Archives For security assessments

How Would Your Assessment-to-Business Conversion Rate Grow If You Had Access to This One Extremely Powerful Assessment Tool?

90% of the Assessments I Review Leave Out Asset-Owner Interviews – Leaving You (The Seller) With a Weak Deliverable and Little Justification to Remediate

In this article I’ll point you to the people you should be talking to. In addition, I’m going to give you the exact questions and sequence to use if you plan on up-selling them on remediation steps and ongoing annuity services.

(And Download my Free Assessment Report Template – We’re converting over 73% into MSP/MSSP contracts)

The Number One question I get when the topic of assessments comes up is, “What tools do you recommend?” It’s a great question…however, I know what’s really being asked, and it’s the wrong question.

The Wrong Question to Be Asking On the Front End

“What scanner or analysis tool do you recommend?” That’s the question behind the “Tool” question. But it’s the wrong question.

The tool question stems from a misconception that assessments are technical initiatives that should be led and delivered by technical people.

In most cases, the assessment is sold (or offered pro bono) by the seller, and then tossed over the fence to a technical team. The team may be well skilled in security concepts, network architecture, and more. But in most cases they lack business savvy.

Yet the assessment, according to its first name, Risk, is by definition a measure of business risk. And it’s the asset owners (those who have true business liability) who need that measurement.

Note: Get the details on Asset Owners, gaining access and delivering value, in my book, The House & the Cloud – Almost FREE using this link.

The Question Framework

So what’s the right question? Well, it’s really an approach more than a question. The goal of the assessment (addressed in more detail here) is to move troubled customers to a remediation plan. It’s like a cancer patient recently diagnosed. The oncologist who fails to move most of his patients to treatment should be seen as a failure.

Is he just not communicating? Do they just not understand they are dying? Something’s wrong if the prognosis would be positive with treatment, yet the doctor is not able to move his patients to action.


In my book, The House & the Cloud (Chapter 13), I provide three key questions as a guideline.

  1. What are you trying to protect?
  2. What are your relevant threats?
  3. How likely are you to be able to detect and respond to an incident or pending disaster before damage is done or data lost?

These three questions provide the basis for a longer, freeform discussion with Asset Owners.

Remember, Asset Owners are those with business liability. That means these special people are responsible for business functions critical to the profitability of the business, and live primarily on the profit-center side.  Think, C-Level, VPs, Directors, and key people in key divisions of the company.

…Doctors, lawyers, CPAs, Sales Managers, R&D Management, Investment Banker, Stock Broker…people who make (or significantly contribute to) profits.  When an asset owner’s data is compromised, deleted, or corrupted, that person is in trouble.

Customers will file lawsuits, stock prices go down, brand and reputation are tarnished, and heads roll.  You won’t see the director of IT, or their one-person IT support guy in the paper tomorrow – but chances are, an Asset Owner will be front page.  A few weeks later, you’ll read they have moved on to something new, by mutual agreement…code for, FIRED!

Questions Designed to Get Answers That Matter

Using the Framework, you can then divide your interviews among three groups. (I provide more detail in The House & The Cloud, Pg. 195ff).


  1. Executives
  2. Power-Users
  3. IT

The assessment process starts with executives (whenever possible). My friends on the Disaster Recovery side of the business pointed me in this direction years ago…business risk starts with understanding business leaders’ care-abouts.


Start your analysis with questions (using the 3-part framework above) to determine what matters and how much…Your first question is, “What are you trying to protect?” It might look something like this:

  • What applications / data are most important to this business – profit, stability, growth, customer satisfaction, etc.?
  • After identifying them: How long can this system be down? (Hit the important ones and drill down.) The first answer is usually wrong – “No downtime!” You and I know zero downtime is nearly impossible and exponentially expensive! Find out where the balance of cost and availability sits. Think Maximum Tolerable Downtime (MTD).
  • How about data loss? “Can you afford to lose any data – if so, how much?” This is a Recovery Point Objective (RPO) question, but stick with business language. Explain how data is lost (ransomware, disk crash, corruption, etc.).
  • What are you most concerned about protecting against? There are three pillars of security to consider. Confidentiality, Integrity, and Availability. It might be one of these, or all three might be important. Make sure you know how the executive sees it.

Next, move to question 2: “What are your most relevant threats?” Again, you’re talking to an executive, so keep it at a business leader level. One bad question (technical in nature) could land you a demotion back to IT!

  • Who is allowed to see this data? Who can’t see it?
  • Who would want this data?
  • What happens if this data gets out (in the hands of other governments, competitors, the public, etc.?) – Speaking of impact here.
  • What concerns you most? Examples might be data theft, downtime (from what?), loss of access (for instance, ransomware), etc. What about soft costs such as loss of customer trust?

Finally, a simple question, “How would you know if your data were under attack, or on the verge of any disaster we’ve mentioned above? Would you know in time to stop it from happening?”

Expect executives to say, “I hope so, but don’t really know.”


Power-Users

A similar line of questioning is used with this group, with the addition of questions that reveal the lifecycle of their data.

More than one interview is desirable here. You’ll want to talk to key department managers as well as those who create and use data to conduct business.

In a small business, this may involve 2 or 3. In a larger firm, make sure you build in adequate funding to visit 5 to 10, or more, depending on the size and complexity of the organization.

Discover their data flow.

Workflow means understanding who is creating data, who is using it, and how it travels, is stored, archived, and finally deleted. You’ll want to know who interacts with data inside and outside the company (customers / suppliers), and what kinds of access different groups should have.

Discover business climate.

In addition to workflow, you’ll want to know about any upcoming M&A activities, pending layoffs, volatile terminations, R&D announcements, etc. These all affect a company’s security posture.

WITHOUT this level of insight into the organization, moving forward to evaluate risk is nearly IMPOSSIBLE. True risk has everything to do with how workers create and treat data.

At this point I would recommend using a quiz – formal questions with scoring, to see how well-informed these users are when it comes to securing their most precious assets.

Completing the Process

The rest of this assessment deserves its own article…In short, your next step is to evaluate the data coming from your interviews, with security practices in mind.

Hold an internal meeting to ask your team – “What would need to be true in this company to keep their data secure at the levels identified by asset owners?”

With a list like this in hand, it is then easy to go into the IT areas and investigate. You now know exactly what you are looking for…

You can find out more on the consultative discovery process in my book, From Vendor to Adviser.

© David Stelzl, 2017



Assessments Just Might Be Your Ticket to High Margin Business

Are you doing assessments? It might be security. But other assessments work just as well. Network, Cloud Readiness, Business Impact Analysis, etc.

You might be charging, or they might be free. Regardless, the assessment is not where the big payoff sits. Unless you’re a pure consulting firm (no product and no hosted services), you want this paper to convert to something.

Traditional sales models look at sales activities. I prefer to look at outcomes – in this case, conversion. The average assessment won’t convert to large project business or managed annuity contracts. If you’re in this boat, keep reading. A few questions you should be asking…

Why Don’t My Assessments Convert?

The biggest mistake I see is one of being too technical.

The network engineer values the network. Bandwidth improvements, benefits that come with software defined networking (SDN), or the ability to provide secure access to many different types of devices, all make sense. But handing in a report that shows the inventory, IP addresses, and possible hardware/software upgrades won’t get you a project.

Instead, start thinking about the major initiatives CIOs are working through right now. Mergers and acquisitions, customer experience gains – such as providing guest access and portals, collaboration that involves more video, etc.

These are business drivers…if your assessment starts by looking for these initiatives, you can then move to end-users to discover how they use the network, and what they’ll want out of it in the near future.

This leads to justification for SDN or greater agility.

Who Should I Include In the Process?

It’s tempting to make this all about technology – but don’t. From the above paragraph, you can see I am recommending you include executives responsible for business strategy, who will build their programs on this network.

From there you want to include end-users. This group is often left out of any technology sale. But they are your best influencers. Find out what they need to generate more business for their company and you’ll have the justification you need.

From there, you want to strategize with your team internally. Ask the question – what does this company really need in order to do what they want to do? Once you have the answers, you can then evaluate or assess their technology.

Your Deliverable Looks Like This…

Scrap the highly technical deliverable. You don’t have to throw it away, but think of it as reference material that goes in the back of the book. IT may want to see it – in fact it might be impressive to them. Let them have it.

But your primary deliverable is going to decision makers – business people.

So write the report to them. It’s not your executive summary – it’s your main report. It’s a business case. It’s the primary deliverable. Write it with care – make the case for the gains you’ve discovered, and show them what they need before they can get what they really want.

Hint: It might be worth hiring a copywriter to rewrite your report – once you have one that works, you can reuse the same language. Copywriting is a science used by marketers to move people through written content…don’t leave this to the high-tech people.

© 2016, David Stelzl


What One Simple Phrase Might Have Saved Target?

Well, I can tell you what one simple phrase crushed Target…it was, “We’ve got it covered.”

In this case, it wasn’t the security guy in Minneapolis saying it…it was someone higher up. The root problem here might be the senior management team – unwilling to spend money $$$ on yet another assessment. However, when I see a story like this unraveling, I first like to think about the technology providers serving that company.

What if The Value Proposition Worked?

What are the technology companies doing in there? Are they recommending security assessments? Probably – but are they more focused on compliance (Target was PCI compliant), or are they thinking about the preemptive security strategies that must be in place for any large retailer today?

Imagine how big a hero the sales rep would have been if he had only had compelling justification to do more assessing, or to sell Target on something more proactive than what they have in place right now. Certainly there was a need…isn’t that evident? And what would the ROI look like when compared to the billions of dollars this fiasco is going to cost?

I’d be happy with just a small piece of that in commissions – how about you?

Did they really not have a need, or was the sales team just ill-equipped to sell them on it? Apparently the security analyst knew there was a need.

What’s Your Client Doing About Security?

Chances are you have a client just like Target. Maybe not as big…but with a need just as important to the stakeholders and customers of that company. It doesn’t matter how big it is – cybercriminals are still interested, and the customers are still going to encounter major life disruptions if their data gets stolen next week.

If you’re waiting for senior management to approve some sort of budget, or finally see a need – don’t hold your breath. They’re too busy to think that way. They’re thinking about up-time, customer experience, more sales, and competitive pressures. If they are a big company, someone probably is thinking about security…but chances are it’s someone in IT who won’t have a strong enough message to sell senior management on immediate action. Someone like the guy in Minneapolis.

Some executives will look over at Target and say, “We need to do something.” Most will just hope it doesn’t happen to them.

Bottom Line: Your Message Must Sell It

If your client is going to take steps of action, it’s probably going to take another sales call from you. But this time, rather than going in with your old presentation on what your company does and asking them if they need help, go in with a mindset that they absolutely do need help…they just don’t realize how much help they really need.

If your message is good – it will wake someone up. If it’s good, there will be an unexpected interruption in their day. If it’s good, it will likely lead to action.

So what’s the One Simple Phrase? It’s your re-crafted value proposition – the one that sells the senior managers on taking proactive steps to prevent this type of thing.

© 2014, David Stelzl

P.S. Read the House & the Cloud, and find out what Security Sales Messaging should look like…

It’s a recipe – not a numbers game. (But wait! Notice the picture on the left – somehow Hilton decided to select me as their guest of the day. Little do they know, I’m a devout Marriott Elite customer – but the service here was excellent). Last night I received a call from one of my clients – in one day he closed a new client deal for managed services! How? He was so excited, he called me just to share the excitement.

It’s the conversion process I outlined in yesterday’s video blog post. There’s some event – this can be anything that leads to an assessment. I like 1-to-many events because they’re efficient, but it can be something one-on-one. It must be educational. It leads the prospect to want to at least take a look.

Then there’s “Creating the urgency”. This can’t be FFUD (fabricated fear, uncertainty, and doubt) – it must be real. Usually, if you look closely at the business, in the security space, there is an urgent issue. A high percentage of the companies you call on have a serious problem they don’t know about. My client’s SE found it – they were running critical applications and their backup solution was failing.

Converting the next step – to fee-based business – is a matter of persuasion: guiding truth around others’ mental roadblocks. My client executed on this flawlessly, and the result was a contract in hand. Master the recipe and grow your value – this leads to business growth.

© 2013, David Stelzl