Security Businesses

How to Approach Customers with Security Issues?

stuntshell asks: "We're a group of IT Professionals and we're starting our own consulting firm. We're most systems administrators, and not business admin, nor lawyers, and we're all have worked on big companies and most of the time the job to be performed was just passed on to us. The scope of the work we're about to perform will be security related, so how do you approach a customer in this kind of business? Do you wait for them to come and ask you to test their firewall? Or do you go scanning and discovering holes on other's network for you to offer them your solution? Do write a letter/email or do you propose a meeting? What works?"

  • Aaaarrrgghh... (Score:5, Informative)

    by tekiegreg ( 674773 ) * <tekieg1-slashdot@yahoo.com> on Tuesday September 20, 2005 @09:36PM (#13610396) Homepage Journal
    Sniffing me, then emailing me to plug the holes for a price is almost the equivalent of blackmail. This may earn you one of 2 things:

    1) A very nasty letter from either management or legal telling you to cease and desist
    2) From the more nasty management/legal, a call to the police..

    The best way really, is the more conventional way, advertise, network and otherwise legitimately promote your business, this gray area finding holes and near-blackmail will get you more grief than it's worth.

    By the way and offtopic: I woulda probably had first post if my new kitten didn't continuously stomp on my keyboard. Cans of air certainly are handy...
  • No, no, no! (Score:4, Informative)

    by Otter ( 3800 ) on Tuesday September 20, 2005 @09:44PM (#13610435) Journal
    Or do you go scanning and discovering holes on other's network for you to offer them your solution?

    Absofreakinglutely do **NOT** any such thing. **NEVER** intrude on a network unless you have **EXPLICIT** **WRITTEN** authorization to do so. You're going to be very, very sorry if you make a practice of doing such things.

    I realize that it's impossible to make this point here without a stream of common-sense-impaired nerds lining up to insist that some stupid analogy makes unauthorized intrusion a great idea. You can listen to them or listen to me...

  • by hrbrmstr ( 324215 ) * on Tuesday September 20, 2005 @09:52PM (#13610466) Homepage Journal
    We're most systems administrators, and not business admin, nor lawyers, and we're all have worked on big companies and most of the time the job to be performed was just passed on to us.
    Perhaps you "IT Professionals" might want to consider a few tech writing courses to help you beef up on grammar and, I suspect, spelling. If you approached my company with a cover letter that contained sentences like the one I just quoted, your firm would be placed near the bottom of the pile.
    The scope of the work we're about to perform will be security related, so how do you approach a customer in this kind of business? Do you wait for them to come and ask you to test their firewall? Or do you go scanning and discovering holes on other's network for you to offer them your solution? Do write a letter/email or do you propose a meeting? What works?
    Do you have a security background or did you just manage to apt-get or rpm Nessus and nmap successfully? Are you certified (SANS, CISSP, MSIA, etc)? If you just plan on handing someone a default Nessus report, please - don't!

    As far as "getting the sale", what worked for salespeople that sold goods/services - security or otherwise - to your previous company/companies? That might be a good place to start. If you were never brought into sales-discussions, you might want to ask yourselves "why not?".

    What you *definitely* want to do is perform unauthorized scans and/or penetration attempts on a potential customer's external firewalls and/or servers. That will most assuredly endear you to them. Why, they might even ask to have a police escort for you!

    One of the last things you should do is approach a new career in security consulting without really knowing that part of the IT world like the back of your hand (and not just the tech bits).

    (Have you considered starting up a Starbucks franchise instead?)
  • by Nasarius ( 593729 ) on Tuesday September 20, 2005 @10:03PM (#13610515)
    Really? I thought you could just put up a website and everyone will come and give you money.

    I can't believe this got posted. Look, anyone with good advice to offer is running their own security consulting firm and probably doesn't want more competition. For more general advice, I've seen SmallBizGeeks [smallbizgeeks.com] linked on Slashdot, and it seems like a worthwhile community.

  • Re:Aaaarrrgghh... (Score:1, Informative)

    by PunkOfLinux ( 870955 ) <mewshi@mewshi.com> on Tuesday September 20, 2005 @10:03PM (#13610516) Homepage
    Kitten! Yay!
    I wish I had a cat... that walked all over MY keyboard... but no! My parents won't get a cat!
  • Here's my advice (Score:3, Informative)

    by psiber ( 722466 ) * on Tuesday September 20, 2005 @11:36PM (#13610960)

    DO NOT scan/test a company's network without their permission! This is the fast track to a jail cell. Like QuantumG said (albeit a little sarcastically), get a sales manager and expect to pay out a lot of money in advertising.

    If you think your post was well composed, I would recommend some English/technical writing classes. If you recognize your post has some grammar problems and you know your writing skills are good, I would not worry about it.

    Check out Bruce Schneier [schneier.com], Counterpane Internet Security [counterpane.com], or SecurityFocus [securityfocus.com]. Gibson Research Corporation [grc.com] is another site to check out. This is just a start to getting some background on the basics and depth of IT "security".

    I would say from the post you are not coming from a security background. Assuming you have an IT Bachelor's degree, the minimum I would recommend is for you to study for some basic security certifications (such as the CompTIA Security+ and the MCSE/MCSA: Security on Windows Server 2003 specialization) and take them if you have not already. On top of this, I would recommend doing research into security conferences and possibly even local university classes on IT security (although I recommend these with a grain of salt as there is a lot of variance between the quality and type of information offered currently). There are whole books written on this subject, so visit your local bookstores and research what they have available. My rule of thumb in evaluating books is to see how in depth they get with their subjects. If they just talk in general about their subjects with no specific examples, I typically look for something else (unless it is an introductory book, of course).

    Finally, just remember security is different to everyone (even in the business/corporate world). One company might just need you to identify their weak spots, patch them, and set up a plan to make sure they stay patched. Another company might need you to analyze everything from weak spots/patches to physical security of IT assets. Your job as a consultant would be to identify what they need (Business 101).

    Hope this helps.

  • by mengel ( 13619 ) <mengel@users.sou ... rge.net minus pi> on Wednesday September 21, 2005 @09:57AM (#13613205) Homepage Journal
    Possibly -- but do not under any circumstances do anything to a customer's system without permission in writing. This can be a "please give me an evaluation" on a pamphlet, or whatever, but get it in writing.

    Otherwise you risk running afoul of computer trespass laws...
