The borders of the network have disappeared, and people have moved out of the office with minimal focus on securing their remote environment. Ransomware events are increasing in both frequency and amounts demanded. Compliance and certification is getting more focus as governments move to support cyber security initiatives. The news is full of talk about security concerns.
Despite all the trends favouring cyber security related services, the gap is still growing between the real value of cyber security Services and their perceived business value.
In this article we go after why MSPs still seem to be struggling to articulate the business value of higher cyber security standards, creating proper business development plans and capturing the market opportunity. That leads to all kinds of problems for clients, including not being protected. Bad executive decisions mean MSPs cannot monetize cyber security services and end up hurting their bottom lines.
We are going to go through the 4 main challenges creating the gap between the technology service providers and the clients. The interesting thing is that all the four major challenges are related to miscommunication.
Just a step back before we jump in on the communication issues and the potential fixes.
We all know that cyber security issues have increased because technology affects personal lives and businesses deeper and wider.
Most of the cyber security related issues are invisible to users and business owners.
Most of these issues can not be solved by implementing another technology, but need to change user and executive behaviour.
That means solving the problem is not really a technology problem but a leadership one. Solving the issues won’t come by just implementing more solutions. They need to actually take leadership and guide the clients through this transformation.
Most service providers, though they’ve shown years of excellence providing best of class services, have no experience in stepping forward to lead people through behaviour changes.
Therefore the root of the problem to solve cyber security problems is NOT applying a technology solution but applying business leadership. The gap is getting wider between cyber security services and perceived business value as the service providers are applying more tech instead of more leadership.
Let’s see how MSPs are making this happen.
COMMUNICATION ISSUE 1 - TECHNOLOGY CONTEXT
MSPs often see and communicate the issues from the technology perspective.
- firewall needs replacement
- MFA should be adopted
- stronger passwords need to be implemented
These are all technology related solutions and so they create a technology context for the conversation. Many of these are acute issues so the MSPs try everything to convince these executives to implement those solutions.
The problem is that clients get turned off, maybe seeing MSPs as pitching products and services taking advantage of their lack of knowledge. Of course this is the opposite of the original intent.
How to fix: Apply Business Context
If the communication generates a business context then MSPs can apply the solutions in the client’s frame of reference rather than their own. MSPs should ask questions to lead executives toward better decisions.
- How comfortable are you with your current ability to respond to a detected cyber incident?
- What does that mean to your reputation, client’s perception or the organization’s day if a ransomware attack could lock up your systems?
- What do you think your role as a business owner is in providing a secure and low risk environment to your employees, clients and stakeholders?
The result is a business conversation where the MSP can understand the executive’s thinking process and give their input about a potential false assumption or offer more help in understanding the potential impact of issues. The goal is not to convince them that cyber security is important but to furnish them with the perceptual framework so they understand the risks and their role.
Communication Issue 2 - Technology Assessments
The market has been flooded with different kinds of cyber security assessments. The better ones follow a framework such as NIST CSF (US) / Essential Eight (AU) / Cyber Essentials (UK). These assessment software solutions help MSPs to streamline and automate a conversation about cyber security, risk assessments and remediation plans.
Although we believe this is the way to go, the major issue of these attempts is that it is driven by technology people in a technology context. These assessments check the security posture against various threats and try to convince executives to fix those with various technology tricks.
How to fix: Business Assessments
These assessments should be backed by cyber security frameworks such as NIST CSF (US) however the recommendations should be easy to understand business action plans for executives. These reports should be delivered by account managers and not technology people purposefully. If the results and recommendations are delivered from a business perspective there is always an option to go in depth with technology people. However the conversation stays on a business level in general.
The benefit is that the Account Managers are forced to look for the business use cases and can filter out the unnecessary tech talk from these assessments. Obviously the preparation of these assessments comes from the technology side but the presentation, and the leadership will be on the business level.
That gives relief to the executives of speaking the same language and forces the account managers to effectively communicate the business value instead of listing technology recommendations.
Communication Issue 3 - Technology Solutions
Most cyber security assessments list an overwhelming amount of technology recommendations - systems to implement, hardware to purchase, upgrades, policy and compliance activities and other things an average client will not comprehend. This leads to confusion and confused people make default decisions. The default decision is obviously to do nothing. This is very easy to do as most of these technology recommendations yield benefits that are not tangible.
How to fix: Business Action Plan
Instead of listing recommendations such as: “Implement Multi Factor Authentication Solution” which is a “solution” to a business benefit narrative to “Prevent unauthorized access even with a password breach”. Or Instead of “Security Awareness Training” which is a solution to a benefit “Building a Cyber Vigilant Employee Culture”.
Now you are able to list those benefits as projects, and you can list the activities behind the projects such as implementing technologies, but the narrative is business friendly. That communication encourages better decisions and demonstrates the benefits of the initiatives instead of leaving clients confused by a plethora of technology solutions.
Communication Issue 4 - Development Projects
Many MSPs are longing for a “big bang” revolutionary cyber security project to be purchased by the client. The assessment remediation projects can be done from the technology perspective in weeks or months. They try to sell the project and probably try to move the client from a low maturity to a super high maturity level quickly. Yes, when companies had to face lockdowns they reacted and adopted change quickly. However if external forces are not that powerful the adoption of change is very slow.
How to fix: Development Process
Seeing cyber security as a “never-ending development process” instead of a “one-off project” gives many advantages. The MSP does not have to force all changes quickly, they can distribute the projects over months and prioritize the low hanging fruit. It also allows the MSP to bring up cyber security-related initiatives to sign off quarterly. That makes it a standard agenda based on the bigger roadmap. So account managers do not have to convince executives all the time, but help them take one step at a time to establish a less risky business over time.
As you can see, these 4 communication challenges and potential fixes are nothing but a change in your perspective.
- think about the client’s point of view
- have a business conversation instead of technology presentation
- enforce a benefit narrative rather than a solution narrative
- think about a slow burn culture change instead of a quick revolution
That turns you into a true advisor, sought after business partner and a communication expert. It will enable you to secure all your clients, reduce your business risk and make your business more profitable.
If you cannot break those old habits then the gap will widen between your technology services and the perceived business value your clients see. That leads to endless arguments with your clients about why they need to invest more in technology and a stagnating and less profitable business.