Most MSPs are accidentally talking prospects out of buying cybersecurity and compliance. By leaning on “shock” statistics about how few businesses take security seriously, they normalize doing nothing instead of making action feel urgent and expected.
Stop selling security like a bad cheeseburger
Imagine trying to sell a burger by saying, “Did you know 80% of people don’t eat our cheeseburgers?”
Ridiculous, right? You’ve just told the customer that the safe, normal thing to do is walk away.
That’s exactly what happens when MSPs sell with lines like:
- “Most SMBs don’t have a cybersecurity program.”
- “The majority of small businesses aren’t compliant with basic standards.”
- “Hardly anyone is prepared for an incident.”
You think you’re raising urgency. Maybe even trying to put some kind of Veblen-esque exclusivity spin on it…
What the buyer hears is: “People like me usually ignore this. So I can, too.”
The social proof backfire
MSPs sell into an environment of uncertainty. Most owners, CFOs, and even IT managers aren’t security experts. When people are unsure, they look around and ask: “What do others like me do?”
That’s social proof in a nutshell: we use other people’s behavior as a shortcut for “the right move” when we don’t fully understand the situation. And the truth is that social proof has been proven to be the most powerful lever you can pull when it comes to human behavior.
So when you lead with, “Most businesses are underprepared,” you’re not just sharing a stat. You’re painting a picture of a world where neglect is normal, expected, and apparently tolerated. Your prospect takes that as social permission to stick with the status quo a little longer.
You meant: “This is a serious problem.”
They hear: “Everyone else is putting this off, so I’m not behind.”
As Dr. Robert B. Cialdini, author of Influence: The Psychology of Persuasion, would say, you want to normalize the desired behavior and marginalize the undesired option.
tl;dr: By broadcasting how many businesses are behind in compliance and cybersecurity, we’re not raising awareness — we’re making it easier for businesses to fall behind.
The Petrified Forest lesson for MSPs
There’s a famous experiment from Petrified Forest National Park that nails this point. (Cialdini conducted this experiment and references it in his book.)
Visitors kept stealing pieces of petrified wood. To stop it, the park put up signs that basically said: “Many past visitors have taken wood from the park, damaging this natural wonder.”
The logic: show people the problem, they’ll stop.
The result: theft increased.
Why? Because the sign told every new visitor, “Lots of people take wood.” It accidentally reassured them that stealing a piece was normal. The message became negative social proof.
When researchers tested a different sign — one that said, in effect, “The vast majority of visitors leave the wood where it is” — theft dropped. The new sign made the desired behavior the norm, not the exception.
The first sign delivers what is called an injunctive norm. It tells us what the rules are, how we should behave. But just like when we’re told we should stop smoking, eat vegetables, or abide by the speed limit, we often do not do what we should do. The second sign communicates what’s normal in terms of what people are actually doing, which is called a descriptive norm. Let’s call them should norms and do norms. Do norms are very powerful. But unfortunately, the second sign makes it sound quite normal to steal a wood chip. It might as well say, “Get yours before it’s too late!” It normalizes the very behavior it is trying to prevent. (Psychology Today)
Now map that to your sales deck:
- Old park sign: “Many visitors steal wood.”
- Old MSP pitch: “Most businesses don’t take cybersecurity or compliance seriously enough.”
Same error. You’re highlighting how common the wrong behavior is, then expecting people to choose differently.
How MSPs talk prospects out of security
If you sell or market for an MSP, you’ve probably used some version of these:
- “Most SMBs don’t even have a formal incident response plan.”
- “Only a small percentage are compliant with regulation X.”
- “The majority don’t train their users on phishing.”
On a slide, these feel powerful. They’re big, dramatic numbers.
But they quietly answer your prospect’s unspoken question: “Am I weird if I don’t fix this?”
You’re supposed to make your buyer feel like they’re falling behind their peers. Instead, you’re telling them their peers are right there with them, ignoring the same problem.
In other words, you are:
- Reinforcing inaction as normal.
- Making delay feel socially safe.
- Putting your offer in the “outlier” bucket.
That’s a brutal handicap to give yourself before you even talk about price.
Use the statistic, change the story
This doesn’t mean “never use statistics.” It means stop using them to show how rare good behavior is.
You have three levers for reframing a statistic:
Direction of the trend
If today’s number is bad, emphasize the movement, not the current neglect.
- Instead of: “Only 20% of SMBs have a formal cybersecurity plan.”
- Try: “More SMBs are formalizing cybersecurity plans every year as customers and insurers demand proof — and that shift is accelerating.”
You’re no longer saying “almost no one does this.” You’re saying “your peers are starting to move; this is where the market is going.”
Who you point to
Social proof works best when it’s about “people like me.” For MSPs, that means:
- Same industry.
- Similar size/stage.
- Similar regulatory or vendor pressure.
Use lines like:
- “Most of the manufacturing firms we support now run at least annual security awareness training.”
- “Owners in your vertical are tightening controls because their largest customers started asking for evidence.”
Outcome, not just adoption
Don’t just say “clients bought X.” Tie the behavior to a concrete benefit:
- “Clients who implemented continuous monitoring cut the time to detect incidents by weeks.”
- “Teams running quarterly phishing simulations consistently see fewer successful attacks over time.”
Now the stat isn’t a horror story about how few people buy your cheeseburger. It’s a proof point that people like your prospect are taking specific actions and seeing results.
From “aren’t doing it” to “are doing it”
Here are a few copy pivots you can lift directly into your deck, emails, or one‑pagers.
Risk posture
- Don’t lead with: “Most businesses will experience a breach, and the majority are underprepared.”
- Try: “More of your peers are assuming a breach will eventually happen — and they’re investing in detection and response so a bad day doesn’t become a bad year.”
You shift from “Everyone’s unprepared” to “Prepared is what smart peers are becoming.”
Training and human risk
- Don’t lead with: “Most employees can’t spot a phishing email.”
- Try: “Teams that run regular phishing simulations train employees to spot attacks — and over time, your users become part of your defense instead of your biggest risk.”
Same underlying reality, totally different implied norm.
Compliance
- Don’t lead with: “Only a minority of businesses are fully compliant with regulation X.”
- Try: “Regulators and large customers increasingly assume a basic level of compliance is in place — and more of your competitors are treating it as standard operating procedure.”
The first message says, “Almost nobody is compliant, so you’re fine for now.”
The second says, “Compliance is becoming table stakes; falling behind is risky.”
A simple rule for your next security campaign
When you write copy for your MSP website, sales deck, or outbound sequence, run every stat and every “most businesses” sentence through this filter:
- Does this make it sound like normal people ignore this problem?
- Could this be rephrased as “80% of people don’t do this and they’re getting away with it”?
If the answer is yes, cut it or reframe it.
Your job as an MSP isn’t to prove that neglect is common. Your job is to make responsible behavior feel:
- Normal.
- Expected.
- Already in motion among people like your prospect.
That’s how you use social proof to sell cybersecurity and compliance — by putting your offer on the side of “this is just what companies like yours do now,” not “only a tiny, paranoid minority buys this.”