At this point in 2022, I’m sure you have a cybersecurity stack. But is it good enough? Does it fit your clients’ needs? Is it what they expect?
I’ve been asked about cyber stacks so much lately—especially with the uptick in ransomware attacks stemming out of the Russia-Ukraine conflict—that I thought I’d clear the air a little bit.
You probably have a variety of clients. Some may be watching other businesses getting attacked and are picking up the phone and insisting that they invest in something better. They’re the ones that proactively want to protect their data and see value in having you help them. I call these folks security conscious. They want to do the right thing and they value their investment.
On the other side of the spectrum, as you likely have experienced, are the organizations that don’t really think it necessary to do anything. Maybe they simply want their printers to work and their internet up. They are laser-focused on making sure they are getting bang for their buck. They don’t want to invest in more than they have to. I call these guys the basic needs clients.
I want to first focus on what these basic needs clients really need when it comes to their stack.
I’m sure you’re thinking they need support. When someone has a problem, they need the ability to speak with someone.
You’re probably also thinking they need maintenance. Applying patches, updating applications that you’re supporting for them. You are probably making sure everything is running as well as it can, based on security patches released. You are probably also including some sort of backup solution.
If you’re not offering backups, you probably will not have a chance of recovery in the case something goes wrong. I’m sure most of your basic needs clients will appreciate a need for some basic backup solution.
You may even have a solution in place that allows you to recover them if the client messes something up or if they do get phished. If somebody does get in and causes damage, or maybe one of their employees is malicious and just does bad things, you’d have to have some sort of backups to ensure that they are able to recover.
Note here that I'm not saying that backups are part of their security solution, but I am saying it's important from the standpoint of ‘what if something goes wrong’.
And, by the way, hardware still fails.
It could be a hardware issue that's causing them to need those backups.
Finally, you probably have some sort of antivirus in place for them. This is your basic needs solution. No bells or whistles. It mainly checks off some requirements that will keep you, as their provider, out of the finger-pointing if something were to go wrong, and keeps the client more or less happy that they get to keep their piggy banks slightly more full.
What About A Security Stack For The Security-Minded?
For the security-minded, you should have application whitelisting, M365 hardening, security training, and ongoing third-party security assessment.
We typically recommend that you have an ongoing assessment that shows them that their security is working as expected and points out to employees why good hygiene is really a necessity today. What we typically recommend—and many cyber insurance policies require—is a third-party assessment. [Note: one way to see an assessment like this in action is by getting a cyber stack assessment for your own environment].
You will likely have a compliance side for these types of clients. You will probably have some sort of managed compliance, some sort of SIEM, and XDR, and micro-segmentation. So that would be the three different pieces that you have in place.
What does that mean for you? You're probably going to have to build out some sort of security solution, some sort of advanced security solution.
I recommend something simple, like Advanced Security 2022.
I'm not calling this my advanced security solution and then listing out all the individual products by name. I'm not listing out all of the different products. What I want you to do is package a solution and show them value in the solution.
Instead, I'm saying, here's Advanced Security 2022, and here are the things it does for you.
Why am I doing this?
At some point, maybe in 2023, you're going to increment the Advanced Security 2022 to 2023. Hackers will be up to different tactics and the stack that works the best today may not cut it tomorrow.
When you do that, you're probably going to change some stuff. And when you change some stuff, you don't want to have to go rewrite or re-communicate what you have in the stack.
Instead, you're focusing on the overall Advanced Security 2022 solution, and what it does for your clients and your prospects.
The last thing that I want to mention here is, as you're creating your special cocktail of tools, we want to make sure that we focus on keeping this separate from your managed services offering.
And then your managed security offering.
You’re probably going to have some sort of benefit that comes along with your Advanced Security 2022. Now we will talk about how to figure out what those benefits are.
Now, what does it look like when you get this together for a proposal?
You're going to go through and you're going to have a price point for each one of your offerings and then present security and support in two different lines.
One more thing to remember—your clients and prospects are always at a certain point in the buyer’s journey. And when it comes to security, no one has really defined a buying period—as in, there is no amount of time where they’re satisfied with their current solutions and waiting to buy something else. If you are able to show them why they need security and they understand and appreciate the risks involved in doing nothing, they’ll be ready to sign on for your added security services.
One of the easiest ways to communicate risk? Through a third-party cyber stack evaluation.