Educating Prospects on IT Security: To Instill Fear or Not?

In the cyber world, businesses are constantly being hammered with fear, uncertainty, and doubt (FUD)—with the hope that someone will come along and reassure them that it’ll all be OK. When selling security services, however, MSPs typically play on this FUD factor. We take advantage of the opportunity to “scare” prospects into buying IT security, yet in many cases, this approach may backfire.

The reason why I think this backfires boils down to one thing: the human condition. When we are threatened and backed into a corner, we tend to fight. And, when it comes to cyber security, our prospective clients are often so far backed into the corner that they begin to fight the wrong fight. To prevent this from happening, there are five key areas you need to focus on.

Where Are Prospects Now With Their IT Security?

Before we dive in, it’s important to understand that for many prospective clients, their approach to security means buying a makeshift solution with a bunch of blinking lights—with or without input from their third-party IT vendor(s). In turn, this causes them to place false hope in the solution, and they become so drowned in alerts that they ultimately start focusing on the wrong problems.

Now, I think we can all agree that no matter how much investment we make in proactive and preventative security, it will never be 100 percent secure. There are still people involved, and people will continue to make mistakes. However, I am going to propose that we start selling security services without using FUD. Here are five things you need to focus on to get this to work:

1. Regulations and Compliance

We live in a day and age where almost every vertical MSPs decide to work with has some sort of regulatory requirement that businesses have to comply with, and they must be able to show evidence of compliance in the event of an audit. That said, many of your prospective and existing clients have no idea what those requirements are and/or how to go about meeting them.

If we look at the requirements in these different regulatory recommendations, most of them are about protecting the business and keeping the data safe. Therefore, we should focus on how our solution improves the security of the business that they built. This conversation then becomes about what the business can afford to get done, and about developing a plan of action to meet the other controls in the requirement framework as is fiscally possible.

2. Security as a Process, Not a Product

Going back to my first point, meeting GDPR or HIPAA compliance—or any of them for that matter—is all about process and procedure. While products like firewalls or security information and event management (SIEM) tools might help you in the compliance process, they can’t make you compliant or secure on their own.

When selling security, it should always be about the business process first, before it needs to be considered through the lens of IT security. Watch out for the trap that many vendors use when trying to sell a product as a solution to a problem. Not every common problem needs to be fixed, only those that pertain to the prospective client and their business.

3. Derive From Real-World Examples

I hate it when I hear the sales pitch about, “My ______ product would have prevented that breach from happening.” Maybe this is true, but at the end of the day, cyber criminals are very sophisticated and don’t have to play by the rules. They will find a way to break through, while throwing all morals or ethics out the window.

Instead, focus the selling conversation on the assumption that their business is going to be breached at some point in the future. There’s a saying that there are two kinds of businesses today: those who have been breached, and those who don’t know they’ve been breached. Whether you buy into that or not, think about what the company is willing to part with. How much data can they lose and survive? Could they deal with the financial and reputational consequences? Then, you can propose solutions and services around reducing downtime, diminishing the amount of compromised data, and catching the breach early.

4. Educate, Educate, Educate

Education is key to a strengthened security posture. If you aren’t focused on cyber security education now, my advice would be to start immediately.

Prospective clients are in great need of security and threat education, so make it known that it’s something you offer. You can display it on your website, or even point to it in a newsletter. If you don’t educate your existing and potential clients on what threats are out there, then the solutions or processes you have in place are bound to be circumvented. Essentially, what we don’t know can and does hurt us in the cyber security space.

5. Hopes and Dreams

It shouldn’t all be doom and gloom when selling IT security; you should also be discussing the business goals of your prospective or existing client. Do they want to be the number one or number two in their vertical? What level of legal, reputational and operational risk are they willing to accept? How will the solution fit into their business two years from now? Answering these questions will make sure you’re both on the same page, which can lead to increased satisfaction.


Are you struggling with how to sell security services, or just don’t know where to start? Let us know in the comments below, or feel free to contact me directly at

