One thing that I don’t miss about being a Managed Service Provider is the constant tug of war that was required to get clients to adhere to best practices. In a lot of cases, these were merely slight infrastructure improvements that would improve connectivity and their overall workflow, a recommendation that has very little consequence beyond the status quo. 

When it comes to cybersecurity recommendations, on the other hand, the consequences couldn’t be more severe. Failure to comply with best practice not only puts your client at risk, but it puts you at risk as well (you already know this). Nevertheless, some clients resist change and cling to whatever reality suits them best at any given moment.

Here are a few tips on how to treat these situations when selling cybersecurity products and services and ways you can restore faith on both sides in the process. 

Assess Your Trail Of Communication

When getting pushback from a client on any recommendation, it is always a good idea to look inward first before reacting. Take a moment to evaluate your communication with the client over time and find out if there are any disconnects that may have been a product of your own doing.

If you can prove that you offered the same recommendation on multiple occasions in a way that was clear and consistent, then you certainly have some ground to stand on as you build your final case. If you don’t have any documented communication (in the form of tickets, emails, etc.), then creating that record is an important starting point for any negotiation, and it will act as a “receipt” in the event that an incident occurs.

VIPRE keeps businesses safe with a portfolio of protection including endpoint, email, network, user & data protection. Free Trial.

Find The Root Of Their Hesitation

As you evaluate your ongoing communication with the client, try to understand the root cause of why they do not want to move forward with your recommendation. Are they focused only on short-term costs? Do they not trust you to implement it? Do they assume their insurance covers their losses? Do they understand the consequences?

If they have not offered a consistent objection, then you should keep asking them about it until you get one. If no objection is offered, then you know this is simply a matter of prioritization, in which case you need to be more persistent in your recommendation.

Leverage Data & Customer Advocates 

One approach that has proven effective is to use data to demonstrate the financial impact of not accepting your recommendations. Some security vendors even offer calculators (such as a cost-of-downtime calculator) which can help you pull a completely customized estimate of how much this company could potentially lose in the event of a security event.

Another tactic that could be quite convincing is the use of a customer advocate who is in a similar industry. For example, if the resisting customer is a lawyer, ask another law firm of a similar size in your portfolio to vouch for your solutions in writing or through conversation. If none of them are willing to advocate on your behalf, then rely on industry-wide data to help paint the picture of how most other firms of their size are trending in the recommended direction.

Get An Opinion From A Third Party 

Should the recommendation in question be of a significant size or scope, it may be worth spending the money to bring on a third-party auditor or arbitrator to assess the environment and confirm or deny your recommendations. This is not an uncommon practice for enterprise-level security, as there are a lot of consulting firms out there that do just this.

While this is very likely to lead to a positive outcome, it does not always make financial sense to do so. If all of this back and forth is over a $100/month security add-on, then this is probably not a feasible solution. Instead, consider going to the vendor that provides the solution in question and asking them to provide a sales engineer for this purpose. While this is obviously not as “neutral” as a third party, it is still an outside voice that may be able to move the conversation forward.


Ask Them To Sign A Waiver Of Liability 

As this game of ping-pong is taking place, I would recommend asking your client to sign a waiver of liability, essentially confirming in writing that they deny your recommendation and waive any liability in the case of an event. A simple Google search will yield several templated versions of these documents, many from well-known consultants in the MSP industry (Erick Simpson and Karl Palachuk, to name a few).

In my brief research, I was unable to find any evidence of this type of document actually holding up in court, but having it is better than not having it when all else fails. The act of presenting this document may be what is necessary to show your client the severity of the situation and could be what finally convinces them to act. 

Consider Walking Away For Good 

I am sure this isn’t the first time you have heard this (nor will it be the last), but sometimes you just have to cut a customer loose. If you can look yourself in the mirror and say with confidence that you did everything in your power to help the customer, then the rest is out of your hands. 

Break-ups are never easy, but I never recommend burning a bridge regardless of the circumstances. Whenever we had to break up with a client, we always offered them a warm introduction to one of our competitors, to whom we had explained the situation and who was willing to hear them out. This way they can ensure a smooth and civil transition and the professional relationship doesn’t become even more fractured than it already is.

Watch as author Kevin Clune and VIPRE’s Jason Norton go “beyond the blog” to discuss what to do when your clients won’t accept your security recommendations.