Shifting from Security to Risk-Based Conversations
This presentation reframes how MSPs should approach customer security discussions by focusing on risk rather than a binary secure/not-secure status. The speaker emphasizes that weak customer security compounds into risk for the MSP itself, which makes proper program design critical. Rather than asking whether a customer is secure, MSPs should focus on four questions: risk identification, risk tolerance, risk mitigation, and risk ownership. The conversation then centers on how much risk a customer is exposed to and how much of it they want to manage themselves versus transfer to their MSP. The approach also acknowledges that 82% of reported breaches involve employee-related causes, so mitigating people-driven risk (the speaker frames this as insider risk) becomes a primary design priority for the security program.
Risk-Based Customer Segmentation Framework
The presentation introduces a three-tier risk classification for MSP customers: high, medium, and low risk. High-risk businesses include those with regulatory compliance requirements (banking, financial services, healthcare, education), large organizations with vast data stores, companies with extensive partnerships, and any business for which a breach could be an extinction event. Medium-risk businesses hold attractive data and partnerships but have a smaller footprint in terms of data volume and company size. Low-risk businesses are typically smaller firms with few employees, outsourced financial processing, no regulatory requirements, and lower breach impact. However, the speaker cautions that "low risk" does not mean "low likelihood": CISA findings show small businesses are three times more likely to be targeted than larger organizations, because attackers know these companies underinvest in cybersecurity and MSPs often accommodate inadequate security to retain the revenue.