How Should MSPs Explain Cyber Security Risk?

In this new episode of MSP's Growth Show, we interviewed Caleb Christopher, founder of Infosec Consulting a security practice enabling SMB focused MSP's to deliver cyber security services to their clients. Caleb is a regular speaker for local business events, and regional IT and information security conferences. He's been published in Boardroom Magazine on the topic of cybersecurity, has 10 years experience in the security industry.


Time-Stamped Notes:

[05:35] 3 Main Things You Need to Master to Sell Cyber Security

[08:52] Understanding "Protect - Detect - Respond"

[09:40] Protect

[10:16] Detect

[10:39] Response

[119:21] Security budget

[12:44] "You are my MSP, are you my detector?"

[21:27] Turn an opportunity to sell an assessment

[27:59] You sell, I execute


3 Main Things You Need to Master to Sell Cyber Security

Derek: (05:35)

Say you're an MSP, you already in your mind and you've taken steps to invest in selling cybersecurity or more advanced security than what you currently offer clients, prospects, and you have an existing pipeline, but you're just not sure how to initiate that conversation with your clients or even with prospects on this. What Caleb is going to go through now is how he talks about security.

Caleb: (06:23)

Executives and salespeople at MSPs need to learn how to communicate the security concepts to business owners, or their customers, or potential customes  in a practical way, and part of that is I used a very heavily used the book “Made to stick” by Chip and Dan Heath, they go into things like “you've got to overcome what's called the curse of knowledge”, I've studied tons and tons, I know way too much to be able to talk to a lay person and make it make sense without relating these advanced concepts of things that they already understand.

You probably already do this in the sense of explaining how a network works, you talk about IP addresses and whatnot. We usually relate that to a neighborhood and what you're doing by saying “Hey, there's neighborhood, there's houses, there's a whole…”, there's years of understanding built into another person's head about what a network is, how it looks, how it works. “If I want to send a letter, I put it in my mailbox and somebody takes it to another house somewhere else”, that's how packets travel across the networks.

Those concepts if you can explain and use something they already understand as a starting point, then you can teach much more effectively. That's what we're going to see in this little model with the house, and these three columns “protect, detect and respond”.

The second thing that we need to be able to do is tell a story. If you can tell a real story or if you can help build one in their own heads, guide them through the creation of their own story, that's where the gut feeling, the secondary brain where they make the real decisions. If you can talk to that part of them and have them decide in your favor there, then everything else you say is just going to serve as ammunition for their real brain to make sense of why their gut chose you.

And then third, when you're doing this stuff, when you're building it tested on a lay person. My lovely wife puts up with a ton of my anecdotes while I try to figure out how to present something.


Understanding “Protect - Detect - Respond”

Caleb: (08:52)

So let's jump into this here and I'll work with you on this. During a business day you leave the house: what makes you comfortable enough to walk away from your home and know that it's not going to catch on fire? That somebody is not going to break in? What are the things that you do to protect your house?

Derek: (09:13)

Of course we have the locks on our doors, that's the bare minimum. We don't have ADT… so just talking to you makes me think I need to up my home security. Of course we have fire alarms, carbon monoxide... That's pretty much it, we don't have too much else going.

Caleb: (09:40)

This is one of the things I lead business owners through, either in person or in a group setting. We get answers like this and they'll tell me stuff all across the spectrum, right? There's protect, detect and respond. We're going to focus one column at a time.



To protect your house you may have a fence, you want to keep people out. The goal of protection is to keep people out, don't let them in, in the first place. You may have a scary dog and your house is up to electrical code, right? I don't want any fires because of something stupid happened in the walls.



You talked about Adt, you create an alarm systems, floodlights to light them up when they are, when they're walking through the yard, cameras if you have nosy neighbors maybe you should be thankful for them because they might detect a problem. If your dog barks, you have an alert system, you may have a smoke detector if there's problems like a fire.



Sometimes just yelling willll scare somebody off. You can call the police who will respond. You may have a safe room or carry a bat or keep one by the bed or whatever you've got there. If your dog bites kuddos, right? And then you may have to just evacuate. If there's a fire and it gets too bad or you can put it out with a fire extinguisher. But ultimately this is how you protect your house. When do you know how to use a fire extinguisher?

Derek: (11:12)

Right? You may not, you may just be waiting for it to actually happen and you assume you'll be able to figure it out. Which is probably not a good idea.

Caleb: (11:24)

I don't know anybody who has a home that does not have a smoke detector because my nose is not the thing I want to rely on to know that there's a fire when I'm asleep. A smoke detector is a very important part, without being alerted to a problem, you can't respond.

I would challenge someone to tell me that I can't get into their house if I really want to. Houses are made of stone and wood for the most part, a battery powered solves all will get me into your home if I really, really want to in one way or another. The point of that is that protection will always fail at some point. You know, you can protect and yoy need to, you need that fence, you need the locks on your doors, that's the standard stuff, you got to have it. But you also can't respond until you've done what, you have to detect.

You have to know that there's a problem before you can respond, the question here is, does your network have any smoke detectors? We transitioned from the house to a network, if you start this conversation with a business owner and talk about their house, if you can deliver it and they're, they're patient enough to go through the story with you, the real question becomes, do you have a smoke detector on your network?

Derek: (12:44)

If I were an existing client for an MSP, I might say, "well, you're my MSP, so you're kind of like my detector, right?" How would you articulate a response in that case where they're kind of pushing back on you a little bit?

Caleb: (13:10)

You can sell yourself a landmine if you go through this and don't expect that question, you have to look at this next chart, protect, detect, respond. Now we take it to a more technical network. You've got three types of controls, administrative, technical and physical controls.

When you're answering this, this business person who was asking, well, aren't you doing that detection? Who's doing that? You got to walk them through this chart, what are we doing to protect your network?

  • We've got some security policies
  • You've got some security awareness training -if you don't, you need it
  • You've got a firewall in place, that's your fence, that's your, your barking dog or whatever to alert on problems and try to keep things out. And that's the whole goal of this protect column is keep people out. Don't let the problem happen in the first place. You've got locks on your doors, you lock them at night, you may have a receptionist with a check in desk, all that stuff.

Then we've got this detect column, that's where the real question lies. And then as a customer of an MSP, you're generally more equipped, you're in a better spot as far as response goes because with an MSP in place, they've at least got more people if absolutely nothing else, but they'd probably have better response capabilities than any small business with one or two or three IT people does. You're pretty well equipped there.

Any MSP has alert mechanisms in place for technical problems, but that does not necessarily to security intelligence, it's a whole different ballgame, and the challenge is how do we explain to them that advanced security detection is not part of a standard managed security package.

Sometimes they feel betrayed or let down, I've done dozens and dozens of assessments, and when I get into explaining the problems that I find on the network, a lot of times I leave with a warning, “hey, don't go burning bridges just because of what you see here”. This is normal! You're going to see some problems and they're going to be real scary to you business owner, and this is normal!

Number one problem is that technical people don't know how to explain in a reasonable fashion to a business person the importance of real cyber security detection. Everybody knows they should, but they've got a firewall, right? That's not enough. Because again, go back to the house, look me in the eyes and tell me I can't get into your house if I really, really want to, the same is true of your network if somebody really wants in, they can and we'll get in at some point.

Are you comfortable right now based on the standard technology in place? Because managed services is a little bit of this, a little bit of this, and in some of this. Real security planning takes this whole matrix and this is the business owner's problem, not the MSP. There is a moral imperative on the MSP side to educate people so that they understand this and then to help provide it, but that doesn't mean it has to be free.

Cybersecurity again, is there's a shortage of talent, it's expensive and it's difficult to understand. And so it's a concentrated effort. I'd like to refer to the “Frankly, MSP” podcast-episode number 41, they interviewed somebody who was an MSP and they built a cybersecurity program from the ground up. The lady talks about how they spent a whole year preparing to deliver that, they built it, they did a lot of training. It takes a lot of time to transition to that. And while some of your competitors are doing that, what are you doing? That's the question.

To the business owner, yes, we're doing a little bit of all of this, but if you, you really need some advanced detection mechanisms in place, we can trip tickets on servers with too much storage or that are having problems, but those are symptoms of an underlying problem and not really like the blood test. We detect the cough and sneeze and not what's going on in the blood system if you want to take it from a medical analogy. It takes advanced testing, you've got to get some labs done to get this detection in place the way it's supposed to.

The central issue that we have to communicate to business owners, if we start with this house model, explain how it relates to the whole network there. Then we'd go to these questions:

    • What are you trying to protect? Which obviously is MSP, you can help them answer
    • What are your relevant threats? You're well positioned to help them answer that.
    • How comfortable are you, business owner, right now with your ability to detect and respond to threats? They need to be uncomfortable because it's a real problem that they're not facing.

When I go do cyber security assessments, one thing I stress to them is I'm not identifying new stuff, this was here before I got here. I'm shining light on risks you had before I got here. Whether you chose them or not, they exist, whether you chose to accept them or pursue things that caused the risk, they're here and you need to know about them so that you can decide what to do about them.

Guess who can't give the answer to how comfortable the business owner is with their ability to detect and respond to threats. It's not this guy, it's not the technician, it's not the MSP. Each business owner needs to be educated about this and face the question, how critical are you right now and what would you like to do about it?


Security Budget

Caleb (19:21)

When we look at this, with those questions in mind, we look at this now consider some dollar signs in here if your whole IT and security budget is wrapped up in this matrix, where is most of it's spent, I'll bet you can guess, if you're looking at it, firewalls in big bold, it's a protective control because people tend to think that protection is the most important thing, I want to keep people out in the first place, which is great that you have to keep people out, that's one of the basics. And then they think security is the IT guy's problem, that's the mistake that everybody makes. That security is not the specialty of a regular IT person, most of their budget is spent right here. You got eight more boxes to fill and you've spent 75 plus percent of your budget on this one box probably. Some people have different allocations, but this, this is a concept that business owners have to be introduced to.

Where are you spending your budget and where does it lie? Is it misallocated number one, are you spending enough? Number two, as you look at this chart and then number two, is it miss allocated? Do you need to move some of these dollar signs to other boxes? Generally yes, people do need to spend some more money in the detection column because you can respond, but only after you know there's a problem.

Would you rather find out by smelling with your nose when the house as well on fire or would you like to find out when the problem starts with smoke detector in their local area so you can put it out instead of letting the house burn down? Would you rather evacuate or put the fire out? Because we can always respond when we see the fire from the street, call the fire department but, you don't want to wait that long.

Derek: (21:10)

So what happens when you get to this point here? At least in your experience, you start showing the dollar signs and the business owners starts digging in a little bit more in terms of the budget allocation. What generally comes next?

Caleb: (21:27)

Well it usually turns into the opportunity to sell an assessment, going back to the doctor's analogy, “let's go do some blood tests, let's look and see what's going on under the hood and figure out where your most relevant threats are”. Only once you've assessed what's really going on, you can start a response plan.

What I do is I build a risk reduction roadmap, basically it's a three year budget, where we list all the projects. Nobody expects you to get an assessment and then fix everything on that list right away, not reasonable, not possible.

We've prioritized what are your highest priority things:

  • What do you do need to do today? If you don't have cyber insurance, get it today, get it yesterday!
  • What do we start doing in the next month? Usually password policies, it's unreal how many people have no complexity, short passwords enabled, and again, that goes back to the business owner. The business owner has to be comfortable with the settings that you choose and usually when I find that it's the business owner who says, no, I don't want to have to have people reset and passwords. If that's the tone that they set from the top, they need this education so that they can say, “oh yeah, it is worth it for Mary to have to reset her password once or twice a month because she keeps forgetting it, we need better password policies. So what do we do? What do we start doing yesterday? What do we start doing in the next 30 to 60 days? And then let's build a roadmap for the next, you know, 24, 36 months. While we know we need the upgrade, this, we know we need to add a 24, seven soc service because we can't staff at ourselves. How much does that cost? Can we plan for next year?”

If you build that and start working on it, then you're going to make continual progress and you're not going to be in the same spot you are this year because without that and without actually starting to move down that path in a year, you're going to be in the same spot. And that sucks.

Derek: (23:44)

This is great. This is a very reasonable conversation and important one to have with the client, but also with the prospect. Or it could be like the way to get your foot in the door with a company that has never met you before, they may already have someone internally or maybe another MSP that currently helps them. Is there a way that you open the conversation in a slightly different way? 

Caleb: (24:25)

I've given this on napkins next to people. It's weird, but rather than do a PowerPoint presentation with prepared slides, if you can get a whiteboard or a chalkboard, you can tap into that subconscious in people's mind. The person standing in the front of a room with a marker in their hand is the authority. If you can memorize this stuff and draw it, even if it doesn't look good and you forget some of the details, the fact that you're standing in front of a room or in front of somebody else and you're drawing this stuff for memory makes you an expert conversationally. Whether they like it or not there the back of their mind. 

This can be a door opener, I would caution those who want to open with this, they need to be able to deliver some of this yourself, nobody has to be perfect, nobody expects you to be perfect, but you do have to be able to deliver some of this stuff. That starts with an assessment. Go, go get an assessment from one of your customers. You can use it as a loss leader if you want to, but I think for the most part, they really should be paying for it. I don't give free doctor's visits if I know I need a checkup, I gotta go pay for it or pay my insurance that pays for it. That's when you start building the roadmap, it may be that when you start out, you have to outsource some of the stuff, you may not have to factory onto the authentication in house, but you know you can go find one and get you started up and next year we're going to have our own in house program and we'll move you to that you have to be able to deliver on this stuff. You can make people mad at their current MSP pretty easily, but you can also make a bad name for yourself if you just slinging mud going in and slinging mud.

Derek: (26:18)

Awesome. This has been very enlightening for me coming in as an outsider trying to support MSPs, many of them have an opportunity, unfortunately with the security risks that exist I find it a really important subject for me and I think for any MSP that doesn't have someone like you internally, the kind of help them take the next step in their business.

Caleb: (26:44)

I'm not interested in taking the market, I mean there's way more MSPs that need help than those I can help. Go learn stuff from the website I'm going to be adding more videos, training. I'll have this presentation, I'm working on making a video version of this presentation to have on there, it's not proprietary.

There's an author, David Stelzel, read his books they're really informative it gives the same talks with the same stuff. That's where I learned a lot of the stuff I'm doing here. It's a matter of education. Read, study, watch videos and learn to present.

Derek: (27:30)

I'll just say one more question or just a thought because the way you and I met was through our mutual client, Tom from NSI, and you described an MSP in another podcast that went around where it looks like she hire an internal Caleb and like build a department of Calebs?

Caleb: (27:59)

I think the lead generation with this model allows you to get up and running at low or no cost and you can partner with the right people and then start paying as you go. And in fact with my assessments that it doesn't cost you anything up front. You go sell it, let me know that you sold one based on the, a scope of work that I've built. Let me know that you sold it and then we'd go do it. You can sell it, I can execute it, and the same is true that marketing, we know how to open that door with the marketing from the security standpoint.

That was Avec, MSP podcast, episode 41, and this lady took a whole year, she hired quite a few people, he had like five new people. She took a whole year to do that.

What really clicked for me, why I'm doing this was when I left my previous job at the MSP, the owner had me write three job descriptions to replace me. And I realized, "Oh yeah, that's why I've been working in the evenings because there's so much to get done". I was working and studying a ton, we built a job description for security technician, we built a job description for a program manager, which you might be able to share that duty with somebody else, but they have to understand the implications of security and they have to be able to go evaluate cyber security products and services, and then you need a CISO, a Chief Information Security Officer or equivalent, somebody who understand security, who's got those high level concepts and can make business recommendations, not technical recommendations, because as security technician is going to recommend the best technical product that may not be the best fit for the business. I don't want advice from a technician on what to do with my business. So there's really three different roles that go into that, you're looking at what, $250,000 in salary between the three people that get started. And then you have to build a program when you guys sell it. Everybody should be working on developing that capability in house if they can, but it's not practical for everybody to just go do it. And meanwhile, some other people are figuring it out and they're going to start taking the market from you too.

You could start with a partner who has that capability and as you go through some of those assessments and salesmen and stuff and and start adding security products that are in line with the recommendations of those assessments, then you can start building that program out for yourself.

Derek: (30:27)

Yeah, I think that's been one of the most enlightening things for me is like, you know, my client, my MSP, like he has some technology partners that are fan, you know that are great and they provide a lot of sales enablement content, which is, which is fantastic, but sometimes it's a little bit the content that they provide as a little bit too salesy and I love how talking to someone who saw technology neutral, if you will like you who just who looks at it from a business standpoint, I think it's very helpful for me. So hopefully for, for whoever listens to this as well.

Caleb: (31:20)

One more thing, as we discussed yesterday, you were looking at some security product that was pretty fantastic had some great features and whatnot remind MSPs that while in business owners and MSPs are looking at these crazy fantastic security software, it's not a magic bullet, right? What they don't often tell you as those big fantastic softwares, they're either not multitenant or they require one or two dedicated full time staff to run them, which doesn't seem practical for the most part. You got to be careful about looking at this magic bullet software, their sale to you is there when your security or your implementation of security for somebody else is not necessarily the wind that they're trying to go for. Of course, they want to see you succeed, but they're done with the sale one once you've bought the software.

Derek: (32:14)

Absolutely. Great. Thanks again, and I'll make sure that we get some of those links that you mentioned in the APP in the final block for this.


Related Stories