As a sales expert, I consult with Managed Service Provider (MSPs) and Managed Security Service Providers (MSSPs) to package, price, and sell cybersecurity solutions. (Typically, they’re selling these solutions to small and medium-sized business owners.)

A haphazard approach to security solutions is a tremendous risk to both the service provider and the client. (And clearly, random acts of security will not keep companies safe – as evidenced by the growing number of threats and successful attacks.)

Gone are the days where simply a high-quality anti-virus or firewall was enough. Today, businesses must adopt a layered approach to security. But the prospect of selecting the right technology often feels overwhelming and complicated. Further, you’ll get a million different definitions or flavors for “the right” cybersecurity stack. And, to make matters worse, your peers have often gotten past this step, so they’ve tucked the memories into the back of their brains, hoping to never relive the trauma again.

All of this leads to analysis paralysis and the fact that this single step of “going to market with cybersecurity” often takes business owners close to 18 months…on their own.

As a consultant, I need different approaches to solving this challenge. Here are three ways I approach this with my clients:

Three approaches for building a Cybersecurity Stack

1. Use a Framework

One way to approach the challenge of building your cybersecurity stack is to choose a framework. You could use the NIST framework, the CIS controls, the Australian Essential Eight Maturity Model, or Cyber Essentials (in the UK). Most of these frameworks align well to NIST, so I always recommend doing a light study of NIST, simply to understand the five core tenants: Identify, Protect, Detect, Respond, and Recover.

For example, if you choose to align your service offering to NIST, then determine how you will mitigate risk inside each of the categories. The most important thing to remember about NIST – which you should apply to whatever standard you adopt – is that you must continually improve. Security is a cycle, which NIST illustrates well.

 2. Implement your solution

Many MSPs get stuck because they are looking for the perfect stack. Your goal is not perfection. If you wait for things to be 100% ideal before you start selling cybersecurity, you will NEVER start.

Decide how long this project will take and push to finish in that amount of time. Parkinson’s law states, “Work expands to fill the time available for its completion.” Part of what this law suggests is that you won’t finish early. Most MSPs take 90-180 days to figure out the technology part of their cybersecurity offering. Push yourself to finish in a set amount of time, and ask your peer group to hold you accountable. Once you’ve truly focused on this task (without getting distracted), you’ll likely consider your solution 85-90% done. This is truly enough for now. Ask yourself if you would be comfortable selling this solution to your best friend. If so, this is exactly what you’re looking for.

Consider this step of the process complete, and then table any improvements (except for truly emergent issues) for a full year. At that point, you’re allowed to reevaluate your solution, the threat landscape, and your overall strategy. Only then are you allowed to consider additional vendors. Having this level of discipline, whereby you schedule times to evaluate solutions, is the mark of a mature business organization.

3. Sell the Entire Package

Now comes the part I love the most: sales! This topic deserves its own blog post, but for now, you need to know a few things. First, you can sell anything that is valuable. Focus on building the value of your solution. One way to do this is by showing your prospects what could happen to their business if they do nothing. These business impacts (or implications) are large. It’s crucial that your prospects understand this. This is part of what you must demonstrate in selling based on risk.

Secondly, please do not “unbundle” your services. You took the time to create a comprehensive service offering, based on a specific framework. Do not invalidate your effort by selling components of security. Put simply: sell the chocolate pie; don’t sell the ingredients.

Finally, please sell your offering with a healthy margin. So many MSPs have been squeaking by the managed services world with razor thin margins. (This leads to poorly compensated owners, undervalued or subpar teams, and a lack of customer service.) Selling cybersecurity is a way to cure years of underpricing your services! Sell your offering at a fair, healthy margin. You likely created a premium solution. Sell it at a premium price!

To recap:

  • Base your technology stack on a framework
  • Set a deadline for yourself
  • Sell your solution profitably