
Use New International Warning about MSPs for Competitive Advantage

Incorporate the 12 security action steps issued jointly by five countries in your marketing, proposals, and service offerings. By Mike Semel

Develop Trust with Prospects and Clients

Address the warning head-on. Before talking with clients, focus on your MSP business. Implement the recommendations and use the warning as a checklist to show prospects and clients that you are adhering to the international recommendations for MSP security.

Go another step and earn CompTIA’s Security Trustmark Plus, a business-level accreditation that validates your MSP business’s implementation of the NIST Cybersecurity Framework (CSF). I know it is achievable for MSPs because I have implemented it in three of my own companies and I have coached over 40 MSPs to earn it.

Being seen as a cybersecurity authority is a good way to counter warnings about MSPs. For example, Bryan Hornung, a New Jersey MSP, leveraged his Security Trustmark Plus into on-air interviews with CNN, Forbes, and Fox News, quickly establishing his authority as a go-to cybersecurity expert in his market.

Recommend Client Security Built on the 12 Steps

The warning recommends that MSP customer contracts transparently identify ownership of security roles and responsibilities. This is a useful message from an independent, credible source: a client cannot fully outsource every aspect of cybersecurity. Clients are responsible for things you can’t control, and it’s their responsibility to purchase cybersecurity services and tools that are reasonable for their situations, not just whatever they are willing to pay for.

Use the warning in your marketing and proposals. Even though it talks about threats that MSPs pose to clients, it also includes specific things clients should do to protect their networks. Referencing outside sources like the cybersecurity agencies of five countries may get customers who are sitting on the fence to finally sign a proposal.

Managed services is a risk-based financial model. Clients who won’t pay for security services should not expect you to include incident response in their fees. For those who turn down your recommendations, reference the warning in a Decline of Services document you send them. Run it through your “attitude filter” so it doesn’t make them look stupid, and include something like this: “The United States Cybersecurity and Infrastructure Security Agency (CISA) recommends ______, which you have declined to implement. We are therefore not responsible for any cybersecurity incidents or their direct or consequential damages. Incident response services are not included in your monthly fee and will be charged at our prevailing hourly rate if needed.”

Make sure your terms and conditions limit your liability and exposure, and state that clients share in their cybersecurity responsibilities.

And thank the governments of five countries for a way to convince clients to do the right things.

Opening image: Roxana Balint ©

About the Author

MIKE SEMEL is a former MSP and founder of Semel Consulting, which provides advisory services to MSPs and end users for compliance, cybersecurity, and business continuity planning. He worked with CompTIA to develop its Security Trustmark Plus, and with RapidFire Tools to create Compliance Manager GRC.
