Clients don't want to know or talk about MDR, firewall log reading, or security training, but they do want their business to be completely secure. Communicating the right message makes all the difference.
How many of us look forward to our next meeting with our insurance agents to discuss our plans? Sadly, that is a good analogy for how our clients feel about the next IT security discussion we want to have with them. If you cannot relate, you either have great relationships, communicate regularly and well, or are overlooking something very big.
Build the relationship
One of the toughest things about being an MSP, and particularly when the topic of IT security arises, is that we must deliver a lot of news that clients don’t want to hear. Whether it be the expense, the inconvenience, or just the general discomfort of discussing various worst-case scenarios, these are often not well-received discussions.
The first step towards addressing this unease is to build rapport with your clients around issues unrelated to IT security. That includes helping them gain insight into their own business processes, quantify the value of their data and associated risk, and improve their profitability. Once you have that groundwork laid and have earned their trust, all other recommendations and associated admonitions will carry more weight. Think about your own experiences; when someone brings you bad or challenging news, how do you evaluate its veracity and import? My guess is that you accord far more credence to those whom you already trust before the bad news arrives. You need to have earned their trust before delivering bad news.
Communicate more effectively
Most of us tend to focus on facts and figures, on technical details, and on bringing the bad news. But most of our clients are more focused on business outcomes, on growth, and on stability. These worldviews don’t mesh, and if we cannot learn to mold our message appropriately, it will get lost in the noise, or worse, it will diminish our stature.
That means we must find ways to heighten their focus on security by assuring them that a more secure business is a more productive and profitable business. You have probably heard that nobody wants to buy a 3/8” drill bit (9mm for some of you), they just want to have that size of a hole drilled. Though very few of our clients want MDR, firewall log reading and response, or security training, they do want to keep their business running and protect their reputation. While most business owners do have general liability, errors and omissions, workers’ compensation, and other insurance, it is not because they want it. But they do these things because they want their business to run smoothly and to be protected from risk.
It is that protection from risk, that we must focus upon. Risk protection is a business outcome, staying secure is a means to that end, and that is how we must communicate it. What we do is not what matters, rather, what that provides is. Owners don’t want two-factor authentication, vulnerability scanning, or log reading. They want their business to be secure and productive.
Visit reality more often
One of the most striking things I see is the endless barrage of marketers and vendors telling us how to charge more per seat, sell more deeply into our sites, and increase our rates. I won’t argue that these aren’t desirable goals, but it is important to note that most of our clients aren’t asking us how they can spend more every month.
What we really want to find is where their needs overlap with our desires. None of us has a client that wants to spend more money and time on security, but none of them wants to become the victim of a ruinous data breach or suffer a business email compromise that leads to a six-figure loss. Clients don’t want “more security,” they just want to feel more secure. This desire is the emotional lever we need to pull. Note, this is not the same as using the FUD techniques that many of us were “raised” on to sell more security. The reality is that between the escalation of both the number and sophistication of attacks and the changes that our much more distributed work styles have brought, securing your clients is tougher than ever. But they know that.
If you are in the small minority of MSPs that have great client relationships, easily communicate, and are well-grounded in today’s business reality, there is little you can learn from this. But few small MSPs have mastered the concept of business outcomes as a deliverable. We all know that securing small businesses requires a wide variety of tools, processes, and practices. But the only thing our clients know is that they want to get on with their business. The next time you want to reach for an acronym or a technical term, remember what really drives your audience.