How many times have you approached a prospective client with a laundry list of issues on their network, trying to convince them that their IT is inadequate?

Maybe you call it a network assessment, network checkup, security assessment—this is what I tried to sell prospects on all the time when I was running my MSP. But with assessments or checkups come a slew of problems.

The first hurdle: getting them to sign up for the scan.

Hurdle 1: Getting a flat-out rejection from IT.

Sometimes their IT guy shut down the conversation from the get-go. Even if the CEO, CFO, or someone on the executive team was sold on the idea of getting a second pair of eyes to check up on security-related issues that might jeopardize their reputations, someone was bound to object to running the assessment.

Hurdle 2: A typical vulnerability assessment requires administrator credentials.

Someone is knowingly scanning their network with admin creds, and that someone is often the IT guy or gal in charge. And if you are dealing with a prospect that already has a managed services company managing their network, that MSP would likely be alerted to your assessment ahead of time (because your prospect doesn’t have the passwords to their network).

Hurdle 3: They might have gotten enough heads up to clean out the cobwebs.

It’s the typical scenario of having guests over to your house. You put away the clutter and tidy up your kitchen, bedrooms and living spaces to impress them. When you announce an audit or assessment, wouldn’t the IT team in place vacuum their carpets and shine the silver? You better believe it!

Hurdle 4: Technicians required?

As an outsider trying to get in, a typical vulnerability assessment is harder than it seems at first glance. Even when you get the administrative creds and even if you happen to have a prospect whose IT team doesn’t really care much that you’re snooping around, you still need to overcome the hurdle of having someone technical run the tool or tools to find issues on the network (and most likely have someone help explain those issues to your prospect in a way to get them concerned and ready to buy your services).

When I was running my MSP the biggest hurdle for our team in performing a security assessment was running the assessment. Yes, I was completely capable of doing these assessments myself, but in growing a sales team I really wanted something that any salesperson (or even marketing admin) could run.

Your problem today?

There really isn’t anything like that on the market today—something that an MSP could use to show issues with their prospect.

And even worse—most tools out there don’t really give business people a complete understanding of their and their team’s security posture. You might have assessed parts of the network, but in my experience it was really hard to give your prospect an AHA moment. Rather, they were left with a book—and by book I don’t mean booklet. I mean 500 pages of details that no executive would want to trudge through.

While that long report can certainly be effective, it dilutes any concrete understanding of their root problems. There’s no distillation of what to do or how to do it. It leaves an overwhelming feeling that nothing is really going to make this better.

What I learned was that vulnerability assessments were NOT the way to make prospects really understand their risks and see the immediate value in having you or someone else help them remediate those risks.

Now don’t get me wrong—these assessments often did work at driving a wedge or getting someone to start thinking about change in their IT management, but the hurdle of having to explain what was going on and classify problems in a manner that an executive or decision maker would typically understand was lost.

After years and years of experiencing these problems—selling prospects on free assessments, administrative credentials, technical workers to run, evaluate and compile scans (lots of time, money and effort by the way!) AND having to distill those findings into meaningful nuggets for clients or prospects to realize what was going on, I knew there had to be a better way.

Is there a better way?

I knew that we needed a better system to create awareness in our communities around cybersecurity—far outside of Dark Web password monitoring or hacker parlor tricks. I knew that we needed a new way of showing executive teams exactly how hackers were getting in and giving MSPs tools to create AHA moments that actually convince leaders to see a need to secure and maintain their networks.

One of the best drivers for that AHA moment has been a Mini Penetration Test.

Our team has developed an MSP-exclusive test that gives security-conscious MSPs the ability to pen test prospects and show them, if a hacker broke into their network, how they would do it and what they would find.

Passwords? Social Security Numbers? Credit Cards? That’s just the beginning. We’ve been able to expose advanced persistent threats (APTs), malicious employee actors and open doors (exploitable vulnerabilities), all without having any admin access to a network.

And the best part? Even your marketing admin could get your prospect to run the program as a basic user and compile the results for your readout (no engineers required!). No certifications needed.