Do you remember when you were looking to purchase your first home? If the seller simply said, I’ll do the inspection for you—no need to have a third party get involved, would you go ahead with it?
Maybe if you had a keen eye for problems and personally had experience with and understood the type of house you were buying, you’d be okay without the inspection. But if you weren’t versed in electrical, plumbing and structural red flags, if you were like me, you’d want a second opinion that was someone other than the homeowner who is trying to get top dollar.
Your clients and prospects are kind of like that first time home buyer. They aren’t experts at technology (at least not to the extent your team is). And they likely are going to be approaching investments in cybersecurity—investments that have invisible returns—with caution.
While they most likely trust you and your service, in the back of their mind, you better believe they’re thinking that you’re trying to sell them something.
Wouldn’t it be better to have someone else point out the problems and for you to be there to be the team that helped solve it?
Rather than being the salesman, you’d be the team providing just the right amount of security to meet their network. You’re not selling simply to make more money from them, and they understand why their making a sound investment without the suspicion of being sold to.
Think of your experience at the doctor’s office. If your doctor saw a potential problem, wouldn’t they refer you to get some sort of test to really understand the nature of the problem?
After getting a readout of results from the cardiologist, we were convinced of the problem and knew that we needed to do something about it. The doctor wasn’t pulling out his home-grown report. He used the data generated from the lab to show us why we needed to act now. We trusted the advice and thought it credible in part because he based his recommendations on data and information produced by a third party.
If you are generating your own reports for clients and prospects, you reduce your credibility.
You also show a blatant conflict of interest (you’ve got a financial stake in their decision). I’m not saying that the reports you create aren’t informative or accurate.
What I’m saying is the perception of a self-generated report when you’re trying to sell is a LOT more difficult than referring to a third-party report that leads to the same conclusion.
What your client or prospect needs is to be shown why they need to invest in their security or consider your managed services. What I’ve seen—having grown an MSP to 8.5 Million before selling it in early 2020 is that simply generating a report and reviewing it with clients often falls short. They aren’t convinced and have to think about it
That thinking about it time—whether they eventually upgraded their security or took us up on an engagement—left them vulnerable to serious security vulnerabilities. Vulnerabilities that if pointed out in a less biased format (like a 3rd party assessment) would have sped the decision-making process and alleviated objections to your motives of pointing out those issues.
What I’ve found is having a 3rd party helps your client wrap their heads around the actual problem. Having a 3rd party tell them that they have deficiencies in their stack goes a long way in showing them they need to invest more in their security. When I used to outsource this task to expensive pen testing shops annually for some high value customers, we’d end up with a ton of project work and increased MRR when all was said and done. The secret was having someone else lead them to the conclusion you may already have.
If you’d like to see how a third-party assessment works, see for yourself at www.galacticscan.com/stack.