Re: How do you monetize your skills?

From: Joseph McCray (joe@learnsecurityonline.com)
Date: Fri Oct 27 2006 - 03:25:36 EDT


I know it's not talked about all that much, but it's an important
subject. These kinds of questions are popping up more and more on this
list (how much should I charge for an audit, how do I promote myself as
a security consultant, etc).

I'm not famous and I'm not rich so I'm no expert by any means but here
are what I think are some important things to consider:

1. Name recognition/Credibility in the Security Industry
2. Referrals
3. Marketing/Advertising

You might wanna check out www.isecom.org (Peter Herzog, and Robert Lee
have a pretty good program in my opinion). Of course you can always go
with the CISSP/CEH/CPTS/SANS stuff.

Write papers for the community, make videos (this is becoming very
popular), give talks at conventions, teach at universities, publish a
security tool. This is what I consider to be Marketing/PR. Running ads
in magazines, newsletters, banner ads, TV commercials, etc are what I
consider to be advertising.

As I've seen it:
Consultancies tend to do a lot of advertising if they sell a product
(Expensive Scanner/Security Tool, I{D|P}S Solution, etc). The ones that
don't sell a product tend to do more of the PR type stuff (speaking at
security conferences, authoring technical content, doing research).

In sales you'll learn that customers that "want" your product/service
are better to have than customers that "need" your product/service. If
they "need" your product/service they will need to be educated so they
will know and understand that they need it as opposed to someone that
wants your service where half the sale is done for you already.

Educating/converting customers over to your side is EXPENSIVE. It's
cheaper to go after the customers that want your product/service and get
them to promote you via testimonials/referrals than it is to advertise
to new customers that "need" your product but need to be educated to the
fact that they need it. The IT customer is the most expensive niche
market customer to reach in all of marketing/advertising. If you pay for
advertising you are competing with the likes of Micro$oft, Cisco, and
all of the other big guns with advertising budgets higher than you can
count. I spent more money than I care to admit doing this, but hey we
all have to learn what works and what doesn't.

Although security auditing is NOT my primary business (teaching is), the
sincerity with my customers is what keeps our cyber doors open. There
are a lot of hard lessons you will learn being in business - basic sales
skills, lead generation, marketing/PR are hugely important.

Oh - before I forget. Try to corner a security consultant at a security
convention like BlackHat, DefCon, etc. Maybe you can find out how they
are doing their lead generation, customer follow-up, retention programs,
recurring services to current customers and the rest of that kind of
stuff.

I hope this helps....

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@learnsecurityonline.com
Web:        https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

On Thu, 2006-10-26 at 19:05 +0000, pneedham1@gmail.com wrote:
> How do you monetize these skills you have acquired? What I mean is how does a security firm find clients?
> 
> I know it is fun to do the work and there has been another post on doing a scan on a potential client and then coming to that client to help him fix his problems, which everyone here said is bad, and the legal issues.  So that is out.
> 
> How do you sell something to someone if you cannot pre-qualify them, that the problem has no visible business impact.
> (meaning if they have been hacked and there are no big things happening in the network, no spamserver, viruses, no downtime)
> 
> and may never be impacted.
> 
> 
> What do you do to sell something to a client if you or he doesn't know if he needs it?
> 
> and getting over the "who cares" factor that seems to be so prevalent in the corporate world. and getting over the fact that an in-house network admin or CTO so he can look bad if
> 
> I know of one company that does 750million a year in a competitive market, got broken into 3 times physically and did nothing because they didn't notice anything missing. The place is probably wired for sound better than the rolling stones recording studio.
> 
> 
> This post may get moded or flamed for being a bit off topic but at the end of the day if you don't get paid for this, it is really just a hobby and there is nothing wrong with that.
> 
> What is everyone else doing to garner business? 
> 
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:14 EDT