How to have the security conversation with your customers and make money

By: John Ford

Security is the hot topic of the day. Everyone’s talking about it. Your customers are asking about it, they’re expecting you to be the expert, and it’s a conversation you’d rather not have. Can you even make money offering security? You definitely can, if you approach the conversation the right way.

A risk assessment is the perfect security conversation starter, but how do you get started? You have questions, and we have answers.

What is a risk assessment?

According to the National Institute of Standards and Technology (NIST), a risk assessment is a process of identifying, estimating, and prioritizing information security risks.

Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.

How do I engage with my customer in this process?

You should introduce the risk assessment as part of your normal business activities with that customer, such as a monthly meeting or quarterly business review (QBR). The assessment can be complicated for customers who are less technical or security savvy, so we recommend you work with your customer to complete their first risk assessment.

Two risk assessments are included in a free 30-day trial of ConnectWise Identify®. We recommend doing one for yourself and one for a customer.

How do I choose which customer to try the risk assessment with first?

We recommend selecting a customer that you have a good working relationship with and who might have previously asked you about security risks to their business. If you don’t have a customer in that situation, select one who will be open to completing the risk assessment with the understanding that the output produces a roadmap for them to become more secure and therefore better protect their assets and business.

How do I explain why I’m doing a risk assessment?

As ChannelE2E recently noted in their article, “MSP Judgment Day: Ransomware Attacks Threaten Industry Credibility, Reputation,” more than 4,000 ransomware attacks have taken place daily since 2016, and they’re hitting MSPs hard—particularly in the pocketbook. As an MSP, you need to work quickly to protect your credibility.

Educate your customers on the NIST Cybersecurity Framework and how a risk assessment is the foundation of any security program. Let them know the current threat landscape is constantly changing, and by performing a risk assessment and understanding their risks, they will be better protected against those risks. You add an extra layer of credibility if you can say, “It’s the same assessment I perform regularly on my own company.”

How often should I perform risk assessments?

Risk assessments should be performed on an ongoing basis. Security threats are constantly evolving, and as such, the results of a risk assessment done today are not permanent and definitive. We recommend assessing your entire customer database. Perhaps try doing risk assessments on a quarterly cadence as a part of your QBRs.

What’s the value of performing a risk assessment?

Performing risk assessments will establish you as a competent security service provider and naturally lead the security conversation to recommended products and services that tighten up your customers’ security. The results of the risk assessment will help you accomplish the following:

Prioritize risks

Not every risk is created equal. While you want to eliminate every risk and vulnerability to your clients’ networks, there are some risks that, if left unaddressed, could lead to greater loss. Performing an assessment will identify all risks across the entire business—not just the network—and categorize them based on their priority. Tackle the critical risks first, and you’ll be on the right path.

Focus your efforts

Using the data you have from the risk assessment, you can now get to work. You have an understanding of the overall security posture of your client and can build a security strategy around it. This strategy goes beyond a set of tools. Help your clients see cybersecurity from a new, more aware view and understand where they need to invest. Show them that the actions they take—both big and small—can play a part in keeping their data secure.

Increase revenue through project work

Each ConnectWise Identify risk assessment report comes with remediation recommendations. Think of this like when you take your car to the mechanic. They look over your car and show you what needs to be fixed, the importance of each item, and next steps. You can do the same thing with your clients and their security. Each recommendation turns into a service you will provide to your client and an opportunity for additional revenue.

Upsell advanced security services

Cybersecurity isn’t a one-and-done service. Basic remediation will reduce risk at the moment, but threats constantly evolve. Your clients will need to be up to date on the latest protection best practices and solutions. As you continue to grow your security offerings, you’ll have the opportunity to introduce advanced services to current clients and prospects.

Reduce your liability

You’ve performed the assessment, had the conversation with your clients, and presented ways to reduce risk and provide protection against cyberattacks. Even with this information, some clients just aren’t interested in paying for security, or they don’t see the need. With the attestation letter included in every risk report, you’ll be able to show you presented specific recommendations, the client elected not to follow the advice, and they accept the risk.

Cybersecurity is always a tough subject to talk about with your clients. But with the right information, you can confidently talk to clients about their security risk and what they can do to reduce it.