Getting clients to say “yes” to addressing cybersecurity
Throughout my years as a security professional, I’ve had the opportunity to talk to many managed service providers (MSPs) trying to transition into providing cybersecurity services. In these conversations I’ve noticed common themes and challenges companies face as they consider making the move. In this blog, I’ll share my techniques for getting clients to say yes to addressing the cybersecurity issues they inevitably face.
Our security background
ADNET has been delivering cybersecurity services since 2012. In 2018, we made security a separate, distinct practice within ADNET – with dedicated leadership and resources. Since then, we’ve grown our revenues almost 300%. With that success, we announced at IT Nation Secure 2021 that ADNET is expanding its security practice, launching an independent cybersecurity firm, MachBlue Defense.
Our team provides a wide range of cybersecurity services to end clients as well as to other MSPs (as a partner to leverage with end-clients). There are two areas where we’ve had tremendous success – risk assessments and managed EDR – both services that help clients say “yes”.
Just getting started in security?
Once you decide to get into cybersecurity, it’s time to determine what doing “Security” work means for your organization. Where are you going to focus? What’s your specialty going to be? Please don’t say you do “Security” if you’re just selling firewalls and anti-virus. That does a gigantic disservice to the entire cybersecurity community.
Knowing your focus area is key to the next step – education. To provide the right security solutions, services, and advice to your clients, you need to gain knowledge and refine your skills. This includes the technical aspects of security, but also learning about things like compliance standards. Knowing the types of requirements your clients might face helps you help them. They can look to you for trusted advice. Training doesn’t just end with the technical experts; you need to educate others in your organization such as your sales team. Everyone plays a role in offering cybersecurity to clients; it’s not just the responsibility of your “security person”.
Educate your clients
The most important group to educate isn’t within your company - it’s your clients. The biggest struggle we see with MSPs is when they have the cybersecurity conversation with a client. A percentage of clients inevitably say, “I thought you were already doing that for us…”
To combat that, we adopted a multi-pronged approach. Some things we do to overcome this:
- Share blogs and other content around cybersecurity concerns, practices, and technology.
- Have dedicated cybersecurity conversations with clients, involving our Engagement Managers and a security team member.
- Offer Security Health Checks for clients that opt in. These no-cost reviews include a “mini assessment” that covers approximately two dozen items. It helps highlight the types of things the client is protected from and where the gaps are. These are a great conversation starter.
Show the value
Our initial foray into the cybersecurity space was through a relationship with a local accounting firm. As a result, our focus getting started was being able to assess an organization’s cybersecurity posture. Our Risk Assessments were (and continue to be) designed using a combination of tools for scanning and reviewing systems, along with detailed checklists for the review of procedural items.
The real success comes from our reporting. We developed deliverables that provide technical details, but also offer a high-level picture of the current security status along with recommendations and a road map for remediation. It is important to provide context to the clients and decision makers to allow them to make the best decisions. This is where the education we mentioned comes into play. Knowing what types of risks/compliance issues the client should be concerned about, you can help them make the best decisions on what to address. Showing clients their current cybersecurity posture, along with recommendations for the future can clearly indicate areas of risk. This helps them make future decisions about their cybersecurity investment.
When we go over assessment deliverables with clients, we always stress that Security is a journey - not a destination. It’s a cliché, but it’s 100% true and it’s critical that organizations understand that cybersecurity is not a “one and done”. We always recommend that organizations perform assessments on an annual basis. To help remind them, we track these engagements the same way we track software renewals in our system.
Risk assessments aren’t just a good source of revenue themselves; they drive follow-up sales. Projects like legacy hardware replacement, software upgrades/cloud lifts and security awareness training have all been offshoots of these engagements.
Another area where we’ve seen success is managed endpoint detection and response (EDR). A few years ago, we adopted the ConnectWise Fortify Endpoint platform as our main endpoint protection solution. The appeal to us wasn’t just the technology (although SentinelOne does rock) – it was the 24x7 SOC watching alerts and being able to take the appropriate actions.
Getting clients to “yes”
The road to widespread adoption wasn’t initially an easy one. To take clients from legacy anti-virus software that was inexpensive (even “free” as it was bundled into other solutions) to something with an additional per-endpoint cost each month can be challenging. As with our initial move into security, we took a multi-faceted approach to help educate our clients (and our internal teams as well) and help them prioritize security.
Our education process hit on two main points:
- New threats require new solutions. From our perspective, legacy antivirus software was no longer enough to protect against the latest types of attacks. Organizations need solutions like EDR that look for unusual behavior to detect threats rather than just counting on signature databases.
- The reason for the price jump was that there was now a person looking at these threats. We got this message out through blog posts and a short demo video we created to show EDR in action. This video has arguably been the single most effective piece of marketing content we’ve made. Our engagement team uses it in their sales process, allowing clients to watch at their leisure. It’s been a huge asset.
Ultimately, the confidence that our sales team has in the EDR platform and our services around it makes them successful in selling it. While we started off a bit slow in EDR sales, we saw almost 2,000% growth in the number of EDR endpoints in 2020. Our team believes in the solution and the level of protection that it brings to our clients. It has become a non-negotiable service for new clients coming on board.
Summary
Success as trusted advisors in the cybersecurity space doesn’t come overnight or without a lot of work. You must have the passion and commitment to get educated and educate your clients in turn. You CANNOT (for a myriad of liability issues) wing this and expect clients to get on board.
Don’t hesitate to reach out to others in the MSP community for help. Partnering is a great option as you are getting up to speed. While it is a lot of work, the feeling of being able to help organizations stay safe is wonderful. For me, it is why I truly love my job.