Ask yourself this question: Who's responsible for your customer’s cybersecurity? You or the customer? Does your customer expect that since they have you as their MSP, they won't have a security incident? If so, you may have set very unrealistic expectations.
Many of the MSPs I work with don't understand the concept of a shared-risk relationship. Ultimately, your customer is responsible for their security posture. Your role is to educate them on the best decisions and deliver on the part that you're actually responsible for.
As most of you know, I co-host a weekly cybersecurity podcast called “The Weekly CyberCall.” We’ve asked our audience the following question a couple of times now: “How many of you have had a cyber insurance conversation with every one of your customers?” Typically, between 75 and 85 percent of our audience responds with a resounding “no.”
This is a huge red flag! There is no scenario where you have a shared-risk relationship with a customer and do not talk with them about their cybersecurity insurance. Not having these kinds of conversations is a bigger risk than the actual risk of breach.
I was talking to Chris Loehr of Solis Security, an incident response company, and he said that there are a couple of types of incidents that he gets involved with: those with MSPs that are prepared, and those with MSPs that are unprepared. That is, those in which the client is aware of what is going to happen and needs to happen, and the ones where the MSP is having those conversations for the first time.
Your customers need to understand that they are on a security journey, whether they like it or not, and you are their guide. You can't absolve them of risk. Just help them manage it effectively. You need to teach them what an assumed breach mentality is and deliver this message clearly and often. Instead of being afraid to discuss their risks with them, use it as a way to forge stronger business relationships. This approach works not only with customers, but also with prospects.
In sum, start defining the role you should play in your customers’ cybersecurity strategies, and make sure all team members and customers have the same view.