Skip to content

How to Price Your Cyber Security Services | EP 55

Connor Swalm: Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security. And welcome to Gone Phishing.

Connor Swalm: Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, CEO at Phin. And today I am joined by cybersecurity thought leader and founder of Fort Mesa, Matthew Fisch.

Matthew Fisch: How are you, Matthew? I'm doing okay.

Matthew Fisch: For those of you who don't know who I am, we're in this service provider segment with Phin helping people really deliver the best cybersecurity possible to their clients. And our angle is we help MSPs own the complete cybersecurity roadmap. So that's governance, risk planning, and vulnerability management, hygiene management, but really a chief cheerleader for good cyberservice delivery.

Connor Swalm: We definitely need a lot more of that, not only with MSPs calling themselves MSSPs or vice versa. What's very clear is your clients expect you to be able to help them with cybersecurity needs, not just cabling and networking and other IT infrastructure-related stuff. What are some trends you're seeing in cybersecurity spending? Is it going up? Is it going down? They're maintaining the same. What would you say?

Matthew Fisch: It's always going up. I would say that there's been a change, though, in the last couple of years, which is the money is smarter. So when I talk about smart money, I mean that people have begun to think of spending on cybersecurity as investments. They're not just dumping money down a hole anymore. They want visible return.

Connor Swalm: They want visible return. I always thought of if we could consider cybersecurity a lot like people consider water and electric. It's not a nice to have, it's a need. It's like a community good that if spending on cybersecurity, it's like, nobody spends money on water. And they're like, oh, my water budget is blown for the year. I can't spend money for that anymore. It's just like, no, yeah, that's not a commodity.

Matthew Fisch: It was for a lot of years. It's like, oh, here's my cyber budget. But then people were just getting destroyed, right? And their systems are down, and you open up the COVID of the situation. And you realize, well, they didn't spend the amount that they should have for their place in the industry, or they dumped money into some really questionable places to try to get to their budget spend line. But maybe they didn't get the best return, right?

Connor Swalm: They were looking for creative ways to maintain levels of cybersecurity that only a properly built-in spend budget would actually do for sure. Where does Fort Mesa help with this? Why Fort Mesa? What was the problem you had?

Matthew Fisch: So if you look at just the industry as a whole, it's undergoing this conversion moment where now even small businesses are becoming somewhat informed buyers. They don't necessarily understand how to battle a cyberattack, but they do understand investments in certain types of things have certain types of outcomes, and they look at their peers in the industry, they look at the guidance from the government, they look at guidance from insurers, and to understand. Am I investing the right amount or am I not investing the right amount? And so they're having that internal dialogue.

Connor Swalm: What do you view a service provider's place in this small to medium-sized business cybersecurity?

Matthew Fisch: Well, it depends on the service provider, right? We try to use the generic term service provider, and MSPs are our home turf. But there's a whole constellation of service providers out there that maybe don't do the full managed package. Maybe they only do a security overlay, or maybe they only do advisory, right? Or maybe they only build applications. But when we look at the center of that crosshair, like the full managed service, it outsource function. If it's your job to deliver managed technology, you should have the capability of managing it at the customer's desired level of reliability, safety, security. The customers should be able, just like they can go to you and say. I want a fast server, or. I really am happy just going with the value version of this thing. It's the MSP's job to be advisor to get the customer to that place, right?

Connor Swalm: It's their job to be an advisor. Actually, a conversation I was having today about this exact subject is every dollar that will come through the door, a dollar you should take, right. If a client's not willing to invest in their cybersecurity infrastructure properly, especially with the litigious environment that exists in the United States, at the very least. That puts an MSP between a few rocks and a few other hard places. Where it's like, well, do I want to work with this client? Because the money's green. But on the other side, this client is willingly accepting risk. I told them they should absolutely not accept because of the amount of risk that it represents. How do you think people should navigate that thought right now?

Matthew Fisch: I mean, this goes back to the service provider's business model, right. If you open up a book on how to run an MSP, one of the pieces of guidance you're going to get is define your target market, define your target customer, and if you're defining that widely, you need to deal with a diversity of security investment situations. If you're saying, well, I only want to deal with dentist offices, which is one of my favorite examples, because they're almost all completely the same, right? They're all like ten people, front office, a few hygienists, a dentist, like an X ray machine and a HIPAA security scope. Right. So I love talking about them because it's the ultimate example of all the clients look the same. But I think that it really depends on what the MSP is trying to do. So there are MSPs out there that only service clients at level three security, whatever that is. Some MSPs like to think they have all the security the customers need. And the reality is, well, you may have all the security your customers need. But do you have all the security all the customers need? Probably not. There's a level of security you're equipped to provide and you can service those clients effectively. You may not be able to service the security needs of a nuclear complex. Right. Yeah. And you may decide that a car wash's security needs are so low that the overhead of your standard service delivery pattern is too much for them. Right. And that will bracket you. But yeah, I mean, it goes right back to what are you targeting as a service provider?

Connor Swalm: I have seen a trend that specifically the partners that we work with that have a predefined, I don't want to say plan, but they have a package or maybe even a set of packages. But what's really important is a couple of things. The client decided on the level of security they wanted. The client did not decide on the tools that were included in that. So that lends itself more to get a framework. It's like, why should MSPs make packages like that? And it usually comes back to one of two things. Cyber insurance requires these. And also compliance frameworks recommend specifically if you're not in like ISO 27,000 and you don't need to do an audit, if it's self-attestation, it's like, well. If you want to say you're 871 compliant and don't want to go get an official audit, here's the package that will help you do that?

Matthew Fisch: Yeah. And I think if I just want to generalize a little bit on how to get clients in the right amount of security investment, I think down in the small business world organizations, less than 100 employees, oftentimes 25 or even under. The best way to talk about those clients is not based on technical products. It's based on security outcome. You should say, hey, client, how safe do you want to be? Could you afford this type of failure? Right. Basic questioning like that, but then also lead into other businesses of your size. Are here, and so you're less than them or you're safer than them. I think most business owners have a gut feeling of where they want to be versus other companies like them. So it's both, how safe do they want to be? What's their tolerance for risk, but also making them aware because they may not know. How does their investment in cybersecurity or it compare to other businesses that look exactly like them, or the guidance coming from the government for businesses exactly like them, compliance or the requirements of an insurer for businesses exactly like them. So it has to be relevant to both their tolerance for risk, but also relevant to other businesses that look like them. And I think that's the conversation to have for small businesses. And pointing back to compliance is actually really easy, because a lot of people think their customers don't know compliance. They don't understand compliance. And the reality is, no, they don't know cyber tooling. They don't know the names of cyber products, and they don't know what they do. What they do know is OSHA compliance. They know tax compliance, they know labor compliance. They're compliance to death, small business owners. So when you say cyber compliance, they're like, okay, yeah, that goes in the compliance bucket. I basically understand, and I'm medium compliance on most things. So if you're selling me the medium compliance package for someone in my industry. I basically understand that thing. And that's the small business discussion. For larger customers up in the mid-market, you need to get a little more consultative. Right. You need to ask them, how would you feel in this specific situation that I'm bringing to your attention? Right. If an attacker this, if you lost that, you need to dig into different types of business failures, and then you need to go through a comprehensive gap assessment and give the client a detailed understanding of all the things that they have in place and all the detailed things that a compliance standard may say that they should have. Right. Or that an insurer say that you have. So more detail, because they want to know as a mid-sized enterprise, that you've taken the consultative approach with them and that your recommendations aren't based on some bias that you have or the packages you want to shift at your favorite vendor. They want to know that this guidance is specific to them and specific to leadership from the industry that's external of you, right? Yeah. And I think that those are the two approaches for those size businesses and in terms of how to package and price that. Use the package and pricing tools that work best for you, bundling Ala carte, whatever works, you bring up a really good point, is that whether you're talking to a small or a medium or mid-sized business, all of them are almost acutely aware of the risk that they're currently tolerating. At the very least, they're aware of the risk they're willing tolerate. And it's your job to communicate that to them in such a way that they see the outcome that you can sell to them, which is, I am adequately tolerating the correct amount of risk. I'm not taking more risk than I should, and I'm not paying more than I should tolerate less risk than most of the businesses comparable to me are. On the mid-size piece, you bring up a really good point where if you're at 100 employees, 200, 300 employees already, I don't know what your definition of mid-size would be, but not. Only are they already aware of the risk they're tolerating because they're probably working with another service provider in some capacity. But now your job is to paint the future of, well, here's where you are in one year. If this happens, where are you in two years? If this happens, where are you in two years? How long does an interruption of service that lasts three weeks set you back? Does it ruin your whole quarter, your whole year? Potentially. And it's less of a risk tolerance and more of a, you have a solid base. Now let's build a house on top of this foundation. Let's start shopping together.

Matthew Fisch: Yeah. And I think that in those mid-sized clients, let's start shopping together is what they want to hear. They want to hear that you're there to support their process. They're not just consuming your pre-baked whatever it is. That's what the mid-enterprise expects. And as you said, they probably have other service providers. So a lot of service providers think they're the trusted advisor because they have this two-way trust with the customer. But the customer also has that two-way trust with a bunch of other service providers. So if you really want to win that first poll position, it's also critical to make sure that you've pre-sold all these ideas to the customer. You need to have these consultative gap analysis, these questions about what ifs long before that they are ready to invest. So when they finally are ready to invest, which will ultimately for both small business and mid-enterprises, it's going to be some kind of outside pressure. People are not going to buy a thing because you're like, you should spend more money, other companies are spending more money. It's going to be that. And, well, I'm trying to get cyber insurance. Well, my client is asking me to fill out this due diligence form. Well, we had a breach, right. And other clients of my size, you need to stack both of those. So that idea that this is responsive to their situation, that you're going to help them, I think that's really central to getting them to invest in cybersecurity, right? Get them to see you as the person that can really help them navigate this complex clients arena security requirements arena the same way their tax advisor, their general counsel attorney would help them.

Connor Swalm: If your accountant or your CPA comes to you on tax day, it's like, by the way, we should try all of these newfangled ideas that are going to cost you this much money and potentially save you this much. It's like, wait a second, we had 364 days to talk about this before we got, I'm not doing it today. Yeah, I'd be worried about that, too. And I think a lot of MSPs, I think a lot of service providers would have a way better outcome with all of their clients if they did this presales where it's mainly just about education, about, hey, this is my job. This is my bread and butter. I'm the trust advisor. You're running a business. You don't know cybersecurity like, I will. You're informed enough. But here's what I would recommend. Here's what you should do with the information that I'm presenting to you.

Matthew Fisch: So I'm glad I got a chance to talk to your partners about this subject. This is one of the things we focus on, really, cheerleading partners, helping them develop their processes and practices that are right for them and their clients. And yeah, thanks for the opportunity to come on today.

Connor Swalm: Anytime. If folks wanted to reach out to you, Matt, or Fort Mesa, where would you like them to find you?

Matthew Fisch: Head on over to Fortmesa.com. We got all the information on our products and partner programs there.

Connor Swalm: If you're listening or watching, all that information will be down in the show notes or on the YouTube video. Wherever you're consuming this, feel free to reach out and say, hey, saw you on Gone Phishing and learned a little bit about compliance and cybersecurity sales. Matt, thanks for joining us today.

Matthew Fisch: Thank you.

Connor Swalm: Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out at Phin Security at Phinsec IO. Or click all of the wonderful links in our show notes. Thanks for phishing with me today, and we'll see you next time.