
MSPs Can Boost Profitability With Third-Party Security Assessments: Galactic Advisors

Joseph F. Kovar

‘We don’t need administrative credentials. ... And we provide you with a report that you can sit down with [prospective customers to discuss their needs],’ says Bruce McCully, chief security officer of cybersecurity auditing company Galactic Advisors.


Third-party security assessments for prospective customers are an important way to differentiate an MSP’s offerings and stay away from competing solely on price.

That’s the message from Bruce McCully, chief security officer of Galactic Advisors, who Sunday told an audience of MSPs at CRN parent The Channel Company’s XChange 2022 conference being held this week in Denver that third-party services are key to MSPs being able to close deals.

Before he started with Galactic Advisors, McCully had his own MSP business that he grew to about $8.5 million in revenue before selling it. He said that as an MSP, he had to deal with customers such as hospitals that, when impacted by a ransomware attack, were already being supported by MSPs or MSSPs.


That experience led McCully to help found Galactic Advisors, which assists MSPs in offering a third-party assessment of their prospective customers’ security, he said.

“You don’t have to worry about your competitors going in and doing an analysis of your work or somebody coming in and selling something else,” he said. “We provide you the tools, scripts and training to reduce risk and increase profit.”

Galactic Advisors, a Nashville, Tenn.-based cybersecurity auditing firm, looks to support MSPs, McCully said. If the typical MSP has an advanced security stack in place, offers the right technology and trains its personnel the right way, its offerings will probably be more expensive than the next MSP, he said.

“If you don’t have a way to show them why they should invest in the security that you’ve worked so hard to build, they won’t,” he said. “And you’ll be left without any clients.”

Security starts with building a security stack, providing assessments and finishing the details, McCully said.

A lot of MSPs build an advanced security stack that they use to make a competitive proposal to customers, but that proposal can cost twice as much as those of their competitors, he said.

Instead, McCully said, it is better to split the proposal into two parts, one with a standard security stack and one with an advanced security stack.

“[You can say,] ‘Look, I’m recommending that you purchase this entire stack because it’s further than where you are today.’ And that’s what we’re trying to communicate by saying should you have an advanced security stack.”

An MSP’s goal is to help educate people and move them from basic needs to become more security-minded, McCully said.

“Security-minded clients … put in place the tools that you want them to put in place,” he said. “And they understand that this is a shared responsibility when it comes to protecting [them].”

“Always use an assessment,” McCully said. “It doesn’t matter if it’s a cold lead or a referral from somebody that you know or trust.”

The first step, he said, is to fill out an incoming lead form for every lead that asks one simple question: ‘Why now?’

“You want to ask something like, ‘How’s it going?’ Or, ‘What’s going on?’ Ultimately, you want to understand why are they doing this right now. Why did they think about stopping with their current provider and pick up the phone and call you? And while you’re on this call, you’re going to schedule your 26-minute assessment,” he said.

Second, immediately send a credibility email including three to five testimonials and a non-disclosure agreement to prospective customers before talking about their security environment in detail, McCully said.

The third step is a follow-up phone call, the 26-minute call referred to earlier, with questions about customers’ requirements that help illustrate their risks, McCully said. That sets up the fourth step, the discussion about the security analysis, regardless of whether it’s using Galactic Advisors or another third-party assessment provider, he said.

If the MSP works with Galactic Advisors, it will send the customer a link that lets it analyze its security environment and send a third-party assessment report within two business days, McCully said.

“And this is a true third-party assessment done by a separate team, by folks that are not in their security network,” he said. “We don’t need administrative credentials. We don’t need access to their network. And we provide you with a report that you can sit down with [prospective customers to discuss their needs].”

The final step is to use the assessment to close the deal, McCully said.

“You can pick up the phone and say, ‘Hey, I’m a little concerned about our findings,’” he said. “[But] you don’t want to scare the [heck] out of them. You’re not trying to sell them something. You’re not trying to force them. When it comes down to it, we’re talking about getting in front of them. We’re talking about having this meeting. And what is the goal? The goal isn’t to scare them. The goal is to educate them.”

McCully said that education doesn’t mean talking about the technology or about how hacking works.

“Educate them on the business impact,” he said. “What is the impact of what you’re doing when it comes to security?”

After that, it’s important to provide stories that illustrate business risk, McCully said.

“You have stories about this,” he said. “Just talk about the stories and how they impacted the client or the prospect. Can you share how they changed and impacted their reputations?”

McCully also shared what he learned from a used car salesperson who he knew really well.

“‘Besides price, what would stop you from agreeing to work with us?’” he said. “All of a sudden, you’re finding out all those little things that they’re not telling you. … You need to find out before you tell them that price.”

McCully had a few other tips to close the deal. For instance, he suggested presenting customers with a “magic pen” with the MSP’s corporate logo and explaining that waving the pen in a certain way, such as by signing the agreement, will solve their security issues.

Also, he said, go a little crazy and ask for a referral even before the prospective customer signs a deal, and find out who the customer knows who might also benefit from enhanced security.

Ryan Heath, senior project administrator at Dymin Systems, told CRN the Des Moines, Iowa-based MSP has worked with a couple of third-party assessment security tools but has yet to find the right tool to meet the needs of its customers, which primarily have been smaller businesses.

“It was very interesting when McCully said no client credentials were needed for an assessment, just a simple link,” Heath said. “I’m very curious to see how that’s going to work and what it looks like. And I have questions for them regarding tools such as ThreatLocker or other zero trust things like that.”

Most of Dymin Systems’ customers, which are in the 10-seat to 20-seat range, don’t really understand the need for security assessments, but as the MSP shifts toward customers in the 25-seat to 50-seat range, it finds those customers understand the need, Heath said.

McCully’s five-step assessment plan had a couple of really interesting points, Heath said.

“I liked the referral piece and also the breakout of pricing,” he said. “We’ve always very much believed in, if we only offer one service, we’re not going to allow you to pick and choose. You get everything or you get nothing. But it does hurt us because we come in higher than someone else because we do have good tools that cost money, and we have good people that cost money.”

Having that breakout could be a valuable sales tool, Heath said.

“It’s one thing to have a conversation and say, ‘Yes, we’re more expensive because we do all the cybersecurity stuff,’” he said. “It’s another to say, ‘Here’s our cybersecurity stack, this is what it costs per user, here’s our rate, this is all the tools you’re getting from the other guy, and this is our price,’ so we can show the different value. It makes it a little more clear-cut than pushing the salesperson to have to explain it better.”
