December 21st, 2020 – Business Planning
In this video, Gary, Ryan, and Wes discuss the importance of business planning and cybersecurity maturity for MSPs as they head into 2021. They emphasize the need for MSPs to shift focus from just tools to building capabilities through people, process, and technology to better protect their clients. The conversation also highlights the necessity of having proactive roles and a well-thought-out plan to achieve operational maturity and maintain client relationships in an evolving cybersecurity landscape.<ul><li>The importance of business planning for MSPs, focusing on sales, financial, and operational maturity plans.</li><li>The need for MSPs to prioritize cybersecurity capabilities over simply acquiring new tools.</li><li>The significance of understanding and managing existing tools and processes effectively before adding new technologies.</li></ul>
Guests
Video Transcript
All right. Gary, Ryan, last cyber call of 2020. Can't Woo. Hey. Hey. Got a lot of, come on, Ryan. All right. Not that you're surprised, but Mr. Spencer is gonna be a few minutes late here. He's finding a barista, uh, in Kentucky somewhere. Gary, last time he was on, he said the DSL bandwidth wasn't good enough, so he's trying to find a little extra. Um, so he'll let us know when he is here.
Yeah, I don't even want to know where, what part, like, you know what little nook or cranny he's in where they don't have internet. I know. I know. Hey, you don't have internet. You're a lot more secure, Ryan. Right? It's a very, very good, very good point. Um, so where's you guys' green and red? My girlfriend. I have to thank her. She hooked me up here. Gary, usually I have to, you know, do Granal or something like that to, you know, look good. She actually, uh, hooked me up.
So I'm all green and festive, and it's an awesome shirt I'm wearing. On Friday afternoon we had our virtual holiday party, uh, and everybody wore, you know, ugly sweaters. Ah, okay. Christmas gear was fun. Fair enough, fair enough. Okay, well let's get on into it here. Um, few housekeeping things. I got a poll question in there, if you guys could take a look at that. Um, also, um, as you guys know, Cyber Nation is live. I always wanna mention that we're almost at a thousand people there.
That's really bustling. Ryan's been contributing in there. Um, last week, Ryan, I want to ask you to just touch on this briefly, what you guys distributed out to everybody in one moment. The other thing is, um, in the call to action, the little green, uh, box below there that'll take you, Gary was kind enough to, uh, put up a landing page for us. Um, and you guys can get his, uh, business planning blueprint. He can tell us a little bit about that.
But hey, Ryan, can you just, I know I'm putting you on the spot here, but it's fine. Can you talk a little bit about what you and the did, um, and, uh, uh, in terms of allowing everybody to check if those tools were, uh, the, the firewall FireEye tools might be being used in their environments? That was really cool. Yeah. So yeah, we, I talked to a bunch of MSPs last week and, you know, some of them are like, yeah, we've already done X, Y, and Z. Anything else you recommend?
And others were like, what do I do? Where do I start? Um, and it, you know, as we got thinking about it more, we realized that this is not the type of thing that should only be accessible to MSPs with a traditional security stack. Um, it really should be something that all MSPs can do. And so what is one thing that all MSPs have? An RMM.
And so what we, you know, rather than relying on EDR or, uh, you know, AV, and there's nuance even there, like, not every EDR or AV is implementing all the scans or all the checks or whatever. And so we decided that one, we were gonna make it, uh, a scanner. Um, and really it's not anything fancy. It's some PowerShell, the open source YARA engine from VirusTotal, and the FireEye signatures that they released.
And we packaged them up in a way that all MSPs, um, could, uh, could check their environments with Datto RMM. But then as our CTO and I were talking, um, yeah, I was like, what about building this tool for the broader community? Like, so we could send it out to all MSPs, regardless of their tech stack. And everybody was super excited about that. So we wrote a set of scripts, we published them on our GitHub page, which I just put in the chat.
Um, you can download that tool, uh, and publish it out to your endpoints in RMM and use it to check, uh, for whatever the FireEye signature is checking for. Um, I will caveat this with, we did not create the signatures or the checks. We're just creating a method for you to distribute those to your environment and analyze the results. Um, so if there are any false positives, um, you know, that would be on whatever FireEye, uh, provided. So, uh, if there's a false positive, just email them to Ryan.
Yeah, please don't do that. Uh, but I mean, it's honestly, the community engagement in the, in the scripts has been phenomenal. It's, um, you know, it's one of the, in terms of, you know, RMM components, it's one of the fastest, uh, kind of time to market, time to deploy, um, you know, in terms of our internal, uh, you know, platform. But then we're seeing tremendous engagement in the GitHub too. So, you know, I think Wes and, um, Kyle like to talk about cybersecurity poverty line.
Our goal was to provide a tool that helps anybody, even if they're below the cybersecurity poverty line. Um, and so if you haven't seen it, or if you don't know the extent to which you've checked your environment for those FireEye red team tools or the vulnerabilities they seek, go ahead and download that tool and, and see what you're working with.
I really appreciate it. It was really, really kind of you guys to do, uh, you know, ubiquitously for whatever RMM people are using. Ryan, that speaks volumes of your, um, just your, your character and, uh, credibility. And I really appreciate it. Um, yeah. My, my hope, you know, my hope is that people realize you don't have to be a Datto to do something like this, right? Like, I just texted Andrew and said, I made this tool for the community. Can you publish it? Right? And, um, he jumped to action.
So like, you don't need to be a Datto to do this. You just need to be someone that wants to help with community defense. And so everyone on this call can do a similar thing in the future. And so, you know, just a big believer in making sure that we, we band together as a community in this, and this is one way to do it and lead from the front. And so that's what we wanted to do. That's awesome. Awesome. Great. Thanks again. Um, and then just, um, I'll, I'll, at some point, I'll put it up.
We, one of the questions that came in was, um, hey, you know, we checked our environments out. We're good. But one of my clients is a bank and their core processor, you know, I'm not saying it's Jack Henry, but if Fiserv or Jack Henry, their core processor that they did use, used Orion, what should we be doing? So, uh, Wes, um, a gentleman named Zach Duke, the CEO of Finac, who was along, he, he was at, uh, a big MSP built.
He was a partner and built, they were community bank focused, uh, nationwide, one of the biggest. We did a video on what you can do and what you should be doing there. Lastly, Wes should be here any moment. Um, as we were talking earlier on, I don't know where Ryan went. Oh, he looks like he went off video. Um, but, so that is it.
Um, Gary, one last thing I'll say is, um, for those of you out there, again, thank you for the support all year long. We're, um, what I was gonna say is email me, Andrew at thecybernation.com, let us know what topics, things that you want in 2021, and really appreciate it. Um, so with that, Gary, we are talking business plan now. Um, I've had the pleasure to do a lot of these over the years with you when I worked for you. Um, yeah, they were awesome.
It's one of the, that and packaging and pricing always are the two really like massively attended, uh, events. That's okay, Ryan, just bring the dog on. We'll all listen to it. Yeah. Uh, incessantly. Um, so Gary, you know, historically business plans are, hey, revenue targets, what new services I'm gonna implement. Maybe it's, I'm switching my RMM this year, my PSA, I'm putting in new reporting, et cetera, et cetera, et cetera. But last week, I wanna pick up on something that you said.
You said, going forward, MSPs are going to have to be much better business people. Let, let's pick up there. Yeah. What do you mean? Why is that statement coming up over and over for you? Yeah, so, uh, when you and I were prepping for this, I used an example, you know, if you, if you've ever read The E-Myth, right? It talks about, um, most, many businesses like an MSP are started by someone who was a tech and started it. They were a plumber or they were an electrician, whatever that might be.
And then they go out on their own and do it. And most of them, like I'm dealing with, I deal with more contractors in my life that, that I would like to, right? Um, but, you know, and I'm, I always ask 'em questions, you know, about their business, and I figure out right away and watching them work that they really just have a job. You know what I mean? Even if they have some employees, because they never developed, um, the, the, the profession of being a professional business person, okay?
And you could do that as an IT provider and make a pretty good living, you know, these past 10 years. But with all the changes that we've seen, and we're gonna focus on the security aspect of it here, um, it's gonna be very difficult not to come to the realization: you have to have more command over your business. You have to understand your cost drivers. You gotta understand how to go to market and command the right price.
And then you gotta be able to set goals, not just revenue goals, but operational goals. And again, if we use this example of, you know, security in terms of where you are in your maturation process, like that has to be part of your business plan moving forward. And if it's not, you're gonna increase risk.
And then others who are, um, you're gonna have more and more competitive pressure as SMBs become more educated, and they're gonna start asking you questions, uh, and things like what happened with SolarWinds just lifts it, and now it's at a government level, so the government is gonna be doing public relations for us now moving forward. Right? Right. Does that make sense? Yeah. No, it makes, it makes a ton of sense.
Um, in fact, uh, um, one, one thing that, uh, just just kind of struck me, Gary, was um, and I'm, and I'm blanking on it, so I'm gonna come back to it, but, um, anyway, let me, lemme go on to the next, next, uh, question for you, which is sales planning, you know, revenue targets, again, we're gonna come back to, to to security here in a moment, but you've said over and over and over, adding new customers at the right price solves a lot of issues.
Yeah, it, uh, look, I, I get asked probably as many questions from MSP as anybody the past decade, right? And part, almost no matter what question I'm asked, part of the answer is, new customers at the right price.
It's just, and now more than ever, um, and I've been through some, I've been through through two economic downturns when I owned an MSP and, and having a sales engine, and right now having a sales engine and a product that protects your customers and is at the right price, you understanding it, it's critical. You have to go in to 2021 with a really well thought out sales plan. Got it. Did really Well thought out. Yeah.
Um, and I did remember what I was gonna say, 'cause you kind of alluded to it in that previous statement, which is, there's a gentleman, and I'm gonna butcher his last name. The guy's awesome. Ryan Heidorn from Steel Root. He's gonna be on. He's one of the partners, um, an MSP/MSSP that focuses on, um, the DIB, right? You know, the defense industrial base, solely. They're, they're, so they're, they're pretty mature.
And he wrote an article, Gary, and you and I circulated it back and forth, the 21 questions your customers should be asking their MSP. So he authored this, like, hey, these are the things you should be asking us. And these are things you're asking your MSP, and it's like, hey, I've gotta even hold myself accountable and move myself up to a higher standard. Ryan's gonna be on, obviously, in early or mid-January, which is gonna be really, really well, um, timed.
But, but Gary, to your point on maturation, I mean, we're seeing more third parties, whether it's customers, whether it's, you know, their customers downstream that are gonna start to come to you as the MSP. And you know, since when did we need a process internally to be able to rapidly answer those questions? Yeah, absolutely.
Listen, I, we have all these peer companies, we're training them how to train SMBs, not just their customers to ask the right question, but they're going after their prospects and they're educating their prospects on what questions they should be answering their MSP. Yeah. Right? And so you're gonna see that. And the more these big national and global things that happen, the more it's, it's, that message is gonna be really easier and easier, uh, for people to receive.
So the point here is, and why we're talking about business planning today, is it's not just, we're gonna talk to Ryan in a minute about some of the things you should be thinking about for 2021 in terms of, you know, your journey of security. I love that line he used about the cybersecurity, you know, poverty line. So, we'll, we'll talk about some of those things, but the fact of the matter is, when you're an MSP, it's not that easy.
Like you have to have the revenue to drive the roles and process and tools to, in order to be able to do it. So this year, your business plan is one that has to have a sales focus. You better make sure you have an operational focus of maturing this, and then the financial plan that supports that so that you'll be able to, um, you know, to be able to get there. So, you know, it's much more complex.
Like Wes and I always talk about it, like, you know, all he had to do was go to the board and show them why he had to do it, and then their revenue came in. Our board is all of our clients as an MSP, we have to go to our board. And so without a really well thought out plan, we're gonna talk about in a minute, you know, the way you set that up, um, you're, you're not gonna be, you'll have good intentions, but you're not really gonna mature your security posture in the way that you need to.
Right, right. Gary, um, and kind of wrapping it up with you as you take over here, um, skills, roles for operations, operational maturity, what, what are you seeing the top performers doing? What, what's changed in those particular areas? Particular areas? Yeah. So the ones we've seen do the best, like, you know, obviously we've been teaching people how to build dedicated, proactive roles, like true proactive roles. And so that really, if you're not there, that's the first thing.
I, security is very hard. Not just your own, but your customer security. Um, if no, if there isn't a role that's accountable on the process side, it's just this business is too noisy. You're either building projects or doing tickets. So if you don't carve out and can't afford to carve out that role, that's a big deal. And one of the things you have to think about why business planning is so important.
You know, I, I teach our, you know, TruMethods, uh, members, you run your business every year in four 13-week periods, right? Four quarters. And so you look at something, you say, oh my God, we have 20 things we need to do just related to security. Well, I can tell you now, you're not gonna do 20 things, or at least you're not gonna do 'em, complete 'em, do 'em right this quarter. So now you're gonna have to decide, like, which of those things, and plan them out quarter by quarter.
And then you gotta be able to make sure you're executing, and at least your top priority gets done every quarter. That's what great business leaders do. Yeah, that's great. Just to comment, Gary, and then I'm gonna hand it to you.
Um, it's interesting, you know, you've been talking for years about proactive roles and process, and I don't know if you out there can visualize, or were here when Sounil Yu was on about the Cyber Defense Matrix, but we're gonna be talking more about assumed breach, because that's really what he gets into. This is what Ryan's been talking about more on cyber resilience. Here's my point: as he uses the Cybersecurity Framework, CSF, across the top, and then people, process, technology on the bottom.
And as you look across, you'll see us moving from the identify, uh, protect, detect in a very, you know, 1980, 1990, 2000 way. And then when we get into respond and recover, you see it's much more people- and process-intensive, right? And that's in the assume breach area. And so the point is, is if you don't have roles and process, I mean, think about our tabletop, we're gonna talk about that later. Gary, Ryan, you've touched on tabletop.
If we're in an assumed breach world and you don't have process, man, right, Gary, it's gonna be. Yeah. And, and, and listen, just some quick math, like off the top of my head. Like, if you have like one, like you wanna implement one proactive role, and that role maybe can manage 20 clients where they're doing your alignment and those kind of things, um, you know, that's probably gonna be, that could cost you, you know, $8 to $10 a seat. So think about that.
That's like over 30 bucks, uh, per seat you need to charge, right? To maintain the 70% gross margins you should be targeting.
And so when I say to you that the deals I'm seeing right now are at such a higher seat price, that's the reason why, because people that are actually operationally do starting to do these things for their customers, they're figuring out what the cost is, and they're using that, you know, when they get in front of customers and prospects to translate that value as the reason why they have to do this. And now we're seeing seat price really being no longer an issue.
Yeah, I mean, on little deals, I saw three deals come across for our, our members this week, um, you know, under like, a couple of 'em, less than like 15 to 20 desktops, and they're at like $250, $275 a seat on those small deals. And because there's a base cost to do this stuff, right? Right. Well, we got Wes coming on, Gary, let me hand it to you.
Um, and, and at some point I'd love Wes and or Ryan, Eric, Eric makes a good point actually in chat about, you know, how pro, how proactive can you be, you know, with SIEM? A lot of partners don't respond in a timely manner. I think you can say that for any monitoring tool because, yep, talking about detection, right? And, and, and then you're, you know, how, how process driven is your SOC, and are you doing it internally?
You know, do you have a team that you're partnering with, like a Perch, who's got, you know, that's, that's, that's their, what they do. So, great. Great point you're bringing up there, Eric. So Gary, let me, um, let me, uh, bring that to, uh, to you and to take over here with Ryan and Wes. Yeah, look, and, and, and this is again, we get back to business planning as part of the decision.
When you look at where you are right in, in your security posture, how mature, um, you're gonna have to decide which things are we gonna implement. And there are some things that we're gonna need some help with, with someone, you know, uh, who's further down the line with this, like, you know, an MSSP. So, and you have to plan. It's not just easy just finding a vendor who's the right vendor. How is that gonna play into your business model moving forward? How are you going to implement it?
Are you prepared to take advantage? 'Cause every relationship, you know, I mean, I, I think Wes, that's one question I'll ask him, is that how effective, you know, Perch services are, I have to think it has something to do also with each of the customers he works with. And because they're the ones that have to communicate with customers, do a lot of other, you know, things. So I don't know. Does that make sense? Yeah. So for, for me, I just, uh, just got on and finally got audio working.
So, uh, I'll, uh, just say yes. Gary, I was gonna have to get my beard and, uh, glasses if you didn't show up. Yeah, here, I'm, I was gonna interview myself. He's in Kentucky. You gotta believe he's got Bailey's in that thing right there. Yeah. So I, I am in Kentucky and I'm at a coffee shop, and even their coffee is, uh, bourbon barrel aged coffee. I'm telling you, what a great place to be. That's awesome.
So I want to go on here and, uh, Ryan, I wanna start with you because, um, you know, in, in thinking about, again, we're saying everyone has to have some operational, uh, to-dos, right? This year priorities, uh, to mature their, their security posture. So how should MSPs consider, you know, like those top things of how to protect their business?
Like the difference between like, if you had 20 things and said you should do all these, which ones are important and which ones you think are urgent that everybody needs to get to in 2021? And I know it's a hard question. I'm not looking for an exact answer, just conceptually. Yeah. I mean, I think there's, there's several different entry points there.
Um, you know, I shared last time, I'm a huge believer in having a third party come in and do a framework benchmarking exercise with you to understand where you have gaps. I fundamentally still believe that that's the thing that every MSP should do. Um, but there are other indicators of, of gap, um, or risk, right? And so you, you can look at any adverse cyber event that has occurred to you or an SMB this year in your portfolio; it speaks to a gap.
And so you can look to those adverse events for information about where you need to mature capabilities, right? So if you have SMBs that get hit with a ransomware, you're probably gonna wanna invest more in technologies that help you prevent, detect, and recover from ransomware. Um, and, you know, that again, can take the form of people, process and technology. Uh, and so you have to decide again, where was the deficiency?
Um, but really when I, I think, think about that, it's really like a risk assessment. And the benchmarking exercise is a form of a risk assessment, right? It's saying, where do I have capabilities and where do I not have capabilities? And an area where you don't have capability or your capability is immature, you are likely to have a higher risk. And so at the end of the day, it's all a question about how do I identify risk? And there really is no wrong approach other than to not try, right?
And, and, yeah, I think we shouldn't get too hung up on like letting great be be be the enemy of good. Like, you don't have to do a perfect risk assessment. You should try and be as inclusive as possible, but don't let that take you too far to the point of not doing anything because you don't think you have a, a wide enough stance like it's, you, you can only act on the information you have in front of you and the time you have to, to interact with that information.
And so, you know, just look to your past incidents, look to what's happening with your peers in your peer groups. Um, look at what's happening in the, in the technology space overall for SMBs. Um, and, um, you know, and let that, um, how you are going to approach adding capabilities. And I, I'm starting to use the word capabilities more and more because I don't think, you know, I've said this before, we should not be talking about technologies. We should be talking about capabilities. Yeah.
Capabilities are driven by people, and those people drive process and technology that ultimately make you more cyber resilient. And so, you know, it's kind of a non-answer answer. I mean, the only other way to do it is, we've talked a lot about the Cyber Defense Matrix and the MITRE ATT&CK framework. Um, there are open source tools, uh, I believe we talked about on a previous call, Atomic Red Team, um, and Caldera.
Those are great tools to emulate kind of adversary behavior in your environment, see where your defenses fail, and, you know, figure out what types of improvements you wanna make and ultimately how you can translate that into sales down to your SMB customers. Um, 'cause my prediction after this, uh, this Orion, uh, you know, federal government hack is, um, there's gonna be a lot more appetite for IT security spend in 2021. Like, it's coming like a tsunami.
And so we better be prepared for answers because SMBs are gonna start asking us, what more do we need to do to be safe? And as an MSP, you want to be ready to have that conversation. Yeah, Ryan, a follow up to that, how I look at this, right? Uh, and I agree everyone, whether you're doing some self-assessment or better yet third party assessment, either using tools or, or services, even better yet who do that.
So you come back and you see where those gaps are, then you gotta figure out how to prioritize those gaps. And one of the ways you do that, I feel, is, for yourself and your customers, being able to prioritize their information assets. So can you maybe talk a little bit about that, about information assets? 'Cause that's really what we're protecting, right? Yeah. I did a whole, I did a two hour talk on this with, uh, a peer group. Um, we have 33 minutes. Yeah.
They were focusing on, uh, CIS, uh, 20. Yeah. And the first thing in CIS 20 is asset inventory, right? And, uh, even if you are not doing CIS 20, you are doing the NIST Cybersecurity Framework. The first functional area is Identify, right? You can't protect what you don't know you have, or if you don't know where it is.
And so, like, it doesn't matter how much technology you have, if you don't have a fundamental understanding of what you're protecting and where it's, And, and how important it is, right? And some of that you can only get from the customer. Yes. And so that should definitely be part of the conversation that you have when you're talking about your customers, about security, because you, not every environment or every part of the network is going to need the same level of security, right?
Some things are gonna need extremely high and some are gonna need baseline security. And so the only way you figure that out and you kind of apply the controls in the, and the capabilities in the right way, is just to know what you have and where you have it. And so that's really step one. I, I argue you can't really do anything else. Well, if you haven't done that, or you can and you can do it well, but you're not really making yourself more secure. You're making yourself feel more secure.
Yeah. And, and again, what I see is for, you know, many MSPs that don't really have a business relationship, right, with their customers, it's more of a technical relationship. Like, it's hard for you without having that business relationship to even put the, the risk factor on, on, on that customer overall, or their data in terms of their, you know, how you need to prioritize, um, the protection, the backup, everything revolving around, you know, their information, uh, assets.
So that's definitely one thing that's, that's gonna change. You know, Wes, we did that was, uh, telling Andrea, you know, we did that survey, and I've done it a couple places now with the same results. Hey, how many people here could tell me, have had a conversation with every one of those customers, of your customers, about cyber insurance? You know, and 70 to 80% of MSPs consistently say they haven't done that. Can we agree?
Like, let's just one example, when we're sitting here a year from now, we need a hundred percent to say yes, right? That's just one example. Like, you can't be in the same posture a year from now. Yeah. Yes. And, and I wanna ask this question. Go, go and do a thought exercise in your own company and, and find out why you haven't done it. And I suspect, and I wanna see in chat too, for those of you that feel like that's a challenge, I wanna know what that, where that's coming from.
Because Gary, where I suspect where it's coming from is not that MSPs don't want to do it. Um, maybe not even that they don't have time to do it, it's more that they don't have somebody designated to do it, right? We talk about that vCIO process and management of technology and management of your clients.
And I think that's where sometimes the, the, the difficulty is: you have a sales team that's good at meeting at QBRs, uh, you have the technical team that's good at smashing tickets, but who actually handles that relationship and that governance side? And that may be something you need to visit in 2021 to say, we're gonna have those conversations and a lot of other things as part of a vCIO process that's not necessarily attached to a bottom line and a ticket that has to be triaged.
Gary, we talk about this often, right? And I suspect that may be one of the big problems, but I wanna see in chat if you guys agree or think it's different. Yep. Yeah. And, and some people they find these things and, and they come on this call and they, you know, they come away with maybe an aha moment and they're like, oh, I'm gonna do that. I'm gonna do that, I'm gonna do that.
It's like, if someone said to me, someone asked me, Hey, I guess next quarter I gotta go out and have a conversation about cybersecurity. I'm like, I don't know. I have no idea where you are. Like, are there other things you need to put ahead of that this quarter? Do you have a business plan? Do you have a cybersecurity maturity plan and, and that are tied in? And this first quarter, I don't know if that'll make your list. Like I, it's just not, that's, this is what this is about.
Like, I don't know, maybe you could talk to Wes looking at where people are on their journey and being realistic that if you're, and, uh, Ryan used the term below the cybersecurity poverty line, you're not gonna fix everything in a quarter, so you better prioritize. Yeah, I agree. And maybe here's an analogy for a minute.
So I have fired financial planners on my, that work for me, Gary, and one of the things I look for in a financial planner is somebody that doesn't just wanna meet with me once a quarter and, you know, sell me something, but they actually wanna talk about my future. They wanna talk about where things are going. They wanna hear from me of, Hey, what are you involved in right now? What's working well for you? Anything that's changed over the past?
And sometimes they'll just take me to lunch for an hour just to catch up and say, I just wanna make sure I'm on the same page as you. And I think that analogy works well in a relationship that we can have inside of our client base. And, and I know it's difficult, right? Because if you're thinking, well, how am I supposed to take an hour out of my time to go do something like that just to maintain relationships and talk about cybersecurity risk without it translating into a sale right away?
You may have a little bit of a structure problem. You may have this problem of, Hey, every single person I have is tied to a revenue line, and I get that. But, you know, cybersecurity is a little bit different in that regard.
And I'm not saying it shouldn't generate revenue, but I am saying that that should be something you think about for 2021, because it will pay dividends in other ways when you have those discussions and you're continually talking about where a client, uh, currently sits and where they need to go. And I see this, Gary, like I, I see our most successful partners at Perch do a really, really good job of this. I see Tim Fernet as an example kind of chatting about that a little bit, right?
That's a difficult thing to have. And I know it's, you're probably thinking, Wes, it's easy for you to say it's difficult for me to obtain and get there. I get it. But, um, definitely something to think about for 2021. Yeah. Ryan, you, when I was talking, uh, there, I saw you kind of shaking your head, uh, up and down. We were saying you can't fix everything right in a quarter. Yeah. I mean, I, it goes back to a capability and maturity model, right?
So like, whenever we look at, you know, wherever you determine your gap is, right? If it's vulnerability, um, scanning and management, right? If you have nothing, you shouldn't expect that you're gonna go from a zero on a capability and maturity scale to a five in a single year. It is possible, but you need to get on your horse early in the year and you're gonna be spending a lot of money, uh, to, to do that and a lot of time.
And so you gotta, you gotta manage your expectations and break that down in a reasonable chunk, right? Say, what is it gonna take me to be able to do this from, you know, go from nothing to ad hoc? And then how do I go from ad hoc to repeatable? Um, right? And then just move your way up that maturity scale. Don't expect that you're gonna be able to make that leap all in one year. And, and don't expect that even once you have achieved your desired and maturity state that you're done, right?
These things require, as many people here know constant care and feeding to maintain or to improve as the landscape changes. And so you need a kind of a continuous level of, uh, engagement and investment there. Yeah. Think about where we are now. You might, if you're doing the exact same thing and felt like, you know, you had reasonable risk a year ago and you had changed nothing in a year, you wouldn't be able to say that anymore. Yeah. Right. Andrew? Yeah. Just two quick comments.
'cause of seeing chat. Um, something came up. So earlier on, you know, look, C I'm just gonna put out CIS that was, that was described, you know, they've broken down things into what are called implementation groups, one, two, and three. You can quickly evaluate, you know, and they have a great cloud-based solution. It's free. So there's no no sales pitch here, but it will compare you to others, um, you know, thousands upon thousands upon thousands, uh, of your size and complexity.
And at least you're looking internally now and can think, okay, if I'm doing this internally, have I done something like this for all my, my clients? Do I know, you know, how they align in an implementation group one, and do they have those security controls? Really quick, you could do that. And then they have a CSAT Pro, by the way, which is multi-tenanted, which again, I don't get anything for, I'm just saying. So you can take it to the next level. And TruMethods' myITprocess has CIS in it as well.
Point number one, point number two, Ryan's talking about capability. Just go, I don't know, it's like probably like page 16 in NIST CSF's guide. Uh, I think it's their version 1.1, Wes, uh, and Ryan, and they talk about implementation tiers. 'cause that's really what Ryan was just kind of alluding to. You know, where are you, you know, are you, you know, partial, are you repeatable?
And there's a, there's a, there's a scale, but at least you know, these are things you can do very quickly, um, without, you know, Wes. Is that fair? Yeah, it is, it is fair. And I think it's a natural outcome as we begin, as MSPs begin to go down this journey of truly building maturity into their cybersecurity offering. It's not just I'm selling AV and firewall and some other things.
I'm actually developing a cybersecurity practice that includes risk and framework alignment, all of these things. The natural thing that comes out of this is what we're discussing today, which is the governance piece. And how do I maintain it and how do I, it's, it's, it's exponentially more difficult for an MSP because they're dealing often with multiple industries. They're dealing with, uh, multiple, uh, clients of different maturity levels and different willingness to participate.
That is extremely challenging. And I don't think anybody's cracked that code yet. But I will say this is the natural evolution that comes out of this. And I suspected that this would happen. Um, you know, as we go down this journey, you've at some point gotta get into this governance piece and, and make sure we're keeping track of where we sit and our clients sit. Because one of the things we've talked about over and over on this call is we, we inherit some of the risks of our clients, right?
That's a fact of the, of the matter I think is unique to MSPs. And so, uh, yes, this is a big challenge, uh, that that does exist for us. It needs to be solved. And I suspect we'll talk a lot about this next year. Yeah. And, and here's the reality of it. A lot of MSPs I deal with, um, they're at 10% profit, they gotta get their projects billed 'cause they're below their, they don't get a break even without projects.
And, you know, the non-recurring revenue, they got tickets, too many tickets on their board. And so when you talk about, you know, changing the tires while the car is rolling down the highway, truly not only is the car rolling down the highway, but for an MSP many times it's rolling downhill and they don't, and their brakes aren't that great. Okay? I mean, literally that's where they are.
And that's why getting back to this topic of business planning, you have to decide each quarter those one or two priorities that you are gonna focus on or you will not every, I, I always tell, I tell, uh, salespeople that I train this and I tell business owners, Wes, every day in business and life looks a lot like the one before it, right? Today looks a lot like yesterday, my to-do list or a lot of things are very similar.
So if we don't have a mechanism to put in place to be able to know that hey, this quarter we're gonna do these things. So Wes, if you look at that, and again, I know it's so different for, you know, you know, where people are on their journey, but are there one or two common things outside the assessment? Are there one or two common things that, that you should prioritize early in 2021 if you haven't already gotten there? Yeah.
What a, that's such an open question 'cause it's difficult to answer given that there's so many MSPs that are in this journey. Some are just starting out, some have been doing this for many, many years. Um, so I do think you've gotta think through and it's Gary, it's funny you mentioned this because I was thinking about this. I'm just gonna let, this is not a cat outta the bag or anything, but something I've been thinking about a lot.
I think it would be helpful at some point for a number of us to map. And this should not be something that just Wes does. This should be something that the community does, to map out a journey of what a cybersecurity maturity pathway would be for an MSP, right? In other words, if you're one to three years old as an MSP and you've got, you know, less than 30 clients and none regulated or maybe one regulated bank, something like that, here are the things you should be focusing on.
Here are the things that you need to, you need to really start working towards deliverables on and your security and your maturity pathway, and then you get to this level, then here's your next steps. I feel like something like that would be really, really important for us, because I get into these conversations all the time where people ask me, you know, what should go into the stack? Or, you know, what should I be focusing on from a security, uh, perspective first?
And I think those are good, honest questions. So, you know, Gary, what I would say, just a high level, I would say if you're within a few years old and you, um, you know, you have less than 20, 30 clients, you probably are not the person that's doing the VCIO kind of work to align is probably you on this call. The fact that you're on this call listening to us, whether you're the CEO or you're somebody else, it's probably your job to do.
Um, but if you're a little bit of a larger MSP, you really need to think through a model and framework. And Gary, I would lean on you for the data on this, but what does it look like to build out a vCIO practice and at least start with my highest performing, most regulated clients, to build that out and attach a, you know, a line to it that we understand, hey, you know, this vCIO can, um, uh, can handle this many clients.
We want to see a revenue increase in return and goals target of X, Y, Z if we're doing this properly, because we should see new investments that come along in this, uh, and just better client retention. Um, so I would, I would think through some kind of model like that for sure. But I would also say the other thing too is we've been talking about security mapping.
And I ask this question a lot in a lot of the webinars I do with partners is, how many of you have fully aligned to something like the CSF and I continuously, even in today's day and age, Gary, get most MSPs say, yeah, we're 50% aligned. We still have a long way to go. It's time to finish that, it's time to truly align ourselves to that or CSF whatever direction you want to go. I'm sorry, CIS whatever direction you wanna go.
But I think that's the other big thing too, and I don't want it to be repetitive sounding, but I do think that's where we've gotta start, for sure. Yeah, I mean, one thing is, look, three of us on this call have companies that have some tool or service, right? That we offer and sell to, to, to MSPs.
But one, I think one of the hardest things a lot of MSPs are dealing with, and I want to hear from both Ryan and Wes on this, is just picking out more tools and then going out and selling that tool to your customer is not going to get them in alignment. This is not one of those things we were able to solve like backup at that time. 'cause we could just sell people data, right? And we could go, we could solve 70% of it, right? Still process even around that.
But now we're dealing with something where the process is probably, you know, 70%. So Ryan, that's a shift in thinking, right? For MSPs, they like, they like problems they can solve by just selling their customer another tool. Yeah, I think that's fair. But again, I think that's why the conversation needs to shift away from tools to capabilities, right? Yeah.
As a security minded MSP, I'm gonna provide you the following capabilities, um, and you sell that as part of your silver, gold, platinum package, right? And it doesn't matter if that's, you know, you're gonna be paying for 10 hours a week of a text time on security, um, just for process related stuff, or you're gonna be paying, you know, 20 bucks for an advanced, uh, antivirus slash EDR tool. Um, you know, it, it really doesn't, you know, really doesn't matter.
I think, you know, from Yeah, at the end of the day, um, you know, how you, how you communicate that, but I think the problem is our conversations to date have been stuck in technology and tools. Yeah. Yeah. And that we really need to put that conversation to bed and we need to start having these conversations about frameworks or benchmarks.
Um, and, and I don't, I I say CSF all the time because that's just the one that I think is kind of good, robust enough, um, you know, challenging enough, um, but not to the level of like, you know, CMMC or something like that, right? Um, it doesn't matter. You, you pick CIS 20 or NCSF, you're gonna wind up doing this same things. So you just need to pick whichever one makes the most sense for you that you can work through in a structured way and apply to your environment. Yep.
Yes, I agree with that a thousand fold. And did you guys hear initially when Gary, you asked me that first question, I dodged vendors. I like, I work for a vendor, right? But I dodged this idea of go choose and find the latest, greatest, neatest, coolest thing that's out there. Because I do think, and this is not an MSP only problem, enterprise does the same thing. Uh, enterprise very commonly will go out and say, I just need, if I can get this one last thing.
And it's like they know there's no silver bullet, but they sure act like it, and they're budgeting and buying decisions. And rather than pushing for a tool that seems cool and new and unique, um, we're making a mistake by doing that because we're not thinking about where we're at. Like Mihir said in chat here is, you know, actually utilizing what we have in place and maximizing and mastering what we have in place, it's not about running to the latest, greatest tool.
And you just heard a vendor say that, right? What it's really about is maximizing what we have in place, making sure that it's mapped correctly, and then using our security framework and our maturity to then dictate where we need to go in a budgeting and buying decision. And see, I'll give you an example of this.
Those of you that know me well, we come from big banks at Perch, and I remember my CEO Aaron, you know, he came from JP Morgan, and we would always joke at conferences, we would talk about leave no vendor left behind and leave no budget uncovered. And we would joke about spending millions of dollars on any vendor that came in because it was the latest greatest. And do you really think it made anything more mature? No. What it did is made things more complex and a whole lot more people involved.
And that's why big orgs have breaches as commonly as small orgs is because just, you know, an unlimited budget doesn't fix things. Yeah. Yeah.
I mean, I'll tell you my, my personal perspective is if you told me you have enough money to buy one technology, hire one person, or build X processes, I would take the person every day of the week because there's a lot, a lot of the things that we need, you know, there's not an open source EDR, but there are so many tools that can allow you to do the things that an EDR does when you stack them together, and people can figure that out and glue that together with process, right?
And so, um, you know, that's, to me, it really all starts with people. And that's the challenge I think MSPs need to really overcome, is not not thinking about what processes are missing or what technologies to buy, but how am I going to staff these activities? Am I gonna partner with an MSSP? Am I gonna hire someone, um, part-time, full-time, um, you know, what, what am I doing?
Because to me, you really don't move down a pathway of, you know, increasing maturity and reducing risk if you don't staff for it. It just, nothing is going to happen if you don't have the people. Yeah, and listen, I, I talk a lot about three drivers, right?
All your, all-in average, all-in seat price, your average MRR, which is your average, uh, contract size, you know, per, per customer, taking out maybe a big anomaly or whatever you, you might have, have in there, and your RHEM, that's measuring how reactive you are, like the reactive noise that's generated relative to the number of seats.
And if you think about 'em in this context, and we're talking about business planning and I, you know, we, I, I, you know, love you to use, you know, our concepts of economics, right down to seat pricing. But think about it from the opposite end. And Ryan says, look, I would start with a person. So think about that. Hey, based on where I'm in my size, I'd like to add a person and these kind of things and look and say, wow, all those three things I want to do are gonna cost me about $200,000.
Then say, well, $200,000 is a cost. What is that at list price at 70% gross margin? And then look at your customer base and say, wow, I, I'm gonna have to look across my customers and get an extra x, you know, dollars. And if I look at, break that down on average, I, I'm gonna have to get an extra, you know, a thousand dollars per client and my average client size is 3,500.
That tells you from a high level where you need, and then when you go back in your business plan and you go back to, you know, plan to go to those customers and you have those risk conversations, raise their price. I don't hate to say raise their price, raise their investment, okay. In chunks. Do it in chunks. Especially right now when we have these big publicity stories that are out, you have that leverage.
They don't care about frigging a thousand dollars, $12,000 a year is nothing to any of our clients relative to what they're dealing with. Yeah. So when we talk about business planning, this is the kind of things Andrew that I'm talking about is thinking all this through and having a plan on how to execute on this. Yeah.
And you know, I'll, I'll acknowledge maybe you don't have the funds to hire a full-time engineer, but, or, or maybe you only have funds to hire another technical member of your staff. You can do things to make your existing staff more security minded, right? You can support them to go through certifications and education and expose them to some of these concepts.
Um, and you know, I'm gonna double down on the people thing because every single MSP that, that we went to, um, so back up, we went to, uh, me and three members of my team went to half a dozen MSPs for multi-day assessments. We did CSF benchmark test, uh, and whiteboard threat modeling for, uh, two or three days. And what we found was, um, while a lot of MSPs were looking at new tools, they not effectively engaging with the tools they already had.
The tools they already had were not providing them the ROI that they thought they were, they were either running in default configurations or the alerts were going to an email inbox that got triaged for a half hour every, every day or for an hour on Friday. And like that is not what good looks like when it comes to security technology. You have to be looking at those things, um, you know, as close to real time as possible.
Um, which again, is difficult unless you're using like a co-managed service like, uh, you know, an MDR provider or a, like a Perch, um, but you know, there's a lot of opportunity to improve what you already have. Um, and one last story, and then I'll shut up, but the, the company I came from before Datto was a, uh, in the financial services space in FinTech. So we were a financial services technology company. We provided software.
Um, and I took over the security team and I was, you know, talking to our CTO and I was like, oh, you know, we need to do this, we need to do this, we need to do that. And he said he looked, he said, you need to get your house in order before you do any of that. I just kind of looked at him and he's like, he just rattled off three or four things. He's like, we need to do better at this.
We need better, you know, and like, and that kind of stuck with me that like, you don't start doing net new things until the things you're already supposed to be doing well, you're doing well, right? And so don't add complexity to your life if you can't manage the complexity you already have; people help you do that. And managing, I can tell you, managing the, the technology stack for an MSP is a weak point for a lot, a lot, lot, lot of MSPs. Uh, so that's really a great point.
Ryan, you're, I can, I always tell when Wes is thinking something, he's got that. Oh, he's on mute. You're on mute, Wes. Yeah. It, it hearkens back to a discussion. I remember having very similarly to what Ryan had. Like, I just wanna give a lot of you a picture of the way enterprise struggles with this.
And I was answering some questions back that Jason was asking and ask a question if you guys wanna open that and see, but you know, where big enterprise struggle, and I'm talking like Fortune 50 big, right? That, um, that's what I'm talking, where they really, really, really struggle is yes, they have every tool known to man. And I know that argument of, you know, they can afford any tool and generally they do, like you just walk in and sell anything left and right because they don't have it.
They want it, no vendor left behind. But you know, where they really struggle is they struggle in the fact that they have massive, massive networks that is literally impossible for them to do anything about. And what Ryan, you're saying really rings true with me is even enterprise struggles with this rush. The latest, greatest cool thing when the basics are not in place and their own house is not in order. Let me give you two examples.
One example there was, and I, uh, I guess I won't list the name even though this is public data now, but there was a very large banking provider, um, one of the five largest banking providers in the US, so think massive. Uh, they got in some regulatory hot water because they, they were not just, they were not just doing, uh, or the absence of vulnerability management. There were entire subnets of thousands of IP addresses that they were doing.
No vulnerability management on, no scanning, uh, gross negligence, right? Well, I don't care what latest, greatest whatever you have threat, threat preventer you have, if you're not scanning your networks, you can't protect them. Like Ryan said earlier, a second example is a friend of mine that works for a very large bank, uh, in the UK one time said to me, he said, you know, I value greatly my small orgs that participate in threat sharing with me. And I asked him why.
And he said, because you guys know your networks. He said, as a smaller company, you know everything about your network where I have thousands and thousands of subnets I've never even logged into. I have no idea what's there and where and why. And he goes, imagine trying to protect that.
And so my point with all of that is, yeah, it really is about getting your house in order and doing the right things first because we actually stand great advantage being in a smaller organization and being as MSPs and that we still know our clients and we know what is normal for them and what's not. And we see this at Perch all the time and we escalate something over to one of our partners.
We don't necessarily know what the significance is and they usually know right away or they're one phone call away from determining whether that's legitimate or not. And so that's my point is maybe the encouragement that comes outta this, you may feel like you're behind because you don't have the big massive budgets. But if I brought one of those folks on the call with us today, they would say the opposite.
They would say, oh, I wish I were in your shoes because you know what your networks look like and you know what's normal. And I have no idea what's normal when I'm managing networks across five continents and you know, millions of IP addresses. Yeah. Gary. Yeah, Andrew, I wanted to just one, I'm sorry.
One, one thing I wanna make sure I say before we end today, if there was ever a year as an MSP when you were gonna sit down, if you haven't done it already, do it over these next couple weeks, right? Spend a day or more on the business planning, you can download. Our guide will help you. But it's gotta be a sales plan. It's gotta be a financial plan and it's gotta be an operational maturity plan.
And if you think in that way, then decide realistically where you are, how much you can accomplish in one year, and then prioritize that and make your Q1 quarterly action plan. Don't have any more than five, you know, items on that. And make sure you know one of five, if the s**t hits the fan, you lose your biggest customer, best employee. Know the one thing that you're gonna get done. Come hell or high water, then reload on it again and go after Q2. That's what business people do.
They have a plan and they work that plan, they execute it, they know what priorities are and they execute on them. And even if they miss the priorities a little bit, like which are most, and even if they don't execute on all of them in every quarter, that process is enough to move your business forward in a way that other businesses don't. And right now it's showing 'cause those people have a huge competitive advantage in the marketplace. Yeah, well said Gary.
So let me just, if I could say some, just a few things real quick before everybody leaves. And Ed, I agree with you. I need coffee too. Um, so Daniel Moyer asked a question in the ask a question section about inventory, asset inventory, which comes back to the simple things like to, to Ryan mentioning this first thing. What does every framework talk about? Asset inventory, hardware, software? No, you can't protect what we don't know. So look into continuous monitoring for that. Figure that out.
Your RMM, here's a hint, it's not gonna do it. No, that's no disrespect to an RMM. We're gonna have to evolve into a continuous monitoring company. The analogies I thought about though, Gary, some things you just said and, and there's really number one, even if you lost your biggest client, et cetera, et cetera, you know, I think about Bill Belichick just for a moment. Well, who did he lose? He lost Brady. He lost, right? He lost his top star.
But they keep discipline, they keep doing what they're doing. And my guess is over in the next few years, they're gonna be back in it again. 'cause they keep doing the things. And you know, I'll probably take some heat for this because, uh, and I'll just, if you could hold off on giving me the heat, Gary, 'cause I know you're giving me, uh, things, but it has to do with fitness. And here's the thing, the latest and greatest, right?
How many people, and maybe this is something you can talk to your clients about. This is the point of an analogy. Look more tools. Is it gonna be the treadmill this year? Is it gonna be the Bowflex you see? Is it gonna be this that the other people want the end result? They wanna look like that person, right? That lady, that man, they want fitness, they want health, right? He's gonna rip off his shirt, But Right. But most people, another tool, true or false, Gary isn't gonna do it.
The next new thing, yeah, it, but what will do it is process, discipline. And you being that, you know, coach and, and now talking to 'em about look for years, you know, maybe you're in a prospect call. They've been talking about tools, right? Prevention and detection tools, identification tools. Look, Ryan's been mentioning cyber resilience. We have gotta get on the same side of the table, right? Be coach and player.
Um, and if we know what we are gonna protect, coming back to inventory, you know, maybe there's no room for more budget. We know there is Gary, but if in the case of no room for more budget in closing, what controls do we need to put around your most important assets, then we may probably need to shift what things can get blown up, right?
I'm being a little, you know, facetious here, but what things can get blown up and what things can't, because we're gonna have to move budget around if that's the case. Anyway, so that, that's, that's my takeaway. Does that make sense to you guys at all? Yeah. Absolutely. Andrew and your, uh, you, your analogy around, you know, fitness as a go, and it kind of ties in what Ryan was saying, it's like, use the equipment that you have, man, and you'll get in shape. You know what I mean?
Uh, and you can use things that aren't expensive and you can get in shape. Andrew, you helped me with some fitness stuff. Just like I just, you don't need any equipment to do a burpee, right? You know what I mean? And with a, a kettlebell and two or three little things that probably cost 200 bucks, you had 20 different workouts, right, that you could do with them. And so it's the same thing that Ryan was saying about your tools. And that's a great thing.
If you think about quarter one, how do we go in, look at our tools matrix and, and say, okay, where are the opportunities here and what are some of the things, if I can't afford tools, that I can use that are, that are out there? Definitely. Yep. Alright, so with that our last, um, cyber call of 2020, we'll look forward to seeing everybody in 2021. Gary, Wes, Ryan, happy holidays to, to all of you. Thank you so much for your participation. Everybody in the audience.
Thank you so much for your support. Wish you all happy and healthy. Take care.