MSPs, Are We Losing the Cyber Revenue War to 'Tech-Speak'?
Just caught the latest report projecting the managed security market hitting $69B by 2030. It’s frustrating to think we’re leaving revenue on the table simply because we can't bridge the gap between technical expertise and business needs.
We see this constantly in the field. We identify critical risks, like the recent CVE-2024-1708 (ConnectWise ScreenConnect Authentication Bypass) or the CVE-2024-1709 ScreenConnect Path Traversal, but the pitch often stalls at "technical jargon." Clients don't buy CVEs; they buy risk mitigation.
To fix this execution gap, I've started leading sales meetings with raw data rather than slide decks. I run a pre-audit script to enumerate potentially vulnerable remote access tools on their network. This shifts the conversation from hypotheticals to immediate exposure.
Here is a quick PowerShell snippet I use to identify outdated ConnectWise Control agents that might be vulnerable to the recent auth bypass:
# List ConnectWise Control installs older than the version this check treats as fixed
Get-WmiObject -Class Win32_Product | Where-Object {
    $_.Name -like "*ConnectWise*Control*" -and
    [version]$_.Version -lt [version]"23.9.8.8858"
} | Select-Object Name, Version, PSComputerName
Showing them a list of vulnerable endpoints in real-time usually changes the tone immediately.
How are you handling this? Are you finding success translating technical exploits like ScreenConnect or SimpleHelp into business value for executives, or is the sales gap still your biggest hurdle?
Totally agree with the approach. We found that the 'executive summary' PDFs were getting ignored. Now, we use a similar automated scan but feed the results into a dashboard.
We specifically flag RCEs like the ConnectWise issues. When they see a 'Critical' flag next to a machine hostname in the demo, they sign the MSA. It stops being a 'maybe next quarter' IT upgrade and becomes a 'fix this today' business continuity issue.
The technical gap is real, but don't forget the compliance angle. For many of our clients, they don't care about the exploit itself, but they care deeply about the audit failure.
We reference CISA KEV entries (like the recent SimpleHelp RCE alerts) to prove due diligence. If we can show that we actively monitored for CVE-2024-1709 and patched it before the audit, the value proposition is clear.
I've tried the script approach, but be careful with WMI querying Win32_Product across a large subnet—it can trigger MSI repair processes and bog down the network.
I prefer checking the registry or file versions directly for a lighter touch. Also, ensure you're checking for the ScreenConnect web server component separately if they host it themselves, as that was the primary vector for the path traversal.
Nina is spot on about Win32_Product triggering repairs. To bridge that technical gap for the ScreenConnect CVEs mentioned, I use this registry check. It allows you to find unpatched versions instantly and present a clear remediation status instead of raw technical risk.
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like '*ScreenConnect*' } | Select-Object DisplayName, DisplayVersion
Translating 'Auth Bypass' to 'Financial Impact' is crucial. I frame these risks as a failure in Asset Protection, similar to a propped-open server room door—it makes the threat tangible to executives.
For a quicker verification than registry spelunking, query the executable version directly:
(Get-Item "${env:ProgramFiles(x86)}\ScreenConnect\App\Web\ScreenConnect.Service.exe").VersionInfo.FileVersion
To validate the patch without triggering those WMI repairs Nina warned about, use the file system object. It’s faster and safer for scanning the network.
Get-Item 'C:\Program Files (x86)\ScreenConnect\ScreenConnect.Service.exe' | Select-Object FullName, VersionInfo
Pairing this verification with a "Ransomware Readiness" narrative—explaining that Auth Bypass is the #1 vector for encryption attacks—usually converts the tech talk into a budget approval instantly.
We shouldn't wait for clients to understand the jargon; show them the market for their data. We correlate vulnerable instances with active dark web listings. If exploit code for a specific CVE is trending, we report that immediate exposure. It changes the conversation from 'fix this bug' to 'attackers are selling access to your network right now.'
def check_dark_web_trends(cve):
    # `monitor` is not defined in this post; it must be supplied by the caller's environment
    active_markets = monitor.darkweb_scan(query=cve)
    return len(active_markets) > 0
Contextual urgency drives action better than technical definitions.
Validating versions efficiently lets us speak the language of "Risk Exposure." Instead of listing a CVE, we can say, "40% of your endpoints are currently exposed to unauthorized access." This turns a technical bug into a business metric they need to budget for. Here is the PS snippet I use to gather that data quickly for executive summaries:
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object {$_.DisplayName -like '*ScreenConnect*'} | Select-Object PSComputerName, DisplayName, DisplayVersion
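The registry check from the replies, combined with the version comparison from the original post and the "percent of endpoints exposed" figure described above, as an added example that is not code from any poster in this thread. The function names and sample rows are constructed; the threshold is the value used in the original post's snippet.

```powershell
# Added example. Reads both Uninstall hives instead of Win32_Product,
# so no MSI consistency check or repair is triggered.
# Threshold copied from the original post's snippet; confirm it against the vendor advisory.
$FixedVersion  = [version]'23.9.8.8858'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ScreenConnectInstall {    # hypothetical name
    param([version]$Threshold = $FixedVersion)
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ScreenConnect*' -or
                       $_.DisplayName -like '*ConnectWise*Control*' } |
        ForEach-Object {
            # DisplayVersion can be missing or non-numeric; TryParse never throws.
            # Note: a three-part value such as 23.9.8 sorts below 23.9.8.8858.
            $parsed = $null
            $ok     = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            $status = if (-not $ok) { 'Unknown' } elseif ($parsed -lt $Threshold) { 'Outdated' } else { 'Current' }
            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Status         = $status
            }
        }
}

function Get-ExposureSummary {         # hypothetical name
    param([object[]]$Results, [int]$TotalEndpoints)
    # Count machines, not rows: one host can have two registry entries.
    $hosts = @($Results | Where-Object Status -eq 'Outdated' |
               Select-Object -ExpandProperty ComputerName -Unique)
    $pct = if ($TotalEndpoints) { [math]::Round(100 * $hosts.Count / $TotalEndpoints, 1) } else { 0 }
    [pscustomobject]@{ TotalEndpoints = $TotalEndpoints; OutdatedHosts = $hosts.Count; PercentExposed = $pct }
}

# Constructed sample rows standing in for results collected from five endpoints.
$sample = @(
    [pscustomobject]@{ ComputerName = 'PC-01'; Status = 'Outdated' }
    [pscustomobject]@{ ComputerName = 'PC-01'; Status = 'Outdated' }   # duplicate hive entry
    [pscustomobject]@{ ComputerName = 'PC-02'; Status = 'Current'  }
    [pscustomobject]@{ ComputerName = 'PC-03'; Status = 'Outdated' }
    [pscustomobject]@{ ComputerName = 'PC-04'; Status = 'Unknown'  }
)
Get-ExposureSummary -Results $sample -TotalEndpoints 5   # 2 of 5 hosts outdated
Get-ScreenConnectInstall                                 # rows for the local machine, if any
```

Rows marked `Unknown` are left out of the percentage and should be checked by hand rather than counted as patched.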