Archives For risk management

Security can transform your MSP – grow MRR – and open new doors…all you need is an assessment that converts, and a message that compels your prospect to act…


What Question is Most Often Asked of the CISO, By The Board Of Directors?

And What Questions Should They Be Asking?

The big question being asked, according to Kim Nash, columnist for the WSJ, is: “Whether their company is vulnerable to breaches similar to those at Target Corp., Anthem Inc. and the U.S. Office of Personnel Management (OPM)?” There are two things to consider here – First, who can answer this question? Second, is it the right question?

According to Kim, it’s not the right question – but let’s go to my first concern which is, “Who can answer this question?”

Will We Be Hit Like Target, Home Depot, or OPM?

Most executives can’t answer this question honestly. And their security team doesn’t really have a clue either. If they did, we wouldn’t be reading these stories every day. And, if you look at the stories being published, it’s the big guys – yet we know statistically, 60% of the breaches are hitting the SMB market. Most of these breaches never make the news. So the board can ask, but they’re not likely to get the real answer.

If you didn’t see my comments on OPM, you might want to take a look (Read about Donna Seymour and OPM’s failure to protect our nation’s critical personnel data.) The board is missing the mark here because they misunderstand risk. In my book, The House & The Cloud (2nd Edition), I’ve given a lot more attention to the impact vs. likelihood graph than I did in the 2007 version – it’s a model I use to communicate risk to business leaders.

If you know security, the concept is pretty simple. The missing link in most assessments is a measure of likelihood. And that’s what the board is really asking – although they are asking it incorrectly. What they really need to know is: where’s our data, and what are the top 3 to 5 threats we are facing right now? Given these threats, what are the odds we’ll be hit over the next 12 months? (More detail on how to figure this out, starting on page 194 in The House & The Cloud.) As I said in my latest speaker promo video, risk needs to be presented in simple business language – in terms everyone who uses and depends on data can understand.

One thing everyone must come to grips with is that every company is vulnerable just like Target, JP Morgan, Home Depot, and most recently Ashley Madison.

The question isn’t “Can they get in like they did at Target?” Rather, they should be asking, “Can we detect a breach in time to stop the damage?” Remember, like a physical robbery of a house or a bank, hacking does take some time, and it does make noise – but you won’t hear it with your ears. You’ll need detection technology in place and the people with the skills and understanding to turn that data into intelligence.

So what’s the right question? Can we detect and respond before it’s too late?

Are You Getting To The Board?

Have you ever been invited to meet with or present to a board of directors? It’s a powerful moment in the sales cycle if you have something meaningful to say.  Yesterday I was working with a rep on some strategy, as part of the SVLC Security Mastery Sales Program. We were discussing strategies to get a CEO or Board level meeting.

Most are still working at the IT Director Level. Remember, the IT Director is low on the liability list for security. They might lose their job – but getting a new one, if they know security, won’t be hard. In fact, they may take a pay raise.  On the other hand, people like Donna Seymour of OPM are in trouble. (Again, read my post and consider Donna’s situation – is it her fault, or is there something bigger going on here?)

Now is the time to move up – company leaders need more security insight right now and the WSJ is backing you on this. The CISO cannot possibly figure all of this out in a vacuum. And aside from some of the largest accounts out there, their people won’t have the experience to do it either. Managed services (with a security focus), backed by skilled security experts, are needed to collect and analyze the data, repackaging it into something business leaders can use – intelligence.

What About SMB Companies?

Don’t let the Board of Directors thing keep you from your SMB accounts. The SMB is under fire right now – and the owner of that business is similar to the Board. They need to know the same things, they just have fewer resources to figure it out.

© David Stelzl, 2015

Today we finished Day 3 of the online Making Money with Security workshop – using an actual assessment sent to me by one of the attendees, we were able to walk through the process companies should go through to create the perfect assessment document and deliverable/presentation, one that will lead to more business.

By observing the information and writing style of the assessment, we were able to ascertain how the assessment might have been conducted, who would have been involved in the assessment process, and how the findings were put together to create justification to move forward.  Here is what we found:

1. Fees – given the size and detail of the assessment, the seller probably could have sold it for more. However, most assessments are sold to IT people who have no liability. Creating justification for more expensive assessments requires asset owner involvement, and a belief that things might not be as secure as originally thought. On the other hand, there are ways to conduct complimentary assessments that can result in even greater long-term gross profit.

2. Interviews – the discovery process was probably limited to more technical people, and did not involve business people, top performers who use mission critical data, or executives who ultimately carry liability for both the systems and data their companies depend on.

3. Executive Summary – Like most executive summaries I read, this one did not speak to executives. Instead, it was a summary targeting a technical audience. It was called an executive summary simply because it was a summary…it’s unlikely an executive will read it.

4. Recommendations – most of the findings were written in a passive format, stating that certain Trojans or other common attack vectors could gain access to data. This rarely moves a buyer. It’s like saying that eating fatty foods might contribute to heart disease. No one will act unless the doctor says, “You’re on the verge of a heart attack!” Every company has urgent issues, but rarely are they called out with passion and urgency.

5. The seller’s involvement – It appears that this document was put together without the involvement of the rep.  As a result, it will be difficult for the rep to own the information and lead the charge for remediation.  Great sales people are trained and skilled in selling – how can the remediation phase be sold without the rep leading the way?

By going through this process, we were able to redefine the roles of the seller and consulting team, reformat the assessment document, and talk through the proper delivery process to move forward with both remediation and managed services contracts.  The next step – each attendee will have a one hour private coaching session allowing us to make specific applications to their business using the tools and strategies learned over the past week.  Stay tuned for our next online class, and join the success.

© 2011, David Stelzl