MSPs: 10 Tips For the “Cybersecurity Conversation” with Clients

It’s past time for MSPs to have the “Cybersecurity Conversation” with their clients, gently but firmly insisting on their adoption of an enhanced level of cybersecurity services. The challenge is to frame the conversation properly with the client to gain their approval to strengthen their cybersecurity posture, and reduce their and the MSP’s risk.

I’ve come up with the following 10 tips to guide you during these discussions:

1. Evaluate Your Own Tolerance for Risk
   Are you prepared to risk your own company, your other clients’ businesses and your and your staff’s livelihoods? Think of the worst that could happen, should you not strengthen your and your clients’ cybersecurity posture, and I’ll bet you’ll ultimately place your own interests above your cybersecurity-averse clients’.
   
   
2. Take A Stand
   Remember the old adage: “If you don’t stand for something, you’ll fall for anything”? Now more than ever, it’s time for you to take a stand on cybersecurity and clearly communicate to your clients what your position is, and what they will have to adopt as a minimum cybersecurity bundle from you in order to continue being your client.
   
   
3. Evaluate Your Current Solution and Service Portfolio
   What’s in your wallet stack? When reviewing new cybersecurity services and solutions to strengthen your portfolio, I encourage you to re-evaluate your entire historical portfolio of services as well. Too often in working with MSPs to build their bundles I uncover legacy services in their stack that don’t hold up to today’s technical and cybersecurity standards. Do yours?
   
   
4. Build Cybersecurity Bundles for 2 Audiences
   You likely have 2 target audiences to engage with for cybersecurity – existing clients and new prospects. For existing managed services clients with agreements, you’ll want to create “good, better, best” cybersecurity-only SOWs to add to their existing contracted services. For new prospects, you’ll want to combine your existing MSP SOWs with your new cybersecurity SOWs for a hybrid “good, better, best” offering that covers all new prospects signed with your combined MSP and cybersecurity services.
   
   
5. Put Your Mask On First Before Helping Others
   I’m certain you’ve heard this said during pre-flight announcements if you’ve flown in an airplane. The typical phrase is “In the unlikely event of a loss of cabin pressure during flight, oxygen masks will drop from the ceiling. Should this occur, please put your mask on first before helping others.” This basically illustrates the reality that if you aren’t around, you can’t help others, so take care of yourself first. This is critically important when preparing to deliver enhanced cybersecurity services to your clients – strengthen your own cybersecurity posture first to ensure you are available to help your clients with theirs.
   
   
6. Don’t Make It Awkward…It’s Just a Conversation
   In coaching, training and enabling thousands of sales professionals throughout my career and participating in or assisting in just about every typical flavor of sales engagement, one of the most important elements of conducting successful sales conversations I’ve found is not to make the conversation bigger than it needs to be. This takes practice and experience – lots of it. The smoother you are at delivering the business case, benefits and options for enhancing your clients’ cybersecurity; along with their risks of preventing you to do so, the easier your conversations will go and the faster your clients will move forward.
   
   
7. Don’t “Sell” Cybersecurity
   Instead of carrying the mindset of selling cybersecurity, adopt the perspective that you and your clients are all in this together, and need to partner in this journey to reduce everyone’s risk – yours, theirs, and all of your other clients. This re-framing allows everyone to help each other collectively – as the risk to one is the risk to all.
   
   
8. There Are No Valid Client Objections
   I’m sure you have “A” and “B” clients, along with some “C” customers, where your “A” clients will take your direction and move forward with strengthening their cybersecurity quickly, and your “B”s will get there as well, but perhaps a bit more slowly. Your “C” customers; however, will resist and offer up any manner of objections, including “it’s not in the budget” and the always popular “nobody wants my data, why should I care”, as well as “I thought you were already handling this for us”. Remember – the risk to you and all of your other clients is simply too great to accept a “no” for an answer from any individual client. A the end of the day, if 90% of your clients move forward, and some of the 10% that did not experience a security incident, you still have to drop what you’re doing for everyone else and deal with that one client. And to top it off, the cost of your reactive, emergency remediation will potentially outweigh the fees you would have charged them for your minimum cybersecurity bundle, not to mention the potential risk of their going out of business altogether – we’ve all seen these stats and heard these horror stories.
   
   
9. Your Clients’ Lack of Adoption Should Not Create an Emergency for You
   Let’s face it, when one of your clients has a technical or security issue, it’s your immediate impulse to respond rapidly to help. But what happens when a stubborn “C” customer that has declined your petitions to strengthen their cybersecurity posture experiences an incident, breach or attack? You now have a tough decision to make – do they merit the same response as a “managed cybersecurity client” does, that is paying you for your SLA response time? If you do decide to accept the risk to continue serving these “C” customers (against my recommendation to fire them), make certain to inform them that you will prioritize other clients before them in these instances and have them sign a comprehensive waiver releasing you of any cybersecurity liability. 
   
   
10. Set a Date – And Stick to It
    I strongly encourage you to draw a line in the sand in 2022 for all of your clients and select a date by which all of them need to adopt at least your minimum recommended cybersecurity bundle or offering – and let them know that if they fail to do so, they will need to find another provider. Prioritize all of your clients based on risk (theirs and yours), and on-board them to your cybersecurity services according to that risk, highest risk first, until you’ve helped them all. Remember, you can’t afford to care more about your clients’ cybersecurity than they do – your business and personal risk is simply too great.