Why Cybersecurity's So Hard to Sell (And How To Do It Anyway)

Are you struggling to sell cybersecurity services to your clients?

Let’s talk.

If you’re a VAR or MSP leader frustrated by a ruthlessly competitive, saturated, and disrupted market — congratulations, you are not alone!

We’ve been working with a diverse roster of VARs and MSPs over the last five years. And when we start talking, the initial feedback we get is that they’ve been used to a sales framework where they go and educate the customer about the benefits and the ROI of investing in evergreening their IT infrastructure and bolstering their security. But it’s just not working like it used to.

The Reality is Your Sales Approach Needs to be Transformed 

When your marketing message is overly technical, you’ll sound like everyone else — and you’ll become a commodity like everyone else. So yes, you might give your extra three points (profit on product) as a discount hoping to make some profit on consulting and professional services, but you’re competing with another IT provider.

  • You might do more things as a value add, losing revenue and time that could be allocated to other prospects
  • You might lose the deal completely
  • You may sell your consulting contract with a discount — losing net profit

Please do not get me wrong: I respect technical blogs and technical marketing. I was a Double CCIE in my previous life. Those who have worked with Cisco platforms will understand how technical a CCIE certificate is — but the point is, this is not how successful selling is done anymore.

Let me give you a real example. Let’s say you want to build a digital marketing campaign around cybersecurity for a specific vertical market. You might hear a lot of these sorts of responses:


How do you get past that? You need to understand the nature of sales and the true motivation for the buyer. Without that, you can’t possibly be effective at selling your cybersecurity solution. The only thing you’ll achieve is becoming more and more frustrated as attempt after attempt fails.

Here’s Why Cybersecurity’s So Hard to Sell

At its core, cybersecurity is a “loss prevention” sale — like fire and burglar alarms, elective insurance plans, and retail theft-deterrent systems. The incidents these systems protect against can wreak severe damage upon organizations — but before a company actually experiences that damage, it can be very tempting for decision-makers to view the loss prevention measures as unnecessary costs. 

And that makes them very difficult to sell.

Most burglar alarm systems are sold after a home gets broken into, not before. Most generators and flood insurance policies are purchased after a major hurricane rips through an area — not the sunny days preceding it. 

To make matters worse, cybersecurity has been overhyped to the point of desensitization. There have been so many breaches that prospects don’t “hear” the threat anymore. Facebook, Marriot, Equifax. This effect happens everywhere. When the 9/11 terrorist attack happened, it practically shut down air travel for months. Today, despite there being more terrorist attacks than ever before in our history, people go about their lives with little to no concern. When you hear so much about something, it becomes very easy to tune out.

One more thing: there’s no ROI on cybersecurity solutions. If I spend money on marketing, there’s a tangible ROI. I get more customers who directly drive up my revenue. 

But when I invest a chunk of money on a ransomware-proof backup, there’s no ROI. Even when there is — when I actually need to restore from the backup, I’d still rather not be doing it at all.

Roll all these problems in with the belief that “it won’t happen to me,” and you’ve got a damnably difficult sale to make.


So how do you overcome this? Four quick strategies:

1: Target a High-Probability Persona 

All things equal, affluent, successful CEOs are more likely to buy cybersecurity solutions because first, they believe a breach would attract a lot of public attention due to the size of their organization, and second, they know they have a lot to lose.

Smaller, non-ambitious, non-entrepreneurial, price-sensitive “shopkeepers” may feel like easier sales to make. But the reality is they’re simply trying to survive — they don’t see themselves as likely targets and spending money on “prevention” is the last thing they want to do. 

Don’t be afraid to go upstream to larger, more affluent clients that are more likely to be receptive in the first place. 

2: Your Marketing Must Draw a Picture of the Actual Danger

You have to be able to talk accurately and convincingly about the scenarios you’re protecting against. Paint a picture of how a business can react to these attacks both with and without protection and a plan. Demonstrate the harm — and show how smart companies can avoid it.

Knowing, on a personal, company level, what actual attacks could occur, how likely they are, and how little a hacker sometimes needs to gain a foothold, is how leads begin to understand the value.

In other words: please, stop marketing like it’s still 2016!

That means:

  • Stop cutting and pasting technical blogs from your vendors
  • Stop focusing simply on the features
  • Stop working with digital agencies that have never sold technology solutions in their lives, and that treat you the same as B2C clients selling consumer goods online, competing on high-volume keywords that vendors already outspend you on 

If you don’t stop these tactics, you can maybe expect to see ROI on your marketing. Next century. 

Let’s talk about the Awareness, Consideration, and Decision stages in a cybersecurity buyer’s journey with a few quick questions. Are these your answers?

Q: “What’s an awareness stage cybersecurity campaign you have in place?”

A: “We have a technical blog we write each week focused on technical features of firewall solutions, and showcase vendors we got joint marketing funds from.”

Wrong answer.

Q: “What’s a consideration stage cybersecurity campaign and when should it should start running?

A: “We have a Contact Us page with a form and as soon as someone fills the form, a salesperson contacts them immediately with a pitch for our cybersecurity tools.” 

Wrong answer.

Q: “My final, killer question: how will your sales team follow-up on the outcomes and leads from these campaigns?”

A: “We went to an SEO agency and pay them $2,000 to $3,500 per month to do advanced on-page and online SEO. We will wait for three months to see results."

Wrong answer. Again. 

If your answers sound like these, you are seriously handicapping your sales and marketing efforts with outdated tactics that belong in 2016. The only prospects you’re attracting will never buy.

When your messages are inconsistent, boring, uninteresting, or unconvincing, don’t bother doing anything at all. Your marketing will have about as much impact as dieting for one meal has on your health.

Cyberthreats have given this industry a much-needed breath of fresh air, but if you don’t understand how the cybersecurity sale works, you won’t be the one making the deals.

3: Don’t Be Afraid to Go Back to the Drawing Board 

Stepping forward into a drastically different modern marketing paradigm may seem intimidating and risky — but there’s nothing worse for your business than sticking to broken methods that don’t work just because you’re worried about the risk of a new approach. 

Pull in your whole team and have them work with you on:

  1. Identifying a focused market segment that can actually be offered and appreciate your service.

  2. Building Awareness Stage campaigns that run all the time. Don’t give up on webinars just because you only have four attendees. Because here’s the secret: when your competition is running zero webinars, who do you think’s gaining the mindshare? Here’s my promise: keep that webinar series going and by webinar six, you’ll have 25 attendees with 60% of them being true qualified leads.

    How do I know? Because we’ve already seen this when helping plenty of VARs and MSPs focus on revenue-driven marketing and sales campaigns that deliver ROI to topline revenue.

  3. Building your Consideration Stage campaigns to focus on comparing and consulting without asking for commitment. Talk about vendor companies, share case studies, and invite existing clients to speak about their experiences, how you managing their projects helped them, and the lessons learned.

    “But Saher, I do not have clients yet!”

    Then invite your vendors to speak with you, or get a lead consultant able to speak non-technically to a business audience. They do exist — I was one! But the point is, there’s always something you can do. 



4: Revisit Your Sales Process 

Last thing. Have a proper, written, hand-off process that defines when a qualified lead is ready for your sales team.

And please do me a favour: coach your sales team to stop saying or doing these tired tactics:

  • Why you’re the best in the marketplace
  • Showing off in-house technical expertise and certificates
  • Going deeper quickly into technical conversation — your technical salesperson may feel great, but they’re probably just boring your prospects 

Have them only focus on one thing during this call.

The true, deep connection to the Why.

Why is the client even looking for security solutions? This is a discovery call. Discover the answer to this question. You may even reverse the conversation — talk about why your client might not need a security solution in order for them to realize themselves how much they actually do. There’s a lot you can try that gets away from the technical talk and addresses what they really care about. After all, at this point, they’ve already been on your website, they know about the projects you’ve done, they understand you have that expertise — that’s why they’re on the call. 

What they want at this stage is to know they’re making the right decision. Help them see that by talking directly to their pains and concerns.

I’ve helped countless VARs and MSPs reinvigorate their selling process thanks to my years of experience in the technical selling world — and having built a fantastic team that’s delivered results time and time again. If you’ve got more questions about building a revenue-driven sales and marketing process for your VAR or MSP, connect with me anytime. You can do that, and find out more about how we help MSPs and VARs, right here.

MSP, VAR, CSP growth marketing