Today more than ever, MSPs need to have “the conversation” with customers about cybersecurity. However, if your conversation sounds like a sales pitch, your client will tune you out. It could also undermine the trust you’ve worked so hard to build. Clients don’t typically want to talk about products or services. They want to know about solutions and business outcomes. It’s critical for MSPs to lead this conversation because cybersecurity is a business challenge. It presents both obstacles and opportunities for MSPs and their clients.
Cybersecurity Is a Business Risk — Not a Product Pitch
There are three main reasons why MSPs must lead the conversation when it comes to cybersecurity:
- MSPs have a responsibility to help clients reduce their risk of a cybersecurity incident. While you do this as a responsible business partner, you also need to take reasonable and prudent precautions on behalf of your clients to avoid potential liability.
- Cybersecurity is a critical and current business issue that drives technology spend through you as the MSP. For instance, security audits and compliance programs can involve the MSP, an MSSP, and/or a cybersecurity consultant. While bringing in a third party for an assessment can feel risky, the recommendations that come out of that exercise carry weight: they are tied to specific business objectives and delivered by a neutral consultant, which positions you to implement the resulting remediation solutions.
- Supporting the creation of a system security plan (SSP) is billable time. The security program defines the compliance project and remediations. Operationalizing it embeds you, the MSP, in the overall business operations. This makes your relationship sticky and sustainable.
The SSP — including risk management, incident response, and continuity of operations — adds business requirements to IT, based on specific and definable business objectives and ROI. It’s not about speeds and feeds or ports. It’s about how each IT investment supports the business objectives identified. As the MSP engaged in this strategic conversation, you cross the bridge into being a trusted adviser.
Focus on Resolving Customer Challenges
So how do you start the conversation? Ask prudent business questions and lead with the client’s challenges rather than products. Once you’ve identified their challenges, you can align recommended products and services. Let’s take a closer look at some conversation starters.
1. Have Your Clients Asked About Your Cybersecurity Posture through Security Questionnaires or RFP Requirements?
Cascading compliance requirements rank among the biggest drivers of comprehensive cybersecurity planning. More companies are focusing on vendor risk management to ensure that their suppliers don’t put them at risk.
2. Do You Have Clients in Regulated Industries that Are Required to Implement Cybersecurity Standards (e.g. HIPAA, PCI DSS, GDPR, SOC2, or CMMC)?
If your client's own customers are regulated, cybersecurity compliance requirements will flow down to your client, sooner rather than later.
3. We’ve Established Many Baseline Security Technology Solutions (e.g. firewalls, patching, backup). Have You Considered or Implemented More Business-oriented Practices, Such as Risk Management, Vendor Risk Management, Incident Response, or Business Continuity?
Many clients haven’t established what their maximum tolerable downtime is in the event of an incident. And most MSPs focus on Identify, Protect, and Detect (from the NIST Cybersecurity Framework).
The remaining functions of the NIST Cybersecurity Framework, Respond and Recover, involve more than just restoring backups. They are people-intensive and focused on policies, plans, and roles. These days, a security incident is a matter of when, not if. Even the most sophisticated companies can fall victim. Dealing with the "when" means incident response, continuity of operations, and more.
4. Have Your Competitors Highlighted their Security Posture in their Marketing or Were They Directly Impacted by a Security Incident?
Companies that invest in robust cybersecurity to keep their clients safe want their clients and prospects to know about it. It's a key differentiator that can drive revenue and ROI.
5. We Take Deliberate Steps and Make Recommendations to You for Security from an IT Perspective. Would You Consider a Third-party Cybersecurity Assessment to Independently Review Your IT Security Posture? It Would Also Review Your Cybersecurity Business Practices, Such as Policies, Procedures, and ROI for Risk Remediation.
Recommending a third-party security audit increases your clients’ security. It also reduces your liability by advancing reasonable and prudent recommendations.
From Service Provider to Trusted Adviser
Cybersecurity is more than blinking lights and white noise. You must consider strategy, ROI, and more. Turning “the conversation” into a business discussion shifts you from supplier to trusted adviser. It’s up to your client to act.
This article was updated on 12/30/2025.
Mark Kirstein is principal of CodeBook AI Advisors. The management consulting firm helps clients evaluate and develop an AI strategy while addressing risk, compliance and governance.
Featured image: iStock