1.9: How to Nail Your Next Cybersecurity Sales Pitch

“You can’t fix that chasm of doom if they don’t realize that it’s there”

Struggling to convince clients of the value of your cybersecurity package? You might be missing out on a few key aspects of the deal that can change everything. MSP sales coach Jennifer Bleam reveals the secrets to persuasive cybersecurity sales. We dive into:

  • How to show your prospects the “chasm of doom” before them
  • Why discovery is never for you
  • How to use emotion in the sale without pushing on FUD (fear, uncertainty, doubt)
  • The cybersecurity sales lever that builds empathy and drives need
  • Positioning your bundle against competitors to seal the deal


Who’s on this episode

Host: Jennifer Tribe
Guest: Jennifer Bleam, MSP Sales Revolution

Jennifer Bleam is a best-selling author, an award-winning speaker, and a respected leader in the IT channel. She has coached over 1,000 MSPs on marketing and sales best practices, based on her real-life success as an MSP business owner. Jennifer also grew a channel-only cybersecurity software firm from start up to acquisition in less than 2 years. Part of her role included coaching MSPs on how to sell cybersecurity to small and medium-sized companies. She founded MSP Sales Revolution to help MSPs master the art of cybersecurity sales quickly, easily, and profitably.

Episode transcript

Jennifer B: They pull you in and they think they have this little rut in the asphalt and they’re like, Hey, can you help me patch this rut in the asphalt? And you walk in and you’re like, That is not a rut in the asphalt. That is this giant chasm of doom.

Jennifer T: Oh we have a fun show for you today. How can it not be fun when we start things off with a chasm of doom? We’re talking all about the thorny challenge that is selling cybersecurity and bridging that gap between what your prospect thinks they need and what you know they need.

I’m Jennifer Tribe and this is Workflow, the podcast about growing a happier, healthier MSP. More profit, less stress.

My guest today is another Jennifer, Jennifer Bleam, who you may have seen speak live. Side note: Syncro just released a report on the most popular resources, communities and thought leaders in the MSP industry and Jennifer was tied for first place with Ray Orsini for the thought leader that most people had seen speak live. Fun fact.

If you have not seen Jennifer speak, let me tell you a little about her. She is the author of Simplified Cybersecurity Sales for MSPs, and coaches MSPs through her MSP Sales Revolution program. Previously she grew a channel-only cybersecurity software company from start up to acquisition in less than two years, and she’s grown several other divisions and companies to multi-million dollars.

We started by talking about how selling cybersecurity is different and in many ways, more challenging than selling managed services, because it’s kind of like selling an insurance policy. It doesn’t guarantee a bad thing won’t happen, it just helps it sting less when it does.

Jennifer B: Managed services it’s intangible, but at least you can tie it to increased productivity. We’re going to give you dual monitors. We’re going to get rid of the fact that you have to reboot your computer every day and it takes 10 hours. All of those things are at least somewhat tangible to be able to say, okay, if I’m the end user, I understand that what I’m buying is increased productivity. When I’m buying cybersecurity, what I’m buying is a reduction of risk. I’m not even buying something that’s bullet proof. You’re not promising nothing will ever happen. You’re just reducing the risk that something horrible will happen.

“Discovery is not for you as the salesperson to discover anything”

Jennifer T: So how do you make the risk real? This is the million-dollar question at the heart of every cybersecurity sale. And it starts with discovery, but maybe not the discovery you’re thinking of. Jennifer says a lot of MSPs get it wrong right off the bat.

Jennifer B: There’s a lot of misconception and confusion around discovery. And a lot of times my clients are like, well, I did discovery and I’m like, okay, tell me what that looks like. Well, I asked a cursory set of three or four questions, found out there was a little bit of pain, and I was hoping it was enough pain and so I went straight into pitch mode.

That’s not what discovery is. That is completely the opposite of what discovery is, because discovery is not for you as the salesperson to discover anything. You’ve probably been on hopefully 10, 20, 50 or 100 discovery calls and they’re all largely the same. They’re not patching Office 365, they’re not looking at logs for 365. There’s this mystery server in the closet that no one seems to know what it does and hasn’t gotten patched in ten years. The backups have failed on something. We can all tell the stories. Like we’ve all been there.

So of course, if you are going in saying, Let me try to uncover something new, there’s almost nothing new under the sun. There’s always going to be one or two really odd, like you’ll never guess what happened to me. I have a friend who went in and did a discovery meeting and walked through the entire, it was an empty building and it was going to be managed services and an office move. And they walked through the whole building and he just kept saying, something isn’t right. The MSP was like something isn’t right. And it was near the end. He was like, take me back to the server closet for a minute, and they go back to the server closet and there’s no wiring. The previous tenant had ripped out every cable. There’s no internet, there’s no nothing. And he’s like, So that’s a problem. We’ll have to fix that. We can do that for you.

So that is definitely something new under the sun. But largely discovery is not going to help you discover anything. Discovery is for you to help the prospect discover where they are underserved. Discovery is for you as the salesperson to help the prospect realize that they’re standing on top of a frozen lake and that lake is not truly frozen over. And if they make the wrong move, that ice is going to crack. They’re going to go down and they’re going to drown. And when you walk in the door, they think they’re ice skating on an ice skating rink. Everything’s fine. Maybe it’s a little hard to do business here and there, but yeah, you’ll patch a few things up and maybe run a new cable so that the one little cable that’s droopy, you know, you’re going to make me happy. It’s going to be all good.

They think their problems are really small when in reality their problems are huge. And so that is what you’re doing in discovery is demonstrating that there is this massive gap. They pull you in and they think they kind of have this little rut in the asphalt and they’re like, Hey, can you help me patch this rut in the asphalt? And you walk in and you’re like, That is not a rut in the asphalt. That is this giant chasm of doom. And we need to fix that. But you can’t fix that chasm of doom if they don’t realize that it’s there. And that’s what discovery is, is so that they go, I had no idea. If you hear a prospect say, I had no idea it was that bad, you’re doing a great job with discovery.

You’re uncovering this chasm of doom. But you’re not just saying, oh no, you have a server that’s unpatched in the server closet. You’re explaining what that means to them. Like, who cares? That’s the opposite of a feature. That’s just a data point. Why do I care that there’s an unpatched server? It’s been unpatched clearly for ten years or six years or who knows how long? Why do I care? So help me care.

“Stories and analogies are very powerful”

Jennifer T: Got it. So through discovery, you get them to see the chasm of doom that is their current security posture. But how do you tackle that “so what” question?

Jennifer B: I love stories and analogies. The one that I usually will share is from my own life. It’s not cybersecurity related, which is good. It’s something that’s very relatable, which as you listen in the next couple of minutes, you’ll see how it’s easily relatable to the end user. But then to make the jump from that to cybersecurity is very easy. So whether you borrow this concept or you find another analogy that works in your life, stories and analogies are very powerful. So true story. About a year or so ago, my 20-year-old was in a car accident. Pretty serious car accident. It wasn’t his fault. He got T-boned, he got spun around, ended up facing south on a northbound lane, it was really, really bad. He ended up being fine.

But in that moment, when I got the phone call from my husband that said, Hey, our son’s been in an accident, I don’t know any more than that. They’re calling an ambulance. I’ll be there in 45 minutes. I’ll tell you what I find when I get there. In that moment, the emotions, the franticness, the sick feeling in the pit of my stomach, I wanted to cry. All of those things were very, very real in the moment. Now, if you had asked me the day before, Hey Jennifer, you have three boys. What are the chances that logically one of them will be in a car accident before the age of 25? I don’t know the statistics, but logically, I would have said that the chances are really high that at least one of my boys will be in a car accident before the age of 25. That’s just the way the cookie crumbles.

So logically, I know, hey, my kids might be in a car accident. Therefore we buy safe vehicles. And then we also have car insurance. So none of that protects the accident from happening. It just means we’re anticipating that it could and it probably will. And so how can we manage against that risk? That analogy is a relatively good analogy. Like listen, in life we all do things to mitigate risk and to plan for risk, even if it never happens. We at least feel better because we’ve planned for it.

I love to share stories, especially if there are some local stories, whether it’s in the news or whether you can say, Listen, I just got a phone call last week from a veterinarian. You don’t know them. They’re across town. You maintain confidentiality, but you explain what happened. Don’t make the story up. When I say stories, I’m not saying let’s tell lies. But if you know firsthand of some things that are happening or that just happened, especially if they’re in your town or they’re in the niche of the person that you’re talking to, even if they’re across the country. Niche specific becomes very easy for people to relate to.

“It’s emotion that ultimately creates a sale”

Jennifer T: The thing that I’m noticing as you tell your story of the car accident is the emotion you’re bringing into it, the emotion you felt when the terrible thing happened. Conventional wisdom is that humans like to think we’re these rational creatures but we most often make decisions based on emotion, including buying decisions. So is bringing in that emotion the key to making the story work?

Jennifer B: It’s a little bit of a slippery slope because we start to talk about emotions and we start to also need to understand features versus benefits. And then we get into the whole, well, I don’t want to sell based on FUD. So the first thing is any time you are selling anything, you’re selling the implication. If you do nothing, the next step will be blank. It doesn’t matter what you’re selling. You’re selling fitness memberships. If you do nothing, you’re going to be 80, if you even live that long, you’re going to be grossly overweight. You’re going to have no muscle tone. And that’s like the first level of implication.

But the second level of implication is: and you won’t be able to play with your grandkids. Ugh okay, lack of muscle tone and not having a healthy heart and all of that. That is legit. That is a level of implication. But then we want to go one level deeper, which is “and what that means is” and so we’re going from a feature I want you to buy – a fitness membership – to a benefit to an even deeper benefit. And so for cybersecurity, I hear a lot of MSPs and MSSPs talking features: I’m going to put on MFA, we’re going to map you to the CMC controls. We’re going to make sure you have EDR, MDR, XDR. Don’t sell that way to the end user, even if that’s how a vendor is selling to you. Understand it’s a completely different sale.

Explain risk mitigation at a high level but what you’re really selling is the benefit to them and the avoidance of the ultimate outcome. So the way that you lean into those emotions is what I call business implications, or some people call them impacts. And if I asked MSPs what is the impact to a business if they don’t have MFA turned on? What’s the impact of the business if they get a ransomware attack? We all know that intuitively. They’re dead in the water. They can’t access their files. They can’t access their bank. Downtime. What does downtime mean? Well, you won’t be able to pay your team. You won’t be able to track time. You won’t be able to manufacture your widget so now you can’t sell that widget to Nintendo. My client has a client that makes a widget for Nintendo. They’re the only company in the world that makes this widget. I’m saying Nintendo. It might be PlayStation. I don’t recall. But Nintendo told this small company, you need to get serious about cybersecurity because if you go down, you are our single point of failure for this thing, this chip or whatever it was that he made, a piece of the controller.

And so that is the kind of conversation that your client can relate to, your prospect can relate to, not MFA, not EDR, but oh, I’m an attorney and I won’t be able to show up to court. I’m going to lose all my clients. That’s the reality if your clients and prospects don’t take cybersecurity seriously. And so that’s what you need to talk about. That’s how you create the emotion, and it’s emotion that ultimately creates a sale.

“Out of curiosity, how would that impact you?”

Jennifer T: So it’s walking prospects through the impacts that pull out the emotions?

Jennifer B: Yes. The way I like to teach my clients is that you use a story and then you’re like, okay, out of curiosity, how would that impact you? They couldn’t pay their team. How long would your team be okay with working for you for free without getting a paycheck?

How would your employees deal with it? And they’re like, no, they all need to be paid every Friday, we’re on a weekly pay cycle. I know a couple of companies that hire people that are former felons. They are very tight financially, so they have to get paid every week. So how would that impact you? Uhhhh I don’t know. Well, let’s think it through. Your team has to get paid. Do you have this extra bank account? Can we pull from there for the time being?

And so you’re starting to walk them through almost an incident response plan at a high level. And they’re going to live in that moment and they’re going to be starting to realize how complex this is, how much this could impact them. And that’s one tiny little piece because all we did was talk about how is it going to impact your employees? Then you can say, how is it going to impact your clients? How is it going to impact your billables? How is it going to impact your sales and marketing? And so you can almost just walk through the org chart and unpack exactly what this would look like to them.

Inside of my book, I’ve got a very fun Venn diagram. That sounds so nerdy. How can a Venn diagram be fun? But it is. It’s fun. And I’ve had people say this was super helpful for them. We talked about discovery and how discovery is for the prospect and discovery is all about asking great questions and then showing the impact of that. And that’s where the emotion comes from. There’s really two arguments that you need to make in order to show that you can help them, like they have to know that there’s a problem. So the first thing is how likely is something to happen if you do nothing, which we talked a little bit about, framed from fitness, like if you do nothing, you will be 80 and not be able to play with your grandkids. So same thing. What’s the likelihood that something will happen to this company if they do nothing?

And then the second thing which we talked about was the impact, the impact to the company. And so those are the two circles of the Venn diagram. And if you only prove one of those, it’s much harder to make a sale. When you prove them both, they overlap and all of a sudden it’s like, Now I know why you’re selling me that. It could happen to me, it could impact me. I’m not okay with that impact. How can we reduce the risk of that happening? And so just logically, if you can walk out of a sales call and say, did I prove both of those arguments. If yes, then you probably closed the sale relatively easily. And so just keep that picture in your mind.

“It really does stink but it is what it is”

Jennifer T: In a previous episode, I talked to Wes Spencer about using insurance requirements as a lever for selling cybersecurity. He talked about how the requirements that cyber insurance providers are setting actually work in your favor during the sales process, because you can say to a prospect, look, your insurance company needs to see these five things in place. If you don’t have them in place, you’re not going to get insurance or it’s going to be really expensive. And by the way, we can do all five of those things for you. Can you talk to me about whether you think that’s a good lever to pull in the sales process?

Jennifer B: Yeah, I think it’s a great angle because any time you can commiserate with your prospect and almost be like, Listen, I know you don’t like it, but it’s not my fault. It’s the insurance carriers. I’m not the insurance company. I’m just telling you I can help you check these boxes. That is fantastic. We talk a lot about being thought leaders and what you’re really doing there is creating a tremendous relationship with your clients and your prospects by saying, I know where you are, I commiserate with you. You’re right. It really does stink but it is what it is. Like there’s no carrier out there that’s going to insure you without these five things. The great thing is I can do all of that and it’s a very reasonable investment. And we’re not just checking boxes for insurance, although we are doing that, but we’re also mitigating these risks. So I think it’s a great angle.

Jennifer T: Obviously an MSP is not an insurance agent or broker. They can’t sell insurance, but they want their clients to have the insurance in case something does go wrong so that the MSP is protected as well. Can you talk about to what extent you’re seeing MSPs are starting to mandate that their clients have appropriate levels of cyber insurance?

Jennifer B: I used to sell life insurance and health insurance. So I err on the side of if I was an MSP, I would not be making insurance recommendations. What I would do is form a relationship with an insurance broker and I would say, Hey, according to Richard, things are getting really dicey out there. And as I told you, this is not bulletproof. We’re doing the best we can. We’re mitigating your risk. But I highly recommend that you go talk to Richard because he’s got some great options for cyber insurance. I’m happy to make the warm intro and then you step out.

I’m a little bit leery of requiring that my clients have insurance because it feels like you’re potentially undercutting how effective your solution is. If you’re like, I’m going to mitigate your risk, but then go get this thing to mitigate it even further. If I’m the buyer, I’m starting to go, I don’t know how sure they are that their solution is really that good. But if you can frame it as we need to make sure that they understand what you have. We need to make sure you’ve answered the questions correctly. Then that’s a little bit of a different approach.

“I don’t like point solutioning prospects to death”

Jennifer T: So it’s not advisable to say clients must have cyber insurance, but what about making your cybersecurity program mandatory with your managed services offering so the prospects can’t choose to not have it? If they’re going to take managed services from you, they have to take cybersecurity as well.

Jennifer B: I really like when it is all bundled together. Now that reduces your risk as an MSP because now everybody has your preferred solution stack. It also reduces complexity on the operations side because everybody has your solution stack. There’s never a question, do we need to remediate this or not? Wait, let me go look up their agreement. And so it simplifies things on the ops side.

But on the sales side, you’ve got to be careful because if you’re pricing your solution correctly, which is a whole nother conversation, then you are going to be more expensive. The investment is going to be larger than perhaps the incumbent who is only doing managed services or other MSPs that they’re bringing in to talk to if all they have is managed services. So if they are selling this for 100 bucks a seat and you’re selling this for 150 or 200 or 225, you’ve got to make sure that you have said, Hey, what I’m selling you is completely different from the other guy.

Now what I like and I got this idea from another vendor in the space, he recommends bundling it all together but he presents it as, Listen, this is the package you’re getting. It is our managed services plus our cybersecurity. And typically, if you’re looking around, managed services you’re going to be paying 75 to 125 per month. We also have cybersecurity. It’s all one big bundle and we are 175 per month. What that does is you have just undercut the competition because now if they’re looking at a proposal that to them it’s all just gobbledygook. They have no idea what they’re looking at. And then if your proposal says with EDR and SIEM, they’re going, I don’t know if the other guy has EDR and SIEM. I mean, I would assume he does, right? And now they’re just going with the cheapest provider.

But if you’ve said, listen, we have A plus B and A is typically about $100 per seat, and they go and look at this proposal and they have ten computers and it’s $1,000. They’re like, that must be A but Jennifer said she has A plus B, so let me go with her instead, assuming that the value was proven and the pain points are there and you’ve done a great job showing that implication. So I love bundling. I don’t like point solutioning clients and prospects to death.

Jennifer T: That was Jennifer Bleam, cybersecurity sales consultant and author of Simplified Cybersecurity Sales for MSPs, which you can grab on Amazon or Audible for $5.

If you liked this episode, tell an MSP friend about the show—the more the merrier. Or shoot me a note to podcast@syncromsp.com to let me know how it helped you. I would really love to hear from you.

Until next time, this is Jennifer Tribe. Thanks for listening.

Jennifer Tribe

Syncro’s director of content. Espresso-fueled Canadian nerding out over plain language, productivity, and podcasts.
