Initiating a conversation about business risk with your clients isn’t always comfortable—but it’s necessary. Your customer can never be 100% secure. Risk happens every day at every organization. But if you can confidently explain risk to your customers in a way that resonates with them, you’re well on your way to discussing mitigation strategies and making informed decisions about managing that risk.
“Risk assessments make these things in the environment visible so we can have a conversation. Risk assessments get rid of ‘we thought you did that for us.’ We have to have those uncomfortable conversations,” said Alex Farling, co-founder, Empath, in a ChannelCon 2024 session with Jesse Miller, founder, PowerPSA, LLC.
How Do We Approach Risk?
Farling and Miller likened risk to what they called a “janky chair,” using the analogy of walking into a room and seeing a nice chair and a chair of questionable quality. It’s your decision which chair you choose to sit in—and these are the choices your customers are making every day.
Choosing to sit in the janky chair is a micro-second decision. The choices are:
- Accept: You sit in the chair
- Transfer: You make a friend sit in the chair
- Mitigate: You prop the chair up with a book or wear a bike helmet to protect yourself
- Avoid: You find a better chair
“This is a human conversation,” Miller said. “Our customers don’t speak our language, so we have to translate it into a language they understand. Our job is to present risk so that the client can make a business decision. Once we identify a risk, we go back to these four steps to figure out what to do with it.”
In other words, if there’s a blanket over the proverbial chair, it’s your job to uncover it.
“When you do it well, and remove the shroud, the customer says, ‘holy cow, I can’t believe I’ve been sitting in this thing,’” Farling said.
Driving the Discussion
Different chairs serve different functions. Do you know which chair your customer is going to sit in?
“This is where it’s important that we know our customers’ business and let the business goals lead the cybersecurity outcomes,” Farling said.
The desired outcomes for the client should drive the discussion. “They don’t know what they don’t know. It has to be you as an advisor. But they won’t listen to you if you’re not starting with the business outcomes,” Farling said.
Miller agreed. “As an MSP, we layer service over top of our programs and that becomes our offering. Build a solution for your customers that can help them achieve their business outcomes,” he said.
At the core of assessing a client’s cybersecurity maturity is the ability to engage in meaningful conversations that go beyond surface-level inquiries. That’s why the CompTIA Community released the Cybersecurity Guidebook for MSPs: Best Practices for Protecting Clients.
In addition to talking about current business outcomes, the guidebook suggests discussing the client’s future plans as well:
- Use of advanced technologies: Discuss the client’s use of AI and other advanced technologies. This can reveal both opportunities and vulnerabilities.
- Data management practices: Understanding where and how sensitive data is stored and managed can highlight potential security gaps.
- Future business changes: Explore any anticipated changes in the client’s business, such as new services, compliance requirements or acquisitions, and how these might impact their cybersecurity needs.
Key Takeaways
When it comes to discussing risk with your customers, there are a few things to keep in mind. Farling and Miller outlined these key takeaways:
- The risk assessment creates shared consensus within the organization. You don’t get shared consensus without having the conversation.
- A finding doesn’t mean a fix is needed. Try to find the things you cannot do for the customer and still make them feel comfortable about the environment.
- Clients own the risk, the MSP advises. The client needs to be the one making an informed decision. But the MSP should provide direction and support.
- Business value drives risk. When you learn what’s important to your clients, you’ll be able to identify where the risk lies.
- Focus is your friend. You’ll want to do some research within your own client base to determine which clients you’re getting the best outcomes for.
In a perfect world there wouldn’t be a “janky chair.” But we all know that’s not reality. There are janky chairs hiding in odd places and ones in plain sight. The goal is to be able to spot the risk and figure out what you want to do with it before it becomes a problem.