Trust is very important, and sometimes very challenging.
As a service provider you are walking a thin line.
When you point out problems on your client’s network, will they think you aren’t doing your job and stop trusting you? Will they have second thoughts on whether your team is doing the right things? Will they want a second opinion?
Pointing out problems can most definitely backfire. Leaving you with more serious problems to address than simply technical issues. You have a trust problem.
I’ve seen this scenario strike many MSPs.
Think of one of your clients for a minute, one that might not be willing to invest in more security. You know the client I’m talking about here; the one who is satisfied with spending 300 dollars a month for antivirus. That’s it.
Most of us have had that client who simply doesn’t value security. So, how would they react if you did an automated assessment of their network and generated a report with all sorts of findings? Before you answer that, imagine finding a major issue that should be closed up, so you decide to submit some emergency tickets to your team to get low hanging fruit addressed. And then you decide to present some serious problems with the goal of getting them to invest in a security program. And then you ended up with a laundry list of of to-do's for their network.
Now picture telling them that they have a laundry list of things needing to be done on their network. If you were that client, what would the first reaction be?
If I were that client, I would be thinking that you were asleep at the wheel. I’d think that you’re wasting my time showing me all the things you’re NOT getting done. I’m thinking maybe I’m spending too much money on this IT stuff. Should I look for a replacement?
Obviously, I’m going into worst-case scenario here, but even if you have a very understanding client, you’d probably expect them to be at least a little surprised. They also might be wondering why you haven’t pointed this stuff out earlier OR why you haven’t been addressing the issues in the first place.
If you are coming to your client meetings with a branded report that you auto-generated—whether it is an automated pen test or a vulnerability assessment—you are putting your MSP’s reputation at risk.
And they will not listen.
Yes, they will see the problems. And yes, they may be worried about doing something about them. But they won’t understand why you’re bringing them up now and they won’t trust that you have their back.
I’ve had dozens of conversations over the last few weeks with problem clients who will not budge or are giving tremendous push back to investing in security after trying to convince them with auto-generated branded reports.
The solution?
Take the action you would with any serious condition: Get an outside, unbiased opinion. In other words, a simple third-party analysis. Give them a third-party expert to see what is working and where security issues may lie.
Your approach?
Education. Help them to understand that you value your clients’ security, and you take it so seriously that you invest in having a third-party evaluate security on your network and those of your clients.
Explain that that third-party will uncover some things—that’s exactly why you’ve engaged with them—to identify and help prioritize issues within their environment.
You haven’t fallen asleep at the wheel. On the contrary, you can show them that a third-party assessment is about being proactive, and being even more attuned to the services you provide them.
By using a third-party assessment, one where a team evaluates the results and helps present problems, you are driving them down a pathway towards success alert to all of the challenges on the roadway. You’re showing them where their risks are and working with them to address risks they find unacceptable.
A third-party assessment will help them see that you are interested in finding blind spots and that you can indeed be trusted. It will help them value your opinion and help you resolve security items.
If you are interested in seeing how a third-party assessment can get decision makers to take action, consider a free cyber stack assessment of your network.
