02/22/2021
In this video, experts discuss the importance of cyber resilience in the assumed breach era, focusing on effective risk management and the need for comprehensive security frameworks. They share insights on integrating security controls and policies, emphasizing the necessity of incident response plans and vendor due diligence in protecting organizations from potential breaches. The discussion highlights the evolving landscape of IT services, urging businesses to prepare for complexities in the serverless and cloud-based environments.

- The importance of having a comprehensive assessment process for potential clients before offering services.
- The significance of maintaining a high standard of security compliance and the value it brings to the clients and the business.
- The evolution of IT services towards cloud-based and serverless solutions and the challenges they present.
Video Transcript
All right, week 38, let's take it out here. Want, want to take us out or take us in? Welcome everybody. Wonderful to see you all. First off, I was, you know, remiss in last week, and, you know, just kind of giving some thoughts. I hope everybody in the Texas region is okay. I've, I've spoken to some folks. It looks like everybody, not everybody, but a lot of our MSPs seem to be okay. Um, one person I was talking to, they're in their house. It was 20 degrees.
So if you are in that region again, uh, we are, um, we're sorry for what you went through and, and hope everybody's doing well in terms of, uh, announcements. Gary, real quick, and Ryan, um, we have the Cyber Resilience Workshops starting tomorrow. There you go. What, uh, and, uh, really looking forward to this, we've got close to 500 registered, um, and there is a link below. Should be at least. Yeah, if I, and again, the windows always look a little different.
Um, I see it below Ryan and Gary. Um, so really looking forward to that. Gary, anything you wanna quickly say about that? No, we had our last prep call, all of us, and so I'm really excited about both days of, uh, content and if you like, some of the things we're gonna touch on today around sales. Um, we'll have a great session on that on day two. Just like, again, I think all four sessions plus the technical, like that's the technical stuff for is the bonus at the end of the day. Yeah.
So, uh, yeah, I, and I, I really liked the tech. I just wanna talk about the technical real quick because Carl, you know, we asked, you know, your peer group, it's got, you know, we call it a CSO peer group. You got some mature MSPs in there. MSPs, and even they were saying they liked more of a teaching methodology versus the capture the flag this time. And so we're going to do one where, uh, we're bringing in some folks that are really knowledgeable.
Jason Slagel, if you, uh, know of or know him. He's won every single capture the flag. Um, and then, um, we've also bring in Bryson Medlock, who, uh, back in the day at, uh, Alert Logic, I believe. Yeah, it was Alert Logic. He ran all their training. Um, so he runs from capture the flags, and he is, the, both of them are, are doing training specifically on vulnerability management, vulnerability exploitation, and the second day, the top 10 web attacks.
And I, but I'm thinking, Andrew, I don't know, after, you know, having a call with those two guys with so much experience, whether people can really take us seriously in the cyber world unless we have really long beards. It's like, that's A very good point, Gary. I'm starting to grow my beard out. Yeah, even Ryan, you know who, who runs it. He's gotta have a little bit of this. You can, you can tell us more on the biz dev sales side. Gary, look, you know, over here. All right.
Yeah, there you go. Matt Lee. Uh, it definitely, uh, fits into that category, so, alright, so let me kind of frame things out. Um, we went from, over the past three weeks from frameworks to security controls to last week having Brian Blakely on who that was. I, I had a blast listening to him on security policy and I'm like, okay, so let's start to bring, go ahead Gary, are you gonna say something?
No, I was gonna say we had Brian on and at least four times in talking to MSPs since then, I've said to, I've used his quote, policies have nothing to do with the words on the page. How's that going by the way? It's going pretty well. Yeah. So, um, you know, I I, I thought, you know, I, I wanna bring this together from a sales perspective, Gary. 'cause look, you know, nothing happens until something's sold and we're, we're, you know, talking a lot about something very critical concepts.
Um, and, you know, I thought about who could I bring on? And, and it was, uh, Carl came to mind, he's been with us before. But the reason I wanted to bring Carl on also is, um, Carl, you are also a, in the process of ramping up your sales engine around it, you're, you know, you're an owner led sales model.
And, you know, I was wondering if, um, you could, maybe just before we get rolling here, I got a few questions for you and I'll hand it to Gary, but I was wondering if you could kind of just for those of out there that may not know you kind of give a little sense of your, your background and your MSP, if we could start there. Well, I, I like piña coladas and getting caught in the rain. So long walk from the wait, uh, no different, different thing, different background.
Um, yeah, so I'm the CEO of Snap Tech IT, we have a location in Phoenix, Arizona area where I'm at. We also have one in, uh, uh, at the Atlanta, uh, Georgia market and also San Francisco market. And, uh, you know, we're just, uh, I'm just a classic example of this guy that was a technician that started like having people want computer help on the side back in 2000. And by 2009 I was starting an MSP with, uh, a good buddy of mine, and we just started down the process of getting into it.
So I'm the classic case of a technician that's now running a business, trying to figure out all the other sides of it, and doing my best to learn from others and to grow. And I, I love these kind of communities where we can get together and really bolster everybody up and to, to really share. And, and, and Cole, I appreciate you sharing, I'm bringing Wes on.
Can you say, give a sense though, one thing that I wanna wanna, you know, you, you, you downplay yourself a little bit that I was just a technician. Like you come from the financial services world, you know, you've been SOC 2'd too for probably seven years. Security controls is something that it, it, it was, you had command over it, you thought about it in your own MSP.
And you know, and, and I'm gonna get ribbed here, I know from everyone on this call, but, uh, especially my friend, good friend Gary Pica. Um, uh, for those of you who don't know, I, I've done a little CrossFit in my day, but here's my point of analogizing this, hammer me in a second, lemme just get it out. So in, in 2012, you walk into a CrossFit gym and it's intimidating as hell because there are so many different facets to this fitness or this sport. And, and I won't go into 'em.
My point is this is you, you never, you think that you'll never in a million years be able to have any kind of command over this sport. And little by little you start doing different things, whether it's Olympic lifting, whether it's different, you know, odd objects, whether you name it.
And I, and I, and I thought about that analogy today, one because I wanted Gary to, you know, give me a lot of, you know, what grief after I gave that analogy, 'cause I know he is holding, but, but Carl, let, I'll let Gary give me some grief, but then can you kind of talk about that that's always been part of your business and then it's transpired into how you do your sales. So, um, Yeah, you know, well first I had to learn how to do sales or, or how to get some level of success.
And I listened to great guys in the industry, uh, might've heard Gary a time or two back in the past, back then, and definitely an industry s and, and peers and, and others. And, and I've really figured out early on that if we didn't figure out how to do this assessment style process, then we were framing the conversation wrong.
And, and so it started with first just like our self-created checklist of just things like, we need to know if a customer has this going on so that we can fix it or point it out. And so we kind of created this list and then we started to realizing this is a fair amount of work, we're gonna not just give this away. And I started seeing how as organizations mature, they start to see the value in this. And so we began charging for it.
And then we began really scoping them out and, and, uh, you're, you're right. We, we found ourselves scaling up because we're getting better at this process. And eventually we found ourselves into a client that was publicly traded, and suddenly they're like, Hey, where's your SOC 2? We're like, uh, just a minute. Um, and, uh, so in 2014, we bit the bullet and we dove in headlong there, we got an audit, we saw the bloodiness of it, and we just started working at it.
And we've been SOC 2 Type 2 compliant since 2014. Uh, that was our first year. But, you know, I'd say the latest developments that's been exciting in the last couple years, I've really realized the value of applying frameworks. I mean, this might be, you know, 101 to everybody else has been doing this, but from the MSP space, that was like, well, first of all, there is no required, uh, qualification to be an MSP or to to, there, there's no standard that's set out there.
And so you have to decide that you want to adopt one. But I'll tell you the value of it is that you become more comprehensive. You have, uh, more, uh, uh, of an authority in how you state and also, um, the assessments in general, the methodology becomes better and sharper and more valuable. Yeah. So last thing, and I'm gonna tee it all over to Gary just so people can understand.
I'm glad you brought up the large client that you had that required you to have a SOC 2, Carl, but by and large, when you and I, probably three and a half years ago when we started doing a, a peer group together, um, and you know, you were like, work Andrew working with mid-market companies that have IT departments really wasn't your cup of tea. And, uh, the reason I wanted to bring this up is, you know, we, I kind of said to you, Carl, but you know, these organizations are strapped.
They need help in vulnerability management and assessment. They need help in managing risks. They don't, they don't have those resources internally. And you, you, you know, you've always been open at looking at things differently. And now, correct me if I'm wrong, but you've been bringing in some big meatier clients up market, and, and I, uh, if you could just comment on that before we take it to Gary, because I think it's important to realize that this isn't just an SMB play. Yeah, yeah.
I mean, for, from, from our perspective, it's been a big vehicle to up marketing because to be perfectly frank, we're just learning things that a lot of them already knew, and now we're speaking their language in a better way. And, and, uh, we're doing a good job where we're keeping it practical, but we're also addressing the concerns of compliance or just giving them a meaningful way to manage their risk.
And really any business owner should be concerned about the risk in their business and the profit of their business. And if they, um, are are smart about their IT, they see it as a risk play, they see that that's how they're gonna make their judgements.
And so the more you frame it that way, the more you're going to get traction, and the more you're gonna be able to point out how that's not how they're looking at it now, how their current IT team is just really running around, you know, Johnny Ponytail as, uh, Paul would say, uh, you know, trying to just fix things and they're, they're really never taking comprehensive looks.
They're not doing the identification, they're not doing the asset work, they're not doing the risk management piece of it, which is actually the f where you should start. Yeah. So, so Gary, oh, sorry. So, so Gary, the transition to you would be, I, I, I mean, I hear it when you said that, I hear Brian Yes, last week talking about what is, what does management want, what does management expect when they look at it, and how does it align to their business objective?
So, um, so with that, uh, let me let you take it on over. Yeah, Andrew, I, I, first I said that cybersecurity is like CrossFit, but with carbs, uh, but also with less callous hands. It's really what it is. So, man, this is a huge topic that we're getting into here. And I have so many things, like I, I gotta be careful, uh, to, to use my time wisely.
Number one, you mentioned SOC 2, more and more what we're hearing as we talk to our customers, they're getting phone calls that said, the customer calls them and says, one of our customers is a bank. They're asking these questions now. Okay. And so one thing that I'll tell everybody I think you need to do is, I think you need to understand what business every one of your customers is today, and also their customers.
And you better think about what compliance requirements are coming down the line to decide whether a, it might be, we're gonna need to have this or that SOC 2 or whatever, we better get to work. It's not, you can't do it when they call you, right? Uh, or you might say it, I, it's one customer. It doesn't make business sense for all that expense. We gotta know that we're not gonna be able to answer that question when the time comes.
Like, I'm not telling people what they should or shouldn't do, but you should be aware because that's what's gonna happen. And also, as you choose customers, you have to know, like Carl, you mentioned you're able to do business with some organizations now that two years ago when you were less mature in these areas, you couldn't have, they knew more than you, right? Yeah.
I, I, I think that, uh, the framework or the going through the audits has been a huge part in our us increasing our own maturity and it's made, adopting other frameworks or working within the frameworks that a client might need us to work within much easier. And, and I'll tell you the, you know, the other compelling piece for us is I, I, I really truly fear the, the, uh, the, my servers getting attacked and then dripping out to all my customers. And that all coming from me.
And, and I, I feel like it's been a legitimately very good way for us to do protecting our own systems, our own networks, and hence protecting our own customers from even us. And so, you know, I think that you, you have to be operating in a space where everybody can be compromised. Everything can happen. And so you have to have the policies, procedures, documentation, and things in place. And not only do we need it, our customers need it, and our customers customers need them to have it.
Those security questionnaires are just money in the bank, you know? And it's not because I'm trying to, you know, take a customer for a ride or anything, it just, it points out to them, oh my gosh, my customers are gonna require this of me, and now I need to really get serious about it. Yeah. So here's the thing. If, if you look at MSPs today, um, you see some that I'm lucky enough to work with, uh, they're selling more recurring revenue at a higher price right now than ever before.
'cause they're gonna combine two things we're gonna talk about, okay. That I want to ask you about. I think you have one of the two, uh, and you have the harder one, I think, uh, of those two. And then you have a lot that they are just 10, they're struggling with sales, right? They can't get customers, they can't get 'em to pay the right price. And so the first piece is everything you've said, all the work you've done has taught you all the work that has to be done.
So when you're in front of a customer, I'm guessing you can make a higher, I'm guessing you're usually a higher price than Almost always the highest bid, Highest price. Um, and you make that the reason, right? Why people, like no one's gonna tell you they can, that someone else can keep 'em just as secure or be a good provider for 30% less. What would you say if I told you that, Hey, they said they do the same thing, Carl, for 30% less, what would you say? Uh, it, oh, not a chance.
I mean, what, what scope are you gonna have me cut out? Because this is what it takes, you know, I would never discount like that. Yeah, yeah, absolutely. So what I'm saying is that's one piece of it is that the work that you've done, and I want to ask you some questions about it, it changes your self-image and your belief system that allows you to create separation in the marketplace.
Without that, I know people that spend tons of money on sales and marketing, and they get still gots in return for it, because at some point, that's the conversation that, that that has to happen. So the second piece is then you gotta be committed to the, the sales piece of it, which is understanding all the math, the lead generation, what kind of close ratios, resources, like, if you can combine those two pieces together, you can sell as much as you want to sell right?
Now, it's never been like this. You can sell as much as you want to sell. So I wanna talk about, briefly about both of those pieces with you. Yeah, I mean, look, look, I mean, the thing is, is, um, I make a strong case and with assessment, I have the evidence to prove it as to why it costs what it costs. And they, I, I would never shorten my value because, uh, that just means they're not gonna get what they need. I don't propose things they don't need, but I am always the most expensive.
And I would argue it's just because we're the most comprehensive and most complete solution for them. And, and that means, yes, more revenue for us, but it means the customer's getting more of the value that they actually need. And so I, I hang my head with a clear conscience knowing that we're only doing what is right for the customer. But that, that being said, it does mean that our, our hour, our hourly rates are higher, our per user price is higher.
The inclusion of the extra services and the, and the security things are charged on top. And there's all these other things going on. You're right, we, we need to be better about our sales motion. And that is actually a very cool part that we're working on now.
And I'm excited to dig into that, really finally address that and just see how much I can accelerate be, and I'm pouring all sorts of money into that right now because I see the economy, the covid economy is now primed and there's opportunity to be taken like never before. And so I'm putting more money into marketing and more money into sales than I ever have before because I feel like this is a great opportunity right now. Yeah. You know, Carl, you made a great point. I want everybody to hear.
You're not going in there and telling them it's 4,000 a month, but the other competitor's 30. And you're not saying, well, you can have my crappier program for 3000 because what, you know, is the only reason you would literally be saying to them, I have not been good at conveying what your actual risks are and the investments you need to make. 'cause you have like the truth on your side. That's what every business, there's some minimum that every business needs to do right now.
And you're saying, I'm standing with that truth and I'm not backing off of it. Right. And I'm confident in it, and I know that I'm right. You know, and I feel, feel like that makes all the difference in this, in the sales motion is because they know that, that you believe what you're saying and and it's true. Exactly right. And I, that's really, really the only way I've ever figured out how to sell is to sell what I believe in, you Know? Yeah, absolutely.
A a And so, so I wanna talk, I just, uh, a couple more minutes and, um, yeah, you're good. You're good. You're good. So, hey, I wanna, let's start, um, Carl with the sales process. So let's not talk about how you get a lead, we'll get to that after, but you, you, you end up in, in front of or on Zoom with somebody for whatever reason to have this conversation. Tell us what that looks like and how you use standards or assessments in that process. Well, I, I call it the Snap Tech way.
And so what I, what I'd say is like, look, we have a unique proven process here that's gonna tell us exactly what your needs are. I can give you generic quotes or I can tell you roundabout what things cost. But the honest, the honest truth is, is I don't know enough about you to tell you and anybody that tells you off the bat what it costs for your IT is being generic and disingenuous. They don't actually know. And I'd be very suspicious of what they actually do and don't do for you.
Because the, the fact of the matter is, is you need to have some type of assessment done. I'll even tell 'em, look, if you've got a great quality assessment to hand me, I'll take a look at it and maybe that'll shorten our process of understanding. But the reality of it is, is the first stop on the process is to identify and then to measure your risk and then to make the correct informed decisions upon that. And we will give you proposals after that.
Um, we actually will present them with an MSA and an NDA at the beginning. Um, and then we will sell them an assessment and it's assessment that's appropriate to their need and scope. How much, what's the range? How much does that assessment normally cost? Oh, um, for a, you know, a 25 seat customer that's gonna be five or six grand, um, they go up to, to much more, depending on the size of the customer. Yeah. We scope it based on the need.
Uh, you know, like, uh, we did assessment, uh, uh, last year for, I don't know, a hundred seat, uh, uh, federal contractor subcontractor manufacturing. I think that assessment was 25 grand. You know, it's just what whatever the need is, uh, we, we, we scope it and spend the time to be thoughtful about it. Okay.
So at that time, they're probably not, when you're, if they commit to doing that, your close rate has to be high because, because at that point, they're not gonna do that with more than one vendor. And they're probably gonna ask a bunch of questions, um, before they spend that money if they, if they're gonna stay with the current vendor. So like, ballpark, what do you think your close rate is once someone pays you for an assessment? Oh, 90%. Yeah. Yeah. 90%.
Alright, so I have some good news and some bad news. Which do you want first? I'll take it all, Gary. Yeah, yeah, yeah. So the good news is, um, you're awesome and the psychology of having a 90% close rate once someone's at the bottom of your funnel. And that is awesome. That's the good news.
The bad news is that process is not probably, depending upon what your sales goals are, if you want to add 50, a hundred or more thousand dollars a monthly recurring revenue a year, um, and you want to do it with someone who's not you in a scalable, there's probably some changes. You're gonna, you're going to, there's probably some changes you're gonna need to make to that. Yeah. I can See that.
I, I already can feel that as our marketing engine is developing more leads and we're not spending the time to work 'em, they come in differently. You know, the hot leads that come in for referral are much easier to get that assessment sold to. So I see that we have the maturity to grow there in our sales process and, and how we go to market.
What I do feel confident is that the point in time we're talking about the assessment and we get the assessment done, it's pretty much gonna happen from that point forward. I, I gotcha. And so let me, let me tell you how people that are scaling that also are pretty strong in these areas that you are, have done it. So what they're able to do is have a sales process where they can sit with the decision maker, right?
Um, be able to ask enough questions to identify risk right there, and then to be able to use samples of their process that ties back to that risk. Hey, you mentioned this issue that you had around passwords. Can I show you this piece just around passwords? What we do? Can I show you this? So here's what's involved with it. Here's the process, here's the roles we have. Do you get the idea that someone who's a thousand dollars less wouldn't be able to do this?
Does it make sense that my customers don't manage the same risk level or those things that we uncovered that you did? So I think what you'll learn is you can do a bunch of it, and if you get that far and you still wanna do an assessment, you can, I did 'em after the sale, uh, because it was just easier for me. 'cause I wanted to flip 'em like, you know, like hotcakes. Um, but I, I, I'll tell you, be open minded. Do you know what I mean?
Because I think your logic can be applied the same logic, but in a more scalable way. Yeah, yeah. The key thing is, is regardless of how I'm gonna build it, I do wanna make sure we're gonna do a good job. And that's, you know, one of my primary motivations in the assessment is to go out and really, truly learn it to do a great job. Yeah. I don't think, I don't see you doing a bad job, dude. Yeah, yeah. I mean, but it doesn't hurt. Yeah.
But it doesn't hurt my feelings if the assessment came before or after, um, I would just need to learn how to sell that way. Yep. Yeah. Abs and that's all it is. But the, the core logic of what is making you successful and people buying from you, it isn't based on that $5,000 or the assessment. Um, it, the logic is already there.
And so you can kind of use that lever and move it back and forth, and you're gonna be able to get to, you know, 80% of the way there without it with more people and then decide which ones you really need to do an assessment for, and which ones you, you know, just from going through it, basically what they're gonna need at least enough to get 'em enough to get 'em started.
Gary, quick question for you, you know, when you own, you know, had an interest in an MSP probably three and a half years ago, still two years ago. Yep. And, and, and you know, you'd on, you know, you'd have that sales process, you'd begin onboarding, knowing what you know today, knowing that it's gonna be far more of a comprehensive around controls and or a framework like Carl's talking about and how you're suggesting, does that just increase?
Is it, is it your increase per seat sales, your, in your, your increase in per seat price that's taking care of it? Or are you building a project into that upfront? Like how, what would you advice would? Yeah, so more and more the upfront becomes more important. Like, you can't just give away the upfront right on it. So it's more and more, and maybe it's not as, I don't really care whether I'm making money on it or covering my costs. Um, but I have to know where I'm taking that from.
So if I have someone that normally does alignment that's gonna do that work, then it goes into my cost per seat because they're gonna be able to manage less customers. And, and if I'm having someone from my professional service team do it, then there's a cost associated with when they're, when they don't have the same, uh, billable. So I have to know what delivery area I'm pulling from, and it's gotta be reflected in that cost.
And in reality, it comes out in a combination of higher seat price and sticking to the right upfront, uh, uh, fee for customers, which you can sell with the same beliefs. It's basically the same concept of what Carl's doing. Yeah. It's, you're doing it for every customer and you're requiring it as, and you're calling it this upfront, but basically the process is the, is the same. The timing of it's a little different, but the process is exactly the same.
I'd love, I'd love, as Wes maybe takes over here, I'd love your take on Wes. I'm gonna kind of, I don't know if this exactly aligns with where you're gonna go, but you know, you guys at, at, at Perch, you know, upmarket got involved in a lot of M&A stuff, and I, and I, and I'm wondering if you could touch on that with Carl.
It, you know, the risks that I think MSPs take on these days historically not thinking, well, this could be owned, and now we are living, you know, we are all about an assumed breach mentality that, hey, this customer we're inheriting or this new customer, good chance that they might be owned and we don't know. And so, can I hand that to you and, and Gary kind of keep keeping the ear out for this in terms of, is it Yeah, man, today. Go ahead. Yes, Sure.
Uh, I'll, I'll set the stage on that, but before I do, hi Carl, my name's Wes. It's nice to meet you. Oh, who's this? Carl? Yeah. Carl, this is Wes. He's always late. Uh, yeah, I, I'm the late guy, uh, today in, in the never ending, uh, fun. I'll, I'll let you in on it. So, uh, last week's fun was new machine. This week's fun was, uh, all our email got rolled over this weekend to, uh, ConnectWise. So that was a lot of fun.
Uh, and we'll just leave it at that for how long it took me to get everything set back up and connected. So tune in for next week for, uh, whatever new adventure awaits my, uh, I, I truly need an in-house IT guy. So, Carl, uh, I do have bids out if you're interested. Yeah, I was gonna say we, do you need an assessment? Yeah, I do need an assessment. It's gonna be really bad. Uh, yeah. So, uh, I used it, I used this tool to get in and check the Perch Security, if you've ever heard of it.
Never Heard of 'em. Yeah. A bunch of, bunch of jokers over there. Yeah. Uh, so let, let's set the stage for a minute. And, and I do have that, that was the, actually, Andrew, you read in my mind that was a question I wanted to ask you, Carl, is so, uh, we, we have gotten involved at Perch a number about a year and a half, maybe two years ago, with a very, very large healthcare org, um, that I would say, uh, about 200,000 employees, like super massive.
They have an entire M&A wing that does nothing but, um, acquisitions of new healthcare orgs that they bring into the fold, right? And I remember having a conversation with the, the, like, basically the vice CISO there, uh, and he said, you know, we, we really struggle. He's like, when we take a new org and we've got them shields up under our umbrella, he's like, everything's great, right? We're fully positioned. If something happens, we can handle whatever comes out of it.
He said, what we get blasted with is, and this happens a few times every year, is in the M&A process. We bring them into the org. They've been running for three to six months, the deal has closed, then we bring them into the fold, so to speak, bring shields up, and we realize uh-oh, there's an active breach of some kind. And then the lawyers get together and they like to point fingers at each other.
And it gets into this nasty going all the way back to the, the paperwork of the M&A to find out when did this happen? How did it happen? What party is required to, to remediate and cover the cost? And he's like, it's a nightmare for us. And he goes, our team ends up getting eaten alive with unscheduled work that we're doing through that breach, because it doesn't matter who's guilty, we've gotta go take care of this thing. And it's, it's a nightmare for them.
And so that's where they bring Perch in the, uh, pre-acquisition stage to get an understanding. And Carl, that comes right back to what Andrew was saying for MSPs. This is becoming more and more common where you inherit a client that has some kind of issue that you had no idea was going on. There's a good chance that the client themselves had no idea an issue was going on.
And Carl, I know you're pretty upfront about this, you actually brought on a client, um, maybe a year ago that had a pretty significant breach. It was before Snap Tech's days, and, uh, you guys dealt with the aftermath. So talk to me about your experiences from that and, um, how that's affected your sales motions and sales processes moving forward. Yeah. Well, you know, it's, uh, it, it just, the evidence grows every day, right?
But, uh, Wes, Wes is being a little sneaky because Wes was one of the first people I called when I was saying, Hey, we, you think we might need to get Perch in a little earlier in our onboarding than we thought we were going to because we're seeing stuff, you know, uh, just, just cruising around in the system. And this particular customer is a significant-sized customer.
We, when it was all said known and dust cleared, we, we saw evidence that, that, uh, customer had been, uh, compromised since at least April. And we were in October when this was going down. And, and so, you know, they had all sorts of things going on, all sorts of back doors happening. There's little traps laid around all over the place. And, and we needed all the things we could do to get in there and make that happen. And it was a significant amount of additional work in that process.
Fortunately, we stopped, went to our incident response policy, we kicked out a, a, a proposal for it, and we did not give it away. Um, but, uh, at, at the same token, uh, it was, uh, very eyeopening. I, I mean, I always have known it, but I've just never felt it quite like that experience when, and we, when we collaborated with your team and some others on that particular customer.
And I could tell you, you know, if, if places like SolarWinds can get hacked with their Orion product, I mean, I just, there's so much evidence every day. You just gotta go into every conversation, assuming everybody is compromised, that there is nothing that isn't, uh, already a problem. And you should approach it like that. I remember we onboarded a client in here in Arizona that, uh, when, when they hired us, they had just had a ransomware event.
That's how they want, why they reached out to a new IT provider. And we're going in there and we're starting to do things like, okay, well, let's, uh, roll out our, you know, our, our RMM tool and that with the remote control capabilities. And we're like, holy smokes. How can we do that? That, that RMM connects to all of our other clients? How could we go into this environment and possibly think about rolling out that tool right now?
We had to think of different ways of doing it has completely changed our approach, and it's changed our MSAs as well around liability and the definition of incident response. I mean, I, I say changed.
That's actually actively a conversation we're having with our, our, uh, legal source about how to better define when it's an incident, when it costs extra, and what the meaning of that is and the liability of it, because it's a, it's a very intense piece, and I can tell you we're all gonna be doing incident response for the rest of our careers, you know? Oh boy, everything you just mentioned sounds expensive. Yeah, right.
I know a guy As you're rolling all those things, you know, we all know the time, the effort, the amount of focus and proactive work, right, Wes, that it takes to do that. And in an industry where most MSPs are built in real life, in a reactive world of things they have to do. That's right. So really good. That's Right. Gimme a yes or no in chat. Um, does your MSP include in the MSA, uh, some kind of consideration and protection for a client you bring on that has an active breach?
Gimme a yes or no in chat. And the reason I'm asking is because to Carl's point, Carl, will you ever bring on an agreement without that being tightly? Yeah. You already said yes, right? You would never bring on a client without that being tightly defined because of the unknown cost and incident response. Even if you're not handling the incident response yourself, no doubt as the new IT provider, you're 10 times more busy, a thousand times more busy than you ever would before.
And so we get a lot of nos coming back. Carl, does any of that surprise you, or is this a a really good point? It's not an issue if you go find it. Hey, it's, It's where we've been and, and you know, we're, we're still fixing and making it better now. It, I I, I, what can I say?
You know, we're, we've been SOC 2 since, uh, 2014 and we're only now thinking about how we need to, well, we've done it before, but we're only now getting new language into our incident response and carving it out and making that happen, right. Uh, the, uh, but I could tell you, you know, it was probably, I don't know, four years, five years ago that we started putting things in our MSA, like, we are not responsible for your data ever. Um, and, uh, we're not liable.
And, and we, we do not own your security. You, you have to as a customer own it. Those are the things that, uh, that, uh, you know, we, we started thinking about then it's just, it continues to evolve and we continue to realize the value and the benefit of setting the right expectation, which is what I view the power of the agreement is.
It's about going to the customer, saying, this is what happens, and you need to expect, and we should talk about how this is going to happen, not if it's going to happen. And by, by all means, we'll try to prevent it, but you should have the mindset and be prepared for when it happens. Yeah, that's really good. And that's coming from someone who's doing more to prevent it than most other MSPs that are 30% less. So that, and I would explain That too, right? Yeah. Uh, that's good.
And I wanna shift just a little bit, this kind of comes off the, the heels of the same conversation, Carl, is last week we had, um, we had Brian Blakely on, and he, we were talking a lot about policies. We were talking about the interplay inside of all of that. And I guess my question for you, I've got a couple policy based questions for you, Carl. One, what does the, the policy interplay look like between Snap Tech and your clients?
Do you guys have like written hard policies around some of this that we're talking about around like, like breach response, incident response that involves clients? Like, have you guys matured that process as well between you and your clients in the event of incidents occurring? Oh, I could tell you, you know, like we really got excited to think about that kind of stuff. About, um, about two and a half, three years ago is when we started down that path.
And we, uh, started, uh, we, it's, it's funny because we had an incident response policy, but as soon as we tabletopped it, we realized how none of our people really knew about it. Only those of us that talked to the auditors kind of knew about it. And so, um, now we've taken on a process where we're doing regular tabletopping with our team, giving them scenarios, watching 'em work through the process. And to be perfectly frank, now we are using it when our customers have an issue. And it's been great.
And, and really it just comes down to that technician who first sees the incident happening, thinking this might be a thing, throwing up the flag and getting the process starting, and then that's it, you know? And then there you go.
And, and once the process has started, we're pretty good about following through on the process and involving the right people, the insurance, the legal or the customer's cybersecurity policy that all the different pieces that may need to happen that we used to never really think about, we would just get to fixing, you know, and, and, and missing with things, you know? So I, yeah, it, it's, it's an evolving part of our business.
It's something we're constantly working on, but we're really trying to do a better job with, and we're constantly improving that cycle through the tabletops and the regular policy review. And by the way, shout out to Brian. I didn't, I didn't get a listen to it last week, but, uh, Brian and I have known each other for a long time. He, he's here in the Arizona area too. Yeah. He told me he was heavily offended that you didn't, uh, listen. So, you know, yeah.
That's a, a, a, a, a wounded relationship. You're gonna have to repair there, Carl. Uh, yeah. So, uh, uh, I, I just, I, I tease and I kid, um, hey, one last question, then I want to give it over to, um, to Ryan and then, and I want you guys to ask Carl some questions. So make sure you start queuing some ask questions up in the, the app down below. You should be able to, uh, uh, queue a, a question up for Carl.
So, Carl, last question around policies themselves is do you get involved in writing them with your clients? Do you standardize policies or do you allow a lot of flexibility in each client to have their own? I mean, we definitely know in between different industries, there are certain things that must be in a policy that might be unique like healthcare, um, and you know, like patient notifications, things like that.
But just talk to us about how you guys work through policies, policy writing, and the interplay, um, on how you handle the uniqueness for each client. Yeah. So we've gone different ways, and I feel like we could be more mature here. And so that's a great question to ask you guys what you think is best. I'd love to hear your guys' take on that. But, but you know, what we've been doing is sometimes we help them, sometimes we help them buy, uh, templates that we then help them customize.
Sometimes we provide examples of what we've seen, and sometimes we work with what they have. Our clients that are more mature will already have them. But to be perfectly frank, the vast majority of 'em are kinda like, yeah, we've a meaning to get to that, and they've got practically nothing in place. And so we're kind of starting at scratch. And so I view it as a long-term thing. We, we create a project for it, it has its own billing cycle, uh, you know, as we work on it.
And I'd say the biggest problem that I have with that is that, you know, we don't have as enough people in our organization that are really gonna be savvy enough to write an effective policy that you wanna live with. And so guys like Brian are great. Uh, and we have a shared client. He just recently, he helped one of my clients with a, a policy, uh, uh, uh, situation because, uh, we just can't do it for all of our clients with the way we're currently designed.
And it's, it's a skillset that's not widely in, in our firm. You know, we have a few people can do it, so we do it sometimes, but a lot of times we're trying to help them find somebody that we can work with. Yeah. Yeah. And that's just Gary, that's part of the, the VCIO process, isn't it? Yeah. I mean, I don't think you have to, I don't think you have to.
MSPs have to be in the business of, they shouldn't be in the business of writing all the policies, uh, for their customers, pointing them in the right direction, asking them just exactly what Carl said, and then, you know, some of 'em are simple enough, you can help 'em. And then those others, there's expertise. There's, like I said, entire companies that, that just do that.
So it would be offensive to people like Brian to think that, it's almost like when accountants say, oh, we're your accountant. We'll also be your MSP, right? It's offensive. So, Hey, hey, uh, Wes, before we go to Ryan, or maybe again a transition to Ryan, Carl, can you talk a little bit about the relationship of alignment of the controls to the policy?
Like where, where and when, can you kind of share that interplay a little bit of, you know, hey, you're working with Brian, he's developing the policy. Can you talk about that handoff? Because there's, there's that whole relationship there to make sure, one, it's happening, but then two, describing it. Yeah, go ahead. Yeah, so I, I mean, so in the relationship that I, I, I think I would try to ask your question.
I'm not a hundred percent sure I understood it, but when you say the relationship with the controls and making sure what we do is represented in their policies, is that what you Yeah, Absolutely. You know, a lot of times every Policy has one or two or three controls, right? Yeah. Yeah. I mean, generally the, the term is ITSP, right? IT service provider.
And, and there are several policies that will help 'em call out our ITSP is is, you know, is doing the audit or the control measurement or, or houses the notes on services and things like that. And so their policies are oftentimes written with us in mind that we're going to be there doing something and we get declared as the current ITSP. So that's how we've been doing that.
I, and, and as far as aligning the controls, like for, we just wanna make sure the policies are covering the things that we want to control, that we want controls in place. So for us, you know, the, the, the basic pieces, we like the CIS, uh, or the n the NIST CSF, uh, framework, and we really like the CIS controls that are out there as an implementation methodology. And so making sure we've Never heard of those, Yeah, yeah.
Making sure that that policies, uh, match, you know, for us, we're still in our infancy of adopting the CIS control, the CIS 20, but we see a lot of benefit in that. And so that's definitely an area we're moving towards.
But even in the meantime, we have our set of controls and policies that we do, and we have quite a few really, and we just, we just wanna make sure that the customer has the fundamental policies in place, so we have the justification and the business backing to do the controls that we're gonna wanna put in place and, and that it's stated as policy, you know? Cool. I'm sorry about that. I was, no, it's a great question. So, um, I'm doing a little bit of cleanup.
Um, uh, there, there's a lot of questions earlier with regard to what is in the assessment. Like is it a 10 question questionnaire, is it a hundred point, you know, full day, like kind of interactive thing? Um, some combination of both. And, you know, I, I think tying into that answer, like, does policy review, is that included in there?
And like, we've talked a lot about the need for, um, you know, asset inventory, software inventories, like just, just basic kind of scoping information, like the Identify set of capabilities that you would have in, in like a NIST framework or even, even, you know, the security function mapping in CIS. Is everything assessment? Yeah, I mean, everything is basically around the CSF categories, right? So we have our identifying motions, we have a protect and detect analysis.
We looked at, at the, the response and the recover. And then we, we also have a section we add called manage, where we basically are doing that just standard IT discovery stuff so that we would know if they want us to propose to 'em, which is our goal, that what we would actually propose. Like what's the user count, how much data do they need?
What, how do we need to scope the backup and how many servers are involved and all, so, so, which is really asset stuff, but it's also laid out in a way that I just think it more as an IT discovery. So there's the, the, the cybersecurity framework that puts together the risk picture and puts together controls. And, you know, I, I think our question count of things to look for evidence is a little over 200.
Uh, the last I looked at it, I actually just had a meeting with, um, my team that does this this morning, and we were just going over that list, seeing where we need to improve it or do we all agree or where that's at and how we're gonna build our gap analysis and action plans off of it.
But the basic things is we do, you know, typically, uh, around a half day to a full day on site, uh, we're laying agents out, we do scanning, we, we use a product called CyberCNS, which does a lot of things similar on the vulnerability scan side of things that you might see in other products. Um, but we do a lot of interviewing and we do a lot of policy review.
We have a specific set of CSF questions and a specific set of best practice questions, uh, that our technicians go through a process to answer. And then what we're providing back to the client is an executive summary. We're providing a gap analysis and we give them action plans with some high level budgets. Uh, so, So I'm guessing if it's 5,000 bucks, like you're talking about all of that, for a small firm, maybe you're spending 25 to 30 hours. Yeah, that's exactly right. Yeah.
A small firm, it's gonna be about 20 hours. Yeah. Gotcha. At our, at our, at our assessment rate, which right now is 190. So, So that sounds like you've customized it a bit over time. Did, did it start off as like a NIST Cybersecurity Framework type of assessment and evolved? No, it started off as, you know, what Carl thought was a good idea to have in place before I'd even, you know, really thought of these things, right?
I mean, I'd worked in, I'd worked for Charles Schwab in their IT, and I'd worked at a school and, and done a few things. Uh, and there I just, there, you know, NCSF for, it wasn't created then PCI was kind of coming around back when this was going out, but there wasn't a lot of that when I started this concept of doing it. So we had a custom list of what we just call a SNAP Tech way. It's our best practices that we've built up.
And not only do we audit them an assessment when they're coming on board, but we do quarterly, monthly, and annual versions of this ongoing that they're our ongoing client with ongoing audits. Right. Um, but the, um, so we, we built it up and it was the putting it under the framework that I think made us more comprehensive, got us into other areas and gave us a lot more authority in how we speak or command and control the, of the conversation. Okay, awesome.
So we've been talking a lot about cyber resilience. In fact, we're gonna be talking a lot about cyber resilience the next two days. Um, and for everybody on the call are so lucky to get three days of all of us and more.
Um, you know, it really is becoming, you know, this, this concept has always been critical, but I think this idea that you need to have a security program that assures your operation with minimum downtime and loss through an adverse event, because we're in the assumed breach area, the adverse event will happen, right. Have you, have you been able to kind of land that concept with customers or prospects or like, how does that conversation tend to look? Is it, are they not there yet?
Is it like a couple layers higher up? Like what, does that just give us a sense of how that conversation works with the end customer? Yeah, I mean, this is probably an area that we could get better at. I, I think that it doesn't land particularly great with our, a lot of our customers in the sense that I, I really try to avoid the fear or uncertainty and doubt the fuds sell.
I really try to say, this is the process and, and this is the things you're gonna do and we're gonna reduce your risk significantly. And that's really the way forward and you really should have very little issues. But then again, I've really gotten into also the motion of saying, but we have to be prepared. This is gonna happen. And I don't get a lot of people that disagree with that. What it really comes down to is the meaning of what am I gonna propose because of that?
And I don't know that it really changes much now, other than I'm going to, I'm gonna approach the order of my assessment difference so that I'm protecting us and our customers as we go in there and start throwing technology around. And, and, uh, I, I, I just, I feel like, you know, it's just a bigger part of the overall conversation of just do it right, reduce your risk and accept that there's always a possibility that you could have a problem. So be prepared for it.
So on a similar vein to that, are, are they starting to understand the need for incident response plans or business continuity plans? Or is that still an abstract thought for them? N no, I, I would, I would say that, um, the concept of the incident response plan is its own thing is kind of a new thing for us to call out and say, let's do it that way. It's only been within our concept of a, a really strong process for a couple of years now.
And, and so we're only really getting to that conversation. But I would say that people are not resistant to it specifically, but one of the things that we're trying to figure out is how does that work in our sales cycle? 'cause we have this idea, well, we'll sell incident response plans, uh, we'll sell incident or, you know, create, helping them create it. We'll sell plan testing and we'll sell incident response and they could even, you know, prepay or buy in blocks.
That's something that we're really messing around in our head with right now. We're not really fully an incident response company, but we now have to recognize that we're all gonna be doing incident response. And so, um, it's good to have the policies in place. I don't get a lot of objections from the customers, like, of when we wanna do something like that, that generally by the time I'm having that conversation, they're already bought in that they need to do these sort of things.
I don't find out a particularly hard conversation. It's, for me, it's more like figuring out how I wanna place it and how does it make sense to charge for it. I think maybe some of it is just, uh, like you said, you're involved in incident response no matter what. You don't have to be an IR company, but you at least have to know enough to know what not to do. Yeah. Yeah. I mean, that's what I've learned. Listen, lure over and over again. Yeah. Don't change that. Make the call.
Talk to the IR, you know? Yeah. Just how to not make it worse. Right. That's a good point. All right. Let's, uh, let's either do some questions or take some questions from Carl. Oh Yeah. Can I, can I kick one off here? 'cause it's kind of what we were in talking about. Uh, yeah, Gary, I was just saying this. And then Carl, if you have some for, for the folks. Yeah, I got some. So I just want to give you this one, Gary.
It was, uh, Jason says, Hey, I was talking to a good size MSP, and they hit them with just support only in the first meeting. Instead of doing a big in-depth assessment, they come back to it later, Gary, versus, you know, Hey, this is how we engage with our customer. So let me equate it to, they have a bronze package. Can you keep, uh, so I would say, um, I would wanna know how profitable they are, uh, because, you know, I couldn't disagree more.
If I come in and just offer you support, you're not gonna know one more thing about what's great about me and all the work that Carl has done. Right? Sometimes the same people say, well, come in and do this, you know, install this new server for us. And, you know, and that's a way to show 'em how good we are. They're not gonna know anything more about your ongoing process, your discipline, your standards, your roles. I'm saying, no, sir. Yeah, just cut, cut your value off at the knees, right?
Yeah. I'd rather have one good fit customer than three bronze customers. 'cause by the way, by selling those other customers I have now resource supporting those that could be going to be awesome for my awesome customers who get it and pay me the right amount. Right. Sorry Jason, you got me fired up on that one. Carl, I have a question. Yeah, you go. Carl. I have a couple of things.
I, I think there's a, you know, a really strong trend, not to just the, uh, a cloud only, uh, play, but really the serverless play, you know, the Azure Active Directory or the JumpCloud, uh, or some version of cloud-based directory ser, service, uh, play, and then strictly apps. From there, I am constantly thinking about how I have to improve my, identify my asset, my vendor due diligence package. I would love thoughts that you guys have around how to really get my arms around it.
I find that that's a pretty immature space, and we're struggling to really get a hold and feel like we properly have a client in our, in our, our control. With so little centralization of anything. I, I can say it to anybody I don't know who wants to answer. What do you think about this serverless movement and what we should be thinking about as, as providers?
Well, I was gonna say, I'd love to bring Matt Lee up and who's amazing, but Matt will, I don't know if Matt, will we have enough time, let let me know in chat. But, um, because he's incredibly knowledgeable, incredibly comprehensive. They just built a PAM solution through, uh, Microsoft's lighthouse. Um, so, um, Well, one thing is this, without getting into the detail, 'cause we're getting towards the end here. Yeah, yeah, yeah.
The takeaway, Carl, is you're saying how do we prepare for one bit for what's happening there when 90, 80 plus percent of MSPs, their whole business is still geared on devices and those kind of things. I think that's what you're saying that That's right. I, I mean, I'm feeling this, uh, more and more we're talking to customers and why would we even do a server? There's no reason for that, you know?
And so now how this has security implications that are far more complex. Now every single app is its own closed security world with its own set of risks, different vendors. There's no perimeter. Yeah. The perimeter. I, I heard Robert Herjavec on an interview today with Joe Panettieri. He says, well, where's the perimeter? Yeah, there is none. There's no such difference anymore. And so I'm just wondering what your thoughts are on how that works from an MSP space.
Maybe it's not a very well formed question other than it's like, I'm struggling with this. Do you guys have any help? You know, it's like, I'm trying to figure out what we're going to do to get our handle on, on this. Maybe it's, uh, maybe the, the, the pieces that I just, um, need to become more standards focused and, and, and get my world into a certain alignment so that I feel like I got a handle on it.
But I feel like it's more complex than ever, you know, and it's only getting more complex. Well, I think you're already doing what you need to do, which is to get down the line on all this stuff and be on top of it and realize these issues that are being created, um, so that you can continue to adapt over time. So I think the most important thing, which you have command over that aspect of your business is the most important thing. Carl. Yeah, I mean, I'll, I'll jump in here a little bit.
I'll say that great. As a, as a ciso, you, you never know what's gonna get thrown at you next from a technology perspective, right? And you could think about it like the, everything's moving to the cloud conversation all over again, right? Like, oh no, it's moving to the cloud. How do I secure the cloud? Well, the beautiful thing is if you adopt the framework, right?
If, if you have a way of identifying the things of value, protecting them, detecting things that are trying to hit them, responding and recovering to those things, it's just a different problem, Right? Yeah. And so it's figuring out how to adapt your approach to that technology or that new class of problem. But if you have that framework, that way of thinking, it really, it, it kind of removes some of the fear or uncertainty out of it.
'cause you're like, all right, when it comes, I have a way of structuring this problem to solve it for me and for my customers. Yeah. To me, the problem, the, it comes down to, uh, it, it comes down to I guess recognizing who owns the authentication is the one that coordinates it, right? And so being really on top of the authentication piece and coordinating that.
And then, and the, but the other piece of it is, is, uh, like I would wonder maybe Ryan or you, Wes, to either of you, like, what is your vendor due diligence question pack. We've got a pretty good vendor due diligence package where we ask, uh, Wes has even felt one of those come his way for me before. But I just wonder, what are your thoughts or thi are key elements that we need to have in that vendor due diligence?
This is about policy, but it's also about procedure and security of making sure you're checking your, your, your, most of our clients don't have it. They're not doing it. We need to teach them how to do it, and we need to do it for them a lot of times. So I'll say a few things about it. Um, just from my background at, at the bank, I, I ran our due diligence or vendor due diligence process. And, uh, it's a lot of work to do it right? It really, really is.
Um, I, I happen to believe that there is a lightweight approach and then more of like a methodical approach that, like, it all comes down to these questions of like, what level of data do you have of your clients and how much do you store, process, transmit that. In other words, like, banks must go through a much more significant due diligence program than maybe a nonprofit.
And not to say that a nonprofit isn't important, but it is to say that, you know, they're not handling, you know, banking and PII for every single client that they have. I mean, by the nature of being a bank, every client of mine, I have all kinds of data on them. And so it drastically changes, right? And, and this could be a future call 'cause I realize we're about up on time. Um, but it must go down into that process of like, you know, who, who are those vendors that have my data?
What kind of data do they have and how much of it do they have? And what kind of entity am I as a client? All of those things will dictate how much work that I do in that process. And it's certainly not as simple as, do you have a SOC 2 check mark and move on? Because you know, Carl, you know this as well as anybody, anybody can hide anything they want in or out of a SOC 2 report.
Uh, and I could give you all kinds of stories of, you know, how we carve things out, how things could not be listed, that the TSPs of what's covered inside of them may or may not exist. Um, very easy to, to change and hide those things. And so this is probably something all in and of itself on another call. Um, but it is pretty complex. Yeah. And it is kind of a big question. I asked two kind of big open-ended questions.
And really more than anything, I think, how often do I get a chance to talk to these people and ask things? Think. So maybe more than anything, those are things I'm thinking about. Those are problems I feel like I need to solve better. Uh, yeah. Thoughts or future thoughts on it, you Know? Yeah. I think we should do a whole thing on vendor diligence and vendor management, but, um, yep. You know, in the meantime, if you wanna And also lead generation. Yeah, yeah, yeah. I'd be happy. I agree.
We didn't get to that. People were asking. We didn't get to, we ran outta time. That's a great idea. So, so in wrapping things up, uh, you know, Joe, Joe Clark, who's been with us from the beginning. Joe, thank you so much. Joe asked a great question, but you know, from the customer side, it's in the Q&A and, and I and Joe said, he'll come on. So Joe is with a, probably a mid-market company on the healthcare side. What are your thoughts on that, Gary?
And it'd be awesome, we're gonna bring Joe on from the customer side to hear what it's like from his perspective. 'cause he is dealing with it, somebody right now as an MSP and he's saying, Hey, I don't see the security yet. Yeah. A Andrew, I think it's a great conversation and we should do it maybe in the next week or two. Yep. Because I, I, I, I mean that's the, it's two o'clock and, uh, we, we've got three sessions just came out of this that we can do. Yeah, yeah. Okay.
So I know we gotta wrap it up. Great job, Carl. Alright, Carl, awesome. Thank you, uh, for everything folks. Thanks for joining us again, week 38. On behalf of Wes, Ryan and, uh, Gary, we'll look forward to seeing you all next week. Take care everybody. Thanks guys.