Scenario #2: The prospect has already had a bad security experience
This one is a bit easier because if they already understand the threat and the risk they do not need to be convinced. The key here is to listen first. Do not assume that you know what they have been through. By listening to their story, you will assuredly pick up which pain points were their biggest concerns so you can address them specifically when you begin your pitch.
The presentation: How to present a security-forward sales pitch
As usual, remember to present benefits rather than features. Only a handful of prospects will actually understand your features. When explained in the context of how they prevent the risks mentioned above, they can apply those features to their needs. You can frame a presentation around the three key ideas of prevention, remediation, and recovery.
- Prevention is all of the proactive services you put in place to prevent threats from breaking in. This includes user education, firewalls, web filtering, email filtering, and patch management to name a few.
- Remediation is what happens when something gets in. Managed antivirus and endpoint detection and response (EDR) are the prime components of this more reactive component.
- Recovery is the final layer of security. When all else fails, how are you going to restore a customer from a devastating breach, hardware failure, or catastrophic event such as fire or water damage.
Presenting within this framework shows prospects what you are prepared to do—not only to prevent a threat from affecting their business but also in the event that it does. Most security experts agree that it is not a matter of if, but when a business will have some type of security breach. Because of this, it is extremely important that remediation and recovery be part of your security offering.
The close: Never forget to ask for the sale
Yes, I know it sounds cheesy, but so many of us have done a great presentation and then simply asked the prospect what they want to do. As an expert, it is up to you to tell them what they should do. Once you finish with the presentation, ask a few probing questions, like:
- How much would it cost them to be down for a day? A week? A month?
- Do they have access to customer data like credit cards, health information, etc. that could be stolen and used against their customers? What do they think the liability is if they are breached?
- Are they a vendor with access to the systems of other businesses? What do they think the liability is if those businesses are breached by way of their business?
- What is their tolerance for risk?
Once you have had a conversation around these, present your plan of action. Most likely you are not prepared on the spot to present them with a quote so you must determine the call to action appropriate for this point. If you have enough information to start preparing a quote, schedule the next meeting to present a quote. If you need to do some basic reconnaissance of their systems first, schedule that. Whatever you do, always ensure you have a concrete next action that will move the process forward.
Security is no longer the luxury add-on as it was previously. The most likely threat to a business is no longer hardware failure, fire, or storm. The threat will most likely come from an outside actor, an internal employee, or vendor with access to their systems. It is for this reason that security must be a primary concern and is absolutely vital to business continuity. It is your job as IT service providers to educate the owners and decision makers of these threats and more importantly how you can mitigate those risks.
Eric Anthony is principal of customer experience at SolarWinds MSP. Before joining SolarWinds, Eric ran his own managed services provider business for over six years.
You can follow Eric on Twitter at @EricAnthonyMSP