Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Steve (00:00):
Welcome, everyone, to MSP
Tutor, the show where we want
(00:04):
to teach MSPs something useful.
We've got no sales pitches, vendor agnostic material.
It's going to be something that you can use no matter what stage
you are in in your business.
So without further ado, I'm joined today by Mark Lamb.
Mark is the CEO of HighGround and also of M3 Networks, if I understand correctly.
(00:29):
Welcome, Mark.
Mark Lamb (00:30):
That's great.
Thank you, Steve.
Steve (00:32):
us a little bit of background
about you so that way I want them to
know, like, why should we trust Mark?
We're going to talk today about selling cybersecurity, and want to make sure
that they believe what you have to say.
Mark Lamb (00:46):
Yeah, well,
hopefully you can trust me.
Yeah, so my background is actually technical.
We, me and my business partner set up an MSP in Scotland called M3
Networks about 14, 15 years ago now.
And for the longest time I was the CTO, technical director and founder.
It was only in the last five or six years that I sort of transitioned from that
(01:09):
to the CEO role, and I've been building out HighGround as a product to help MSPs
deal with the cybersecurity problem.
So, that's my sort of background.
Definitely more of a creative technical person, they want to And how you describe
that, you know, two sides of the brain are connected, which is immensely
frustrating at times, but I would suppose to the point of trust, I would say I
(01:31):
have lived through, I continue to live through the problems that you experience
and have to face that customer face to face in a real meeting, and really
sell that stuff that, and get them to understand the problems and get them to
make decisions and also deal with it.
When they don't and they leave, they leave us with the problem instead, and you're
left wrangling with that problem too.
Steve (01:53):
We're going to talk today about
having a conversation with clients
and prospects about cybersecurity.
The end goal is to sell them something.
I'm of the opinion that you need to educate, instead of sell, and
allow that prospect or client to make an informed decision, and almost
come to their own conclusion that, hey, I need to do this thing, is
(02:16):
this something you can do for me?
Maybe that's why I was never great at sales.
What's your take on that, Mark?
Mark Lamb (02:23):
Yeah, I mean, you
are right, because if you go in there
all guns blazing, with an agenda that you're going to sell this stuff and
the customer's going to buy it, they're going to be a white knuckle ride as
they're petrified about what's going to come next and how scared they are.
It doesn't go well.
The customer's just shut down.
And so this educational, you know, consultative approach, which is
(02:43):
typical of us as MSPs, right?
It's always been, I think it always will be a consultative sell in
what you do, which means education is naturally a part of that.
But I think the conversation begins, or I should say, where the battle's
won and lost is before you go to speak to your customer about security.
And actually, I suppose this is true for anything, but in security in particular.
(03:06):
I think you have to understand that it's not us, as the MSP,
it's not our place to judge the customer and where they are, right?
The customer, it's our job to inform them of where they are and of what the
risks are, position cybersecurity as a business risk, advise them on what we
think they should do and help them to identify what they need to do because
there'll be lots of things that they have to do, don't want to do, but have to do.
(03:30):
Which we'll probably come to later, and then support them to make that decision
and do that consultatively through education, through guidance, but not
to have an agenda that they must buy this thing, otherwise it'll break your
heart because they'll probably not do exactly what you want them to do.
Steve (03:45):
Is there like a process that you
found, works more often than it doesn't?
Mark Lamb (03:51):
I think so, yeah.
I mean, I think you've got to go in there with a mindset of
like, I'm here to understand.
You've got to start back in that place where you're trying to understand what
the customer's goals are, what any of their constraints are going to be, what
their triggers are going to be, recapping the past, I think that's a key thing, you
(04:11):
know, like taking a walk down memory lane.
I think as MSPs, we're always so keen to want to go in there and sell the
next thing because our world moves fast.
Right.
And I'm sure everyone's world moves to a certain pace, but I really do believe
that in IT, our world moves faster than most people because of the rate of change.
And we're used to change.
And we go into these meetings with customers locked and
loaded, ready to do these things.
(04:32):
And the customer wants to kind of meander down a path instead and talk about what
they've done in the past, how we got here, what that thing is that they bought, why
things aren't working, so on and so forth.
We've got to be prepared to do that.
So I think often we have to, we have to slow down.
We have to try and understand and get on the same page with them.
I think there's just so much tension and friction in some of these customer
(04:56):
meetings because the both sides want out of it is broadly the same.
But their approaches are very different and they clash and that's
what I see more often than not.
And it takes somebody to have to take the reins and that approach, that process that
you talk about, it begins with going in there with a completely different mindset.
And I think that you have to leave the frustration at the door.
(05:18):
No matter how many times you've been here, had this conversation with
the customer, being annoyed with maybe decisions that they've made,
you've got to leave all that behind.
Because if you take that into your meeting, it's just going to be even worse.
Steve (05:30):
Yeah, I gotta say, getting,
getting annoyed with clients is
really easy to do, and I'm gonna share something I probably shouldn't.
So I treat,
like, my family, unfortunately, kind of like clients in a way, but
unfortunately, because they're family, they don't get filtered correctly.
(05:54):
My filter's off.
So, if you've ever watched Saturday Night Live, there was that,
gosh, it was 20, 30 years ago.
The IT guy, MOVE!
Like, he would just be so rude and abrasive.
That is unfortunately how I am with my family, and I think
that's how I would want to be
with my clients.
(06:15):
So with that said, how can I effectively communicate the importance of
cybersecurity to my clients without sounding like too technical or
overwhelming them with a plethora of information because I found that that's
(06:36):
what I do with my family is I overwhelm them with things that doesn't necessarily
concern them because I get excited about the tech and that's my biggest
problem is I'm excited about the tech.
Mark Lamb (06:48):
Yeah.
Totally.
I think you made mention to it slightly earlier on, I think the way
to go about it, the way to approach the conversation with the client, is
understanding, first of all, that they don't care about buying cybersecurity.
In actual fact, I think you could probably say that for most things we sell them.
Like, nobody set up a business and says, I'm going to set up this company so I
(07:10):
can buy lots of IT and spend lots of money on all this stuff that I could
rather be spending on whatever, right?
Return on investment to stakeholders.
In most cases, in SMEs, it's having more money for myself, I think if you go
in with that mindset and realize that you have to understand that customers
look to you as a trusted advisor to take care of and advise them on what to do.
And I think that the frustration comes from us.
(07:32):
Getting annoyed that they are now not listening to what we're saying to them.
So we're your trusted advisor, but you're not, you're not listening to our advice.
So do you really trust us at all?
And a lot of frustration comes from that.
So understanding that actually what we need to do is come down to a level
where we can tie this to the customer's goals, objectives, risks, requirements,
compliance, why compliance is so good?
(07:53):
Because we can tie it to somebody else.
Everyone wants to blame somebody else, right?
Say, well, such and such tells you you have to do that, so you've got to do it.
Customer will often say, well, our back's up against the wall, have to do it.
Because I've got no choice and everyone wants the decision
to be taken away from them.
So they have to do it.
I think when you leave the customer with the decision,
they'll just choose not to do it.
So we have to somehow achieve the same thing that compliance achieves.
(08:14):
And often that way is to be able to draw that line of sight from
what they're trying to do with how that matters in security.
And if we can connect the dots for them so they can understand that, then
they can make risk-based decisions.
So for example, say the customer's goal is to expand the business into China.
Okay, and it's IT people now, alarm bells are ringing in all corners
(08:36):
of our head about, oh my goodness me, all the things that we have to
think about now because of this.
The customer does not think, oh, so China, I better do something
more with cybersecurity.
So we come along, we need to do this, but the customer's thinking, yeah,
Mark, but I've got to spend money on
all this other stuff to open an organization in China.
And the last thing I want to be doing is spending even more money on security.
I don't think that's important.
But if we can make them realize the risks associated with that, and therefore
(08:58):
the impacts, and how that can derail the successful expansion into that
region, or how it could destabilize what they've built already, they can
start to realize why this is necessary.
So security just becomes a, it's not buying security because we want to buy
security, or even because we need to.
We're buying it because it's going to affect the outcomes, the goals
that we're trying to achieve.
(09:18):
Does that make sense?
Steve (09:19):
I gotta say,
traveling to China, like, while I would love the idea of going to China, it
terrifies me because I think as soon as you arrive, all of your electronic devices
that you've brought have been hacked.
Mark Lamb (09:32):
Yeah,
I've not been to China either.
Steve (09:34):
Yeah, so, what are some of the
common misconceptions that clients
are going to have about cybersecurity?
You said that
they're not going to look at this as important.
I want to kind of dig into this more, like why don't they think it's important?
What are those misconceptions they have that are giving them
that false sense of security?
Mark Lamb (09:54):
I think
there's two sides to this.
The first one is the obvious ones that we've probably all
heard people say before, right?
It's
Steve (10:01):
Yeah, I'm, I'm too, I'm
too small, it's not going to
happen to me is the one I assume.
Mark Lamb (10:06):
Yeah, exactly, too
small, not important, they don't know
who I am, then you've got the more firm objections like too expensive, we'll do
it next quarter, we'll do it next year, I'm not doing it unless somebody makes me.
All these kinds of things.
It's just resistance, pure resistance.
They don't want to do it.
And it comes down to like, it's the same thing with the media, right?
(10:27):
We listen to so much of the media that eventually we become
completely desensitized to it.
To use a sad but real example, during COVID times, we would read
the news and for the first few days and weeks and the number of deaths
there were, it was devastating.
And then somehow, a few weeks later, we, the number just becomes, oh, it's
only that today, but you forget these are real people in real lives, right?
(10:48):
And you become completely desensitized to what's really going on.
And security, cyber, has become very much like that.
You know, we've seen so many people being attacked, so much money being lost.
Eventually, people start saying, well, you know what, if those guys can't protect
themselves, what chance have I got?
And then it becomes, they just stop.
They stopped even thinking it's believable.
They don't even think it's achievable.
(11:10):
They just resign themselves to it.
And that's dangerous.
But there's nothing really we can do about that, other than obviously
try to make them realize that they don't need to make heroic efforts
in order to make it happen.
You just need to do the basic good things right and that they
shouldn't give up that fight.
But the second side of it that I think a lot of people don't
really recognize and it's a thunk.
(11:31):
I think it's the fundamental difference between the enterprise and the SME
space and that is that in the enterprise people build relatively mature
organizations that are governed, that have got compliance, that people are
running that business as professionals in their jobs, so they're appointed by
stakeholders and leadership and they run that business in a certain way.
(11:52):
In the SME world though, you're dealing with a very different type of owner.
You're dealing with opportunistic entrepreneurs often.
Businesses that are held privately by the person that can make the ultimate decision
don't have the level of management, almost definitely don't have the level
of governance and risk management.
And so, you're free to, what you're actually being weighed up against is not,
(12:14):
should we do this to mitigate the risk?
And in those people's minds, they're thinking, if I spent that
money on another sales guy, I could increase my revenue by X.
So what do I do?
Do I go for the opportunity or do I mitigate the risk?
Am I going to, these creative, entrepreneurial type people
want to charge ahead.
They're not typically worried about, they got to where they are by taking risk.
(12:36):
Right.
And so they're not sitting here thinking.
I guess that they, they think they're a little bit more untouchable than the
average company or the average person.
And so
all sorts of crazy decisions get made that we can't sometimes compute why
they're not understanding this risk.
It's not because they don't, it's just they choose to make, take a different
decision because they think that it's not happened to me and it plays into
the first thing that we talked about, which is it's not going to happen
(12:56):
to me or I can't stop it anyway.
I'll deal with it if it happens.
So screw it.
I'll do this other thing instead.
Steve (13:02):
You mentioned risk, so
let's talk about that for a moment.
There are like two big types of risks that I can think of that
clients should be worried about, and that's financial and reputational.
I'm sure there are other types of risks, but those are the two
that I think would resonate well with these non-technical folks.
(13:24):
How do we explain that potential risk to them in a way that makes
sense to them, that resonates?
Mark Lamb (13:33):
I think that
when it comes to financial, we
do need to try and steer clear of talking about the big numbers because
they're not really believable.
I mean, I've been in real conversations with customers where
I've said the average cost of a cyber attack is going to be like 1.5 million.
And the customer laughs and says, well, I don't have one and a half million,
so it's not going to cost me that.
(13:55):
And that is really difficult.
So we have to try and make those financial costs believable to them.
So we have to, comes back to the earlier point about understanding
how their business operates and how they make or lose money.
And so we need to try and tie it to real numbers and often times most businesses
will not be completely dead in the water, especially now because of hybrid
(14:18):
IT infrastructure, you know, back in the day when there was lots of Exchange
servers on premise, you know, if your network went down, your email went down
and the world was came to an end, whereas now, in the UK, we have a thing called
Exercise in a Box, which is a framework by the National Cyber Security Centre.
You can get it on their website, but it's quite a useful tool to
(14:39):
approach both of these things.
And it helps, what, it's essentially taking the executive team through
a real incident and having them really think through what's happened.
So it's like situational awareness, really thinking about the implications of, oh
my goodness, this has just happened.
So it's okay to say, Steve, your reputation is going to be in pieces
if this happens, but words are cheap.
(15:00):
But if they go through the experience themselves by working through the
realities of what's happened and how they're going to recover, it's
much more impactful for how they're going to learn and remember that.
I suppose the essence to both of those things is you need to make both
of the things really believable by making it specific and unique to them.
Steve (15:18):
Is there like a framework
that you use when you sit down
with clients or prospects?
And I guess I should further ask, do you talk to clients differently
than you talk to prospects?
So let's start there.
Mark Lamb (15:30):
Oh,
that's a good question.
When you talk to prospects, of course, you're trying to understand where they
are today, and that's actually arguably more challenging because they often don't
know where they are either, they think, oh, well, I've got this thing and we've
got MFA turned on and you're treading that line between trying to say, no, you
don't have what you think you have, and it's definitely a difficult thing to do.
(15:50):
But in both cases, it's about trying to make things visible and understandable.
So the NIST Cybersecurity Framework is a fantastic tool for that.
And if you can align where they are today to the NIST Cybersecurity
Framework, all the better.
And some of you watching this might know that they've just released version 2.0.
So there's a new version of that framework, which has
(16:10):
previously had five pillars.
And now they've got a sixth pillar, which is governance.
And they've moved quite a lot of the controls around, but governance is
all about a lot of what we're talking about here, which is helping the
organization to really understand their position and manage this as a risk.
So, a lot of actions must be managed by them and they must
have active involvement in it.
They can't just think that the MSP alone is somehow going to just solve all the
(16:35):
problems by buying technology to solve it.
That's not going to crack the issue.
So then that works on both sides, right?
So talking with prospects, they're often more open to that because
they're in that phase, you know, they're talking to you because they're
maybe unhappy with who they're with.
And so they're kind of getting a grip on where they are, what they need to do.
Piece of governance by trying to manage the risk, manage the problem.
(16:55):
With these existing customers, that can be a bit more challenging because they
just think you're doing it already, and you're trying to open up that subject.
So using a framework definitely helps them understand that there's
a lot of thought going into these things, and their best practices.
Steve (17:08):
Is there like a framework or a set?
I always go through this orderof operations, when talking
cybersecurity with people.
Mark Lamb (17:17):
Starting by
understanding where they are now and
their role in that, so understanding what they are, and if you use the cybersecurity
framework, if we tie that into what we've just said, right, so identifying
what their security risks are today, identifying what their needs are, what
they need to achieve, protecting against that, so buying security solutions and
services, or selling security solutions and services to your clients that
(17:39):
meet those particular needs, desires, and the customer's appetite for risk.
Ensuring that they can respond to anything that happens.
And that doesn't mean a complete incident.
It also means just any activity, whether it's good, whether
it's a false alarm or not.
Being able to recover from that and being able to learn from that.
And with the application of NIST 2.
there's also the govern piece, which has managed and governed that risk
over time to make sure that thecustomer, we'll use the word customer
here, the framework really talksabout governing risk from within.
as an organization, but we could use thatas a customer and say the customer should
be involved and understand their appetitefor risk, understand their risks they're
taking, which risks they're accepting,which ones they're going to mitigate,
and what the MSP is doing for them inorder to achieve that so that they don't
(18:23):
just think that we're doing it all.
And if you go through that journey withyour cust Customer by approaching it
through a position of understanding.
Is it the matters to you?
What are you trying to achieve?
How can we align this?
We can take care of most of thatourselves as MSPs without having
to expose the customer to the wholeframework and the whole journey.
Steve (18:42):
Got it.
When it's a prospect, you need to ask a lot more questions because you don't
necessarily understand their current cybersecurity posture, especially, some
MSPs want to install their agent and glean all the information they can glean
and doing a technical discovery that way.
(19:02):
Other MSPs don't want to put anything on a prospect's network until there's a
signed agreement for liability purposes.
Not here to argue which of those methods are right, because I
think there's merits with both.
But with that said, when it's a prospect, you don't necessarily
(19:25):
Crespo Roman, and I'm here to talk to you about how we can help
you know all the things, right?
Especially if you're doing this agentless, and you're going in
there blind, and you're only getting the information from the prospect.
Can you give me some questions that we should be asking every single
time we sit down with somebody new?
Mark Lamb (19:41):
If you can
get it, I would be asking for a
copy of an existing invoice that they're paying a provider for.
That's a big shortcut, but that's hard to get and the trust has to be there.
They're not always gonna wanna pass that information to you 'cause they
might think that you're going to then price based on what they're paying.
But that is definitely useful. I have this opinion that we can just figure
(20:02):
everything out when we turn up, look at computers and somehow determine
what's going on and there's friction there, because the MSP is careful.
They don't want to end up signing themselves up to something that they don't
know what they're getting involved in.
I would definitely start with asking and understanding what products and
services they might know the name of.
So things like, do you get an email quarantine report?
(20:22):
Several times a day or once a day.
That can have a good lead into whether or not they are using an
email filter or email protection tool.
Are you having to enter six digit multifactor codes or respond to alerts on
your phone when you try to log in?
Yes or no.
That's going to give you an idea of whether MFA is turned on or whether
it's just I've never seen a six digit code in my life might tell you, okay,
(20:45):
they don't have that turned on, right?
Especially now with the massive boom in MDR on endpoints, maybe
using some common product names.
Like are you familiar with, give an example, like SentinelOne for example.
Customer is likely to have heard the name of some of these tools
being mentioned by the help desk of companies they're working with.
So mentioning product names can sometimes be helpful.
(21:06):
And same thing goes for firewalls and things like that.
Asking them if they're using, if you know that they have servers on site,
you might say, are you using a VPN?
Do you use remote desktops?
So using some of these keywords that trigger the customers, oh, we've got that.
These are all very useful.
Gain content filtering.
Do you ever get blocked pages when you try to go to websites?
Or can you just get onto anything you want?
Oh yeah, we can get onto anything.
(21:27):
You know, there's nothing that's stopped us.
Four or five questions in,
Steve, you're going to be pretty clear of how good or bad this situation
is looking, and you 60 seconds.
Steve (21:51):
cybersecurity in place.
They're getting services from one of my competitors.
How do I differentiate my cybersecurity services from the competitor?
Because let's be honest, this is becoming a heavily commoditized
industry at this point where there's a very low barrier to entry.
(22:13):
Anyone can be an MSP.
You don't have to go get certified or a degree or anything.
And more and more often, it feels like the tools are doing the work for us.
So how do I differentiate what I'm doing from my competitors in the area?
Mark Lamb (22:28):
Yeah, and
I think the answer to that
question, it's really simple.
It's you.
You are the differentiator.
It's how you do your business.
Because you're right.
They're always going to sell the dream, sell the product, everyone that's going
in there along with you, because they're likely not only talking to just you,
they're probably talking to two, three other providers as well, you're very
conscious of what they're saying and it's always going to be led in on the
(22:50):
products, the customer then ultimately just can't actually tell the difference.
The difference has to be you.
It's the way you do your business, the way that you're going to work with them in
partnership to take them on this journey.
Pay homage to the fact that this is a journey, it's not a one and done thing.
You're not just going to buy a product that's going to solve all your problems.
And what we sell you today is going to have to change in 12, 18, 24 months.
(23:13):
You want to be doing that with a partner you can trust.
It's going to give you the right advice and go on that journey with you.
And we are the people to do that, not because we're going to consult with you.
We're going to help you understand.
We're going to understand your business and we're going to make sure that we're
selling your products, services that you need and that you're not wasting
budget because let's be honest, you've got lots of stuff to spend your money
on in technology and everything else.
(23:35):
Then it comes down to that trust factor.
Steve (23:37):
Anthony in the chat said
something I agree with completely.
A number of clients, or prospects for that matter, will only consider a cybersecurity
strategy and implementation during the inflection point of an insurance audit.
Have you seen that across the pond?
Mark Lamb (23:53):
I agree because
it's that point we made earlier.
My back's up against the wall.
I have to do it now.
And if I don't have to do it, I won't.
Steve (24:00):
So then how do I create a sense
of urgency around cybersecurity without
resorting to fear mongering and FUD?
Mark Lamb (24:08):
I think you
basically take the same approach,
but you do it in an intentional way.
What Anthony said there is like, that's an accidental thing, right?
You know, going along, doing our business, and then, oh no, this has happened.
We have to do something.
We have to respond.
If we just don't turn the tables and approach the conversation in that way
and say, have you got cyber insurance?
It's cause they
Steve (24:28):
answered all the questions
the way the insurance company
wants to hear it, not the way
Mark Lamb (24:33):
Exactly, exactly.
So if you then say, would you mind if I have a copy of that policy, let's have
a look and see what your obligations are that you've signed up to, and then you
depict that and realize they should be doing A, B, C, and D, and they're not.
Then you're able to force the issue, right?
You can say, look, stop paying because they ain't going to pay out.
You're actually just throwing that money away.
(24:54):
You need to do these things.
And the same thing applies for contractual and legal obligations.
So if the customer is involved in healthcare or they're in legal,
understanding what the problems are in that industry, what they may already have
agreed to, same ideas as cyber insurance.
What have you agreed to?
What are you having to do, but actually find the real black and white writing?
(25:16):
Don't just say, oh, you're in healthcare.
You're in legal, so you have to do this, this, and this, because they
kind of already know that and they've already chosen to ignore it too.
We're gonna get your hands on something solid and say, look,
what could you've signed up to?
We're not doing this for you.
We're not gonna be responsible for this if it goes wrong.
We need to address this problem and go from there.
Steve (25:33):
Help me out here.
Just came up with this one.
Nobody's ever thought of this before, I'm sure of it.
Because all ideas I have are original.
All let's say, yeah, so let's say I sit down with a company, and I say,
do you have cyber insurance work?
And if they say yes, it's pretty boilerplate at this point that cyber
(25:53):
insurance is going to ask a number of questions like, do you have
MFA enabled on all admin accounts?
So on and so forth, right?
I'm sure you could even potentially find that list somewhere of, what
are some of the more common cyber insurance policy questions that the
(26:14):
insurance company is going to ask to understand your cyber posture and risk?
Because that's what insurance companies are doing.
They're measuring risk to determine if your business is worth insuring.
When you sit down with that company and they say, yes, we've got cyber insurance,
then start asking them about things like, do you use the little six digit codes?
(26:36):
Can you go to any website you want?
So on and so forth.
Now you've got a baseline for what their cybersecurity actually looks like.
And then, unfortunately, this is a bit of fear mongering, but I think sometimes you
got to tell people the hard truths and say, hey, look, you are wasting your money
because if you have a cyber incident, which based on your current cyber security
(26:58):
posture, it's not an if, it's a when, you're going to try and make a claim,
the insurance company is going to do an investigation and find that you don't have
all of these things in place, that you maybe told them that you do have in place,
and they're going to deny your claim.
I think that type of information is powerful because once you explain to a
(27:22):
person that, hey, did you know you're wasting thousands of dollars a year
on this policy that's not going to help you, I think that, that starts
to open eyes and ears for people.
Mark Lamb (27:33):
Yeah,
it's a false economy, right?
They don't, for some reason, I don't know why, but they're
not sitting there thinking that they're throwing that money away.
Because they don't ever believe it's not going to pay out, which I don't
know why, because I've never met an insurance company that likes to pay out.
And I was talking to a claims manager of an insurance company a few days ago.
He said to me, I've been in this industry 18 years.
And he says, I can tell you, you're absolutely right.
(27:55):
We all feel it.
But that's from somebody within, who's obviously confirming it.
I think the customers often just don't think that's going to
happen, because they've got it really messed up in their mind.
They just think, oh, you know that, they've just forgotten.
They've just, to them, the cyber insurance was just a stepping stone that
they needed to get in place to win some contract, to win some work, and off they
are now busy delivering that work with completely, now, but now they've got the
(28:17):
cost, but they're not thinking about, they're not associating the cost with
claiming, they're associating the cost of that with doing business, which they
had to do to win the work and push ahead.
So it's very powerful when you go back to the customer and explain to them,
let's say they're spending 20,000 a year on an insurance policy, which is
not uncommon now, and say, look, you might as well set that money on fire
in a car park because you're never going to see it, you're never going
(28:39):
to see it back if you need to use it.
Steve (28:40):
one of the things that often
sit and wonder about is how do
we pitch different services to different industries or verticals?
So, when you go and sit down with a law firm, you're going to have a
different cybersecurity conversation than if you were to sit down with
a construction company, how do you tailor your cybersecurity pitch
(29:04):
to these different industries?
and I'm going to back up and assume that you're an MSP that, still is
a generalist and you'll support all these different industries.
You haven't specialized on a niche yet.
00;00;00_Mark Lamb (29:18):
some of the very
topical actually, um, I've been dealing
with in the last few weeks, both in my MSP and, and with HighGround and that is, so.
And I'll share this.
Actually, no, I've not told anybody this, so this is a new, a new thing.
Actually, we're here, and I mentioned on MSP Tutor, we've actually devised
a strategy that I think anyone can use, and we call it, Packs and Tracks.
(29:38):
if you've been selling products, or you're selling products with service.
So, uh, Endpoint Protection, or Endpoint Protection with a SOC, and there's
a service attached, and you're doing something, that's the hardest thing
of all to sell, because the customer has no idea what it is, you might
be selling things bundled together, like email and web protection.
Those things go really well together.
They are kind of always, they always have done, right?
You know, you have email protection and you have web protection because
(29:59):
those are big sources of threats, or EDR and MDR, they go well together.
IAM and PAM and password management, they go nicely together.
Now, in a technical team, they're sitting here trying to deliver all these different
products and services and they have really no consideration or regard for what the
sales team or account management are selling to customers but they get very
upset when someone in sales sells the customer something they can't deliver
(30:22):
and that becomes very frustrating and all these little nuances and anomalies
between what one customer is supposed to get and what the other one gets.
at the end of the day, it's always the same products that typically
that we're selling to customers.
The only difference is how different customers need different products
and services for particular needs.
So you mentioned a couple of industries there.
Construction is typically, certainly here in the UK, is typically
(30:43):
focused around the public sector.
Therefore, there's often a lot of compliance involved in that, aligning
to frameworks and making sure that you are either, if there's something that's
regulated, that, standardized that you meet that compliance requirement or there
might be particularly niche standards and requirements you have to meet.
Whereas legal is an alternative example is we all, we all know largely that
it's heavily focused in the feederson data loss prevention, that we have
(31:05):
lots of sensitive data and if that information is to get out into the
public domain, we're toast, So we have to stop that from happening.
Based on that, by creating these, what I call tracks, we're essentially
taking the same products and service portfolio that we may have as an MSP
and determining the ways in which we need to use them in order to deliver
the outcomes the customer needs.
And they're largely, broadly, if you look at it from an industry
(31:28):
perspective, pretty much the same.
Financial services has a very heavy focus on detection because
they're largely targeted.
Data loss, legal was kind of the same.
If also a strong focus on DLP, but you could largely put
them both in the same place.
Encryption plays a big part as well.
Encryption of data at rest and in transit.
I guess to a certain extent, medical is the same in healthcare.
whereas you go to some other organizations that are maybe a bit
(31:50):
like the construction, deal with lots, much larger organizations.
They expect, therefore, because the governments and councils and places
like that are running like a government, they expect good compliance, good
governance, good risk management, and we need to address those problems for them.
as much as we can say they're kind of unique, they're really
largely just turnkey solutions.
Like you need to figure out what the flavor is of legal and just package
(32:11):
them in a way that meets their needs.
Steve (32:13):
I like that.
Now, one of the things that I would like to think you've heard of by now,
if, if you do any type of marketing for your MSP, there's something called
social proof, and when you're building a website, you do social proof by putting
testimonials and reviews, case studies.
so there's, all different ways to put social proof on your website, and maybe
(32:34):
even on like printed material, like flyers, you maybe put on a little quote
from a client who's using it, right?
So, how do you implement social proof when you're trying to demonstrate
the value of your cybersecurity services to clients and prospects.
00;00;00_Mark Lamb (32:51):
That is probably
one of the hardest things to do, because
you could say, hey, look at customer A, Steve at Channel Programs never had a
breach because he's bought our security package, but no MSP wants to say that,
right, because they feel like you're, uh, touching wood when you say that.
Well, no, it's going to happen now.
If I say it, you don't want to jinx it.
at the same time as, but those kind of are the security stories that
(33:12):
we need to tell, because those are the good news stories.
I think one thing we do need to do is need to try and steer clear of the
bad news stories, because people often seem to, I don't know how, but they
seem to be able to kind of remove that from their mind and forget that it ever
happened, and they don't tend to have the impact that we think that they should.
I think that, focusing case studies and stories, customer testimonials,
(33:35):
if you can get them, that really talk about the challenges that the customer
was having and achieving their goals and how security was a part of that.
It could also be that fear of, you know, losing everything that the
customer's built over all these years and not wanting to lose that
and how much better they feel now
about, I've bought the security package and I can sleep a
little bit better at night.
I feel like I'm more involved and I understand my risks and my MSP works
(33:56):
with me to make sure that I'm keeping on top of that and moving forward.
Those are the stories that people that resonate with people because that's
the gain that they want to achieve.
They want to feel like that same way.
So you're kind of selling it on feeling but selling it on the
positive feeling rather than the fear.
If you sell it on fear,it really doesn't work.
Steve (34:12):
Now that makes perfect sense, yeah.
I think that whenever you're doing testimonials or case studies or anything,
you should never include, well, it's okay to include some fear, like, I had
no idea that I was so vulnerable, and I signed up with, Steve Taylor's computer
whizbang and now everything's magically better, you know, like it's, it's okay for
(34:37):
the, for the customer to, to be genuine and say, Hey, you know, I didn't realize
I was, I was so open to, Bye for now.
To attack and now I feel like I'm, much better and it's not that
they couldn't sleep well at night before because they, they were, you
know, blissfully ignorant before.
(34:59):
And, and I think, I think it's okay to have a conversation with a, with a
customer and, make them feel blissfully ignorant without making them feel stupid.
I think there is a way to do both, when you get them to open their
eyes and go, wow, like I get it now.
that's when you have the breakthrough and that's when they
say, who do I write the check to?
(35:20):
You know what I mean?
Another way that you can accomplish this, besides social proof, is by
sharing some key metrics or statistics.
And that's hard because, you know, what do they say?
87 percent of all facts and statistics are made up, made that one up, right?
So, uh,
00;00;00_Mark Lamb (35:39):
and lies, as they say.
Steve (35:40):
I guess what I'm asking is, do you
share any metrics or statistics to support
your cybersecurity recommendations?
And then how do you present those in a way that they seem factual and not
like some crap you're just trying to say to get them to buy something?
00;00;00_Mark Lamb (36:00):
and the irony of
this answer is I'm going to answer with
a statistic, because, I read something fascinating a few weeks ago, all about
storytelling, I'm actually personally sat, um, fascinated by storytelling
and the impact that it has on people.
And, they use it a lot in marketing, right?
the reality is I don't talk statistics.
Our team don't talk statistics at all because customers forget them, the thing
(36:21):
I read about statistics, which is a statistic, is that apparently only 14
percent of people remember the statistics.
But you see, if you tell in a story about Steve who ran Whizbang Computers, who had
this problem, he was trying to win this contract with X organization who needed
him to do this, and he didn't know what to do, and he couldn't afford it, and he
(36:41):
was worried, and he spoke to us, and we worked with him, and we showed him this.
They say that over 60 percent of people remember a story.
And if that story is relatable to them, it's even better.
If they're that like, they're just like me, you know, I'm a Steve.
I know how he felt because I'm there too, and my story is very similar.
So we tell stories about security, about people.
(37:02):
That's why the case studies are powerful.
because quite frankly, the statistics are either unbelievable or just not memorable.
And they don't incite any action.
And what we want people to do is go on this journey.
the thing is really important that you get your customers to understand
going on a journey, that you're not selling them the destination.
They're going on this journey with you.
That's why they need someone they can trust, someone that they feel they can
(37:23):
work with, and that you're going to be here in three months, six months, nine,
two years, the same conversation, telling them what else they need to do now,
because it's not just going to be over.
And the statistics are going to change, but, whatever they happen to be, they're
still going to have to deal with them.
So can I, and the thing about storytelling is you've got to make the customer, the
main character and the hero in that story.
So you want them to feel like they're succeeding, that they're
(37:44):
winning, that they are achieving their goals and you need to go to
take yourself out of it as the MSP.
You don't matter.
You're just a facilitator to help them get there.
That's when the customers really get, really get engaged.
Steve (37:54):
if you were to get a client
to do just one cybersecurity change.
and you had to pick just one service to get them on board with what is it and why
is it, cybersecurity awareness training?
00;00;00_Mark Lamb (38:10):
Security,
we're in a straight end.
Steve (38:12):
Yeah.
do you think that's probably like, if, if you sat down with a company and
they don't have MFA, they don't have DNS filtering, and you know, they,
they click on freaking everything.
where do you start?
What's the first thing you do?
Is it training them, or is it, I'm gonna implement a baseline of changes
that, implementing some of these changes is going to drastically affect how
(38:37):
they do things on a day to day basis, whereas the training, I always feel
like educating people is less friction than I'm going to make you all type
in six digit codes and I'm going to make it so you can't access all your
websites and so on and so forth, right?
00;00;00_Mark Lamb (38:52):
and you know, on that
point about awareness training, I think
that, and we do see organizations, we all see organizations like that, right?
I, I'm a believer in getting their work in front of them, but you roll out a
program of security awareness training and just think that people are going to
adopt this, if the problem is that bad.
You really want to be getting them collectively in a room together or
(39:13):
even identifying the individuals and speaking to them and really helping
them understand and then enroll them in training rather than simply, here you go.
Do some training because they think oh, I already know this.
I've seen this, you know, you can't teach me I understand.
They can even get through the test, but then you go and do something stupid anyway
Make them understand and realize that the risk that they pose to the business and
the impact that could have and that they need to sometimes slow down and think.
(39:36):
as for the technology that I would implement, for a single technology
an organization's systems, I think, I mean, MFA would obviously have to be
one of those things, but I really think that we're leaning now much more into,
IAM solutions, so Identity and Access Management, and extending that out with
SSO to as many places as possible, because then we're really trying to reduce the
(39:57):
number of times the customer's likely to be doing that, So we're trying to
leapfrog the current problem and get them to a place where they're using
these credentials less and less and if you turn on MFA on to that, then you can
have a significant impact on likelihood of the things that are happening.
So basically trying to problem rather than treating the symptoms,
Steve (40:14):
That makes perfect sense.
now let's talk about something a little more complex.
I'm going to simplify the complex as best as I can.
Let's say you sit down with a dentist and you're here in the States.
So that means patient data, right?
presently, they don't know if they're compliant with HIPAA guidelines.
they don't know all the things they should be doing.
(40:35):
They don't necessarily care.
How do I have a conversation with them to either get them on board
or figure out if I need to run?
because we don't want to stick around if they're not going to be compliant because
that puts us, the MSP, at risk, right?
if we're going to talk to our clients about risk, we got to
talk to ourselves about risk, too.
if you take on a client that
(40:56):
is supposed to be compliant, and they're not, and they don't give a darn,
then do you really want that client?
Because now you're opening yourself up to risk, and maybe your own claims
won't be approved in the future.
00;00;00_Mark Lamb (41:10):
this is a good
question because I think it's actually
the answer to it kind of depends on the size you are as an MSP.
You know, the smaller ones are much hungrier for work and they're much more
likely to take on the risk and believe the customer is going to make the change.
Whereas the larger ones, particularly the ones that are now getting involved
in like M&A and now getting bought up.
then, much larger organizations are thinking, oh, do we want that risk?
(41:33):
And so they're much more likely to just shun it and turn it away.
if the middle ground is somewhere in between those two extremes, then,
I think you really need to sit down with, during that sales process.
If you have not addressed it in the sales process, which you really should
have, then you definitely need to address it at the onboarding phase with
the customer to understand, document, do you understand your obligations?
(41:53):
What are your intentions?
And put that down onto a risk register.
You know, develop a risk register with your client on that same risk register
as the old 2008 or 2012 server that needs to be replaced and what that means
and the Windows 7 computers that are still kicking around and any operational
technology might take the business down.
But document that and have the customer recognize that this is a
(42:14):
risk and you need to do something about it and put a date on that.
So when you get to that next QBR, if you really, really want to take on
that business, but you're just not sure they're going to do it, and you don't
want to get caught up in this for a long time, make sure that you address
that risk register at the first QBR.
That's going to be your first warning sign.
If you're getting two, three QBRs down the road and things are not changing,
then you've got, you've got an out.
(42:34):
And not only that, you've documented it at the start.
So if someone comes knocking and says, hang on, you were involved in this,
you say, look, we documented that.
They knew.
We told them, we advised them, and they didn't want to do anything about it.
Then it does give you some, I guess some comfort in knowing
that you've addressed it.
Steve (42:47):
the last question I want
to ask you is about budget.
So when you sit down, whether it's a client or a prospect, you
need to understand the budget.
How they budget for IT, here's where it starts to get a little nuanced.
because some companies do their accounting differently, but, if they're
running a halfway successful company, they should have a budget for the
(43:11):
year, and they should be planning their budget for the following year.
So, how do you have that conversation with them and say, hey, look, I need to know
what your IT budget is, so that way I can help you prioritize, different expenses
and upgrades and purchases based on your budget, because the budget can't just
(43:34):
be, I'm paying 4,000 a month to my MSP.
There, there should be a larger budget than that 48,000 a year.
because projects and upgrades also need to happen, So get that question answered
tactfully as early as possible so that way you can help them be successful?
00;00;00_Mark Lamb (43:57):
if it's the
first year you're working with
a customer, that should be the only year you ask that question.
because you're, in a cycle now, but what you really should be doing is sitting
down with the customer saying Steve, we need to work on your budget for next year.
That's what vCIO tools are trying to do, right?
It's like we've got all this stuff needs to be done and we've documented
these risks and we know these projects and we know that you can't just put a
(44:17):
hundred thousand two hundred thousand into it So we need to make priority
based decisions, and you need to be involved in that, because you need to
understand what risks you're taking.
And they're not just security risks, could be operational risks as well.
Compliance and regulatory risks like we've talked about already.
And from there, help them build a budget that's going to achieve it.
So if they say, look, sorry Steve, but the budget's 60,000, there's
nothing more I can do this year.
(44:37):
You say, okay, well what are we going to do?
And we're going to address those.
And work on them on a 2, year plan to start addressing those things.
If you try to make their problems fit into their budget, you're in for a hard
time because it's never going to fit.
Steve (44:50):
follow up budget question.
How do you explain to them their IT budget needs to increase every year?
Do you say, hey, we need to, we need to build in a 10 percent annual increase
or what's your strategy for that?
00;00;00_Mark Lamb (45:05):
Yeah, I mean, you
need, I think you definitely need to
make sure that it's tracking inflation.
I guess there's never been a, there's never been a more realistic to be having
that conversation right, right now.
so addressing that for sure.
But I think it has to also be on, on like, what do they want to achieve?
How does that align to business goals and the risks that are there
and build it towards that rather than, and then on top of that, also
(45:25):
add in the inflationary aspect of, look, everything's going to cost more
next year than it costs this year.
That's just a fact of life addressing it in that way and being open
and honest and upfront with them.
I think most people, I think we're all quite lucky right now.
It's been hard living through this time of inflation, but it's
also people are a lot more aware of it where they weren't before.
But people have seen eye watering inflation over the last two years.
(45:47):
So they're a lot more open to it.
And now would probably be a great time to broach that subject with
them again and just make sure they're on, that they're understanding.
Steve (45:54):
Wonderful.
Mark, thank you so much for coming on here and doing this with me, man.
I really appreciate it.
if you guys are interested in
connecting with Mark, look him up on LinkedIn, Mark Lamb, just like
the animal, L A M B, check out his company, High Ground, you can go to
High Ground, uh, H I G H, ground.
(46:15):
io, is that right?
00;00;00_Mark Lamb (46:17):
That's right.
Yep.
High
Steve (46:19):
Yeah, check that out, and what
does High Ground do for MSPs real quickly?
00;00;00_Mark Lamb (46:23):
ground helps
better security conversations with your
clients to sell more them reduce your
Steve (46:28):
Wow, how fitting!
Thanks, everyone, for listening.
And we'll catch you next week at the next MSP Tutor.
Take care.