Zero Trust for MSPs: Getting Client Buy-In

This article is the second in a series of three posts on Zero Trust for MSPs. Check out our first post on the benefits of Zero Trust, and our third post on implementing Zero Trust for your clients.

As a Managed Service Provider (MSP), you’re more than a software partner or an IT expert; you also have a business to grow. To get your clients onboard with implementing a Zero Trust framework, you need to first understand their past experiences, their understanding of the concept, and any objections they may have.

Take your Client’s Security Pulse

To begin, you need to understand how your clients currently view security and how open they are to changing their thinking or biases. You need to gauge their mood related to security, and identify any roadblocks that may prevent Zero Trust from being positioned as the logical approach. 

A great first step is to simply start a conversation. Talk to your clients about their current security posture, and where you see room for improvement in their strategy. Hint: there is always more to be done from a security perspective–especially if a business has yet to implement Zero Trust. 

Here’s a few questions you may ask to get the conversation rolling: 

• “What is your organization currently doing well? What are you struggling with, or where do you see the greatest opportunity for improvement?” 
  • These questions help you take the temperature of a clients’ overall happiness with the way their business is going, and reveal both what they value and what they perceive as their pain points. 
• “What are your organization’s most valuable assets? How are they currently being protected, and how could you protect them better?”
  • Zero Trust’s biggest benefit is increased security. Find the things your client is the most committed to protecting to build an emotional case around those assets.
• “How happy are you with your current level of security?”
  • This question drills down into the frontlines of Zero Trust. If they report pain points around security, Zero Trust is an obvious solution.
  • Note: They may not know enough about their current security strategy to answer this, and that’s ok! Lack of knowledge is just an opportunity for you to educate them. 
• “Are you familiar with the Zero Trust security model? If so, what have you heard about it?” 
  • This question helps you gauge your clients’ mood on Zero Trust. Is it a new concept for them, do they understand its value but not how to sell it to their organization, or does it leave a bad impression? 

These questions help you understand your customers’ starting point and create a pathway to framing your future Zero Trust conversations. 

Say you’re interviewing a current customer who reports that they’re very happy with their current security strategy, and have no interest in changing it. They may be a tough sell for a Zero Trust overhaul. In these instances, identify activities they may already be doing (or are interested in doing) that align with Zero Trust principles.

For example, implementing multi-factor authentication (MFA) has become an essential component of any Zero Trust model, but it’s beneficial even outside of this framework. Instances like these can open the conversation back up to Zero Trust principles, which allows you to further your position and build more trust as an advisor and expert. 

On the flip side, if the customer reports they’ve been struggling with maintaining security in their new remote workplace environment, or they’ve heard of Zero Trust but don’t entirely understand it… you’re in. Note: regardless of where they land after this conversation, if they aren’t currently using Zero Trust, find a way to frame it as the ultimate solution. 

Address any Objections 

If your SMBs have heard of Zero Trust but haven’t yet implemented it, you need to find out why. Let’s go over a few common objections to Zero Trust implementation. 

Inconvenience of Changing Legacy Systems 

• Objection: “It will take too long or cost too much to completely change our existing security approach.” Because your clients may not have highly technical employees or an IT department, they likely know how to use their current systems, and little else. Or, they may have so much on their plate that the thought of also taking on a major migration seems impossible. Transferring what they know into a whole different platform can feel overwhelming. 

• How to Counteract It: Acknowledge their feelings. Yes – if you’re currently running an on-prem system, switching to cloud-based does represent a hefty initial investment. But because the future is in the cloud, this is a sound financial decision that will make future growth and scalability as easy as pushing a button. On-prem security is costly year-over-year, so the sooner you make the switch, the better. 

Cost Constraints 

• Objection: “Our (legacy) system is already fully paid for. I don’t want to spend money on something new.” Changing to a cloud-based platform that’s more Zero-Trust compatible with its corresponding subscription fees may cost more money initially. Without understanding the benefits, this can feel like an unnecessary investment to make. 

• How to counteract it: Like the first argument, this is best understood as an initial investment that will pay for itself over time with a streamlined user experience, increased  efficiency, less IT personnel, and heightened security. If you aren’t getting anywhere with future investment language, try a few facts. 
  • Security breaches cost businesses an estimated $200,000 on average. Can they afford the risk of leaving their systems vulnerable? 
  • 60% of SMBs go out of business within 6 months of a security breach. If you can’t afford heightened security, do you have enough in the piggy bank to pay the $200,000 and not go under in the process? 
    
    In addition, you may find that they are already investing (or have a desire to invest) in technology platforms that already align with Zero Trust principles. Walking through their wishlist and plans could help reframe what an investment in Zero Trust actually means, and reduce any perceived sticker shock they have.

“Security through Obscurity”

• Objection: “All this stuff is for bigger companies. No one is trying to hack my small business.” Many SMBs don’t think cybercriminals will bother to target a smaller company, so they think they aren’t at risk. 

• How to counteract it: Security through obscurity is not security at all. And small businesses are actually some of the most common targets for cybercriminals, because they’re counting on a weaker security posture than a larger enterprise. 
  • 6/10 small business owners don’t think they’re at risk of a security breach. Not coincidentally, 6/10 small business owners don’t have a digital security strategy in place. 
  • 43% of security breaches specifically target small businesses.

Misunderstanding Zero-Trust Benefits 

• Objection: “Oh, I’ve heard of that. It’s probably just the latest trend that’ll blow over.” Due to a knowledge gap or misunderstanding, your clients may have a negative connotation toward Zero Trust, or think it’s too much of a hassle for not enough results. Or they think it’s “just another buzzword”.
  
• How to Counteract It: This kind of objection just needs better education. If you have any case studies or client success stories from moving to a Zero Trust model, this is a great time to share them. If not, check out a few of our Zero Trust resources to give your clients a more thorough understanding. 

While these are just a few examples of common arguments against Zero Trust, the pattern of listening to your clients’ objections and figuring out how the framework fits into their business can be applied to many different situations. 

Share the Benefits 

Once you’ve listened to any objections, rebut by sharing the benefits of Zero Trust, included in the first installment of this series. 

Remember: the goal in discussing the benefits should be to make your clients see that it is in their best interest to make the change, despite any upfront work that may be required. Helping them envision a secure future will not only set them up for a more streamlined, compliant approach to security, but will position you as the ideal long-term partner on this journey. 

Develop a Marketing Plan

While explaining Zero Trust and getting buy-in from your current customers is a critical component of implementing the framework, existing customers aren’t the only opportunity you have. 

It’s just as important –in fact, perhaps more so – to get the word out about Zero Trust beyond your existing client base to future potential clients. The key to expanding your reach successfully lies in thought leadership. Presenting yourself as a Zero Trust expert gives your business additional credibility and helps build trust with potential clients, even before your very first conversation. Here’s a few ways to corner the market on Zero Trust knowledge: 

• Make an appearance on industry podcasts such as Where’s the Any Key, the SaaS Podcast, or Unsupervised Learning. Podcasts reach a broad range of audiences, show your organization keeps up on the latest trends, and gives you a platform to evangelize Zero Trust from your perspective. It’s also a great way to reach new customer segments and network with other industry professionals. 

• Consider hosting a webinar or lunch and learn that educates viewers on the benefits of implementing Zero Trust. This type of “freemium” content is a great way to suss out potential warm leads, and sign-ups give you access to email addresses for continued visibility and conversations. 
  
  Tip: Make sure you think carefully through who you invite to these events to ensure the content is relevant to their business. It’s far better to have a smaller audience who feels the content is tailored to them than a larger turnout with information that doesn’t resonate. Be targeted with these activities, and consider hosting multiple events for different audiences. 

• To expand your reach, build out your social diagram. This means being involved in Zero Trust-specific conversations on social media, joining groups, and connecting with other Zero Trust practitioners on platforms like LinkedIn. Look at your connections and strategically share content relevant to them, so they will further share it with their networks. It’s the basic concept of “going viral,” and it can be just as effective in business as it is with cat memes on instagram. Strategically growing your social and business networks can also help you break into new customer segments and influence additional connections. 

If this seems overwhelming, don’t panic. Many of these tasks can easily be outsourced to a marketing company if you don’t have in-house marketing resources available. 

Continue Growing Your Zero Trust Knowledge

To accompany this article series, we’ve recently released a free whitepaper, Zero Trust for MSPs. This roadmap explains what Zero Trust is (and isn’t), the key benefits of using the framework, how to package and sell it to clients, and the three critical steps to implementation. The resource also includes suggestions for further reading, and free downloadable templates for use in your business. Download the whitepaper today.