What to ask when conducting your security risk assessment
How Long Can You Afford To Be Down?
Find Out What It Costs…Before Talking Budget…
MTD (Maximum Tolerable Downtime) is the first thing you should be thinking about. Data theft and misuse are equally important, but downtime (from ransomware or from failure) is unavoidable.
Remember Where Security Trend Reports Were a Few Years Ago…
Older threat reports (Symantec, Verizon, FBI/CSI, etc.) focused on the likelihood of an attack. They measured the number of companies hit by malware, reporting spam, or suffering DDoS.
Read today’s reports and you’ll discover something different…
Newer reports focus on types of malware, cost of downtime, cost of data exposure, and whether or not insiders were involved. In this ongoing discussion on security assessments, DOWNTIME and COST are the focus.
The Company’s Most Important Asset Used to Be People…Not Anymore
Talk to any DR (disaster recovery) specialist and they’ll tell you: people are (or were) a company’s most important asset.
Not anymore.
Now it’s data…Not to minimize the value of a person, but even the WSJ calls DATA the Oil of the New Millennium, not people.
In security, there are three pillars to consider. Confidentiality, Integrity, and Availability. In this article, I’m talking about the third – AVAILABILITY.
80% of Cyber-Breaches Result in Downtime
Every major corporation has been breached at this point…and most smaller firms too. It’s just a matter of time. 8 out of 10 experience downtime, and based on Cisco’s graph (from their 2017 Cybersecurity Trends Report), 90% of those 8 will be down for 8 or more hours…
How much downtime can your client stand on any given system?
Even with data moving to the cloud, downtime is a major factor. MTD (Maximum Tolerable Downtime) is the old DR metric that asks how much downtime your firm can stand on any given application before it severely impacts the business.
The actual number has to be given to you as the assessor. You can’t discover it through observation…
And while it may seem arbitrary, there are numerous studies available online that tell us how likely a business is to go out of business after an outage.
Who Knows The Answer And What Does It Mean?
The problem is, most security assessments don’t actually measure tolerable outage, or the likelihood of exceeding executive management’s tolerance.
IT is generally the focus of these assessments…
To the IT custodian, an outage means working late, not a failing business. The right approach to assessing risk involves assessing those things which create a risk of something bad happening – in this case, business failure, stock price drop, loss of shareholder value, or customer dissatisfaction (to name a few).
Remember, Customer Experience is the New Brand Metric…And downtime kills customer experience.
So who knows the MTD?
The asset owners know…the ones who use the data to drive the business. And different departments will add more or less value to the overall business success – executive management knows who they are. IT, on the other hand, does not. (Just ask any executive).
Ask the end users, and they’ll tell you they can’t stand any downtime!!!
Of course that’s not true. However, any business critical function probably requires more uptime than IT realizes, and is worth spending more to maintain than most executives would like to admit.
Uptime is always a cost-benefit analysis. The first answer is usually, “No downtime”. Once an estimated cost of zero downtime is displayed, that downtime number suddenly goes up…
Getting Real With Risk And DownTime
What’s really happening here is, when faced with a large financial number, executive management suddenly wants to take on more risk than they can actually stand.
It’s no different than the person with no consistent income getting approved for the sub-prime mortgage, so they can finally get their house.
The house-buyer’s attention is on the house, not the payment. With downtime, it’s the same. The buyer’s eyes are on spending where it feels good, not minimizing risk.
It’s the assessor’s job to convince asset owners that downtime is only a matter of time. Remember, most breaches (80%) will result in some downtime. Half will be in the range of one day or less…but about the same number will exceed one day by 1 to (pick a number) days.
What’s the likelihood of downtime? Close to 80% – given the likelihood of being hit with some form of cyberattack is nearly 100% over some time period.
Solving The Problem
The problem of downtime used to be solved with EMC SRDF (mirrored NAS over a wide area connection), or at minimum, redundant systems running a highly available configuration. These are expensive solutions when talking to mid-market and down…
Does your MSP offering include virtual data servers in a hosted (protected) environment? Are you running a virtualized HA configuration?
What about using a dropbox-like solution in addition to backups?
In a recent sales call, one of my clients had a firewall opportunity. The vendor SE accompanied them on the call. When the client was asked about the need for redundant firewalls, they replied, “Not necessary”.
The vendor SE made a note and moved on…but my client, having been through the Security Sales Mastery Program knew better.
IT can’t answer this question!!! A single FW outage would shut down just about everything – all external communications including cloud app access, email, etc. Can any company actually work without their Internet connection anymore? Probably not…
Suddenly, downtime is a serious issue, and one that demands new services…hosted systems, redundancy, HA Internet access, data in the cloud, and more…The risk assessment, when focused on MTD, is your fastest road to up-selling services to your clients.
© 2017, David Stelzl
What The Lazy MSP Companies Aren’t Showing Their Clients
Assessing risk is the fastest way to land new logo business in the MSP arena. And if you want to build a long term, profitable business, your MSP is going to have to go MSSP…
(Note: I’ve purposely left out the heavy technical jargon to make this readable by sales – if you actually do the engineering work, you’re probably wanting a more technical deep dive. My goal here is to help sales reps sell the one thing that will overcome any IT budget objection.)
- Get More on How to Sell Profit-Rich Security Solutions in my book, The House & The Cloud
While 90% of the tech companies I speak to CLAIM they do security (on their website), only a handful actually do. If you want to set yourself apart, learning to discover urgent issues (already present) on your client’s network will do it.
Over the past several months I’ve written numerous articles on how to sell, deliver, and convert assessments to long term annuity business. This one last step in the actual assessing process is arguably the most important.
You Can’t Just Look At Perimeter Scans and Configurations
In this YouTube video (published by Alienvault – below), the speaker is explaining the dangers of connecting to Tor or using BitTorrent, as examples of traffic symptomatic of botware. Check out 0:48 in the video below for more threats he uncovers…
These are the urgent issues you need to move deals forward!!!!
Traffic patterns also reveal reconnaissance efforts underway by hackers – thieves gathering information to be used in a future attack.
You also want to know if malware is already installed or in the process of being installed through phishing attacks or web-threats of any kind…port scans in most cases will not do this.
The problem is, most assessments I review in my coaching calls show nothing regarding traffic or connection activity between workstations and the outside. Why?
Because it’s not easy.
In other words, the MSP providing the assessment is either too lazy or too cheap to do it, or just doesn’t know what they’re doing.
If you sell (or use pro bono) assessments, with the goal of opening new doors in the accounts you serve, make sure your professional services team understands the importance of traffic analysis and has the tools to do it…
Lots Of Data, No Connection, Equals Meaningless Data
Today’s technology is great at logging data…but not so great at drawing out intelligence.
That is unless you know SIEM…Security Information & Event Management.
The ability to take all of that data from AV software, UTM firewalls, IPS devices, etc. and make sense of it has been a road block for just about any company short of large enterprise…
There are several options, including some UTM firewalls, products like AlienVault and Arctic Wolf (positioned for mid-market), and BlackStratus’ recent entry into mid-market and SMB, Cybershark (which can be white-labeled and offered with full SOC services – with little or no investment!).
With SIEM now available as a cloud offering, there’s really no excuse for not doing this.
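To make the “lots of data, no connection” point concrete, here is an added Python example (written for this page, not code from the post or from AlienVault, Arctic Wolf, BlackStratus or any other product named here). It takes constructed log lines in three unrelated formats (a firewall, an AV agent and an IPS), normalizes them into one event shape, and then does the one thing a raw log pile never does on its own: it asks whether two or more independent sources are talking about the same internal host within a short window. The port watch-list (Tor’s default relay port 9001 and the BitTorrent 6881–6889 range) and the year assumed for the syslog-style IPS line are assumptions for the sample, not a complete indicator set.

```python
"""Cross-source correlation over constructed firewall, AV and IPS log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (three different formats); not from any real system.
FIREWALL_LOGS = [
    "2017-05-02T09:14:03 fw01 ALLOW src=10.0.1.25 dst=203.0.113.9 dport=443 proto=tcp",
    "2017-05-02T09:14:20 fw01 ALLOW src=10.0.1.25 dst=198.51.100.77 dport=9001 proto=tcp",
    "2017-05-02T09:20:11 fw01 ALLOW src=10.0.1.40 dst=203.0.113.9 dport=443 proto=tcp",
    "2017-05-02T09:22:45 fw01 ALLOW src=10.0.1.40 dst=198.51.100.81 dport=6881 proto=tcp",
]
AV_LOGS = [
    "2017-05-02 09:16:01 host=WS-025 ip=10.0.1.25 event=DetectionQuarantined threat=Trojan.Generic",
]
IPS_LOGS = [
    'May  2 09:15:30 ips01 ALERT sid=2001 msg="Outbound Tor connection" 10.0.1.25 -> 198.51.100.77:9001',
]

# Assumed watch-list: Tor default relay port and the common BitTorrent range.
WATCHED_PORTS = {9001: "tor-orport", **{p: "bittorrent" for p in range(6881, 6890)}}
SYSLOG_YEAR = 2017  # syslog-style lines carry no year; assumed for the sample


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str      # internal IP the event is about
    source: str    # "firewall", "av" or "ips"
    detail: str


FW_RE = re.compile(r"^(\S+) \S+ (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)")
AV_RE = re.compile(r"^(\S+ \S+) host=\S+ ip=(\S+) event=(\S+) threat=(\S+)")
IPS_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ALERT sid=\d+ msg="([^"]+)" (\S+) -> (\S+)')


def parse_firewall(line):
    """Keep only connections to watch-listed ports; ordinary traffic is dropped."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, dport = m.groups()
    tag = WATCHED_PORTS.get(int(dport))
    if tag is None:
        return None
    return Event(datetime.fromisoformat(ts), src, "firewall", f"{action} {dst}:{dport} ({tag})")


def parse_av(line):
    m = AV_RE.match(line)
    if not m:
        return None
    ts, ip, event, threat = m.groups()
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, "av", f"{event} {threat}")


def parse_ips(line):
    m = IPS_RE.match(line)
    if not m:
        return None
    ts, msg, src, dst = m.groups()
    when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
    return Event(when, src, "ips", f"{msg} -> {dst}")


def correlate(events, window=timedelta(minutes=15)):
    """Group events per host. A host is flagged only when two or more independent
    sources report it within `window` of each other; single-source hits are kept
    for review but not flagged, which is the difference between data and a finding."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        best = set()
        for i, anchor in enumerate(evs):  # slide a window from each event forward
            cluster = {e.source for e in evs[i:] if e.ts - anchor.ts <= window}
            if len(cluster) > len(best):
                best = cluster
        findings[host] = {
            "sources": sorted(best),
            "events": [f"{e.ts:%H:%M:%S} {e.source}: {e.detail}" for e in evs],
            "flagged": len(best) >= 2,
        }
    return findings


def analyse(fw_lines, av_lines, ips_lines):
    parsers = ((parse_firewall, fw_lines), (parse_av, av_lines), (parse_ips, ips_lines))
    events = [ev for parse, lines in parsers for ev in map(parse, lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for host, f in analyse(FIREWALL_LOGS, AV_LOGS, IPS_LOGS).items():
        print(("FLAGGED " if f["flagged"] else "review  ") + host, f["sources"])
        for line in f["events"]:
            print("   ", line)
```

On the sample input, 10.0.1.25 is flagged because the firewall, the IPS and the AV agent all report it within two minutes, while 10.0.1.40 shows up only once (a single BitTorrent-port connection) and stays in the review pile. That is the analysis step the section says most SIEM reports leave to the reader: the individual lines were already in the logs; the finding appears only once they are joined on host and time.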
Key Point in the video below (at 2:35) – None of this information is actually interesting unless you can get the analysis, and make the data actionable.
Unfortunately, most SIEM technology won’t really do this for you (Even though AlienVault and others claim to). In the end, you (The Rep) must read the report and see if your client is going to be moved by it.
If not, rewrite the executive findings as a separate report – more to come on that in a future post.
This takes us back to an earlier article on QUESTIONS TO ASK…The most important part of the interview process is in gathering the mission critical data offered only by executive management.
MTD, RPO, etc.…think Business Impact Analysis…all security issues are disasters and should be viewed just like Disaster Recovery…But your competition isn’t doing this.
Key Moment In The Video (3:50)
At 3:50, this video shows actual malware infections being installed – not only is this type of activity undetectable through simple observation, your network patrol product is not going to see it either!
Only with something that looks at host intrusion does this become evident. The good news – once you have an MSSP offering installed to do this type of analysis, it’s easy to justify keeping it there – this is annuity business that self-justifies.
But Remember, this is not the most important tool – your QUESTIONS are.
Armed with the intelligence that comes from talking with executives and other asset owners, this information suddenly makes sense in helping a client determine their true threat levels, while providing you with the justification you need to move forward with MSSP.
For more insights on how to sell assessments and larger security deals, check out one of the only books written to resellers and MSP providers on how to sell Security: The House & The Cloud…