This article was written by guest contributor Jon DePerro. DePerro is the chief compliance officer at Vector Choice, an MSP headquartered in Atlanta, and VisibilityMSP, a white glove cybersecurity and compliance service for MSPs.
Compliance is the MSP’s wedge to midmarket, higher-value clients.
Why? Because compliance is a business sell, not a technology sell. And midmarket companies see the value of having a partner who understands the business case they’re trying to solve for—and they actually have the money to pay for the solution.
Compliance is also not an easily commoditized widget that businesses will just price shop. That expertise is your unique value proposition. How many MSPs have already come knocking with offers of a free cybersecurity assessment or vulnerability scan? If you want to reach the decision makers in a midmarket company, compliance will open doors a lot faster than offering free scans. Compliance gets you to the clients you want, not the ones you already have access to.
Why Medium-Size Companies Are Dying To Hear From You
With compliance, and by extension cybersecurity, you are selling a desired end state and a plan to get there. This is not about managing computers. You’re not there to replace a network cable or reset a password. You’re there to understand the midsize company’s contractual, legal, and governance obligations that they have around information security and business continuity.
That’s not something the local IT guy or even their in-house IT staff can do. These midmarket companies need a business partner who understands their industry and can help them architect and design a risk management and information security program based on input from all the stakeholders—HR, finance, sales, etc. You’ll find they are willing to bring you in to have that discussion. They’re dying for it, even.
Try These Talking Points
Here’s what that conversation should look like. Start with, “Let me understand your business. Do you take credit cards? Does your company have insurance? Do you have medical records? Are you selling to the defense industry? Do your clients expect you to protect their data? Are you a high-risk vendor because you could be hit with ransomware at any time? How do you show value to your clients?”
If data is critical to their business, it’s a critical business function.
Even if a business isn’t in a regulated industry, they’re aware that somebody in their organization, likely their IT department, filled out a questionnaire for their cyber insurance policy. If they operate in states with Safe Harbor laws, you can talk with them about how they could limit their financial liability if they were to have a cyber incident. Or if they operate in states with privacy laws, ask if they understand what they need to do to protect customer information.
Here’s another talking point. Compliance with standards like SOC 2, HIPAA, the FTC Safeguards Rule, SEC requirements, etc., requires that a qualified person be in charge of enforcing the security controls. Ask them who on their team is responsible for this. It’s likely that no one is, if they even know what you’re talking about.
They can’t solve this problem on their own. Even if they could find a qualified information security manager, it’s very expensive to hire that resource full-time. Here’s where you fill the gap by charging them a fraction of that, and they’ll be willing to pay for it.
Make Internal IT Your Biggest Advocate
In addition to getting the ear of decision makers, you’ll need to gain the trust of internal IT. Convey that you understand the budget constraints and staffing challenges they’ve faced when it comes to cybersecurity and compliance. Tell them that you know they’re so swamped with supporting users they don’t have time to run a vulnerability scan or do a pen test or other advanced cybersecurity functions. You can easily handle security and a strategic risk management program while they focus on the day-to-day of keeping the networks and applications running.
Coming in as a partner rather than a threat is key to a great co-managed IT engagement.
Become Compliant Yourself First
If you’re not already offering compliance as a service, get your own house in order before you start prospecting for co-managed engagements. Choose a standard, whether it’s SOC 2, NIST, PCI, or something else, and go through the process of implementing the required security controls and receiving certification in cases where that’s offered. That will give you a precise handle on the time, effort, and resources required—something you’ll be able to convey to customers with confidence. Every client environment is a little different, but 85% of the methods and documented procedures you’ve created should be applicable.
Once you’ve mastered one standard or framework you can start adding knowledge on another. Since you’ve already got a handle on a lot of the foundational elements, you may just need a few more resources. Expanding actually gets easier.
The “Soothsayer” Effect
Even if you demonstrate the trends in lawsuits and liabilities for companies that fail to comply with state and federal regulations, or even with their own cybersecurity policy requirements, it may take midmarket prospects six months or more to feel the pain and buy from you. However, if you’ve detailed the compliance and risk problems that they’re now facing because they didn’t take action, you’re going to look like a soothsayer.
This is what makes your message different and defines your unique value proposition. It’s why they’ll take your call.
A Better ROI
Too many MSPs today are beating their heads against the wall, hoping four-person companies will invest in cybersecurity and compliance. You’re expending a lot of energy for very little return! Spend less energy hounding your very small clients to spend five more dollars per user on MFA and more time on going up market to sell risk management solutions. The return will be well worth your investment.