Archives For how to price a risk assessment

chain break

After All The Work That Goes Into Security Assessments,  This One Thing, If Missed, Will Make The Entire Process a Waste of Time…

When the Truth is Clear…Cancer, Heart Attack,…Breach…People Act.  With Security Your Message Must Connect and Your Audience Must Feel The Pain.

You might think it’s callous of me to compare your own life (risk of cancer) to a data breach, but the truth is, data is what many companies see as their most precious asset.

Right or wrong, given a choice, companies will part with a few employees before facing business failure. And data loss often begins the downward spiral that can’t be stopped.

However, getting the company leadership to see these business-crushing threats, before they happen, is not easy.  Following is the strategy I’ve used to turn week-long assessments into annual contracts, and more.

(Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

Rule One: Don’t Present Without The Asset Owners!

Asset owners are those with liability. Have you ever presented a cost-saving solution to IT directors or middle managers? Tell them you can save them money, reduce FTE (Full Time Employees) by 50%, and improve quality of service, and they’ll quietly dismiss you as unqualified to do business at their firm. They’d rather build an empire than save money.

Take it one step further and show these cost-center agents how their personal role in the company (along with associated costs) is no longer needed with your new proposed automation process, and you might find an anonymous death threat in your mailbox.

Bring in the asset owners and something different begins to happen.

When it comes to security, technical staff rarely understand the value of corporate data, or the relationship between uptime and profit, according the several CISOs I’ve interviewed this year. And, they’re interest (probably driven by the need to make money) tends to be self serving (See Jack Eckerd’s book, Why America Doesn’t Work).

Tell executives their systems are likely infected with software, giving hackers the ability to listen in on private meetings, watch them in their office or bedroom, read their email (including personal mail), and track their whereabouts, and you’ll get a response similar to that of a home owner waking up to their fire alarm. That same bot detection among IT folks will call for some patching next week, and perhaps an AV product review.

The Underestimated Power of Free

But what happens when you show up and the asset owner is suddenly not available?

If you’ve charged $100K for this assessment, you’re in good shape. Meet, sell hard, and find a way back to the asset owners…you owe them the deliverable.

However, if you’ve conducted your assessment pro bono, you’re also in good shape!

As a free service, you control the deal.  You don’t owe them anything. And since you’re liable for what you deliver, you have the right to delay the meeting until your asset owner contacts are free. Just let them know there are urgent things they need to hear, so the sooner the better.

(Get more on why Free Assessments Are More Powerful in my book, The House & The Cloud 2nd Edition).

Your Meeting Agenda Re-Engineered to Convert

Sure, you could email executives your findings, but digital findings don’t convert. Face to face is the only way to deliver the devastating news that an attack or data loss is eminent if action is not taken.

Here’s Your Agenda:

Start with their words. You’ve interviewed them (hopefully). More importantly, you’ve spoken with both executives and the people driving the daily business (end-users). So you know how important their data is, how long they can be down, and what can’t be seen but the competition.

You also know what’s not urgent in their minds. So avoid spending time on the non-urgent, even if you think it’s urgent. (e.g. Policy).

Next, list the top priorities. Did you discover evidence of compromise? Any malware activity, or symptoms on the same, is urgent.  Note, patches, outdated systems, and EOL software are not urgent. A Failing backup solution (on the other hand) is urgent.  You’ll need to now why, and how to prove it.  Consider things you would want fixed this afternoon if you were the asset owner, and draw out the urgency.

Next, it’s time to create some vision. You know how they work and where they’re headed as a company (from the interview process). So, using their current set up, begin to pose a number of WHAT IF scenarios. This is how you create a vision – allowing the buyer to picture something they really do want.

“What if your end-users could work without ever having to guess whether or not an email was infected with malware?”

“What if, whenever someone tried to connect remotely, your network would verify who the user, check the system for malware and updated patches, etc. and only after approved, grant access?”

“What if we could take your restore time down from the estimated 5 days to the required 4 hours?”

In doing this, you’re watching for the nodding heads. Not those nodding off, but people in agreement. You want physical response / emotional response. This is your trial close. The power of trial closes is important. If you can get your audience nodding and saying yes along the way, you know, when you’re all done, they’ll keep nodding.

Finally, sell the vision – “We can get this done by the start of next month, etc.” The obvious question is, how much ($$$). Check out chapter 11 of my book, From Vendor to Advisor to see how to price this, and when to share the price.

© 2017, David Stelzl

Advertisements