Archives For selling security solutions

There’s Big Money In Risk Assessments

If You Know How To Sell Them…

But You Must Start Here If You Plan to Succeed:

A couple of weeks ago I wrote about free assessments – an incredibly fast (yet misunderstood) way to create business, when the prospect doesn’t understand their true needs (which seems to be more often than not).

The question is, is there a time to charge? And if so, how much, what scope, where do you start?

In this Part I article, I’ll show you where to begin when creating new business through fee based assessments…

What Your Client Needs, and Where to Begin Your Sales Process

First, it’s important to start where people are, and then take them to where they need to go. In other words, you can’t sell someone what they need, when they don’t yet know their needs. Great marketing starts by understanding the buyer’s desires, and then reframing that prospect’s thinking.

Most larger (fee based) assessment opportunities start with an IT person. If the prospect-company lacks an IT group, they’re probably too small to command a reasonable price for assessing. In that case, I’d go back to FREE ASSESSMENTS and sell them the recurring revenue-managed services & security program. That is what they really need…

Think Like a Psychologist, And Listen to Your Prospect’s Pressing Need…(But Don’t Try to Sell Them Anything Yet)

When asked to quote an assessment, you might be tempted to jump in and start your discovery; how many firewalls, how many servers, do you want applications assessed too?

This is the wrong approach!!!!

Leading with technical questions leads to competing on price.

The IT person has something in mind…is it a true risk assessment? Did they call it something else; Pen Test, Vulnerability Assessment, Audit, etc. Do they know the difference? (Probably not).

Establish your contact’s desire first. Ask them, “What is it you’re looking for?” And, “WHY do you need it?”

This second question is the more important question (WHY). Expect answers like, “To see if we’re secure,” or “To show our clients we are secure.” You see the problem here?

First, you know that there is no such thing as being “secure”. Second, the assessment is only going to reveal problems this company didn’t know existed. So the idea of certifying your buyer’s infrastructure is a fallacy.

It’s time to reframe (EDUCATE)!!!

Find out where this request is coming from and what’s been done in the past.


  • Is this request coming down from the CIO? The Board? The President?
  • Is there a compliance requirement here, or is this just about internal data security?
  • What are the stakeholders looking for in terms of a deliverable? Have you done this before? (Getting a past deliverable can be invaluable).
  • Who else are you considering for this project (This is a key question most are afraid to ask)?
  • And be sure to ask about their selection criteria!

Avoiding the Price Game – And The Steve Jobs Wanna-Be

Chances are your IT contact doesn’t really know what’s going on. He needs an assessment or pen test, and probably doesn’t know the difference. At this point he’s looking to you for a comparison quote.  The last thing you want to do is give him what he’s asking for.

Your IT contact is just a cog in the larger wheel of technology bureaucracy. (Note, if your contact is actually part of a security team, the approach will be different.)

I’m specifically talking about IT here – and I started my career in IT, working for two different F500 companies. I’ve seen this from the other side. Don’t overestimate what IT knows about security.

If you simply respond to a bid, or scope out what IT is requesting, the buyer will have nothing to match your price against (in terms of value) other than your competition’s bids and his budget.

Comparisons against anything other than established need and value are meaningless, and simply lead to price wars.

In every competitive deal there’s at least one guy working out of his garage, offering low-ball prices (and they’re not Steve Jobs or Steve Wozniak). You don’t want the truck-slammers of the world to be the yardstick by which buyers vet your price.

Reframing Your Prospect’s Thinking

Here’s what happened the last time I worked on a competitive assessment deal…

I was hired by a reseller to work closely with their sales team as a coach/advisor…

(Years ago I had built and led the Security Team for a large global integrator, where we primarily led with assessments – so this call was not new territory).

As expected, our new prospect was looking for an assessment – in his words, a vulnerability assessment. After going through the steps outlined above, we began our reframing process.

First, we asked him, “Do you know what your board is asking your CIO for?” His answer was predictably vague. How would he know?

Next, my client (the reseller) drew the Impact vs. Likelihood Graph on the whiteboard (Page 194 in my book, The House & The Cloud).  He began to review the five things board members demand:

  1. What are our most important data assets, and where are they?
  2. What are the odds we’ll suffer some major intrusion or outage?
  3. What is our estimated impact?
  4. How are we working to minimize this risk?
  5. Are we getting better or worse over time? How are we managing to it?

Time To Bring Out The One Thing That Sets You Apart From the 13…

Without calling out our competition (never a good thing to do), we began to describe what most vulnerability assessments look like, how they’re approached (something for a future article), and why they aren’t going to satisfy the board’s request.

At that point, my client (the reseller I had been working on the House & Cloud Concepts with) pulled out a sample deliverable (with no intention of leaving it with the prospect) and began to go through the type of deliverable that would make an IT Director a hero…

Deal closed…Well, There’s more to it, but this is just Part I of a predictable assessment sales process designed to front-end big profits and future business.

© David Stelzl, 2017



The Follow Up Plan Determines Success or Failure

What happens After You Conduct a Live Lunch & Learn Event…Is It Successful?

In my last post I talked about raising your conversion numbers. Successful lunch & learns convert. Mine are converting at about 99% over the past 12 months. Meaning, if 30 people come to the event, I expect all of them to convert to an assessment – the one thing I find that regularly leads to ongoing business.

Today I’d like to look at the follow up plan. If you don’t follow up correctly, you can’t expect to get business out of it.

Follow Up Starts At The Event

Your follow up program starts right there at the event. Step one is asking your attendees to sign up for something at the event. The best time to do that is while you are speaking.

When I go out to speak I will often offer my audience something as I am speaking. As a speaker, I don’t have an assessment. But one strategy that works well is to offer a video to the audience. For instance, when I see the audience is really engaged – there’s energy in the room and they’re on the edge of their seats, I’ll say, “How many of you would like a summary video of what I am getting ready to explain right now?” 90% will raise their hands. At that point I will say, “Pull out your business card, write VIDEO on it, and pass it up to me.” The response is predictable.

You can do the same with assessments. And I am doing that every month as I go out and speak to business leaders on behalf of a hosting reseller…

(If you’d like some help putting something like this together – click here on my contact form and type – Help Me Convert! and press submit).

The Power of Free Assessments to Convert

I also recommend using a free or complimentary assessment. I get more pushback on this than anything else I recommend. But the fact is, this converts 60 to 80% of the time. The ROI is there so try it.

Paid assessments are great – but if you’re selling low end, $2500 assessments, to the SMB, or assessments to larger firms for under $10K, you probably don’t have any margin left anyway. And your conversion is probably low. Your sales cycle on the other hand, is likely high.

The complimentary assessment should only be offered in exchange for something – like a leader showing up at an event. Don’t advertise it on your website.

Use it as leverage. Insist on doing it your way – after all, they didn’t pay. So if the decision maker won’t invest any time, stop the process. If they refuse to show up to a final review meeting, don’t hand it in. Use the complimentary assessment to gain the audience you need to close the business. You can’t do this if they’ve paid you. Once you’re paid, they control the process.

You Have About Four Weeks

Time is short. When you make the conversion in the meeting, emotions are high. High conversion rates mean an emotional response is taking place. It’s no different than an old-fashioned revival meeting. The hands go up, and the more people see hands going up, the more they want to raise their hand.

But this emotion won’t last. You know they have a need. They don’t. But with this emotional response comes a willingness to let you look under the covers. It’s your chance to build a second emotional response that has substance behind it. Assess and find the urgent things.

You have about 4 weeks to get this done. Once that time expires, the emotions go down. It will be harder to get them to act at this point. So follow up quickly and get it done. Don’t invite more people to your event than you can effectively follow up on.

© 2016, David Stelzl

PS. Get more in The House & The Cloud! The only book with step by step instructions on closing security and managed services business.


Imminent Danger, Not Compliance Requirements, Will Move CISOs

Undeniable justification is built when the client sees imminent danger.

The security sale is powerful simply because every company you deal with has inadequate security protection. And they always will because the hackers are always one step ahead of the rest of us. As technologies continue to evolve, you should be providing more DETECTION type controls, and upgrading your client to more sophisticated, and perhaps remotely managed security systems. Compliance concerns will not drive this initiative – but danger will.

Squashing the Typical IT Response

I’ll never forget a sales call I had with an electronics manufacturer in the southeast years ago. After weeks of trying to get a meeting, we finally made our way in to see the CIO and several members of the IT support staff. It seemed like every question we came up with, and every issue we referenced, they “had it covered.”

That seems to be the common theme with IT people – they always have it covered.

After about 45 minutes of this back and forth conversation, we were clearly headed nowhere. This meeting was a waste of time. Gathering our documents, I made one last-ditch effort. Looking at the CISO I simply said, “It sounds like your team has it covered. It’s amazing to me when a small company like yours has such a sophisticated security strategy. Over the past year NASA, the Pentagon, the FBI, and the CIA have all been compromised. I don’t think I’ve ever been inside a company that had better security than these organizations. How do you do it?”

On my way out the CISO stopped me. “We need to talk,” he said. Apparently his team thought they had it covered, but he wasn’t so sure. Finally we were ready to engage in some honest discussion.

Compliance and Cyber Crime Threats Don’t Work – So What Does?

IT people, according to recent reports from the Wall Street Journal, are afraid to admit they have security problems. So, where do you take these meetings? If compliance and cyber-crime are not sufficient motivators, what will create the justification needed for the security sale?

Two Powerful Pathways to New Opportunities:

  1. Demand Generation Events: In my Event Marketing Success Kit, I lay out a complete strategy for inviting key decision makers to an educational event, with a well planned program that will convert them to clients using risk assessments. On average we see conversion rates of 75% or more from attending to participating in the assessment process.  Why? Because the need is real – but it requires some honest discussion at the asset owner level.
  2. Client Business Initiatives: Companies all around us are in the process of migrating to new, disruptive technology applications. We see a tremendous migration to cloud, BYOD (Bring Your Own Device), big data, and collaborative technologies. Each of these represents a major change in the computing architecture, requiring a new look at security. This is the perfect time to raise the security issues.

In either case, asset risk levels are affected, and there’s an opportunity to review security with your clients. Notice that we’re not waiting for them to initiate the requisition of security product. That’s the third way to sell, but not a good one. Product proposals without proper justification only lead to price wars.

© 2014, David Stelzl

“If the financial institutions can’t reach the victims to ask about the suspicious activity, the transactions often go through” (WSJ)…Here’s how it works.  Hackers, using automated dial programs, bombard companies with calls, tying up their phone lines, while raiding brokerage and banking accounts.  The banks will try to contact the business if they suspect foul play, but if they can’t get through, they will likely let the transactions go through.   Knowing the trends puts you in the adviser role with your clients – here is just one more example of the simple, but effective tactics being used by cybercriminals right now.

In a recent string of crimes, hackers “allegedly used a ‘malware’ program called ‘Zeus Trojan’ to hijack accounts, embedding it in email messages and attachments. Once installed, it grabbed user names and passwords from banking and brokerage accounts, enabling the alleged thieves to drain the accounts.” Once again, firewalls were no match against tactics that use unsecured email systems to break in. Another opportunity for securing email and monitoring network activity as well as end-node security.

And this went on for a week with some victims!  Read the article, it’s worth the 5 minutes it will take you: (CLICK)

© 2010, David S

The 9/23 Denver Post Article on Business Identity Theft is a “Must Read” (CLICK)!

Especially if you are calling on business owners or top executives of privately owned businesses.  The article focuses on Denver, however they explain that this is an easy hit, and likely happening all over the country!  Here are the basic sound bites, then read the article to fill in the details…if you know of other articles on this subject, please reference them in the comments section of this blog post…I think business owners will get this message if delivered properly.

It’s easy!  “Corporate information is hijacked and millions of dollars in phony credit purchases are made…”

1. Corporations are all registered online today, so with an Internet access point, anyone can access public records of a corporation. The point of doing this is to make changes, which anyone can do if they pay the fee – which might be around $10. By doing this you can simply add your name to the corporate records as an officer. Another tack is to find the corporate records of a dormant account – a company that is not active, of which there are many.

2. Once this is in place, the new officer can apply for credit. The credit checks will be done through D&B and of course they will be looking at the public records to verify that you are in fact an officer. (Note, it is possible to protect this information, however it costs more money and many companies have not spent the extra money to do this).

3. Once credit is approved, and given this is a company, credit allowances are likely to be much larger than individual credit lines, the fake officer now has the ability to get credit cards and begin spending. This is so easy, I’m surprised it took this long for someone to figure it out.

What’s the point? If you sell information security solutions, you now have one more thing to advise executives on. The key to selling security is demonstrating an ability to measure impact and likelihood of loss, and then showing that likelihood is higher than expected and high enough to demand action. This is just one more area where likelihood is high, and business owners are in the dark.

© 2010 David Stelzl