By Travis Ray, Infogressive Inc.
Every business needs cybersecurity, right? The bad guys are out there and have shelved their shotguns for computer code. Then why is it so difficult for MSPs to sell cybersecurity? That’s the literal million-dollar question and the Mount Everest for MSPs, and I’m going to try to be your Sherpa to the glorious summit. Hold on to your butts and buckle up …
I’ve worked with dozens, probably a hundred or more, of MSPs trying to tackle managed security services (MSS). Most MSPs are offering some basic MSS such as next-gen firewall, antivirus, or email security because those are commoditized and easier to manage. Those services are also easier to sell.
Your typical MSP customer knows they need a firewall and have dealt with enough viruses or phishing emails to concede the necessity of those defenses. The good ol’ days of set-it-and-forget-it firewalls and sufficient prevention by antivirus are long gone. The landscape of cyber threats is constantly evolving, forcing businesses to deploy new advanced defenses to reduce their risk. That could be SIEM, Endpoint Detection and Response (EDR), Managed Detection and Response (EDR+SIEM), Vulnerability Management, SOCaaS, or Professional Services such as Penetration Testing and Incident Response. Those are the advanced cybersecurity services we’re discussing how to sell.
If you google “selling managed security services” you’ll find pages and pages of cybersecurity vendor content about how their product makes it easy to sell MSS. What you won’t find on those first few pages is an unbiased guide to selling MSS no matter what tools power your SOC. That is what we’re going to dig into here. Let’s assume you’re an MSP that has already figured out your MSS offering strategy, whether that was building and staffing your own SOC or partnering with an MSSP to re-sell their services (that’s a whole other challenge and if you’re at that stage you should check this out).
The most common approach I hear to selling MSS is educating customers, and that is important, but you will struggle to sell MSS by just educating customers and not also holding them accountable. Without accountability, educating your customers is futile. Think of accountability as the hammer to the education nail.
The First Phase, Education
MSPs are their customers’ IT experts and trusted advisors — and that is critical to both the education and accountability phases. You don’t have to be an ethical hacker or CISSP to educate your customers. Accountability goes both ways. If you are not confident in your cybersecurity expertise, be honest with them and disclose that. Your intentions can be good without being an industry-leading expert. If cybersecurity is hard for you, the technology expert, imagine how impossible it is for your customers. Follow experts on social media and stay tuned to blogs whose thought leadership you can leverage. Some places to start are:
Borrow from content you find and use it to educate your customers on threats they should be aware of — they rely on you to advise them. While we all know the stats about cyber threats, they probably do not. Position your education as something they need to be aware of and not another expense in their IT cost center.
This is also a prime opportunity to start creating expectations of accountability. Always assume a follow-up discussion with your educational content: “We should chat about how these types of threats could affect you. Are you available Thursday?”
Here are some of the common challenges/objections in this phase and suggestions on how to handle them:
The Second Phase, Accountability
Accountability is key. If your customers cannot admit that a cybersecurity incident is a risk they need to proactively address, then you will never sell them.
You’ve been educating your clients and deftly handling the typical objections like a Steph Curry crossover and you feel like the tide is turning, but your percentage is more like Shaq at the free throw line. Now is the time to get your accountability hammer and pound that education nail.
Changing hearts and minds is never easy. You have to apply pressure and there will be questions that are tough to ask. It’s going to be a little uncomfortable, but that is a good thing.
FUD (Fear, Uncertainty, Doubt)
FUD has become an acronym with bad connotations. It has value when recognized as a buying signal instead of used as a sales tactic. I’m not suggesting you become a used car salesman, but a cyber incident is scary and there is fear that needs to be addressed.
How you position FUD makes all the difference. Never use FUD as a scare tactic to pressure clients. It is something you should be gently creating in the education phase and watching for in order to respond as a trusted advisor. FUD from a client is a signal of urgency. When you sense FUD, take the opportunity to present a solution and ask the tough question: “Would this make you feel more certain about the future of your business from the risks we’ve discussed?”
Tell Their Story
Everyone loves a good story. More often than not when selling we tell our story. Clients want you to know their story. By knowing their story, you are handing accountability back to them.
Make your relationship more personal and ask the big picture questions to help you learn their story. Why have they been successful? What are their core values, how did they decide on those? What has motivated their previous business decisions? What are their goals for the future? It’s easier to force accountability when you tell a client their story: “Managing your cybersecurity risk will help you stay on track and accomplish these goals.”
I Rest My Case
Education is only successful if it has presented an undeniable truth: It’s not if but when a cybersecurity incident happens, which can be fatal to a client’s business. Use education as the path to accountability. You have presented the data and facts; it’s time to ask the uncomfortable question, “Do you agree that cyber threats are a risk that needs to be mitigated?”
KISS: Keep It Super Simple
Your client is now educated, has acknowledged the risk of not managing their cybersecurity, and is ready to hear your solution. Tailor your proposal to the goals and concerns that you’ve heard. Keep it laser focused and succinct. Be sure you have walked them through their entire buyer’s journey so that everyone understands the needs your solution should align with. Presenting a half-baked proposal too soon could cost you their trust and the deal.
You don’t need to sell features and benefits at this stage; you’re selling a solution. Try to keep line items on your quote straightforward and easy to digest — quoting with bundles is a great way to do that. When presenting the proposal, start with what you’ve heard, review your solution, and wrap up with how your solution meets those needs you’ve heard, completing their buyer’s journey. Assuming the sale is the final piece of accountability: “Is there anything I missed that would keep us from moving forward?”
If you’ve made it this far, I hope you have found something insightful in the last 1,800 words, and I’ll leave you with this thought: What do you have to lose asking the uncomfortable question? What does your client have to lose if you don’t?
About The Author
Travis Ray is a Channel Account Manager at Infogressive Inc., a Master MSSP established in 2006 in Lincoln, NB. Prior to joining Infogressive, Travis worked in the channel with MSPs and helped dozens of partners build security go-to-market strategies. Travis is an award-winning channel sales professional and worked the sales cycle from beginning to end as a dedicated sales resource for his partners, earning praise and recommendations on LinkedIn from partners, colleagues, and leadership.
About Infogressive Inc.
Infogressive Inc. is a cybersecurity provider that provides its MSP partners an effective and scalable full suite of security services to protect their clients, the tools and resources to grow their recurring revenue, and a direct line to highly trained engineers. Infogressive’s focus is their partners’ success by adding value to their clients with security, moving to a proactive state to save time from repairing compromises, and staying on top of the ever-changing threat landscape so you don't have to.