’m not saying you should make a call to their phone company with a crying baby in the background. But look at her face – who’s NOT going to help her?

I AM saying, you want to test the end-user’s ability to spot a ruse. That’s where the attack is going to happen…

I’ve heard it a million times – we don’t do free assessments!

This, my friends, is an assessment done in under 3 minutes! How much did it cost?

It’s a pen test…It’s not comprehensive, but it doesn’t need to be. This 2+ minute example demonstrates how just about anyone (willing to play the role) can break in, in minutes, with ZERO hacking skills.

So what is the likelihood someone will break into your client’s data?

It’s 100% every time, because, every time, there’s at least one sympathetic, authorized user, who will eventually succumb to the ruse of a creative hacker. It’s time to start thinking more strategically about assessments and closing business.

Copyright 2017, David Stelzl

Get The ONLY BOOK on Selling Security and MSP services: The House & The Cloud

What The Lazy MSP Companies Aren’t Showing Their Clients

Assessing Risk is the fastest way to land new logo business in the MSP arena. And if you want to build a long term, profitable business, your MSP is going to have to go MSSP…

(Note: I’ve purposely left out the heavy technical jargon to make this readable by sales – if you actually do the engineering work, you’re probably wanting a more technical deep dive. My goal here is to help sales reps sell the one thing that will overcome any IT budget objection.)

While 90% of the tech companies I speak to CLAIM they do security (on their website), only a handful actually do.  If you want to set yourself apart, learning to discover urgent issues (already present) on your client’s network will do it.

Over the past several months I’ve written numerous articles on how to sell, deliver, and convert assessments to long term annuity business.  This one last step in the actual assessing process is arguably the most important.

You Can’t Just Look At Perimeter Scans and Configurations


In this YouTube video (published by Alienvault – below), the speaker is explaining the dangers of connecting to Tor or using BitTorrent, as examples of traffic symptomatic of botware. Check out 0:48 in the video below for more threats he uncovers…

These are the urgent issues you need to move deals forward!!!!

Traffic patterns also reveal reconnaissance efforts underway by hackers – thieves gathering information to be used in a future attack.

You also want to know if malware is already installed or in the process of being installed through phishing attacks or web-threats of any kind…port scans in most cases will not do this.

The problem is, most assessments I review in my coaching calls show nothing regarding traffic or connection activity between workstations and the outside.  Why?

Because it’s not easy.

In other words, the MSP providing the assessment is either too lazy or too cheap to do it, or just doesn’t know what they’re doing.

If you sell (or use pro bono) assessments, with the goal of opening new doors in the accounts you serve, make sure your professional services team understands the importance of traffic analysis and has the tools to do it….
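Added example (not from the original article, and not AlienVault's code) of the workstation-to-outside traffic analysis this section says most assessments skip: it aggregates outbound connections per internal host and flags the two symptoms the video is cited for (Tor and BitTorrent-style traffic) plus high fan-out to many external peers. The flow records and the internal address ranges are constructed; the port lists are the well-known defaults and are heuristics only, since both protocols can run on other ports.

```python
"""Per-host outbound traffic review from flow records: constructed example for
spotting Tor/BitTorrent-style connections and unusual fan-out from workstations.
Port matching is a heuristic; a production SIEM would add threat-intel lists.
"""
import ipaddress
from collections import defaultdict

# Constructed: the client's internal ranges, normally taken from the network diagram in Appendix A.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
TOR_PORTS = {9001, 9030}                 # default Tor relay ORPort / DirPort
BITTORRENT_PORTS = set(range(6881, 6890))  # classic BitTorrent listening range
FANOUT_THRESHOLD = 20                    # distinct external peers from one host before it is flagged


def parse_flow(line):
    """Parse one 'timestamp src dst dport bytes' record into a dict."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return {internal_host: [finding, ...]} for hosts whose outbound traffic looks suspicious."""
    per_host = defaultdict(lambda: {"peers": set(), "tor": set(), "bt": set(), "bytes": 0})
    for line in lines:
        flow = parse_flow(line)
        if not is_internal(flow["src"]) or is_internal(flow["dst"]):
            continue  # only workstation -> outside flows are of interest here
        host = per_host[flow["src"]]
        host["peers"].add(flow["dst"])
        host["bytes"] += flow["bytes"]
        if flow["dport"] in TOR_PORTS:
            host["tor"].add(flow["dst"])
        if flow["dport"] in BITTORRENT_PORTS:
            host["bt"].add(flow["dst"])

    findings = {}
    for src, host in per_host.items():
        notes = []
        if host["tor"]:
            notes.append(f"tor-port traffic to {len(host['tor'])} peer(s)")
        if host["bt"]:
            notes.append(f"bittorrent-port traffic to {len(host['bt'])} peer(s)")
        if len(host["peers"]) >= FANOUT_THRESHOLD:
            notes.append(f"fan-out: {len(host['peers'])} distinct external peers")
        if notes:
            findings[src] = notes
    return findings


# Constructed sample flows (documentation address ranges used for external hosts).
SAMPLE_FLOWS = [
    "2017-06-22T07:55:01 10.0.0.5 198.51.100.10 443 5200",   # ordinary HTTPS
    "2017-06-22T07:55:09 10.0.0.5 198.51.100.11 443 2100",
    "2017-06-22T07:56:00 10.0.0.5 10.0.0.20 445 90000",      # internal file share, ignored
    "2017-06-22T07:57:12 10.0.0.9 192.0.2.44 9001 3300",     # Tor-style relay traffic
    "2017-06-22T07:58:40 10.0.0.9 192.0.2.45 9001 2800",
] + [
    # one workstation talking to 25 different peers on a BitTorrent port
    f"2017-06-22T08:{i:02d}:00 10.0.0.7 203.0.113.{i} 6881 1200" for i in range(1, 26)
]

if __name__ == "__main__":
    for host, notes in analyze(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(notes))
```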

Lots Of Data, No Connection, Equals Meaningless Data


Today’s technology is great at logging data…but not so great at drawing out intelligence.

That is unless you know SIEM…Security Information & Event Management.

The ability to take all of that data from AV software, UTM firewalls, IPS devices, etc. and make sense of it has been a road block for just about any company short of large enterprise…

Until now…

There are several options including some UTM firewalls, products like AlienVault and Arctic Wolf (positioned for mid market), and BlackStratus’ recent entry into mid-market and SMB…Cybershark (which can be white-labeled and offered with full SOC services – with little or no investment!)

With SIEM now available as a cloud offering, there’s really no excuse for not doing this.

Key Point in the video below (at 2:35) – None of this information is actually interesting unless you can get the analysis, and make the data actionable.

Unfortunately, most SIEM technology won’t really do this for you (even though AlienVault and others claim to). In the end, you (the Rep) must read the report and see if your client is going to be moved by it.

If not, rewrite the executive findings as a separate report – more to come on that in a future post.

This takes us back to an earlier article on QUESTIONS TO ASK…The most important part of the interview process is in gathering the mission critical data offered only by executive management.

MTD, RPO, etc…think Business Impact Analysis…all security issues are disasters and should be viewed just like Disaster Recovery…But your competition isn’t doing this.

Key Moment In The Video (3:50)


At 3:50, this video shows actual malware infections being installed – not only is this type of activity undetectable with simple observation, your Network Patrol Product is not going to see it either!

Only with something that looks at host intrusion does this become evident.  The good news – once you have an MSSP offering installed to do this type of analysis, it’s easy to justify keeping it there – this is annuity business that self-justifies.

Check Out The Entire Video Right Here

But Remember, this is not the most important tool – your QUESTIONS are.

Armed with the intelligence that comes from talking with executives and other asset owners, this information suddenly makes sense in helping a client determine their true threat levels, while providing you with the justification you need to move forward with MSSP.

Copyright 2017, David Stelzl

For more insights on how to sell assessments and larger security deals, check out one of the only books written to resellers and MSP providers on how to sell Security: The House & The Cloud…

Assessment Interviews Based on Actual Events

(The Names Have Been Changed to Protect The Innocent)

A couple of weeks ago I wrote an article on the ASSESSMENT FRAMEWORK – how to construct great questions for assessment interviews. But my readers have asked for more…

(Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Everyone Wants a List of Specific Questions, However…

You Really Don’t Want A List!!!

Even if you think you want a checklist of questions (for your prospect) on the front end of an assessment, you don’t. Why?…

  • You’ll sound scripted and canned – these meetings turn to BORING fast…
  • Your list can be handed in – the custodians can take it up the ladder for you… Then what?
  • You need face time with asset owners. Half the reason for doing the interview is to build a hunger for the findings, and establish yourself as the expert…
  • You’ll miss the most important things – the stuff that comes up in conversation.
  • The list will keep you from demonstrating creativity, enthusiasm, passion, etc.

And if none of that makes sense, just find a way to watch a high-end consultant in action…you can’t replicate consulting expertise with a list!

So, while I am not going to give you a list, I can give you some scenarios…

If you’ve not read my previous article on the Most Powerful Tools You Have To Assess (Your Questions/Interviews) this probably won’t make much sense, so go back and read it first…

Meeting with C-Level Asset Owners

The executive (Asset Owner)  interview should be first (however, that’s not always possible).  Let’s call him Al.

I scheduled my meeting with Al through an email introduction with my primary contact (the IT Director). I have to assume my contact is joining us. But my agenda is to talk only to Al.

I’ll keep this meeting so high-level, my technical contact will go to sleep halfway through. We’ve planned 20 minutes – 30 at the most. This guy does not have 60 minutes to spend with me on this. So I’d better be well prepared!

First 5 minutes – a quick overview of what we’re measuring.

We’re here to look at risk – kind of like a DR Business Impact Analysis, but more focused on data confidentiality, integrity, and availability.  Our end result will come in the form of an impact vs. likelihood graph…A quick sketch helps at this point. (Learn more about building Impact vs. Likelihood Graphs in Chapter 13 of The House & the Cloud).

“Would you like to know what the odds are that your most important applications / data will be compromised, misused, or become unavailable at some point in the next 12 months?” – This is a great opening question…

Expect Al to be drooling a little – no one has ever asked this question from the provider side. Point it out on the graph – so he can see what you mean…this is not the Red, Yellow, Green light assessment…this is RISK ANALYSIS DONE RIGHT.

GATHERING DATA

Data Value – Things You Must Protect (Ideas for questions)

  • What applications are most important to this company…(I should know some of them by now, and listing will help get us going. But I want Al’s opinion here).
  • What makes them so important – prioritize, and find out what value means.
  • For each asset (Application or database), find out whether the privacy/confidentiality, integrity, or availability is most important. Chances are it’s a combination, or all three, but try to discern the hot buttons. (This is gold! It’s what Al really cares about, and your recommendations should focus right on what Al gave you in these first few minutes).
  • What happens when each of these are hit by some unexpected disaster, like RANSOMWARE, or just downtime?
  • What about downtime? How much can each of these systems stand? What happens when this system is down? What about that system? Do you have to send people home, does your stock price go down, do you lose money? How much? What does downtime cost?
  • How much data can you afford to lose? What’s that going to cost you…etc.

Threats That Really Exist

  • Who would want this data – explore this…are you more concerned with internal misuse or outsider threats? Are there people who would want this data? Why? Or are you more likely to get hit with Ransomware for money?
  • What about internal issues – how would employees benefit from this data? Is there some way for them to leak information for profit, like insider trading? Can the data be sold easily? Or are there layoffs coming, encouraging people to gather data for their next opportunity? Or disgruntled employees who would take the company down?
  • Have you had issues in the past? What about other kinds of system disasters or failures?
  • Al, we need some information about your company – to better understand your risk equation. Are there mergers or acquisitions in the works? Layoffs? What about pending lawsuits? What do you think your competition would do to get their hands on your R&D? Is your company about to announce new projects or inventions that others would want intel on – and would break the law to get?

NOTE: in a recent CIO meeting with a major manufacturer, I asked the CIO if he thought his IT people would be able to answer any of these questions. He laughed, shaking his head, with an emphatic “No”. I could tell he wished they even cared to know, but he and I both knew the truth…they don’t know, they don’t care, and they never will…

Think of each question as a launch point for dialogue.

This is not a teaching time, it’s a listening time. Be sure to reflect back to Al along the way – make sure you understand what he has said, and that he knows you’re tracking with him.

Stick to your 30 minutes, unless he insists on pushing you over…Respect his time, knowing this guy has a million things to do, and 150 sales people calling every day.

Bottom line – leave while he still likes you.

The Likelihood You’ll Be Able to Detect and Respond Before It’s Too late

Don’t let them give you a round-about non-answer here. But the truth is, Al won’t know. The temptation will be to push this off on IT. They should know.

But the truth is, the CISO and CIO both need to know…so I’m not asking IT, I’m asking Al: “Do you know?” “Should you know?” Expect “No…” and “Yes, I do want to know.”

Moving To Power Users and Other Asset Owners

Plan on 30 minutes per person – have someone come with you to take some notes, or record this on your iPhone if possible…

In the early days I would have had an assistant writing shorthand – remember shorthand? Today, I use Dropvox…an app on my phone that downloads an MP3 to Dropbox.

Meeting with Power Users (the end-users who drive business with technology) may seem to make even less sense to the end-user you’re meeting with, and maybe even to you, the sales person.

The thing is, end-users are the weak link. But understanding them and how they work will go a long way in understanding their weak areas.

Start the same way you did with the execs…figure you will need to talk with several managers and knowledge workers (those who really use the systems and data to make this business hum).

  • What applications and data are most important to your business?
  • Who would want this data – outside the company?
  • What happens when your systems are down, or you lose a day’s worth of data?

Find out if they’ve had downtime, data loss, etc. Who gets upset, and what do these people do to keep going or to recover? You’re looking for the company view – like a gear falling out of your watch – how does it impact the entire business landscape?

Workflow / Data Lifecycle

Now for some line of business specifics…Bob the knowledge worker…

  • Bob, tell me about your job. Do you work at home, on the road, or always in this office?
  • Are you always using this laptop? Or do you use other computers from home, or perhaps a tablet or smartphone?
  • Do your family members use these same devices?  (How, when, etc.)?
  • Who else enters data, deletes data, or just accesses data on this application? Anyone outside the company?  (I’m looking at the data – asset focused!  I want to know, who accesses this, from where, and for what?)
  • Who do you interact with online? Other departments, clients, suppliers, … and how – instant message, email, webinar, etc. And how do you exchange data? (I want to know how data travels – and where it goes).
  • I also want to know who deletes data, when, and why – and what must be saved, archived, etc.
  • What happens if this data gets into the wrong hands – like the competition, or someone with ill intent, like an angry co-worker or ex-employee?

Heading Home To Meet My Consultants – The INTERVIEW w/ TECH

Most assessments start with technical people diving into systems and networks…big mistake.

Without understanding data value and data flow, it’s like checking out an electrical system without knowing the load requirements, environmental conditions, or uptime requirements.

Instead, do this…

  • Consolidate your data – data assets prioritized, workflow, relevant threats, impact issues…
  • Meet with your technical masterminds – Here’s what the company does, here’s what matters, here’s how they work…what would need to be true for this to be secure???
  • We are looking at three things: Confidentiality, Integrity, Availability. Your tech team needs to know which of these three matter most to the client…but they may also have their own opinions. For instance, the client may not have named RANSOMWARE as a major threat, but your tech team will surely bring it up!
  • Going through the systems piece by piece, your team’s job is to come up with the security controls that must be present to keep this company as secure as it needs to be – based on their data value, uptime requirements, data loss requirements, compliance, etc.

Once this is done, your team can head in, network diagrams in hand, to see how well this company measures up. Suddenly this assessment feels more like a Gap Analysis than a Vulnerability Assessment. The good news: a Gap Analysis is easy to report on … here’s what you said you need, here’s what you have, here’s the gap…
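As an added example (not code from the post or its author), here is the consolidation step turned into that gap report: each asset’s CIA hot buttons, named threats, and downtime / data-loss tolerances from the interviews map to the controls the tech team says must be present, which are then compared against what was actually found on site. The rule set, asset names, and observed controls are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    """What the asset owner told us in the interview (constructed sample values)."""
    name: str
    cia: set            # hot buttons: "confidentiality", "integrity", "availability"
    threats: set        # threats the owner (or the tech team) named
    rto_hours: int      # how long the business can stand this system being down
    rpo_hours: int      # how much data (in hours of work) can be lost

def required_controls(asset: Asset) -> set:
    """Tech team's rule set: which controls must be present for this asset (assumed rules)."""
    need = set()
    if "availability" in asset.cia:
        need.add("tested restore")
        if asset.rto_hours <= 8:
            need.add("redundant host")          # short downtime tolerance needs failover
    if "integrity" in asset.cia:
        need |= {"change control", "integrity monitoring"}
    if "confidentiality" in asset.cia:
        need |= {"least-privilege access", "encryption at rest"}
    if asset.rpo_hours <= 4:
        need.add("hourly backup")               # tight data-loss tolerance
    if "ransomware" in asset.threats:
        need |= {"offline backup copy", "endpoint detection"}
    if "insider" in asset.threats:
        need |= {"access logging", "DLP on egress"}
    return need

def gap_report(assets, observed) -> dict:
    """Here's what you said you need, here's what you have, here's the gap."""
    report = {}
    for asset in assets:
        need = required_controls(asset)
        have = observed.get(asset.name, set())
        report[asset.name] = {"need": need, "have": have & need, "gap": need - have}
    return report

# Constructed interview results and on-site findings (not real client data).
ASSETS = [
    Asset("order-entry db", {"availability", "integrity"}, {"ransomware"}, 4, 1),
    Asset("R&D file share", {"confidentiality"}, {"insider", "competitor"}, 48, 24),
]
OBSERVED = {
    "order-entry db": {"tested restore", "hourly backup", "endpoint detection", "redundant host"},
    "R&D file share": {"encryption at rest"},
}

if __name__ == "__main__":
    for name, row in gap_report(ASSETS, OBSERVED).items():
        print(f"{name}: need {len(row['need'])}, have {len(row['have'])}, gap {sorted(row['gap'])}")
```

The `gap` list for each asset is what the remediation recommendations are drafted from, in the order of the asset priorities the owners gave you.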

Time to put together findings, present to asset owners, and be prepared to draft your remediation recommendations…A deal much more likely to close.

© David Stelzl

PS. For more on how to conduct these interviews, see Pg. 194 – 200 in The House & Cloud


How Relevant Will Your Skills Be Over the Next Five Years?

Are You Prepared to Take On The Digital World, and Still Make a Profit?

Yesterday I had the opportunity to speak to Executives at a Packaging/Manufacturing Company headquartered in Charlotte NC. The topic: IT Transformation.

You’re probably on the technology provider side if you’re reading my blog regularly, but don’t stop reading just because I’m talking about…Internal IT.

These execs invited me because they want their internal people to act more like outside consultants than IT custodians.

The same must be true of your team. In the past, it was okay to be technically amazing, while lacking the consultative skills of the old BIG-6/8 firms. Not so any more. Everyone must make the move, From Vendor to Advisor – whether an IT admin or a third-party provider.

So, in today’s post my goal is to unfold the map and show you how to get from here to there (here being the legacy VAR model, there – the HIGH PRICED CONSULTANT).

The Catalyst to Change

The Back Story….

My business is designed to help people make the move…but looking back, there was a time where I had to make the move.

I knew, graduating from Drexel University, with my Computer Science Degree in hand, that I wanted something a little different. My classmates were going off to large IT departments to code (in COBOL). That was not me.

I had spent the last 3 years of school working CO-OP jobs with McNeil Consumer Products (Makers of Tylenol)…crawling under desks with COAX cables and early networks, and lugging heavy refrigerator-sized PCs through the halls to various departments.

After graduation I was working for Bank of America (Then NCNB), exploring Token Ring and Novell networks…the bank’s very first local area networks (while at the same time trying to start up a technology VAR called PC Professionals with my brother-in-law).

It was Fred Deluca, President of Telesis, a third-party cable provider, that really stirred up my entrepreneurial juices. He was intent on getting me to leave the bank and join him in a new venture.

But it was hard to leave…the private jets, the spacious offices, the allure of working uptown in the largest building Charlotte had to offer – After all, I worked for THE BANK!

I was restless but afraid to leave…entrepreneurship was in my blood.

The schools systems try to beat it out of you, but mine wouldn’t die. I was born to do something a little more adventuresome.

Then one day the applecart was upset. My boss was leaving the company to go sell for Wellfleet Networks. He said he’d be happy to recommend me for his position – but the writing was on the wall, there were  greener pastures out there in the wild…

That was Chuck Robbins – yes, Cisco Systems’ CEO…

Within 2 weeks I followed Chuck out the door. As a Wellfleet Reseller, I partnered with Chuck to open up new opportunities in the Charlotte area…Our first big win was Rexham Packaging – a global deal that put both of us on the map.

Looking back, Fred and Chuck, along with several other mentors, led the way, encouraging me to get out there and do something new…taking a risk.

Eventually I joined a small band of technologists to help start and grow a southeast integrator – Piedmont Technology Group…which would later be split into three companies – nGuard, Stalwart, and the remaining third, sold to Forsyth in Chicago.

5 Aspects of Technologist to Consultant Transformation

Not everyone is cut out to work as a consultant.

Transforming technologists (who like the stability of big company trimmings, or the regular paycheck that comes with salaries) may not make it.

There are 5 tests to help identify the consultant…In my presentation yesterday, this was my focus. We dove into each one in some detail to help separate those who will continue working to keep the lights on from those who will go on to discover new land!

  • Can they only talk tech, or do they think in terms of business things (ROI, Competitive Advantage, Operational Efficiency, Risk Mitigation)?
  • Are they tactical or entrepreneurial? The entrepreneurial thinker is a student…they never pretend to know everything…they create 100 times, fail 99, and discover the one that works…They take risks (but calculated risks, not recklessness). They are trusted advisors – they are trusted, they are able to advise.
  • More Interested in infrastructure or Asset Owners?  Computers are tools to the consultant. They make the job easier, faster, better…or something. Computers fascinate the technician; they enable the consultant.
  • Certs or Skills? The technician is building a resume of certifications, but he often lacks the skills necessary to bridge the gap between business and automation…he speaks in TLAs and is proud to say he knows how to dissect the Windows Registry.
  • Which does he see as more important, his knowledge or his character? Dale Carnegie told us years ago, 90% of success is character, the remaining 10% is skill or know-how.

The Final Third…

In the last section of my talk, I addressed the conversion process…

Once you’ve identified those who can make the transition, a discipleship process is needed to take them over…

Look at any high-priced consulting model (such as KPMG or PWC). There’s always a mentor program. They don’t hire their people with skills, and then just let them go…the mentorship program is a program of indoctrination and evaluation.

They learn the language, memorize and practice the methodologies, and carry the brand badge forward…

Those who won’t make PARTNER are identified along the way, and set out on new career paths, usually with one of the firm’s larger clients.

From time to time these alumni are included to keep the family intact, and the brand growing inside these client organizations.

It’s a well thought-out strategy to recruit, indoctrinate, purify, and expand…

How will your organization fare through this age of transformation and digitalization? Get on track with making the move from vendor to advisor, and remain relevant through the coming years…your business depends on it.

© David Stelzl

PS. Your next step: Read From Vendor to Adviser, and get the details on pricing models, proposals that close, discovery and analysis tools, and so much more…it’s the transformation every third-party provider must make.