Ask the CISOs Anything
In this video, industry experts discuss the evolving landscape of cybersecurity for managed service providers (MSPs) and the strategies necessary to navigate this complex environment. They delve into the importance of balancing technology with robust internal processes, emphasizing the need for MSPs to understand their unique security gaps and address them proactively. By sharing insights from their own experiences, the speakers highlight the critical role of transparency, vendor collaboration, and continuous improvement in building resilient security programs.
- The importance of building security programs on threat-informed, data-centric, and risk-based approaches.
- The significance of collaboration among major vendors to improve security standards across the industry.
- The challenges and strategies for MSPs in balancing new security tools with the understanding and implementation of effective security processes.
Video Transcript
Welcome everybody, and it is week 74. We crossed over the 4,000 barrier between last week and this week, so really exciting times here on the Cyber Call. Welcome everybody. We've got an awesome session today and some special guests with us. We're gonna do the Ask the CISOs Anything, which means you guys can send in your questions. I was hoping that Crowdcast might have surprised me and said, now you can have eight windows, so we could bring people up here.
But so far it's only six. So, Gary, we have no announcements today. Do you have any announcements you'd like to share with us? Yeah, I'd like to announce that there are no announcements. Fantastic. Hey Wes, it was great seeing both you and Jason Slagel at IT Nation. Wes, any kind of thoughts from you first and then from Jason? Man, we had a great time. Almost 3,000 people there, seeing so many awesome people. It was great if I ran into you.
It was great talking to you, Andrew. I could barely see you, man. Like, you're always roaming around from one meeting to the next. I'm like, there goes Andrew, there goes Andrew, there goes Andrew. But it is great to see you as well. Yeah, it's great seeing you, Jason. I know you're gonna share a little story with us when we have some questions coming up, but how was the event for you? It was good.
I mean, it was the first time I think we came back without a fire hose of new tools we wanted, and almost everything we learned was process related. So I feel like that's a hump we've gotten over, where it's like I'm over the shiny new tool syndrome. Excellent. Alright, so let's get right on into it and set the stage today. Hey Jennifer, it was great seeing you as well. Adam, I'm really sorry I missed you.
So, just to set the stage, five years ago there was not a CISO in any of the major tool vendors out there. Ryan was the first. I think, Ryan, you're just under five years now, right? Like four years and 11 months and 20... Yeah. I'm like a couple of months away. Yeah, yeah, yeah. Did you get a watch or something at five years? Because at TruMethods I gave everybody a watch at five years. Hopefully I get one. What kind of watch was it, a Casio?
It was probably a Casio, wasn't it? Gary, come on. Come on, we need a watch. I just want a nap. A nap. Are you gonna get the Frenchie? Bring him in so he calms down, put a little blanket on him. He'll do whatever he's gonna do. Alright, fair enough. So today every MSP vendor, I shouldn't say every, the major vendors do have a CISO. Kaseya, I know yours just came on board.
I had a touch of communication with him during Connect, and I'm still trying to connect with Jason. So yeah, we'll get him on a future call. Awesome. So in the meantime, I'm gonna get right on into the Ask the CISOs Anything session with a few quick introductions. By the way, send in your questions if you have some. So David, it was great getting to meet you.
Gosh, it's probably been a few months now, and I was really excited that you came on board at N-able. You're a true practitioner, and I think the Cyber Nation and the industry are gonna be really fortunate to have you involved. So if you could just give us a little background about yourself and what you're doing there, it'd be great. Sure, yeah. Awesome. So I appreciate you inviting me.
I know we've been trying to get this on the books for a while, and I'll apologize, I've been traveling quite a bit. So, Dave McKinnon. I joined N-able going on six months ago, so I have lots of extra gray filling in over the last six months, really to take things over as we spun out of SolarWinds and transitioned things away from Tim Brown and team.
I've been in the security space for the last 20 years. I actually live in Atlanta, and I spent the first decade of my career with SecureWorks and then with ISS, which eventually became IBM. And then I've kind of jumped back and forth between the vendor space and the enterprise space. So I worked for large financials. Most recently I was with a media company.
I was with WarnerMedia, so I was responsible for all security monitoring, incident response, VM, the whole slew of stuff. And then some of those programs got folded into AT&T, since we were acquired by AT&T four years ago. I don't know what they're doing now. But while I was there, we were folding all of our SOC services and other pieces in for AT&T to run that program for them.
So definitely excited to be here, and I appreciate you for having me. Were you forced to go with AlienVault? We were not. We were a big Splunk shop. We actually had an unlimited Splunk license. It's pretty wonderful. Oh, nice. They sell those if you're AT&T. They do. Good point.
So, for those of you... most people would never know who you are, Jason Slagel, so if you could tell everybody a little bit about yourself, and thanks for joining us as always. Yeah. I'm Jason Slagel, Vice President of Operations at CWR. We're an MSP in Toledo, Ohio. I've been pretty involved in trying to make MSPs more secure for a little bit now, 'cause, oh, we need it. No, I'll leave it there. Yeah. Awesome. Very funny, Gary.
So Gary, I'm gonna turn it over to you, and then you and I'll go back and forth just a touch after, and then I'll turn it over to Jason again. Folks, send us in your questions. There's an ask-a-question section, and I'll be sure to bring them up and get in as many as we can. For those of you that sent me questions, thank you so much for doing that ahead of time. So, Gary, I'll turn it to you, bud. Yeah. And I'll start with Ryan.
Ryan, we've gotten to hear a lot about your different philosophies that are so valuable to MSPs over the past 70-whatever weeks, as Andrew said. But today, coming officially from the Datto CISO point of view, can you describe a little bit about your approach to security and what you can share with MSPs about the Datto security program? Yeah, so normally this is where I would just start talking for four hours.
But it really is actually pretty simple. I believe in threat-informed, data-centric, risk-based security programs. So when I say know your enemy, there's your threat-informed. Data-centric is knowing yourself, where your data is, where it resides. Risk-informed, knowing your battlefield, kind of comes to mind there.
So that, like, know yourself, know your battlefield, know your enemy really sums up how I think about building security programs, because you have to know all three of those things to have a chance at building it. And you all know I believe in people, process and technology. I believe it's not even worth trying to build process and technology without having great people.
And so for me, the security program always starts and ends with people, and I try to hire people that are smarter than me in areas where we need a lot of focus. And so everything I do centers around that kind of gravitational force.
So I was trying to take account last week. I think we have like 12 dedicated teams within information security now, focusing on business continuity, crisis management, disaster recovery, security and compliance, intrusion monitoring, offensive security, threat management, security architecture, security engineering, application security.
Like, we really have, and these are teams of people, multiple people, driving this across the whole organization. So I guess the other thing I should say is I believe in decentralized security organizations. So yes, I have what most people would consider a decent-sized team, but we actually believe that my team is really here to empower other teams within the company to do the right thing. It's actually one of our core values, to do the right thing.
And so part of doing the right thing is, if you're building a system, a service, an application, whatever, it's your responsibility to do that thing securely. It's our responsibility to help you. And so we really think a lot about how we make sure that other people understand their obligations and that they're living up to them, and that we support them in that.
And sometimes that means giving them more money, getting them more headcount, making something easier for them to accomplish, which is kind of weird for a security person to say, right? Trying to make things easier. But yeah, there's just a lot that goes into the security program, but it all comes back to a threat-informed, data-centric, risk-based security program.
Yeah, I guess pretty similar to what we're telling MSPs. The same way that you're doing all this to protect your customers, right? Your customers, the MSPs, are doing that to protect their customers. And so again, we want to keep SMB safe, and it takes the vendor, it takes the MSP, and ultimately it takes the customer. I like what you said about supporting the teams to do better. And again, I equate everything to running MSPs, and it's the same thing.
We have to equate that to: we're trying to make things secure, but also better in helping our customers. So I see all those parallels. That's awesome. David, so you're newer into this role, at least here at N-able. And I want to ask you, can you share what your approach will be to building the program and assessing where things are and setting priorities? Sure. Yeah.
So I think from a program perspective, fortunately I came in with a decent foundation from Tim. So I didn't walk into something that was brand new where we had to figure it all out. We have a lot to do just in terms of where I want the program to go. Similar to Ryan, I think looking at it from a risk perspective and understanding what the organizational risk looks like.
I think the other piece, and just something I've experienced in my career, is that other places I've been, security is kind of the hammer. They would walk in and drop the hammer and kind of p**s everybody off, which doesn't work. So what I've told my teams is, we're all partners in this.
I mean, when you take the shift-left mentality, whether we're doing security training for engineers, or we have security champions, all the way through to where we're doing pen tests, red teams and things like that, it's making sure that we have security balanced throughout the whole life cycle.
I mean, making the assumption, one, that we're gonna do everything we can early on to protect our partners from having vulnerabilities in our code, but also making the assumption it's going to happen. I don't know any company out there who does not release vulnerabilities in their code, never on purpose, but it happens.
So we've been very focused on getting the foundation from a security perspective set, getting the team built. You know, hiring security people is really easy right now. Like, they're just jumping out. They're everywhere. Yeah, they're everywhere. The jobs are. Yeah.
So definitely having, I'm sure, challenges that other people on this call have, where we're surging things out with contractors to fill some of those gaps while we look for those FTEs to fill things out. And really getting the threat management program underway. So we actually brought in Splunk, not that I'm a Splunk fanboy, but it's what I'm comfortable with.
So getting all our data collection in place and making sure we're able to do effective security monitoring and incident response, getting the security architecture and engineering teams set up to where we can be more effective, getting the AppSec teams built out, and then all the GRC work that goes along with it. So lots of, I call it, juggling flaming chainsaws.
Lots of juggling right now, but I feel like in six months we've come a long way. We still have a long way to go. I actually had a partner ask me a few months ago, like, when are you gonna be done? I was like, never. This is the one environment where you keep iterating. A friend of mine always said, iterating to awesome. And that's what we do.
We set the bar higher and higher and higher, and we just continue to grow as an organization. We're all better for it. So definitely a lot going on, and pretty fun so far. Yeah, I mean, look, obviously compared to an enterprise, you have code, and that code is constantly changing. But also, every company, I'll say the four big software vendors in the channel, they've all continued to make acquisitions, right?
And so now you have the risk profile of those acquisitions, and things get more complex. Yeah. I don't think it's gonna get simpler for Datto or Kaseya or ConnectWise or N-able moving forward. It's only gonna get more complicated. And it's the same for MSPs too, right? 'Cause M&A is happening in the MSP space as well. So as an entire ecosystem, we need to learn how to manage that new level of complexity. Absolutely.
I sit on a couple of boards buying MSPs, and one of the main conversations continually is how to reduce rather than increase risk when you're taking on customers: what to integrate, what not to integrate right away. It may be a good business decision, but it might not be a good security decision. So yeah, definitely MSPs will deal with the same kind of thing.
So, Wesley, I understand it's a little different for you. You're an external CISO function for Kaseya... ConnectWise? ConnectWise. Yeah. But can you tell us a little about their security program? Yeah, here are a couple of things that come to my mind. First, let's take a giant step backwards for a minute, because we need to. Let's start with this.
Isn't it awesome that you have CISOs from major fierce competitors all on this call today, Andrew? This may be the first time in history this has ever happened. So kudos to you on this. I can tell you, speaking for probably all of our CEOs, they're excited about calls like this, where we're getting together.
I think we've finally gotten to the point in the space where we can compete in products and services, just like the banks that I come out of, but we should and can work together for the common good of all partners when it comes to security. That's a big deal. So I'm excited that we're all on this call today, and I actually hope we do these styles of calls more often, because I think it's a big deal.
The other thing I wanted to say as well is, for all of us on this call, security wasn't really a concern until maybe 2016 at the earliest. We are way behind in this industry, both your folks on video today and you guys as well behind the scenes listening. We are way behind and we're catching up. I would say we've made better strides in the past five to six years than any industry I've seen, because we've been forced into it.
And so I just want to have a little commentary there before I say anything, Gary, to say I am so encouraged and heartened by this call and by our understanding of all of this. We've got a ways to go. So, where ConnectWise is at: understand, I am external to the org, right? So I'm really very partner focused in what I do, but I'm pretty close to the ground on where we're at. And I will tell you a couple of things.
One, Jason Magee, our CEO, has started it with: we have a whole bunch of corporate priorities, but there's one, and then there's everything else. And number one is security. I think any organization that starts that way, with CEO buy-in, is a big, big deal, right? Because that really gives you the motivation that we need to move forward. I can probably say every single one of us has a CEO that's equally saying the same thing.
And that's the starting point for all of us, which is good. Is ConnectWise anywhere close to where I think we need to be and should be? No, because we're still building from years and years and years. Just like, Jason, you said this in the chat just a minute ago: legacy stuff everywhere, right? Many of us still have SOAP-based APIs, just as an example. We've got a long way to go, so we're getting there, right?
And a lot of the things that ConnectWise is doing are pretty well resourced, right? We have 20 to 30 full-time FTEs just on security, just internal security, not counting SOC, all that kind of stuff. We are mapped to the OWASP SAMM, which I think is really awesome. I think at some point, I'm pushing our ConnectWise friends to expose what we're doing there and show some of that. I think that's a big deal for us, to get some transparency.
If you haven't seen the ConnectWise Trust Center, that's a place where we're showing and embedding a lot of things like hardening guides, how to get in touch with us with incidents, things like that. Building much better security into the RMM has been a big focus, and we have a long way to go, as Jason on this call can say. But one thing I think is exciting is, I come out of Perch, and Perch is all about visibility.
And one thing that ConnectWise is doing that's pretty exciting to me is bringing the visibility from the RMM into Perch so we can actually see what's going on. We can wrap the security operations and our CRU around all that so we can see what's happening, get insight into it, and build analytics and response around it. That's a big deal in terms of visibility for you and the partner. That's gonna happen with the new RMM as well.
And I'm pushing, and I think this will happen, but here I am just saying this, so keep in mind that this will be for the powers that be, but I'm pushing for every partner to get visibility into that security stack, whether they use Perch or not. I think that's the right thing to do, so that anyone can see what's happening in their ecosystem.
So those are just a few things I think we're working on, but keep in mind there are many miles to go in this journey for ConnectWise. Yeah, I mean, before I hand it back to Andrew, the one statement I'll make: it's great to see everybody here today, because if you see where our industry is, right?
And the growth of SMB technology, just to be able to service MSPs and SMBs, the four large software companies really are what distribution now looks like to MSPs, right? Startups can only get so far in terms of getting to the marketplace. And the four big companies have their distribution model, their sales teams, and that kind of thing.
So they're gonna play the most pivotal role in terms of what MSP security looks like going forward. So this is encouraging. So, Andrew, I'll hand it back to you. Yeah, thanks Gary. There's a few questions. Just gonna throw those out and see if we can knock a few of these out real quick. Ryan, I'm gonna start with you, and then I'll come back to the question I had scheduled to ask you. But one of the questions came in from Tim.
What roles, responsibilities and duties does the CISO have, and what are the deliverables? It's gonna depend on the company, I think. The CISO role, and I'll give David a chance to chime in here, but he and I have talked quite a bit. I think the role that we're going for is a combination of internal subject matter expert.
So anything that has to do with security internally from a corporate perspective, whether that's communication with the board of directors, the audit committee, the cybersecurity committee, or whether that's, hey, I'm building a new feature, how do I design this securely? Like, that's job number one, right?
Job number two is then this kind of external CISO role, the role that Wes is filling at ConnectWise, which is this person that's accessible to the partner base to help them understand what you're doing to keep them safe, and to be a thought partner in how you can learn from the advanced things that we're doing and apply them to yourself.
And so I think a CISO in this space needs to embrace both the internal and external CISO responsibilities that this specific ecosystem needs. It would be a lot easier if we could just do one or the other, but unfortunately we can't spend all of our time focusing on our own house. We have to help our partners. Like, we call them partners, right? You're not a partner if you're not helping them solve their hardest business challenges too.
And so I think that's a big part of it. So I don't know, David, do you have anything you wanted to add there? No, I think you hit the nail on the head. I mean, I've definitely learned a lot. Like, I didn't know the MSP space when I started in it a couple of months ago.
And I'm still not claiming to know it, but I definitely think having that influence at the partner level... like, I've been on calls with partners during cyber incidents, talking to them, helping them research those things. And it's largely because we are that trusted partner to them.
And I think that's important for myself and my team to play, not just internally, because they call us, and I'm sure that you guys have that same experience. You're gonna get that first phone call. And if we're not here to help them, it's just not fair to them. So definitely, I think it all depends upon who's asking.
I know internally John is very focused on where the security program sits, and obviously at the board level and all those other places. But I think we need to be a partner across the business and to our partners, and that's the only way for security to be successful in MSP. Yeah. And Andrew, just how important that external piece of it is. Ryan, I remember when you were first hired, it was the first DattoCon after you were on board.
And Rob was saying how he was really pushing you to get out, do presentations and get out in front. And just seeing how it's developed now, and what an important role that is for the companies, how you represent, and what that means to the education of the industry. So did he tell you what my answer was? Yeah. He said you didn't wanna do it. I said, not until I get my house in order. Oh, he didn't tell me that part. Yeah.
Which to him meant, no, I don't wanna do it. Yeah, I did wanna do it, but I'm not gonna come out here and talk to you until I have my house in order; otherwise I'm just being a hypocrite, right? So I was like, dude, talk to me next year. I need like a full year to get my house in order before I can get out there. Which, in retrospect, I probably could have taken that line that I drew in the sand a little less seriously.
But for me to feel credible and to feel confident talking about it and helping, I needed to come from a place where I knew that we had started seriously on a journey, and that I was ready to start bringing MSPs along for that. And so I actually didn't really poke my head out until almost two years after I was hired. Listen again, you're talking to MSPs. They gotta go out and talk to their customers. It's hard to do if they don't have their house in order.
Exactly right. So take that, write that down everybody, what Ryan just said. Yeah. Excellent. So I'm gonna come back to the questions in a second. Ryan, since you brought up getting the house in order, one of the things you mentioned at DattoCon was Datto being assessed in the BSIMM framework. Can you explain what that is to the community and the significance of that? And then, Jason, I'm gonna pull up a question here.
'Cause it kind of segues right into you. So Ryan, your thoughts. So we had John Strand on a few months ago for the first time, and we were talking, it was actually right after the 4th of July event. And we were asking him, John, how do you tell if your vendors have good application security? And his answer was simply, just ask them about it. If they have a good application security program, they'll want to tell you about it.
I thought, one, that was genius in its simplicity, but also, it's still like, take my word for it. And I think we've gotten to a point where we just can't take each other's word for it anymore. And so we had actually, before that incident, been working towards BSIMM, which is the Building Security In Maturity Model. It's one of many different application security maturity frameworks.
And so our goal was to get all Datto products BSIMM assessed and kind of benchmarked, so that we could demonstrate through independent verification the maturity of our application security program, really to start addressing what had become an apparent crisis in confidence in the MSP channel.
And I also did it because, you know, this may sound a little like hubris, but I wanted to raise the bar of what good application security looked like in the vendor landscape. And so, as we said, we're now a class of one, but I know David is working very hard on application security, and I expect at some point he's gonna come out and say, this is the framework we're following, and now it's a class of two, right?
And so that's the ultimate goal that I want to get to. And maybe he follows BSIMM and maybe he doesn't. Up to him how he wants to build his security program. But my thing was, this is a way that we as a vendor can demonstrate that we not just take it seriously, but we're doing it, and that we're actually doing it at a level that is on par with the largest technology and financial services and healthcare companies in the world. And that's what we did.
And so that's another way that we give people confidence in the security of the platform, and that we can demonstrate to them that we're doing things that are worthy of their trust. It's not a commitment that there will never be a breach, right? Because again, we sit here every day and we say, assume breach: at some point you are, have been, or will be breached. So I'm not saying we're BSIMM, therefore we'll never be breached.
I'm saying we're doing things that make that outcome less likely, but also we're doing things that reduce the potential scope and impact of those events. And that's really what you wanna understand from your vendors. And one of the key areas where we've seen as a channel that vendors keep getting MSPs in trouble is with crappy software security. And Jason Slagel could go on for two hours about this topic, right?
But this was a way for us to come back to the market and be like, we really are taking this seriously, right? And here's where we are. And kind of like what David said, there's a journey, iterating towards awesome, whoever said that. Like, we are iterating towards awesome. But we got to a point where we're like, okay, this is where we are, this is what we've done, and you can verify this through the independent review that we had done.
The other cool thing about BSIMM is it's not a static target. It's not like NIST CSF. You could think of it more like CIS Controls, where there's a new version that comes out periodically. Every year BSIMM changes, and it pulls in the latest innovative things that people are doing to keep software secure, and the bar for meeting that framework keeps getting more difficult.
And so committing to BSIMM was not only just like, we want to attain some level, but it's also a commitment to continuous improvement based off of what good continues to evolve into over time. And so it's an outcome that is probably one of the top five outcomes at Datto that I'm the most proud of having built over our time here.
But like everyone will tell you here, you celebrate the win one day and then get up and get back on the horse the next day, because you gotta keep getting better. Very cool. So I'm gonna state the question, and then, Jason, I'm gonna turn it to you. You've been really patient, and the question by Ed has to do with the FBI.
So I thought it would be good for you to segue into what happened at IT Nation to you, maybe toss that as a question to the team. Um, yeah. And, but Ed's question is this weekend, the FB, he saw the FBI, uh, result of an incident brought by dad coating one of its sites. Uh, as a ciso what's your opinion on this incident? How do you suggest the m MSS P community handle and inflexible with clients? You had an incident in essence, like it's somewhat related. So talk to us about that.
Yeah, so we're different than a lot of MSPs. We used to be an internet service provider, right? So I actually have an ARIN handle. So I woke up Saturday morning after probably a little too much fun Friday night at IT Nation Connect. To give you an idea, we turned one of Wes's sessions into a drinking game. It was so irresponsible.
So I wake up Saturday morning at 6:30 AM and I look at my email, and at 12:18 AM I got an email from the FBI: urgent, you know, threat actors in systems. And I'm like, okay, who here wanted me to go back to my room? Right? Like, who at the event is screwing with me, sending me email pretending to be the FBI? My brain's still a little bit foggy.
So I'm like, okay, let's just disprove this thing and show that it's bad, and I can go on with my day. We had places to go, things to do. So I grabbed my laptop, 'cause I can't do much on my phone. I pulled the email up, I looked at the headers, and DKIM and SPF pass, and my heart sank, right? The email was very grammatically incorrect, and there were so many signs in the email that it probably wasn't legit.
But what do you do, right? We have this entire system of email authentication in place that shows that the email actually came from an FBI system. So now I'm in a situation where either this is a legitimate email or the FBI is breached. One of those two things has to be true at this point. So I declared an incident. I took our incident response plan; we have one, we have gone through it, these things are iterations.
They always get better. I start running through it. We were going to Animal Kingdom Saturday morning, as it would happen; other parts of my leadership team are in Florida with me. So I'm sitting there going, man, how am I gonna run this incident from a hotel in Florida? This is gonna be absolutely terrible. I need to start looking for a flight home. I call one of my other leaders down. I'm like, you gotta come into our hotel room, we're going through this.
About 30 minutes later, one of the other members of our leadership team came across the Newsweek story indicating that this was a problem. I spent probably another 40 minutes after that just verifying that our IDS/IPS didn't show anything, I didn't see anything in any of our virtualization cluster logs, I didn't see any exfiltration, and I finally stood down. So, to you, Ryan:
You've done a lot with incident response plans and incident response planning, right? But a lot of the things in our document assume we have a boom, right? It assumes we have a discrete event which we're responding to. In this case, there was no discrete event. I've got some outside party, in theory a trusted party, telling me that we have an incident that we need to respond to. My incident response plan was a hundred percent unprepared for that situation.
So do you have any advice here that you can offer? Yeah, I do wonder what the phases of your IR plan are. Mm-hmm. Step one for us is the identification phase. Yep, us too. And the premise of the identification phase is: confirm you are actually dealing with an incident before you try to scope it. Yeah. And I think you fell into the classic identification conundrum, because a trusted third party is telling you you have a breach.
But they haven't provided you enough information to verify. Yeah. And so you're in this situation where you're like, well, I wouldn't even begin to know how to know if I have that. And so you start picking apart the facts, right? Yeah. And I think that's really where you have to go back to and understand. I think you did some reasonable things, right?
You go back and you look at your past few days' worth of alert history and make sure you didn't miss anything. Right. You're going back to the basics on that. But yeah, until you can confirm that an incident is actually occurring through a verifiable fact, you're still in the identification phase. And so what that really means is you're not declaring an IR yet. You're still in a pre-IR phase.
Where you're saying, okay, I'm starting to prepare the business for the fact that we might be heading into a serious incident, but I haven't declared it yet. I haven't hit the war room button. Maybe I've called in a few other people to help me search around, but you're still very much in the identification phase. And so that's how we normally treat those things, because we get all sorts of false alarms all the time. Yeah.
You have to take that identification phase seriously. If you went straight from identification to scoping and containment, you'd be ripping your hair out. Yeah. I mean, I pretty much stayed in identification. Right. But it's one of those things where sometimes it's hard to prove a negative, right? You've got somebody telling you they're seeing something. Right. And my logs look good. Right. But are they just that good? Yeah.
There's a saying that I say to my team all the time: absence of evidence is not the same as evidence of absence. Yeah. And so really what that means is, when you're in that situation where someone says you've had a security incident, but you can't find the evidence, there's an absence of evidence, as IR responders we're like, but that's not the same as evidence of absence. There's still that question mark that's there.
I think you did the right thing. You scrambled resources, you tried to confirm, and you kept this skepticism that maybe this isn't a real thing, but I'm gonna engage in this like it's real, even though it might not be. Yeah. I think you need to go into every potential IR with the sense that this could be the big one, but before I hit the big red button, I'm gonna make sure I confirm that there's a fact pattern here that's worthy of me hitting that button.
Yeah. I mean, I had only escalated it to a handful of people. It wasn't to our whole team yet, but I had involved our entire leadership team, because they're the first ones that need to know. Yeah.
I mean, especially that type of alert. If you think of severity levels, where you have a sev 3, 2, 1 incident, and then a sev 1 incident can also be a crisis, that kind of email takes you straight to crisis, right? Yeah. So that's where you kind of wanna start reading people in: hey, we have this thing, this could be really bad, we don't know what it is yet, we're trying to verify, we'll circle back with you when we know more.
And then you start to figure out how do you prove the absence of Sasquatch. Yeah. Especially less than 24 hours after watching Wes interview Robert Chaffey about his incident. Right. That was fresh in my mind. Yeah. David, do you have anything you'd add there? Yeah, I mean, having gone through this before, and not to call out any three-letter agencies, but their intel is not usually like, this happened yesterday or today. Mm-hmm.
It's like, hey, this happened 10 months ago and you should go be aware of it. And then you're backtracking a lot of times. So I've definitely gone through that before. I'm like, when did this happen? They're like, oh yeah, it happened in 2019. I'm like, well, that was two years ago, and we're just getting this now. So definitely information is often scarce when you get that type of notification.
But even just having the dates around it I've found extremely valuable in helping to scope where the potential incident may have been. Cool. I'll pick on you, David. I would've been quiet, I would've said nothing, if that was the case; I was the next target. Yeah. So I've been pretty vocal around our space about the need for vendors to get better vulnerability disclosure programs and bug bounties.
And in the research for various talks I've given, I haven't really found a lot about what N-able has in place right now. There's a link to report things, but there's no guidelines around what is responsible disclosure or any of the other things I would expect to see in a VDP. Does N-able have a VDP at the moment, or a bug bounty program? And if so, is there anything you can share with the community about it?
Yeah, so it's an area where we're definitely behind, in that we don't have a lot of stuff on the website. We are literally in legal right now. There's two major vendors in the space for bug bounty and for vulnerability disclosure. I don't want to announce the name because we're not done with them from a contract perspective, but we'll be moving forward with them immediately.
Full transparency, we're initially gonna start the bug bounty program as a closed bounty. I don't want to turn on a fire hose until I know what the fire hose looks like. But we do have the ability to add folks into that program if we want to. So we have been paying out bounties; that actually comes out of my Bitcoin wallet, just because I've got one and it's easy to pay people on reports. But we knew we needed to get something more formal in place.
So it's coming. It'll probably be announced sometime in early to mid-December. Thanksgiving's gonna slow things down for us, but totally agree, it's not something we've done a good job about getting out there, but it'll get better. Okay, awesome. Just start paying the bounties in shitcoin. Yeah, Dictator Coin. Well, the problem is I'm like, wait, what did I buy this coin at?
And then, hang on, how much has Bitcoin gone up this month? Am I losing money? I'm paying these bounties myself and I still don't know how to expense them. So I'm kind of losing on multiple levels here. Yeah, probably not a good space. I mean, the closed bounty, I think it's fine to start with a closed program so you get a feel around it. I think, Ryan, yours has done that similarly.
I will continue to beat on you around NDAs. If you NDA it after... responsible disclosure should allow researchers to publish. So if you close it and then hide it behind an NDA, so that if they get paid they can never disclose, I will beat on you for that. But other than that, it sounds great. Like, anything should be on that. So you and I have talked about this, right? And I think David shares the same opinion.
There needs to be a bug bounty and there needs to be a VDP. And I think it's the responsibility of the researcher to choose which one they want to go through. Okay. And it doesn't necessarily mean that your VDP shouldn't pay a bounty; it just means that maybe the incentive is different, right? If you're really after the reward, you go bug bounty, but you give up some of your disclosure rights because you're really after the bounty. Cool. Yeah.
Half of researchers fall into that bucket. The other half of researchers are gonna say, cool, send me a T-shirt, but I really care about getting credit and being able to do the disclosure. And so I think as vendors we need to provide both options. Yeah. And I think there's still more work to formalizing that. Yeah, that needs to happen for all of us. Yeah, I think so. I mean, for sure there's a happy medium, right?
That involves the ability to disclose eventually, right? Like, at geron, I had 200 up-and-coming security researchers in the room that are happy to poke our stuff, which is a win for everybody. But I need to make sure that them poking our stuff goes the right way and not the wrong way as far as what they do with the results. Yeah.
I think as a channel, there's been kind of a fear around bug bounties that somehow the state of the software security would become known. And it's like, guess what? It's already known: the ransomware attacks. So get over it, start doing real bug bounties. And then I think the next level for us is industry-wide cooperation, on the level of Pwn2Own, right? Yeah. There needs to be a Pwn2Own for channel technology.
And I know it's something I've talked to a few people about. It's something I want to get off the ground, and I think the mechanics of that are gonna be interesting. But until we embrace this kind of resource that's out there, just willing to spend time to find issues and help us fix them before bad guys can use them against us... I don't know why we're afraid of that. We just need to get a little bit more organized around it. Yeah.
I mean, as long as you gate it correctly, it's one of the few things you do that only pays on success, right? You only pay if they bring you actionable items, versus your own internal people, who you're paying whether or not they're finding stuff. Yeah, for sure.
So another thing: I did a session at IT Nation, and my brain is focused on this right now, on where cybersecurity regulation has gone over the past 15 years, really starting with 9/11 and moving forward. And if you look at some of the stuff that's in the Senate right now that hasn't passed committee, there's a lot of stuff around notification. And I think what we're gonna see is an evolution and a progression at the national level into forced disclosures.
Just like how we handle GDPR kinds of privacy stuff, we're gonna see the same thing at a corporate level when those things are being published. I, for one, welcome that. I think that's gonna be good. I think we're probably three to four years away from regulators finally getting smart enough to add into legislation, saying you will share, publish, and make public vulnerability disclosures. Cool.
Ryan, or should I pick on Wes, or should we move on for time? Yeah, one more. Okay, one more and then we'll... I know we have some stuff written and some questions in, but I think Wes is a good one. Okay, Wes. So MSPs traditionally have sometimes lacked in the knowledge space, right? Relying on vendors and tools to fill the gap in knowledge, right?
So as a result of that, a whole bunch of vendors in the security space have popped up, and they're feeding us a fire hose every week of a new product to solve a new widget, which involves you just being able to bill your clients more money without actually understanding how the widget works under the hood. How can us lowly MSPs fend off, right?
Where is that balancing line, to you, between the shiny new tool that solves the problem and actually understanding the underlying risks so you can properly educate and protect your customers? I knew you were gonna ask me that question and I hate it. The reason I hate it is two reasons: I don't have enough time to answer it, and two, it really paints...
I think the reason you're asking the question, Jason, is a real problem we have in this space. Let me just be really opinionated for a minute. Most MSPs do not have the capacity and the security expertise to properly do the divination on all these vendors on the floor and understand what they do and how they fit. And we vendors make it twice as bad, because we surround it with marketing talk that means nothing.
And you guys know I've said this over and over and over, but some things that will help you, in just a couple of minutes, and then we can expand on this in future cyber calls. One, never let a vendor tell you what the problem is. If you walk the vendor hall and you go to every vendor and you let them share what the problem is and then tell you how they address it, you're playing defense, and you're playing this game of, do I really have this problem?
And what am I trying to solve for? What you should really be understanding is, and we say this over and over and over, what are our gaps? What are we trying to solve for? Where are our weaknesses, and how do we handle all of that? And I think at a high level we know some things, right? We don't, as MSPs, have the size to properly do anything correctly in terms of, you know, I don't have a SOC, I don't have a huge security team, so how am I going to navigate those waters?
So we know that's the starting point, but where are the actual gaps we're trying to solve? I had this conversation, Jason, exactly this past week, where someone's like, well, do I need EDR first? Do I need application whitelisting first? Do I need SIEM first? And I'm like, guys, this set of questions is incorrect in and of itself.
And so we took a big step back and looked at the evolution of where these tools are coming from, where and how we need to solve these problems, what regulation is even saying, or looking at really CIS and understanding where these things exist inside of IG1 and IG2 and how to address them and get there. But Jason, this is so difficult a problem because it's doubly sourced: one, because MSPs typically don't have the security expertise and mentality,
and two, because we vendors make it much more difficult. And Jason, you wanna share the story, you can leave the names off, but to illustrate this I'm gonna turn it back to you, Jason. You wanna share the story about the MSP that took the new opportunity to sell like $4,000 a month of security and then reached out and said, what is it that I sell? This is an exact example of the problem you just mentioned.
Yeah, I mean, we sat through a talk where a vendor basically came in and was telling us we all needed to be doing cybersecurity sales. And as an example, they had an MSP client come in that was breached. The MSP didn't know how to solve it, so they relied on the vendor to help them through the breach and through all the things, right?
But then they went and sold that client a $4,200 a month managed security service agreement, right? So to me, that's everything that's wrong with the industry right now: you've got an MSP that is so bad at this that they had to go to their vendor for help, and then they went and sold the end user a $4,200 a month contract to do the thing they didn't know how to do. Hmm. I mean, listen, not to mention the average MSP now has like 25 tools, okay?
That in and of itself is a huge issue. That same average MSP is not large or sophisticated enough to understand the implications of a tool stack that large. Yeah. I'm gonna quadruple, quintuple, sextuple down on this: process before technology. The amount of security problems you can solve with process far outweighs technology. Technology needs to come in when you have a process need or to make your people more efficient.
That's the purpose of technology, right? Technology should not be solving a problem for you that you don't have people and process already in place for. So it's a really good segue. Can I tell you one quick thing, Andrew? I was talking to someone, an MSP I've known for a while. They had an incident, and when we talked through it, they have a lot of tools and are pretty sophisticated. It was from a workstation that was missing tools, right?
So all that money that they spent didn't protect them. The one thing they needed to do, which was understand step one, 'cause they missed step one; they spent a lot of money on steps two through a hundred and didn't get the result they wanted. What's the name of your software, Gary? Hashtag MyITProcess. Right, right.
So, David, I'm gonna come to you, because I think there's a really good segue from the question that came up just now, that Wes kind of went into with Jason, but there's a question that correlates to it from Keith Nelson, who's an awesome practitioner, and he talks about insourcing versus outsourcing the security services side of things.
'Cause we have these SOCs now, and services, you know, how do you recommend an MSP vet that when they really don't have, again, the capabilities internally to do that? And 'cause you've been on both sides, obviously, the consuming side as a customer who probably gets a lot of pitches as well. So any thoughts on that? Yeah, so building security services is hard. It's overly simplistic, but our SOC team was 50 people.
I mean, to have 24 by 7 operations, plus you have training, you have to make sure that our platforms are working. So even internally, when I started here, I told John, I don't wanna go build a SOC. I don't want to build a 24/7 operational SOC for N-able. It's not what we need. It's not money well spent. What we can do is get the foundational layer set up with a third party and let them do what they do well.
And then internally we build our team on top of that. So we have SOC personnel spread across the globe who take those escalations. We have our folks who sit above them. It is an investment in having the ability to respond to that, too, though. From a business perspective, and candidly, coming into N-able, one of the things that I knew I was gonna get was funding.
John had a recent experience at the end of last year with SolarWinds; he knows the pain that comes with it. So I knew it wasn't gonna be like, John, we need to spend money on this, can I please have it? It was pretty much, tell me what you need and we'll cut that check. So I think the challenge for MSPs is, don't bite off more than you can chew. Be realistic about what you want to go build.
And I think the second is making sure that you have a very finite scope of what you want to support. You don't want 30 different EDR tools with five different SIEMs. You need to come up with a gold standard: this is what we're gonna do, this is how we're gonna do it. And if you wanna make that decision to move forward, you do.
But, I know everybody's here to make money and that's awesome, but don't build something that's half-assed just to make a buck. You really do have to make a business commitment towards it. Yeah. And Ryan, that kind of parlays into your comment, when MSPs ask you, Ryan, what's next? Could you just stamp that home for 30 seconds, and we can move on to some closing questions here? We got a lot. Yeah.
When they ask me what's next, I usually tell them, don't go buy something new. Go back and make sure the things you have are already operating effectively. 'Cause nine times out of 10, I would say 9.9 times out of 10, buying something new is not gonna be the thing that protects you from the breach. It's, like we said, a breakdown in an existing process, the application of existing technology to assets. It's fundamental stuff.
Again, that's why I'll go back to the threat profiles that we published that are on CyberNation. Go through the TTPs that the threat actors use. 99% of them, again, map to IG1. IG1 is cybersecurity hygiene basics. It's the fundamental stuff. And so buying the latest zero trust XDR Plus Ultra, to steal from whoever said that, right? It's awesome. It's not the answer to your problem. The answer to your problem is, am I patching consistently everywhere?
Do I know what everywhere is? When was the last time I confirmed what everywhere is? It's answering fundamental basic questions. And I do wanna endorse what David said, because it's my philosophy too that third parties should be viewed as your first line, not your last line, of defense on intrusion monitoring. They have a service that they provide that's good and consistent across a certain swath of things.
You don't wanna spend your time recreating that, because the real value for you internally is to recreate the monitoring that's specific to your business. And so that's where you wanna invest time in people, and you don't need an internal 24 by 7 SOC to do that. You just need people that work nine to five, five days a week, and a really good on-call and escalation procedure to declare those situations for investigation.
So yeah, I think MSPs need to be working towards that as well. I think we're seeing a lot of people bringing in Perch and Blackpoint and, you know, RocketCyber and SKOUT and all these things, and like, okay, now I have intrusion monitoring. No, you're viewing it like it's the last line of defense. It's your first step in maturity. You're gonna learn from those vendors, and you need to build on top of that.
So Ryan, I'm going to take yours, 'cause you mentioned IG1. Jason has been really steadfast in implementing CIS; I think, Jason, you're probably through, and I know you're a CSAT subscriber. I don't know if you're all the way into IG3 yet. However, Gloria asks a question, and I'd love your comment on this, Jason.
She says, I've asked this repeatedly and I've gotten the action items that I've implemented in my small MSP, but my question is, where do we start? What list should we go from? I know we need to start with ourselves; however, what actions, what lists? So maybe we could, again, reiterate where to go to start as client zero.
Yeah, I mean, if you're gonna take the CIS stuff, just go through the list. IG1, some of the asset-based things are obviously the most important, because you can't talk about things you don't know about, but some of them are really hard, right? So where we really got hung up, and I still don't think we have this a hundred percent right, is the software asset inventory stuff. I think that's a relatively unsolved problem still.
But something is better than nothing, right? So don't let that piece of it hang you up. Go through, assess yourself, find out where you're at, and this entire thing in this industry is about making next week better than today, right? So pick something you think you can get done in a reasonable amount of time and do it. And then when that's done, find another one, right?
You probably have reasonably good policies on, say, remote access, but maybe you're not doing MFA for VPN, right? Well, that's the thing you could just do: check it off, move on to the next one. If you can do a couple of them every couple of weeks, then pretty soon you're through it, right? And then you can move on to IG2 and move on to IG3. To answer your question, no, we are nowhere near IG3.
That's a pretty tough lift, I think, for most companies to get completely through. But every week we try to do a little better than the week before. Yeah. And I think Ryan did a really good job, and he's got a phenomenal deck where he talks about the progression of IG1, IG2, and over to NIST CSF and respond and recover, where CIS falls down. Yeah.
So we kind of did that work that Wes and I had done when we did the first cyber resilience thing, where Wes mapped it onto the Cyber Defense Matrix. Yep. But instead of doing users, applications, data, network, et cetera, I just bucketed the controls into their five NIST CSF areas: protect, detect, respond, recover, identify. And what you see is, when you go to IG3, it's double the complexity of IG1 and IG2, mm-hmm,
but you actually still get almost no additional capability in respond and recover. And so I have posited, and I maintain this at this point, when you get done with IG1, I think that's a decision point for you. Do I go IG2 or do I go NIST CSF? Yeah. And maybe it's some hybrid of both. Maybe you pick a handful of IG2 things and then you go down CSF.
But I think the more important thing should be for you to round out capabilities in all five functional areas, for left-of-boom and right-of-boom capability, rather than just arbitrarily walking the CIS guideposts all the way up to IG3. Because even if you get there, which is incredibly difficult, you're still not done, because you don't have capabilities in respond and recover. Right. So I know, with one minute left here, there's a bunch of questions. I'll pose those, if it's okay,
David, Ryan, Wes, to you, and I'll circulate them out to the group as a whole in the next email blast. Gary, you're always awesome at wrapping things up. Any synopsis, closing thoughts you might wanna put out there for everybody? Just, again, what I took away today is drawing the parallels between what Ryan and David and these teams have to do on a grand scale to exactly what MSPs need to do. The philosophy is the same.
So a lot of really good advice today, and then really encouraging to see all the vendors beginning to really work together. Yeah, absolutely. And Zeb, yeah, I'll work on that. I'll just make sure Ryan's cool with it. It's really well done. And I just want to thank David, being new to the community; I really want to thank you for coming on and just being so open.
And it's really great to have you as part of the community. It's a brave debut to set yourself in the hot seat and let MSPs ask you anything. So, great job. I'm happy to do it. I appreciate you guys inviting me, so I definitely enjoyed it. Yeah. And Jason, as always, thank you for your selfless contributions to the community. Man, you spend a ton of time helping a lot of MSPs, so I'm really thankful for you as well.
Ryan, Gary, Wes, as always, thanks, my friends. We'll see everybody next week. Take care.