How to Get Customer Buy-In for Cybersecurity

Most Organizations Are Overconfident When it Comes to Security

Infosec, cybersecurity, call it what you will; IT security is now firmly on the agenda of every business, right? You would certainly think so given the spate of high-profile attacks in recent months, such as those involving WannaCry and NotPetya. Yet for those organizations that managed to escape the attention of those particular threats, and for whom a legacy in-house data defence solution appears to be working just fine, a false sense of overconfidence often prevails (our recent survey found seven key areas where companies were failing with security—check out the full report here). Convincing these clients, who may already be happy with your other managed service offerings, to buy into security as a service can often feel like a Herculean task. 

But it doesn't have to be that way. The argument for managed security has never been stronger, and it's essential you get decision-makers to understand the reasons why.

The Wider Impact of a Security Breach

An unsecure customer risks playing Russian Roulette with its own data, but you also have to consider whether  the lack of security could also negatively impact you as a  managed service provider (MSP)—in terms of legal liability, resource wastage, and brand reputation. Although your client contracts can minimize legal liability through clauses regarding security, enforcing your contract clauses comes at a financial and reputational cost. The former can get out of hand if you are caught up in the investigatory process, despite not actually providing security services to the reluctant client. Reputational damage also impacts your bottom line, given that your embarrassed customer organization will be likely throwing blame in every direction except internally. The social media machine soon starts grinding when a breach is made public and can be very hard to stop. 

Educating customers on the benefits of buying into managed security services is key to your own good standing as well as that of the organization concerned. So where do you start? At the beginning, with threat denial syndrome, is the obvious place.

Breaking Through Threat Denial 

The problem with an “it won't happen to us” approach to security is that when the unthinkable happens, the organization is already on the reactive back foot. It's a bit like arguing against taking out an insurance policy by saying “if nothing happens for 10 years I will have enough to cover any losses and still be in profit,” which relies upon an awful big “if.” From a data protection perspective, that “if” becomes exponentially larger in the current climate of rampant cybercrime, state-sponsored actors, and hacktivist chancers. 

Being proactive is the only option that makes sense, by doing this you can help prevent breaches from happening in the first place. Demonstrate to the client your ability to do this providing examples of organizations using legacy solutions as leverage, and half the buy-in battle is won. It’s important to push the 360-degree nature of the managed offering, including web protection against malicious sites; patch management (particularly apt with the WannaCry threat); and mail security, which helps stop both phishing attacks and malware attachments. Explain how active device discovery measures can spot rogue/shadow IT before it does any damage; how your login checks can keep brute force attacks at bay, and how managed antivirus adds yet another layer to the defensive “onion.”

Why You Need a Fully Rounded Security Strategy

This doesn't mean that a managed service cannot also be reactive, and you'll need to explain to your cynical client that you have them covered even if a worst-case scenario becomes reality. Honesty is always the best policy, and admitting that no security system can guarantee 100% success should not be seen as a negative. Use it to bring up the fact that a fully rounded security strategy has to be prepared for such things, and demonstrate how virtual server recovery, hybrid cloud recovery, and other managed resources can help prevent a data disaster becoming a corporate crisis.

The technical solutions hurdle is a relatively easy one to jump, but budgetary concerns raise the bar. But again, this is an argument where the chips are stacked in your favour as an MSP. The bottom line is a universally understood bargaining tool, and connecting the risk of data breach to business finances is a relatively simple argument to make. Especially if your risk intelligence solution can make that argument for you. By placing a clear financial value on the liability inherent in client systems from vulnerabilities and poor access permissions (for example), it paints a picture that even the most security-blasé director can appreciate.

Making sure that security is part of your ongoing customer conversation is the way forward. It shouldn't need to be a hard sell, but it sure should be an essential one.

Davey has been writing about IT security for more than two decades, and is a three times winner of the BT Information Security Journalist of the Year title. An ex-hacker turned security consultant and journalist, Davey was given the prestigious 'Enigma' award for his 'lifetime contribution' to information security journalism in 2011.  You can follow Davey on Twitter^® at @happygeek

Find out how SolarWinds MSP’s layered protection can help you help your customers… click here

© 2017 SolarWinds MSP UK Ltd. All rights reserved.