Archives For Risk

plug and playSelling Security is Not The Same As Selling Insurance

You can spin security a million ways to make it sound like there’s a return on investment, but you’re only kidding yourself.

So how exactly do you sell something that many people think they don’t need more of, and that really has no ROI?

I just wrapped up two training days with Brian NeSmith, President and CEO, and his team at Arctic Wolf, a security operation center that targets small and medium businesses.  As always I’m sure I learn more than anyone at these meetings.  And I have to say, I’m impressed with the technology and the team.

Arctic Wolf is exactly what small and medium businesses need as they move toward more IoT, mobility, and BYOD.  This morning as I’m wrapping things up and getting ready to head home for the weekend, a few key principles are on my mind…these are foundational mindsets every sales person must have if they want to sell security or managed services.

  • Security is not a product. Even if you are selling a product, don’t present it that way.
  • Every small and medium business needs more security. Specifically, they need the intelligence and insight into what’s going on in their network as they create and use data.  According to Gartner, 80% of these companies are working without any realtime detection element. Even if they have the UTM firewall, they probably don’t watch it. And if they did, they wouldn’t understand it. That means every one of these companies is a qualified prospect.
  • If budget comes up, something is wrong. Security is sold based on high impact of a likely event. Most decision makers won’t understand their risk, so start there. That means you’ll need to gain access to those decision makers early in the sales process – but not to show them your corporate presentation. Instead, talk to them about technology trends like IoT that will be used to grow their business.  That’s what they want to hear…then transition to the security risks that come with new technology.
  • The sale requires justification. Justification comes with getting them to see they have urgent issues – risk. Most assessments, like 90%, show urgent findings.  That’s justification. If you still can’t close, you are either talking to the wrong people, or hiding the urgency in the language you use. Be bold and upfront – be clear. People from China are potentially in your data!
  • Whatever you do, don’t get bogged down in the technology and how it works. This discussion can come later with the IT people – but the sale is made at the business level, and should be conceptually made before diving into the weeds.

For more on how to effectively sell security, check out The House & The Cloud…you can get it here for a limited time for $1.00 – free shipping, and no strings attached.

$1 HC Book Ad



August is almost here, and I want to thank Cisco for sponsoring me to speak to a select group of their partners…Seating is limited, but if you sell Cisco and plan to attend either the BlackHat or Defcon conferences this year, you can register here to attend this special session on selling security solutions.

We are meeting at the Rio on August 4th – in the evening; the location of this years BlackHat conference.  I’ll be covering some of the strategies and materials I personally use as I meet with executives all over the US, showing them why companies, no matter how much they spend on security, continue to be victimized by hackers.  I will also show you how my clients are leveraging this material to gain access to decision makers, and how justification is created to move forward.  Please plan to join me – I look forward to seeing you there!

Sign up Here (Click) while there are still seats available.

© 2011, David Stelzl

As a follow up to the RSA partner presentation  I did with Cisco last month, today I presented the first of 4 webex programs on building your business using security assessments.  You’ll be asked to enter you contact information to view this from the Cisco Webex server, here is the link:

© 2011, David Stelzl



The fastest way to inculcate the concepts from our Making Money with Security Class is to try it.  Last week I had opportunity to interact with one person attending the 3-day virtual class currently in process…

He writes, “I thought I would try to apply some of the nuggets I have learned this week, in a meeting I had earlier this morning.  It went really well!  I met with a CISO and we discussed assets and started applying the likelihood vs. impact philosophy.  As I was doing this, my customer said the biggest problem he has is understanding likelihood.”

…This is predictable.  As I stated in last Thursday’s session, everyone seems to focus on the impact side of the security equation, but CISO’s and asset owners are already well aware of this, and continue to hear the same ROI and Insurance sales pitches almost daily from your competition.  By taking the “Likelihood” approach, a new discussion evolves.

He continues with a great question, “Based on this approach, is determining likelihood done through risk assessment or are there more dimensions to consider?”

If you’re in the class, you know we have one more session to cover, and this is where we will address this in detail, …but, this is the right question to be asking…how do we move this conversation forward to create business?  Here is a portion of my reply:

“…it means starting with executives rather than IT, and interviewing them to understand the assets; how they’re used, who uses them, who can’t use them…etc.  Then, armed with a complete understanding of the data (the assets), the technical side of the assessment should be used to discover how the necessary security is being achieved, or how to reduce the likelihood to an acceptable level of risk.  The ‘’Impact vs. likelihood” graph from by book, The House & the Cloud becomes our primary deliverable, backed by data from the assessment.

His final comment: “Application to real world is the best way to learn… I personally missed focusing on the asset and pitched it more towards the vulnerability discovery.  The asset that has the vulnerability determines the impact and the level of the vulnerability determines the likelihood.  Starting to add up.’’

This is exactly right and leads to the justification this sales person needs to create new business.

© 2011, David Stelzl

It’s that time of year – time to rob our bee hives!  If you’ve seen me speak you know I am in the process of raising entrepreneurs.  Avoiding traditional learning programs that tend to produce “worker bees”, while searching out ways to develop my children’s creativity and business acumen.  Seth Godin writes about this in his latest book, “Linchpin” – urging us to move beyond the #2 pencil, to develop our problem solving skills and creative abilities.

Yesterday we suited up in our “almost” bee proof uniforms, and headed out to the bee hives.  They’ve been working all summer to make enough honey to survive the winter, and hopefully enough to support my apiculture team through the winter as they sell their honey.  But, like all business ventures, there are no guarantees.

The bees do most of the work.  They begin by building up the hive in the early spring.  We start to really see some activity in March as the queen is mating and recreating to build up her team.  As the first flowers appear, nectar flows and the bees collect pollen.  Comb is then built on frames, first in the lower brood boxes, then in “supers” which are added as the brood chambers are filled with both brood and honey.

But there’s a risk.  As the hive builds, the bees know its time to multiply.  They’ve been created with an instinct to raise up a new queen, and so some of the brood are targeted for this new role in the hive.  Royal jelly is applied to several eggs to raise up this new queen.  A queen cell develops from this application, and two-thirds of the hive members prepare to leave with the old queen!  That’s right, most of our hive will try to flee the hive, hunting for a new home somewhere out of our reach.  If we don’t find a way to stop them, they’re gone.  The new queen will then emerge and begin repopulating the hive.  All of this is natural, however it completely disrupts the honey production, leaving the bee farmers with only a small amount of honey at the end of the season.

There are other problems as well. Mites may infect the hive, killing it off.  There are other pests that may disrupt the hive, weather conditions such as drought or a freeze may disrupt the nectar flow leaving us empty. Or perhaps an animal will get into the hive and completely destroy it as they help themselves to the honey.

It turns out that this was one of those years.  After faithfully caring for the hives through the summer, we incurred a few swarms (this is how the bees take off with the new queen), one of our hives died last winter, and for some reason the hives just didn’t produce.  In fact, only one hive had enough honey to actually harvest.  The rest only made enough for next winter.

Of course the kids were disappointed!  But let’s not miss the important lesson here.  For the Stelzl family, keeping bees is less about profit and more about learning (at least that’s how I see it).  I don’t expect any of my kids to actually support their future families on bee farming, however I do want them to learn about investments, overhead, gross profit, marketing and selling, and the work required to produce their product.  This year we’ve learned a lesson on risk – there is no guarantee.  They’ve put in a great effort, however the pay plan is pure commission.  In fact, they’ve even spent their own money buying bees to replace past failures, purchasing equipment and hive repairs, and purchasing jars to sell the honey in.  Who will make up for their loss?  No one.  There are no bail-outs for this type of failure.  Instead they will have to rely on their other business ventures to support their coming year’s expenses.  And of course, there’s always next year’s honey if all goes well.  But there are no guarantees.

They all say they’ve got it covered…no one does!  Here is a summary article from one of my contacts at DiData…great info, thanks Matt.


  • “Our systems are probed thousands of times a day and scanned millions of times a day,” – speaking of government defense systems…
  • “We are experiencing damaging penetrations — damaging in the sense of loss of information. And we don’t fully understand our vulnerabilities,” – Now I feel safe!
  • Hackers have already penetrated the U.S. electrical grid and have stolen intellectual property, corporate secrets and money, according to the FBI’s cybercrime unit. In one incident, a bank lost $10 million in cash in a day. (Yet your clients all have it covered!)
  • “We’re talking about terabytes of data, equivalent to multiple libraries of Congress.” – (But those in the SMB don’t need to worry – right!)
  • United States military would need to prepare for fallout from a cyber attack, which could leave cities in the dark or disrupt communications. – (If you don’t offer DR planning, you might reconsider)

When your clients say, “We’ve got it covered”, remember, most are just ignorant, some are lying.  Don’t take no for an answer – instead educate them on what is really going on, and drive forward with the sale.  Take advantage of my latest ebook on selling through assessments… it’s free!

© David Stelzl, 2010


Listen in as Randy Sklar, president of Sklar Technology Partners and recent present of his regional VTN chapter interviews me – this clip was made specifically as a follow up to a very successful, decision maker level, educational seminar.  The event received strong sponsorship from companies such as Zenith Infotech – one of the only managed services companies I know of that financially supports this type of event.

© David Stelzl, 2010