Security-focused solution providers said they aren't talking about technology nearly as much as they are about defining and lowering business risk.
"Cybersecurity is really just a buzzword," said Ted Clouser, executive vice president of Little Rock, Ark.-based PC Assistance. "It's really about the mitigation of risk."
Clouser, who has been with PC Assistance as it successfully transformed over the past year and a half into a managed security service provider, said risk is the most important piece of the conversation when it comes to cybersecurity. He said his business starts clients with a vulnerability assessment to pinpoint areas of security risk.
Jeremy Wittkop, CTO of Greenwood Village, Colo.-based InteliSecure, said a move away from selling technology toward a conversation about business risk is essential because the buyers of technology aren't necessarily the IT teams anymore.
"I don't think a technocentric message works because truthfully the people making the decisions are different than they were five to six years ago," Wittkop said. "Business folks are making business decisions, they just happen to be facilitated by technology."
Wittkop said InteliSecure moved to this new selling approach about five years ago. He said the solution provider is now looking to take that model to the next level with what he called the "holy grail," which he said is a return on investment model. He said InteliSecure is looking to provide realistic objectives and quantify how much different technology purchasing decisions reduce risk and ultimately reduce an executive's budget over time.
Michael Echols, CEO and board member of the International Association of Certified ISAOs (IACI), said in a presentation at XChange 2017 Security University in Orlando, Fla. this month that the language of risk management is one that all business executives understand, from the IT department up to the board of directors. He said it is key for partners to be the translator between technology language and what it means for risk management.
"Board of directors may not understand technology, but if they spent a certain amount of money they understand when you say it reduces risk by a certain percentage," Echols said in an interview with CRN. "If you're trying to sell these types of organization and you're talking to them in a way that you're educating them, you have now endeared yourself in a totally different way to the customer."
Echols said boards of directors know they need to increase cybersecurity investment, but struggle with getting into the weeds around the technology. He said a focus on risk management would help partners mature the industry and allow for greater investment across the business in improving cybersecurity posture.
"Cybersecurity is just a word that describes an environment. It's become just a big marketing word. That actually precludes us from moving forward from maturing cybersecurity," Echols said. "Increasing that environment where you're constantly trying to reduce risk and you can add in this idea of building a culture of cybersecurity to the organization."
Echols said a risk management conversation about security starts with understanding the threats and vulnerabilities through assessments and market knowledge. Then, he said, partners can apply that knowledge to mitigate risk in a customer's specific environment.
A business risk-based conversation also expands the opportunity for MSSPs, Clouser said. He said business risk is a "different conversation than technology," extending beyond traditional cybersecurity areas to things like physical security, personal risk, and networking.
"Anytime you connect anything to the internet or network, security has to be at the forefront of everything you do. It's only going to continue to grow," Clouser said. "Cybersecurity has to be the first thing you look and think: where is the risk?"