Re: The business/marketing of pen-testing.

From: Davi Ottenheimer (infosec@westmarine.com)
Date: Wed Nov 03 2004 - 19:55:57 EST


The best approach is to network and make connections, or find a place with people who want to hear your pitch. Attend local ISSA, ISACA, ISC2, etc. events and try to spend time talking with folks who are looking for someone to perform an external assessment. You could also do related contract engagements (e.g. network roll-outs, system upgrades, software enhancements, etc.) and make contact with as many people as possible to sell your security expertise. Just like any professional trying to build a practice, there are many online guides and books that deal directly with how to build your network of references and create a compelling sales pitch.

Hope that helps,

Davi

>>> Aaron Drew <ripper@internode.on.net> 11/02/04 03:02AM >>>
Thanks for all the great responses. From the responses I've received it is now
painstakingly obvious that I need to start with the small fish and offer
fairly simple services (basic vuln-testing/pen-testing). I should probably
have elaborated a little more however on my question.

The area I am most stuck on is *how* to approach potential customers.
Networking is good and well once a foot is in the door but how have
individuals as yourselves achieved that big 'first break'? Cold calling? Door
to door? Stumbling onto a vulnerable system and throwing the evidence in
their face? The much-condoned scare tactic method?

I've tried suiting up and walking into businesses offering a free test of
their network. I've tried calling businesses that I *know* have wide-open
wireless networks and explaining that anyone could read their emails. So far,
all of them have shown no interest - even when I've pointed out what data I
could conceivable capture given enough time. Do I really need to go in there
with something like an email sent from the owner to his wife?

I'm certain I could do a good job for cheap - even if a little unrefined in my
initial procedures. I am just lost as to how to convince a market that
doesn't *want* to see that they need security services.
************************************************************************************************
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or the
sender immediately and do not disclose the contents to anyone or make copies.

This email was scanned for viruses, vandals and malicious content.
via mail3.westmarine.com
*************************************************************************************************



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:08 EDT