Episode 153 includes:
- 00:00 The 2% mindset for successful people
- 07:19 How to grab anyone's attention on LinkedIn
- 14:43 A potential new automated Pen Test revenue stream
- 26:37 A great book recommendation about realising any goal
Featured guest:
Thank you to Alton Johnson from Vonahi Security for joining Paul to discuss a potential new automated Pen Test revenue stream.
Prior to Vonahi Security, Alton worked at several large and small cybersecurity consulting firms as a Principal Security Consultant. Throughout his professional career, he has performed hundreds of security assessments for organisations ranging from small businesses to Fortune 10. He also regularly attends information security conferences and has spoken at DerbyCon as well as local communities.
Connect with Alton on LinkedIn:
https://www.linkedin.com/in/altonjx
Extra show notes:
Episode transcription
Voiceover:
Fresh every Tuesday for MSPs around the world. Around the world. This is Paul Green's MSP Marketing Podcast. Podcast.
Paul Green:
Hello and welcome back to the show. This is what we've got lined up for you this week.
Alton Johnson:
I want to talk to you about how you can use vPenTest to generate additional revenue for your customers by performing automated network penetration testing engagements.
Paul Green:
That's Alton Johnson. He's an ethical hacker who's created a fully automated pen testing tool. It could go on to be a brand new revenue stream for your MSP. We're also going to be talking about messaging using LinkedIn. I believe this is underutilized by most MSPs. So today I've got some specific guidelines for you, including how to catch anyone's attention.
Voiceover:
Paul Green's MSP Marketing Podcast.
Paul Green:
I want to start this week by talking about success and successful people, and the mindset that those people have. Now, before we can start doing this, I think you and I need to have a clear definition of what I mean by success. I do not see success as having a 17 bedroom house and long gravel driveway and a James Bond Aston Martin parked on it. I don't see success as a private jet or constantly being on holiday or having your own yacht, or anything like that. I see success as a very clear and simple thing, something that's achievable by every single person. My definition of success is where you have more than enough cash and more than enough time to do exactly what you want to do with your life. That's it. It's an absolute simple measure of success, and you can now apply that to yourself and say, "Am I successful?
Paul Green:
Have I got more than enough cash and more than enough time to do the things I want to do with my life?" I consider myself to be partially successful, well, on the way. I have more than enough cash, which is a lovely position to be in, and I've been in that position for a number of years. Time wise, perhaps a little bit squeezed, and that's more to do with my life. I'm a sole parent of an epic 12 year old. Yes, I'm talking about you. And that tends to squeeze your time more than work stuff does. But I would, I guess, on that measure, consider myself to be reasonably successful. There's very few things that I want to do that I can't do, and I'm certainly not held back by lack of cash. It's perhaps more lack of time. Just schools and things get in the way of going to the seashore for a month. Anyway, that's to come in the years ahead.
Paul Green:
Now, the reason I have gone to such lengths of how defining what success is, is because I have deliberately and systematically over the last 10 to 15 years, surrounding myself with successful people. Virtually all of my close friends are always wildly successful in their respects. Now, some of them happen also to be rich, but I remember that's not my definition of success. All of them have more than enough cash, and most of them have more than enough time to do all of the things that they want to do with their lives. And as I say, I systematically gathered these people and have gone out of my way to be friends with them because I believe, as I think I've said on the podcast before, and this comes from, I think it's Jim Rohn who's an entrepreneur, and he said, "You are the sum total of the five people you spend the most time with."
Paul Green:
So if I'm going to be talking to people on a regular basis or going to see them or hanging out with them, I want them to be the right kind of thinkers. I want them to be people who are going to add to my life and I can add to their life. I have no time for people who aren't contributing. I'm nearly 50. I haven't got time to hang out with negative people. I've only got time to hang out with successful people. And you can learn from those people and they can inspire you and they can challenge you to do more. Now, what I've noticed of successful people is that the vast majority of them have the 2% mindset. Now, this is something I read about on a website years ago, can't remember the website, but I remember the theory. The theory is that 98% of people are scared to change the status quo.
Paul Green:
They're scared to do something different. They're stuck in their own comfort zone. And the only thing that will push them out of that comfort zone is external events happening to them. And certainly if I think of some of my other friends, some really good people that I've known for years and years, and talked to once or twice a year, most of them, they don't run their own business. They work for someone else. And most of them will just sit and stay happily in their comfortable jobs for a number of years until something comes along and disrupts them. They may be redundant or the business moves, or typically it's some kind of interruption to their comfort levels, perhaps they have a new boss or something like that, or they have another child and suddenly the house isn't big enough for three kids, whereas before it was for two.
Paul Green:
But essentially they are reacting to external events moving them out of their comfort zone. That's the 98% of people, and the risk for you is that you get stuck in that 98%. The top two percent of people who think very differently and act very differently, these are the people who are most likely to be successful, to have more than enough cash and time. The top two percent of people, they go for their dreams, they embrace the unknown, they push themselves out of their comfort zone, and they do this systematically again and again and again. And actually these two percent thinkers, they actually experience more failure than everyone else because they're trying harder. They're pushing themselves, they're doing new things. If you didn't experience failure on a regular basis, it's because you're not trying enough new stuff. In fact, perhaps this is the big takeaway from this week's show for you, ask yourself, "When was the last time we failed at something?"
Paul Green:
Failed at something new. I don't mean just things going wrong in the business, but when did you try something new and it didn't work? Now, if you consider that lots of new things shouldn't work until we try lots of different ways to get to where we want to go, and to try this different thing, then obviously you've got to limit the possibility of the cost of failure. I fail at stuff all the time, but I won't throw $10,000 at a new idea. I'll throw perhaps $1,000s or $500 at a new idea to test it, because I know it's likely to fail. But I also then know, tweak, tweak, tweak, tweak, tweak, tweak, tweak and keep going, and eventually you'll find some version of that, that will work in some way.
Paul Green:
That's what the two percent mindset is. Give yourself an audit throughout the rest of this week and the weekend. You, your partner, your family, your business partner, if you've got one, are you in the 98% of people who are just comfortable waiting to be disrupted or are you in that two percent, that magical two percent of big thinkers who are willing to move themselves out of their comfort zone and get towards that wonderful success?
Voiceover:
Here's this week's clever idea.
Paul Green:
Tell me, have you built LinkedIn messaging into your MSP's marketing system? Because LinkedIn messaging is gorgeous. First of all, you benefit from 100% guaranteed deliverability. You can't say that about email, can you? You have no idea whether or not your email gets to someone. But you know when you send a message within LinkedIn, it's an internal message. It's an internal system so you know that your message is delivered. You can't guarantee they'll read it, of course, because some people don't check their LinkedIn messages often, but hey ho, at least we know it has actually got into their inbox. The next thing that makes LinkedIn messaging beautiful is the fact you've got people who kind of know each other, messaging each other, even though they don't actually know each other. And what I mean by that is you connect to people on LinkedIn and you're now connected, you're friends. You're not really friends on LinkedIn, are you? You're just connections. But once you're connected with someone and you send them a message, obviously they're more likely to open or read your message, which is just what makes it beautiful.
Paul Green:
I think the other beautiful thing about LinkedIn messaging is that LinkedIn wants it to work. You'll notice if you go in... And by that I mean algorithmically and design-wise, it's constantly interrupting your LinkedIn experience to tell you you've got a message. Drives me crazy when I go into LinkedIn. I check my LinkedIn once every day, sometimes twice a day, and it drives me crazy to go in and look at my LinkedIn screen. And then you've got all those new messages that stack up at the bottom. So I don't know what it's like in the mobile view cause I very rarely do it on mobile, but certainly on desktop it's just they're interrupting.
Paul Green:
I don't know if it's deliberate UX usability design or just poor UX, but it interrupts my use of LinkedIn, which is fine, I can live with that. It shows that LinkedIn is keen for you to use messaging a lot. So everything is in your favor with LinkedIn. I'll tell you what else is in your favor is, you'd be surprised how few messages are sent. So I'm connected to roundabout, I think it's about 7,000, might be a little more MSPs, mostly MSPs and some vendors as well. And I get two or three messages a day. And by that I mean messages where I'm not already in a conversation thread. Someone new who's connected to me has sent me a message. I don't get that many emails, which are the sponsored messaging. I wouldn't bother with those at all. But even with seven odd thousand connections, I'm not being bombarded with new messages every day. I'm getting a very small amount of new messages.
Paul Green:
That's the opportunity for you, because if I'm not being bombarded, then your prospects aren't being bombarded either. Send LinkedIn messages, don't try and sell to them on LinkedIn. There's nowhere in an MSP's marketing channels where you should be out and out selling to them. You've got to educate them, you've got to entertain them, which is edutainment. Now, the beautiful thing about LinkedIn messaging is you know exactly who you're sending the message to, and because of that, you can make sure that that message is highly relevant. In fact, all good marketing works primarily because it is highly relevant to the person who is seeing that marketing.
Paul Green:
So if for example, you were messaging a lawyer and you wanted to draw their attention to, I don't know, let's say you worked with other lawyers and you knew there was a tweak or setting in some lawyer software, which you wanted to educate them about. You wanted to show off your expertise by telling them that you'd found this and here's how to do the settings and here's how to change it. If you know they're a lawyer, and you know that their primary interest in technology is bound to be, "How can technology help me sue people or ambulance chase faster?" Then you put that into your message right down to at the start of, "Hi Steven, tell me, do you use..." insert software name question mark. "Because if you do, there's a useful setting we've discovered for our lawyer clients, which you might find useful."
Paul Green:
Now, even if they don't use that particular software, they will still read that message. Will be more likely to read that message because it seems relevant to them. In the same way that if someone sent you a message, let's say you used Autotask and someone sent you a message about Halo and HaloPSA and how to change your setting on that, you wouldn't read it all in great detail, but it would register for you that here is an expert in PSAs. So, it doesn't matter that you don't have to hit exactly the software that they're using, but just taking stuff from their world.
Paul Green:
I think case management software is what lawyers use. So, if you wanted loads more lawyers or you had some lawyers, you just find out the names of all the case management software that's popular and you build that into some kind of blog article and then you send that out to the lawyers via LinkedIn messaging, highly relevant. They're highly likely to open it and maybe to read it, and maybe some of them will even go onto your website and have a look. And isn't that the goal? The goal here is engagement. Some of them will also hit reply to you and just ask you a question or just engage with you in some way. Remember, the whole point of all the things that we're trying to do in our marketing system is about finding groups of people, audiences to listen to you. And then we're trying to build a relationship with those people. That relationship is done through communication, is done through content marketing, and through engagement. And if you're not already using it, I highly recommend that you pick up LinkedIn messaging as one of your distribution channels.
Voiceover:
Paul's blatant plug. Blatant plug.
Paul Green:
If you're here because you are truly serious about growing your MSP by improving its marketing, then come and join me and 1,700 other MSPs to talk about exactly how you do this. We have a great free resource, it's a Facebook group. It's the MSP marketing Facebook group, and I run this. I'm in there every single day answering your questions and inspiring you with more great content like we have here on the podcast. Just tracking through some of the recent posts. They've got a question here for me, "How do you track how much technician capacity you have available to sell?" Steven says, "That's an interesting question. Maybe it's all down to time for us. Each engineer has a 40 hour work week. We expect 35 of those to be billable in one shape or another." That's a great reply there. Another question here. Oh, this is about a story that was in the news a few months ago about a government minister in Japan, declaring war on floppy discs.
Paul Green:
I didn't know floppy discs still existed. Here's another one for me, "As the MSP owner, your most precious commodity is your personal time, it must be protected above all else, discuss." There's tons of inspirational posts in there and practical help as well. If you are an MSP, you are welcome to join. I'm sorry, vendors, that's the one thing that we ask you not to join because it is a vendor-free zone. So go into your Facebook app on your phone, type in MSP marketing at the top, go to groups and you'll see my little face. Stab your finger right onto the top of my face and that will get you into the group. A few quick qualifying questions and I look forward to seeing you in the MSP marketing Facebook group.
Voiceover:
The big interview.
Alton Johnson:
Hey, my name is Alton Johnson and I'm the founder and principal security consultant here at Vonahi Security. And we have an automated network penetration testing platform that fully automates network penetration test engagements. So, basically replacing what I used to do full time as a pen tester for the last 10 years.
Paul Green:
And we're going to talk about pen testing and how to actually turn it into a profit center today. Before we get started though, you and I have something in common, Alton. We've actually only met today for the first time, but back in July this year you won the Channel Program Pitch with Matt Solomon and with Kevin, and I then won the August one. And I'll let you into a little secret, because the way... If you haven't heard about the Channel Program Pitch is a load of vendors come on and they pitch their product and then the MSPs who are there, and we're talking several hundred, they then get to vote for who's the best pitch. I'll let you into a secret, Alton, as part of my prep for my pitch, my winning pitch, I watched your winning pitch. So thank you. Thank you very much.
Paul Green:
I actually watched yours three times over and broke down what you've done and your secret, which I'll reveal now for all the other vendors who are doing it. Your secret, which is what I stole, is you talked about MSPs, you didn't talk about what you do. You talked about them, which is a pretty smart move. So, let's talk about pen testing. Now, as you know, I'm not a technical person. I've never owned an MSP. And just hearing a phrase like pen testing just makes my eye twitch. It makes me feel funny cause it feels too technical. But I am conscious that from all the conversations I've had with hundreds and hundreds of MSPs, everyone's aware of it, but very few people are actually doing it. Why is that?
Alton Johnson:
Yeah, so I think there's two things, right? There's a lack of understanding of the value of penetration testing, and I think for the MSPs that do understand what a pen test is, there's just a lot of challenges. So for example, they kind of touched on the first point, a penetration test is basically going in... Not just finding the vulnerability, but actually exploiting the vulnerability to show the impact. Because a lot of MSPs are doing vulnerability assessments, so they're aware of the vulnerabilities that exist, but they're not aware of how those vulnerabilities will actually impact the business if they were to get compromised.
Alton Johnson:
So that's where a pen test comes in. The pen test goes, "All right, yeah, you have a lot of vulnerabilities, but let me show you exactly what this means if an attacker was able to compromise this." So the pen test is focused mostly on the impact. Here's confidential data because of this vulnerability. Here's a low vulnerability that your vulnerability scanner told you wasn't a big problem, but here's the proof that it is a big problem because here's your social security numbers that are in your database. So it truly hits home.
Paul Green:
Which of course has more impacts, doesn't it? Because if you can show someone data that they think no one else can access, that's going to utterly... Well, I was going to say terrify them. It's a level more than terrify, I'd imagine.
Alton Johnson:
Exactly. So it really hits home a lot more. There's a lot of companies that have been doing vulnerability assessments for years and they get their first pen test, and they're just like, "Wow, I didn't even realize it was this bad," because there's so much focus on the impact. But then the other thing too is the cost. So traditional cybersecurity companies, they charge a ton of money for pen test engagements. I mean, it's so expensive that SMBs typically can't afford to go spend 10 grand for a pen test. It's just not a thing. So there's the MSPs that do understand that their customers need pen test engagements, but they just can't satisfy that need because it's too expensive. It takes a really long time to get it going.
Alton Johnson:
For example, if they can afford it, when now there's a four or five week process of just scheduling and scoping and logistics. And then once the project actually gets started, there's another month or two. So it's a long, tedious, expensive process that it's just a huge headache at the end of the day. But yeah, I think those are really the two biggest reasons behind it.
Paul Green:
So, tell us about your career as a manual pen tester. How did you get into this in the first place?
Alton Johnson:
Yeah, so I've actually been hacking since I was a kid. I was just a bored kid, didn't really care for school too much. I just wanted to go back home and get on the computer. Somebody hacked me, showed me how they did it and I became very curious about getting access to computers. And so I got my first cybersecurity job when I was around 19 or so. And I've been doing pen testing for a while. I really got started just doing IT stuff, like securing and managing a network, deploying hardware, things like that. Then we had a cybersecurity company come in to do a security assessment for us. And I was just mind blown. I was like, "You can actually get paid to hack? This is a real legit profession? I want to do this." So that's kind of how I got started into the industry. I got my first opportunity and I just took it and just ran with it.
Paul Green:
And what's the best reaction you've ever had from someone when you have got through their defenses and you've physically shown them, "Here's some data that I acquired from your business?"
Alton Johnson:
I think one of my favorite things that I'll never forget is we did a penetration physical assessment for a gas company. And basically our goal was to get in and get as much assets as possible, and we did before we even... because we went on site and we basically walked into the headquarters, got beyond the physical security controls, got access to the network, went back to the hotel, and compromised the entire domain from the hotel. And so when we finally went back on site to meet the client, he was basically, "Hey, my name's Alton," and I had a coworker. And we were like, "We have access to everything." And he was just mind blown at all of the different security layers that we went past. So, that to me was always one of my favorites.
Paul Green:
Yeah, I bet you've heard... There's a book I've read, or actually I listened to it, couple years ago now and I can't quite remember what it's called, might be Ghost in the Wire. This guy called Kevin Mitnick, I think. And at one point he was the FBI's most wanted hacker. And you talk in there about how you just went in somewhere. Often his hacks were as simple as just social engineering his way into a building or onto a phone call, or something like that. And obviously there's some technical expertise. Have you read that before?
Alton Johnson:
Yeah, I've read two of them by Kevin Mitnick, and I've actually met him at Defcon once before and it was pretty cool. So yeah, I definitely know a lot about him.
Paul Green:
Yeah, and it's an interesting book, even if you're not in technology. As a non-tech person myself, I found it fascinating and horrifying at the same time. So Alton, you've developed an automated platform. So as we said right at start, pen testing is perceived as difficult. Many MSPs don't really know how to implement it properly. What made you want to create this automated platform?
Alton Johnson:
Yeah, so it was pretty interesting. I proposed the idea of automating what I was doing as a pen tester at previous companies, but at bigger companies it's kind of hard to move things quickly. You have to do a lot of meeting and talking, and discussing and it just never gets done. So for me, when I started Vonahi Security, my goal was to basically make myself as a pen tester much more efficient. In fact, when I started creating a lot of the code for vPenTest, it was really to make myself a better pen tester. I just hated reporting. Every pen tester hates reporting. It's just a lot. We all hate it. So I wanted to create something that would make life easier for me as a pen tester. And we finally had our first demo. We got our first demo and it came from a place we didn't even expect.
Alton Johnson:
And that's when we started talking to MSPs like, wow, there's MSPs that actually want this type of solution. Here I am making a tool for myself to make myself a better pen tester, but all we have to do is put our front end interface to it and to give access to other people to use the same thing. And so that's kind of how it really took off. I really wanted to just make pen testing just better, easier, quicker, more efficient, because no pen tester is perfect, but we all want to do things better. And so for me, I just really wanted to take that initiative and get it going.
Paul Green:
Now, we're not going to go into the technicalities of how your pen test works or how an MSP would use it, because that's not what this podcast is. But tell me how you would recommend an MSP uses pen testing as a revenue generator, as a profit center.
Alton Johnson:
Yeah, so absolutely. So one of the biggest things a lot of MSPs ask is we have a potential... We have a prospect and we want to know how do we fit vPenTest into the picture? And one of the good things about our licensing model is it's super flexible. So they can sign up and they could run assessments on customers, on any company they want to, obviously with contracts and everything like that. But one of the things that really get customers in the door for our MSPs is the ability to perform a free vulnerability assessment for their customer. And typically the way that goes is they perform the vulnerability assessment, they show their customer, "Hey, here are the vulnerabilities that we found. We could actually potentially find more if we did a pen test." But the vulnerability assessment is kind of a way in. It's a way to say, "Hey, here's what we know from the external side and here are the possible things that could come out of this."
Alton Johnson:
So, that's the first one. It's really just a pre-sales tool. But then the other part is after the pen test is complete, we actually don't perform the remediation. We instruct the MSPs on how to do it, what setting to click and stuff like that. But for an MSP, this could provide some other opportunities because for example, our pen test may have identified that they didn't detect something happening or there's a huge issue that's pretty common across the network. So an MSP can take that opportunity to fix the issue. Sometimes they may run across opportunities to plug in other solutions to further increase the environment. So there's a lot of opportunities on the remediation side for an MSP to get in and find ways to better secure their network as well.
Paul Green:
Let's say for a mature MSP that's got an impressive client base, at what point would you recommend they introduce the concept of pen testing? Would it be when they're doing strategic reviews or quarterly business reviews with clients? Would it be introduced as a new tool or is it something that's perhaps they should use to test a new security installation even in the knowledge that obviously you potentially are going to find some weaknesses?
Alton Johnson:
Yeah, absolutely. So traditionally penetration testing is something that the industry recommends to do once a year. That's a kind of standard, right once a year. But with the ability to perform automated penetration testing, we typically recommend a lot more frequent, so at least quarterly. We have some partners that are doing it monthly as well. But I would say doing it frequently at least quarterly is probably the best bet. Even monthly, just depending on the environment. But there are other cases as well to where, for example, to your point, if there's a new environment that they're trying to migrate with, they may want to make sure that the other environment is secure. So they may want to do a pen test on that network before they go with their process. And then of course too on the acquisition side, is kind of very similar. You just want to make sure that that other company is secure before you start to go forward and migrate data and things like that.
Paul Green:
Yeah. This is Alton's sleep at night pill. That's what this is certainly for the MSPs anyway. You can steal that as a strap line if you want to. That one's on me. And give us a broad overview then of what you do, what you sell, and what's the best way to get in touch with you.
Alton Johnson:
Yeah, so Vonahi Security, we do specialize in the automated pen testing platform, which is vPenTest. We do offer other cybersecurity services to social engineering, but we heavily focus on the automated pen test. We do offer a free proof of concept as well. So we know we understand automated pen testing, "Is it really true," things like that. And, "Let me just see how it works." So they could definitely reach out to us as well and get set up with a free trial. They could run a trial for up to 25 IP addresses, any of their customers and experience what the whole process is like. And then they can also obviously book a demo at our website as well to get in touch with somebody and learn more information about it. But yeah, definitely take advantage of the free proof of concept. It's an eye opener.
Paul Green:
Cool. And go on, give us the website address.
Alton Johnson:
Yeah, it's www.vonahi, so that's V-O-N-A-H-I.io.
Voiceover:
Paul Green's MSP marketing podcast. This week's recommended book.
Blaine Oelkers:
Blaine Oelkers here, your Chief Results Officer. And my book recommendation would be Think and Grow Rich, the book study edition. Now this book has created more millionaires than any other book. But in the book study edition, it kind of takes you through week by week, by week and you realize what you think about, you bring about. And so I think that's going to help you to bring about whatever you are thinking about.
Voiceover:
Coming up. Coming up next week.
Speaker 5:
Hello, my name is Shyanne, the CEO of [inaudible 00:27:12] and I will be in the next week to show you how you can take the compliance edit for MSPs and make a real revenue from it. See you.
Paul Green:
Do subscribe wherever you listen to this podcast so you never miss an episode, because also on the show next week we'll discuss a clever marketing psychology idea called Pre-Suasion. It's another way to influence prospects to choose you. We'll also be talking about work from home setups and how you can actually leverage them into being a sales tool, not just to get on new clients, but also to persuade your existing clients to upgrade. All of that will be on next week's show. Now, in the meantime, if you want more marketing ideas for your MSP, we've got tons of content on YouTube. Just go to youtube.com/mspmarketing. Join me on this podcast next Tuesday and have a very profitable week in your business.
Voiceover:
Made in the UK for MSPs around the world. Paul Green's MSP Marketing Podcast.