

As a startup doing consulting, we met to talk to clients about almost anything.

A conversation would start because some third party told them they needed a security assessment and we would end up with a totally customized plan to build them a security program. Sometimes we would build 100% custom security frameworks to drop into a client’s applications so that they might get, say … standardized application security event handling and propagation to their SOC.

For those who don’t understand that, all you need to know is that it takes someone who knows security and application development intimately, and feels comfortable whiteboarding a plan on the fly to be able to effectively sell that.

We had a sales person at that time, and to his credit, he repeatedly pushed me to develop more standardized products and services. He couldn’t go into every conversation as a consultative sale. Even where he could, that process itself could scale. Our VP of Sales was going to be training a fleet of security consultants to do sales. Wow.

How do you know something is standardized?

  1. If you can copy the description of the service from one proposal to another
  2. If you can come up with a common set of scoping questions
  3. If you can write down how it will work
  4. If you can train someone on how to do it

It turns out standardization wasn’t just important from a sales perspective; it was also critical from a growth perspective. How long can we rely on the few very specialized folks we have before we hit our max capacity? We need to be able to train.
