Surprisingly, cybersecurity is not always a top priority for end customers—they tend to prioritize other focus areas such as business transformation, social media strategy and new growth opportunities.
When it comes to allocating budgets, many customers are fully aware that cybersecurity needs to be right up there at the top of their priorities, but they are forced into a balancing act with other investment aims as they prioritize growth and winning new business.
It is the job of MSPs and solution providers to convince their customers of the best way to invest their resources so that they are fully protected against the growing number of increasingly complex security threats facing companies today, according to Carolyn April, senior industry analyst at CompTIA.
Presenting a snapshot of the CompTIA State of Cybersecurity 2024 report at the CompTIA EMEA Member and Partner Conference 2023 in London, April said the report this year focused on the viewpoint of end user customers, giving all channel players who read it a foundation to understand how well versed their customers are when it comes to cybersecurity.
Spoiler: They are not well versed at all and are increasingly turning to third-party providers to handhold and guide them through the minefield of cybersecurity.
“Sometimes as technologists we think that everybody has technology top of mind and they know what is going on, particularly around cybersecurity, but then you realize in a company of 100 people, 75 of them are in sales, marketing, HR and other roles, yet tech, especially cybersecurity, really affects their lives and their daily work lives, but they don’t necessarily know much about it,” April said. She added that the report will give MSPs a better idea of how they can sell to customers, cater to their needs and ensure they are doing all the right things with regard to cybersecurity and their security posture.
“Even though cybersecurity should be a top priority, it can’t always be,” she said. “Companies have to balance the decision – how much cybersecurity should we have at the limitation of our innovation and our progress – how much money are we willing to take away from this piece of the pie?”
Many end user companies believe their current security posture is good enough, but this is because they haven’t experienced an attack, breach or any sort of event that has caused problems within their company, April said.
“No bad news has happened within their company, and they think that everything is operating,” she said. “But that is a very dangerous attitude to take. We need to be proactive when it comes to cybersecurity. We have moved away from always being defensive and reactive, waiting for something bad to happen and going into clean-up mode.”
“Today it is imperative for companies to be proactive and to anticipate the bad things,” April said. “The best reason for nothing bad to have happened is because you are on top of it proactively as opposed to just being lucky. In truth, if you think your security is good enough, then it probably is not good enough.”
A risk management approach with customers based on their answers in the report is one way to engage with them, April explained. Companies have a choice of doing it very formally using frameworks, or informally where a cybersecurity team has regular discussions around strategy. Or they could do nothing at all.
She said although larger companies that have a more formalized risk management approach tend to be the ones that get hit, they at least have the resources to recover.
“Smaller companies when they get hit are less likely to be able to recover,” she said. “A million-dollar mitigation to regain what they have lost is a one-way street to bankruptcy. The potential for something catastrophic to happen to a smaller company is far higher, yet they do not have that formalized approach.”
The Three P’s: Policy, Product, People
All businesses should focus on three areas: policy, product and people, all of which require significant support from channel providers, April said.
The amount of compliance and regulation needed in each different country is a key consideration when putting together a successful cybersecurity strategy for customers, but MSPs often need expert help themselves, and they should not be afraid to take it.
“Keeping on top of this area isn’t always easy especially if you are a small service provider or MSP,” explained April. “It is changing all the time; you really need an expert out there to help you—maybe even your own cybersecurity legal eagle.”
Every product sale, regardless of what it is, needs to have a cybersecurity slant, added April. MSPs must talk about risk with their customers. Also key for MSPs when selling any new product—cybersecurity-focused or otherwise—is bringing business decision-makers along on the journey.
“It is very important not to silo cybersecurity among the IT department, it needs buy in from the CEO/principal/president of the company—you need businesspeople involved in the conversation,” she said. “Most customers, especially line-of-business [leaders], don’t understand the security risks. And it shouldn’t matter whether you are selling hardware, networking, services, doing an implementation; there should be some level of a cybersecurity conversation around every product sell.”
Finally, cybersecurity doesn’t mean a lot without people. MSPs must have employees on board that understand the technology, so they can share that expertise and a cyber-first philosophy with customers.
Many end user customers do not have the resources to have their own cybersecurity specialists, so they are increasingly turning to third parties, April added. And those customers are going to select providers that have the broadest knowledge in specific verticals along with that cyber expertise.
“When you are looking at hiring people for a security team, many companies will have a basic IT department and perhaps a couple of people who are good at cybersecurity, but they are not true cybersecurity specialists,” she said. “Think about how much more complex it is going to get and then think about upskilling or retraining your people. Have someone on your team who can do analytics and one who is process oriented. There are so many opportunity areas around cybersecurity to plug into if you are a third-party provider, and one of the biggest differentiations you can have from the competition is specialization.”