Today more than ever, MSPs need to have “the conversation” with customers … about cybersecurity. If your conversation sounds like a sales pitch, however, your client will tune you out. It could also undermine the trust you’ve worked so hard to build.
Clients don’t typically want to talk about products or services. They want to know about solutions and business outcomes. That’s why this conversation is critical: cybersecurity is a business challenge, and it presents both obstacles and opportunities for MSPs and their clients.
First and foremost, MSPs have a responsibility to help clients reduce their risk of a cybersecurity incident. While you do this as a responsible business partner, you also need to take reasonable and prudent precautions on behalf of your clients to avoid potential liability.
Second, cybersecurity is a critical and current business issue that drives technology spend, through you as the MSP. For instance, security audits and compliance programs can involve the MSP, a managed security services provider (MSSP), and/or a cybersecurity consultant. While bringing in a third party for an assessment can feel risky, recommendations from that exercise carry teeth. They are aligned with specific business objectives and advanced by a neutral consultant, positioning you to implement the resulting remediation solutions.
Finally, supporting the creation of a system security plan (SSP), which defines the compliance project and remediations, is billable time. Operationalizing the security program embeds you, the MSP, in the overall business operations. This makes your relationship sticky and sustainable.
The security plan, including risk management, incident response, and continuity of operations, adds business requirements to IT, based on specific and definable business objectives and ROI. It’s not about speeds and feeds or ports. It’s about how each IT investment supports the business objectives identified. As the MSP engaged in this strategic conversation, you cross the bridge into being a trusted adviser.
Focus on Challenges
So how do you start “the conversation”? Ask prudent business questions and lead with the client’s challenges rather than products. Once you’ve identified their challenges, you can align recommended products and services. Here are a few conversation starters:
- Have your clients started asking you about your cybersecurity posture through security questionnaires or RFP requirements?
Among the biggest drivers of comprehensive cybersecurity planning are cascading compliance requirements. More companies are focusing on vendor risk management to ensure their suppliers don’t put them at risk. (Hint: The recent SolarWinds supply chain attack will reverberate in this area.)
- Do you have clients in regulated industries that are required to implement cybersecurity standards, such as HIPAA (healthcare), PCI (finance), GDPR (privacy), SOC2 (SaaS), or CMMC (military)?
If their clients are regulated, cybersecurity compliance is headed their way, sooner rather than later.