Archives For security assessment


Your Risk Assessment Is The Fastest Way to Drive New Business, But Only if You Follow This Formula…

On one hand, risk assessments are a great way to start an engagement or close a sale. On the other hand, they deliver real value. Should you give all of that value and insight away?

It’s a hard question that demands an answer!

The Point of Assessing Risk Is…

Several weeks ago I wrote an article defining the assessment (if you’ve not read it, I recommend going back to better understand the truth behind assessing risk and growing your business).

The bottom line: assessments are like health checkups. If the patient has URGENT issues yet chooses NOT to take action, the doctor's efforts are wasted. Even more, if most of that doctor's patients never enter treatment (and are dying), he has failed.

(More on the Assessment Sales Process – Pg. 194, The House & The Cloud)

If there are urgent issues, action is required.

And it's your job to sell the customer on taking action – not for the money, but for the livelihood of that customer's business. With remediation in mind, your risk report is a marketing document. Your goal is to sell your customer on doing something!

Amateurs Focus On Front-End Selling

When I hear, "We don't give away the assessment," I think to myself, "amateur thinking." Front-end is a funnelology term: it is the process of capturing a lead and ascending that lead up your value ladder.

The sales process starts with a lead magnet (some freemium offering) to attract qualified prospects (Think: Opt-in). You provide value and your buyer wants more. So they ascend over hurdles of indecision to the point of becoming a buyer.

Some prospects will drop out immediately, grabbing the free stuff and moving on (grab and dash). It’s okay…I’ll explain in a minute. Others will buy your initial offer, or perhaps engage with you in basic managed services (New Customers).

A select few will become hyper-buyers…your best customers. Hyper-buyers buy whatever you recommend because they see your value and trust you to advise them.

The front-end has to be easy (think free, or close to it). You might offer a white paper (which I seriously don't recommend). Better choices include special reports, quizzes, assessments, lunch & learns, etc.

Some front-end options convert quickly. Others, not so much. Signing up for your mailing list or free e-zine doesn’t make much sense these days. No one is choosing to get more spam email.

All great front-ends cost money. The idea is to spend your money with ROI in mind. The company that can spend more upfront (on marketing) and still measure a strong return on the back end wins.

Did you catch that? You're not trying to minimize the front-end cost (or your marketing budget). You're trying to maximize conversion and ascension. If your back end works, you can spend more upfront, beating your competition.

The assessment may be costly, but done right, it can have an extremely high ROI on the backend.

Qualified Prospects Only

Conversion (like getting people to a lunch & learn) is one thing, converting from free to fee is another. You don’t want to invite people for a free iPad…you’ll end up with a bunch of IT folks that want free gadgets (these are not buyers).

If you want qualified prospects, you won’t give your free assessment to just anyone. And that means you won’t advertise it on your webpage. Freemium means high-value and special, and should be guarded.

To qualify, you want to have a freemium offer, like an assessment, and have a clear avatar of your target prospect.

Let's say it's the SMB business owner with 25 to 250 users. Inviting that person to a lunch & learn is a qualifying step that gives you the opportunity to actually meet face to face. It's costly, but if your conversion is high, you won't care.

Then converting them (given the right message in your lunch & learn meeting) is easy. We're converting over 90% right now with a security message designed to instill urgency. It leads to an assessment – we offer this analysis right there in the meeting. But our description is vague, on purpose. You see, we have one more step: a phone call.

On our initial call we have the opportunity to ask them about their business and their role. If they turn out to be someone other than a qualified buyer, we make the assessment a simple over-the-phone questionnaire. If that person is a business owner, in charge of a possible qualified company, we move forward.

Our assessment engagement involves that decision maker all the way through to the deliverable. If our key contact (asset owner, I call them) drops out at any point in time, we stop the process.

Our conversions to business range from 60% to 80%, and our sales cycle averages a couple of weeks to a couple of months (not 6 to 9 months). These contracts range from $1,000 to $5,000/month, with a 5-year expected lifetime value. So how much can I spend on customer acquisition (in this case a lunch & learn and an assessment)? Do the math; it's a big number.

Selling The Free One Isn’t Always Easy

But there's still one more hurdle. Selling free assessments has its challenges. Free sometimes means no value. And getting that initial meeting may also prove to be a challenge.

The 60% to 80% close rate is attractive, so I know I want to sell the risk assessment. I am willing to give it away, because my ascension process works predictably well, and the ROI is there. I can afford it and the return is evident.

However, the assessment can’t be the first step in my sales process (or funnel).

Most of my clients sell assessments by using something upfront to attract clients. eBooks, followed by webinars, with an offer to assess, can work. Live lunch & learns, using a hard copy letter invitation work extremely well. And any excuse to get a meeting (such as referrals, product or quotation requests, etc.) can be turned into an assessment.

In my book, The House & the Cloud, I explain how to transition just about any meeting into an assessment (chapter 13), and then later in the book (Pg. 194 – 200) I explain how to move through the assessment in a way that engages asset owners and leads to a sale.

The most important thing in this whole process is to track your conversion metrics. Make sure you are at least breaking even. Once you break even, start tweaking your funnel to modify and grow your ascension process.

As you perfect your conversion metrics you will be creating a long term, predictable profit machine.

©2017, David Stelzl

Get more insights on this process in my book, The House & The Cloud. Limited time offer: $1.00 / free shipping in the US.

 

NIST Framework: You've Heard It, Lots of People Refer to It, But Do You Know What the NIST Cybersecurity Framework Is…

If forced to… (sales person to client) could you explain what the NIST Security Framework is?

The NIST framework is important to the assessment process because it gives you a recognized reference point from which to assess and describe risk. In a sales situation, the customer (if they have any knowledge at all) should be asking you how you approach assessments.

How will you answer?

If you've read my book, The House & The Cloud, you already know most of the NIST Cybersecurity Framework…

(I wrote version one of The House & The Cloud in 2007, so you know I wasn't just copying NIST – the framework is a 2014 publication – and of course I'm not claiming to be the author of NIST's framework either.)

Either way, it’s important to know NIST if you’re going to talk security.  So here’s the simple “sales person level” overview…

Notice the outline below. There are 5 major components (NIST calls them functions). You'll remember from The House & The Cloud, PDR – Protection, Detection, Response (Chapter 13). NIST simply adds IDENTIFY (on the front end) and RECOVER (on the back end).

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

In my 2007 book (updated in 2015), I develop The IDENTIFY aspect in more detail (just under a different heading – the Three Important Questions You Should Be Asking Asset Owners). – See Chapter 13, The Three Questions.

  • What are you trying to protect?
  • What are your relevant threats?
  • How likely are you to be able to detect and respond before damage is done?

These three questions provide a clear understanding of just how asset owners (and IT) view their data, their threats, and their current approach to security. In most cases they have no idea that certain digital assets even exist, and chances are, IT cannot define their firm’s most pressing threats.

PDR – The Core of NIST, But Selling It Requires Strategy

Understanding PDR.

The House & The Cloud is a sales training book, not an SE's handbook. So use NIST as the foundation for your security approach to provide credibility in the sales process. Your client/prospect won't know my name, but they can Google NIST.

It's not necessary for you (the sales person) to be fluent in security architecture and the various approaches to remediating risk.

But getting buyers to part with money for the framework is a hard hill to climb. Chapter 13 of The House & Cloud provides the science behind the marketing approach. In my presentation (the one outlined in chapter 13) I first must break the preconception that my prospect has security "covered".

The conversion happens when the client sees their investment tied to column ONE – Protection, the NIST Protect function (as explained in The House & Cloud). Protection alone (keeping people out) won't stop hackers, but until the client sees the truth (and admits their mistake) they won't move forward.

If you want to be the Trusted Advisor, you must be TRUSTED and ABLE TO ADVISE, and that means your client must first admit they need advice!

The House & the Cloud solves the problem of how to explain what security should look like, while getting the prospect to admit they have it wrong (Assuming they do).

Finally, Recovery…As in Disaster Recovery

My approach to Respond calls for real-time response. I make the point (in The House & Cloud) that faster response is needed, even real-time response, to stop the threat before harm is done.

In other words, if I could somehow stop the ransomware before my data gets encrypted – I would be a lot better off.

However, stopping disasters is not always possible, and so the Disaster Recovery Plan is essential: developed, documented, and tested regularly. This last component needs work, especially in the small/medium business markets…

Disaster Recovery offers another great opportunity for resellers in the IT Management / MSP business! (And I’m talking about a lot more than just Backup and Recovery Services).

Check out this short NIST video from Rapid 7 for the overview…(Thanks Rapid 7, this clears up a lot of confusion).

© 2017, David Stelzl


Aggregated Data In The Hands of The Hacker

Is Allowing Hackers to Become You…

Yesterday I presented to business leaders at the Santa Clara Marriott Hotel in Santa Clara, California. I was surprised, but not so surprised, at how few of our attendees had recently performed risk assessments. Many of them had never had an actual risk assessment!

In our session we covered a number of evolving trends; one important one is the trend of aggregated data and machine learning. If you remember the recent report from Verne Harnish, the emails used to steal over $400,000 looked like they came right from Verne's desk. How does that happen?

We’re all being watched. Our data is being both monitored and collected. It’s being aggregated and analyzed.  

Our data describes everything about us. Where we go, what we do, what we view online, where we eat and shop, and everything we write. This data is stored, aggregated, sold, and stolen…in the hands of the wrong people, it can be disastrous.

Using machine learning, computers create an amazingly accurate profile, exposing things we would never share openly. For instance, who has posted their salary on Facebook? Probably no one, yet Facebook advertising can easily target an audience in a specific income range. How does it know?

With the right data, just about anyone can become you online.

That means they're sending email, giving directives, and even interfacing with your customers and suppliers. But don't think for a minute that they're helping you out. In Verne's case they were ordering Accounts Payable to wire $400,000. His team had no way of checking the validity of this request other than making a call (and that call, to a number already on file rather than one taken from the email, is exactly the control a wire request needs). But given hundreds of requests just like this, who would question it?
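The post doesn't say how the forged mail was made to look like it came from Verne's desk, but the cheapest ways are a forged display name, a lookalike sending domain, and a Reply-To that quietly diverts the conversation. The following is an added example (my code, not the author's and not from the incident described) of the header and body checks an Accounts Payable mailbox could run before anyone acts on a wire request. The company domain, the executive directory, and both messages are constructed for the example.

```python
"""Header and body checks that catch the cheapest business-email-compromise
tricks: a forged display name, a lookalike sending domain, a Reply-To that
diverts the conversation, and a payment request wrapped in urgency.
Added example, not from the post or the incident it describes; the directory,
domain and messages below are constructed."""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed
EXECUTIVES = {"verne harnish": "verne@example.com"}  # assumed directory

# Substitutions attackers use to mint a domain that reads like the real one.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_PAYMENT = ("wire", "transfer", "payment", "invoice", "bank")
_URGENCY = ("today", "urgent", "asap", "immediately", "confidential")


def skeleton(domain: str) -> str:
    """Normalise confusable characters so 'exarnple.com' and 'examp1e.com'
    both collapse to 'example.com'."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away (exampel.com, example.co) is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    if domain == COMPANY_DOMAIN:
        return False
    return skeleton(domain) == skeleton(COMPANY_DOMAIN) or edit_distance(domain, COMPANY_DOMAIN) <= 1


def _body(msg) -> str:
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode(errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "".join(parts)
    return msg.get_payload()


def analyse(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing tripped."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    key = name.strip().lower()
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append(f"display name '{name}' belongs to <{EXECUTIVES[key]}>, not <{addr}>")
    if is_lookalike(domain):
        findings.append(f"sending domain {domain} is a lookalike of {COMPANY_DOMAIN}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr:
        findings.append(f"Reply-To <{reply}> diverts replies away from <{addr}>")
    text = _body(msg).lower()
    if any(w in text for w in _PAYMENT) and any(w in text for w in _URGENCY):
        findings.append("payment request combined with urgency language")
    return findings


# Constructed samples (not real mail): a forged request and a genuine one.
SPOOF = """\
From: Verne Harnish <verne@exarnple.com>
Reply-To: Verne Harnish <vharnish@mail-relay.net>
To: ap@example.com
Subject: Wire needed today
Content-Type: text/plain

Please wire the attached invoice amount today. Keep this confidential.
"""
LEGIT = """\
From: Verne Harnish <verne@example.com>
To: ap@example.com
Subject: Lunch Thursday
Content-Type: text/plain

Can we move the team lunch to Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, analyse(raw) or ["clean"])
```

None of these checks replaces the callback to a known number; they are there to make sure the request gets one. A message that trips the lookalike or Reply-To check should be held, not merely flagged, because the attacker controls where the reply goes.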

Several attendees came up after the session sharing similar stories in their own businesses.  In the end, our sponsor, Truman Roe, President of  TruTechnical offered each attendee a risk assessment. From my count, every company in attendance took him up on the offer!  This is the best place to start…with a clear measurement of risk, companies can be more confident in how they approach their security strategy.

© 2016, David Stelzl

 

 

Digital Money

July 29, 2016 — Leave a comment


The Book Cover…And More

We're making headway…a few things you'll want to know.

First, the target audience – business leadership. This is not a technical read. Instead, it answers the question, who’s at risk and how much risk do they have.

If you provide security solutions, especially assessments and managed security solutions, you'll want every one of your customers to read this. Without beating around the bush, I clearly tell business leaders they need your help! Not only can they NOT afford to maintain the right level of security staff, they can't afford the ongoing detection technology. Except for very large Fortune 500 accounts, they'll want to outsource to you.

But I also provide insight into the kinds of things service providers must deliver to small and mid-market companies. Study what I say in this book and begin equipping your company to meet the core needs it outlines.

Due out in August!

© 2016, David Stelzl

 

Are Your MSP Clients Staying?

The Average Stay is 5 Years According to Those Deep Into the MSP Offerings

So how do you keep clients longer, or avoid even shorter retention? If you could stop just 5% of your clients from leaving, increasing their lifetime value by one or more years, you would see an immediate uptick in profitability.

Do the math…client retention is perhaps one of the fastest ways to increase your income.

Yesterday, my partners over at Ingram Micro sponsored a live online training where I was to present 4 things you should be doing to increase retention. Unfortunately we had some technical difficulties and will be rescheduling. In the meantime, here are a few things to consider…

Welcoming Your New Clients.  This is perhaps the weak point in any annuity business. You spend months on selling, sign them up, and then set them up. The assumption is, they need your services, and as long as you perform, they’ll stay. That’s not the case. Chances are they signed up because they had pressing issues. 3 or 4 years after fixing those issues, they’ll forget.

Your welcome kit should be special, and it should be lasting. It might include posters, booklets, and more: hard-copy materials they refer to regularly to get the help they need. Consider issues like getting the most out of your technology, maintaining performance on systems, and tips to keep data secure.

Staying In Touch.  Do you send them a newsletter? If you don’t, you should.  But don’t write about Microsoft and Dell.  They don’t care. Give them information they can use. I posted on this topic a few days ago – it might be worth going back to review.

Start with an Assessment. You might think this lengthens the sales process. It doesn’t. Not only does it speed up approval, it increases retention. Show them they have major holes, and keep them up to date on who’s attacking what. Suddenly they need you long term.

Provide vCISO/CIO services. Today's CIO is responsible for helping their company stay on track with technology. As the Digitalization Megatrend takes shape, every company needs this function; however, small businesses cannot afford to hire qualified CIOs. On the security side, the same is true.

© 2016, David Stelzl

 

Shadow IT – It's Everywhere

CIOs see Shadow IT as another aggravation in the way of doing their job.

Shadow IT is much more serious than a job aggravation. Like spam (something end users see as a time waste), it's more of a threat than an inconvenience.

Where there’s a threat, there’s an opportunity…an urgency to fix the emerging security holes.

What Is Shadow IT?

It's Hillary running her email on a private server. It's IT using back doors to manage their systems from home. It's end users downloading unauthorized apps to get their jobs done faster. It's the giant DEC VAX implementation I discovered at a large pharmaceutical manufacturer (one you would surely recognize if I were to name it) during an assessment years ago. No kidding, the IT department swore the entire company was IBM; little did they know, R&D had installed a global VAX network behind the scenes, and no one knew about it!

Here’s The Problem – And It’s Big

Sound bites: according to a study published by Cisco Systems this year…

  • 38% of business and 32% of IT workers use non-approved apps because IT approval processes are too slow.
  • 24% of those surveyed use non-approved SaaS apps because they are better than the approved alternative.
  • 18% of business and 14% of IT workers use these apps because the approved tools don’t perform needed functions.

In another study, published by Second Watch, 93 percent of enterprise business units are using the cloud, while a substantial 61 percent of them are bypassing their IT departments and doing it themselves.

The two big issues named in both studies are cost and security. The cost represents about 20% of the IT budget, which is a big number. But security is the bigger issue. At least 30% of the study respondents were concerned about what this does to security. But think about it: who's securing these applications if IT isn't?

This is the perfect lead-in to an assessment. First, to discover where a company's data is – many larger companies have no idea. Unstructured data is out of control as soon as Shadow IT enters the picture (reference Hillary's email issues). Second, endpoint security is now more important than ever. You can be sure much of this computing is being done on personal devices, so how secure are they?
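"Discover where a company's data is" starts with the outbound proxy or DNS logs, which already record every SaaS destination each user reaches. The following is an added example (my code, not the author's and not from either study cited above) that reads such a log and reports each unsanctioned destination with the number of distinct users and the volume uploaded to it, which is what tells an asset owner how much of their data has left. The log format, the sanctioned list, and the log lines are constructed for the example.

```python
"""Shadow-IT discovery from outbound proxy logs: which unsanctioned SaaS
destinations are in use, by how many people, and how much data is being
uploaded to them. Added example, not from the post or either study it cites;
the log format, the sanctioned list and the log lines are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed: what IT has approved, by registrable domain.
SANCTIONED = {"office365.com", "salesforce.com", "example.com"}

# Assumed proxy log format, one request per line:
# <timestamp> <user> <method> <url> <status> <bytes sent by the client>
LOG = """\
2016-05-02T09:01:12Z alice GET https://outlook.office365.com/mail 200 512
2016-05-02T09:03:40Z alice POST https://www.dropbox.com/upload 200 48211000
2016-05-02T09:04:02Z bob POST https://api.trello.com/1/cards 200 1200
2016-05-02T09:10:55Z carol POST https://www.dropbox.com/upload 200 9811000
2016-05-02T09:12:03Z dave GET https://na1.salesforce.com/home 200 300
2016-05-02T09:15:44Z bob PUT https://transfer.wetransfer.com/files 201 305000000
2016-05-02T09:20:10Z erin POST https://api.trello.com/1/cards 200 2200
"""

UPLOAD_METHODS = {"POST", "PUT"}


def registrable(host: str) -> str:
    """Collapse a hostname to its last two labels. Good enough for .com-style
    names; a production tool would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def parse(line: str):
    """Split one log line into (user, registrable domain, method, bytes sent)."""
    _ts, user, method, url, _status, sent = line.split()
    return user, registrable(urlsplit(url).hostname), method, int(sent)


def shadow_it(log: str) -> list:
    """Return (domain, distinct users, bytes uploaded) for every unsanctioned
    destination, largest upload volume first."""
    users = defaultdict(set)
    uploaded = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        user, domain, method, sent = parse(line)
        if domain in SANCTIONED:
            continue
        users[domain].add(user)
        if method in UPLOAD_METHODS:
            uploaded[domain] += sent
    report = [(d, len(users[d]), uploaded[d]) for d in users]
    return sorted(report, key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    for domain, n, b in shadow_it(LOG):
        print(f"{domain:<20} {n:>3} users  {b / 1e6:>8.1f} MB uploaded")
```

Sorting by bytes uploaded rather than by hit count is deliberate: a file-transfer site used once by one person can move more data than a task tracker used daily by a whole department, and it is the upload volume that tells the asset owner what has left their control.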

Please comment – where are you seeing new opportunities with Shadow IT, and how are your IT and CIO contacts reacting to this expanding problem?

© 2016, David Stelzl

 

Why Urgent Issues On Your Security Assessment Report Don't Sell The Next Step

Have you ever wondered why the client doesn’t jump on the chance to implement your recommendations when you complete an assessment?

One of the most frustrating things in the security business happens when you complete an assessment. At least 90% of the assessments I've been involved in, or read the reports from, list several urgent issues. Gartner and I have both stated that 80% of the security budget is spent on keeping people out, while in my book, The House & the Cloud, I make it clear that detection and response is the only strategy that works. Yet clients rarely implement the recommendations that come from these reports. They pay to have them done, listen to your findings, and then move on to other things. Why?

What’s Really Urgent? Hint: It’s Not Old Equipment or Missing Patches

I was meeting with the President of a technology reseller two weeks ago in a 6-Hats Strategy session, going over the assessment process. This fall he's signed up to do at least 15 assessments before year-end, but if they don't convert to managed services contracts, he won't be happy. History shows us that only about 15% will convert to more business unless he changes something.

As we went through the 6 Thinking Hats brainstorming session, his list included things like missing patches, open ports, and free or non-existent anti-virus software. These all sound urgent, but they're not! Not unless you can tie these issues to something more concrete. For instance, if your assessment comes up with no anti-virus software (of course most companies today would have something for AV) but there's no sign of malware, you're going to have a hard time convincing the CFO or frugal business owner to spend more money. Same thing with outdated software or hardware. If there's no sign of danger, they probably won't move to remediate.

Assessment Sales Depend On Impact and Likelihood

If you want to sell the next step, you have to take the next step in the assessment process. This is spelled out on pages 194 – 199 of The House & The Cloud, 2nd Edition. The next step is looking for the issues that should exist when a company fails to do the right thing. Symptoms are enough to get a response. You don't need a deep-dive technical analysis of what a particular bot is doing. If they have one, it's bad, even if a marketing company put it there. If a marketing company can install bots on a network, the bad guys can too. Don't worry about what the bot is; just find it.

If the systems are missing security patches, look for evidence of tampering, foul play, or unauthorized activity. Keep asking yourself, "So what?" for each issue you find, and tie it to a business problem. Find evidence of that problem and you'll have justification. Don't just say, "Your port is open." No one cares.

© 2015, David Stelzl

P.S. If you want to sell larger security deals, click the ad above and see if you qualify for a free seat through one of the many hardware vendors who sponsor this training!