How to Deliver a Great Security Assessment Engagement and Get Referrals Too!
With the recent spates of security breaches happening around the internet realms. Security Service providers have seen a surge in the demand for security assessment request from both big corporate businesses and governments as well. Security assessment service is a valuable service for their customers by using a methodically approach assessing its’ infrastructure, processes and systems security. This is the easy part.
The tough part is when your report/s does not convince the customer to act on your recommendations. Your presentation and reports have to be understandable and unobjectionable to both the executives and technical management.
Below few tips hopefully will help you to deliver an outstanding engagement to your customer which books yourselves solid with referrals for more security assessment engagements.
Reports – Technical & Executive
In your scope of work, state that you provide 2 separate and customized report skewed towards management and technical staffs. One detailed technical report for the technical staff and a high level business oriented report for your customer’s management.
Presentations – Technical & Executive
In the same context as above, you will need to deliver 2 presentations to 2 different camps of audience, technical and executive staffs along aside with the 2 reports above. This is to re enforce the findings and recommendations written on the reports. This is also a forum for the customers to raise any questions or concerns that they may have.
To ease acceptance of your message, begin the presentation and report by focusing on the positive areas where the customer technical staff have done a great job in securing the customer security posture. The backlash will be damaging if you start listing the problems you have uncovered, resistance among the technical team might be irreparable.
After you have listed the positives, and then move on to describe the issues that you have undercover. Emphasis that the problems that you have uncovered was because you are dedicated to keep up with the latest security issues, such as the latest security trends, vulnerabilities and threats.
To stand yourselves in the good books with the technical folks, explain that the customer’s technical team has been very professional and are experts in their respective domain but does not have the required amount of time and resources to find the subtle security gaps.
It builds credibility when you structured your message in a manner that you understand with the big pictures and the minute details that impact your customer business. Critical gaps that have a severe impact on the customer must be address immediately e.g. failure to fulfill a regulatory compliance issue could cost your customer financial and reputation loss amounting to millions of dollars. And remember that the recommendations to the gaps must be tagged with an agreeable timeline to resolve the gaps under covered.
Benefits and Cost Analysis
In both your technical & executive reports and presentations, be sure to include and stress the costs – both financial and reputation loss that could incur as a result of a security breach. Do also include the Benefit and Costs analysis to implement your recommendations. This will give the customers a clear picture of how much the potential figures for them to justify the expenditure for any mitigation efforts from your recommendations.
More often than not, your findings will contain bad news, example the customers infrastructure was found to be vulnerable to attacks or have already been exposed to exploitation from malicious sources. Be adaptive and vigilant to the customer corporate culture and internal politics and adjust your delivery approach but stay within the boundaries of professionalism. If the vulnerabilities or gaps uncovered was due to the incompetence of a technical manager or the whole technical team, and you are recommending to replace the individual or team, be tactful and professional when handling such situation. My recommendation would be to speak to the higher authority to address the gaps rather than standing up in the presentation and recommending the manager to be replaced. In the case of understaffing, budget constraint that impede the implementation of the risks uncovered, speak to the manager first before presentation in front to the whole team.
Network and systems changes, new vulnerabilities emerge by the seconds. A one time assessment will not catch future problems. If you provide a thorough, thoughtful and sensitive reports and presentations, it will be very likely that the customer will be calling you again for future engagements and referrals.