Building a Threat Informed Security Program with CIS Controls
In this video, Kurt Dukes and Eric from Protech discuss the critical role of managed service providers (MSPs) in ensuring cybersecurity for small and medium enterprises. They delve into the importance of implementing CIS Critical Security Controls and share success stories and challenges faced by organizations in adopting these frameworks. Eric emphasizes the cultural and operational shifts within Protech as they embraced security best practices, highlighting the benefits of collaboration and community support in strengthening cybersecurity defenses.
<ul>
<li>The Cyber Call episode emphasized the importance of implementing the CIS Critical Security Controls, especially Implementation Group 1, as a foundational cybersecurity measure.</li>
<li>Managed Service Providers (MSPs) are seen as vital to providing IT and cybersecurity services to small and medium enterprises and local government entities, acting as the first and last line of defense.</li>
<li>The Community Defense Model by CIS links threat intelligence and attack patterns to security controls, offering a data-backed approach to prioritizing cybersecurity measures.</li>
</ul>
Video Transcript
Welcome everybody, and we are back, episode 108 here on the cyber call. And we have an awesome show today. All the Hollywood squares are taken. Um, I'll introduce our guests momentarily. If you have peers that you know, peer group members, I would highly encourage you to message them and tell them to join. Uh, today, it's, it's gonna be a great one. A few things. Um, we're gonna be throwing some of course acronym soup around. I put some resources.
Um, I'll, I'll try and copy and paste them again if need be. Although Crowdcast has this thing where you can't send the same thing twice. But if you look up in comments, you'll see CIS Center for Internet Security Resources, as well as the podcast that we do, uh, on the critical security controls. Um, we'll have actually control 13 out here in the next probably week or so. One other announcement, um, we will ink today, Right of Boom, uh, the location. I'll announce it next week.
Um, we're thrilled about what's gonna happen there. Um, alright, getting on into it. I have a poll up. Um, please answer it if you can. It's just a yes or no. It, it's, Yeah, everyone, yeah, I would, I really want to get some accurate results on that. It's a really, yeah. It's not Fundamental. Yeah, absolutely. Okay, so lemme set the stage quickly, get some intros, and we'll get right in into this because, uh, I wanna get as much of this conversation and interaction with you all, uh, as we can.
Uh, welcome nar. I'm right here with you in Tampa. Okay. Alright. So last week, what, what really kind of inspired me to do this episode was Wes, you know, toward midway through, or actually there's probably three quarters through turn to Garrett and is like, Hey, there's this modern day weapon, RMM solution for bad guys. Now, dark utilities, and what's an MSP? You know, what's their best defense? What should they do?
And, you know, not that I was surprised by the comment, but again, it's, it's, it's, Wes, it's always the same fundamentals. Um, you know, he started listing off and you started listing off things that MSPs should be doing as well as obviously their clients. And therefore, um, we haven't had Kurt Dukes on with us yet. And so I really wanted to bring Kurt on as a real treat for everybody, um, and, uh, get on into it.
So, um, I'll put the clip momentarily for the two minute clip between Wes and, uh, Garrett last week momentarily, uh, the YouTube clip for you to listen to. But in light of that, I want to introduce Kurt Dukes. Kurt, um, real wow, real treat for us to have a former director of the NSA, um, now EVP and GM at, uh, at CIS. Please share a little bit about yourself and welcome to the cyber call.
Uh, you might be on, you're on mute, but while you're unmuting, also, if you could share any unclassified information with us, we appreciate it. It's in Margo, isn't it? Gary? Gary, that question's never been asked of me, my friend. Yeah. Um, uh, so first, um, Andrew, uh, thank you for, uh, letting me come, uh, crash the, uh, the cyber call, uh, and be part of the, uh, cyber nation.
I, uh, I really enjoyed my time getting to learn about, uh, you know, what, you know, what managed service providers do on behalf of the nation. Um, and, you know, and then really you guys are that, if you will, first and possibly last line of defense when it comes to providing, uh, cybersecurity for, uh, for the, you know, the, the engine that propels this nation, which is a small and medium enterprises. So, a little bit about me.
I'm, um, you know, I'm, um, I'm a computer scientist by formal education. Um, I did, I I went into computer science back in the, in the early, uh, early eighties, uh, graduated from the University of Florida. You know, go Gators. Go Gators. Um, and thank God we, you know, the, the long desolate summer is over and we're, we're actually getting to fall football, uh, starting on, uh, on Thursday, although, Hey, Curtis. Yes, Sir.
Just wanna let you know, I, I looked you up on LinkedIn when you were at U of F, I was born in Alachua when you were a student there. Just just let you know, my dad went to UF too at the same time that you did. Uh, so we were in the same town together, except I was born there while you were getting your degree. Hey, Wes, uh, pleasure. Always, uh, great to meet a fellow, a Floridian, and yeah, I'm not sure if that was cool, Wes.
Uh, I don't know if that was a compliment or I don't know what it was. I just looked at like, holy crap, I was in the same town as him. I'm drag or something. But hey, you know, I I will say this, you know, it, uh, you know, nothing against, uh, I mean, the Florida schools are great. You know, Florida's a a top five public university, Florida State's a great university as well.
I'll even throw a bone to the, uh, uni, the, the u the University of Miami and up that up and comer, the University of Central Florida. But they're all great, great schools. But, you know, I, I went into a field, you know, called computer science knowing very little about it in, in the early, mid eighties. It really was kind of taking off.
And, um, I had been in the Air Force for five years, and so I wanted to kind of get back, and I knew about this agency called the National Security Agency from my time in the Air Force. And, um, you know, really, um, it just seemed like a great logical fit for me. And so interviewed with them and signed on as a, a lowly, uh, computer programmer. But really it was in this new and emerging field, um, called, um, you know, called, uh, computer security.
I was actually, uh, I'm a plank holder for the DOD, uh, computer security center that, that came, the National Cybersecurity Center from that. But I spent a little over three decades there. Never had a bad day there. Had plenty of long days. Um, and I'm proud of my, my federal government service. I'm, um, I'm a product of the government, both my undergraduate and graduate degrees or, or paid, um, you know, the government paid for my degrees.
But, uh, it got to a point, uh, within the National Security Agency, we have two, there's two missions there. You know, one signals intelligence. The other at the time was called Information Security, now Information Assurance, and now cybersecurity. Um, and I had the privilege of actually leading that one directorate, um, in my, in my last job at the agency. And so it got time, uh, to retire. I could only go maybe one more level up. And unfortunately, that level is the deputy director.
Um, and they never give it to the defense guys. They always give it to offense. So, you know, a ser will always win that position. So I, um, I chose to, uh, to retire. And at the time, there was a small non scruffy nonprofit called the Center for Internet Security. It was really doing what I thought, amazing work when in the field of, um, of Secur, um, uh, computer security. And so, um, it, uh, and, and cybersecurity. And so I, I joined with them.
It's been, gosh, uh, over five and a half years now with them. Um, and I tell you, I am, I'm not looking back. Um, I still have plenty of runway ahead of me, uh, to actually preach best practices. Um, and, you know, I wanna, I wanna give back to the community. And for Wes, I'm gonna, I'm gonna give you one tidbit. I'm sorry for, uh, Gary, I'm gonna give you one tidbit. Um, I did check, and at Wright Patterson Air Force Base, I could not find any, si any signs of alien be, uh, beings there.
So, uh, you know, con uh, con, um, you know, uh, yeah, in retrospect people talk. Yeah, people talk about, uh, you know, the grays and, and all that, but I just couldn't find any signs of them there at, uh, at, at Wright Patterson. And as for, for folks that maybe not get the connection, um, there was the event in Roswell, New Mexico, and supposedly the grays were transported to, to Wright Patterson Air Force Base, but I could, I could not find any signs. Now, Kurt.
Kurt, thank you so much for, for sharing. That was a great kind of lo love, love your background and the story. It was, it was awesome. Just one quick question for you. Did you have any employees that were really challenging to, that you, you know, reported to you during your tenure at the NSA? I did. Uh, I gotta tell you, um, you know, NSA, uh, has a, has a great, um, great employment record.
Um, uh, they, they hire some really in incredibly intelligent and bright, um, brilliant, uh, individuals. Um, and actually one of 'em, one of 'em is on this call, um, but I'll also say that Phyllis was, was problematic as a child at, at NSA. And so, so much so that I took one for the team and, and brought her over to CIS from NSA to save them from her. Everyone on the cyber call is a little problematic.
Hey, before I get into question special, can you, uh, Andrew, just make a quick intro of Eric? Yeah, no, no, I'm gonna, that's Eric's next. Yeah. Yeah. Eric, awesome to see you. Um, you know, the other part of this is we wanted to have the voice of the MSP. Um, you are walking your walk when it comes to building security programs, specifically around CIS and, uh, most recently, uh, got a SANS certificate, uh, and passed an exam. Pretty challenging one around the critical security control.
So you've been on before. It's awesome to have you back again. Tell us a little bit about yourself and I'll let Gary get on into it. Alright, well, Eric from ProTech, uh, own an MSP outta Salt Lake City, Utah, uh, about 3.3 in revenue, million in revenue. Uh, 17 people, very security focused, uh, as some you may recognize from, uh, previous cyber calls. We did have a cybersecurity incident in, uh, 2019 that we recovered from.
Uh, we were security conscious then, and now we're really security conscious. And so we've dug deep into the CIS controls. I'm happy to be here. Awesome. Thank you. Gar, you want me to do any other announcements? 'cause I know you love 'em. No, that, that's all. So, uh, Kurt, uh, you know, I want to ask you a couple questions, you and Eric, and then we'll pass it on to someone who's got a lot less experience than you and I to ask questions after this. How does that sound? Sounds great. Awesome.
So, um, one, before I ask you the question, uh, just real quick, I look at that poll, it's almost 50 50 and the poll was our MSP has implemented CIS controls IG one or equivalent. Um, I don't know, I guess we can look at that glass half full or empty glass half full. We've worked hard here to make, you know, have a increase awareness around CIS and so that's really great progress compared to a year ago. Or we can look at it and say, wow, we, we got a lot of work to do.
'cause that's just on the MSP before we get to our clients, right? Yeah, no, I, but I, I'm a glass half full kind of guy. Um, and I gotta tell you, it's just been, uh, been phenomenal. The relationship with, um, with you and others, uh, that make up MSPs and, uh, and certainly the cyber nation for that. I mean, 50%, that's pretty darn good. I mean, um, you know, from my lens, what we're trying to offer the community really is a set of prioritized actions that we want you to take.
We, we took the hard step, uh, a couple years ago to actually move to implementation groups. Um, and really for that, we wanted you, you know, to, to be very specific on where you should start your cybersecurity journal and that, uh, journey that's with, uh, implementation group one, what we call essential cyber hygiene.
Um, and I'm glad to hear that, um, that the MSPs have picked up, you know, the baton and actually are now implementing that, you know, within, um, within the organization and, uh, and the, um, the services they're providing for their, uh, you know, for their, uh, constituents. Yep. So most of our audience, uh, now has heard of and is aware of CIS, um, but can you tell us about, um, community defense model and why it's important to supporting the controls? Yeah, so absolutely.
You know, I mean, you know, the, the foundational piece for the, um, the critical security controls, it, it really is a, a prioritized set of, uh, actions or, or safeguards that, you know, we want you to take that would mitigate mid mitigate the, the most common cyber attacks against systems and networks.
You know, that, that community of, of volunteer experts, so it's not just CIS publishing this, there is a, there is a, a fully fledged, uh, community out there that, uh, that are providing their expertise on, on, on what we now, you know, form the basis for, for the critical security controls. Um, what we tried to achieve with the, um, the community defense model, uh, it's our way to bring more rigor, analytics, and transparency to the security recommendations found in the controls.
I mean, too many frameworks, you know, they're, you know, they're, they're filled with things that, um, they want you to do, but they haven't backed it up with any, any sort of data for why those, those controls and underlying safeguards matter. And so that's what we're trying to do with the, uh, the community defense model.
You know, what we've done is we've leveraged the, the open availability of, uh, of comprehensive, uh, threat intelligence summaries, uh, of attacks, um, and the, and, and also security incidents that we, that we read about, you know, seems like on a daily or weekly basis. Um, and then we, we formed that with the industry endorsed, uh, ecosystem that's kind, that's developing around the, the MITRE ATT&CK, uh, model.
You know, for version one of the community defense model, you know, we, we relied primarily on the Verizon Data Breach Investigations Report, uh, as well as, um, some of the, um, the anonymized data that we get through the MS-ISAC, the Multi-State Information Sharing and Analysis Center. Um, and then from that we derived, you know, five attack patterns, um, and then, and then gauged how well the, um, the controls and underlying safeguards, uh, were implemented against that.
For version two, we upped our game. We actually expanded that list of, uh, threat summaries to 35. Um, what we found was is that, um, you know, not none of those threat summaries list, you know, the same top five you got, it's somewhat subjective and you gotta kinda, you know, match things up. So there was a fair amount of work, but we, we felt it important that we actually look at, um, additional threat summaries for that.
Um, and, you know, and again, the linkage to MITRE ATT&CK, um, that really, um, what they've done is they've, um, they give a comprehensive list of, of the tactics used by adversaries, you know, roughly the steps in a, in an attack, as well as the many techniques that an attacker could use in each of those steps.
And so by, by looking at threat summaries, um, tying it to MITRE ATT&CK, you know, it gave us, um, what were the top five attack patterns, uh, that adversaries are using against every, um, industry segment, uh, for that. And so then we, we said, okay, well just how you know, effective are the controls and the underlying safeguards, um, and, and actually mitigating one or more of those techniques and or tactics, uh, used by an adversary.
And lo and behold, you know, uh, implementation group one is really highly effective against the top five attack patterns. And for most organizations, that's probably what an adversary is going to use against you. Um, you know, yes, there's nation states out there, they're more disciplined, um, but where possible they're gonna use run of the mill, um, attacks.
Um, and, and, and basically, you know, um, you know, try to, um, you know, out, uh, out outrun you when it comes to your defensive measures in that, in that regard. And so the community defense model really is that is the basis. It's the data that supports our individual safeguard recommendations and the underlying, um, uh, underlying controls for that. And like I said, it's publicly available on our website.
Uh, we give, uh, statistics on the effectiveness against, uh, the, the top five attack patterns. Um, and, you know, and again, that, um, for both implementation group one, which is where you should start all the way up through all implementation groups two and implementation group three, And I and Gary, I did put the URL in there for anybody. If you just scroll up a bit. And again, um, Gary mentioned in the beginning here, the poll, gosh, there's hundreds of you guys on.
Is there any chance you could just hit a yes or no? Um, it's, you know, again, Gary, nice improvement so far from last year and the year before. Yeah. Um, but, uh, I'd love it if people could actually just hit a yes or no. Um, yeah. All right, Gary, continue. You know, one point I wanted to make on this is that this point that you're making, that, um, you've gone through the trouble of taking all this data and tying it back, right, uh, to the controls is really important.
'cause I feel like a a any of the people that answered no to that question, if you're spending time doing 50 other things around security, uh, buying more software, like don't, like first do the things that impact. And I've heard stuff from different vendors that have been, like, people have come on here are knowledgeable, like in the 85 plus percent range, right? Just based on, uh, on, on, on this critical hygiene. And so, um, I think that's one message. You know, Kurt, we wanna get it.
The people, like, we gotta get MSPs all, well, anyone, like, we're happen to be MSPs, but IT departments are no different. We, we gotta be putting first things first. I mean, we've been beating that drum now for how many, 130, what shows 108. But Gary, can I just say, you know, Chris Laer just to, and then we go back. Chris Laer is out there. Chris, what percentage of attacks that you're handling are could have been stopped with essential Hi, cyber hygiene. So go ahead, Gar.
'cause we're, you're gonna hear, he's gonna say 90%. Yeah, I'll go with 91. Okay. So while he's jumping on that, Kurt, um, I was listening to a, a podcast you did with Andrew. I made a note of it that, um, you were asked, uh, what to do, uh, what you expect from the organization to do with the CDM. And you gave an analogy of the CDC recommendations around things like covid. Can you just share with everybody that analogy? Yeah, sure.
Uh, you know, well, so as everyone knows, the Centers for Disease Control and Prevention, even though they go with CDC, they actually have, um, prevention in there in their title as well. It really speaks to, you know, just basic, uh, hygiene that every human on the planet should be adopting to prevent preventable, um, illnesses.
You know, as, as we've kind of evolved the, um, the critical security controls, we've kind of adopted that the lingua, lingua fr-, uh, franca, um, that a major component of cybersecurity is really about just basic, uh, basic cyber hygiene. And so, um, the control specifically implementation group one again, and we, we factored the, the, um, what was at the time, 174 safeguards to, uh, implementation groups. Um, you know, and so implementation group one is our answer to basic cyber hygiene.
We call it, um, uh, essential cyber hygiene. Uh, and the reason I, we changed the title is, is even though I really prefer the, the title basic, um, you know, for some folks, you know, it just didn't seem important enough. And so if we said essential, uh, it may be put a little more, you know, gravity to the situation, uh, for that.
So, so, you know, the bottom line is, is every person or, or organization, uh, in this case, you know, they should be implementing the, the safeguards contained in IG one as that standard of reasonableness. And now let me, let me probe on that. What that term standard of reasonableness real quick.
Um, there's been, um, a number of, um, state governments, um, through either leg, uh, legislation or executive order, you know, they've been incentivizing, um, you know, um, you know, cybersecurity programs, right?
And so, um, you know, the states of, uh, Ohio and Utah and Connecticut, you know, the, there's been executive orders in California and uh, in, um, North Dakota, um, where they, where they actually say, Hey, you know, if you, um, if you business in my state, you know, implement a cybersecurity program based on, you know, one of several frameworks, um, and again, you only need to pick one of those.
Uh, and of course, the CIS Critical Security Controls is one of those frameworks that they've referenced. Um, then should you suffer a breach, um, then, you know, we're going to, um, indemnify you against, um, you know, uh, a lawsuit for that. Now, Connecticut's slightly different, uh, they're not gonna fully indemnify, they're going to limit liability for that.
And so they really are pushing, pushing that envelope, um, that, you know, that to get behind a cybersecurity framework, implement it, um, and then, and then let's all raise the bar when it comes to protecting ourselves against, you know, cybersecurity, um, cybersecurity attacks. And so that was kind of the basis, um, you know, for that, you know, so CDC's been very important about, you know, providing, you know, basic hygiene advice. Yeah.
Um, so, you know, we, uh, at the CIS we wanna do similarly for, uh, for, uh, cybersecurity. Yeah. And if you think about it, uh, and you think about like what government is good at or not good at, probably is a bigger list.
But, um, you know, it it, it being able to leverage things that are already out there and be, you know, without a lot of, without too much red tape, you, you mentioned all those states where they can put incentives in place quickly and leverage, uh, you know, frameworks that are already there. Like, that seemed to be the shortest distance. So I think, you know, hopefully we're going to see more of that. Maybe we'll see it at a federal level at some point. So that's really good. Thanks.
That, that was awesome, Eric. Yes, my man. It is great to see you as always, Gary. So first question I had for you, you're, you're deep into to CIS. Why did you fo, you know, start and focus there? Because there's other frameworks you could choose from that are effective. So what, what made you decide that? You know, in, in full transparency, we started with the NIST, uh, CSF, um, great framework.
I, we really don't have anything negative to say about it, but it was a lot harder to follow, um, and to turn into kind of a product offering for us. Like less prescriptive. Yes, very much, very vague actually. And so for us, um, you know, not to sound like a commercial for CIS, but the things that brought us to CIS are, you know, the, the controls are born out of blood, right? Attacks are what determine what the controls are. That was really appealing to us.
Um, another thing is it's updated more frequently. Um, the NIST CSF is what 2018 was the last time it was touched. And so, you know, the CIS, I believe it's like an every two year cadence or something to that effect. Um, you hit the nail on the head with prioritizing, um, both in the numbers and also in the implementation groups, because, you know, it, it's put it in bite-sized chunks. It's really hard to have this dropped on you. Here's 108 things, go do 'em. Just go do 'em all.
We're not gonna tell you which one's more important. We're not gonna help, you know, kind of guide that in any way. Um, the other thing is it's sized for small business better, from my opinion, than some of the other certifications. So that was the, the main drivers for us to, uh, actually pivot from using the, the CSF to, uh, the CIS controls. Awesome. So, uh, I, I'm reading Mark's question and comment. He was, and it kind of leads into my question.
Uh, he's saying it's kind of get, it's, it's hard to get customers sometimes to buy into this. Mark, I'm gonna say it's hard to get customers and prospects to do it until you can. And then once you can, I, I don't think it's hard 'cause I see people on both sides. And that kind of leads to my next question for you, Eric, which is all this knowledge that you have and, and how you used the framework. How do you use that in a prospect situation to create what I call separation in, in Sure.
In that process. And then I guess the same thing would apply to working with customers when they have to invest more, You know, to still, some things I've learned from you, Gary, is our prospects are not qualified to cha to select an IT provider, and they're not qualified to select what security they should have. They're, and frankly, I'm not, Can everyone write that down please? Um, I'm not, frankly, I'm not qualified to tell them what to do for security. Yeah.
I might have some initials and some things, but am I really qualified to do that? So the first thing I bring up is, hey, we're gonna follow a framework. Um, I'm, I'm posting something in the chat right here, and it's a slide that I usually bring up and I say, Hey look, here's 600 security vendors, and this is clear back from 18. I'm sure it's three or four or five times this many now. And I go, do you wanna try to wade through this together and try to figure out which ones we need?
Or should we follow a framework where we get hundreds of, uh, security professionals that help us guide down the path, what we should be doing? Okay. So that's where I kind of start the, the talk process. Now, you know, this is a new thing for us to go out to market with, right? We've been doing it for a while with current clients, but going out there, I mean, it just right from the gate, we, this is what we're doing and we're not gonna wade through this sea of products.
We're going to take you down this, this road to get you to IG one. And this is the reason why, right? And so that's how we create that separation. And you know, then, you know, it's gonna cost more to do this, but you're not just relying on what I think or what product I get the best margin from, or whatever is cool out there right now.
Um, I get to take this lens of the CIS controls and put it on way through the sea of products and say, is this gonna help them get to IG one or is this gonna help them get to IG two? Great. It's in the, it's in the list to be evaluated. If it's not, guess what? That, it takes so much of the ease of walking through a vendor floor and trying to, you know, which product should I look at? Yeah. All find it safe. All that guess work's kind of gone by because we're following the framework. Yeah.
And now to be able to have some statistics around, you know, these attacks and how closely, you know, they map to that is, again, we're trying to paint a picture with customers and prospects so that they see the landscape the same way that we do. 'cause if they did, they wouldn't care whether they spend 3000 or 5,000 a month with you. They literally, literally wouldn't, you know, wouldn't, wouldn't care. And so that, that's really critical.
I want to add one other thing, and maybe you can talk about this as something that, you know, I I, I'm big on, I think one piece you just said, which is, hey, here's what the landscape is. Here's why we look through this lens and how powerful it is. And some of its products, a lot of it is, is governance.
And if you can then turn that back and say, let me tell you how we've built roles around this and you've built a couple, one, a couple roles around it, to me that's the link so that they can't say that other people can do it if they don't have those same roles around that. Maybe just touch on that for a minute. Yeah.
So I, I, the, one of the other things I say is, as you meet with my competitors, they're gonna come in, they're gonna throw EDR at the wall and they're gonna throw a little SIEM and then mix it in with a little, uh, vuln scan and they're gonna say, Hey, I'm secure. Just because I said you're secure. Right? And so we talk about when we bring in a product, it's one third product, two thirds process, right? And then we have defined roles that, that make that process, right?
And, and what we do when we do get this alert, cool, we could put a hundred tools out there. We get all these alerts. If we're not working 'em, why bother putting the tool in? We're actually in worse shape have putting the tool in and not dealing with alerts and having a process afterwards. Right? And so, yeah, it, it's a, you know, we call it the six service delivery areas. 'cause we have a a distinct security role as well. Yeah.
But we talk about how all you know, really we have a, a tagline it or it takes a village, meaning it takes all these different things to secure your network and to give you the proper IT support that you need. Yeah. So the message here is you don't want to compete with Eric because I asked Andrew to kick off everyone that's in Utah get kicked off the call. Just Kidding.
Yeah, no, because, and here's the reason is because this is what frustrates MSPs who say they're having problems raising their price, they're losing the people that have, because they've learned, like, Eric, if you hear this, how to weaponize your competitors' low price. And that's what we need to do. You, you need to make the difference between what they spend now and what they're gonna invest to get really the results they need to be the reason that they would buy from you.
And that same logic applies from a vCIO standpoint with your current customer. So really excellent. Excellent. And you were nice enough to share what you were working on with adding your block with me and we got to review it together and, uh, I'm excited for you. One, one other thing, Gary, is we, I break out the IT support portion from the security portion so they can actually see what they're spending on security. Yeah.
Because I don't want it to be compared to the person that's a hundred dollars user. Okay? We're a hundred dollars a user on the IT support, but you need a hundred dollars a month on security, right? And so that's one other thing we've done is to kind of break that apart. Awesome. Great. Just really great job. So, uh, go ahead. Um, Andrew, I, Young whippersnapper, Wes. Yeah.
As I handed over to Wes, you know, um, one of the things that we're really focused on for Right of Boom two is a lot of what we're talking about, which is, you know, looking at, you know, attack patterns, right? Which community defense model does the efficacy of controls against those attack patterns?
And then what kind of business case and business risk and impact do those have so that you can take that kind of lens that you're talking about, Eric, and say, look, what would it do to your business? Because that's ultimately what they're gonna understand, right? Reputation in terms of, uh, you know, their revenue, et cetera. And we could go on there, but Gary, does that make sense to you? Like pulling it and tying that all together?
'cause that's ultimately what the business owner's gonna understand. Yeah. Because what you're describing, Andrew, is how you get to have our customers and prospects who don't know the security landscape, they're not on the cyber call, uh, you know, every week and, and, and not living this every day to see and understand how that applies to their business. Yeah. And that's a great, and that's a great way to do it. So yeah. Awesome. Awesome. Wes. Yeah.
Kurt got a just a visibility or a comparison question. I'm curious about, um, when you look at, so you guys have, we, we have good visibility into MSPs, right? And we understand even though the cyber call is not really a great, um, uh, what is it like synopsis of the entire industry? You got people here that are carving out a Monday to, to spend time and really grow their business, right?
And it comes to security, but many MSPs are not, and, um, they're not nearly into this CIS journey at all, right? Or any control framework journey, right? But I'm curious, like comparison wise, do you see MSPs as sort of like the state, local tribal that you guys serve inside of MS-ISAC? Are they in similar positions? Are they further ahead, further behind in some ways? I'm curious what you see on your side of the fence. Yeah, no. Hey, Wes, um, great qu great question.
So I, you know, I think there's, um, sim there's a lot of similarities between MSPs and, uh, and the, um, the SLTT community. Now, let me expand on that a little bit. Uh, and so when I think of, um, you know, when I look at it from a resource perspective, so, you know, if you think about, uh, the SLTTs, and I'm gonna add the federal government, and for just for a moment, think about resources as, as a triangle. And so that bottom third to a half is the, is the federal spend, right?
What they're, what they're providing, you know, for, um, federal institutions. That middle third is just states what the state, um, uh, spending is. And then that, that small, you know, what's remaining is for localities, tribal areas and territories. And so it, it's, it really is, um, it's, um, a study in the haves versus the have nots. So most, uh, localities and tribal areas and territories simply don't have the resources to, um, to invest in, um, um, a functioning cybersecurity program.
Um, you know, and so, um, you know, they, their, their trade, their trade off is, is, you know, providing, you know, services for their, for their local, uh, constituents. And so I think, you know, I think there's similarities with that from an MSP perspective.
What I mean by that is, is that, and I think, uh, you know, um, Eric, um, you know, brought it up, which is really around, you know, you know, the, you know, what is the lowest price point I can get IT services I know, by the way, you know, should or I shouldn't add, uh, um, security services as part of it. And of course the answer is you have to today because, you know, adversaries are equal employer, um, equal employer attackers, uh, in that regard.
And so, from my lens, a lot of similarities between, between the two. Um, I think, uh, within the SLTT community, at the, at the, uh, local level, uh, the tribal area and the territories, they are struggling mightily for that.
Um, and I think a win-win is, is for those MSPs, um, you know, which are already providing a lot of those IT services, um, to, you know, for us to work more closely with you and how, and how we can build up a baseline set of security services that are offered within the, within the SLTT community. Um, and again, we measure ourselves against that. Um, we look at how the adversary is attacking us, and then we, we adapt and, and change as necessary. I, I like it.
Phyllis, I'm gonna, uh, offshoot a question to you. It feels like CIS sees all of that, right? Of that, what's the right word? A symbiotic symbiosis between MSPs and state, local, local tribal territories. And is that even why CIS has, what is it, uh, control 15 now that even talks in specifics about managed service providers? Do you see this all kind of culminating together in some form or fashion? Yes, absolutely. So I think that's a great observation.
So, um, as you pointed out, Oh, I hit mute somehow. You muted. There we go. Oh, oh, it's muted again. Darn. I dunno what's going on. Okay, there, I won't touch my, I won't touch my pad again. Okay. So my touch pad again. So, um, no, you're absolutely right.
Just like you pointed out prior, and Kurt, um, you know, elucidated on is that, you know, we have the MS-ISAC, so we have that data around how SLTTs, especially those LTTs, um, are unable to implement any kind of cybersecurity program or framework. And oftentimes we do push them to MSPs, um, because our expectation is MSPs have more knowledge than those LTTs. And in fact, at this last MS-ISAC annual meeting, there was an emphasis on, Hey, are you using MSPs? How are you using them?
Um, et cetera. And so there is that close tie, like Kurt said, we believe the MSPs are that last mile, um, you know, for providing not just IT, um, services, but also security or cybersecurity, um, services to, you know, the backbone of this country. Small medium enterprises who include, um, those small local and tribal territorial governance. Okay. I I, I love that. I think that's exciting.
Um, and I have to think that, you know, Andrea, what you've done in the cyber call and uniting so many people together has had a part in that. And I just think that's exciting. Um, that's the direction we all need to go is probably the best way to say it. Kurt, question back for you. Tell us about a success story. I think we all can use them. I mean, obviously Eric is a success story to be quite honest. I mean, I love, I said this on LinkedIn.
I love listening to Eric's journey and how they've grown. And I mean, you guys truly are a leader, but, um, Kurt, I'd love to hear another success story on your part of an organization that maybe struggled and came through it and where they're at now, just so we can all take some encouragement. Yeah, no. Hey, great. Great question. Wes, uh, Wes and Eric as well.
I mean, Eric is the success story here, uh, you know, on this program, but I'll give you one, I'll give you one, which is in, in the great state of, uh, New Hampshire, uh, and as many of you know, um, New Hampshire, they, they try to, you know, um, limit, you know, government costs, you know, within, within their state. And so, so there was a local, um, uh, academic or a local, um, education jurisdiction, uh, I forget the name of the county.
And, uh, in New Hampshire, which, uh, they actually, um, only one person was for that entire, uh, school district. Um, basically says, Hey, I'm going to, I'm going to A, adopt the controls and b I'm gonna start with implementation group one, and I'm gonna do this through my, my entire school district.
Um, and so that one person, um, you know, reached out to us, you know, had had several conversations with the person and he did it, uh, he just rolled up his sleeves and actually says, what, you know, what does control one mean? And, and, uh, and safeguard 1.1 and 1.2 mean, and he just walked through the, um, what are now the 56, um, um, you know, safeguards that make up implementation group one.
It was so important, um, and such a in, in incredible story that, you know, with our, with our partnership with the SANS Institution, um, they have what they call Difference Maker awards. And they do this once, uh, once a year. They, you know, for different categories, they'll list, you know, folks that really are making a difference when it comes to cybersecurity.
Um, and so that individual actually won the award from SANS, uh, for implementing implementation group one within a school district in the state of, uh, of New Hampshire. And I gotta tell you, I mean, that's something that we can all model, uh, how, uh, how he went about actually implementing it. Um, and so other school dis um, districts can, can do that as well. I'll give you one that's currently playing.
I'll give you another one that's currently playing out, uh, the great state of California. Um, you know, again, what what drove them to, uh, to CIS and the critical security controls was, uh, privacy requirements, right? So we got CCPA, um, and, you know, and so they, they realized that, oh my God, I have to, you know, I have to be measured against, uh, you know, uh, legislation enacted in the, in the state of California from a privacy perspective.
And so they said, wow, the, the CIS critical security controls do that for me. And so, hey, we're gonna do the exact same thing. We're going, we're gonna assess every academic, uh, every K through 12 organization in the state of California against, uh, implementation group one. They've taken it a step further. They're actually using, uh, the California State National Guard to actually do this assessment.
Uh, they're gonna use, uh, our tool, the control self-assessment tool as kind of the, um, the tool that they use to, you know, to measure every, every one of those, um, academic institutions that, that make up the K through 12 within the, within the state of California. Um, and then from that, you know, they'll have a baseline, uh, to, um, to make, um, changes as necessary to secure up, uh, organizations that may be behind, if you will, the, the state baseline for that.
But I think those are wonderful examples of what's, what's occurring, where people wrap, roll up their sleeves and actually just say, I'm gonna do this. Um, and if I need help, I'm gonna, I'm gonna engage my MSP or I'm gonna engage, uh, the friendly folks at CIS and, uh, and, uh, you know, we're gonna, we're gonna, we're actually gonna measure ourselves against implementation group one. I, I love it. Those stories are encouraging and they're great to hear.
I, I posted a link to the SANS success stories there, and, um, Hey, Wes, can I just tease one thing after that that I heard? Yeah. The key to that story is somebody became accountable. And I think too many times in an MSP, it's a team project and it's a concept, and there isn't someone, and in business and in life for that matter, until there's someone who's accountable for something and and metric on it, it usually doesn't happen.
And you're not able to go figure out how to get the resources and that leads with your customers the met, how you gotta increase price 'cause, you know, but some, it has to start somewhere. And I think I would take that little seed away from it. And if you were in that 50% that, that hasn't gotten there with CIS ask yourself that question, who's accountable? And if it's everyone, that means no one, You could write a book on that, Gary.
Uh, I went from a small security startup to a different company, and I saw this over and over and over at that other company of like, no one wanted to be accountable, and they all just wanted to sort of like group think everything together and, and group assess and let's, let's set a meeting up for all these people to discuss. And no one takes the lead and no one takes the accountability. And of course, nothing happens. It's, yeah, well said. Well said Eric. Yes.
So I see the CISSP cert behind you, that's awesome. Uh, but those that don't follow you on LinkedIn don't know about you. And you mentioned this at the beginning of Cyber Call, of the, the new cert that you got, and I'm gonna post a link to it here in chat so people can see. But can you kind of tell us a little bit about it? Um, was it easy, hard, and what did it mean for you, and what did it mean for ProTech? Sure.
So, you know, like any cert, uh, there's the people that fake their way through it, and there's the people that wanna learn. Um, this was a learning quest, um, to learn a deeper understanding of the controls. Uh, so as far as the difficulty level, it was easier than the CISSP, um, but it was not an easy, it wasn't a walk in the park, right? So, um, you know, a step above below CISSP, it was one of the more practical certifications I've done.
In other words, I could come back to work the next week and actually put things in place. So that part was really cool. Um, not to cast the negative light or anything, but this was my second SANS course, and they do an amazing job and some amazing organization, but probably 20% of the dialogue was like, this is how we would do different, or this is why this test is stupid, or this is why this is that. So I had to kind of tune that out a little bit.
Um, but as far as the, the takeaway it would, I had a much deeper, uh, understanding of the controls, and we learned a lot about the history, how they got to there, as well as how to audit in general. So there was other kind of tangible takeaways besides just learning the controls. I guess I'm curious to know, this is my final question I wanna make sure Phyllis gets, um, a lot of time too, is talk to me about like culture changes for you guys at ProTech.
Whether, you know, whether it was before the security incident you guys had, or now, or even the progression of saying, darn it, we're gonna go through CIS and we're gonna pull ourselves through a bootstraps from IG one, even into IG two in, in a lot of ways.
Like how, just tell me more about the culture changes that you guys saw at ProTech, whether it's internal, it's external lessons learned, ways that MSPs can, can pull out some wisdom from those culture changes for you guys, and Is there a tipping point? Yeah, Yeah. So I can tell you we have never had more alignment in the history of ProTech. We've been around 11 years than doing this together. So we brought in all the managers, so I can go a hundred ways. I've done things wrong.
Let me tell you one thing I've done somewhat right here. All right. So we brought in all the managers and we assign them different, uh, controls based on which one would fit their, uh, their role, the closest, right? Or what would benefit their role. And then they had to write a policy, a proce, uh, a, a process and a procedure.
And we have, and then we would get the group, get the group together every week, and we would look at it and we would blow holes in each other's processes and, and, uh, policies to make sure that we're all on the same page. And as a whole, the thing that's probably one of the best parts about CIS is there's a why behind it, right? When you're just having things put on you like, Hey, you just need to go comply to this insurance, uh, form, or here's NIST, just go do it.
There's not that why with the CIS we're like, okay, these actually block attacks, we don't wanna live through that again. Um, we have really rallied together.
So I'd say that's one of the better things that have come from this is we are very aligned and we can talk in detail about what do we need to do for IG one, or, oh, we can't do this, we don't wanna bring this onto our corporate LAN because then we have to put it in IG one, let's keep this on the IoT network and we don't have to do anything with it, right? So we have this common, uh, framework to, or yeah, framework, nice pun there, uh, this common language to kind of talk about things.
And it's been awesome for the culture. Um, I've actually had other MSPs like, reach out, say, Hey, how can you help us to do this? And I, you know, just to kind of put it out there, I'm in this over a thousand hours this year, and then my team is probably in a, just about the same. So this has been no small undertaking. Um, it's been a very worthwhile undertaking, but, uh, yeah, it's a, it's a big project, but it has paid some, some big rewards. And I've seen you through the process.
Get I I've seen times when you were frustrated. Yeah. I mean, so, you know, just in our tools and SP tools were not tools very well to meet these controls. So it was meeting the vendor saying, I need you to alert when something comes on the network. I need you to do this. And so there was a lot of push back and forth and searching out different products to able to, to meet the requirements because it was very much, you know, our tools were not adequate.
I'm, I'm seeing that, you know, for you as a pioneer and others like Jason Slagel and others, that sometimes you're going up to enterprise and you're pulling them down, down market by saying, I need these features rolled up. 'cause you're the one that does it. Sometimes it's coming down market and sort of pulling them up of like, this is a great channel vendor, but I gotta have these things. Right? And I love that.
And just wanna say on behalf of MSPs that may not ever know you're one of those, thank you for going through that mission and really paving that way. Um, because I'm seeing that all the time. I'm talking to vendors left and right that are having those same kinds of conversations. How do we get into the channel and how do we make this work? And is there actual interest for what we're doing? I'm like, yes, there is. We're getting there very, very quickly. So I love it, Phyllis.
Yeah, thanks and thanks Eric for that. I mean, so often, um, you know, you often hear people talk about the culture of security and how you really have to have that within your organization. We kind of cartoon that and say, you know, um, security is a, is a team sport, but it's true. And, and, um, we often hear that as well, how do I convince these other people?
And, you know, um, and, um, I really like what you've done trying to make it more of a, a teamwork type effort to get people to care, because you can try to scare the pants off people and it never works. Like I, I never believed that a scare tactic works. I tried that for 20, 20 some years at the National Security Agency. There were some pretty scary things, and no one seems to care because everyone's so busy trying to get their job done. So, um, I can really appreciate what you've done.
Yes, yes ma'am. So Curtis, um, nice to see you here today. Um, so, um, as you know, there are, you know, one of the things that we pride ourselves at CIS is having a lot of free offerings and resources to all organizations, including MSPs, as well as we have some, um, new things from memberships. Um, can you tell us about how you would recommend, um, someone begin, especially in MSP, um, their journey in implementing, uh, CIS critical service? Yeah, sure.
Hey, great, great seeing you as well, Phyllis. Um, the, um, you know, we only see each other maybe, I don't know, uh, a dozen times a week or so, but, uh, always good seeing you and in this new yeah, remote work environment. Um, yeah, I mean, there's, there's a ton of best practice guidance out there available to MSPs and, and, and users. Uh, I would argue that, you know, selfishly that what CIS produces is probably, you know, in that top 1%.
Um, and, and, and that specifically is really around our best practice guidance around, um, you know, um, the critical security controls and why we believe so strongly in them, but also, um, you know, our CIS benchmarks and for, for folks in the audience, um, a CIS benchmark is really a set of configuration recommendations for individual vendor products, uh, for that.
And so, um, if I, where I would start, you know, I would always start with, you know, first you need to identify with a, with a security framework. Again, for us, it's the critical security controls. Um, and then, you know, you really should do, um, an assessment, um, of your organization against that framework. And what's that's gonna tell you is, is just how well you meet up against again, um, attack, um, patterns and techniques that, uh, that adversaries are using.
Um, and maybe identify where you've got gaps in your, in your cybersecurity program. I think earlier in the call we talked about, you know, you know, running out and buying more security tools, but not actually having a plan. You know, and again, I think by doing that initial assessment, you at least now have a plan where you've got, you've identified gaps, uh, in your program, uh, in that regard.
So for us, you know, do that assessment, um, as I said earlier, we, um, we offer both a, um, a free, a free hosted, uh, control self self-assessment tool, um, as well as a, an on-prem version. Uh, if you want, uh, if you wanna, if you don't trust CIS with, with your data for that, I will say that there's, uh, on the order of 23,000 global organizations that actually are using the free tool.
Um, so that tells me that, you know, hey, they, they feel comfortable with us, a CIS above us, uh, managing their data for them. But what it really does is establishes that baseline and then you can start effectively managing, um, your program, you know, uh, based off of that. And then, um, as I said earlier, within the community defense model, one of the key findings was really around the importance of, uh, configuration management.
Again, um, you know, I'm speaking to either, uh, the CIS benchmarks or within, if you're within the federal space, the, um, the defense departments have what they call security technical implementation guides. They're, they're some very similar to our, our benchmarks, uh, in that. But configuration really does matter, and I think you need to, you need to, um, establish that, uh, you know, and, uh, and, and have that as a core part of your problem.
Um, I, I will leave you with, you know, um, from a CIS perspective, it's really about knowing your environment.
And so this is, this is, this is absolutely 100%, uh, and you know, that MSPs can, can aid if they're, they're providing that, that infrastructure for, uh, for those, um, um, you know, those, uh, uh, small and medium enterprises, um, and too often, you know, organizations are, you know, they forgot about, uh, a piece of hardware that was internet facing, or they're not, uh, you know, they're out of date with their software.
Again, an adversary, you know, it, it cost them the, you know, the price of, uh, scanning, um, scanning a network to find, you know, uh, um, open and, uh, unpatched and, uh, unconfigured, uh, um, devices from which to, to get a, to get a foothold. So this is an area where, uh, MSPs can, they know it already. Why? Because, you know, they're, they're, they've costed this out for the organization, so absolutely.
They know configuration, um, and they know what, what's on the infrastructure for them. So my belief is, is that this really helps, uh, and it, and it, it takes away, you know, as you know, Phyllis, one of the biggest burdens, uh, that organizations have, they always struggle with, with controls one, one, and two, right? Which is hardware and software.
Um, but there's prime examples where some of this, you know, that it, it's, you know, it, it's probably not as difficult as folks, um, folks think about. And then final, final comment really is around, um, understanding, you know, you know, data protection, where that, where that, where your data is that you're trying to protect and the sensitivity of that data, and making sure that, uh, you're actually doing an adequate job, uh, of protecting that data.
And that data could be data that you have to maintain for, um, you know, maybe, um, customer data that, you know, you have to maintain from a privacy, uh, perspective. Yeah. Thanks, Kurt. And that really leads into, you know, the next question. We often get feedback that the knowing your environment is the hardest thing you can do. And, um, we often get asked, but if you only had to narrow it down, what are the, what are the top three things we could do besides those top three?
And, you know, where's the easy button? You and I have talked about that, the magic bullet. Um, how do you respond, and, you know, what is your advice to those orgs that ask that? How is it that we should all respond? Because MSPs may get that same question, um, from their customers. Um, do you think it's as easy as just getting started? Yeah. You know, so, ah, yes, the, uh, the classic easy button, right? You know, I, I, I'm afraid it, it is just simply, it's, it's not that simple.
Um, you know, there's no, there's no one control that you implement or no one tool that you implement and, and you've solved your, uh, you know, your, your, you know, your cybersecurity problem, or you've, you've implemented your cybersecurity program. It really, as I said earlier, it really starts with knowing your environment. Um, and, um, and again, that, that takes diligence, that takes, you know, processes in place.
Um, if you're working through an MSP, good news is they've already captured a lot of that data for you. Um, you know, and, and again, um, then also knowing, um, knowing where your data actually resides. And I'll, I'll talk about, you know, this new, um, you know, pandemic world and post pandemic world that we're in, right? Where everyone's working remote.
I'm sitting in my study today, you know, and, uh, and, you know, so sensitive data is, is, is, is that boundary has been expend, uh, ex uh, extended away from corporate, uh, assets, um, out to, uh, out to either BYOD devices and things of that nature. And so, so data protection is, is, is, has become very important. So if I had, if I had to tell you, um, three, three steps, number one, know environment, so that's controls one, two, and three.
Uh, number two is going to be, uh, configuration, right? Yeah. That's control four. Um, and number three is really about, um, um, uh, account and access management, right?
And so that's limiting who's, uh, who's got admin privileges on your, on your network, um, and just kind of managing that entire thing because, you know, we all read the, uh, reports where, you know, credential harvesting is, uh, is, you know, is one of the, one of the methods that a, uh, adversaries use to get that initial, um, initial access, you know, for that. And if I had to go one more to number four, it actually monitoring your enterprise, right?
And, and actually look, you know, looking at those logs that are, uh, that are being created, uh, maybe you wanna invest in a SIEM tool or, or depending on the size of the organization, you, maybe you don't need to. There's other, there's enough free, um, free and open source tools available that would actually help you with, uh, with, um, you know, audit, logging and, and actually understanding, um, those logs calls too many times.
Um, an adversary left, you know, left fingerprints, uh, that, uh, that if you'd just been monitoring your, um, your network, you would've seen, uh, you'd seen the adversary. Awesome. Thank you. And real quick to Eric, in the last few minutes we have, um, when we talked at Right of Boom, and we've been in touch a little bit afterwards, you were considering, um, building a peer group around the CIS controls. Um, can you tell us a little bit more about that? Give us your thoughts.
Yeah, so in, uh, a little embarrassed by this, but apparently Proofpoint didn't like me getting emails from Phyllis. And so there has been some delays with that. Uh, no fault of either one of us. And I, apparently you can, someone can be, uh, blocked and allowed in the same, uh, email platform anyways, uh, got the legalese stuff back from Phyllis, it's now our attorney.
And yeah, so I'm in a peer group on Evolve and, you know, it's just a accelerator to learn from people's mistakes, learn from their experiences, uh, learn from each other is kind of the idea behind it, because this is not tool, you know, MSP tools are not tooled very well. So getting down the tools of, you know, how are we gonna do this? How are we gonna meet this control? What's your understanding? And so on.
So, um, anyways, that's the, the kind of the concept be behind the, you know, looking into a peer group. I threw it out on the cyber call before, and we have about 25 people that are, are interested in or wanting to uptake on that. Um, it's gonna be a very much, uh, you know, down to work. Uh, there won't be much more than just really focusing on the CIS controls, so still have a work in progress Andrew's offered to, to lend his assistance, uh, as well as Robert Chaffey.
And so, yeah, it's, uh, hopefully to be out soon. Um, but yeah, that's the idea behind it. I love that idea. Andrew, you're on mute. Thanks, fellas. I was gonna say, Eric, if they act now before this call's over, what did you throw in in addition? No, Uh, unlimited zoom calls. I don't know. Stickers. Yeah.
You know, one, one quick comment onto to Kurt's, uh, comments is we're a member of the CIS and this is, uh, not a, no one asked me to say this, but number four, the configuration is a really powerful control, and that's where we got a lot of value from joining, right? We get these GPOs or these Intune settings, or we're doing it with PowerShell, with our RMM to harden the images. And so it's like four or 500 settings for Windows 11, and now we're moving to Mac on browsers and things like that.
So any of that's one thing that's, that's been a huge value for us. Yeah. Yeah. And, and I'll tell you what, the community, you, you, you'll, you put the nail on the head here or hit the nail on the head, Eric, in closing, read the community defense model. It, it, it's an easy read, but it's really eye-opening and secure configuration safeguard 4.1. Um, what it can do in the amount of TTPs that it addresses is, is pretty staggering.
So, Gary, um, I love how you always sum things up before I thank, you know, Kurt for, and Eric for his time. Takeaways for you, my friend. Yeah, I, I think what we did today with the help of our guests is really kind of step back and put our arms around some really usable stuff in terms of where to start in your company, how to communicate with customers and prospects. This is one I said in chat that I would have this session.
Everyone at your MSP listen to this, and I would do a book club on it. Yeah. Very good. Really good. Curtis, really, uh, thank you so much for coming on. It's, it's awesome to, to see you over Zoom, but so looking forward to seeing you at Right of Boom two, um, any closing thoughts or comments? Hey, no, just, um, thank you for allowing me to come on and, uh, to wax politically or poetically for, uh, for an hour. Uh, really enjoy the, um, the discussion.
Again, from my lens, I can't, I can't say this enough. Uh, managed service providers really are provide, or that, you know, providing the, the, the core to what is the, uh, economic engine for this country. Um, and so you guys do a very powerful job. And, uh, anything that we, from the Center for Internet Security can do to help you count us in, um, Eric with that community, we're all in. We'll help help you moderate, we'll help adjudicate however we can on that.
But again, thanks, thanks for letting me come on for an hour. It's awesome to have you, Eric, again, selfless as can be, man. Thank you, uh, once again for, uh, for being so, uh, open with your time, uh, to help others. Um, any closing comments for you, my friend? No, just the thanks to the CIS. I mean, they're showing up, right? They're here to help us, uh, get ourselves, our MSPs better as well as, uh, protect our clients. So I really appreciate their support to this community.
And, uh, it's uh, it's fun to have MSPs on the map, per se. Yeah, so thank you. Yeah, I really appreciate it, Phyllis. Wes, thanks a million. Wishing you all a great week ahead. We'll look forward to seeing you back here next Monday. Take oh, not next Monday, labor Day, right? We and Phillips. That's right. So we'll take Monday off. We'll see you the following. All right. Bye now. Bye everybody. Take care.