Archives For security assessment

This is the Time to Schedule The Heartbleed Briefings…

Heartbleed is big news. For a week straight, The Wall Street Journal has been writing about it.  Are you leveraging this news – taking full advantage of the opportunity to help your clients and visit with prospects?

In my Making Money w/ Security Training Program I explain how to go about leveraging “The Briefing”. This is a powerful way to get into new accounts and move up in existing accounts with news and a clear, concise explanation of exactly what this is, as well as how companies should be responding to their clients.

Here are some ideas on how to do it.

Create the Executive Level Explanation – The Analogy

Last week, I happened to have scheduled a Lunch & Learn just a few days after Heartbleed was announced. It was the perfect time to be meeting. In fact, several more people signed up to attend this meeting, probably thinking they would get some more insight on what this is all about.

How many executives really understand what OpenSSL and TLS are all about? Probably not many. Imagine being a C-Level leader in a business that uses the web extensively to interface with customers. It might be a lending organization, investments, or retail. Whatever it is, if your servers had the problem, you owe your customers an explanation.

Last week, 100% of the executives attending our lunch & learn signed up for an assessment. I wonder if Heartbleed had something to do with it. In my talk I went through the House & Cloud analogy from my books, Data@Risk and The House & the Cloud (which I am feverishly working to update this month!). This type of explanation works because it brings life and concrete understanding to a very complex subject of protocols that, otherwise, is just too hard to comprehend without going back to college for a computer science degree.

The person who can take the details of protocol handshakes and encryption, and turn it into simple, visual analogies is worth a lot of money.

What about Executives that Refuse to Take Your Calls?

We all have a list of executives we would like to get in front of, but who have not made themselves available. This is the perfect time to get their attention. What do you think a CIO would do if they received a FedEx package with a DVD titled, “The Executives Guide to Heartbleed?” Would they hand it to their IT department?

I’m thinking they would watch it!

What if it also demonstrated your unique value and had some stories and examples along with some practical steps executives should be taking to keep their online customers happy? This might be just the thing to help create a relationship at the adviser level.

Something Better than Another “Company Overview” Session.

If you’ve already tried getting face-to-face meetings, or perhaps are afraid to call into the executive offices because you have nothing interesting to say, this could be the ticket. This is interesting. If it’s not, it’s simply because you don’t understand it. This is the kind of thing that deserves working overtime to create books, DVDs, briefings, and any media that can make its way into the executive offices. Don’t let this moment slip away.

© 2014, David Stelzl

P.S. Attend my upcoming briefing on how to leverage this!  We will be covering this in more detail, with assessment ideas and more, Thursday this week at 4 PM ET in a Webinar. Anyone registered with the SVLC Insider’s Circle will be receiving Login Details.  Join us by signing up for a FREE trial membership – CLICK TO GET A FREE TRIAL MEMBERSHIP TO THE SVLC INSIDER’S CIRCLE – AND ATTEND MY BRIEFING ON HOW TO LEVERAGE HEARTBLEED and MORE…

Imminent Danger, Not Compliance Requirements, Will Move CISOs

Undeniable justification is built when the client sees imminent danger.

The security sale is powerful simply because every company you deal with has inadequate security protection. And they always will because the hackers are always one step ahead of the rest of us. As technologies continue to evolve, you should be providing more DETECTION type controls, and upgrading your client to more sophisticated, and perhaps remotely managed security systems. Compliance concerns will not drive this initiative – but danger will.

Squashing the Typical IT Response

I’ll never forget a sales call I had with an electronics manufacturer in the southeast years ago. After weeks of trying to get a meeting, we finally made our way in to see the CIO and several members of the IT support staff. It seemed like every question we came up with, and every issue we referenced, they “had it covered.”

That seems to be the common theme with IT people – they always have it covered.

After about 45 minutes of this back-and-forth conversation, we were clearly headed nowhere. This meeting was a waste of time. Gathering our documents, I made one last-ditch effort. Looking at the CISO I simply said, “It sounds like your team has it covered. It’s amazing to me when a small company like yours has such a sophisticated security strategy. Over the past year NASA, the Pentagon, the FBI, and the CIA have all been compromised. I don’t think I’ve even been inside a company that had better security than these organizations. How do you do it?”

On my way out the CISO stopped me. “We need to talk,” he said. Apparently his team thought they had it covered, but he wasn’t so sure. Finally we were ready to engage in some honest discussion.

Compliance and Cyber Crime Threats Don’t Work – So What Does?

IT people, according to recent reports from The Wall Street Journal, are afraid to admit they have security problems. So, where do you take these meetings? If compliance and cyber-crime are not sufficient motivators, what will create the justification needed for the security sale?

Two Powerful Pathways to New Opportunities:

  1. Demand Generation Events: In my Event Marketing Success Kit, I lay out a complete strategy for inviting key decision makers to an educational event, with a well-planned program that will convert them to clients using risk assessments. On average we see conversion rates of 75% or more from attending to participating in the assessment process. Why? Because the need is real – but it requires some honest discussion at the asset owner level.
  2. Client Business Initiatives: Companies all around us are in the process of migrating to new, disruptive technology applications. We see a tremendous migration to cloud, BYOD (Bring Your Own Device), big data, and collaborative technologies. Each of these represents a major change in the computing architecture, requiring a new look at security. This is the perfect time to raise the security issues.

In either case, asset risk levels are affected, and there’s an opportunity to review security with your clients. Notice that we’re not waiting for them to initiate the requisition of security product. That’s the third way to sell, but not a good one. Product proposals without proper justification only lead to price wars.

© 2014, David Stelzl

First, be sure to check out the rest of the fall 2013 training schedule right here. I have just two more Making Money w/ Security Classes before year end – and the sooner you attend, the sooner you can start applying these principles to growing your business.

This past week I was reviewing port scan results with a group of security experts and a sales team. They had just completed a vulnerability scan ordered by one of the customers. This is a common request – “Scan this set of addresses and let us know if you find anything.” The problem is, port scanning is a commodity offering, and without some sales strategy you might find yourself fulfilling these requests, taking several hundred, or perhaps a few thousand, dollars in gross profit, but with little long-term work or follow-up remediation work. How should you handle this?

1. Up-sell: The first step is to try and up-sell this client on the need to do more than scan some ports. When a request comes in like this, it may be hard to turn down a simple contract that is sure to result in a few dollars of profit, but the truth is, a simple scan just isn’t worth that much. Find out why the client wants this testing done and what they need to get out of it. If it’s a check mark for someone upstairs, perhaps there’s an opportunity to have a higher-level conversation about what would be more beneficial, or at least to find out what applications are being looked at within this IP range. In our case the client was a lending company – the addresses given to us were tied to web servers used to interface with customers. That means account information, loan information, and of course, sensitive information.

2. In our case the sales team was not able to up-sell, so they were stuck with the simple scan project. After agreeing on price, they did their scan and compiled the results. It was at this point that I got involved in the deal – my first questions centered around the kinds of applications we were dealing with. It’s tempting to go right to the ports that are open, software versions that are out of date, and other anomalies that show up in a scan. But without identifying the kinds of applications and the level of sensitivity of the data behind these IP addresses, it’s hard to put anything down in a report that speaks to people higher in the organization or on the business side.

3. After reviewing the results it was apparent that this company had some major holes in their armor. Does that mean there is an emergency? Not really. Every company has this – but by looking at how these servers are being used, where the web apps sit, and what kinds of data are created, transmitted, stored, etc., we were able to put together some questions for the client to get them thinking about possible risk and exposure. It is true that things need to be tightened up based on the results of the scans, but how does the client know they have not already been compromised? They don’t. When there are big holes, there is justification for going further.

4. So the final step is to use these results to build a case for going further – to get the client to see that it’s now necessary to check for back-doors, root kits, and evidence of foul play in their organization. Being a financial institution, it is reasonable to think someone has already taken advantage of these weaknesses in their security architecture.

Security should be a door opener. No matter how small the deal is, consider it an opening and do whatever you can to leverage the small opportunities to find evidence of larger issues. Most of the companies you call on have major holes, but getting them to let you in to look is not always easy. Most are assuming everything is okay – and without finding something that would lead them to think otherwise, chances are they will continue to do the minimum in order to pass the audits. Then, one day down the road, they’ll discover some major loss – and it will be too late.

In our upcoming Making Money w/ Security workshops I cover several strategies for getting in deeper, accessing higher level people, and gaining access to build the justification you need to do the right thing for your clients.

© 2013, David Stelzl

We are just a week away from the first 2013 Making Money w/ Security (Virtual) Workshop! And as I travel through the Midwest this week, I am gathering updated sound bites and trends for our workshop. Looking forward to 2013, I expect to see continued growth in this market (providing security services and managed services). In fact, on Jan 2, 2013, The Wall Street Journal posted an article on the daily attacks occurring on energy companies – this can’t be good!

“Malware is going undetected for weeks or months” – they stated, but in fact, it is often not detected for over a year according to FBI statistics (15 months as cited below). Here are some important points from the article, entitled Cyber Threats to Energy Sector Happening at ‘Alarming Rate’ (posted on Jan 2, 2013 in The Wall Street Journal).

Here’s my favorite quote: “Executives are told the networks aren’t connected,…it’s not entirely true”  Isn’t that so often the case – senior management thinks everything is covered!  It’s not…

  • “Internet-based attacks on critical U.S. energy infrastructure are occurring at a greater rate than previously understood, according to a new government report.”
  • “the Department of Homeland Security, found that thousands of control systems used in critical infrastructure are linked directly to the Internet and are vulnerable to attack”
  • “The team ‘has been tracking threats and responding to intrusions into infrastructure such as oil and natural gas pipelines and electric power organizations at an alarming rate’”
  • “On average, malicious software infections are not discovered for 15 months, according to ICS-CERT. That leaves hackers plenty of time to do damage.”

The purpose of next week’s class is to better understand how to get this kind of messaging into executive-ready format, and how to reach those higher-up people who need to know.  From there we talk about gaining approval to build the justification needed to sell larger security projects, and finally, how to present that justification in a way that leads to immediate business.  If you have not been through one of these workshops, you can start by learning more with my book, The House & the Cloud.  Get a free PDF version right here:

© 2013, David Stelzl

This week I am working hard on several items for next week – the Ingram Micro Webinar, Undeniable Justification Using Security Assessments, and another Pre-Event Webinar introducing my new ebook and workshop, 7 Secrets to Profitability Using Lunch & Learns and Sales Events (now sold out – but get on the waiting list!). It’s a busy week – both are coming along nicely and I am looking forward to meeting with you next week to air this important educational material. While preparing and working with the folks at Ingram to get our program organized, I’ve had numerous conversations with clients who use assessments in their sales process. Some are paid for, and some are complimentary. Here’s a tip I think a lot of people are missing on fee-based assessments, and as a result, are leaving money on the table – The Security Assessment Subscription. This is something I started doing years ago while selling assessments, and it made a huge difference in both the gross profit I realized and the follow-on project work.

Security Assessment Subscriptions

An assessment measures risk – it’s a measure of impact vs. likelihood. The problem is, it’s a point-in-time measurement, so once it’s over, the risk levels will change over time, and by the time the client decides to do it again, gets it approved, and signs a contract, a year will have gone by. On top of this, many of the remediation recommendations you made will be forgotten long before they make their way through the approval process. You’ll be lucky if they take one or two of your recommendations and actually carry them out. What about the other 4 or 5 critical issues? And then there’s the long list of things that should take place that just never will.

When I started selling assessments, I did something I’ve not seen done by other sales reps. I turned each assessment opportunity into a subscription offer. When an assessment opportunity came up, I worked through the sales process as usual, but then on my proposal, I made it an option to do it as a subscription. I would charge a flat fee for the assessment, let’s say 30K. Then I would tack on a subscription fee of 5K to update it over the next three quarters. Since the document already exists from the 30K project, there is no need to rewrite it. The scope is fixed based on the original project. So all we had to do was go in and revisit the original scope – updating new issues, noting remediation recommendations that were never followed, and adjusting the areas they did remediate. The 5K may not represent a great deal of added GP…in fact, it’s kind of a break-even deal…but…

  • It kept me in front of the decision makers for a year.
  • Gave me a chance to remind them to follow through with the recommendations.
  • Allowed me to uncover new problems requiring attention.
  • Made me first in line when an issue did arise.
  • And allowed me to stay on top of any new opportunity that might affect the state of security.  (Meaning all new internal projects).
  • It also allowed me to possibly expand the scope, resulting in a fee increase.

The 5K was large enough to cover my cost, keeping me in there over the year.  It was also small enough to create a competitive edge when others proposed their assessments against mine.  I was the only one thinking about the year – ongoing security.  I proposed it as the default offering, meaning the client had to check a box to not include it, rather than having to add it. That may sound like a manipulation tactic, but the truth is, the company should do it by subscription.  Security assessments should be done quarterly.  I learned this from the pest control people.  Try hiring the termite guy to come out for one visit.  He won’t do it.  They sell their program by the year, not the visit.  The reason is, one treatment isn’t enough…the same is true of the security assessment.

Don’t miss this webinar next Wednesday…I’ll be giving a number of insightful tips like this one to help you grow your business.

© 2012, David Stelzl

We are just a little over a week away from my webinar with Ingram Micro on providing Undeniable Justification through the Security Assessment Process – a shortened version of my House & the Cloud sales process.  The more I work with companies on their proposals and assessment deliverables, the more I see the need to overhaul the process.  I was working with several people last week during individual sales coaching meetings to refine their documents.  Here are a few points to consider…

Re-engineering the Assessment Deliverable

  • These documents should be written to the decision maker, not IT.  If your SE is writing the deliverables, chances are that your documents are written to technical people, not economic buyers on the business side.  Most of these will not lead to larger remediation projects.
  • If your document is mostly lengthy paragraphs – and you have pages of paragraphs – it doesn’t really matter who you are writing to. No one will have time to read it. Stick to charts, graphs, diagrams, bullets, and a few paragraphs. If your assessment was done at no charge, you don’t need a long written report. You need something short, to the point (I recommend using a PowerPoint document), and supplemental to a great presentation on what you’ve found.
  • If your “Findings” section contains technical misconfiguration information, or possible vulnerabilities to some technical-sounding Trojan, you might consider changing it. Ask yourself, “So what?” So what will happen as a result? I call this the “So What?” test. Keep asking yourself until you get to an urgent-sounding issue with business impact. For instance, on two documents I read last week, both reps were recommending managed services on the basis that one person can’t manage a group of 50 or 100 end-users. I kept asking, “How do you know?” The document made it sound obvious, but no justification was given. You can’t do this. Imagine you are the CFO, trying to save as much money as possible. Someone with a sales business card comes into your office and tries to convince you to sign a contract for several thousand dollars per month. You won’t do it unless you’re sure you need it. There must be some pretty strong evidence. I’m not saying you can’t find it – I’m simply stating that you need that evidence before proposing the solution.

I will be covering this and more, next week on a webinar sponsored by Ingram Micro – Wednesday, September 26th, at 1:00 PM ET.  You can sign up right here:

Looking forward to seeing you there!

© 2012, David Stelzl

Join Me Sept 26th!

When you engage your prospects, are you “Creating Undeniable Justification”, or pitching your products and features?  If your client truly has a need, it’s not hard – if you are trying to sell them something they really don’t need, it’s hard!  Avoid the latter and focus on the real needs…security technology is the first place I go when considering top needs of the companies around us.  In almost every company I meet, there is an undeniable need – and justification can be created.  However, you can’t just tell them, “You have a need.”

FREE Event Sponsored By Ingram Micro

On Sept 26th, Ingram Micro has asked me to present a special presentation on exactly how to provide Undeniable Justification by showing you how you can change your assessment process to address business decision makers and their needs.  The more I work with resellers the more convinced I am that the security business is central to success in network projects, server/storage projects, and especially managed services.  But it can’t look like most of the assessments I am seeing.  In this session I will show you exactly what to do…plan to join me for this 60 minute presentation.  Sign up here:

© 2012, David Stelzl