MSPs have a significant opportunity to turn fear-led data security conversations into successful trust-driven partnerships.
Getting this right was the focus of ITEuropa’s panel at AvePoint’s latest OnPoint event, with MSP leaders concurring that those who win will engage the right stakeholders, whilst leading with education and a focus on business outcomes.
High-profile cyberattacks and increasingly sophisticated threat actors continue to dominate headlines and spread fear across boardrooms. According to panellists, this is leading to more proactive conversations, but not necessarily meaningful investment.
Keith Bucknall, Founder and CEO of Outbound, highlighted the disconnect. He stated: “Conversations have shifted from if a breach will happen to when a breach happens, proving they are seeing data security as a real problem. However, they want to do it for free or on tight budgets, so the challenge for today's solution providers is finding a way to tell that story in the right way to the right people.”
The first step is education around data, as organisations need to understand not just that risk that exists, but where their critical information resides and how it is governed. Bucknall added: “Businesses need to understand if their data is structured, unstructured, or in cloud environments. Once you’re in that position, you can do assessments, run tools, run solutions, and archive to know where you're going to go.”
Emma Rolfe, Data Protection Leader at CDW, highlighted that this approach expands the conversation and gives solution providers a more holistic view of their customers, aiding an outcome-led sell, as opposed to pushing products. She said: “You can’t talk about data without understanding what customers are doing in terms of their long-term plan and strategy, their cloud motion, and their digital transformation investment areas. You centre around these because they need to be protected when you talk about ransomware. Preparation and education around data is a key first step.”
After correct preparation and data understanding is established, conversations can shift to solutions that are right-sized. Derek Martin, Head of Content Services at Capgemini, said: “We need to ensure that the technology and defence are commensurate with the way the business is operating.” He talked on the panel about how this approach can lead to more appropriate backup and recovery solutions.
“Here, customer benefit from knowing their data before instrumenting widespread measures,” he said. “Not all data is born equal. So rather than backing up everything that is drawn on resources, we can talk about a proactive archival strategy which looks at the classification of known data and leads to a reduction in the amount of data that can be exploited.” Here, a strategic, outcome-led approach avoids overengineering while focusing on critical assets. “Just focus on the data required to support the business and its day-to-day running.”
What is critical is ensuring that these conversations are happening with the right stakeholders within the business. Rolfe emphasised the importance of board-level buy-in: “Getting through the important stakeholders is a big problem,” she said. “Infrastructure teams get the bigger picture but when things go wrong, incident response is a board-level issue. Everyone must buy into and understand their part in the process. This removes any barriers to implementing technology and systems.”
Bucknall echoed this point. He stated: “Try to pivot the conversations to the CFO and educate and coach them. Get the right people in the conversation because nothing can be implemented until it is fully understood that data isn't just an IT problem, or it isn't just a CEO problem. Establish ownership for each part of the process and then work backwards to integrate it into their business.”
Education should not stop at the boardroom, as end users remain the organisation’s largest vulnerability. As Bucknall noted: “Cyber Awareness training once a year will not do; this needs to be continuous and cultural. Humans are the first line of defence and last line of defence.” Martin added: “Users remain the best exploits. But ultimately it is the business that owns the data, so empower business users through day-to-day practices to mitigate those risks.”
