Shifting gears: A cybersecurity journey for MSPs (Part 3)
How do I talk to my clients about security?
I think I speak for all of us when I say we could all stand to be a little more in shape. Let’s say you decided to splurge and get a personal trainer. You do some research, find someone, and set a time to meet. You put your new workout clothes on and head up to the gym. When your personal trainer arrives, you see that they weigh 400 lb, are shoving a Big Mac in their mouth, and are washing it down with a Mountain Dew. Would you be ready to take fitness advice from this person? Not a chance.
When MSPs think about selling security to their clients, they first must ensure that they’re doing well themselves. You can’t be the 400 lb personal trainer going out telling your clients what they need to do!
MSPs must secure their own environment before they go out and tell their clients that they need to improve their cybersecurity (we cover some of this in Shifting gears: A cybersecurity journey for MSPs (Part 2)). You should treat yourself as a client and go through the assessment, recommendation, and remediation process. A strong approach is to be transparent with the rest of the company as you assess your own environment, since that builds credibility and general knowledge for the entire company.
How much more compelling is it for the sales team when they talk to clients if they can say, “Hey, we went through this same process ourselves. We thought we were doing a good job, but we found several things we needed to improve on. We would use the same process for you.” It builds credibility and allows the salesperson to speak from a place of experience.
Once you’ve done what was necessary to improve your own security posture, how do you talk to your clients about their security?
The first thing is to prepare your team to overcome the initial objection. Your client will most likely say, “You want to talk to me about security? Are you not already doing that for me?” Most clients view cybersecurity not as a risk issue but as a technology issue. And they’re paying you to handle their technology, so they assume you’re handling all their security. Your sales team needs to be able to draw a distinction between basic and advanced security.
Basic security is signature-based and likely included in your MSP offerings: things like antivirus, patching, and firewall rules. Advanced security is typically anomaly-based and includes things like intrusion detection, advanced threat protection, endpoint management, SIEM, and security operations. You’ll want to equip your sales team to have an education-oriented discussion where they explain the difference between the basic security that you have been providing and the advanced security offerings that are needed as the security landscape continues to change.
Second, you’ll want your clients to act. Too many MSPs do a massive assessment and then tell the client all the ways that they’re inadequate and expect that to motivate them to action. Instead, seeing a gap that big typically results in inaction.
A better way is to show them an incremental path forward. I like this analogy: if I walked into the client’s den at their home and said, “let’s replace all this sheetrock,” the client would say, “well, that isn’t in the budget. We have a big family vacation scheduled this winter.” But, if I took my knife out and cut a small section of sheetrock out and shined my flashlight back there, I could show him that he has leaky pipes and mold is growing behind his sheetrock. At that point, he’s going to cancel his family vacation and reallocate the budget to fixing this previously unknown problem. We need to show the client that a problem exists, but not overwhelm them. And then give them reasonable and actionable steps to take to address their problems.
Last, your sales team needs to use the strategy of “Teach, Tailor, and Take Control”. This is a well-known sales strategy, but how does it play out here?
You need to teach your clients what they don’t understand about security. Explain to them some generally accepted best practices or a cybersecurity standard and show them how they stack up against those.
Security is not one size fits all. It’s important that you understand your client’s business, what regulatory and compliance guidelines may be applicable to them, and their specific tolerance for risk beyond compliance and regulatory requirements. Once you have this understanding, you can tailor an offering that meets their specific needs.
You’ll need to show your client how inaction doesn’t serve them well and take them on a journey towards being more secure. Sales teams often struggle with overcoming the basic objections and fail to take control of the client interaction.
Selling security isn’t easy, even though every single one of your clients needs it and can improve what they are doing. Just like being “healthy” isn’t a state (you can only be “healthier,” per se), you cannot be “secure.” You can only be “increasingly more secure.” Your clients need you to be their personal trainer, but you need to look the part and have applied the approach to yourself before you try to get them on board!