Penetration Testing mailing list archives
Re: How do you monetize your skills?
From: storehouse99 () dacafe com
Date: Fri, 27 Oct 2006 06:08:45 -0700 (PDT)
Hi All,

I fully agree with what Joe has to say and would like to share my bit. I had the opportunity to start up as an entrepreneur and also to work with organizations that were dedicated only to the Information Security Consultancy front. The key learnings were: pure play consultancy/advisory in the information security domain is a line that is largely dependent on word of mouth, and whereas attending seminars, et al. could enhance visibility, the key factor stays on as personal contacts.

Also, it is a better strategy to align with a bigger player on a manageable alliance basis to complement services. This results in a win-win situation for all and largely assists during initial stages.

Finally, the biggest challenge was to have a reliable, dedicated team on the board or as partners. Even a handful could be adequate. This is essential because the pressure of running a one person shop could be unbearable and could have unwanted impacts.

Nevertheless, the experience of being an entrepreneur is the largest of all experiences, and today when I'm working with a global firm the learnings assist in making me a cut above the lot. It also instills the highest level of self confidence and ability to take challenges, decisions and new roles.

There were many other interesting and probably revealing experiences that I had that I would really have loved to share, but would prefer to receive a direct query for the same as it would be of interest to very few. Please feel free to contact.

regards

I know it's not talked about all that much, but it's an important subject. These kinds of questions more and more have been popping up on this list (how much should I charge for an audit, how do I promote myself as a security consultant, etc). I'm not famous and I'm not rich so I'm no expert by any means but here are what I think are some important things to consider:

1. Name recognition/Credibility in the Security Industry
2. Referrals
3. Marketing/Advertising

You might wanna check out www.isecom.org (Peter Herzog and Robert Lee have a pretty good program in my opinion). Of course you can always go with the CISSP/CEH/CPTS/SANS stuff.

Write papers for the community, make videos (this is becoming very popular), give talks at conventions, teach at universities, publish a security tool. This is what I consider to be Marketing/PR. Running ads in magazines, newsletters, banner ads, TV commercials, etc. are what I consider to be advertising.

As I've seen it: Consultancies tend to do a lot of advertising if they sell a product (Expensive Scanner/Security Tool, I{D|P}S Solution, etc). The ones that don't sell a product tend to do more of the PR type stuff (speaking at security conferences, authoring technical content, doing research).

In sales you'll learn that customers that "want" your product/service are better to have than customers that "need" your product/service. If they "need" your product/service they will need to be educated so they will know and understand that they need it, as opposed to someone that wants your service, where half the sale is done for you already. Educating/converting customers over to your side is EXPENSIVE. It's cheaper to go after the customers that want your product/service and get them to promote you via testimonials/referrals than it is to advertise to new customers that "need" your product but need to be educated to the fact that they need it.

The IT customer is the most expensive niche market customer to reach in all of marketing/advertising.
If you pay for advertising you are competing with the likes of Micro$oft, Cisco, and all of the other big guns with advertising budgets higher than you can count. I spent more money than I care to admit doing this, but hey, we all have to learn what works and what doesn't.

Although security auditing is NOT my primary business (teaching is), the sincerity with my customers is what keeps our cyber doors open. There are a lot of hard lessons you will learn being in business - basic sales skills, lead generation, marketing/PR are hugely important.

Oh - before I forget. Try to corner a security consultant at a security convention like BlackHat, DefCon, etc. Maybe you can find out how they are doing their lead generation, customer follow-up, retention programs, recurring services to current customers and the rest of that kind of stuff.

I hope this helps....

--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe () learnsecurityonline com
Web: https://www.learnsecurityonline.com

Learn Security Online, Inc.
* Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access

On Thu, 2006-10-26 at 19:05 +0000, pneedham1 () gmail com wrote:

How do you monetize these skills you have acquired? What I mean is how does a security firm find clients?

I know it is fun to do the work and there has been another post on doing a scan on a potential client and then coming to that client to help him fix his problems, which everyone here said is bad, and the legal issues. So that is out.

How do you sell something to someone if you cannot pre-qualify them, that the problem has no visible business impact. (meaning if they have been hacked and there are no big things happening in the network, no spamserver, viruses, no downtime) and may never be impacted.

do you do to sell something to a client if you or he doesn't know if he needs it?

and getting over the "who cares" factor that seems to be so prevalent in corporate world.
and getting over the fact that an in-house network admin or CTO so he can look bad if

I know of one company that does 750 million a year in a competitive market, got broken into 3 times physically and did nothing because they didn't notice anything missing. The place is probably wired for sound better than the Rolling Stones recording studio.

This post may get modded or flamed for being a bit off topic but at the end of the day if you don't get paid for this, it is really just a hobby and there is nothing wrong with that.

Is everyone else doing to garner business?