Archives For ISC2

Uptime – Something Every Client Needs

The New York Stock Exchange was down this week!  How many people lost money, or at least lost sleep over this?

United Airlines had 1400 delayed flights and 76 cancellations in just one hour this week – all due to downtime.

Remember the old phone system? It was always up. Now that everything runs on networks and Microsoft, 5-Nines uptime is hard to achieve. We have more functionality, but less reliability. Yet we have become far more dependent on these systems. Everything is on the computer – including my alarm clock and my personal trainer.

Downtime is a security issue.

The ISC2.ORG common body of knowledge includes three pillars in their CISSP training programs.

  • Confidentiality
  • Integrity
  • Availability

You can remember that by remembering the CIA…which has a “security” ring to it. Some things need to be right (integrity), but don’t need to be confidential. For instance, the prices on  If a hacker upped Amazon’s prices by 20%, they would start losing sales. The integrity of those prices is critical. Uptime is also critical. If I go to buy something on Amazon, and the system is down, I’ll probably look for another place to buy. If your client needs any one of these three – it’s security.

MSP is Security, If You Sell It That Way

Most managed services offerings provide some level of monitoring, with the promise of detecting problems before they result in downtime or data loss. This service is becoming more and more of a commodity. Just about every reseller I know has an offering, and they all sound pretty much the same.

The difference is coming down to price. 

The root of this price problem is in how the proposal was originally sold. If it was sold as a more cost effective way to keep systems up and running, the client is already thinking about cost savings and price. If a cheaper solution comes along, it would seem right to move to it.  After all, they signed your contract to save money. Why not look for ways to save more?

But if your contract was sold to mitigate risk – some impending threat – the justification was built on stopping that threat. The key to keeping the first contract is keeping your price below the competition’s. The key to keeping the second contract is keeping the client focused on the threats you are stopping. The more you can show that, without you, there would be problems with one of the C-I-A pillars, the more likely they’ll stick with you.

Stop selling the commodity offering based on price, and start thinking about MSP as part of the operational security equation. From there, start thinking about the rest of the C-I-A puzzle. What other risks are your clients facing, and what is the likelihood they’ll encounter big problems if not well protected?

© 2015, David Stelzl

Finding the Pain

February 13, 2009

In our marketing strategy workshop yesterday we recognized that security pain is often not seen by the client – it must be proven. Today’s attacks are mostly stealth, and so the likelihood of your client having experienced any true security pain over the past year is low. Gaining agreement to assess security is not always easy; however, it can be done as part of other infrastructure projects you are engaged in. If you’re a solution provider, you may have an advantage here because you touch so many different aspects of a client’s IT investment.

Which brings me to today’s podcast – the 10 Domains of Security. Limiting security sales to firewalls and IDS or AV applications is short-sighted. Take a look at the enormous scope of security through the discussion I offer on these 10 domains. Chances are you’re well positioned already to take advantage of these – it’s just a matter of knowing where to look. Check it out at  and select “Subscribe to Premium Content” on the right.