One of my favorite quotes of all time is, “If you are the smartest person in the room, then you are in the wrong room.” As it relates to cybersecurity, I would like to offer an offshoot of this: “If you are the only one in the room talking about risk, then you are in the wrong room.”
For managed IT service providers harnessing the opportunity to innovate and lead in cybersecurity, the ability to effectively explain security and the concept of cyber risk is the real key to success. Being on the forefront of cybersecurity today, serving up “what’s next,” comes down to differentiating—and MSPs talking about the right aspects of security to prepare their clients at the right time will win the race.
To be able to properly talk about cybersecurity, you must fully understand and be able to talk about the concept of risk. What are the risks that specific organization may be subject to? What are the potential solutions that can help mitigate those risks? The challenge is that the no two organizations face the same risks—they can vary widely based on industry, location, size and multitude of other factors. MSPs need to have a solid grasp on the risk principles—think compliance requirements—that apply to their client base and potential prospects.
The body of knowledge that is required can be a tall hurdle for a lot of MSPs to overcome. Personally, I think it is the single biggest factor that prevents the “traditional” MSP from transitioning into the MSSP arena. Short of hiring experts in these fields, the only real solution is to get educated. The good news is that there is a ton of training materials and programs that can help you get up to speed so you can have these risk discussions. The bad news? The rules are ever-changing, and new rules are coming up all the time—mostly from individual states as they try to protect their residents.
So, being knowledgeable about risk is just the first part of the equation. Now you need to make sure the right people from the client's business are in the room. The question of risk—what it is and how much an organization is willing to accept—is not a technical discussion, it’s a business discussion. To me, you really need to have either company owners (if a smaller company) or C-Level participation in these types of meetings.
All too many times, I have seen an IT manager make questionable decisions—typically based on cost justification—that causes an organization to take on my way more risk than they may intend to. While the desire to save money is a noble cause, the potential expenses that can come from a security event (especially an event in a company that has compliance requirements) can dwarf these operational “savings.”
One other word of guidance for the MSPs out there: be sure you document these meetings. While it is good to have the risk discussion with a client, make sure you get it all documented. It’s amazing how often folks “forget” our recommendations when the stuff hits the fan. I have personally seen the difference in what little documentation versus adequate documentation can have. Honestly, it can be the difference in keeping a client when the inevitable security event happens.
In the end, it’s our job to educate our clients so they can make the best decisions for their respective organizations. In the case of talking about risk, we just need to make sure it’s the people that have the big-picture focus that we are talking to. That way, your clients' businesses will be able to implement the advanced security it takes to see around corners and prepare for what lies ahead.
Want to see what's next in SMB cybersecurity? Download our new research report, The State of SMB Cybersecurity in 2019 today.
By Gretchen Hoffman
By Paula Griffin