Optimize Your Business Sales Process for Security

How to create outlook signature

thank you for tuning in to the talk show i am andra hedden today i am joined by the one and only david powell thank you for joining hey great to be here it is great to have him and i'm so excited for the conversation that we are going to tap into today really quick if you do not know david he is a an industry veteran today we're going to talk about security and why he is the perfect person to have in this conversation he's had 20 plus years in the space he was with three of the top 25 msps had a couple of stints also with vendors so he has a plethora of information to talk about and some great stories he's a great storyteller so you'll see a little bit of that today also so this is going to be this is going to be great so we're going to tap into security as i mentioned and really why the conversation is so important right now so start us off so yeah what does that conversation look like right now around security msps the vendor space ts up a little bit so security's really scary right is that i think the misperception a lot of people have is that if in your neighborhood if somebody's house got broken into the facebook page would light up people start texting their friends the homeowners association would come out and tell everybody hey there's a break-in be extra vigilant all this kind of stuff and no one would have like any negative thoughts about oh their house got broken into hahaha right well in the business world everyone thinks their business is in like a nice part of town when it's really in like the worst part of town right because no one's talking about businesses getting breached and having cyber security problems there's like a stigma related to that so the business community's been kind of quiet about it so this is false sense of security in the business community that oh well no one wants my stuff i'm too small when really everyone is getting breached the news is filled with story after story or story of companies being breached but no one's really kind of connecting those dots that it's well the people next door to me and the people down the street from me it's people like me that are get get them breached so the the awareness is kind of there but it hasn't quite translated into like action so you've got a lot of people who know the risk but is this kind of a femoral specter out there where they can't get their arms around it it seems big and scary but they can't like necessarily put their finger on what is it they don't know what to do to start it right so your large companies have security teams focused on that small to medium businesses don't they have msps that they rely on absolutely so now they're trying to figure out what do we do and it's up to the msp to come in and say hey here's what we think you ought to do to improve your security posture so i have not heard that type of analogy of the what neighborhood is your business but i think the thing i think is really interesting about that is the whole thought of oh it could never happen to me right i think that i think one of the things you're tapping into just like in a neighborhood where oh well it's not gonna happen to me i live in a great part of town so you don't hold it against others to not have a security system or have the most intricate you know alarms but when it comes to business the stigma that you're mentioning it is kind of a hush hush of okay it's not gonna happen to me and then we're we're we've got some things in place we think we're taken care of and so talk to me a little bit about um the conversation around it and then two how you think that msps should start to have that conversation internally for themselves and then how they should start building something something out to right to market so the conversation i think most msps are having is wrong yeah okay a lot of them are going to go what i call scare and sell so they're going doing an assessment and then they're coming in with this binder and saying android here's all the stuff you suck at you know you're like yeah so the way i kind of use it as an example to try to get sales people to move away from that is this idea like you know you've got two great boys and if you went and talked to a financial planner and said hey we're ready to start planning for college they're gonna say great you gotta save five thousand dollars a week and also if you go whoa i mean there's no way we can make this happen and so instead you're like oh forget it we'll just take out a bunch of loans and buy a big screen tv on the way home so feel better right instead hey can y'all just not go to dinner once a week let's start there and put fifty dollars away a week and build this little plan so what happens similarly is that msps go in and talk to their client and they give them like here's all the millions of things you gotta do and somebody hey here's three things let's focus on these three things we get those done i'll give you three more and focus on those so you got to give them a path to take this actionable because what happens is that when you scare and sell it the bridge seems so it's a bridge too far so then their like inaction comes from that not action and you really just want to get on this journey right get on this journey so that's where i think sales people for msps really kind of struggle with that the second thing is they're really really really concerned about how to overcome this objection that if you're my client and i'm the msp and i come in and say hey andrew i'm here to talk to you about cyber security and you're like whoa aren't you doing that for me already right and now all of a sudden because people equate technology and cyber security as tied together and what does an msp do well they do about technology so therefore they must be doing my cyber security right and it's really a whole different conversation around risk and risk mitigation and all this kind of stuff so you have to go oh wait now we do some of that for you let me let me explain what we do do for you patching an antivirus and stuff like that but here's all this other security you need to be considering and have that conversation that sales people are scared because they don't want to be on the receiving end of like whoa wait a minute i thought you're not you're already doing that so talk to me about really quick talk so so take it back to the msp for a second so so obviously sales teams we always say you know a sales person sells what they know best right a lot of times sales teams are scared to have that conversation as well because maybe the msp doesn't really have their fully baked security strategy in place so so one do you think that msps are doing this right for themselves do you think that they've got a great security you know are they eating their own dog food are they actually practicing what they preach talk to me about that for a second and then i want to go deeper into what they can do and offer you zero chance most msps are not doing this well at all right and so the analogy i like to use on that is you know if i wanted to get into shape and hired a personal trainer right and so i get all my new gym clothes i went to lululemon and got me some stuff you know some guy stuff and you'll look all ready to roll down at the gym and then here comes my personal trainer and he weighs like 400 pounds he's sweaty he's shoving a big mac in his face and watching it down with mountain dew i'd be like i'm not listening to a word this guy he has to say right is who takes advice from a 400 pound personal trainer who's slobbingly well that is unfortunately the msp going out talk to their clients they're the 400 pound personal trainer as they're going out and saying hey you need mr client to improve your cyber security and you need to get you know improvement in these areas but they haven't done any of that themselves right they've taken their scarce resources their security experts and they deployed them appropriately into revenue producing activities absolutely but they've ignored their own environment so i feel like it gives the sales people a lot more credibility that if you go through that process of self-assessment first so take your security guys and do all the things and be real open and honest with the rest of the company around what you're doing then the sales team can see how that process plays out so then they can go sit down with a client confidently and say hey andrew let me tell you we just put ourselves through this and we thought we had this thing lit and we found some things we had to improve let me tell you how that process played out in our own environment and then how this would play out in yours and then it's a little more vulnerable it draws them in a little more and it walks them through what the process would look like that you did yourself and it gives them comfort knowing that you have done the things that you're trying to get them to do and back to the other thing that you said too about the if if if you are going in too heavy right if you're if you're leading and you're going too strong into that sale and you're saying hey these are all the things you need to do this is everything in your security practice that you should have they're going to procrastinate they're going to be scared they're going to be overwhelmed it's going to be too much but with what you're just saying if you say hey we we just did this it wasn't so bad and and this is what we found out and we actually found two even though we are this space we found here were some gaps and this is how we filled them and so no i love that and then back to the the sales rep they get more confident and then they can sell it better as well so i think those are some great tips so do a quick internal audit if you haven't already done this internally and and i think those are some great tips for how they can get in place and i think that take them on the personal trainer right is it the personal trainer some people want to run a marathon some people just want to lose a little weight some people want to run a 5k right and you tailor your plan ingly and nobody one day goes from the couch to running 26 miles right so there's a process in between no one goes from the couch to run a 5k there's a process in between so how do you give them a process that's executable against this goal depending on their risk profile and risk tolerance maybe it's a 5k maybe it's a marathon but you got to give them an actual plan so how do you come alongside them as a personal trainer like hey let's go run them all together right as opposed to just like here's all the things you got to do and then they're again in action results absolutely no and i think that's such an easy way to explain that so thank you and and on on the flip side of that now okay so if now you're teed up david's giving you all the little nuggets to start the internal process so now let's take it to the flip side so let's if we've got everything internally set up we did our internal audit we know where we stand we filled our own holes our sales team is ramped up we feel good talk me through what it looks like to start to put together a security offering a secure is an offering yeah show me tell me and and tell everyone tuning in where we should go from here yeah so i think there's a couple ways to think about that one is are you are you creating an offering or a practice right so an offering would be we need a multi-factor authentication offering right so i have my standard core msp set of offering you know and some people have precious metals pricing or whatever and good better best whatever it may be and then we're going to have multi-factor authentication with a layer on top or advanced threat protection or whatever it may be as an offering so that's fine and that's a great intermediate step and that's usually vendor driven we select a vendor and that vendor provides this thing for us that we sell out and then i think most sophisticated msps really kind of move into that practice okay where they have a practice of security where maybe they can do the assessment beforehand maybe they have skills in that and they have a suite of offerings that they can offer depending on what the client profile looks like so what is their risk tolerance what's their compliance regulatory environment and that's really in the kind of classic challenger model that teach taylor take control is i want to teach you like hey android here's what you maybe didn't know that these regulatory requirements require a view okay and now i'm going to tailor my offering is like okay so here's based on these check boxes you have to check these 10 things that i'll offer will check these boxes for you and then take controls like and we need you to act you can't sit where you are you need to move so that idea of kind of coming in and understanding hey here's what their whole scope looks like here's what their profile looks like here's what their risk tolerance is here's what their compliance or regulatory environment looks like and then how do i build a suite of offerings that's flexible enough to meet what their requirements are and you know there's a whole bunch of different things in there i mean that can be you know cisco umbrella that can be multi-factor authentication that can be perched which is what we do you know it's a sim we have a sock that goes with it and so there's all these different things that you kind of layer in that stack um that are applicable to some all most whatever your client profile looks like based on who you serve do you have recommendations as far as you mentioned a couple if if partners are sitting there right now going okay we're getting into this game we want to be a you know a managed security provider as well what other you know vendor names do you think should be in that stack obviously perch you know pieces of cisco anything else well there's a bunch but i'll say it really kind of i mean as much as i would love to give you like a full name it really depends on who are your clients right right so if your clients if you focus on healthcare hipaa has some specific requirements right and so perch checks those boxes because those require log um log aggregation log reviews stuff like that financial services has some cmmc has some so i think it really kind of depends on who do you serve should determine what your suite is exactly because if you build the stack and then you go out that may or may not meet the demands of what your client base looks like so take your client first and say okay what do we need to do to serve them and then build your stack out of line based on that yeah no i love that that's a smarter so so so building a practice yeah is is the direction that that partners should take so which i love so you've got the the offerings are however you decide the precious metal it and and however your tiered programs look and then how do you i want to go back a little bit to that conversation that the sales rep that's scared to have the conversation how do you think that a successful savvy sales rep can position that chat with a current client when you're upsell cross-selling right you want to start and expand into the clients that you already have versus necessarily going out and finding new that's always wonderful but you can go deeper with the current ones you have how do you advise or how would you share with our partners to to not be afraid of that conversation and here are some quick lead-ins to how you can have that conversation without being worried that you're going to end up in an awkward situation because they thought you were already doing it it's a business it's a business conversation for business people okay right is i think that the problem in lots of companies is they view cyber security as a technology thing what is a risk thing right and all of us have to factor risk all the time i'm in a hurry but i'm also more likely to be in a car accident if i drive above the speed limit but am i going to accept that risk to get there on time or i could be a little late i mean people people plan for address and mitigate risk all the time right and that's not usually what the technical contact at your msp client is prepared to have that conversation right they think in ones and zeros and blinky green lights it's like that so you've got to go have that conversation with the business person and then the education component has to be there you have to educate them on okay here's what this looks like and then i really feel that you need a story to be able to tell them of how a breach would happen so that they can see themselves inside it because right now there's not a good way to make it like real so you know if you went to you know like a women's self-defense class right and they would talk to you about okay you're walking across the parking lot after coming out of you know the store and you're walking this guy comes up behind you grabs you behind the net what do you do and they like teach you you know what to do you need to think through what does a cyber security breach look like here right and so someone has got compromised credentials they have done this they've done this they've done this and all of a sudden being like oh so that's how it happens you have to take it from this like big scary thing that's hard to wrap your head around put it in the day to day and tell them this is what this would look like you're going to come in one day and 250 000 are going to be out of your account you're going to wonder why because your accounts payable clerk wired the money who they thought was you yeah but it wasn't you mr ceo it was to some bad actor somewhere so lots of times i feel like we don't do a good job of telling the story that the client can see themselves in that makes it real and then they're like uh i don't think i have a response to that i don't think i have a plan for that i don't know how i would address that what do i do to keep this from happening to me absolutely i think i think one of the so in putting things in that in that real term and the day in the life of whoever it is that you're talking to is so incredibly important and one of the one of the pieces i'll tag that into the the the communication lead gen piece as well because it's it's that constant you know figuring out how you need to turn that conversation for them and then dripping that to them as well having that sales conversation but dripping communications so that they can really start to understand whether it is a particular area so back to you know sending communications saying look what happened at your neighbor business look what happened over here so that they can start making it seem like wow it could happen to us it's not just someone over in a different state that we never come for a big business so talk to us a little bit about the you know it seems like big businesses have got it all figured out right you would think large enterprises they've got these massive security teams how do the smaller businesses right or the smaller msps figure out how to get these practices up off the ground to be competitive with security yeah so i think you know the misperception with a lot of small businesses is that who wants my stuff right but if you and i say we're idiots we decide we want to rob a bank okay right so i don't know if you've ever been in like the downtown building in downtown charlotte but it has facial recognition it has armed guards are we going to pick that one or are we going to pick the smallest bank in the most rural town of florida cheeto where the closest cop is an hour and a half away or something like that you know so when people think that well i'm too small that's a false sense of security because if i'm a bad guy do i want to go after the the armed bank or the one that nobody's looking at you're the one that nobody's looking at so and if i break into enough of those banks then there's a lot of money whereas you know maybe the has more in one but if the effort to break into 50 is pretty low well then maybe i've gotten a lot more money with a lot less risk from that so i think that the getting guys to realize okay it's not about being small it's not that your stuff isn't valuable because you know is 250 000 important to your business a lot of small businesses if they had to pay a ransom of 250 000 or someone had been phished and erroneously wired 25 000 250 000 for a small business is a lot of money and i know i mean i could rattle off countless companies that have been in the middle of that i'm aware of a mortgage company and they had money in escrow and stuff and the bad guys were sitting in their email just watching it was time to wire the money to this law firm and these guys have gone out and bought the domain the bad guys have bought the domain that looked just like the law firm but they used a capital i instead of an l and so they even looked and well that looks like the name of the law firm and so they wired the money to the wrong place right but the bad guys that sat there they had looked at all the transactions that were coming through for months and waited for one day when they found the right thing and that's 250 grand right and so that's a pile of money to your small to medium business that's the difference you're making payroll and not making payroll so you just have to think is you know the scale is different but the impact is probably greater in the smaller space you know that's a rounding error for definitely no absolutely and that's and i i love that tip for anyone tuning in too because even if you don't have the stories to tell you can use these examples and and share different things that that you've seen happen or heard happen and use that in your in your pitches in your upfront conversation so that when you're going out to find that new business it's it's it's really made apparent how lethal this can be to a small business and it's not just the targets of the world it's not just the banks of america that hackers are going after and that's story collecting so ask your team hey what what have you heard about what have we fixed that stuff and gather those stories and then socialize them so that everyone has those and you're not just kind of making it up on the fly what about what about from a standpoint of other trends that you're seeing that you think would be important for any partner watching right now to be taking advantage of yeah so uh the big ones are increased regulatory environments everywhere so a big one that just came out in january this year is called cmmc and cmmc is a standard for dod contractors and it basically says it has the elements of nist 800 171 plus other stuff okay and it's interesting is that it used to be where if you came online and you didn't meet a certain standard you could put it on your plan of action and measurements that your poem and say we don't we don't do that now but in eight months we'll have it done now cmmc is a pre-award certification so you have to prove that you have it done beforehand and it is a mad scramble anyone that does work with the gut with the dod is on it has to comply with this and it is a crazy scramble to get assessed and all kind of stuff so there's i think there's a lot of opportunity in cmmc there's a lot of uncertainty in that and it is a kind of a hot space where people are looking for help interestingly the dod has had an initiative in like the last decade around supplier diversity we don't want to just want to be raytheon and northrop grumman we have a lot more vendors and so they got a bunch of mom and pops right and now i have these mom and pops that have to adhere to the same stuff that raytheon and northrop grumman wow so it's a big it's a big deal so that and then i really think that you're hearing a lot more around um how do we get the smbs to improve their cyber security profile and so the government regulatory bodies have gone and looked at smbs and like well they don't have an i.t team so they have to then come to the msps and so i wouldn't it would not surprise me at all if there becomes like standards for msps that they have to adhere to um so i think that the more you can get ahead of that from a security standpoint the better off you are but i'll also say the talent is really kind of hard because it's a different type of nerd you know yeah your typical msp nerd is that in the most loving the nicest way possible i actually asked our team at a prior i mean do you prefer nerds or geeks against nerds and um but you know your typical msp nerd might be a scripting guy that he learned python on the side or something like that but they're going to be route and switch and server and vmware those kind of guys your security guys are entirely different kind of dude right um and so where do you go find them so that talent is scarce where you may have a guy on your team that just kind of learned python and scripting on the side right no one just learned security on the site right right so you're going to have to figure out how can i dedicate headcount to this and bring some headcount in to bring that knowledge um to there or it's just going to be a really long gap for your internal guys to kind of get up to speed you know on that so i think you probably need to go hire some talent internally because the winds are definitely blowing to where the small to medium businesses are going to have to meet certain requirements just because they're they're at risk too much right now and governments and the banks and all kinds of stuff we're kind of tired of dealing with them getting breached so i so i love this i hope you do too um so these are all amazing nuggets and and i hope that this has been really really really helpful before we part and i think we could talk about security for a really long time um but before we we we tune off talk me through some some quick tips anything else that you want to share any stories you want to tell anything that you think is is pertinent that that partners would need sure so i think the most important thing is at msp i've talked to hundreds and hundreds of msps over the years and they tend to get to a certain spot and they kind of stop okay and i'll always ask them you know and they'll tell me kind of where they are and i'm like ah it's the charlie story so okay uh the charlie story charlie's for it the charlie story so charlie was a guy that worked with me at a place called tech links and charlie was our best pre-sales engineer he was our best implementations guy he's our best tier three support guy he was just the best charlie surprisingly only wanted to work 40 to 50 hours a week right and so we reached this point we couldn't scale past charlie so we put him on pre-sales and tier three suffered we put him on tier three then pre-sales suffered or implementations and so we realized that we needed to scale charlie so the way that we talked about it was i said okay imagine if charlie opened a restaurant and his best dish is grouper of regrets right so the first night 20 people come charlie can plate 20 group of regrets the second night 40 people come he's kind of running around crazy but he can still get it done the third night he hires david and andrea to come in and help him but the restaurant people are not coming for david and andrew's group of regrets they want charlie's group forever grits so how does he create a recipe that if you're making it or i'm making is exactly the same that he did and so it's his conversion from people to process right is that you've got to stop selling charlie and our sales team was great at selling charlie hey andrew charlie will take care of you and you're like oh i like charlie that's gonna be good instead they had to grow like pivot towards the process like here's what's going to happen once you sign once you sign you're going to get a call from our onboarding team we're going to get assigned an onboarding engineer and you lay off this process and then you're looking at going okay i can trust that process is going to yield the result i want i don't have to be dependent on this guy right so most msps that struggle with scale is because they can't skill past their charlie whatever their charlie's name is is that charlie is the cog and they look at charlie as an asset they'll talk glowingly about charlie they're charlie but what they need to do is figure out okay how do we recipize right what he's doing so that we can um put that off so if you said what's about one great piece of msp advice it was it's how do you have a process that delivers the results instead of the people that deliver the results so that people become plug and play not that they aren't awesome and you don't want awesome people but you got to have an awesome process to plug awesome people into i think that is amazing advice so i i really hope that some of these nuggets resonated with you so process over people making sure that you're actually having practices not offerings and there's just there's so many good things that david just tapped into and i really really really hope that this challenges you and inspires you to go and perfect your security offering and practice and and putting it into play so if you've got any additional questions feel free to reach out we will make sure that they get answered for you and thank you for tuning in thanks