The MSP Game Plan To Selling Managed Security
By Travis Ray, Infogressive Inc.
Every business needs cybersecurity, right? The bad guys are out there and have shelved their shotguns for computer code. Then why is it so difficult for MSPs to sell cybersecurity? That’s the literal million-dollar question and Mount Everest for MSPs and I’m going to try and be your Sherpa to the glorious summit. Hold on to your butts and buckle up …
I’ve worked with dozens, probably a hundred or more, of MSPs trying to tackle managed security services (MSS). Most MSPs are offering some basic MSS such as next-gen firewall, antivirus, or email security because those are commoditized and easier to manage. Those services are also easier to sell.
Your typical MSP customer knows they need a firewall and have dealt with enough viruses or phishing emails to concede the necessity of those defenses. The good ol’ days of set-it-and-forget-it firewalls and sufficient prevention by antivirus are long gone. The landscape of cyber threats is constantly evolving, forcing businesses to deploy new advanced defenses to reduce their risk. That could be SIEM, Endpoint Detection and Response (EDR), Managed Detection and Response (EDR+SIEM), Vulnerability Management, SOCaaS, or Professional Services such as Penetration Testing and Incident Response. Those are the advanced cybersecurity services we’re discussing how to sell.
If you google “selling managed security services” you’ll find pages and pages of cybersecurity vendor content about how their product makes it easy to sell MSS. What you won’t find on those first few pages is an unbiased guide to selling MSS no matter what tools power your SOC. That is what we’re going to dig into here. Let’s assume you’re an MSP that has already figured out your MSS offering strategy, whether that was building and staffing your own SOC or partnering with an MSSP to re-sell their services (that’s a whole other challenge and if you’re at that stage you should check this out).
The most common approach I hear to selling MSS is educating customers and that is important, but you will struggle to sell MSS by just educating customers and not also holding them accountable. Without accountability, educating your customers is futile. Think of accountability as the hammer to the education nail.
The First Phase, Education
MSPs are their customer’s IT experts and trusted advisors — and that is critical to both education and accountability phases. You don’t have to be an ethical hacker or CISSP to educate your customers. Accountability goes both ways. If you are not confident in your cybersecurity expertise, be honest with them and disclose that. Your intentions can be good without being an industry leading expert. If cybersecurity is hard for you, the technology expert, imagine how impossible it is for your customers. Follow experts on social media and stay tuned to blogs that you can leverage thought leadership. Some places to start are:
Borrow from content you find and use it to educate your customer’s on threats they should be aware of — they rely on you to advise them. While we all know the stats about cyber threats, they probably do not. Position your education as something they need to be aware of and not another expense in their IT cost center.
This is also a prime opportunity to start creating expectations of accountability. Always assume a follow up discussion with your educational content, “We should chat about how these types of threats could affect you. Are you available Thursday?”
Here are some of the common challenges/objections in this phase and suggestions on how to handle them:
- Our customers expect we’re already protecting them with current managed services.
- If you are doing quarterly reviews with your customers start highlighting the security you are managing for them or lack of. It’s a guaranteed relationship killer if your client thinks they are protected and have an incident that brings business to a screeching halt.
- Some MSPs I’ve worked with have liability agreements they force clients to sign who elect not to buy MSS. I don’t recommend this from experience because post-breach/incident someone will get blamed and its always going to be the MSP. Right or wrong, documented or not, they’ll throw someone external under the bus rather than accept responsibility internally. The better option is to bundle layered security into your standard managed service agreements and walk away from a client who can’t see the value. Save yourself the inevitable headache of a client who poorly manages risk.
- SMB is not a target of cyber criminals.
- False. SUPER FALSE. Bad guys know SMBs rarely have the prevention and detection in place to make penetration difficult. SMBs are low-hanging fruit for ambitious or less sophisticated hackers not equipped to attack enterprise. To make matters worse, most SMBs will not survive a breach and you just lost a client that still has costs on your books for ongoing licenses.
- We can barely squeeze the dollars from customers that we get now, they won’t pay for it, or customers know they need more security but it's just too expensive.
- We’ll cover this more in the Accountability Phase, but it's not a matter of if, but when, clients will suffer a breach or cyber incident and MSPs are doing clients a disservice by not holding them accountable for security as their trusted technology advisor.
- Yes, security can be expensive, but it's not “Fort Knox or nothing.” Every bit of the attack surface you shrink and increase the difficulty of penetration counts. These layers can be stacked over time and there are inexpensive options such as phishing simulation and security awareness training that can make a huge difference. As clients see real world value in these less expensive services, their grip on the purse strings will relax.
- They’re already paying for back-ups, selling them more security will feel like overkill.
- Defense in-depth is key, and back-ups are one layer of that depth. Even if you have the strongest back up strategy possible many victims are finding their backups are inadequate — they may have omitted certain systems or data from their backups either accidentally or to reduce costs. Some organizations fail to test their backups, discovering only after an attack that the backups can't be restored. Attackers have other objectives than just your data, often hijacking a company's communications or website to spread the ransomware further. Don’t put all your eggs in one solution basket and never sell any technology as a cure-all.
- My client has cyber insurance, they don’t need to pay for security since they’re already protected.
- This is one of the most frustrating objections because it’s so dumb. Just plain dumb. You have car insurance, but you don’t drive recklessly and not wear a seat belt, right? Of course not, because insurance coverage or not, an accident (or incident) is disruptive and painful. Yes, cybersecurity insurance can be a smart investment, but only as a failsafe.
- Clients know they are not HIPAA/PCI/NIST compliant but don’t fear audits or fines.
- Security and compliance share some overlap but are not the same thing. Position MSS as mitigating risk to business and compliance as a framework to consider. If compliance is driving your clients need for more cybersecurity, be sure to explain that checking off boxes does not guarantee a breach or incident wont still happen. Implementing a security tool just to check off a box but isn't managed leads to a false sense of security.
The Second Phase, Accountability
Accountability is key. If your customers cannot admit that a cybersecurity incident is a risk, they need to proactively address then you will never sell them.
You’ve been educating your clients and deftly handling the typical objections like a Steph Curry crossover and you feel like the tide is turning, but your percentage is more like Shaq at the free throw line. Now is the time to get your accountability hammer and pound that education nail.
Changing hearts and minds is never easy. You have to apply pressure and there will be questions that are tough to ask. It’s going to be a little uncomfortable, but that is a good thing.
FUD (Fear, Uncertainty, Doubt)
FUD has become an acronym with bad connotations. It has value when recognized as a buying signal instead of used as a sales tactic. I’m not suggesting you become a used car salesman, but a cyber incident is scary and there is fear that needs to be addressed.
How you position FUD makes all the difference. Never use FUD as a scare tactic to pressure clients. It is something you should be gently creating in the education phase and watching for in order to respond as a trusted advisor. FUD from a client is a signal of urgency. When you sense FUD, take the opportunity to present a solution and ask the tough question: “Would this make you feel more certain about the future of your business from the risks we’ve discussed?”
Tell Their Story
Everyone loves a good story. More often than not when selling we tell our story. Clients want you to know their story. By knowing their story, you are handing accountability back to them.
Make your relationship more personal and ask the big picture questions to help you learn their story. Why have they been successful? What are their core values, how did they decide on those? What has motivated their previous business decisions? What are their goals for the future? It’s easier to force accountability when you tell a client their story: “Managing your cybersecurity risk will help you stay on track and accomplish these goals.”
I Rest My Case
Education is only successful if it has presented an undeniable truth: It’s not if but when a cybersecurity incident happens, which can be fatal to a client’s business. Use education as the path to accountability. You have presented the data and facts, it’s time to ask the uncomfortable question, “Do you agree that cyber threats are a risk that needs to be mitigated?”
KISS: Keep It Super Simple
Your client is now educated and has acknowledged the risk of not managing their cybersecurity and is ready to hear your solution. Tailor your proposal to their goals and concerns that you’ve heard. Keep it laser focused and succinct. Be sure you have walked them through their entire buyers journey so that everyone understands the needs your solution should align with. Presenting a half-baked proposal to soon could cost you their trust and the deal.
You don’t need to sell features and benefits at this stage, you’re selling a solution. Try to keep line items on your quote straightforward and easy to digest — quoting with bundles is a great way to do that. When presenting the proposal start with what you’ve heard, review your solution, wrap up with how your solution meets those needs you’ve heard, completing their buyers journey. Assuming the sale is the final piece of accountability: “Is there anything I missed that would keep us from moving forward?”
If you’ve made it this far I hope you have found something insightful in the last 1,800 words and I’ll leave you with this thought: What do you have to lose asking the uncomfortable question? What does your client have to lose if you don’t?
About The Author
Travis Ray is a Channel Account Manager at Infogressive Inc., a Master MSSP established in 2006 in Lincoln, NB. Prior to joining Infogressive, Travis has worked in the channel with MSPs and helped dozens of partners build security go-to-market strategies. Travis is an award-winning channel sales professional and worked the sales cycle from beginning to end as a dedicated sales resource for his partners, earning praise and recommendations on LinkedIn from partners, colleagues, and leadership.
About Infogressive Inc.
Infogressive Inc. is a cybersecurity provider that provides it’s MSP partners an effective and scalable full-suite of security services to protect their clients, the tools and resources to grow their reoccurring revenue and a direct line to highly trained engineers. Infogressive’s focus is their partners’ success by adding value to their clients with security, moving to a proactive state to save time from repairing compromises and staying on top of the ever-changing threat landscape so you don't have to.