JohnsNotHere

Infosec practitioner, Founder of EliteSec (https://elitesec.io), podcaster, father, and knowledge junkie. Defender of the Oxford comma, and lover of good BBQ. Posts are my own, but YMMV.

I toot about #cybersecurity topics and #entrepreneurship, plus random thoughts in between.

EliteSec Consulting: https://elitesec.io

Lost a prospect to a new competitor today. Lesson learned, but I feel no ill will towards either of them. The client was not going to be a good fit, and the competitor is basically a GRC factory that offers pentesting as well. They were a few thousand dollars cheaper than me, but the prospect was a young startup and just not my typical client size.

I did, however, appreciate how honest they were both in terms of who they selected, why, and by how much they "beat" me. I wish them well, but honestly these numbers help a lot. Competitive analysis is expensive, I don't have the budget for it, and most people ghost me when they go with someone else, so this was all golden for me.

Do I think they're going to do a great job? No, it feels like they do pentesting as a bolt-on service, not something core. And while they boast about their roots being in the "Big 4", I don't think that's quite the flex they're making it out to be, but I can see where it will work for some folks.

As for myself, I have 2 more prospects to take their place, so I'll just be here to fit with the right client when they come along. If this was in my first year or two of operating, I would have taken it much harder. Now? No, now it's just realizing that my instincts were right. They were a referral as well, so it's not like my marketing failed, just a friend trying to do me a favour without realizing that we weren't a good match.

#entrepreneurship #businesslessons

Another solar rotation achieved. Yay.

Pricing is always a touchy subject. I have some clients who are thrilled with my pricing, others who don't question it, and then there are those that are looking to nickel-and-dime their way to get as much as they can for as little as possible.

Look, price is all relative. Compare me to another CREST accredited firm and I'll come in significantly less. Compare me to some kid in his mom's basement who will give you a report that's a glorified Greenbone report, then yes, I'll be more expensive.

The hardest part for me is getting people to know the difference. Some people just want to get the cheapest option and don't care about the thoroughness or the results. If you're okay with that, then I'm not a good fit. I have flexibility in my pricing, but we have to have some type of real discussion first. Sadly, I think today is the day that I close another prospect as "sale lost" due to their focus on price versus thoroughness. C'est la vie.

I've heard cyber compared to the medical field before. The argument is that both are constantly evolving and both cause their practitioners to constantly learn new facts and techniques. This is accurate, but before the hubris takes over, remember one thing.

For the majority of cyber practitioners, we save livelihoods. For the majority of medical professionals, they save lives. Know the difference, and don't let your ego take over because of the similarities.

I acknowledge there are exceptions of course, but those exceptional individuals are not the ones who need this message.

So, a bit of a weird ask, but hear me out.

I wrote a book on gamified tabletop exercises, called "Gamified Tabletop Exercises for Effective Disaster Recovery Testing." It's a bit of a mouthful, but you do what the publishers demand.

Anywho, it's been out for nearly a year and I'm quite proud of it. Unfortunately I have no Amazon review for it yet! My ask is simple, if you have purchased a copy, read the book and enjoyed it, can you please leave an honest review?

Here's the link for those curious: https://www.amazon.com/Gamified-Tabletop-Exercises-Effective-Disaster/dp/B0DNLY6B5C/

I'm starting to really hate my GRC vendor.

I used them last year to prep for an ISO27001 audit. They were great, helpful, regular communication, and just doing an outstanding job. I got my audit done in record time without issue.

Cut to this year for my surveillance audit (ISO is good for 3 years, but you need a "surveillance audit" for years 2 and 3), and I get word that they no longer recommend using the auditor that did the work for me last year. I let the auditor know that I'm cancelling this year's audit with them, citing the GRC vendor, and they were caught off-guard, saying that they still had 700+ clients that they were working with. I pass their message on to the audit team at said vendor and never heard anything back.

Now they did switch the auditor for me, but I haven't heard from the new auditors at all. I'm now trying to get any type of update from them and getting silence back. Tried reaching out to my CSM as well, but he's been ghosting me on our monthly update calls for the last 3 months, so I don't hold much hope there.

I've just updated my G2 review for them so hopefully that triggers something, but I'm seriously thinking that this is going to be my last year with them. I'll move on to someone else if I have to because this is ridiculous. I'm technically only a week overdue, but I have other schedules to maintain and can't keep babysitting this shit. I'll give them a few days to respond before making this a lot more public and doing some naming-and-shaming.

Nothing drives me nuts more than someone booking a meeting time and then ghosting me. Do that twice in one day and I'm having a bad day. Do it during a holiday that they don't have and now I'm angry. Do it after hours due to a 3 hour time zone difference and I'm downright pissed.

Feeling nostalgic today. I find myself thinking on my work history, looking up old colleagues on LinkedIn thinking if I should reach out just to see how they're doing, but thinking that it would be weird after like 12 years of no real contact. The funny thing is that I do end up reaching out to friends who I haven't spoken to in nearly 20 years, so go figure. 😉

Bottom line is be true to yourself, and don't feel obliged to do something for folks who haven't been there for you for a long time.

An old boss is retiring today. I was invited to join the festivities, but I declined. Why? We didn't leave on great terms, and my final years at that company were brutal.

Don't get me wrong, he's a nice guy and a good leader, but he has a bad habit of ignoring anything that doesn't interest him or that he doesn't understand. Case in point: I was their CSO (chief security officer), but I also did DevOps and was one of the first devs too (yay for startups!).

On my last day, he didn't show up, but told me that he wanted to work from home the day before. I didn't mind, and told him it was fine. I was sincere. What pissed me off is that he scheduled a "QA-blitz" with the entire team during lunch on my last day. This means no going away lunch with colleagues.

Prior to that, it had been at least 3 years since I had a proper performance review. I'm very self-sufficient, but some form of acknowledgement was appreciated at least.

About 2 years after I left, I offered my pentesting services to them at a discount. I was still fresh with EliteSec, but I wanted to milk my network. I had great success with others in my network, so I figured a place I helped build from the ground up (I was employee 13, left when they hit 200+), surely they'd be up for it. I was wrong.

I approached the guy who took over my responsibilities (poor bastard), and he was interested. But a few days later he told me that my old boss (his boss), had vetoed everything saying that "It wouldn't look good if people saw that our former CSO was the one doing the pentest now." That was almost 5 years now, and it still stings. Truth is I know where the bodies are buried, and they don't want them dug up.

Whatever. Most of the old leadership has now left (acquisitions, VC takeovers, etc.), so maybe one day they'll consider me again. One thing is certain, however, I still hold a grudge and sure as shit am not going to go out of my way to celebrate his retirement.

Friendly reminder, if they say you're a "family", get the fuck out. This place went from great to ick over many years, but I got out before it became ridiculous. Still, it hurts to see what it's turned into.