Right of Boom
January 30, 2025

CyberCall – June 29th, 2020

In this video, Gary, Wes, and Joe Panettieri discuss the psychology of risk assessment and its impact on cybersecurity in small businesses. They explore how human brains are often poor judges of risk, leading to challenges in effectively managing cybersecurity. The conversation delves into real-world examples, industry insights, and the importance of adopting standardized practices and frameworks to enhance cybersecurity readiness.

- The human brain has two systems for reacting to risk: the primitive and intuitive amygdala and the analytical neocortex, which often struggle to operate effectively together.
- The majority of security breaches are due to poor hygiene and known vulnerabilities, rather than new or zero-day threats.
- Small businesses are more vulnerable to cyber attacks due to a lack of preparedness and often do not take basic steps to improve their security readiness.

Guests

Andrew Morgan

Video Transcript

Awesome. All right, we are live. Gary, you want to take us off or take us in as always. So, uh, we've got, uh, a lot going on in the backgrounds here. Wes, uh, you want to explain what you've got going on there? 45. Look, my boy. Hey, look, my boy Kyle is not on the call today and I couldn't bear being on a call without my boy Kyle. So my C boy Kyle is back on. How many of you guys follow him on LinkedIn?

You saw his video where I was daring him to do a belly flop after cyber call was over and he, at least he did a cannonball, right? So here he is. So someone needs to link in this and make sure he sees it. I rely on you. Cyber call. It is up to you guys to make sure he sees. Alright. Hey there, Felicia, thank you so much for joining. Hope you're doing well down in the south of Wes and I are up a little bit. What east? Uh, no West. Can't even remember. Anyway, we're up a little north of you.

Um, so, hey, we've got a really special guest today for those of you, I'm sure a lot of you know Joe Panettieri, but for those of you that don't, um, gosh, a friend in the industry for 15, 20 years here to all of us, uh, collectively here, Joe, just a maybe just a touch about yourself for those out there that don't know you.

Uh, probably not many, but I, I tell you what, I feel like the Ed McMahon of the program, that sort of the straight man compared to you guys, um, for those who remember Ed, yes, We Do. Um, now, hey, listen, first of all, thank you guys for, uh, not only having me on today, but your friendship over the years. I, I'm always learning so much from each of you. I, I really appreciate it. Uh, short and sweet.

Uh, I'm the co-founder and editor of ChannelE2E, which covers IT service providers from entrepreneur to exit. And I'm also the co-founder and editor of MSSP Alert, which is 24 by seven managed security services news and analysis. Really, really cool. Gary, as always, and thank you Joe. Gary, as always, thanks for being here with us. Yeah, I'm excited for today. Uh, we usually have, what, six or eight people? So it's the four of us. Mm-Hmm.

We can talk, hopefully get some, uh, interaction going with everybody and um, I think it's good, right? We're eight, nine weeks in. We can take a little breath today, digest some of the stuff. You have a great topic. We can talk through and get people thinking in a different kind of way. That's why we're here. Yeah, absolutely.

Well, I, yeah, I, this topic is to me like one of these things that I just get really nerdy and like, I literally spent, you saw me, I sent you guys notes over the weekend on Saturday and, and just reading this and let, let me just kind of, we'll start off. This is about, you know, why the human brain is such a poor judge of risk. And I'll just read you guys a few anecdotes and then I'll set the stage. Um, I'm gonna, I apologize up front.

I'm gonna read a few things just because, um, it won't, I promise I won't bore you, but just to kind of set the stage into the questions for the panel. But here's a few anecdotes. Um, Gary, I thought you'd like this one. Um, these two, um, human brain, fascinating organ, but an absolute mess. That's anecdote number one. And these are from these articles, these research articles.

Um, second one, and this is, this gets into the heart of cell of sales, and I want you to hear what this one article said. He, using evidence or data to communicate risks can be a fool's errand. Interesting because right, we've, you know, we talked about why FUD doesn't work, et cetera, but that, I like that one, like kind of smacked me in the head like, 'cause that's what a lot of us do.

Well look, you know, here's your assessment and you don't have this, and let me tell you about all the data and no one's buying still. So just, I, I thought it was interesting. Um, so yeah, Well, lemme just jump in real quick and say that, you know, of all the sales calls as an MSP, I've been on probably 14 or 1500 and I've talked through probably five, 10,000 of them with MSPs over the past 10 years. It's so common where an MSP, although they might not be great at sales, they are great at asking questions about technology.

So they go in and they're saying like this, it's like, oh, that's wrong, that's wrong. I would do this differently. Like five minutes in, they're like, you know, who are these clowns? You know? And then they don't get the deal. Like basically the current vendor, everything they're doing is wrong and, but they don't get the deal. So it's because of what you're talking about.

It's like them knowing what's technically wrong has nothing to do with the decision maker making a decision, uh, of how that impacts their business. Now, that's in general, but now if we take it to just simply security, it's crazy that there's that gap, right? Because they have these real risks, Right? Right, right. But they're not attaching a value to that risk. Yeah. Yeah. And that, that's a really good point.

And we're gonna talk about, you know, the, the psychology today of the brain, but also then that article from Wall Street Journal on, you know, um, the most vulnerable, uh, organization. So let's get right into it. Lemme just give you a guys a touch of background. I won't read word for word, but I'll give you just the gist, the background and the biology. 'cause it's really important. And it says, assessing and reacting to risk is one of the most important things humans deal with.

Um, it's a, a function of the brain called the amygdala, and it's the oldest part of the, one of the oldest parts of the brains think, fight or flight lion or lizard. So, hey, you know, I've got to, you know, it is not a thinking thing. You're gonna die if you don't do something. So that's, that's part of the biology of the brain. The other part is where we come in as humans, it's unique to us, and it's something called the neocortex.

And then we've, it's been around for obviously several hundred million years. But, um, relative, it's newer, and this is a more, they talk about evolutionarily only appearing in mammals. It's, it's intellectual. It's, uh, it has intellect, analytical capabilities, but it's slow relative to the amygdala. So here's the first fundamental problem. We've got two systems reacting to risk, one's primitive and intuitive, and the other one's analytical and more advanced, uh, trying to operate in parallel.

And, um, the bottom line is it's hard for the neocortex, the newer one, to contradict the amygdala. So, um, lastly, experts used to believe that people gauge risks like actuaries, getting back to the data. Gary, right? They parse out cost benefit analysis, like every time a merging car comes close to you or the crime rate spikes that, um, you know, we'll do something about it just based on that data.

However, researchers have found that we actually use mental shortcuts in dealing with risk and measuring danger. So in that, um, the shortcuts play a much bigger role than we realize. So let's get into it. So, um, psychology of shortcuts for assessing risks, one involves novelty. So Gary, I'm setting up the first question, actually, the first question for Wes. So if we're conditioned to focus heavily on new threats, right? Think of coronavirus, right?

When it first came out, everybody's like, boom, now no one come down to Florida, no one's wearing a mask. And we have 9,000 cases a day. So, right? So looking for, it's looking for, we, we look for cause for new alarm. Um, this can lead us to obsess over the scariest reports. Joe, you probably see that, right? For the media, right? Why does the media talk about the most scariest things and worst case scenarios, um, making the danger seem bigger, uh, bigger still.

So first question, if security starts with ourselves, um, and Wes, how many ms, how many RMM breaches were accomplished with some incredible new threat that no one's seen before? So some, right? There's definitely some, uh, and we're aware of some of those. Uh, but you know, when we use the term zero day, right? You guys have heard that term before.

And what we mean by that in the official accepted like security definition, is some kind of exploit, or really I should say a vulnerability for which an exploit exists that is unknown to the vendor. The software provider. Now, if you think about the window of zero day availability, they're usually around very few short days, right? There's zero days of noticing, and it only has a short shelf life before which it becomes known, and all of a sudden it's being patched for.

So let, before I say anything, let me say, I do know, and there have been historically RMM breaches that have occurred because of a zero day, but very quickly that data gets published. So Perch and a number of other companies all have access to really good threat intel. And it's easy to see this being discussed on forums. For example, we have access where, uh, ConnectWise Automate is actually being discussed on several dark web forums where they're, they're talking about these things.

What happens is when one of those is found, what happens? They sell it to the highest bidder. That highest bidder is able to use it in all kinds of dangerous, nefarious ways for a very short period of time before it becomes known information is published and patched. Right? And so I'm not saying that we shouldn't focus on that, right? Right, exactly. Yeah, It's patched, it's published, theoretically Patched. It should be, right? It should be patched, right?

It should be handled if you're, if you have good patching regimen in, in the security vendor, the software provider is good at, uh, making sure the data gets out to everybody, right? But, so I'm not saying don't focus on those things, but I am saying, I think oftentimes we end up shifting towards that because it's a scary thing. But the common thing is much more likely. And the common thing is things like, Hey, I don't have good security hygiene overall.

And if I'm not patching for something that's known, I'm never ever, ever, ever going to be able to stop some kind of attack. Like, for example, take Equifax, and I dislike usually using like historical examples, but this one's very pertinent, right? So, uh, there was the, you guys know the Apache Struts vulnerability that came out? There was information around it, it was patchable.

If you talk to the security guys at Equifax, and I know some of them actually, they're no longer there, they will tell you why this is political, and there's a lot more to the story at the base essence of it, there was one machine, one server that was not patched, and that was the entry door, right? And so we focus on these zero days in these apps and these nation state attacks, and that is a threat.

But so much more importantly, Andrew, is all the normal things we should be doing for building a true security hygiene around a true security program. And that's really what we need to focus on. I appreciate that Wes, yeah, and that, that's really was the point. I'm not saying, my point wasn't that there's no zero days, no nothing. But how, again, that's where our brain goes. What's new? What's, what's the hot new thing yet?

The majority of breaches are things that are here that we could take care of. Um, Joe, so, um, you've covered, I think, every single, uh, compromise for the, whether it's the MSPs, uh, and MSPs on this, um, program here, or some of the biggest, like the, you know, the Wipros of the world. Um, has anything stood out to you like in these interviews as you covered them? You know, I, I think people have to, um, practice what they preach and, and, and here would be a prime example.

And, and, um, on the one, I'll start by saying I have a lot of respect for vendors in the industry across the board. You know, they're, they're doing some incredible automation. They're doing some incredible innovation, but they're, they're always preaching about, um, fire your worst customers. Um, make sure you have proper hygiene. And to Wes' point, so a a couple of trends that I've seen with these, with these breaches and or ongoing failures.

Let, let's start with the hygiene and then I'll come back to fire your worst customers. Um, hygiene, when we launched MSSP Alert, everyone assumed, oh, it must be about every MSP becoming an MSSP. No, that's not the point. To Wes' point, figure out your hygiene first, you know, put the legs on the stool first. Uh, the endpoint security, the, the, uh, business continuity, the, the patching and, and those basics, the backup and disaster recovery.

Once you have a, a good hygiene foundation in place, then maybe start going into the deep end, deeper end of security. But if you don't have the basics in place, you, how can you go into that customer and say, I'm now an MSSP, yada, yada, yada, when you're not even taking care of, of your house. That's part one, part two, from the vendor side.

As, as these vendors tell the MSPs to fire their worst customers, the vendors should have been firing their worst MSPs, and the vendors should have been, instead of fearing two factor authentication and enforcing it, and all the MSPs will push back, and we're a little nervous about enforcing it. Fire your worst MSPs and say, you just have to come up to these security standards for the betterment of the entire industry. I think we're making a lot of progress finally.

I think there's been real progress in the last three to six months on that, but boy, late 2019 was, was just a, not a good se, uh, situation at all, to say the least. Well, 2020 kicked off with a bang. It's been awesome so far. I missed it all. I've been home for six months. What happened? Yeah, So I put in a poll, uh, and I, and Joe, to your point about the basics, but I put in a poll and ba basically, uh, said, Hey, have you had an external pen test specifically for your RMM?

I mean, and again, I'd love for you guys to answer. It's, it's anonymous. I can't see who answered what. But think about that. Like Joe's published again in the last two and a half years, every single one of these, and again, it comes back to, uh, this psychological thing is, you know, what's new or what is, you know, relevant and doing the fundamental things.

Gary, um, you've helped coach a number of the MSPs through, uh, the breaches and navigate their way and, and helped a lot of of 'em come out the other side. Um, any commonalities that you found, um, on the narrative or what happened that you could speak to? Yeah. In almost all the cases, right? And I've been through a handful of them, uh, with people, customers, not customers who find their way to me for some type of advice after, after the fact, right?

And it's usually the business advice, like what to do, you know, kind of with the business. Um, I always ask them like, could you, knowing what you know now, was this preventable? And almost every time it's not. It is Wes, it wasn't zero day, it was after the fact and it was a hygiene issue. Um, then I see them usually go the opposite way. So now they go in, they buy every single tool, and they go so far, it's like, okay, whatcha gonna do charge $500 a seat?

Like, it would be great if they could have that, but what's a framework we can use to draw a line and say, I have, I know that my tools need to be 30% of my seat cost, and so within that, based on my target price and my seat cost, I know that I have $18 a seat to spend on tools and put 'em in order and draw that line and say, is that reasonable for my core offering? And so I see 'em going from one end. It's always a whiplash to the other. They usually end up in a great place.

And the funny thing is, they keep many of their customers or most of them. And do you want to know why? Why is that? Because I tell 'em when you go see 'em, who do you think you're safer with? Me, you or someone else who hasn't been through this? Yeah. Right. And they're mainly good people and they have good relationships. Um, and they also always tell their customers, look, I can't guarantee this would never happen again. No one can make you that guarantee.

What I can say is, based on my experience, now, you are better off with me than anybody else in this town, and that's what I can say. And here's how much more I have to charge you in order to, here's all the things that I'm doing now that I wasn't doing before. Yeah. So they end up, in most of the cases, they end up being better MSPs, more profitable MSPs, and they also can open up new business because now they, they can tell someone what that risk is.

They can make it more real to prospects and create more, uh, separation. It's, it's funny right, how that works. It is. I I'm gonna say something and, and Wes you could probably comment on this, is that, you know, again, reading this, uh, in, in the research they talk about, you know, Hey, there's a good chance if you've had a lion attack and survived it, you are pretty in tune with making sure you never have that happen again, right? I mean, what did you say? Lion? Lion, lion, yeah.

So you know, as a kid, so I'm, I'm a Florida boy, right? Uh, I didn't live there all my life, but as a younger kid I did, and I do now. And, uh, we caught a gator one time in, uh, a swamp near our house. Um, you know, he's about three and a half feet, stuck my finger out and he bit it, kinda learned a lesson there that I haven't forgotten, right? Yeah, Right. Yeah.

But, but, um, anyway, the, the, I guess just the point is, is, um, you know, because they've experienced it, because it, it actually became real, to your point, Gary, it's changed everything. And, and as, as I di as I kind of transition to the next part of the question, interesting, I don't know if you guys can see the survey, but, um, the poll results. So I asked, have you had an external pen test specifically for your RMM, right? 23 nos, one yes. Yeah.

And, and there's a reason why the answer to that is no, right? It might be included in the scope, especially like a web app scan, right? And it's running like MySQL in the back and they do the normal things. But pen testers don't know MSPs and pen testers don't know the MSP space and pen testers don't know RMMs.

And we're seeing this at Perch, uh, the same kind of thing where you look at some of the attacks, they are very, like, especially a lot of the ones that you've seen published recently are like SQL injections, things like that, that are kind of universal. We just don't see it included in the scope because we don't see a lot of, uh, pen testers really understand the r the the RMM at all, right?

And so this is something that does need to happen, and we need to, as a group together, and this is one of the things cyber calls all about, is pushing pen testers to understand this. And let's recommend those that understand the RMM and understand MSPs as a whole and can focus on them. I think that's important stuff. So, Wes, I put it in just to follow up, just to, to your point. I, I just said, Hey, have you had a pen test period? Let's see what the answers are there.

So, okay, moving on, let's jump to the article. You may not have got, I said, I'll send it to anybody. I downloaded the Wall Street Journal article entitled The Industries Most Vulnerable to Cyber Attacks. And I'm gonna read an excerpt. It says A number, a number of important industries are dangerously vulnerable to cyber attacks.

Small businesses are far less prepared than big ones, and plenty of companies aren't taking basic steps to improve readiness, leaving them exposed to breaches that can threaten their very existence. Um, Gary, as you like to say, they're talking about everybody else's small business, not, Um, So, um, Gary, you've been hammering home over the past three weeks or so, two, three weeks with Wes. Uh, we, you know, the narrative is WES thousand employee company.

How many people specifically would they have in their security department? Somewhere between five to 10. Um, and, and you know, is an MSP supporting a thousand, as we know they have zero dedicated. Um, so here's a question. Um, will MSPs need to dedicate security roles into their business models the way they have with like vCIOs, net admins? You know, going back, Gary, you know, in '05, '06, you know, those things didn't exist. Today everybody's got a vCIO per se.

So your thoughts on that? I, you know, I we're, I don't think so. Here's what I think. I think that they have to have a relationship, right? With a company that has that knowledge. I don't know that an MSP can afford or attract the talent that they would wanna have, and then they would only have that talent, you know what I mean? So I think it's more what, and I would love to hear Joe's thought on this.

It's more having that hygiene and process where the things like, you know, Wes was saying security department does some things for those big companies, but a lot of what keeps 'em secure happens at the outside that department with what happens with hygiene, with the way they run it. And that's kind of the way that I'm seeing it. I call it a security first MSP, but I would like to hear Joe's thought on that. Yeah, listen, I agree. And I, I think it's dangerous.

Um, I think it's dangerous for MSPs to, um, some of 'em are even premature. They don't hire the talent and they, the, the CEO positions himself or herself as that virtual chief security officer, uh, he or she may not have any business positioning themselves that way. Um, they don't have the depth.

It's sort of like, imagine if you're, if you're a, uh, if you're a customer and you walk into your dentist and he or she has rotten teeth and, and now they're gonna look into your mouth and give you some advice on cleaning your teeth and everything else, take care of your own teeth first. I think the MSPs really have got to go and, and do a, a self checkup and, and get some third parties to do a checkup. These pen testings we're talking about.

Um, get the hygiene in place and then partner up where you need to. I, I think partnering is gonna be incredibly important in this market. Very true. Yeah. I, again, I don't know how you have an MSP today and don't have a relationship, um, with a, some, in some form or another. Like you said, Joe, once you, once you have an analysis of some type of security vendor, like there's just too much to know and it's moving too fast. Yeah. Yeah.

Wes, you probably could speak to that being, I mean, a pretty big dedicated company just to those roles. Yeah. You know, um, something I can think about when it comes to this idea of like, you know, practicing what you preach, it is true that confidence comes in repetition. And so if we're not practicing security internally, Joe, just like you said, I'm gonna struggle with becoming comfortable in discussing it. So that's one thing. The second thing too is go look at your market.

Like, here's a take home for you. Go look in your market at your competitors, how many of them are truly cyber enabled? And the way I would define that are not just looking at their service portfolio of what they offer clients, but like, how much are they out in their market? Do they do things like mentioning and talking at the chamber of commerce? Are they active in LinkedIn? Are they doing things in front of your community that says, wow, that person and that MSP really gets cybersecurity?

I bet for most of your competitors the answer is no. And you may be thinking, well, I'm also a no. Right? Well, how do I start that? How do I become known as my practice becoming cyber enabled in a cyber first MSP? Well, start doing it, right? It does start internally, dogfooding first as we've been talking about, but then it gets into the community. And just like in marketing, steal a page from your marketers.

You guys know that term drip campaigns where we just slowly drip things out and we don't just like throw it all like a fire hydrant at somebody. That's what you need to start doing. So how can I start a drip campaign of cybersecurity? Start with small things. Start with easy things, you know, you can win with, and you will build confidence, you'll build understanding, you'll build brand awareness and marketing awareness, and you're going to start seeing that grow.

And I'm telling you, that works really, really well. We did this at the bank that I came from really starting adding in cybersecurity as a business enabler. And so we started doing things like, hey, as a bank, we're, you know, definitely cyber first. Most banks are. Um, and so we started doing that out in the community, and we started doing lunch and learns around all these things.

And before you knew it, we started getting, not 50, but hundreds of people coming to these events, wanting to hear what our bank was teaching them about cybersecurity, which then results in people saying, well, what bank would probably do a good job securing my funds, Wes' Bank? And I'm telling you, it worked really, really, really well. So those are some take homes, I think you can start with and just remember, it just begins with a single step, right? So just get it going.

I love the, uh, Shia LaBeouf meme of like, just do it, right. Let's just do it. Good deal. Okay. So, um, Joe, this next excerpt, excerpt from the article's for you, and it says, even today, um, after so many documented cyber incidents, some lag behind in their preparation, or worse, they kneejerk, uh, uh, they, they react in a kneejerk way to today's incidents with no vision strategy to address tomorrow's.

This comes from, uh, an Alan Levine, chairman of the Carnegie Mellon, uh, Chee, their CISO. Um, uh, and, and, and so Joe, the, the research suggests that news by definition is anomalies. Um, you know, the trends are, Hey, the airplane crash. And everyone's like, wow. Yet the automobiles kill, you know, by far, you know, far, far greater.

So can you talk us through, as a journalist, um, with the journalist hat on, you know, um, why you feel it's the case and what, is there something the media could do? Because it's, you know, it's just become now everybody Yeah, we hear it over and over, yet the research shows we we're in the same place. Listen, I, I think, um, I think as a species we tend to complicate things. And I'll give you a prime example. Um, how many of us will go on crazy different diets? We've all done it.

I've done it. Um, when, and, and, and all these different routines to maybe get in better shape, maybe lose some weight, when, when really what it all comes down to is cut your calories and increase activity, you, you know, you do those two things and there's gonna be a dramatic outcome. I think the media, myself included, sometimes, you know, we, we complicate it with these lists of 500 things you gotta do to get cyber ready, blah, blah, blah.

Well, what if you just did to Wes' point, get the four legs in the stool, right? And, and you get your hygiene in place, yada, yada. Good, good start. What further complicates it, I think are, um, the good news and bad news is Silicon Valley is constantly innovating. And one of the ways they wanna show that innovation is, um, 10 times a day, no less. I'll get a, a new research report about a new threat. And oh, by the way, here are all the stats around this threat.

And, and, and by the way, we have a brand new tool that'll solve for that threat. If you're the reader and, and the journalist, if you're anyone, that repetition of, of, of message, it becomes background noise. It's, it's just, it's just current and you don't hear it anymore. So you basically let your guard down and you get nailed. Yeah. Okay. Well, and it plays into the whole psychology. Yeah. We're de you get desensitized to it. Yeah.

You know, know, the frustrating thing for me is like, I can meet an MSP, ask 'em like three or four questions about how they're set up, their revenue, their seat price, how many people on their support desk. So I know how reactive they are, and I know how much risk they're at and how much their customer's at risk.

And there's just, there's part of this is a math problem, the same way it's a math problem for a thousand person, you know, company, they have to have certain amount of budget to put towards hygiene and, you know, and security. If they don't get that budget, they can't do it. Same thing for an MSP. They have to go to their customers and get budget. And it's not happening today, even at $150 a seat. It's not happening, right? Just the math doesn't work.

When you see tools, cost, support, costs, all the things that, that go into it. And so once I see people start down the road that Wes is talking about, they start to understand it. They start to build their self image, you, their culture changes, sales becomes easier, going back to their customers and asking for budget becomes easier. It becomes who they are, and they realize what seems so difficult is easier. It's easier than what they were living before.

Everything in the company becomes easier. It's just associating the risk that they have and their customers have and making it meaningful to them to start down that path. It's really hard when you come in every day and there's 50 more tickets and two more projects that have to be delivered. It's a very noisy business. And because of that, it it's, it's hard to change the model in the beginning.

Well, Gary, just, this is just anecdotal, I'll just throw it in there and, and, and continue to move things on. I know we're already at a half hour, but, you know, I've got a relationship with some of the, you know, best MSPs, um, in the financial, you know, the hedge fund alternative market financial markets. They get three, $400 a seat All day long, All day long. And now granted, they have a very different model.

Like, you know, how they, the identity and access is enabled and everything, you know, comes through them without getting into the technology. But to the point, like, when the risk is understood, when the reregulate, when there are reg, when there are rules and regulations and on and on and on, it, it, it's really interesting the, the difference. So anyway, um, Wes just kind of closing this out.

You've been through many boardroom meetings over doing this, you know, can you share the psychology of what it's like, or as I would imagine you've witnessed kind of the hypocrisy of what decision makers think, uh, thinks important versus what actually is. Um, can you give insight as maybe both the professor, maybe not, people don't know that, but you're a professor and, and a practitioner, uh, Inside. Yeah. Yeah.

So, uh, I am an old school recovering banker and I'm also a recovering professor as well. And I still teach some adjunct classes and serve on, uh, two university boards for their cyber education programs. Um, but, uh, all of that being said, one of the things I've learned over the time as a CISO is it's also my job to be that educator. One of the reasons I think I've seen success as a CISO is I approach it as an education per first opportunity, right?

So when I walked into the bank, uh, this is the first time they were dedicated to cybersecurity, and they said that they were, but the budgets weren't there, the time wasn't there. The buy-in wasn't there. And so, you know, there's two reactions to that. One reaction is you throw your hands up and say, oh, they just don't get it. The other is to like, you know, strap up your boots and go to work and get dirty and get this thing going, right?

What I mean by that is not like playing dirty, I just mean like get in the trenches and, and take it as your mission to say, I'm gonna educate my, my decision makers. And I'm going, and this goes back to what I mentioned before, that drip campaign of slowly getting people to understand and getting 'em to turn their attention from what they think is important to what is important. So you see this all the time, right?

I remember in the early days sitting in the board meetings and, you know, all they wanted to do is see the pew, pew maps. And all they wanted to do was like, talk about, you know, Chinese nation state threat actors, right? And I'm looking at major issues that are in front of me that actually need to be handled, that require a budget and change. And so what you can't do is just run in there and just say, we gotta do all these things.

Everything's gonna go to, you know, you know, wear in a hand basket, right? We can't, can't do that. Instead of, our job is to change and shift that focus. And so we can do that slowly. And we've talked on cyber call a lot about how to do that using things like peer analysis, using things like talking in terms of risk, using business language to do all of that. But these are things that do take time, it takes effort. It is that drip campaign, but it can happen.

And I'll leave you with this one example. I remember sitting in my IT steering committee meetings at the bank. And so I was the chair of that, uh, that group. And what I started doing at the very beginnings of those meetings, a little five minute security article, some kind of article of some notable event that was important to the bank for some reason. And I would always just say, Hey, I wanna start with this news article, 'cause it's really interesting.

And I did that for month after month after month. My president of the bank was in on our IT steering committee, because this is an executive level thing. And one time he interrupted me and he just said, Wes, stop. He goes, everybody that knows me knows that I am a banker. All I care about is asset quality. What's our asset quality? If you guys know anything about banks, it's what they really care about. And he goes, you know, today, he said, I think I'm changing my mind.

He said, now I think cybersecurity is more important than asset quality. And he kind of paused and he looked around my CFO was like, dumbfounded, right? And all of a sudden he's like, the light bulb went off, right? I didn't know it was gonna happen. I had no idea when it would happen, but it happened.

And for the rest of my career at the bank, I had so much more buy-in because he understood it, and he got it, and just that slow drip of not pressuring him, just getting him to understand it, continuing to talk about it, and boom, some amazing things happen, right? So it's not gonna happen that way every time. Just as an encouragement for you to think about, Andrew, just some thoughts for you. Yeah. But Wes, we have 30 customers. We have to do that 30 times. Yeah. Right?

We have to do it 30 times. Yeah. So again, the same way you have to have a process, but that exact relationship, first off that you are running a, a strategic meeting, number one, and then two, that education has to happen with an MSP. And so like, uh, you know, Joe, and that's why kind of what you're doing is really important, like a place in our industry, right?

Where people can go and see what's going on and be up to date and, and, you know, kind of create, you know, create that awareness, right? Yeah. Hey, listen, I think the awareness is important. Um, but here, here's the irony of in all that, Gary, I think you hit the nail on the head earlier in terms of this is all a math problem.

Um, and I think one of the big challenges I have as a journalist, and readers have as MSPs and MSSPs, is let's go chase the next dollar of revenue. But they haven't done the math problem. You always talk about getting visibility into the business, understanding their current profit margins and everything else. Optimizing for current profit, optimizing for current cost, optimizing for current risk, closing the risk.

Once you do all that and, and you feel like you're in good shape now go chase growth. I, I don't think people are doing the first half. I think they're chasing the next dollar, The next dollar before they optimize the business. I'm with, listen, you, you, I, uh, I watched the webinar you do with, uh, you know, Paul Dipple, right? And when you talk about, you know, the bottom 25% of the marketplace, um, and that's people that respond.

So it's probably skewed in the wrong direction, but the bottom 25% are at or below, uh, break even after an owner's salary. Um, the mean is like 8%. So I'm gonna make an announcement: at 10% net profit, you're not secure and neither are your customers, yeah. Doesn't work that way. You don't have enough profitability to make the investments to get ahead above the noise, to build the culture, right?

And so this is the hard part, you know, working with so many MSPs, they really are passionate about their teams and they're passionate about their customers and they're knowledgeable. But there is this math problem that exists when it comes to security and other things, right? Building strategic relationships, security, all these things that SMBs need right now.

Um, we have to get that moving and hopefully we're trying to do both on the cyber call, what's happening with security and what you need to do to actually operationalize this to make it real in your MSP of any scale, Gary, it's almost like, uh, and Joe, you, you both are kind of saying this, um, it's always the boring stuff and the fundamentals, when I say quote unquote boring, and you know, I'll give, give, you know, give a overused analogy, right? So Belichick just picks up Cam Newton.

He's gonna have a legitimate shot finally to win a Super Bowl, not because of him being Cam Newton, but guess what? He got plugged into the Patriot system. And so the analogy I'll use with you, Gary, is why do so many people wanna do sales? Because it's numbers, it's boring, it's process. But you take your top 20% of your MSPs, that's where all the money's made, right? Yep. Yeah. So, absolutely.

Alright, time-wise, I know we're, uh, you guys, are you guys good on time, you know, Gary, Wes? Joe? I'm good. I'm good. Got my family coming through occasionally. I'm good. Alright. You guys out there okay with us going a little long? Um, yeah. Okay. They're saying okay, Wes, 'cause I got something I'm gonna post. Um, so just, um, some key findings from the survey. I'm gonna put up a table.

Um, again, by the way guys, if you want the article, just send me an email, Andrew at Code Red MSP. I'll send it to you from the Wall Street Journal if you don't have a subscription. But it talks about, um, organizations aren't necessarily prepared for the threats they're most concerned about. Ransomware is highly concerning. However, with 80% viewing it as high risk, only 70% felt prepared.

So, you know, and shockingly, um, manufacturing and government and retail were the least prepared. I know we all feel a lot better about that. Um, and so I'll just put in a quick anecdote. We'll have, ideally, Ryan Bonner, I sent him something, he's an expert on CMMC, like one of the nation's best experts. We'll have him on to talk about manufacturing and why the government, you know, all of a sudden decided to flip the switch.

The DoD decided to flip the switch on the supply chain because of this. Um, so, um, small businesses, as we said, lag behind large ones, uh, 63% of the companies under 50 million, et cetera, you'll see in the table. So, Gary, the research suggests that when you encounter a potential risk, um, your brain does a quick search for, you know, past references.

Like, and, um, if you can pull something up right away that, you know, it's got an alarming memory, like I said, the line, but you know, there's a threat, the danger's high. So the question is, you know, you're familiar a little bit with the sales methodology, the Challenger Sale. How do we use this to better engage prospects and customers now that we've started to identify, you know, these key psychological things about how humans, you know, judge risk. Yeah.

So look, I think if you can, you know, it's so funny, we've been doing these calls and you hear how Wes worked with his board, how he did that.

And so I think it, it's so parallels, and for me, I think it's, as you start to build process, right, and roles and understand it, when you start to get in front of a prospect and you can start to explain what you're doing, and they put a gap between what you're doing and what's currently happening, you learn how to ask those questions, that's when they start to assume outcomes.

Because other than that, if they've been in business for 15 years and never had a breach, you know, security's not a problem until it is for them. So you have to have a way, and it's not just, you know, part of it is stories about what's happened to other people and what we know, but part of it then is understanding what you're doing, right? To make your approach tangibly different, right? Then what you're experiencing.

And that to me is where that gap starts, and how you start to educate people. Yeah, absolutely. Um, and to your point, I think, you know, when you find out what they're doing today and start to calculate, there's no way they could be secure, as an example, if they were only paying x. Is that your point? You know, understanding the roles. Um, so, uh, yeah, sorry. No, that's it.

Go, I posted, you know, this, uh, this table out there and, um, you got a chance, I hope to look at that a little bit about, um, you know, how, you know, outlining threats based on size, the organization, and you know, what, what are your thoughts on the findings? You know, you'll see that, you know, often the small organizations, you know, as I said, they would see a risk, but then tend to be unprepared for it. Any, any thoughts on, on the analysis of that, of, of the findings?

Well, this is Joe, I, you know, I got a couple of thoughts in terms of, I guess, can you still hear me okay? Yep. Wes, did you not hear me? No, sir. Yeah. Um, I was just gonna say that I think some of the challenge is data overload.

You know, we, we get infatuated with numbers, so we throw, we pepper people with data left and right, left and right, and we think we're impressing 'em and, and just nailing them with, well, now they'll buy it because they know x percent of risk and yada yada. But, you know, Andrew, you kicked off this call by, by quoting from the Wall Street Journal. Now in, in this, in this age of misinformation and, and what's the truth and what isn't?

Wall Street Journal is a pretty good source of information, right? Security coverage is now in the Wall Street Journal every day. Like yeah, nonstop, nonstop. I think, I think our, our viewers and listeners have to take it to the next level. If you're going into a healthcare company, you figure out who the most reputable source of healthcare news is, and that's when you go in and say, here are the three organizations that got hit in your market based on the publication you read every morning.

So whether it's healthcare or financial services with the Wall Street Journal, et cetera, I think you just have to bring it back to that person. And, and to your point, if, if that person is aware, they have a, they, they've already aware of the company in their industry that got hit, and now you're the MSP reinforcing that awareness, you've just strengthened a relationship and a conversation about the risk mitigation they're gonna have to do together.

Yeah, that's an excellent, excellent point. Um, listen, it's no different when we go back, this is exactly what I had to do in my MSP around backup. When data had outrun the ability to back up, right? It had outrun it, and our solution worked great at $22 a gig. Okay? So think about that. And that's kind of where we are. Security is $22 a gig right now, right? Because everybody should be spending that same $400 a seat, Wes, right now if they want to really be where they should be.

Um, and so it's the same conversation and maybe over time that, you know, like it did with backup, like you said, there's a lot of smart people, a lot of fingers on keyboards trying to solve this. It will, it will come down and, and make it easier, right? For, for it to, it has to change at some point. We can't go on in this situation where the bad guys have such an advantage over SMBs and it's growing. Their advantage is growing. It's not shrinking.

They're getting, they're more mature and getting further ahead than the poor MSP and their customers. So something's gonna have to have to give, in the short term, it means there's a percentage of MSPs, probably 20, 25% of 'em that are listening to all the things we're saying, and, and they're creating this huge opportunity right now. They're growing faster, uh, their margins are better, everything is better for them, um, over time. Hey, Can, can I ask Wes something?

Um, I, you know, I almost think there's an irony here that SMBs are laggards when I think they could be leaders, you know, um, and the question's for Wes, but I'll start with a point I think I've heard from Gary over the years: if the MSPs are going in and telling small business customers to standardize on this stack, you know, it's this vendor for laptops, it's this vendor for email, and you shrink the stack, you can do that much more quickly in a small business than you can in a sprawling enterprise.

And then in today's cloud age, you can go find security solutions in the cloud that can now be the umbrella over that stack. So, Wes, do you see a time when small business will actually be a leader in security rather than a laggard?

I, I think there, I think there are small businesses now that are leaders, like, uh, Joe, one example, going back to banking, I don't mean to oversell and overtalk banking, they've got problems on their own for sure, but look at how many breaches you see happening to a community bank. And those are SMBs, right? Right. Most community banks are about a hundred employees large right now.

Most of them granted, or some of them, and maybe half of them have managed IT services, uh, from outside, but half just don't. But look at how they're doing, right? So I think we're already there that it can be done. It is being done. But I think, Joe, you said the right thing. It's about standardizing and it's about truly getting MSPs operational on this.

And Gary, I know you can speak to this too, like one of the questions, Gary and I speak a lot at different places, and Gary, you'd agree, one of the things we hear the most from MSPs is what goes into the stack. Even someone even act actually asked this in the, the q and a section today. And it's a good question. I'm not demeaning, it's a great question. What goes into the stack? How do I standardize that? What goes into it? How do I build the margins on top?

And then how do I make that operationally deliverable to every single client, right? So it can be done, it is being done, there's evidence of SMBs doing it correctly. It's just getting there and figuring that out and getting comfortable. Gary, wouldn't you say that's really the process? Yeah. If you think about SMBs, Joe, like in manufacturing, there were some, you know, when, when manufacturing was really changing, right?

Implementing lean, there was actually a lot of SMBs that led the charge on that, right? Because they were smaller, more agile, and that was their, um, you know, that's their domain expertise. But when it comes to technology, they only go as fast as MSPs will take them. And what we've learned over the past 10 years, MSPs are very slow to change, right? Very hard to change the business model. Very hard to get to the things you're talking about, Wes, right? That's why we're here, right?

We're here to help hopefully help and give them some guidelines. And Wes, I don't think they do it overnight. We're trying to get them to, like you said, edge in that direction so that a year from now they're much further ahead. And then the further you go with, you know, whether it's building strategic relationships or security, the further you go, there's a point of critical mass where it gets easier, right?

Um, because your culture is in place to the point where you can start to get further down the line, and you watch that happen, right? With your customers. Yep. This is a hundred percent why we're doing the cyber call, is to enable all MSPs to get to that standardized process. Some will be further along than others, some will have different clients that are just on the higher edge, closer to that three, $400 per seat. Some of us won't. That's okay. Yeah.

But the goal is getting us way further than we are today. And it's like speaking another language. It doesn't just happen overnight. It takes repetition, it takes practice. Uh, and that's how we get there. And so, again, you know, that journey of a thousand miles is a single step Chinese proverb holds so true today that this is how we begin it. This is why we're doing the call today. So I'm gonna start to wrap things up. If you have questions, throw 'em on in.

Jeff mentioned something that literally, I was thinking, um, he just threw it in chat, frameworks out there help a lot. And you know, Wes, you just said banks, right? You know, relatively, right? Banks, you know, are leading the charge. Let's just say in theory, leading the charge. And that Wall Street Journal article, guess what? Healthcare was the best. Well, think about it.

Who's had the carrot and stick for the past X amount of years, let's just say the past 10 years, whether it was HIPAA, whether it was the FFIEC, right? Right. Where if you didn't do the audit and you didn't comply based on a framework, thank you, Jeff, for throwing it out there, to get your home in order, there were consequences to it. The problem is, for everybody else that isn't regulated, there are no consequences right now.

Um, you know, and like I said, you're gonna see it in manufacturing. That's why you're seeing CMMC come at this industry. So, in wrapping things up, you know, it's pretty clear, um, Wes, that, you know, uh, data and facts and FUD tend to be, you know, missing the mark, um, humans, um, you know, being, uh, poor judges of risk. What advice might you give an MSP, um, you know, when they're coming to focus better on their sales craft?

So if you were still a CISO and they're calling on you, what, what advice might you throw Out there? So, uh, I want to come back to Joe, one thing you said, because I thought it was really wise, um, which is, it is okay. And probably a good idea to start with this idea of at least understanding two or three, maybe just one or two industries, right? Like, say, I really wanna serve healthcare. I wanna learn healthcare. I wanna know what they're all about.

I want to understand everything about what, you know, HIPAA and HITRUST is about, and how we build a program that is going to message to them in a way they're gonna listen to. But I also wanna become educated. I wanna be able to walk in the room. And even if I don't do the deal today, they still think, wow, that MSP really understands healthcare, and they really understand the predicaments.

And ultimately, at the end of the day, they can help me not get my name on the HHS breach list, which by the way, is a public list if you guys have never seen it, right? And so I do think that's an important thing to start is, don't think about how do I just, you know, eat the elephant, you know, one elephant at a time. It's one bite at a time. So picking an industry, picking something you know you can tackle and you can work on.

And building the messaging, building the buy-in, building the clarity, all of those things that Gary, you mentioned earlier, and how you enable your entire team, your vCIOs, to do all that and have those strategic conversations, those are the things that really start building the security practice. Those are the things that eventually get you to build the client uptake and people that are gonna say, yes, I do need this. I want this. This is where you start.

And so those are the things that I would simply recommend on top of eating your own dog food and making sure that you are practicing what you preach first inside your own organization. That's how you start. Gary, any thoughts closing? Yeah. One, yeah. Uh, MSSP Alert, uh, go check that out every day. I gotta give a plug to Joe. Um, but also when I think about it, you know, so we have a hundred companies right in our peer group, and a lot of what our focus is, it's MSP obviously in our framework, but more than not, it's getting people to understand where they want to be, to be able to figure out what are the steps to get there, to look at their business. In 13 weeks, four 13-week segments, in getting something done. So breaking it down into pieces, and that's including this, that's how you get it done. 13 weeks at a time, knowing what to do, right? And then having the accountability and a system to be able to get it done.

So unfortunately for MSPs, they want to be more secure and they want their customers to be more secure. But like you said, Andrew, the boring work is, it's basically discipline around business planning and command. Joe, um, I'm gonna let you take it home for us. And, you know, if you put your small business hat on, you know, how do you look at, you know, security from your lens and what you're willing to spend? And I, you know what?

I will actually connect the dots between Gary and Wes, and here's how I would connect the dots, um, for those, most people know this, but for those who don't know Gary, he often talks about the chocolate cake and the ingredients, right? And as a small business owner, I practice that every day, okay?

What's in our cake in terms of what we're gonna consume as IT, what are we gonna standardize on in terms of our desktop hardware, our software, and our subscription services? That's the cake, right, that Gary talks about in terms of what the MSP's gonna deliver. I think you look at that cake and you say, okay, well what are we baking in to make sure these layers of the cake are secure?

And then to extend it to Wes's world, there's gonna be a portion of that cake that the MSP can bake in, in terms of security. There's gonna be another piece where the MSP says, well, I'm offering that layer of technology, but I don't have the security know-how for it. So at that point, I need to figure out co-managed services and I need to find another baker, someone who's gonna make sure that that layer of the cake is rock solid.

And oh, by the way, maybe they're gonna put icing around the whole thing for me and do co-managed. So, I guess my takeaway point is this: I figure out what I can really do on my own. Then I figure out, you know, what are co-managed security services and what does that mean in terms of what I'm gonna keep and what I'm gonna hand off to the MSSP or the co-managed provider. You good? That's why it's Joe Panettieri right there.

Yeah, I just repeat what everyone else tells me, basically. Hey, uh, question here, Joe. Question here in closing, Mark, I forgot to ask this last week. I apologize. Mark said, you know, is there any cybersecurity book that you'd recommend, and anybody by the way in the chat, um, that you would recommend, uh, to Mark, anything come to mind? Matt, coming up, which one is it? Wes and I put it on my list to order it.

It's come up like three or four times. Do you know what that one was? Uh, where was this at, Gary? Yeah, it's come up in chat. People have recommended the same book three or four times. Yeah. I don't know. You know, it's funny though. So this is the educator in me, right? I've read so many books and there are some really, really good ones that are out there. Often I find my favorites are very, very specific, um, and probably not great as a generalist.

In fact, I've got a book, uh, it's not in front of me right now, but it's upstairs, it's a, you know, a very specific book called The Tao of Network Security Monitoring. It's an old book. It's by Richard Bejtlich. It's one of my go-tos. It's where I cut my teeth, but it's not a book that I think most people on this call would have any interest in. Right?

Uh, so I do think, um, these days I don't read cybersecurity books as much as I'm always paying attention to news sources, like Dark Reading and, uh, BleepingComputer and others. That's really how I try to stay up to date. And then just private threat sharing groups that I'm a member of, that's really how I stay up to date. Um, books, you know, gosh, I just find the journalist books. I'm looking for recommendations too. How about that? Awesome.

Alright, so let's take us home. We went right to just under the top of the hour. So first, Joe, thank you. And we'd love to have you on again. You're awesome. Well, thank you guys. You know, you are the educators and I merely sort of connect the dots between what you say and hopefully share it in an informed way with our readers. But without you guys, I don't have content, so thank you. Well, we can give you lots of that.

Gary, always great to have you with us. Anything you'd like to close out with? No, just this was a good, I'm glad we got a chance to kind of shift gears today and talk, you know, some really theories and concepts so that people have a deeper understanding. So, uh, really good job today, Andrew. Well, thank you guys. Wes, Joe, all I wanted, I would just wanna talk to Joe. Joe, thanks for joining, uh, your insight truly is awesome.

And you're even seeing this in the comments, people want Joe back. Joe, if you'd like to come back, we would love to have you. It is an open invite. Thank you so much. Yeah, John, appreciate it. I appreciate it. And maybe I can arrive with a pool in the back with, uh, someone jumping in next time. And tell Amy we'd like to have her on. We could have her, you know, maybe, you know, somehow pulled into this whole thing as well.

Well actually, um, so Amy, for those who don't know, Amy is my business partner. She's CEO of the company. So I'm sort of the pretend CIO who doesn't know enough about technology but still runs it, and I call her in a panic about IT security all the time, and she gets the budget to make sure we address it. So there you go. Alright, well everyone have a fantastic week. Thanks as always. Send ideas to, you know, Andrew at, uh, Code Red MSP, if you have any.

Invite others and make it a great day, everybody. Take care. Hey, thank you guys. Take care. Take care.
