MSPs are no strangers to creating network security proposals. These proposals must educate prospects on the complexities of modern protection methods. They also need to demonstrate how the MSP can secure the prospect’s business.
The challenge is that no two industries have the same security or compliance requirements. Reusing the same proposal for every prospect makes it much harder to demonstrate vertical expertise.
Industry expertise can make the difference between a proposal that gets a second look and one that gets set aside. That starts with demonstrating an understanding of the prospect’s regulatory and security environment.
“Tailoring your proposal is important to give the buyer the comfort that you truly understand their industry and their requirements,” said Mike Estep, chief client officer at Blackpoint Cyber. “Then, I would pay very close attention to the compliance requirements of the industry in my proposals. Talking about HIPAA to a defense contractor is not much help.”
Build proposals around industry requirements
Rather than leading with products or pricing, MSPs should first assess a prospect’s existing environment and compliance obligations. That’s according to Marc Prince, partner with Las Vegas-based 2MP Group LLC.
“We try and sell them an assessment. We spend more time figuring out what they have rather than what we need. Everybody has a budget, so we tell them, ‘These are the compliance requirements you have to meet, and here’s what it costs.’”
Don’t approach this as a line-by-line budget. Instead, show prospects how your recommendations help them meet compliance requirements in a cost-effective way. To do this, you must be familiar with the regulatory restrictions in the prospect’s industry.

That knowledge benefits more than the proposal itself. It also helps MSPs understand how attackers target specific industries. “If you don’t understand fintech, you can’t easily explain security coverage to a financial services group,” Estep insisted.
Align security strategies with industry risks
Organized groups of hackers now specialize in what Estep calls “vertical criming.” Threat actors treat it like a business and focus on industries they know. They learn what works and repeat it.
That makes it critical for MSPs to understand not only a prospect’s compliance requirements but also the threats that industry is most likely to face. Those insights should shape how to explain common compliance frameworks to each prospect, said Estep.
“You don’t explain HIPAA to a car dealership, but they have HIPAA responsibilities. PCI compliance touches almost all industries, but it feels unique to the car dealership. You need to understand the industry and the relevant regulations, then paint a roadmap for your prospect.”
That roadmap should address both regulatory requirements and practical security controls. “Look at security from a layered perspective,” Prince recommended. “Compliance needs to have layers to cover the holes in each area.”

In his case, training fills some of those gaps. “The hacker’s only job for eight-plus hours a day is to hack you.”
Use ‘compliance crosswalks’
Prince coined the term “compliance crosswalk” to refer to his approach of mapping the regulatory requirements of one framework to similar ones in other industries.
For example, he settled on NIST as his primary framework. It’s flexible enough to mold to the needs of nearly all of 2MP Group’s clients. “You learn how things line up with NIST, then use a ‘crosswalk’ to other regulations like HIPAA.”
Developing expertise in one framework can also help MSPs build deeper specialization over time. Once an MSP dives into one set of regulations, it leads to more customers in that industry. “IT lives in the world of general practitioners, but many have become specialists in CMMC, HIPAA, PCI, and so on,” Estep shared.
Turn specialization into a competitive advantage
Jerry Kaner built his business on specialization. The CEO of Ciphertex Data Security focuses on serving government customers with products that meet stringent security requirements.

“Starting with GSA is an involved process,” added Kaner. That led to more public sector business, including with the Air Force. “It’s easier to sell to the government now because they know all about us because we have so many certifications.”
The same principle applies across industries. But building true expertise takes more than certifications. Estep once hired a tech from an engineering/architecture client, who taught him the inside details of that industry, he recalled.
“We got one client, they referred us to another, then another. That’s when I began to understand the industry.”
Become the trusted expert
For service providers that want to create a more focused vertical strategy, Estep advised starting with the industry that has the most regulations. “Find the experts and learn what you would need to do to be the expert.”
MSPs that demonstrate a high level of expertise in both compliance and security can build proposals that resonate with prospects. That positions them as trusted advisors.