Skip to main content
Right of Boom
January 30, 2025

April 26th, 2021 – Packaging & Pricing your Respond & Recover Functions

In this video, Gary Pico, Ryan Weeks, Wes Spencer, and Chris Lair discuss the challenges and strategies of packaging and pricing in a post-boom era. They explore the importance of aligning responsibilities and roles within MSPs (Managed Service Providers) to effectively manage cybersecurity and operational processes. The conversation delves into the significance of incident response, risk management, and the evolving landscape of cybersecurity, emphasizing the need for MSPs to adapt and prepare for future changes.<ul><li>The importance of MSPs understanding and setting clear boundaries for their responsibilities in incident response and cybersecurity, particularly regarding data ownership and insurance requirements.</li><li>The evolving role of MSPs in cybersecurity, emphasizing the need for adaptation and the integration of automation to enhance security offerings.</li><li>The significance of practicing and preparing for incident response and recovery, including understanding one's own systems and dependencies.</li></ul>

Guests

Andrew Morgan

Video Transcript

Hey guys. Welcome to week 47. We are getting close to our one year anniversary. Do you think we can hit 3000 by then? I, I, it'd be a pretty cool, monumental thing. So great to see everybody. Hope you had a great weekend, as always. Joined with, uh, my guest or my host rather. Gary Pico. Ryan Weeks. Wes Spencer. How are y'all doing? Awesome. Whoa. That came in and then, uh, because of today's topic, uh, called the quick audible Chris Lair Kind enough to come on. Thanks for doing that, Chris.

Uh, 'cause uh, today's topic is packaging and pricing in, uh, I either call it a post boom or your respond and recover functions. Um, Gary got a lot of questions, uh, recently on packaging and pricing. I'm getting them, and I know interestingly you're getting them as well and doing a lot in the peer groups. Yeah. And so I thought it was timely. Um, kind of, it's kind of been great having you with us.

You know, we get very technical at times, get very deep into different subjects, but if we can't, again, bring it back to business and actually making money operationalizing it, it doesn't go so well. Um, so really that's what I, I gotta tell you one thing I'm feeling, and we had our peer meetings last week. Yeah. So, you know, I got to interact with 160 or 170, uh, MSP leaders in some form or another. The first thing I'll say is, for the first time in a long time, this business is exciting.

Yeah, right. It, it was slow to change for a long time. And although some people might be overwhelmed right now, and, and there's new winners and losers, we're here to make sure that everyone on the cyber call, and that's my job with my customers to make sure they're winners. But, um, I, I see people, a lot of business owners that've been doing this for a while. They're getting reengaged, Andrew. Yeah.

One is they have to, but, but, but they're, they're getting something, you know, from this and the topic we're gonna talk about today, um, around changing responsibilities, changing stack, changing, you know, uh, process and then how we go to market. It's complicated. It's complicated and, and it's, uh, and, and it, it's, it's a moving target at this point. So, um, I, I'm glad we're gonna, we're gonna give some answers, but honestly, some of it now is just knowing the right questions.

We don't, you know, not everything's gonna have a perfect answer to the way people like Fair. That's, that's a great point. And, and I think, uh, in setting the stage, Gary, you know, I'm gonna just do one few quick announcements, but it's a lot easier. I think what you're saying is it's a lot easier when we are just looking at technology and something's at a per seat and we can get, know that it's this many seats that are managed.

Here's the role, here's my hog cogs, and, and I can start to, that's e quote unquote. That's a lot easier than post boom. Yeah. Which is a lot more people processed. Um, so very cool. Alright, so quick few announcements. Gary, number one, both of 'em I think are around you. Uh, you gotta leave us at 1 55 Eastern. Yes, I do. Yep. I have a, I have a engagement that I can't miss at top of the Hour here, so I just wanted to let, let everybody know that Crystal sing for us from 1 55 to two.

So that'll be exciting. And then, um, Gary, um, I think we're getting pretty close to have the landing page up for your new portal. Yeah, We should have it for next week. Okay. Very cool. So We'll be able to start letting people who aren't part of True Methods, um, be able come in, get a free trial, get access not only to the cyber security track, but they can have access to everything we're doing, all 200 hours of role-based content. Right.

And you're gonna put some kind of specified period of time on that. I don't know. We're not, we'll come back. Yeah, yeah. We'll probably give people, they can come in for like 60 days. Like we're, we're, look, we're just trying to help people right now. Yep. So. Very cool. Okay. So I'm just gonna put up a first poll question for everybody and then we will, we will go. All right. So that poll question is up. And Gary, so, um, here's my thoughts, right? So I'm getting these questions.

You are getting questions on packaging and pricing. Yep. Um, you know, last week, you know, we had Forest on, we were talking about threat modeling. It was, it was great. And Ryan and Wes did a fantastic job really kind of walking us through that. And I said, Gary, is this opera? Can the MSPs eventually operationalize these things? Tabletops threat modeling, IR planning, things that are in essence planning and or right of boom functions. And you said it starts with roles.

So I wanted to start back there with you. Talk to us about that and, and maybe kind of engage from there if You would. Okay. So just at the highest level, think of it this way. Um, like you have certain roles and functions. If you are working with true methods, we teach five of them, right? Professional services, which normally is, that's the old school business that's billable. And then in our monthly fee, we have our centralized services. That's our tool stack and the labor to, to manage it.

Um, we have support. We should have some VCIO process built in. And now you have some type of, you know, compliance governance. We call that technology alignment. So as you start to say, okay, well we, we wanna offer these customers to help with their incident response. Okay, okay, well who is gonna do it? Does it fall into one of those existing delivery areas? 'cause if it does, they probably are gonna take a more time. They're gonna manage less customers. Our cost per seat's gonna go up.

Or is this a role outside of those delivery areas? In which case, how are we gonna charge for it? Is this something by customer, by price? Like, you have to make all of those decisions. So I think that at the highest level, you have to make that first choice. 'cause it's very different and you know, you may not know. And for, you know, if you have less than, you know, 20 or so employees, it's really hard to start to offer something outside those delivery areas.

Everyone's gonna try to get the current team to do as much of it as possible until, until they can't. 'cause we understand that. Right. Does that make sense everybody? Yeah, no, it makes a lot of sense.

And, um, so, so following that up, let's, let's just use centralized services, Gary, because I think it's something, And I'd like to also talk to someone, one of those people who said Yes, I, I'd like to, if we could today, Andrew, ask 'em how they're having those conversations and how they're looking at what their costs are and, and, and their pricing in this to get some real live examples we can talk through.

So how about we do this, let me just kind of ask you one more question and we can see if someone will come on while we're, we're going through this as, as you start to ask maybe Ryan some questions. And I'll work on that. Gary, let's use centralized services. Again, this is a true methods term. You, let's use this just to, if again, can you talk through, 'cause this is something again, typically left of boom, it's tool centric. People can relate to it. We've all been doing it for years.

It's like prevent, it's either like, as an example, your RMM tools or preventative tools, your EDR. Again, walk us through that, how you look at those calculations so that people can really quickly start to understand, quote unquote, something relatively easy to look at in a business model versus Yeah, you're saying relatively. 'cause most people don't have their arms around it, right? And the hard part is they're buying different tools that are in different increments.

It's, you know, this is per gig, this is per domain, this is per endpoint. Like, and, and, but we're selling some monthly fee. So we use a seat as a measure for those things. So we have to make those calculations. But also what we've been stressing with our peer members is when you look at a tool, okay, are you, first you gotta figure that out. This is gonna cost me on average six bucks a seat, three bucks a seat, seven bucks a seat. Then when I turn it on, what other responsibility do I have?

Like from a labor standpoint, is there more things? Am I getting more alerts, more things to follow up on? Do I have to contact the customer more? Because every time that happens, who, what role is gonna do that? And if they're gonna spend more time when you turn a tool on your cost per seat for the labor for that's gonna go up in that role. So that's number one. You gotta be able to have discipline about looking at that stack.

And as our, and as our, we get tool creep, you gotta almost be able to prioritize those tools because you don't have unlimited budget to be able to say, this is where I draw the line with our core offering. This is what I feel good about. And I gotta be honest, after seeing, you know, a bunch of updated packaging and pricing, you know, in our benchmarking tool, I'm seeing three pieces.

I'm seeing a core offering now with a lot more security process and tools, uh, like in, let's ballpark it in the 1 75 a seat range. That's not counting backup, right? So if they're at backup and they're using Datto and it's seven or eight bucks a seat, they maybe have that at 40% gross margins. So they're not able to put that in at 70. Then they have the things like some enhanced security offering. We see those anywhere from 30 to $50 a seat.

And a lot of times you, he that you, that's like perch and, and some additional things. And you haven't even gotten to dealing a hundred percent with the topic we have today around incident response, Andrew. So can you see one, we have to organize this in our head, but it's people that are delivering more of it. They're seeing how time consuming it is and that it, they have to learn how to have those conversations with customers. 'cause it, it'll get, it's getting real expensive real fast.

Yeah. Good stuff. Ryan, do you mind if I call a quick audible? Can a lot of people ask right, right of bloom left to boom, sorry for everybody out there that it hasn't heard those terms. Um, we've spoken a lot about it here on the cyber call. So if again, apologize, Ryan, can you just give a quick, quick synopsis of what that means? Yeah. So left of the boom and right of boom is another framework for talking about the activities we undertake and when we undertake them in a security program.

So boom is the bad event. A lot of current activities are focused on prevention of the bad event or prevention of boom, that's what we call left of boom, the things we do to prevent the bad outcome from occurring. And then there's a whole set of activities, right, of boom after the bad thing has occurred, which means like we need to be able to detect that the bad thing has occurred, then we need to respond and recover from the bad thing.

And so left of boom and right of boom is just a way of kind of bucketing two very broad, large sets of capabilities, um, in into, into kind of, um, you know, a methodology that ultimately leads to cyber resilience, which is, you know, kind of a different framework too. Yeah. And, and what I'm gonna do real quick here, Ryan, is uh, you and Wes did a fantastic, uh, session when we did the cyber resilience seminar about a month or so ago. If you want access to that, just email me here.

Uh, it's in, um, either in the cyber nation or I'll get you access to it in Crowdcast. So just, they did a fantastic job. Alright. So Gary, lastly, and then I'll turn it to you to be in essence the moderator with with Yeah. The team here. I'll look for some folks that may be interested in coming up and talking about how they're seeing it, what they may be doing. But, um, I'm gonna give you the crystal ball here.

And, you know, um, you know, again, Gary, think, you know, you and I originally all the way back when you became a customer, ConnectWise, you know, way back 2 0 5, we, you know, known each other. And then, so when you look at this, right? Over the years, MSPs have been able resilient, well, to use a very Yep. Pertinent term.

You know, you have your leaders who jump on cross the chasm quickly figure things out, typically the most profitable, uh, not always, but they're, they're the leaders and get things going. Yep. You know, and so whether it was cloud or whatever it is, what are you thinking here? Are we gonna, is the same thing gonna happen, you know, with cybersecurity, or do you think it's gonna play out differently? Uh, how MSPs go.

So here's what, here's what I think in the short to medium term, I mean, over the next, from now out for like probably at least three years, three to five years, um, this is gonna really force more winners and more losers. In other words, the people that are, are here today that are doing the hard work, that are trying to understand their cost drivers differently, driving process, becoming more professional business people, um, we're already seeing it.

Um, I, I mean, uh, our peer groups had the highest profitability in Q1 ever. Okay? Mm-Hmm. But I talked to a lot of MSPs that don't have the same command over their business. And so all this complication is making it harder, and I'm seeing it create that. So I think you'll see more of that longer term. And I wanna have everybody else's, you know, I'm anxious what, what everybody here thinks, especially, uh, Ryan and Wes.

I don't think our role in security will be the same in five years, because I don't think it can, like when you have a gap where MSPs and SMBs are so outmatched today and it's costing so much money, uh, that there has to be a, a different solution. And there's a lot of fingers on keyboards right now around the world, and there's hundreds and hundreds of millions of dollars pouring into Dev to be able to find services and software that are gonna more cost effectively deal with these things.

And so we've seen this, I watched it even with backup. You know, there was a time when, uh, you know, data grew much faster than the ability to back up. And we were charging people $22 a gig, right? It, it wasn't sustainable. So companies like Datto had to come in and the opportunity's big enough that you can raise money and do it and, and solve that problem.

So I wanna start with Wes and then Ryan, do you think what I'm saying is accurate that our role will change and we better make sure as we solve this, we're keeping our value tied to that relationship we have with the customer as we move forward? Yeah. I, I do. I mean, clearly it's changing. I mean, look at, just if you don't believe that, look at where you were at in 2017 compared to today. Yeah.

How many of your, your clients were getting breached and when they did the worst, it was maybe a $10,000 ransom, you know, something like that. Um, also yourself, back in 2017, no one cared about you. Uh, the game has changed. We all know that. Right? That's why perch calls those buffalo jump attacks. Like literally threat actors focusing on you, so to say in 2017 to 2021. Looking at the changes, Gary, just a few short years, what do we think the next five years might look like?

That's, that's eras in cybersecurity for sure. And so I think there's some things that we need to be focusing on for sure. Like, because we have the opportunity to drive the direction of where we're gonna go in the next five years, we can either be in the driver's seat or, or that driver's seat is gonna be somebody that's not of our choosing. Um, and that's a scary thing, right?

So I do think a couple things that just come up, and I haven't given this a ton of thought yet, but, but what comes initially to mind is automation is a huge driver for all of this. We've done such a good job at automation in it. Why should we not be doing more automation in security? And I'll give you an example of this, Gary. Um, good automation could push responsibility to a client. What happens if we notify a client of X, Y, Z, that we have no idea at the MSP whether this is right or not.

And they choose to say, yeah, no, we, we approve this, we think this is right. And then something happens that comes out of an output of that in in the middle. Netflix. Netflix does it. That's right. These things happen all the time. And I think those just as an example, like what a great way to put ourselves into the driver's seat to say, Hey, client, you're the one that authorized this. You're the one that saw this and approved this. You're the one that looked at this.

Those are things I think are really, really important, right? So I think automation, and not just automation in terms of getting the client to respond back to things, but automation in terms of all of our tools together. You know, I remembered the last IT nation I was at right before the pandemic. I was asking a bunch of partners, I'm like, Hey, what'd you think? What's been the theme to you?

And I hear the vendor sprawl and you know, API over everything, which is great, but how are we supposed to make this work? And we're still juggling these legacy vendors that don't support our integrations into all the things, right? So these are things that I think from an automation perspective in security, we really have to explore and say, what does it look like to go down this journey to have a truly automated pathway into this?

Because one thing I think, Gary, that is for sure in five years we're not going to have, um, a, a team of 15 to 25 security analysts at every MSP. That's not gonna happen in five years. No. So we're either gonna be driving the security seat or someone else is gonna drive it for us, and we're gonna lose that, that capability. Yep. Absolutely. Ryan, you see from a different, like, you know, you, you do this for a company for an, you know, enterprise.

So do you see this any differently or do you, are you thinking the same thing that the, the current situation and gaps, MSPs can't fill all of them and they're gonna need help? Um, I think it depends on how quickly each MS P can adapt to what's happening. Um, but I think for the most part there is, uh, kind of an acceleration of a lot of different things, a lot of different verticals.

You got kind of regulation acceleration, you have threat actor, um, acceleration, um, you have supply chain attack acceleration. And so it's really a question of whether or not the MSP is gonna be able to combat the battle across multiple fronts. And so I think there is going to be just like everything else, an assessment of where you wanna, you know, where you wanna invest your time versus where you wanna partner.

But I think, like, I don't really think of that as like, um, you know, does the MSP need to change? Because I almost view that's like an implicit assumption. Like if you're, if you're an MSP and trying to avoid change, you, you're not ex you don't exist in an ecosystem right now that's gonna allow you to stay static. And so it's really a question of how are you going to change? Um, rather than if, because I mean, just, you know, since Covid started there's been massive shifts Yeah.

Um, like, like very meaningful shifts in threat landscape and in in technology adoption. Um, you know, and so I I, I, yeah, I think, I think you have to change, and it's a question of how and how you want to go about it. And I don't think there's a formula for each MSP that's the same. I think they're gonna have to figure out, um, 'cause each, each company, even though you're MSPs, right? Um, think of it this way, that'd be like saying Datto and ConnectWise are the same company.

We may provide a similar service to MSPs, but we are not the same company. You Have a different risk profile, different priorities, And two MSPs are completely different. So you're gonna have to figure out how to manage that change for yourself. Yeah. Um, but if you're thinking you're gonna avoid change, you're, you're on the wrong ship. Yeah.

You know, um, one where we came away as I did the wrap up in our peer sessions was, look, we have to have these theories, like I'm presenting about where we think things will go, doesn't necessarily, but today all we can deal with is the current threat landscape, um, our current organization and process our current stack and make the best decisions. And then, and then we gotta beat on things like the cyber call. We gotta be in reading, we gotta be on top of things.

And we have to try to always be looking out further than we had in the past so that as we get to how things change in three or four years, we don't have the answers today, but each day and each month and each quarter, it'll start to be revealed little by little. Um, I had a question for you, Ryan. Let's talk about like, um, I think incident response is like a big thing, like right of boom. So we'll, we'll talk about that and that's why we have Chris here.

Um, what's the kind of, if MSPs not only for themselves, but they wanna start having this be something that they're doing with, for or with their customers, what does that look like from a skillset standpoint? Specifically regarding incident planning or, Yeah, so they have their customers and most of their customers, a lot of them may not have anything on that side and they wanna start moving them down there. And how much of it should be the responsibility of the msp, I guess? Yeah.

I mean, I, I think it's, the way I view it is I think it's the MSP's responsibility to help walk them through the conversation. Um, you know, and it also depends on the dependence of the SMB on the MSP, like, the extent to which they actually understand their IT systems will, will vary, right?

But I think at a minimum, the M MS P should be able to walk them through the thought exercise and that the capability to walk em through the FedEx thought exercise means you don't necessarily need to be even super technical, right? But you do need to understand how data moves through systems. You need to understand how it's used, why it's used the way it's used. And most importantly, dependency mapping.

Because if you're gonna do a BCP exercise or an IR exercise, it's really difficult to do it well if you don't really understand dependencies that exist on different systems, right? We all would pretty much know what would happen if our PSA went down, um, but maybe not so much if like our IT documentation store went down, right?

Um, so like you need to understand how those different things integrate because if you lose one tool, um, then that might have kind of cascading impacts for your business. And so the kind of ability to understand how data moves and the dependency mapping is, I think is really critical. Yeah. Um, and then the other skill is something you can develop, like, it's called failure mode analysis, right? It's, it's thinking through, okay, now that I understand how the system works, how can it fail?

And then how do I, um, you know, and then using those failure scenarios as things that you're actually gonna model in terms of incidents or disasters. And so usually before we even get to the point where we do A-A-A-B-C-P exercise or an IR exercise, we actually seek to understand the environment as fully as we need to, and then do failure mode analysis and then build their scenarios from there. Yeah, That sounds great.

But you're saying that as, as a guy who's owned a couple MSPs and knows a few, I'm thinking if my team came to me and told me that, I'm like, how the heck are we gonna do that? Like that, wait a minute, that doesn't fit into any of our clean boxes here. It's probably, and I would be saying like, well, who's gonna do it? How much time will it take? Like how, how do I go? Yeah. I mean, listen, I think for an MSP, right?

We've, we've, um, I've walked into MSPs that don't really understand how their systems integrate and depend on one another. And within four hours was able to build out a very deep understanding of all of their systems and how they integrated, right? Yeah. And then from there, we've done threat models where we actually say, okay, if I was going to attack you based off of what I know now, here is where I would go. Yeah.

And so I think like if you're studying your system and how it, how it works, um, you can probably get from not having a great understanding to having a decent understanding to do the exercise in a half a day. And I think the other half of the day is actually modeling exercise.

I think it's probably like a, a one day investment to say, here's a specific system, here's a specific incident, let's look at our environment, make sure we have the most recent understanding of it, and let's pick a couple scenarios to run through it. And I think you could do that in a day. If you want to break that into two, you know, you'd probably do the first half, which is understand the environment, build the scenarios one week, and then do the kind of scenarios the next week.

But I think you can do a fairly decent job in four to eight hours, uh, for some of these things. And then there are things you touch on regularly. So is that something you wanna revisit customers with quarterly? In which case we can start, we have the seeds are starting to build out, like, okay, how many hours is that? Like how many days we want 70% gross margin? How many customers can I touch if I'm doing that? And then making sure that our leverage cost numbers are there. Yeah.

Chris, Go ahead. Sorry. The one thing I was gonna say is like that four to eight hours might sound like a lot just to do a, B, CP or an IR exercise, but if you document the outcome of that, that starts to feed into change risk, right?

As you're gonna change the tech stack as you're going to introduce something new into the ecosystem and actually gives you something to go back to and say, because I'm doing this, how is that going to change my readiness for an incident or my readiness for a business continuity event? And so having that, doing that exercise is actually really useful because it becomes something you can refer back to as you're making changes that might change your risk profile. Yeah.

So I, I, I was gonna go to Chris, but I first wanna go to Wes and then the follow up question to Chris. So Wes, what I want to ask you is, and all the partners you deal with, how you feel MSPs are right now in terms of addressing this. And then I want to ask Chris, 'cause he's dealing with them after the fact, right? He's dealing with them, you know, uh, postpone how differently they view this.

So, but I wanna, I wanna start with what, when you say this, you mean like the incident response postpone? Yeah, yeah, yeah. Being prepared themselves, but also having these conversations and starting to make sure that their customers are prepared in the way that Ryan just described. Yeah. So it, it is across the board, right?

Like I've, I've personally been on conversations with an MSP, uh, that has been outta New York or one in New York who, um, was in the middle of a breach, no clue what was going on, didn't even know if they had cyber insurance or what it would do or mean for them, like literally unprepared.

And I'm, you know, here I am, fortunately this is off camera, but I'm like wanting to rip my hair out, being like, you guys are about to go through the worst journey of your entire life and you have no idea, um, all the way into highly enabled MSPs and MSPs that use a breach, um, almost offensively like, Hey, yeah, it happened. We're, we're recovering very quickly through the motions. We know what we're doing through all of this. We're clearly communicating.

Um, we've got all the right parties involved. We've gone through all of the IR steps prior to a breach to know how to handle this from attorney-client privilege to getting insurance involved, being speedy with incident response and handling this. I've personally seen that happen before. And, um, it's almost So they're using it as a way to build their value. Yeah. Y yes, exactly right. And, and they're not panicking. They're, it's like a general barking out orders in the middle of war, right?

Like, have you seen a war movie? And like, I I, a good example of this is, um, a band of brothers, right? And there was a, they were in ba stone and things were not going well. Uh, and all of a sudden, um, Colonel Winters comes in and here he goes, barking orders, and he takes command of the army, and all of a sudden a disastrous situation becomes clean and they, they win the battle, right? And like, I get goosebumps when I think about that.

Like thinking like a battle commander that knows what they're doing in the middle of, of war, that only comes through experience. That only comes through practice. That only comes from, you know, it, it preparation born. Yeah. You're not born into this. Like, there's nobody on this call today that's like, man, I'm just naturally talented. It's cybersecurity. It's just something I was born into. No, no, no. It doesn't happen that way. Right?

It happens by practice and regimen and, and knowing what you're doing and being serious about it before all those things happen. So Gary, I mean, I do, I see it across the board. Most of us are in the middle of that, right? Right. We, we thought we were prepared to some degree we were. But there's a lot of gotchas, and that's always a question I'm always asking lair, like, what are like the recent gotchas that people are not seeing?

And you know, lair, like in, in our threat report that we wrote, I remember Lair and I talking about this, and he was like, you know, I'll tell you something right now is MSPs are not prepared for, now that we have so many privacy laws and data exfiltration is standard, they're not prepared for the cost of how I handle that data. Exfiltration lair can talk more about that, but that was something that just went off in the top of my mind of like, he's exactly right.

Um, and this is why we, we constantly have to have our ear to the ground and the process and cycle of cybersecurity to understand who are threat actors, what are the adversaries, what, how do I threat model against all that so I can understand how to, how to handle a situation. Um, because they're always gonna be new, new and different. Yeah. And we're gonna work on that. We're gonna put together a session on threat modeling team, so that'll be coming up. You'll get more on that soon.

So Chris, couple questions for you. Um, the first one is, um, you're dealing with these MSPs, whether they're prepared or unprepared, um, uh, you know, once there's been a breach for themselves or their customers. So, um, how does their attitude towards dealing with this and what they need to do for their customers moving forward? Change, I guess would be the first question.

And then I have a follow up question about where's the low hanging fruit that they can get to first to try to, uh, make sure they're reducing their risk in their customers? So they're the two questions, Uh, two good questions. So what I would say is, you know, we we're seeing obviously a lot more cases where the MSP is, let's just say, not at fault or not the target, but their clients are. And I would say you kind of see 'em in three buckets.

You kind of see these MSPs, uh, that really are saying, Hey, look, this is not our area. We're here to help you take the charge and, and move on. And, and we'll play our part. You have that, you have some MSPs that, you know, absolutely just kind of freak out. They'll know what they're doing, you know, they are bubbling, stumbling, their signs of immaturity are apparent right up front. And so, you know, you're not gonna probably be able to count on them for much.

And then you have the other set of MSPs that, that, that have a said process, right? They know what they can do. They know their, they know their limitations. They know what, where they're gonna step and where they're not gonna step and so on and so forth. And so that's where they are. And I think that that's the most important thing is to just acknowledge where you're at. Obviously you may have a plan to get there some other place, but don't, don't jump too fast.

Um, you know, I was talking to Andrew earlier before this call, and there's a, there's a ton of people saying they do instant response, and it's, it's, it's a, it's not very clear on what they mean by that. Meaning like, you'll say, Hey, they'll tell somebody we do incident response, but then they don't do forensics, and then the attorneys and everybody are confused when, when there's, well, you said you did incident response.

Well, well, we didn't know you met, we forensics, we, we can do all the recovery stuff. No, no, no, no. Instant response. The, the total total deal. And then we see a lot of other people that do instant response, they do a recovery and stuff, and they don't even mention any of the things to their client about risk or possible exfiltration or stuff about there that's gonna, that may be posted, may not be posted.

The fact that they probably should be legal, just like what, um, Wes was alluding to earlier with all these laws. And just like on the cyber nation, we had not too long ago talking about that you, you're required to speak to the attorney general. Um, so I mean, those are the things that, that happened most. I would kind of point, here's kind of an interesting one too that's popped up, is this, this latest one with this qap vulnerability, right?

So this QAP vulnerability that got out, it's a ransomware type deal and it's, I think it's like $500, right? The challenge with that one is that $500 is like stupid cheap to do all the incident response and everything around that $500 is ridiculously expensive. Yeah. So that becomes an interesting situation. And so when I say you gotta know where you're doing and know what, and know how to react, you're not gonna know all the answers, but you have to have a set of people to do it.

I've also seen another, a number of service providers have one person and this one person, they've either brought in or he or she's been trained or whatever, and the, you're not gonna have one person that's gonna know it all, it just doesn't happen. I've talked about this before, being security, it's a broad umbrella, but you can't say that anybody's in security knows everything, right? It just doesn't happen.

Like, like I always tell people, my senior forensics people are, are, are the greatest forensics people you're gonna find. They care so much about it, about their name being signed at the bottom of that forensics report and everything like that. But are they gonna be the ones that tell you how to configure a firewall correctly? No.

So when you bring somebody in or you have somebody security and they say, yeah, no, all this security stuff and can do all these controls, and then I turn around and I can do forensics and all that type of stuff. I'm telling you, there's just that person does not exist the mind that that mind is not the thing. And If they did exist, they wouldn't wanna work for us. That's exactly right. Yeah. They're, They're not that kind of talent's not gonna work for the average or above average MSP. Yeah.

And so you can't dip your toe into the water. You're gonna have to be ready to, you know, roll up the anchor and be able to go into the water and face the weather, whatever it is. And, and that's really what the important side of it is. And so I think the, uh, you know, I I, this has been a topic I've talked with MSPs a lot about lately. You know, there's some ms you know, there's one MSP says, look, hey, incident response planning, incident response testing, I'm all on board.

But when it actually comes to an incident, incident situation that is, that is the, uh, cybersecurity insurances lane, they're gonna plan in it. All of my clients are gonna have a policy, and that's just the way it's gonna go. Yep. And Chris, they more have their team Say That again at that point on what not to do.

I mean, if they're More concerned when they're in that role that they're not gonna do anything that's gonna hinder that process, which is really the first reaction that most people have. Everything we were taught to do in the past is the wrong thing to do now as we destroy evidence. Yeah, that's exactly right. I mean, just like I've talked about rebooting, restarting, all that type of stuff.

I mean, I, we've had a number of 'em where they've said, yeah, we've, we've left the servers alone, but we wiped the seven or eight workstations that were affected. You know, that workstation is probably patients, one of those workstations is probably patient zero. And so, you know, and then, and then the other thing I want to talk about just to, just to back up a little bit is, Which hang on once, but I want everyone to listen.

If you're gonna go back and listen to this, go back and listen to the last two minutes, what Chris just said about that delineation that you have to build with your clients about what you're responsible for and what you won't be responsible. And you described it in a very clear way, Chris, so kudos on that. Yeah. And, and, and, and, and then, and you don't want any of your clients being a Guinea pig when it comes into, well, this is a small one, believe me. Unfortunately, there is a small one.

I would say this QAP one, maybe a small one, but that's a, that's an exception to the rule. The other thing I was gonna say, just thinking about incident response, thinking about security, one of the biggest blunders I see is lack of acknowledging that security and incident response needs to be brought in all the time.

So if you're doing, I, I cannot tell you how many times we've been on, on calls where somebody has, is in the process of, or has recently moved their stuff, moved the client's stuff into the cloud, and they get popped and you're like, well, why did you do this this way? Or whatever. And they're like, well, that was the second phase of our plan. The first phase of our plan was to move it to the cloud. The second phase was to do the security stuff. You're like, that doesn't make any sense.

You gotta have it up front and you have it, have it, you gotta have it in there. And if you don't, you're, I mean, I hate to use these legally loaded words, uh, like negligent, but in my opinion, in these days, in 2021, you're absolutely negligent for doing things that way because those bad guys, there's so many of 'em out there now, they're waiting for that one little window.

Do you mean like, when every customer calls you a, a year ago and in thir in a week, they need to, they need to be work from home. Oh, yeah, yeah, yeah. That's, that's, that's a perfect one. Right? And, and, and we had that and we told, and our customers were yelling and screaming, just do it. We don't care. And we're like, no, it's gonna be done a secure way and we're gonna get it done. We're gonna work extra hours and we're gonna get it done. So, no. Yeah, that's it. That's exactly the point.

So I think, uh, go ahead, Andrew. No, no, no. I was just, no, no. Finish up. Go. Oh, no, no. And so that, yeah, I mean, that's kind of it. You, you gotta be thinking about, just like we said, this instant response plan is a living thing. It's gotta be a living thing. Every change, material change you make in an environment, you gotta test. And you gotta make sure that instant response plan is updated or at least reviewed in, in reflection of that. Gary, uh, I just, Chris, that was awesome.

I brought Daniel Moyer on. Um, these guys have been doing a lot in cyber. And, um, so, so he brought up a question, um, on, you know, chief risk officer, but I thought it'd be a good time for you to have a quick interaction with one of the partners out here and answer some of his questions. So, Well, can I ask Daniel, can I instead turn the tables? I'd rather ask you a question. Sure. Uh, nice to meet you. Nice to meet you. First off.

Um, so from where your team sits, what we're talking about today, when you're having conversations with your customers about where that responsibility is around incident response, what you're responsible for, and when that really needs to go to the, in the insurance company, how do you, you set those?

Do you set those expectations and how, So we've, we've had some conversations and part of it is, um, discussing with the clients as far as who's the custodian of your data and who's the actual data owner themselves. So that, that's usually the, the biggest hurdle that we come across for discussions with clients is that that whole ownership, because it's, we're trying to get over that piece of, you do everything for us, so it's your responsibility. Well, at the end of the day, they own the data.

We're just helping them get to a more secure place. We're helping them manage it. But that, that's usually the biggest hurdle. Um, initially. And then as far as the incident response aspect, we do have some language around, um, that in our MSA as well as in our agreements that the, the everyday care and feeding of your environment, the aspects of a user calls in is, is at one point.

And then once it tips over into that incident area, it's, this is outside of scope of the agreement, um, this is where you need to start engaging in your insurance aspect. And that's usually the, as part of that conversation with the custodian, um, data ownership piece is like, when was the last time you've read your insurance?

Do you realize certain aspects such as some points that you guys have brought up before of, well, if you do need to pay a ransom, is it a reimbursement or is the insurance gonna pay for it? A lot of people don't, haven't even read their insurance policy to understand like, what's their responsibility and when to engage, how do engage a lot of the checks and pieces, because a lot of 'em will pencil whip it, for lack of a better term to just get through it.

So, So that brings up a question I want to ask, uh, Wes, but before that, did you, what questions do you have for us? So the question, uh, I've been reading in some of the more, uh, recent pieces is how cybersecurity is sort of relating in that risk area and may roll up to not necessarily a CIO or a CIO in that regard, and more to the risk officer if your organization has one, because it does encompass a high level of risk.

Granted, a risk officer is also accounting for different areas outside of it, but it's where do you, where do you start drawing the line of needing to have some subset of a risk officer aspect in your virtual CIO or CIS o components? Yeah. And having those discussions. So Right now, MSPs are just, they're driving butter knives through their heart as you're talking, as we speak. And I see, and I see Ryan's chopping. Yeah, Ryan, You got some thoughts, Rob? Uh, yeah.

So I'm the CISO for datto, but I'm also the chief risk officer for Datto. Um, and so I don't just track information security risk for the business, I track enterprise risk for the business with a, with a committee of other executives. Um, but I'm the, I'm the primary risk manager for the company. And, um, I, I think we're seeing that increasingly with CIOs and CISOs, because cyber risk is without a doubt in your top three risks. Mm-Hmm.

And I think it's, you know, and information security and CIOs are, are typically also in a place where they really understand the, the business, again, how the data flows, the systems that are used. So I think increasingly those CIOs and those CISOs are going to be taking chief risk off roles, even if they're part-time jobs, as I like to call, right? It's my nights and weekend stuff that I do, um, when I'm not c sailing, I'm ing.

Um, and, um, you know, and, and, and there's just, it's, it's really important because if you're just myopically looking at cybersecurity risk, you could really be like, you could, you could be missing some other really important, um, you know, risks in your business that need to be managed as well.

And so I think, you know, obviously I care a lot about cybersecurity, but um, when I do the CRO role, I take my security hat off and I say, is this security risk really more important than this other business risk? And how do we figure out how we're gonna prioritize efforts and resources across those different things?

And so, um, I don't know if that really answers your question fully, but like, I think if you're not doing it, it's, that's another one of those changes you should probably brace for. Um, 'cause I think it is coming the way of most CIOs and CFOs. Well, Ryan, Ryan, I think one of the things is, is like you obviously gotta be thinking about that as an MSP and be managing your risk.

You know, we keep talking about this incident response from the client's perspective, but there's a true difference between an incident response situation that you're the target versus, versus your clients or individually targets, right? So there's that side. So, so I think MSPs overall from a risk risk risk management perspective, need to be thinking about things differently for them, just like Ryan expressed.

Second of all, I think you need to be careful in when, you know, and I, I get what you're saying about rolling it up or, or, you know, including in this whatever category of, of of VCIO or whatever, but we have to be very careful when we're talking about risk. And it, it got talked, it got spoken about earlier about whose risk is it, it is the client's risk. So you definitely should be an input into that risk and be a part of that risk equation.

But you abs in my opinion, somebody here could argue with me, but I would not be trying to have my clients outsource, uh, overall enterprise risk. Uh, to me as an MSP, they gotta be in charge of that. They gotta be the ones accepting the risk or, uh, making the decisions on remediating the risk. You don't, you know, as MSPs, we wanna buy off, buy off on the whole enchilada, and in this case Not a good Idea.

You can, you can run 'em through the process, you can help them build the risk register, you can help them prioritize it. But what they do with that information is ultimately up to them. You're providing them visibility and options. You're not responsible for the outcomes of those risks. Yeah.

A couple things I'll add to all of this too is, um, sori, I like what I like how you said it, Ryan, like, because DA is a software company, it makes sense that the ciso, um, who's overseeing information security risk, the primary risk that you working through is, is that angle of like cyber risk, right? A bank is different. Like, let me just illustrate this to a bank. Very rarely would the CISO also be the CRO at a bank. Why?

Because a bank is dealing with plenty of other risks that are equal to cybersecurity. Might sound crazy, but they're holding a bunch of money. Um, you'll even see to that end, sometimes the CISO will report through the CRO. It's, But Yeah, just that's right. It's actually, that's very true. It's all sitting in the Fed. That's for another story. But the CISO will actually report in through the CRO. That's, in fact, that's the trend, right? Right.

Now we've been talking, one big theme that we've been talking about here is that segregation or separation of duties and how do we align and distinguish between IT operations and cybersecurity itself? Well, enterprise smart enterprise is starting to say, well, let's move it under risk because it's a subset of risk. It doesn't always work that way. And it can be very poor if you have a poor CRO or a poor risk team that doesn't understand cyber and doesn't support it.

But the key of this is to remember that what makes this function is two things, separation and authority. And this is true in an MSP as well. Like if you have somebody that's handling risk and they're underneath, like the CTO at the MSP, you're going to run into problems over and over and over unless that CTO is directly responsible for security and held responsible for an incident.

Like they're the one who's, you know, gonna be back on the chopping block and putting the resume out on the streets, which is rare. And so because of that, it's very common when you're thinking through, even at a small MSP, how do I make sure that person that handles risk in cyber also has the authority to do so? Not just the separation from that team, but the authority as well. Like, in other words, don't take a, you know, CRO CSO kind of person and put 'em three rungs below.

That's like literally like system analyst level has no authority. That's a terrible situation to be in. So that's kinda how I think we have to align it. Um, and I agree, like there's nothing wrong with having outside compliance come in and take a peek. We typically call this audit. So audit is when like a third party will come in and take a look at your compliance, take a look at your risk, and give you independent review of that, especially stacked up with their other clients.

But ultimately inside my MSP, I have to own it externally. Like Chris said, I have to guide my clients, but they're the ones that must own it. We must communicate that very clearly with them, that you own all of this because they don't, Gary, what's gonna happen when something occurs? They're gonna point their finger at us, right? Everything's our fault, right?

So Daniel, hopefully this helps you, but the, the takeaways that I heard from this are one, um, you have to separate how you look at that for yourself as a company from your customers. And, you know, if you think about it, we're not even really qualified to do that for our customers. Like we only understand some of, hopefully a lot of their technology, but we don't understand any of those other factors. I'll tell you what I'm thinking as this goes on.

You know, we mentioned like one of the big things, other takeaways from this that Chris made was you have to determine what your responsibility is, making sure you know what not to do and, and the client understands when you hand that over to the insurance company. Well, Andrew, we're thinking about that at a time when we do surveys of how many people have had a conversation about cyber insurance with their customers and 70% of 'em happen. Hello? Is this thing on, can anybody hear me?

Bridge out, turn back. So if that doesn't, right now, sum up exactly where we are, if people wanna know where to start, let's at least start by having the cybersecurity, I mean the cyber insurance conversation with every single customer. So they understand we, we don't have that. How possibly could they not think we're responsible for everything? Ah. So with that, Gary, let me, Daniel, thanks so much for coming up. I'm gonna see if we can get one more Thanks Daniel on with us.

That was awesome, bud. Thank you. Gotta bill, But we just came full circle. Yeah. So we're gonna see if we can get Ed up here. And by the way, you know, um, Ed's firm to a degree, Gary, this was, um, uh, Sy, which is now rolled up under Novatech. Uh, yeah. So we'll see if we can get Ed up here with us. He's a, he's been a, a regular with us. Your owner Dave, he's a great guy. Known him for, Yeah, Dave, Chaz, Brad, bro, those guys have been, uh, yeah. Awesome company. Yeah. Forever. Um, okay.

So we'll see if we can get him up in the meantime. This has been fantastic, Wes. It made me think of, you know, Microsoft and their shared responsibility, uh, documentation. Um, Why does Microsoft have that, you Know, think about that because The second this happens, we as EMSP might wanna point at Microsoft, and that's their way of saying, we communicated this to you. You agreed, you agreed to this. We, we were forthright about this from the beginning.

I almost wonder if it's good for us to have our own MSP shared responsibility model that each of us produce and share. I'm, I'm curious if like any MSPs today are doing something like that. Yeah. Very interesting. What's ING That would be aligned in the, in the agreement, you know, the managed service agreement, right? But how clearly is it aligned and how clearly is it communicated?

So, so interestingly, by the way, first poll Gary, um, 50, almost right down the line, 50 50 MSPs are rolling in, respond and recover functions into their support, support offers. Now, I didn't qualify those. Yeah. Whether they were tabletops incident response plans and things like that. So maybe, you know, I'd love if you did answer that, man. It'd be, it would be great if you could just throw into the chat here. We'll get going with Ed, but throw in the chat.

What, what things are you rolling into that offering? And then, um, we will, um, Hey, ed, how are you? Um, I'm, I'm okay. I'm, I'm doing fairly good. Okay. Yeah, you've been through a lot. And, uh, thanks for, uh, jumping on, on here with us. I appreciate your trooper, man. So, um, you had a question, I think, didn't you? And, and, yeah. Yeah. Let you start off, and then Gary will probably have, I don't know, maybe a question for you, knowing Gary. Yeah, yeah.

I, I, I'm, I'm looking at him here. Um, first of all, thank you for, uh, allowing me to be a part of the Brady Bunch. I'm looking around at the squares, but, um, my question, my question came up, um, basically we had an incident at one point, um, and without going of course into detail because of, of obviously information and it's security, but, um, we had a, we, you know, we had a, a, an issue where, for lack of a better term, they didn't trust us.

Of course, the finger pointing was, you know, right to us. But it was like, okay, so the first thing we need to do is forensics. We need to find out what in the world is going on with this particular system that we're dealing with. And what the only way we can do that is to use a, you know, to do forensics. So we used a third party, and I want to know, you know, what, what, what, what your guys' opinion is on that, on doing that.

I know that some, maybe some cyber insurance po uh, policy paragraph might come into play on that, but, um, that, that was just kind of what I was wondering, is that, what does everybody think about that? I think we'll Start with Chris on that one. Yeah, Yeah. So let's just take it from the insurance angle first. So, most of the, most policies and most carriers have a list, a short list of either of, of forensic firms that must be used by their policy.

And if you go and make a decision, and we are seeing a lot of this right now where MSPs have met somebody in, within their town or whatever, and they're bringing them in to do forensics, and then they get on the insurance call and we're like, uh, well, they're not on panel, they're not approved. We don't know who they are. We don't know their track record or anything. And then the, the MSP is p****d off.

The forensics firm is p****d off, and the client is really p****d off because they were told by the MSP, this is the way to go When we find out that their insurance says something different. A lot of times when those insurance carriers and those panels, it goes through some type of vetted process plus the law firms that are on there. I've already have a, a rapport and a working relationship with those forensic firms. So it's always a good idea to go that.

Now that's just from the ins insurance carrier perspective, right? So, and a lot of 'em, the list may be three forensics firms and maybe five. Some of 'em, they might only have law firms on there. And the law firms choose a forensics. That's fine. So that's just how it is. You wanna make sure that you play by those rules 'cause it looks really bad. And then you gotta explain why the, why the client just signed a bunch of expensive statements of work. I mentioned this a couple weeks ago.

We, I seen one where the, this, they brought somebody in and they put together $180,000 statement of work for about 25,000 worth of work. And we're like, well, why was this statement of work so large? And they said, well, that was to avoid us having to do any change orders in the future. Well, that doesn't look good to anybody, especially to the, the insurance carriers not gonna be happy about that at all. Now let's just talk about third party forensic firms.

You know, a couple of years ago, there weren't too many of them, right? You always knew that the, the, the, the big, the big accounting firms had 'em. Uh, so let's just take KPMG as a good example. Very well known. Uh, when we get cases that are too big, like there was a case that came in the other day, it was like 9,000 endpoints. Well, that's way too big for me. You bring those guys in, but they have a vetting process themselves.

A lot of times the KPMGs and those big guys won't take on very small companies that don't, don't meet their minimum requirements for a company, for a client, right? Mm-Hmm. But my point is, is back then you, you kind of knew everybody knew who it was, and those were pure forensic firms. They weren't pretenders. I'll just use that term loosely today. You have to be very careful, right? Because incident response firms are, are popping up all the time.

And so if you do have to use a third party incident response, either because it's optional with the carrier or because they don't have insurance or whatever, you just, just make sure that you kind of dig into it. How long have they been a forensics firm? You know, who they have doing the work, are they subbing that work out to somebody else? And those types of things. And, uh, and you'll be, but, but in the end, yeah. Real quick. Go Andrew, real Quick. Time out. Gary, you got five minutes?

You wanna Yeah, Yeah, I'm gonna, I, I don't wanna break. I'm, I'm gonna, I'm gonna bow out and, uh, I'm, I'm gonna let, uh, Chris handle this one, but, uh, really good today. I think we're starting to get closer to the center of the Tootsie Pop. Yeah, thanks, Gary. Okay, see you, Gary. But, and, and just, uh, and, but, but really, if you're gonna bring in a third party forensics firm, yeah, they, you better have an attorney. I mean, 99.99% of the time you're doing forensics for legal reasons.

And so there's no way you should just be doing forensics without that legal reasons, unless somebody just wants an answer, something like that. Uh, so usually if you don't have a forensics firm that you're comfortable with, find a breach counsel that you're comfortable with, and then they will bring in a forensics firm and, you know, there that they're, they're legit and, and they can operate in your client's best interest.

Is this kind of answering What you were hoping Ed, you know, based on the scenario? Yeah, Yeah. It, it, it really does because it, it's something that kind of, we, uh, if, if I'm reading our, our, um, you know, service agreement correctly, that is something that we work in there is that it's up to them. You know, that like, like, um, my colleagues said earlier, you know, they, they own the information. We just help them.

Um, like for example, like some of our clients, they, they have to deal with the HIPAA compliance and whatever. And basically what we do is say, Hey, listen, we'll help you be compliant, but we're not gonna make you compliant. You make yourself compliant. Right. Fair, fair. Well really appreciate up, up here, ed, Ryan, Wes, any comments, thoughts? Not, do you have to, just before I let, let Ed, uh, officer ed boot? No, No additional, no. Mr.

De Delayer handled that wonderfully as he typically does. Awesome, ed, thanks guys for us. Great to see you. Yeah, All good to see you. Alright. All right. So, um, in closing up here, I think we might actually, uh, end the cyber call where we can actually have some, some thoughts, Wes, and, and, and not just, hey, uh, it's two o'clock we gotta go. So, um, Chris, thanks for joining us.

First off for you takeaways that you might kind of leave MSPs, um, and if there's some ms, we do have some MSPs, but take takeaway thoughts that you might wanna share. Yeah, I mean, this is, this, what we've all been talking about is very strategic and needs to be well thought out and well planned and, and planned by committee and thought about it.

And then this is where, you know, Gary talked about peers, whether you have formal peer relationships or informal ones, I mean, this is where you're gonna do it, right? This is where the rubber meets the road and there is no, you know, if your client base is mixed, it's gonna be a different story than if your client base is specific, legal and those types of things.

So, um, you know, that's where I would say, and I would say just reading through the dialogue, it's always great on these cyber calls. But today, man, it's been, there's been a lot of great stuff. Go back and review what people have said if you couldn't read through it as quickly as you as it was scrolling by. Yeah, yeah, yeah. Good thing. Uh, Jason Slagel out there, doesn't he, he literally makes me laugh every, just about every other comment.

So Jason, if I had time, I would've pulled you up here. Uh, Ryan, how about you? Any, uh, closing thoughts? Oh, yeah, I, I, I'll double down on something Chris said, which is, again, focus on yourself. Um, and I, and another comment, I don't think maybe Wes said it, but like, I didn't wake up a professional in cybersecurity. It took, you know, you know, a dozen or more years to get to where I am in this field. And, um, I'm still not an expert, you know, in some areas of, of cybersecurity.

And so I got here by doing and by practicing and practicing is huge, right? You don't show up on game day and expect to win if you haven't practiced at all. Mm-Hmm. So the time spent doing the IR planning, um, for yourself, um, that you know, one that's gonna help you understand yourself, reduce some risk, and it might even turn into some response and recovery services that you can bundle in to sell to your customers once you get that process, uh, you know, kind of settled in. Yeah.

Really, really well said, Wes. Well, first of all, I, I do want to thank Chris Laer for joining us, and, uh, if you didn't see the question I asked him, you know, I asked him this till Mother's day's coming up and I asked him what he'd write in his card for her, and he wrote good camera, questionable wardrobe and well kept beard. Uh, so Chris, I might, might or might not have edited that question, uh, after you answered it, but I do appreciate your comments. Uh, so thank you very much.

And, uh, uh, more seriously as we, as we hit the two o'clock window, um, this is good discussion of how we handle, um, risk separation of duties, cybersecurity, how we communicate that to our clients. Um, these are really important things that we really have to have some ownership and understanding of in today's modern day. So great discussion. Uh, look forward to hearing how you guys develop, uh, all of this and how your own MSP goes down this journey. Fantastic. Thanks, Chris.

Again, thanks you for joining us. Everybody out there awesome communication and comments and chat. Um, make it a fantastic week. We'll look forward to seeing you next Monday. Take care. Thanks guys. Bye.

Related Videos