When a client’s budget tightens, the cybersecurity line is usually the first one with a target on it. Executives see it as overhead. Nobody except the IT director can measure what it prevented. And the people who benefit most from the investment, the board and the CEO, rarely feel the risk directly until something goes wrong.
Attackers know this. Heather, a Cynomi partner account manager, puts it plainly: when the economy wobbles, one of the first things companies cut is cybersecurity, and the hackers know that better than anyone. If you are an MSP selling into that environment, hoping the client will stay committed on their own is not a plan. You need to give them the questions that make cutting the budget feel more expensive than keeping it.
This post is for MSP owners and sellers who are tired of watching good programs get defunded at the worst possible moment. The four questions that follow are ones Heather uses, in some form, on almost every hard client conversation. They are outcome-oriented, they make the risk concrete, and they put the decision where it belongs: on the person whose job is on the line.
Question One: If You Get Hit Tomorrow, Who Handles It?
Most clients have a loose answer to this. “We have backups.” “We have cyber insurance.” “Our MSP would handle it.” Press on any of those and the answer gets shakier. Which vectors are you covered for: data leak, website defacement, ransomware, or business email compromise? Who calls the forensic firm? Who decides whether to pay? Who tells the clients? Who tells the regulators?
The point is not to trap the client. The point is to make them answer the question out loud, in specifics, so they can hear themselves. Most executives have never had to articulate the full response plan, because nobody has ever walked them through it. When they do, the gap between what they believe they have and what they have gets visible in a hurry.
An MSP who can guide a client through that scenario, calmly and in plain language, becomes a different kind of vendor. You are no longer providing a service line. You are acting as the advisor the client should have had all along.
Question Two: How Long Until You Are Back Up, and Can You Survive It?
Downtime tolerance is a better budget conversation than threat frequency, because it is something the business side of the house understands. Ask the CFO what the company’s revenue looks like on a bad day offline, and they can tell you. Ask them whether the company can afford that number for a week, and they will start to do the math in their head.
Heather’s version of this question goes further. How long until you are back up and running? Can you survive that? And for how long? That last part is the one that usually lands hardest. A business that can absorb three days of disruption may not be able to absorb three weeks, and most incidents are closer to the second number than the first. Ransomware recovery timelines of one to three weeks are common. Cyber insurance payouts can take months.
When the client sees that their downtime tolerance and their incident survival window do not match, the cost of the gap becomes easier to quantify. And once you are talking about cost, the cybersecurity spend stops being overhead and starts being a hedge against a larger loss.
Question Three: Whose Job Is on the Line?
This is the question most sellers skip because it feels too personal. That is exactly why it works.
Every serious incident comes with a blame conversation inside the organization. The CEO wants an answer. The board wants an answer. The regulators want an answer. And whoever was responsible for the decision that left the gap open is the person who gets asked. In most mid-market companies, that person is the IT director, the CIO, or the CFO who signed off on the budget.
Asking “who is going to be held responsible if this happens” functions as a service rather than a scare tactic. You are helping the client see their own exposure before an incident does. And once they see it, the budget conversation changes. They are no longer deciding whether to spend money on security. They are deciding whether to carry risk on their own shoulders or distribute it across the security program you are proposing.
Heather’s framing on this is that the conversation has to be realistic. “Do you trust every employee at your organization with your job in their hands?” That is not a rhetorical question. Most clients have never thought about their workforce that way, and when they do, the answer usually surfaces a weakness they had been quietly ignoring.
Question Four: If You Do Not Have the Budget, Who Inside Your Organization Does?
When a client says they cannot afford the program you are recommending, the conversation has just gotten more useful, not less.
Instead of discounting, instead of dropping services, instead of walking away, ask the client who inside the company can unlock the budget. There is almost always somebody, and it is almost always someone the client has not approached yet. Sometimes it is the CEO. Sometimes it is a board member. Sometimes it is the insurance broker who is about to deny coverage unless specific controls are in place.
Then you offer to build the case with them. What do they need to take to that person? What data, what scenarios, what comparisons to peers? The conversation pivots from a no to a joint project. The client is no longer trying to cut you out of the budget. They are trying to help you both justify it.
Heather’s phrasing makes the pivot explicit: “How do we help you afford this? What do you need to take to your company to get you the budget?” It is a small shift. It keeps the two of you on the same side.
Outcome-Oriented Questions, Not Fear-Based Pitches
None of these questions comes from a place of fear. None of them predicts an attack. They ask the client to think through a scenario and answer honestly about what would happen. That posture is the difference between a pitch that shuts down the conversation and a consultation that keeps it open.
If you use these four questions regularly, two things happen. Your client conversations get harder in the first ten minutes and easier for the next ninety. And the budget conversations you had been dreading start producing different outcomes.
Cynomi’s GTM Academy Sales Kit includes full discovery frameworks, talk tracks, and client-facing materials designed to help MSPs run conversations like these at scale. If you want the supporting materials to turn these questions into a repeatable motion, they are available here.