Archives For security training

Our fall schedule is under way – in fact, I kicked off the bow hunting season last night with a successful hunting trip deep in the woods of my back yard!  (Sorry, no pictures from last night’s events).  Needless to say, we were up late…but I digress.

The schedule I’m really talking about has to do with events and training programs – so we kicked off day 1 of our September Making Money w/ Security Class – if you’ve never been or have colleagues who would benefit, here’s the next two months’ worth of classes…sign up!

Yesterday I was on the phone working with an attendee from last month’s class – you get a one hour coaching session as part of the class.  We spent some time reviewing key concepts, but from there we dove into his particular territory challenges. New with his current consulting company, breaking into large accounts for the first time, and focusing on security…we looked at his messaging, use of the phone and email, how to maximize his time and hit rate, and who to be talking to about what.  Here’s what he wrote his manager after the call:

“I can’t speak highly enough about the quality of the training and how grateful I am to have been able to partake in it. It’s made a significant difference in my mentality regarding my job and how to go about it. The strategies I’ve learned as part of it I’m using every day and am continuing to put into practice lessons learned during the 3 sessions.

I would advise in the strongest and most staunch terms to continue the sessions for our sales personnel; … we’ll all make more money and have far greater relationships with our clients because of it.”

Thanks for your comments!

Low Hanging Fruit

On day one we always start by setting the stage with an overview of the latest security issues and trends.  Last night I asked attendees to come back with some of the low hanging fruit they see in the accounts they’re calling on.  Here are some of the responses….

  • Lack of incident response planning (CERT)
  • Failures in maintenance/patch/update processes
  • Lack of understanding of risk and impact. (Should be IMPACT & LIKELIHOOD)
  • Email issues – malware, lack of encryption, archival…
  • Backup issues – sensitive data generally backed up only to tape or an external hard drive
  • Network connectivity issues -???
  • Server failing and lack of business continuity best practices
  • BYOD – lack of management, access control, etc.
  • Current IT support provided by a single person or a really small IT firm that is based on the break/fix model
  • Businesses do not have disaster recovery options in place or they have not been tested
  • Data leakage

Some good thoughts here – but today we’ll cover predictable messaging and how a value proposition must be delivered in light of current customer needs and perceived needs…an important lesson on marketing and messaging.


Sound Bites

Of course we always cover sound bites on day one – it’s amazing to me how powerful a sound bite can be, yet how much of a setback there is in using a sound bite incorrectly.  I spoke with several people this past week about their resumes as they look for new job opportunities.  Some of the input they’ve received from human resource and recruiter types is just downright wrong with regard to sound bite usage…today we’ll be reviewing some of the sound bites to test them against what the marketing gurus tell us is the right way to think about sound bites.  Some of those submitted last night include:

  • BITE: According to the SANS Mobility/BYOD Security Survey, over 61% of companies responding allowed employees to BYOD, but less than 50% feel confident in their BYOD policies. – COMMENT: not a bad quote, all encompassing, and from a solid source (SANS).  However, will executives recognize or believe the source?  Probably not…I would not use it.
  • BITE: “About 40% of people are not taking the most basic security procedures, like setting up a screen lock or putting software on the phone that could find the phone if it’s lost or stolen.” – Fox News  COMMENT: This is good if we tie it to business and the BYOD movement…recognizable source, pervasive, and tied to what I would call one of the key initiatives out there for most midsized companies – mobility.
  • BITE: “Companies know they’re not spending anything close to what’s needed to make their networks invulnerable to attack, according to a 2012 study by Bloomberg Government. – Bloomberg” COMMENT: Strong source – and while it’s not that new, it’s new enough to stand up to the passive attitudes we see out there. The trick now is to tie this to some method of securing, or a mindset to be adopted by organizations.  If I can show them where companies are failing, I’ll have a place to take this sales discussion.  We’ll talk more about this in today’s class.

I hope to see you in an upcoming workshop…

© 2013, David Stelzl



747 Frankfurt to Bangalore

I arrived this morning at 2 AM in Bangalore India – I’ve spent the last 9 hours on the plane to the left, a 747 Lufthansa aircraft (traveling from Frankfurt to Bangalore).  Note, that’s after spending 9 hours traveling on a USAirways Airbus 330, Charlotte to Frankfurt.  Tomorrow I will be working with SEs from Cisco Systems on executive level conversations around information security…everything from global cybersecurity trends, to creating justification, to presentation skills required when engaging executive level audiences.

Two Wall Street Journal articles grabbed my attention while laying over in Frankfurt yesterday.  One on the importance of training your employees, the other on the need for better presentation skills when working with executives on information security issues.

The ROI on Training SEs to Sell

The article on training didn’t concern SEs – however, it did say that today’s employees, especially those with more desirable skill-sets, are going to demand further training.  Everyone wants to grow, everyone wants to improve – at least those employees worth keeping.  It’s a sign of poor character to accept the status quo.  The writer went on to say that the promise of training is important when trying to attract the right people to new jobs, and that attrition is significantly reduced when training is regularly offered.  My focus on the SE is just an observation.  It’s been my experience that SEs tend to like sales training.  They get the technology – and of course they want to continue to grow that, but adding the ability to sell to their resume is a big boost to their value. The person who is both tech-savvy and knows how to sell is rare and desirable.

A seat with a view

When I teach sales classes I find that SEs are often more attentive, and more serious about learning the content, than any other group of people attending.  I’ve seen some very technical people become superstars overnight simply by learning how the sales process works, and how marketing science is almost exactly the opposite of the way an SE tends to approach a sale.  When a technical person’s eyes are opened to the influence they can have, simply by changing a few things about the way they approach sales, a powerful transformation begins to take place.  Both resellers and manufacturers of technology would do well to invest more in their SEs’ training programs – specifically on sales and marketing strategies.  In fact, I know of two very successful resellers who have grown significantly, without the addition of more sales people, simply by empowering their SEs through this type of training.

An added benefit is that it helps sales people work more closely with their SE team on the sales process.  When both parties understand where the conversation is going and what it will take to close the sale, they stop stepping on each other’s toes in the sales process.

Board Level Presentations Have to Change

The article on Board-Level Presentations was specific to information security – the topic we’ll be addressing over the next two days.  Really, this applies to all executive level management.  The bottom line was that executives and board members need to know about security.  However, when IT people, and even CIOs and CISOs, approach these discussions, they tend to go into too much detail (according to the article).  I was excited to see that the very graph I use in my book, The House & the Cloud, was described in the article as “What they need to know”.  I’m talking about the “Impact vs. Likelihood” graph. In my Making Money w/ Security workshop, I refer to this graph as “The Most Important Part of The Assessment Deliverable”.  Almost nothing else is needed other than some basic descriptions of what goes on the X and Y axes of this graph.  If the technical part of the organization (or more importantly – you) could figure out what assets belong on the X-Axis (the high-impact applications), and how high on the Y-Axis to put them (the measure of likelihood – how likely the organization is to experience a breach or loss of data), executives would know what decisions must be made.  Of course they will need to believe your data is correct – but that’s the definition of Trusted Adviser – trustworthy and able to advise – as stated in my more recent book, From Vendor to Adviser.

My seat for 9 hours

On Friday this will be the topic of discussion in our SE workshop.  We’ll learn how to take the raw data and put it into this format – and then, more importantly, how to present it.  This is something every company that specializes in cybersecurity offerings should be doing.

© 2013, David Stelzl

I’ve just scheduled the next Making Money with Security Workshop.  If you haven’t attended one of these, you need to…there are just too many security opportunities out there; unfortunately I routinely see people leaving money on the table simply because they are not prepared to sell the entire project.  In fact, the entire project is often not obvious because the client doesn’t know what they need, and the discovery process on the sales side is lacking. I am posting this along with the LinkedIn news because I believe there is a tremendous opportunity here to really make a difference – I want every person I work with to have access to “Asset Owners” – to have access to the most important security issues their clients have.  I am passionate about this…because I know it works.

Get More Information

Read more here for dates and times, the outline, etc., and sign up using the early bird discount.


The LinkedIn Issue So Far

This recent issue with LinkedIn is big.  It’s just one social network, but 6.5 Million passwords is huge, and most of these people use these passwords on every online account they have.  Look at some of the issues posted in a recent PC Magazine article:

  • A file containing 6.5 million unique hashed passwords appeared in an online forum based in Russia. More than 200,000 of these passwords have reportedly been cracked so far – it’s just a matter of time for the rest.
  • This breach is so serious that security professionals advise people to change their LinkedIn passwords immediately – in fact, I recommend you change yours right now!
  • This was amazing:  “One common way people create passwords for different websites is to add the name of the site into the passphrase, says Thorsheim. So some people may use the password “1234Facebook” for the world’s largest social network, and then “1234LinkedIn” for LinkedIn and so on.”  This is a foolish way to create a password – something to educate your clients on.
  • If you know the password is hashed with SHA-1 (which, in this case, these passwords are), you can quickly uncover some of the more basic passwords that people commonly use – in other words, encryption is not that secure if you know what it translates to.

© 2012, David Stelzl

Guatemala City: Day 2

February 1, 2012

Tuesday was a full day, kicking off the morning with several sessions on selling security including discovering new opportunities, learning to effectively use sound bites, and a review of the security briefing material I have been using at executive facing lunch and dinner meetings.  Our sessions were held high in the mountains in a house my client has turned into their company conference center (pictured on the left).

After a hearty lunch of steak and potatoes we continued working through the House & the Cloud model, discovering the secrets behind effective messaging and marketing approaches.  In every country I visit, it is important to understand some of the cultural barriers in marketing and selling – for instance, in Guatemala, there really is no middle class.  The barriers between the lower and upper classes make interfacing with higher level executives more difficult than some countries such as the US.

This same barrier may exist in any country when dealing with very large corporations where high-level executives refuse to see the sales person as an adviser regardless of their advisory capabilities.  One way to deal with this is to find other people in the organization that are also “Asset Owners” – people with liability, but perhaps not the highest level executives.  My book, The House & the Cloud describes an asset owner as someone with real or perceived liability – not necessarily the CIO or CEO.  In any case, it would be rare for the IT Director to be counted in this group.

PS. I should have planned more time to sightsee and take pictures.  This is a beautiful country!

© 2012, David Stelzl

Here’s a common question that came up in our class yesterday…

Question: What about clients who understand there is a risk, but are comfortable with their current solution?

Answer:  If a company really has what they need, there is no reason to up-sell them.  However, it is rare to find a company that has a reasonable security solution, particularly in the mid and smaller market companies.  Reports from the WSJ and other sources tell us that even those who are under strict compliance regulations such as PCI are far from compliant, and experience tells me that if I were to conduct a simple risk analysis, not only would there be many vulnerabilities, but it is highly likely that desktops and servers would be compromised by bots – something some dismiss as trivial, but which shouldn’t be taken lightly.

An article this week from Wall Street underscored the importance of having more than just protective barriers in place.  75% of employees admit to stealing data when leaving a company, and 75% of those involved in a recent study gave in to online predators (disguised as a 25-year-old female), to the point of giving up online passwords in some cases, and other sensitive information in all cases!  And a review of 2011 news articles reporting data compromises will tell us that bot technology and web threats are behind a high percentage of all hacker attacks.

Looking back on the marketing events I have conducted this year, far more than half of the business-level attendees have agreed to conduct risk assessments, and while these assessments were often provided as a complimentary service, they almost always led to remediation projects and managed service contracts when performed and presented correctly (key point here).

So for the few companies out there that don’t want to know, and don’t really care – either you are talking to someone who is not really an asset owner, or the person you are talking to is suffering from a case of “foolish thinking” – time to move on to another prospect.

© 2011, David Stelzl