Achieving a cybersecurity win is a great accomplishment that’s often only attainable following a significant struggle. What many MSSPs and MSPs don’t anticipate is that sharing their results and progress with clients can be just as tough, if not more challenging. However, if you’re to retain clients and grow your business, it’s one hurdle you can’t afford to skirt.
Need help ensuring that your cybersecurity reporting standards get the message across intelligently and accessibly? This breakdown might help you gauge where you currently stand and show you how to make improvements.
MSP or MSSP reporting comes in many forms. There’s no industry-wide standard, and because many service providers serve multinational clients, this is probably for the best – no single format or framework could cover all the possible bases. Also, different national and international regulatory schemes mandate distinct reporting requirements. Depending on where you do business, rule-makers might not even be sure about how long MSPs should have to report incidents after they occur.
So does all of this uncertainty mean your reporting to clients can be some kind of free-for-all? Not exactly. Although you’ve got plenty of leeway to decide when, how, and what you report, it’s also worth considering the endgame: Why are you reporting in the first place? Some viable motivations might include:
As this long and diverse list of motivations shows, putting in place a new reporting routine might help you stand out from the crowd. The real question is how to build an MSP technology framework that gives you the flexibility to communicate effectively on a case-by-case basis.
Your chosen goals should determine your reporting methodology. Here are some to consider:
Say you want to show a client how much you’ve saved them throughout a service contract period. Instead of just waiting until the end to reveal the results, you might create and share weekly or biweekly updates along the way.
Frequent reporting makes it easier for the customer to see the progress as it happens and keeps them more informed about their security posture – potentially reducing the number of fires you’ll need to extinguish later. Regular information sharing also lets clients know that you’re not trying to pull a fast one over on them, and they’ll almost certainly appreciate the transparency.
Your reports should never be raw data dumps. While it’s critical to build on accurate, thoroughly granular information, your clients aren’t likely to prove receptive to a massive CSV file or endless slideshow of charts.
Learn to speak the customer’s language, and do so fluently when you share data. If you want to go above and beyond, make it simple for the client to pass the information on by inquiring how they plan on using the reports and how they’d like them formatted. Offering additional perks, like including their branding on reports and catering to their preferred level of detail, is a great way to win the customer service competition.
Your reporting shouldn’t just be about revealing the improvements your efforts brought about. You should also share the problems and worst-case scenarios they prevented.
As you’re putting out IT fires, use a prioritisation system to highlight the biggest risks and tie this data to straightforward cost benefit analyses. For instance, if you patched a vulnerability to keep hackers from DDoSing a company email server, it would make sense to show how much the business might have lost if the server had been taken out.
Remember that business continuity is just as vital as immediate profit. Incorporate metrics like system downtime, security cost savings, and consumer goodwill into your reporting to come off as more well-rounded.
Focusing on the numbers works fine if your audience is comprised solely of your MSSP support team coworkers. In the real world, however, you need to talk to people who lack an understanding of how your work connects to their wellbeing.
Don’t be afraid to share a taste of the secret sauce – although obviously not the whole recipe – that makes your services worthwhile. Showcasing unique solutions, like automating your vulnerability prioritisation to free up threat management resources and focus on the most critical issues, can help you establish your expertise. Reports that disseminate this kind of information on top of sharing quantitative progress go down much more smoothly in settings like boardrooms and budget meetings.
Too often, reporting is an afterthought that completely downplays the incredible work MSP or MSSP teams do for their clients. Make it a priority to change the way you report to clients and watch your business grow.
By using RankedRight, teams save hours each day on manual triage, enabling them to get to critical remediation more quickly. You simply create users and assign them rules. Here's how it works.
Find out how to effectively set the service level agreement (SLA) for vulnerability management activities. Learn about the steps that are involved when setting levels of assurance and why these metrics matter.
While some risks can be mitigated with the right precautions, others are simply impossible to avoid. That is where risk acceptance comes in and RankedRight can help.
Are your vulnerability management services as good as you think they are? Try our checklist to find out.
Give your business the opportunity to engage with clients all year round by adding vulnerability management to your portfolio.