Re: How do you monetize your skills?

From: storehouse99@dacafe.com
Date: Fri Oct 27 2006 - 09:08:45 EDT


Hi All,

I fully agree with what Joe has to say and would like to share my bit.

I had the opportunity to start up as an entrepreneur and also to work with
organizations that were dedicated only to the Information Security
Consultancy front.

The key learnings were:

Pure play consultancy/advisory in the information security domain is a
line that is largely dependent on word of mouth and whereas attending
seminars, et al could enhance visibility, the key factor stays on as
personal contacts.

Also, it is a better strategy to align with a bigger player on manageable
alliance basis to complement services. This results in a win-win situation
for all and largely assists during initial stages.

Finally the biggest challenge was to have a reliable, dedicated team on the
board or as partners. Even a handful could be adequate. This is essential
because the pressure of running a one person shop could be unbearable and
could have unwanted impacts.

Nevertheless the experience of being an entrepreneur is the largest of all
experiences and today when I'm working with a global firm the learnings
assist in making me a cut above the lot. It also instills the highest
level of self confidence and ability to take challenges, decisions and new
roles.

There were many other interesting and probably revealing experiences that I
had that I would really have loved to share, but would prefer to receive a
direct query for the same as it would be of interest to very few.

please feel free to contact

regards

> I know it's not talked about all that much, but it's an important
> subject. These kinds of questions more and more have been popping
> up on this list (how much should I charge for an audit, how do I promote
> myself as a security consultant, etc).
>
> I'm not famous and I'm not rich so I'm no expert by any means but here
> are what I think are some important things to consider:
>
> 1. Name recognition/Credibility in the Security Industry
> 2. Referrals
> 3. Marketing/Advertising
>
>
> You might wanna check out www.isecom.org (Peter Herzog, and Robert Lee
> have a pretty good program in my opinion). Of course you can always go
> with the CISSP/CEH/CPTS/SANS stuff.
>
> Write papers for the community, make videos (this is becoming very
> popular), give talks at conventions, teach at universities, publish a
> security tool. This is what I consider to be Marketing/PR. Running ads
> in magazines, newsletters, banner ads, TV commercials, etc are what I
> consider to be advertising.
>
>
> As I've seen it:
> Consultancies tend to do a lot of advertising if they sell a product
> (Expensive Scanner/Security Tool, I{D|P}S Solution, etc). The ones that
> don't sell a product tend to do more of the PR type stuff (speaking at
> security conferences, authoring technical content, doing research).
>
> In sales you'll learn that customers that "want" your product/service
> are better to have than customers that "need" your product/service. If
> they "need" your product/service they will need to be educated so they
> will know and understand that they need it as opposed to someone that
> wants your service where half the sale is done for you already.
>
> Educating/converting customers over to your side is EXPENSIVE. It's
> cheaper to go after the customers that want your product/service and get
> them to promote you via testimonials/referrals than it is to advertise
> to new customers that "need" your product but need to be educated to the
> fact that they need it. The IT customer is the most expensive niche
> market customer to reach in all of marketing/advertising. If you pay for
> advertising you are competing with the likes of Micro$oft, Cisco, and
> all of the other big guns with advertising budgets higher than you can
> count. I spent more money than I care to admit doing this, but hey we
> all have to learn what works and what doesn't.
>
>
> Although security auditing is NOT my primary business (teaching is), the
> sincerity with my customers is what keeps our cyber doors open. There
> are a lot of hard lessons you will learn being in business - basic sales
> skills, lead generation, marketing/PR are hugely important.
>
> Oh - before I forget. Try to corner a security consultant at a security
> convention like BlackHat, DefCon, etc. Maybe you can find out how they
> are doing their lead generation, customer follow-up, retention programs,
> recurring services to current customers and the rest of that kind of
> stuff.
>
>
> I hope this helps....
>
>
> --
> Joe McCray
> Toll Free: 1-866-892-2132
> Email: joe@learnsecurityonline.com
> Web: https://www.learnsecurityonline.com
>
>
> Learn Security Online, Inc.
>
> * Security Games * Simulators
> * Challenge Servers * Courses
> * Hacking Competitions * Hacklab Access
>
>
>
>
> On Thu, 2006-10-26 at 19:05 +0000, pneedham1@gmail.com wrote:
>> How do you monetize these skills you have acquired? What I mean is how
>> does a security firm find clients?
>>
>> I know it is fun to do the work and there has been another post on doing
>> a scan on a potential client and then coming to that client to help him
>> fix his problems, which everyone here said is bad, and the legal issues.
>> So that is out.
>>
>> How do you sell something to someone if you cannot pre-qualify them,
>> that the problem has no visible business impact.
>> (meaning if they have been hacked and there are no big things happening
>> in the network, no spamserver, viruses, no downtime)
>>
>> and may never be impacted.
>>
>>
>> do you do to sell something to a client if you or he doesn't know if he
>> needs it?
>>
>> and getting over the "who cares" factor that seems to be so prevalent in
>> corporate world. and getting over the fact that an in-house network admin
>> or CTO so he can look bad if
>>
>> I know of one company that does 750 million a year in a competitive
>> market, got broken into 3 times physically and did nothing because they
>> didn't notice anything missing. The place is probably wired for sound
>> better than the rolling stones recording studio.
>>
>>
>> This post may get modded or flamed for being a bit off topic but at the
>> end of the day if you don't get paid for this, it is really just a hobby
>> and there is nothing wrong with that.
>>
>> Is everyone else doing to garner business?
>>





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:14 EDT