MSP owners: Why do we make our lives so hard?


Episode Artwork
1.0x
0% played 00:00 00:00
Sep 16 2024 27 mins   17
The podcast powered by the MSP Marketing Edge

Welcome to Episode 253 of the MSP Marketing Podcast with me, Paul Green. This week…



  • MSP owners: Why do we make our lives so hard?: Business owners often hinder their own success by running a marathon while carrying an anchor, meaning they knowingly hold themselves back through overwork, limited thinking, or mismanagement.

  • The most powerful MSP marketing question to ask any lead: Asking this is a great way to prioritise your leads and create a follow-up list for the future.

  • How to do marketing within the CIS security framework: One of your challenges is making ordinary business owners and managers realise how important good security is. Find out how you can achieve this using the Center for Internet Security controls. My guest, Zach Kromkowski, explains all.

  • Paul’s Personal Peer Group: Sean, who runs as MSP in Houston, wants to learn more about AppSumo and what it has to offer.


MSP owners: Why do we make our lives so hard?


You and I as business owners, we are in this for the long run, right? Whether this is your first year in business or your 30th, you know that owning a business is a marathon and not a sprint. So that being said, why do we constantly make life hard for ourselves? Far too many MSPs decide to run the marathon while carrying an anchor. It’s nuts. Let’s talk about why we do this and how to give ourselves a much easier life, yet still achieving the things that we want from our business.


So I was listening to this book a few months back. It was written by the guy who built up the Burger King chain back in the 1950s and 60s if you’re interested. It’s called The Burger King. It was, okay, not the most instructive business book in the world, but I do believe you can get huge value from any book as long as you get one big idea from it. Do you agree with me on that? Anyway, my big takeaway from this book was a phrase I’ve never heard before, but I instantly understood what it meant.



Business owners make life hard for themselves by running a marathon while carrying an anchor.



And I completely relate to this, do you? It means that even though we know it’s not a sprint race and we know we have to keep going for years and years and years, we seem to noble ourselves in as many ways as we can. Perhaps it’s by continuing to work 60 hours a week despite being surrounded by very competent staff who are actually looking for more things to do. Or perhaps it’s by not taking enough vacation, enough holiday time each year, which means that when we do take a break, we are utterly exhausted. Or perhaps it’s by thinking too small.



There are many ways that we hold ourselves back and don’t think this is just an MSP thing. All business owners everywhere in all sectors do exactly the same thing. But the thing is, the clues to long-term success are there if you go looking for them. Just listen back to any of the fantastic interviews that I’ve done in the MSP Marketing Podcast over the last five years, and you’ll hear very, very successful people talking about how they broke out of the “hell phase” of running a business, where you’re trapped doing 60 hours a week, and they entered a new phase where they’re working primarily on the business rather than in it. And often the massive growth of their business starts to happen at exactly that moment. And this is not really a surprise – there is a direct correlation.


So let me ask you – maybe it’s worth you pausing this podcast or this YouTube video to ask yourself this question – what do you do to hold yourself back? What’s the anchor that you are carrying during your marathon? The first step is to identify it, label it as what it is, and then dedicate yourself to finding ways to eliminate it. Maybe it’s a mindset issue. Maybe it’s a workload issue, maybe it’s a resourcing issue. You can’t fix these things until you know what the problem is. Then you can take proactive action to eliminate the problem. Let me finish with one more quote from that book, and I’m paraphrasing here, but this is the right sentiment. The greatest gift we can give ourselves as business owners is positivity, and that comes out of taking action against our problems. I love that. Don’t you? Come on then. Let’s do it. You and me. Let’s take some action.


The most powerful MSP marketing question to ask any lead


I recommend all MSPs focus their marketing efforts on building multiple audiences of people on LinkedIn and email, growing a relationship with those audiences through content marketing and then converting them from leads to clients. And the easiest way to do that is to offer them a 15 minute video call with you.


It’s a very low commitment first step that gives you the opportunity to ask them about their favourite subject, which is of course, themselves and their business. And then you can try to set up a proper, in real life, sales meeting. Now this video call is something you should offer on your website, offer it on your LinkedIn, offer it everywhere that you engage with people who are potential future prospects. And the call should consist of lots of open questions from you exploring them, their business, their needs, their wants, their fears and their desires.


The more they talk, the less you talk, then the more engaged they will be. But there’s also a very leading question that you absolutely must ask. They’ll give you a one word answer that will reveal exactly how likely they are to become a client. Here’s the question…



On a scale of 1 to 10 – where 1 is terrible and 10 is world class – how do you rank your current IT support company?



Ask this question and then go quiet. Give them space to think about it and answer it. You can colour grade this lead based on their answer because you’ll instantly know if they’re a great prospect or just a tyre kicker.


If they answer ten, nine or eight, then they’re a red lead and are very happy with their incumbent MSP, so add them to your email list, wish them well and call them back in a year to see if anything has changed.



If they answer seven or six, then they are an amber lead and there’s a high level of dissatisfaction with their incumbent MSP. Test if this is short-term and happiness, maybe a support call this week wasn’t handled very well, or whether it’s actual proper long-term dissatisfaction. If it is, then they could go on to be a super hot prospect for you.


And if they answer five or below, then they are a green lead. They are desperately unhappy and they’re very likely to take action on this unhappiness at some point. They are yours for the taking. So dedicate all of your sales attention on them.


By the way, for answers of seven or below, use this follow-up question to get some understanding – Can I ask what made you give them that score? Your lead may then tell you exactly what has created their unhappiness. And this is a very powerful thing to know in the sales process that you’re about to start with them.


How to do marketing within the CIS security framework


Featured guest: Zach Kromkowski, co-founder of Senteon and dedicated to transforming the cyber security landscape for MSPs and enterprises by delivering unparalleled automated solutions for endpoint hardening.


His mission is to simplify and enhance security measures across workstations, servers, and browsers, ensuring top-tier protection and regulatory compliance with minimal manual intervention.



I know how important cyber security is to you and what you do on a daily basis, and I also know that one of your challenges is trying to make ordinary business owners and managers realise how important good security is and how they need to invest in it. My special guest has a fantastic approach to this, using the framework laid out by the Center for Internet Security. Let’s explore how he uses that and how you can do the same in your MSP. This interview will show you that the CIS framework is perfect to build your marketing around.


I’m Zach Kromkowski, co-founder to Senteon manage endpoint hardening and first time security entrepreneur.


And congratulations for being a first time security entrepreneur. It’s awesome, right, isn’t it, running your own business. And also congratulations for coming in here on the show and we are going to talk today about how you can use cyber security frameworks actually as a marketing tool. So not just there to keep your clients safer, but to actually attract new people and to upsell your existing clients. Now, before we talk about that, Zach, let’s have a little bit of your history. So talk us through what you’ve been doing and what made you start this business.


Yeah, I mean, this is a long answer, but I will do my best to keep it concise. So security is ultimately something that everyone talks about, but we realise no one really knows where to start. And my co-founding team is actually a team of four. And when we were in university, we were told to configure our assets and do all these traditional best practices for security posture. But when we went to the real world, we realised it wasn’t happening. So why in school were we being told you have to configure your asset, you have to set it to the correct state, but it didn’t happen. So we realised there was a gap from what we learned in school versus the workforce today. And that gap made us question, why isn’t this happening. Is school wrong? Is this not important or is corporate wrong, why aren’t they doing this? What is that challenge. And that’s ultimately what we sought to figure out, what is that challenge as to why people don’t prioritise configuring their assets.


And what was the answer that you stumbled across?


That’s probably a good leading point for me to answer. So the challenges we found were really a few things. The first and foremost, if we’re talking about Microsoft devices, it simply put that Intune group policy and PowerShell scripts are too difficult to keep up to date, let alone doing it once. But the number one challenge that we identified was simply that there’s an innate fear of changing a setting on a machine that is being used because it might break something. It could break something on the end client end, or it could break one of the workflows you have internally at your MSP. And that is the key focus that Senteon really focused on to develop a learning mode that determines is this safe or is this not safe? And the goal here is to make the optimal solution that can change settings without causing disruption.


Got it. That’s a good pitch and what we’ll do is we’ll talk about Senteon and what it does and how people can have a look at it and try it out – we’ll talk about that towards the end of the interview. It’s always a good place to pop that, but that is a great pitch. What I want to really talk about is how to use a security framework as a marketing tool. Now, I never assume that every single person listening to this podcast and we have thousands and thousands of listeners, I never want to assume that everyone understands everything because we live in a very complex and a very big world. So you are going to talk about the CIS framework. Can you explain that to me, remembering that I’m not a technical person and I think if you can explain it well in a way that I understand, then everyone who listens to this podcast or watches the YouTube videos is going to understand it as well.


Absolutely. So CIS simply stands for Center for Internet Security. It’s a global non-profit that is dedicated to increasing cyber security readiness and response. They are most famous for what’s called the CIS controls, and they have 18 of these controls. What’s interesting about this is



they’re not just lists of things that make up security – they’re a prioritised list of 18 things you can do to increase your cyber security defences.



So it’s a step-by-step playbook on how if an MSP has never done security, it gives you step one of what you should focus on. If it’s a mature MSP who’s already offering security, it gives you a roadmap of, okay, let’s actually check what am I doing today and am I meeting this 18 point list.


I’ll give an example as well. Control 1.1 is knowing your hardware asset inventory, why is this control 1 or 0.1? Well if you don’t know your hardware assets, there’s probably no way you’re going to know what you need to secure. So knowing your asset inventory is literally control 1. Control 2 is software asset inventory then control 3 is data protection and control 4, to reel it back to exactly where Senteon lives is all about configuring your assets. You can’t configure your assets if you don’t know your assets. So that’s really, in a nutshell, what CIS is at a high level.


They do go way further than just this 18 point list with things called implementation groups, which is the prioritised minimum requirements of what to do. For example, these 18 controls. Some of them might take a little bit more understanding of security. So they also have implementation groups that say, Hey, start here.


The other piece that they have that’s really cool is called the CIS benchmarks. And this is a prescriptive list of do this to this setting. Take for example, machine inactivity, timeout, take that setting and best practices set it to 1500 seconds. So they provide one-to-one recommendations on how to secure something very specifically. That, in a nutshell, is CIS.


And where it gets really exciting – and I’ll let you ask a follow-up question, Paul, you know this is something I’m very passionate about – to take this a step further – and I’ve listened to the other episodes – not everyone is going to know what CIS is, especially your end clients. So why do you want to align to a framework that your end clients, the people you’re selling to, aren’t going to know about? And the reason is this, CIS organisation takes their recommendations and they will actually crosswalk it to the framework you do care about. So whether this is ISO, DORA or in the US CMMC, NIST, there’s all these crosswalks that they take and say here’s our recommendation and here’s the requirement it meets in this recommendation or in this framework. So that’s really in a nutshell, CIS at a high level.


Well, I think you explained that brilliantly. So thank you for that, Zach. In fact, you’ve genuinely added something to my knowledge base there. My follow up question is of course about the end clients. So the ordinary business owners and managers that MSPs are trying to reach, and I’m guessing they’re not going to know about CIS and therefore an MSP coming in saying, Hey, I’ve got these 18 things. That’s not really something that’s going to appeal to them. So how do you recommend the MSPs take that CIS information and turn it into a framework, something useful that ordinary business owners and managers will understand?


Absolutely. So there’s two ways to look at this. If you’ve not offering security today, there’s kind of one way there. But if you’re already offering security today, there’s another way, and I’m going to lean into a previous episode of yours I caught, all about content marketing. So this list, I did say 18 controls. What I didn’t mention is there’s actually sub controls, substeps within these 18, and they add up to a total of 153 different controls. If you’re an MSP just starting out and you’re looking, how can I make this resonate with the customer. Well, the first choice goes back to my initial answer. You don’t necessarily talk about CIS. You use the CIS crosswalks to talk about the regulation and the requirements they do care about. That’s the easy answer. Now, talking from a demand generation perspective and marketing and making that ROI, taking the sub controls and the main controls, so a total of 153 things, you can create content around each of these.


Why does this matter? You’re positioning your MSP as the subject matter expert on frameworks without even really doing too much additional work. So I gave the examples of controls 1 through 4, we’ll stick on control 4. So talking about needing to configure assets. Well, we can make a content or a blog post or a graphic or just a LinkedIn post saying, Hey, something we do at MSP name is we focus on configuring your assets. This aligns to step 4 of this framework. So it’s now almost like a content roadmap of areas you can begin to slowly educate your customers on and say, Hey, this is why we’re doing the things when I talk to you or when you reach out to me, you’re not only going to hear the vendors I use or the security I provide, but you’ll actually give them contextual understanding. And it’s no longer you saying you’re doing this, it’s you’re doing this because this authoritative governance body told me to do this. Talk about protecting yourself and your business because it’s not just, oh, my engineer thinks I should do this. I’m following best practices from a respected source to guide me in supporting you.


And do you think that actually is an advantage to be able to say to a prospect, Hey, we take all of the best practice that’s laid out by this world organisation, but we’ve done all the hard work, we’ve set out our own roadmap from that, and essentially this is the best level of protection that you’ll be able to get for your business because we are going to work through this framework together. Do you think that works?


Yeah. I mean, let’s put it in a different perspective – I always try to relate things, this is something I’m personally trying to be better at – let’s just talk about getting your car worked on by a mechanic. If you go to this general mechanic shop who historically only works on cars he knows, but he goes, yeah, I could probably fix your car. I work on cars like this, but I know how things work. I can look at your car and I’m going to know what to do. He’s not an expert at your exact car model. He’s not an expert on all of your internals, but he’s worked on cars and he’s like, yeah, I can fix this. I can make it work. And maybe you do drive off that day and it works fine. But going into that conversation with that mechanic, would I rather have the mechanic saying, oh yeah, I specialise on this framework or this type of car. I specialise on these internals because it’s all I do day in, day out. Or would you rather go with the person who’s kind of a catchall does whatever? So when you present as an MSP to your prospects, to your customers, you can now say, Hey, we are not the experts. I understand. I do not know everything about security. If that’s what you’re looking for, I’m not your guy and the guy who says they are, they’re definitely not your guy. What I do to differentiate myself as an MSP is I leverage the best practices from documented standards, and this is how I facilitate the accomplishment of this roadmap for your business. So now you’re leaning into something that’s already globally accepted and positioning yourself with an existing brand.


Yeah, I love this. I guess all of this is just a Google search away anyway, right? You almost want the prospect looking it up and saying, oh yes, this CIS stuff, oh, okay, it is a big deal, it’s a global standard, etc, etc. And yes, I can see the power of essentially positioning yourself as we’re always going to be up to date because we follow these standards. We don’t miss anything because we’ve got this framework. But as you said, not everyone can be experts in absolutely everything. Zach, this is really good stuff. Thank you so much for this. We are definitely going to have to have you back on the show in the future, because I can tell you’ve got loads to talk about with using security as a marketing tool, which is just brilliant. Tell us a little bit more about Senteon, what is it, what does it do, who should get it, and what’s the best way for us to get in touch with you and try it out?


The best way to get in touch is I’m hilariously active on LinkedIn. That’s my go-to source. Obviously I have the YouTube channel and a podcast, but to really give the behind the scenes on Senteon, we have the same methodology that I just proposed you leverage from your MSP to end clients. I have the same methodology as a vendor servicing MSPs. So that methodology is – hey, we remediate, we change settings on your workstation, on your server, on your browser. We’re changing over a thousand settings – Now, a company where maybe you have heard of us, maybe you haven’t heard of us. If you haven’t heard of me, and I say, we’re going to change a thousand settings. Do you want me to do that to your business… let alone your clients? Probably not. But when I say we’re going to change these thousand settings to align to a standard that exists and is proven, now do you trust me a little bit more? So I leverage this same best practice of putting my brand with a best practice brand that I’m encouraging you to do. Why would I encourage you to do it? Because it works. That’s what we do and it’s proven successful for us. So why can’t this translate to the MSP to end client level? So that’s exactly it. And Paul, you’re going to have to repeat your four questions. I got like two of them.


That’s fine. I think you’ve done a great pitch there for what Senteon does. Tell us just what’s the best way to get in touch with you and to try the product out.


To get in touch with us, connect on LinkedIn, we do have our website. Those are always best ways. And if you do want to learn more about the settings in specific that I’m talking about, I’ve said the word thousand more settings a few times today, but if you really want to understand about this, there’s a webinar series that I host actually with CIS so you can trust it. It’s literally with the authoritative body I’ve been talking about, and we have a PowerPoint slide per setting. So I’ve actually rewritten, I think to date about 700 different settings. I’ve rewritten them myself from a security point of view, from an easier to digest point of view. If you don’t have a security background, if you’re just starting out, I’ve rewritten all of these and I hold a weekly webinar series with CIS on my YouTube channel on LinkedIn, so you can connect with us there.


If you are looking to actually test out Senteon and see where your current configuration sits, which I will note, if you’re like everyone else we work with, by default, when you get a Microsoft Box, you’ll have 20% of your machine configured correctly. 20% in quantity terms is about 70 of 500 settings. It’s not a lot done correct by default. And Paul, we can have a whole other conversation of secure by design and why people don’t distribute products with a secure by design mindset, which they should. But you are welcome to toss a website inquiry to our contact us page, mention Paul, I will happily provide a hundred free assessments to anyone who mentions Paul. That’s my gift to anyone who lets me come onto the show and share our mission to build better awareness about defensive security and making security marketable. It should be a revenue item for you. It should be generating you profits. There’s no reason it can’t and it’s a good service. So mentioned you watched us on Paul’s webinar show, and you’ll get a hundred free assessments. You’ll get a full presentation and everything you need, these reports that you can get completely free will be internal usage, external usage, and they would literally have a button to export as PDF and have a whole little marketing campaign that you can distribute to your clients.


And give us your website address, Zach.


Yep. So that is going to be Senteon.co.


Paul’s Personal Peer Group

This week we have Sean from an MSP in Houston, Texas, and his question is about something he’s confused about… “What is this AppSumo thing that I keep hearing about?”


Okay, stay calm and keep your hand closely on your wallet because AppSumo is going to prise it open and extract cash from it on a regular basis. What is it? Well, think Groupon. You remember Groupon, don’t you? Groupon, but for tech-savvy entrepreneurs and business owners, so people like you and me.


AppSumo is the place where new apps and other clever new businesses go to grab a whole load of customers in one go. In return, they offer a killer deal to AppSumo’s database, which is estimated to be more than a million people. One such great offer from my goodness, I think it was late 2020, was a lifetime deal on Publer, the social media scheduling platform. Of course, that’s been sold out for years and Publer has now become a mainstream tool.


Sometimes you buy a deal and the software turns out to be not quite as good as the marketing said it was. But that’s okay because with most deals, you can get a refund. Now, I’ve bought and kept more than 40 deals since April 2013. Yes, I did check the date and the number of deals, and I do love getting their regular email with new deals. And I think you might too, just be very, very careful. AppSumo is very good at getting you to buy software that you never actually use. You think you’re going to use it, but you never actually do.


Mentioned links


  • This podcast is in conjunction with the MSP Marketing Edge, the world’s leading white label content marketing and growth training subscription

  • Join me in MSP Marketing Facebook group.

  • Connect with me on LinkedIn

  • Mentioned booked: The Burger King by Jim McLamore.

  • Connect with my guest Zach Kromkowski on LinkedIn and check out the Senteon website.

  • Got a question about your MSP’s marketing? Submit one here for Paul’s Personal Peer Group.