I know we’ve all been there.
You have a client or prospect, and you just can’t convince them that they need to take any action. Even if you have a report that communicates WHY security is important, they might have already put up some roadblocks to you getting through to them.
The big issue? Even though you might start hitting issues that mean something to them, they’re already convinced your solutions will not be right for them.
Unless you address their core objections up front, you probably will have a very slim chance of ever convincing them that they need to invest in you or your security solutions.
I’ve gotten a lot of folks reach out to me asking why do we need to worry about sales here! We are interested in security!
I personally am of the belief that sales is a major part of security. If your team cannot adequately communicate value of your security products, you’ll probably not convince your clients to invest in a more advanced security stack, ultimately hurting them and their security posture.
I am especially interested in you helping to protect a million people- our company mission. And one of the ways our MSP partners are doing this is by getting their prospects to understand why they should invest in security (and not just select the cheaper solution that cuts corners).
Today, I want to focus on the top five objections we see when it comes to investing in cyber stacks. To really confront objections is telling your client or prospect a story to get them to understand the implications behind their objection.
Objection 1: It wouldn’t matter if a hacker got our data.
The big issue here is that you haven’t helped them think through what will happen.
This specific objection reminds me of a story that we had to deal with a couple of months ago.
The office manager had her email compromised, and the attackers used the access to get to their payroll. They ended up tricking her into wiring $40,000 dollars to the wrong account.
Can you imagine if the person responsible for your payroll wired it to the wrong account? First, the office manager was devastated that she fell for the trick, and then there were all the employees who didn’t get paid on time. Not to mention they were not able to get their money back because as a business, you cannot just recover a wire.
Get your client involved in the story. Ask them:
Do you ever wire money? Do you have any employee information or account numbers?
They will most definitely have a better understanding of the situation.
Objection 2: I already have cyber insurance.
Issue: you didn’t illustrate to them the impact a breach will have on their organization
Address this issue by asking them about their cyber insurance (I would do this at the beginning of your meeting for a prospect or at an annual meeting for a client).
After you listen to their response. I would say something like:
You know, just because you have insurance doesn’t mean you want to actually want to experience using it.
I am sure you have health insurance; do you take unnecessary risks with your health?
I mean, just because you have health insurance doesn’t mean you want to go through an open-heart surgery, right?
Objection 3: My IT team handles our cybersecurity.
This might be some other company, their internal IT, or even you. Whatever their support currently looks like, they probably are expecting that everything is being handled (even if it isn’t).
The main issue here is you haven’t educated them on the difference between IT and Security.
I would mirror them here (repeat their phrase). Your IT team handles all of your cyber security?
Then I’d say:
We find that security is changing very fast, too fast for any one individual to keep up with.
We even have a third-party security team that audits our work, because we’ve seen the type of devastation a hacker can have on a person, or a community.
One thing we could do is help out by performing an assessment to see.
Objection 4: We haven’t been hacked yet.
This is a super common objection. If they can’t see it happening to them, it mustn’t be that bad. It is human nature to underestimate future risk.
Start by saying:
It sounds like you’ve been really lucky.
We’ve seen a huge uptick in hacking over the past few years. CISA and the FBI just issued a warning about a huge increase in ransomware.
I think it is related to all of the vulnerabilities AND the increased success ransomware gangs have had. Get in while the getting is good is the thought process. Think of it as fear of missing out for the attackers.
Objection 5: We are already [fill in the blank] compliant.
The big issue here is you haven’t delineated the difference between compliance and security.
I’d address this by saying:
Okay, it sounds like you are already investing a lot of money in compliance.
Our security team worked on a hospital recovery. Hospitals work very hard to be compliant. This particular hospital had a HIPAA risk assessment just a month before their ransomware event. They were doing all the right things according to HIPAA. How did the hackers get in? Phishing.
Get them to see by story that security is a completely different thing than compliance.
Heck, HIPAA is well over 20 years (which means it’s a dinosaur in tech years!). Can they really trust their security tactics complying with a law that might not have even conceived of what technology might be out there today? I typically bring in an old flip phone and ask hospital administrators to wrap their heads around applying a usage policy for flip phones to the smart phones we have today.
The easiest way to break through to people?
Bring up the objections before they do! Also show them what is at stake. The easiest way to see how this works? A cyber stack evaluation.
