Right of Boom
January 30, 2025

Barn Door Security Assessments

In this video, Mark French discusses the Barn Door Security Assessment and its role in evaluating and improving cybersecurity practices for businesses. He emphasizes the importance of understanding business operations and aligning security measures with business goals. The conversation also touches on the challenges and opportunities in the cybersecurity landscape, particularly in relation to private equity firms and the evolving cyber insurance sector.

- The Barn Door Security Assessment is a quick method to identify critical security issues within an organization, focusing on immediate risks that need to be addressed in the short term.
- Cyber insurance has become a driving force in improving cybersecurity measures, as failing to meet certain security standards can significantly increase insurance premiums.
- Effective cybersecurity involves understanding both technical vulnerabilities and aligning security measures with business objectives to ensure the organization's strategic goals are supported.

Guests

Andrew Morgan

Video Transcript

Alright, welcome back everybody. I hope you all had a great Thanksgiving holiday, um, whatever you celebrate. Um, but, uh, it's great to have you back here. We've got an awesome show today, an awesome guest. Um, Robert, hello from New York as well. It's great to see you as always. Um, just a few quick announcements, Gary, I only have 10 today. I, I hope that's okay. Good, good. You're cutting down. Um, I put them all up in there. So again, awesome cyber cast is out.

Um, I encourage you all to listen to, I think it literally is one of the best, uh, that we've done. When I say we, you always say that. Well, this one included some comments, commentary from you, so, you know, it was clearly that probably was the best. Um, and then, um, what, um, just mentioned, uh, uh, Right of Boom. Uh, early bird ends the end of this week in a few days, November. And then the pre-day events are beginning to get announced. Um, I'm excited to hear what you guys are doing.

Gary, I'm gonna mention that, call out Huntress pre-day 'cause that was posted and Wes is a quote unquote star in that. It's gonna be really interesting. Now again, you have to be registered for Right of Boom. It isn't free and it is gonna be first come first serve and it is gonna be a full-out IR, uh, tabletop. But it is gonna be intense in that, um, uh, there is gonna be literally, um, lawyers involved. There's going to be pressure, there's going to be intensity.

Uh, it is not just gonna be, let's talk through a tabletop. Uh, I saw Mark, uh, smiled about that one. I thought. I think Mark kind of likes that idea. Uh, not just your run-of-the-mill tabletop. It's gonna be good. It's gonna be good. Um, and then lastly, um, I put up, uh, John Strand is actually teaching live a, uh, intro to pen testing. It is pay what you can. Um, and that is out there as well. I just see also Wes, I'll go when he has the advanced session. Absolutely.

Um, by the way, uh, I see Charles Sanders out there, reminded me of I gotta reach out to Chris Sanders, Wes, and we gotta see if we can get him here for his end of year. Yeah. Uh, thing for Rural Tech, uh, Foundation. Yep. Um, okay. Be great to on. Okay, awesome. Let me jump right into it. Okay. So Gary, um, I'm going to, this, this is something I I think I heard you say.

So tell me if I'm wrong, but, um, you, you mentioned like, you know, for years, I've known you almost two decades and pulling down entrance barriers in sales was always like, first and foremost, like people would do assessments and network assessments and you'd be like, no, no, no, no. I can conceptualize what I'll find, I'll go to the end result. Absolutely. Yep, yep, yep.

But I think I heard you say recently that in today's environment you might, you might in certain instances use a security assessment as a wedge, as a differentiator, certainly charging for it. Yep. Um, and give us your thoughts on that as we, as I hand this over and intro Mark. Yeah, well listen, in general, the reason I never did assessments is we could sell 10 or 15,000 a month of new MRR every month without doing them. Right. So why, why would I go through all that? Right?

And, and, you know, have a close ratio of is higher than most. But, uh, today what, what's what's changed is in some situ, and listen, you can do the same thing. Security is just another wedge. So I see, you know, uh, sales going up because of it. Same process, conceptualizing asking the right questions.

We've done the role plays here, but I think you get into certain situations where, um, taking it a step further and doing a paid assessment can be the thing that, you know, that cements that relationship. Again, as long as you're posturing it to what comes after, you know, I call it what happens after what happens next, right? So we're gonna come back, let me tell you what the results are gonna look like then what would we do? Yeah, very cool.

So when you said that, I was like, you know, that was, like I said, a little bit of a jaw-dropping moment after knowing years and years and years of, you know, sales velocity was first. Um, and with that I'm like, you know, I gotta find someone who's awesome at assessments among, amongst other things. And I was fortunate enough to be introduced to, uh, Mark French, the, uh, founder, uh, chief CISO, I will call, I'm joking around Mark, but the head of Product Security Group.

And Mark, you had a small role that I'll have you tell everybody about before that at a well-known security company. So welcome. And we are gonna be talking about Barn Do something. You created the Barn Door Security Assessment, momentarily, but tell us a little about yourself. Welcome to the Cyber Call. Sure. Uh, origin story, uh, started as a law enforcement guy. Hated it.

Went back, became a tech guy, came up through engineering and then for a while drifted over to, ran operations for Dun & Bradstreet. Then fell into product management at Iron Mountain, ran parts of Iron Mountain Federal on the technology side, and then, uh, cut my teeth in security at that point. Had a bunch of different security gigs, CISO roles just before I started PSG here in 2019. I was a Senior Vice President and Chief Trust Officer over at Mimecast, the email security provider.

So done a bunch of different stuff in tech from ops to IT to security to product management to hardcore kernel development back in the day. Um, been doing this a long time, sir. Yeah, that's, it's really cool. And then, you know, we're gonna talk about it, um, as I hand it over to Gary, but it was really, really cool to hear, uh, about the Barn Door assessment. I know you do a bunch of different things. Maybe share some of that with us as we get going.

As you know, you kind of talk through, you know, the questions, but, uh, it's really, uh, uh, I think just a great concept and what you do with it and how you do it and, and the different components of security. So thrilled to have you. Gary, let me hand it over to you. Yep. First off, Mark, really thank you for being here today. Um, really interesting topic. How did you come up with, first off, naming it Barn Door? Uh, that would be the first thing.

And then, um, is the assessment of this for like specific verticals, like who would be the target market? Sure. So we'll start with Barn Door. What's the genesis? So we were doing, uh, some work for a private equity firm and we were working with one of their portfolio companies and we were, I was sitting with the CEO trying to, you know, we had been brought in by the PE firm to go through their security processes. And he's like, you know what, Mark, I understand we're gonna do this long assessment.

You gotta tell us where we need to go. Maybe bootstrap it, hire a team. I just need to figure out whether the barn's on fire. Like are there things that I need to worry about? So it occurred to me, I'm like, we've always been looking for a name of this kind of flash, almost call it a flash assessment.

So flash equals fire, to, to come up with this idea that hey, we want to get in there really, really quick and figure out whether or not there are things that you're in trouble with that you need to fix really quick. Usually within the next, in the first 90 days of our assessment. And really we thought barn door, and the idea was barn door's open, all the animals are running out.

Time to get all the animals, corral 'em all back, get 'em all back in the barn, shut the door and let's figure out what we're gonna do from there. So that's how we kinda genesised the Barn Door name for it, kind of stuck. Everybody gets it. Everybody kind of gets the analogy saying, yep, animals are running in the field. Get 'em in there. Let's figure out what we need to do. And then once that's done, we'll move on to the next thing. Because my new product's called the Ark. That's kinda funny.

Kind of you like that, how I did that. I like that. That's good. So are there verticals you would focus on with this? Like specific or like who is the target? Generally? We, we deal with anybody. So whether they're a kind of technology focused organization, we do healthcare orgs, we do manufacturing companies. It's the, the way it's done is, is very generic and really we look across all the domains of information security and then we'll pick and choose.

So the example I'll give you is if you're a product tech company in the SaaS business, we'll probably give you an application security flash assessment. Whereas if you're a manufacturing company, not so much, you're not building tech to deploy in the cloud. It's more kind of the back office side of it and your IT security space. So we look, and these are kind of, ag, yeah. Is it kind of like base requirements? Yeah. So you consider it. Yeah.

Really what it is, is the idea behind the Barn Door is this is meant for any size organization in any vertical. These are the things that you should be doing regardless of the size of the organization. Whether you're a $2 million ARR startup all the way to a billion dollar company, and there's some stratification in there, but these, these are the things that you should be doing. It's kind of based on two things, Gary. Yeah, that was my next question, based on, yeah, I know.

So it's based on two things. One is cyber insurance. So everybody wants one of those. Everybody's trying to get one of those. We are in a unique situation to probably negotiate a hundred or so of those every year for the portfolio companies we work with. So we see a broad spectrum from billion dollar companies to $5 million startups. So what we've done is curated the list, so to speak.

And there's a hierarchy in cyber insurance where you've got tier one carrier, say Lloyd's of London, that makes an announcement that they will no longer cover cyber warfare things going forward, all the way down to what we'll call the tier three player, which is kind of your regional cyber carrier.

What we see is folks that as we look at these things, we start to curate this list to say every one of the carriers from tier one to tier three is essentially asking that you do phishing simulation every year. In order for you to get your cyber policy at a reasonable rate, you better be able to produce something that says you do some phishing testing every year.

So after looking at a hundred of these for the last three years, we've got a pretty solid list of what everybody's going to ask you that you're gonna need to do to get a policy that you can afford. 'cause let's face it, cyber insurance policies over the last couple of years have tripled. I don't know what you guys have experienced, but that's what we see. You know, what was 20,000 is now a hundred thousand. And if you don't do some of those things on the list, it'll be 200,000.

And really for us, as we look at a lot of our customers, there's really no situation where they're gonna allow an organization to exist without a cyber policy. I mean, they're trying to protect their investment. So you gotta get one. So that's the first half, curated list, cyber stuff, if you're gonna get your policy renewed.

So kinda, if I can, if I can paraphrase that you deal with all, you deal with all levels, different types of providers, and you kind of look and see like pattern recognition. What are the things that no matter where you are, these are the things that everybody needs to deal with. And the other, the other benefit there is we can get ahead of it. So let's say, 'cause there's a progression that we see.

So tier one to tier two takes about 12 months for that control to percolate down into the next tier below that. So if you are doing AIG or Chubb as a second tier carrier, and you have Lloyd's, we know that Lloyd's is gonna have this warfare thing where they're gonna say they're not gonna accept it, it's not gonna show up in your Chubb renewal this year, but next year it probably will begin to creep in there. So you need to start getting ahead of it.

So what we'll try to say is, Hey, we know you're, you're with this provider, they're at this tier, you're gonna need to start thinking about this because if not, in 12 months when you go to your renewal or in three months when you're gonna go to the renewal, you're gonna be in trouble. 'cause you're not gonna have this control in place. You gotta get ahead of it and do it.

And then if you're moving down to a regional player, like, uh, someone here in the Boston area where I'm located, it'll probably be 24 to 30 months before it rolls down into you. Gotcha. So I have one more question for you, but before I get there, Andrew, uh, Dustin said, uh, cyber insurance is the best sales tool in 15 years he's been doing this. Dustin, I agree with you. Um, can we maybe put up a little poll? We haven't done it in a while. We've asked it twice in the past.

You know, a couple years how many MSPs can tell us that they have had a conversation and know the cybersecurity, you know, situation, what, however you wanna word it with all of their customers, the MSP's customers. Let's, let's see where we are. Because in the past, um, there wasn't a lot of people that really knew, uh, where all their customers were when it came to, if they had what they had, those kind of things.

And so it just kind of speaks to what Dustin, and Gary, do you want that answer to be a hundred percent yes, or anything else? Yeah. Why don't you say a hundred percent, 50% or less. Okay. Make, make that, how's that? Is that good? You think, Wes? Yeah. Yeah. You see what I'm getting at? I do. Okay. And while we, go ahead, I was just gonna say, and can you guys actually answer it? 'Cause like, yeah, answer it, Katie.

There's like, there'll be like, Mark, there'll be like close to a thousand people and there's like 60 that'll answer it. What were you gonna say? That's not, I used to work, I used to work at Constant Contact in email marketing. That's not a bad return rate, my friend. Generally can, what I was gonna say, Gary, is there's the other half. So that's kind of 50% of what goes into the secret sauce of, of the equation.

The second piece is we look twice a year, we go through kind of what I'll call the big three providers of kind of standard security controls. So we look, we, we look for guidance from DHS through CISA, you know, and they come back with NIST with a whole bunch of things that say, here are the basic things you should be doing. You should be protecting yourself against ransomware, blah, blah, blah, blah, blah.

We'll look at NCSC in the United Kingdom, so the National Cyber Security Centre, and then we'll look at the Australian Signals Directorate down in Oz. We'll look at those three. 'Cause we do deal with global customers, even at the small scale. As you never know where your customers are coming in from and what requirements they're gonna have. We'll take those three and we'll again develop a baseline set of controls that everybody's asking for.

So if everybody says you should be doing annual security awareness training, if you didn't get it on the cyber side, you better get it on this side because if anything ever happened, there'll be an expectation that that's the low bar. So don't trip over the bar. That's, that's really what we're gonna expect to see in your organization. So those two things together, aggregated and unionized is kind of what we use for the base assessment. So, And I could give a couple times a year. Yeah.

Andrew, what do we got? I was just, oh, oh, lemme look at the poll. We might have to give it a little more time. Um, wow. A hundred. Well, 52% are saying a hundred percent, or, uh, uh, 39% are 50. And then about 8% are saying less than. This is progress though, isn't it, Gary? It's a lot of progress. Uh, Wes, it's a lot of progress.

I hope that we have something small if we, you know, any small part that we've played in, in, in moving those numbers, and a hundred percent's our goal, but, um, wow, that's a lot better. That, that's pretty good. But people still have more, uh, still have more work to do. Gary, can I just say one thing? I want you to continue 'cause I love your line, you know, your conversation with Mark.

But what I think is interesting, um, it's something we talk about often, which is the sales conversation, Gary. And you know, we've had people like, um, Brian Blakely on who's a master at, you know, speaking about what drives how people make money, right? And Mark, a lot of, you know, MSPs get very technical and lose the sale because they're not speaking about the business.

And I just find it fascinating in my head how a lot of your customers are big PE firms that are investing large sums of money or potentially large sums of money in companies. You're going in saying, are the barn doors open or not? Well, what couldn't speak more truthfully to what people care about than a PE firm ready to like shell out a bunch of money. You know what I mean? That are going, mark, we have no problem paying for your services because we have a lot of money on the line.

Does that make sense? I I mean that's, that's truly what it is. My friend, you know, they have capitalized these investments and they wanna make sure that there's gonna be a business on the other side to generate a return. So hence the side, the focus on cybersecurity policies. 'cause again, backstop, right? Insurance is a risk transfer mechanism.

I gotta have something, they want us to come in and make sure that that company still exists in the near term so that they can realize the investment that they've made in the organization. So if, if they, if they have lousy security and they get breached and it closes up tomorrow and they gotta pay $4 a head because they're storing 8 million medical records, and you just do the math and all of their investment goes up in smoke, that's not a good spot for them.

They've just flushed all of that investment. Yeah. Listen Andrew, you know, I sit on the board of a private equity company and you know, basically what I tell them is a catastrophic cyber event is the only thing that can keep us from our goals. Like, we have it figured out, we have it wired. We, we have all the great expertise on what to do with MSPs and that it's, it's the only thing.

I mean, investing and making sure we have knowledge, uh, and the approach to, to, you know, minimize that even if it costs us more, right? And it will, it's gonna cost us more. We're gonna have multiple, uh, you know, sessions of RMMs and all of these things that we have to put in place that are the opposite of, of efficiency. Do you know what I'm saying? Well, I was gonna ask you that, Gary, and again, Mark, I'm just gonna frame this out for you. Yeah. Mark, I'll get back to your question.

Yeah, yeah. We're all good. We're just riffing. But I want everybody to hear this, Gary, because for years it was like, you know, standardizing tool sets and again, it's, it's fascinating how cyber has shifted your way of looking at business now that you are an investor. I mean, what percent of cost would you say has increased in, you know, mitigating risk and tools internally in the organization and process five, six years?

Listen, if you look at it, the easiest way to look at it is look at how much more we have had to, um, like we're charging customers 50% more, right? 50% more. At least sometimes more. So it's a, it's a massive, and it's really mainly been driven, uh, the, a bulk of it by, by security. So you say, Hey Gary, you said some things before you look at it differently. Yeah.

I better, we all better be looking at when, when something comes in that changes so much the cost structure of the approach, the way we do business, right? All the things we're talking about with Mark today. I, I'm hoping we're not looking at everything the same. Yeah, no, it's, it's, I just find it fascinating what, what, you know, a paradigm shift, right? You know, for something for 20 years that I've known you was one way and you could just churn money.

And the MSPs had it very good for years and years and years and years and years. Uh, yeah, it's still a money machine, but it's more like a watch now. It's got a lot of moving parts. It's like an automatic watch, uh, right. Yeah. Very cool. So Mark, I had one more question for you and then I'll pass it over to Phyllis. What is something like a barn door assessment? Like what does it cost? How long does it take?

Like, give us a scope of how you, you would maybe explain that to me as a prospect or a customer? Yeah, so generally, uh, 15 business days, less than 10 grand. How's that for a synopsis? Yep. So, so generally we're gonna get in there, we're gonna do a very quick review. 'Cause again, I can see the animals running out in the field. My job is to know where they are and just push 'em all back in again. So it's very focused, it's a very focused activity.

Um, but we try to deliver the finalized report with the executive summary in 15 business days. So from day one kickoff till the final delivery, 15 days. And usually it's south of 10,000 US. Some of it, it doesn't usually go below five. So somewhere in that spectrum, kind of depends on the scope of what we're looking at. You know, you got one division, five divisions, or you're just one small manufacturing company in Providence, Rhode Island. It's a much different rate than that. Yeah.

But usually that, that's what we're looking at. I have 50 more questions, but, um, I, I'm, if we have any time at, at, at the end, I, I'll ask those. But I'm gonna, I'm gonna pass it over to, to Phyllis to ask some questions. Great. Thanks Gary. So, um, Mark, um, you said after a couple weeks you, you at least get a report. Um, so when you re, so are you also, um, giving a brief out, what kind of, um, deliverables can a client expect?

And then do you help them, um, understand perhaps next steps, what they should do to fix, et cetera? Like maybe prioritization even? Yeah, so generally there's a prioritization that happens as part of the report. You know, this is coarse grained. So these are the things that are mission critical for you guys to fix right now. So that the, the roadmap's pretty obvious: get this done in the next 90 to 180 days, depending on what it is. You get, uh, the report.

You get executive comms and a PowerPoint essentially right outta the gate. Normally what will happen afterwards is one of two things. One, they'll take the report away, they'll say, yep, we've got it. Three months later they'll come back and say, Hey, we thought we had it. We really can't do that ourselves. Can you provide us support to do that? Or at that point in time, they will go, thank you for this. We don't have the expertise on how to do this. Can you help us right now?

So generally, almost every engagement that we do for Barn Door leads to a follow-on sale. Those happen in one of two ways. One, it could be a, an additional kind of deep dive assessment that happens at the, you know, at an organization that's got a little bit more maturity. So think 25 million in ARR probably is around when that happens. And above, there'll be some bootstrap that could happen. Meaning that, hey, thanks for the list. We don't know how to do any of this.

Can you just help us do this work? What we tell folks is, we are not your virtual CISO. We're not here to be your long-term security department. We will bootstrap your program up, maybe even hire your team for you, but if we're here in a year, we've done something wrong for you because that kind of engagement should not take that long. We should be teaching these folks how to do this. And then moving on to the next one. Especially when we deal with the portfolio companies.

'Cause they have 50 people in their portfolio. They want us to move on to the next one. But every one of 'em leads to a follow-on sale. Almost a hundred percent. Very few don't. Do people ask you back like, oh, okay, we're gonna take a year to implement this or a year and a half, you know, a couple years, and then can you come back and do another quick assessment? We do. So usually probably 18 months we're back doing another review to just see what progress they made.

Especially in the portfolio companies, they wanna, they want some progress reporting done and they don't necessarily believe everything that they hear from the folks there. Right. Um, and usually the other interesting thing about this is what we see happen over the course of the time that we've been doing PSG is we'll do this bootstrap project and then they may disappear for 12 months and they're back again with another project.

So what we've seen is as we're cycling through now our first set of customers, 'cause we've only really been around in PSG since '19, they've all come back again. So we've done this process with them. They took a hiatus for 12 months and then they brought us back again for another round of, of kind of advanced implementation projects. So, you know, once you get on the ground, you prove your worth. They trust your decisioning.

We see that almost every one of our customers, we're in this repeat cycle now. So they may take a little bit of time off in the middle, but we have a book of business that they keep coming back to us every couple, every year or so to procure more service. I'm curious how much improvement you see over time. I, I, you know, I worked for the NSA. I used to help out Blue Team. We'd see the same things over and over again.

Now Blue Team was free to other federal agencies, but it would always be, you know, you're not patched, blah blah. You know what I mean? It was always the same thing over and over again. I'm just curious, how was it for you? Do you see much improvement? I would tell you, back to our earlier comment, the cyber, the cyber insurance has pushed the momentum a little bit because if you answered no and the next time you answer no next year, insert an extra zero at the end of the premium dollar.

So that has been a forcing function. We've seen in some organizations, every org except one that we've done, and we've done hundreds of these by now, has made some progress, at least in the portfolio companies that have us come back through periodically. There was one that didn't. Right. There's always gotta be one or two, you can't have a hundred percent success rate, and, uh, those folks are no longer with us. We'll just, we'll just leave it at that.

Right. Okay. That's, that's good news. Too much risk. Yeah, no, it's good news actually. We were impressed. We didn't think that there was gonna be much delta, having come from the corporate world. I know how slow the machine can go. Right? Sometimes, and I'll be honest with you, the bigger the company, the slower the machine. We find that, especially in the folks that are like south of a hundred million ARR, can get stuff done, right?

They get two or three folks on the task and they can just turn it out. When we deal with folks that are, you know, 500 million plus the machine just goes slower. 'cause there's yes so many people that need to cross the t's and dot the i's Yes. That progress doesn't go as fast. Yeah, I've seen that as well. It's true. Yep.

Um, so, um, in all the assessments that you've done, um, is there, you know, the top five things that you'll always see across the board, um, uh, at every, you know, organization, I'm really curious to see 'cause um, I'm gonna cross compare that with, um, our top list of things you can do to fix, you know, the top safeguards you should implement on your network. Um, based on the top five attacks that we, um, at CIS documented, looking at a bunch of, um, threat reports, et cetera.

And so we, we ranked, um, our safeguards in the order of what you should be accomplishing, accomplishing or implementing to defend against those top threats. So I think we're gonna be, uh, we're gonna have a big overlap. So number one, folks don't know what they have. We see this all the time. Like, I dunno what gear I have on the ground. I have no idea what IP addresses I have. I didn't know I was in Azure.

I thought I was in AWS. Um, so like number one thing that we find all the time is that inventory, right, Mark? Just basic inventory, whether it's software, like what IP addresses do you have? Well, I had a pen test. Okay, you had that IP, but you have seven other ones. Did we have seven other ones? I didn't know that. Or what domains do you own? I, I don't know. I don't, I have no idea what, what domains I own.

So usually there's a lot of the, hey, we should probably figure out what you have first. 'Cause it's hard for me to give you a protection strategy if you don't know what you got. Right. Um, second, surprising, not endpoint. We thought this was gonna be a big thing. The reality is, is most of the folks we have, some have some endpoint protection process in place. I mean, it's become so ingrained we don't see anybody that doesn't have either EPP or EDR or something. Everybody's got something today.

Uh, what we see in, in product companies, so we'll, we'll take a little diversion to the right, is not securing their source code: A, not knowing where their source code is, and B, not securing it. They, they don't have any idea that they're in Bitbucket and GitHub and they have no multifactor. Which is the good segue to the second one that we see, multifactor not turned on everywhere, right? Uh, generally speaking, not in any place. Or if it is, they have an opportunity to turn SSO on.

They haven't, their privileged users are no, you know, they still have a root account on AWS with like no second factor on it. So number two, that usually shows up and that's the one that, I'll be honest with you, the cyber insurers laser focus on, if you answer that, you don't have multifactor two zeros on the end of your policy. 'cause that is a thing now that they're looking to try to figure out and make sure that you get in there.

Mark, can I just ask about multifactor, because, you know, we've talked a lot on, on, you know, the Cyber Call about cyber, cyber insurance questionnaires, and obviously, do you have multifactor? Obviously that's a loaded question because there's so many areas that it could be. How do you break that down? Do I mean, do you get into the specificity? Because again, this is where, if you look at the Travelers case right now, specifically with an MSP, it has to do with this very thing.

Um, we could pull Colonial Pipeline out of the air and you know, yeah, we have, we sure we have multifactor except we forgot it over here on the VPN as an example. So how do you, how do you look at that? Does that make sense? So you gotta have something, uh, right. What we're trying to not make judgements out of the gate. So if you have SMS or nothing, I'll take SMS every day. Um, so yeah, it's not the best particularly, but I'll, you know, one's better than zero.

So we're trying not to make value judgements on the folks that we review as part of this flash assessment. 'cause I just wanna make sure that you've got something. If you do the full assessment, we'll dig in. Well, let's say, all right, you know, let's look at your whole risk profile. We'll go deep into those. But for this, it's just kind of are, are you, have you got things turned on? Are things not turned on? Um, and if it's SMS, that's fine. It's better than not having anything.

And is it more so on their, like their Azure and O365 things that you're looking initially at versus, well, that kind of brings us to the third, kind of the third big bucket: productivity suite hardening. So everybody stands up their O365 instance and their Google Workspaces and don't do any kind of hardening on it. So they haven't locked down their OneDrives. They haven't necessarily restricted their Teams environments. They don't have basic email security, going back to my Mimecast days.

So all those things are not turned on. And you guys all know, you probably talked about it a hundred times on the show. Those are the primary vectors that come in for phishing attempts and everything else. So the folks just, they, they get their out of box 365 and they roll it out and they're like, I'm good. And we just want them to do some real basic level stuff like don't open OneDrive to the world. 'cause right now it's set up that anybody creates a OneDrive and anybody can access it. Okay.

Awesome. And then the last one we see is basic hygiene for those folks that have cloud instances. So open S3 buckets, or not even knowing what S3 buckets you have that are open. So those are the ones that we generally see more often than not. Very cool. Awesome. How does that line up? Yeah, that's pretty, that's pretty close. I think they line up really, really super well. I dunno if that's good or bad though. 'cause if we keep talking about 'em, you figure they get better over time.

Well, I mean, you think they get better. Yeah. So you know, this is what we always say is like, it's really just back to the basics. It really is that essential cyber hygiene, it's nothing fancy. It's, you know, not some kind of magical tool. Tooling is a part of it, but it's just those same things that are, you know, essential or basic that you have to implement. So, um, you know, and we are finding it over and over again. So what's it going to take, what is it going to take?

And that, and that's the reason for this. The whole idea for the barn door was these are the things that everybody should be doing, right? Regardless of the size that you're at or regardless of the vertical that you're in, you should probably have endpoint protection. You should probably harden your 365 instance. You probably should know your IP ranges. David, just, I'm sorry, mark. So hang on Andrew. Yeah, I can answer your question, Phil. It's, what's it gonna take?

I can answer it from an MSP perspective. $300 a seat. They're the sales guy. I like that. I like that. Yes. Yeah, that's what it's gonna take. Yeah. Mark, quick question. Um, do, so you have like, let's just say pick PE number one that you work with. They've got a hundred companies in their portfolio. Do you, um, build some type of data, like data structuring on, hey, based on your portfolio, you know, you, this is how you compare to others. Like, do you, have you started to do that?

Because we find that like, you know, again, from a sales perspective, really powerful. Like, hey, based on this, like Wes, you can talk about this in the financial services, right? Coming from banks, right? This is where you rank compared to your peers, right? Isn't that a pretty powerful thing? And just curious if you thought of that or do that? We Do. We do actually. And we try, we try to. So we've, we've done a lot of these. So we actually have it sitting on a good corpus of data.

And what we'll try to do is, as we think about scoring, you know, what's your score, right? We started with A, B, C, D, F. The partners hated that. 'cause you know, we're getting F, that, you know, visually that doesn't hit, doesn't land very well, right? What we ended up doing is, um, you know, most PE firms want to be in the middle of the pack unless it's a product differentiator. They don't want you to be ahead of the pack. They also don't want to be the person that's way behind.

So they wanna sit somewhere in the middle. So what we generally find is, we'll, we'll have some semblance of, based on the size of the organization you're in, and the vertical in which you operate, what your score can be. And there's a few factors, you know, who's your target customer? Is it enterprise, is it consumer? Is it advanced consumer is an advanced enterprise? You know, healthcare records, PCI, and we'll give you a kind of a rough swag of where we think you should be.

So here's an example. You know, let's just say you are a, a consumer focused app on a mobile platform capturing very little PII, you know, your security score's probably gonna need to be like a 60 out of a hundred. So, you know, we colloquially call it striving for the D you may only be a 30, but you really need to get to a 60 in order to have a defensible security posture with respect to what your customer expectations are and what your market expectations are.

So no one gets a hundred, generally speaking, right? And the bigger assessment for the barn door, we expect a hundred. But for the follow-on assessment of maturity that we sell as a, as the second piece of this, that becomes where that folds in. It's okay. Now we're gonna put a little bit more secret sauce in there. But for barn door you gotta get a hundred. This is a, this is binary. It's pass fail. You either get it all or you don't.

When you go to the next phase of assessments, that's when we start to inject that nuance of data to say, all right, so we think you're here. You should probably strive to be here. 'cause again, if you think about it from the PE firm, they don't wanna overcapitalize security. But let's face it, having been a CISO in the past, I will spend every dollar that you give me and then ask you for a hundred more. The reality of it is, is that that's not a good investment from a PE firm's perspective.

So I want to spend what I need to spend to meet market demand and customer demand. And sometimes that's a B, sometimes that's a D. Just make sure that you can close the gap. We have actually had, knock on wood, four instances where we've told them to spend less in security out of all the assessments we've done, because they were overcapitalizing the investment.

They had an awesome security program, but it did, they were spending more than they needed to in order to protect the data assets in the organization that they have. So of the hundreds we've done, we've had four where we've actually had to tell 'em to spend less in security in general. Really interesting. Was it an interesting conversation at the board meeting? I bet.

So, um, so you've already covered, like you do, you do offer or you may recommend, um, hey, you need to do, you know, um, kind of like that next level, um, where we are gonna provide a threat profile. And you sound like you do target the industry, healthcare, et cetera. When is it that you actually give that recommended? Do you give that recommendation? I guess I should ask, or absolutely, you ask for that next level, like no, we always give it. What is the, um, rationale?

Like what prompts you to, um, you know, go to that next level? So generally speaking, there's some other pressure. So the barn door is meant to be really quick. Mm-Hmm. There's usually some other factor having us come into the conversation beyond just getting a barn door assessment. So barn door, we come in, we provide it, usually there's another driver, Phyllis, that is driving us to do this assessment us. And it's usually the second piece of it.

So they ha, they had a breach, they are gonna move into a new business opportunity. All of a sudden, hey, we're gonna start taking credit cards. We should probably figure out what we're gonna do. Because historically we've only done ACH, or hey, we're going to now work on defense materials and I ha, I'm worried about ITAR and I'm worried, worried about DFARS and all of these things I need to sign up for. What do I need to do?

So we come in, we flash it over, and then usually there's a follow on engagement beyond that. And then usually for that one we will provide you a detailed roadmap of how to get you to where you need to be based on what the business has said to us. So in that full assessment, we spend 80% of the time, I'll be honest with you, talking to the business and only 20% of the time talking to the technology. 'cause if I can't get the business rationale right, the tech will just follow through.

I mean, most of these folks have gone through some assessment. I don't need to be their auditor and look at their tenable scores. They already have them. But what they haven't necessarily done is spoken to the CEO, the CFO, the head of product, the head of operations and manufacturing to understand what they actually are going to do. That's where the real value comes back to the security team on the other side.

'cause we'll match that up with where they want to go from a business and then we'll just layer the tech on top of it. So I think that's so important, what you said about like really, um, showing what's speaking to the business and what the business needs to do, right? Because that's number one why they're in business and you need that buy-in and then, and then you lay the technology on top. So I I really like the way you said that.

We've seen many security teams are going this way and the business is going this way. Yeah. And they're asking for resources and they can't figure out why they can't get any. I'm like, well, just, that's right, turn the ship this way a little bit. Or here's a, here's a basic one. If you're asking for this project, align it to one of the strategic initiatives that the company's doing this year and hey, money will show up.

So if you're gonna go to Europe and you need to build a Privacy Pro program, you might say, in order to go to Europe team, because I know you want to do business there, we need to build a privacy program. So this is part of that budget. And I see a lot of security professionals don't do that. So they end up struggling because they'll, at the end of the day, they'll go to Europe and they'll say, well why didn't you ask me for the money for the privacy program? And you go about that.

Wait, wait a minute. Wait A minute. You gotta make some comments here. Yeah. Wait, are you guys saying that MSPs, we should waste time finding out how our customers do business and make money? This is outrageous. You can comment Mark. I'm not commenting. No, I'm gonna let him, I'm gonna let him have this moment. That's funny. Oh yeah, absolutely. Okay. Tell a quick story. Yes, please. Okay.

So like the first time when I bought my second MSP and I sat with their, um, vCIOs, like alleged vCIOs, um, good people by the way, turned out that they became great vCIOs when they knew how. But I just went down all their customer lists and said, tell me who you deal with, like what their title is at every account and then tell me everything you know about that account. Nothing to do with their technology.

And I mean, pretty soon we realized that they didn't know really other than what was in the title or the generic industry that they were in, that they knew nothing about those customers. And like, how are we gonna secure 'em? How are we gonna make recommendations? How were we gonna do anything? Like to be, say, we're their IT department when we don't know anything about how they do business. Gary, what's interesting about it? You know, it's not an option.

Like we could get away with it for many men for decades you could kind of get away with it. You just weren't as good or as valuable. We just can't get away with it now. Yeah. Wes, as we go over to you, I just wanted to say how, you know, it just speaks volumes to when Chris Laer goes in to a breach or an incident, sorry, an incident. And, um, there's an MSP and high 90% of the time when he turns to them and says, so where's their critical data? What's their mission critical systems?

What needs to be turned up first? Where is it? They're like, yeah, they, you gotta ask them. Lemme say, let me ask the customer. Like the customer's gonna know. Yeah. Right. Yeah. And, and then that's when I think we need to get Brian Blakely back on the cyber call as a refresh in 2023 as well, just for his, how do you make money talk? Because that's the, I, I don't, I think the problem MSPs have with that, Andrew, is they don't know the questions to ask. Mm-Hmm. They feel intimidated by that.

Like, where do I even start with this? Like, I understand you're a CPA, but I don't understand anything more about your business and I'm not gonna commit the time to learn it. How does, how am I supposed to operate efficiently? How am I supposed to hit my numbers if I'm spending all this time trying to figure out something that's way outside my wheelhouse? Uh, it's gotta be fixed. You know? Gary, I guess a quick question for you. Good idea, Gary.

A quick question for you is like how do you encourage your vCIOs to spend time learning the business? Because it seems like a lot of the metrics we've built for their success might be competitive to actually doing that, right? Yeah. So I'll give you the short answer, but I think this would make a whole great session that we can do before the end of the year, Andrew. Okay. Um, you know, we teach them how, um, that when they're meeting with customers, that's really how they build a relationship.

Because if they don't ask those kind of questions, the, the decision makers don't come back. Wes, they won't come back. They can't get 'em to come to the meeting because they're not interested in it. And we, you know, we teach a process where once you begin to do it, what kind of questions you should ask that after you've done it like 5, 8, 9 times, you start to see this pattern recognition and then it gets really easy. It's just like anything else.

You know, it's, the first couple steps are hard. Once you do them, everything else takes care of itself and it's actually easier and more efficient and more fun. It's the opposite of what you would think. Yep. Those learning hurdles are, are a challenge to begin with for sure. Yeah. Yeah. Alright, mark, uh, questions for you. I got a few that go through my mind.

We talked about cyber insurance at the very beginning of this and disclosure happened to work for a cyber insurance, um, work in the space, right? So it's near and dear to my heart. One of the, one of the things that's really frustrating when it comes to like this whole garbagey underwriting process is right now we know it's point in time, right?

Like give me this questionnaire, I'll fill out the questionnaire, but how much stuff are we missing outside the scope of what the questionnaire can and can't look at? Like we're not doing continuous underwriting, that's the future of the industry, right? But right now the approach is really terrible and how it's doing like vulnerability scans externally and all that.

How can we adopt and incorporate actual measurement like a barn door security assessment in because the carriers, here's the problem we have at the carrier level is they're like, I don't know what that is and I don't know how to incorporate that into my actuary tables, which really don't exist, right? So what are your thoughts on how do we get success? Uh, it's gonna be a multi-year thing, right? But how do we do that? What are your thoughts?

Oh boy, that's a heavy weighted question, my friend, isn't it? I, and I don't know that anyone has the answer, so I'm just curious to glean some wisdom here. Yeah, so a couple, couple of things. So yes, actuarial process, point in time, just like any third party vendor assessment program that you're gonna stand up in the security practice, my one-and-done annual is kind of what the carrier is doing. So sadly that's the state of the art today.

Uh, with respect to kind of vendor due diligence, you know, there are stuff around the edges on the continuous side, you know, I hate to draw an analogy, but folks that are working a little bit better at this and Phyllis can appreciate this, is, you know, the FedRAMP process of continuous monitoring and submission back is actually could be a future process.

You know, if you've ever gone through the FedRAMP certification process, there is a continuous monitoring aspect to it where you need to submit a, a variety of things back to the federal government to improve, you know, to kind of ensure that your ATO or authorization to operate continues on going forward. It's not just me using one of the many vendors, BitSight, SecurityScorecard, whoever that is, to kind of glean over the top and do a, a flash, you know, attack surface review.

So there, that could be there. I think the challenge with that, Wes, is that's a heavy lift for most organizations. Not scalable. You're talking, it is not scalable for folks. It is for folks that have gone into the deep end of the pool, so to speak. But generally speaking, you know, your average person's not gonna be able to do that. So I don't know that I have a good answer. It's a model that works for a certain segment of customer bases today.

But I know folks, I have gone through the, the accreditation process twice through FedRAMP. It is arduous and expensive and painful and it continues to be many years after that. But at the end of the day, I actually probably have a pretty secure environment and I attest to that pretty much every quarter. Yeah. So yeah, it's a model. I don't think it's the model that's gonna scale for this and I don't think, no, I agree. I don't think carriers, carriers are not positioned to do this.

'cause the carrier, I, I've spoken, and you've probably spoken to these folks as well, they don't have a tremendous amount of boots-on-the-ground security expertise in their teams either. So, right. You know, even if I were able to produce this evidence back to the carriers, I don't know that they could consume it to a level in which they could make true actuarial judgment on it. 'cause they just don't have the people to do it. Nah, there's like no magic fairy dust.

Uh, this is going to be what it's, yep. I almost wish we had, you know, we're so good in the world of it, of creating like standards and taxonomies for so many things. And we do it a little bit in security like, you know, threat intelligence for example. We've talked about that a lot. We've built a taxonomy to share this and standardize it. But when it comes to like vulnerability assessing, it comes to like security. Like we have great standards.

So you have CIS, we have Phyllis on the call right now, but how does that map directly in, in a, in an assessment? I don't think we've solved for that and that becomes difficult. 'cause wouldn't it be awesome if we could just hand insurance a standardized, hey, here's the barn door assessment we did. Here's how it maps directly into this control framework. Here's how it's been attested and here's how you can understand and digest this MR or miscarried. That'd be awesome.

That doesn't exist today. But that'd really be awesome because right now, and this gets to my second question mark, is right now what it really exists in the channel is worse. It's just a bunch of like, here's a vulnerability scan, right? I'll pick on a company, you know, here's a, I just, and, and I'm not saying the company's bad, right? But here's a big rapid fire scan, bam, 500 pages right on your desk and everyone does that and it doesn't do anything.

And it, like you said earlier, Mark, doesn't speak to the industry, it doesn't speak to the business owner, it doesn't speak to the decision maker. It's generic and it's relatively, um, lightweight and everybody does it. So we've got this problem right now that that's, we've gotta solve this. And I'll be honest with you, as a CISO, I hate those things. I used to be on the receiving end of those all the time and they went in the bucket. 'cause I didn't find that they were a lot of value to me.

So I would end up just thank you for providing that to me. And unless there was something that really forced me to do any work, it would end up in the trash. 'cause it's a tool we don't like, I don't hire a, a like a professional come into my house and just show me all his tools and then say they are the job's done. Right? You, but we've, he's gotta finish the job. He's gotta do what his tools are there for. And this is I think where the gap exists.

Well, and unless, if I could just say this too, what, you know, and, you know, I think the, we're educating the market, but, and Mark, maybe speak to this, I can give you, you know, a gazillion CVEs that I find on that are, are maybe unpatched, but what's really being exploited in the wild and how do I prioritize that? 'cause otherwise this 500 page document is what, like, to your point, right? It's, it's useless per se.

Well again, if you think about it, it's not just even exploitability, it's also, you know, reachability. So those two things together, which we haven't solved for now start to be interesting. So yes, I have a CVE Yes, it's exploitable in the wild, but if I can't reach it in my environment, it really doesn't matter if the, if they have an exploit and they actually have a, and it's a, you know, 10 on the CVSS score.

So those things all have to come together for you to make a decision about whether you're gonna patch that or not. But unfortunately, Wes, you highlight an issue: you just toss it over the wall. Here's a crit because it's a CVSS 10, go fix it. You know, the clock starts now on your 30 day patch window. Go. When the reality is, as we dig into folks, we usually find a third to two thirds of those don't have reachability, and they're really not exploitable at this point in time.

So yes, it says critical, but the reality of it is, is you probably shouldn't be investing time in that right now. That maybe later, point like that. That's my point, reachability or not, is like a lot of these high level, it may not even be being exploited. So like, you know, people start investing large amounts of time in something that's not even actively exploited. That, that's what I really, and they'll just, they'll just churn, right?

Because they, they, they bought into a vulnerability response policy that says they'll fix every critical in seven days, which no one follows. Very few, well, I won't say no one, but very few people follow. And the reality of it is, is they're patching for patch and sake because they put a policy together and it's not really the applicable piece to the business, but it's part of our job as assessors to come in and say, what's truly, what should you be doing? So are you patching?

So barn door, are you patching yes or no? Do you have a mechanism to actually deploy a patch? Yes. Okay. Past the barn door. Okay. So now when we do a further assessment, are you actually patching what you should patch in a, in a risk reduction method that's relevant for you, your customers and the market that you operate? Because just because you're at 30 days doesn't mean that the market expects 30 days.

Let's face it, if you're doing that Candy Crush app on mobile, I don't know that they're expecting you to patch that every 30 days. They may never update it on their phone in 10 years. So you, that all has to weigh in to what you're going to give back to the customer to actually make this work for them. Cool. Yep. So let's shift in. We got a few minutes left. Um, I wanna shift back to MSPs for a minute.

So, have you guys worked with Mark, have you worked with MSPs at all with the barn door assessments? Can they get involved? How can they get involved? Just give us some outlook on like how MSPs that are listening today can learn more, can get involved, all that. So we do, you know, a lot of our customers deliver through MSPs, MSPs and MSPs, excuse me. Um, because they don't necessarily have large staff.

So we generally engage with their customers, you know, their, their vendors in order to help them with a kind of remediation path for this. So let's, for instance, say for instance we do a full assessment or even the barn door and we say, Hey, you know, you need to do multifactor. We'll work with the MSSP before we put the recommendation together to say, are you, do you guys have the capability to even do this?

And if you don't, I'm gonna tell you that one of your largest customers is gonna get this from a recommendation. We ought to figure out how you get this capability, or they may no longer be your largest customer. Um, because we're gonna tell 'em that and the firm is gonna hear that and they're gonna expect the act action on that. And if you don't have the capability to deliver it, one of two things is gonna happen.

Either you're gonna need to get that capability or you're not gonna be, you're not gonna have that customer anymore. So, you know, prior to us delivering that report, if they do go through that process, we'll work directly with them to make sure that they're adequately prepared for the conversation that's gonna ensue after we deliver that report. Because it does nobody any good if I just hit 'em on the head with a tack hammer and, you know, basically say you didn't know about this.

And it just comes over the top and it gets dumped on them and they're trying to scramble around for it. So with respect to that, yes, as far as assessments for MSPs, we haven't really engaged with an SSP partner, MSP partner, excuse me. Um, because we've basically been servicing most of the firms, you know, we've got five PE VC firms that we deal with, doesn't mean that we're not open to having that conversation with folks. We just haven't had that option up to this point. Okay, got it.

So, so if someone is interested in having that conversation, they can reach out to you and at least chat. Yeah. Just hit us up on, um, what, you can go to the website, whichever way you want. WhatsApp, Telegram, Discord, pick one. Deal. Sounds good. Andrew. A couple things here.

I, first off, I had a couple ideas for future shows, uh, that came out of this, but, um, you know, one thing you mentioned several times today was, um, PE, you know, private equity, and what I'm seeing dealing like with all of our peer members, more and more their customers, um, are in industries that are beginning to be rolled up, right? We're, we're living in the middle of the privatization of business. There's half the companies on NASDAQ than there was six years ago.

Like, think about that for a second. Mm-Hmm. And, um, Andrew, we don't have time today, but a conversation around that. Mm-Hmm. And what, what is good about dealing with a company that's acquired by private equity and that relationship and what's really bad about it?

'cause there's both equally, and I think a lot of people, we see a lot of companies, um, that we work with, MSPs getting impacted because they're not thinking it through, they don't understand it and they've never dealt in that world before. And I'll be honest, there's a tremendous amount of opportunity there, Gary, if you are the right provider, because like with us, what happened with us, and I'll just, I'll go off on the side for, I know we're running outta time, but no, no, you're good.

We got in, they, they liked our delivery and they just expanded our footprint across the portfolio. So if you can be that person, you're gonna open up a whole bunch of business for you all. So, you know, If you, the other side of it is you get a customer, they're PE backed, they're doing acquisitions, they go, you know, they go from a $5,000 a month customer to a $35,000 a month customer, and then they get sold and that one's gone and you lose a $35,000 a month deal. Yep.

There's that side of it Every single quarter. Which again, if you understand it, there's ways you can deal with the PEs and other things you do, but, um, I I I'm just saying Andrew, it's something that comes up, especially with security now they're bringing us in more and we just, um, yeah. We need to make sure everybody's aware of it and has perspective. Yeah. No, I I I love what you just said. You know, we had Keith Bartol on a call, um, not too long ago. Yeah.

And, uh, he runs a great MSP, um, and I love Keith's story because Gary, you told him seven years ago when he was working for Dell and he happened to show up at your schnoz fest, your event. He's like, yeah, I'm thinking of starting an MSP. And you said, you know, Mark, he says, well, burn the, you know, the saying, burn the ships. And, and Keith did, he actually runs an incredible, yeah, but he does over 10 million now. Yeah, yeah.

But, but interestingly, he, he spoke about like losing recently, I forget exactly. Last six months, right? Two, Two big accounts. Yeah. Yeah. Like, and, and he's like, what you need to be focused on is that risk of roll-ups. You could have a great customer and you might not next month or, you know, in the following month. So yeah, we just, you can't Tell 'em not to grow. They're, they're, they're, they are designed to acquire, grow, and then sell. Right.

That's, that's what they're designed to do. And that's one side of it we like. And the other side of it not, not as much. Right. Fair enough. A couple great sessions. This is awesome by the way, mark, we talked about the VCIO conversation today, Andrew. Um, I think another one that would tag onto this would be posturing assessments. Like how do we actually talk to customers and prospects? Like we, we didn't have much time to spend on that today. How, what, why, when, where?

Um, and then I had another session on, on actually how do we implement all these changes we've been talking about all year? Yeah, no, it's great. Well, I'm gonna hit you up for the um, VCIO one, which we'll do next Monday. And then Brian Blakely is back. Wes Oh, good. The following Monday. I love me some Brian. Yeah. So, wow. Mark, thank you for, uh, sharing. Uh, thank you for putting your email in. Uh, I put your website in further up. I put your LinkedIn.

Um, it was awesome having you with us. Thanks for sharing your knowledge, your willingness to be here, and, um, very grateful for your time. So, uh, appreciate You guys having me on. Yeah, it was great. Yeah. On behalf of Wes, Gary and uh, Phyllis, wishing you all a fantastic week. We'll see you next Monday. Take care. Thanks so much, everybody. Care folks. Bye-Bye. Bye.
