Company X needs to get a network assessment of their environment.
Maybe they have an IT guy working on their team or someone managing their IT right now. They know they have problems, and they aren’t shy about telling you this when you follow up. They’re pretty sure an assessment would be a waste of time. After all, they’ll get around to fixing the problems…someday.
Even if they allow you to perform a vulnerability assessment, they tell you that they already know of the issues, so you keep hitting a wall. Worst of all, if you do the assessment, you become even more aware of the danger that Company X faces. Then you hit that wall even harder because you know that you could make a huge difference for them.
What do you do?
Reframe the problem and focus on risk.
They tell you that they’re hell bent on fixing the stuff, but let’s be honest. With their current mindset they’re probably never get around to it.
Risk is your way in.
Risk is the way you can refocus their laundry list of tasks. If you can start the conversation around risk, you’ll help them see that they can prioritize these issues. Then you can enable them to move forward in their security programs.
So, let’s say they’re against you analyzing their network because they know they have skeletons, fine. Instead, start with a conversation around risk. Our partners find success by using risk analyses to help alert their clients to serious problems before diving into the details. This lays the groundwork for an effective conversation when you actually end up getting an assessment done.
Then dive into some high-level issues
Here’s how this strategy works:
- Start small. Instead of moving from a discussion of risk directly into pages and pages of issues generated from a vulnerability assessment, why not get them to take a first step of testing their security on a few computers—may be users that they are concerned about?
- Discuss impact. Get them to see that some of the issues on their network are within reach and will have a big impact on people in the organization who might be at the most risk of being exploited. If you get them to run a third-party analysis on a few machines, you can show them how to address some very visible issues that will have a high impact.
- Present the results. Focus on the biggest 2-3 issues that came up from the simple analysis. Get them to see how you can help with those issues. Show how getting these things done will be perceived as huge wins and a way to get their leadership on board with investing in their security (which is where you will have a big impact!).
- Demonstrate expertise. During the readout meeting, you can demonstrate that you have experience in prioritizing and helping with big important issues. This meeting is your chance to show them how you can work together to protect their network.
Bottom line: if you are interested in getting more people interested in getting an assessment, help them wrap their heads around risk. Get them to run a simple analysis and then show them a path forward.
Need a path forward for your MSP? One of the easiest ways to test your cyber stack is to sign up for a free cyber stack assessment.
