Archives For security audit

Join me on June 8th at noon EST – Leveraging the Discovery Process to gain access to decision makers (CLICK to SIGN UP). I will be building on material presented over the past several months, but you can always go back and review sessions you might have missed. In this one-hour session I will be covering important concepts such as:

1. Types of questions to ask asset owners and executive managers

2. How to avoid getting demoted to IT in the discovery process

3. When and how to engage the IT group in this process

4. What to do with data collected in both

5. How to deliver your findings

6. How to present your findings and recommendations

7. How to turn this process into fee based business and product sales

Don’t miss this! It’s funded by Cisco and costs you nothing but time…sign up here (CLICK)

© 2011, David Stelzl


Why do so many Vulnerability tests fail to produce remediation business?

1. If the test is done for IT, you won’t have visibility into the executive ranks

2. If the process doesn’t involve the executive team they won’t care much about the results

3. The report is too technical

4. The report uses jargon that disguises the problem and its urgency

5. The provider appears to be more focused on analytics than on urgent issues

E.g., if I come to you and say, “This is the problem; I’ll put together some options and pricing and get back to you next week,” do you feel like the issues are urgent? What if your plumber did that after discovering a leaking pipe in your wall? You’d fire them! (But only because you know that is urgent.)

© 2010, David Stelzl


We are on day two of an intense business planning session in Kentucky – one key topic that always comes up is, “How do we create business, and do the assessments we’re currently using work for this sort of thing?”

There are three common assessments I see out there:

1. The vulnerability assessment is most common – a technical paper that identifies as many holes in the security architecture as possible. The resulting report is generally very technical in nature, product focused (meaning: network, application, etc.) and appeals to the IT department. Certainly there is a place for this.

2. The pen test – penetration test, that is. A test to see if the assessment team can break in. This is fun, expensive and obvious…at least to the team. They can always get in if they’re good.

3. The risk assessment – this should measure the impact of a loss, but equally, the likelihood of such an issue.

The third one is always most effective in building new business.