The following is an edited excerpt from the book Simplified Security Sales for MSPs.
Cybersecurity sales is about selling risk mitigation, and there are two arguments you must prove. First, a cybersecurity incident will be highly impactful to the organization. Second, an incident is highly likely to happen. If you fail to prove either point, you are in the “”zone of think about it.””
Look at these two arguments through the lens of an attorney in a high-profile court case. First, you must prove that a cybersecurity incident would have a disastrous impact on the prospect’s business. We (as technology professionals) are at a disadvantage, because we have lived through the reality of a cyber incident. We know firsthand how a company is affected during and after an attack. But your clients and prospects have not walked that mile in your shoes. They have not experienced the absolute devastation, frustration, and sense of violation that come from a cybersecurity incident. You must convince them.
Some of the argument can be made through your discovery process. But another part should be made through your marketing. Use emails, blogs, and social media posts. Share news stories of companies in your niche or in your town that have been through a ransomware incident or a breach of some type. Especially relevant are public interest pieces where a practice manager or office manager was interviewed.
These individuals will share the kinds of implications that help your prospects and clients truly understand the impact of a cybersecurity attack at the personal level—such as needing to bill manually or searching printed files for phone numbers because electronic records weren’t accessible. They will tell how their CEO or managing partner had to work 20 hours each day (for a week or more) and that they still don’t know how bad the damage is or how long the CEO can keep burning the midnight oil. This unsung hero will also recount how they could not manufacture their product, track time, or bill clients. Most of all, they will share how they felt during the whole ordeal.
These very real stories underscore the fact that you can’t simply write a check for $50,000 to pay the ransom and move on. Recovering from an incident is significantly more difficult than that.
Have you presented enough evidence to convince the jury (in this case, your prospect) beyond a resonable doubt that they should care about cybersecurity because of the implications to their business? If you have not proven your case, then you must continue the conversation, because you almost certainly will not make the sale.
Now, you must prove the likelihood an attack will occur. This part is a bit tougher using only conversation or sharing newspaper articles, because the prospect will likely feel it can’t happen to them. This is why you must perform a risk assessment. It is impossible to argue with the black-and-white results of a risk assessment, which present an objective reality of their current state.
You will be able to show the prospect clearly defined results that will make your case for you. This should be enough to convince them that (should they stay in their current unprotected or underprotected state) a significant security incident is likely to happen. Incidentally, more than 80% of companies had a security event in the past year, according to industry research. The vast majority did not know they were vulnerable—likely because they did not have a risk assessment performed.
Once your prospect realizes that an incident is highly likely to happen to them and that there will be a highly probable, significant impact on their company, then you have enough leverage to ask for the sale.
JENNIFER BLEAM, owner and founder of MSP Sales Revolution, is the author of Simplified Security Sales for MSPs. She is an award-winning speaker and respected leader in the channel, having coached over 1,000 MSPs on marketing and sales best practices.