Managed service providers (MSPs) often find themselves caught between two conflicting interests when it comes to cybersecurity. On the one hand they want to deliver cybersecurity services. But on the other hand, MSPs don’t necessarily want to seem to be encouraging customers to divert existing budget dollars to security.
The cybersecurity compromise
In a new survey by Cygilant of 165 IT and security professionals at medium sized companies, illustrates the extent of the challenge. In the study, 17 percent said they were confident and 16.6 percent were very confident in their ability to protect customer data, while only 15 percent said they are confident in current cybersecurity technologies. That roughly means over 80 percent have a cybersecurity issue that would be better served by an MSP. In fact, over half (53 percent) suspect their company was breached once or more in 2017.
The problem is 81 percent of the respondents say they have either underfunded IT security budgets or no budget at all. The real issue, of course, is the overall size of their IT budget. Most IT budgets wind up being a percentage of revenue. How those dollars get allocated depends on the number of IT projects that need to be supported. Every dollar allocated to cybersecurity means there is less money available for other projects. Most IT leaders don’t want to tell business leaders they need to reduce the total number of IT projects being supported to address cybersecurity issues. They know they are whistling past the proverbial graveyard every day. But many would rather play a game of risk arbitrage than have what amounts to a difficult conversation with their boss.
Of course, business leaders often subtly encourage that behavior. In their minds, cybersecurity is a cost of business to be contained. The more money spent on IT projects that increase revenue and profits the better. Savvier business executives are starting to realize there is a direct correlation between cybersecurity and any digital business ambitions they might have. But by and large, those business executives are still a distinct minority. In fact, only 46 percent of organizations review their cybersecurity program—once a year or less—with the board of directors or senior executives.
What this means to MSPs
None of this means MSPs should give up on selling managed security services. But it does mean they need to refocus their efforts. Most IT leaders know full well the tradeoffs involved. The focus needs to be on business executives that are disinclined for a variety of reasons to adequately fund cybersecurity. Most of them really don’t understand the true nature of the existential threat to their business. MSPs without being overly dramatic need to provide compelling examples of real-world scenarios where businesses were not just disrupted by a cybersecurity breach, but also incurred meaningful losses. Theoretical scenarios almost never make an impression on the mind of a business executive.
Just as importantly, however, that conversation is going to tell the MSP whether that customer is going to be a profitable engagement or wind up being more a lot more trouble than their worth.
Photo: Mikko Lemola / Shutterstock.