Scalable MSP Operations

Nov 07, 2025

Mark Jennings on MSP Risk Management: A Guide to Building Trust

Build client trust with a professional MSP risk management process. Ditch the fear-based tactics and learn a better approach from a 32-year MSP veteran.

For most MSPs, the cybersecurity conversation is built on fear. 

The pitches usually go, "The sky is falling, you're going to be breached, buy my tool... or else." But as clients become numb to these tactics, that approach is becoming less effective and can even damage the advisory relationship. 

So, how do you shift the conversation? 

We connected with Compliance Expert and 32-year MSP veteran Mark Jennings to discuss this topic. His advice was clear: stop selling fear and start guiding clients through a professional, repeatable MSP risk management process.

We’ll dive into that here.  

From MSP Operator to Risk Advisor 

Mark's journey to focusing on risk was born from decades of hands-on experience. After holding nearly every role in the MSP business, from Field Engineer to Managing Director, he realized the industry had a significant gap. 

There was a real lack of groups focused on the risk aspect. 

"We live in a society that has become very litigious," Mark explains. "The likelihood of being sued as an MSP has increased greatly... Managing risk means making sure your practices are not arbitrary but are founded in some established standard, such as a cybersecurity framework." 

This realization is what sparked his shift in focus. He saw that aligning services with a cybersecurity framework was a core survival strategy, creating what he calls "a win-win for both the MSP and the client."

What Does MSP Risk Management Actually Mean? 

Before you can build a process, you have to understand the goal. For a modern MSP, risk management is a complete business strategy. 

Mark defines it as ensuring your internal practices and the way you manage your clients are in line with established best practices.  

Effective MSP risk management is a layered defense against that legal exposure, built on three pillars:

  • A Technical Standard: Your practices must be founded on an established cybersecurity framework (like CIS, NIST, or CMMC), not arbitrary decisions.
  • A Legal Standard: Your contract stack must be ironclad, making sure both you and your client truly understand the services provided and the protections they offer.
  • An Insurance Standard: This includes your own cyber insurance. It also means guaranteeing your customers' protection. 

According to Mark, these elements work together to either prevent a lawsuit entirely or significantly mitigate the potential damages.

Why Fear-Based Selling Backfires     

But instead of building a professional, trust-based process like the one above, many MSPs take a dangerous shortcut and lead with fear. 

Leading with fear is a common tactic, but Mark warns about its long-term consequences. "Fear tactics typically put clients or prospects on the defensive," he says. "They immediately begin to think you are simply there to make a sale." 

Mark points out, "Information Technology is a big unknown for clients, and they look to their services providers to reassure them that their systems are safe." 

Even though the cybersecurity world can be scary, the goal is to have a rational conversation about the risks, the likelihood of an incident, and the potential impact. This measured approach is what brings the client to the realization that improved security is a worthwhile investment. Leading with fear skips this crucial trust-building step. 

"Either a couple of years later nothing bad has happened and the client feels they made a wasted investment... or something bad does happen and the client’s reaction is 'I thought you said this would protect me!'" 

In both scenarios, the client's trust is broken. 

The Solution: A Rational, Process-Driven Approach  

The alternative to selling fear is to have a rational, professional conversation, and that requires a repeatable process. 

Mark explains that clients already understand the impact of a disaster; they can imagine a fire or a flood. The problem, he says, is that "in the cyber security space, the client has no frame of reference to determine the likelihood that a cyber attack will happen." 

The MSP's role must then shift from salesperson to expert advisor. "This is where the MSP must provide facts and evidence to help the client understand the likelihood," Mark says. "Again, the MSP must avoid resorting to fear." 

So, how do you provide these facts and evidence without scaring the client? 

You do it by building a professional process. As Mark explains, the first practical step is to adopt an established framework. 

"I am a firm believer in the adoption of an established cyber security framework. There are several available. It doesn’t matter, just pick one. Any one cybersecurity framework will overlap the other by about 80%." 

His recommended process is simple: 

  1. Inventory and document your current practices.
  2. Select a framework (like NIST, CIS, or SOC 2) that matches your clients' needs.
  3. Perform a gap assessment between your current state and the standard.
  4. Put a project plan together to remediate the gaps and execute. 

This process transforms your security offerings. It’s no longer an arbitrary bundle of tools you're trying to sell, but a professional service designed to align the client with a recognized, defensible standard. 

Your First Step to a Real Process 

Moving from a fear-based pitch to a process-driven conversation is the key to building long-term trust and separating yourself from the competition. 

So, if you're ready to get started building a more professional risk management process, the framework is waiting for you. In his foundational course on Empath, Introduction to Risk Management, Mark Jennings provides a complete, step-by-step guide to identifying threats and assessing their impact. 

And if you're ready to get serious about the entire risk aspect of your MSP, Empath also features Mark's course on Mitigating Risk in the MSP Industry, plus a full catalog of courses by other Navigators designed for your entire team, from service desk fundamentals to high-level vCIO strategy and sales. 

Book a demo or start your 14-day free trial and get immediate access to his courses and the entire library. 

Nia Rabanes is a copywriter at Empath. Her writing on the MSP space has earned her features on lists like 'Top Authors Covering MSP' and in expert roundups like 'Must-Have Technologies For Business'. She now focuses on creating content that helps MSPs build stronger, more profitable businesses through their people.
