Re: The business/marketing of pen-testing.

In-Reply-To: <200411022202.44012.ripper@internode.on.net>

Hi Aaron Drew,

The essence of security is about trust, reliability, and the peace of mind.  
Investing in security of the system is like buying your life insurance.  Would 
you buy insurance from a small company via a cheap agent?

Penetration testing is a broad field, do you plan to specialize in one 
particular technology?  For instance, another thread in this discussion group 
is talking about VoIP penetration test, VoIP security is certainly a very 
interested technology to focus on.

In the IT field, your professional reputation becomes your competitive edge.  
What I am doing to increase my professional reputation is to prepare white 
papers and (hopefully), one day you will see me as a speaker in BlackHat 
Briefings.  Then, companies will hire your company to do penetration testing 
for them.

Good luck Aaron!


> Thanks for all the great responses. From the responses I've received it is now 
> painstakingly obvious that I need to start with the small fish and offer 
> fairly simple services (basic vuln-testing/pen-testing). I should probably 
> have elaborated a little more however on my question.
>
> The area I am most stuck on is *how* to approach potential customers. 
> Networking is good and well once a foot is in the door but how have 
> individuals as yourselves achieved that big 'first break'? Cold calling? Door 
> to door? Stumbling onto a vulnerable system and throwing the evidence in 
> their face? The much-condoned scare tactic method?
>
> I've tried suiting up and walking into businesses offering a free test of 
> their network. I've tried calling businesses that I *know* have wide-open 
> wireless networks and explaining that anyone could read their emails. So far, 
> all of them have shown no interest - even when I've pointed out what data I 
> could conceivable capture given enough time. Do I really need to go in there 
> with something like an email sent from the owner to his wife?
>
> I'm certain I could do a good job for cheap - even if a little unrefined in my 
> initial procedures. I am just lost as to how to convince a market that 
> doesn't *want* to see that they need security services.
>
> On Fri, 29 Oct 2004 12:38 am, Randy Golly wrote:
> > CORRECTION - Scare Tactics are NOT the way to do it ... lost the Not in
> > editing ...
> >
> > Thanks,
> > Randy Golly
> >
> >
> >
> > -----Original Message-----
> > From: Randy Golly [mailto:rcgolly@vermeertexas.com]
> > Sent: Tuesday, October 26, 2004 10:02 PM
> > To: Jeff Gercken; Aaron Drew; pen-test@securityfocus.com
> > Subject: RE: The business/marketing of pen-testing.
> >
> > Agree with Jeff's statements, you need to validate why someone needs your
> > service.  Scare tactics are the way to do it.  If business's in your area
> > are not being approached with this service yet, they need to be educated on
> > why they need this done in the first place.  If they are educated on what
> > vulnerabilities are actually out there and how it could affect their
> > business operations, then they will come to the right conclusions about why
> > they need to secure their systems.  Needs to come down to basic dollars and
> > cents, not just theoretical BS, on how it could affect their productivity
> > or customer satisfaction.  If the business is big, they have been in the
> > pen test loop and are looking at SOX compliance so need it.  Smaller
> > business don't need to stick within compliance regulations so do not have
> > the need as much.  But that is where you can come in to show why they need
> > your services.
> >
> > Good luck ... Randy
> >
> > -----Original Message-----
> > From: Jeff Gercken [mailto:JeffG@kizan.com]
> > Sent: Tuesday, October 26, 2004 1:52 PM
> > To: Aaron Drew; pen-test@securityfocus.com
> > Subject: RE: The business/marketing of pen-testing.
> >
> > Don't use scare tactics.  Salesmen prophesizing scenarios of impending
> > doom and catastrophic failures have really hurt the security industry.
> > Rational and quantitative risk analysis is what businesses need.
> > Everyone has vulnerabilities and most know it.  You should position
> > yourself as the guy who will enumerate them and assign priority.
> >
> > Also, if you are asked, be open in your methods and tools.  Be part
> > teacher and you will be rewarded with trust and loyalty.
> >
> > Anyhow, just my $.02
> > -Jeff
> >
> > -----Original Message-----
> > From: Aaron Drew [mailto:ripper@internode.on.net]
> > Sent: Sunday, October 24, 2004 6:20 PM
> > To: pen-test@securityfocus.com
> > Subject: The business/marketing of pen-testing.
> >
> > I've had an interest in computer security for some time and I'm now
> > looking at
> > starting a business around it. There are *no* other such businesses in
> > my
> > area but because of this, I'm not sure how to sell my services to
> > potential
> > customers or even what my target market should be (small, medium, or big
> >
> > business).
> >
> > Anyone have any suggestions as to where I could start looking for
> > information
> > on this side of things?
> >
> >
> > ---------------------------------------------------------------------------
> > - --
> > Internet Security Systems. - Keeping You Ahead of the Threat
> >
> > When business losses are measured in seconds, Internet threats must be
> > stopped before they impact your network. To learn how Internet Security
> > Systems keeps organizations ahead of the threat with preemptive intrusion
> > prevention, download the new whitepaper, Defining the Rules of Preemptive
> > Protection, and end your reliance on reactive security technology.
> >
> > http://www.securityfocus.com/sponsor/ISS_pen-test_041001
> > ---------------------------------------------------------------------------
> > - ---
>
> -- 
> - Aaron
>
> "Today's mighty oak is just yesterday's nut that held its ground."