Are you communicating with prospects through your problem prevention audits in a way that they’ll understand, or even care about, what you’re telling them?

Using the information you get from your assessment tool in the right way to help identify their gaps and find paths forward is critical to their perceived value of you and your services. I know you probably have a long list of standard issues to bring up in your network readout, but is all of that detail helping (or hurting) you in closing new deals and protecting more networks?

Yes, user account information, router, firewall and IDS should all be a part of your assessment. Same with who is able to access what and what third-party vendors are doing (or could be doing), along with their vulnerabilities. I definitely think you need to bring up some information about employee cyber hygiene.

But when does your assessment get so crammed with detail that it ends up killing your chances of closing a new deal? How much information is enough to get the job done? How much is enough for them to realize that you know your stuff and have solutions that will actually help shore up network security?

When to get granular?

I’m not saying that your complete report should just give an owner, CEO, or decision maker a simple 10,000-foot view of their network. There is a place and time for some granularity. There are certain pieces of information, certain details, that will hit home to any decision maker. This might be especially true now with more remote workers.

Remember, detail is meant to provide context to problems with their network.

When you get down to the nitty gritty details, here are 5 BIG areas I would focus on:

Public WiFi Connections: point out where team members have been connecting to public WiFi and elucidate the problem with a story. I’m sure you can think of (or at least Google) airport WiFi man-in-the-middle attacks and get the details on some juicy (and frightening) truths about trusting public WiFi.

Un-Expiring Passwords: you will probably see un-expiring passwords in the computer list that you’ve analyzed. Focus on telling a story about why password hygiene is still important.

Cracked Passwords: having identified un-expiring passwords is a great introduction to cracked passwords. Pick out some key people that might need some password updates and show leadership that you have the capability to clean their house.

PII Out In The Open: as you assess key individuals in payroll, accounting and HR (these are gold mines of PII), make sure to point out risks with having PII wide open for a hacker to see with just one clicked link.

Security Not Working As Planned: every issue that you can make personal will tie back to broader security issues. There’s no question in my mind, if you can glean WiFi, Password, PII, Search History, or other data from a machine, that there are underlying security problems with their network, security issues you can help talk through with them.

Get singular

Even more than simply reading out detail, try to pinpoint single issues that will pack a punch and really communicate the issues. Pick out a couple of issues that personally relate to a CEO, CFO, or other decision maker. Make sure to ask questions about what they are doing and tie in other problems on the network to those specific points.

For instance, when you are pointing out PII or passwords found on the network, focus in on a couple that might hit home to the people making the decision and then dig a little deeper. Relate the very personal issue back to other issues on the network, like firewalls not blocking the information from leaving their network, or alerting (such as antivirus or a SIEM) that should have triggered when the executable started scanning the computer.

Get consistent (in your review process)

If you’re not consistent in your readout, you are probably missing key communication points with your attentive audience. If you aren’t relaying horror stories that explain why the issues you discuss are big problems, you are probably losing interest quickly. If you sidestep topics because they didn’t come up in your analysis, that’s one thing, but what I’ve found useful is having some canned storytelling to simply make people aware of risks and reinforce that they are at least doing some things right. No one wants a problem picker; they want someone who will lay out the facts and come off as an authority. An authority’s opinion will be more respected when they discuss BOTH the problems AND the areas that are currently being done well.

Being consistent in your readout, focusing on key security areas even when some may not be of concern, will definitely set you apart as less of a biased sales call and more of a person perceived as adding value and helping the organization.

The Bottom Line: your prospects want to be told what’s happening. They don’t just want the problems. They need to relate to the issues in order to make an internal decision on how to move forward. Even if they don’t go with your offer, if you stick to your talk tracks and readout strategy, you will be able to get them to value the service you’re providing (and even earn referrals!).
