How to Talk Cybersecurity Risks and Rewards with Your Customers
Talking to your customers about cybersecurity shouldn’t be stressful, it shouldn’t be one time, and it shouldn’t be after a breach or other incident has occurred. Too often, however, that’s not the case for managed service providers.
Asking the right questions beforehand can be a determining factor between preventing, or even recovering from, a cyber-attack and disaster, according to panelists during a CompTIA Cybersecurity Community Meeting at CompTIA’s Communities & Councils Forum in Chicago.
Start the Conversation with a Common Pain Point
Starting a cybersecurity conversation with customers could entail bringing up a common pain point, including one that they don’t even know exists—like asset management, according to Chris Johnson, cybersecurity strategist for OnShore Security.
“A simple question like ‘What are your assets?’ is not given enough attention. There’s often an assumption on the client side that MSPs are already managing all the assets. But you can’t protect what you don’t know, and what you don’t know will be the downfall,” Johnson said.
If nothing else, take pen to paper to manually collect a list of all assets so you’ll have an idea of what the client should have. And don’t forget possible virtual assets like Azure or AWS servers offsite.
“You can’t rely on just technology to be the true truth. It has to be an intentional effort to get the real truth,” Johnson said.
Added moderator Nicole Upshur, regulatory compliance counsel for nContracts, “I like to say you can’t just rely on cybersecurity. Sometimes it’s nice to be hands on, to have something concrete in your hands like a list.”
Speak in Business Terms, Not Technology
Target business leaders, the owner or executive team, within your customer’s organization to strike up a cybersecurity conversation. Business leaders understand risks, not technology, so meet them on common ground, said Alex Rutkovitz Spigel, cofounder and vice president of Choice Cybersecurity.
“Meet the client where they are, with key performance indicators or key risk indicators. It is different for everyone. Understand what the risks are and what would put a customer down. What are their business objectives? How are they growing? Understand the business as a whole so you can better protect them as a whole,” Spigel said. “A friend asked me last night ‘What keeps me up at night?’ Ask them that.”
Added Vince Crisler, CEO of Dark Cubed, “When you talk to executives, it’s about breaking down the risks to their business. That way you can help them manage their risks and use people, policies and technology to reduce that risk.”
There's More to Talk About than Money
Deloitte has noted that businesses spend about 10% of their IT budget on cybersecurity. The problem is that many companies don’t want to spend anywhere near that, Crisler said.
“Any money budgeted for cyber is already a commitment, but most think they can’t put more money into it,” Crisler said. “But there are a lot of things we can do that don’t involve money, but customers need to participate to make it a reality.”