Framing cybersecurity as a tax on businesses

Dave Sobel is host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is a leading expert in the delivery of technology services, with broad experience in both technology and business.

In this video, Sobel outlines how he believes service providers should position security offerings to customers. He views cybersecurity as a tax -- something businesses must pay although they'd rather spend the money elsewhere. Business owners understand the distinction between an obligation and "something that's driving the business," Sobel noted.

Convincing clients to spend appropriately on data protection is just one of several cybersecurity trends challenging MSPs this year. The others include educating clients on the growing complexity of attack vectors and helping businesses assess zero-trust security approaches.

Editor's note: A transcript of this video follows below. Minor edits have been made for length and clarity.

I think IT security is a tax on business, and I'm going to walk you through why I think that's important and how to change your messaging.

IT security is a tax on businesses. It's not even a very good tax. Most business owners may grumble about taxes, but there are certain services you get for that tax -- like roads, police, fire departments, the justice systems, schools [and] all that common infrastructure. And we can have healthy debates about the allocation of resources, and yet still agree there are services as a business owner you want to have.

But IT security? Where does that fit into my profit and loss statement? Doesn't drive revenue. Doesn't reduce my costs of goods sold. Arguably, it adds complexity to my system, so it increases my cogs rather than reduces them. Frankly, it's not even something I want to have, like pens in the office. It's even worse than an expense. It's a tax. And it's a tax I pay to ensure that criminals don't break into my business and steal my stuff. And no matter how much I pay for that tax, I don't ever get a guarantee that it's enough.

At least when I pay my taxes, I know the roads will be at a basic level of service to make accessing the world possible. It's a lot more like a set of shakedown fees and Mafia protection money. And it is Mafia protection money, sort of. We know there's a world of criminal gangs using technology to take hostages, extort businesses and steal profit. Be a real shame if something were to happen to your business now, wouldn't it?

Microsoft Security has even pointed out that they're using gig workers. There's less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. The phrase is industrialization of the cybercrime economy. That's a whole economy.

Let's put this into the stack rank of where customers want to spend their money. Research from Cloudera on how money is spent when it comes to software, notably often the second largest expense after payroll. The top ranking spend? Well, productivity and collaboration at 18.8% of the budget. That's tools like Asana, Slack, Miro, and offerings from Microsoft and Google. Next up is marketing automation, followed by development tools, customer service and IT tools. So, they're a big pot too, and that includes stuff that varies depending on the industry.

Now, note how IT tools are fifth. 'Go where the money is' is never failing to be wise advice, and IT tools are not in the lead. That tells us what they want to spend their money on, and it's never taxes. A note, security isn't even specifically there. I suspect it's lumped into IT tools, which resonates with something that's a tax on the business rather than an enabler.

Now, why does this matter? It's about the way we talk about our solutions. First, think about the way vendors in this space talk to providers. It's always an opportunity. Well, they aren't wrong. It sounds really icky when considering that it's really a tax. It's an opportunity to tax your customers. Yuck. No, thank you.

I may not like the security tax, but I'll also note that I pay it. This is not a space to go cheap on because the consequences are now very targeted and I also believe that cybersecurity tax will be levied against businesses for a while, but I won't celebrate it. And thus, both as an end user myself and thinking about end users, please recognize that this is not where they want to spend their money. Yes, please sell me more locks to try and keep out the hoards without any actual guarantees of it working, said no one ever.

Remember if you're only selling security solutions, you're at the bottom of the food chain for value. This is good, and if you want more about the good, better, best approach for value, I have a video devoted to that. Because security is worse than good. It's a tax. So, talk about it in that sense. This is a necessary evil. None of us like it. We want to eliminate it. But we live in the real world, so let's ensure the money we spend is effective and appropriate for your business.

The advantages of framing it as a tax are substantial. Owners understand the construct: This is an obligation rather than something that's driving the business. By being explicit about the cost and where security goes, you're also well positioned to appropriately discuss your other services against the portion of the profit and loss statement. Other investments will drive revenue; here's how we measure that. Oh, yes, we have to pay the security tax too.

Owners will respect your understanding of their business goals, knowing that security is not explicitly their goal. Being a true business partner with your customers means serving their needs.

Let's call it out. Security products explicitly drain the business. None of us want to spend this money. Owning that truth builds trust, frames the conversation into a realistic one and ensures providers aren't positioned as arms dealers. Don't look like you're profiting off customers as victims. It's a bad look and it destroys trust. Because for every security vendor who calls it an opportunity, it starts to smell like exploitation of a bad situation. Don't be that.

About the author
Dave Sobel is host of the podcast The Business of Tech, co-host of the podcast Killing IT and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade and has worked for vendors such as Level Platforms, GFI, LOGICnow and SolarWinds, leading community, event, marketing and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.