Slashdot Mirror


How to Approach Customers with Security Issues?

stuntshell asks: "We're a group of IT Professionals and we're starting our own consulting firm. We're most systems administrators, and not business admin, nor lawyers, and we're all have worked on big companies and most of the time the job to be performed was just passed on to us. The scope of the work we're about to perform will be security related, so how do you approach a customer in this kind of business? Do you wait for them to come and ask you to test their firewall? Or do you go scanning and discovering holes on other's network for you to offer them your solution? Do write a letter/email or do you propose a meeting? What works?"

2 of 73 comments

  1. Aaaarrrgghh... by tekiegreg · Score: 4, Informative

    Sniffing me, then emailing me to plug the holes for a price is almost the equivalent of blackmail. This may earn you one of 2 things:

    1) A very nasty letter from either management or legal telling you to cease and desist
    2) From the more nasty management/legal, a call to the police.

    The best way, really, is the more conventional way: advertise, network and otherwise legitimately promote your business. This gray area of finding holes and near-blackmail will get you more grief than it's worth.

    By the way and offtopic: I woulda probably had first post if my new kitten didn't continuously stomp on my keyboard. Cans of air certainly are handy...

    --
    ...in bed
  2. Might want to think about keeping your day jobs by hrbrmstr · Score: 4, Informative
    "We're most systems administrators, and not business admin, nor lawyers, and we're all have worked on big companies and most of the time the job to be performed was just passed on to us."
    Perhaps you "IT Professionals" might want to consider a few tech writing courses to help you beef up on grammar and, I suspect, spelling. If you approached my company with a cover letter that contained sentences like the one I just quoted, your firm would be placed near the bottom of the pile.
    "The scope of the work we're about to perform will be security related, so how do you approach a customer in this kind of business? Do you wait for them to come and ask you to test their firewall? Or do you go scanning and discovering holes on other's network for you to offer them your solution? Do write a letter/email or do you propose a meeting? What works?"
    Do you have a security background or did you just manage to apt-get or rpm Nessus and nmap successfully? Are you certified (SANS, CISSP, MSIA, etc.)? If you just plan on handing someone a default Nessus report, please - don't!

    As far as "getting the sale", what worked for salespeople that sold goods/services - security or otherwise - to your previous company/companies? That might be a good place to start. If you were never brought into sales-discussions, you might want to ask yourselves "why not?".

    What you *definitely* want to do is perform unauthorized scans and/or penetration attempts on a potential customer's external firewalls and/or servers. That will most assuredly endear you to them. Why, they might even ask to have a police escort for you!

    One of the last things you should do is approach a new career in security consulting without really knowing that part of the IT world like the back of your hand (and not just the tech bits).

    (Have you considered starting up a Starbucks franchise instead?)
    --
    Mind the gap...