Contents:
Your client is no longer just buying your security advice. They’re auditing whether you live by it.
That was the clearest message from the exclusive interview I had with Heather MacDonald, an MSP finance specialist and owner of Counting Creators.
Heather’s exactly the kind of customer MSPs should be paying attention to: informed, commercially minded, and willing to challenge vendors who cannot prove they practice what they preach.
And this is where security culture is heading.
Our talk revealed five key lessons about supplier trust, certification standards, workplace habits, community influence, and the financial reality behind better security decisions.
Security Culture Starts with Better Business Questions
Heather MacDonald does not separate security from the way she runs her business.
I openly care about cybersecurity because I care about my business and your business.
If someone gets stuck in a cyber incident, that’s hugely traumatic. And I don’t want that to happen to anybody I know or anybody that I’m going to be working with either.
A lot of security conversations focus on frameworks, tooling, acronyms, and compliance. All of those have their place. But the culture piece often starts somewhere much more human.
It starts when someone in the business cares enough to ask better questions.
Heather does that constantly.
For her, cybersecurity is not an IT project that sits somewhere in the background. It’s part of how she chooses suppliers, works with her MSP, and trains her team.
Vendors Need to Demonstrate They’re Trustworthy
Heather changed her IT provider last year.
She did it because she had become much more aware of what she needed from a security point of view.
I became what some people would have said paranoid if they aren’t in our space, but I wasn’t paranoid. I understood the requirement.
So, Heather started looking closely at her supply chain. She wanted every vendor in that chain to have a security certification. Where vendors did not meet that standard, they were moved out.
I moved MSPs because I wanted to look at my supply chain. I wanted to ensure that every vendor in my supply chain had a security certification. Some didn’t so they got shipped out and moved so that my stack was as secure as possible.
Heather chose an MSP with Cyber Essentials Plus or above.
That’s not a technical control in the traditional sense. It’s a business decision.
It’s a shift from talking about implementing security measures to actually doing it. In Heather’s case, this means filtering more carefully who her business interacts with.
If the Customer Needs to Be Secure, So Does the Vendor
Security culture is not just internal. It is shared.
Your business works with other businesses, so their behavior becomes part of your risk. Heather has taken that seriously.
It’s not my place to check on an MSP, but it is my place to check if you’re going to be sending and exchanging information into my environment. I need to check what your environment looks like. So, while we’re working together, if I need to be secure, so do you.
Here’s what happened when a software provider with no certifications wanted do business with her:
There was a software I wanted to adopt in my business and they didn’t have anything. So I went to one provider, had the big conversation.
I said “what’s your security certifications?”
He said “We’ve not got one.”
I went “I can’t use you. I cannot use you until you’ve got something.”
Later, that vendor came back to her and said they were ISO 27001 certified.
That is security culture spreading through buying behavior.
Heather is not selling cybersecurity. She is not delivering technical assessments. But she is using her position as a customer, supplier, and finance specialist to raise the bar.
What she does is ask simple, practical questions:
What is your password manager? How are you sharing information with me?
Caring about those answers helps keep her business safe.
Certifications and Box-ticking Exercises
Heather recognises that some people see Cyber Essentials as a box-ticking exercise. But she still believes the MSP space should hold itself to a higher standard.
Cyber Essentials could be looked at as a box ticking exercise. I believe that box ticking exercise we should all be at. Everyone in this space should be Cyber Essentials Plus or above. Everyone.
It’s not that a certification solves everything.
Her point is that if you are in the MSP industry, you need to demonstrate that you respect the standards you expect others to buy into.
You have to be able to demonstrate that you respect your own industry before you can sell it to someone else. You can’t sell me Cyber Plus if you’re not Cyber Essentials.
That is the kind of statement MSPs should sit with for a moment.
Heather liked how her new MSP led her business through the certification process.
When I joined them, within four weeks they basically took everything down to ground, built it all back up again and I was Cyber Plus.
What she appreciates most about them goes beyond fixing things.
They’re not just fixing something for me, they’re listening to my needs, they’re working with me. What does she need next? What’s the next move?
Security Conversations Outside the Security Bubble
Heather’s background is finance. She’s done finance since school and loves the predictability of it.
Cybersecurity came later.
It’s grown over time because I’ve been sitting in the rooms with the experts.
Previous to my career I wouldn’t know anything about it. I would have written a password down because I would have forgotten it.
This is an important reminder for MSPs that not all people outside the security bubble are careless.
Often, they simply have not been in the right rooms, heard the right conversations, or had the dots connected in a way that makes sense to them.
Heather now connects those dots for other people.
Building Security Culture Inside the Workplace
Heather does not only talk about security with suppliers and customers. She talks about it with her team as well.
My team needs to use password managers. They’re not allowed to work stuff on their phones at all, or other personal devices.
We’re training all the time and I’m always talking about security.
That is what culture looks like in practice.
It’s not a single annual training session.
It’s not a policy that you write and forget about.
It’s repetition. Conversation. Expectation. Reinforcement.
Community Makes the Message Travel Further
Heather is well known in the MSP community, which has clearly shaped the way she thinks.
She spends a lot of time in the space because “You can’t really help someone until you really know what they need help with.”
That mindset matches both her approach to finance and her approach to security.
It’s listen, learn, and sit in rooms with experts.
Then she talks to other people about it.
Everybody who I speak to. Everyone… I’ll talk about security all day long.
That may sound simple, but it is how culture spreads.
Heather also pushes back against the idea that every conversation must be commercial. Belonging to a community and building trust is about helping where you can.
I don’t believe that everybody you speak to is a prospect.
We need to help each other. They say it takes a village to raise a child, I think it also takes a village to build business.
So, she helps MSPs one-to-one, sometimes quietly, because she believes “everyone can do well” and she wants to give back.
When people trust that you’re trying to help, they are more willing to listen when you ask uncomfortable questions about passwords, certifications, systems, or processes.
Finance and Security Are More Connected Than MSPs Think
Towards the end of the conversation, we came back to the role of the MSP.
Should MSPs be doing the same thing Heather is doing? Should they be looking beyond the technical work and asking wider business questions?
Heather’s answer was that the MSP relationship is changing. It is not just about “the doing in the background.” It is about relationships.
That includes asking about operations. It includes connecting people. And, from Heather’s world, it includes finance.
Because if a customer’s finances are not where they need to be, that affects what they can invest in.
If you actually look at your finances and the profitability of your business, actually you’re more likely to be able to afford to invest in this additional cybersecurity.
Security is often positioned as an add-on. Something extra. Something the customer may or may not choose.
Heather sees that differently.
Some people look at SOC as a plus, as an add-on. I don’t. SOC should not be an add-on. Security should never just be a plus to a service. It is the service.
The Takeaway for MSPs
As a finance specialist, Heather MacDonald is building security culture.
She does it by choosing suppliers carefully, expecting certifications, and asking about password managers. By challenging how information is shared and talking about security with people who didn’t necessarily come to her for a security conversation.
She’s proof that clients are getting more educated.
People like Heather are not just listening to the pitch anymore. They need to see that the business making the recommendation is living by the same principles.
If you liked this article, follow us on LinkedIn, Reddit, X, Facebook, and Youtube.