An interview with information security expert Jason Rorie.
Jason Rorie is the Founder and Chief Security Officer of a successful MSP and a former U.S. Navy Communication Specialist. Jason holds numerous certifications in security, and his decades of experience in the channel gives him immense insight into the MSP’s place in the cybersecurity landscape.
JP – Thanks for taking the time for this interview. If you would, fill us in on what makes you an information security expert.
Jason – I have 20+ years in the information security and IT services industry. I hold two undergraduate degrees in Computer Network Engineering and Management of Technology. I hold a Master’s Degree in Information Assurance and Cyber Security. I hold a few of the top security certifications in industry such as the CEH, CCSP, CISM and CISSP. Another fun project was authoring the book “Small Business – A Hacker’s Playground”.
JP – These days, every MSP is being told to “lead with cybersecurity”. The common thought is that the key to marketing and selling IT services right now is to make cyber the key focus. What do you think?
Jason – I think cyber should be a major focus in your sales process, but you have to ensure that you practice what you preach. I have seen too many cases where MSP owners were projecting themselves as cyber security experts through paid advertisements and not able to back up any claims with proof of processes. If you are going to talk the talk, make sure you are able to walk the walk. Make sure you are providing everything you are selling and have the ability to provide proof on demand.
JP – So it creates a problem where MSPs who aren’t actually experts in security are misrepresenting themselves?
Jason – It is a significant liability to run around and promote yourself as an “expert” and not be able to do expert level services. If a business buys into your claim and an incident occurs, they are going to wonder why the “expert” let that happen. It will infuriate the business and you as the MSP will find yourself in a tough position. Maybe a lawsuit! A survey by Continuum states that 74% of SMBs will file a suit against their MSP in the event of a cyber incident. MSPs need to focus on reducing risk, not creating additional avenues of liability.
JP – Yeah, you can’t “fake it until you make it” when critical data is on the line. What would you consider the bare minimum requirement for an MSP to play the “cybersecurity expert” card?
Jason – The minimum would be having security controls and documenting them. Formal training and certifications would help as well. Consider the other side of the coin. Would you trust a non-certified CPA to do your taxes? Will you take his word that “he is an expert”? Wouldn’t you want some type of proof? Same with doctors. Would you trust someone with your health that can’t produce credentials, but can show you their picture on a billboard?
JP – Good point. And with more MSPs being targeted, more people are going to want some real proof. Now, your MSP is very successful. How much of that success do you feel comes from your cyber offering?
Jason – A lot of our success is due to our security offering that is backed by tried and true processes. Also, focusing on the relationships with our clients, creating value for them, responding and resolving issues quickly has gone a long way as well.
JP – What are the biggest challenges you’ve run into when it comes to selling cybersecurity?
Jason – Education! Plain and simple. It is getting businesses to understand the severity of today’s threats, understand everyone is a target. A lot of business owners still think there is a guy in a hoodie hacking into computers and that guy isn’t after him. This is true, but they don’t realize today’s bad actor writes software that doesn’t discriminate. These botnets are cranking out malware, phishing emails en masse. Just looking for someone to click. They know that what you have is important to you and if they can get access to it, you might pay to get it back. Once people realize that a bad actor’s only focus is extortion, they get it and realize they need to protect themselves.
JP – Since you first started in the channel, has a lot changed in terms of how an MSP should sell cyber?
Jason – A lot has changed. The threats have increased in number and severity. The controls that need to be put in place to protect a business are not the same controls from even 5 years ago. The days of having firewalls and anti-virus and you are good, are long gone. Today, if you don’t look at your own network and your clients with a defense-in-depth strategy and deploy layers of security, you are leaving yourself vulnerable. With that being said, selling cyber has changed immensely. You have to be that educator, like I mentioned earlier, to adequately protect a client, you have to deploy multiple controls. It can be a hard sell, so you have to prepare yourself or your sales people with the proper approach in educating your target market.
JP – Proof is always good. I understand your firm, MSP Overwatch, helps MSPs establish that proof through a certification process.
Jason – Yes. MSP Overwatch is a security framework, assistance and certification platform where MSPs get guidance and help on building their internal security program. Through the program you lower your risk as an MSP, extend an additional layer of security to your clients and have a way to show proof on demand through our documentation, reporting and certification process. If you have the experience, credentials and actual hard proof of control implementation and processes, it is hard for a potential client to pass on you. Again, put the shoe on the other foot, if you are the buyer, who do you choose? The guy who only says he can do it or the guy with the proof to back up his claims? We want you to be the guy with proof and MSP Overwatch gives you an easy path to get there!
JP – Sounds like a great deal. From a sales and marketing standpoint, I can say that sort of proof is gold. Do you have any last words for our readers before we let you get back to work?
Jason – Sure. Cyber security is a hot topic and businesses need it, but it also carries a lot of liability if you get it wrong. Be careful with what you promise to close a deal. Be careful what the client assumes and what they can hold you liable for. Take the time to put controls in place to lower your risk. Practice good security posture, get the right insurance policies, have the right language in your contacts and don’t over promote and over promise. If anyone reading this is unsure where they stand, I’d love to help. Reach out and let’s have a conversation.