Slashdot Mirror


How to Approach Customers with Security Issues?

stuntshell asks: "We're a group of IT Professionals and we're starting our own consulting firm. We're mostly systems administrators, not business admins or lawyers, and we've all worked at big companies where most of the time the job to be performed was just passed on to us. The scope of the work we're about to perform will be security related, so how do you approach a customer in this kind of business? Do you wait for them to come and ask you to test their firewall? Or do you go scanning and discovering holes in others' networks so you can offer them your solution? Do you write a letter/email or do you propose a meeting? What works?"

9 of 73 comments

  1. You hire a Sales Manager by QuantumG · Score: 5, Insightful

    and you give him a budget big enough to do his job. You know, sales? The basis of business? Oh, didn't think you'd need that? Note to investors: GET OUT NOW.

    --
    How we know is more important than what we know.
  2. Scanning? by Monte · Score: 5, Insightful

    Or do you go scanning and discovering holes on other's network for you to offer them your solution?

    Boy, does that sound like an astonishingly bad idea. Sorta like a locksmith picking the lock on your front door, coming inside and offering to sell you a better lock. Sounds to me like a great way to get shot.

    Figuratively speaking, of course.

    1. Re:Scanning? by TheWanderingHermit · Score: 4, Insightful

      Yes, it is a bad idea. It is so incredibly bad an idea, you should *really* rethink how you're going to handle your business. This is a case of stereotypical geek behavior -- thinking more of how you can show off and what you want rather than what your customers or potential customers would want.

      Reverse it, and use an analogy like the one in the parent post: how would you feel if someone came to see you, in your office, and said, "Hey, we looked at your locks, and found we could break into your office in less than 5 minutes. For a fee we can tell you how to protect yourself." Wouldn't you wonder if they're running a protection racket? What would you do if, somewhere in the next few months, your business was broken into? Who would the first suspect be? I know if someone came to me and told me how easily any of my systems could be broken into, I'd get all their info, ask them if they had a preliminary report, and tell them I had to talk to my partner. Once I had all their info, I'd turn it over to the cops, since I have NO idea if they are about to hit me up for money, or if they're just geeks that are too stupid to know how to deal with me as a human.

      Seriously, if you actually think this could, in any way, be a good idea, then either forget starting your own business or, before you do anything else, hire a sales person who can be your front line and keep you away from your customers so you don't drive them off.

      Ever since I started my own business, I've heard from a lot of people who tell me they think they have great ideas -- either for a business, a product, a service, or a way to market. In many years, the idea of scanning, then going up to people and saying they are vulnerable and you can fix it has to be the dumbest one I've heard yet.

      And I'm speaking without malice or cruel intent -- just stating it as experience tells me it is.

  3. re: What Works by xmas2003 · Score: 4, Funny

    Get submittal about your company approved on Slashdot
    Every company reads about you and wants to hire you.
    Profit ... oh s*it ... forgot to post our URL!

    --
    Hulk SMASH Celiac Disease
  4. Aaaarrrgghh... by tekiegreg · Score: 4, Informative

    Sniffing me, then emailing me to plug the holes for a price is almost the equivalent of blackmail. This may earn you one of 2 things:

    1) A very nasty letter from either management or legal telling you to cease and desist
    2) From the more nasty management/legal, a call to the police..

    The best way, really, is the more conventional way: advertise, network and otherwise legitimately promote your business. This gray area of finding holes and near-blackmail will get you more grief than it's worth.

    By the way and offtopic: I woulda probably had first post if my new kitten didn't continuously stomp on my keyboard. Cans of air certainly are handy...

    --
    ...in bed
    1. Re:Aaaarrrgghh... by Frantactical Fruke · Score: 4, Funny

      That's a very nice firewall you've got there. Would be a shame if something happened to it...

  5. Might want to think about keeping your day jobs by hrbrmstr · Score: 4, Informative

    We're most systems administrators, and not business admin, nor lawyers, and we're all have worked on big companies and most of the time the job to be performed was just passed on to us.

    Perhaps you "IT Professionals" might want to consider a few tech writing courses to help you beef up on grammar and, I suspect, spelling. If you approached my company with a cover letter that contained sentences like the one I just quoted, your firm would be placed near the bottom of the pile.

    The scope of the work we're about to perform will be security related, so how do you approach a customer in this kind of business? Do you wait for them to come and ask you to test their firewall? Or do you go scanning and discovering holes on other's network for you to offer them your solution? Do write a letter/email or do you propose a meeting? What works?

    Do you have a security background or did you just manage to apt-get or rpm Nessus and nmap successfully? Are you certified (SANS, CISSP, MSIA, etc.)? If you just plan on handing someone a default Nessus report, please - don't!

    As far as "getting the sale", what worked for salespeople that sold goods/services - security or otherwise - to your previous company/companies? That might be a good place to start. If you were never brought into sales-discussions, you might want to ask yourselves "why not?".

    What you *definitely* want to do is perform unauthorized scans and/or penetration attempts on a potential customer's external firewalls and/or servers. That will most assuredly endear you to them. Why, they might even ask to have a police escort for you!

    One of the last things you should do is approach a new career in security consulting without really knowing that part of the IT world like the back of your hand (and not just the tech bits).

    (Have you considered starting up a Starbucks franchise instead?)

    --
    Mind the gap...
  6. Reputation first... by phamlen · Score: 4, Insightful

    Well, speaking from my experience at a fairly successful consultancy business, I think there are a couple of strategies. First, there are some key skills you all need:

    1) Distinguish yourself as a group that provides "practical, effective" security. Never leave any of your first customers wondering why they paid you.

    2) Solve the problems they want solved rather than the problems you think should be solved. Don't go tell the customer what they need you to do; instead, listen to what they say are the problems and solve them.

    3) Brutally assess all the communication skills of your team. Know who your great communicators are, and who are the people you need to hide from the customer. Face it, as a consulting firm, it matters most how you interact with the customer.

    As far as strategies go:
    1) I bet your primary battle will be convincing people that it's worth investing in security. Start gathering factual stories of security failures so that you can talk about specific incidents and what happened. Be prepared to explain to a non-technical user why they should spend money - and make sure it's completely relevant to them.
        For instance, I worked at a web-firm that doesn't really care about security... but they also have about 12,000 social security numbers in one of their databases. When we tried to push "network security" in general, there was no traction. When we asked "what if we have to announce to all our customers that their SSN's were stolen from our database?", that allowed us to push for greater security controls.

    2) Consider focusing on the "virus-protection" market. I know a lot of small businesses completely struggle with Windows viruses that can bring down the network. Since good network security can help stop the spread of viruses, it might be a reasonable fit. "Stop the havoc that viruses cause" is a strong selling point.

    3) Maybe offer a "security review and emergency assistance when needed" package. Basically, you do a review of their network for a nominal fee and then you're available for emergency issues if they have a security issue. Sell it as "now you'll know who to call if you really have a problem."
        Once you get in to do the review, you can even make some suggestions to improve logging/auditing so that you can respond better in an emergency.

    4) Get some street cred. Publish some articles on security issues, find a security weakness in Mozilla (we just heard that it's buggier than IE, right?) and get your name out there as a "security firm".
        As an alternative, answer questions on newsgroups or forums. If you're good, you can get a rep as knowing your shit by answering people's questions. Sometimes, the sysadmin who asks for help could really use a consulting group instead.

    Finally, one last piece of advice:

    1) Always treat your clients' problems more seriously than they treat them. If your clients are a little concerned, you need to be very concerned. If they're satisfied, you need to be slightly concerned. And don't just sound like you're taking them more seriously - take them more seriously! If the client thinks it's a little problem, treat it like a big problem and get it fixed right away. If it's a big problem, treat it like it's the end of the world.
        I know it sounds silly, but it means that every time your customers contact you, they will always get the impression that you're more on top of the problem and solution than they are. And that, in the consulting world, is gold!

    Good luck.

    -Peter

  7. Lifecycle Management Approach by Midnight Warrior · Score: 4, Insightful

    Treat it just like any other project that uses a cyclic lifecycle management. I'm supposing you already have your foot in the door, you are just unsure as to how to conduct yourself. At the end of each round, the customer can decide if they like the kind of progress being made and has the option to cancel the contract after each round if they disagree with methods or results. Start small and simple and develop their trust. If they really have security problems, you are best off finding a way to make them want to change rather than just telling them off.

    Round 1: Spend one week writing a paper on the intellectual or physical property deemed essential to the company, and then document what measures the company believes they are practicing to protect them. At this point, you should also define your known enemies, be it a competitor or vast amounts of time wasted during virus outbreaks. Don't dwell on anything but the obvious as we all learned in the Six Dumbest Ideas In Computer Security document.

    Round 2: Propose a paper exercise approach to physical security, both in the server room and in the cubicle farms. Spend a week and not too much money. This will confirm or deny what was declared in Round 1.

    Round 3: Address disaster recovery options because arson and other DOS techniques are just as bad for protecting IP as is an electronic attack. This is a check to see if the current protection methods covered this usually underfunded area. Don't forget offsites.

    Round 4: Propose, via contractual methods, solutions for closing gaping holes in the protection measures. That is, cover the areas for which no protection is provided, be it physical, procedural, or electronic. Implement if approved and have alternate, albeit less-effective approaches for those rejected due to cost or time.

    Round 5: Propose a development area be established to test current and future configurations of electronic equipment for known attack vectors (e.g. new patches on a firewall don't open new ports). [At this stage, your customer has confidence that you know what you're doing, but it took you this long before you really started touching the inside of their network.] You never subject the production network to most scans, except maybe for proper patch deployment. All the exploit attempts happen in the lab.

    Round 6: Like every good reader of Bruce Schneier's Secrets and Lies, you now propose methods and procedures for monitoring and reacting to attacks against the core intellectual or physical property documented in Round 1. Depending on your company goals, you can hope to win this one, or you can let them run the service while you move on to another customer.

    Tips: If you get lots of resistance at Round 1 telling you that you aren't moving fast enough, beware because you will be the victim of the blame game in Round 6. Don't forget that sometimes the attack vector is physical theft - encrypt core files anywhere they are found, most especially on laptops. Round 1 may have identified Internet access as a risk, so in Round 4, consider using a private, internal network and force all users to use thin-client tools for Internet access - no removable media, highly-enforced group policies, and the ability to quarantine viruses at the door. For that matter, proxy all Internet access and monitor it in Round 6.