Liability Defense, Not Just Compliance, Is A Winning Security Sales Play: Galactic Advisors CEO

‘You’re changing the conversation You’re demonstrating the risk. And you’re helping them understand that lawsuits [can be] worse than ransomware,’ says Galactic Advisors CEO Bruce McCully.

https://www.youtube.com/watch?v=N5kg3du4UWs&t

Framing security tools as a liability defense rather than a way to achieve compliance is a better way to motivate customer spend, said Bruce McCully, founder and CEO of cybersecurity assessment firm Galactic Advisors.

Solution providers can look to plenty of examples in the news around cybersecurity incidents to show clients the publicity and expense of breach settlements for companies of all sizes while auditing prospective clients to show vulnerabilities and tailor the dialogue to their business and insurance policies, McCully said on stage during the XChange NexGen 2025 conference, hosted by CRN parent The Channel Company. The show goes through Tuesday in Houston.

“You’re changing the conversation,” Galactic Advisors’ CEO said. “You’re demonstrating the risk. And you’re helping them understand that lawsuits [can be] worse than ransomware. You’re helping them understand that without evidence, they’re vulnerable to lawsuits.”

Galactic Advisors Strategies

Manny Villa, CEO of San Antonio-based solution provider VIA Technology, told CRN in an interview that putting in a process for documenting a client’s security posture and how the solution provider is meeting its obligations are essential for doing business.

“My biggest fear as [a solution provider] owner is risk management,” Villa said.

In September, RSM—No. 68 on CRN’s 2025 Solution Provider 500—issued a report that analyzed more than 10,000 cyber claims for events that happened between 2020 and 2024. The solution provider found that 98 percent of the claims, totaling $2.4 billion, came from small and midsize enterprises with less than $2 billion in annual revenue.

Ransomware and business email compromise represented half of the claims for more than $1,000 by smaller enterprises. Smaller enterprises saw 395 claims over $1 million and another 341 claims between $500,000 and $1 million. Business interruption losses sometimes exceeded $90 million for companies with annual revenue below $700 million.

Payouts for all organization sizes covered about 30 percent of total incident cost. The five-year payout for smaller enterprises covered 69 percent of the cost, down from 81 percent last year. Average crisis services for smaller enterprises ranged from $121,000 in 2020 to $144,000 in 2024. The five-year total cost of crisis services grew 40 percent year on year.

Solution providers should want even their smaller clients to have incident response plans, evidence they went through cyber awareness training and signed acceptance use policies, Galactic Advisors’ McCully said. One in five ransomware events ends in a lawsuit, he estimated.

“We have a problem—it isn’t just the hackers. It’s a new breed of personal injury attorney that follows the hacker,” he said. “After a breach, you aren’t the victim, you become the defendant.”

He pitched solution providers in the room on the services Nashville, Tenn.-based Galactic Advisors brings for creating clients’ written information security plan with evidence for auditors, insurers and lawyers.

Galactic Advisors also promises the ability for solution providers to give clients acceptable use policy with tracked reviews and approvals tied to insurance requirements, a secure portal for documentation retrieval even when systems are offline, a customized incident response plan based on the partner’s playbooks, assigned security awareness training with completion evidence, technical defense training for IT staff, documented inventory of critical data assets and ongoing visibility into program progress.

Adopting these products could result in greater monthly recurring revenue and reduced liability for solution providers, he said.

“You’re helping them understand the liability, and you’re giving them a solution,” McCully said.