Right of Boom
September 30, 2024

The Cybercall: Data Governance at scale with CIS

As Q4 begins, many Managed Service Providers are focused on closing out the year strong—but now is also the perfect time to sharpen your data protection strategy. On a recent Cyber Call, we explored the importance of CIS Control #3 and why it’s essential for MSPs to prioritize it moving forward. Data protection isn’t just a technical task—it’s a business-critical function. Today’s data is scattered across cloud services, SaaS applications, mobile devices, and remote endpoints, creating a vast and complex attack surface. For MSPs, this means stepping up your role as both protector and advisor.

The risks are high: data breaches can cause severe financial and reputational damage. Yet, the challenges remain. Many SMBs lack clear data governance, have no formal retention policies, and store data across unmanaged systems. To address this, MSPs must help clients build a strong foundation starting with data governance, classification, access controls, encryption, and secure disposal practices. It’s also vital to conduct business impact assessments (BIAs), inventory all data assets, and understand data flows.

One overlooked advantage lies in clients’ contractual obligations. Reviewing anonymized contracts can reveal built-in data security requirements, which MSPs can use as a roadmap to demonstrate value and tailor services. Tools like NetX and platforms with built-in automation can help streamline this process. Cloud-based environments such as Microsoft 365 also require specific attention, particularly around sharing defaults and access controls.

Ultimately, data protection isn’t just a checkbox—it’s a path to revenue and deeper client trust. By implementing CIS Control #3 with precision and aligning it with your clients’ business needs, you position your MSP as a true strategic partner. The opportunity is clear: protect data, educate clients, and monetize your expertise.

Guests

Andrew Morgan

Video Transcript

All right. Happy Monday and hard to believe we are in the final day of Q3. Nick, can you believe it as an ms, both you and Bob as MSPs, we are heading into Q4. Uh, this year has absolutely flown. Um, so, um, you know, I was reading something Gary Peaker published. Um, you know, it's like it's selling season and it is time. I know from a a, a revenue side, Bob, do you feel kind of some of the, the, the pressure, uh, uh, to, to, to bring in the, the bacon this time, uh, the year?

How are things going for you guys? Y you know how it is. And Nick, Nick can tell you your fourth quarter is really made by how well you do in the second quarter. You know what I mean? Yeah, yeah. Because that's just kind of how it works, the lead times and everything. So if you do the right amount of work, then yeah. Um, then you'll get here.

More importantly, though, is during this holiday quarter is you gotta push really hard because this is gonna dictate what your third quarter next year is gonna look like by how much you hustle right now between now and end the year. So that's kind of how that cycle worked for us. Yeah. Yeah. How about for you guys, Nick? Yeah, same thing.

Big push for strategic technology assessments, STAs, what we call 'em internally, but, you know, just a bunch of VCIO concepts of, of trying to get ahead of that conversation 'cause nobody wants to hear it in December. Um, so it's like, you know, this is our month, uh, to really tackle that and get set up nicely for the next year to execute. Awesome. Hey, by the way, can you all of you, uh, hear us out there? Um, uh, I, Nick, I try and stay away from the STDs, but the STAs sounded okay to me.

Um, all right, welcome. Uh, and, and, and just make, see if, if everybody can hear us okay. Um, Yeah, I don't see any messages. Yeah, that's what I'm wondering. Really quick here. I know we're live. Just wanna make sure, uh, hello. Gary's not here. That's what it is. I know. 'cause normally there are a lot of messages saying, hello Me. It's, oh no, we gotta fill in now. It's not gonna be worth it. Yeah, okay. We can, yeah. Okay, great. Eddie, thank you for letting us know.

Um, and we'll give it a few minutes here as, as people start to trickle in. So, um, you know, I'm gonna set the stage and, and then we can, you know, do some intros. Hey, deley, great to see you.

Um, so last week, um, you know, Nick, and, and starting off, we, you know, we, we talked a little bit about the, uh, what happened with the UK, you know, shutting down, um, uh, LinkedIn's use of LLMs and, and, and we had Brian Blakely on who's, um, you know, you know, you know, top notch when it comes to data and privacy. I don't know why I'm getting some feedback, but I am, yeah, I'm hearing an echo. Yeah, I dunno where it's coming from, but, uh, let's try and I think it went away. Alright.

Um, so, uh, it, it transitioned and, and Brian really kind of, I think nailed it when he started to talk about, you know, looking at data from the standpoint of how MSPs, um, should be looking at their customer's contracts.

And he basically, in kind of paraphrasing him, um, you know, Bob, he was saying, you know, there's a treasure trove of, you know, work and revenue packed in those, you know, your customers have signed up knowingly or unknowingly for a lot of things around data privacy, data retention, uh, data, um, uh, uh, uh, uh, you know, getting rid of data, data, sorry, data disposal is the right term. Phyllis in CIS terms, right? Um, and, and so that it was really, uh, he really unpacked it really well.

I don't know if you got to to catch any of that. Bob, uh, you're on mute, Bob, I think, Yeah, I'm a, I'm a, but I'm a huge fan of Brian. In fact, he and I are gonna be talking about that whole data processing, um, officer, sort of a, that's something we're gonna add here. So I wanted to talk to him about it and, um, go through that.

But yeah, he's, Brian's always man, he is a wealth of information and it's, you know, and I tell our people here, yes, we're, we're good at the physical layer, but this is up the application layer. You really need to think these things through. And so you need people like Brian to kind of illustrate, um, you know, the box around what that target really is and what the goals are. So, yeah, he's great. Yeah.

And he did such a good job of, um, what I Phyllis you, you weren't here, but what I love about Brian is, you know, you know, he sits there and, you know, virtually role plays, right? The conversation. And you, you're sitting there listening to him because this is the conversations he has with his customers and the, and they're, you, you never hear him start to talk about the tech, right?

It's business and tying risk to what business leaders, owners, the people that have the ability to spend money care about. And, um, so that, that kind of transitions us to today, I was speaking with Kelvin Gellar, one of our favorites, who's on the, on the show a lot. And I, you know, I said, you know, Kelvin, who are, who are the, you know, people that are, you know, really influencing the channel these days.

And he, you know, he's, Nick's came, Nick's name came up, and I said, I'd love to, I'd love to talk to Nick. Nick and I started talking, and you'll learn more momentarily as he introduces himself.

But, um, you know, um, you know, when we found out, you know, the work Nick's doing with the, with the controls and, and, you know, looking at, you know, M365 and, and, and how he looks at data and educates MSPs, I was like, man, Nick, could we, could we really talk about a control that's really challenging for MSPs to implement? And I'll turn off my beeps in a second. Sorry, guys. Um, a a control that's really tough to, to implement. And that is number three, Phyllis.

I mean, the, the inventories are hard as they in and of themselves when it, when it comes to data, um, which, you know, I don't have to tell everybody here on the show, right, Bob, it's used to be, Hey, oh, we worry about data on-prem. Well, that's not even close to the case anymore. Um, so, so with that, Nick, um, awesome to have you with us. Can you tell us a little about yourself, what you're doing? You got a lot of things going on.

I don't know how you sleep because between your day job, your, you know, your channels and, and you know, the product you're developing, man, you're, you're involved with a lot of stuff. Yeah, I appreciate it. I appreciate you guys having me on. Um, got a lot of inspiration just watching Kelvin, uh, in the early stages. He's actually inspiration for me starting, uh, T-minus, which is the blog and YouTube channel that many of you may out there follow or have heard of.

Um, if you've ever defederated a GoDaddy tenant, you might have seen my blog post on that. It's probably the most popular article that I have had out there. But, um, I got started in the channel here at Pax8, worked there for almost six years, helped build our PSA integrations, um, at that time, worked a lot in product and then moved out and have been at an MSP here, a couple different MSPs actually.

But the most recent, it is the VP of product and MSP called Source Pass, um, on, on Long Island. And there, um, I've been managing our third party product line card, um, also helping out with, uh, the product that we deliver, which is a customer portal to our, our downstream customer base. And it actively been trying to help institute, you know, some more of the CIS controls into our operations and, and everything like that.

But, um, also Microsoft MVP have the YouTube channel where I talk about Microsoft and the MSP space every week. And part of that, um, kind of led into mapping back to CIS and, and really the Microsoft standard. But, um, this is really kind of the genesis of, of what I'm transitioning into next, which is a company of started called Cloud Capsule, which helps automate the CIS controls back to Microsoft security. And so, um, certainly excited for that, just getting off the ground.

But, um, that's, that's a little bit about me and, and excited to, to talk about this one today in particular, because I do think it's one of the hardest to achieve, uh, for the MSP space, especially our SMB as a whole. Yeah, I couldn't agree more, Nick. Um, by the way, your, I just put your channel in chat.

Um, you do a great job with your YouTubes man, really, really well done, really, uh, articulated well, and yes, um, Nick and I, not only, uh, coordinated our backgrounds, our underwear shirts and other things that we're not gonna go into today. I wasn't gonna mention it, I wasn't gonna mention it, but now that you brought it up, Um, all right, so, um, Bob, um, you're taking over for Gary today. Gary, um, congrats. Uh, by the way, he had a first grand grandchild baby girl.

Uh, for those of you that know Gary Jr. Uh, it's his, his daughter. Um, so Gary is off for the day. And lastly, um, for those, I just wanted to share that, um, you know, I'm in Tampa, um, for those that may be in the south, uh, North Carolina, uh, Georgia areas, um, you know, we know what kind of devastation we just went through. So hearts out to all of you if you're dealing with the aftermath of Helene. So, Bob, you take it away, Far away.

All right, Nick, so, uh, you know, it, one thing about it, we all, you and I both know that there's probably a lot of MSPs on the channel that don't really know, don't really actually have ever thought about this concept, or heard a lot about it.

So let's, if, let's, for a minute, let's just take it back to the basics, and why don't you talk about the CIS control number three, data protection and what's critical, you know, what's critical for us MSPs to really know, to implement this, um, for our client base? What does that look like? Yeah.

Um, so really when you get down to the crux of it, we're talking about the processes and the technical controls you're implementing for really holistically the data lifecycle as it relates to the genesis of that data, you know, where we're storing it, the data classification aspects, you know, secure handling of it, and then also retention. And as, as alluded to earlier, the disposal of that information as well.

And I think it's a concept, you know, that's, that's been under adopted by a lot of us in this space, just because there is a lot of complexity to it, um, because there's a lot of human aspects involved with it, as well as some constraints around, we all get the, you know, the, the callback from our customers saying, I want to keep my data forever, right?

Um, and I also, you know, don't have data taxonomy labels and SMB, we don't have what Enterprise has, which is, you know, standard roles that are fully responsible for this, like a data governance officer, um, uh, chief Chief Data officer, even at these businesses. So over time, we've had a lot of sprawl with legacy file shares that maybe still exist today, or file shares that were migrated into SharePoint as is without articulating, like, this is a whole different architecture behind this.

And for our customers, it actually is, um, bringing up a lot of risk exposure for them as well, too, when we talk about just the general lack of protections they have, or if we look at some more of the sub safeguards, even things like basic, basic access controls into this data, um, as it exists today. So what I often find is we can go into an organization, we've been doing this more because AI has really pointed a, a targeted spotlight on how big of a problem that this is today.

And people wanting to buy Copilot, you know, we're having a much harder conversation with them because we have had the use case of somebody using Copilot and somebody who shouldn't have access, getting access to payroll information by just querying into Copilot as an example. You know? So the concern is there, we try to educate in this way, but I think it's really a good point.

It's, it's good and bad in that, um, you know, it's causing us to kind of scramble up some offerings behind this, get ourselves educated in how we can uplift, but also it's pointing a spotlight at something that, that does cause a lot of risk.

And when we take a look at that, the organizational layer, it's not just, you know, we talk about financial risks, it extends both into that trust layer as well as, you know, just the actual IP or underlying data that could be exposed either internally or externally. So a lot to unpack there, but, um, that's kind of the, the high Level. Yeah. Nick, Nick, quick, quick, Phyllis, I mean, just, I, I, I want MSPs to not always feel like, Hey, you guys doing a crappy job at Control three.

Um, which, so that's why I wanna turn to you, Phyllis. You talked to companies, like, I think there's, what, arguably, I think there's like people that have used the, um, just the, um, CIS controls, um, um, online, gosh, I'm drawing a blank of, of the controls, not the navigator, but the, um, The CSAT hosted Thank, Thank you CSAT host 30,000, Yeah. 30,000 different organizations. Yep. Like, it's not just MSPs Philadelphia. No.

I mean, listen, I have worked with Fortune 100 organizations, big banks, transportation, every vertical. Um, it's very difficult, this control, um, because number one, like you said, not everyone has a chief data officer, but not everyone understands their responsibility in data protection, right? Additionally, a lot of these big companies, they acquire a lot of small companies and they have no idea what's going on there. And it's, it's, it's a lot of also cultural differences.

So, you know, when I first started here and I talked to these big, you know, I, I thought the CISO was like, okay, this is what we're gonna do. And it's a negotiation across the board everywhere, right? Because of acquisition. Because even if you were in the same company, you weren't acquired. There are cultural differences between here and South America, here in China, here, and all these other organiz, all these other countries, it's a negotiation.

So like, while MSPs also have to negotiate with their clients, even these large enterprises have to negotiate within their same organization, and they struggle a lot with data protection. Um, it's not just MSPs, it's everyone across the board. I worked for, um, a big government agency as you know, we also, you know, honestly like it, you know, it was like a, um, uh, what is it? Um, request for the freedom of information, a FOIA request would come through. Mm-hmm. Right?

And you'd have to go through, and for some reason, everyone thought I had good records management, you know, it'd be like, oh, a FOIA request came through for this, and you've gotta search through your records. You've got, you know, there's a legal obligation there. So it's just across the board Board. So, so Bob, before I turn back to you, I just wanna say this, I, that's why I, I wanted to start off, and I'm gonna put the three minute snippet in a momentarily in chat for you.

Please li listen to it afterwards. But Brian Blakely's, in essence, role play last week of when it comes to data. And, and I'd love your take on this, Bob, before you ask the next question Is, I think MSPs by having conversations with prospects or customers about the contracts they have with their customers, because that's where the money is.

Like if, again, like Brian says in the role, in the role play, and you're like, funny, your customers care about money like you do, you know, and, and he, and he's like, so talk to 'em about what they care about.

And if you get into that conversation about what they're, what they've contractually agreed to when it comes to data, I think it's a lot easier to get into this conversation than it is, you know, hey, let's talk about control three and let's talk about, you know, where your data is and the importance of it. And you know, the, as he talks about the boogeyman, like if you're encrypted and blah, blah, blah, blah, blah, and ransomware, I think it's a lot easier to come at it that way.

What are your thoughts on That? Oh, no, that was a hundred percent, that was the diamond that I took away from that out of, because everything was, you know, everything that Brian put forward was clearly well thought out and logical, but he handed us a practical tactic that I had not considered. And that was, Hey, before we get in deep into what we're doing, can I see a couple sample contracts that, that are anonymized, but some that you have with your customer?

We'll, we'll go under NDA, what if you need to, so we can take a look at it that'll tell us what kind of requirements you need to be operating under when we really get started. I thought that was a brilliant, that was a really brilliant piece of information. I made a note of it and highlighted it and stapled it and all, everything I could, because I wanna start incorporating that into our sales process.

So you're right, that was by far, to me, that was the biggest takeaway I had from his discussion was, Hey, look and see what your customers are, what they're contractually obligated to. Because I know, I know already that most of 'em have no idea what's in that contract other than the attorney they talked to, to get it pulled together to begin with. Or if someone was, like, in our case, if someone's involved in it, they may not still be there. So all of the ins and outs aren't well known.

Um, and I'll, to Phyllis's point to, before I go with Nick here, which your next question, Nick, to Phyllis's point, if I ever run into a company that actually has an asset inventory and a routing map and a change management process, then I'll start working on their data. You know, then I can go work on their data stuff, but I got it, right? I mean, those foundational three legs of the stool need to be there, but that's the price of entry for being able to step up and talk about that.

Everything's built on sand if it, if you don't have those pieces, right? And I don't, I can tell you out of a hundred people that I've talked to, maybe none of them had it all. One of 'em may had a device inventory 'cause they were using the system.

But this goes right to Nick to the next question for you is, you know, what are the components that really kind of make up the whole data protection, you know, process as it relates to both on-prem and cra, uh, you know, uh, cloud and, and those things. What are those? Break that down and talk about the elements that are involved in that, if you could do that. Yeah, and, and really there's, you know, 12 safeguards that are part of data protection today.

And fundamentally though, if we, we bucketize those into some high level concepts, it's really getting into that governed layer of having a data governance strategy and kind of some basic policy definitions that you can use as your North star to really structure, you know, the next things that you go take a look at. But this is why I love CIS as well, because it gives us this natural kind of progression that we could look to achieve and perform a gap analysis against our customers as well.

And for us, you know, when we take a look at that governed function, we are trying just like our baselines that we apply into our attendance, we are trying to find some agnostic similarities that we go into any customer. It's a repeatable process that we can help define. So we understand more about the operational overhead that would come to that, and we can perform that gap analysis for them.

But then as we keep going there, it gets into more of the, um, considerations for secure data handling. And that includes your basics, like your access control list. It includes things like your information protection, data taxonomy that you would wanna start applying to basically have a, a standard for what is considered sensitive or highly confidential within the organization.

And that allows you to kind of build a mental heat map around the risk that might be involved with the data as well too, as it relates to the data flows. And part of that, um, progression is also figuring out, you know, your approved data repositories, um, that exist within the organization.

And this is where they have, you know, you'll find that organizational difference in the sense that somebody may be all cloud, they may have on-prem file shares, they may have a, a third party SQL server that's involved, you know, in the, the business that they perform. And, and really that's where you get into some of this basic mapping and understanding where that sensitive data, um, flow diagram could start to begin to form.

And then you get into, you know, some of the high level controls you can in place, like your data taxonomy, your encryption of the documents, um, taking a look also at our retention policies. And even that is a massive conversation usually for a lot of people in SMB. Um, 'cause they wanna store things like I mentioned forever, and they wanted to just buy extra storage over and over again, uh, to keep their, you know, keep their files, keep their emails forever.

And we really have to come in and educate about how that's expanding their attack surface as well. So from, um, you know, from even the cloud perspective, I like to double click on, on some of the basics that usually anchor into, not to, to spark fear in the client, but just to show them kind of how they're at risk today that we can start to put in some basic policy protections to get them on the right path.

And usually, 'cause I'm a Microsoft guy, I just will allude to a lot of Microsoft examples in this, um, talk Feel free to, because most MSPs are yeah. Microsoft centric, so that's absolutely fine. No worries. Yeah, that's, that's great. Um, but you know, out of the box with Microsoft, your sharing, default sharing policy is to create an any one link, which means if anybody clicked on it, they can access it publicly. Um, so it's just some of the basic things like that.

If it can showcase, like, hey, you know, did you know your user could do this with your finance site in SharePoint where you have all this IP or you have these financial documents, it's usually pretty glaring. But for me personally, when I go into it with a client, I also take a look at, you know, what customer data did they actually absorb that downstream customer data that they capture as an example where a loan company recently and they captured, you know, loan applications, right?

Which include a lot of sensitive data, everything. Mm-hmm. And, you know, with that it was, I used some native tooling, but I also was able to kind of scan through the repositories and really highlight some eye-opening, uh, statistics or just information around, did you know that there's bank account information in this site? Did you know that this person has this document on their OneDrive?

And I did that with some more of the native tools in Microsoft, but you could do it, you know, just by, by manually scanning, just help speed up the process for us. But that's really what anchored in our emotional response for the, you know, the actual conversation to spark some interest and, and start to begin to formulate the ROI, you know, against, you know, these additional things that we need to start doing today. That will be a continuous improvement process. 'cause it's a lot to unpack.

Um, but for us it's, it's a significant part of the holistic MSP offer that we've typically neglected. You know, if we think about putting in identity protections, putting in email protections, putting in device and endpoint protection, that's a standard that we do today.

We don't typically take a look at this documentation layer or, you know, data layer and say that we're, you know, gonna give you the best guidelines and we have a, you know, a five year plan for you as it relates to that as well too. So there's a lot, you know, that's got to, I think, again, pour a lot of gas on it given the AI conversation that's happening too. Yep. I could see that.

So I'm, by the way, and I agree with you about this is where the strategic conversation should be taking place as it relates to these kinds of controls. But you start out, right, the way I always see it as starting out, this is a, in my opinion, it is a component of the business impact assessment that you need to do with the companies regardless, right?

So, but from your perspective, why don't you talk about the relationship of a business impact assessment versus, you know, doing a real data processing, uh, you know, DPO sort of a process and how that relates to a business impact assessment. I've always, it's always been, we're looking at the servers and the critical infrastructure, but that's assuming they know what's actually really important to 'em, right?

But you don't really know unless you do something like a BIA and then fit that into the overall conversation, you know, from a, from a cur a Charles standpoint. So why don't you talk about that relationship a little bit?

Yeah, and I, I certainly think there's, there's more complexity there given it's tangibly hard to quantify in some cases because it's like, well, you could have this exposure here, but I usually like to get into specifics so they can feel like there's some tangible anchors again, that they can lean into and for, for their data. And, and a lot of it we talk about, you know, what if your email was down? What if you had a business user compromise?

What if you had, um, you know, your network is down and users can access corporate documents? What's our RPO and RTO targets as it relates to that? And then, you know, with this conversation, you're really shifting that mindset into, well, again, I like to highlight the customer data that they have because it's usually the most impactful to them as well too. And it's saying, you know, if if this kind of customer data was leaked, what kind of impact would that have to your business?

And that could be, again, very much, uh, intrinsic in the sense of trust, credibility, um, you know, those types of things that would, would elicit, you know, either churn or it would elicit, um, non net new subscriptions or, you know, business because of the lack of, uh, you know, or the PR that comes about from that. But then from the financial sense, it could also be, you know, really sensitive information.

And this lens itself warrants a higher consideration because unlike others where we're thinking about just external threat, we also have to think about the insider threat, especially with this too. And with that, you know, again, this is where AI is both powerful and it creates a lot of, uh, a lot of new security concerns for us.

Because one of the biggest security concerns that I hear with Copilot now as an example with Microsoft is that insider threat, being able to discover information, whether it's a malicious activity or they're inadvertently doing that, because even maybe let's go outside into other large language models, they're copying IP into something like ChatGPT, and they're exposing, you know, sensitive corporate data into these, you know, these publicly trained large language models as an example.

So those, those are concepts that I like to bring to their attention, and we, we lean into that in the business impact analysis because in often cases it could be a much higher impact, um, than if you just had your email down for a few hours, right? And then you had to, you know, have, talk about uptime or your network, if you lost a sensitive document that had a launch of client data leaked, that's a much bigger impact to the business.

So it's just perceptionally getting them to understand the importance of that. Yeah, I, I mean, yeah. Yeah. They gotta learn to feel it, right? I mean, that's what always comes down to me. They gotta actually feel the risk. If it's just academic, then it's much harder to get 'em to do what they need to do. Go ahead, Andrew. No, Bob, I was just gonna say that I, I, I, I just keep leaning into this, what Nick just said, that I think we've gotta fundamentally shift away from FUD.

You know, that yes, we know rants because I think due to all of the incidents we've had, the publicity, right? If people become numb to something, so we're just instilling more, if this were to happen, what would you do?

You know, when the bad men come, you know, the, the bad guy shifting it more to their, you know, critical business systems, what makes them money, you know, how that would impact them, what contractual obligations they have, what SLAs, you know, what would that do to that relationship, um, et cetera, et cetera. Um, I think, you know, Phyllis, I see you shaking your head. What are your, what Are your thoughts? I mean, I, I totally agree.

Um, you know, when I worked at the National Security Agency, we had the DOD and the IC as our main customer, and I will say fear never bothered anybody and really used to say, mission always wins over security, right? And it's the same thing. The business always wins over security, right? So organizations, um, are businesses and they wanna stay in business, right? And so that's why you really have to say, how does cyber actually affect the business?

Versus, you know, oh my god, you know, ransomware is gonna come, oh my gosh, AI is gonna come, you know, all these like, fear doesn't necessarily work, right? It never, you know, you can't scare people into, into implementing or purchasing cybersecurity. Um, and so that's why the BIA is so important. The no, well said Phyllis. I mean, if you, any last thing I'll say can please continue, Bob is like, just, just that. Like let's get outta our cyber world for a minute, right?

You know, I've been in enough corporate environments, and I know you all have as well, where you'll often get, like, there'll be a department that's like, gosh, you know, sales got this and sales got this and sales got this, like these resources, these systems, these investments. Well, we don't have to look at cyber to figure out where the company values putting money.

So that's all I'm suggesting, is that let's figure out and align to, like you said, their mission, right? The mission ultimately, not the only mission, right? But without revenue, right? Nick, you're shaking your head. With the mission, obviously, we have to drive with the right intent, right? Maximizing revenue and shareholder value, et cetera, et cetera. That's where money gets spent. Nick, I saw you shaking your head.

Yeah, I mean, fundamentally that comes back to the value translation back down to us as MSPs, right? I think that if we're diving in here at a deeper layer as far as this business advisor concept, but also taking a look at a broader stroke at their business and what drives profitability, it should extend into much more value-driven offers that we can provide too, as their technology advisor.

But also taking a look at what else could we begin to think about putting into place? What efficiencies can we drive based off of this knowledge transfer of, this is how our engine works as far as making money, and this is what we want to do. This is the risk that we have as an organization because of the industry that we're in, or the actions that we perform as well too.

So what I found is, in doing a lot of these engagements with customers, now we're trying to take the approach of a SpaceX launch, right? In the sense of, we do a lot of repetitions really quickly to have a lot of learning. And whether or not they're all successful, it depends, 'cause a lot of this is learning for us as well at the same time, especially in this space. But there's never been a call that hasn't been valuable, right?

From an intrinsic sense, 'cause we've learned a lot about the business itself, even if we didn't necessarily solve the data issue today, right? We still have a lot of value that comes from those calls. So it's a win-win. And that's a great place to be when you're investing time in this, at the same time trying to uplift them into a better security posture, but also better future-proof their business.

Nick, I would say, you know, again, for all of us, I'm more bullish than ever for all of us out there to raise our standards. Think about this: you take the Accentures of the world, right? Or any of those larger consulting organizations, right? Where are they born from? They were born from having a relationship at the accounting level, right? Large accounting firms, audit firms, with those customers. They understood their business.

And they're also driving the most money right now on the cyber and all of the tangential services that go along with that at the larger organizations, right? So I think we need to elevate how we look at ourselves as MSPs. You're not the tech people, right? We're business people that happen to deliver business results through great technology and security, right? So anyway, that's off my soapbox today, Bob. That's okay.

Look, I mean, I'm with you. And I will say this, by the way: to implement these kinds of controls, especially here in an MSP, one of the practical things you need to be aware of is that you have to use the systems that we have in place as MSPs to be able to support this. So you need to encode this behavior in the process so that your people don't have the opportunity to really make a mistake, right?

Because you've got them funneled into our support systems in such a way that their interaction with data and note taking and all the things that are associated with working with customers is a system process that requires 'em to just answer the questions, right? If you'll do that, you'll be able to stay safe. But this discussion is about, okay, well, what do we need to put in place to stay safe?

So the last big question I really have for Nick, before Phyllis takes over, is: in the broader context, when you're looking at MSPs, what's the biggest challenge they're gonna have as it relates to data protection strategies, and how does that change things like business continuity, those types of things?

Yeah, I think it's very daunting, and there's kind of three buckets that I put that in. The first is that when you evaluate most customer environments, it's very overwhelming to think about how can I go in and begin to fix this? And that's where the data governance strategy begins to take a foothold.

Because whenever I've gone in and done an assessment, even if I've used first-party or third-party tools or done it manually, you end up finding thousands of documents. Like, if we go and look for sensitive data as an example, we use some algorithms with regex patterns to find credit card information or bank account data. It's in thousands of documents. And then you have to filter through all the false positives on that, and then you've got to find the exact root cause.

And these documents could be spanning hundreds of SharePoint repositories. They could be in people's OneDrive. And so thinking about how do I retroactively go fix all this is, like, impossible, you know. I don't like to say that word often, but it is not feasible to go in and do that. So I think it's having that strategy and moving into a place of, hey, we need to have a governance strategy and we need to put a stake in the ground today.

So moving forward, we're progressively having a continuous improvement plan on getting these things into place. The other major constraint, if I talk about a second bucket, is the end user impact. We deal with this in a lot of the baselines that we push out. MFA is a great example, right? When we went through this wave of MFA, and we're still dealing with it today, there was a lot of pushback on that just 'cause of the end user disruption.

If we tighten down our policies too much on sharing restrictions, documentation access, people can't work. And so we just get a bunch of help desk tickets and we make the client angry. And that's progressively making this a harder thing to adopt for everybody, because it's causing us pain, it's causing them pain.

And there's just a mutual race to say, this isn't worth our time to go in and do; we leave it as is. The third one, that Daley actually put into the chat, most swa of men in the industry, as they say. Yeah, that's right. Education and guidance, right? It's really educating the client around, really, what's the importance of putting a basic data taxonomy in place for the organization to start to organize this?

How can we get away from legacy, really nested permission sets into a modern hierarchy of access controls within the ecosystem? And how do we know that our sensitive documents are protected?

Nobody I ask that question to as a customer is able to tell me with any confidence that all of our data is safe, and we know that our users aren't plastic, have customer data that's protected, that we know it exists. Even with some of the information that we can surface, we're able to show some really enlightening data to the customer, where they can see that tax information is really exposed and it's in people's OneDrive, ex incense as well too.

So a lot of various challenges here that are harder to overcome, but it's really about that micro progression and having that data governance strategy to holistically point to your North Star about what you go and do next. And then educating the client, much like cybersecurity is today, about that. So yeah, a lot to consider there. All right, Phyllis, over to you. Thanks. Yeah, I really appreciate that part of the data governance too.

'Cause it's hard to figure out that big picture and say who's responsible for what data and where it is and all of that. So anyway, Nick, I know that you recently worked on some projects where you had to focus on data disposal, which is something oftentimes we lose sight of, 'cause we're so busy trying to figure out where all the data is, how important it is, and how we're gonna protect that data.

But you even said up front, do you really need to pay for keeping onto all the data all the time? So how do you go about talking to clients and getting them to understand the importance of data disposal, and was there a specific business driver or regulatory driver around this? Yeah, I certainly think that the regulatory driver makes it an easier conversation. Still not easy, in general, but it brings light to some of the things they just need to conform to.

Like, a healthcare company I just worked with last month had a basic retention policy in place because they're following HIPAA standards, and for them that is something that they just need to follow, and they just adhere to it because they're gonna get audited against that.

So what I did with them, though, is brought it down to a more micro layer of even looking at further granularity of those retention policies against different repositories that they had, because of the classification of data that they were working with. And really it gets backed out into that conversation of talking to them about this attack surface, the risk to their business, right? And the continuity of their business being ever expanding.

If you wanna see an email from 2002, and you have fear about losing that email, over the risk of all this other sensitive data that could basically collapse your business if it got exposed, would you take that risk? Would you take that bet? Most people would say no in those use cases, but they continually will ping us and say, give me an Exchange Online Plan 2 license, bump up my quantities, turn on archiving.

Like, let me retain this data as long as I possibly can. So it's a harder conversation to go into there. I think in leaning into that attack surface motion, and then for the people who are financially motivated, which most of the SMB is, we try to pair that with the data storage cost. A lot of people are tacking on this additional cost every single month to hold terabytes' worth of documentation in SharePoint, as an example.

And we can usually point to the risks to the business plus cost savings as a way to institute basic retention policies that they could begin to adopt. And having something is better than nothing. If they say it's 10 years, that's much better than indefinite. If they say it's seven years, it's better than indefinite. So we're gonna try to chip away at that conversation as much as we can.

We also talk about, and I don't know if you can touch upon this, securely disposing of data. Yeah. It's not just like deleting it and then it's gone. You just wanna make sure also that you don't want someone's credit card data, if you're gonna get rid of it, to get exposed, 'cause they still may have that credit card and all that kind of data that lasts a long time. Yeah.

And with that, there's a lot of native secure disposal concepts within Microsoft, which is great, just for lightweight deletion and basically making sure we're ripping it out of these various repositories that exist, or even the link sharing that's going on across internal and external participants over time.

But generally speaking, you really need to start to develop an SOP around that secure data disposal, especially as it relates to other third-party data repositories that might exist as well that you're consuming out of, like your file share or your SQL Server or whatever that might look like for the customers.

So in that way, we take a look at just hard deleting, or even if we have cold storage for backups, as an example, that's another way in which we have additional protections. And that cold storage concept also helps alleviate that conversation of retention if we need it, if we need to play that card, in the sense of, well, if you do need this email, it's retained here; you'll have to reach out to us to get access to it.

But we have better protections over it than it just sitting in your mailbox or a file sitting in your OneDrive for 10 years, as an example. So usually a little bit more unique consideration on a client-by-client basis. But yeah, highly important, especially for regulatory customers that have a lot of PII. Right. So we also have talked about data flow diagrams a lot on the Cyber Call.

And we know that we've been talking about how data inventory is a challenge for everybody regardless of what size your organization is. You know, and you just discussed, 'cause data is everywhere, right? It's in the cloud, it's in SaaS products, all these things. So how do you approach on-prem? How do you approach your clients when it comes to these two critical areas?

Yeah, so we generally come in and I follow CIS Control 3 and subsequent safeguards as kind of that checklist to really start working through. We got this data governance policy, would this apply to you? Let's tweak that a little bit. But then 3.2 is really related to where does the sensitive data exist? Like, where's your data inventory? And that's where we're really going in and defining the approved data repositories.

Do you approve Dropbox, right? And the checklist isn't that granular, but we're basically just whitelisting the approved data repositories within the organization to understand what shouldn't be approved.

And then we can begin to put in some blanket-level controls to begin to prevent access from those untrusted or unapproved locations, like somebody's personal Dropbox, as a third-party cloud storage that they may be storing documents on, or downloading and saving documents locally to their BYOD personal laptop, which is another common data exfiltration. They're not maybe maliciously doing that, but it's happening. Another common area for that piece of it.

From there, we're really taking a look at how can we begin to diagram out the most sensitive information. And usually when I come at this, back to Andrew's point about being a business advisor, a business consultant, this is where we're kind of evolving as MSPs, and we take a look at that and we come in and we say, what's the user journey? When we absorb this data from our customer, how does that get ingested?

What is the genesis of that, all the way through till we should be deleting it? And how does that transfer between parties? How does it get processed? What repositories are we storing it in? Is it going into email? Is it going into Teams? What does that look like?

And if we have that in mind, in most cases what I've found is, if you click and double-click into that and you zoom in on the micro example, because the macro of thinking about how do we put in controls to fix everything is really just too much to consume. But if we double-click and think on the macro and we say, okay, let's think about this workflow.

Let's apply what we think would work here, and then zoom back out and see how much this would fix everything else at the macro level. In most cases, we can find 80 to 90% of the time that will flow through the rest of the business processes or business workflows of the organization. So there's a lot of commonalities there, at least that I've found, in doing this hands-on approach with clients. Nick, quick question, if I may. Two questions come to mind.

One, let's go to, you're down the line with a prospect, and hopefully we're uncovering what you just said, we did a good job and we're uncovering how this potential new customer does handle data, whether they're handling it in a manner that they've thought about or it's a ready, fire, aim type mentality.

Does that inform you a little bit, and Bob, maybe you too, as somebody in the space, of, hey, this is the kind of client we might be taking on here? In other words, what kind of relationship we're gonna have based on what we're hearing and how they do things? Does that kind of tip you off in that area? Yeah, I'd love to hear you too on this, Bob, but I think so, for sure.

I mean, usually if this is really messy, everything's really messy, right? Right. That's where I was getting back then. And how well, when we try to advise them, that's gonna go. Yeah. And that's the hardest conversation, 'cause if they're the person that says we need to retain data forever, they still have an on-prem file share. They typically in that case have on-prem Exchange too, right?

It's like one of those things, where your propensity for having this legacy architecture just keeps branching out, and it's a lot harder conversation. So you do have some hard decisions to make in the sense of, is this a client that I really want to take on, given that this is gonna ripple, and this educational gap that they have today of not wanting to move forward. Maybe they just need that.

The biggest bifurcation in my mind is if they're willing to invest and have the mentality that, yes, we recognize that there's a lot of risk here, but we are investing for the future, and they're creating a bridge to do that.

Working with a client right now that has SharePoint on-prem, Exchange on-prem, has a lot of their workstations still tied to local AD. It's just your typical, like, they haven't evolved much, and they're running some legacy systems that are out of support even. But they want to invest, and they're moving forward on that, and they just need help on that progression path.

So it's a good client to take on because they have that mindset. But is Shirt back in a second? Yeah. No, there you are, Nick. I was just gonna ask, before we ask Bob, we lost a little bit there, how is the windmill doing keeping their AC running in this company? Yeah. It does feel like you're moving from a different era, right? It's a whole different mindset to wrap your head around, for sure. Yeah. Yeah.

But I mean, yeah, well, look, our demographic, our targeted customer profile, are enterprise customers, right? So these hybrid environments are the norm. And I always say there's two things. One is, for some people, if you start talking to 'em and they are doing it by looking at the math, like saying, well, one plus one is too damn much, I don't wanna expend, right?

If that's the conversation, then that's gonna limit how far you can go with 'em, right? If they're already in that philosophical hole, then it's very difficult to move them from that, right? You have to really use different techniques to do it. Now, when you work with somebody who's willing, like Nick says, but just don't know how, that's not a problem.

People like that are pretty easy to work with, and you can help work 'em outta the hole over time. But typically, it's not 50 shades of gray, it's 50 shades of fire, right? How hot is the fire in most of these places when you go into 'em? Because I've rarely met one where everything was, all the wheels were on, that was working like it was supposed to. Well, lemme just be clear.

I've never met one where all the wheels were where they were supposed to be and planned out. So that means it's what degree of fire are we dealing with in a lot of cases, right? And I go back to those basics, and I tell everybody this: I can size a customer up in 60 seconds. Do you have a device inventory? Do you have a network map including routing? And do you have a change management process?

And if a no to any one of those occurs, it's in the 50 degrees of flame that we're gonna be trying to figure out where they are in the spectrum, right? Because they're definitely in a spectrum at that point. If you get people who are willing to listen to the damn logic you're involved in because they know that they have risk, those are people that are not hard to work with. We tend to have to work with people who are, I call 'em the sinners.

You can't save those sinners unless you go where they sin, right? So we've developed some tactics to be able to work with people who are in those hybrid environments that have a lot of risk that has been organically grown over time, right? So, that free document I did about a cyber constitution I worked with Eric Tills on, right? We use that to kind of rope in and fence off what our roles and responsibilities are. It at least gets you going, right?

So you can start down the process of getting 'em where they need to be. But yeah, I'm a hundred percent with Nick. I've never run into anybody that had it really all wired together.

And I'm saying even with CSOs and things, they know theoretically in a lot of cases what needs to happen. From a practical operational standpoint, that's a lot more difficult than you might think, especially these organizations with these legacy networks, because, I mean, you're talking about having to do a forklift upgrade on something, and that's just not that easy to do. So that's really where we're at. Phyllis, quick, over to you.

I know you have less than five minutes, you gotta run, but I'm curious. Like, I was reading about the City of Columbia and Kansas. So let's just turn to your data set of the MS-ISAC. We have a huge data set here of MSPs. We know a lot of them work with SLTTs, but is anything changing in mindset? Because it just seems that, on the margin, SLTTs have just been getting pretty hammered. Yeah. In 2024.

A, what's the mindset? B, are they more open to collaborating with MSPs better? And love your thoughts here. Yeah, I mean, I think that's really, when you look at that, you definitely see the angst of mission versus security, right? So SLTTs feel a very high obligation to make sure services are available, and that is the number one focus, right?

And so if they feel like anything is going to impact that main mission, providing that service, whatever it may be, power, water, school, whatever, that's their number one thing that they're looking for. And then, of course, there's the budget, right? Like all MSPs know, no one wants to pay for cyber, and for SLTTs, their money is colored, and it's like, this goes to this service, this goes to that service.

And there's that billion-dollar money that came down for cyber, and that's something that the SLTTs can actually use for cybersecurity. So it is something that we need to encourage them to work with local MSPs, which we try to in the MS-ISAC, to say, what is it that we can do? We often refer people: go to an MSP, because if you don't know anything about cyber, you really need to leverage your MSP to manage all those services for you.

But I agree, I mean, it's difficult. People find religion after the fact, and it's often that that is just way too late, right? It just seems like this year has been worse than ever for education and county government. They just seem to be getting hammered. But anyway, let me let you ask a question or two before you run. Yeah. So Nick, let's move on to data encryption and data masking, which are important, encryption at rest and in transit.

What challenges do you see that MSPs may have with this, and how do you approach it? Yeah, I think the biggest challenge today is more related to the hybrid and remote workforce concepts. So people wanting to work anywhere on any device, and really that opening up a lot of security holes for us, especially on the encryption front.

The data masking front is even further away from being able to be achieved, given there's a lot more controls that you would need to put into place to achieve that, but also some advancements to be able to scale out and do that across customers and repositories and things of that nature. So we're coming at it today just to give kind of our exposure. There's certainly many ways you could try to go tackle this.

I think many of us try to have all of our devices managed and have drive encryption, which is probably the most proliferation we see as far as actually having data encrypted at rest and in transit in Microsoft. So we have some components there. And then we're doing third-party backups that are encrypted as well too, for that data or those files within our ecosystem. Those are some standards we generally push out.

But the other concept that we get into there is, really, ideally you're trying to lock down access to just managed devices and restrict BYOD use.

And it's hard to get to, because people will start shouting as soon as you start plugging those holes, and particularly it's usually the C-staff members at these customer sites that just start squawking like crazy, and they're the ones with the buying decision power, and they influence you more than anybody as well. So you run up against a hard conversation, which is why it's very important to get ahead of it and give expectation settings, obviously, before turning those things on.

But we do a mix of easing them into it with some BYOD restrictions, where people can't download files locally. They have to have a limited session time in the web browser if they're doing that. So it just kind of chips away at that being a good experience for them, where they want to use a managed device, but it's not restricting them from getting access to it altogether.

By the same token, we are using MAM policies with Intune to apply application-level encryption on BYOD personal cell phones. And that's another good baseline that only causes some significant disruption if people really like to use their native calendar application on the iPhone and the native mail app.

'Cause we can force people into quote-unquote client-approved apps that we manage, and we can encrypt the data, we can prevent jailbroken device access, some of the basic protections that really get into it.

But I think holistically there has to be a push for driving a little bit more draconian policies around this, just because that's our biggest threat, is an unmanaged device and really somebody getting coed on that device where we don't have any protection, so it should be just part of the standards that we talk about with customers. Cool.

Bob, you wanna wrap up with one more that we have there? Yeah, sure, we could do that, because actually I really wanted to circle back to it. I was waiting for Phyllis to do it, but now I'm glad I get to do it. But let's go back and talk about the data disposal part of that, because I think that's actually an aspect that's really important, right?

We had to go through, and I'll go ahead and dump mine on the table. We have data retention policies that limit us on what we can keep, even email retention. We only keep what's absolutely necessary to do the job or what we are required to by some sort of legal or regulatory action, right?

So we have those policies in place and our systems enforce 'em. But from your perspective, Nick, what should those data disposal, what's the right kinds of technologies to look at for doing that? Or is there an automation process you can use? You've named some of the old 365 ones; maybe you could talk a little bit more about that.

Yeah, I mean, generally for data disposal, primarily you're looking at the retention policy configurations within Microsoft. There's some native ones that go on, but then you can further granularly apply them to different sites or to email, to different data repositories, and even have, for hybrid considerations, some extensibility down into on-prem file servers, or they can scan documents in those use cases.

So we typically try to leverage some of that to define or help define data retention. And then you get into sensitivity labels in Microsoft as well, which do come as part of SMB subscriptions like Business Premium, that not many people adopt.

But if we can apply a basic data taxonomy for, you know, highly confidential all the way down to public, then we can also apply granular retention policies to those documents as well that are part of the label policies. So those are the two biggest ones we use. I don't like to list off a ton. There's certainly third parties out there. A lot of them are cost-prohibitive to SMB, like Varonis as an example.

I don't need to name-drop a vendor, but just one that's super expensive that does a really good job. But it's not in the ballpark for SMB to be able to purchase, or us as MSPs to be able to resell it. So a lot of constraints there, but I think just the basics of applying a retention policy, a blanket one, is a good place to start and move backwards over time as part of a QBR process, continuous planning, and all of that. Yeah.

Well, I'll give a quick plug, Nick. I don't know if you guys have heard, Nick, NetX finally has got their multi-tenant cloud-based solution out. And so I'm excited to see how that penetrates throughout the MSP market. So, yeah. I know we're at the top of the hour. Nick, that was awesome. I really appreciate you coming on, and really wishing you the best of success in your upcoming ventures. Really excited for you.

Anytime. One, you give back to the community again. If you could just share, I put it up earlier, but what is the URL for your content that you share readily every week for free? We're always huge advocates of that. Feel free to share that out with everybody in chat. Oh, I'll share it if you want, 'cause you have to be on YouTube to do that. Oh, no worries.

What is it again, Nick, real quick? tminus365.com. Yep. Yeah, T minus 365 on YouTube. So thanks, Pat. Good seeing you. Good seeing everybody. Bob, thanks so much for sitting in for Gary. You filled his shoes very well. Happy fourth quarter, everybody. Here we come.
