JohnsNotHere

873 Followers
117 Following
2K Posts

Infosec practitioner, Founder of EliteSec (https://elitesec.io), podcaster, father, and knowledge junkie. Defender of the Oxford comma, and lover of good BBQ. Posts are my own, but YMMV.

I toot about #cybersecurity topics and #entrepreneurship, plus random thoughts in between.

EliteSec Consulting: https://elitesec.io
Jerk chicken really is soul food.

Got my first Meshtastic LoRa device today. Naturally there are no other nodes nearby, but the fact I have something up-and-running is great. I'm going to take it to #AtlSecCon in a few weeks to see if anyone else is there, just as an experiment.

#meshtastic #LoRa

Lost a prospect to a new competitor today. Lesson learned, but I feel no ill will towards either of them. The client was not going to be a good fit, and the competitor is basically a GRC factory that offers pentesting as well. They were a few thousand dollars cheaper than me, but the prospect was a young startup and just not my typical client size.

I did, however, appreciate how honest they were both in terms of who they selected, why, and by how much they "beat" me. I wish them well, but honestly these numbers help a lot. Competitive analysis is expensive, I don't have the budget for it, and most people ghost me when they go with someone else, so this was all golden for me.

Do I think they're going to do a great job? No, it feels like they do pentesting as a bolt-on service, not something core. And while they boast about their roots being in the "Big 4", I don't think that's quite the flex they're making it out to be, but I can see where it will work for some folks.

As for myself, I have 2 more prospects to take their place, so I'll just be here to fit with the right client when they come along. If this was in my first year or two of operating, I would have taken it much harder. Now? No, now it's just realizing that my instincts were right. They were a referral as well, so it's not like my marketing failed, just a friend trying to do me a favour without realizing that we weren't a good match.

#entrepreneurship #businesslessons

Another solar rotation achieved. Yay.

Pricing is always a touchy subject. I have some clients who are thrilled with my pricing, others who don't question it, and then there are those that are looking to nickel-and-dime their way to get as much as they can for as little as possible.

Look, price is all relative. Compare me to another CREST accredited firm and I'll come in significantly less. Compare me to some kid in his mom's basement who will give you a report that's a glorified Greenbone report, then yes, I'll be more expensive.

The hardest part for me is getting people to know the difference. Some people just want to get the cheapest option and don't care about the thoroughness or the results. If you're okay with that, then I'm not a good fit. I have flexibility in my pricing, but we have to have some type of real discussion first. Sadly, I think today is the day that I close another prospect as "sale lost" due to their focus on price versus thoroughness. C'est la vie.

I've heard cyber compared to the medical field before. The argument is that both are constantly evolving and both cause their practitioners to constantly learn new facts and techniques. This is accurate, but before the hubris takes over, remember one thing.

For the majority of cyber practitioners, we save livelihoods. For the majority of medical professionals, they save lives. Know the difference, and don't let your ego take over because of the similarities.

I acknowledge there are exceptions of course, but those exceptional individuals are not the ones who need this message.

So, a bit of a weird ask, but hear me out.

I wrote a book on gamified tabletop exercises, called "Gamified Tabletop Exercises for Effective Disaster Recovery Testing". It's a bit of a mouthful, but you do what the publishers demand.

Anywho, it's been out for nearly a year and I'm quite proud of it. Unfortunately I have no Amazon reviews for it yet! My ask is simple: if you have purchased a copy, read the book and enjoyed it, can you please leave an honest review?

Here's the link for those curious: https://www.amazon.com/Gamified-Tabletop-Exercises-Effective-Disaster/dp/B0DNLY6B5C/


I'm starting to really hate my GRC vendor.

I used them last year to prep for an ISO27001 audit. They were great, helpful, regular communication, and just doing an outstanding job. I got my audit done in record time without issue.

Cut to this year for my surveillance audit (ISO is good for 3 years, but you need a "surveillance audit" for years 2 and 3), and I get word that they no longer recommend using the auditor that did the work for me last year. I let the auditor know that I'm cancelling this year's audit with them, citing the GRC vendor, and they were caught off-guard, saying that they still had 700+ clients that they were working with. I passed their message on to the audit team at said vendor and never heard anything back.

Now they did switch the auditor for me, but I haven't heard from the new auditors at all. I'm now trying to get any type of update from them and getting silence back. Tried reaching out to my CSM as well, but he's been ghosting me on our monthly update calls for the last 3 months, so I don't hold much hope there.

I've just updated my G2 review for them so hopefully that triggers something, but I'm seriously thinking that this is going to be my last year with them. I'll move on to someone else if I have to because this is ridiculous. I'm technically only a week overdue, but I have other schedules to maintain and can't keep babysitting this shit. I'll give them a few days to respond before making this a lot more public and doing some naming-and-shaming.

Nothing drives me nuts more than someone booking a meeting time and then ghosting me. Do that twice in one day and I'm having a bad day. Do it during a holiday that they don't have and now I'm angry. Do it after hours due to a 3 hour time zone difference and I'm downright pissed.

Feeling nostalgic today. I find myself thinking on my work history, looking up old colleagues on LinkedIn and wondering if I should reach out just to see how they're doing, but thinking that it would be weird after like 12 years of no real contact. The funny thing is that I do end up reaching out to friends who I haven't spoken to in nearly 20 years, so go figure. 😉