Dell SecureWorks Sales Meeting Presentation
TRANSCRIPT
Erwin (Chris) Louis Carrow
https://www.academia.edu/3065509/Framework_for_Effective_Information_and_Information_System_Security
https://www.academia.edu/1885148/Model_Analysis_Methods_and_tools_for_Case_Study_Research_-_generic
https://www.academia.edu/225031/InfoSec_Management
https://www.linkedin.com/in/ecarrow
Dell SecureWorks 2015 Sales Conference
Titled: “Eating Your Own Dog Food,” “Ordering off the Menu,” “What Right Looks Like,” or “My Way or the Highway”
05/01/2023
Most Wanted List for being … “Vendor Unfriendly!”
Sometimes it becomes a professional hobby to just annoy vendors [you have been warned]
I engage in a strong offense, establish imbalance, and require an immediate response…
If you waste my time, it then becomes personal and you will know it!
Typically, I know more than they do and I know their business model …
I know what I want …! Let’s not waste time and effort on what you want…
Challenged by vendors who may know their product, but not their competition’s …
I exercise transparency that kills …
Know Yourself and Know Your Enemy! (Sun Tzu’s Art of War & Thirty-Six Stratagems)
Unless WE are on the same Team …? It is Warfare! You MUST PROVE Otherwise
1st Set of Questions
What you like when working with vendors; what you don’t like.
- I don’t like vendors, in general (easy). Cold calls get ignored! Unless I initiate, it MUST be relational!
Messaging that resonates with you from vendors; messaging that doesn’t resonate well with you!
- “FREE” – never hear it! No affordable solution, service, or product, e.g., lack of flexibility.
Vendor Onboarding – how you work with a new vendor and any best practices that you like to see; or anything that has been a problem in the past.
- “We don’t need no stinkin’ vendors” – They need ME?
Security – how to build a business case when you are talking to upper management.
- Partnership, which means together we share the successes and failures; BRR Factor, Ends-Ways-Means.
2nd Set of Questions
Engaging with 3rd party vendors
- What messages [Quiet] and positioning methods [Kowtow] resonate?
- What vendor approaches are valued [Listen and don’t talk]? What approaches are non-starters [Telling me something I already know]?
- What advice would you give to sales reps who want to engage you to see if there are areas of challenge in which they and their company can assist? [Don’t call me, I will call you – I know what I want and what it should cost]
InfoSec-centric
- How do you go about building business cases to secure InfoSec funding? [BRR Factor]
- What types of business cases work and which ones fail? [BRR Factor / “Shoot from the Hip”]
- Real-life examples, if available [BRR Factor]
Well-publicized breaches over the past 15 months
- Starting with Target in DEC ’13, how has the attention level on security from Exec leadership changed since then? [Gamblers will always be gamblers!]
- Any examples of senior leadership placing new and/or recurring requests or requirements on you? [“Mature Boards” are looking for creative ways of building accountability into operational practices with measurable outcomes!]
- How has your job changed? [Hasn’t – educate, educate, … push change from below and out. Very few exceptions. Head-in-the-sand attitude used to mitigate “due diligence” regarding risk (this works until things explode).]
- What messaging to senior leadership have you seen work most effectively? [Personality based! Likeability Factor!!!]
Taking a Different Approach… The “SHIH” of Security Vendor Management:
- SHI is the situation, status, state of affairs / cultural, and confrontational impact
- SHI is the combination and integration of friendly situations, enemy situations, and environmental influences
- SHI is trends in affairs / cultural and their integrated impact on the situation
- SHI is the sum of all factors that impact performance, capability, efficiencies, and outcomes
- SHI is the posture, aspect, situation, circumstances, conditions, disposition, configuration, outward shape, force, influence, momentum, authority, strategic advantage, etc.
YOU MUST Understand:
- Decision-making (input, timelines, risk & ownership)
- Essentials (values, principles, priorities, etc.)
- Business Requirements
- Enablers, Governance, & Outcomes
Decision-making: Input, Time, Risk …
“Essentials” Required Homework
Control Objectives for Information and related Technology (COBIT®)
Business Functions and Characteristics
Enablers, Governance & Outcomes
Putting it all together…
Slide Deck Example
Proof of Concept – Product Name, and Product Functional Category or Service
Presenters:
Targeted “Business Name” / Logo
ALL TEXT IN ITALICS IS EXPECTED TO BE MODIFIED

Introduction, Purpose, and Orientation – (2 MINUTES FOR THIS SLIDE)
Guidelines
• Total presentation time 20 minutes; limit dialogue and exchange till the final slide
• All presentation materials are limited to the 5-page slide deck
• The third page slide format may be customized per the vendor’s desire or preference
• Presentation is a partnership between ‘Business Name’ Representative and Vendor
• Maintain font size and format as much as possible
• Ensure simplicity and readability; the expectation is that show & tell with basic slide content will demonstrate the product’s capability
• BRR Factor must be exemplified
 o Benefit Realization – the Institution, Community, and Other Institutions, e.g., the footprint of impact. What added value will it bring?
 o Resource Optimization – Manage Effectively and Efficiently. What will it improve?
   People – Develop and Manage Relationships; Promote Others’ Success
   Resources – Manage, Advise and Provide Technical Tools
   Time and Effort – Must be captured to determine capability and capacity
 o Risk Mitigation – identify and address the risk. What challenges will we experience?
   Strategic: Affects the entity’s ability to achieve goals and objectives
   Compliance: Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
   Reputational: Affects reputation, public perception, political issues, etc.
   Financial: Affects loss of assets, technology, etc.
   Operational: Affects on-going management processes and procedures
Product Name – Functional Category or Service
Practically “Qualify and Quantify” the “Problem and Solution” and how it applies to “Business Name” and the Vendor Partnership [Friend or Foe?]
DO NOT PRESENT THE ENTIRE VENDOR CATALOGUE OR YOU WILL BE ASKED TO STOP!
Focus on Strategic, Tactical, and Operational Business and Technical functional Objectives; Critical Tasks, Expectations, and Outcomes must be clearly communicated (3 MINUTES FOR THIS SLIDE). What does the “partnership” REALLY LOOK LIKE? Are you a part of the team or the Enemy attempting to exploit my assets?
Objectives: The product or service provides for information and information system needs – what, why, how, when, etc.
“Vision Statement” [WHY] – Answer the question: “Why is the product / service important, or what does it significantly contribute to the success and well-being of ‘Business Name’?” Focuses on the alignment with Business Name values. [Strategic]
“Mission(s) Statement” [WHAT] – Goal(s) that support the Vision for the product / service, e.g., the product / service scope of impact / footprint throughout ‘Business Name’ or the unit / department. The intended impact of activities throughout ‘Business Name’ or the unit / department (general, not particulars). This statement identifies the goal(s) and the intent (decision-making principles that guide or direct methodology) used to support value delivery. [Tactical]
Business / Technical functional tasks that support your mission(s) [HOW] – what the product or service will do for the success of ‘Business Name’ or the Unit / department. This step should include the decision-making prioritization process and how those decisions drive the business practices of ‘Business Name’ or the Unit / department. These typically are expressed as specific tasks based upon “service and support – rules and requirements” associated with the mission(s) – KPIs. Quantify measurable outcomes! [Operational]
Business / Technical owners’ roles and responsibilities [WHO] – what personnel are involved in the various key tasks, their roles and responsibilities, whom or what type of workflow it would support for notification, maintenance, reporting, etc., and whether it is interdependent with other products / services or with entities internal or external to the technical unit / department (business function matrix). [Operational]
Free-flow Slide for Vendor to describe Use Case and Work Flow
Each Product or Service offering has unique characteristics – this slide is to support the vendor’s needs that exceed the guidelines already provided. (5 MINUTES FOR THIS SLIDE)
Ensure you address any interdependent and / or infrastructure context and associated requirements. You must contextualize your product or solution with relevance as it relates to ‘Business Name’. If you have not communicated effectively, so that the audience believes that you understand the business / technical requirements, it is a “lose-lose” for the product or service being proposed.
(5 MINUTES FOR THIS SLIDE)
Value Chain Management (VCM) – ensure you address the business / technical ownership needs and requirements
Enterprise Risk Management (ERM) – ensure you quantify how it impacts the big picture down to the particulars
Total Cost of Ownership (TCO) should not be a question, and anything negotiable MUST be quantified
https://www.academia.edu/3065509/Framework_for_Effective_Information_and_Information_System_Security
https://www.academia.edu/1885148/Model_Analysis_Methods_and_tools_for_Case_Study_Research_-_generic
https://www.academia.edu/225031/InfoSec_Management
https://www.academia.edu/7267860/Information_Security_Strategy_-_Recall_White_Paper
https://kennesaw.academia.edu/ecarrow
You MUST be able to explain succinctly – Present a methodology for the Product or Service’s implementation and what it should achieve (Ends, Ways, and Means):
Considerations
Objectives
• Benefit, Resources, and Risk (Ends)
Process (Ways)
• Expectations
• Outcomes
• Effective Practices from the Product or Service MUST ensure that:
 o Expectations are met
 o Performance is measured
 o Resources are managed
 o Risks are quantified and mitigated
Types of resources involved (Means):
• Information produced and utilized by various Business Name Business / Technical owners from various systems
• Types of information (classification)
• What type of information, on which information systems, is to be accessed by which users?
• People who use or interact with the Information will include:
• Other resources that may not be IT related
Solution should identify / address (Ends, Ways, and Means):
• Risk Management Process
• Control Types: “Technical controls” are not always the answer
• Implementations will always be based upon industry standards, requirements, and practices
• Build a list of high-level objectives and outcomes to address risks, associated with measurable outcomes
Product or Service Proposed Solution
• Problem statement
• Solution statement
• Total Cost of Ownership (TCO)
 o Licensing
 o Environment and Resource Requirements
 o Professional Services
 o Training
 o Sustainment and Maintenance Requirements
• Integration
 o Automation, Ticketing, and Tracking / Reporting
 o Ticketing / Wiki
 o Cloud
 o Traditional Data Center
 o Other Service / Product Integration
High-level Project Implementation Plan requirements and Outcomes
Should Identify Objectives, Critical Tasks, Expectations, Measurable Outcomes, and Timelines
Product or Service Summary, Decision-points, and Discussion
Summary
Decision-points
BRR Factor Restatement (5 MINUTES FOR THIS SLIDE)
If the discussion goes beyond 10 minutes after you have summarized and restated the discussion-points you presented, then you have not done your job!
I AM DONE – Q&A (if desired)
"Life is like a box of chocolates. You never know what you're gonna get till you take a bite!"