9 questions that are key to selling cybersecurity
Selling security is hard enough when you can sit across from a prospect, but now the realities of lockdown and social distancing create even more roadblocks. How can managed service providers (MSPs) who want to add cybersecurity services to their offering get started in today’s virtual business world?
And considering many of the changes in how we do business, such as remote work, are long-term (if not permanent), how can MSPs alter what they are doing so they can still compete and thrive.
Recently, I virtually sat down with Erick Simpson, co-founder of one of the first pure-play MSPs in the industry and the creator of the MSP Mastered methodology, to get his insights into how MSPs can successfully sell security in a virtual environment. The takeaway from that conversation is that while there will always be challenges in any transitional period, the reality is that those changes have created unique selling opportunities for MSPs who know how to ask the right questions.
After all, security is the number one concern for business owners today, and MSPs are in a great position to address their concerns.
The key is getting those prospects to relax enough so you can have a conversation with a prospect about a sensitive topic like their security, qualify them as a lead, and then demonstrate you have the expertise to answer the concerns they have and issues they might not have on their radar.
“I want to have the prospect imagine the worst thing that could happen if we didn't address these needs,” he explained because that will inject the sense of urgency needed to raise the sales temperature.
Nine questions to sell security
Erick detailed several useful questions that MSPs can use to qualify a lead while also establishing expertise and building trust, some of which were drawn from the free Cybersecurity Assessment Questionnaire tool Acronis makes available to MSPs.
1. What security systems do you have in place today? This question can be the cornerstone of the conversation, allowing the MSP to drill down into the current needs and gaps as they get the response.
2. What regulations and standards apply to you? This may be obvious for those MSPs focused on vertical markets that are regulated. Erick calls it the sweet spot for security service providers. But even if a prospect doesn't need to adhere to any kind of regulations or regulatory compliance, it’s an opportunity to focus on the best security practices an MSP can deliver – enabling them to connect the best solution to strengthen the prospects security posture.
3. Is all of your sensitive data identified and encrypted? This question opens up a lot, notes Erick, because the prospect might not even know what it means or what the implications are. They've got personal identifiable information (PII) of their staff and customers, as well as things like credit card numbers in systems that they have no idea about. The MSP can educate them and establish their credibility.
4. What are your high-risk systems and platforms? “Let's see if they know what counts as high risk.” You'll be asking them questions about things they aren't even thinking about – things that should be on that list – which builds trust and credibility.
5. Do you provide security awareness training for staff? Erick points out that most organizations do not, which creates a great opportunity to reflect on the fact that once the issues mentioned above are addressed, the biggest potential for a security incident is generated by the staff themselves. If they don't know what a phishing email looks like or the risks fake websites pose for stealing their login credentials, the company's platforms and applications are put in immediate danger.
6. Are you regularly scanning all the data on your network, including backups and archives for malware? This question ensures that every client and prospect is maintaining pristine backups, and the MSP is preventing compromised data from being included in future backups and, more importantly, future restores.
7. Have you created and maintained a comprehensive incident response plan? The reality is a successful cyberattack isn’t a question of if, but rather of when. Having a guide in place that will guide a client’s response during a security breach is critical, but it’s surprising how many don’t have one. If they don’t, you have a service ready to sell.
8. How would a security breach affect your business? How about your company's morale? What about your customer relationships? What if your company and customer data were stolen and available on the dark web? What kind of a PR nightmare would that kind of breach create for them? Some MSPs following this question approach are even doing research in advance and showing prospects that their data already is on the dark web because that is a sure-fire way to get the appointment.
“The goal is to get the client thinking about things other beyond their immediate pain points – so layout the most significant business impact they are likely to face, but haven’t thought of,” Erick suggests. “As it pertains to security, I'm trying to get the prospect to give me more data that I can use to deliver a compelling sales presentation. And this is all valuable data that I'm going to use to win their business and get them the service and support they need.”
Another question that can help close the deal:
9. Do you have to ask your MSP to advise on improvements needed in your security posture, or are they providing that to you? This is a great wedge question because the reality is “I know they're not bringing it to you because you're sitting here with me right now.”
Practice breeds success
Asking these kinds of questions can make some people uncomfortable, so Erick’s stressed that MSPs need to practice them so they come out naturally when talking to a prospect.
“Practice these questions. You don't want these to feel awkward when you ask them, and you certainly don't want to feel so awkward that you don't ask them,” he notes. “These are the questions that really dig deep and get the client to increase their buying temperature – but you have to be completely in character when you ask them.”
In addition to helping uncover the vital facts needed to create a winning sales pitch, the MSP is underscoring the value they can provide to clients.
“You also need to let them know you can help, so give them that relief after you freak them out a bit,” Erick recommends. “Say ‘Don't worry. We got this. We can help.’”
More practical insights
As difficult as selling cybersecurity can be, the current environment of remote work puts security top of mind for most business owners. Erick’s suggests that makes it easier now.
“One thing that I love about leading with cybersecurity is that whether or not there's an incumbent IT provider in the mix, you can still set the appointment because you're bringing additional knowledge – and maybe evidence of a security issue – to your prospects that these other providers are not.”
Erick and other channel experts will be sharing more of these kinds of actionable insights at next month’s Acronis Global Cyber Summit 2020. This three-day, free virtual conference covers the advances in technologies and strategies that can help MSPs build a service offering delivering modern cyber protection.