{"id":43705,"date":"2023-03-14T11:38:32","date_gmt":"2023-03-14T11:38:32","guid":{"rendered":"https:\/\/www.n-able.com\/?p=43705"},"modified":"2023-04-13T11:14:44","modified_gmt":"2023-04-13T10:14:44","slug":"how-msps-can-own-risk-management-conversation","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/it\/blog\/how-msps-can-own-risk-management-conversation","title":{"rendered":"How MSPs Can Own the Risk Management Conversation"},"content":{"rendered":"

Against a backdrop of constantly evolving cybersecurity threats<\/span><\/a>, it\u2019s essential that MSPs understand how to own the risk conversation if they are to really help their customers effectively manage their security posture.<\/span><\/p>\n

In this blog, I want to look at what we mean by \u201cowning the risk conversation\u201d, and how MSPs can achieve this.<\/span><\/p>\n

For me, I look at it from the perspective of my own job. When most people think about their security team, they view them as the team that effectively says yes or no to projects or requests. However, in reality, our job is far more complex than simply saying yes or no to something; it starts with assessing and quantifying the risk of that request. <\/span><\/p>\n

When faced with a proposed project, we need to look at what the risk is to the business, our partners, and our partners\u2019 customers. Ultimately, any business decisions need to be made based on what our company\u2019s risk tolerance is as it relates to the risk itself.<\/span><\/p>\n

I’m in the fortunate position of working for a mature organization that understands these business risks. We understand what the potential impact a cybersecurity incident could have on our business, and I’m working across the organization with folks who have insight into how our end-to-end operations work. <\/span><\/p>\n

For the majority of MSPs, things are often a little bit different. MSPs are supporting those end-to-end operations for their customers and have a clear and concise understanding of a large number of the technologies and controls that support those businesses. This means they also understand the threat cyber-attacks pose to their effective operation. On the other hand, the business owners themselves often may not actually have that understanding. So, a critical part of the MSP\u2019s role is to not only identify risk for their customers, but also to effectively communicate that risk to them. <\/span><\/p>\n

Moving the focus from how to why<\/span><\/h2>\n

Communicating that risk to your MSP customers ultimately helps you shift the conversation away from talking about \u2018how\u2019 a specific technology will protect their business to \u2018why\u2019 they need that specific technology at all. One of the toughest challenges with security evolution is that there is no clear finish line. Companies may feel like they\u2019re able to invest and get to a point where they’re done, but the reality is that’s not how security works: the risks are ever evolving, and so their investments into mitigation and protection needs to evolve with it.\u00a0 <\/span><\/p>\n

This can make the constant evolution of the security stack an awkward conversation to have if the customer doesn\u2019t understand how their risk has changed. However, when you need to ask for more budget to upgrade hardware, to invest in different software, to add on EDR, or whatever the case may be, if the customer can see that you\u2019re doing this to mitigate a commensurate level of risk for them, then it will make the conversation much easier. <\/span><\/p>\n

It’s not just telling them what they need, but explaining why they need it that makes the difference here:<\/span><\/p>\n