Had an email exchange with an unknown sales person from a company I have never heard of before:
Email 1:
PSG: We are blah blah managed security provider doing SIEM, IPS monitoring, etc. Do you have 15 minutes for a call?
Me: No. We do these in-house and have no need for your services.
Email 2:
PSG:
Thank you for the feedback. Generally, when a client has an in-house SIEM tool, I like to always ask the following questions to help better understand if the tool is effective.
- What are you doing for alerting for all your critical devices?
- If you had a breach, how quickly would you know about it? How effectively would you be able to react?
- Do you feel that you have it fully deployed in your environment for all your critical devices?
- Do you have a dedicated staff to support this tool effectively?
I know these are tough questions to address over an email. Would you be available for a 15 minute call this week?
Me: No. This is information I would not discuss without an NDA and a legitimate business reason.
Email 3:
PSG: You are right. Here is our mutual NDA--please sign and send back and then we can discuss.
Me: No. I have no "legitimate business reason" to discuss this with you. Please take my name off your list.
Emails are a bit abridged except for email 2, which is a copy-paste of the original.
I could answer 4 I suppose, but 1-3 would be considered highly confidential information.
Perhaps my first mistake was engaging with him in the first email, but I sympathize with sales people and wanted him to use his time efficiently by knowing that he will not make a sale here.
But the subsequent emails, apart from putting himself firmly in my blackhole list, got me thinking.
How much does it take to set up a website, print some business cards and get an 800 number? I think $1000 is adequate. Even better--invite a number of local security people to a lunch-and-learn. At about $50/head (3-course meal at a mid-range steak house in the Metro Boston area), an attacker can get pretty good information by asking just one question: "What keeps you up at night?"
I've been to area meetups where security people describe internal controls or security problems in front of a room full of strangers.
We do awareness training for general users. Is it time to do a specialized awareness training for security people?