Re: How do you monetize your skills?





Hi All,

I fully agree with what Joe has to say and would like to share my bit.

I had the opportunity to start up as an entrepreneur and also to work with
organizations that were dedicated only to the Information Security
Consultancy front.

The key learnings were:

Pure play consultancy/advisory in the information security domain is a
line that is largely dependent on word of mouth and whereas attending
seminars, et al could enhance visibility, the key factor stays on as
personal contacts.

Also, it is a better strategy to align with a bigger player on manageable
alliance basis to complement services. This results in a win-win situation
for all and largely assists during initial stages.

Finally the biggest challenge was to have a reliable, dedicated team on the
board or as partners. Even a handful could be adequate. This is essential
because the pressure of running a one person shop could be unbearable and
could have unwanted impacts.

Nevertheless the experience of being an entrepreneur is the largest of all
experiences and today when I'm working with a global firm the learnings
assist in making me a cut above the lot. It also instills the highest
level of self confidence and ability to take challenges, decisions and new
roles.

There were many other interesting and probably revealing experiences that I
had that I would really have loved to share, but would prefer to receive a
direct query for the same as it would be of interest to very few.


please feel free to contact

regards











I know it's not talked about all that much, but it's an important
subject. These kinds of questions have more and more been popping
up on this list (how much should I charge for an audit, how do I promote
myself as a security consultant, etc).

I'm not famous and I'm not rich so I'm no expert by any means but here
are what I think are some important things to consider:

1. Name recognition/Credibility in the Security Industry
2. Referrals
3. Marketing/Advertising


You might wanna check out www.isecom.org (Peter Herzog, and Robert Lee
have a pretty good program in my opinion). Of course you can always go
with the CISSP/CEH/CPTS/SANS stuff.

Write papers for the community, make videos (this is becoming very
popular), give talks at conventions, teach at universities, publish a
security tool. This is what I consider to be Marketing/PR. Running ads
in magazines, newsletters, banner ads, TV commercials, etc are what I
consider to be advertising.


As I've seen it:
Consultancies tend to do a lot of advertising if they sell a product
(Expensive Scanner/Security Tool, I{D|P}S Solution, etc). The ones that
don't sell a product tend to do more of the PR type stuff (speaking at
security conferences, authoring technical content, doing research).

In sales you'll learn that customers that "want" your product/service
are better to have than customers that "need" your product/service. If
they "need" your product/service they will need to be educated so they
will know and understand that they need it as opposed to someone that
wants your service where half the sale is done for you already.

Educating/converting customers over to your side is EXPENSIVE. It's
cheaper to go after the customers that want your product/service and get
them to promote you via testimonials/referrals than it is to advertise
to new customers that "need" your product but need to be educated to the
fact that they need it. The IT customer is the most expensive niche
market customer to reach in all of marketing/advertising. If you pay for
advertising you are competing with the likes of Micro$oft, Cisco, and
all of the other big guns with advertising budgets higher than you can
count. I spent more money than I care to admit doing this, but hey we
all have to learn what works and what doesn't.


Although security auditing is NOT my primary business (teaching is), the
sincerity with my customers is what keeps our cyber doors open. There
are a lot of hard lessons you will learn being in business - basic sales
skills, lead generation, marketing/PR are hugely important.

Oh - before I forget. Try to corner a security consultant at a security
convention like BlackHat, DefCon, etc. Maybe you can find out how they
are doing their lead generation, customer follow-up, retention programs,
recurring services to current customers and the rest of that kind of
stuff.


I hope this helps....


--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe@xxxxxxxxxxxxxxxxxxxxxxx
Web: https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access




On Thu, 2006-10-26 at 19:05 +0000, pneedham1@xxxxxxxxx wrote:
How do you monetize these skills you have acquired? What I mean is how
does a security firm find clients?

I know it is fun to do the work and there has been another post on doing
a scan on a potential client and then coming to that client to help him
fix his problems, which everyone here said is bad, and the legal issues.
So that is out.

How do you sell something to someone if you cannot pre-qualify them,
that the problem has no visible business impact.
(meaning if they have been hacked and there are no big things happening
in the network, no spamserver, viruses, no downtime)

and may never be impacted.


do you do to sell something to a client if you or he doesn't know if he
needs it?

and getting over the "who cares" factor that seems to be so prevalent in
corporate world. and getting over the fact that an in-house network admin
or CTO so he can look bad if

I know of one company that does 750 million a year in a competitive
market, got broken into 3 times physically and did nothing because they
didn't notice anything missing. The place is probably wired for sound
better than the rolling stones recording studio.


This post may get modded or flamed for being a bit off topic but at the
end of the day if you don't get paid for this, it is really just a hobby
and there is nothing wrong with that.

Is everyone else doing to garner business?

-----------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------