Re: My Frustrations

["Adriel T. Desautels" <ad_lists () netragard com>]

Again, this is not an issue of communication, or geeks versus business  
men. This is not an issue of proving or demonstrating the quality of  
ones self or service.  This is an issue of enabling the customer to  
make the right decision.

Take this into consideration:

You have ten men in suits. Each of them are holding suit cases that  
you can buy for 100 dollars. Each suit case is packed full of money  
based on what the ten men are telling you. The problem is that one of  
them is a liar and you don't know it..  How do you know which suit  
case to purchase? There a 9 out of 10 chance that you're going to be  
out 100 bucks.

So, is the problem that the one real man is not communicating right?  
Or is it that all of the others are copy cats? Think a little...

On Dec 19, 2008, at 2:40 PM, Shenk, Jerry A wrote:

> That's a "life question" - in any walk of life, how do you tell the
> frauds from the real thing.  We just went though an election cycle  
> where
> half of the population voted for the most incompetent person...or at
> least that's what the other half though...including me.
>
> I think somehow those of us who think we aren't the frauds need to  
> learn
> to communicate the value of what we do in business terms.  Typically,
> "geeks" really don't do very well at that.  We say things like, "that
> needs to be upgraded 'cuz it's not secure." While the business man  
> says,
> "hey, my order entry people can enter orders just fine on that win98
> box...it's worked for years, why change it."  Maybe there is a  
> technical
> reason to upgrade, maybe not but whatever, we need to be able to  
> EXPLAIN
> why it's better.  And, in pen-testing, we need to explain WHY a pen- 
> test
> is better than a vulnerability scan and explain what the difference
> is...'cuz that "fraud" is gonna just run a VA scan, call it a pen-test
> and collect his fee.
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com 
> ]
> On Behalf Of Adriel T. Desautels
> Sent: Friday, December 19, 2008 7:37 AM
> To: Joseph McCray
> Cc: pen-test list
> Subject: Re: My Frustrations
>
> Hi Joe,
>         While I appreciate your response I only partially agree with
> you; and
> frankly I wasn't asking you for a lesson in business.  What I feel
> that you are missing in your post is the problem of inaccuracy and
> even lies.  That problem confuses the customer and often times ends up
> landing the customer in a very poor security state, then they wonder
> why they get hacked.
>
>         If you have two providers, one of which is very high quality and
> one
> is a copy-cat fraud, how does the customer tell the difference between
> the two? The problem isn't really a problem until the copy-cat starts
> presenting the same face and message as the quality provider.  At that
> point it is not a matter of the good provider conveying the message
> better (because the message gets copied) its a matter of the customers
> learning how to tell fact from fiction, but they can't do that without
> being educated first.
>
>         But what happens when ten more copy-cat providers surface and
> they
> follow the same exact messaging as the quality provider? What happens
> when those providers then offer services at a cost that is 30-80% less
> than the cost of services being delivered by the quality provider? The
> answer isn't that the quality provider gets too hurt because "we"
> don't, the answer is that customers get hurt by a false sense of
> security.  After all the cost of a single compromise can cost people
> their jobs and even put businesses under.
>
>         Joe, just to be clear here, my motivation isn't to create a
> clear
> marketing message or to establish my companies name, thats been done
> very successfully.  My goal is to educate the customers so that they
> can avoid being scammed.  I can't tell you how many times we've seen
> third party deliverables that were the massaged product of automated
> tools and scanners.  Hell, we've even seen deliverables with great big
> yellow smile faces at the bottom!!!
>
>         So in closing, no the incompetent security professional does not
>
> convey their message better but instead they convey the exact same
> message and undercut the real provider thus hurting their customers.
> But what do they care, they are in it for the money not for the
> customer's sake right?
>
>         Anyway, like I said before, we're working on a white paper that
>
> should help customers to draw the line. When its finished I'll make
> sure to post it to the list for all to read and comment on.
>
>
>
>
> On Dec 19, 2008, at 1:58 AM, Joseph McCray wrote:
>
> > Last year I posted a similar message to this list titled "I want the
> > PT
> > list back....":
> http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2007-12/ms
> g00052.html
> > My frustration was similar to yours. I just missed how much I used to
> > learn on this list.
> >
> > The security community has changed, and now the bleeding edge
> > information is spread out across tons of blogs and the IRC servers
> > where
> > people dropped 0-day in the channel has transitioned to private silc
> > servers.
> >
> > As I said in my previous post there are some REALLY smart people on
> > this
> > list that have forgotten more about security than I and a lot of  
> > other
> > people on this list will ever learn.
> >
> > I used to b*tch about how I was so tired of reading the "I've just
> > been
> > hired to do a pentest - how do I scan a host behind a firewall" posts
> > questions that I was about to swear myself off of this list.
> >
> > I had a buddy that pulled me aside and just told me - "You are just
> > getting better as a security professional so you aren't in awe like
> > you
> > used to be." There is still plenty of stuff talked about on this list
> > for newbies to learn from. Occasionally there is something that even
> > pretty experienced people can learn from as well.
> >
> > As far as how you handle competing against incompetent security
> > professionals (that often underbid you - no I'm not
> > bitter...heheheheh...) and how that affects your business - now that
> > I'm
> > dealing with a lot of business development - I'm really learning that
> > you are only as good as what you can convey to the customer.
> >
> > The customer isn't a security expert, and often can't differentiate
> > between you and someone that's not as technical as you.
> >
> > In terms of business - that incompetent security professional either
> > conveyed his value to the customer better than you did, or got the
> > customer to believe that they didn't need to go with a larger more
> > well
> > known firm.
> >
> > As much as we are geeks and love geeky stuff - this is business. You
> > have to be able to convey your firm's value to the customer.
> >
> > Show them the books you've written, the tools you've developed, your
> > whitepapers, conference presentations, and demonstrate your
> > knowledge of
> > regulatory compliance. Provide credible references in your customer's
> > industry, and most importantly prove how you add value with your
> > professionalism, your customer service, your attention to detail, and
> > your ability to explain complex problems to developers and
> > administrators.
> >
> > If you are really that much better than someone you think is
> > incompetent
> > you shouldn't have an issue conveying that to the customer.
> >
> >
> > I'm not saying all of this to be harsh - this has been a hard lesson
> > for
> > me to learn as well and I still struggle with it a lot.
> >
> > Hope this helps.....
> >
> >
> > Joe
> >
> > On Wed, 2008-12-17 at 14:19 -0500, Adriel T. Desautels wrote:
> > > I recently wrote this blog entry and wanted to get some comments  
> > > from
> > > readers of this list. I'm frustrated with the caliber of the people
> > > that are offering security services and posing as experts, thats the
> > > subject of the post. Please comment, insult, whatever... I'm
> > > interested.
> > >
> > > http://snosoft.blogspot.com/
> > >
> > >
> > > Adriel T. Desautels
> > > ad_lists () netragard com
> ------------------------------------------------------------------------
> > > This list is sponsored by: Cenzic
> > >
> > > Security Trends Report from Cenzic
> > > Stay Ahead of the Hacker Curve!
> > > Get the latest Q2 2008 Trends Report now
> > >
> > > www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------
> > --
> > Joe McCray
> > Toll Free:  1-866-892-2132
> > Email:      joe () learnsecurityonline com
> > Web:        https://www.learnsecurityonline.com
> >
> >
> > Learn Security Online, Inc.
> >
> > * Security Games        * Simulators
> > * Challenge Servers     * Courses
> > * Hacking Competitions  * Hacklab Access
> >
> > "The only thing worse than training good employees and losing them
> > is NOT training your employees and keeping them."
> >
> >       - Zig Ziglar
>
> Adriel T. Desautels
> ad_lists () netragard com
>
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------
>
>
> **DISCLAIMER
> This e-mail message and any files transmitted with it are intended  
> for the use of the individual or entity to which they are addressed  
> and may contain information that is privileged, proprietary and  
> confidential. If you are not the intended recipient, you may not  
> use, copy or disclose to anyone the message or any information  
> contained in the message. If you have received this communication in  
> error, please notify the sender and delete this e-mail message. The  
> contents do not represent the opinion of D&E except to the extent  
> that it relates to their official business.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------

Adriel T. Desautels
ad_lists () netragard com




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------