Archive for December, 2011
Knowledge and Sales.
I would like to start off by saying that I am not a pen tester by trade, and I am also not in sales. However, the following has been compiled from podcasts, talks, and conversations with people who are.
That being said, I have put together a few conclusions:
1: The days of walking in, owning a network, saying “your shit sucks”, then collecting a check are over; this has been beaten to death by everyone.
2: Companies are demanding value from an engagement they pay for.
3: The demanded value is, more often than we would like, a checkbox.
4: Thank you for voting for Wim Remes for the ISC2 board.
5: Salespeople tend not to have conceptual Knowledge about the industry.
I would like to ignore the first four conclusions and pay attention to number 5.
I have heard from educators that there are two types of Knowledge: Procedural and Conceptual.
Procedural Knowledge is basically knowing that 2*2 is 4, 2*3 is 6, 2*4 is 8, and so on. I would compare this to the rote memorization of your multiplication tables that you did in elementary school. You could also compare this to how most people know the OSI model for the CISSP. Although I do agree that People Don’t Need To See Paula Abdul.
Conceptual Knowledge is different: it is understanding that the reason 2*2 is 4 is that there are 2 sets of 2 individual somethings, and when you add them all together you get 4 individual somethings. It is understanding why each of the OSI layers is different, and that there is a reason for it.
I would like to argue that there is a third kind of Knowledge.
Mythic Knowledge is different from the other two: it is when you don’t care what 2*2 is, so long as someone else can find it out somewhere. You don’t care about any of the OSI layers; you don’t even care that there are layers.
I would argue that salespeople have mythic Knowledge about information security.
The real issue here is that the people selling the product don’t know anything about it. The only reason they are able to get away with this is that the people they are selling the product to don’t know what the product they are buying is either; they just know that they need it.
There is a wide field of concepts to grasp in just one of the areas of study in this line of work. We have salespeople who are responsible for selling all kinds of things, from vulnerability scans, to penetration tests, to PCI and HIPAA and ad nauseam compliance. So this is not entirely their fault; it is a lot to learn. But from the complaints I hear, it seems they aren’t even trying, other than to meet their quotas.
But at the same time, it seems that most of us are not trying to help. We shouldn’t have to; people selling your products should be willing to get to know the products. But when they are able to sell them without having to learn anything, why should they even bother?
A complete lack of conceptual Knowledge is the reason that the information security industry has such a snake-oil-salesman reputation.
In saying all of this, I am not implying that every salesperson should go out and get a CISSP in order to be able to do business in this field. That doesn’t solve the issue, and only pads a budget that is not your company’s. Much like Compliance is not Security, Certification is not Knowledge.
At the same time, though, you should also not just bend over and take it. You need to pull aside the salespeople who you think are lacking in Knowledge and offer to teach them a few things. Perhaps print out the IPv4 CIDR chart from Wikipedia and stick it on their wall. The next time your sales guy tries to pass off something ridiculous, you have to “nip it in the bud”, or else you are going to continue to work those 130-hour-or-more weeks, which, one, isn’t healthy, and two, is not what your client is paying for.
The moral of the story here, I guess, is that if you can’t get someone to learn a topic conceptually, at the very least beat them out of the mythic Knowledge category as quickly as possible. It really is better for everyone.

