Guest Column | January 24, 2022

3 MSPs Share Their Security Selling Secrets

By David Sylvester, Lumu


According to the 2021 Global State of the MSP Market report, which polled 1,800 MSPs worldwide, 99% of MSPs said they offer managed security services, a surprising figure when compared to the previous year’s tally of 75%. Yet, despite this newfound appreciation, many MSPs are struggling to figure out how to best integrate security into their solution portfolio.

Recently, Lumu Technologies hosted its inaugural MSP Growth Lab, a virtual summit in which we invited three regional MSPs to discuss the current state of the MSP market and share some of their collective wisdom that comes from decades of channel experience. These three panelists included Elias Stucky, Director of Engineering & Security for Upward Technology, an MSP based in Portland, Oregon; Ryahn Toole, Cloud Security Specialist for Lehigh Valley Technology, an MSP serving the Eastern Pennsylvania region; and Sean Slattery, Founder and CTO for Caribbean Solutions Lab, a leading IT managed services provider in the Grand Cayman Islands. The following has been edited for brevity and clarity.

Q: What’s one piece of advice you would offer other MSPs on selling security services?

Ryahn Toole (RT): One thing I would have focused on more, in the beginning, would have been education. Start educating your clients on some of the issues they are facing earlier in the engagement process.

Elias Stucky (ES): It’s become commonplace to say that the user is the weakest link. While there’s some truth to that, they’re also your best line of defense. So if you don't educate them and train them, you're always going to be playing catch up.

Sean Slattery (SS): While the uneducated user can certainly be regarded as the weakest link, the educated user can be thought of as a human firewall. These individuals are your security champions. And it can really be anyone - though, of course, it should be everyone.

Q: What are some common misconceptions around cybersecurity that you have to deal with?

ES: I’ve heard too many smaller businesses say something like, ‘I don't have anything valuable to steal – who's going to want to hack me?’ Sure, you may not collect PII or credit card information but that's really not the point. How much money are you going to lose if your site goes down for a week or a month because of ransomware?

RT: In a similar vein, we frequently hear customers say, ‘no one cares about us, we’re too small to attack.’ To that I say, it doesn’t matter how much your data is worth to somebody else. The question should be: how much is it worth to you? How much are you willing to pay me to get it back?

SS: One of the most common misconceptions that we see goes along the lines of, “I’ve got a good antivirus or firewall in place so therefore, I’m safe.” Well, guess what? Every major company that’s been breached had all of those tools in their toolbox. Security is so much bigger than products and it’s on us to help customers see through the marketing FUD and help them realize that security is more than deploying products, it’s a continuous process.

Q: How do you communicate the need for cybersecurity to improve the value of your customer's investment in cybersecurity? How do you show ROI for a security initiative?

SS: The Caribbean region hasn’t been particularly well regulated by governance frameworks, though that began to change during the pandemic. So now we’re seeing compliance driving interest around security. While compliance doesn’t equal security, it's a good way to start a conversation and move beyond this idea of security as a cost center.

RT: There’s always going to be a challenge of talking about ROI for something that you’re planning to prevent from happening. What's interesting is we've actually found an ally in the insurance industry, especially as it concerns the SMB market. Insurance providers are now doing a lot more due diligence than they were five years ago. Back then if you could find someone to provide you with cyber liability insurance, they just had a few questions. These days you're looking at a dozen or more pages of qualifying questions to assess the underwriting risk.

Q: What role does visibility play in your client’s security strategy?

ES: We're trying to talk about something that when it's working, you never see or hear about it. The more visibility you have across your environment, the more precise your actions are going to be and the more efficient you can be in remediating it. I operate on the assumption that everyone is compromised because chances are, there's somebody out there who’s smarter than me. So the more visibility we have, the more intelligence we have, the better we can respond to it.

SS: I always like relating the story of survivor bias to the classic story from World War II, where these planes are coming back from the Pacific theater, all being shot up. And so the initial reaction was to reinforce the planes around where all the holes were found. Well, no, those planes made it back and the bullet holes were evidence of their survivorship. You need to put the armor where there weren’t any holes because those planes clearly never made it back. And the same is true for protecting your network. Visibility can be really helpful to solving what wasn't a security problem but can help as well. So that's been a good added value that we can provide through visibility tools to say, “it looks like you might have a misconfiguration somewhere.” And even though it's not a security issue per se, we can point them in the right direction.

If you’re interested in hearing more about what our panelists discussed, you can watch a recording of the entire session here.

About The Author

David Sylvester is a bioengineer turned cybersecurity expert who has spent the last several years helping organizations find the right solutions for their challenges. David currently is responsible for defining and executing the global sales strategy for Lumu. Before Lumu, David led Easy Solutions’ global expansion efforts from start-up through exit, reaching more than 465 customers and 125 million protected users worldwide. In his free time, David is an active rower, father of three, and creator of Tour de Dog, the first human-canine cyclist team to accomplish riding 4500 miles through the United States.