I am curious as to how other members market their services for corporate incident response and investigative services. Are there particular guides, groups or specific departments of a company that you present your services to? I think it would be interesting to see what marketing strategies are effective beyond the traditional "word of mouth"?
My experience as a buyer of forensic services,
Besides word-of-mouth, which is #1 I think in this industry,
2. free or minimal fee presentations of new technology services to IT
3. free or minimal fee "general public" security training
4. shows & conferences
I'd suggest that at this point, anyone purchasing response and investigative services only is far behind the power curve and is going to likely be a "difficult" customer to work with. In 2009, if someone isn't actively looking for assistance with a more proactive approach to the issue of data breaches and compromises, then they really don't know what's going on…and I'm saying this as someone who's done drive copying for customers.
Targeting who you're going to approach depends a great deal on the organization itself. Do you have references with someone the CIO knows? Who's responsible for regulatory (PCI, HIPAA, NCUA, etc.) compliance (having IR and a CSIRP are stated from compliance with these bodies)? Get in front of these folks by being visible in the trade journals they read, at conferences they go to, and in their forums. For example, I have some customers that are in the same vertical and have their own local meetings…find out about these and schedule time to make a presentation.
Also, look at what is needed in this line of work. What are your experiences? What kinds of work have you done? Is your response and investigative work only part of what you do, or is it all that you do? Find something…services, experience, offerings, etc…that differentiate you from the competition. Why are you a better choice? Remember, anyone can go on-site to a data center, image hundreds of systems, run Gargoyle and come back a couple of months later with a "no findings" report…but can you arrive on-site and provide a response that meets the customers' business needs?
Another way to approach this is to reach out within your current customers for other work. If you're working primarily with Legal and the CIO, maybe you can reach to HR and see what issues they have and how you might provide services to meet their needs.
Yet another approach is to find a venue, provide food, put seats in it, invite folks and give a presentation. Maybe have trinkets folks can walk away with. Give a presentation that is pertinent to the folks you're addressing. Medium to large companies won't necessarily feel the same pain as local and state LE. The same approach can be made with local commerce and technology group meetings, local HTCIA, etc.
A lot of this depends on your target audience, what businesses you're interested in supporting, and who you're willing to reach to. You're talking about services and not product, so it's a little different…but another approach is to partner with someone that already provides services to customers, only not the same services you provide. If you're providing response and investigative services, partner with someone who provides assessment services…I can't tell you how many times I've gotten called to an engagement b/c an on-site assessor was collecting data and found something weird in netstat output or network traffic.
If you want to go more in-depth on some of this, reach out to me at keydet89 at yahoo dot com
The one caveat that I have regarding marketing, especially when you are dealing with Incident Response, is that in my experience, my clients don't to read about their problems in the newspaper (if anyone reads them anymore), so it is hard for me to use them as references. If I do my job to perfection, nobody hears about it.
For example, if my specialty was treating leprosy it wouldn't be a good practice to publish my patient list.
Thus, I'm limited in what I can say vis a vis marketing since discretion is a big part of our business.
Sean,
You're right, but the cool thing about this work is that the customers, in many cases, talk amongst themselves. I've been to a number of locations across the country where local health care and financial services organizations participate in round tables, and share in formation about tools, vendors, etc. In fact, in one instance, I went between customers and found that they had shared information about a DLP product.
You're absolutely correct…if someone is called in for IR, then the customer likely does NOT want anyone to know about it. However, doing an excellent job for the customer, in that case, is it's own marketing. In addition, there are other services that can be offered by a firm beyond just emergency response that do lend themselves very well to marketing.
Harlan
Agreed. I was limiting my comments to the Subject line Corporate Incident Response and Investigations.
I've been involved in a couple of cases in the past six months which have achieved some degree of national notoriety and I am always amused by the trade publication accounts featuring comments by "industry experts" who are not at all involved in the case but think that they know all the details. Some of these guys are shameless in their self-promotion but completely off base with respect to the facts, which makes me wonder how they achieve such fame in the first place.