RE: The business/marketing of pen-testing.

From: Randy Golly (rcgolly@vermeertexas.com)
Date: Thu Oct 28 2004 - 10:38:54 EDT

CORRECTION - Scare Tactics are NOT the way to do it ... lost the Not in
editing ...

Thanks,
Randy Golly

-----Original Message-----
From: Randy Golly [mailto:rcgolly@vermeertexas.com]
Sent: Tuesday, October 26, 2004 10:02 PM
To: Jeff Gercken; Aaron Drew; pen-test@securityfocus.com
Subject: RE: The business/marketing of pen-testing.

Agree with Jeff's statements, you need to validate why someone needs your
service. Scare tactics are the way to do it. If business's in your area
are not being approached with this service yet, they need to be educated on
why they need this done in the first place. If they are educated on what
vulnerabilities are actually out there and how it could affect their
business operations, then they will come to the right conclusions about why
they need to secure their systems. Needs to come down to basic dollars and
cents, not just theoretical BS, on how it could affect their productivity or
customer satisfaction. If the business is big, they have been in the pen
test loop and are looking at SOX compliance so need it. Smaller business
don't need to stick within compliance regulations so do not have the need as
much. But that is where you can come in to show why they need your
services.

Good luck ... Randy

-----Original Message-----
From: Jeff Gercken [mailto:JeffG@kizan.com]
Sent: Tuesday, October 26, 2004 1:52 PM
To: Aaron Drew; pen-test@securityfocus.com
Subject: RE: The business/marketing of pen-testing.

Don't use scare tactics. Salesmen prophesizing scenarios of impending
doom and catastrophic failures have really hurt the security industry.
Rational and quantitative risk analysis is what businesses need.
Everyone has vulnerabilities and most know it. You should position
yourself as the guy who will enumerate them and assign priority.

Also, if you are asked, be open in your methods and tools. Be part
teacher and you will be rewarded with trust and loyalty.

Anyhow, just my $.02
-Jeff

-----Original Message-----
From: Aaron Drew [mailto:ripper@internode.on.net]
Sent: Sunday, October 24, 2004 6:20 PM
To: pen-test@securityfocus.com
Subject: The business/marketing of pen-testing.

I've had an interest in computer security for some time and I'm now
looking at
starting a business around it. There are *no* other such businesses in
my
area but because of this, I'm not sure how to sell my services to
potential
customers or even what my target market should be (small, medium, or big

business).

Anyone have any suggestions as to where I could start looking for
information
on this side of things?

---------------------------------------------------------------------------- 

--
Internet Security Systems. - Keeping You Ahead of the Threat
When business losses are measured in seconds, Internet threats must be
stopped before they impact your network. To learn how Internet Security
Systems keeps organizations ahead of the threat with preemptive intrusion
prevention, download the new whitepaper, Defining the Rules of Preemptive
Protection, and end your reliance on reactive security technology. 
http://www.securityfocus.com/sponsor/ISS_pen-test_041001
----------------------------------------------------------------------------
---

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:08 EDT