I regularly speak with managed service providers (MSPs) and one of the biggest challenges I hear them share is selling the concept of managed services to prospects.
Many small and medium-sized businesses have yet to move past the concept of break-fix—only paying an IT company to fix things when they break. They don’t fully appreciate the value of the proactive approach that is managed services.
But I’m seeing an increasing number of European MSPs who are winning managed services clients—by not leading the sales conversation with managed services.
Instead, they’re leading the sales conversation by talking about cybersecurity. It’s a lead that any MSP worldwide can follow.
GDPR and the importance of cybersecurity to small businesses
I saw this shift in sales focus for European MSPs happen in the lead-up to the General Data Protection Regulation (GDPR) coming into effect. Love it or loathe it, GDPR has raised awareness of cybersecurity in a way that few other initiatives have.
Cybersecurity has always been important, and the financial implications for small businesses who’ve been breached have always been immense. But in the past, many businesses, especially smaller ones, simply shrugged off the possibility of attack with an “it will never happen to me” attitude. GDPR has changed that.
GDPR has helped shift cybersecurity from a “nice to have” option for small businesses to a “must-do” act of regulatory compliance. If ignored, GDPR can cost these businesses huge fines.
Even so, many SMBs are treating GDPR compliance as a tickbox exercise, something they can bring an external consultant in to help them achieve and then dust off their hands.
Of course, MSPs know that GDPR compliance isn’t a one-and-done project at all. The smarter MSPs I’ve observed have used the door opened by GDPR to talk with their prospects about ongoing cybersecurity as part of a managed services offering.
Managed services and cybersecurity
Many of the things that will help a business become GDPR compliant are the fundamentals of good cybersecurity. Protecting the personal data of clients, employees, and suppliers isn’t achieved by any single action but by making sure:
- Internal data is secure (permissions)
- Data shared externally is shared securely (encryption)
- Internal networks are kept safe from intruders (firewalls, web filtering)
- And much more besides
I’ve seen a number of forward-thinking MSPs advertise their GDPR compliance services to small businesses as a packaged solution.
A compliance project is a lot easier to sell than managed services. The business has an immediate problem (becoming GDPR compliant) and the MSP is offering a defined solution (typically an audit).
As part of the project, the MSP can bring the client’s IT infrastructure up to date with better firewalls, encryption software, web filters, and so on. This is not dissimilar to the upgrade work that many new managed service clients are required to sign up for before an MSP will start supporting them.
At the end of the project, the business is considered GDPR compliant—at that point in time. Of course, the MSP then turns the conversation to ongoing compliance with questions such as:
- Employees come and go. How is the business going to ensure internal data security is maintained at all times?
- Web filtering and firewalls prevent many external attacks, but how is the business going to deal with an intrusion when (not if) it happens?
- If internal data is lost due to a breach, what backup and disaster recovery options does the business have?
Over the course of the compliance project, the customer will have gradually become aware that IT pervades every part of their business. They’re reliant on IT. It’s not a “nice to have,” it’s essential—and it needs ongoing maintenance.
And so the conversation between the business and MSP turns to managed services. It’s a conversation that, prior to the GDPR compliance project, the prospect didn’t want to have.
In this scenario, I’ve described how European-based MSPs are talking to their prospects and clients about GDPR. But every geographical region around the world has its own regulatory compliance challenges.
No matter where your MSP is located, helping companies comply with relevant statutes gives you an opportunity to start a conversation about managed services. Will you use it?
But GDPR has pretty much been a complete joke. Only 0.25% of companies breaking the law have actually been fined. The whole point of the exercise was basically to go after Facebook and Google while threatening everyone else in the process. Speaking to the ICO, they are complete idiots. Apparently, it is up to the company to decide on what data is PII and what is not. Actually, it’s pretty simple what PII data is. Companies are also sick to death of hearing about GDPR so it is more likely to raise people’s hackles than it is to land you a sale.
Colin — my experience hasn’t been similar to yours. The majority of MSPs I’m working with are finding GDPR (and other similar compliance challenges) as an opportunity, rather than something clients get irritated about.
Rather than being treated as a joke, in my opinion, GDPR has been a good thing for MSPs. It’s helped raise awareness of security obligations with clients — an area that was extremely important, yet extremely frustrating for MSPs to try to convey the importance of to clients prior to GDPR.
Great article, Richard! Colin, I hear your frustration, but that’s not what we’re experiencing in the market as a GDPR SaaS solution provider to MSPs. We’ve signed up MSP partners, reselling the solution as part of their managed services offering, or to targeted customers as part of their compliance services offering, as they see this as a great way to strengthen their trusted adviser status, increase recurring revenue (as per Richard’s blog) and – as important – upsell and cross-sell their traditional service offering of encryption, secure storage and transfer, backup and disaster recovery, etc. GDPR is the legislative reason MSPs can use to sell those services clients have often pushed back on without that legal requirement.
And GDPR isn’t about fines for most businesses as you note – that €20m figure is never going to be applied to an SME and regulators aren’t going to audit every business as you rightly point out. It’s about protecting the rights of the individual and ensuring organisations have the right measures in place to do that. The fine size has, however, made GDPR come into vendor due diligence. Cisco’s 2019 Privacy Maturity Benchmark Study states that 87% of orgs suffer sales delays of over a month due to privacy concerns, with GDPR compliance reducing that delay. We even had a 4-person contractor say they couldn’t be a subbie to a main contractor to a housing association unless they had a GDPR policy and evidence in place. We’re seeing that due diligence pressure (and internal compliance requirements) as being the drivers for GDPR (and related security etc.) compliance, not fines. Fines got it noticed by the board. Vendor due diligence is making it a business-as-usual requirement.