Archives For Risk Assessment

One of my clients in Tampa just completed a very successful marketing event…in fact, 90% of the CIOs who attended this lunch meeting signed up to have their data center infrastructure assessed.  How did they do it?

In this case they had a former CIO do the speaking.  Understanding the pressures on the CIO role is critical – things are rapidly changing for IT leadership.  Every day the CIO Journal (you are reading this, right?) is reporting on trends that are forcing CIOs to become business-level participants.  Rather than focusing on five 9s of uptime and the next major OS upgrade, the new CIO has to be thinking, “How does my company become the next”

At the end of their presentation they offered a complementary assessment.  It’s important to note that this assessment is not really free – it’s complementary.  In other words, it has value and is worth paying for.  But as I explained to a senior VP of sales the other day, the trade-off may be months of courting a new company.  Which is cheaper: two or three days of intense assessment work, or 3 to 6 months of lunches and golf outings?  They quickly agreed: the assessment makes sense.

You can find out more on how to put together an event like this – my new guide to Event Marketing is available right here in an ebook format.

© 2013, David Stelzl


Join me on June 8th at noon EST – Leveraging the Discovery Process to gain access to decision makers.  I will be building on material presented over the past several months, but you can always go back and review sessions you might have missed.  In this one-hour session I will be covering important concepts such as:

1. Types of questions to ask asset owners and executive managers

2. How to avoid getting demoted to IT in the discovery process

3. When and how to engage the IT group in this process

4. What to do with data collected in both

5. How to deliver your findings

6. How to present your findings and recommendations

7. How to turn this process into fee based business and product sales

Don’t miss this!  It’s funded by Cisco and costs you nothing but time…sign up here.

© 2011, David Stelzl

The fastest way to inculcate the concepts from our Making Money with Security class is to try them.  Last week I had the opportunity to interact with one person attending the 3-day virtual class currently in progress…

He writes, “I thought I would try to apply some of the nuggets I have learned this week, in a meeting I had earlier this morning.  It went really well!  I met with a CISO and we discussed assets and started applying the likelihood vs. impact philosophy.  As I was doing this, my customer said the biggest problem he has is understanding likelihood.”

…This is predictable.  As I stated in last Thursday’s session, everyone seems to focus on the impact side of the security equation, but CISOs and asset owners are already well aware of this, and continue to hear the same ROI and insurance sales pitches almost daily from your competition.  By taking the “likelihood” approach, a new discussion evolves.

He continues with a great question, “Based on this approach, is determining likelihood done through risk assessment or are there more dimensions to consider?”

If you’re in the class, you know we have one more session to cover, and that is where we will address this in detail.  But this is the right question to be asking: how do we move this conversation forward to create business?  Here is a portion of my reply:

“…it means starting with executives rather than IT, and interviewing them to understand the assets: how they’re used, who uses them, who can’t use them…etc.  Then, armed with a complete understanding of the data (the assets), the technical side of the assessment should be used to discover how the necessary security is being achieved, or how to reduce the likelihood to an acceptable level of risk.  The “Impact vs. likelihood” graph from my book, The House & the Cloud, becomes our primary deliverable, backed by data from the assessment.”

His final comment: “Application to the real world is the best way to learn… I personally missed focusing on the asset and pitched it more towards the vulnerability discovery.  The asset that has the vulnerability determines the impact and the level of the vulnerability determines the likelihood.  Starting to add up.”

This is exactly right and leads to the justification this sales person needs to create new business.

© 2011, David Stelzl

Why do Assessments?

November 1, 2010

Almost every reseller does assessments, and now many manufacturers are not only doing them, but equipping their reseller community through partner program trainings, portals, and the creation of assessment tools.  Why?  If you don’t understand the core reasons for doing an assessment, chances are you are wasting your time.

© 2010, David Stelzl

Why do so many vulnerability tests fail to produce remediation business?

1. If the test is done for IT, you won’t have visibility into the executive ranks

2. If the process doesn’t involve the executive team they won’t care much about the results

3. The report is too technical

4. The report uses jargon that disguises the problem and its urgency

5. The provider appears to be more focused on analytics than on urgent issues

E.g., if I come to you and say, “This is the problem; I’ll put together some options and pricing and get back to you next week,” do you feel like the issues are urgent?  What if your plumber did that after discovering a leaking pipe in your wall?  You’d fire them!  (But only because you know that is urgent.)

© 2010, David Stelzl


We are on day two of an intense business planning session in Kentucky – one key topic that always comes up is, “How do we create business, and do the assessments we’re currently using work for this sort of thing?”

There are three common assessments I see out there:

1. The vulnerability assessment is most common – a technical paper that identifies as many holes in the security architecture as possible.  The resulting report is generally very technical in nature, product focused (meaning: network, application, etc.) and appeals to the IT department.  Certainly there is a place for this.

2. The pen test – penetration test, that is.  A test to see if the assessment team can break in.  This is fun, expensive and obvious…at least to the team.  They can always get in if they’re good.

3. The risk assessment – this should measure the impact of a loss, but equally, the likelihood of such an issue.

The third one is always most effective in building new business.

Just returning from my Dallas event with Ingram Micro…what a great trip and event!  Ingram Micro always does a great job hosting these types of programs for its reseller community…a few follow-up notes on my talk for those who attended and even those who did not…

There is a time to charge for assessments!

1. When the fee is commensurate with the sales effort

2. When the scope includes stakeholder-level people who can see it through to remediation

3. When an assessment is required by law or internal policy

There is also a time to give it away…While some people hesitate to provide anything complementary, this may be short-sighted…

1. Using three assessments I was personally involved in as examples, I showed one that sold for $125K – no remediation work followed; however, the GP was extremely high given the efficiency of the deliverable.  In sample 2, I sold the deal for $36,000 – however, given my inexperience at the time (this was over 15 years ago), we disengaged from the buyer and produced a report that did not meet his expectations.  They never paid, and we took a loss.  In the third sample, the assessment was done for free; however, it landed $32,000 in remediation and $7000/month in recurring managed services work with a three-year contract.  Which would you choose?

2. For smaller assessment opportunities – SMB-level business – it often makes sense to perform the assessment at no fee.  If your opportunity will sell for $2500 or $3500, an experience had by more than half of my audience, I showed that the amount of GP in the deal is not worth the trade-off in control of the process.  While I do make somewhere in the range of $1500 to $2000 in GP (if I really know what I’m doing), the client controls the process simply because they’ve paid for it.  If I do it for free, I can demand time with any asset owner in the organization, both as part of the discovery as well as in the delivery, where I sell the remediation and managed services.  At any point, if management disengages, I can stop the process.  It’s free, so it’s my call.  In this case, the profit does not justify the sales time unless follow-up work is sold.

3. Never give the assessment away – it’s not really free.  This is not to contradict point 2, but to require a trade of services.  In the case of an event, executive attendance justifies a complementary assessment.  There may be other situations that do the same.  But don’t devalue your service by advertising free assessments.  Put a price tag on it and perform it as a gift for those willing to invest the time and energy at the right level.  Discernment is required – but in the end, you’ll create the justification needed.

4. Finally, the deliverable must sell the next step.  This is never a technical paper.  Data supports the case; however, the measurement of risk must be delivered in a compelling business case document.  It’s like going for angel investor money.  You’ll need the support of economic buyers to move forward, so treat this as a marketing process and remember: it is your job to convince management if there’s a serious risk at hand, not IT’s.