Skip to content

How to Make Selling Security Awareness Training Easier | EP 036


Connor Swalm

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different, and every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swam, CEO of Phin Security. Welcome to Gone Phishing. Hey everyone, welcome back. I am Connor, CEO at Phin Security and host of the Gone Fishing podcast. Thanks for joining us today. I actually just got back from a conference where I listened to a bunch of different people talk about selling specifically related to MSPs. How can MSPs sell better? How can they communicate differently to be better sales individuals? And I'd like to bring not only some of the realizations I had at that conference, but some of the tools and some of the ways that I've communicated to end up selling in the past to you all today, and specifically centered around security awareness.

So when you're selling security services, awareness training is an interesting piece of that stack. The reason I say that is it is usually the only security tool that your clients know that you're selling to them. Like the end user at the client knows, and that's because they have to take training in a certain place. They're getting fished from certain places most often, and reporting and generating certificates of completion. It all usually happens at this tool. So every individual in the client you're working with usually knows which tool you, as the MSP, are selling them that they're using. And so that can do a couple of things. That can provide a host of issues that other tools, nobody usually knows what firewalls are being used at their company, but they will know which awareness training tool is. So there are some problems it can cause, and there are also some benefits it can create. Some problems are that people know what tool you're using.

Everyone has an opinion on everything, and so you might have to defend the tool that you've chosen for awareness training. That's fine. If you've had that conversation with stakeholders, usually they can head that off for you. So you can explain to the stakeholders, we use these tools for this x, Y, and Z reason. It'll help you do it'll help provide a better outcome for you and your employees, and it'll do it in less time. So you'll end up providing less effort and getting the same amount or better levels of security. That's why we've chosen it. So where are some ways MSPs go wrong in trying to sell cybersecurity? This isn't MSP specific. This is just like sales stuff that I've seen in the past. I actually just did a podcast talking with Tom Lawrence about this. Don't sell tools. Sell the value. If you are a trusted relationship, if you are a security or an IT advisor to this company, that's what you are. They're outsourcing their IT and their security to you because they don't want to in-house it for a variety of reasons. So you are becoming that expert resource for them. Don't sell the tools you use. Sell the value you provide. So the value that tool provides. You're selling firewalls. Why is it important? A lot of people don't even know what a firewall does. They know it's involved in technology in some way, shape, or form. So if you explain to them the technology and the tools you're using for firewalls, they don't get any additional information that they could use. But then if you sell the value of firewalls, we're blocking malicious traffic both inside and outside of your network. And here's how we're doing it. And here's why that's important, because most attacks come through x, Y, and z forms, and these are the ones we're preventing. What's a way different conversation that anyone, of any level, can usually latch onto and recognize what's happening?

The second mistake I usually see is not communicating effectively. Now, that is a very grandiose, large topic, not communicating effectively. So a couple of things that I've seen that contribute to wires getting crossed or people not understanding, however you'd like to phrase it, are using acronyms when you don't need to. I've been in the MSP industry for three, four years now, and there are some acronyms that every time I hear them, I'm like, I don't even remember what that is. And so if I'm at that point, if you're at that point, imagine what somebody who just wants to show up to their work and do a good job is at when you start using acronyms. And a lot of people won't ask questions about things they don't know because they'll feel stupid when they do that. And you need to recognize that if you're selling to them, a lot of people won't ask questions, even though they'll have them, and you need to head that off. The second thing is explaining the technology in such terms that nobody but you could possibly understand it. I totally forget who said this, but if you're not able to explain something, you know, so that a five-year-old can understand, you don't know enough about the topic to consider yourself an expert. And I think that's just a good rule of thumb.

If you can explain to a child or somebody not even in cybersecurity, whoever has no understanding of security, what it is that the tool you're trying to sell them is going to do, then you probably don't understand it well enough to sell it. It's just a good rule of thumb. I employed this when I was in real estate. I employ this to this day at Phin and various other places, and it's a trap. That's the third problem with trying to sell cybersecurity tools that I see, and awareness training specifically, is you sell using fear, uncertainty, and doubt, the acronym FUD. F-U-D. And while I guess it could have its time and its place in all different kinds of sales conversations, at the end of the day, I believe, and what I think I've demonstrated so far is if you sell the positive of the relationship with you, if you sell the positive outcome of the services you're providing, you'll just have a way better relationship with your clients, and they'll end up buying in a way, but they would not if you just use fear, uncertainty, and doubt. A lot of people make decisions using fear. Sometimes it's not the client or not the relationship you'd like, because if somebody joins the relationship with you fearful, they might never leave that place of being fearful, and you'll spend the entirety of your time with them trying to convince them otherwise. So it's just a hard place to get into, get out of, once you've gotten into rather. So again, sell the values, don't use acronyms, and communicate effectively. Communicate in such a way that they understand.

A great book on this, by the way, is a book called Gap Selling. It's essentially this. If your client is at point A and they want to get to point B, there is a gap between A and B, and your job is to communicate to them in such a way that everything you are doing and you're going to be providing for them and with them in that relationship is going to get them to B. Essentially, you are the puzzle piece that fits between the gap between A and B. That's it. You're selling the gap. You're like, well, with us, you're going to be over here at B. I don't know where you'll be with other people, but it's probably not at B, and here's how I know that. So it's just very effective. You don't sell based on your company's values and your history and the founder's story, and this person invented the Internet, and that's why you should work with us. Like, well, you have these problems. I know I can solve them in X, Y, and Z ways. And that's why I know we're going to be working well together.

That's much more valuable than using fear, uncertainty, and doubt. So one thing to keep in mind, and I've touched on this lightly in a few other episodes, is almost nobody understands. Almost no one you're working with, your clients and your clients' employees, understands security better than you. I hope your clients don't understand security better than you. So when you're having a conversation with them about it, don't sell the tools, sell the outcome and sell the value. Because that's the thing they care about. They're coming to you because they don't understand something, but they know they need it, whether it's their cyber insurance compliance framework or they see something in the news that says, oh, I need to care about security. So here I am at your doorstep, caring a little bit more about it today. Whatever the reason they're there is, you need to sell the value. So why are they more secure working with you, and how is that possible? And again, communicating that in such a way that anyone could understand it is incredibly important. So what are some steps that you could take to get better buy-in from potential customers? A statement that I heard at this conference that I passed, that I just went to, is be a person that somebody likes.

People buy from people they like. It is as simple as that. If you're trying to have a conversation with a prospect or a client and it comes across that you are being, I'll use the word, slimy, you're just trying to get them into a corner so that they'll have to decide to buy with you based upon some previous statements they've said. If you're using these old-school sales tactics that most consider to be obtrusive, you're probably not going to have a client that likes you. And most of the time, if this business owner or these managers or companies are reaching out to try and work with you, if you just start off the relationship, even if they don't end up being a client just by being somebody they like, you'll end up having a way better chance of winning that business long term. I've already said these two things on this podcast, but I will bring it back home again. Don't use acronyms and use words people understand.

An average individual understands a big thing. With MSP folk that are super tactical, and that's probably why you started an MSP in the first place. That's why you're working in the cybersecurity industry. You forget how much you really know, you forget how deep into a lot of these topics your understanding goes, and you forget how much the average person has not dove into the world that you've decided to make a living in. And so that comes about in describing complex tools and security principles in such a way that people aren't going to be able to understand them.

They're not going to track or follow. But again, a statement I made earlier as well, they'll have questions, they just won't ask them because they'll feel dumb. And so creating this place of safety and security for them when you're having this conversation by using words and communicating effectively at their level with them and their understanding is going to be incredibly important to helping them voice their own concerns. So overall, if I could do one thing, people buy from people they like. So be a person that somebody likes. Uplifting, encouraging, educational, helpful, all those adjectives.

If you or your sales folk aren't described as those things, then you're probably not focusing quite in the right place first, which is creating a relationship with the person that you'd like to work with. At the end of the day, if you have any comments, questions, concerns, you can always find me on LinkedIn. You could find us on our website if you want to reach out. P-H-I-N-S-E-C IO. Talk about everything cybersecurity, security awareness, company culture, and a lot of things in between. Once again, I'm your host, Connor, CEO at Phin Security. Thank you so much for joining me on this episode of Gone Phishing. I'll see you next time. Thanks so much!