With the threat landscape continuing to grow, Trend 2 in Gartner's latest report particularly caught my eye. We’ve been talking about how critical it is for MSPs to get in front of certain conversations with their clients, lately regarding AI, but cybersecurity remains a top issue and one that MSPs are in an advantageous position to help improve.

Fostering a Partnership Mentality

At a recent event, I had an MSP tell me that they “hate QBRs”. Putting on my curiosity hat, I uncovered that the issue was that this person hates “selling all the time” and doesn’t appreciate the salesy nature of QBRs. He wasn’t wrong, as the industry has certainly been telling us for years that QBRs are the primary mechanism for increasing wallet share. But there’s a lot more to QBRs than a sales agenda. Whether you subscribe to the QBR mantra or you have monthly check-in calls, these critical outcomes should be prioritized:

  1. Establish Common Goals: Begin every meeting by setting or revisiting common cybersecurity goals. It's not just about reviewing what has been done but aligning on what success looks like moving forward. Use these meetings to demystify cybersecurity jargon, making objectives clear and measurable. Both parties should leave with a shared understanding of the "why" behind each goal.
  2. Adopt a Consultative Approach: Treat each interaction as a two-way street. Instead of dictating what needs to be done, engage in a consultative dialogue. Ask open-ended questions to understand their concerns, priorities, and perception of cybersecurity risks. This approach drives a partnership mentality, with MSPs and clients working hand-in-hand toward securing their environments.
  3. Personalize Communication: Recognize the diversity in your clients’ understanding of and involvement in cybersecurity matters. Customize your communication to match their level of expertise, ensuring that technical explanations are accessible. This personalized approach encourages active participation and ownership of cybersecurity practices.

Leveraging Chris Voss Techniques

Chris Voss, a former FBI negotiator, has been quite popular as of late, and he offers invaluable insights into improving communication and negotiation. And “negotiation” is not necessarily about a price or a sale, by the way; it can simply be getting the client to agree that a risk exists, for instance. Many of his recommendations can be applied to MSP-client interactions:

  1. Tactical Empathy: Show your clients that you understand their cybersecurity fears and challenges. Before diving into solutions, acknowledge their concerns with phrases like "It sounds like you're worried about..." This builds trust and opens up a more receptive dialogue.
  2. Mirroring: This simple yet effective technique involves repeating the last few words your client has said. It encourages them to elaborate more on their concerns or views, giving you deeper insights into their priorities and how they perceive cybersecurity threats.
  3. Labeling: Identify and name the emotions your client is experiencing. For example, "It seems like you're feeling overwhelmed by the potential cybersecurity risks." Labeling helps validate their feelings and moves the conversation towards solutions.
  4. Calibrated Questions: Use open-ended questions that start with "how" or "what" to get your client thinking about solutions collaboratively. For instance, "How do you see this cybersecurity strategy aligning with your business objectives?" This not only involves them in the problem-solving process but also empowers them to take ownership of the cybersecurity strategies implemented.

Some thoughts on mirroring, specifically: this one’s tough because it’s easy to overdo while you’re still thinking about how to use it effectively. I recommend aiming to use it once per conversation until you get more comfortable identifying when to use it. Here’s an example conversation where you might use mirroring.

Client: "We're really concerned about the increasing number of phishing attacks. It seems like no matter what we do, they keep getting through."

You (Mirroring): "Keep getting through?"

This mirrored response does a few things. First, it signals to the client that you are actively listening and engaged in what they are saying. By repeating back a portion of their statement, you're prompting them to expand on their concern without directly asking a question or offering a solution immediately. This can lead the client to elaborate on specific incidents, express their feelings about the situation more deeply, or clarify what they mean by "keep getting through."

The conversation might continue with the client providing more details, such as:

Client: "Yes, despite our efforts in training and implementing email filters, we still see a significant number of our staff clicking on links they shouldn't. It's frustrating."

This gives you a clearer picture of the problem and allows you to tailor your advice, solutions, or reassurance more effectively. You might then proceed to discuss more targeted strategies, such as advanced phishing simulation training, deploying MFA (you haven’t yet?!) to minimize the impact of compromised credentials, or enhancing your security awareness training (SAT) programs to address the specific vulnerabilities your client is facing.

By mirroring, you've not only gathered valuable information but also reinforced the client's perception of your attentiveness and commitment to addressing their concerns.

Breaking Down Advice for Varied Expertise Levels

Implementing the above strategies requires a nuanced understanding of communication at different levels of an MSP organization. Here's how employees at various levels can start implementing this advice:

  • For Technical Teams: Focus on translating cybersecurity jargon into business impacts. When discussing technical aspects, always link back to how it affects the client's business goals and operations. Develop empathy and listening skills to better understand client concerns and tailor your technical advice accordingly.
  • For Sales and Account Management: Enhance your consultative selling skills with a deep understanding of cybersecurity trends and threats. Use empathy and calibrated questions to uncover the client's real concerns and align your solutions with their business objectives. Practice active listening and mirroring to build rapport and trust.
  • For Leadership: Lead by example in adopting a partnership mentality with clients. Encourage your teams to employ Chris Voss's techniques in their communications. Foster an organizational culture that values empathy, clear communication, and a deep understanding of client needs and challenges in cybersecurity.

Calibrated Questions

The goal of calibrated questions is to engage the client in a conversation that leads them to reveal information, reconsider their position, or think more deeply about a solution. They’re designed to avoid simple yes or no answers and encourage more thoughtful and detailed responses.

This is an area where you can easily build a small library of items that help unblock conversations and, more importantly, are the types of questions that really help clients feel part of the process. Here are some examples of calibrated questions you might use with a prospective client:

  1. What type of data are you using and creating on a daily basis?
  2. How is your data being saved and stored (cloud solutions or hosted locally)?
  3. What compliance impact do you anticipate from governance bodies (HIPAA, GDPR, etc.)?
  4. How do staff currently store and use passwords?
  5. What security processes have you implemented to integrate with current business ones?
  6. What are the major security risks that you have identified in your business?
  7. How might an unauthorized disclosure of data occur?
  8. What controls have you implemented to mitigate identified risks?
  9. How are you protecting access to your systems today (SSO, MFA)?
  10. What customer PII (Personally Identifiable Information) do you currently store and work with?
  11. Have you identified who might be interested in your data?
  12. How are you equipped to handle all of these potential issues and risks on your own?
  13. What strategy or response plan do you have in place to handle a security issue or breach?

Here is another set of questions suited for existing client conversations:

  1. How have your cybersecurity needs changed since our last review, and how can we adapt our strategy to meet these evolving requirements?
  2. Can you walk us through any specific cybersecurity concerns that have emerged in your industry recently?
  3. What feedback do you have from your team about the current cybersecurity training and awareness programs?
  4. How effective do you find the current incident response plan in a simulated cybersecurity breach scenario?
  5. In what ways have the recent cybersecurity trends influenced your perception of our current cybersecurity posture?
  6. What challenges are you facing in maintaining compliance with evolving regulations such as HIPAA, GDPR, etc.?
  7. How has the integration of new technologies or platforms impacted your cybersecurity risk profile?
  8. What improvements would you like to see in the way we manage and respond to cybersecurity alerts?
  9. How do you perceive the current balance between cybersecurity measures and user convenience in your organization?
  10. What are your key priorities for cybersecurity investment in the coming year?
  11. How has your data usage and storage strategy evolved, and what implications does this have for our cybersecurity approach?
  12. Can you share insights on any internal or external cybersecurity audits or assessments you've undergone since our last discussion?
  13. What specific areas of your cybersecurity framework would you like to strengthen or reevaluate?
  14. How are you currently monitoring and evaluating the effectiveness of your cybersecurity controls?
  15. What role do you see cybersecurity playing in your overall business continuity and disaster recovery plans?
  16. How do you assess the cybersecurity awareness and preparedness among your staff at various levels?
  17. What has been your biggest challenge in implementing robust password management practices across the organization?
  18. How would you describe your current capability to detect and respond to sophisticated phishing attacks?
  19. What steps have you taken to ensure the security of customer PII, and where do you see potential vulnerabilities?
  20. Looking ahead, what are your strategic objectives for cybersecurity, and how can we align our services to support these goals?

I get that some questions may not even have an answer, but that may be the point! For example, when asking “What steps have you taken to ensure the security of customer PII, and where do you see potential vulnerabilities?”, the answer might actually be “What do you mean?”...LOL 💀. At this point you might proceed to explain how the average PCI non-compliance fine is $XX,XXX, or how some compliance frameworks like PCI require self-attestation, or whatever fits the situation.

Improving communication with clients, especially in cybersecurity, is not just about exchanging information; it's about building a strategic partnership based on trust, understanding, and collaboration. By aligning on common goals, adopting a consultative approach, and leveraging effective communication techniques, you can really work together with clients to navigate this complex cybersecurity landscape. The strategies outlined above provide a foundation for MSPs at all levels to enhance their communication skills, helping build a more secure and resilient environment for their clients.

There’s this one quote I always hark back to, which helps me stay off the ol’ soap box:

People reject what they’re told, but accept what they conclude.

It’s a tall order, but guide the conversation in such a way that your clients come to their own conclusions about the initiatives required to improve their security posture. Leave your thoughts below, or connect with me on LinkedIn!