Cybersecurity is not a catch-all solution. When it comes to protecting a business and its interests, we can plan for every potential scenario; but no matter what systems are put in place or how much money is thrown at the problem, there will be a breach, and there are always holes that hackers will find. That’s not to say that we shouldn’t still try. But it’s something that any responsible MSP needs to explain to clients. Because the truth is, your clients love you until they hate you.
Managing Expectations
The approach that MSPs should take with clients is managing expectations—be clear that no matter what, a breach will occur at some point, and explain how you will handle it when it does. You are preemptively making them feel safe when you have a plan in place, and you are setting clear and realistic expectations for the real world of cybersecurity.
I even make sure this is in my contracts with clients. There’s a clause that says there is no such thing as a 100% secure network. It sets the expectation that a breach most definitely will happen at some point in time. But when it does, this is how we respond. It’s so key to tell them, “Here’s what you can expect from us when something does go really bad.”
From a sales perspective, there’s a lot of focus on protection, which is how you secure yourself. But next to nobody talks about how they might react when the breach does happen. Nor do they prepare the client by setting the expectations around that. Steps must be in place, and your clients need to know exactly what those steps are. So even when something happens, they already feel safe, even in the midst of the hack, because they know exactly what you are going to do. It’s preemptively making them feel safe and snug.
Don’t Be the Hype
Again, when it comes to selling MSP services, the pitch is all over the place, offering piecemeal solutions that just can’t cover all the necessary ground. MSPs hype all their offerings at once. They might provide 18 different tools with monthly subscription services, but the focus is on selling more products and gaining more subscribers to premium package offerings because that’s the bread and butter of their business model. But then something blows up, and you never set the expectations ahead of time regarding whether each resource actually covers all the cybersecurity bases. So, you sold them products A and B, but really what they needed for this particular threat was C or D, and now they’re left scrambling.
This should have been the starting line for the MSP. And while some are trying to take advantage of a client’s lack of knowledge, unfortunately, only 18% of managed service providers really know what’s going on when it comes to cybersecurity (according to the Department of Homeland Security). That means 82% don’t have a clue. And they’re going to take you along for an expensive ride.
The security landscape has constantly evolved and morphed over the past five years. You cannot wave a magic wand and hope to keep up. You need to be able to scale, offer a premium service, and have one offer for every type of business.
Making It Work
It can be overwhelming. It is extremely overwhelming to try to piece all of this together to formulate the right process tools and be able to scale. But as the landscape changes, we keep modifying and morphing. It’s important to reassure clients that you’re going to continue to grow with the moving landscape because it’s not just going to stay the way it is today.
The only way to raise confidence is changing client fear into teaching moments and educating them about your company and the service you’re providing—then discuss the pricing strategy. The pricing structure shouldn’t be the first thing out of the gate, especially if you can’t back up your promises with the skills and knowledge required. And the required background could be more niche than an MSP is prepared to handle.
For example, healthcare brings in a different set of rules. Law firms bring in a different set of rules. It has to do functionally with different types of verticals that will need different types of protection. I’m not going to tell an auto shop that it needs to be HIPAA compliant. Therefore, an MSP needs to understand its limits and capabilities before promising the world.
The Secret Sauce
For some reason, there’s a misconception that if you educate the client that you’re somehow giving away the “secret sauce.”
I’ve found in my sales engagements, and even on stage, where if I tell everybody everything that I know, they’re still going to be like, “goodness, I need to hire you because you obviously know what you’re talking about.”
There’s a reservation within the MSP community not to disclose their secret sauce because they think that the prospect or the customer is going to go try to figure it out themselves. Sure, maybe a small percentage might, like 2%. That’s about it. But the rest are going to be grateful you walked in the door. You are building up their confidence in your expertise.
And not just your specific expertise, but the multiple competencies among your team in the cybersecurity space that you just can’t get with one person. Different competencies exist. There’s no way for one person to cover all those individual areas like infrastructure security, network security, individual endpoint security, the human elements, and insider threats.
Ultimately, actionable security is less about preventing the breach and more about having a plan for what to do when it does happen. Security systems should be a single plan that fits an organization’s needs and industry. Customizing your cyber offering is the next shift in the cyber landscape.