Assessment Interviews Based on Actual Events

(The Names Have Been Changed to Protect The Innocent)

A couple of weeks ago I wrote an article on the ASSESSMENT FRAMEWORK – how to construct great questions for assessment interviews. But my readers have asked for more…

Everyone Wants a List of Specific Questions, However…

You Really Don’t Want A List!!!

Even if you think you want a checklist of questions (for your prospect) on the front end of an assessment, you don’t. Why?…

  • You’ll sound scripted and canned – these meetings turn to BORING fast…
  • Your list can be handed in – the custodians can take it up the ladder for you… Then what?
  • You need face time with asset owners. Half the reason for doing the interview is to build a hunger for the findings, and establish yourself as the expert…
  • You’ll miss the most important things – the stuff that comes up in conversation.
  • The list will keep you from demonstrating creativity, enthusiasm, passion, etc.

And if none of that makes sense, just find a way to watch a high-end consultant in action…you can’t replicate consulting expertise with a list!

So, while I am not going to give you a list, I can give you some scenarios…

If you’ve not read my previous article on the Most Powerful Tools You Have To Assess (Your Questions/Interviews) this probably won’t make much sense, so go back and read it first…

Meeting with C-Level Asset Owners

The executive (Asset Owner) interview should be first (however, that’s not always possible). Let’s call him Al.

I scheduled my meeting with Al through an email introduction with my primary contact (the IT Director). I have to assume my contact is joining us. But my agenda is to talk only to Al.

I’ll keep this meeting so high-level that my technical contact will go to sleep halfway through. We’ve planned 20 minutes – 30 at the most. This guy does not have 60 minutes to spend with me on this. So I’d better be well prepared!

First 5 minutes – a quick overview of what we’re measuring.

We’re here to look at risk – kind of like a DR Business Impact Analysis, but more focused on data confidentiality, integrity, and availability. Our end result will come in the form of an impact vs. likelihood graph…A quick sketch helps at this point. (Learn more about building Impact vs. Likelihood Graphs in Chapter 13 of The House & the Cloud).

“Would you like to know what the odds are that your most important applications / data will be compromised, misused, or become unavailable at some point in the next 12 months?” – This is a great opening question…

Expect Al to be drooling a little – no one has ever asked this question from the provider side. Point it out on the graph – so he can see what you mean…this is not the Red, Yellow, Green light assessment…this is RISK ANALYSIS DONE RIGHT.

GATHERING DATA

Data Value – Things You Must Protect (Ideas for questions)

  • What applications are most important to this company…(I should know some of them by now, and listing them will help get us going. But I want Al’s opinion here).
  • What makes them so important – prioritize, and find out what value means.
  • For each asset (Application or database), find out whether the privacy/confidentiality, integrity, or availability is most important. Chances are it’s a combination, or all three, but try to discern the hot buttons. (This is gold! It’s what Al really cares about, and your recommendations should focus right on what Al gave you in these first few minutes).
  • What happens when each of these is hit by some unexpected disaster, like RANSOMWARE, or just downtime?
  • What about downtime? How much can each of these systems stand? What happens when this system is down? What about that system? Do you have to send people home, does your stock price go down, do you lose money? How much? What does downtime cost?
  • How much data can you afford to lose? What’s that going to cost you…etc.

Threats That Really Exist

  • Who would want this data – explore this…are you more concerned with internal misuse or outsider threats? Are there people who would want this data? Why? Or are you more likely to get hit with Ransomware for money?
  • What about internal issues – how would employees benefit from this data? Is there some way for them to leak information for profit, like insider trading? Can the data be sold easily? Or are there layoffs coming, encouraging people to gather data for their next opportunity? Or disgruntled employees who would take the company down?
  • Have you had issues in the past? What about other kinds of system disasters or failures?
  • Al, we need some information about your company – to better understand your risk equation. Are there mergers or acquisitions in the works? Layoffs? What about pending lawsuits? What do you think your competition would do to get their hands on your R&D? Is your company about to announce new projects or inventions that others would want intel on – and would break the law to get?

NOTE: in a recent CIO meeting with a major manufacturer, I asked the CIO if he thought his IT people would be able to answer any of these questions. He laughed, shaking his head, with an emphatic “No”. I could tell he wished they even cared to know, but he and I both knew the truth…they don’t know, they don’t care, and they never will…

Think of each question as a launch point for dialogue.

This is not a teaching time, it’s a listening time. Be sure to reflect back to Al along the way – make sure you understand what he has said, and that he knows you’re tracking with him.

Stick to your 30 minutes, unless he insists on pushing you over…Respect his time, knowing this guy has a million things to do, and 150 sales people calling every day.

Bottom line – leave while he still likes you.

The Likelihood You’ll Be Able to Detect and Respond Before It’s Too Late

Don’t let them give you a round-about non-answer here. But the truth is, Al won’t know. The temptation will be to push this off on IT. They should know.

But the truth is, the CISO and CIO both need to know…so I’m not asking IT, I’m asking Al: “Do you know?” “Should you know?” Expect “No…” and “Yes, I do want to know.”

Moving To Power Users and Other Asset Owners

Plan on 30 minutes per person – have someone come with you to take some notes, or record this on your iPhone if possible…

In the early days I would have had an assistant writing shorthand – remember shorthand? Today, I use Dropvox…an app on my phone that downloads an MP3 to Dropbox.

Meeting with Power Users (The end-users who drive business with technology) makes even less sense to the end-user you’re meeting with, and maybe even to you the sales person.

The thing is, end-users are the weak link. But understanding them and how they work will go a long way in understanding their weak areas.

Start the same way you did with the execs…figure you will need to talk with several managers and knowledge workers (those who really use the systems and data to make this business hum).

  • What applications and data are most important to your business?
  • Who would want this data – outside the company?
  • What happens when your systems are down, or you lose a day’s worth of data?

Find out if they’ve had downtime, data loss, etc. Who gets upset, and what do these people do to keep going or to recover? You’re looking for the company view – like a gear falling out of your watch – how does it impact the entire business landscape?

Workflow / Data Lifecycle

Now for some line of business specifics…Bob the knowledge worker…

  • Bob, tell me about your job. Do you work at home, on the road, or always in this office?
  • Are you always using this laptop? Or do you use other computers from home, or perhaps a tablet or smartphone?
  • Do your family members use these same devices? (How, when, etc.)?
  • Who else enters data, deletes data, or just accesses data on this application? Anyone outside the company?  (I’m looking at the data – asset focused!  I want to know, who accesses this, from where, and for what?)
  • Who do you interact with online? Other departments, clients, suppliers, … and how – instant message, email, webinar, etc. And how do you exchange data? (I want to know how data travels – and where it goes).
  • I also want to know who deletes data, when, and why – and what must be saved, archived, etc.
  • What happens if this data gets into the wrong hands – like competition, or someone with ill intent, like an angry co-worker or ex-employee?

Heading Home To Meet My Consultants – The INTERVIEW w/ TECH

Most assessments start with technical people diving into systems and networks…big mistake.

Without understanding data value and data flow, it’s like checking out an electrical system without knowing the load requirements, environmental conditions, or uptime requirements.

Instead, do this…

  • Consolidate your data – data assets prioritized, workflow, relevant threats, impact issues…
  • Meet with your technical masterminds – Here’s what the company does, here’s what matters, here’s how they work…what would need to be true for this to be secure???
  • We are looking at three things: Confidentiality, Integrity, Availability. Your tech team needs to know which of these three matter most to the client…but they may also have their own opinions. For instance, the client may not have named RANSOMWARE as a major threat, but your tech team will surely bring it up!
  • Going through the systems piece by piece, your team’s job is to come up with the security controls that must be present to keep this company as secure as it needs to be – based on their data value, uptime requirements, data loss requirements, compliance, etc.

Once this is done, your team can head in, network diagrams in hand, to see how well this company measures up. Suddenly this assessment feels more like a Gap Analysis than Vulnerability Assessment. The good news: Gap Analysis is easy to report on … here’s what you said you need, here’s what you have, here’s the gap…

Time to put together findings, present to asset owners, and be prepared to draft your remediation recommendations…A deal much more likely to close.

© David Stelzl

PS. For more on how to conduct these interviews, see Pg. 194 – 200 in The House & Cloud


How Relevant Will Your Skills Be Over the Next Five Years?

Are You Prepared to Take On The Digital World, and Still Make a Profit?

Yesterday I had the opportunity to speak to Executives at a Packaging/Manufacturing Company headquartered in Charlotte NC. The topic, IT Transformation.

You’re probably on the technology provider side if you’re reading my blog regularly, but don’t stop reading just because I’m talking about…Internal IT.

These execs invited me because they want their internal people to act more like outside consultants than IT custodians.

The same must be true of your team. In the past, it was okay to be technically amazing, while lacking the consultative skills of the old BIG-6/8 firms. Not so any more. Everyone must make the move, From Vendor to Advisor – whether an IT admin or a third-party provider.

So, in today’s post my goal is to unfold the map and show you how to get from here to there (here being the legacy VAR model, there – the HIGH PRICED CONSULTANT).

The Catalyst to Change

The Back Story….

My business is designed to help people make the move…but looking back, there was a time where I had to make the move.

I knew, graduating from Drexel University, with my Computer Science Degree in hand, that I wanted something a little different. My classmates were going off to large IT departments to code (in COBOL). That was not me.

I had spent the last 3 years of school working CO-OP jobs with McNeil Consumer Products (Makers of Tylenol)…crawling under desks with COAX cables and early networks, and lugging heavy refrigerator-sized PCs through the halls to various departments.

After graduation I was working for Bank of America (Then NCNB), exploring Token Ring and Novell networks…the bank’s very first local area networks (while at the same time trying to start up a technology VAR called PC Professionals with my brother-in-law).

It was Fred Deluca, President of Telesis, a third-party cable provider, that really stirred up my entrepreneurial juices. He was intent on getting me to leave the bank and join him in a new venture.

But it was hard to leave…the private jets, the spacious offices, the allure of working uptown in the largest building Charlotte had to offer – After all, I worked for THE BANK!

I was restless but afraid to leave…entrepreneurship was in my blood.

The school systems try to beat it out of you, but mine wouldn’t die. I was born to do something a little more adventuresome.

Then one day the applecart was upset. My boss was leaving the company to go sell for Wellfleet Networks. He said he’d be happy to recommend me for his position – but the writing was on the wall, there were greener pastures out there in the wild…

That was Chuck Robbins – yes, Cisco Systems’ CEO…

Within 2 weeks I followed Chuck out the door. As a Wellfleet Reseller, I partnered with Chuck to open up new opportunities in the Charlotte area…Our first big win was Rexham Packaging – a global deal that put both of us on the map.

Looking back, Fred and Chuck, along with several other mentors, led the way, encouraging me to get out there and do something new…taking a risk.

Eventually I joined a small band of technologists to help start and grow a southeast integrator – Piedmont Technology Group…which would later be split into three companies – nGuard, Stalwart, and the remaining third, sold to Forsyth in Chicago.

5 Aspects of Technologist to Consultant Transformation

Not everyone is cut out to work as a consultant.

Transforming technologists (who like the stability of big company trimmings, or the regular paycheck that comes with salaries) may not make it.

There are 5 tests to help identify the consultant…In my presentation yesterday, this was my focus. We dove into each one in some detail to help separate those who will continue working to keep the lights on from those who will go on to discover new land!

  • Can they only talk tech, or do they think in business terms (ROI, Competitive Advantage, Operational Efficiency, Risk Mitigation)?
  • Are they tactical or entrepreneurial? The entrepreneurial thinker is a student…they never pretend to know everything…they create 100 times, fail 99, and discover the one that works…They take risks (but calculated risks, not recklessness). They are trusted advisors – they are trusted, they are able to advise.
  • More interested in infrastructure or Asset Owners? Computers are tools to the consultant. They make the job easier, faster, better…or something. Computers fascinate the technician; they enable the consultant.
  • Certs or Skills? The technician is building a resume of certifications, but he often lacks the skills necessary to bridge the gap between business and automation…he speaks in TLAs and is proud to say he knows how to dissect the Windows Registry.
  • Which does he see as more important, his knowledge or his character? Dale Carnegie told us years ago, 90% of success is character, the remaining 10% is skill or know-how.

The Final Third…

In the last section of my talk, I addressed the conversion process…

Once you’ve identified those who can make the transition, a discipleship process is needed to take them over…

Look at any high-priced consulting model (such as KPMG or PWC). There’s always a mentor program. They don’t hire their people with skills, and then just let them go…the mentorship program is a program of indoctrination and evaluation.

They learn the language, memorize and practice the methodologies, and carry the brand badge forward…

Those who won’t make PARTNER are identified along the way, and set out on new career paths, usually with one of the firm’s larger clients.

From time to time these alumni are included to keep the family intact, and the brand growing inside these client organizations.

It’s a well thought-out strategy to recruit, indoctrinate, purify, and expand…

How will your organization fare through this age of transformation and digitalization? Get on track with making the move from vendor to advisor, and remain relevant through the coming years…your business depends on it.

© David Stelzl

PS. Your next step: Read From Vendor to Adviser, and get the details on pricing models, proposals that close, discovery and analysis tools, and so much more…it’s the transformation every third-party provider must make.

How Would Your Assessment-to-Business Conversion Rate Grow If You Had Access to This One Extremely Powerful Assessment Tool?

90% of the Assessments I Review Leave Out Asset-Owner Interviews – Leaving You (The Seller) With a Weak Deliverable and Little Justification to Remediate

In this article I’ll point you to the people you should be talking to. In addition, I’m going to give you the exact questions and sequence to use if you plan on up-selling them on remediation steps and ongoing annuity services.

The Number One question I get when the topic of assessments comes up is, “What tools do you recommend?” It’s a great question…however, I know what’s really being asked, and it’s the wrong question.

The Wrong Question to Be Asking On the Front End

“What scanner or analysis tool do you recommend?” That’s the question behind the “Tool” question. But it’s the wrong question.

The tool question stems from a misconception that assessments are technical initiatives that should be led and delivered by technical people.

In most cases, the assessment is sold (or offered pro bono) by the seller, and then tossed over the fence to a technical team. The team may be well skilled in security concepts, network architecture, and more. But in most cases they lack business savvy.

Yet, the assessment, according to its first name – Risk, is by definition a measure of business risk. And it’s the asset owners (those who have true business liability) that need that measurement.

Note: Get the details on Asset Owners, gaining access and delivering value, in my book, The House & the Cloud – Almost FREE using this link.

The Question Framework

So what’s the right question? Well, it’s really an approach more than a question. The goal of the assessment (addressed in more detail here) is to move troubled customers to a remediation plan.  It’s like a cancer patient recently diagnosed. The Oncologist who fails to move most of his patients to treatment should be seen as a failure.

Is he just not communicating? Do they just not understand they are dying? Something’s wrong if the prognosis would be positive with treatment, yet the doctor is not able to move his patients to action.

THE FRAMEWORK:

In my book, The House & the Cloud (Chapter 13), I provide three key questions as a guideline.

  1. What are you trying to protect?
  2. What are your relevant threats?
  3. How likely are you to be able to detect and respond to an incident or pending disaster before damage is done or data lost?

These three questions provide the basis for a longer, freeform discussion with Asset Owners.

Remember, Asset Owners are those with business liability. That means these special people are responsible for business functions critical to the profitability of the business, and live primarily on the profit-center side. Think, C-Level, VPs, Directors, and key people in key divisions of the company.

…Doctors, lawyers, CPAs, Sales Managers, R&D Management, Investment Bankers, Stock Brokers…people who make (or significantly contribute to) profits. When an asset owner’s data is compromised, deleted, or corrupted, that person is in trouble.

Customers will file lawsuits, stock prices go down, brand and reputation are tarnished, and heads roll. You won’t see the director of IT, or their one-person IT support guy in the paper tomorrow – but chances are, an Asset Owner will be front page. A few weeks later, you’ll read they have moved on to something new, by mutual agreement…code for, FIRED!

Questions Designed to Get Answers That Matter

Using the Framework, you can then divide your interviews among three groups. (I provide more detail in The House & The Cloud, Pg. 195ff).

THREE GROUPS TO CONSIDER:

  1. Executives
  2. Power-Users
  3. IT

The assessment process starts with executives (whenever possible). My friends on the Disaster Recovery side of the business pointed me in this direction years ago…business risk starts with understanding business leaders’ care-abouts.

EXECUTIVES:

Start your analysis with questions (using the 3-part framework above) to determine what matters and how much…Your first question is, “What are you trying to protect?” It might look something like this:

  • What applications / data are most important to this business – profit, stability, growth, customer satisfaction, etc.?
  • After identifying them: How long can this system be down? (hit the important ones)…drill down…the first answer is usually wrong – No Downtime! You and I know, zero downtime is nearly impossible and exponentially expensive! Find out where the balance of cost and availability sits. – Think, Maximum Tolerable Downtime.
  • How about data loss? “Can you afford to lose any data – if so, how much?” This is a Restore Point Objective question, but stick with business language. Explain how data is lost (Ransomware, disk crash, corruption, etc.)
  • What are you most concerned about protecting against? There are three pillars of security to consider. Confidentiality, Integrity, and Availability. It might be one of these, or all three might be important. Make sure you know how the executive sees it.

Next, move to question 2: “What are your most relevant threats?” Again, you’re talking to an executive, so keep it at a business leader level. One bad question (technical in nature) could land you a demotion back to IT!

  • Who is allowed to see this data? Who can’t see it?
  • Who would want this data?
  • What happens if this data gets out (in the hands of other governments, competitors, the public, etc.?) – Speaking of impact here.
  • What concerns you most? Examples might be, data theft, downtime (from what?), loss of access (for instance, ransomware), etc. What about soft costs such as loss of customer trust?

Finally, a simple question, “How would you know if your data were under attack, or on the verge of any disaster we’ve mentioned above? Would you know in time to stop it from happening?”

Expect executives to say, “I hope so, but don’t really know.”

POWER-USERS/KNOWLEDGE WORKERS

A similar line of questioning would be used with this group, with the addition of questions that reveal the lifecycle of their data.

More than one interview is desirable here.  You’ll want to talk to key department managers as well as those who create and use data to conduct business.

In a small business, this may involve 2 or 3. In a larger firm, make sure you build in adequate funding to visit 5 to 10, or more, depending on the size and complexity of the organization.

Discover their data flow.

Workflow means understanding who is creating data, who is using data, and how it travels, is stored, archived, and finally deleted. You’ll want to know who interacts with data inside and outside (customers / suppliers), and what kinds of access different groups should have.

Discover business climate.

In addition to workflow, you’ll want to know about any upcoming M&A activities, pending layoffs, volatile terminations, R&D announcements, etc. These all affect a company’s security posture.

WITHOUT this level of insight into the organization, moving forward to evaluate risk is nearly IMPOSSIBLE. True risk has everything to do with how workers create and treat data.

At this point I would recommend using a quiz – formal questions with scoring, to see how well-informed these users are when it comes to securing their most precious assets.

Completing the Process

The rest of this assessment deserves its own article…In short, your next step is to evaluate the data coming from your interviews, with security practices in mind.

Hold an internal meeting to ask your team – “What would need to be true in this company to keep their data secure at the levels identified by asset owners?”

With a list like this in hand, it is then easy to go into the IT areas and investigate. You now know exactly what you are looking for…

You can find out more on the consultative discovery process in my book, From Vendor to Adviser….

© David Stelzl, 2017


How Long Will Your Business Remain Relevant…

…As Companies Around You Are Transitioning to Cloud, Consolidating IT, and Buying Less Hardware???

This morning, in my TechSelect Business Pillars Session, I delivered urgent steps of action EVERY technology reseller should be jumping on…here’s a summary:

Over the past 12 months, live-event, one-to-many selling has produced more leads and deals than just about anything.

The value of one MSP client in the SMB market averages at about $1500/month, or $18,000 per year – with a 5 year average retention rate, that’s just short of $100,000 per client!

Add advanced security to that deal and you’re likely to push your average up 20%…(Mid market deals, although harder to close, offer even greater potential if you understand the sales process I describe here).

What would your business look like if you could hit the numbers I reference in this video? What would it be worth to you to achieve this level of sales?

Find out in this 25 minute video how to re-engineer your business, with a new breed of security, now becoming a necessity in the SMB and mid-market space.

© 2017, David Stelzl

P.S. Get the step by step process in written form – The House & The Cloud

If You Want The Right People Reading Your Report, You Have to Start With The Right People In Assessing The Risk

Too Many Security Assessments Start and End With Technology – Big Mistake!!!

Data Security is a BUSINESS RISK issue, not a technical exercise…

Technology Infrastructure supports the business, just like administrative assistants, the fleet department, or shipping – A mishmash of infrastructure, people, and process working in harmony to run a business.

The more we move toward digitalization, the more we’ll see robots and automation replacing people, and changing the way business operates…

With process change comes risk change. Don’t be fooled – The Network is not the endgame. The business is…

In this article I’ll show you exactly who to include, why, and how – when thinking about risk assessments and data security.

(For More In-depth, Step By Step Selling Ideas… See Page 194 of The House & The Cloud – Get The Book for Just $1 Right Here!)

Over the past several months I’ve written a series of articles on how to approach data security risk assessments.

However, rather than addressing the bits and bytes, I’ve intentionally focused on the selling, business interaction, and conversion strategies designed to drive new business opportunity.

The approach you take, and the people you include, have a lot to do with your conversion rates and business success.

Stop: The Traditional Approach To Selling Doesn’t Work!!! (When Talking SECURITY).

Remember, the purpose of assessing risk is to move the company forward on remediation efforts.

If you’ve been in security any length of time, you know it’s rare to come away from an assessment with NO URGENT ISSUES. Threats and security vulnerabilities are everywhere!!!

Whether it’s a gap analysis, pen test, or overall risk assessment, you’re going to find stuff – and it must be addressed. However, using the traditional vulnerability-assessment approach rarely leads to any significant change or remediation. If the stakeholders don’t have justification (in their own language) they won’t write the check needed to remediate.

By traditional approach, I mean, heading in with scanners, looking at internal and external vulnerabilities, diving into O/S configurations and network segmentation, all without ever engaging the company’s leadership or end-users.

The First and Only Place to Discover a Company’s Most Valuable Assets

Years ago I was struggling with just how to get executive attention with security assessments.

We were working in mid-market and enterprise accounts, assessing risk. The projects were highly profitable. However, the long term business opportunities just weren’t coming through (See my recent article on the Long Tail of Assessments).

In DESPERATION I consulted with a friend in the Disaster Recovery Space (DR).

DR experts always start at the top. Why? Because DR is much more than data. It’s a business issue.

When a DR plan is constructed, it includes things like business failover. Will the company have a hot site, warm site, or cold site? The plan addresses the entire effort of moving critical business functions over to a new location in the event of any major disruption.

In order to create a successful failover, business people have to be involved. Every step must be planned and tested.

The DR consultant needs to know what processes exist, what roles people play, what the business can’t live without, and how much time they have to be up and running following the BOOM (Any major disaster).

DR planning starts with the identification of critical infrastructure, applications, data, and people. It’s all just part of the bigger picture. But DR is SECURITY! That’s right…in the ISC2 common body of knowledge, the CISSP (of which I am one) studies DR as one of the primary pillars of security.

In other words, security assessments are a form of BUSINESS IMPACT ANALYSIS. They consider risk (IMPACT vs. LIKELIHOOD) – the likelihood of experiencing the impact of an event.

Measuring risk, like we’re talking about here, demands an understanding of assets and critical infrastructure, which can only be had through interaction with the stakeholders…

And no, this can’t happen by submitting a list of 10 or 20 questions to the IT director to be passed up the ladder…the DR expert would never proceed without direct contact. It’s UNTHINKABLE.

Only These People Can Tell You How Data Gets Created and Where It Sits

Talk to the End-Users – the one thing everyone seems to avoid doing during an assessment.

The executives should be able to tell you (the assessor) what is important. However, don’t expect them to know exactly how data gets created, used, or who needs access…

Maybe in a very small business…but go upstream and talking to end-users becomes necessary.

Only the end-user can tell you how data is getting entered or created. The problem is, these hands-on knowledge workers are almost never included in risk assessment interviews. Go over to the DR side and you’ll find these data-creators and users intimately involved in what goes on with the company’s daily operations.

Finally, It’s Time To Invite Technical People To The Party

It’s time to predict major holes…that’s right, PREDICT…(Do this before diving into the servers and network)

Enter the SECURITY technical subject matter expert (SME). In most risk assessments, the SME is first in line…but shouldn’t be. The assumption is, the network and servers need inspection, so let the tech guy do it.

Technical people are essential to a proper understanding of the company’s security architecture – and analysis of any scans or traffic…

However, risk has a lot to do with business process, types of data, market conditions, and business activities specific to your client. For instance, if there’s a merger in the works, a strategic announcement or product launch, or perhaps a layoff coming, the company’s risk will be affected.

You’ve taken time to review your client’s business (Through executives and end-users) – so now it’s time to merge your findings with technology…

Your technical team should now be reviewing everything you have discovered… with the goal of understanding how your client’s data should be protected… It’s an INTERNAL brainstorming exercise.

You and your team are asking the question: What would need to be true to keep this company safe?

DO THIS: Make a list of 20 things that a company like this (size, category, market, vertical focus, etc.) must have in place given the current relevant threats (for instance – Ransomware).

NOTE: More details on threats and security mistakes in my book, Digital Money (on Amazon).

It is from this list your technical team will begin their analysis.

You May Now Look At The Network

List in hand – it’s time for the deep dive. Notice, now you can ask the IT people specific questions about encryption, failover, access control, etc. with business relevance.  Look at your competitors’ assessment deliverables and you’ll see almost no one does this sort of thing.

Your client’s workflow directs you through their systems and architecture…so rather than looking at this from an inside/outside perspective (which does still need to be considered) you are approaching from an asset perspective.

ASSET FOCUSED – I call this…

Where is the data? Who accesses it? Where does it travel and how? How is the precious cargo stored, archived, or deleted? And what must be true to keep the company’s secrets secure (considering CONFIDENTIALITY, INTEGRITY, and AVAILABILITY)?

In addition, you will want to scan for vulnerabilities…but MORE IMPORTANT is collecting traffic. Another step often missed on the assessments I see…If there’s malware or foul play, it’s going to show up in the traffic! (Even when the payload is encrypted, the pattern of connections, who talks to whom, how often, and how regularly, gives it away.)
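One concrete way to make captured traffic talk, as an added example (this is not code from the article, and the flow records, field layout and thresholds are all constructed for illustration): compromised hosts tend to “beacon,” calling home on a fixed timer with near-identical payload sizes, so the inter-arrival times between a workstation and one destination show almost no jitter. Ordinary browsing does not behave that way. The script below groups constructed flow records by source, destination and port and flags pairs whose timing and size are suspiciously regular.

```python
"""Flag periodic outbound connections ("beaconing") in captured traffic.

Added example, not from the original article. The flow records below are
constructed; the record layout (timestamp_seconds src dst port bytes) and
the thresholds are assumptions, not a real tool's format.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one workstation talking to an unknown host every
# ~60 s with near-constant payload size, plus ordinary web traffic to a
# CDN at irregular intervals and wildly varying sizes.
FLOWS = """\
0    10.1.4.23 203.0.113.8  443  612
61   10.1.4.23 203.0.113.8  443  598
119  10.1.4.23 203.0.113.8  443  604
181  10.1.4.23 203.0.113.8  443  610
240  10.1.4.23 203.0.113.8  443  599
5    10.1.4.23 198.51.100.7 443  9021
37   10.1.4.23 198.51.100.7 443  41250
212  10.1.4.23 198.51.100.7 443  1220
215  10.1.4.23 198.51.100.7 443  77310
"""


def parse_flows(text):
    """Turn the whitespace-separated records into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((int(ts), src, dst, int(port), int(nbytes)))
    return flows


def beacon_candidates(flows, min_connections=4, max_gap_cv=0.1, max_size_cv=0.1):
    """Return (src, dst, port) pairs whose connection timing is regular.

    cv = coefficient of variation (stdev / mean). A real beacon sits near 0
    for both the interval between connections and the bytes per connection,
    regardless of whether the payload is encrypted: the timing, not the
    content, gives it away. The thresholds are assumptions to tune per site.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    results = []
    for key, events in by_pair.items():
        if len(events) < min_connections:
            continue  # too few samples to call anything periodic
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        gap_cv = pstdev(gaps) / mean(gaps) if mean(gaps) else float("inf")
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else float("inf")
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            results.append({
                "pair": key,
                "period_s": round(mean(gaps)),
                "gap_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return results


if __name__ == "__main__":
    for hit in beacon_candidates(parse_flows(FLOWS)):
        print(hit)
```

On the constructed data only the 203.0.113.8 pair is reported (period 60 s, timing jitter under 3%), while the CDN traffic is ignored. In practice the hit list is a starting point for analysis, not a verdict: patch agents, monitoring probes and NTP also beacon, so the next step is to check each flagged destination against what the client says should be talking on that schedule.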

And, don’t leave out the ONE BIG HOLE so many companies fail to consider…End User Awareness Training…in fact, it might be wise to develop a quiz of some sort, and add a scoring system to show your asset owners where their data creators and accessors are with regard to security savvy.

Time To Deliver Results – Don’t Leave Out This One

You’ll need two reports to make this work. The executive summary, and the appendix…Who’s going to write this????

In most cases, your competition is only delivering the latter…Oh, they probably have a section in their 50 page document called Executive Summary…but how many executives are actually reading that section? Take a look and see if it looks like executive reading material. (Hint: the Red Light, Yellow Light, Green Light was a clever invention, but I don’t see CFOs acting on it.)

Executive summaries should be short, to the point, and easy for business people to digest. Check out Chip & Dan Heath’s book, Made to Stick, for some insightful tips on making reports consumable and memorable.

If you think your SME is going to write this document (the executive one), think again. This is an exercise requiring the skills of a copywriter – learn the skill or outsource it.

Important Factor: After All, You’re Liable!

Finally, make sure you get an audience with executive management during the initial stages and deliverable stages of your assessment.  Insist on it! Don’t take NO for an answer.

After all, you’re liable in some sense. If your client gets hacked tomorrow, and you were in there today, someone is going to want to talk to you. If you’ve uncovered serious holes in the armor, and you were depending on IT to carry that message to the commanding officer, you just might be surprised to find out it didn’t really happen the way it was supposed to.

© 2017, David Stelzl


What’s The One Big Issue Behind Almost Every Hack?

Hint: Most Risk Assessments Ignore It!

One question I always ask on our final coaching call (in The Security Sales Mastery Program)…
“What is your client’s number one security mistake?” Answers vary…
Is it… 
  • Poorly configured or managed firewalls,
  • Untested backup systems,
  • Improper network segmentation
All are important, but none are right, said Security Expert Thomas L. Norman (author of several security/risk analysis books and a recognized industry speaker).
In a recent interview, I asked Tom what he believes is corporate’s biggest mistake…
“Easy!” says Norman, “It’s a lack of user awareness training. Training is always treated as an afterthought, and a waste of time in the mind of employees.”
He went on to explain that every security issue is rooted in a mistake made by an end-user, who just didn’t understand security.
In many cases the mistakes are made by hard-working end users doing their job, looking to be helpful and efficient, but out of touch with the surrounding threats.

Experts Without Experience, Opening the Doors To Destruction

Imagine going in for heart surgery. Your surgeon – an expert on IT and certified with his CISSP.
He’s earned his masters in computer science (with a specialty in data security), has designed networks, written books, and even designed his own operating system.
But this is heart surgery!
So while he is able to access everything he needs online, including the patient’s medical history, YouTube videos on how to perform the surgery, and perhaps even hacked into a paid channel online to observe an actual surgery, he has zero credentials when it comes to medicine and surgery. Are you going to let him proceed?
Now turn this scenario around. The doctor knows everything there is to know about heart disease and protocol. He’s performed hundreds of successful surgeries.  Yet, this degreed professional has zero IT experience. He’s used computers, but he has no idea how they work, where patient protected data is stored, or how that data can be used to harm him, the organization, or his patients.
The truth is, there are millions of professionals around you doing all kinds of specialty work.  They’re calculating taxes, auditing, designing bridges and buildings (earthquake proof and more), building airplanes and space ships, and performing intricate surgeries.
None of these professionals  took on these complex  projects without significant training and certifications.
Yet, every one of them is given access to the one device that (if used improperly) has the power to destroy an entire company.
Computers are the heartbeat of your prospect’s business, as well as the central nervous system of government, education, healthcare, and transportation (all critical infrastructure). One wrong move could bring lawsuits, expose data to the competition, threaten the stability of your country’s economy, the military, and just about everything that matters – including life itself.

Stupid Things Smart People Do

My first IT job was a CO-OP position at Johnson & Johnson (McNeil Pharmaceuticals). I’ll never forget the day one coworker deleted our entire poison control system (highly sensitive data used in drug trials for government approval)!!!!
We were working on DOS back in those days (Windows’ predecessor), a command line driven operating system. Just one missing parameter in his command line ended up deleting everything. Keep in mind, we didn’t have a trash can on the desktop like you do in Windows.  Lucky for him, we did have a backup.  Still, it was a major ordeal. We had to restore from floppy disks – a painfully slow and risky process.
Smart people do stupid things on computers all the time. Not because they’re stupid. They just don’t know any better. Imagine how many mistakes you or I might make while performing major surgery using an instructive YouTube video!!!
On any given day,…
Messages pop up saying your computer’s infected, call this number (a simple ruse used to take over one’s computer by phone).
Perhaps you are at home, working on a late night project with an approaching deadline. What will you do? What would the average office worker do?
Another user receives an email from the bank requesting updated information, or a wire transfer request to a known supplier (with updated account numbers). What will they do? Will they check with someone first, or just move the money so they can be back on task?
How many people have been duped on Facebook to friend innocent or attractive looking people, only to be lured into giving up confidential information?
It’s been shown time after time, people trust people, even when they’ve only met online.  Office workers are busy. They don’t have time to check with IT every time an email comes in or a website looks different.
Do these knowledge workers ever leave mobile devices unprotected and unattended at Starbucks? Do they have personal data on their phones when they list them on eBay? Do they click on sites that have invalid security certificates, or click on links emailed by people they don’t recognize?
Do they download apps with little thought of malware, or work from home on unprotected systems and unencrypted networks?
Yes!
These are all common end-user habits. People are busy, and without some serious training, they won’t spot the clever ruse that comes through the firm’s various levels of security and insecurity.

The Only Reason to Measure Risk…Or You’re Wasting Your Time

The purpose of an assessment was explained in an article I wrote earlier this year – the bottom line is, Assessments should be performed to expose weaknesses, measure risk, and move the company toward remediation (the long tail of security assessments). If your assessments fail to do these three things, you’ve wasted your time.
So, while the misconfigurations (so often found in network devices and servers) are important, understanding the risk (Impact vs. Likelihood) of a user’s mistakes is more important.
Looking at risk, what is the impact of an enduser acting on email infected with spyware or ransomware? It’s extremely high!
How likely are they to act on it by clicking? Again, extremely high.
When the impact and likelihood are both high, the company has a major problem; one that must be addressed.
Take this same concept home or on the road. How likely are end-users (executives, sales people, office workers) to give into just about any social engineering effort – Phishing, infected websites, a fake support call,…? Higher than you can imagine.
You should expect that your client’s office workers are making mistakes every day.
Expect them to be downloading untested apps, letting their kids trade pirated music and videos, accessing high-risk sites such as gaming and porn, and more…
The average teen is probably friending all kinds of predators disguised and prepared to steal and destroy. Employees regularly email confidential data, store data on personal devices, and use insecure home networks to conduct business. The end-user is the new firewall, and they’re failing.
After all, none of these workers have ever really been trained.
And if they have (through some ill designed, one-off training program) chances are they didn’t really pay attention. The training was probably boring, overly technical, and ineffective.
In the case your prospect company did bring in someone entertaining, or use one of the few attention-grabbing programs out there, everything they learned was out of date (or forgotten) within a month.
Remember, hackers are creative, stealthy, and always one step ahead of the good guys. Training needs to be a high priority and frequently updated/repeated.

What’s At Stake? Your Prospect’s Most Valuable Assets

Looking at your client’s most important assets, it used to be the people. No longer.
Data is the most important asset. Everything your client does is digital. The money, the R&D, the customer lists, the strategies and processes; everything.
There are three areas to consider; confidentiality, integrity, and availability.
Anything that would expose confidential data, affect the integrity of the business’s information, or reduce the reliability or performance of the company’s computer systems is at risk.
When building the impact vs. likelihood graph, (Find out more in my book, The House & The Cloud)  your first consideration is assets. Which applications and what data represent the greatest negative impact to the business, if made unavailable, corrupted, or exposed (to other governments or organizations, hackers, or the competition)?
What’s at stake? Loss of shareholder value and customer confidence, competitive advantage, operational efficiencies, quality, and perhaps fines or lawsuits for non-compliance.  The cost of any breach, according to Thomas Norman, is about 20X the cost of remediating that one threat!
So when a company refuses to secure something, in order to save $100,000, they can expect to spend about $2 Million on recovery when a “Boom” (the industry term for disaster) occurs.
Second, consider the likelihood.  The client needs a metric to understand their risk – and it can’t be three colors. This RED, YELLOW, GREEN system is overused, and of little value. CFOs don’t approve large security budgets just because your report has a RED light on it.

Correcting The Course – How to Include People In Your Assessment

Security awareness training, like policy (the other root cause of security disasters according to Norman), should be a primary consideration when assessing risk. If the user/operator of a mission critical system is highly likely to cause disaster (through ignorance or an act of vengeance) it should be noted in the findings.
A few things to consider in your next assessment:
Make Time For People Interviews. 
There’s no point in scanning networks and looking for patches and open ports if you’re not going to assess risk. The chances of that company actually taking action on your remediation steps are nearly zero.  Build interviews into your assessment process, both with executives and end-users.
On the executive side, you need to know what they believe are their most mission critical systems. You’ll want to know what data matters, what applications are core to the business, and how much risk can be tolerated.
Find out who would want certain data, or what impact a down system would have on the profits and customers, for any given length of time.
Remember, IT can’t answer these questions. There are too many variables. Pending lawsuits, product announcements, M&A activities, and the competitive landscape all play a role in data asset value – it’s a moving target.
Once you know what really matters, it’s time to talk to their end-users. You want to understand their workflow; how and when data is created, used, transmitted, and stored. How about data disposal?
You also want to know how much these knowledge workers know about security. Is email encryption just an option on their email application, or are workers forced to comply with corporate security policies?
Do employees use personal devices, and do they understand how these handy devices are compromised, or what happens to data when they sell their iPhone or tablet online?
A security quiz issued to a sample population would be perfect (I’ve never seen this done – but it makes sense. A quiz would certainly set you apart from your competition).
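Here is what the quiz idea looks like when it is carried all the way through to a number the asset owner can act on. This is an added example, not the article’s own material: the questions, answers, departments, headcounts and dollar impacts are all constructed, and the step that turns a quiz score into a likelihood (each person fails a lure independently with probability 1 minus their score, and a lure sent to the whole department succeeds if anyone bites) is an assumption stated in the code. It serves both the impact vs. likelihood discussion above (a numeric ranking instead of three colors) and the quiz: per-department scores, the weakest topics, and the ranked expected loss per asset.

```python
"""Score an awareness quiz across a sample population and feed the result
into an impact-vs-likelihood ranking.

Added example, not from the article. Everything below (quiz, responses,
departments, headcounts, assets, impacts) is constructed, and the mapping
from quiz score to likelihood is an assumption, not a published method.
"""
from collections import defaultdict

# Constructed answer key: question id -> (topic, correct answer)
ANSWER_KEY = {
    "q1": ("phishing", "report"),           # unexpected invoice attachment
    "q2": ("phishing", "verify-by-phone"),  # wire request with new account
    "q3": ("devices", "encrypt"),           # laptop used in coffee shops
    "q4": ("data-handling", "wipe"),        # selling an old phone online
    "q5": ("social", "decline"),            # friend request from a stranger
}

# Constructed responses: (employee, department, {question: answer})
RESPONSES = [
    ("ana", "finance", {"q1": "report", "q2": "verify-by-phone", "q3": "encrypt", "q4": "wipe", "q5": "decline"}),
    ("ben", "finance", {"q1": "report", "q2": "pay", "q3": "encrypt", "q4": "sell-as-is", "q5": "decline"}),
    ("cy", "finance", {"q1": "click", "q2": "pay", "q3": "encrypt", "q4": "wipe", "q5": "accept"}),
    ("dee", "sales", {"q1": "click", "q2": "verify-by-phone", "q3": "none", "q4": "sell-as-is", "q5": "accept"}),
    ("eli", "sales", {"q1": "report", "q2": "pay", "q3": "none", "q4": "wipe", "q5": "accept"}),
]


def score_quiz(responses, key=ANSWER_KEY):
    """Return (mean score 0..1 per department, miss rate 0..1 per topic)."""
    dept_scores = defaultdict(list)
    topic_hits = defaultdict(lambda: [0, 0])  # topic -> [correct, asked]
    for _, dept, answers in responses:
        correct = 0
        for qid, (topic, right) in key.items():
            topic_hits[topic][1] += 1
            if answers.get(qid) == right:
                correct += 1
                topic_hits[topic][0] += 1
        dept_scores[dept].append(correct / len(key))
    depts = {d: sum(s) / len(s) for d, s in dept_scores.items()}
    topics = {t: 1 - c / n for t, (c, n) in topic_hits.items()}
    return depts, topics


def any_click_probability(mean_score, headcount):
    """ASSUMPTION: each person fails a lure with probability (1 - score),
    independently of colleagues. A lure mailed to the whole department
    succeeds if anyone bites, so the likelihood climbs quickly with
    headcount even when the average score looks respectable."""
    return 1 - mean_score ** headcount


def rank_risks(assets, dept_scores, headcounts):
    """assets: (name, owning department, impact in dollars if exposed).
    Returns a numeric ranking by expected loss, not a colour."""
    ranked = []
    for name, dept, impact in assets:
        likelihood = any_click_probability(dept_scores[dept], headcounts[dept])
        ranked.append({
            "asset": name,
            "dept": dept,
            "likelihood": round(likelihood, 3),
            "expected_loss": round(impact * likelihood),
        })
    return sorted(ranked, key=lambda r: r["expected_loss"], reverse=True)


def demo():
    """Constructed assets and headcounts; the quiz sample stands in for
    the whole department."""
    depts, _ = score_quiz(RESPONSES)
    headcounts = {"finance": 12, "sales": 40}
    assets = [
        ("ERP ledger", "finance", 2_000_000),
        ("CRM pipeline", "sales", 500_000),
    ]
    return rank_risks(assets, depts, headcounts)


if __name__ == "__main__":
    depts, topics = score_quiz(RESPONSES)
    print("department scores:", depts)
    print("weakest topic:", max(topics, key=topics.get))
    for row in demo():
        print(row)
```

Two things fall out of this that a three-colour chart hides. First, the topic breakdown tells the asset owner what to train on (in the constructed data, the social-engineering question is missed most). Second, the headcount effect: a department averaging 90% on the quiz still gives a phishing campaign roughly an 88% chance of landing at least one click across twenty people, which is the “higher than you can imagine” likelihood the article describes, expressed as a figure the CFO can multiply by a dollar impact.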
There’s a lot more to cover when discussing risk assessment process. However, these ideas concerning end-users awareness, and likelihood of enabling a disaster, are a great place to begin.
Copyright 2017, David Stelzl

How to Make Assessments Worth Selling

Think Like An Investor When Pricing

Most people invest at the wrong time (according to the Billionaire Investors Interviewed by Tony Robbins in his book, Money, Master The Game).  They jump on the bandwagon when things are high, and they sell when the market drops.

Running a for-profit assessment team in the early 2000s (for a global technology integrator) was more a lesson in financial management than sales for me.

Assessments are often sold at prices that leave little in gross profit.  Free assessments tend to offer no value, and simply leave the prospect disillusioned. And only a handful of these heavyweight documents ever result in any long-term financial gain.

Today I Want To Change This Lack-Luster Profit Prophecy Once And For All!

Here are Three Things to Consider That Will Change Your View of Assessment Profitability Forever.

  • Free Assessments Can Offer Some of The Greatest Returns on Your Investment.
  • High-end Assessments are Expensive To Sell – The Real Profit Is In The Aftermath.
  • Every Assessment Should and Can Lead to Annuity Business.

Free or High Stakes – Which Has The Bigger Payoff?

In my workshop, The Security Sales Mastery Program, assessments are central to the sales process. I covered some of this in an article on scope last week.

When I bring up the idea of using free assessments to drive business, I often get pushback. In response, I offer up three examples of assessments I was personally involved in. Let’s take a look…

(Get More Details in My Book, The House & The Cloud)

The $125,000 Hospital Assessment

This first example comes from a large hospital assessment, sold and delivered in the southeast. If you know healthcare (and you work in security) you know it’s a match made in heaven. Lots of needs, endless compliance regulations (many unmet), and an industry with deep pockets.

Our assessment was priced for profit. It took a total of 40 man-hours onsite, and another 40 man-hours of analysis and documentation.  Total burden cost, about $10,000.  $125,000 with a cost of 10K is high margin business, even to lawyers.

However, there were NO follow-on projects.

It’s our fault!!! Back then I did not understand how to create business from an assessment. Most don’t – the conversion rates from assessments like these are low, averaging about 20 percent.

So our total gross profit landed at around $115,000. Not bad for a two week effort. However, the upside potential (had we closed just one of our recommended changes) would have more than doubled our take.

The $36,000 State University Assessment

The university deal was won on a last ditch effort to get in the door. The university was looking at a number of projects to upgrade both the administrative and student networks, however, largely undecided on their direction.

On the way out the door I casually suggested an assessment might bring clarity to their needs, and to my surprise, they agreed. A few days later we signed the $36,000 agreement and scheduled to begin work.

Our team spent about 3 man-weeks on this initiative, engaged with the IT team on campus. When the report was complete, a meeting was scheduled to review our findings with the university’s key stake holders.

Just 5 minutes into it, the leader of the pack put our document on his desk in a sudden pause, and complained, “This is not what we asked for.”

Keep in mind, our three weeks were spent, side by side, with their IT people. They were basically leading the charge…and here we were being reprimanded for missing the mark. As you might have guessed, the IT people stood back, nodding, as though they had nothing to do with our missing the mark. They effectively hung us out to dry.

The meeting ended abruptly, and the invoice was NEVER PAID.

Final gross profit: ZERO DOLLARS. Very disappointing…

Free Assessment: Thanks For Attending This Business Leader Event!

Finally, there’s the dreaded free assessment. My classroom example offers a total of five pages, including the cover letter. This particular example-giveaway was offered to small business owners on the heels of an educational event. Our audience was well qualified – mostly healthcare.

Our total time spent marketing and selling: about 2 days plus a few days of phone follow up using call scripts from a product on my webstore.

At the close of our risk-measuring initiatives (we closed about 30 assessments in that one event – in just 60 minutes!)…

One of the larger prospect-companies signed up for $36,000 in remediation work, signed an $8,000/month – 3 year agreement (and renewed for 3 more years), and went on to do at least two more projects worth $100,000 in revenue (figure 50% burden on projects and manage IT Services).

Total gross profit: $356,000 (and still going)…

It’s important to note the cost of sales. The first two projects required 3 to 6 months of selling. The third, 3 mailings, a couple of days on the phone (done by contractors),  1 live event (with speaker), and about 4 days between starting and delivering the assessment.

Which of these three deals would you choose to get paid on?  If you own a technology business, which would you choose to build your business on?

The Free Assessment Worked, So When Do You Charge? What Would The Investor Do?

There is a time to charge!

So don’t just read the first half of this and think, “He always gives them away.” Free is RISKY.

Free requires the right audience, and a predictable conversion strategy – it requires knowing how to drive business through an assessment, just like choosing the right asset allocation has everything to do with an investor’s success.

All investments are tied to risk. Your paid assessment is largely a paper document, with a big price tag…If your paper offers tremendous value (like a stack of green paper with government markings on it) it’s worth a lot. On the other hand, if it has my child’s markings, it’s only worth something to me.

I’ve seen free assessments work in all size markets, however, as you scale the corporate ecosystem, closing gets harder. Client expectations grow as you engage with the more sophisticated organizations.

So, if the ROI looks great, you can afford to do assessments for free or for less. However, the likelihood of getting that follow-on business from a new, enterprise prospect is much lower than it would be in the SMB (Small/Medium Business) market.

So, in the larger markets, assume you’re going to charge when you assess.  But charge enough to make it worth your sales and delivery time.

Enterprise deals (like the first one mentioned above) are margin-rich. However, as you can see, we didn’t achieve our goal of long-term financial returns.

So, while the margin was high, the cost of sales was also high.

If you’re the selling agent, you may not care – you still get your fat commission check. On the other hand, if you get paid on bottom line performance, suddenly it matters.

How much does a 6 month sales cycle cost? Drive time, office time, lunches, etc. It all comes straight off the bottom line. Not to mention benefits, base salary, and opportunity costs associated with the seller.

In the SMB market, the financial picture is completely different. Small business prospects rarely spend much on remediation, however, the IT Services deal is there (unlike most enterprise accounts), so there’s your long-term profit.

There’s one more factor though. And it has to do with account control. Every sales person knows that controlling the deal is essential to the close. As soon as you hand in a proposal, you’re at the mercy of the prospect.

In the case of an assessment, once a contract is signed (with a fee attached), you no longer control the deal.

Don’t miss this…

Assessments are like proposals. Unless your company is highly specialized in audits/assessments (with high-end and frequent assessment/audit business), your quota achievement depends on closing follow-on business (projects and managed services). The fee-based assessment is controlled by the buyer – reducing your assessment-deliverable to a quote.

That’s where I went wrong on the University Deal…

IT was in charge – My team was directed by them, and executive involvement was not part of the plan. Yet, an asset owners’ inputs are the most important part of understanding risk! Without Asset Owner Understanding, closing follow on business (with a new prospect) is nearly impossible.

Assessing risk has everything to do with assets and their owners. Their business will live or die based on asset exposure and real-time detection/response to cyberthreats.

Without leadership involvement, you can’t possibly understand the company’s data value, most crucial systems, and greatest threats. How often do IT staffers know how much down time can be absorbed or how much data can be lost before shareholder value is impacted?

Sure, IT has an opinion, but to deliver risk, your process must look more like a Business Impact Analysis Report than a typical Vulnerability Assessment.

Here’s the thing. When the assessment is free, you’re in control. What does that mean?

Since no one is paying you, you have the right (and authority) to proceed according to your recommended approach. If you’re wrong, you’ll pay for it on the back end. If the client balks, you can always stop the process. It’s free, so you’re in control.  Do it right, and business will follow (along with profits).

When money changes hands, the buyer is in control. If they want you to submit questions and take their written answers (without any face time), it’s their choice.

Since all sales have an emotional component, you know that face time is important to any high-involvement sale…even if that face time is virtual. There has to be trust and advice to be a trusted advisor. And that requires interaction with those making the decisions.

The final analysis – in the SMB market, lead with free assessments almost every time. The $500 to $2500 price tag on SMB assessments leaves no budget for IT services, and will take months to close.

In the enterprise, carefully weigh the risks, and what factors must be present to take on the risk of assessing pro bono. If the cards are stacked against you, go with the fee based, and sell them on the high-ticket approach to ensure your profits are worth doing the deal. Remember, you need asset-owner involvement to justify any assessment worth doing at this level.

Every Assessment Should Be Ongoing Business – Here Are Two Ways To Create Annuity Business

The biggest upside in both free and paid assessments is in the ongoing annuity business.

There are two ways to create annuity business with assessments (and maybe more that I haven’t thought of).

First, let’s look at the theory. Risk is a measure of impact vs. likelihood. You can’t affect impact; losing data or suffering downtime is going to cost the company, no matter how secure the company is.

Your variable is in likelihood. Solid security lowers likelihood (however, even GREAT security does not eliminate threats).

The assessment identifies (at least it should) the threats, and provides a measure of likelihood. Remediation is the process of reducing the likelihood to an acceptable level.

Managed services (or MSSP) is your program designed to maintain an acceptable level of risk over a period of time – your long term annuity engagement.

So the first way to sell ongoing business through assessments is to demonstrate an organization’s unacceptable level of exposure, and provide a way to reduce it.

And then show them how to maintain it by contracting with you to oversee, or detect and respond to issues as they arise.

The second way, generally better geared for enterprise accounts, and using fee based assessments, is to sell a quarterly update.

Keeping the same scope, and simply updating the document quarterly, can provide tremendous value to the client that houses sensitive data.

Two up-sells come with the ongoing assessment approach.  First, you’ll get a quarterly opportunity to check in on your recommended remediation steps. Over time, and given you are providing value, your client is likely to engage you to keep working on your recommendations as threats grow.

Second, the scope is likely to change over time as new IT initiatives invite you to consider added systems as part of your analysis.  One additional bonus, you’ll be up on all your client’s latest planned initiatives since new projects always affect the client’s security risk analysis.

Going forward, add this quarterly update with just enough money to cover your added cost (in other words, do it at break even). It adds value, costs you nothing, and offers great upside.

© David Stelzl, CISSP