Talking to your customers about cybersecurity shouldn’t be stressful, it shouldn’t be one time, and it shouldn’t be after a breach or other incident has occurred. Too often, however, that’s not the case for managed service providers.
Asking the right questions—beforehand—can be the determining factor between preventing, or even recovering from, a cyber-attack and suffering a disaster, according to panelists during a CompTIA Cybersecurity Community Meeting at CompTIA’s Communities & Councils Forum in Chicago.
Start the Conversation with a Common Pain Point
Starting a cybersecurity conversation with customers could entail bringing up a common pain point, including one that they don’t even know exists—like asset management, according to Chris Johnson, cybersecurity strategist for OnShore Security.
“A simple question like ‘What are your assets?’ is not given enough attention. There’s often an assumption on the client side that MSPs are already managing all the assets. But you can’t protect what you don’t know, and what you don’t know will be the downfall,” Johnson said.
If nothing else, take pen to paper to manually collect a list of all assets so you’ll have an idea of what the client should have. And don’t forget possible virtual assets like Azure or AWS servers offsite.
“You can’t rely on just technology to be the true truth. It has to be an intentional effort to get the real truth,” Johnson said.
Added moderator Nicole Upshur, regulatory compliance counsel for nContracts, “I like to say you can’t just rely on cybersecurity. Sometimes it’s nice to be hands on, to have something concrete in your hands like a list.”
Speak in Business Terms, Not Technology
Target business leaders—the owner or executive team—within your customer’s organization to strike up a cybersecurity conversation. Business leaders understand risks, not technology, so meet them on their common ground, said Alex Rutkovitz Spigel, cofounder and vice president of Choice Cybersecurity.
“Meet the client where they are, with key performance indicators or key risk indicators. It is different for everyone. Understand what the risks are and what would put a customer down. What are their business objectives? How are they growing? Understand the business as a whole so you can better protect them as a whole,” Spigel said. “A friend asked me last night ‘What keeps me up at night?’ Ask them that.”
Added Vince Crisler, CEO of Dark Cubed, “When you talk to executives, it’s about breaking down the risks to their business. That way you can help them manage their risks and use people, policies and technology to reduce that risk.”
There's More to Talk About than Money
Deloitte has noted that businesses spend about 10% of their IT budget on cybersecurity. The problem is many companies don’t want to spend even near that, Crisler said.
“Any money budgeted for cyber is already a commitment, but most think they can’t put more money into it,” Crisler said. “But there are a lot of things we can do that don’t involve money, but customers need to participate to make it a reality.”
One example is physical security training: getting employees to understand they can’t do things like leave PCs and other assets lying around.
“There’s some paralysis by analysis because it’s so daunting and overwhelming,” Crisler said. “It’s either downfall or success. I’ve seen users turn off two-factor authentication because they said it was too complicated. How complicated is it to punch in six numbers? It’s not complicated, it’s convenient.”
Overall, the key to a successful conversation with customers, according to the panelists, is to provide a consistent message and get them to understand that it’s not if they’ll be the target of a cybercriminal, but when.
“Cybersecurity is a game where offense always wins, and defense always loses. Assume you’ll lose at some point. It’s all about how you make it harder for the bad guys to win, how can you find out sooner that you lost, and reducing the impact when you lose,” Crisler said.
“We can’t prevent every bad thing from happening, but what you do is the difference from whether you come back or not,” Johnson said.
Finally, take customers through simulations and other table-top exercises to show them what can happen if they’re not adequately prepared. “I’d rather fail a simulation than lose hundreds of thousands of dollars to the wrong person,” Spigel said.