Archives For vulnerability assessment

There’s Big Money In Risk Assessments

If You Know How To Sell Them…

But You Must Start Here If You Plan to Succeed:

A couple of weeks ago I wrote about free assessments – an incredibly fast (yet misunderstood) way to create business, when the prospect doesn’t understand their true needs (which seems to be more often than not).

The question is, is there a time to charge? And if so, how much, what scope, where do you start?

In this Part I article, I’ll show you where to begin when creating new business through fee based assessments…

What Your Client Needs, and Where to Begin Your Sales Process

First, it’s important to start where people are, and then take them to where they need to go. In other words, you can’t sell someone what they need, when they don’t yet know their needs. Great marketing starts by understanding the buyer’s desires, and then reframing that prospect’s thinking.

Most larger (fee based) assessment opportunities start with an IT person. If the prospect-company lacks an IT group, they’re probably too small to command a reasonable price for an assessment. In that case, I’d go back to FREE ASSESSMENTS and sell them the recurring-revenue managed services & security program. That is what they really need…

Think Like a Psychologist, And Listen to Your Prospect’s Pressing Need…(But Don’t Try to Sell Them Anything Yet)

When asked to quote an assessment, you might be tempted to jump in and start your discovery: how many firewalls, how many servers, do you want applications assessed too?

This is the wrong approach!!!!

Leading with technical questions leads to competing on price.

The IT person has something in mind…is it a true risk assessment? Did they call it something else: pen test, vulnerability assessment, audit? Do they know the difference? (Probably not.)

Establish your contact’s desire first. Ask them, “What is it you’re looking for?” And, “WHY do you need it?”

This second question is the more important question (WHY). Expect answers like, “To see if we’re secure,” or “To show our clients we are secure.” You see the problem here?

First, you know that there is no such thing as being “secure”. Second, the assessment is only going to reveal problems this company didn’t know existed. So the idea of certifying your buyer’s infrastructure is a fallacy.

It’s time to reframe (EDUCATE)!!!

Find out where this request is coming from and what’s been done in the past.

ASK THEM:

  • Is this request coming down from the CIO? The Board? The President?
  • Is there a compliance requirement here, or is this just about internal data security?
  • What are the stakeholders looking for in terms of a deliverable? Have you done this before? (Getting a past deliverable can be invaluable.)
  • Who else are you considering for this project? (This is a key question most are afraid to ask.)
  • And be sure to ask about their selection criteria!

Avoiding the Price Game – And The Steve Jobs Wanna-Be

Chances are your IT contact doesn’t really know what’s going on. He needs an assessment or pen test, and probably doesn’t know the difference. At this point he’s looking to you for a comparison quote. The last thing you want to do is give him what he’s asking for.

Your IT contact is just a cog in the larger wheel of technology bureaucracy. (Note: if your contact is actually part of a security team, the approach will be different.)

I’m specifically talking about IT here – and I started my career in IT, working for two different F500 companies. I’ve seen this from the other side. Don’t overestimate what IT knows about security.

If you simply respond to a bid, or scope out what IT is requesting, the buyer will have nothing to match your price against (in terms of value) other than your competition’s bids and his budget.

Comparisons against anything other than established need and value are meaningless, and simply lead to price wars.

In every competitive deal there’s at least one guy working out of his garage, offering low-ball prices (and they’re not Steve Jobs or Steve Wozniak). You don’t want the truck-slammers of the world to be the yardstick by which buyers vet your price.

Reframing Your Prospect’s Thinking

[Image: impact vs. likelihood graph]

Here’s what happened the last time I worked on a competitive assessment deal…

I was hired by a reseller to work closely with their sales team as a coach/advisor…

(Years ago I had built and led the Security Team for a large global integrator, where we primarily led with assessments – so this call was not new territory).

As expected, our new prospect was looking for an assessment – in his words, a vulnerability assessment. After going through the steps outlined above, we began our reframing process.

First, we asked him, “Do you know what your board is asking your CIO for?” His answer was predictably vague. How would he know?

Next, my client (the reseller) drew the Impact vs. Likelihood Graph on the whiteboard (Page 194 in my book, The House & The Cloud).  He began to review the five things board members demand:

  1. What are our most important data assets, and where are they?
  2. What are the odds we’ll suffer some major intrusion or outage?
  3. What is our estimated impact?
  4. How are we working to minimize this risk?
  5. Are we getting better or worse over time? How are we managing to it?


Time To Bring Out The One Thing That Sets You Apart From the 13…

Without calling out our competition (never a good thing to do), we began to describe what most vulnerability assessments look like, how they’re approached (something for a future article), and why they aren’t going to satisfy the board’s request.

At that point, my client (the reseller I had been coaching on the House & Cloud concepts) pulled out a sample deliverable (with no intention of leaving it with the prospect) and began to walk through the type of deliverable that would make an IT Director a hero…

Deal closed…Well, There’s more to it, but this is just Part I of a predictable assessment sales process designed to front-end big profits and future business.

© David Stelzl, 2017


We are just a little over a week away from my webinar with Ingram Micro on providing Undeniable Justification through the Security Assessment Process – a shortened version of my House & the Cloud sales process.  The more I work with companies on their proposals and assessment deliverables, the more I see the need to overhaul the process.  I was working with several people last week during individual sales coaching meetings to refine their documents.  Here are a few points to consider…

Re-engineering the Assessment Deliverable

  • These documents should be written to the decision maker, not IT.  If your SE is writing the deliverables, chances are that your documents are written to technical people, not economic buyers on the business side.  Most of these will not lead to larger remediation projects.
  • If your document is mostly lengthy paragraphs – and you have pages of paragraphs – it doesn’t really matter who you are writing to. No one will have time to read it. Stick to charts, graphs, diagrams, bullets, and a few paragraphs. If your assessment was done at no charge, you don’t need a long written report. You need something short and to the point (I recommend a PowerPoint document), supplemental to a great presentation on what you’ve found.
  • If your “Findings” section contains technical misconfiguration information, or possible vulnerabilities to some technical-sounding Trojan, you might consider changing it. Ask yourself, “So what?” So what will happen as a result? I call this the “So What?” test. Keep asking until you get to an urgent-sounding issue with business impact. For instance, on two documents I read last week, both reps were recommending managed services on the basis that one person can’t manage a group of 50 or 100 end-users. I kept asking, “How do you know?” The document made it sound obvious, but no justification was given. You can’t do this. Imagine you are the CFO, trying to save as much money as possible. Someone with a sales business card comes into your office and tries to convince you to sign a contract for several thousand dollars per month. You won’t do it unless you’re sure you need it. There must be some pretty strong evidence. I’m not saying you can’t find it – I’m simply stating that you need that evidence before proposing the solution.

I will be covering this and more, next week on a webinar sponsored by Ingram Micro – Wednesday, September 26th, at 1:00 PM ET.  You can sign up right here:
SIGN UP FOR DAVE STELZL/WITH INGRAM MICRO

Looking forward to seeing you there!

© 2012, David Stelzl


© 2011, David Stelzl

The fastest way to inculcate the concepts from our Making Money with Security class is to try them. Last week I had the opportunity to interact with one person attending the 3-day virtual class currently in progress…

He writes, “I thought I would try to apply some of the nuggets I have learned this week, in a meeting I had earlier this morning.  It went really well!  I met with a CISO and we discussed assets and started applying the likelihood vs. impact philosophy.  As I was doing this, my customer said the biggest problem he has is understanding likelihood.”

…This is predictable. As I stated in last Thursday’s session, everyone seems to focus on the impact side of the security equation, but CISOs and asset owners are already well aware of this, and continue to hear the same ROI and insurance sales pitches almost daily from your competition. By taking the “Likelihood” approach, a new discussion evolves.

He continues with a great question, “Based on this approach, is determining likelihood done through risk assessment or are there more dimensions to consider?”

If you’re in the class, you know we have one more session to cover, and this is where we will address this in detail…but this is the right question to be asking: how do we move this conversation forward to create business? Here is a portion of my reply:

“…it means starting with executives rather than IT, and interviewing them to understand the assets; how they’re used, who uses them, who can’t use them…etc. Then, armed with a complete understanding of the data (the assets), the technical side of the assessment should be used to discover how the necessary security is being achieved, or how to reduce the likelihood to an acceptable level of risk. The “Impact vs. Likelihood” graph from my book, The House & the Cloud, becomes our primary deliverable, backed by data from the assessment.”

His final comment: “Application to the real world is the best way to learn… I personally missed focusing on the asset and pitched it more towards the vulnerability discovery. The asset that has the vulnerability determines the impact and the level of the vulnerability determines the likelihood. Starting to add up.”

This is exactly right and leads to the justification this sales person needs to create new business.
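A worked version of the asset-first scoring this exchange describes, and of the five board questions from the earlier post (most important assets and where they live, odds of an intrusion, estimated impact, what is being done about it, better or worse over time). This is an added example in Python, not code from the article or its author. The asset names, owners, locations, findings and every 1-5 score are constructed for illustration, and the two ordinal scales and the impact × likelihood product are assumptions chosen to match the graph the article refers to, not a method the article specifies.

```python
"""Impact vs. likelihood risk register: rank assessment findings by business
risk rather than by technical severity alone.

Added example, not code from the article or its author. Assets, owners,
findings and every 1-5 score below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """Comes from the executive interview, not from a scanner."""
    name: str
    owner: str       # business owner who answered "what happens if this is lost?"
    location: str    # where the data actually lives (board question 1)
    impact: int      # 1 (nuisance) .. 5 (existential), set by the owner, not by IT


@dataclass(frozen=True)
class Finding:
    """Comes from the technical assessment; explains how the asset is exposed."""
    asset: str
    title: str       # the technical observation
    likelihood: int  # 1 (theoretical) .. 5 (trivially reachable / actively exploited)
    so_what: str     # the business consequence, in the owner's language


@dataclass(frozen=True)
class RiskRow:
    asset: str
    finding: str
    impact: int
    likelihood: int
    score: int       # impact * likelihood (assumed scoring, 1..25)
    so_what: str


def build_register(assets: List[Asset], findings: List[Finding]) -> List[RiskRow]:
    """Join each finding to its asset, score it, and order worst first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = by_name[f.asset]  # a finding with no owned asset has no measurable impact
        for v in (a.impact, f.likelihood):
            if not 1 <= v <= 5:
                raise ValueError(f"scores must be 1-5, got {v}")
        rows.append(RiskRow(a.name, f.title, a.impact, f.likelihood,
                            a.impact * f.likelihood, f.so_what))
    return sorted(rows, key=lambda r: (r.score, r.impact), reverse=True)


def rank_by_severity_only(findings: List[Finding]) -> List[str]:
    """What a scanner-driven report produces: likelihood alone, no asset context."""
    return [f.asset for f in sorted(findings, key=lambda f: f.likelihood, reverse=True)]


def risk_matrix(register: List[RiskRow]) -> Dict[Tuple[int, int], List[str]]:
    """Cells of the graph: (impact, likelihood) -> assets plotted in that cell."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        cells.setdefault((r.impact, r.likelihood), []).append(r.asset)
    return cells


def render_matrix(register: List[RiskRow]) -> str:
    """ASCII version of the whiteboard drawing: impact down the side, likelihood across."""
    cells = risk_matrix(register)
    lines = ["impact \\ likelihood " + " ".join(f"{l:>3}" for l in range(1, 6))]
    for impact in range(5, 0, -1):
        marks = [f"{len(cells.get((impact, l), [])):>3}" for l in range(1, 6)]
        lines.append(f"{impact:>19} " + " ".join(marks))
    return "\n".join(lines)


def trend(previous: List[RiskRow], current: List[RiskRow]) -> int:
    """Board question 5: negative means total risk fell since the last assessment."""
    return sum(r.score for r in current) - sum(r.score for r in previous)


# Constructed sample data: an interview with three asset owners, then three findings.
ASSETS = [
    Asset("Customer billing database", "CFO", "on-prem SQL cluster", impact=5),
    Asset("Marketing web site", "VP Marketing", "hosted CMS", impact=2),
    Asset("Engineering source repo", "CTO", "SaaS git hosting", impact=4),
]
FINDINGS = [
    Finding("Customer billing database",
            "DB service account shared with backup jobs, password unchanged for 3 years", 4,
            "one phished admin or compromised backup server exposes every customer's payment data"),
    Finding("Marketing web site",
            "CMS two releases behind; published auth-bypass fix not applied", 5,
            "defacement and brand embarrassment; no customer data on the host"),
    Finding("Engineering source repo",
            "MFA not enforced on 12 of 40 developer accounts", 3,
            "source theft, or a malicious commit shipped to customers"),
]
# Constructed follow-up state after the remediation the register justified.
AFTER_REMEDIATION = [
    Finding("Customer billing database", "backup jobs on a dedicated identity; DB account rotated and vaulted", 2,
            "attacker needs two separate compromises instead of one"),
    Finding("Marketing web site", "CMS patched to current release", 1, "known bypass closed"),
    Finding("Engineering source repo", "MFA enforced for all developer accounts", 1, "stolen password alone no longer enough"),
]

if __name__ == "__main__":
    register = build_register(ASSETS, FINDINGS)
    print("severity-only order :", rank_by_severity_only(FINDINGS))
    print("asset-first order   :", [r.asset for r in register])
    for r in register:
        print(f"{r.score:>3}  {r.asset:<28} {r.so_what}")
    print(render_matrix(register))
    print("trend after remediation:", trend(register, build_register(ASSETS, AFTER_REMEDIATION)))
```

The two orderings are the point of the exercise: ranked by likelihood alone the web site comes first, because its finding is the most exploitable; weighted by the owner's impact the billing database comes first, and each row already carries the "So what?" sentence the deliverable needs. The trend figure is what answers "are we getting better or worse?" at the next assessment.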

© 2011, David Stelzl

Why do so many vulnerability tests fail to produce remediation business?

1. If the test is done for IT, you won’t have visibility into the executive ranks

2. If the process doesn’t involve the executive team they won’t care much about the results

3. The report is too technical

4. The report uses jargon that disguises the problem and its urgency

5. The provider appears to be more focused on analytics than on urgent issues

E.g., if I come to you and say, “This is the problem; I’ll put together some options and pricing and get back to you next week,” do you feel like the issues are urgent? What if your plumber did that after discovering a leaking pipe in your wall? You’d fire them! (But only because you know that is urgent.)

© 2010, David Stelzl
