Written by: Charles Weaver, co-founder of MSPAlliance
There are many reasons you might lose a managed services deal. The customer thinks you’re too expensive. The customer doesn’t want to invest in proper IT management controls. Or you are just not a good fit.
There are, however, some reasons for losing a deal that are just not acceptable. Not understanding how customers view your MSP risk profile should not be among the reasons for you to lose a sale. For example, many MSPs do not understand the difference between physical and logical security and how customers view those two elements.
More importantly, if the MSP downplays one of these during the sales process because it meets the other, it tends to frighten clients, who reasonably want to understand how the MSP approaches security and privacy in general.
Physical vs. Logical Access Explained
I will oversimplify this for purposes of this article, but physical and logical security are two sides of the same coin:
Physical security deals with physical access to a place, like a NOC, office building, or data center.
Logical access deals with how your MSP team accesses the data and objects you are managing; think of remote access to a server that resides at a third-party data center.
Many MSPs respond to compliance and security requests from clients with a distinction between physical and logical access. For example: "Your data is safe with us because we use Microsoft Azure as our cloud."
This is an excellent example because it is so commonly used as an excuse to pass along the formidable physical security attributes of Microsoft Azure, while mostly ignoring the logical access of the MSP. You cannot satisfy logical security solely by explaining where your cloud environment is.
In my opinion, clients can be quite sophisticated when it comes to asking general questions around security and data privacy. I believe it is generally well known amongst clients that data centers, co-location facilities, and cloud platforms are very different from the MSP and the access they have to the data and objects being managed. When a client asks you for an audit report, for instance, and you hand them the Amazon Web Services SOC audit report, this is not a complete or satisfactory response.
MSPs need to be transparent in almost everything they do; this includes responding to security and compliance requests. Understanding that most clients simply want to know how you do things is important. Providing direct answers to those questions is the best policy. Attempting to satisfy a customer or prospect by passing off one of your external service providers as evidence of your security is not enough and could end up backfiring.
So, do not risk losing another deal due to an ill-advised compliance response. Understand the differences between physical and logical security. Know where the risks are and communicate them efficiently to your customers. They will respect you for it, and it might help you close that next big deal.