Truth in IT
Handling Risk Conversations with MSP Customers

N-able
05/12/2026

Transcript


TL;DR

  • MSPs must shift from binary security conversations to risk-focused discussions covering risk identification, tolerance, mitigation, and ownership transfer, as weak customer security creates exponential risk for the MSP itself.
  • Customer segmentation should be based on industry, compliance requirements, company size, data type/volume, and partnerships to determine appropriate security program tiers — not arbitrary bronze/silver/gold structures.
  • Insider risk drives 82% of breaches, making end-user protection the primary design priority for MSP security programs through comprehensive coverage that addresses the human element.
  • Small businesses are three times more likely to be targeted by threat actors than larger organizations because they underinvest in security and MSPs accommodate inadequate protection to avoid losing revenue.

Shifting from Security to Risk-Based Conversations

This presentation reframes how MSPs should approach customer security discussions by focusing on risk rather than binary security status. The speaker emphasizes that weak customer security creates exponential risk for MSPs themselves, making proper program design critical. Rather than asking whether a customer is secure or not, MSPs should focus on risk identification, risk tolerance, risk mitigation, and risk ownership. The conversation centers on how much risk customers are exposed to and how much they want to manage themselves versus transferring to their MSP. This approach acknowledges that 82% of reported breaches involve employee-related causes, making insider risk mitigation a primary design priority for security programs.

Risk-Based Customer Segmentation Framework

The presentation introduces a three-tier risk classification system for MSP customers: high, medium, and low risk. High-risk businesses include those with regulatory compliance requirements (banking, financial, healthcare, education), large organizations with vast data stores, companies with extensive partnerships, or those where a breach could be an extinction event. Medium-risk businesses have attractive data and partnerships but smaller footprints in terms of data volume and company size. Low-risk businesses are typically smaller firms with limited employees, outsourced financial processing, no regulatory requirements, and lower breach impact. However, the speaker notes that CISA findings show small businesses are three times more likely to be targeted than larger organizations, as attackers know these companies underinvest in cybersecurity and MSPs often accommodate inadequate security to retain revenue.

Chapters

0:00 - Program Design Challenges
1:33 - Security vs Risk Conversations
3:05 - Risk Rating Factors
4:56 - Overcoming Customer Pushback
6:20 - Customer Risk Assessment Process
6:58 - High-Risk Business Criteria
8:27 - Medium and Low-Risk Segmentation
9:48 - Small Business Targeting Reality

Key Quotes

0:21 "... weak customer security leads to weak MSP security ..."
1:38 "... the conversation that MSPs really need to be having with their customers really shouldn't be so much on security, but more about risk ..."
2:41 "... 82% of the time, employees tend to be the cause, a lot of the reported breaches ..."
6:06 "... we can no longer absolve clients of their bad decisions ..."
9:48 "CISA's finding that small businesses are actually three times more likely to be targeted by threat actors than larger organizations ..."

Categories:
  • » Data Protection
Tags:
  • Security Operations
  • Best Practices
  • Getting Started
  • Compliance & Governance
  • Technical Deep Dive
  • MSP Security Program Design
  • Risk-Based Customer Conversations
  • Customer Risk Segmentation
  • Insider Threat Mitigation
  • Security Program Tiering