Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
Welcome back to the MSP Security Playbook, the podcast that helps Managed Service Providers (MSPs) build stronger, more profitable businesses. I’m your host, Jacob Hazelbaker, BDR here at Heimdal Security, your partner in unified AI-powered cybersecurity solutions.
In today’s episode, we’re talking about something every MSP struggles with at some point: selling security.
You might have the right tools in place, you might be protecting your clients from real threats, but when it comes to closing new deals or upselling existing clients, things can stall. That’s why today’s episode is all about building a system that helps you consistently generate leads, warm them up, and close more security deals, even with non-technical decision makers.
We’re joined by Paul Green, MSP marketing expert and host of the MSP Marketing podcast. Paul Green worked with hundreds of MSPs to help them shift from random acts of marketing to a repeatable, scalable system. And today he’s here to help you do the same. If you’re tired of chasing leads and you’re ready to close bigger, better-fit clients, this episode is for you.
But before all of that, let’s dive into today’s threat briefing. So, grab your coffee and let’s get to it.
Threat briefing with Adam Pilton
Adam Pilton: Thank you, Jacob. Here’s this episode’s leverage.
If your clients received a call from someone claiming to be their IT department, would they trust it? That’s exactly what the Silent Ransom Group is banking on right now. They’re running highly targeted social engineering-based attacks across the US, and law firms are in the crosshairs.
This could easily be one of your clients next. And you’re probably wondering who is the Silent Ransom Group? Well, they’re a financially motivated extortion gang that first showed up on the radar in 2022, and they’ve come a long way since then. They started out using classic callback phishing emails, the kind that looked like a fake subscription renewal.
The goal was to get the victim to call a number, and on the other end of the call, someone pretended to be tech support, guiding the target to install remote access software.
How does a Silent Ransom Group attack go?
But as of March, this year, they’ve shifted tactics, and it’s even more convincing now. They don’t bother with the email. They go straight for the call.
An employee gets a phone call from someone claiming to be their internal IT team. The attacker sounds confident, professional, completely plausible. They say there’s a maintenance task that needs to be done and they walk the person through joining a remote session, sometimes through a link sent via email and other times by guiding them to a webpage.
Once they’re in, they say something like “we’ll finish this work overnight” and the employee walks away from their machine. What the employee doesn’t realize is that they’ve just handed over full access and Silent Ransom Group wastes no time. They move fast using file ransom tools to quietly siphon off sensitive data – legal documents, client records, financials, whatever they can get their hands on.
Then comes the ransom note, usually via email, sometimes followed by a phone call. The message is clear “Hey, pay up, or your data goes public”. These demands aren’t small either. We’re talking 1 to $8 million, and that’s just the beginning of the fallout.
We’re seeing serious operational disruption, damage, reputations, and of course legal consequences. The human side of this, it’s tough. Imagine finding out it was you who let them in. The stress, that guilt, it sticks.
So, what do you do?
Lock down remote access tools and only allow what’s been approved. If someone suddenly installs AnyDesk or Zoho Assist or ScreenConnect, that should set off alarms.
It’s also important that we start looking at behavior, not just alerts. These attackers aren’t triggering antiviruses. Watch for unusual outbound data transfers. Watch for activity at weird types, and of course, tighten your access controls. Enforce MFA, review privileges, assume they’ll get in and limit the blast radius they can do.
And lastly, talk to your clients like a partner, by a checklist kind of way. Help them understand that the biggest threat isn’t some faceless hacker in the shadows. It’s someone who sounds just like you. Stay there, stay skeptical, stay secure. Back to you, Jacob.
Paul Green explains why focus on sales first
Jacob Hazelbaker: Paul Green, it’s great to meet you. I’ve been wanting to chat with you for a while. Your specialty is in marketing, particularly for MSP. So that really fascinates me and I’m really looking forward to our conversation.
One thing I noticed that’s trended across your different social media, your different platforms in which you communicate with MSPs is you often describe the marketing process as sort of systemized kind of habits. Almost a process in which you stick to doing it. So, I was really curious, for helping MSPs systemize their marketing, why do you think so many still approach sales and Legion in such a reactive sort of way?
Paul Green: Yeah, that’s a really great question, and MSPs are quite haphazard and disorganized with their marketing. And I think this is not their fault.
The problem is if you are the average MSP owner, you are a technician who loves what they do. You started your business to gain freedom over who you work with, the kind of work you do, how much money you make, and how much free time you have. And you know, in order to get those clients that you do that work for, you have to do this thing called marketing.
And marketing when you first glance at it appears to be the complete opposite of tech work.
The Three-Step System
So, tech work is very systemized. It’s, you know, there’s plenty of “how to guides”. Let’s be honest. Every technician has Googled it or looked to the standard operating procedure ’cause that’s how you get stuff done. And then you come to look at marketing. And marketing seems to be, certainly what you read online, is based on opinions “you could try this” and “here’s an experiment” and there’s no black or white, right or wrong, wrong way to do marketing.
I just told you; I’ve been in the channel for nine years. About three and a half, four years ago, I started talking about a three-step system.
This was like the crystallization of all of the work I’ve done, not just with MSPs. I’ve been doing marketing for other businesses for 20 years in different sectors before I landed in the channel.
It’s a crazy, simple system, but it’s also so powerful. It’s designed to make it super easy for MSPs by breaking it down into tasks. So, we’ve got three steps
Build, grow, convert
When you said you see me everywhere on the web, those are my audiences. So, my YouTube is an audience, podcast is an audience, LinkedIn is an audience.
I’ve got a Facebook group, et cetera, et cetera, et cetera. MSPs should do the same. But MSPs should start with LinkedIn and their email database. Those are the two most important databases for MSPs. Then the second step is to grow relationships with those audiences. And that’s what the content is for.
So, someone isn’t necessarily ready to buy today. You might have a conversation with them today, but we all know how slow the sales cycle is for MSPs. It can be years.
So, you keep putting good content in front of people on LinkedIn, any other social media platforms, you send out emails. Even if you’re going networking, you don’t go out networking and talk about yourself.
You talk about things that are relevant to your audience. So, you’ve got “build audience“, “grow relationships“, and that final step is to “convert relationships“.
And there’s a tiny window, Jacob. It can be from as small as two weeks up to two or three months where someone is thinking, genuinely thinking, and ready to take action on switching from their incumbent MSP over to someone new.
And your goal with all of your marketing is to get the right message, in front of the right person at the right time. Because it could be another 10 years before they’re ready to switch again. We all know MSPs have insanely good retention. That’s one of the positive side effects of the slow sales cycle.
People don’t leave you fast. They’re slow to join, slow to leave, which is great. So, the challenge for any MSPs to build up big, big audience, keep building a relationship with them and then be there at the point that they are potentially ready to switch.
J. H: I’m really, really curious. What an MSP owner does on year one, two, or three might change, especially as the MSP evolves. Do you have any advice you give to MSP owners for switching from the mindset of a purely technical role – what they’re used to – to the new mindset of “well, we also now need to do marketing”?
What kind of mindset shift do you normally see or recommend for MSP owners?
Mindset shift. Stop being the technician within the business
P. G: That’s a really great question, and you may be one of the first people to ask me that question, so thank you. I think you’re right. The mindset that you need does change as the business goes on. I have a
Podcast as well. I’ve had a podcast called Paul Green’s MSP podcast, MSP Marketing podcast, and over the last five and a half years I’ve done that. I’ve interviewed people who are at the 20, 30 year mark and there’s always a moment, like a pivotal moment where they realize:
“If I carry on working 80-hour weeks, I’m gonna die. I’m gonna have a heart attack or a stroke, or the business is gonna fail. There’s too much dependent on me. I can’t take a proper vacation. I’ve, I’m paying all these help desk stuff and they’re sitting around waiting for me to give them stuff to do. It’s nuts”.
And the successful ones, they reach that moment where they realize they’ve got to stop being the technician within the business. And by technician, I don’t mean the technical technician. I mean, doing the work. You can be a veterinarian and be caught in doing technical work if you are operating on dogs.
You can be a shopkeeper, and you’re caught in technical work if you are, or a storekeeper, if you are actually stacking the shelves. So, you have to have a mindset shift from “I’m the person doing this” to “I’m the person organizing this. I’m running it, I’m building it”. And then there’s another mindset shift to “I am the marketer of the business, the driver of growth in the business”.
In terms of mindset shifts, you eventually have to get to the point where you realize you personally cannot do it alone. You have to hire or partner with good people, and you have to almost start treating the business like a proper business. Even if you only ever want your MSP to be you and five or six people, you’ve gotta do exactly that.
You’ve gotta have a service desk manager who can do whatever it takes to keep the clients happy. You’ve gotta have a salesperson and the marketing people who do whatever it takes to stop prospects going to another MSP ’cause that would be a mistake.
You know what I mean? You’ve gotta have, you’ve gotta look at all the things that you want to do within your business, and you can’t do it all overnight, but that you can have a plan of, right?
Over the next three years, we’re gonna put some infrastructure, like an org chart, we’re gonna put an org chart in place. We’re gonna fill those roles. It might be that today I’m doing six of those roles, but within three years I’m gonna be doing one of those roles and then everyone can do their job brilliantly.
And that’s more of a mindset shift than it is actually a strategic shift.
Delegate, Outsource, Automate
J. H: That’s fascinating. ’cause I remember in some of your content, even the description of your book on Amazon, that you mentioned delegating, assigning some tasks out to people.
P. G: Yeah, I think there’s an acronym that I live by, which is, and let’s see if you know what this stands for, Jacob.
You’ll have heard of DOA, what does DOA stand for?
J. H: I would’ve guessed dead on arrival.
P. G: Correct. And as the business owner, that’s what you’ll be if you keep trying to do everything yourself, you know, for more than like two or three years. So, I’ve renamed DOA to Delegate, Outsource, Automate. So, you look at what you are doing, and you say to yourself, and again, this is part of that three-year plan of, of hiring other people to work with you.
You say, right, what can only I do? In fact, this was one of the pieces of advice I was given by an early mentor of mine. He said, you should only do what only you can do. So, it’s exactly the same for an MSP. You would look at that and say, any MSP who is setting up a new user for a client, you’re wasting your time.
And I know you have to do it in the first couple of years ’cause there’s no one else to do it, but it’s a waste of your time. Password resets. Right? When you’ve been in business for 10, 20 years, how keen are you to do a password reset? Well, you never want to do a password reset ever again because it’s a point that’s waste of your time.
But someone somewhere has to do it. And that’s why we delegate it. So, you know, your job is being either the senior tech or just being the salesperson or the service desk manager or whatever you do, you find other people to do these things that you don’t have to do.
You delegate tasks, or if you haven’t got the skillset set, you outsource them. And so, if you step outside of managed services, which most MSPs either want to outsource to help desk or keep in their bag. Actually there’s thousands of people out there that will do all of those little things.
So, delegate, outsource, and the final one is automation. MSPs are all over automation, and let’s be honest, Zapier is the best tool in the entire planet.
Anything that doesn’t have APIs that can link up to Zapier is not a tool that’s worth looking at in 2025. I think most MSPs are over that, but it’s the delegation and the outsourcing where MSPs typically need to get better.
People only buy when they’re ready to buy
J. H: There’s something you said that’s really gonna stick with me. You said only do the things that only you can do. That’s fascinating because there’s only so much you can delegate, outsource, and automate. And what’s left is the things that you yourself have to do.
I noticed you often talk about warming up leads, so I was really curious, what does that look like in the context of specifically cybersecurity services?
P. G: Yeah, absolutely. It’s another great question and the general principle is that people only buy when they’re ready to buy.
That’s a really important thing to remember. I’ve spoken to MSPs who’ve had sales calls with someone who said
“I hate my IT company. Everything’s changed. Everything’s got slower. They don’t pick up the phone anymore. It’s really slow to get a response. Everything takes ages. The price is going up. I’m definitely switching.”
And then two weeks later, the prospect calls them back and says:
“Yeah, I wasn’t quite sure about switching, so I’ve signed a new two-year contract with the people I hate.”
And everyone’s heads explode because they don’t understand it, but it’s because they don’t know what they don’t know.
Do the follow up
They’re scared. We call this inertia, loyalty. It seems easier to stay where you are than it is to move to someone new. So, to answer your question, most MSPs have a follow up failure. They don’t follow people up. They’ll have a conversation with them; they’ll put them in their email list and forget about them.
If people only buy when they’re ready to buy, we’ve got to talk to them regularly. So, we’ve got to have someone in the business that calls people on a regular basis. In fact, this is the third step of our three-step system, which is convert relationships. There is no other way for what we sell, for what MSPs sell.
There is no better way today. I think AI will provide us a better way, but it’s not now. That will be in the future, but today it’s someone picking up the phone and making outbound phone calls on your behalf to build the relationship, see what’s happening, and see at what point someone is almost ready to talk.
And just so you know, Jacob, we’re talking hundreds of phone calls to book one of those appointments. It’s a slog, right? This is not an easy thing, but what you have to remember is the big picture and MSPs always forget this big picture. Number one, when you get a client, you keep them for like 20 years, don’t you? Wow.
You win a client, you look after them well, and you keep them for years and years and years. You keep them until they go bust or until they get bought or until something goes wrong with your relationship. That’s the only three reasons that someone leaves an MSP. So that’s Big Picture 1.
Big Picture 2 is when they, over those 20 years, they’re going to give you 2 or $300,000. That’s what we call the lifetime value of a contract.
So yeah, sure, you’ve got to live for the next 30 years to collect that money. That is true. But there does come a point where you can sell that contract, right? If you’ve got someone in a three-year contract and you’ve just resigned them and you’re selling your business, that’s three years that the buyer is gonna keep that business.
So, never forget that you might not want to do this for the next 30 years, but you can sell those contracts or the business as a whole. So, I think MSPs miss the big picture. Other businesses find it easier to win clients, like super easy to win clients. But they benefit from a thousand, a thousand dollars lifetime value.
You find it super hard to sell clients, but you get 2, $300,000 lifetime value. And of course, the tech is the greatest changing sector ever.
What to do in the first 30 days of an MSP business
J. H: Unfortunately, most businesses do fail. It’s just how it goes. And then maybe on your next try you get another start at it. What it seems to me; time is really critical. As you mentioned earlier, only do what only you can do.
But let’s say you have 30 days; I give you one month to spin up an MSP. I’m really curious then. So, like to really get the security sales going. On this brand-new MSP, what three systems or tools would you implement first in the first 30 days?
P. G: So, first of all, before I look at systems or anything like that, I would adjust my life to give me time, time and cash to do it. And then in my first 30 days, I tell you what I would focus on Jacob, but I dunno about specific systems. I dunno if you’re asking me to say, well, I’d get a PSA or an RMM because I’m not an implementer. I’ve never run an MSP.
I’ll tell you what I’d focus on: sales. More than anything else, I would work 18 hours a day, seven days a week, no, six and a half days a week for the next 30 days.
And every single activity will be about sales. Because all I need to do is sign three clients. And that’s some going. To sign three managed services clients in 30 days is some going.
But you know what? I’m gonna go to every networking meeting.
I’m gonna do all of the marketing stuff we just talked about here.
So, at six in the morning, which is when I’m gonna start, I’m gonna be implementing marketing ’cause human, other humans aren’t around then. So, I’ve got from 6 till 10.
That’s four hours of hardcore marketing implementation. I can load social media stuff, I can build webpages, all that system I described to you, I can build that and more.
I can do all of that. At 10:00 AM I’m gonna get out there. I’m gonna go every single business meeting. I live in the outskirts of a city called Milton Keynes in the UK. There’s 200,000 people here.
There’s gonna be a business meeting every day. There’s gonna be something I can go to.
I’m gonna invite myself. I’m gonna go and do talks. I’m gonna go and just shake hands. I’m gonna have a business card, which stands out. I’m going to… Basically, I’m gonna hustle.
I’m gonna hustle at a scale which you could not keep hustling past those 30 days.
At the end of that 30 days, I’m gonna need 24 hours of sleep. A very large beer. And then I’ll put an apology to my girlfriend and child.
But do you know what? I’ll have my first two, three clients, then I’m gonna worry about a PSA and an RMM and all the others tech stack that you need.
Get the business first
That by the way, I think is opposite to the answer you would get from an MSP, and I reckon in any MSP starting out again, if they had to start tomorrow, they’d be like, oh, well I know instantly I’m gonna go with this PSA and I’m gonna get this RMM and I’m gonna get this tool and that tool. And the way I see it is, in an emergency situation like that, you get the business first. Then you figure out the delivery of it.
And do you know what? Do you know what I would do as well, Jacob? I’ve just, this has just occurred to me, those first three clients, I’m gonna charge them an onboarding fee because I’m gonna pick up some people who are either the wrong fit long term or they’re, they’re nuts, they’re stupid people I don’t wanna work with long term, or they’re desperate because no one else is gonna sign up to me within 30 days of meeting me.
And that’s fine. I’m just gonna take that hit. But do you know what? I’m gonna charge ’em an onboarding fee of as much as I can on top of their first month, a 2, $3,000 onboarding fee. Let’s say I generate an extra five grand cash. I’m then going to use that to either get an outsourced help desk or hire, a local technician or someone remotely to go and do a lot of that early work for me.
So, while in that second month while we are desperately trying to onboard these three nuts clients, I’ve got someone doing all of that for me. So, I can then go and build the proper business in the background, the PSA, the RMM and all the other tools. So, I suspect that’s not quite the answer you were looking for, but I think that’s what I’d do if I was starting again tomorrow.
J. H: That’s perfect. Because that’s, I never would’ve guessed your answer, but I think you’re right. Like focus on the sales, what actually brings in the money to keep your business going and growing instead of only focusing on the technical side of how to start a business, but never really focus on how to get those clients, how to do the marketing.
Mr. Paul Green, I really appreciate your time. It was wonderful chatting with you, and I really look forward to reading your book as well, so I thank you very much, sir.
Wrap up
It was really great chatting with Paul Green, I feel like I learned a lot just in that brief conversation. Only do the things that only you can do. That’s a quote I probably won’t forget anytime soon. It’s very true because as an MSP owner, you start out doing one thing and then you got to build out your business as your business continues to onboard new customers, and what do you do at that point? Apparently, you only do the things that only you can do.
Then you delegate out the rest, you outsource it, you automate it. I found that a really, really solid advice that Mr. Paul Green provided.
The other part that really surprised me was he mentioned if you only give him a little bit of time, say 30 days to start up an MSP, what is it that you really focus? What do you do?
And he said something I thought that was very, very insightful. He did not say, focus on building the best website ever. He did not say, focus on picking every single product you wanna provide for your customers. No. Instead he said, as a MSP owner, in the first 30 days, focus very, very intensely on marketing, on sales, and almost nothing else.
I found that fascinating. So, as you onboard your first, hopefully three customers, in those 30 days, that’s the focus. And I feel like a lot of MSP owners and business owners in general, often unfortunately, we get distracted by the technical side, the “how do I make my website look perfect” before I reach out to those first few potential clients?
And I just found that very, very insightful and very solid advice from Paul Green. So, it was a really wonderful conversation. I think I’ll remember some of those bits of advice for the rest of my life, and I hope you found it really useful too.
Watch the next MSP Security Playbook episode with Ross Bourne – From Frankenstack to Framework.
The MSP Hot Seat
And welcome to our section called the MSP Hot Seat. The question that was in my mind today was clients always push back on security costs. So how do we justify the investment? How do we communicate effectively to them that they do need this cybersecurity tool for their business? That’s a question I run into a lot, and I hear a lot of MSPs mention it as well.
What I find fascinating is Paul Green touched on how he brings in leads and how he keeps them engaged and interacts with them. So, what I found really, really interesting and relates to sales. In general, is a lot of times people need something, but they don’t know that they need it. It’s kind of like a doctors’, you go and chat with your doctor, they say:
Hey, how are you doing?
What kind of pain are you experiencing?
And then you describe to them what you’re experiencing, how your life is going, and perhaps what you would like to improve in your health. I often think that businesses are very similar. They have pain, they have points that they wanna improve, but they don’t necessarily know what the solution is.
And so that’s why I think what Paul Green does is so important because he doesn’t approach new clients as simply sales opportunities. He approaches it as a very open, curious conversation to learn more about their business, to learn more about what it is they do. How they can best improve it, how they can best help their potential customer.
And so, I find that as MSPs just starting your conversation with your potential clients in a more open manner instead of saying “Hey, you need this exact cybersecurity solution”. That would be a rough way to start the conversation. It’d be like walking into a doctor’s office is like “Hey, you need this medicine”.
You’re like, why do I need this medicine? You haven’t even touched on that, let alone identified my pain. So, I think that’s incredibly important. I love how Paul Green described bringing in clients, keeping them engaged, having an open, curious dialogue with them. Then relating those pain points to how it is that you could help solve that for them.
So that’s what I would say is a really useful approach for MSPs, focusing on that pain and how you can solve it for your clients.
That’s a wrap on this episode of MSP Security Playbook. Thanks for spending part of your day with us.
If you found today’s insights helpful, be sure to follow the show on your favorite podcast platform and leave us a review. It helps other MSPs find the playbook and level up their security game.
Got a question you want us to tackle in the MSP Hot Seat or a topic you’d like to hear more about? Drop us a line. We’d love to hear from you.
Until next time, stay sharp, stay secure, and keep building the future of your MSB business.
Watch the first episode of The MSP Security Playbook and all following ones here.
