How MSPs are Communicating with Clients who handle Critical Infrastructure & the DIB
In this video, Gary, Wes, and Ryan discuss the critical topic of third and fourth party risk in cybersecurity, especially in light of the current geopolitical climate involving the Russia-Ukraine conflict. They explore how organizations can manage their vendor and customer risks, particularly for those operating in sensitive areas like the Defense Industrial Base (DIB). The conversation also highlights the importance of having robust incident response plans and maintaining regulatory compliance to safeguard against potential cyber threats.<ul><li>The importance of third and fourth party risk management in the context of geopolitical conflicts, such as the Russia-Ukraine conflict, and its implications for cybersecurity.</li><li>The need for companies, especially those in regulated industries like the Defense Industrial Base (DIB), to comply with security and compliance requirements despite the financial burden.</li><li>The evolving threat landscape for US companies and the potential impact of state-sponsored cyber attacks, emphasizing the necessity for robust cybersecurity measures and insurance coverage.</li></ul>
Guests
Video Transcript
All right. Welcome everybody to episode 86. Thrilled to have Gary, Wes, Ryan, and a special guest today. How are my co-hosts doing? Good to see you guys. Awesome. Hey, fantastic. Ryan, by the way, that was a great interview. I'm gonna put that in chat on the ransomware task force. I really enjoyed, uh, listening to that. Really well done. Um, okay, Gary. Um, as always, um, four or five announcements and we'll get on into it around one 30. How's that sound? All right, Sounds good. All right.
So, um, one thing I wanted to mention is we are going to do, um, I dub it, Gary, the four families. We are going to have the four CISOs of the majors on the 28th for a special cyber call. And we're going to do it because we need lots of, you know, cyber, cyber, uh, Crowdcast only has six. We're gonna do it with Kevin Lancaster and his new platform, uh, on the channel program. So, awesome. We'll be, uh, cyber call, jumping over with Kevin Lancaster at the channel program.
Um, yeah, so very excited. Listen, really great job on this, Andrew. And, you know, really important when you think about, you know, there's four companies obviously, that, um, really represent a big portion of distribution, right? Uh, uh, of software. And, uh, to see that on one side, like all companies, you know, they compete. But on the security side, uh, to have everybody willing to participate and step up because it's com, you know, that's completely different. It's really good message.
Yeah. Well, thanks for that, Gary. And in fact, Ryan, maybe I could just segue, I, I, I think one of the big topics that, you know, you've really enlightened me about is third and fourth party risk. We're gonna talk a little about that today with Scott, who I'm gonna introduce shortly. But Ryan, give us a little, maybe a little preview of what it is and why it's, why, why is it such on high radar for you? Yeah, especially right now with the Russia, Ukraine conflict.
I think third and fourth party risk, fourth party risk is actually a lot on my mind. Um, and it's actually in two demen, two directions, right? So there's my third and fourth party risk from my vendor chain, but then I also think of it down with my customers, um, MSPs and their customers, which is a, for technically a fourth party to us, even though they're the ones ultimately using the service.
And so trying to get not only this, this kind of third party, like this direct ring, are my customers in a region that's hostile, um, or being attacked? Are my vendors in a region that's hostile, are being attacked to kinda ring one? Ring Two is do their vendors, uh, do my vendors vendors operate in those regions? And what's the downstream impact to me? And do my customers customers operate in that region? And what's the downstream impact to me?
And I think it's difficult right now, you know, obviously this is still somewhat contained to those regions, but, um, as this thing expands, as things get more interesting from a geopolitical landscape, it kind of behooves us to understand that. And so last week we, we started having, uh, one-on-one conversations with a bunch of MSPs that we think might have potential exposure to that region in order to better understand our third and fourth party risk.
And so I think that's gonna continue to be a big conversation. And I will say this, normally I complain that no MSPs ever asked me these questions. I actually had three or four last week, so we're getting better. But I think three or four out of, uh, 18,500 is still not a good percentage. So, Um, well, I love, I'll close the, this segment with this, Ryan, I love the example you gave me about, well, okay, you're an MSP, you service a nonprofit. That may seem benign, right? That's not a utility.
And we're gonna talk critical infrastructure, Scott, but what about if that nonprofit provides humanitarian relief or aid into the Ukraine? Yeah, I don't, I don't know how widely that's really been published, but open source intelligence has been indicating that Russian and Belarus are targeting humanitarian aid organizations that are providing aid and relief to refugees.
And so one of the first things we did was go out and look at our database of, of MSPs and see who's providing services to nonprofits, um, in order to start doing that, that specific assessment. Yeah, really, really good stuff, Ryan. Thank you for that, Scott. Alright, so in light of, um, last week we talked about kind of like a, a segue into bringing you on.
Um, you know, we, we talked about, you know, the history of, you know, the GRU, the, you know, Russia's, um, nation state as a cyber threat actor. There are ATPs associated. We talked about what's happened so far, and then we kind of talked about, you know, what should your MSP be doing? So I thought, you know, as we know, things haven't changed dramatically yet here on our soil, but, um, that could change very quickly, uh, as this conflict changes day by day, minute by minute.
I wanted to bring somebody on that, uh, has a lot of clients in the dib, also clients in critical infrastructure and how you're communicating, um, and, and what might change along the way. So with that, Scott, welcome. Can you tell us a little about yourself, your company, your background, and, uh, we'll get right into it. Sure. Thanks Andrew. Thanks for having me on the call. Uh, my first time on the call, obviously. And so, uh, very excited about it.
So, um, yeah, a little bit about me, my background, um, I, uh, I grew up in, in Alabama. Uh, went to, um, went to college at West Point, uh, after graduating West Point. Went in the military, was in the military for a number of years, was, uh, signal Corps. Uh, so got to work with a lot of communic communication, computer networks, that kind of thing. Uh, which is kind of how I got my start in, uh, in, in it, uh, was in the, was in the Army.
Um, eventually got outta the Army after doing, you know, some, some, you know, deployments to, to Bosnia. And, um, and then in that, in that area of the world, um, that was a great experience. Got out, um, went to work at nasa. Worked at NASA for about eight years, got a master's degree in information security, uh, and then ultimately ended up starting Summit seven and, uh, in 2000, because there's no better time to start a company than in the middle of a, of a recession.
So I thought, you know, that'd be a great time. And, uh, so that's what we did, started seven in 2008, and, um, and been been growing it for almost 14 years now. Um, we pivoted in the 2016 timeframe to, um, basically nothing but defense industrial base. Uh, so all we do is support DIB companies for the most part. And, um, and helping them, you know, meet, uh, security and compliance requirements.
And then, you know, obviously their operational support of their platforms, you know, once they've, uh, once they've met those, those, those needs. So once. Okay. Very cool. Yeah, you have, Uh, lessons, Very cool. You do, you do have some utilities I believe as well. So you do deal with critical infrastructure. Is is that, that, if my memory serves me as well, right? Is It?
Yeah, we, we have a few utilities as well, um, Are you guys hearing, but We're about 90, 99% dib, uh, with a few utilities. Okay. Just a quick check, Ryan, you hear me? Okay? Okay. Um, so, uh, Scott, um, it might be on your side a little bit, uh, but, uh, just FYI, um, let me just do quick sound check with you. Scott, can you hear us? Hello? Um, hey buddy. Buer, uh, okay. Thank you for that Ray. Uh, I'm gonna put it in here for Scott. Um, Ryan, can you hear me? We, we can hear you.
Scott, You may wanna exit and rejoin Scott. Yeah. Is it, is it me? Am I causing the problem? Um, we think, we think so. Can you hear us Okay? We might be back. Are you back, Scott? It's funny. We can hear him. Hello? Yeah. Oh no, he's got some like JI or lost going On. Uh, he's, yeah, he is frozen again. Okay. Um, Maybe keep his video off. Do you want me to Get out and go back in? Yeah, Please.
So, one thing, Andrew, while we're waiting for, uh, Scott to reboot there, um, with, you know, dealing with the kind of customers, uh, that he does, it'll be interesting, make sure I ask him about how those customers look at the investments they make in it, Right. Uh, is customers Yeah. Because it's, you know, it it is part of their doing business, right? It's a prerequisite for certain, certain of the requirements are a prerequisite, right?
And certainly if they were to have an issue, um, much more risk in terms of the impact of the company once it happens. Sure, sure, sure. Let me just see if I can get 'em again. Bear with me guys. Thank you. Sorry folks for the, I don't see him online yet, but I will keep my eye out here. Oh, here he is. Okay, let's try this again, folks. Yes, you're correct. We, you Don't have, uh, internet in Alabama. He, he's on a, it's a string in a can.
Well, I come from, I talked you where you use smoke Signals. Jen, Jennifer might be, uh, targeting him. She might Be. Yeah, Around. Let's see. So I'm trying to bring 'em up. Let's try again. So, while we're waiting, Ryan, have you seen some of the Twitter reports coming out, uh, around like, allegedly Russia considering pulling their internet access completely? Yeah, I mean, I, I'm kind of surprised, honestly, they hadn't already.
Um, it was, uh, they were doing drills like a year or two ago to, to prepare themselves to remove themselves from the internet. So, um, I mean, they may not have a choice. 'cause I don't know if you saw over the weekend cogent actually, um, or I think it was cogent. Cogent, yeah. Actually drop them off the backbone. So it doesn't mean they're gonna be removed from the internet from that, but it does mean there's, you know, they're gonna rely on other carriers.
So it might just be a matter of time. They may not have a choice. Could be. Alright, Scott, let's do a quick, quick sound check. You hear us? Yep. Check one two. Perfect. Alright. Sorry About that guys. Dunno what happened. No sweat at all. Um, Gary, for time's sake, let me hand it right to you. Um, one of the things while Scott, you, you went off, Gary, wanna just, you know, at some point early on here, talk About Yeah.
You know, Scott, I I had some other questions for you that, that we prepared, but, you know, as I heard you talking about your customer base and, you know, securities baked into their requirements, how do your customers look at like, price and, and the investment they need to make you it, you know, relative to maybe how a business that's not regulated would, Well, they look at the price just like any other business does, right?
Um, they certainly don't like the price and, and, and the cost of having to meet, you know, this, the necessary, you know, security and compliance requirements. It's a really a huge issue for the d um, you know, they, they have to spend this money, they have to do these things.
The government will not allow them to move forward, you know, looking forward, uh, with, with government contracts, with DOD contracts if they don't, you know, put these, you know, put these sets of requirements in place. And, um, and it's a significant burden, especially for the small, for the small businesses. Um, it's a really significant burden. I mean, you're talking, it doesn't matter. It doesn't matter if you're a two person company.
You've got, you know, you've got six figures worth of investment to do. Um, you know, it, it's a very significant investment for these small companies. And, um, yeah, so, so prices, price sensitivity is everywhere. Um, you know, in the dib, obviously just like everywhere else, um, it's just in a regular business, you may be able to continue forward and, and, and execute your business, you know, by, uh, you know, bringing prices down or, or not investing here or there.
Uh, whereas in the DIB market, you know, they don't have a choice if they wanna stay, if they wanna continue doing contracting with the DOD, they have to make the investment. It's just a non-negotiable. It's, it's table stakes. Yeah. And then, so as a percentage, how much more, right, with all the changes in security, like on on average, how much more do are your customers, you know, all things being equal having to spend with you now compared to maybe two or three years ago?
Like in terms of percentage wise, how much More? Well, if, if you look at, if you look at a general manufacturing, uh, you know, general manufacturing business, you know, they're usually spending somewhere between one and 2% of their revenue is typically gonna be spent on it, right? Um, whereas if you compare that to a regulated industry, uh, a fully regulated industry, they're usually sitting somewhere between six and 8%.
Um, so, you know, it can be a significant, uh, a significant increase in, uh, in, in cost, uh, to maintain, you know, environments that, that meet all these different regulatory requirements. Um, so yeah, it, it can be significant, But do you need to charge, like I I was trying to get to what you are charging a client today. How much more do you need to charge them based on today's requirements? It's not so much in the day-to-Day operations.
Um, you know, our, our costs are relatively in line with the general, with the general industry MSP industry. Um, they're pretty in line. Um, it's just that the, the cost to get compliant are higher. Um, so it's, you've got that first entry level cost and then, you know, kind of moving forward. Um, you know, I would say that, you know, we're, we're probably toward the upper end of cost from a general MSP standpoint. Yeah.
Uh, we're certainly not going to be a, a budget provider or anything like that, uh, simply because there's so much more to do. Um, but, you know, our, our pricings, you know, I had some conversations actually at the ride of boom conference, uh, with some of the other MSPs there, and it was just kind of feeling out, you know, what do you guys, you know, what are you guys charging per user? And their numbers were ba about in line with what we are doing.
And, uh, and so, you know, it's, it's not that much on, you know, from a monthly standpoint, difference. Difference. Gotcha. Okay. So, um, you, I wanted to ask you about, have you seen, like some of the primes like Lockheed, are they pushing any messaging down their supply chain about enhanced security or communication at this time? Yeah, there is a, a lot of communication being sent out, uh, from primes from the government themselves.
Um, most of the conversation right now is, is centered around the CISA Shields Up notice that went out. I don't know if you guys have seen that or not. Um, but CISA sent out a Shields up. And, um, you know, as part of that, um, you know, there's also a joint cybersecurity advisory, uh, with that has threat de uh, three threat details and mitigation approaches and those kinds of things. That has gone out as well.
Um, You know, our customers aren't getting requests for additional security or those kinds of things. What they're, what they're just really trying to do is make sense of what's going on in the landscape and ensure that, you know, they're, they're maintaining their environment in a way that it was meant to be maintained. Uh, so that, uh, you know, they're as well protected as they can be.
You know, some of the information that's coming out, um, you know, a lot of it's coming out from the DOD Cyber Crime Center, uh, from the, uh, from the, the DIB collaboration, information sharing, uh, environment, also called dice, um, and also the NSA is sending out information. So yeah, our customers are getting a lot of information coming from them, from the government and from their primes. Um, and then obviously, you know, we get the, we get that information as well.
And so we make sure that, you know, that gets well published, uh, internally and with our customers. So, So are you doing anything differently right now in terms of like vulnerability scams, security awareness, phishing simulations? Are you doing anything differently? So we're not really doing things differently because there's certain ways that we have to do things already that are very security and compliance focused. So I wouldn't say we're doing anything differently.
I will say that we have, um, upped the amount of, um, you know, phishing, uh, training that we're doing. Uh, so we have, you know, some, some, you know, some solutions that we used, uh, you know, know before. You guys are probably familiar with them, uh, have a great, great product. Um, and we use that with some of our customers.
And internally for ourselves, uh, we do a lot of, uh, a lot of training around, um, you know, phishing and spear phishing and all the different, different types of attacks, uh, to, to prepare the user base. Um, but as far as day-to-Day operations go our day-to-Day operations haven't really changed very much. 'cause we were already kind of in that heightened state of alert, uh, just because the types of customers that we deal with. Nice.
Uh, I had one more question, but I'm looking at the time and we're, we took a little bit longer, Andrew, I'm gonna, uh, I'm gonna let Ryan take over, uh, and ask his questions and then I'll circle back if there's time at the end with one more question. Okay? Okay, sure, sure thing. Cool.
So overall, the threat landscape, uh, has changed, I would say pretty dramatically for US companies in the past year or two, and especially since the conflict, I think, um, primarily defense, industrial base, ot, financial services. Um, what would have to happen from your perspective to change what and how you are communicating with your, your customers? Yeah, so that, you know, we would have to have some verified, uh, verified, you know, significant increases in our specific community.
Um, once we can verify that there has been that significant increase in attacks, uh, on the dib on the clear defense contractor community, um, we will start communicating that to our customers and saying, Hey, we're seeing in, you know, enhanced, um, threats or we're seeing actual attacks take place, um, on, you know, companies in the United States in this community. We will do that at that point. We haven't seen an uptick in attacks at this point.
Um, I, I, I think that, um, I was talking with Andrew earlier, I think he's, you know, basically seeing the same thing with his conversations is, um, you know, we haven't seen an uptick yet. Um, I think we're actually in a little bit of a lull from what we have seen historically.
Um, and, and the reason, and, and this is complete supposition on my part, um, maybe, maybe some you guys can, you know, can, you know, add to it, but I think that all of the different hacker groups right now are either focused on attacking each other or attacking the Ukraine or, or Russia based on, you know, what side of the conflict they may be on.
Um, you know, I was reading a great article earlier this weekend, uh, that basically, um, outlined all the different, uh, known, uh, known threat actors out there and, um, basically which side of the conflict that they were on, and then what they have said publicly about how they're, they're going to be either attacking the, the, the hacker groups on the other side of the conflict, or they're gonna be attacking Russia or Ukraine infrastructure specifically.
So I think that we're actually seeing a little bit of a lull right now, uh, because of that. Yeah, it's, I mean, it's observable. Like I can look at the number of incidents across SMBs and it's actually gone down in the past week and a half. Mm-Hmm. I think it's for that same reason. I think, Yeah, They're be one another. I, I've been relating this to covid major world event.
It's almost like there's, there's a shock factor at the beginning of the event where the activity kind of dropped off, but then all of a sudden it just took off, you know, maybe a month or two in. So, right. We'll see.
And, and that's, that's what I'm concerned about is, you know, I'm concerned if, you know, um, we get to the next phase of that and they turn their attention away from, you know, they've done what they, they, what they wanted to get done directly or, or what have you, and then they turn their attention to, um, to us because, uh, you know, maybe we're more deeply involved in the conflict or what have you.
Um, and that's, that's, that's kind of what I'm concerned about is, is more, you know, two, two weeks a month in the future. Something like that. Yeah. Ryan, can I just interject here? One thing that John Strand said during write a boom that I think is really important, and it relates to what you and Scott just said and what SANS is saying, um, be careful where you look at news sources.
You know, he was joking around about USA today and these other, you know, popular sources and there's sensationalism. I was, I was reading articles on it, and these articles about these, you know, immense spikes and, you know, threat, threat and attacks, and they're completely unwarranted and untrue. Um, so just, I, I say that to everybody to keep in mind, you know, what you're reading and seeing. Yeah. Or, or they exist in a very narrow space. Right.
There's what, um, what Scott was just saying, where there's a lot, there's a large increase in activity in hacktivism, but it's all localized. Mm-Hmm. There's nothing affecting his customers yet. And so that's what I think everybody needs to be monitoring for is when does this start to leak out? Um, yeah, for sure.
So, uh, so I, I, you know, Scott, if things escalated and you have, you know, known threat actors, uh, you know, apps, you know, 28, 29, uh, trying to target the defense industrial waste as they usually do, um, would you consider any changes to your customer preparedness, DR plans, changes in architecture, stronger alignment with frameworks?
You know, what, like what, what would you, if and when you start to see that trickle into your customer base, what are you gonna be doing to respond to that? Well, you know, there's always plans and then the first shot's fired, right? Um, but, you know, for us, NIST 801 71 and CMMC level two, um, those are our baselines. There are configurations and, and capabilities and processes that we recommend that go beyond, uh, what's required by N 801, 800, 1 71.
Um, but to be honest, right now, most companies are just trying to get to that baseline. Um, you know, they have come from, you know, most companies do not have anywhere near the level of security baseline put in place and this state 1 71 requires. And so getting them to that point is the first hurdle. So we, we want to get them to that point so that they are, um, you know, they are secure to that level.
And then once we, once we're able to get the DIB to that point, then we can start looking at adding, you know, additional layers on top of it for, you know, new capabilities or new new security capabilities or what have you. There's just too many companies out there right now, um, in the dib and, and outside the DIB that just still don't get it.
Um, even with all the, you know, even with all of the, the press and all the sensationalism that you were talking about, everybody always to be my stuff isn't that important. Right? Even, even in the dib, you know, companies, companies think that, oh, I just make a bolt. Well, you make a bolt that goes on the underside of the F 35 that Russia really wants to get the plans to so that they can make the same kind of bolt. Right? I mean, you know, it's that, it's that kind of stuff.
Um, and so, but they just look at it as a bolt. And so we really have to, you know, it's a really an education process that we have to go through to get them to where they need to be. Um, but once we get to that point, yes, absolutely. We have best practices that go beyond that, you know, um, believe it or not, because so many of these companies are so focused on meeting the standard and only meeting the necessary requirements and not thinking about true security.
Um, I know you guys aren't really deep into the CMMC world, but you know, cmmc 2.0 actually removed about 20 requirements from the, from the necessary base that you had to implement to be compliant, right? Well, we have actually had customers come to us because backup, backing up, your data was pulled out of the requirement set. We've actually had people come to us and say, I want you to stop backing up my data 'cause it's no longer a requirement.
I mean, that's the mindset that we deal with in a lot of cases, and it's very difficult to get them across that line. So we're trying to get people the baseline and then think beyond the baseline once we get there. Yeah. You're referring to the Delta 20, right? As most people Yeah. The Delta 20 controls backup is one of them. By the way. If it's data, don't worry about it. You can tell him Scott, to take it out. Ryan won't mind.
Um, no, seriously, Ryan, I got a con controversial question asked with you and Scott, and as a thing about this, let's just say, you know, one o'clock Scott's client is attacked, they're in the dib and it's, I don't know, considered right? A, um, uh, uh, uh, you know, a a basically a, um, the, the, the cyber carrier d dubs them as a true, um, what, what's the term they're using where they would say, we're not covering it, terrorist. Yeah. War exclusion, War like war time exclusion.
What, what are your thoughts are, do you think cyber carriers might play that card here? Oh yeah, absolutely. This is a huge, huge issue right now. It is so funny because I was literally like sitting on the couch yesterday thinking about this. I dropped a note off to my teams to reach out to cyber, to a couple cyber carriers.
We know to ask them, um, if any of these wiper attacks are, are, you know, if they were to affect, um, data or its customers, if that would be considered as part of the wartime exclusion, or what is the criteria under which the policy can actually invoke the wartime? Uh, so, 'cause we know that was a big problem with not chu, which was again related to the Ukraine Russia conflict.
So, um, I think it's an important question, and I think the only way you can get an answer is to ask your insurance broker. Yeah. So I was actually reading, um, reading some content this morning, um, because this is something that basically the morning of, of, you know, the Ukraine when everything happened. Sorry, Gary, my apologies. Not you, Scott, it's Gary's comments that are making me laugh. Oh, okay.
So, so, you know, the morning of the Ukraine, uh, you know, the invasion Russia went into Ukraine, you know, I started making calls specifically to insurance peoples just because of this wartime exclusion.
And, you know, through the research I've done the last two weeks, I found out that back in November, Lloyds of London, who is one of the major underwriters for lots of cyber cares, um, they actually released four new, uh, wartime exclusion clauses, uh, that they are, they're encouraging all of their carriers to use. And every one of those exclusion clauses specifically says that if an attack, if the attack can be tied back, if the, if the state that the company is in.
So if the United States government basically says that cyber attack was a state sponsored attack, then it would be considered, uh, non coverable, Which Scott, you know, I gotta tell, you know, again, we've said this on the cyber call 4,000 times with, especially with Chris Lair, more than ever be cognizant if there is an attack on a customer about keeping forensic data.
Because let me tell you, you wipe that data, I guarantee you that's gonna be the default response, is that if it has to do with one of these things. Is that fair? Yeah, It is. And you know, and, and this is one of the things that we really, you know, being in the market that we're in, you know, we kind of have a really big target on our back, right? Um, because, you know, adversaries are looking for those MSPs that are in critical infrastructure that are in the DIB and those kinds of things.
And so we have to really, you know, you know, really pay attention to that. You know, those kinds of things specifically. And this cyber, you know, these, these cyber, uh, cyber sec, uh, um, cyber insurance exclusions are a really big issue. Um, because, you know, state sponsors do go after these companies, um, on a regular basis without a Ukraine conflict. Great. Go ahead Ryan. Sorry about that.
I just was on my mind about the, the carriers and what, what It reminded me to follow up with our, our, uh, tax and insurance guy. So I was just dropping him a slack, seeing if he heard back. Um, Hey, and Andrew, real quickly, maybe we could get, um, like Justin and maybe Dustin Bolander on a cyber call soon to talk about these kinds of exclusions and what's happening inside the industry there. It'd be cool. Yeah. Um, remember the guys also from, um, oh, what was the big, big carrier? Lockton.
Lockton, those guys are awesome. Alright, so go ahead. Yeah, go. Yeah. So, um, third party risk Andrew talked about at the top, uh, are you doing anything extra to assess your vendor's exposure and your customer's exposure from a third party Perspective? Yeah, this is just a matter of course of our business. It's, it's, it's, you know, something we have to do for everything.
You know, the conflict hasn't changed anything there for us because our market, you know, we have a very, very limited set of vendors that we can work with. Our tech stack has, is much, much smaller than many MSPs simply because if you look at all the, you know, software that's out there, um, the vast majority of the software built for MSPs is not built to FedRAMP standards. And so it doesn't have a FedRAMP certification, so we can't use it at all, period.
And so, um, you know, anytime a vendor brings me a tool and wants to talk about us using that tool set, the very first question I ask them is, are you on, are you in the FedRAMP marketplace? Are you FedRAMP moderate? If they can't quickly and confidently answer that with a yes, um, which I can then go verify on the FedRAMP marketplace, the conversation just ends.
It just doesn't even matter anymore because we simply can't use that software, which makes our lives a lot di a lot more difficult as an MSP, uh, because we don't have access to all the new cool, you know, whizzbang, you know, SaaS capabilities that are out there. Um, you know, we have, uh, we have, um, you know, we've had to build some of our own stack, you know, everything that we've built out is, is kind of built in house on the, on the customer side. That That sounds expensive.
It it is, it is, uh, it is very expensive to build out. And so not only do we have to build it out ourselves, we then have to build out our entire infrastructure to meet, you know, C-M-M-C-L two ourselves, right? And so not only are we at a limited set of tool sets that we can leverage, but then we have to bring those up to a higher security level than most, you know, MSPs are sitting at. So yeah, it is very expensive. Alright.
On the customer Side, while you guys are finishing that, I'm gonna think about that for a minute and decide how I feel about it. Okay. So on the customer side, uh, we, we recently started talking to our customers about their status with cyber insurance, back to the cyber insurance discussion. Um, and we wanna make sure that they have the necessary coverage that they need.
Um, this is not something that's obviously required by the government for them to have, but it's something that we strongly recommend that they have in place. We haven't, we have insurance for ourselves and that insurance, you know, covers third parties as well. So, you know, our customers will be covered as well with our insurance.
Um, but, you know, in, in the case of a, of a ma a massive attack, a SolarWinds type situation or something like that, you know it, they're gonna need their own insurance too. Ryan, can I jump in real quick here, Scott? Like one of the conversations we a we've had a lot on the call is about, we know Gary started this, we've a we pulled it, you know, do you know if all your customers have cyber?
Um, ironically, you know, as a, we hope it's getting better, but it was a very low percent for you and the kinds of companies you're dealing with, what percent have it? And if they don't in the prospect phase, what kind of yellow, red light is that for you? How do you handle it? Yeah, we actually, uh, we actually asked that as part of our assessment process for bringing a customer on from a managed services standpoint.
We don't really ask that for customers that we're just doing projects for, that we're just providing software for. But if we're gonna bring them on and we're gonna be their managed service provider, then you know, that's a question that we're asking now. Um, and that's actually a recent addition to our assessment process specifically because of, you know, everything that we're seeing happening.
Um, because most companies, you know, there's been so many companies that have been dropped from cyber insurance this year, um, and, and you know, rates are just skyrocketing on it. And so, you know, there are companies that just simply don't have it. Um, as far as a percentage, um, I don't, I don't know that I could really give you a percentage. I don't know that I've, I've calculated the numbers. Um, but you know, there are a lot of companies that just don't, don't have it.
And so we're, we're trying to help them through the process of, of, you know, going and getting it and explaining to them why they need this insurance because even though we have insurance in, in a super large, you know, situa in a super large attack, um, you know, our insurance may not be enough to cover everything. Got it. No, that's fair. Alright, Ryan, back to back to you. You're on, uh, yeah, Too many, too many microphones.
Um, same question, but for fourth party risk, are you doing anything on a, you know, is it business as usual for fourth party or are you spending a little bit more time trying to dig into fourth party risk? Well, you know, being in the market that we're in, our fourth party is the DOD. Right? Um, largely, you know, the ultimate fourth party for all of our customers is the Department of Defense. Um, so, you know, yeah. You know, they're, they, they're kind of self-insured, right?
The, the taxpayers, uh, insure, you know, those fourth parties, uh, because it's pretty much DOD, um, then you have the primes. Um, we haven't, you know, that that web is so large, um, you know, when you start talking about, you know, subcontractor to prime relationships, uh, very, very difficult to map that and to try and figure out who has insurance or what have you. Uh, but yeah, from a risk standpoint, it's certain, certainly something we think about.
But, you know, DOD being our ultimate fourth party, um, you know, risk owner, um, they kind of self-insure on that. And they're, and I think fourth parties also, your vendors and service providers, their vendors and service providers. Um, is that something you constantly keep a pulse on or are you, you know, Well that's, that's what we really rely on FedRAMP for.
Um, you know, we, we rely on the FedRAMP, you know, the FedRAMP, uh, framework to essentially ensure that if they're staying in line with the FedRAMP requirements, that that fourth party risk on the vendor side is handled, or at least mitigated to some degree by that FedRAMP certification, because they have to main, you know, there's certain standards they have to maintain there. Um, and, and so we rely on that, on that FedRAMP, uh, certification for that. Okay.
That, that's, I mean, that's exactly why, you know, when we start talking to vendors about software, if they can't say yes to the FedRAMP question, I just, we just stopped talking to 'em because we just can't go there. Right. Um, I was gonna hand it to Wes, but he's, he's in ma a, Uh, Wes, where are you? We see him in the corner Muted inspector in today. Be right back. So, um, Yeah, if you had to use the men's room, So I mean, I'll, I'll, I'll, I'll sub in for I guess his first question.
Perfect, perfect. Um, he, you know, one of his questions was, um, are your employees asking questions to you and to your executive team about the conflict, you know, asking you to, what your position is, um, uh, you know, and if not, you know, are you communicating to them any differently since this started? Yeah, absolutely.
Um, the morning of the invasion, um, I actually sent a message out to our entire team, um, about, you know, the importance of maintaining vigilance and preparing them for what may come. If Russia turned its, you know, turned its eyes or its cyber teams on the dib, um, and what we would, we would going through, you know, being in the role that we are in helping protect those DIB companies. Um, so yeah, we've certainly, you know, communicated with our, with our team about that.
Um, we've, and we've continued to maintain that drumbeat internally, um, so that people are continually aware that we have to have that, uh, heightened state of awareness, uh, during, you know, during this, you know, very vulnerable or, um, you know, very, uh, um, Uh, Difficult time. You muted Andrew, Gary, you want to take one a question or two? Or did you have something?
I know you were kind of, yeah, yeah, Well, I had two questions, but one of 'em, Scott, would you mind sharing, like, when you look at per user pricing, what range you focus on for new customers? I'm sorry, say again. Um, for new customers, what's the range of your per user pricing on average? So, um, our, our price, it depends on the types of users. Um, I mean, we have pricing that goes everywhere, everything from like nine bucks a user up to, you know, $250 a user.
And so it just kind of depends on the type of user and what services we're doing for them. Let's go with two 50. Okay. Yeah, Go with that. Good. I mean, I, I I, I assumed you're gonna say something o well over 200 and I, I just want everybody, you know, to hear that. And like you said, when you were at write a boom, you met other MSPs that are in that, you know, two to $300 range, right? Yeah, yeah, yeah, for sure. Yeah, we did.
Um, you know, it, there, there are a lot of MSPs that are in that range, and it just depends on what services you're providing to the, to the, to the community. So another question I had for you is you not only need to get talent, you need to get security talent, and there's very little of it, right? Talent in general in it is the number one issue. We work with a couple hundred companies, right? In our peer group. It's, it's, it's with everyone.
Does that impact your ability to scale or take on new customers because, you know, you can't run too hot, you have to have enough people to deal with whatever comes along? Yeah, I mean, you're, you're right. Um, it's very difficult to find qualified people at the moment, especially in the mid to senior levels. Um, you know, we have contingency in place now for how we, you know, leverage existing team if, you know, we have to bring more people to the fight, if you will.
Um, you know, the way, the way our team is set up is, you know, we have a very large project based work, uh, uh, group we call our professional services group. Um, and you know, they are primarily mid and senior, you know, senior level, uh, uh, team members. And so if we had a situation where we needed to, um, you know, move resources from that team into our managed services team, uh, for a period of time, we could do that to be able to scale on the, on the managed services side.
So, um, you know, because we're about, you know, our technical team is basically split in half, you know, half kind of on the managed services side and half on the professional services side. And so that gives us the ability to, to, to flex as needed, um, you know, for short periods of time. And, uh, the pro service people like do remediation and, and that kind of thing. They do, they do, uh, all project based work.
I mean, they do all the in initial implementations and configurations of the platforms that we put in place. Um, and then, you know, when they transition into managed services, then, you know, our managed services team kind of takes over the o and m of the environments that would go into play. So, so it's interesting, right? The based on your business model, the customers, and for you, you're used to going in and having some kind of fee, probably pretty large, right?
Before you get to, um, your, your support and your managed services. Yeah. And Andrew MSPs historically have pushed back, you know, and on that, and even early on, now, if you go back 10 years ago, things weren't the same. We could fix things as we go more, and I would say take the entrance barriers out, but I don't think those upfront projects are an entrance barrier now. In fact, sometimes for an MSP, they're the reason a customer would do business with you.
And so, uh, I, I just want to, to make that point. Scott does it because it's part of the business model, but I think we all gotta start thinking that way. Gary, can you, you know, for those that don't know your history and legacy, you know, can you just talk about the velocity early on, you built, you know, you went in the early to mid two thousands, you scale quickly to 10,000 I endpoint.
I think it's important for everybody to hear how you looked at assessments and, you know, things of that nature where you were like more interested in entrance barriers or down, you're just pulling people on today. How do you look at it? So can you just give that good comparison to everybody for the, over the past few years and now how you're looking at things? Yeah. Even through my first MSP and my second one, right? Things change in the first MSP, we didn't charge a lot upfront.
We didn't have a lot of requirements. We went to flip 'em like pancakes. Once we got them, you know, we had a couple sets of, as, you know, standards and assessments that we did. We started with the most critical ones first, made those recommendations. And the, so the project work would usually come over the first, you know, 90 to, you know, uh, 180 days of a new customer, right?
Rather than before as we, I got into the second MSP, um, more of it, we would start to be, you know, start to look for critical things that we need to put up, you know, put up front. And so more and more, and that's mainly driven by security. It's one thing if the only risk is, you know, downtime because they had that before we met 'em, right? And so we can fix it over time.
But now, uh, and, and if you're in Scott's line of work, you know, you're required, like you're making a commitment, right, uh, to their alignment. So, uh, and I can tell you that we see MSPs being able to get, you know, um, pretty significant upfront fees now, uh, uh, and they're, and they're selling more now than we ever were in in the last, you know, 15 years. Yeah. Well, and, and I'll say this one last thing and we'll bring it back to Wes.
Now these with us, Gary, you know, you've talked many times about your costs have already gone up. You're saying that not only to the, the customer, right? Your costs have already gone up. It's not, has nothing to do with us, but I think for MSPs too, you know, MSPs have to look at onboarding customers. The way in which, like West and and Perch were doing things with, uh, organizations that we're doing large scale acquisitions in regulated spaces.
You, you have to be deploying things upfront to figure out what potential threat actors exist before you pull that customer into your normal onboarding. There's a lot that's changed. So with that, we, let's segue.
Well, I, I was gonna say, it makes me think about, you know, on stage at, um, write a boom, John Murchison, um, talked about how often they get new customers in MSP, they deploy the tool and a number of their customers, they find out they've already been breached and they would not have known. So yeah, definitely, um, you have to look at things a little different. But the mar again, the great part is you can do it and you can still sell more. That's where we are today.
And part of it is just a growing, growing market. If you're getting a $35,000 market adjustment on a new vehicle, you know, why not? I mean, look, if, if people are spending crazy money like that, think about it from your perspective out there as an MSP, you know, inflation's happening and, and you guys are critical to the success of those organizations. So with that, Wes, Yeah. Hey, and speaking of, uh, right of boom, Scott, I'm glad you were there.
I hope you had a, a good time there at the event. Yeah, it was a great event. Um, you know, uh, you guys put together a great, uh, a great lineup and had some great topics. So it was, it was, I, I look forward to the next one. Right on. Yeah. Awesome. So, um, this is a question. I was actually chatting with Anne a little bit in, um, the, the livestream chat over there. And I realize you as the guest, you have to be zoned in on us.
You probably didn't see it, but you know, Anne said she made mention of, you know, she's had a lot of her clients reach out to her and just ask her, Hey, what's going on? What do we need to do about all this?
And maybe that's my question for you to get us kicked off to kind of go in a bit of a different direction today, Scott, is do you see your employee, I'm sorry, do you see your clients act asking you guys questions about what's happening here with the conflict and if things have changed and if not, are you guys communicating differently to your clients in any sort of way? So, you know, we have, our customers haven't been asking, you know, any differently than they were before.
Um, you know, most of our customers are pretty focused in right now on, you know, the security and the compliance requirements and those kinds of things. And so those conversations really haven't changed very much. Um, you know, they're still trying to get, you know, get to that secure and compliant state. Um, and, and so the Ukraine conflict doesn't really change that calculus for them. They already are trying to get there, and they just want to get there and get there as fast as they can.
But is it, do you think it's a motivator for them to get there faster? Is it, like increase their importance for it or the priorities For it? No, I can tell you, I can tell you that we had one customer that actually closed, uh, last week, um, who actually told us and stated the reason that, that he, he was planning on doing this in third or fourth quarter of this year.
And he said, I went ahead and pulled the trigger because, um, because specifically of the, um, the shields up announced, uh, uh, the shields up that came out, uh, from CSA and some of the, some of the information that came out from dice. And he said, you know, that, that basically scared me and, you know, we, we wanna get this thing done and we don't wanna wait anymore.
Um, you know, he had, he had budgeted for the work to be done in third or fourth quarter, but he wanted to go ahead and get it started. Okay. And, and I don't know if you have like V CIOs or V CSOs that, you know, work in front of your clients, but how do you keep them trained in like the latest? So what's happening and making sure they're conveying the message from Summit seven all the way back over to the client? You, you have to train 'em.
I mean, you have to talk with 'em continuously, right? Um, you know, we're, you know, our, our, uh, uh, vcso will be, you know, going through CMMC training, you know, so that they know the same training that all the assessors are going through. Um, you know, we, we continually, we, we teach, we teach them or treat them as if they are technical resources, even though they're not.
Um, and you know, from a, you know, from a execution standpoint, they're really more advisory, uh, you know, services and, um, but we, you have to, you have to continually talk to them and train them as well, you know, you can't, you can't forget about 'em for sure. Yeah, absolutely. Because if you don't, then the message gets diluted, right? Mm-Hmm. Or, or it goes in a different direction, which is really unhealthy. So that, that's really, really good feedback.
Um, let's talk about your relationship with Microsoft for a little bit. You know, I know on your website you guys mentioned that you work pretty heavily with them. I know inside of like the DIB themselves, you're sort of looked at as like one of those go-to partners for DIB. Um, do you interface and talk to Microsoft a lot about all of this? And if so, what can you tell us any questions they're asking you guys about security controls and other things?
Yeah, we have continuous conversation discussion with Microsoft about our capabilities, our configurations, you know, coming product announcements and what, how those products are gonna impact those configurations. Um, you know, Microsoft has really done an excellent job of building a secure and and scalable platform for the DIB to leverage within the Microsoft government platform.
Uh, you know, they've been investing, you know, billions of dollars for a long time in, in specifically in their security infrastructure. Um, you know, one of the reasons that we are, you know, we are so focused on the Microsoft stack is because they have committed, um, you know, they have really committed to, um, support these types of users with these types of requirements, uh, for the long term.
You know, I don't know if you guys know or not, but they committed $20 billion last year, $20 billion in security infrastructure that they were gonna be spending by 2026, um, in building out and, and building these types of environments. Um, that's that investment, you know, that we're able to leverage by being a partner of theirs.
And, and then our customers are gonna be able to leverage because we're able to use those products that they're able to turn out by building that security infrastructure that's gonna, you know, that that really helps our customer, helps our customers long term to be able to lean in on that and benefit from that infrastructure.
Um, it's really second to none, you know, I don't believe there's any other, any other company out there that is making the investment that Microsoft is making into this, in this environment. Yeah, I, I tend to agree with you for sure. Um, and that's encouraging that you, you guys have a voice of influence with Microsoft, right? And, um, I'm guessing you're also doing that for the better part of the industry as a whole inside the channel, right? Yeah, we are.
And you know, we, we have a great relationship. You know, I really started developing a, a solid relationship with the, with the d the different teams back in the 20 fifteens, 2016 timeframe. And, you know, we've just been able to continually, you know, have a voice there as we have, uh, you know, continued to, to build out these infrastructures for this community. Uh, and it is, it's a very strong, you know, relationship that is both get, you know, back and forth.
So, you know, we, we listen to them and, and, and leverage their capabilities and, uh, they listen to us and what we deal with on a daily basis out in the dib. And, um, it's a great, it's a great relationship. Yeah. Okay. Awesome. Um, okay, so what about, uh, how about your clients, right? Like, this is something Ryan mentioned early onto the calls fourth party risk.
While MSPs may engage with their clients, especially inside the DIB space and CMMC solution solving as a whole, they still own the responsibility of their own third party relationships, right? That become fourth party to us. And as MSPs, we're definitely, it's important for us to make sure they're doing the right things and assessing, but they're the ones that have to make the call on the vendors that they choose to work with inside their supply chain management. So how do you deal with that?
Because you get incorporated into the challenges and the risks you inherit with that a lot. And I don't know that we talk about that, like, talk about any words of wisdom on how you're handling fourth party view, third party to them, um, themselves and their own supply chain. Yeah, so, so we, and the DOD, um, uh, separately are, are pushing our customers start asking these types of questions of all of their third party vendors.
Um, you know, our customers have to know that the companies that they're relying on, um, have put in place the necessary security and compliance infrastructure so that they can do two things. One, they wanna stay in business, right? They wanna stay in business as, as part, as part of the dib, they wanna be able to do contracting with the government. Um, and two, they wanna be able to protect against bad actors.
So, you know, you gotta have the security piece and you gotta have the compliance piece. Um, and so, you know, to that, you know, summit seven has built out a shared responsibility matrix all the way down to the C today, 1 71 assessment, objective level, um, for, so to show our customers, you know, what are we responsible for? What are you responsible for? You know, you know, where, where do we talk, where do we consult with one another? Those all those kinds of questions.
Um, you know, and, and when we put it together, it's like 1100 lines long, right? I mean, it's an enormous matrix. Um, but that is what's required to be able to have a consistent communication with your customer about, you know, the, these are the things that we're doing and these are things that you have to do, uh, you know, as part of an assessment or just part as day-to-day operations.
Um, and, and then we ask them to make sure that they are getting that same level of information from any other third party provider that they're dealing with. Because if they can't get that kind of information from that third party, then it's, it's highly likely that that third party doesn't know what they're doing from an operational standpoint or from a compliance standpoint. And in those situations of Scott, let's assume that they don't, that they're having struggles there.
What do you guys do in the middle of that? Do you advise them that they terminate the relationship or look for other options? Do they even care what you think? Like how do you deal with that? No, they do care. They very much care because their business is literally on the line. I mean, it's not like, it's not like they can accept the risk. They are not in a position to accept that risk, right? If they want to stay in the business that they're in, they have to fix the problem. Okay, that's good.
Yeah, They're, they're, Oh, I think we lost Scott again. Well, oh, Gary or, uh, Andrew, you're on mute too, my friend. I got it. I was gonna say what cliffhanger, Wes, right? Yeah, right there. Yeah. Um, but I, I do think that's a differentiator. Um, you know, I think, I think healthcare and I think finance are by and large, pretty good at, um, handling third party risk management because they have to in, in their chain of events, right?
Because BAAs and, and medical, like EPHI force it in healthcare and then regulators force it because they actually put eyes on it every year inside finance. But outside of those two industries, I don't think we see a lot of that actually taken seriously. That's why I asked Scott the question, because I was curious to see what you'd say and, and very glad to hear a yes. Looks like you're back, Scott. I am back. Can you hear me? Yeah, we gotcha. Okay, cool.
So that's really my last question for you, and then I'll flip it back over to in, we got a ton of questions, so maybe let's just spend 30 seconds on this so we can answer a bunch of questions. So, um, talk to us about like testing of controls, IR testing, DR testing at scale. Do you guys do those things? Do you do them with your clients? And do you expect to sort of scale those things up this year? Yeah, you know, that is something that we're ramping up right now and doing more of.
We just did another revision of our incident response plan last week and, and we're, you know, working and to ensure that our customers are doing the same thing. Um, and so, you know, that is part of, you know, the shared responsibility that you have, um, with, uh, you know, when you have customers in this market is making sure that, you know, you're working together to get that done. Fantastic. Good.
Um, Andrew, I'm gonna turn it back over to you for, there's a bunch of questions that all came in, and I'll let you kind of pick some. Perfect. Andrew, Can I ask one more? Yeah. So Scott, you, you get a new customer, you go in, you do an assessment, you do some remediation, right? To make sure that all the controls are in place, you go on and do the support. What's the process by which you can maintain that alignment? In other words, things drift, right?
Like they're, they're in alignment that first day when you leave. Oh. But so how, how do you, how do you keep, uh, companies in, in, in alignment? Well, this is part of doing what we do. Um, change control. Uh, change control is absolutely critical. We don't get to have drift, right? Um, anything that we do, and this is part of being in a regulated industry, you have to change control it.
Um, so that, you know, you've gotta make sure that the, the, the configuration that was put in place stays in place. And if it does get changed to something else, that there's a documented reason why it got changed. And it has to go through that process so that you make sure that that change then gets entered into their system security plan. That that basically documents their current, you know, their current status. Uh, you, you, you don't get to have drift in this industry.
Interesting, right? Yeah, It's, it's, it's so far from how most companies operate and, and MSPs operate today. Well, as I bring up a question or two, maybe I was just, I was just thinking of this when we talked about more, right? Of boom type things like tabletops and PR and things like that. Scott, any change in how you look at MSA and legal? I know we had, you know, Eric and Spencer on it, right? Of boom. So as I look at a, pick a question here, has any of that changed for you?
Well, I tell you, you know, it's really interesting that you bring that up because after sitting through Eric and you know, their session, um, I actually got in touch with both of them. And Eric has actually already done a full review of our MSA. Oh, has he? Yeah, he has. And so, you know, we're, we're leveraging him, uh, to do that.
And, you know, I'm basically stepping through all of our documents right now, um, and having him do reviews and, and we're making updates as necessary, uh, to make sure that, you know, everything on the left of boom side, if you will, is in place and, and, and, and the best it can possibly be. And then we'll be working on the right of boom side next. So, Uh, very, very cool to hear.
Um, alright, so in term, and for the last few minutes here, um, I'm going to pick, you know, I, I posed this question out to everybody. I, I thought it was a good one by Todd, which was, you know, if you're an MSP onboarding a client and found out they were compromised, breached, um, what would you do, you know, during that process? And, and I've seen, I liked Matt Lee's comment, uh, out there.
Um, you know, he'd stop and, you know, you know, I think he was, get an IR plan, you know, get a, a dr, you know, get IR in, in place. But lemme see if I can pull Matt on real quick if for the last few seconds here. But, um, Scott, any thoughts?
Hey, you're onboarding a customer, they're compromised, you know, how would you, uh, Well, the first thing, you know, the first thing that we would do is we would, you know, have them go through their incident response plan if they had one, you know, if they had an instant response plan, we would ensure that they, you know, that they followed that, um, go through, you know, follow it to its natural conclusion.
And then once that, you know, natural conclusion has taken place, then we would work to remediate the problem. Um, and, uh, and get them, you know, get them back to a point where they're, uh, you know, where they're stable again. And, um, and then we would look to, you know, re redo onboarding. We certainly would not onboard a a currently compromised client. Um, we would, we'd have to, you know, work them through their process first. I, I love your answer, Matt. What are your thoughts on that?
Man? Uh, you, you spent a year on the MSP side. Uh, yeah. This triggers this basic concept of, of having an IR plan on how you protect your entity as an MSP in addition to how you protect a client, right? The duality of that. And so for me, it would be an immediate pause, right? And then this understanding of trying to educate the client, just like most of this, even just an email breach or, or, or, or incident or even just a a, a single machine ransomware, you have a decision to make, right?
You either are going to go down the incident response plan that that's followed by your insurer if they're going to be paying for it, right? Or some external IR team to say, we've contained the threat, right? We've eradicated the threat and we've brought you back to some state of normalcy before I would finish onboarding them. I think you just risk too much exposure, you know, cross-contamination wise against you and against your client base by continuing that.
And you know, I like to tell people your job right now is to meet, you know, do care, but really it's just this reasonable person rule right now. There's not a lot of court precedence. And so it's really about, well, why the hell did you continue? Right? Right. Which is interesting. I know we're over, but I'm just gonna ask this question I think to, to, to Scott. Scott shared responsibility with Microsoft.
I mean, if, if you kept bringing 'em into Azure, let's just say what, what, what kind of implications? I'm not putting this on you, this is what would happen with Microsoft, but I gotta believe there's implications there, right? Let's just say they were on-prem and your migrating 'em, you know about it. You keep doing it, right? Well, Yeah. I mean, if we would, if we identified an in a potential incident, we would just stop, right? You just stop.
You don't, you don't, you don't, you don't continue forward. You've got to figure out what's going on, normalize the situation before anything else happens. Yeah. Very awesome point. Alright, so with that, um, I know we went one over first. Scott, thank you so much, uh, for jumping on. I didn't, I know we didn't get to it, but I put a link about this really cool event you guys put on for the dib. Uh, and you're gonna be at where we head, right a boom, which mm-Hmm.
Um, I'm gonna run over there and register and see. It would be very, very, very cool. Um, Matt Lee, thanks for jump jumping on real quick. We have to have you on, um, maybe with Tim Fornet and that whole dr thing, Ryan knows, maybe we could do a two, a thing or two about a, um, a cyber called dedicated to Dr. I think that'd be really, really cool. Um, Gary, as always, great questions. Always appreciate your perspective and Wes, uh, always have awesome having you on.
Until next week, everybody, uh, have a great one again, Scott, much appreciated. Take care everybody. Thanks Very much.
Related Videos

The Vulnerability Crisis No One is Funding
The Vulnerability Crisis No One is Funding

The Vulnpocalypse Is Here & Your MSP Can Survive It
The Vulnpocalypse Is Here & Your MSP Can Survive It

The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois
The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois