How MSPs and MSSPs should market cybersecurity to find success

It's time for MSPs and MSSPs to reevaluate how they sell their security solutions. Dave Sobel offers his recommendations, such as emphasizing the human aspect of cyber attacks.

Dave Sobel is the host of the podcast "The Business of Tech" and co-host of the podcast "Killing IT." In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.

For this article, Sobel looks at how MSPs market their cybersecurity solutions to customers, explaining how they should focus on their wording. He suggests looking at how best to differentiate yourself from other providers.

Transcript follows below

Let's talk about words and a mirage. But first, a headline: "The billionaire founder of the world's biggest appliance manufacturer, Midea Group, was held hostage by intruders in his home . . . but was rescued by police."

That was a recent headline from ABC News. It's very much a security story, as your instant thought is to all the ways your own home might be compromised.

Now, think about the words -- the way the story is written. It's about a person, and it uses the word intruder. "Intruder" is a synonym for burglar or criminal. You relate to the story on a very human level.

Then I pulled a story from the same site about a ransomware attack. "New Jersey's largest hospital system said Friday that a ransomware attack last week disrupted its computer network and that it paid a ransom to stop it."

Listen to the way the two stories are different. There's no personification. The attack is not linked to people at all -- the attack itself is the noun, not those behind it. The victim here -- despite working with the FBI, authorities, cybersecurity and forensic experts -- the victim is the one who is viewed as resolving this. It's not visceral in the same way.

Let me rewrite that headline. "New Jersey's largest hospital system was held hostage by intruders within their facility, and cybersecurity experts and authorities intervened unsuccessfully. The hospital was forced to pay the ransom."

There is a huge difference. The words we use really matter. The reporting and discussion of breaches is all wrong. Ransomware doesn't do an attack, people do attacks. These breaches are done by humans -- specifically criminals, organized crime, vandals and nation states.

We're all talking about "security" like it's a feature or a product that you can buy. It's even implied -- a singular attack that can be stopped, rather than a sentient opponent. We're not up against software, we are up against human adversaries.

Now, why do we care?

Consider the people aspect over just security technology

Guns require people to do harm. So do cars, knives, chainsaws. That's what weapons require -- even a drone or missile requires a human to issue the order. In technology's case, however, we often bestow a certain degree of independent intelligence -- and even more so now with phrases like "artificial intelligence" and "machine learning." It's no wonder that with that personification of the technology, one might be led to believe you could solve this with more technology.

And, for the record, vendors love this. Selling more features and functions is ripe for exactly this. If you lead with the idea that the problem is just technology and so more technology solves it, you imply that you just need that, and all your problems go away . . . but that's just not true.

I'll reference some Techaisle research. Their recommendation -- a combination of technology with management and IT actions delivered by skilled suppliers. Management gives the rules of the road, and ensures the needs are addressed. The IT team creates controls, and then the suppliers bring solutions. Without the people portions of this, it doesn't matter how many technologies you throw at this.

You can have all the technology in the world, but unless you get the rules, needs and controls in place, it's all irrelevant. Just this week, I reported on data from Sophos -- 66% of attacks in the cloud . . . due to exploited misconfiguration. Not that the tools couldn't protect -- but having things configured wrong.

Think about that. The major cause was misconfiguration. The protections are there, just not set correctly.

The word "security" itself is even part of the problem

You know what the definition of security is? "Freedom from danger." "Freedom from care, anxiety or doubt." Security is a mirage. You will never arrive at a place of security, you will never achieve security, and you will not get to freedom from danger, nor freedom from care, anxiety or doubt.

Using the word implies a destination that is unattainable.

In The Matrix, Neo learns that he cannot change the environment -- only himself -- encapsulated in the idea that there is no spoon. You don't change the spoon; you bend yourself and the reality shifts.

You don't sell security. You just don't. You sell process management. You sell risk mitigation. Stop talking "security" because it's not working and it's not positioning you for success.

Information systems breach protection is a real problem in the marketplace . . . but it's not one that's solved by technology. We don't need more technology here. We have to take on the people and process.

Here's how to take action

Stop talking about security. It's a lie. Everything is cake. There is no spoon.

Change your conversation from attacks and talk about criminals. The ransomware is the weapon, not the perp. You were not compromised; you were held hostage. Broken into. Use the right words to describe the crime.

Emphasize the human element in every conversation, because both sides are what we are dealing with. You are managing the attackers and the attacked. Your resolution is human -- what controls and process are you putting in place to protect.

With that, it's far easier to talk about the desires of management, and ensure they are bought in on what they are willing to commit to. IT will then address the needs, leading with process and procedure. Technologies will automate, augment and enforce those.

Here's the good news -- business process is far more lucrative than selling technology stuff. This is hard, ongoing work. You'll differentiate in the way you approach the market, and you'll stand out from your competitors who are selling their mirage.

Remember. There is no spoon. Bend the people, not the product.

About the author
Dave Sobel is the host of the podcast "The Business of Tech," co-host of the podcast "Killing IT" and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade, and has worked for vendors such as Level Platforms, GFI, LOGICnow and SolarWinds, leading community, event, marketing, and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.

Next Steps

How threat modeling technology fits into modern security

Why and how MSPs adopt cybersecurity industry standards

Dig Deeper on MSP business strategy