CIS Guide to Reasonable Cybersecurity with Phyllis Lee
The cybersecurity industry is evolving—and fast. For Managed Service Providers, the emerging standard of “reasonable cybersecurity” is becoming more than a buzzword; it’s a legal and operational imperative. In this week’s Cyber Call, industry leaders broke down how MSPs can adapt and thrive in this new environment by aligning with frameworks, focusing on documentation, and reshaping how they communicate value.
State-level laws are starting to define what “reasonable” security actually looks like, and it’s becoming clear that MSPs will be expected to meet these standards. Relying on intuition or patchwork solutions isn’t going to cut it anymore. The CIS Critical Security Controls provide a structured, proven framework that gives MSPs a clear roadmap for protecting clients in a way that’s legally defensible. As Phyllis from CIS emphasized, following a framework is the most important step you can take.
But it’s not just about doing the right things—it’s about proving it. Documentation is now the cornerstone of defensibility. Lawrence Khanna, of Corporate Information Technologies, stressed that recording your processes, decisions, and even exceptions is essential. This isn’t just internal hygiene—it’s part of your legal protection and your client deliverables.
The conversation also emphasized a shift in messaging. Clients aren’t looking for a long list of tools; they want outcomes. MSPs must position their services in terms of roles, risk mitigation, and business value—not features. This shift also justifies pricing that reflects the complexity and accountability required for today’s cybersecurity standards. “Reasonable” doesn’t mean cheap—it means professional, measured, and documented.
Implementing security frameworks requires cultural buy-in across your team. Sales, admin, and technical staff all need to understand the framework and how to communicate its value. Embedding security into your culture makes your entire organization more aligned, responsive, and credible.
For those ready to go a step further, certification in CIS Controls offers a competitive edge. It’s a serious investment, but it proves your MSP is committed to excellence and compliance in a rapidly maturing industry.
In the end, “reasonable cybersecurity” is not a regulatory burden—it’s a growth opportunity. The MSPs who embrace these standards, document their process, and deliver clear, defensible value will be the ones who lead the next wave of secure, profitable service delivery
Guests
Video Transcript
All right. Welcome everybody. Uh, happy Monday. Lemme just get my chat going here. Make sure everybody, Hey, Eric. Welcome. Uh, welcome, welcome. Make sure you can all, can everybody hear, see, uh, just give us a, uh, a thumbs up, uh, uh, in chat. And, uh, I'll give it a minute or so here, just while we're, um, uh, waiting for, for a few minutes. Um, Gary Phyllis, thanks for filling in yesterday, uh, yesterday, last Monday. Um, I got to hear a little bit of it from the airplane.
It was really cool to hear The beginning. We're gonna have an extra 10 minutes of call 'cause there's no announcements. That's awesome. But it sounded great. I mean, yeah, Tyler and Mark did a great job. Um, I sent it out. That one I sent out, um, as my weekly audio message to all my, you know, peer members. Oh, neat.
Because you get to hear about their journey in business, but also, like Phyllis, I thought they did a good job of like weaving in the impact of cybersecurity as, you know, such a huge lever in their success. Uh, I agree. I mean, I think it was great to hear like, hey, it, it wasn't like, Hey, we're great. It was like we weren't great. We had nothing. And, and what we did was we looked internal first. Mm-hmm. You know, and then it was critical for them to hire certain roles.
Um, and in some sense, like it wasn't easy. It was a culture shift, you know, it was, you know, I like how they talked about, you know, the reality of the situation and like, having that role was important. And it also, in my opinion, shows commitment. Right. Um, It, it does.
So Andrew, they talked about that they were working, trying to mature and at one point they made the investment in bringing on someone, you know, with, you know, more cybersecurity background than anybody on the team, but not just the knowledge, but made that person accountable. And like, that was like a turning point in terms of changing their culture. 'cause there was someone who was accountable in all areas that things moved forward. So I thought that was a good call out, Phyllis. Yeah.
I think, and some of the things I picked up from 30 thou, 33,000 feet, Gary, that went in and out. But, you know, they definitely spoke about roles and process and I, I think Phyllis, you know, you, you, you're, you called something out that I think is really important.
Um, you typically, and I'll ask Lawrence about this to confirm, you know, you in my years of doing this, you typically know some, uh, an MSP is on the fairway, Gary in cybersecurity, when they talk about they were nowhere and they struggled and, you know, talk about, you know, the, the process of getting better at it, and then they're still not probably where they wanna be. You know, then, you know, you're talking to somebody with maturity.
It's, um, when you ask somebody about their cybersecurity journey or where they are and they start talking about tools, that's when, you know, they're very early in the process. Yeah. Ab absolutely. And listen, everybody, I think unless you started your business, you came out of somewhere else that already had that culture and then you started your business in the past two to three years, anyone other than that who's been in business longer has, has had to go on this journey.
Like, that's just the reality of it. Mm-hmm. Yeah. The cool thing is, Gary, and we've highlighted a lot on this, um, you know, we've now in our fifth season, um, is that, you know, post covid man, it, it, it really gave this boon, like if you rode this journey of maturity, right? Of, and, and you were an MSP that was dedicated to process going in into it.
Like, you know, I picture riding a wave like you were, you started, you were riding the wave in 20 18, 20 19, and you were have roles process. You were starting to, you know, align to a framework, et cetera, et cetera. Um, I, I think that's why, you know, companies like Pace and a lot of the ones you've been involved with have been able to, you know, if they wanted to exit, exited pretty substantially. Yeah, absolutely. Or have way better businesses.
And I feel like it's gonna happen faster this time, but we're at the beginning of that same impact, uh, with automation. Mm, yeah. Automated. Very true. Except that it's going to happen faster than cybersecurity. Um, and the revenue upside, like, it's not just our current rev streams adding to it, but I, it's gonna be new revenue streams, which changes the TAM dramatically. And I think that is gonna be part of it. And again, it's intertwined with security. Yeah, I agree. Really good point.
Alright, so let's get on into it today. Give it a few minutes here to get, let people get in. Um, and, and Carl, if you're asking about last week's session, all the, all the sessions are, um, in the live feed of each Of, oh, I think what he's sa he's saying is that, that he opened the link and instead of coming to this, it pointed him to last week's session, is what he's saying. Oh, wow. Huh. The link, the link that must have been sent out Was, oh, I'm sorry about that, Carl. Yeah. Alright.
Um, alright. So last week, you know, again, if you were here, if you were here, um, like, like I said, it was a fantastic session talking about, you know, an organization that their, their entire journey, right? Uh, how they acquired and merged with a, a company. Then they just went through being acquired by a company that Gary's on the board of. Um, and, and, uh, they talked about the role security played in that process. Um, today I wanted to kind of, I double click as it were.
And there's two things that I wanted to talk about today, both ironically, um, Phyllis is, is gonna be a bit of a guest star today, as well as Lawrence. Well, I'll let introduce himself momentarily. And that is, well, first I'm gonna talk about this guide to reasonable cybersecurity and the role it's starting to play in corporations. Uh, I think it's important for our, our, um, our, our community to hear about this, uh, how they might be able to leverage it.
And then also, since Lawrence has been like arguably one of the most vested MSPs in the CIS controls, um, the first to go fully through the CIS accreditation process, um, we wanted to talk about that journey, um, and how it's setting him apart, uh, as well. So, with that, Lawrence, um, I think everybody knows Phyllis, so I'm gonna skip that intro, but I think this is your first time on It is I recall. So welcome. Well, thank you. Yeah, absolutely. Tell us a little about yourself and your MSP.
Oh, sure. Um, first, it's, uh, it's fantastic to be on this side of the cyber call, um, uh, for everyone that is, uh, uh, is, is watching this, um, the fact that this is everyone's community, right? I mean, Andrew and Nick, you and your team have done an amazing job of making this truly a community effort where it's the voices of this amazing community. Um, so it's, it's awesome. It's great to be here. Um, uh, so a little bit of background on me. Um, uh, so like, my name's Lawrence Khanna.
I'm the founder and president of Corporate Information Technologies in Charlotte, North Carolina. Uh, started the business back in, uh, the late nineties, 98. Um, and it was a very, very different organization than it is today. Um, we have and continue to serve mostly regulated, uh, entities, regulated industries, a lot in, uh, in finance, a little bit in pharma, a lot of defense, um, and, uh, non-regulated, uh, organizations that have high value in intellectual properties.
So that cybersecurity really is, uh, uh, is, is central to their, like, to their, uh, their culture and their, their values. Um, for a very long time, I was the, like, charter member of the Uncool Kids Club, um, in the fact that everything we did was, uh, centered around, uh, this crazy thing that we now have of cybersecurity. Um, so while, like, the rest of the there cool MSPs, They're definitely cool MSPs.
I, I like to think that we're one of them now, but there are a lot of cool MSPs, um, uh, and, uh, uh, but no really like, it, it's, it's, uh, um, it was, it was one of the, you know, like, while the rest of the industry was like, we make, you know, it easy, just plug it in and everything just magically works. Um, we're like, oh, that's not gonna be the experience you have with, with us. Like, nothing is gonna work. It's gonna be authorization based.
There's a totally completely contrary to, uh, uh, to the rest of the industry. But it really reflected back to our journey of, and the genesis of the, of the company where we started the business. I mean, I started the business serving enterprise organizations. Um, you know, the, um, uh, those that are, that are Fortune 100 companies, uh, we were serving inside of, inside of their, their supply chain. Uh, and, and those shenanigans didn't, right. Didn't fly.
And over the course of time, we moved into, uh, into the upper end of small all the bid market, which is where we sit today. H how many people on your team? Uh, 22 people. Gotcha. So small, small MSP Well, 22 employees is, and there's some big ones now, but, you know, 50, 60% or, you know, under 10 or more could be 70%. So, Good point. That's very True. Good job. Congratulations on your business. Thank you, Lawrence. Just quick question before I turn it over to Gary.
He's got some questions to ask Phyllis about the reasonable, but I am curious, because of your focus in CMMC, is it, are, are, would the ruling and finally things starting to get going, is, is it kicking up in terms of workload for you? Um, it is, uh, so I, I appreciate you bringing that up, Andrew. Uh, we, we are actually, uh, in line to be the first, if not one of the first Right. Uh, um, certified MSPs inside of CMMC.
Uh, the final rule goes officially into effect December 16th, and our assessment begins at 12:01 AM on December 16th. Um, so in Florida, we're, No, it's, it's, it's wild, right? I mean, we're, we're, we're, we're, uh, um, we, I have long been a proponent of, um, um, of like, you know, put up show up, like be present in, in the, in the, uh, uh, the, the world that we choose to live. We chose and have chosen to live inside of regulated industries.
Um, and it's, it's core to our culture that, uh, um, that we're gonna be on the leading edge of these things, uh, much to the chagrin of most of my team. Uh, uh, 'cause I know, like even when we, when we, uh, um, uh, when the CIS accreditation, uh, was first announced, I'm not sure, I, I don't think it, I don't even think it had been officially published on the CIS website, and I was like, Hey, film this. Count me in.
Um, and, you know, not, not knowing anything about what the requirements were, but, uh, you know, we've, we've used the CIS controls for, uh, back before it was the CIS controls, back when it was the Sands Project. Um, uh, we've used it for a very long time. And I said, you know what? It's, it's our North Star. We really should, for the, for the benefit of the organization, we should be willing to be the first one.
And the same thing, instead of CMMC, uh, you know, we, we serve inside of all of the major primes, uh, inside of their supply chain. And, uh, um, you know, I think we owe it to our, to our clients to, to have a 801 71 compliant, uh, system and be, uh, be able to be entrusted inside of their supply chain. Uh, and so as soon as there was, uh, the ability for certification, um, I did the same thing. I'm like, all right, count us then. We're, we're gonna, we're gonna do this.
So it is definitely picking up, uh, I think as the final rule, uh, kind of congeals and, and people start getting, uh, uh, uh, you know, get past the cmmc deniers. There's a lot of that.
Uh, and now that we have clarification of the relationship between MSPs and or ESPs as they are and, and CMMC, uh, and, uh, and the, the OSCs the organizations that are subject to it, I think as that kind of, you know, now we have some clarity on it, uh, there's, there's a, a lot more certainty so people can, can, uh, use that certainty to move forward and make business plans. Yeah. We can't agree on, we can't even agree on what shape the earth is.
So, I, I'll, I'll tell you, Gary, every it, it is, it is amazing. I just just came back from, uh, A-C-M-M-C conference, uh, last week and, uh, uh, the, the level of intellectual prowess that is just poured into the final rule, uh, every comma period, like every word and every intention that is there, uh, has been scrutinized and analyzed and compared to other rules. And I'm like, man, like you all are, that's way above my pay grade.
I'm gonna take it for what it, what it, what it's, you know, what the requirements are, and we're gonna like go with what the, what state's requirements are. But there is so much consideration that's gone into this. And I'm like, man, like at the end of the day, let's just agree that this is what the DOD, right? Like this is what the DOD wants. So we're gonna have to pursue that. All of this other like, nuance and fine point detail. If it matters to your business, great. Go go to that extent.
But for the rest of the 99%, let's just agree with what it says and, and move on. So, uh, Andrew, people are commenting that you two, and it is distracting that you guys have the same background. It's just a virtual background. Yep. I'll see if I can, I'll see if, I'll see if there's another one to make everybody less. Uh, I, yeah, I, I, I saw that. I was like, yeah, an Andrew invited me to his beach house. Alright, let's, so I'm gonna start off here with, uh, Phyllis.
Um, Phyllis, you've been around the cybersecurity place for a long time, even though you're a very young woman. Thank you. Thank you, crew. Facts. Facts. Yep. Uh, give us a quick rundown on what CIS Reasonable Cybersecurity Guide is and why you think it's become a critical resource, or do you think it's become a critical resource? Yeah, sure. Um, so, um, just some background.
So what we've been seeing, we monitor, of course, federal law, um, executive orders as well as state law and state legislation to, to, to monitor what is it that cybersecurity is gonna look like, what's being mandated. And, and that helps us, um, that informs us on what kind of products that we create. 'cause of course, we always wanna stay relevant.
What we saw is in six states, um, they created, um, safe Harbor laws, um, meaning that if you implement a cybersecurity framework, they were, they were incentivizing the implementation of a cybersecurity framework in order to get Safe harbor. So you either could get indemnified from the, from, uh, a high fine if you're breached, or you can only get sued up to a certain amount. And all of these states, um, said, you know, you had to have implemented a reasonable cybersecurity program.
And of course, CIS critical security controls was one of the frameworks mentioned. And then of course, um, uh, no one defined reasonable, just kind of like, we always talk about cyber hygiene. No one defined cyber hygiene. So like, you know, what is it that you can do to achieve cyber hygiene, which is why we defined essential cyber hygiene. But the same thing was reasonable. What does it mean to reasonably implement a cybersecurity framework?
And so that's why we recreated the, the Reasonableness Guide to guide folks. Um, you know, and what I like about how we created it, because we got to use a community, 'cause that's how we create all our guidance. We had lawyers who have gone to court about cybersecurity expert witnesses who are also lawyers as well as a judge. So we could say, Hey, how is it that this should be worded to help not just a consumer like an organization, but lawyers and judges to interpret what does the law mean?
Because, um, reasonable is kind of a, um, while it's legal term, it's loosely defined right now for cybersecurity, we talk about a reasonable defense, like in the physical world. So basically, are you saying like you're, this is really the beginning of trying to put some guidelines, like around what's reasonable Yes. When implementing a cybersecurity, Trying to attach something to that definition for cybersecurity. Yes. So we defined it in the paper. Yep. Yeah. And that's good.
And, and so like, that's how everything starts, right? There has to be some starting point that people can, um, you know, have discussions around, agree with, disagree, fight in court, whatever it might be. Yep, Exactly. Exactly. And that's why I think it was so critical. We had lawyers When was this? And judges, I'm sorry, what? When, when was this? Um, we did it last year. We wrote it last year. It was published, I think in the summer or in the spring. In the spring of last year. Yep.
And, and, uh, one, one thing I'll run there was actually, uh, Tony Sager with, uh, CIS did a, uh, an excellent, uh, panel on, on this at RSA last year. Yeah. Uh, and, and it was, it was fascinating to hear two jurist, or two judges, uh, comment about how absolutely clueless they were about what cybersecurity was and how difficult it is as a jurist, uh, to, to make any rule or like reasonable application of law to an area and practice that they have so little professional training about. Mm-hmm.
Um, and I know that that conversation really opened my eyes around, like, to, to all of us here, like we might say, a reasonable cybersecurity is that you change your password once a year. Um, but, and to others changing your password every, every 60 days is reasonable. And, and as a, as a jurist, they just had, there was literally no basis for them to pull anything from. Yeah. It's not like, It's not like even judges deal with like, malpractice, right.
At this point, they've been through so many cases and so many expert witnesses, and it's so much better to find, even though it's still complicated. And they're not doctors, but they, they can get there because they've had, you know, decades of experience with it. Yep. Yes, exactly. But Gary Lawrence's point, and, and I, and Lawrence, I put the URL in the, uh, in the chat of Tony's. Perfect. Oh, yep. Yeah, because that's internal chat.
But Gary, this, this goes, not that I'm gonna go down this path, but this man, if this doesn't hammer the importance of having your legalese in, in your MSP, between you and your clients, really well-defined. I mean, like, I I, I, I can't underscore what does and, and A hundred percent Yeah. I don't know. I ask people how many here, people here have looked at and updated their MSA with someone who understands the cybersecurity impact.
And you'll be surprised, Andrew, how many just have not addressed it. They have the same, basically the same MSA, um, or they don't have one, or they've had the same one for three to five years, and you are completely at risk.
If that's the case, It, it's the reason that that, you know, case that Eric Tilt was asked to talk about, um, um, in, in several publications about LandTech, uh, the, the, the MSP in California, who is being sued by their customer, who is a law firm north of a million dollars, right. Because what they had in place was very loose. And if you leave things loose in interpretation in a court of law, whoa. The, like, to to to, to Lawrence's point, and I'll let you get on Gary here.
I mean, you, you want somebody that has like an, like this much knowledge of our industry making a decision, because that's pretty much what you're doing. Yep. So, Phyllis, this is the lens by which you see right. The world. Mm-hmm. So with that and what you've learned being on this call the past five years, what's the main thing organizations like MSPs and IT departments, what's the top few things they're getting wrong when it comes to cybersecurity?
When you look through that lens, that reasonable lens, right? Right. So the number one thing that, and we've done studies here with the MSI sac, we know that if you actually implement a cybersecurity framework, whichever one you choose, you are, you're saying Even more of the lesser, even more of the lesser ones. Yeah. Yeah. Even one of the ones that Aren Yeah, exactly. Start somewhere, of course, like, you know, I have my preference.
Um, but, um, you should, number one, follow a cybersecurity framework. Doing it on your own with your feels and your, Hey, I know this is a good idea, is a bad idea. Number one thing you should do is follow a cybersecurity framework. Number two is document, document, document. Right. You must understand why you implemented, how you implemented, what process you have in place to implement a control, or, and you must document why you didn't implement that control, right?
So you could say, I didn't conduct a pen test because it would bankrupt my business, and that's good enough, right? Did you make a reasonable choice at the time? Yeah. If you're gonna say you're gonna go outta business, that's reasonable.
And that's defensible in a court of law, Or, or as an example, a lot of times, Gary, like with, you know, you talk about, you know, things like, you know, with the OT or, uh, you know, antiquated manufacturer equipment and you're running Windows 98 or Windows 95, it's like, Hey, we have this compensating control. Well, why didn't you upgrade it? Well, because it costs $4 million to retrofit it and would put us out of business. Right?
So we put this compensating control in place for this highly antiquated system. Fair, Phyllis, That's 100% fair. We also talk about if you put in a compensating control, that also is good enough. So what you have to do is you have to at least document that you thought about it and you made a quote unquote, reasonable decision at that time. Right? So, and then you're constantly revisiting that decision. Yeah. Every year or every six, whatever your cadence may be. So a couple points here.
One something else that stood out last week when we were talking to, to Tyler Sanders from pace. The one thing he said that, um, when they implemented change control Yes. Mm-hmm. That, that, that was the hardest thing. Yep. Because at that point, they were actually holding themselves accountable, like you said, for this. Mm-hmm.
And that was like a big ma, like an eyeopener for everyone who thought that they, like, I guess they thought they were doing pretty good until they did that, and they realized how much work it was and how many things, you know, we, it uncovered. And I think the same thing happens the first time people start to, and you know, you know Phyllis, right? I literally built by it process before the standards, right? Mm-hmm.
Um, to, we were developing, having people, and we were developing standards until the other standards came along. And because there's no way without a comparison across your client base to a set of standards, there's no scenario where, where you're doing the right thing. Like, it, it, you, you, you can't, it's like, I call it the box and the blob and the box is the standard. And if you have 50 customers, all you have is 50 blobs. Right? Right.
It is the box that, that allows you to communicate with and communicate with customers. 'cause they understand what's in and out of that, of that box and can attach a risk to it. So it, it's, it, it's huge.
Um, the next question I have for you is you emphasize reasonable, and you started to alluded at this, but maybe dive a little bit deeper into, in this context, how an organization, kind of like they have to balance security with practicality that their customer or customers have to do business. Exactly. And so, you know, reasonable is, you know, is kind of loose or, or, or left open to interpretation for a reason. Right.
And, um, that's why we wanted to say, let's draw the line in the sand and say what is reasonable? So if you look at those, someone said there are six laws. There are six laws, and, you know, there's also a ton of privacy law, which we'll go into later. But even within the law, when you look at those six laws, they talk about the fact that, um, you know, you have to protect, you know, the security and confidentiality you have to protect against threats and hazards.
You have to make sure people's privacy information isn't leaked. But even within that, you have to take in, into consideration the size of the organization. Yeah. What your organization is supposed to do. The, you know, ity, uh, sensitivity of the data that needs to be protected, and the resources that that organization has to dedicate to cybersecurity. So even the law recognizes that there's a disparity in the organizations that have to implement cybersecurity.
So we have to, we have to be understanding of that. But again, what is reasonable in that context? Phyllis, quick question. Since since C CIS is so involved with CIS and you know, obviously you're the home of the MS isac, you're bringing all this to light these disparities, you know, these states having contradictory things, but you guys kind of putting a line in the stand about what's reasonable and is this, have you heard anything?
Hey, maybe we should put the federal standards in place since, you know, we're seeing the need for commonality here is, Right. So, so this is typically what happens. If you were to look at federal law and federal, um, and the executive orders and those that do pertain to cybersecurity, and we actually have a graphic in the paper. What you'll see is most of those statutes, or most of that legislation has to do with a certain vertical. Like, you know, um, CMC, Yeah.
CMMC or like Sarbanes Oxley, like health financial, fisma, fisma, or if you wanna do, which FISMA is an example of if you wanna do business with the federal government, right? Right. FedRAMP, fsma, those kinds of things. And so that's like that top down approach. But it's only been, um, concentrated in those areas lacking a federal standard. What did the states do? You've got every state has state privacy law, and now you're, now you're seeing these, um, safe harbor laws.
And of course, there's these breach laws where you have to inform organizations of a breach. And so, you know, we discussed this, what ends up happening is once the state law gets to a certain point, what is that tipping point? Then you'll have this national law. Now, ONCD, office of National Cyber Defense also put out, um, an RFI for, hey, we are getting a lot of feedback that everyone wants one standard. Now we all sit back and we're like, ha ha. We all knew that. Right?
But then down the pike, which is kind of like a reinterpretation of the 1 71. So, um, and, and, and so, you know, ONCD has put out, you know, something to say, Hey, we heard you people want just one standard. What could that one standard be? Of course we've responded, you know, a CIS. But, um, that's a long-winded answer to say, yeah, we're not at that tipping point. We'll see the uprising in the state uprising, not an uprising, but, you know, we'll see an uptick mm-hmm.
In the state legislation. And then the federal government, um, hopefully, um, this new administration, if it gets to a certain point, we'll, we'll, we'll do something. So you, you alluded to this about every state has different, you know, requirements right now. Like how does that, what does that mean to an MSP? Like many MSPs today, more than ever, are doing business with companies in many states. Yes. Right. We're not as tied geographically.
You know, I was here in my MSPs, were in New Jersey and, and, and Philadelphia, like basically on the, along the Delaware. So we don't, we're only really dealt in two states, but now, you know, you could deal in 5, 6, 7, 20 different states. Like how does that patchwork impact you think, you know, Ms. P and also SMBs that have locations in multiple states? Yeah, I mean, I think it's very confusing, right? And organizations don't know which way to go and what to do.
And so I think, you know, one of the reasons why we felt like it was a tipping point for the reasonableness guide is that when you look at the state legislation, and there's lots of states that have this kind of legislation waiting in the works, we thought the great state of Florida was gonna be the next one. But the government, the governor punted on signing it. So we're hoping it'll come around again. So see what you can do about that. Andrew, Are we talking about marijuana or cyber?
Because marijuana got voted down. Phyllis Cyber security. So anyway, um, so, you know, I think the guidance is because also, you know, we heard a lot also because of the, the different state privacy laws, right? A lot of organizations like financial organizations, um, and, and insurance organizations are like, oh, we're multi-state, and then of course we're multi, you know, nation, what do we do?
And I, the, and I would say, you know, really follow the guide because you really need to have that cybersecurity framework as your North star, as Lawrence says that you're using, um, so that you can actually prove that you have done something reasonable in order to, you know, show if you are breached. I reasonably protected people's data. Yeah.
A quick question to you, you know, as you hear this, you know, for MSPs dealing with non-regulated customers, would, how would, and how might you use this? Like, hey, um, this, this thought on reasonableness, right? And defensibility, would that potentially be a wedge and, and a talk track for you in the sales process?
Yeah, I would, in my, you know, I, I would have that as part of how I talk to my customers the same way we want to have, um, you know, assume breach, like these are all the kind of concepts and words need to have with every customer. 'cause the fact of the matter is, many MSPs, they have some regulated customers to some degree, you know, or people that require a higher level of support, like Tyler talked about, have his company's legal vertical, right? Well, you know, that costs money.
You now really need to charge all your customers pretty much the same. It's like you, it's very hard to deliver a different service to two different levels of customers. Oh, yeah. There's pieces of it you can add on that, that, that lend themselves to it. But in terms of your core offering, you need now to be able to use what you're doing for those other customers to explain to every customer.
It's like, listen, as soon as anyone who cares looks at people who really care about their data and don't want to breach, here's what they deem as reasonable. You are not in that industry, but isn't it just as reasonable, like, you, like, isn't your data and your risk just as the same as a lawyer? Do you know what I'm saying? It's really almost no different. Yeah. We'll get In more trouble.
Well, one thing I'll, I'll, I'll throw in here, I think, and, and I'm, uh, I'm glad you mentioned the, like the insurance industry, uh, right, the insurance business, they are professional risk mitigators, right? They, they identify all of these things, um, at a macro level, and then their contract language gets updated accordingly on a very regular basis.
And, and I would encourage anyone who hasn't looked at their business, uh, e and o policy, uh, or their business, uh, uh, cyber policy recently to go back and look at it, and, and they, they talk, the insurance industry has pushed this out where they defined their own level of reasonableness despite what the state laws were. Um, and often in conflict with, with some of the state minimum requirements.
Um, they, they've defined their own, you know, set of reasonableness because like they know if you implement multifactor authentication, um, a X percent of of these attacks are just completely moot. Um, and, and I think that is something that as an MSP, we can look to that and surely we, we direct our clients to do the same thing.
Like, look at your insurance, your insurance policies, all of those exclusions, all of those things, all those requirements, all those questionnaires that they send you every year. There's a reason behind that. And if, if you can't answer yes to all of the questions, right? In the affirmative that we're doing these things, then are, are you accepting the risk, uh, that someone else is, is at least telling you that you have here.
And I think MSPs, we can be the ones that can share what there is risk are. 'cause we do have a little more visibility into this than, than most. Yeah. La last thing real quick, 'cause I have a time, Gary, but really important one, if you haven't seen the conversation Gary had with Brian Blakely, I think he highlighted it that Gary recall the conversation regardless of regulated or non-regulated.
Um, Lawrence, he spoke about, look in the, ask your customers, if you can look at the contracts between them and their largest customers. That's a great point. I'm paraphrasing. And he's like, there's a treasure trove of things in there that your clients probably signed off on that they have no clue about. Data privacy, data security breach notifications, and on and on and on. Yeah. So even the customers or prospects have pushed back and go, yeah, but we're not regulated. We don't need this.
That, okay, let's talk about the largest, your largest piece of your revenue that, that you would let, would you be willing to risk, right? Your biggest customers. Let's, let's look at what you've signed up for there. Um, That's, that's an incredible point, Andrew. And, and like, even the point you just made there, like, like breach notification, um, like breach has a formal legal term, right? It has a, a, a very clear legal definition that's, that's generally accepted.
Um, but what constitutes an incident? What constitutes a breach? There's a lot of contracts that have language in there that, uh, moves that line. And, uh, um, and, and to your point, right? If as an MSP, you don't know that, and if your customer doesn't know that and their contracts, man, that is, that is, that is a, uh, uh, I'll use your words. That's a treasure trove right there.
I'm gonna guess that a very, very small percentage of MSPs have gotten to that point where their relationship is with their customers, that they're having those conversations. And look, I I, you know how I can tell that there's a lot of Captain Obviouses still out there? Uh, I, I watch what happens right now around, um, non-recurring revenue, non-recurring services as a percentage of MRRI see it declining.
And the reason why is you move, uh, the exchange server to the cloud once you don't do it again. Right? But what NRR has been changing since the beginning of time is just changing faster. So that tells me, Andrew, they don't have a relationship where they're finding the other and new services to recommend they're falling behind because it's being exposed now. 'cause the one thing they could depend on was a refresh cycle.
And you don't need to know much about people's businesses for a refresh cycle. And to me, that tells me there's a security risk. 'cause those same questions that generate additional revenue are the ones that secure and reduce risk for our customers. Yeah. Gary, and you pointed out whether it's security or governance, right?
Data governance within security privacy, or as you spoke about immaturity and automation, because you're seeing the, the most mature MSPs now start, you know, that have very solid security practices, they're starting to pull away now with automation practice. Yes. And I would say regardless of whether or not you're in a regulated industry, if you live in a state you're subject to that state's privacy law, if you live in one of these other states, you can benefit from these safe harbor laws.
Um, there is this growing expectation that my data is private. Mm-hmm. So, um, you know, MSPs need to understand that, um, people are expecting that my email isn't read by a stranger, that my credit card data isn't compromised. Like all these things. There is that growing expectation of privacy. Andrew, is my lettering backwards? Uh, it may be. You can, all you have Yes, it's do. Gary is you see the little blue, the the little three dots? There you go. That's better. There we go. That's better.
Okay. There we go. Yeah. Good. Thank you for telling me someone over there. Yeah, I'm, I had a couple other things. Now you're, again, for sake of time, I, I'll, I think it's 'cause I use this camera that's like a thousand zillion megapixels. Yeah. You're frozen again now. I'll turn it off and on again. Yeah, turn it off and on. You take it. Okay. Yeah. So let's move on to Lawrence. And I have to say Lawrence, um, is, you know, is, is, is a, is a great partner to have. I love learning from him.
He has been a great supporter of, um, the controls. I'll ask you Gary's question, what should MSPs know about the guide versus following the implementation of IG one and essential cyber hygiene? Um, I love that. And, and first I'll say, uh, fill this, um, uh, the controls into your leadership have been amazing. Um, and as that continues and you continue to evangelize the, uh, the vision of CIS like we are, we are absolutely in line with that.
It is, uh, uh, I have, I have long pointed to the controls as, uh, um, as like the easiest, most digestible place to start in cybersecurity. Um, I have a lot of background in enterprise, uh, and, and all of the, the risk management frameworks where you have to like, know that language to even start to understand. And the controls are, you know, written by humans for humans.
Um, so in incredible, uh, um, I love, love the partnership that we have, uh, um, with CIS uh, and so thank you for doing what, what you do and what CIS does as a whole. 'cause it is so important to this community. Um, but to your question, and, uh, uh, and I, I think, um, uh, so for anyone who hasn't taken the time to read the guide, uh, go out, read it, it's not very long. It's a, it's a, um, uh, it's actually a very informative read.
I know for me it was, uh, um, uh, reading it and then trying to like say, what can I learn and what can I apply from this, uh, um, that, that was, um, uh, that was where the value was. Um, you know, I've, I've been, I've been in this space in the controls for a very, very long time.
Um, and, and there's definitely good actions and takeaways of consideration because some of the, I mean, if, if you just, just look at the contributors to the guide, you're gonna see it's not a lot of people who are, are geeks or technologists or engineers. Uh, um, I mean, there's, there's so many diverse, uh, uh, inputs and opinions in this. It's, it's, it's great. Um, so what should, uh, um, uh, what should, should people take? I think the, the baseline of, of like, what is reasonable?
Uh, um, you know, the, the, the takeaway that I would offer here is, uh, if we as an MSP don't define what we understand as reasonable, um, then it's left to interpretation, it's left to someone else. And whether that be a customer, whether that be a a, uh, um, a legal team, someone else is gonna make that determination for us. And usually when they're making that determination, bad things are already happening.
Um, and so the, um, uh, the, the, the application defining of what we feel as an organization is reasonable is, is like the place to start. Um, one of the, one of the concepts that that, uh, uh, that kinda gets foot stomped in there is the duty of care risk analysis. Mm-hmm. Um, that's a lot of words, right? But, but, uh, um, uh, you know, and, uh, we, we've already, we should spoken about a little bit of it now, uh, just in this conversation.
But, uh, um, like considering the risk of the information of the assets of the business that's there and saying, Hey, I'm going to use everything in my power to make appropriate and reasonable, like safeguards to find those safeguards and consider the risks that are, that are applied to them.
Um, I, I think that that is probably the most important takeaway in this because if we define what's reasonable, we define what we're going to do to secure and safeguard those things that are reasonable, um, that really lets us be proactive and not reactive. Um, and really it says it, it's, if we, if we kinda look at the old axiom of say what you do and do what you say, that's, that's the takeaway here is, uh, define that, that state of reasonableness, and then live up to it, execute on it.
That's awesome. Thanks. Yeah. Um, so let's kind of switch a little bit. Um, you know, Lawrence is the first one, um, who became, um, CIS CER certified against the controls. And, um, please tell us about your experience as the first one process. I know it wasn't a smooth trans, it was not a smooth process.
So, Um, uh, you know, it, it, it, it wasn't, uh, I think anyone who's gone through any, any type of, uh, third party audit and certification, um, uh, right, they, it's very, it was very similar, um, with the exception that, uh, uh, this was a little more, I use the word sporty, I use that word, uh, a a lot. Uh, but it, it was a little more sporty.
Uh, um, and the fact that this, this wasn't, uh, go take a test and you're certified, it, it was, um, a quantification of the people, their qualifications to do the jobs that they're, um, that they're in, the processes that we have identified and how we apply those processes. Um, the means that we have and take assurance for the work that we're doing inside of the, inside of the controls.
Um, I mean, it went through like service delivery documentation, uh, spent a lot of time on, on quality management, you know, like, uh, uh, going back to the, what we were talking about at the top of the call, uh, um, you know, like that was, that was one of the areas that we, we struggled with. Like, we did all this stuff. Uh, like we had a, we have a very vibrant culture of, of just wanting to not just do the right thing, but do the best thing, do it the best possible way.
But writing that down, like, like where, where we, we just like struggled was writing that down in a way that someone that wasn't in the situation could understand, uh, was really difficult. Um, but, uh, uh, uh, all, all in all the, the process did involve understanding how, how we handled information, how we measure things, uh, having the right certifications and all of the things internally.
Uh, um, and then at the end of the day, uh, that, that third party, uh, attestation that we are doing what we doing, what we say that we're doing, Yeah. I mean, just FYI for the group Crest is, um, an organization that does certifications most notably for, um, in my opinion, well, from my experience for pen testers. So the US government looks for CREST certifications when, um, when I worked there to say, okay, who can we hire as a third party pen tester for this organization?
So they really go into, are you a credible business? For example, have you, has there been a complaint lodged against you in Better Business Bureau? And it talks about ethics as well. So the accreditation is not for an individual, it's for the whole entire organization. So the whole entire organization is accredited to, um, uh, assess, do assessments using the CIS controls.
Um, so then next question, one of the requirements is, of course, the SANS 5, 6, 6, 'cause they're only game in town, right? It's not, it's not cheap. Um, do you think that this is a barrier for MSPs to get accredited? Um, you know, that's, that's, that's a, a, um, a difficult question.
And, and, and I'll, I'll only, I'll answer it from kind of my perspective and, and, uh, as evidenced by the fact that we're so early in the controls accreditation, we're so early in, in the CMMC accreditation, um, this is what we do. Um, and our culture is to, to do right? Like, to, to just get stuff done, uh, but do it in, in the best possible way that we can. Uh, and so it, what the second best, the yeah, we, we strive for, for, for like a number one. But, uh, but yeah, it, it's, it's hard.
And, and so this is a matter of prioritizing time and, and, um, and, and resources. I mean, it, it really is, it's a matter of prioritizing that and saying, all right, for us to live up to our core values, this is something we have to do. And I mean, even we're, we're a small team, um, and it's, it's not even just the cost. 'cause the cost is, is not insignificant.
Um, but it's living it and, and applying it and understanding it and getting the time to really understand what sans wants you to understand what the controls want you to do, um, and, and really changing that, uh, that lexicon. So is it a barrier? Yes, but it's, it's also something that I, um, I can, I can speak personally. It changes, it changes, uh, the individuals and it changes the organization in a very positive way. So surely, surely worth it.
Do you do more co-managed or like full fixed fee where you, you're everything for a business? Um, so we are, uh, almost equally split 50 50. Um, uh, most of our larger clients, as you'd expect are, um, are co-managed. Um, and then most of the small organizations we are, we're fully managing them. Um, but we have one, uh, one standard of care that we apply for all of them and one customer responsibility model that we apply for all of them, uh, even in those, those co-managed environments.
So What is, for a full fixed fee, what do you on average target as a seat price to do all this? Uh, um, somewhere north of, uh, uh, north of 2 75 a seat. Gotcha. Because if you would've told me anything less than two 50, I would've called bs. Yeah. Yeah. When you, when you say time, I think money, Oh, a hundred Percent takes time to do this. It takes time to do that. It takes commitment. Like to me, all, you can only do that as if you can afford to. Oh, absolutely.
Well, and, and you know, the, the point that you made earlier, and I, I'm, I'm I, I held my tongue, but I'm really glad you did it. That was in like the change management process, right? Like implementing proper change management slows the organization down. Um, right. MSPs are, are made for throughput and efficiency, and then when all of a sudden there's now some kind of review or approval or, Hey, I have to pivot off of a ticket to get that approved, man, I mean, that gets expensive fast.
Um, but with the, with the, uh, the implementation of the controls, like, and, and I'm, I'm glad you brought this up, Gary, because it, it's, it's, uh, um, the, uh, the emotional and intellectual investment that it takes through the whole organization. This is not just a a c-suite thing. This is not just a engineer thing. This is from the frontline person answering the phone all the way through the organization.
Um, it, it fundamentally changes how, how we do things, our communication with our clients, the lexicon that we, that we use. And, and you're right, that, that is expensive. It's more expensive than if it was just, Hey, yeah, we can go fix all your, all of the, the blinking lights and make them blink better. Good. Interesting. So you talked a little bit about this, but how did the accreditation process change the culture, um, within your organization?
And, um, what was the impact on your operational efficiency, your Security, your sales? Um, what a great question. Um, uh, so I'll, I'll say, uh, culturally, it was probably the, uh, the most significant impact in the fact that, uh, now, like we have used the CIS controls as our North Star for 14 years. Um, right. We, we lived them, breed them. Um, it was written into our MSA, um, we defined IG one as kind of like our minimum standard to do business with us.
Um, we, we had done all of those things, but then, then when, when we changed, hey, and now this is the exact process we're going to use for the implementation, um, and the defining those minimum requirements and timelines, uh, that really made a, a huge difference because now it affects sales, it affects admin. Uh, it, it affects how we do things. So the, uh, the cultural shift of having a more regimented process was big.
The other shift, and, and I, I think this is, this is important, uh, um, documenting the intention of the things that we do, um, or why a certain choice was made, uh, you know, that that was, that was also something that was, uh, uh, a little bit unexpected. And it actually was organic. It, it didn't come from me.
It came from our service delivery team, um, of them saying, oh, hey, like if, if we include this in our ticket, like if we, if if the customer's accepting the risk, then we should probably say the customer is accepting this risk and it's a qualified person based on, um, and it's like, wow. Like everyone got it. Everyone was on board with it.
Um, and, and so that, that was, that was, uh, um, uh, for me, that was the, the moment where I knew that everyone was actually in line and understood the intention of what we were doing. Mm-hmm. Not just a checklist, not just a, oh yeah, go do this because someone says to do it, but really getting behind it. So, um, so how do you Do that to a prospect who says, you $5,000 a month and the other people are 3000 a month? Uh, and it, that, that is a conversation we have all day every day.
And, and I think it goes to, uh, narrowing the target customers that we, that we actively and aggressively pursue. Uh, um, there's some, there's some organizations that they, they legitimately don't care, especially in the small business space. They don't, they want the lowest price, uh, or they want a very specific feature. Um, and, and like, we will approach 'em and say like, if, if you're looking for price, then we're, we're probably not gonna be the right fit.
Uh, if you're looking for quality, if you're looking for like a, a regimented structure for how things are done that has, has been evaluated and accredited by a third party, then we're, we're your fit. Um, you know, we, we evolve, we adopt, we do these things on a meaningful basis every day. And if that is in line with that prospect's culture and their, like their, their internal North star, whatever that might be, then it, it's an alignment.
But it is, it, it, it absolutely filters out, um, a lot of prospects. Um, and it, it narrows the, the sales conversation that we have, uh, every day. Lawrence, I wanna ask Gary something, Gary, I Still laugh you. Oh, to that, I would say, Gary, I, I still laugh at your sales role play that you did a few months back where you're like, I'm trying to figure out why I don't wanna show up for the second meeting. Right? Absolutely.
I, I, I would say like, Hey, listen, you know, we normally, here's what we do in a second meeting, you're not convincing me I should come back, but because it sounds like I care more about your risk than you do, and I'm not sure why. Yeah. Right. Right. And I was gonna ask you, Gary, would, would you, you use this early and upfront in the first call, meaning, Hey, look, there are low price providers out there. I just wanted to share whether that's not us.
Let me tell you, you know, why what we charge. I mean, ballpark, what we charge, why we charge it, et cetera. And, and, you know, just to kind of calibrate what you're looking for, is that something you're gonna pull out early in the, and, you know, to set the stage of who you are? Yeah.
And listen, and I've shared this, but the secret to how I've done it and talk many people how to do it, is to go right to show, get, take a couple examples of pain that you uncover, security, you know, that, that you've uncovered. Then I go right at a high level to show 'em what our roles look like mm-hmm. And just explain to 'em how we've solved it conceptually with a role and what that role does and why they can't get that result without it.
'cause you gotta paint in big, broad strokes, not in like a whole list of features and tools and stuff. Right? And someone else has a different long list, and you're trying to tell 'em, like, you long list is way better. And so if you can do it at a conceptual level, if you can take him through what Lawrence just said, like, Hey, we consider us one of the top firms, we just, can I tell you a story? We just went through this accreditation process.
Can I tell you what we learned and why we're better? But guess what, all of it took, it took time and process. My customers are better off and we're happy to make a little bit more investment. Do you really care whether you spend 5,000 or whether you spend 4,200 in this scenario? If what I'm saying is true, if we're on the fairway, that this makes logical sense, but you have to do it. The word I always use with our members, big paint and big, broad strokes. Got it.
So Lawrence, how did your, you know, we often talk on this call about the culture of security, and we talk about, you know, I think what's bringing to light in my mind with this conversation, we often talk about like the technologists, but you brought up the sales team and how you have that conversation every day. How was it with your sales team to tell them, well, you're just gonna walk away from that sale? Yeah. Uh, wild. Um, no real really. It's, it's, it's interesting.
Um, uh, so if, if we, if we, if we go, oh, yes, yes, yes. Gary, uh, um, uh, what, what I, what I learned is, uh, uh, salespeople really don't like when you say no. Like, we, we can't, we can't do this, uh, or this is just a bad fit, or there's just, you know, there's a, there's an opportunity for some revenue, but it's bad revenue.
Um, uh, and, uh, but what, what's, what's interesting, if we go in the way back machine, um, uh, years ago, we, we have had these, uh, um, authorized processes, authorized people, processes, um, and, and, right, it's, it's, you know, who can make a request and what type of request up to what authorization and all this stuff, very enterprise IT ish. Um, you start making application to that mid-market, uh, it gets really difficult. Um, uh, because, you know, you may not have three approvers.
They're, they're very blurred lines for who can approve what, and who's a data owner and all, all these things. Um, but all, all of that, uh, um, all that, that kind of, uh, put together the, uh, uh, the sales team used to, to look at that and just go, oh, this is so hard. This is an impediment to sales. And I knew when this all got in alignment that the sales team would pull that process and those documents out unlike the second meeting.
And they'd be like, so this is how we go through an authorization to make sure that there's not these horror stories that happen or that are pulled straight from the headlines. Like we, we've built these controls in. Um, and so it, it went from a, a, not adversarial, but a, but definitely a, a contentious and tension relationship to, Hey, I get it, I, I all these bad things that, that are happening out there. We're not just passively going, oh, that, that's awful for those that are involved.
We are evolving, we're getting in front of it. We're implementing processes that are risk-based and, and this is, this thing is, uh, is how we are, how we're making the changes. And then they use that in front of a customer, um, or bring it up into QBR and say, oh yeah, by the way, you know, like, we sent that, that, that email out about this thing before, um, uh, that this is why and the customers love it. Mm-hmm.
And so it's, it's completely changed our sales culture, um, and also our admin culture. So like now when, uh, um, when vendors call in, um, that's like, and they're like, oh, we wanna sell you the new flashy whizzbang thing where it's like, well, we, you know, we onboard new vendors one time a year. There's a Rubicon of of need. They have to align to the CIIS controls. How do you align to the ci IS controls and, and specific practices or assessment objectives there?
And they're just like left speechless. Um, but there ha, it, it's not just about buying new flashy, cool tools. They're amazing vendors in this marketplace, but for the vendor and for our team to understand what do they do for us? Like what do they do for our customers through the lens, through the north star of the CIS controls for a security function, um, that also is a, a major change for, uh, uh, for just how we worked internally. So Andrew, there's our signal. We're at the top of the hour.
Gary. Gary's bringing it with all the different Sound effects. I love that. Right? You crack me up, Gareth. Um, anyway, Lawrence, thank you so much. In fact, yeah, thanks man. Um, and thank you for your kind words said it wasn't the best cyber calls Jordan agreed. And, and, uh, Lawrence really appreciate you making it one And Phyllis, uh, cool that you were not only the co-host but also a guest today and, and Sharon, um, the reasonableness.
Um, Gary has always appreciate you joining Wish, wanted to wish everybody healthy, happy, uh, Thanksgiving to all. Yeah. For Everybody in the us Yeah, right. Um, and, uh, uh, all the best to you. Look forward to seeing you next Monday. Bye.
Related Videos

The Vulnerability Crisis No One is Funding
The Vulnerability Crisis No One is Funding

The Vulnpocalypse Is Here & Your MSP Can Survive It
The Vulnpocalypse Is Here & Your MSP Can Survive It

The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois
The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois