Almost a year ago, Gartner published an article, authored by Kasey Panetta, titled “5 Security Questions Your Board Will Inevitably Ask”. In the spirit of spring cleaning, today is a good day to dust off this article and revisit. You can read the [Full Article Here] but I’ll summarize below.
The premise of the article was that the leadership teams of public and private companies are going to be asked more and more security questions, and they should be prepared for the answers. I know what you’re thinking – “My MSP does a great job of securing our customers, this doesn’t apply to me!” Here’s why you’re wrong: Because “stuff” flows downhill – When that CEO gets asked those questions and doesn’t have the right answers at his fingertips, his first call will be to the outsourced IT company. He or she will be embarrassed that they didn’t have the right answers and will be expecting immediate, well-crafted responses to take back to their board – because he/she is in the hot seat! I want to enable you to avoid this phone call all together, because I believe it damages your client relationship and creates an urgent issue that was 100% preventable.
For a quick summary, here are the questions covered in the article:
- The incident question – What it sounds like: How did this happen? I thought you had this under control? What went wrong?
- The trade-off question – What it sounds like: Are we 100% secure? Are you sure?
- The landscape question – What it sounds like: How bad is it out there? What about what happened at X company? How are we compared to others?
- The risk question – What it sounds like: Do we know what our risks are? What keeps you up at night?
- The performance question – What it sounds like: Are we appropriately allocating resources? Are we spending enough? Why are we spending so much?
The article does a nice job of explaining “why do we care” from your customer’s point of view, but as an MSP a lot of our job is the education (think: care and feeding) of our clients. I would argue that it is your job to make sure your clients are prepared for these questions before they are asked. If you’re the 1% of MSPs who is 100% confident you’ve already delivered this value to your client – stop reading, go crack a beer and relax – your MSP is probably already running on auto-pilot. The next several paragraphs are for the other 99% of you…
The Gartner article was written from the perspective of the CEO or other leadership team members being prepared to answer questions around the security posture of their organization. I am, instead, looking at this from the perspective of the MSP and how you can enable your customers to answer these questions – so let’s start with asking “what do all of these questions have in common?”
The answer is simply, “The Answer”.
(I’m so happy that for once, I didn’t have to say, “it depends”)
When your clients can answer any and all of the questions proposed by the author, you are winning. In my mind, the perfect answer sounds something like this:
“We have regular cyber security reviews with our MSP. They explain the current threat landscape to us in plain English and help us to understand the trade-offs of action vs. inaction when addressing new threats and even new opportunities around technology. With their help we are addressing regulation and vendor risk management in a proactive fashion and are on track to meet our goals. Our MSP also works with us to create and manage the technology portion of the budget and to prepare our incident response plans for when a breach does inevitably occur. Our most recent tabletop exercises were performed last quarter and remediation steps have been taken to address several identified deficiencies. While we want to prevent it at all cost, our leadership team feels we are in the know, aware, and prepared to address a breach or other technology incident when it happens.”
Improve upon it as you will, but when your clients can formulate a response similar to this one when talking to their board of directors, you have achieved MSP nirvana – it’s your mic drop moment. Game over, you win, this is a customer for life. So let’s break down that answer to talk about why this answer to these questions is such a winner.
First, the ability of your customer to formulate this answer shows that they are operating at a level of operational maturity beyond most of their competitors – you have given them a competitive advantage in their own market segment. The answer demonstrates that your customer understands that breach is inevitable. Wes Spencer from Perch Cyber Security has been talking a lot about the Assume Breach mentality. If your client still thinks that breach is something they can avoid, then you have failed them. If your clients are having regular incident response conversations about how the organization will react (with your help) WHEN a breach occurs, then you are already in a better place than most – congratulations. If you aren’t, follow Wes on social, but also follow his lead. He’s articulating a message that many of us have known for a long time but haven’t been able to put into such well formulated dialog.
Second, the ability to formulate an answer like the one above shows that your customer’s entire leadership team is involved and actively participating in a culture of improving technology outcomes (on the P&L and as it relates to security, stability, and reliability). The best part is that in order to answer these questions well, your customers must be deeply engaged with you and consuming tons of your products, services, and best practices! These should be profitable clients to your MSP who are also raving fans because they are consuming enough of your solution that they are getting predictable outcomes (back to security, stability, and reliability).
Finally, these customers will be more likely to accept your recommendations and best practices because you are essentially helping them address the concerns of their bosses and the pains of their businesses. This creates a more mature environment around information security where significant investments can be made into the people, processes, and products deployed in the organization… Take note that I put people first in that statement. As my friend and infosec thought leader, Brian Blakely says, “People are the MOST important part of your infosec program. Not the weak link. Invest your resources in people. Help people. Educate people. Support people.”
To your clients, that means investing in their people. As an MSP, that extends to taking the time to invest in the leadership teams within your client organizations. Present them with forward looking strategic information at every interaction. Coach them, help them, lead them and prepare them for questions like the ones above. If you have a client who has their head buried in the sand and is trying to ignore technology, ask them how comfortable they would be answering these questions to their board of directors (or their spouse, investors, or business partners, if they don’t have a board). These topics should be a door opener for you to engage your clients and to mature how their companies handle technology. Don’t use them to create fear, use them to create culture.
If your MSP is struggling to figure out how to have these conversations with your customers, schedule a call so we can discuss how Lifecycle Insights can help you lay the groundwork for having more proactive and strategic conversations with your clients.
