Right of Boom
January 30, 2025

03/01/2021

In this video, industry experts discuss the critical aspects of cybersecurity risk management and the role of Managed Service Providers (MSPs) in enhancing security frameworks for businesses. Through a series of interactive discussions and role-playing scenarios, they delve into the importance of aligning security strategies with business objectives, emphasizing the need for comprehensive risk assessments and effective communication with executive leadership. The video provides valuable insights into establishing robust security partnerships to mitigate risks and ensure business continuity.

- Cybersecurity awareness and incident response are crucial for IT professionals, particularly in sectors like healthcare, where data breaches can be catastrophic.
- MSPs need to provide comprehensive security solutions that go beyond basic services to meet the evolving needs of clients, especially in regulated industries.
- Effective communication and understanding of risk management between MSPs and clients are essential for a successful partnership and to ensure business continuity and security.

Guests

Andrew Morgan

Video Transcript

All right, we are live week 39. Welcome everybody, and with always our co-host, Gary Pika. Ryan Weeks. Good to see all of you. What's up? What's up, my friends? Hey, Wes. Uh, we're one away from 2,600 subscribe. Oh, the channel. You think we'll get there today? Isn't that interesting?

So, uh, I, I don't ask things of our audience very often, but today I'm gonna, will you just take, all you gotta do is control C and control v, that URL up there, Crowdcast io Cyber call 39, pop it into LinkedIn and say, we're live. Come join us. And, uh, let's see who can bring us to 2,600, uh, Andrew. What, what are you gonna, what, what's gonna be your gift to the person that gets us to 26 oh Oh an hour. An hour with you telling 'em all about your cryptocurrency. There you go. Yeah.

And, uh, does anyone in chat know the significance of 2,600? Uh, there is a certain, uh, magazine. None of my other co-host will know. Maybe Ryan, maybe Ryan, Ryan will know, but the rest of you guys maybe not. There it is. 2,600. Bam. We did it. Alright, So What's the significance of 2,600? Does anybody read 2,600? The correct answer is, uh, I have no recollection of those facts. Senator, I don't know what you're talking about. Uh, a whistle. Yes. Tim Fornet. Yes. Okay.

We're getting way down deep into Nerd Igate or something going. So, 2,600 is a Hacker magazine, uh, and I was always told to, to buy it in cash. Uh, yes. There we go. Mihir Hacker quarterly. Yeah, we know. All right. All right. So real quick, Wes, um, few things I wanna kick off with you, but, uh, first off, if you joined us for the Cyber Resilience Workshop, uh, thank you, Ryan. Gary, Wes, fantastic job. Thanks so much for your awesome contribution.

Mike Beard, Chris Laer, um, and then, uh, Matt, Solomon. Solomon over. We got overwhelmingly, um, you know, we're still rendering it to put it up into the true Methodist training portal, and we're just getting pinged all over the place. People ask. Oh, really? Yeah. They want it. They want other people to go through it. So, uh, I'm gonna say was a home run. Excellent. Alright, we're gonna have to start curating our next, next venture here. Alright.

Um, so, uh, before we kick things off, Wes, I put a link at the bottom in the call to action. I have a Wall Street Journal subscription. It's being real funky. I'll try and get it out to everybody. But Max, uh, I'm sorry, Wes, can you, can you tell everybody about a little bit about Yeah. You being, uh, more famous and more of a dictator than you've already been?

So, Yeah, so this is all part of my glorious campaign and, uh, I have now, uh, fooled the Wall Street Journal into thinking I'm smart. Uh, uh, so that was, that was a lot of fun. They'll figure it out soon enough. Uh, but, uh, no, I had a Wall Street Journal art, uh, uh, reporter reach out to me on, uh, last week and spent about an hour and a half with her. She's very concerned in, in diving into some of the, like, the latest cyber threats in the healthcare sector.

And she found out about Perch because we worked with a whole bunch of healthcare orgs. And, uh, long story short, I spent about an hour. She asked great questions and I got myself one sentence in her article. Nice. But, uh, that was pretty fun. I have, you know, I've done work with like Dark Reading and Bleeping Computer and others, um, SC Magazine, but never, uh, a top shelf agency or group news group like, uh, Wall Street Journal. So that was really, really, really cool.

And, uh, you know, she may never talk to me ever again, but, uh, I got my sentence in, dang it. Bucket list check. So check that out. It's down below. It is paywall. Um, I will say a little Birdie mentioned, uh, in, um, cyber Nation. I did post the PDF of the whole article if you'd like to Check it out. Oh, good. Excellent. Thank you, Wes. Fantastic. Alright, so let's get going here.

I have a poll up, uh, regarding, uh, if you were part of the, um, cyber resilience, I put all the different sessions in there. We'd love to know which ones you liked, uh, you know, rank 'em or, you know, whatever, what your favorite one was. Um, and then, so let me just set the stage here before I introduce our guest, uh, which is Joe Clark. Joe, first off, thanks for being with us. And, um, you are the IT director for a small healthcare organization.

And I thought, as you know, I was talking to Wes offline. I go, Wes, I think Joe's the only quote unquote SMB with us non MSP and Wes is like, oh, no, there's others. I didn't realize that. Wes. Uh, Hey, well you guys, let's do this real quick. If you're watching right now and you are not working for an MSP, MSSP, VAR, any of that kind of stuff, like you're working for a single org, just like Joe, will you let us know in chat right now? I know John Nelson is in chat.

He may not be on today, but John is one of those. Anyone else that's watching this that's not a, uh, MSP of sorts, we'll just wait in case. Yeah. Yeah, I think that this, this will be great. I, you know, one of my questions to Joe shortly, uh, is around this, but Joe, starting things off. Um, so you are the IT director, you're responsible for security, uh, and some other things as well at your organization.

You guys, um, as far as I understand, do, um, management around risk, uh, for healthcare organizations. And I'm, and, and, and so one, can you tell us about yourself and two, a little bit about the role in the organization? Sure. Uh, so you already mentioned I'm the IT director. Uh, I've been in, in, uh, IT since, my goodness, early or late nineties professionally, but longer than that as a hobby. Uh, so it's been a long time.

Uh, the organization I'm with today, they take on risk based health, uh, contracts from the health plans. Uh, basically what, what the health plans will do is take a slice of, of their patients in smaller geographic areas, and they will ask, uh, independent physician organizations to manage those for them. They'll pay the claims, they'll refer to, you know, from primary doctors to specialists, uh, that sort of thing.

Uh, so these independent organizations will either do the work themselves or they will hire someone like us where we manage that work for them. So we manage two different independent physician organizations to do that sort of work. Excellent. Um, so Joe, you know, again, you, I think you've been with us almost the entire 39 weeks, give or take a few, but I remember you early on. Yeah. And, uh, always asking great questions.

Um, where would you say, you know, like is there one or two things, you know, from, again, sitting on the other side of the table, hearing all this MSP and MSSP stuff that's really helped you or, or, or, you know, you've been able to put to use? Yeah, absolutely. You know, when I came on, I think it was week six, okay, right about, about right when I came on, um, I learned things here that I never even thought about. Incident response is, is huge for me.

And cyber insurance was, was absolutely fascinating. I don't really get into the cyber insurance end of it, except when they send me a questionnaire. That's it. I don't know much about it. And so, when, when, uh, Chris LA is on, and, and when, uh, Ryan, when you're both talking about the legal parts of it, what happens during the legal aspect of a, of an incident? Wow, that's super fascinating for me because I am the IT guy.

I'm gonna fix things right away, get the restores going and, and go off on it. Well, wrong response now. I know. So, so I mean, that's gonna protect me in the future. And not just me, but the entirety. That's, that's excellent. Okay. Very cool. So last thing I'm going to just kind of bring up, and then I'm gonna turn it to Gary.

Um, you know, I'm not as prolific as Gary, but I have my, you know, kind of ran, uh, a peer group and, you know, prior to Covid and, and back in my days at, at ConnectWise, you know, we had this, this group of, you know, more mature MSPs and some MSPs. And one, I got this idea, and Wes, and again, Wes and I were talking about it. 'cause Wes would come in and we did this for about, I don't know, three years.

And one time, I, I said, you know, what, if we brought a prospect in to really get into their head of, uh, you know, an SMB, I said, I think it'll be cool. The, they, like, Joe can feel at ease. They're not gonna be sold regionally. The all these MSPs weren't in the area. And, um, conversely they could really get into the mind of the prospect. And, and so Joe, I really appreciate, you know, you coming on, but from your side, what are you hoping to walk away with?

Are there any like, things that you really want to, to get out of today's sessions? Well, one thing I, I have been thinking about, and, and probably one of the biggest reasons why I jumped on this to to begin with, you know, months and months ago, was a, I didn't realize it was for MSPs when I first joined, but when, when I did realize that, I was like, wow, well, what do MSPs have to go through?

Because I, I spent a long time looking for a, a company that would actually provide more service for me in the security space. You have to understand, at the time, I was actually looking to go down the road to HITRUST certification, which is, you know, a, a certification by health plans for health organizations. Very, you know, high-end, best of breed, very expensive to go down.

And in my experience, what I was finding is all these little ti little security companies and all their niche markets and all their specialized markets, I'm like, why isn't there a company that I can go to that does it all for me, you know, and can provide me the guidance and, and advisory role and, and necessary information so I can implement the stuff, uh, within my own organization. So now there's the MSP and MSSP.

And so I'm just hoping to find out, am I doing things right internally, should I farm some of it out? I don't know, maybe I should. And is it, is it going to be cost effective? Can we afford it? That's the other big piece. Got it. Fantastic. Okay. Can I, can I just jump in super quick?

So Joe, I love what you said there, like, if there's relevance on this call and in the industry for what we're all doing, it's what you just said, the third party and fourth party risk, because MSPs serve the entire SMB industry worldwide. I mean, that's powerful. It's unbelievable. And so when you think about, even if you're watching this call and you are not, um, using an MSP at all, there's a good chance some of your critical vendors are.

And so understanding things like how to talk to an MSP, the right questions to ask them would be like, that's really powerful. In fact, I think it would be really fun one day, Andrew, is for us to kind of consolidate together and do like a, a, like a, a call that's recorded and, and like, it'd be like questions I would like to ask my MSP. Yeah. Right.

And so all these, these businesses, Joe, the ones that you work with, like, you could send that to them and say, Hey, I know you use an MSP and you're critical to us. So that fourth party risk with that MSP, we want you to ask these questions. Here's a great video and whatever. Like, I love what you said, Joe, because that, it, it, it's, that fourth party risk is so critical here. Yeah. Thanks for pointing that out, Wes. That's, that's excellent. Um, okay, Senator Pika, let's do it. Yes.

So, um, well first off, thanks for, uh, being here, Joe. Um, but, uh, and we're later, we're gonna do a little sales call role play, uh, you and I and Word has it, you're a pretty tough prospect. So, uh, we'll see if I, if I met my match, uh, uh, today. But the first thing I want you to do is, can you tell us a little bit about the current MSP you're working with and what that relationship is? Yeah. So we've had, uh, our MSP for, we're going on nine years now.

Um, in the way we're set up because we have our own IT department. Uh, we do most of the work internally as far as the day-to-day stuff. Uh, but we have them take care of the, the, the backups that's very important. And we have a, a nice backup strategy for that. We, they take care of the RMM, uh, high level management of the network, firewall changes, server patch management, that sort of thing.

So that's, that's what they were hired to do and that's what they've been doing for us for nine years. And if we have something that's, you know, beyond my expertise or is going to be a bigger project, then we'll bring them on, you know, kind of a time and materials sort of base. But internally, we do all of our, uh, day-to-day activity, user support, uh, even security of course, internally. We've kept that in for ourselves. Gotcha.

So some of the things you're doing in house, so when it comes to like Active Directory, is that your bailiwick? Yep, yep. We do the Active Directory 3, 3, 5 administration. Right. DNS changes, anything along those thoses, Those kind of things. Yeah, Correct. Alright. So from a security standpoint, it's kind of spread right? Between some of the things that impact security you're responsible for and some of the things they're responsible for. Yeah.

And, and they offer more security services than we utilize. For instance, they, you know, everyone's been offering antivirus and malware since the get go. Yeah. Um, but we've always kept that in house. So we have our own. And what's your Logic Protection? What's your logic? What's your logic on why you would keep it in house? Because it's always been that way. It's very simple. Yeah. Yeah. But a lot of things right. Have changed around you. Yeah. Yeah. Absolutely.

Um, yeah, so I, I know it's not time I'm building up my, I'm building up things. I can have to wait until the, uh, I'm gonna have to wait till the end, till I unleash all these little, this is going pretty good so far from the salesperson side, I can say so far it's, it's going, this is going pretty well. Um, alright. So I wanna talk about how they bill you, you have about 20 people in your organization and what's their bill per month?

Yeah, a little less, a little less than 20 people, but, uh, they don't bill us on a per person per seat basis. This was those back in those years when they billed for, here's your backup. So that's how they bill for the, for the backups X amount of storage. So it's a flat rate every month that, that includes the, uh, the, the backup services and their, all their other services.

And we also have an add-on of, of email encryption and spam filtering through them, which they farm out to a third party, of course. Um, and it, it's a flat rate every month except for the variable changes with time and materials Project. Like how much? Uh, about 2200, give or take. Okay, Gotcha. Oh, see. And how do you feel about the relationship? Like It's, it's actually mostly good. I think this, this past year has strained it a little bit just because of pandemic.

Uh, and they're super busy with, they have a lot of clients, so they're super, super busy with all their other clients. So I don't get as much time and care and immediate answers as I would prefer. But, uh, yeah, generally speaking, they do a fine job and we've had to, you know, we've had to utilize some of their restore services for, you know, lost files, lost folders, that sort of thing. So we know they're doing their job and they get things done for, Yeah.

So you said that maybe you're thinking you should be using an MSP for more than you're currently using. What is your gut telling you? Oh, I'm, I'm conflicted because we're such a small company and I'm the pretty much the sole IT guy and definitely sole responsible for it or for security. I'm thinking, well, what if I ever leave the company? If I'm doing it all, that doesn't make a whole lot of sense for the company, right.

Or if what if covid strikes, then I'm in trouble and the company's in trouble. So that makes sense for, for me to farm a lot of that out. But I still have to, being in the healthcare industry, I still have to own security internally. I have a lot of things to do that our MSP's gonna do. Policies, procedures, uh, all the auditing and reviews, things of that nature. So there's still a huge amount of stuff that I have to do internally that an MSP simply can't do. Okay.

Um, I'm gonna make one statement and then, um, I'm gonna move over to Wes 'cause I got kind of what I need. I'll come back at the end later. What I will say, you said, you know, you know, the vendor's busy. They have a lot of customers. Yeah. When you charge those prices, you need a lot of customers, right? Yep. That's why they have a lot of customers. You with me on that, Andrew? I'm with you. Yeah, yeah, yeah. Alright, so let's, let's move over to Wes here while I'll, while I wring my hands.

Wes, you're on mute, bud. Uh, yes, I am. There we go. So Gary, there's a lively discussion here about this, uh, term bailiwick that you used. Um, I'm not sure youngins like us, uh, understand that vernacular. So, uh, you might need to tone it down a little bit. Okay. I I gotcha. Did I use that term? Yes, you did. And I loved it. I'm like, the only time I hear bailiwick is when my daughter's watching, uh, princess Sophia or whatever it's called on Disney Glass. There's like some butler.

I I have so many saying, but I, I will say that sometimes, uh, my son and other people, I'll say, some of them, they're like, dad, you can't say that one anymore. You're not allowed to say that. I'm like, oh, okay. I gotta put that on my list. Like, I don't know. Yeah. We, we need a, we need a Gary Pika handler I think is what we need. Um, Hey Joe, thanks for, uh, thanks for joining us. Um, so what about A rat tattoo? Yeah, that's a whole rat tattoo.

That's, yeah, that's, I think that, is that Okay. Have read that one in like a Shakespeare book or something back in college? I don't know. Keep going. So Joe, question for you. Let's talk, uh, application development, uh, for just a little bit.

So I'm curious, tell us a little bit more about like, what you've learned in the cyber call so far, and if it's changed your approach to like coding itself, you know, like pen testing, secure development, lifecycle stuff, uh, secure code by design, all that kind of stuff. I'm very curious. Yeah, to some degree. Um, and, and I, I'm the primary application developer. We have three different applications.

The way I actually ended up in this particular role is through one of my applications that I built. It was a niche market, um, uh, product that the company I work for now became a client of mine back in 2007. And then eventually hired me full time and 2013, uh, it was a side hustle. I never, you know, was able to go off and make that a full-time gig. Unfortunately, uh, in my previous job, I went through two different pen tests and that was, that was great.

From a a developer perspective, it was very frustrating because I didn't understand at the time that there were such bad people out there trying to get into systems like that. I don't think like a criminal. Uh, so it really changed my mindset as to how I think I put a lot of stuff immediately into my own product. And I carried that over when I came here now on the cyber call. Uh, I think it was Dana that came on and we talked about, uh, of a variety of things that, that could be done.

And then again, in the cyber resiliency workshop, of course they talked about the OWASP Top 10. I've been using OWASP for a while now. That's not a hundred percent perfect, but, but things that I learned, uh, have been really useful.

And I can't remember if it was Kyle or if it was, um, Chris Lair who talked about, uh, the fact that the security questions, like when you do the forgot password and, and answer your security questions, that that's no longer considered best practice because people are posting their stuff all, all over social media. So knowledge based questions. So I have that in one of my products and I immediately put a project in place to replace that with two-factor authentication, of course.

So, um, getting rid of the old stuff and putting in new. So one of the things that I realized and that, that was good, that kept you se secure for about 10 minutes, Uh, one of, one of the things that I, uh, realized is that security isn't one and done. You have to go back through your code every now and then keep up on what's going on and what's relevant and make the necessary adjustments going forward.

So you're, you're maintaining security even if it was secure considered back a few years ago. Yeah, that, I mean, and, and so coming from a software company myself, like these are big questions that we have to consider. And you look at like, so many of the, um, things that have happened of late and that hit the major news cycles and it's things where we just make hygiene mistakes. Like we talk about hygiene in security all the time.

We should probably talk more about hygiene as well and just like coding and how we build and write code, like lazy things that sometimes developers will do that they don't, they don't think, like you just mentioned, uh, Joe. Like, you know, how does a bad guy think how, how, how does a bad guy operate things like API keys and leaving credentials inside the code and it's sitting there in like a GitHub repo for anybody to pull out.

Or, um, things like, uh, um, uh, like, uh, I forgot some of the others I was gonna mention from some recent breaches. But yeah, like that's big stuff that we oftentimes see mistakes in our code design. Angie, did you have a comment? Well, I Just wanna say, I just wanted to recommend that Joe hires an intern in case something goes wrong. 'cause then, you know, he has an out, Okay, the fall guy is all good to Give him to 1, 2, 3 as a password. Yeah, exactly. Continue. Sorry. Yes.

Things like that, Joe, you're, If you're using OWASP, um, Top 10, you like the OWASP framework. Um, something to look into. OWASP co-authors a software security maturity framework called OpenSAMM, which is like a prescriptive set of things to do for secure software development. Highly, highly recommend you probe that. It's open source, it's all freely available and you can map and gap it just like any other framework. It's, um, it's really cool. Yeah. Oh, thank you.

Hey, Wes, to your point, that's, that was another thing that was brought up on the, on the cyber call was the, the, the keys, the secrets. Now I've always had a policy, our, our, uh, version control never goes outside the office walls. So I don't go out to to GitHub or anything like that. I do have GitLab internally, but that's it.

Uh, but the secrets, yeah, I had to do a little work around that because I'm, I'm one of those lazy developers where my secrets, they were in a file, but they were best of the web server. So now it's encrypted and, and off. So, Yeah, because, you know, writing code is honestly a lot like being just a regular IT guy. Like you mentioned this earlier, Joe, like the, the average IT person bends and, and lends themselves towards, let me just fix a problem.

Let me get the easiest, you know, work smart, not hard. You know, do quick, you know, not security's not an issue 'cause I'm not thinking about it. Many software developers struggle with the same thing. And so oftentimes I have found it's not just, it's not only like I wouldn't chalk it up only to laziness. I just chalk it up to lack of awareness inside of this.

And, you know, oftentimes even this is a problem in our security awareness training, we talk about phishing and all these things that are generic of use for everybody, but like Ryan, like you just mentioned, we don't often get into like, what is secure coding by design and how does it look and how do we write code that we, and how does the testing process work for all of that? Like, those are things that like, are always top of mind for me at Perch.

Like I remember in the early days of perch thinking like, if there's one thing that would get us, like destroyed as a company would be us doing some egregious mistake, an open S3 bucket, you know, something like that. And, and like, you just don't survive from that as a security company, let alone as a small startup. Right. And so, you know, big questions. And so I guess that gets into Joe, like, my second question for you is like bug bounties vulnerability, uh, like, um, disclosure programs.

Any thoughts on any of that stuff on your end? Well, I, we haven't done any of that. Uh, I do, when vulnerability disclosure was brought up, I think Dana brought that up in, in one of his, uh, calls. I thought about doing that. Part of my audience is doctors. They're not usually technically savvy, not all of them, some of them the younger ones are.

Um, so I wasn't sure how well that would go over or if it would even be useful, but it's something I've considered doing is putting at least a vulnerability disclosure away for them to contact me and say, you, you have a vulnerability so we can rapidly fix it. Yeah. Okay. And, and it's, it's challenging and difficult to put those things in place to be sure. Uh, yeah.

Uh, but you know, and, and obviously there, there are ways you can do that through like vendor partners, like HackerOne or other groups like that, but mm-Hmm. Um, still the commitment to the process and understanding how to follow through with it, like those things are definitely really, really challenging. Um, let me ask you a question outta the blue. Uh, this one's like way off, uh, subject, but I'm kind of burning to know, Joe, let's put put your, I love that, that you're a client, right?

So you got your client hat on, um, whether it's your company now or just any generic company. If you were talk, if an MSP walked into the door and they wanted to pitch their services to you, what things would you want to hear from them? Like, what would you want them to clearly communicate to you to be confident and comfortable that yes, this MSP gets it and I would love for them to handle whatever those services may be. What, what things would you like to hear from them?

I think what I want want to hear from an MSP is where they are at with, with security. And I'll, I'll tell you why. MSP to me is a kind of a relatively new term. I think I first heard it about a year and a half ago. We've always called it network management companies or IT vendors. Uh, and so everybody does that. Everybody does it. Those are just the normal things that you would expect any company to do the, the differentiator's price, right?

Um, but with it, with it today in today's landscape, I expect an MSP to do a lot more in the security space. And what that includes, I really don't know. I do wanna know what services they offer beyond endpoint protection. What are you, what are you gonna do for me beyond endpoint protection? I want to know perhaps that they've got some sort of log monitoring plate, 24/7 log monitoring and alerting. I don't have that. I want that.

I haven't been able to afford that at this point in time, but that's something I want. And I'd like my MSP to do it for me. Which, which literally means SOC as, you know, SOC as a service, I guess that is. Yep. Um, I'm also interested to know what do they have in place internally for their own security? Are they following a set set of guidelines? Are they following HIPAA, for example, they have to follow HIPAA in order to work for me first place.

Are they following other, perhaps frameworks like NIST or CIS at a higher level than just level one? The basic stuff? And have they been doing it for a while, not just new because I'm new. So can I, I ask you what the answer is. When you asked your MSP this, what did they say? Well, since our MSP has been with us for nine years, that question hasn't been asked of them by me personally.

Um, I, what I have done instead is I've asked them, what can you do for me as far as other services, which is why I haven't farmed out security to them. Their answer to me the years ago was, well, we can give you vulnerability scans, uh, every quarter. I don't need one of the blue scans every quarter. Yeah. That wasn't the question. Right? Okay. Yeah. And, and that really gets into something that's been boiling in my mind, Joe, for the longest time.

Is that what you just asked for and what they just said, like they're, they're coming to you saying, well, here's the thing I can sell. Does that help? And it's like, no, that doesn't help. Like, that's just a thing that you're comfortable doing. That's not what I'm asking for. My expectation as a client to you as an MSP, is how can you help me solve for this problem? Like a go to market solution of here's what I'm trying to solve.

I'm trying to increase and I need to show what I'm doing in my current, uh, security, what my gaps are, how I address them, how I grow it, and also how I sell and position this to my senior management who has to sign off on the budget. I'm not asking for you to, like, here's one thing that you sell. Like that doesn't help me.

And I love that conversation because these are things, I think as MSPs we're, we're, we're growing into or learning how to go beyond, well, here's a thing that I'm comfortable doing versus selling me a security, uh, package or set of services that align and provide value. Right? Yeah. And I'll make one point, which is this, I should not be the expert. I want my MSP to be smarter than I am in all things security. That's just the reality of it.

If I have to be the expert, then that means I am, I'm the tail wagging the dog. Right? I don't wanna be that. Hmm. I love it. I love it. Ryan. Really interest. I was gonna say, really, I, Jack, we really interesting one, Gary, I'm asked, we wanna ask you, are you surprised that the way Joe had the conversation, what the answer was, meaning legitimate question, but the answer was a thing. No, not surprised at all.

I mean, like, again, we have a lot of vendors and many of them, their job is to sell more stuff. So they're training it providers, MSPs to, to resell their crap. Some of it's good crap. Yeah, no, I mean, absolutely. No offense, Ryan. Yeah. Right. No offense we're, no offense, we're talking about the other guy's. Crap, not yours. Right. Okay. Okay. Alright. I say, I did say some of it's good crap. That's true. All right, Ryan, the floor's yours.

Um, yeah, so when we, when we started off, you said like, you know that attending a cyber call has made you rethink some of what you do or how you do it. We went, you know, if you caught the keynote with Wes and I and on the cyber resilience day, we talked a lot about cyber resilience and kind of right of boom and like the response and recovery areas. Has any of the, has any of this content, anything in the cyber call made you think differently about kind of respond and recover? Um, mm-Hmm.

In terms of your, your capabilities both for yourself and the services that your MSP is providing you? Yep, yep. Without a doubt. Um, before, before the cyber call, as I said before, I was going down the HITRUST path. And so a lot of that stuff was in my mind as far as respond and recover. But I, I hadn't gotten to that point yet.

I was still off on policies and procedures and trying to get, you know, some of the low hanging fruit that I had to get done, done in place, um, to improve our security posture over the last two years, it's improved quite, quite dramatically, which is, which is great. But as far as the respond and recover, I hadn't given it a whole lot more thought except for what it said in the, in the HITRUST requirements with the cyber call. That's just been enormous for me.

It's been, I mean, that, that, that particular graph, the left of boom, right of boom, that particular graph I've actually used started mapping some of our, our processes and, and technologies into what those areas are. Uh, and I've been able to take that information during our management meetings, go up to as far, you know, as high up as a CEO and say, this is what we gotta do. This is, it's a conversation I had just last week as far as, uh, incident response.

Listen, we can't, if we do incident response, we can't, um, we can't just fix it. We actually have to stop and have a good plan about it. I've been working on a plan for a while, but, but I'm, I am, you know, I'm just one person. So it's a, it's a slow process, unfortunately. I got a real quick, I'm sorry, Ryan, I gotta ask, you said your security's changed dramatically. Gimme the top one or two things really quickly.

One sentence when you say that, what are the top one or two things that have made the impact? Well, I would say number one is, is the application development stuff that I've been doing. And number two, our policies and procedures have, uh, have been, I won't, won't say they've been rewritten because I'm still writing them, but we, they've been, uh, geared more toward the higher end city stuff. The HITRUST requires far more than HIPAA.

And I'll give you a third one, security awareness and training. We weren't doing it before. We're doing it now. And that's a, that's been huge because now everybody is on board with it. Yeah. When you did that mapping, I'm gonna go off script a little bit here, but when you did that mapping, to what extent was your MSP involved in that mapping exercise?

Like, did, did they, were you saying my MSP provides this and, and so what was your confidence interval that they're actually providing you that? Okay. Well, yeah, we do say my MSP provides, you know, the backup services, backup and restores. Um, but they, again, they don't do anything else regarding security for us unless, you know, unless it's like firewall configurations or something like that. Um, does that answer your question? Yeah, ish.

I mean, like, yeah, I have this mental model of like, I don't like things that make me feel better. I like things that make me actually safer. And so when I do those gap exercises, the question I always ask myself is, am I, how confident am I in this answer? Do you know? Oh, yeah. Can I, is my, you know, is my position on this answer auditable? Like, can I actually prove what I think I know? Mm-Hmm. Um, and I think it gets back to asking your MSP a lot of questions, right?

You have used that framework, A MSP, I have you bucketed as providing all these things for me. Let's talk to me about the robustness with which you cover these given areas, right? That can be another, another huge way for you to assess, you know, whether or not your current MSP is providing you what you think you do. And the reason I say this is because a lot of times, you know, we, we talk about MSPs and SMBs expectations about what's being provided, not being completely aligned.

And I think that alignment conversation and is critically important. Um, yeah. So along, you know, along along those same lines, right? You said the MSP handles your backups. Um, do they play a role in business continuity and recovery and the, the planning and the determination of recovery time objectives, recovery point objectives, you know, mean time to repair? Are, are they doing any of that? Are they just like, we have your backups if you need them? It's, it's the latter.

We've asked them about how they test it. Um, we actually have not gone through a testing and planning phase with them, but, but we have asked the question, well, how do you test this? How do you know that the backups are are working? How do you know that you can restore it within, within a specific period of time? And they say, oh, yeah, we test it at least once a quarter. Okay. Um, Ryan, Are you Gonna, I have no proof of that. I was just curious, do you have a mean time to recovery?

Ryan, can you go down that path just a little bit for, with Joe and the audience And, yeah. So recovery time objective is basically the maximum amount of time that you could be down, right? Right. Before it causes material, uh, you know, significantly adverse impact to your business, borderline threatens your ability to continue to operate, right?

So it's like your worst scenario, mean time to repair is, okay, well, you know, that that's my maximum tolerable, but like, it doesn't mean that every single instance of a recovery event that I have, I wanna be pushing right up to my RTO. I would've ideally, like my mean time to repair would be something much less than my RTO, right? And then of course, your RPO is how much data you're willing to lose between the, uh, when you get restored and the, when you had the adverse event.

So those, those concepts are really critical to talk about with your, you know, when you talk about continuity planning, um, with your MSP, um, you know, assuming they're providing you that service, but you talked about doing a test, um, or, or table topping. Like I think your next step with your MSP would be scheduling an actual exercise to say, Hey, we just got ransomware. Let's recover my environment and walk through that.

And part of that should be, you know, okay, all the local backups have been encrypted as well, right? And, and, and going through those exercises. I think that's really important. And the other thing I'll add too, when you talk to someone like Chris Laer who deals with all these incidents all the time, one thing MSPs can be guilty of, if I can just say it, is sometimes we, uh, predict and choose what those RTOs and RPOs might be. And, uh, that can never be done without the consult of a client.

Um, how am I, who am I supposed to be as an MSP to tell my client that XYZ system has an RTO of, you know, a week or a day or whatever, eight hours, whatever it may be. Um, they're the ones that know, they're the ones that are the business units, the business owners, and, and ultimately deal with the things like compliance and regulatory requirements around all of that. And I know why a lot of us choking you. I know why a lot of us don't always ask the question.

It's, we don't ask it because it, that takes time. It's very time consuming to go ask those questions when I'm building a BIA with them. But you must consult with, I remember at the bank every year we would go through and we would update, and I'd go to every business unit, uh, unit, and every owner of every business unit say, I need you to review this and tell me, is this accurate? Is this not? Because this is what we're gonna hold ourselves to.

If a big event happens, this BIA right here is the gold standard of what we will recover to. It's what we tested for, and it's what we planned for and what we built for. If you come in outta nowhere and says, you know, I know I said a week, but actually, can you get that thing done by Tuesday? No, I can't. That's why we have that document. So, uh, huge point there. Yeah.

I mean, a lot of times too, right, when, I'll get off my soapbox in a minute, but when an recovery of a backup, they're really talking about, you know, I, I picked a sample of your servers and I, and I prove that I could recover them, but in, in an event like a ransomware incident where every single one of your servers is down and all of them need to be recovered, you're in a whole different ballgame there.

Like, you need to know that your recovery capability isn't just designed for one or two servers, it's designed for all servers, and that that is critically important. Yeah. And that your environment is engineered that way. Yeah. Right? And, and that their recovery capability will meet your, our, your business impact assessment of how long you can operate. You know, the MSP might say, well, it's gonna take me four weeks to recover, and you're like, I can't operate for four weeks. Right.

Or recover. Yeah. Ryan, in that point, and I'm gonna use it, Gary Peak, uh, um, analogy here, Wes, let us know if this is applicable in the 2020s. It's like sucking peanut butter through a straw. But you know, with lair, you know, some of his white Wes, we've had these incidences where they're like, yeah, we can restore. And the data starts coming through 47 days. What's that? He said 47 days. Yeah, exactly. So, Joe, maybe you can charge your MSP on running the table tip type tabletop.

You probably know about more than they do. Um, Brian, go ahead. Yeah. Do you have any other Yeah, no, I mean, I, I was gonna transition to another comp, uh, another question, but if you wanna Keep on it, please. No, no, no. You, it's on, you're, you're up, please. It's yours. Yeah.

So I'm interested because you said, you know, your business is, your business is HIPAA, and you're going after HITRUST and you selected this MSP, they're, you know, you've been, they've been with you for nine years in theory. You're, you've always been a healthcare company, you've always been subject to HIPAA. So when you select this MSP, and when you talk to them, a lot has changed in nine years in the security landscape.

When you say you, when you talk to them about their security, are you saying, Hey, are, do you have a HIPAA compliant technology solution that you can provide me? Are you saying, well, are you willing to sign a BAA with me? Or are you saying, you know, you need to undergo some audit that proves to me that you do the things that I need to assure for under HIPAA?

Like talk, talk to me about how you actually assure what your MSP is providing you is actually providing the security that you required to meet your regulatory obligations. Yeah, so I'm gonna hang my head in shame here. Um, uh, so we got this MSP back in 2012. Uh, I wasn't aware until actually relatively recently that the HIPAA omnibus rule that went into effect in 2013 required the MSPs be considered a business associate. Prior to that. They didn't have to be.

It was usually healthcare companies and healthcare companies. I have no idea if whoever selected them or, or was deal dealing with the security back in 2013. It wasn't me. I have no idea if they had these discussions with our MSP. I have no idea if they have a b if we have a BAA on file. I have that question out today to my, to our management team. If we do, great, and then we can continue the discussion. If we don't, we have a whole different problem to deal with. Yeah.

And then, then I'm gonna have 2,600, um, people calling me, get my business. Uh, no, but, but seriously, um, what I, what my intentions are, and this was part of what I was doing with the HITRUST, um, requirements, was developing a third party risk assessment, kind of a lightweight one, which would say, Hey, what, what are your, the employees who access our systems, what have you done to vet them? Have you done background checks on them?

Do you know who they're, are you, are you tracking their access to our systems? Do you have back doors into our systems? What are the technologies besides what we've provided, the VPN or something like that. Are you using LogMeIn or, or, or case or something along the lines that we're just not familiar with and we don't know about if you are, do you have, are you logging because you gotta get this stuff approved, number one. Number two, you got answers Are no, no, yes, no, no. Right. Right.

Uh, I know those answers. Um, but we need them, we need them to say it. But then it's, it's also going to, to include, you know, any future ones. Do you have a set of security policies that reflect the, the HIPAA requirement? Because if you don't and you're not willing to sign a BAA, then I can't do business with you. It's very simple. Yeah. Yeah. Have you, have you sent your MSP, the 21 questions? Every prospect should ask their MSP. I've sent them 15 questions.

I don't know about this 21 question thing. Yeah, we, I mean, Andrew, Gary, why don't, why don't you inform go, go back and rewatch that episode. Yeah, we did a session on it. It was really good. Joe, I'll send, I'll send you the article too. It was fantastic. Okay. Yeah, maybe Ryan's article, if Ryan's there, uh, let us know Ryan, Ryan, uh, uh, Josh. Yeah.

The, the one thing I'll close off here is, um, from, yeah, it sounds like, sounds like you gotta talk to your MSP, but going back to what's concept of fourth party risk, your MSP is using services and vendors, right? And like Yep. How do you know that the backup solution that they're using has the security in place to meet your requirements? Does the MSP have BAAs in place right, with the, you know, their upstream vendor that might be helping them provide you the service? Yeah.

Um, there's a lot, you know, that, that, that kind of risk transfers. Um, and so definitely good to close that loop as well with them. And, and that's, that's been a, a much more higher focus in the past couple of years. Um, I, I went on a, a HITRUST webinar over the summer about third, third party and fourth party risk management. And it's, it's a very challenging one to deal with this. That's just a reality.

Yeah, I mean, there's a bunch of, like, you can go look at like state of third party risk reports. Most of them say a dedicated third party risk person can generally assess around 50 vendors. How many of you have just 50 vendors? And when you consider fourth party, you're in a whole different stratosphere. Right? So I think, you know, lightweight is definitely the right way to go.

Um, but definitely be asking them about themselves and, and help frame their thinking about the people that they rely on to provide you service as well. Right. Cool. Awesome job. So we've got about 14 minutes. I want, there's a few things left over, Gary, I'd love for you to kick off the sales call role play. Joe has, um, a question he'd like to ask. And then if we get to it, I answered some of your all questions out there. Not all of them, some of them.

Um, but, uh, let's go in that order because I think, yeah, so One little thing, I don't really want to call it a sales role play. Okay. Um, because this is an interview, I'm not sure whether I want to sell Joe yet based on what we heard. Okay. So, uh, he can interview me a little bit, but I think I need to interview him a little bit as well. So where would this be, Gary? Let, let's just say this was real life. This Is our initial meeting. Your Initial, got it. This is our initial meeting.

And so I wanna set the stage 'cause we have limited time that we have. Um, then I'm gonna do two things. Uh, one I wanna point out, if anybody can recognize, like obviously we've uncovered a lot of pain here, right? Can we all agree MSPs on that? There's a lot of things then many MSPs will be listening. They're making notes, probably they're selling along the way. Every time Joe gives them a pain, they hit Joe over the head until he doesn't want to give pain anymore.

That's usually the way this goes. Okay. Um, but what I want to try to do, um, is I want to try to make this more conceptual of, of how we walk through this logic to determine can I get Joe to see that he has potential risk and attach a value to them so that we can decide on a next step rather than, the biggest mistake people make is the uncovered pain, or next step they tell 'em, I'm, we're gonna come in and do, you know, some analysis. The analysis comes back that a bunch of people's wrong.

Now he's technical, we're technical, you know, and, and in the end he just goes back to his vendor and says, Hey, can you do this? Thanks. And you know what I mean? And they may or may not say yes, or you find out in the end that it all sounds great, but you're gonna be two or $3,000 more, you know, 20 or $30,000 more a month, and it's not in the budget. So I, I really want to try to use the time we have to kind of go through that.

And so let, let me start by, um, you know, asking you this, um, Joe, when you're breached, right? You notice I'm not saying if No, I know. Um, I'm saying when, when, when you're breached, there's two things I want to know. One, three, actually one in your mind, how confident are you at that point? You know, you've been breached based on what you have in place and the vendor you have. On a scale of one to 10 today, how confident are you that you're gonna navigate it in the best possible way?

Oh, probably about a two or three. Okay. And is there some value to getting to an eight? Like There's, of course, there's a value to getting to eight. Do you think you can get there without making changes on your side or maybe investing more in a vendor? No. Okay. Does your management team understand that, that there's a gap and you're probably gonna have to make some investments of either time or money to be able to close that gap? Yeah. The, the big question is what are those gaps?

Uh, we've identified all the gaps. A lot of them are, are people in processes? Yeah. Not necessarily technology. Yeah. Abs absolutely. Every time you're on the right track, man, you're, you, you're on the right track with that. The second question I want to ask is, you know, what would be the impact? Let's say that during this event that you were down for 2, 3, 5, 7 days, what a, does your management team understand that that's where it could be?

And what would be the impact on the, on the business? From a high level, I don't think they understand that it, that it could potentially be that long. Uh, I know that we have weathered a 48 hour downtime due to power outage in the area that we couldn't do anything about. 'cause our UPS went down at the same time, you And you live through it. We, we live through it because we don't provide critical patient care that allows us to weather it. Um, So that's not the worst thing in the world.

You're saying It's bad, it's not the worst thing in the world. What would be worse is if, if our data is filled. That was the next question. So what would be the impact if some of that sensitive data was exfiltrated? Yeah, I'm, I am, I don't, I can't speak for the company, but I would say we'd probably end up closing down Pretty, pretty significant. It's it's extinction level event. Yeah, absolutely.

So one of the things are, you know, you've been working with this vendor for nine years and, um, you know, the short thing I'll tell you is just based on what you described, a I think your, uh, the good news is I think you have a pretty good under, you've educated yourself and you have a pretty good understanding of, of some things, you know, and I think alluding to, there's, you don't know what you don't know, so that's exactly right. That's good news.

Um, the bad news is, and I can get into more detail on it, but based on the relationship your vendor provided, uh, provides to you and the amount they charged you, they're not really involved or responsible for anything in your security today. And so either you gotta get all the way there, which I can tell you in my experience of doing this for the last, you know, 20 years, really difficult, like to do it for you in one environment. Like we're doing it across 60 customers, right?

And so we get to see this in, you know, see this in, in real life. And so what we wanna kind of lay out for you, and we can get more information, but we wanna kind of lay out a journey for you. We wanna explain to you how we approach it, what standards we use, what policies we have in place, and then how we do that for each of our customers so that you can see the tools, the roles, the process, all those key things. And even how they match up across, you know, a standard like NIST. Mm-Hmm.

So you can actually see where they fill in. Does that sound kind of what you're looking to do? Yeah, absolutely. Um, I'm trying to gather my thoughts on that one. If I had had that two years ago upfront, someone to come at me and say, look, this is the path you need to take instead of me having to discover it, I think I would've been in a much better position.

But at the same time, the education's been extremely valuable and now I actually have another chance for a different career path down the road just with the knowledge set that I have, which that's just kind of a silver lining plus. Well, I, I think the big thing here is that's all good, but what it's resulted in is that the level of risk that you have said that the company has today compared to a year or or more ago, is dramatically different.

And so let me tell you for us, like what a next step would be is we would want to come back out and I really want to kind of drill into some of the details about what you're doing, where you are in your business and, and and, and what, and what the vendor is doing so that we can start to tell you where we see those with those gaps. If we have to get into more detail, you know, uh, we can do, we can do that as well. But that would be the next step.

Um, so couple questions I had for you are, you know, um, let's just say we run through this process and you think that we're the best thing since, you know, sliced bread. Um, what would happen then? Well then we would need to probably have a proposal to figure out how we get from point A to point B, uh, within a budget. Awesome.

And what if I ballpark it for you today and told you you're spending 2200 bucks a month now we're probably gonna be between four and 5,000 a month, then what would you say? I would say I, I would definitely need to sell that to, to management because it doubles our cost. Um, but it may very well be worth it. Yeah. And if you're ball parking it for me, that's more than any MSP is able to do, typically speaking. Yeah.

Listen, there may be some projects or things to do that we'll uncover together, but yeah, you'll evaluate those and you, they're not really our issues, they're your issues. And you're gonna tell me as we uncover 'em that, that those things make sense and, and over what timeframe, uh, that we do 'em. So here's kind of what I'm suggesting. Um, I, I would like to go to the next step with you. I think that you're a perfect fit for us.

Um, a is this a conversation you need to have with somebody else just based on this high level framework? And is it one you want me involved with where we can kind of talk through this at a non-technical level with your team about where you are and where you need to be? Because really the question for them is, are your costs aren't really going up, you're just gonna pay for them differently? We both agreed there's a cost being a two on that scale, one to 10. Can we agree? Oh, absolutely.

No question. You understand it, but maybe the decision makers, you know, the people that hold the budget might not understand it. Do you think that's a good meeting that we could have together? Yeah, let me check with them off. I'll find out. Yeah. 'cause if we can have that conceptual meeting and prove that value and it makes sense, I I, you know, this is what we do, right? I'm talking to a couple business leaders a week.

I'm confident we can go and I can tell you, you won't have to look at us for red flags. We're gonna present any red flags that we see. 'cause we're looking for a long-term relationship. So I think we, we both have to be interviewing each other through this. That would be great. Yeah. Okay. So Andrew, when I tried to do there is not, you know, everyone on here can get down and talk about their firewall and, and shoot holes in their vendor.

Brian did, or you know, Ryan did a great job of taking apart just that backup piece and I can interrogate 'em for two hours, but in the end, that's always gonna be there. I wanna frame the decision, uh, that Joe has to make the decision process. I wanna start to test value. So I ask that question about one to 10 for a reason and I want to try to use it against my ballpark so that we can kind of set this high level structure for how you make decisions to move forward.

Because you got one, two choices. You can keep the risk that you have whatever value you attach to it, or you can solve it. And if you want to solve it, this is the investment and we're the people to do it. And I'm gonna show you that as we go through and I'm confident of it. So, so lemme just jump in here, Gary, with time remaining. First off, that was fantastic. Like Emmy award. Fantastic. We're gonna cut a piece of that and get it out to everybody.

Second of all, what I'd like everybody, and Gary, I obviously have years with you in understanding this one thing. I just wanna make sure everybody caught out there. Most people would've said, wow, success when you got the next step in the next meeting, Hey, I'd like to come back out, dig a little bit deeper. Most people would've stopped there.

You call it what happens next, but you did something else, which you teach and teach it masterfully and why you have thousands of MSPs do it, uh, very successfully now. And that is what happens after what happens next. Because you would've come out, had another nice conversation with Joe, however, you already knew it was four grand.

You had to get that up into the executive area and ideally that meeting, because guess what, if four grand isn't on the table, then you can sit there in that next meeting and tell them, Hey look, you're just gonna retain the risk. You're gonna be at a two. You're not willing to move that risk up and off of your plate, et cetera. So Yeah, and here's what that could mean. If we had a data exfiltration issue, it could be, you know, a, a death sentence. So it was really good.

But I wanna make the la the main point I wanna make and, uh, I, I'd like to thank the Emmy committee. I'd like to thank my cohost. Um, uh, but, uh, the main point I wanna make, and this is the hardest part for MSPs, you know so much about this. I see people that I know on here that know a lot about cyber cybersecurity. It's so hard when someone's giving us some pain not to just go right and start selling to it. And that's where deals go to die.

Doesn't mean you won't close anybody, but you're not gonna have it. I, I would rather find out now before two more steps that for whatever reason, we're not, Joe and I aren't gonna agree this time we did and it makes sense. And if we get past that next step, I I got a 90% chance of closing. Joe. I can tell you right now in my experience, if we get past, you know, one more step. And so I want people to hear that, that our job is not to sell Joe cybersecurity.

Our job is to think through based on our experience that we can share with him where he is, to frame it, to simply frame the solution so he feels good about, in a simple way, what it looks like, the big things about, you know, risk and money. Try to have a simple conversation around them, how they're gonna get it done. And once we do that, we can use all of our stuff.

We love to do all of our great technical stuff, it's awesome, but we're doing it in the context that we both agree on what this decision is. Yeah. Excellent. Joe, your last que your question to everybody, I think, correct me if I'm wrong, kind of got answered there in that conversation with Gary, right? In other words, you were wondering should you change MSPs hire an SSP?

I think Gary framed out that it's a bigger conversation for you right now and you need somebody like Gary quote unquote that's gonna be thoughtful enough and intelligent enough to have that with you. Yeah, yeah, that's exactly right. But again, stepping out of the sales role play, just as someone who is on here and consider a friend now, um, yeah, you do need to invest more and you do need to have a different relationship that you feel comfortable in this way. Absolutely. I can tell you that.

And that's gonna be the smart thing for, and and I'm confident based on how you present it today, that with the right vendor helping you through it, you're gonna be able to explain that to upper management and they're gonna thank you for it. Yep. Ryan, I think you have something to add.

And I know we're late, but Gary, I just wanna say, can I, can I just say this, Ryan, because I want you to comment on this, Joe, I believe you told me you're the acting security officer for the company now as well. Yeah, about two years now. So, so take that information, Ryan, in whatever you are also gonna say, 'cause Joe's got some risk here also acting. Yeah. I didn't have time to get his personal risk, right. Yeah.

So can you take that in Ryan, as a CISO of a public company and what, so let me let you finish it up here for us. Yeah, I was, yeah, I was just gonna say, and the, the way Joe had framed the question to us, it was, should I look at an MSP and MSSP and MDR? Um, I don't know that you should be worrying about the classifications right now. I think you should really be looking at it in terms of who can help me move the needle in, in reducing my systemic risk as a whole.

And I, you know, I don't care how they label themselves. You're really looking at how do they fulfill the various different needs that you have. Um, I think you're doing the right thing. You're think you're, you know, at the end of the day, even though you own the risk, but you don't technically the business does, right? You're just the person that kind of, you know, unearths it and then tries to help people make sense of it and decide what to do with it.

The key thing is driving those hard conversations at the executive level and the, and like, you know, I think Gary's spot on, you are starting to do that work of unearthing it. You're also starting to do the work of communicating that to your executive team.

That third thing now is that right partner that's gonna come in and help all of you make sense of it, but regardless of that third party, keep driving that conversation with executive leadership because you know, it, it really is a question about what risk do you wanna retain and what risk do you wanna reduce and, and in what order. Um, and as long as you're documenting it and you're having those conversations and they're explicit, you're managing the risk to you personally as well. Yeah, yeah.

And I'm doing that now to, to a I'm starting to do that. Uh, think someone mentioned chat joke. Get a real do a real BIA Thanks Wes for your basic BIA template. I mean, I'm, I'm starting to do that, get everything documented so we can get down this path properly. 'cause I'm struggling frankly. Yeah, and the thing I'll I'll note is, you know, Wes and I are both CISOs, uh, CISO should have a CISO network. So consider us and your CISO network and reach out to us anytime you need help. Great.

Thank you. Up. Yeah, I'm hoping what you came away feeling from our conversation was that for us to work together, we gotta be on the same team to do what Ryan said of figuring out where you are looking at your risk, your company's risk, dealing with management on your behalf.

You if, if we're not that partner in that vendor, if we're not together in that on the same side of the table, um, and I'm over here trying to sell you something that's not going to get you there in terms of a complete look at security. 'cause once we do that, we're sharing responsibility for this in the truest sense and we have each other's back. And so hopefully the questioning in the short time we had made you start to get that feeling about what we're trying to do with you. Yep.

And uh, I would sell you, but I'm currently between MSPs. That was fantastic. Well, Joe, um, thank you for coming out here, putting yourself on the line and just doing a fantastic job. Um, everybody out there getting us over 2,600. Thanks. Thank you so much and thanks again for all of your support, help, friends, peers, this is all for you guys. Ryan, Wes, Gary, awesome job as always. Fun today, right? Does everybody agree? This was fun day. Oh, it's fantastic.

Thanks for helping us with a fun day. Yeah, Gary. Fantastic. Everybody have a have a, uh, super week. We'll see you back here, uh, in, in a week. Take care. See you guys.
