Leveraging Customer Assessments for Better Sales
By Mike Semel
K-12 school district and healthcare assessment projects have turned out to be the gift that keeps on giving for IT solution providers. Not only have the assessment projects themselves been profitable, but they have paid off well with managed services recurring revenue and projects. These are really easy, because we use the same methodologies as with all our business assessments, but make sure our reports to management focus on dollars and regulatory compliance, management’s two big worries. Ninety-five percent of our assessments are all the same, but our reports map our findings to the financial needs of the client, and the alphabet soup of regulations—HIPAA (never spell it with two Ps!) and JCAHO for healthcare, plus FERPA, CIPA, and E-rate for education.
Who is our Customer?
The first thing we had to do when developing an assessment strategy was to decide who to approach. Should we propose our services to the IT department or someone else within the school district or healthcare organization? We decided to go all the way to the top—superintendents, school boards, medical practice managing partners—because we wanted to position ourselves as executive level consultants, not just another technical services provider trying to sell services to an IT Director who feels threatened by outsourcing and doesn’t want anyone touching "his network." Our strategy worked.
What is an Assessment?
Our assessment includes three sections – Security, Operations, and Financial. Security is the same as we would do for any business. Operations looks at the IT department to estimate whether it is staffed properly, how tickets are managed, and if internal customers are happy with the IT environment. This is the same process we use to evaluate our own company, which makes it easy to do for clients. Financial looks at budgets and funding sources. We make sure our reports are simple for non-technical executives to understand, and our recommendations are clear and concise. We also provide a separate document with the data we used to form our conclusions, with the facts, screenshots, and logs to validate our findings. This has helped with people who have tried to argue with us or cover up evidence of problems.
We developed a home-grown assessment framework for healthcare after becoming certified in the HIPAA Security Rule in 2003. Our Education Assessment is based on our HIPAA Assessment tools for healthcare for two reasons. First, school districts, unlike healthcare and financial organizations, have no auditing framework to follow. Second, two of the districts we evaluated surprisingly did have to meet the HIPAA guidelines. One district self-insured its employee healthcare, which made it a Payer in the healthcare system. Another district took advantage of insurance companies that were willing to pay school nurses to administer medications to special needs students. Charging for the nurses’ services made them a Healthcare Provider. Both were surprised when we informed them that they were Covered Entities according to the HIPAA regulations, and they asked their school district legal counsel to verify our findings. We showed the attorneys where to look on the federal HIPAA website, and they agreed. Ka-ching—instant credibility with the top executives and their lawyers! We were no longer just IT guys, but true business consultants.
We perform the same types of security tests on school computers as with other businesses. We perform basic penetration testing (after getting an authorization letter) plus the usual tests—looking for insecure access points; verifying Active Directory permissions; and looking in public folders for confidential information. (We are still surprised at what we find considering the IT department knows that we are coming to audit the network.) We have stopped assessments when we discovered serious security breaches and gotten authorization for some extra billable hours to fix the problems. Another credibility builder!
Management is always wondering if they are spending their IT dollars properly. They rely on the advice of their IT staff, many of whom are self-taught and have never had to manage a business. We review budgets, open tickets, staff-to-user ratios, training and certifications, and end-user satisfaction with the IT department. We interview district administrators, staff, groups of teachers, and the IT staff. We base our findings on the same criteria we use to run our own company. Often the hard part is trying to write a report listing facts without offering criticisms or opinions as part of our Recommended Actions.
The Financial section of the assessment required training to understand education compliance requirements, grants, and the FCC E-rate program, but once we knew what to look for, we found many mistakes districts made and showed them how to correct the mistakes and get much more in funding than we charged for our assessments. One district had earned $27,000 in E-rate discounts and thought it was doing well. A year after our assessment, based on our recommendation that the district hire an E-rate consultant rather than allowing their inexperienced staff to continue managing their funding requests, the district qualified for over $2 million. We were paid well for the assessment, and then won over $300,000 in billable labor for E-rate projects. The gift that keeps on giving!
A good tool to use for security assessments is the CompTIA Security Trustmark Quick Reference guide. This is designed for small businesses but includes a lot of information that can be used to develop your assessment checklist.
In addition, here are some websites where you can learn more about compliance requirements and funding programs. (You can also get a lot from Wikipedia.)
CIPA (a compliance requirement for E-rate funding) - http://www.fcc.gov/guides/childrens-internet-protection-act
E-Rate - www.fcc.gov/learnnet/
Mike Semel is a Resident Expert at The ASCII Group, which provides consulting and other services to its VAR and IT solution provider members. Semel also served as the (outsourced) Director of IT for a hospital for two years, improving the operation and making it HIPAA compliant.