Why Tech Companies Suck at Risk Analysis
By Adam Walter on July 11 2022
Apple Podcasts: https://apple.co/2NHRRDl
Spotify: https://spoti.fi/3AyHCUd
Youtube: https://youtu.be/7uIOwxWU_HU
In the tech world, we tend to focus on the tasks that directly correlate to our work. But if we only focus on things like fixing firewalls and cybersecurity without understanding our clients - that is what makes tech companies suck at risk analysis.
That is not to say that what we do is unimportant. Our clients would not have hired us if they did not need our services. What is important is that we understand that to our clients, there is a difference between technical risk and business risk.
It is only natural that tech companies focus on technical risk. It’s what we do! But you must remember that business risk will always outweigh technical risk to your client. Make it a point to talk to your customers. Understand what they see as risks and threats to their company, and then align your services with their needs. For example, if you have a client that runs a dog kennel, their main concern is the health and safety of the animals. If you only talk to them about everything you have done to improve their cybersecurity, your words will fall on deaf ears. But if you can explain how improvements to their cybersecurity help them oversee all the dogs they are caring for and allow owners to safely access live streams of their pets from work, you have shown how your goals match those of your customer. Now your client has more features to sell to their customers, and you have opened the door for your business to provide additional services and build an ongoing relationship.
Aligning technical risk with business risk benefits you and your customers by providing a clear path to success. It helps your clients prioritize the factors that threaten their business and enables you to understand how your services help them meet their goals. Use this as a foundation to expand your business.
Business Risk x Technical Risk = Opportunity
When your client understands how the risks and threats to their business can be resolved by addressing technical issues, it allows you to cultivate your business relationship and creates the opportunity to offer additional services. In turn, it is your responsibility to ensure that you understand your customers. Focus on what your clients care about and what is most important to them. Learn how to identify the problems they face, and then map those problems to how IT can help prevent them from happening. This strengthens the trust your clients have in you, provides direction for you and your client, and creates a base on which you can expand your services.
Tech companies don’t have to suck at risk analysis. We just need to listen and understand how our work impacts client businesses and reduces the threats they face. Building client rapport is more than just doing a good job. Remember, we have conversations, not presentations! Take the time to understand what they value. Turn your risk analysis from sucking to spectacular!
Holiday Security Tips
By Adam Walter on December 13 2021
Apple Podcasts: https://apple.co/2NHRRDl
Spotify: https://spoti.fi/3AyHCUd
The holiday season is in full swing, which means that you need to know some security tips to protect yourself from fraud and from having your information stolen.
This time of year is so magical, but it’s also when people get duped and lose a lot of money to internet scams or have their information stolen. We’re here to help you avoid that, or prepare yourself for when it does happen.
The first tip we have for you is to stop using your debit card and start using another system like Apple Pay, PayPal or some other protected process. It is so easy for people to steal your card number. You wouldn’t lay your card down on the counter at the mall or grocery store for anyone to look at; having that same mindset online is very important. Any time you’re going to put your card number into a website, think about whether you really trust the site or not. If you’re unsure whether the site is legitimate, then you should definitely not put any personal information into it.
The best thing to do is use PayPal or a protected service that allows you to purchase without using a card number. These services have teams of people specifically monitoring and keeping track of your purchases to make sure everything checks out and looks good. These services are the most up-to-date way to pay, making them the safest.
There have been a lot of changes and updates to cards over the years, and that has given us a lot more security. We need to train ourselves to use the most recent processes that keep your purchases secure and your information safe.
The second tip is to use a password vault such as LastPass to make it harder for your passwords to be stolen. Password vaults are cheap if not free, and they keep your passwords secure. It’s an extra step, and we know those aren’t fun, but it gives you an extra layer of security and will help you out in the long run.
When using social media, you should have social awareness and be responsible. Hackers are paying attention to what you post, and if you’re not careful, they will target you based on information that you’re either posting or reposting. Make sure that you are aware of where you are reposting information from and that you are not linking to any fishy sites. By doing this, you avoid putting a large target on yourself for hackers who are trying to steal your information or take your account down based on what you’re posting.
Make sure you’re not buying anything on social media unless it’s from a site that you really trust. Facebook ads are a great way for hackers to grab your attention and get you to put your card information in. Pop-up websites are created to feature popular items at a lower price to trick people into purchasing, only for the site to disappear after 24 hours. Especially during the holiday season, it is important to be aware of where you are purchasing presents from.
The third and final tip is to use something like LifeLock so that a team is actively making sure you’re protected.
Get a 6-month service to ensure people have your back. They will dig through the dark web and make sure that your information isn’t up for purchase or available to be used. There are lists of passwords that are common for people to use, and they will make sure that your passwords aren’t on that list.
It’s easy to have the mindset that “if people want to get in, then they will.” We get it. But giving yourself an extra level of protection with our three tips will make it so much harder for people to actually want to hack your accounts. Since these criminals are really just looking for easy money, making it harder for them will protect you.
Just remember: if it’s too good to be true, it probably is. When you’re shopping and browsing the internet this month, be extremely careful and take precautions. If you do, you’ll have a magical December.
The 4 Steps of Successful Cyber Security Service Monetization
By Caleb Christopher on August 16 2019
In my observation, from previously working for a managed service provider and now working with MSPs: for some, monetizing security is an elusive goal that seems to be reserved for those who already have connections, experience, and the right customers. Why?
Clients are confused
It is very common for managed services customers to believe their MSP is responsible for cyber security. They think it should be included in the price they already pay. This is just an extension of the misconception that Information Security is part of Information Technology.
MSPs are inadequate
Selling cyber security services seems to be only for those “big” enough to have an in-house service, because quality security talent is hard to find, expensive, and nearly impossible to retain. And without some experience on the team, many MSPs are not sure they have adequate expertise to build and run a security program anyway.
Some turn to third parties for assessments and services, but are concerned that having a third party conduct assessments might reveal that the MSP has somehow been doing a bad job with security. Often, the MSP can’t play a role of any significance to the customer in the assessment process, so without any option for a heads-up, many abandon the effort.
MSPs are overwhelmed
Big companies are snapping up all the qualified/experienced security staff, while the rest are playing “employment pinball” until they’ve got enough experience to be a senior analyst somewhere. From the outside looking in, there’s a strong “gotta have money to make money” vibe in cyber security.
There also don’t seem to be any partners focused on helping MSPs build cyber security programs. All the partners and products are focused on the Enterprise sector. What guidance is available costs thousands of dollars and still takes 8-12 months before a cyber security program is built out and the MSP is able to offer any services.
It shouldn’t be this hard
It just shouldn’t be this hard to build and monetize a cyber security program — especially if you actually care about it! There is a way. I’ve built a cyber security program designed for MSPs. This works for those who want to work on building their own in-house program as well as those who just want to be able to sell cyber security (and remain involved) without having to hire and retain their own cyber security experts.
4 Steps to Monetize Cyber security in your MSP
Essentially, the process goes like this: Educate → Sell → Assess (and prioritize) → Remediate (remediate, and remediate some more).
Once I show a business owner their need, they typically ask me what they should do about it, so I sell them an assessment in which we build a roadmap of risk reduction projects to execute in both the short and long term. Now in my case, I’m not actively an MSP, so someone else is making the money on those remediation projects, and those projects hold more revenue than any single assessment — especially if the remediation includes subscription services.
Educate
When it comes to selling cyber security assessments, the first thing you should want to avoid is being shopped on price, so instead of vying for position in the eyes of the few who already know they need cyber security, seek to educate just some of the many who don’t understand their need.
Some will understand if only you can explain things in a way they can relate to. That is the secret sauce. I have found a way to effectively communicate the significance of cyber security to the ongoing success of their business in this internet-connected world.
In the book Made to Stick by Chip and Dan Heath, they describe how to shortcut the learning process for complex or new topics. Essentially, the human brain learns based on what it already knows. My favorite example is where they attempt to describe an uncommon fruit in detail, from scratch. When they’re done, the reader may think he has a decent understanding of this fruit. Then they start over, but this time they start with a point of common shared understanding: “it’s like a grapefruit, but bigger.” Instantly, the reader understands the fruit even more clearly than by reading the detailed description. This is the technique we use in helping business owners understand their need for security.
See a short sample video: Making Security Make Sense - Teaser
Here’s why I start with education: In my experience, when I play the role of mentor by educating the asset owners, they tend to also look to me for their next step. They ask “OK, well… so now what do I do? What’s my next step?” The obvious answer is: start with an assessment.
Sell
Since the business owner already knows his need for an assessment at this point, my job is to continue to guide him toward his goal of getting one. He already wants to buy, so I explain the “simple process” the assessment follows. I do this because visualizing a simple start-to-finish process takes the mystery (read that: uncertainty) out of the purchase.
Once the process is understood, my job, other than presenting him with a quote and a Statement of Work for a NIST cyber security assessment, is to not give him any reason to think twice. Show him the process, then give him the quote + SOW. I am pretty firm on this not being the time for special scoping discussions or negotiations. Keep it simple. Anything but a smooth path to purchase introduces the risk of a lost sale.
Note: As a cyber security consulting firm, the sale of the assessment is my “win,” so I don’t really budge on pricing because I know what I need to get out of the transaction for it to be profitable. But for an MSP, there is another angle to consider: the assessment is just the beginning of the revenue stream from cyber security. For the MSP, remediation projects are more likely to be the real revenue source. So MSPs can flex on the front-end pricing (quite a bit in fact, if they know their typical remediation revenue). BUT, this bears repeating: Keep it simple. If you slow things down or introduce turbulence by debating numbers, the chance of losing the sale increases greatly.
So here’s what I suggest: Before you show them pricing, decide ahead of time what “deals” you’re willing to make. If you’re willing to offer a half-price deal, be ready to cross through that initial price and put the half-price number there. However, I wouldn’t start with a bid of several thousand dollars and be willing to go to free… People don’t respect what they don’t have to pay for, and if you took them from thousands of dollars to $0, they’ll ask “What kind of game are you playing?” Whatever your numbers, pick and stick so the process is quick.
Assess / Prioritize
Whether you’re running your own assessments in-house or you’ve outsourced them, they need to be timely and relevant, and they need to demonstrate business value.
Timely Assessments
If you’ve read this far, you’re probably not trying to run comprehensive assessments with complex requirements. That means there’s no good reason for these assessments to take long.
For relatively straightforward assessments, I shoot for two weeks as the maximum amount of time to gather data, prioritize findings, produce the summary with recommendations, and present back to the client. I’ve found they typically tolerate three weeks, but at the fourth week and beyond, they’re impatient and much more likely to be critical of your findings, process, advice, etc., especially if you have any “critical findings” in your report which you took your sweet time to tell them about. So if your goal is to sell remediation services after the NIST cyber security assessment, be quick about the process.
Relevant, demonstrating business value
Unfortunately, many assessments have been delivered which had little more than the standard output from whatever scanning tool was used. That’s like a mechanic handing me a color-coded printout of the OBD2 readouts and telling me to fix all the red stuff first. Thanks a lot.
For an assessment to be relevant and have business value, it has to provide realistic guidance for the particular business for whom it was performed. A quality assessment delves into the risk tolerance, the whos, and the whys of the customer. Only when you have a good understanding of the business’ objectives can you make relevant recommendations. For example, there are plenty of critical severity findings which may pose no practical risk for a given business, while several low severity findings in combination pose immediate risk.
Relevance and business value go hand-in-hand. If you understand how the business operates, what it wants to achieve, and its mid-to-long-term goals, you can offer practical guidance on risk reduction.
Remediate
Remediation is the sweetest part for an MSP. It’s additional revenue (maybe even monthly recurring revenue!) on top of whatever managed services are already in place.
When it’s time to present findings and remediation guidance to the customer, it’s best to break it into timeframes. There may well be several relatively critical findings, but keep in mind: if this business owner only recently realized the need for cyber security, they don’t have a budget set for remediation. They bought the assessment to get a feel for what they need to do something about vs. what they’re going to have to put off until later (or simply accept as inherent risk). So in my experience, it is very well received to provide them a “menu” of things to fix within different timeframes. Something like “Immediate,” “This Quarter,” and “This Year.” (Keep it simple.)
During the report presentation, I explain the implications of findings and my recommendations for immediate fixes, then I ask the business owner which ones they can / want to tackle first. Everything else in the “Immediate” section gets moved down into the “This Quarter” section, with anything else already there. Again, we discuss what would be practical to pursue within the next 60-90 days and move everything else down into the “This Year” section.
These discussions can’t really take place without some understanding of the price for the various remediation projects. So I recommend the MSP come to the meeting with individual quotes for each item in the “Immediate” section and rough price-only estimates for the items in the “This Quarter” section. This allows the business owner to do some quick mental math so we can plot a rough course for the next year during the presentation meeting. Estimates for the longer-term projects are optional, but aren’t very helpful during this meeting.
Once the business owner has decided the order of remediation projects, an Account Manager or vCIO can handle the roadmap without further need of a cyber security analyst. Any immediate actions for which the MSP brought quotes can be executed on the spot.
Note: MSPs need to be ready for the findings. Some findings may reflect poorly on the MSP, so be ready to step up and fix things ASAP. While this may be embarrassing at first, it is usually endearing to the customer when they see you doing your part, just like you’re recommending for them to do.
Webinar Takeaways on Selling IT Security and Compliance
By Denes Purnhauser on August 15 2014
It was a really engaging talk with Steve Rutkovitz, CEO of Choice CyberSecurity. He is a very successful MSP practitioner specializing in IT Security and Compliance.
We were talking about MSP challenges, strategies, IT consultative sales processes, IT security and compliance opportunities and partnerships, and I learned the following:
- There are surprising similarities between the mainframe-to-PC era shift and the PC-to-Cloud era shift
- To become a successful MSP, one of the most important traits is having best-in-class partners
- When you move upstream, you have to make sure you are able to manage management-type people
- You have to develop a solid marketing / sales engine to teach your clients and prospects
- The Challenger sale is a great way to leverage the natural teacher inside IT managed services providers
- You can sell NIST Cyber Security and Compliance solutions without doing the delivery side
- The business model of selling IT security solutions through a partner
- The best foot-in-the-door tips and tricks to get in front of CEOs
- The complete MSP sales process, from “access to address,” that keeps IT security issues in view
- The natural advisory mindset of IT companies and the potential contained within
Thanks to Steve Rutkovitz for the wisdom and the honest, straightforward answers. I believe his thoughts could help IT managed services providers of any size and any maturity. You can bet this won’t be our last discussion with him.