The role of managed service providers (MSPs) in the tech industry is evolving. Gone are the days when they were only expected to provide IT support. Now, they must provide cybersecurity recommendations to keep their clients and data safe.
With threat actors becoming more aggressive and attacks becoming increasingly sophisticated, providing cybersecurity services is not enough. You need to educate your clients on the importance of cyber hygiene.
But how do you communicate the value of cybersecurity to your clients without it sounding like just another sales pitch?
Today, we’ll guide you through making cybersecurity recommendations that feel genuine and client-focused. Keep reading to learn more about the importance of tone in cybersecurity communication.
Giving cybersecurity recommendations that feel genuine, not transactional
Lead with empathy, not features
Don’t start the conversation with a list of product specs or features; start with empathy. Empathy builds rapport and demonstrates genuine care about your client’s success.
Begin by asking them about any security concerns that have been keeping them up at night. These open-ended questions invite dialogue and can help you identify real pain points.
From there, you can guide the conversation toward solutions that will ease those worries.
Avoid focusing too much on the specs of these solutions; this approach will only overwhelm your clients further. Highlight how these solutions can help with their day-to-day problems.
Frame security risks as a business continuity issue
Most SMBs and SMEs see cybersecurity threats as an IT issue, not a business continuity issue. In reality, these risks affect every aspect of an organization’s operations.
With that in mind, emphasize how your cybersecurity recommendations can help them reduce downtime, enhance customer trust, and prevent unexpected expenses.
This way, you can reframe cybersecurity as a productivity safeguard.
Use peer benchmarks, not vendor comparisons
Clients are more likely to trust what their peers are doing than what vendors sell because peer data feels more real than vendor comparisons.
Statements like “80% of MSP clients in your sector have adopted passwordless MFA. Do you want to explore what that could look like for you?” highlight trends. They create a sense of urgency, causing clients to wonder whether they’re falling behind the competition.
More importantly, it builds credibility. Backing your cybersecurity recommendations with real-world adoption data shows your advice is grounded in reality. It’s not just theoretical because you have proof that it works for other businesses in similar situations.
Teach first, don’t pitch
Clients feel more confident about their decisions when they’re well informed, so it’s important that you educate them first.
Education builds trust. It demonstrates that you want your clients to understand a product or service rather than blindly buying it.
One way you can do this is by offering learning opportunities, such as:
- Free phishing simulations
- Short webinars on ransomware recovery
- Quick guide to Multi-Factor Authentication (MFA) best practices
Let them opt in instead of pressuring them. Provide them with resources that’ll help them build confidence in their decisions.
Use credible, external frameworks
Cite credible resources to give more weight to your cybersecurity recommendations. Use the NIST Cybersecurity Framework, CISA threat advisories, and other industry-specific compliance standards as your reference.
For example, you can say: “CISA’s latest report shows that unpatched RMM tools are a growing risk. Let’s confirm yours are current.” Using trustworthy sources helps build authority without promoting a specific tool or service.
Prioritize lightweight automation and risk metrics
To avoid sounding like an alarmist, use data to highlight risks. Here’s a simple script you can use to gather data-driven insights for your cybersecurity recommendations:
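```powershell
# Get-ExpiringPatches is not a built-in cmdlet; define it or substitute your own patch-inventory query.
$patches = Get-ExpiringPatches
if ($patches.Count -gt 10) { "Client is exposed, recommend immediate patch cycle." }
```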
Using automation to present evidence will help you present your case without pressuring your client.
Empower your clients through collaborative roadmapping
Finally, guide your clients through developing a cybersecurity plan. Don’t dictate to them or push them towards a specific service or tool. Remember, you want to make cybersecurity recommendations, not a sales pitch.
To engage your clients, use statements like, “Would it help if we walked through your top alerts from last month—just for awareness?”
This approach ensures that the process is collaborative, not transactional. You’re not trying to sell your clients anything; you’re just inviting them to explore their current security posture.
📌 Best practices for providing security recommendations:
| Component | Purpose/Value |
| --- | --- |
| Empathy-first framing | Builds rapport and trust |
| Business-oriented messaging | Aligns security with operations, not features |
| Industry benchmarks | Validates cybersecurity recommendations without vendor-centric bias |
| Education over pitching | Fosters understanding and voluntary adoption |
| Trusted frameworks | Enhances credibility through third-party alignment |
| Risk-driven prioritization | Replaces urgency with data-driven insights |
| Client-led reviews | Builds autonomy and positions MSPs as collaborators |
Client security talkflow: A guide to leading meaningful, low-pressure security conversations
Here’s a simple, repeatable workflow you can use for presenting cybersecurity recommendations to your clients:
Step 1: Identify a trending risk
Start the discussion by mentioning a current or trending threat that resonates with your client, for instance a surge in ransomware targeting SMBs or an increase in phishing attacks aimed at finance departments.
Step 2: Invite dialogue
Instead of going straight into diagnostics or recommendations, invite your clients to review their current infrastructure with you.
Ask them to check their backup policy together or go over their top security alerts from last month. This kind of invitation sets the tone for a friendly and collaborative discussion.
Step 3: Use automation to gather data
Run the script below to gather quick, actionable data you can use to support your recommendations:
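```powershell
# Get-ExpiringPatches is not a built-in cmdlet; define it or substitute your own patch-inventory query.
$exp = Get-ExpiringPatches
if ($exp.Count -gt 5) { "Critical patch backlog detected" }
```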
Step 4: Share the results during your Quarterly Business Reviews (QBRs)
Incorporate the insights you’ve gathered into your regular QBRs instead of presenting them as a standalone pitch. Doing this helps frame cybersecurity as a strategic priority.
Step 5: Document the conversation and offer non-urgent recommendations
After the meeting, summarize the discussion in a follow-up email and include a few low-priority recommendations. Documenting the conversation keeps the momentum going without putting unnecessary pressure on the client.
You’re giving them space to review the insights you’ve presented on their own instead of pushing them towards a specific decision.
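The scripts in the automation section and in Step 3 both call `Get-ExpiringPatches`, which is not a built-in PowerShell cmdlet. The added example below (not NinjaOne's code) is one way to define it, assuming "expiring patches" means software updates that the Windows Update Agent reports as applicable but not installed. `Get-PatchBacklogSummary` and its output fields are hypothetical names chosen for this illustration.

```powershell
# Added example: one possible definition of the page's Get-ExpiringPatches placeholder.
# Assumption: "expiring patches" = updates Windows Update reports as not yet installed.
function Get-ExpiringPatches {
    [CmdletBinding()]
    param()
    # Windows Update Agent COM API; the search uses the device's configured update source.
    $session  = New-Object -ComObject Microsoft.Update.Session -ErrorAction Stop
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            Title    = $update.Title
            # MsrcSeverity is empty for updates without a security rating.
            Severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
            KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
            Released = $update.LastDeploymentChangeTime
        }
    }
}

# Hypothetical helper: turns the raw list into figures suitable for a QBR slide.
function Get-PatchBacklogSummary {
    param([int]$Threshold = 5)
    try {
        $patches = @(Get-ExpiringPatches)
    } catch {
        # A failed search (service disabled, source unreachable) must not read as "0 pending".
        return [pscustomobject]@{ Status = 'Unknown'; Pending = $null; Critical = $null
                                  OldestDays = $null; Detail = $_.Exception.Message }
    }
    $critical = @($patches | Where-Object Severity -eq 'Critical')
    $oldest   = $patches | Sort-Object Released | Select-Object -First 1
    [pscustomobject]@{
        Status     = if ($patches.Count -gt $Threshold) { 'Critical patch backlog detected' }
                     else { 'Within threshold' }
        Pending    = $patches.Count
        Critical   = $critical.Count
        OldestDays = if ($oldest) { [int]((Get-Date).ToUniversalTime() - $oldest.Released).TotalDays }
                     else { 0 }
        Detail     = ($patches | Group-Object Severity | ForEach-Object { "$($_.Name): $($_.Count)" }) -join '; '
    }
}

Get-PatchBacklogSummary -Threshold 5
```

Reporting `Unknown` when the search fails keeps a disabled update service from showing up in a review as a clean device.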
NinjaOne services for stronger cybersecurity client communication
NinjaOne offers excellent security and automation tools that allow MSPs to turn raw data into actionable cybersecurity recommendations.
| NinjaOne Service | What it is | How it helps |
| --- | --- | --- |
| NinjaOne Reporting + QBRs | Profiles real trends without the marketing fluff | Tracks metrics such as missed patch cycles, frequent failed login attempts, and specific vulnerability trends |
| Scripting Engine | Uses PowerShell outputs to surface actionable security risks | Allows you to create custom scripts for analyzing device health, detecting potential security vulnerabilities, and generating detailed reports on system configurations |
| Documentation Module | Stores security baselines and updates summaries for client transparency | Ensures consistent documentation across client environments |
| Alerting & Notification | Triggers “educational touchpoints” on repeated alerts, such as failed MFA attempts | Helps proactively communicate security risks to clients |
Strengthening client partnerships with thoughtful cybersecurity recommendations
Delivering cybersecurity recommendations to clients is not just about upselling services; it’s about helping clients see the value in building a strong and secure IT infrastructure.
By leading with empathy and reframing security as a major business concern, you can provide practical security advice in a way that feels genuine and supportive.
This approach not only strengthens client relationships but also positions your MSP as a proactive partner rather than just another vendor trying to sell to its clients.