MSP owners: Why do we make our lives so hard?

Episode 253 September 16, 2024 00:27:05
Paul Green's MSP Marketing Podcast

Hosted By

Paul Green

Show Notes

The podcast powered by the MSP Marketing Edge

Welcome to Episode 253 of the MSP Marketing Podcast with me, Paul Green. This week…

MSP owners: Why do we make our lives so hard?

You and I as business owners, we are in this for the long run, right? Whether this is your first year in business or your 30th, you know that owning a business is a marathon and not a sprint. So that being said, why do we constantly make life hard for ourselves? Far too many MSPs decide to run the marathon while carrying an anchor. It’s nuts. Let’s talk about why we do this and how to give ourselves a much easier life, yet still achieving the things that we want from our business.

So I was listening to this book a few months back. It was written by the guy who built up the Burger King chain back in the 1950s and 60s if you’re interested. It’s called The Burger King. It was, okay, not the most instructive business book in the world, but I do believe you can get huge value from any book as long as you get one big idea from it. Do you agree with me on that? Anyway, my big takeaway from this book was a phrase I’ve never heard before, but I instantly understood what it meant.

Business owners make life hard for themselves by running a marathon while carrying an anchor.

And I completely relate to this, do you? It means that even though we know it’s not a sprint race and we know we have to keep going for years and years and years, we seem to nobble ourselves in as many ways as we can. Perhaps it’s by continuing to work 60 hours a week despite being surrounded by very competent staff who are actually looking for more things to do. Or perhaps it’s by not taking enough vacation, enough holiday time each year, which means that when we do take a break, we are utterly exhausted. Or perhaps it’s by thinking too small.

There are many ways that we hold ourselves back and don’t think this is just an MSP thing. All business owners everywhere in all sectors do exactly the same thing. But the thing is, the clues to long-term success are there if you go looking for them. Just listen back to any of the fantastic interviews that I’ve done in the MSP Marketing Podcast over the last five years, and you’ll hear very, very successful people talking about how they broke out of the “hell phase” of running a business, where you’re trapped doing 60 hours a week, and they entered a new phase where they’re working primarily on the business rather than in it. And often the massive growth of their business starts to happen at exactly that moment. And this is not really a surprise – there is a direct correlation.

So let me ask you – maybe it’s worth you pausing this podcast or this YouTube video to ask yourself this question – what do you do to hold yourself back? What’s the anchor that you are carrying during your marathon? The first step is to identify it, label it as what it is, and then dedicate yourself to finding ways to eliminate it. Maybe it’s a mindset issue. Maybe it’s a workload issue, maybe it’s a resourcing issue. You can’t fix these things until you know what the problem is. Then you can take proactive action to eliminate the problem. Let me finish with one more quote from that book, and I’m paraphrasing here, but this is the right sentiment. The greatest gift we can give ourselves as business owners is positivity, and that comes out of taking action against our problems. I love that. Don’t you? Come on then. Let’s do it. You and me. Let’s take some action.

The most powerful MSP marketing question to ask any lead

I recommend all MSPs focus their marketing efforts on building multiple audiences of people on LinkedIn and email, growing a relationship with those audiences through content marketing and then converting them from leads to clients. And the easiest way to do that is to offer them a 15 minute video call with you.

It’s a very low commitment first step that gives you the opportunity to ask them about their favourite subject, which is of course, themselves and their business. And then you can try to set up a proper, in real life, sales meeting. Now this video call is something you should offer on your website, offer it on your LinkedIn, offer it everywhere that you engage with people who are potential future prospects. And the call should consist of lots of open questions from you exploring them, their business, their needs, their wants, their fears and their desires.

The more they talk, the less you talk, then the more engaged they will be. But there’s also a very leading question that you absolutely must ask. They’ll give you a one word answer that will reveal exactly how likely they are to become a client. Here’s the question…

On a scale of 1 to 10 – where 1 is terrible and 10 is world class – how do you rank your current IT support company?

Ask this question and then go quiet. Give them space to think about it and answer it. You can colour grade this lead based on their answer because you’ll instantly know if they’re a great prospect or just a tyre kicker.

If they answer ten, nine or eight, then they’re a red lead and are very happy with their incumbent MSP, so add them to your email list, wish them well and call them back in a year to see if anything has changed.

If they answer seven or six, then they are an amber lead and there’s a high level of dissatisfaction with their incumbent MSP. Test if this is short-term unhappiness, maybe a support call this week wasn’t handled very well, or whether it’s actual proper long-term dissatisfaction. If it is, then they could go on to be a super hot prospect for you.

And if they answer five or below, then they are a green lead. They are desperately unhappy and they’re very likely to take action on this unhappiness at some point. They are yours for the taking. So dedicate all of your sales attention on them.

By the way, for answers of seven or below, use this follow-up question to get some understanding – Can I ask what made you give them that score? Your lead may then tell you exactly what has created their unhappiness. And this is a very powerful thing to know in the sales process that you’re about to start with them.

How to do marketing within the CIS security framework

Featured guest: Zach Kromkowski, co-founder of Senteon and dedicated to transforming the cyber security landscape for MSPs and enterprises by delivering unparalleled automated solutions for endpoint hardening.

His mission is to simplify and enhance security measures across workstations, servers, and browsers, ensuring top-tier protection and regulatory compliance with minimal manual intervention.

I know how important cyber security is to you and what you do on a daily basis, and I also know that one of your challenges is trying to make ordinary business owners and managers realise how important good security is and how they need to invest in it. My special guest has a fantastic approach to this, using the framework laid out by the Center for Internet Security. Let’s explore how he uses that and how you can do the same in your MSP. This interview will show you that the CIS framework is perfect to build your marketing around.

I’m Zach Kromkowski, co-founder to Senteon managed endpoint hardening and first time security entrepreneur.

And congratulations for being a first time security entrepreneur. It’s awesome, right, isn’t it, running your own business. And also congratulations for coming in here on the show and we are going to talk today about how you can use cyber security frameworks actually as a marketing tool. So not just there to keep your clients safer, but to actually attract new people and to upsell your existing clients. Now, before we talk about that, Zach, let’s have a little bit of your history. So talk us through what you’ve been doing and what made you start this business.

Yeah, I mean, this is a long answer, but I will do my best to keep it concise. So security is ultimately something that everyone talks about, but we realise no one really knows where to start. And my co-founding team is actually a team of four. And when we were in university, we were told to configure our assets and do all these traditional best practices for security posture. But when we went to the real world, we realised it wasn’t happening. So why in school were we being told you have to configure your asset, you have to set it to the correct state, but it didn’t happen. So we realised there was a gap from what we learned in school versus the workforce today. And that gap made us question, why isn’t this happening. Is school wrong? Is this not important or is corporate wrong, why aren’t they doing this? What is that challenge. And that’s ultimately what we sought to figure out, what is that challenge as to why people don’t prioritise configuring their assets.

And what was the answer that you stumbled across?

That’s probably a good leading point for me to answer. So the challenges we found were really a few things. The first and foremost, if we’re talking about Microsoft devices, it’s, simply put, that Intune, group policy and PowerShell scripts are too difficult to keep up to date, let alone doing it once. But the number one challenge that we identified was simply that there’s an innate fear of changing a setting on a machine that is being used because it might break something. It could break something on the end client end, or it could break one of the workflows you have internally at your MSP. And that is the key focus that Senteon really focused on to develop a learning mode that determines is this safe or is this not safe? And the goal here is to make the optimal solution that can change settings without causing disruption.

Got it. That’s a good pitch and what we’ll do is we’ll talk about Senteon and what it does and how people can have a look at it and try it out – we’ll talk about that towards the end of the interview. It’s always a good place to pop that, but that is a great pitch. What I want to really talk about is how to use a security framework as a marketing tool. Now, I never assume that every single person listening to this podcast and we have thousands and thousands of listeners, I never want to assume that everyone understands everything because we live in a very complex and a very big world. So you are going to talk about the CIS framework. Can you explain that to me, remembering that I’m not a technical person and I think if you can explain it well in a way that I understand, then everyone who listens to this podcast or watches the YouTube videos is going to understand it as well.

Absolutely. So CIS simply stands for Center for Internet Security. It’s a global non-profit that is dedicated to increasing cyber security readiness and response. They are most famous for what’s called the CIS controls, and they have 18 of these controls. What’s interesting about this is they’re not just lists of things that make up security – they’re a prioritised list of 18 things you can do to increase your cyber security defences. So it’s a step-by-step playbook on how if an MSP has never done security, it gives you step one of what you should focus on. If it’s a mature MSP who’s already offering security, it gives you a roadmap of, okay, let’s actually check what am I doing today and am I meeting this 18 point list.

I’ll give an example as well. Control 1.1 is knowing your hardware asset inventory. Why is this control 1 or 0.1? Well, if you don’t know your hardware assets, there’s probably no way you’re going to know what you need to secure. So knowing your asset inventory is literally control 1. Control 2 is software asset inventory, then control 3 is data protection, and control 4, to reel it back to exactly where Senteon lives, is all about configuring your assets. You can’t configure your assets if you don’t know your assets. So that’s really, in a nutshell, what CIS is at a high level.

They do go way further than just this 18 point list with things called implementation groups, which is the prioritised minimum requirements of what to do. For example, these 18 controls. Some of them might take a little bit more understanding of security. So they also have implementation groups that say, Hey, start here.

The other piece that they have that’s really cool is called the CIS benchmarks. And this is a prescriptive list of do this to this setting. Take for example, machine inactivity, timeout, take that setting and best practices set it to 1500 seconds. So they provide one-to-one recommendations on how to secure something very specifically. That, in a nutshell, is CIS.

And where it gets really exciting – and I’ll let you ask a follow-up question, Paul, you know this is something I’m very passionate about – to take this a step further – and I’ve listened to the other episodes – not everyone is going to know what CIS is, especially your end clients.  So why do you want to align to a framework that your end clients, the people you’re selling to, aren’t going to know about? And the reason is this, CIS organisation takes their recommendations and they will actually crosswalk it to the framework you do care about. So whether this is ISO, DORA or in the US CMMC, NIST, there’s all these crosswalks that they take and say here’s our recommendation and here’s the requirement it meets in this recommendation or in this framework. So that’s really in a nutshell, CIS at a high level.

Well, I think you explained that brilliantly. So thank you for that, Zach. In fact, you’ve genuinely added something to my knowledge base there. My follow up question is of course about the end clients. So the ordinary business owners and managers that MSPs are trying to reach, and I’m guessing they’re not going to know about CIS and therefore an MSP coming in saying, Hey, I’ve got these 18 things. That’s not really something that’s going to appeal to them. So how do you recommend the MSPs take that CIS information and turn it into a framework, something useful that ordinary business owners and managers will understand?

Absolutely. So there’s two ways to look at this. If you’re not offering security today, there’s kind of one way there. But if you’re already offering security today, there’s another way, and I’m going to lean into a previous episode of yours I caught, all about content marketing. So this list, I did say 18 controls. What I didn’t mention is there’s actually sub controls, substeps within these 18, and they add up to a total of 153 different controls. If you’re an MSP just starting out and you’re looking, how can I make this resonate with the customer. Well, the first choice goes back to my initial answer. You don’t necessarily talk about CIS. You use the CIS crosswalks to talk about the regulation and the requirements they do care about. That’s the easy answer. Now, talking from a demand generation perspective and marketing and making that ROI, taking the sub controls and the main controls, so a total of 153 things, you can create content around each of these.

Why does this matter? You’re positioning your MSP as the subject matter expert on frameworks without even really doing too much additional work. So I gave the examples of controls 1 through 4, we’ll stick on control 4. So talking about needing to configure assets. Well, we can make a content or a blog post or a graphic or just a LinkedIn post saying, Hey, something we do at MSP name is we focus on configuring your assets. This aligns to step 4 of this framework. So it’s now almost like a content roadmap of areas you can begin to slowly educate your customers on and say, Hey, this is why we’re doing the things when I talk to you or when you reach out to me, you’re not only going to hear the vendors I use or the security I provide, but you’ll actually give them contextual understanding. And it’s no longer you saying you’re doing this, it’s you’re doing this because this authoritative governance body told me to do this. Talk about protecting yourself and your business because it’s not just, oh, my engineer thinks I should do this. I’m following best practices from a respected source to guide me in supporting you.

And do you think that actually is an advantage to be able to say to a prospect, Hey, we take all of the best practice that’s laid out by this world organisation, but we’ve done all the hard work, we’ve set out our own roadmap from that, and essentially this is the best level of protection that you’ll be able to get for your business because we are going to work through this framework together. Do you think that works?

Yeah. I mean, let’s put it in a different perspective – I always try to relate things, this is something I’m personally trying to be better at – let’s just talk about getting your car worked on by a mechanic. If you go to this general mechanic shop who historically only works on cars he knows, but he goes, yeah, I could probably fix your car. I work on cars like this, but I know how things work. I can look at your car and I’m going to know what to do. He’s not an expert at your exact car model. He’s not an expert on all of your internals, but he’s worked on cars and he’s like, yeah, I can fix this. I can make it work. And maybe you do drive off that day and it works fine. But going into that conversation with that mechanic, would I rather have the mechanic saying, oh yeah, I specialise on this framework or this type of car. I specialise on these internals because it’s all I do day in, day out. Or would you rather go with the person who’s kind of a catchall does whatever? So when you present as an MSP to your prospects, to your customers, you can now say, Hey, we are not the experts. I understand. I do not know everything about security. If that’s what you’re looking for, I’m not your guy and the guy who says they are, they’re definitely not your guy. What I do to differentiate myself as an MSP is I leverage the best practices from documented standards, and this is how I facilitate the accomplishment of this roadmap for your business. So now you’re leaning into something that’s already globally accepted and positioning yourself with an existing brand.

Yeah, I love this. I guess all of this is just a Google search away anyway, right? You almost want the prospect looking it up and saying, oh yes, this CIS stuff, oh, okay, it is a big deal, it’s a global standard, etc, etc. And yes, I can see the power of essentially positioning yourself as we’re always going to be up to date because we follow these standards. We don’t miss anything because we’ve got this framework. But as you said, not everyone can be experts in absolutely everything. Zach, this is really good stuff. Thank you so much for this. We are definitely going to have to have you back on the show in the future,  because I can tell you’ve got loads to talk about with using security as a marketing tool, which is just brilliant. Tell us a little bit more about Senteon, what is it, what does it do, who should get it, and what’s the best way for us to get in touch with you and try it out?

The best way to get in touch is I’m hilariously active on LinkedIn. That’s my go-to source. Obviously I have the YouTube channel and a podcast, but to really give the behind the scenes on Senteon, we have the same methodology that I just proposed you leverage from your MSP to end clients. I have the same methodology as a vendor servicing MSPs. So that methodology is – hey, we remediate, we change settings on your workstation, on your server, on your browser. We’re changing over a thousand settings – Now, a company where maybe you have heard of us, maybe you haven’t heard of us. If you haven’t heard of me, and I say, we’re going to change a thousand settings. Do you want me to do that to your business… let alone your clients? Probably not. But when I say we’re going to change these thousand settings to align to a standard that exists and is proven, now do you trust me a little bit more? So I leverage this same best practice of putting my brand with a best practice brand that I’m encouraging you to do. Why would I encourage you to do it? Because it works. That’s what we do and it’s proven successful for us. So why can’t this translate to the MSP to end client level? So that’s exactly it. And Paul, you’re going to have to repeat your four questions. I got like two of them.

That’s fine. I think you’ve done a great pitch there for what Senteon does. Tell us just what’s the best way to get in touch with you and to try the product out.

To get in touch with us, connect on LinkedIn, we do have our website. Those are always best ways. And if you do want to learn more about the settings in specific that I’m talking about, I’ve said the word thousand more settings a few times today, but if you really want to understand about this, there’s a webinar series that I host actually with CIS so you can trust it. It’s literally with the authoritative body I’ve been talking about, and we have a PowerPoint slide per setting. So I’ve actually rewritten, I think to date about 700 different settings. I’ve rewritten them myself from a security point of view, from an easier to digest point of view. If you don’t have a security background, if you’re just starting out, I’ve rewritten all of these and I hold a weekly webinar series with CIS on my YouTube channel on LinkedIn, so you can connect with us there.

If you are looking to actually test out Senteon and see where your current configuration sits, which I will note, if you’re like everyone else we work with, by default, when you get a Microsoft Box, you’ll have 20% of your machine configured correctly. 20% in quantity terms is about 70 of 500 settings. It’s not a lot done correct by default. And Paul, we can have a whole other conversation of secure by design and why people don’t distribute products with a secure by design mindset, which they should. But you are welcome to toss a website inquiry to our contact us page, mention Paul, I will happily provide a hundred free assessments to anyone who mentions Paul. That’s my gift to anyone who lets me come onto the show and share our mission to build better awareness about defensive security and making security marketable. It should be a revenue item for you. It should be generating you profits. There’s no reason it can’t and it’s a good service. So mention you watched us on Paul’s webinar show, and you’ll get a hundred free assessments. You’ll get a full presentation and everything you need, these reports that you can get completely free will be internal usage, external usage, and they would literally have a button to export as PDF and have a whole little marketing campaign that you can distribute to your clients.

And give us your website address, Zach.

Yep. So that is going to be Senteon.co.

Paul’s Personal Peer Group

This week we have Sean from an MSP in Houston, Texas, and his question is about something he’s confused about… “What is this AppSumo thing that I keep hearing about?”

Okay, stay calm and keep your hand closely on your wallet because AppSumo is going to prise it open and extract cash from it on a regular basis. What is it? Well, think Groupon. You remember Groupon, don’t you? Groupon, but for tech-savvy entrepreneurs and business owners, so people like you and me.

AppSumo is the place where new apps and other clever new businesses go to grab a whole load of customers in one go. In return, they offer a killer deal to AppSumo’s database, which is estimated to be more than a million people. One such great offer from my goodness, I think it was late 2020, was a lifetime deal on Publer, the social media scheduling platform. Of course, that’s been sold out for years and Publer has now become a mainstream tool.

Sometimes you buy a deal and the software turns out to be not quite as good as the marketing said it was. But that’s okay because with most deals, you can get a refund. Now, I’ve bought and kept more than 40 deals since April 2013. Yes, I did check the date and the number of deals, and I do love getting their regular email with new deals. And I think you might too, just be very, very careful. AppSumo is very good at getting you to buy software that you never actually use. You think you’re going to use it, but you never actually do.


Episode Transcript

[00:00:03] Speaker A: Hmm. How do you like your eggs in the morning? I hope you like them freshly laid with yolks the color of marketing gold.
[00:00:12] Speaker B: Oh, there you are. I've been waiting for you so we can get started. Cause here's what I've got coming up for you this week. Why you can't run a marathon carrying an anchor. The most powerful marketing question to ask any lead. And my guest expert this week will tell you how to do marketing within the CIS security framework. Welcome to episode 253, powered by mspmarketingedge.com.
[00:00:35] Speaker A: Paul Green's MSP marketing podcast.
[00:00:39] Speaker C: So you and I as business owners.
[00:00:41] Speaker B: We're in this for the long run, right? Whether this is your first year in business or your 30th, you know that owning a business is a marathon and not a sprint. So that being said, why do we constantly make life hard for ourselves? Far too many MSPs decide to run the marathon while carrying an anchor. It's nuts. Let's talk about why we do this and how to give ourselves a much easier life, yet still achieving the things we want from our business. So I was listening to this book.
[00:01:11] Speaker C: A few months back.
[00:01:12] Speaker B: It was written by the guy who built up the Burger King chain back in the 1950s and sixties. If you're interested, it's called The Burger King. It was OK. Not the most instructive business book in the world, but I do believe you can get huge value from any book as long as you get one big idea from it. Do you agree with me on that? Anyway, my big takeaway from this book was a phrase I've never heard before, but I instantly understood what it meant. It was that business owners make life hard for themselves by running a marathon while carrying an anchor. And I completely relate to this. Do you?
It means that even though we know it's not a sprint race and we know we have to keep going for years and years and years, we seem to nobble ourselves in as many ways as we can. Perhaps it's by continuing to work 60 hours a week despite being surrounded by very competent staff who are actually looking.
[00:02:02] Speaker C: For more things to do.
[00:02:04] Speaker B: Or perhaps it's by not taking enough vacation, enough holiday time each year. Which means that when we do take a break we're utterly exhausted. Or perhaps it's by thinking too small. There are many ways that we hold ourselves back and don't think that this is just an MSP thing. All business owners everywhere in all sectors do exactly the same thing. But the thing is, the clues to long term success are there if you go looking for them. Just listen back to any of the fantastic interviews that I've done in the MSP marketing podcast over the last five years. And you'll hear very, very successful people talking about how they broke out of the hell phase of running a business.
[00:02:44] Speaker C: Where you're trapped doing 60 hours a week.
[00:02:46] Speaker B: And they entered a new phase where they're working primarily on the business rather than in it. And often the massive growth of their business starts to happen at exactly that moment. And this is not really a surprise. There is a direct correlation. So let me ask you, maybe it's worth you pausing this podcast or this.
[00:03:04] Speaker C: YouTube video to ask yourself this.
[00:03:07] Speaker B: What do you do to hold yourself back? What's the anchor that you're carrying during your marathon? The first step is to identify it, label it as what it is, and then dedicate yourself to finding ways to eliminate it. Maybe it's a mindset issue, maybe it's a workload issue, maybe it's a resourcing issue. You can't fix these things until you know what the problem is. Then you can take proactive action to eliminate the problem.
Let me finish with one more quote from that book, and I am paraphrasing.
[00:03:38] Speaker C: Here, but this is the right sentiment.
[00:03:41] Speaker B: The greatest gift we can give ourselves as business owners is positivity. And that comes out of taking action against our problems.
[00:03:49] Speaker C: I love that, don't you?
[00:03:51] Speaker B: Come on then. Let's do it. You and me. Let's take some action.
[00:03:54] Speaker A: Paul Green's MSP marketing podcast still to.
[00:03:58] Speaker B: Come. So you know all about the Center for Internet Security, I'm sure. But did you know that their benchmarks and their framework can be used in your marketing? Well, that's what my special guest is recommending this week, and he'll be here in the next five minutes.
[00:04:13] Speaker C: You're gonna love this.
[00:04:14] Speaker B: In the next 15 seconds, I'm gonna give you the most amazing sales question that you could ask of any project. It's the perfect question that immediately qualifies how hot they are as a prospect and tells you exactly what they don't like about their incumbent MSP. Hey, I'm Paul Green and don't forget, for all the content, tools and training to market and grow your MSP, check out mspmarketingedge.com. So I recommend all MSPs focus their marketing efforts on building multiple audiences of people on LinkedIn and email, growing a relationship with those audiences through content marketing, and then converting them from lead to client. And the easiest way to do that is to offer them a 15 minutes video call with you. It's a very low commitment first step that gives you the opportunity to ask them about their favorite subject, which is of course themselves and their business. And then you can try to set up a proper in real life sales meeting. Now this video call is something you should offer on your website. Offer it on your LinkedIn, offer it everywhere that you engage with people who are potential future prospects.
And the call should consist of lots of open questions from you exploring them, their business, their needs, their wants, their fears and their desires. The more they talk, the less you.
[00:05:36] Speaker C: Talk, then the more engaged they will be.
[00:05:39] Speaker B: But there's also a very leading question that you absolutely must ask. They'll give you a one word answer that will reveal exactly how likely they are to become a client. Here's the question. On a scale of one to ten, where one is terrible and ten is world class, how do you rank your current IT support company? Ask this question and then go quiet. Give them space to think about it and answer it. And you can colour grade this lead based on their answer because you'll instantly know if they're a great prospect or just a tire kicker. If they answer ten, nine or eight, then they're a red lead and are very happy with their incumbent MSP. So add them to your email list, wish them well and call them back in a year to see if anything has changed. If they answer seven or six then they are an amber lead. There's a high level of dissatisfaction with their incumbent MSP. Test if this is short term unhappiness, perhaps, I don't know, maybe a support call this week wasn't handled very well, or whether or not it's actual proper long term dissatisfaction. If it is, then they could go on to be a super hot prospect for you and if they answer five or below then they are a green lead. They are desperately unhappy and they're very likely to take action on this unhappiness at some point. They are yours for the taking so dedicate all of your sales attention on them. By the way, for answers of seven or below, use this follow up question to get some understanding. Can I ask what made you give them that score? Your lead may then tell you exactly what has created their unhappiness and this is a very powerful thing to know in the sales process that you're about.
[00:07:22] Speaker C: To start with them.
[00:07:24] Speaker A: Paul Green's MSP Marketing Podcast. Still to
[00:07:27] Speaker B: come, there's a website that sells amazing online tools for just a one-off payment and with huge discounts. Now if you know about it, you'll know how addictive it can be for people like you and me, and especially when you're trying new marketing things. But if you've never heard about it, then be prepared to lose at least an hour of your life looking at all the amazing tools that you can buy. I'm going to tell you what this website is in the next five minutes. I know how important cybersecurity is to you and what you do on a daily basis. And I also know that one of your challenges is trying to make ordinary business owners and managers realize how important good security is and how they need to invest in it. My special guest has a fantastic approach to this using the framework laid out by the Center for Internet Security. Let's explore how he uses that and how you can do the same in your MSP. Today's interview will show you that the CIS framework is perfect to build your marketing around.
[00:08:27] Speaker D: I'm Zach Krumkowski, co-founder of Senteon managed endpoint hardening, and first-time security entrepreneur.
[00:08:34] Speaker C: And congratulations for being a first-time security entrepreneur because it's awesome, right? Isn't it, running your own business? And also, congratulations for coming in here on the show. And we're going to talk today about how you can use cyber security frameworks
[00:08:48] Speaker B: actually as a marketing tool.
[00:08:49] Speaker C: So not just there to keep your clients safer, but to actually attract new people and to upsell your existing clients. Now, before we talk about that, Zach, let's have a little bit of your history. So talk us through what you've been doing and what made you start this business.
[00:09:04] Speaker D: Yeah, I mean, this is a long answer, but I will do my best to keep it concise.
So security is ultimately something that everyone talks about, but we realized no one really knows where to start. And my co-founding team is actually a team of four. And when we were in university, we were told to configure our assets and do all these traditional best practices for security posture. But when we went to the real world, we realized it wasn't happening. So why in school were we being told, you have to configure your asset, you have to set it to the correct state? But it didn't happen. So we realized there was a gap from what we learned in school versus the workforce today. And that gap made us question, why isn't this happening? Is school wrong? Is this not important? Or is corporate wrong? To where? Why aren't they doing this? What is that challenge? And that's ultimately what we sought out to figure out: what is that challenge as to why people don't prioritize configuring their assets?
[00:10:07] Speaker C: And what was the answer that you stumbled across?
[00:10:09] Speaker D: That's probably a good leading point for me to answer. So the challenges we found were really a few things. The first and foremost, if we're talking about Microsoft devices, it's, simply put, that Intune, Group Policy and PowerShell scripts are too difficult to keep up to date, let alone doing it once. But the number one challenge that we identified was simply that there's an innate fear of changing a setting on a machine that is being used because it might break something. It could break something on the end-client end, or it could break one of the workflows you have internally at your MSP. That is the key focus that Senteon really focused on: to develop a learning mode that determines, is this safe or is this not safe? And the goal here is to make the optimal solution that can change settings without causing disruption.
[00:11:03] Speaker C: Got it. Got it. That's a good pitch.
And what we'll do is we'll talk about Senteon and what it does and how people can sort of have a look at it and try it out. We'll talk about that towards the end of the interview. It's always a good place to pop that, but that is a great pitch. What I want to really talk about is how to use a security framework as a marketing tool. Now, I never assume that every single person listens to this podcast, and we have thousands and thousands of listeners. I never want to assume that everyone understands everything because we live in a very complex and a very big world.
[00:11:31] Speaker B: So you're going to talk about the CIS framework. Can you explain that to me, remembering
[00:11:37] Speaker C: that I'm not a technical person, and I think if you can explain it well in a way that I understand, then everyone who listens to this podcast or watches the YouTube videos is going to understand it as well.
[00:11:47] Speaker D: Absolutely. So CIS, well, simply stands for Center for Internet Security. So this is a global nonprofit that is dedicated to just increasing cybersecurity readiness and response. So they are most famous for what's called the CIS Controls, and they have 18 of these controls. What's interesting about this is they're not just lists of things that make up security. They are a prioritized list of 18 things you can do to increase your cybersecurity defenses. So it's a step-by-step playbook on how, if an MSP has never done security, it gives you step one of what you should focus on. If it's a mature MSP who's already offering security, it gives you a roadmap of, okay, let's actually check, what am I doing today? And am I meeting this 18-point list? I'll give an example as well. Control 1.1 is knowing your hardware asset inventory. Why is this control one or 0.1? If you don't know your hardware assets, there's probably no way you're going to know what you need to secure. Knowing your asset inventory is literally control one.
Control two is software asset inventory. Then control three is data protection. Control four, to reel it back to exactly where Senteon lives, is all about configuring your assets. You can't configure your assets if you don't know your assets. That's really in a nutshell what CIS is at a high level. They do go way further than just this 18-point list with things called implementation groups, which is a prioritized minimum requirements of what to do. For example, these 18 controls, some of them might take a little bit more understanding of security. So they also have implementation groups that say, hey, start here, one; start here, two. So the other piece that they really have that's really cool is called the CIS Benchmarks. And this is a prescriptive list of do this to this setting. Right? Take for example, machine inactivity timeout. Take that setting, and best practice is to set it to 1500 seconds. So they provide one-to-one recommendations on how to secure something very specifically. So that, in a nutshell, is CIS, and where it gets really exciting. And I'll let you ask a follow-up question, Paul. This is something I'm very passionate about. So to take this a step further, and I've listened to the other episodes, not everyone is going to know what CIS is, especially your end clients. So why do you want to align to a framework that your end clients, the people you're selling to, aren't going to know about? And the reason is this CIS organization takes their recommendations and they will actually crosswalk it to the framework you do care about. So whether this is ISO, DORA, or in the US CMMC, right, NIST, there's all these crosswalks that they take. Hey, here's our recommendation and here's the requirement it meets in this recommendation or in this framework. So that's really in a nutshell CIS at a high level.
[00:15:01] Speaker B: Well, I think you explained that brilliantly. So thank you.
[00:15:03] Speaker C: Thank you for that, Zach.
In fact, you've genuinely added something to my knowledge base there. My follow-up question is, of course, about the end clients. So the ordinary business owners and managers that MSPs are trying to reach, and
[00:15:17] Speaker B: I'm guessing they're not going to know
[00:15:18] Speaker C: about CIS and therefore an MSP coming
[00:15:21] Speaker B: in saying, hey, I've got these 18 things, that's not really something that's going
[00:15:25] Speaker C: to appeal to them.
[00:15:26] Speaker B: So how do you recommend the MSPs take that CIS information and turn it
[00:15:30] Speaker C: into a framework, something useful that ordinary business owners and managers will understand?
[00:15:35] Speaker D: Absolutely. So there's kind of two ways to look about this. If you're not offering security today, there's kind of one way there. But if you're already offering security today, there's another way. And I'm going to lean into a previous episode of yours I caught, all about content marketing. So this list, I did say 18 controls. What I didn't mention is there's actually sub-controls. So sub-steps within these 18, and they add up to a total of 153 different controls. So if you're an MSP just starting out and you're looking, how can I make this resonate with the customer? Well, the first choice goes back to my initial answer. You don't necessarily talk about CIS. You use the CIS crosswalks to talk about the regulation and the requirements they do care about. That's the easy answer. Now, talking from a demand generation perspective and marketing and making that ROI, taking the sub-controls and the main controls, so a total of 153 things, you can create content around each of these. Why does this matter? You're positioning your MSP as the subject matter expert on frameworks without even really doing too much additional work. So I gave the examples of controls one through four. We'll stick on control four.
So talking about needing to configure assets, well, we can make a content or a blog post or a graphic or just a LinkedIn post about saying, hey, something we do at MSP name is we focus on configuring your assets. This aligns to step four of this framework, right? So it's now almost like a content roadmap of areas you can begin to slowly educate your customers on. Hey, this is why we're doing the things. When I talk to you or when you reach out to me, you're not only going to hear the vendors I use or the security I provide, but you'll actually give them contextual understanding. And it's no longer you saying you're doing this, it's you're doing this because this authoritative governance body told me to do this. Right? Talk about protecting yourself and your business. Because it's not just, oh, my engineer thinks I should do this, it's I'm following best practices from a respected source to guide me in supporting you.
[00:17:52] Speaker C: And do you think that actually is an advantage to be able to say to a prospect, hey, you know, we take all of the best practice that's laid out by this world organization, but we've done all the hard work. We've set out our own roadmap from that. And essentially this is the best level of protection that you'll be able to get for your business because we're going to, we're going to work through this framework together. Do you think that works?
[00:18:13] Speaker D: Yeah, I mean, let's, let's put it in a different perspective too. I always try to relate things. This is something I'm personally trying to be better about. But let's just talk about getting your car worked on. Right. A mechanic. So if you go to this general mechanic shop who historically only works on cars he knows, but he goes, yeah, I could probably fix your car. I work on cars like this, but I know how things work. I can look at your car and I'm going to know what to do. He's not an expert at your exact car model.
He's not an expert at all of your internals, but he's worked on cars and he's like, yeah, I can fix this. I can make it work. And maybe you do drive off that day and it works fine. Going into that conversation with that mechanic, would I rather have the mechanic saying, oh, yeah, I specialize on this framework or this type of car. I specialize on these internals because it's all I do day in, day out? Or would you rather go with the person who's kind of a catch-all, does whatever? So when you present as an MSP to your prospects, to your customers, you can now say, hey, we are not the experts. I understand. I do not know everything about security. If that's what you're looking for, I'm not your guy. And the guy who says they are, they're definitely not your guy. What I do to differentiate myself as an MSP is I leverage the best practices from documented standards, and this is how I facilitate the accomplishment of this roadmap for your business. So now you're leaning into something that's already globally accepted and positioning yourself with an existing brand.
[00:19:50] Speaker C: Yeah, I love this because I guess all of this is just a Google search away anyway, right? You almost want the prospect looking it up, saying, oh, yes, this CIS stuff. Oh, okay, it is a big deal. It's a global standard, et cetera, et cetera. And yes, I can see the power of essentially you've positioned yourself as we're always going to be up to date because we follow these standards. We don't miss anything because we've got this framework. But as you said, not everyone can be experts in absolutely everything. Zach, this is really good stuff. Thank you so much for this. We are definitely going to have to have you back on the show in the future because I think we've got loads to talk about with using security as a marketing tool, which is just brilliant.
[00:20:27] Speaker B: Tell us a little bit more about Senteon. What is it, what does it do?
[00:20:31] Speaker C: Who should get it and what's the best way for us to get in touch with you and try it out?
[00:20:35] Speaker D: So, best way to get in touch, always easy. Starting with the last question is, I'm hilariously active on LinkedIn. That is my go-to source. Obviously I have the YouTube channel and a podcast, but to really give the behind the scenes on Senteon, we have the same methodology that I just proposed you leverage from your MSP to end clients. I have the same methodology as a vendor servicing MSPs. So that methodology is, hey, we remediate, we change settings on your workstation, on your server, on your browser. We're changing over 1000 settings. Now, a company where maybe you have heard of us, maybe you haven't heard of us, if you haven't heard of me, and I go, we're going to change 1000 settings. Do you want me to do that to your business, let alone your clients? Probably not. But when I say we're going to change these thousand settings to align to a standard that exists and is proven, now, do you trust me a little bit more? Right. So I leverage this same best practice of putting my brand with a best practice brand that I'm encouraging you to do. Why would I encourage you to do it? Because it works. That's what we do. And it's been proven successful for us. So why can't this translate to the MSP to end client level? So that's exactly that. Paul, you're going to have to repeat your four questions. I got like two of them.
[00:21:56] Speaker C: It's fine. Just, just. I think you've done a great pitch there for what Senteon does. Tell us just what's the best way to get in touch with you and to try the product out.
[00:22:04] Speaker D: Yep. So to get in touch with us, connecting on LinkedIn, we do have our website. Those are always best ways. And if you do want to learn more about the settings in specific that I'm talking about, I've said the word thousand more settings a few times today.
But if you really want to understand about this, there's a webinar series that I host actually with CIS, so you can trust it, right. It's literally with the authoritative body I've been talking about. And we have a PowerPoint slide per setting. So I've actually rewritten, I think to date about 700 different settings. I've rewritten them myself from a security point of view, from an easier to digest point of view if you don't have a security background. Right. If you're just starting out, I've rewritten all of, and I hold a weekly webinar series with CIS on my YouTube channel on LinkedIn, so you can connect with us there. If you are looking to actually test out Senteon and see where your current configurations sit, which I will note if you're like everyone else we really work with, by default, when you get a Microsoft box, you will have 20% of your machine configured correctly. 20% in quantity terms is about 70 of 500 settings. It's not a lot done correct by default. And Paul, we can have a whole nother conversation of secure by design and why people don't distribute products with a secure by design mindset, which they should. But you are welcome to toss a website inquiry to our contact us page. Mention Paul. I will happily provide 100 free assessments to anyone who mentions Paul. That's my gift to anyone who lets me come onto the show and share kind of our mission to build better awareness about defensive security and making security marketable. It should be a revenue item for you, it should be generating you profits. There's no reason it can't. And it's a good service. Mention you watched us on Paul's webinar show and you will get 100 free assessments, you'll get a full presentation and everything you need. These reports that you can get completely free will be internal usage, external usage, and they literally have a button to export as PDF and have a whole little marketing campaign that you can distribute to your clients.
[00:24:17] Speaker C: Just give us your website address. Site.
[00:24:18] Speaker D: Yep. So that is going to be senteon.co. So don't accidentally put the M, the M cost another ten grand. And we've put it off so far, so keep it just co. Paul Green's
[00:24:30] Speaker A: MSP Marketing Podcast. Paul's personal peer group.
[00:24:35] Speaker C: Well, it's always fun to answer questions on a subject that you're passionate about.
[00:24:39] Speaker B: And that's why we do this part of the show. In a second, I'll tell you how to submit your own question, but first, producer James, what have we got this week?
[00:24:47] Speaker E: Thanks, Paul. Well, there is an MSP in Houston, Texas that is owned by Shaun. And his question isn't to do with a subject he's passionate about, it's more that he's confused about. So he's heard about this for quite a while. And his question is, what's this AppSumo thing that I keep hearing about?
[00:25:08] Speaker B: Okay, stay calm, keep your hand closely on your wallet because AppSumo is going to prise it open and extract cash from it on a regular basis. What is it? Well, think Groupon. You remember Groupon, don't you? Groupon, but for tech-savvy entrepreneurs and business owners, so people like you and me. AppSumo is the place where new apps and other clever new businesses go to grab a whole load of customers in one go. In return, they offer a killer deal to AppSumo's database, which is estimated to be more than a million people. One such great offer from, my goodness, I think it was late 2020, was a lifetime deal on Publer, the social media scheduling platform.
[00:25:49] Speaker C: Of course that's been sold out for years and Publer has now become a mainstream tool.
[00:25:53] Speaker B: So sure, sometimes you buy a deal
[00:25:56] Speaker C: and the software turns out to be
[00:25:57] Speaker B: not quite as good as the marketing said it was. But that's okay because with most deals you can get a refund.
[00:26:03] Speaker C: Now, I've bought and kept more than
[00:26:06] Speaker B: 40 deals since April 2013.
[00:26:09] Speaker C: Yes, I did check the date and the number of deals and I do
[00:26:12] Speaker B: love getting their regular email with new deals. And I think you might too.
[00:26:16] Speaker C: Just be very, very careful that AppSumo is very good at getting you to buy software that you never actually use.
[00:26:23] Speaker B: You think you're gonna use it, but
[00:26:25] Speaker C: you never actually do.
[00:26:26] Speaker B: Now if you've got a question about anything in your MSP that you'd like help with, just go to the contact page at mspmarketingedge.com. And for help finding new clients for your MSP, we've created an easy to follow marketing system. Get that and all the content to go in [email protected].
[00:26:44] Speaker A: Coming up. Coming up next week.
[00:26:46] Speaker B: Thank you so much for listening this week. Next week I've got nine marketing ideas to help you break into a new
[00:26:52] Speaker A: vertical. For MSPs around the world. Around the world, the MSP Marketing Marketing Podcast with Paul Green. See you next week for more tasty marketing nuggets.
