Archives For SE training

What does the CIO really need to hear?  I’m sure you’ve thought about this question before. Anyone going in to meet with a CIO or other high-level executive has to ask this question – you only get one shot at establishing this relationship.  This was central to yesterday’s workshop session on selling security and reaching for that “Trusted Adviser” status.

Yesterday’s WSJ article, “CIOs in the Boardroom: Don’t Be a ‘One-Note Piano’” (by George L. Davis, Jr. and Chris Patrick) offers some insight into what these execs need and where you might be able to help.  Authors Davis and Patrick are right on from what I can tell – but CIOs can’t easily pull this off alone.  The article calls for CIOs to step up and be strategic when serving as a board member – but this also goes for meeting with board members.  Some of the key sound bites from this article might be helpful if you can’t access it here.

  • First, the title of the article is explained: “We once heard a board chairman call a CIO serving on his board a ‘one-note piano,’ because the CIO repeated his same theme over and over.”  In other words, the CIO can’t be too focused – but rather must offer a board level of expertise or insight.
  • Some of the key subtitles offer insight into the content: Be a translator – leave the techno-babble behind and give clear concrete information; Be inclusive – meaning you’re not there just to give your opinion, but rather to generate dialogue and gather ideas; Remember your role – a reminder here that the CIO does not sit on the board to make all of the technical decisions; Check your biases at the door – this is clear; Seek Feedback – everyone in that room likely has valuable experience – draw from it.

Yesterday in our class we discussed the idea that CIOs are plentiful out there – and many are looking for more ways to stay relevant to their organization (in an effort to keep their jobs).  As stated in the above article, operationally focused CIOs are no longer in vogue.  Companies need someone who thinks about the business; marketing, selling, customer experience, business valuation, etc.  While the CIO does oversee the operational side of the house – networks, servers, up-time, etc., it’s not enough to stay in that world.  The board meeting is just one example where they are called to break out of the daily fire drills and be strategic.

On all sides they are going to need advisers to stay on top.  So who is going to help them?  Who is going to give them the input they need to sound prepared when it comes time to report on the state of the business and where to head from here?  When questions about applying new technologies like BYOD and cloud come up, how will the CIO answer?  IT is not going to give them this insight.  Even if they could, the prophet is never welcome in his own town – the CIO is not likely to go to IT for this.

So who?  It could be you…if you’re in sales or the consulting side of the business, selling IT solutions of some kind.  This requires more than a willingness.  It requires some study time, reading up on the trends, staying in tune with business, and taking the opportunity to talk with more business people.  If I could encourage you to do one thing today, it would be to prepare to talk to more business leaders, listen to what they are saying, and remember it.  Become the one person who is getting input from all kinds of business leaders – the portal of information and understanding that sits between all of the business leaders you work with.  People often ask me how I stay up on all of the trends, especially security – the answer is simple.  It’s actually easier for me than most because I am talking to sales and consulting professionals every day, and meeting with CIOs and CISOs on a regular basis through the educational events I do – and by getting input from all sides on a daily basis, I learn more than just about anyone.

© 2013, David Stelzl




Our fall schedule is under way – in fact, I kicked off the bow hunting season last night with a successful hunting trip deep in the woods of my back yard!  (Sorry no pictures from last night’s events).  Needless to say, we were up late…but I digress.

The schedule I’m really talking about has to do with events and training programs – so we kicked off day 1 of our September Making Money w/ Security Class – if you’ve never been or have colleagues who would benefit, here’s the next two months’ worth of classes…sign up!

Yesterday I was on the phone working with an attendee from last month’s class – you get a one hour coaching session as part of the class.  We spent some time reviewing key concepts, but from there we dove into his particular territory challenges. New with his current consulting company, breaking into large accounts for the first time, and focusing on security…we looked at his messaging, use of the phone and email, how to maximize his time and hit rate, and who to be talking to about what.  Here’s what he wrote his manager after the call:

“I can’t speak highly enough about the quality of the training and how grateful I am to have been able to partake in it. It’s made a significant difference in my mentality regarding my job and how to go about it. The strategies I’ve learned as part of it I’m using every day and am continuing to put into practice lessons learned during the 3 sessions.

I would advise in the strongest and most staunch terms to continue the sessions for our sales personnel; … we’ll all make more money and have far greater relationships with our clients because of it.”

Thanks for your comments!

Low Hanging Fruit

On day one we always start by setting the stage with an overview of the latest security issues and trends.  Last night I asked attendees to come back with some of the low hanging fruit they see in the accounts they’re calling on.  Here are some of the responses….

  • Lack of incident response planning (CERT)
  • Failures in maintenance/patch/update processes
  • Lack of understanding of risk and impact. (Should be IMPACT & LIKELIHOOD)
  • Email issues – malware, lack of encryption, archival…
  • Backup issues – sensitive data and generally backed up to tape or external hard drive
  • Network connectivity issues -???
  • Server failing and lack of business continuity best practices
  • BYOD – lack of management, access control, etc.
  • Current IT support provided by a single person or a really small IT firm that is based on the break/fix model
  • Businesses do not have disaster recovery options in place or they have not been tested
  • Data leakage

Some good thoughts here – but today we’ll cover predictable messaging and how a value proposition must be delivered in light of current customer needs and perceived needs…an important lesson on marketing and messaging.


Sound Bites

Of course we always cover sound bites on day one – it’s amazing to me how powerful a sound bite can be, yet how much of a setback there is in using a sound bite incorrectly.  I spoke with several people this past week about their resumes as they look for new job opportunities.  Some of the input they’ve received from human resource and recruiter types is just downright wrong with regard to sound bite usage…today we’ll be reviewing some of the sound bites to test them against what the marketing gurus tell us is the right way to think about sound bites.  Some of those submitted last night include:

  • BITE: According to the SANS Mobility/BYOD Security Survey over 61% of companies responding allowed employees to BYOD but less than 50% feel confident in their BYOD policies. – COMMENT: not a bad quote, all encompassing, and from a solid source (SANS).  However, will executives recognize or believe the source?  Probably not…I would not use it.
  • BITE: “About 40% of people are not taking the most basic security procedures, like setting up a screen lock or putting software on the phone that could find the phone if it’s lost or stolen. – Fox News”  COMMENT: This is good if we tie it to business and the BYOD movement…recognizable source, pervasive, and tied to what I would call one of the key initiatives out there for most midsized companies – mobility.
  • BITE: “Companies know they’re not spending anything close to what’s needed to make their networks invulnerable to attack, according to a 2012 study by Bloomberg Government. – Bloomberg” COMMENT: Strong source – and while it’s not that new, it’s new enough to stand up to the passive attitudes we see out there. The trick now is to tie this to some method of securing, or a mindset to be adopted by organizations.  If I can show them where companies are failing, I’ll have a place to take this sales discussion.  We’ll talk more about this in today’s class.

I hope to see you in an upcoming workshop…

© 2013, David Stelzl



747 Frankfurt to Bangalore

I arrived this morning at 2 AM in Bangalore, India – I’ve spent the last 9 hours on the plane to the left, a 747 Lufthansa aircraft (traveling from Frankfurt to Bangalore).  Note, that’s after spending 9 hours traveling on a USAirways Airbus 330, Charlotte to Frankfurt.  Tomorrow I will be working with SEs from Cisco Systems on executive level conversations around information security…everything from global cybersecurity trends, to creating justification, to presentation skills required when engaging executive level audiences.

Two Wall Street Journal articles grabbed my attention while laying over in Frankfurt yesterday.  One on the importance of training your employees, the other on the need for better presentation skills when working with executives on information security issues.

The ROI on Training SEs to Sell

The article on training didn’t concern SEs – however it did say that today’s employees, especially those with more desirable skill-sets, are going to demand further training.  Everyone wants to grow, everyone wants to improve – at least those employees worth keeping.  It’s a sign of poor character to accept the status quo.  The writer went on to say that the promise of training is important when trying to attract the right people to new jobs, and that attrition is significantly reduced when training is regularly offered.  My focus on the SE is just an observation.  It’s been my experience that SEs tend to like sales training.  They get the technology – and of course they want to continue to grow that, but adding the ability to sell to their resume is a big boost to their value. The person who is both tech-savvy and knows how to sell is rare and desirable.

A seat with a view

When I teach sales classes I find that SEs are often more attentive, and more serious about learning the content than any other group of people attending.  I’ve seen some very technical people become superstars overnight simply by learning how the sales process works, and how marketing science is almost exactly the opposite of the way an SE tends to approach a sale.  When a technical person’s eyes are open to the influence they can have, simply by changing a few things about the way they approach sales, a powerful transformation begins to take place.  Both resellers and manufacturers of technology would do well to invest more into their SE’s training programs – specifically on sales and marketing strategies.  In fact, I know of two very successful resellers who have grown significantly, without the addition of more sales people, simply by empowering their SEs through this type of training.

An added benefit is that it helps sales people work more closely with their SE team on the sales process.  When both parties understand where the conversation is going and what it will take to close the sale, they stop stepping on each other’s toes in the sales process.

Board-Level Presentations Have to Change

The article on Board-Level Presentations was specific to information security – the topic we’ll be addressing over the next two days.  Really, this applies to all executive level management.  The bottom line was that executives and board members need to know about security.  However, when IT people, and even CIOs and CISOs approach these discussions, they tend to go into too much detail (according to the article).  I was excited to see that the very graph I use in my book, The House & the Cloud, was described in the article as “What they need to know”.  I’m talking about the “Impact vs. Likelihood” graph. In my Making Money w/ Security workshop, I refer to this graph as “The Most Important Part of The Assessment Deliverable”.  Almost nothing else is needed other than some basic descriptions of what goes on the X and Y Axis of this graph.  If the technical part of the organization (or more importantly – you) could figure out what assets belong on the X-Axis (the high-impact applications), and how high on the Y-Axis to put them (the measure of likelihood – how likely the organization is to experience a breach or loss of data), executives would know what decisions must be made.  Of course they will need to believe your data is correct – but that’s the definition of Trusted Adviser – trustworthy and able to advise – as stated in my more recent book, From Vendor to Adviser.

My seat for 9 hours

On Friday this will be the topic of discussion in our SE workshop.  We’ll learn how to take the raw data and put it into this format – and then, more importantly, how to present it.  This is something every company that specializes in cybersecurity offerings should be doing.

© 2013, David Stelzl