Archives For selling security

Home Depot In the Headlines

Expect This to be a Daily Thing Over the Next Several Weeks

How would your customers like to be Home Depot right now?

Who’s at risk? Remember Sound Bites? I talk about this extensively in The House & the Cloud. And the new edition has an entire chapter on how to effectively use sound bites, and how to not use them.

Home Depot is heating up and overtaking the stage from Target. The number might exceed 60 million identities on this one – up from 40 million with Target. The amount of time these hackers had access is certainly longer. Let’s look at some key sound bites coming to the forefront of this story…

  • “U.S. states probe Home Depot breach, senators seek FTC investigation” – How about this for a headline? This should wake up just about any CIO. How would your customers like to have the FTC investigating? It gets worse… (Read the entire article).
  • “Two senators asked the federal government to investigate a data breach on the payment-card processing systems,” – If the FTC isn’t enough, how about having senators and other governmental officials requesting more investigation. This makes it sound like Home Depot isn’t really on top of this.
  • “An Illinois customer sued Home Depot saying the company failed to properly safeguard customer data from hackers.” – The lawsuits are just starting…Home Depot didn’t properly safeguard the data? That’s  a due care issue and a serious one if they prove it.
  • “The news also caught the attention of credit ratings agency Moody’s, which said the attack is a “negative” factor.” – Credit ratings are taking a hit?
  • “If Home Depot failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects such information,” the senators said in a statement. “Such conduct is potentially unfair and deceptive, and therefore could violate the FTC Act.” – speaking of  the two senators above.
  • “When asked if investigators had confirmed the attackers had been removed from the company’s network, Drake declined to comment.” – Translation: they don’t really know. If Home Depot’s network is under control now, don’t you think they would be broadcasting that fact loud and clear? This has to be bad for business.
  • “Home Depot shares fell 2.1 percent to $88.93” – and of course a fall in stock price. Expect to see some numbers on how much this is going to cost the company.  It was 1.4 million last time I saw numbers on Target. Will this exceed that?

The Really Scary Part of this is that Home Depot did not Detect the Attack!

These hackers have been in the systems for at least 4 months according to WSJ reports, but it was the banks reporting fraudulent activity that brought this to light. In The House & the Cloud I discuss the need for detection – I point out that perimeter protection only keeps the honest people out. At least Target detected their attackers within weeks of the attack. This is a disaster.

How can shoppers go back to Home Depot if they’re not sure things are repaired? The company says card holders won’t be responsible for fraudulent charges. Will that be the case on debit card transactions too? And what about those who don’t take the time to scrub through all of their cards and transactions? Will the bank notice a wrong transaction and call it to the consumer’s attention? Maybe, but maybe not.

What To Do With This…

This is the perfect time to create some sort of briefing! You have Target, Home Depot, Chip & Pin trends, PCI and compliance…was Home Depot PCI compliant? I didn’t see that mentioned, but I bet they were!  If that’s the case, what does that say about PCI compliance? Does compliance make a company secure?

Next week I’ll be speaking to CIOs in the DC area at a reseller lunch & learn. (Thanks to Check Point for sponsoring this event!) What are you going to do with it? It’s not all about Home Depot – it’s about hackers, their tools, and the weak security programs these companies have in place.

If you provide security solutions and managed services, don’t just go in spouting off about Home Depot. Instead, consider the briefing approach. What trends are relevant right now? What mistakes are companies making? What does this have to do with PCI compliance? What tools, education, and processes should be put in place to prevent this sort of thing? We can’t change the dates on Chip & Pin requirements, but we can show business leaders how to become a less attractive target for hackers.

© 2014, David Stelzl


What Questions will get the CIO’s attention?

The better you know what it means to be a CIO, the better chance you have of making it through a meeting with one. 

If you know something about information security – you’re in luck. It’s time to strike. With Target in mind and Home Depot in question, Rachael King, writer for the WSJ, tells us board members are asking lots of questions. I suspect the CIOs don’t have the answers. How could they?

In a recent interview, John Stewart, chief security officer at Cisco Systems, was asked, “What questions are being asked?” So maybe it’s less about asking the CIO questions and more about knowing the questions CIOs are being asked – questions they don’t have answers to. This is the heart of what I call Predictable Messaging.

If you know what CIOs are being hit with – if you know the questions they’ll be asked, and that they probably don’t have answers to… and you know how to get answers, you might become one of their most valuable assets.

Here are three questions reported this week by the WSJ (from Stewart’s Interview):


  1. “Do you have a set of security controls that are provably in place, are measurable and are actually effective for the state of business and all the business types you’re currently operating? Even if the answer is no, Mr. Stewart said that he hopes this question starts a conversation in the business about how cybersecurity needs to be approached.”
  2. “Have you ever had any material breaches that have or have not been reported to the board and should have been?”
  3. “With regard to cybersecurity is there anything else I should know right now?”

Chances are the CIO won’t give you answers to these questions… however, knowing what they’re being asked is the key. Can you help them answer these questions? Going back to an earlier post – do you know the top 3-5 threats, how likely they are to hit this company, and how the company is trending with security – up or down… and how do we know? These are all things the board wants to know.


© 2014, David Stelzl



Four Big Problems That Will Derail Your Sale

Here is the problem with most technology companies…

Actually there are four,

…and if you’re honest you’ll recognize that your company has all four.

  • The Sales Problem. The sale is technical – too technical. Sales calls focus on technical people, technical products, and are conducted using technical presentations. The smarter your presales technical guy is, the better you feel about your chances of winning. On the other hand, there’s no pressing need and the deal often comes down to price comparisons as you respond to requests for proposals and quotations on products. You spend many hours working through issues that really don’t matter to a non-asset owner.
  • The Marketing Problem. There’s a marketing disconnect. Most sales people are not happy with the marketing department, and marketing is not sure why sales won’t use their stuff. If you’re a marketing professional with real marketing expertise, or you have one in your company, you’re one of the few. Most of the resellers, and even smaller manufacturing companies don’t have marketing people who understand the power of direct response marketing, and how to make it work. Big companies spend millions on branding, but that won’t translate into sales in your region.
  • The Assessment Problem. With compliance laws and uncertainty, people are assessing security. However, the assessments are not turning into remediation projects. Only about 20% of the assessments I see turn into projects or managed services contracts. Given that almost all assessments turn up issues I would call “urgent”, it doesn’t make sense that they wouldn’t convert to project work almost every time. Most assessments are too technical, focus on the wrong things, don’t highlight the urgency, and never reach the asset owner.
  • The Presentation Problem. Chances are your company presentation is boring. It looks like every other technology-company presentation. It starts with your company name, how big you are, years in business, certifications, some great clients, and the products or services you provide. They all look the same. If you’ve had trouble booking new appointments with C-level executives to show your corporate presentation, I’m not surprised.

The updated version of The House & the Cloud is nearly complete.  I’ve added answers to all four problems described above, and demonstrated how a great security value proposition, with a security sales strategy can alleviate these issues.  Stay tuned…it should be going to print soon!

© 2014, David Stelzl


A Big Thanks to ePlus and Their Partners for Hosting Yesterday’s Security Event!

Yesterday, ePlus, along with their vendor partners, hosted an executive lunch meeting to discuss security and the future of disruptive technologies, and how security must change in 2014.

This just happened to coincide with Heartbleed – one of the biggest disasters we’ve seen yet on the Internet. At the end of the session, ePlus offered to provide an assessment to those who attended, helping them uncover anything that might not be in line with the protection needed to guard against current threats.

The Biggest Problem With Security

In my keynote, I addressed what I believe are some of the biggest problems with companies’ security strategies right now. There are all kinds of problems out there, but I firmly believe the biggest one is that corporate leaders think their systems and networks are more secure than they really are.

Target thought they were PCI compliant, until they were hacked – and I guess since the PCI people said they were, they were. Are they still?

66% of Internet web server administrators probably had no idea that OpenSSL was broken, and had been for two years… so for two years they’ve been saying, “We’ve got it covered,” and for two years, they’ve been dead wrong. Could they have known? Probably not, since the bug wasn’t known. But it’s that attitude that bothers me: the arrogant answer of “We’re all set” that makes company leaders think they are more secure than they are.

Great Time To Review the Rest of Your Strategy

There are some great tips out there on what to do now.  I suspect that most companies will jump on this update and get their webservers in order. Somehow the Heartbleed patch needs to be validated by the PCI police.  Will the users all change their passwords too? Probably not.  But this is a great time for companies to reevaluate their security overall.  Don’t stop at SSL – consider looking at the rest of it. If you’re a technology reseller or consulting company, I would recommend contacting every one of your customers by Monday with a simple plan to help them ensure their systems are set up correctly. If the end-users of that company are using outside websites (which of course they are) for shopping, social media, daycare, and who knows what else, their credentials are now compromised. If they don’t update them, they are creating an avenue back into their company’s secure systems.  Chances are they are using the same password on everything they touch from email to Yahoo, and their ERP systems.

© 2014, David Stelzl


The weakest Firewall is the Human Firewall!

The Human Firewall. That’s the person sitting behind the screen, creating, using, and sending digital assets. It doesn’t matter how great your client’s perimeter defense is when their end-users are traveling all over the world, sporting the latest mobile devices full of highly sensitive data, or are just plain ignorant of the risks involved in processing sensitive data. It’s time to move beyond IT… to the place where it happens.

Example: My Credit Card Number

Just this week one of my employees was setting up travel – I’ll be delivering the keynote at Westcon’s upcoming security conference in Park City, Utah, just about a month from now.  In the process of scheduling transportation to and from the airport with the hotel concierge, we received back a confirmation email.  I’m sure the hotel has a firewall – maybe a great one!  But the email they sent contains just about everything a hacker would want to know about me – including my entire credit card number and expiration date.

I responded by contacting the manager over the concierge services…Naming the person who sent the email, I was told that the sender was new.  They started their job just two weeks ago – he was sorry about the mishap.  Not completely happy with this answer, I asked him if he knew why this was a problem…his response was about half-right.  He seemed to get the fact that people can see email content.  Pressing further, I asked him if he understood what PCI Compliance was, what a violation would mean to his hotel, and how Visa might respond if I were to put a call into them.  He was clueless.

Somewhat enjoying this conversation (despite the fact that my credit card is probably posted on various websites around the world by now), I mentioned my keynote next month…speaking on this very thing.  I noted that this might make an excellent example…again he apologized and we ended the call.

The opportunity Sits with the Business Side Managers

Stories like this one create opportunities.  The business side managers are liable for what their employees are doing.  If this type of thing creates a real problem, it’s going to cost the company money – big money.  Target is going to pay for credit reporting, and Target customers were thinking twice about pulling out their credit card a week before Christmas last month.  Companies can’t afford this – and it’s far more expensive than your proposals to fix it.  But you can’t sell this to IT.  It’s time to move out to the business units.  Arm yourself with stories of disaster – learn to communicate the impact vs. likelihood message from my House & the Cloud book.  IT does not have this one covered!

© 2014, David Stelzl




Well in Denver earlier this week I was out and about with just a suit jacket… it was close to 60 degrees during the day. That was the first half of my week. On to Chicago, and it’s definitely winter (as you can see from my snowy car picture).

Today I’ll be working with a company on their security business strategy – their go-to-market plan to grow security sales in 2013.  Hopefully you have one of these…if not, it’s not too late.  But don’t go into February without one.

This morning’s Wall Street Journal answers the question on how relevant this business direction is: “Security is moving from a functional IT area, often below the paygrade of CIOs, to strategic importance at the highest levels of corporations. IT security’s rise from being a functional area to a board level concern is maybe the fastest I’ve ever seen,” says Thomas Sanzone, senior vice president of consulting firm Booz Allen Hamilton Inc… so is this a smart direction? Yes!

I had the privilege of sharing the stage with Bob Bragdon of CSO magazine earlier this week (in Denver), and he shared with us that only about half of Fortune 2000 executives believe they are well equipped in their security strategy. He then showed us a study CSO conducted, showing that really, only about 8% of them actually have something in place – the rest are in big trouble. In an article I referenced last week, Wall Street reported on security, quoting cybersecurity experts who believe that every major company in the US has been infiltrated by hackers – the new wave of threats, according to Bragdon, is more focused on stealing intellectual capital than credit card fraud. Other countries are slowly stripping us of our innovation and intellectual capital. There is no one single incident big enough to lead us into a war, but if we don’t do something soon, we’ll find ourselves completely exposed and crushed in a market of copycats and cheap overseas products. This is not good. (Worse, they are in our DoD systems!)

In a recent meeting with the former CIO of a large Florida university system, who also served in the military working with intelligence, I was told  that, “Our country is behind in the area of cyberwarfare.”  Other countries are attacking – note the recent attacks on major banks in this country, yet we are unable to prove who is responsible.  “It’s no longer a 2-dimensional war” he said, “That’s all our military leadership really understands…”

So is security still relevant?  It’s probably more relevant today than it was 10 years ago when organized crime began raiding databases to steal credit card information.

© 2013, David Stelzl

Yesterday I completed day 1 of the Making Money w/ Security Virtual Workshop. One of the topics we discussed is that of using sound bites effectively.

What are sound bites?  Sound bites are short, factual statements, that come from solid sources.  They communicate something serious, alarming, insightful, or amazing.  They build credibility.  When a sales rep is armed with numerous sound bites from credible sources, they appear to be well educated, well read, and in touch with the trends.  Over time, having read and memorized enough sound bites, that person will be knowledgeable. After all, knowledge is gained mostly through the study of good books.  Isn’t that what changed most of us over the four to six years we spent in college?  Here’s a quick overview of the process…

1. Determine what you aim to be an expert in. What will you be a trusted adviser of? Let’s assume it is securing mission critical information – the focus of this week’s workshop.

2. Study newsworthy sources and discover the trends – pick out the sound bites.  “If you think U.S. Military computer networks are secure, think again.”  Security experts report to the U.S. Senate committee – March 23, 2012.

3. Memorize these quotes – if you spend 15 minutes each day, scan the news, and pick out just one, you’ll have countless up-to-date quotes at your fingertips the next time you meet with a CIO.

4. Use these sound bites to communicate truths to executives.  Their IT people are telling them “We’ve got it covered.”  In fact, 71% of mid-size companies believe (because their IT people tell them), that everything is fine.  90% of Visa’s reported fraud cases come from this same group, and the FBI tells us that it takes at least 15 months before people realize they’ve been attacked.

5. What did I just do?  I defeated the IT person’s argument by quoting the Wall Street Journal – that is the appropriate use of a sound bite.  Rather than bickering with IT about how secure they are, simply pull out a sound bite that suggests that they have been infiltrated, and that they probably wouldn’t know – so how can they be sure?  Who will the executive believe?  It’s no longer my word against theirs – it’s IT vs. The Wall Street Journal report, the FBI, DoD…etc.

Having been on many security sales calls over the past 20 years, I can attest to this idea – it works. Executives don’t trust sales people, but they don’t trust IT either… they do trust experts, The Wall Street Journal, Gartner, etc. Your job is to persuade, not argue. Persuasion is “Guiding truth around other people’s mental roadblocks.” (Quoted from The Character Training Institute). Discover the truths written by the experts, memorize them, and then guide them around these roadblocks that resist knowing how insecure the network really is.

© 2013, David Stelzl