Re: The business/marketing of pen-testing.

From: Aaron Drew (ripper@internode.on.net)
Date: Tue Nov 02 2004 - 06:02:43 EST


Thanks for all the great responses. From the responses I've received it is now
painstakingly obvious that I need to start with the small fish and offer
fairly simple services (basic vuln-testing/pen-testing). I should probably
have elaborated a little more however on my question.

The area I am most stuck on is *how* to approach potential customers.
Networking is good and well once a foot is in the door but how have
individuals as yourselves achieved that big 'first break'? Cold calling? Door
to door? Stumbling onto a vulnerable system and throwing the evidence in
their face? The much-condoned scare tactic method?

I've tried suiting up and walking into businesses offering a free test of
their network. I've tried calling businesses that I *know* have wide-open
wireless networks and explaining that anyone could read their emails. So far,
all of them have shown no interest - even when I've pointed out what data I
could conceivably capture given enough time. Do I really need to go in there
with something like an email sent from the owner to his wife?

I'm certain I could do a good job for cheap - even if a little unrefined in my
initial procedures. I am just lost as to how to convince a market that
doesn't *want* to see that they need security services.

On Fri, 29 Oct 2004 12:38 am, Randy Golly wrote:
> CORRECTION - Scare Tactics are NOT the way to do it ... lost the Not in
> editing ...
>
> Thanks,
> Randy Golly
>
>
>
> -----Original Message-----
> From: Randy Golly [mailto:rcgolly@vermeertexas.com]
> Sent: Tuesday, October 26, 2004 10:02 PM
> To: Jeff Gercken; Aaron Drew; pen-test@securityfocus.com
> Subject: RE: The business/marketing of pen-testing.
>
> Agree with Jeff's statements, you need to validate why someone needs your
> service. Scare tactics are the way to do it. If businesses in your area
> are not being approached with this service yet, they need to be educated on
> why they need this done in the first place. If they are educated on what
> vulnerabilities are actually out there and how it could affect their
> business operations, then they will come to the right conclusions about why
> they need to secure their systems. Needs to come down to basic dollars and
> cents, not just theoretical BS, on how it could affect their productivity
> or customer satisfaction. If the business is big, they have been in the
> pen test loop and are looking at SOX compliance so need it. Smaller
> businesses don't need to stick within compliance regulations so do not have
> the need as much. But that is where you can come in to show why they need
> your services.
>
> Good luck ... Randy
>
> -----Original Message-----
> From: Jeff Gercken [mailto:JeffG@kizan.com]
> Sent: Tuesday, October 26, 2004 1:52 PM
> To: Aaron Drew; pen-test@securityfocus.com
> Subject: RE: The business/marketing of pen-testing.
>
> Don't use scare tactics. Salesmen prophesying scenarios of impending
> doom and catastrophic failures have really hurt the security industry.
> Rational and quantitative risk analysis is what businesses need.
> Everyone has vulnerabilities and most know it. You should position
> yourself as the guy who will enumerate them and assign priority.
>
> Also, if you are asked, be open in your methods and tools. Be part
> teacher and you will be rewarded with trust and loyalty.
>
> Anyhow, just my $.02
> -Jeff
>
> -----Original Message-----
> From: Aaron Drew [mailto:ripper@internode.on.net]
> Sent: Sunday, October 24, 2004 6:20 PM
> To: pen-test@securityfocus.com
> Subject: The business/marketing of pen-testing.
>
> I've had an interest in computer security for some time and I'm now looking
> at starting a business around it. There are *no* other such businesses in my
> area but because of this, I'm not sure how to sell my services to potential
> customers or even what my target market should be (small, medium, or big
> business).
>
> Anyone have any suggestions as to where I could start looking for information
> on this side of things?

-- 
- Aaron
"Today's mighty oak is just yesterday's nut that held its ground."

