Client Engagement in 2021 New Features
By Denes Purnhauser on December 10 2020
At Managed Services Platform our vision has always been to turn technically heavy client meetings into engaging value added business conversations.
2020 has brought new challenges for Account Managers and vCIOs. Client meetings became remote, the duration of sessions shrank, the topics in QBRs steadily increased and clients got very apprehensive about investing in general.
We would like to go through the upcoming new features to make sure you can solve those challenges.
#1 - Communicate cyber security with executives
Despite all the trends favouring cyber security related services, the gap is still growing between the real value of cyber security services and their perceived business value. Cyber security assessments are technical; executives do not see the value of investing in cyber security and often expect it to be covered by the service providers already.
One of the major features focuses on cyber security communication. We have not just created a new solution set for NIST Cyber Security Communication; the Essential 8 for Australia and Cyber Essentials (EU) are on the way too. The report’s proposal section, together with the proposal feature, gives you a complete communication tool to make sure executives get to the point of making decisions and you can demonstrate the value over time.
These new functions not only enable a better conversation about cyber security but make you more productive too.
#2 - COMMUNICATING HW/SW ASSET UPGRADES TO EXECUTIVES WITHOUT BEING SALESY
Hardware lifecycle management is critical. Careful though - explaining the investments needed as a result of out-of-warranty issues can feel salesy and lack the business sense of hardware replacements.
The new asset management features allow you to import both hardware and software assets from your various systems. You can associate the assets with project templates. This way you can use the project templates to explain the business cases for the hardware upgrades in an easier way. For example, amend the communication from a “servers out of warranty” technology narrative to a “server modernization” business narrative.
These new functions not only enable a better conversation about hardware asset and lifecycle management but make you more productive too.
#3 - GET PROJECTS APPROVED AFTER QBRS WITHOUT A LENGTHY QUOTE PROCESS
The more time passes between the client meeting and proposal/quote the less likely the project will be authorized. The quicker you can let them sign a proposal the greater the likelihood of winning projects will be.
The new proposal features allow you to generate a proposal in seconds based on your projects in the report. You can list the projects for which you need authorization, send a tokenized link and let the client sign off. These proposals can be considered letters of intent and also mean you can block the budget for projects quickly. This lets you get the ball rolling as soon as possible.
The new functions not only help to close more project and service revenues but save time for both you and your clients.
#4 - SPENDING TOO MUCH TIME SETTING PRIORITIES TO MAKE SURE ALL CLIENT MEETINGS ARE DONE ON TIME?
Most of your clients need more touchpoints with you remotely. The more client meetings you need to handle the more likely clients will slip between the cracks.
The new Client Touchpoint features help you to seal those cracks. They allow you to set reminders for clients based on their annual, quarterly or even monthly touchpoint segments. We remind your team about the clients who need to be contacted in the given period and we list the clients who are at risk. We also let you send all client touchpoints to your Connectwise/Autotask as tickets.
These new functions not only deliver peace of mind but also increase the execution of client meetings.
#5 - STREAMLINE THE COMPLETE CLIENT MEETING PROCESS ACROSS PSAS
To streamline your client meetings you need to get information from your PSA before the session and usually have to pass info back for the team to execute. Now both PSAs have the complete workflow.
Before your meeting you can sync the projects, opportunities and assets from clients so that you can prepare for the meetings in minutes. Then after your session you are able to pass back tickets, projects, opportunities to your team closing the loop. We add more functions to Connectwise and revamp the complete Autotask integration.
These functions not only speed up the process but also provide a complete repeatable process for client meetings.
We will release the functions from December 2020 until early February 2021. Keep an eye on the blog for the upcoming functions.
How to bridge the gap between cyber security technologies and business value
By Denes Purnhauser on December 3 2020
The borders of the network have disappeared, and people have moved out of the office with minimal focus on securing their remote environment. Ransomware events are increasing in both frequency and amounts demanded. Compliance and certification are getting more focus as governments move to support cyber security initiatives. The news is full of talk about security concerns.
Despite all the trends favouring cyber security related services, the gap is still growing between the real value of cyber security services and their perceived business value.
In this article we look at why MSPs still seem to be struggling to articulate the business value of higher cyber security standards, create proper business development plans and capture the market opportunity. That leads to all kinds of problems for clients, including not being protected. Bad executive decisions mean MSPs cannot monetize cyber security services and end up hurting their bottom lines.
We are going to go through the 4 main challenges creating the gap between the technology service providers and the clients. The interesting thing is that all four major challenges are related to miscommunication.
Just a step back before we jump in on the communication issues and the potential fixes.
We all know that cyber security issues have increased because technology affects personal lives and businesses deeper and wider.
Most of the cyber security related issues are invisible to users and business owners.
Most of these issues cannot be solved by implementing another technology; they require a change in user and executive behaviour.
That means solving the problem is not really a technology problem but a leadership one. Solving the issues won’t come by just implementing more solutions. Service providers need to actually take leadership and guide the clients through this transformation.
Most service providers, though they’ve shown years of excellence providing best of class services, have no experience in stepping forward to lead people through behaviour changes.
Therefore the way to solve cyber security problems is NOT to apply a technology solution but to apply business leadership. The gap is getting wider between cyber security services and perceived business value as the service providers are applying more tech instead of more leadership.
Let’s see how MSPs are making this happen.
Communication Issue 1 - Technology Context
MSPs often see and communicate the issues from the technology perspective.
- firewall needs replacement
- MFA should be adopted
- stronger passwords need to be implemented
These are all technology related solutions and so they create a technology context for the conversation. Many of these are acute issues so the MSPs try everything to convince these executives to implement those solutions.
The problem is that clients get turned off, maybe seeing MSPs as pitching products and services taking advantage of their lack of knowledge. Of course this is the opposite of the original intent.
How to fix: Apply Business Context
If the communication generates a business context then MSPs can apply the solutions in the client’s frame of reference rather than their own. MSPs should ask questions to lead executives toward better decisions.
- How comfortable are you with your current ability to respond to a detected cyber incident?
- What would it mean for your reputation, your clients’ perception or the organization’s day if a ransomware attack locked up your systems?
- What do you think your role as a business owner is in providing a secure and low risk environment to your employees, clients and stakeholders?
The result is a business conversation where the MSP can understand the executive’s thinking process and give their input about a potential false assumption or offer more help in understanding the potential impact of issues. The goal is not to convince them that cyber security is important but to furnish them with the perceptual framework so they understand the risks and their role.
Communication Issue 2 - Technology Assessments
The market has been flooded with different kinds of cyber security assessments. The better ones follow a framework such as NIST CSF (US) / Essential Eight (AU) / Cyber Essentials (UK). These assessment software solutions help MSPs to streamline and automate a conversation about cyber security, risk assessments and remediation plans.
Although we believe this is the way to go, the major issue with these attempts is that they are driven by technology people in a technology context. These assessments check the security posture against various threats and try to convince executives to fix those with various technology tricks.
How to fix: Business Assessments
These assessments should be backed by cyber security frameworks such as NIST CSF (US). However, the recommendations should be easy-to-understand business action plans for executives. These reports should purposefully be delivered by account managers and not technology people. If the results and recommendations are delivered from a business perspective, there is always an option to go in depth with technology people. However, the conversation stays on a business level in general.
The benefit is that the Account Managers are forced to look for the business use cases and can filter out the unnecessary tech talk from these assessments. Obviously the preparation of these assessments comes from the technology side, but the presentation and the leadership will be on the business level.
That gives executives the relief of speaking the same language and forces the account managers to effectively communicate the business value instead of listing technology recommendations.
Communication Issue 3 - Technology Solutions
Most cyber security assessments list an overwhelming amount of technology recommendations - systems to implement, hardware to purchase, upgrades, policy and compliance activities and other things an average client will not comprehend. This leads to confusion and confused people make default decisions. The default decision is obviously to do nothing. This is very easy to do as most of these technology recommendations yield benefits that are not tangible.
How to fix: Business Action Plan
Instead of listing a recommendation such as “Implement Multi Factor Authentication Solution”, which is a “solution” narrative, move to a business benefit narrative: “Prevent unauthorized access even with a password breach”. Or, instead of “Security Awareness Training”, which is a solution, use the benefit: “Building a Cyber Vigilant Employee Culture”.
Now you are able to list those benefits as projects, and you can list the activities behind the projects such as implementing technologies, but the narrative is business friendly. That communication encourages better decisions and demonstrates the benefits of the initiatives instead of leaving clients confused by a plethora of technology solutions.
Communication Issue 4 - Development Projects
Many MSPs are longing for a “big bang” revolutionary cyber security project to be purchased by the client. The assessment remediation projects can be done from the technology perspective in weeks or months. They try to sell the project and probably try to move the client from a low maturity to a super high maturity level quickly. Yes, when companies had to face lockdowns they reacted and adopted change quickly. However if external forces are not that powerful the adoption of change is very slow.
How to fix: Development Process
Seeing cyber security as a “never-ending development process” instead of a “one-off project” has many advantages. The MSP does not have to force all changes quickly; they can distribute the projects over months and prioritize the low-hanging fruit. It also allows the MSP to bring up cyber security-related initiatives for sign-off quarterly. That makes it a standard agenda item based on the bigger roadmap. So account managers do not have to convince executives all the time, but help them take one step at a time to establish a less risky business over time.
As you can see, these 4 communication challenges and potential fixes are nothing but a change in your perspective.
- think about the client’s point of view
- have a business conversation instead of technology presentation
- enforce a benefit narrative rather than a solution narrative
- think about a slow burn culture change instead of a quick revolution
That turns you into a true advisor, sought after business partner and a communication expert. It will enable you to secure all your clients, reduce your business risk and make your business more profitable.
If you cannot break those old habits then the gap will widen between your technology services and the perceived business value your clients see. That leads to endless arguments with your clients about why they need to invest more in technology and a stagnating and less profitable business.
Debate on All In vs. Modular MSP pricing
By Denes Purnhauser on January 30 2020
The Managed Services business was created from the traditional suite of desktop management, backup, network and server support. Most MSPs are now offering various services outside the traditional managed infrastructure scope: application management, additional cyber security or virtual CIO services. This is the evolution of managed services, and the right way to go. However, many MSPs have just reactively added some of these services to stay relevant to their customers and protect the core MSP services. They might call themselves "your IT department." Let's check out why it’s a problem and what to do about it.
The problems
Here’s a quick overview of the pitfalls of adding more to your managed services delivery without proportional monetization.
- Application Management, IT Security, and vCIO services don’t fall into the core MSP value proposition. Mixing them into the Managed Infrastructure Services creates confusion. The current IT infrastructure expertise was not always so convertible to process, business, or security expertise. Clients may have trouble believing you’re qualified for the others.
- These additional services create confusion in your messaging as well. What makes you better than your competition if you can’t clearly differentiate yourself? If you just mesh these services into the MSP package, they and the value perceived get lost as "features of the MSP program" rather than stand-alone products.
- As you add services, your MSP offering becomes more expensive. Your competition can still claim the same offering, though it isn’t, and at a lower price point. Clients will see no differentiation and not understand what makes you more expensive.
- If you stack all these services together, you lose flexibility. Clients may not need some of what they’re paying for, so you’ll lose the ability to deliver packages suited to the primary need/lower maturity/small client segment.
This all means if you keep doing the one-size-fits-all "we are your IT department" package, you’ll be lowering your shield to where the competition can hurt you and also dulling your sword in terms of new client acquisition.
What to do
Let's quickly cover some strategies you can apply to make this trend your friend and not your enemy.
- List out the value propositions you’re offering. Managed Infrastructure, Managed Applications, Managed NIST Cyber Security or vCIO. You can add to the list if you need, just make sure you define each as a value category that makes sense to the end client.
- List out all the services you do for your clients and try to place them into the categories. What you’ll see is your complex offering start to make more sense, with an internal consistency that’s both easier to describe and to get the client invested.
- Treat your listed services as your modular (e.g. LEGO) building blocks. Now you can start building up different service bundles based on those blocks. If you focus on the differentiation between Application Management, IT security or vCIO, you will see how you can actually have service bundles as stand-alone products rather than just added features.
Because all your services are going to be in bundles your tech people will have no difficulty knowing what each client has. Also because most of the categories are not related to their infrastructure job, you aren’t creating more complexity on the execution side.
- If you’ve crafted some bundles, you may consider creating a basic and a premium offering for each product line. You can end up, for example, with four product lines, two versions each. A basic package will be good for entry level stuff like a small advisory as a vCIO and some starting IT security in the packages.
- Now you can deliver a proper service offering for each client and prospect based on their needs. For example, an accounting firm will have Premium IT Security, Managed Service and Basic vCIO and Application management, whereas an engineering firm will need Premium App management, vCIO, MSP and a basic security package.
Benefits and tradeoffs
Let's see some pros and cons for this strategy.
Benefits:
- Now you’re able to give your clients a more tailored offering, and they’ll see that it suits them best, because you could give them a choice.
- Now you can maximize the monetization and profit for each package, because you don’t have to deal with competitive pricing.
- Now you can keep up-selling as their maturity grows, and eventually offer them all premium offerings in years to come.
- Now you can differentiate yourself and get into the battle where the prospect has a strong MSP but the IT Security, App management or vCIO is weak.
- Now you can communicate online and better convert on your website, as three value propositions are not commodities (only the infrastructure component is).
Tradeoffs:
- You have to productize the services and define each clearly (we’ve already defined 100+ services for you in a high level of detail).
- You have to keep clients in their swimming lanes with proper account management and internal service management (quarterly business review with discussion is enough in most cases)
- You need the discipline to sell what you deliver and deliver what you sell. With production it’s not a problem, but still a new item.
Just for fun... remember, in 2008 there was only one iPhone available. How about today? Why do you think Apple has more options in colour, size and storage today?
Conclusion
Consider the benefits and tradeoffs of moving to a different pricing model. Your managed service will be evolving at a more rapid pace as client needs evolve. It’s up to you to create a model which will manage these changes reliably. If not, you’ll have a very stiff and rigid model giving away a tremendous amount of value and sacrificing opportunity and service all at once.
Accelerate Your Growth with the new features just released
By Denes Purnhauser on October 18 2019
I am happy to introduce the sets of software features, updated templates, expert guide content and super specific programs to accelerate your growth! If your Account Management is not producing project revenues, your vCIO is not getting paid for advice, your Sales people are not getting leads or your cyber security services are not being sold then this release is for you! This is what we are going to cover:
- New Software Features for Growth
- Expert Guides for Growth
- Role Specific Programs for Growth
- Quarterly Sprints for Growth
1. New software features for Growth
One competitive advantage can be to build your MSP faster, design and communicate services better, create better client experience and become a high-value business partner.
Integrating these functions into one platform will generate momentum and even solving one bottleneck at a time keeps that momentum building. You don’t need to master everything all at once - just one at a time - then ride the momentum to reap the results as you move on to the next bottleneck.
New Features to Help Inspire High-Value Client Conversations
During the 2019 Q4 release we were focused on making you a master communicator as an Account Manager, vCIO, Technical Account Manager, Owner, Salesperson or even as a virtual Chief Information Officer.
Some of the major focus areas:
Sections: Organize your reports better into sections, open them for clients and focus on the content you are about to deliver or the decisions you want to support.
Questionnaire: Get involvement by conducting questionnaires up front. Use the results for an audit, checklist or a general progress report. More involvement leads to more commitment.
Calculators: Turning vague ideas into specific numbers, percentages or dollar amounts will facilitate communication. Use calculators with clients together for clarity and collect evidence to support their decisions.
Snapshot: Taking occasional snapshots will build a story about the problems they had, the solutions you provided and the growth they achieved with your help.
Integrations: Use more tools from your stack like BrightGauge, Office365 or SmileBack to pull out detailed data whenever you want to underline your message or show evidence.
Audience: Communicate to the right audience by selecting client side roles such as CEO, CFO, Office Manager or IT Coordinator. Log the meeting based on their seniority and collect Client Engagement Scores.
Infographics: Get your ideas across with modern visuals, interactive drawings, timelines, processes or charts. Customize your own graphics or embed auto updating partner infographics for changing content.
Scorecards: Simplify things with quick ratings. Gather user feedback, executive opinion or even the internal team's perception of scorecards. Send surveys or complete within the report and showcase scorecards.
New Features Help You Focus and Boost Productivity
The other big focus of the 2019 Q4 release is your execution efficiency. There are dashboards that show aggregated information, a renewed Connectwise integration and many small workflow related UI enhancements to do more with less.
Standard Adoption Score Dashboard: Have a quick glance at the current rate of adoption of your technology stack. You can set different scores for different segments and measure with attention to your diverse clientele.
Growth Score Dashboard: Identify the amount of revenue in your deal pipeline and where revenues are stuck. Find out why you can’t move from planning to approval or why projects aren’t closed and billed.
Client Engagement Dashboard: Keep tabs on your high-value clients and be confident they all have regular meetings and are engaged. Even a substantially cheaper offer won’t undermine your value and they’ll stay.
Master Roadmap Portfolio: Forecast workload, budget and analyze projects together to be able to push certain initiatives further or close them faster to meet your resource allocation needs.
New Connectwise integration: Generate Connectwise opportunities and projects from the platform and keep those opportunities and projects synced with your PSA and your roadmap. This is a true two-way integration to sync account management with the service team.
Task Library: Simplify operations and communications by predefining tasks needed to meet the technology best practices. Connect library items to your scores and auto-generate tickets in Connectwise.
Multiple Seniorities: Assign different client-side roles to your contacts to make sure you have all types of conversations you need with the strategic, tactical and technical business roles.
Expanded New Templates: Updated templates for the Client Engagement Excellence Program are ready for you. A brand new Quarterly Business Review with visuals, dashboards and partner content will help you get inspired and build the report that will support your goals.
2. Expert Guides for Growth
Choose a role you want to explore further and watch the short video for inspiration. Expert guides will walk you through how to grow your business with that role.
How to grow with Account Management
Sell High-Value, standard projects with a proactive process - by Myles Olson
How to grow with vCIO
Drive Strategic Conversations and take on the execution by Adam Walter
How to grow with Technical Account Management
Develop Technology Standards and get all your clients to adopt - by Skip Ziegler
How to grow with Sales
Generate qualified leads and differentiate with client experience - by Mark Woldman
How to grow with cyber security
Make cyber security make sense to clients and offer packages they can buy - by Caleb Christopher
How to grow with Focus on Execution
Create structures for AM/vCIO, keep the team in focus and ensure accountability - by Elissa Kulczycki
3. Role Specific Programs for Growth
We are introducing role specific SMART goals for you to accelerate your growth with one role at a time.
- Account Managers: Generate $100.000 project revenues in 10 strategy driven QBRs
- How to grow with vCIO: Upgrade 3 clients to a paid stand alone vCIO package with $3.000 MRR
- Technical Account Management: Approve a Technology Roadmap with all key clients to adopt your Technology Standards
- Sales: Get in front of 5 high-value prospects and close 2 deals with $5.000 MRR
- Cyber security: Upgrade 10 clients to a paid stand alone cyber security package with $25/user/month
- Managers: Structure your Account Management and vCIO Operation with Client Engagement Score
4. Process for a Sustainable Growth
Growing your business can be done with quick high-intensity bursts. These result in unsustainable growth with short peaks of results. We want to make sure you have a long-term vision and break it into quarter-long rocks you can deliver. Each rock focuses on one area, fixes the bottleneck and keeps it sustainable. Then you move your attention to the next goal but build on top of the previous efforts.
- Platform Orientation Meeting - if you have no membership yet, let's start exploring your goals and discover how the platform might serve your growth
- Growth Readiness Assessment - assess your readiness of growth and identify the bottlenecks holding you back preventing your breakthrough
- Smart Growth Action Plan - build a SMART goal and plan your next steps to achieve those goals with an action plan
- Execute your Rock - do it by yourself, pick an expert guide's education or engage with a 1-many or 1-1 program to make things change
- Repeat - go back to the drawing board, choose your next goal and get started on the next quarter....
Grow your enterprise one quarter at a time
Hope you are excited to get your MSP to the next level and start building your SMART goals and action plans!
The 4 Steps of Successful Cyber Security Service Monetization
By Caleb Christopher on August 16 2019
In my observation, previously working for a managed service provider and now with MSPs: for some, monetizing security is an elusive goal that seems to be reserved for those who already have connections, experience, and the right customers. Why?
Clients are confused
It is very common for managed services customers to believe their MSP is responsible for cyber security. They think it should be included in the price they already pay. This is just an extension of the misconception that Information Security is part of Information Technology.
MSPs are inadequate
Selling cyber security services is only for those “big” enough to have an in-house service because quality security talent is hard to find, expensive, and nearly impossible to retain. And without some experience on the team, many MSPs are not sure they have adequate expertise to build and run a security program anyway.
Some turn to third parties for assessments and services, but are concerned that having a 3rd party conduct assessments might reveal that somehow the MSP has been doing a bad job with security. Often, the MSP can't play a role of any significance to the customer in the assessment process, so without an option for a heads-up, many abandon the effort.
MSPs are overwhelmed
Big companies are snapping up all the qualified/experienced security staff, while the rest are playing “employment pinball” until they’ve got enough experience to be a senior analyst somewhere. From the outside looking in, there’s a strong “gotta have money to make money” vibe in cyber security.
There also don’t seem to be any partners focused on helping MSPs build cyber security programs. All the partners and products are focused on the Enterprise sector. What guidance is available costs $thousands and still takes 8-12 months to build out a cyber security program and be able to offer any services.
It shouldn’t be this hard
It just shouldn’t be this hard to build and monetize a cyber security program — especially if you actually care about it! There is a way. I’ve built a cyber security program designed for MSPs. This works for those who want to work on building their own in-house program as well as those who just want to be able to sell cyber security (and remain involved) without having to hire and retain their own cyber security experts.
4 Steps to Monetize Cyber security in your MSP
Essentially, the process goes like this: Educate → Sell → Assess (and prioritize) → Remediate (remediate, and remediate some more).
Once I show a business owner their need, they then typically ask me what they should do about it, so I sell them an assessment in which we build a roadmap of risk reduction projects to execute in both the short and long term. Now in my case, I’m not actively an MSP, so someone else is making the money on those remediation projects, and those projects hold more revenue than any single assessment — especially if the remediation includes subscription services.
Educate
When it comes to selling cyber security assessments, the first thing you should want to avoid is being shopped on price, so instead of vying for position in the eyes of the few who already know they need cyber security, seek to educate just some of the many who don’t understand their need.
Some will understand if only you can explain things in a way they can relate to. That is the secret sauce. I have found a way to effectively communicate the significance of cyber security to the ongoing success of their business in this internet-connected world.
In the book Made to Stick by Chip and Dan Heath, they describe how to shortcut the learning process for complex or new topics. Essentially, the human brain learns based on what it already knows. My favorite example is where they attempt to describe an uncommon fruit in detail, from scratch. When they’re done, the reader may think he has a decent understanding of this fruit. Then they start over, but this time they start with a point of common shared understanding: “it’s like a grapefruit, but bigger.” Instantly, the reader understands the fruit even more clearly than by reading the detailed description. This is the technique we use in helping business owners understand their need for security.
See a short sample video: Making Security Make Sense - Teaser
Here’s why I start with education: In my experience, when I play the role of mentor by educating the asset owners, they also tend to look to me for their next step. They ask “OK, well… so now what do I do? What’s my next step?” The obvious answer is: start with an assessment.
Sell
Since the business owner already knows his need for an assessment at this point, my job is to continue to guide him toward his goal of getting one. He already wants to buy, so I explain the “simple process” the assessment follows. I do this because visualizing a simple start-to-finish process takes the mystery (read that: uncertainty) out of the purchase.
Once the process is understood, other than presenting him with a quote with a Statement of Work for a NIST cyber security assessment, my job is to not give him any reason to think twice. Show him the process, then give him the quote + SOW. I am pretty firm on this not being the time to do special scoping discussions or negotiations. Keep it simple. Anything but a smooth path to purchase introduces risk of a lost sale.
Note: As a cyber security consulting firm, the sale of the assessment is my “win,” so I don’t really budge on pricing because I know what I need to get out of the transaction for it to be profitable. But for an MSP, there is another angle to consider: the assessment is just the beginning of the revenue stream from cyber security. For the MSP, remediation projects are more likely to be the real revenue source. So MSPs can flex on the front-end pricing (quite a bit in fact, if they know their typical remediation revenue). BUT, this bears repeating: Keep it simple. If you slow things down or introduce turbulence by debating numbers, the chance of losing the sale increases greatly.
So here’s what I suggest: Before you show them pricing, decide ahead of time what “deals” you’re willing to make. So if you’re willing to offer a half-price deal, be ready to cross through that initial price and put the half-price number there. However, I wouldn’t start with a bid of several thousand dollars and be willing to go to free… People don’t respect what they don’t have to pay for, and if they took you from $thousands to $0, “What kind of game are you playing?” Whatever your numbers, pick and stick so the process is quick.
Assess / Prioritize
Whether you’re running your own assessments in-house or you’ve outsourced them, they need to be timely and relevant, and they need to demonstrate business value.
Timely Assessments
If you’ve read this far, you’re probably not trying to run comprehensive assessments with complex requirements. That means there’s no good reason for these assessments to take long.
For relatively straightforward assessments, I shoot for two weeks as a maximum amount of time to gather data, prioritize findings, produce the summary with recommendations, and present back to the client. I’ve found they typically tolerate three weeks, but at the fourth week and beyond, they’re impatient and much more likely to be critical of your findings, process, advice, etc., especially if you have any “critical findings” in your report which you took your sweet time to tell them about. So if your goal is to sell remediation services after the NIST cyber security assessment, be quick about the process.
Relevant, demonstrating business value
Unfortunately, many assessments have been delivered which had little more than the standard output from whatever scanning tool was used. That’s like a mechanic handing me a color-coded printout of the OBD2 readouts and telling me to fix all the red stuff first. Thanks a lot.
For an assessment to be relevant and have business value, it has to provide realistic guidance for the particular business for whom it was performed. A quality assessment delves into the risk tolerance, the whos, and the whys of the customer. Only when you have a good understanding of the business’ objectives can you make relevant recommendations. For example, there are plenty of critical severity findings which may pose no practical risk for a given business, while several low severity findings in combination pose immediate risk.
Relevance and business value go hand-in-hand. If you understand how the business operates, what it wants to achieve, and its mid-to-long-term goals, you can offer practical guidance on risk reduction.
Remediate
Remediation is the sweetest part for an MSP. It’s additional revenue (maybe even monthly recurring revenue!) on top of whatever managed services are already in place.
When it’s time to present findings and remediation guidance to the customer, it’s best to break it into timeframes. There may well be several relatively critical findings, but keep in mind: if this business owner only recently realized the need for cyber security, they don’t have a budget set for remediation. They bought the assessment to get a feel for what they need to do something about vs what they’re going to have to put off until later (or simply accept as inherent risk). So in my experience, it is very well received to provide them a “menu” of things to fix within different timeframes. Something like “Immediate,” “This Quarter,” and “This Year.” (Keep it simple.)
During the report presentation, I explain the implications of findings and my recommendations for immediate fixes, then I ask the business owner which ones they can / want to tackle first. Everything else in the “Immediate” section gets moved down into the “This Quarter” section, with anything else already there. Again, we discuss what would be practical to pursue within the next 60-90 days and move everything else down into the “This Year” section.
These discussions can’t really take place without some understanding of the price for the various remediation projects. So I recommend the MSP come to the meeting with individual quotes for each item in the “Immediate” section and rough price-only estimates for the items in the “This Quarter” section. This allows the business owner to do some quick mental math so we can plot a rough course for the next year during the presentation meeting. Estimates for the longer-term projects are optional, but aren’t very helpful during this meeting.
Once the business owner has decided the order of remediation projects, an Account Manager or vCIO can handle the roadmap without further need of a cyber security analyst. Any immediate actions for which the MSP brought quotes can be executed on the spot.
Note: MSPs need to be ready for the findings. Some findings may reflect poorly on the MSP, so be ready to step up and fix things ASAP. While this may be embarrassing at first, it is usually endearing to the customer when they see you doing your part, just like you’re recommending for them to do.
Webinar Takeaways on Selling IT Security and Compliance
By Denes Purnhauser on August 15 2014
It was a really engaging talk with Steve Rutkovitz CEO of Choice CyberSecurity. He is a very successful MSP practitioner specializing in IT Security and Compliance.
We were talking about MSP challenges, strategies, IT consultative sales processes, IT security and compliance opportunities and partnerships, and I learned the following:
- There are surprising similarities between the mainframe to PC era shift and the PC to Cloud era shift
- To become a successful MSP one of the most important traits is having best-in-class partners
- When you move upstream, you have to make sure you are able to manage management type people
- You have to develop a solid marketing / sales engine to teach your clients and prospects
- The Challenger sales is a great way to leverage the natural teacher inside IT managed services providers
- You can sell NIST Cyber Security and Compliance solutions without doing the delivery side
- The business model of selling IT security solutions through a partner
- The best foot-in-the-door tips and tricks to get in front of CEOs
- The complete MSP sales process from “access to address” that maintains the IT security issues
- The natural advisory mindset of IT companies and the potential contained within
Thanks to Steve Rutkovitz for the wisdom and the honest, straightforward answers. I believe his thoughts could help IT managed services providers of any size and any maturity. You can bet this won’t be our last discussion with him.