
What’s The One Big Issue Behind Almost Every Hack?

Hint: Most Risk Assessments Ignore It!

One question I always ask on our final coaching call (in The Security Sales Mastery Program) is…
“What is your client’s number one security mistake?” Answers vary…
Is it…
  • Poorly configured or managed firewalls,
  • Untested backup systems,
  • Improper network segmentation
All are important, but none are right, said Security Expert Thomas L. Norman (author of several security/risk analysis books and a recognized industry speaker).
In a recent interview, I asked Tom what he believes is corporate’s biggest mistake…
“Easy!” says Norman. “It’s a lack of user awareness training. Training is always treated as an afterthought, and a waste of time in the mind of employees.”
He went on to explain that every security issue is rooted in a mistake made by an end-user, who just didn’t understand security.
In many cases the mistakes are made by hard-working end users doing their job, looking to be helpful and efficient, but out of touch with the surrounding threats.

Experts Without Experience, Opening the Doors To Destruction

Imagine going in for heart surgery. Your surgeon is an expert on IT, certified as a CISSP.
He’s earned his masters in computer science (with a specialty in data security), has designed networks, written books, and even designed his own operating system.
But this is heart surgery!
So while he is able to access everything he needs online, including the patient’s medical history, YouTube videos on how to perform the surgery, and perhaps even a paid channel he hacked into to observe an actual surgery, he has zero credentials when it comes to medicine and surgery. Are you going to let him proceed?
Now turn this scenario around. The doctor knows everything there is to know about heart disease and protocol. He’s performed hundreds of successful surgeries. Yet this degreed professional has zero IT experience. He’s used computers, but he has no idea how they work, where protected patient data is stored, or how that data can be used to harm him, the organization, or his patients.
The truth is, there are millions of professionals around you doing all kinds of specialty work. They’re calculating taxes, auditing, designing bridges and buildings (earthquake-proof and more), building airplanes and spaceships, and performing intricate surgeries.
None of these professionals took on these complex projects without significant training and certifications.
Yet, every one of them is given access to the one device that (if used improperly) has the power to destroy an entire company.
Computers are the heartbeat of your prospect’s business, as well as the central nervous system of government, education, healthcare, and transportation (all critical infrastructure). One wrong move could bring lawsuits, expose data to the competition, and threaten the stability of your country’s economy, the military, and just about everything that matters, including life itself.

Stupid Things Smart People Do

My first IT job was a co-op position at Johnson & Johnson (McNeil Pharmaceuticals). I’ll never forget the day one of my coworkers deleted our entire poison control system (highly sensitive data used in drug trials for government approval)!
We were working on DOS back in those days (Windows’ predecessor), a command-line-driven operating system. Just one missing parameter in his command ended up deleting everything. Keep in mind, we didn’t have a trash can on the desktop like you do in Windows. Lucky for him, we did have a backup. Still, it was a major ordeal. We had to restore from floppy disks, a painfully slow and risky process.
Smart people do stupid things on computers all the time. Not because they’re stupid. They just don’t know any better. Imagine how many mistakes you or I might make while performing major surgery using an instructive YouTube video!
On any given day…
Messages pop up saying your computer’s infected, call this number (a simple ruse used to take over one’s computer by phone).
Perhaps you are at home, working on a late night project with an approaching deadline. What will you do? What would the average office worker do?
Another user receives an email from the bank requesting updated information, or a wire transfer request to a known supplier (with updated account numbers). What will they do? Will they check with someone first, or just move the money so they can be back on task?
How many people have been duped on Facebook to friend innocent or attractive looking people, only to be lured into giving up confidential information?
It’s been shown time after time: people trust people, even when they’ve only met online. Office workers are busy. They don’t have time to check with IT every time an email comes in or a website looks different.
Do these knowledge workers ever leave mobile devices unprotected and unattended at Starbucks? Do they still have personal data on their phones when they list them on eBay? Do they click on sites that have invalid security certificates, or click on links emailed by people they don’t recognize?
Do they download apps with little thought of malware, or work from home on unprotected systems and unencrypted networks?
Yes!
These are all common end-user habits. People are busy, and without some serious training, they won’t spot the clever ruse that comes through the firm’s various levels of security and insecurity.

The Only Reason to Measure Risk…Or You’re Wasting Your Time

The purpose of an assessment was explained in an article I wrote earlier this year. The bottom line is that assessments should be performed to expose weaknesses, measure risk, and move the company toward remediation (the long tail of security assessments). If your assessments fail to do these three things, you’ve wasted your time.
So, while the misconfigurations so often found in network devices and servers are important, understanding the risk (impact vs. likelihood) of a user’s mistakes is more important.
Looking at risk, what is the impact of an end-user acting on an email infected with spyware or ransomware? It’s extremely high!
How likely are they to act on it by clicking? Again, extremely high.
When the impact and likelihood are both high, the company has a major problem; one that must be addressed.
Take this same concept home or on the road. How likely are end-users (executives, salespeople, office workers) to give in to just about any social engineering effort (phishing, infected websites, a fake support call)? Higher than you can imagine.
You should expect that your client’s office workers are making mistakes every day.
Expect them to be downloading untested apps, letting their kids trade pirated music and videos, accessing high-risk sites such as gaming and porn, and more…
The average teen is probably friending all kinds of predators, disguised and prepared to steal and destroy. Employees regularly email confidential data, store data on personal devices, and use insecure home networks to conduct business. The end-user is the new firewall, and they’re failing.
After all, none of these workers have ever really been trained.
And if they have (through some ill-designed, one-off training program), chances are they didn’t really pay attention. The training was probably boring, overly technical, and ineffective.
In the case your prospect company did bring in someone entertaining, or used one of the few attention-grabbing programs out there, everything they learned was out of date (or forgotten) within a month.
Remember, hackers are creative, stealthy, and always one step ahead of the good guys. Training needs to be a high priority, frequently updated and repeated.

What’s At Stake? Your Prospect’s Most Valuable Assets

Looking at your client’s most important assets, it used to be the people. No longer.
Data is the most important asset. Everything your client does is digital. The money, the R&D, the customer lists, the strategies and processes; everything.
There are three areas to consider: confidentiality, integrity, and availability.
Anything that would expose confidential data, affect the integrity of the business’s information, or reduce the reliability or performance of the company’s computer systems is at risk.
When building the impact vs. likelihood graph (find out more in my book, The House & The Cloud), your first consideration is assets. Which applications and what data represent the greatest negative impact to the business if made unavailable, corrupted, or exposed (to other governments or organizations, hackers, or the competition)?
What’s at stake? Loss of shareholder value and customer confidence, competitive advantage, operational efficiencies, quality, and perhaps fines or lawsuits for non-compliance. The cost of any breach, according to Thomas Norman, is about 20X the cost of remediating that one threat!
So when a company refuses to secure something in order to save $100,000, they can expect to spend about $2 million on recovery when a “Boom” (the industry term for disaster) occurs.
Second, consider the likelihood. The client needs a metric to understand their risk, and it can’t be three colors. The RED, YELLOW, GREEN system is overused and of little value. CFOs don’t approve large security budgets just because your report has a RED light on it.

Correcting The Course – How to Include People In Your Assessment

Security awareness training, like policy (the other root cause of security disasters, according to Norman), should be a primary consideration when assessing risk. If the user/operator of a mission-critical system is highly likely to cause disaster (through ignorance or an act of vengeance), it should be noted in the findings.
A few things to consider in your next assessment:
Make Time For People Interviews.
There’s no point in scanning networks and looking for patches and open ports if you’re not going to assess risk. The chances of that company actually taking action on your remediation steps are nearly zero. Build interviews into your assessment process, both with executives and end-users.
On the executive side, you need to know what they believe are their most mission critical systems. You’ll want to know what data matters, what applications are core to the business, and how much risk can be tolerated.
Find out who would want certain data, or what impact a down system would have on the profits and customers, for any given length of time.
Remember, IT can’t answer these questions. There are too many variables. Pending lawsuits, product announcements, M&A activities, and the competitive landscape all play a role in data asset value; it’s a moving target.
Once you know what really matters, it’s time to talk to their end-users. You want to understand their workflow; how and when data is created, used, transmitted, and stored. How about data disposal?
You also want to know how much these knowledge workers know about security. Is email encryption just an option on their email application, or are workers forced to comply with corporate security policies?
Do employees use personal devices, and do they understand how these handy devices are compromised, or what happens to data when they sell their iPhone or tablet online?
A security quiz issued to a sample population would be perfect (I’ve never seen this done – but it makes sense. A quiz would certainly set you apart from your competition).
There’s a lot more to cover when discussing the risk assessment process. However, these ideas concerning end-user awareness, and the likelihood of enabling a disaster, are a great place to begin.
Copyright 2017, David Stelzl

Who Will Dominate the Future of Assessments? Security Experts or Business Risk Advisors?

Scope (what’s covered) has everything to do with differentiating the Security Assessment Sale.

In case you missed Part I, read it here:

The One Thing That Set My Client’s Assessment Apart From 13 Competitive Quotes

I’ve been writing a series of articles on risk assessments over the past couple of months. If you’re in the security business (or trying to break in on this growing cash cow) it’s time to get on board with how assessments work; how they’re sold, what they’re for, how to get them read, and how to make them work for you inside the accounts you sell to.

In Part I, I covered Differentiating Yourself in the Sales Call. (Note: if you’re looking for a technical read, this is not it.)

So, next, let’s turn to the scope, and how what you cover in your engagement has a lot to do with who buys it and who reads it.

If you want to grow your business, keep reading. The assessment is the best way (and one of the only ways) to get engaged with decision makers (the people writing the checks).

Your Client Is Wrong About Scope 97% Of The Time

I hear it all the time: “The client is always right.” No, they’re not! Especially when it comes to security.

Remember (See my book, The House & The Cloud) your IT contacts are not liable. And your asset-owner contacts (who are liable) have very little understanding when it comes to security.

So don’t let the client dictate the scope.

In short, you can’t simply respond to an RFP and come up with a meaningful assessment project (I discuss RFP responses in detail in my book, From Vendor to Adviser).

Getting The Scope Right

When I bring up assessments, the first question I get is, “Which tools (scanners) do you recommend?” I’ll cover the actual assessment process in a future article. But for now, set tools, scanners, etc. aside. There’s something far more important here to consider…

The typical approach to assessing risk is, Inside/Outside. But looking inside (trusted), and then out, is wrong thinking…

The truth is, your client doesn’t have an inside or outside anymore. Sure, your dream client has a perimeter, but half the office is on the road or working at home. They’re all outside on their mobile devices. Chances are these knowledge workers are going back and forth between personal (Facebook and shopping) and business, and on breaks their kids are playing Counter-Strike or World of Warcraft (or surfing porn and gambling sites).

(And then there’s the 75% of employees who admit they steal from their employers – all inside…WSJ)

Wrong Thinking

Every paid assessment should cover perimeter devices, end nodes, and network architecture/segmentation & configuration. The obvious, so I won’t elaborate.

Yet, when I read a scope document, and it breaks the assessment down into: Internal, External, Network, Perimeter, and Servers/Storage…I get concerned.

This infrastructure-centric approach is for the super-techies, not business leaders.

I can already imagine the deliverable with its endless tables and network diagrams, and the Red, Yellow, Green light ratings that appear on every assessment. If you’re looking to differentiate yourself, this won’t do it.

Price will be the deciding factor!

Rethinking Your Scope – Make It Attractive to Business Leaders

The business people (Asset Owners) are the ones who will be writing this check. So, what is it they need? In my book, The House & The Cloud I spell out exactly what the board is looking for (see page 195). It’s restated in Selling Assessments Part I.

This type of deliverable requires a different approach. The final outcome is a measure of risk (illustrated in the Impact vs. Likelihood Chart).

START HERE – DIGITAL ASSETS: Think like a Disaster Recovery Specialist…

Where is the data? Which of these assets are most important, and what can’t they do without?

It’s a fact that most companies have no idea where their data actually is, or who has access to it. When people travel, work from home, or use cloud apps, knowing gets even harder. Ad-hoc data is everywhere.

Tools such as those provided by RiskIQ are designed to find data. In some cases that data is sitting on someone else’s server (such as a competitor or in a darknet chat room, for sale).

Digital assets, not hardware infrastructure, are what assessing risk is all about. So consider the following:

ACCESS CONTROL – ACCESS TO DIGITAL ASSETS: People (and now robots) access data. Behind every data breach is a person. Some people have access, so they’re authorized. But not all authorized people are doing things they’re authorized to do.

Does your assessment include the people inside the organization? It should. Remember, 75% of internal workers admit they steal from their employer (as referenced earlier).

PEOPLE: Given all that’s just been said, be sure to include interviews (more details on this in my book, The House & The Cloud pg. 196).

DATA ASSET TRANSMISSION & STORAGE: Once you know where the data is, you want to know who accesses it, from where, when, and why. Data transmission and storage is part of a company’s workflow. So include in your scope, an analysis of assets as follows:

  • Creation: Understanding who is creating assets, when, and where is important. Most end-users don’t see their data as valuable or desirable outside their department or work function (this is true even when it comes to medical data). More importantly, they fail to realize how much data they are actually creating, and how data aggregation and deep machine learning can extrapolate and derive all kinds of intelligence from their daily activities.
  • Application: Data is then used by various applications, requiring transmission between applications, people, cloud services, etc. Are these applications secure? Who has access, and who controls that data when applications are hosted in another country?
  • Transmission: This includes all network and wireless links (including Bluetooth, etc.). Looking at transmission has to do with traffic and protocols. So include traffic analysis: what protocols are found? (e.g. Does IRC chat traffic belong on this network? Probably not. Did you look for it?)
  • Storage: All data gets stored at some point – even if it’s just in memory. Did you know copy machines store images of everything (and then those leased machines get placed in new businesses as your client upgrades)? And then there’s personal devices, personal email accounts, and the list goes on…are these considered part of the scope?
  • Archival: Data retention policies are key here. Is this data encrypted and does it get deleted at some point (according to policy)? A subpoena at the wrong time, right after an unscheduled deletion, could raise some eyebrows. Are cloud service providers storing this data locally, or is it international – under some other country’s privacy laws? Who owns that data? What if the cloud provider goes out of business or is acquired?
  • Destruction: Then there’s data disposal. Do the end-users understand the difference between hitting the delete key and deleting a file? In most cases, no!

TRUE SECURITY (ALL THREE ASPECTS): Security can be looked at several ways. The CISSP (ISC2.ORG) common body of knowledge covers 7 major disciplines (and this varies over time). Most security professionals recognize three pillars:

  1. Confidentiality
  2. Integrity
  3. Availability

All three should be considered in the scope. I’ll provide more detail on approach in a future writing…but be sure to cover all three.

SOCIAL ENGINEERING: Social engineering is part of just about every cybercrime incident (probably all of them). However, it’s rarely part of the assessment. Again, go back to the purpose: identifying risk. The amount of risk a company has depends heavily on how susceptible its end-users are to a ruse.

Testing them is one way to uncover weaknesses – such as an email phishing test. In any case, some thought should be given to their current security awareness program, policy (covered below), and security culture.

POLICY: I’ve heard security experts say, all security breaches are the result of some policy not being followed, or not existing. I don’t know if that’s always true, but it does carry some weight.

Most policies are written to satisfy some compliance officer, not guide the daily activities of end-users, who create, use, and store digital assets all day long. Include a review, not only of the written policy, but how it’s used and enforced.

WHAT ABOUT AUDITS: This is not an audit, so don’t treat it like one. Audits are about being compliant (get your compliance offering going with HIPAA here) against some standard or law. They don’t measure risk.

So take time to educate your buyer on the difference. The goal should be to comply with the law, and then make sure things are secure. One does not satisfy the other.

Reference an Approach (NIST)

Finally, security can be defined differently by different people, so just what does it mean to be secure? Or to assess risk?

Having certifications such as the CISSP (ISC2.ORG) or GIAC (SANS.ORG) can go a long way in proving to your buyer that you understand security.

Security engineers are not required to have their PE or Engineering Certificate, or be authorized by a board in the way doctors or lawyers are.  While I am not in favor of more big government oversight (like what we’re seeing in the ever-frustrating world of healthcare), pointing to a standard or framework (such as NIST) is powerful when selling.

Most salespeople (your competition) are not going to be able to articulate what standards and frameworks (such as NIST) mean. So take some time and educate yourself on what I call The Wall Street Journal Version of NIST (or whatever standard your firm will follow). You can check out my recent article on Understanding NIST here.

And the Winner Is…

Do you want to win your next sales opportunity?

Assessments open doors and allow you to prove your value…however,…

Assessing Risk is a business function. Like Disaster Recovery/ Business Impact Analysis (which are really just one of the security disciplines) it is the executive team that needs an understanding of their exposure and impact/likelihood…the odds they’ll suffer a loss.

And this explains why high-end consulting firms like PwC and KPMG have long been welcomed in the board room, while resellers and most hardware manufacturers continue to hit the down button when getting on the elevator.

© 2017, David Stelzl

P.S. Get the entire security sales approach here (The House & The Cloud) – the only book out there with a clear methodology for selling high-margin security business.


There’s Big Money In Risk Assessments

If You Know How To Sell Them…

But You Must Start Here If You Plan to Succeed:

A couple of weeks ago I wrote about free assessments – an incredibly fast (yet misunderstood) way to create business, when the prospect doesn’t understand their true needs (which seems to be more often than not).

The question is, is there a time to charge? And if so, how much, what scope, where do you start?

In this Part I article, I’ll show you where to begin when creating new business through fee based assessments…

What Your Client Needs, and Where to Begin Your Sales Process

First, it’s important to start where people are, and then take them to where they need to go. In other words, you can’t sell someone what they need, when they don’t yet know their needs. Great marketing starts by understanding the buyer’s desires, and then reframing that prospect’s thinking.

Most larger (fee based) assessment opportunities start with an IT person. If the prospect-company lacks an IT group, they’re probably too small to command a reasonable price for assessing. In that case, I’d go back to FREE ASSESSMENTS and sell them the recurring revenue-managed services & security program. That is what they really need…

Think Like a Psychologist, And Listen to Your Prospect’s Pressing Need…(But Don’t Try to Sell Them Anything Yet)

When asked to quote an assessment, you might be tempted to jump in and start your discovery; how many firewalls, how many servers, do you want applications assessed too?

This is the wrong approach!

Leading with technical questions leads to competing on price.

The IT person has something in mind…is it a true risk assessment? Did they call it something else; Pen Test, Vulnerability Assessment, Audit, etc. Do they know the difference? (Probably not).

Establish your contact’s desire first. Ask them, “What is it you’re looking for?” And, “WHY do you need it?”

This second question is the more important question (WHY). Expect answers like, “To see if we’re secure,” or “To show our clients we are secure.” You see the problem here?

First, you know that there is no such thing as being “secure”. Second, the assessment is only going to reveal problems this company didn’t know existed. So the idea of certifying your buyer’s infrastructure is a fallacy.

It’s time to reframe (EDUCATE)!

Find out where this request is coming from and what’s been done in the past.

ASK THEM:

  • Is this request coming down from the CIO? The Board? The President?
  • Is there a compliance requirement here, or is this just about internal data security?
  • What are the stakeholders looking for in terms of a deliverable? Have you done this before? (Getting a past deliverable can be invaluable.)
  • Who else are you considering for this project (This is a key question most are afraid to ask)?
  • And be sure to ask about their selection criteria!

Avoiding the Price Game – And The Steve Jobs Wanna-Be

Chances are your IT contact doesn’t really know what’s going on. He needs an assessment or pen test, and probably doesn’t know the difference. At this point he’s looking to you for a comparison quote. The last thing you want to do is give him what he’s asking for.

Your IT contact is just a cog in the larger wheel of technology bureaucracy. (Note: if your contact is actually part of a security team, the approach will be different.)

I’m specifically talking about IT here, and I started my career in IT, working for two different F500 companies. I’ve seen this from the other side. Don’t overestimate what IT knows about security.

If you simply respond to a bid, or scope out what IT is requesting, the buyer will have nothing to match your price against (in terms of value) other than your competition’s bids and his budget.

Comparisons against anything other than established need and value are meaningless, and simply lead to price wars.

In every competitive deal there’s at least one guy working out of his garage, offering low-ball prices (and they’re not Steve Jobs or Steve Wozniak). You don’t want the truck-slammers of the world to be the yardstick by which buyers vet your price.

Reframing Your Prospect’s Thinking

Here’s what happened the last time I worked on a competitive assessment deal…

I was hired by a reseller to work closely with their sales team as a coach/advisor…

(Years ago I had built and led the Security Team for a large global integrator, where we primarily led with assessments – so this call was not new territory).

As expected, our new prospect was looking for an assessment – in his words, a vulnerability assessment. After going through the steps outlined above, we began our reframing process.

First, we asked him, “Do you know what your board is asking your CIO for?” His answer was predictably vague. How would he know?

Next, my client (the reseller) drew the Impact vs. Likelihood Graph on the whiteboard (page 194 in my book, The House & The Cloud). He began to review the five things board members demand:

  1. What are our most important data assets, and where are they?
  2. What are the odds we’ll suffer some major intrusion or outage?
  3. What is our estimated impact?
  4. How are we working to minimize this risk?
  5. Are we getting better or worse over time? How are we managing to it?


Time To Bring Out The One Thing That Sets You Apart From the 13…

Without calling out our competition (never a good thing to do), we began to describe what most vulnerability assessments look like, how they’re approached (something for a future article), and why they aren’t going to satisfy the board’s request.

At that point, my client (the reseller I had been working on the House & Cloud Concepts with) pulled out a sample deliverable (with no intention of leaving it with the prospect) and began to go through the type of deliverable that would make an IT Director a hero…

Deal closed…Well, There’s more to it, but this is just Part I of a predictable assessment sales process designed to front-end big profits and future business.

© David Stelzl, 2017


Just coming back to my hotel after delivering my keynote at the Ingram Micro Event…several asked if I recorded it, which I did not…however, here is a 10 min recap on some key concepts:

© 2010, David Stelzl
