Q-Data Service reveals its secrets of success

At a glance: Tips and insights from Q-Data Service

  • How did you introduce lywand to your customers?

    We invited them to a webinar with a free security scan in advance.

  • Who do you mainly offer lywand to?

    Mainly to our existing customers, but we also use the tool to acquire new customers in some cases.

  • To what extent is lywand useful for new customer acquisition?

    A pre-scan of potential new customers - of course only with their permission - helps us to create a basis for discussion and to put together an MSP offer package that is comprehensible and meaningful for the customer. This makes the decision easier for the customer.

  • How can you position and market lywand in your offering?

    For us, lywand is a component of our MSP service portfolio. This gives our customers the added value of making our managed security services more targeted and more efficient. The basic offer includes an external scan twice a month and our obligation to derive suitable measures from the results. Automatic remediation is not included. Internal scans can be booked additionally for subscribers of external scans.

  • How should negative results of a scan be handled?

    Be transparent and explain to the customer in detail how the detected vulnerability came about or why it remained undetected. And always keep in mind: The scans primarily serve to improve security and not to prove errors to the service provider. If an error appears, it should be seen as an opportunity to do better. In fact, it can also be an occasion to fundamentally assess the current service level and adjust it in consultation with the client.

The success story: Q-Data Service in an interview

Markus Müller and Christian Göbel, Managing Directors of our partner Q-Data Service GmbH, share their experiences with lywand and how they use the solution to optimise their MSP offering and further increase service quality.

Introduction

Who are you and what do you do?

I am Christian Göbel, I have been with Q-Data Service in Hamburg since 2007 and have been one of the three managing partners since 2017. I am responsible for the business area of project and new customers.

And I am Markus Müller, also managing director at Q-Data Service. I have been with the company since 2008 and am responsible for the existing customers division.

Christian Göbel and Markus Müller - Managing Directors of Q-Data Service GmbH

Our system house was founded in 1979 and currently has 25 employees. We offer holistic consulting and conception in the areas of information and communication technology, as well as technical solutions for offices and businesses and intelligent flats and houses. We specialise in the support of IT infrastructures for small and medium-sized enterprises and offer them the entire spectrum of an IT service provider with our managed services: consulting, planning, implementation and system administration.

The following applies to both of us: We are enthusiastic technicians and love to make our customers happy.

Experiences with pentest offers for SMEs

Markus, you are also a certified security hacker (CSH) and have also offered security checks to your customers in the past.

Yes, as a CSH - although I would now call myself an IT security professional - I of course wanted to offer our customers a good service. For example, I suggested doing a network hardening, searching for leaked data on the darknet or carrying out a pentest now and then to find out what the attack surface looks like.

How did your customers react?

To be honest, incomprehension was the most common reaction. This was usually followed by questions like "why do you want to test your own security solutions? They should work, right? I don't need anything like that". If I had aroused at least mild interest, I usually got to hear "how long does it take you? What, three days? And that for an hourly rate of about 180 euros [common at the time]? I'll have to think about that", and so on.

However, you have carried out quite a number of pentests. What is your experience with them?

We quickly realised that we could only sell them to a limited extent. The rather low demand on the customer side was one reason, the lack of time on our side the other. The effort that goes into these projects is immense. You want to do the test conscientiously and you spend a lot of time in various forums checking scripts, making adjustments and reading things up again. You can spend days on that alone.

Once you have completed the testing phase, you have to summarise all the results in a document called the cyber report. In many cases, you have to consider different decision-makers in the company when preparing the results.

An IT manager may want a more technically detailed report, while management prefers a simple but coherent presentation. Depending on the size of the network environment being reviewed and the number of contacts with whom reporting had to be coordinated, it took at least one week and up to several weeks to complete a project. Our experience with pentests could be summed up somewhat exaggeratedly as follows: No time, no money and no understanding.

Approximately how often have you conducted pentests so far?

Rather sporadically. About every three years I have carried out a more extensive one, of course also internally at our company, to stay in practice, otherwise I have regularly carried out laboratory tests. The tools you use for this are tailored to enterprise environments and certainly have their justification for existence, but we could not pack the costs incurred for this into an attractive offer for SMEs. Therefore, we have not actively sold pentests to customers so far. However, that changed when we discovered lywand.

Integration into the portfolio and introduction to customers

How did you become aware of lywand?

It was around the end of 2021 when I noticed an article in IT-Business entitled: "lywand renovates corporate IT security".

Article about lywand in IT-Business

It sounded so interesting that I contacted lywand directly for a test licence. I then tried and tested it in-house. I was very impressed with the results I received: Compared to the enterprise tools I had cross-checked the lywand solution with, it delivered the same reliable results. However, I liked the presentation, i.e. the cyber report, much better: generally understandable, with an optional technically more detailed view. The lywand solution was ideal for us when it became available as an MSP model through Fokus MSP Distribution.

How did you introduce the lywand solution to your customers?

We invited our customers to a webinar and offered all registered participants a free security scan with lywand in advance, without obligation. At the webinar, when we presented the solution in more detail, they already had a short report. We then got into conversation with our customers about this. The majority of them were enthusiastic and said "it is great that you are doing something like this now" and then decided in favour of the solution.

How did you integrate lywand into your portfolio and how do you offer the solution?

We have put together a package for our customers in the area of "managed security audit": "managed security audit external" includes up to ten external targets and two standard scans per month in the basic package. The associated services on our part include the weekly review of the management reports and the derivation of appropriate actions.

For example, if lywand discovers that the WordPress version of the website is outdated and recommends an update, we contact the service provider responsible for the website and check whether and when the error was fixed.

An immediate error correction by us is not included in our basic package, because it also depends on which other services the customer has booked with us. Depending on the services the customer has booked with us, the error correction will be carried out in an existing contract framework or in a separate project. We also offer the internal scan, but the prerequisite for booking is that the customer has already subscribed to the external scan.

lywand in the consulting process

How does lywand affect your advisory process?

It is easier for me to approach my contacts on the client side. In general, it is important for me to find a common level of communication with my clients and to convey the facts of the matter to them without using technical jargon in a way that they understand. The management report and the additional pictorial representation of a house with defects provides me with an entry point that everyone can follow immediately.

Preview of the management report and the house analogy

If I talk to an IT manager, I can switch to the technical version of the report and go through it with him. I think for me it reduces the effort of having to build up understanding with the client, but at the same time the client is also in a better position to understand the whole thing and ask the questions that are relevant to him.

How do you deal with a bad security rating, or how do customers react?

That was one of the first things we heard about lywand from customers: "Are you not afraid to find bugs of yours?" And we can say that in the overwhelming majority of cases, the vulnerabilities discovered were in third-party solutions. Often you implement things that the customer urgently needs. That is just part of the everyday life of a service provider: we make the customer happy as quickly as possible, but in cases of urgency, comprehensive quality management falls by the wayside in advance. So far, there has only been one case where a security gap could be traced back to us. This was an older trainee project that had been set up in the DMZ, so it posed less of a risk. Nevertheless, we were not aware that it still existed for two years.

But: With the permanent use of lywand, we notice such "careless mistakes" earlier than usual and gain helpful insights for our future work. On the one hand, it is a tool for checking the quality of our work - and fortunately it regularly confirms our conviction that we do good IT - but also for long-term quality improvement. And to the client it shows conscientiousness and our commitment to achieving the best possible result. And the grading provided by the solution also helps, because most of the time the client says: "What do we have to do? I want an A here, or at least a B." So, if you know you have done well, you have nothing to fear. And discovered weaknesses should rather be seen as a chance to become even better.

How does lywand support your daily work?

The automation helps us to streamline and accelerate our processes. The operation of the tool does not require any training, each of our employees can handle it. The results of the scan not only tell them where there are which "construction sites" at our customers, but also, through the action plan, what needs to be done and which "tools" are necessary for this.

So they can just get started, applying the skills and craftsmanship they already excel at. We can get straight to work without having to teach our staff in-depth security analysis skills or recruit specialist staff. So we did not have to change anything organisationally, but we can now carry out security checks much more frequently and work more efficiently to close security gaps for our clients.

lywand as a sales tool

To what extent does lywand support your sales process?

First and foremost, we offer lywand to our existing customers. Our customers receive the solution monthly and we discuss management reports with them once a quarter in a personal meeting. Depending on the weaknesses we have discovered, we can discuss with the customer which service enhancements would still make sense for them. It also helps us to make our service offer more understandable and coherent for our customers. The lywand solution, so to speak, is the last piece of cake that completes our service package.

Managed security audit with lywand in the "MSSP-circle"

We have also used lywand several times for new customer business, which in itself is a laborious thing: You present your concepts there to the best of your knowledge and belief and everything is wonderful during the conversation, but after you are out the door, you often hear nothing more from the prospective customer. Or there are follow-up questions or requests for changes and you quickly make two or three appointments with the customer - but this invested time is usually at the expense of the product margin.

Now we ask interested parties if we can carry out a lywand scan in advance. This way we can find out what the customer's construction sites are and can then talk about a suitable service package in a targeted way - and in such a way that the customer also understands exactly what it is all about. I think this way, both sides leave the conversation with a higher level of satisfaction, because you have the feeling that you have developed a suitable solution together.

Dear Christian, dear Markus, thank you very much for the experience report and good luck with lywand!

Teresa Leonhartsberger

May 22, 2023

Category

Guide