It’s been nearly 10 years since we began talking about how cloud computing and mobility will reshape the IT landscape. Over the last decade, cloud migrations have taken place, mobile devices have been distributed to the workforce, and companies are leveraging new platforms including Big Data, Internet of Things and more.

But why haven’t we made more progress? Security is one key reason. Consider the landscape today: Bad actors have new capabilities and motivations, and new technology models create unknown liabilities for those that embrace them. At CompTIA, we have seen a definite uptick in interest around security as companies realize they need a new approach to protect their assets and their reputation.

This is where you come in: There’s a huge opportunity for channel firms when it comes to security—more than you may realize. CompTIA’s latest study, Security in the IT Channel, examines the practices of MSSPs and MSPs to understand what steps should be taken in order to serve customers better. The report is full of good information, including the size of the security market, the growing prospects for InfoSec professionals, and the technologies that channel firms feature in their portfolios.

The most practical data, though, centers on the conversations that channel firms have with their clients about security. Increasingly, these conversations need to serve a dual purpose. First, they should educate the customer on the modern security landscape—not with doom-and-gloom scenarios, but with the reality of running a business today. Second, they should present a thorough description of the various options available and the process for implementing those options.

The conversation might get started by either party. Fifty-one percent of firms surveyed said that they typically initiate discussions with customers, and 49% said that customers bring concerns to them. The most common driver for the discussion, regardless of who makes the first move, is a change in IT operations. Obviously, cloud and mobility are forcing changes to IT architectures, and there must be corresponding changes to security.

Another element that channel firms should think about using in the discussion is the cost of security breaches. This doesn’t have to be a scare tactic. The cost of a breach is very real, especially for small businesses. The 2015 Global Report on the Cost of Cyber Crime conducted by the Ponemon Institute estimated the average annual cost to an individual company at $7.7 million. This average is skewed high by large enterprises, but the 2014 version of the study also found that the per capita cost for the smallest businesses was significantly higher than at the largest firms—$1601 vs. $437.

This figure is likely to have more impact with the person at the top of the company, and the good news there is that channel firms find themselves talking to the CEO about security almost as much as they are talking to the IT department. Other lines of business are involved as well, although our research has found that security is one technology decision that business units tend to defer to the IT team. Knowing who you’re talking to is a critical part of the conversation, as different groups will have different pain points.

Finally, solution providers need to be sure they are talking about value—particularly the value that they will bring in addition to the products that will be installed. While the channel is generally seeing a trend towards providers promoting the value of their own services, security seems to be a field where that promotion may be lagging. Fifty-six percent of security firms say that they primarily rely on the reputation of their vendor when selling, and only 11% primarily rely on the benefits of the services they bring to the table.

Security is not just a technology problem anymore. The days of only building a secure perimeter are gone, and modern security involves an array of technology along with business processes that establish safeguards and education that reaches the entire workforce. Channel firms focusing on security have a great opportunity to talk with their clients about gaps in their operations, then to deliver value by filling those gaps.