Overcoming Security Objections — SolarWinds TechPod 011

It’s time for MSPs to have better security conversations with their customers—and SolarWinds VP of security Tim Brown and SolarWinds MSP senior channel sales specialist Stefanie Hammond know just how you can broach these terse topics. Listen in as they give you the security scoop.
Tim Brown

Guest | SolarWinds CISO and VP, Security

Tim Brown is at the front line of the most vexing challenge facing organizations today: IT security. Tim is currently the Chief Information Security Office…

Episode Transcript

Announcer: On this episode of The Brown Report, SolarWinds MSP senior channel sales specialist Stefanie Hammond…

Stefanie: “How can we convince MSPs to stop being their own worst enemy?”

Announcer: …speaks to SolarWinds VP of Security Tim Brown…

Tim: “The great thing about security—and the bad thing about security—is it’s always changing”

Announcer: …about how MSPs can have the tough security conversations with their customers…and when to know when a customer is too unsafe to keep around.

Stefanie: Hello! I’m your host, Stefanie Hammond, senior channel sales specialist at SolarWinds MSP. And once again, I’m joined with our expert Tim Brown, VP of Security at SolarWinds. So welcome again, Tim.

Tim: Thanks, Stefanie.

Stefanie: So for today’s episode, I want to get your advice on how our MSP listeners can overcome objections, particularly objections they hear during the sales process. You know, when that topic of security should be coming up. I really wanted to shine a bright light on this topic today and give it its own dedicated episode—because sales, it’s a constant challenge. It’s a struggle for a lot of MSPs and I feel that any advice we can provide in helping MSPs have better conversations with their customers, especially around security, is going to be very helpful. So I’m hoping you’re up for this.

Tim: Absolutely. This is a great topic.

Stefanie: Excellent. Perfect. So, I’m going to draw on my own interactions for this with hundreds of MSPs over the years. And I actually see two separate sets of objections that I feel I want to get addressed today. And the obvious set of objections stem from the prospects themselves. You know, cash is precious. No business wants to spend more money than they have to, and we definitely want to provide some guidance on how MSPs can overcome their customers’ objections to allow them to have better conversations and position their services. You know, obviously to generate more sales. But the first set of objections I want to address with you stem from the MSPs themselves. You know, I’ve never seen an industry quite like ours where MSPs give away so many of their services for free, or practically free, or where they completely undervalue the services that they are providing. So again, going back to my own experiences, when I try to talk to my partners—that I work with day in and day out—about modernizing their programs to have more of a security focus added into them, I get pushback because they don’t want to go back to their customers and have that conversation. They don’t want to have to go back and say, “We’re changing up our programs. We’re including more services. It’s going to cost a little bit more money.” Even when there’s substantially greater value being added to the new set of programs being offered. So here’s my question: How can we convince MSPs to stop being their own worst enemy, and “pre-objecting” that their customers won’t pay for these new services? How can we help them gain the confidence to start having these types of conversations and address something as serious as their customers’ overall security preparedness?

Tim: Yeah. If you think about what the MSPs are trying to do, right? They’re working with their customer, they’re trying to make them efficient, they’re trying to make them secure, they’re trying to make them have an effective business. All of those things are important. So when an MSP is, you know, talking to the client, they really need to be able to understand the risks that they face and have that risk conversation with them. Not be afraid to have the risk conversation. The great thing about security—and the bad thing about security—is it’s always changing, right? So there’s always change going on, but there’s always something to talk about, right? You know, everybody’s talking about Facebook and privacy right now. So when you think about Facebook and privacy and you see Uber coming on the TV and apologizing, you see Facebook apologizing, you see everybody apologizing for the practices that they’ve done. So what is your client thinking about that? They’re saying, “Hmm, I’m seeing it on TV.” They’re thinking, “So what does that mean to me? What does privacy mean to me? What does security mean to me?” Right? So don’t think that they’re in the dark, right? They’re seeing it on the news, you’re hearing it on the news, they want to know, “Am I doing the right thing?” And you know, privacy and security blur, right? So that’s a great area of conversation. The amount of stuff that’s going on the news is a great area of conversation. So just think about, from your client’s perspective, what that conversation would be. And don’t think you have to have all the answers, right? It’s not that you need to be the super expert in it, but talk through it with them, right? It’s okay to just have a conversation. “So what do you think about, you know, Facebook’s privacy policy and what’s going on? Do you think that, you know, we should be thinking about something like that for you? Are you sharing data with people? How are you doing things?” Use topical things that are going on and just have conversations with your customers. And once you start that conversation you end up saying, “Oh, okay, so for this we really need to understand what your risk is. We need to start taking security seriously and possibly spending more on security and doing the right things to make sure that you’re facing the appropriate risks for the business that you’re in.”

Stefanie: Right. And I think maybe the lack of confidence—again, speaking to my customers about security—might stem from the fact that, you know, our definition of security services is different than what an MSP might traditionally be thinking about security. And where this comes from or where my thought process here on this is: I had a conversation the other day with one of my partners about security, redesigning the programs to have more of a security focus. And he immediately panicked and said, “Oh, we’re, we’re not ready for that. Uh, we’re, yeah, we can’t do that. You know, we don’t have the tools. We don’t have the skill sets to be a security provider.” So maybe there’s a misconception about the term security that is scaring MSPs from having that conversation with them. You know, we’re not necessarily talking about specifically becoming an MSSP, you know, there’s basic security elements that can be incorporated into monthly packages.

Tim: Yeah, absolutely. Absolutely. So if you’re not doing security in this day to your clients or thinking about security, you’re simply doing them a disservice and doing yourselves a disservice. And when you think about what that means, what security means, it does not mean that you’re going to monitor 24/7, it doesn’t mean that you’re going to be necessarily the expert in everything. It doesn’t mean that you are going to be able to have the services to do full-blown risk assessments for people. But it does mean that you are appropriately patching the systems. It does mean that you have antivirus running on their systems. It does mean that you have things backed up, it does mean that you’re doing appropriate updates for those systems. So it means all of those things and it’s stuff that you should already be doing, right? Our tools help us do that and other things help do that. But this is just basic good management. You know what I usually say is that a well-managed environment is a secure environment, it all starts with that and then you step up and then you do additional things beyond that. But you always do the basics.

Stefanie: Right. And I think that’s what they’re overlooking is that the basics—all we’re doing is reframing it as security elements now, when maybe they were just managed service program elements in the past, so it’s just more of a rebranding than anything else.

Tim: Exactly, exactly. You know, one of the things the MSP needs to remember is that—you know, the number varies, but at a minimum, over 80% of the effective exploits that occur have occurred because of bad hygiene, right? They’ve occurred because people haven’t had an effective patch program in place. They’ve occurred because they haven’t had an effective endpoint protection program in place. All the things that people are doing today, and the MSPs that are doing a good job are already doing today, effectively help with security. One of the most effective ways to thwart ransomware is backup, right? Patch, antivirus, and then backup in case something happens. If you do those things, do you have a security program? Yes. You absolutely have a security program. Are you an MSSP? No, no. But you have a security program and most clients don’t necessarily need the deep level of additional security components. Some do, but not for everybody.

Stefanie: Exactly, and I think you saying that really drives home the fact that most partners, like you’ve said, just need the basics. So just reframe what you’re doing and just make sure that all of your customers are having the basics being done. But one of the things—you know, again, these conversations day in and day out with my partners—I’ve actually had some MSPs say to me, “You know what, the status quo is working well. You know, my customers are happy. They’re not asking for it.”

Tim: Yep, absolutely. And you know, the one that we hear all the time, right? “I’m not asking for it. I’m already spending enough money. I don’t need anything more.” Right? And that’s a common objection. And one of the things that you have to remind the client is both what you’re doing for them. So you should be showing them their monthly report that says, “Here’s what we have in place, here’s what we’re protecting you against.” So you should be able to show them that. You should also be able to tell them that, you know, here’s the risk that they’re under and the risks that they’re facing if they’re not doing enough. So if you’ve got a client that’s not running backup, what risks do they face if not running backup? Can’t always stop ransomware; even the best tools in place can’t stop necessarily ransomware from coming in. So you can be running a great AV program, you can be doing those things, but you could still get infected because somebody goes and clicks the ‘Okay’ button at the wrong time. So how do you do that? You say, “Mr. Client, here’s the scenario. The scenario is that, you know, somebody browses out to the wrong site. They click ‘Okay,’ they get infected or they give up their credentials, then they get hit by ransomware and that machine gets taken over. Very viable and very real scenario that’s happening many times. So what do you do? If we don’t have backup, we’re in trouble. If we have backup, we can recover from it quickly and we can move forward.” So explaining to the client in the right terms—in terms that they can understand, in business-loss terms—they will understand what a level of acceptable risk is for them and, in some cases, they may be okay, but in other cases they may need to do a little bit more.

Stefanie: Yeah. And what I like to say back to my partners when they say, you know, “My customers aren’t asking for it so I can’t sell it to them because they’re not asking for it,” is: If you’re not talking to them about it, somebody else is because as you said, you know, they see it, they hear about it in the news every single day. They expect you, as their provider, to be having these conversations. So if you’re not, somebody else is going to be sending something, whether it’s a piece of mail, whether it’s an advertisement, whatever. And it’s going to tweak something and say, “Oh, maybe I should go talk to that person instead because my provider doesn’t seem to know.”

Tim: Exactly.

Stefanie: Exactly.

Tim: So you know, like what we talked about at the beginning. It’s so important to have conversations with your clients and it doesn’t need to be deep conversations. It needs to be, you know, a regular touch base with the client to say, “So, yeah. Did you see this? This was going on. These events happened and, you know, here’s how I’m protecting you,” right? Because they also need to know and have a safety net saying, “Okay, you know, my MSP has got my back, right? My MSP’s taking care of me. They’re doing a good job.”

Stefanie: So they need to be aware. They need to be aware of the services you can offer them.

Tim: Absolutely.

Stefanie: And so I know we’ve also spoken in previous podcasts that MSPs should look to embrace compliancy and different compliancy regulations and not to be afraid of them. You’ve even gone as far as to say that regulated industries are a security person’s dreams. So, I’m thinking: if MSPs are having a tough time mustering up the courage to speak with their customers about the need to boost their security coverage, targeting organizations that have to comply to, say, HIPAA, or PCI, or GDPR, might be an easy way to start having these conversations.

Tim: Oh, absolutely. Regulations are a security guy’s dream, right? The reason why is pretty simple. When you look at a regulated industry and you look at their budget, the first thing on their budget list is “meet my regulation” because they can’t operate without it, right? They just can’t. So as part of just about every regulation is our security requirements. I can’t think of one that doesn’t have some level of security requirements embedded in it. So it’s important for the MSP to understand that regulation at a fairly good level and understand what they need to be able to do, what they can satisfy from the IT components of that regulation. Once they do that, they map into the security requirements for it and then they move forward from that. But absolutely going in with a little bit of knowledge and enough knowledge to say, “Yeah, so you’re trying to do HIPAA, therefore we need to make sure you have the appropriate users having the appropriate access. We need to make sure that that sensitive data is backed up appropriately and protected appropriately,” and go through with the basic things that they need to be able to do. So perfect opening for conversation, perfect opportunity to fill in gaps, perfect opportunity to be able to help the client. So everybody in the regulated industries are looking for an appropriate level of security that passes their regulation.

Stefanie: And so, the MSP gets the courage to start having these conversations. And what if the prospect says back to the MSP, “I’ve already passed my audit so I’m already secure.” You know, what’s the best way for an MSP to respond to that?

Tim: You know, it’s a real fact that basically an audit gives you a baseline and it’s good to have that baseline but it does not indicate that you’re secure. Right? So what they need to do is be able to point out the gap between passing the audit and what security within their system is. Right? So maybe they haven’t patched all the environment, maybe they have backup only on certain sets of machines. What are the gaps that they have within that environment? What I like to see as opposed to an audit program, is a security program that helps them pass an audit. Right? As opposed to an audit program.

Stefanie: Like a pre-audit.

Tim: Yeah. As opposed to an audit program that, you know, people will say, “Yep, I agree. I have a HIPAA program, right? And that HIPAA program happens to have security components in it.” You should really have a security program that helps you pass your HIPAA audit.

Stefanie: Right.

Tim: So you do it in the other direction. So I think it is again, talking about what level of risks they face and that just passing the audit is not necessarily enough because of, you know, the impact that breach could have in their environment. Just because you passed a HIPAA audit doesn’t mean that you’re going to not lose your healthcare information. And what would happen to your brand? What would happen to the company? What would happen to all of those things that got compromised?

Stefanie: And I almost think that an audit is kind of a point in time. So you passed it today, but something could happen tomorrow if there’s not a proper program in place.

Tim: Absolutely. So it’s a program and not a point in time check. That’s a great way to think of it.

Stefanie: Okay. And I also think part of the reason that MSPs have a difficult time with that security conversation with customers, you know, besides the fact that they have to ask for more money to have a new security contract, is that they’re lacking the proper toolsets and maybe the skills needed during the sales process that would help gather, you know, all of that empirical data to help justify the additional expense of implementing proper security coverage. You know, they’re lacking what’s needed to have a proper ROI conversation with their prospects. So how can we help MSPs address that?

Tim: Yeah, that’s always a hard one. You know, doing security for so long every once in a while you have to have the insurance conversation, right? And it is real. It says, “Yep, I’m selling you insurance. And by doing this, I’m protecting you against, you know, the potential of things happening, the potential of ransomware, the potential of malware. You’re getting insured against the potential of those things.” And that’s okay, right? I mean, that’s one of the things you have to do from a security perspective when you have that conversation. But the place I really like to go is using security as a business enabler, right? Whenever I can find those opportunities to say, here’s how security can help you, here’s how it can help you sell more. Here’s how it can help you…

Stefanie: Using it as a differentiator.

Tim: Use it as a differentiator against your competition, use it as a differentiator against others. So when you think about that, what does that mean? When can you do that? So, if you have a client that is manufacturing something, right, and they need to talk to their vendors and their customers, right? They need a security program in place to be able to satisfy that need. With GDPR—right now, under GDPR all vendors that you have need to have an appropriate security program, an appropriate security policy, a privacy policy in place. So as an MSP, if you’re allowing your customer and helping your customer with those things then they can satisfy their GDPR requirements, which will help their clients be able to do business with them. So it’s an enabler and a differentiator. And those models really, really work well because people say, “Oh, okay, I understand if I have security, I can sell more. If I have security, I can do more business. If I have security, I can get into other regions.” So whenever you can, you should look at that security as an enabler to their business.

Stefanie: Right, exactly. And kind of going back to the thought that compliancy regulations are an opportunity for you. They’re your friend. Don’t shy away from them.

Tim: Yep, exactly.

Stefanie: And then talk about it, promote it.

Tim: Talk about it, promote it, and use examples. Say, “Okay, yep, you’re in this area, you know, here’s how I can help you make security a differentiator for you. You have a great security program, so now you can sell more.”

Stefanie: Excellent. Alright. So, switching gears, assuming we have MSPs on board now. They’re willing, able, anxious to go out there and speak security to everyone that they meet. There are some common objections that prospects, you know, businesses are going to throw at them around why they don’t need to pay or why they can’t pay for heightened security coverage. And I think one of the biggest objections that they might hear from a business is, “Why would I ever be a target? I’m too small. There’s nothing that anybody would ever want.”

Tim: Absolutely. Yes. That’s the one we hear all the time. “There was nothing that ever anybody would ever want. Why would I be a target?”

Stefanie: Yeah.

Tim: The bottom line is that a lot of customers don’t understand that you’re getting attacked every second of every day. You put a machine up on the open internet that is a vulnerable machine—that machine lasts hours at most. Right? So there’s instant compromise going on every single second of every day. As soon as you pop open your laptop, it’s trying to be attacked, right? Depending on where it is and what protections are behind it. Same thing with servers, same thing with your environment. So there are appropriate levels of controls around the outside if you have them configured right. So if you have a firewall in place and it’s configured appropriately, you’ll get some protection. If you have antivirus on the machine, you get some protection, right? If you have things appropriately patched, you get some protection. If you don’t have any protection, you will just be a target of circumstance. Nobody’s after you, nobody’s targeting you directly, but you will just be a target of circumstance which means that a broad scan picked you up, hit you and compromised your device. So you don’t need to be a target to be a victim.

Stefanie: Right. Okay. So going on, when you talked about the AV, the prospect comes back and says, “I have AV on my system. I’m covered, and my budget is already maxed out. Aren’t I spending enough with you already?” You know, how does an MSP explain that a small increase is absolutely necessary for the supplemental coverage?

Tim: Yeah. And I think it’s back to our risk conversation that they have. So just having AV—is that enough, right? So we know that antivirus does not stop all attacks. We know that because of the major ransomware outbreaks that are going on that you may not have enough coverage and those things happened, right? So if you’re not running backup today, you’re really doing the customer a disservice because you can’t tell that that’s not going to happen. It could very likely happen. So you just need to present them with the risks that they still face when they’re running certain levels of components. At some point the MSP should get to a point and say, “You’re not a super targeted client, right? You are a target of opportunity. What we’ve done is we’ve patched your systems. We’ve got appropriately configured firewalls in place. We have antivirus on machines, we have backup on the machines. We’ve got a great patching program in place. We’re watching you pretty closely and you’re good. I would not have you spend more.” And that’s a fine place to be. Now if you jump over the edge of saying that you are in an environment that’s more targeted, you’re an unregulated industry, then there’s more beyond good hygiene that you should be doing. So explaining that to them makes that conversation about more risk than dollars.

Stefanie: Right. Okay. And again, kind of keep going back. Sometimes businesses just don’t understand and then they come back to the MSP and they say, “It’s just not a priority for us. Like, we just can’t make it fit.”

Tim: Yup. And that happens. That happens in large businesses. That’s how it happens in small businesses. And the question again is, you know, walking them through scenarios, walking them through scenarios and basically loss scenarios and saying, “Okay, your retail floor: what happens if you have an event that shuts you down for two days, what does that do? What does that do to your bottom line?”

Stefanie: That’s the ROI conversation.

Tim: Absolutely. The ROI conversation comes back to it and you can’t always get them to turn. You can’t always get them to do things right until an event occurs. And that’s just common human nature. But what you can do as an MSP is inform them of the risks that they are under, and if you believe that they aren’t even doing the basic good hygiene, then you need to decide whether you want them as a customer.

Stefanie: I was just going to ask you that question. I’m like, okay, so they’re an existing customer, they’re under contract, you’re trying to round out their security coverage, they’re pushing back. What’s the next step?

Tim: Yeah, and if you are very uncomfortable with the level of risks that they’re facing, that they do not have enough security in place to provide the basic coverage for, you know, essentially drive-bys, then you need to think about whether you want them as a client and you need to think of whether the liability—not legal liability, but just the reputation liability that you face by having them as a client—is worth the cost. Because if they’re not secure and they get compromised, they’re going to come back to you.

Stefanie: They’re going to blame somebody.

Tim: They’re going to blame you, probably, right? So you either cover yourself, but you should always think about, “Okay, well, if they’re not doing the basics, do I really want the risk associated with that?” Because in the end, depending on what your contract is, you could be on the hook to clean them up. Right? Depending on what you’ve said you’re going to do for them, it might be, “Okay. Yep. Oh, yeah. Your contract, you said I’m going to be secure. You said you’re going to manage it. So you’re cleaning it all up for me.” And that clean-up can cost weeks, days, months.

Stefanie: And you don’t have the opportunity to go back and bill additionally for it.

Tim: Absolutely. So you have to be careful on what clients you take and the approach that you take with them.

Stefanie: So thank you Tim, again, for spending time with us today providing our listeners with some great solid advice on how they can take control of the sales process and address, you know, a lot of the most common objections they hear when speaking to their prospects about security services. I think you did a great job of making the case that many small- and medium-sized businesses need help even if they don’t think that they do and it’s no longer about if a security breach will happen, but more about when and ignoring that and thinking that security threats are just the here and the now and that they’re just going to go away—it’s not really the smart business plan.

Tim: Yeah. I mean, when you look at some of the data that we’ve gathered from even last year, right? Fifty-eight percent of the attack targets were small and medium businesses. Huge number, right? And these are our MSPs’ customers. These are your customers, you know, and when you think about what we need to do is we need to take and get on a mission to make them better. Right? And that’s the bottom line. We have to get them better. We have to stop them from being a victim of circumstance and we have to do whatever we can do to make that happen because, you know, they are the low hanging fruit for our adversary. So they’re who they’re going after, they are the target of today and the target of the future. So it’s so important that the MSP takes that opportunity to talk to them about security, to get them moving the needle on security. And it’s so important that we can overcome the objections of both the MSPs and the clients to get there because the more of them we protect, the harder we make the bad guy’s life, right? And the more people are protected. So it’s a super important topic. I can’t stress too much that the MSP plays such an important role in this and really in protecting that whole segment of the market and such an important segment of the market.

Stefanie: Because there’s money to be made by having the security conversation and making it a priority and helping your customers to see that it is a priority. Because again, going back to what I said earlier, if you’re not having those conversations with your customers, somebody else is. Start it off, have the conversation, because it could be the springboard for a lot of other topics that might come up.

Tim: Yep. Absolutely. If you’re not having that conversation, you will not keep that customer. That’s kind of the bottom line.

Stefanie: Exactly. Exactly. So again, my name is Stefanie Hammond and thank you for tuning in and listening today. And we’ll see you soon on the next edition of The Brown Report.

Tim: Thanks, Stefanie. 

Announcer: Thanks for visiting. We’ll catch you on the next episode of The Brown Report. And remember, we want to hear what you think! You can subscribe, rate, and review SolarWinds TechPod wherever you listen to podcasts.