Slashdot Mirror


How to Approach Customers with Security Issues?

stuntshell asks: "We're a group of IT professionals and we're starting our own consulting firm. We're mostly systems administrators, not business admins or lawyers, and we have all worked at big companies where most of the time the job to be performed was just passed on to us. The scope of the work we're about to perform will be security related, so how do you approach a customer in this kind of business? Do you wait for them to come and ask you to test their firewall? Or do you go scanning and discovering holes on others' networks for you to offer them your solution? Do you write a letter/email or do you propose a meeting? What works?"

3 of 73 comments

  1. First hand experience with security business by gothzilla · · Score: 2, Interesting

    I worked for a network security business in Denver. We did good work but found something very interesting.
    Most businesses were not concerned with actual security but more interested in what name they could put on their website that says "Secured by _______".
    Because of this, the business died, since we hadn't made a name for ourselves. Sure, some people were genuinely interested in security, but not enough to support a business.
    If you're going to deal with security, keep it on the down low and offer it as a secondary service. As expensive as security audits are, name means more than anything. If your company isn't widely known for security, you'll find security jobs hard to get as a primary offering.

  2. Phenomenally bad idea by Anonymous Coward · · Score: 1, Interesting

    These days, infiltrating a company's network is considered cyber-terrorism, and instead of a contract you'll get charged with a few felonies. I think someone suggested a sales manager. Much better idea. I would suggest a sales manager who writes well.

  3. The impenetrable firewall by worf_mo · · Score: 3, Interesting

    This reminds me of a little story that happened to a customer who I was working for in the late nineties.

    Said customer wanted to have their (large) network audited for security issues and hired an "established security firm" to do the job. As a first step it was decided that these experts had to try to break into the network from the outside, and they promised to report within a certain time frame.

    When the time had come, the customer called them up and asked about the report. The experts said they were still working hard, but from what they had seen the network seemed completely impenetrable. The customer's network admins had not noticed any strange activity or alarming attempts, and asked about the methods used, and the experts gladly explained:

    They had gathered a list of public host names via DNS and found an entry firewall.customersdomain.com. From then on they had tried to gain access to or through firewall.customersdomain.com by all possible means and using every tool at hand, but they had not succeeded.

    This explanation caused a fair amount of laughter amongst the admins. The DNS entry firewall.customersdomain.com had been created a while ago to perform some tests, but the machine corresponding to the IP address had been disconnected from the net months ago.