Skip to main content
Right of Boom
January 30, 2025

How MSPs Should be Engaging CISA & US Govt. for guidance and funding

In this video, industry experts discuss the role of Managed Service Providers (MSPs) in cybersecurity and their engagement with government agencies like CISA. They delve into the importance of sharing threat intelligence and the need for actionable data to enhance security practices across different sectors. The conversation also highlights the necessity of prescriptive security frameworks and the potential for increased collaboration between MSPs and government bodies to strengthen the nation's cybersecurity posture.<ul><li>The importance of managed service providers (MSPs) in the economic engine of the US, especially in supporting small and medium enterprises.</li><li>The need for better engagement between CISA and MSPs to enhance cybersecurity measures across various industry verticals.</li><li>The role of the Center for Internet Security (CIS) in providing prescriptive guidance through its critical security controls and the development of a costing model for cybersecurity implementation.</li></ul>

Guests

Andrew Morgan

Video Transcript

Back to the same bat time, same bat channel. And, um, man, Gary, uh, let's just start off, before we get into today, um, I just want to thank you for having us all in Phoenix. Oh, I thought you were gonna say to start off with the Eagles. Oh, that's, Hey. Go Pittsburgh. Eagles. All the sports ball. Yeah. No, still. Yeah, Man. Yeah, no, we could certainly talk Eagles. Uh, congrats to you guys, Gary. That's, that's exciting stuff. Yeah, absolutely.

I had a great day with my family, uh, at the game and, uh, yeah, it's fun, right? When teams don't often win, uh, when they do, it's super fun. Not often. Also, Andy Reed won with Eagles and now Mm-Hmm. Is on the, uh, opposing side. There a kind of a little history for us, right? Yeah. It's kind of a, it's a cool story.

I, I'm gonna feel bad when we crush 'em in the Super Bowl, Not, but, uh, so Gary, how about a recap for those that may not have, um, been at SCH Fest last week, maybe, you know, just bring us together 30, 60 seconds, what you may have learned, what you've taken away There was, what, 500 MSPs there in the room? Many in your peer group. Yeah, it was, well, just a great week from SCH Fest into our peer meetings.

And, um, really, I spent the morning Andrew talking about, I think we're at a different point right, in this industry. And, um, the core of the business hasn't changed, but I think there's a lot of new technology that's gonna impact, you know, key things you've always done around support and security and, and project projects, uh, you know, professional services.

So we really got, it's a chance to step back and gain perspective about what we need to do to stay ahead of things, and then, um, to have the cyber call live. Uh, I mentioned when we were in the green room that, um, the ratings are coming in the surveys, and everyone really loved this team, uh, and the perspective that the three of you, um, bring really valuable. So it just was really fun. It was fun to go live, uh, and kind of do things in a different way and be able to do it from stage.

We should, we should do it live once in a while more often, right? Sure. That's awesome. Yeah, It, it was also refreshing just for us to have a, like us all the talk. And Andrew, I heard a lot of people say, I loved hearing Andrew's comments, like he's always the one that kicks it off. But, you know, you kind of, being, we flipped the seats with, with Gary interviewing you, that was a lot of fun. And so, oh, thanks. I think people really enjoyed hearing directly from you too, Andrew.

Thanks, Bud. I appreciate it. Yeah, it was a lot of fun. Thank you for that opportunity, Gary. And then we'll all be together, all of us right here, all and many of you in three weeks. Uh, three, not two, but, uh, yeah. So we're gonna be, uh, together in Dallas and we did our final walkthrough at the Gaylord. It's gonna be phenomenal, um, phenomenal event. So, uh, alright, let's get into today. Um, first off, uh, just a quick announcement.

I'll put it up momentarily, but we did get control 15, Kurt 15. Now on the cyber cast is out. Um, just so you all know where we're headed with the cyber cast, when we get to control 18 and finish there, we're going to kind of circle in with the respond and recover functions that are missing to a degree in the controls and look at how we can, uh, bridge that gap. Um, so we're gonna, we're gonna really focus in there.

I know, uh, Phyllis has been really open, um, about feedback and, and seeing if, you know, CIS would be more acom, you know, accommodated, for lack of a better word, and bring maybe that some of that in, in version nine or eight dot whatever. But, um, so that's where we're headed, um, for the next stage of the cyber cast. Um, okay, uh, in setting the stage, before I introduce our awesome guest who's been with us before, not often you get a former CI, uh, NSA, sorry, Kurt NSA director with you.

Um, let me just set the stage. Um, and the reason I wanted to do this, um, event on how MSPs should be engaging with CS a and government for guidance and funding is, um, CSA once again last week, put out another publication, for lack of a better word. It was in conjunction with Ms. isac, but I did a little history digging, and I'm sure I probably am even missing something, but I'm gonna kind of look down. I'll put all these URLs in there for you to take a look at.

But as early as May, 2016, and this Wes was when you and I started working together in our days at back at Perch on go to market and everything, CISA says, CISA is aware of ongoing A PT act, uh, a PT actor actively attempting to infiltrate the networks of global MSPs. It goes on, but there, that's one publication. It's May of 2016. I remember that. I remember that. Yeah, yeah, yeah. Then in May of 2017, CISA puts out, and I forget the exact acronym, but it's part of a, a commission within csa.

While the N-C-C-I-C continues to work with a variety of victims across different sectors, the adversaries in this campaign to continue to affect several IT service providers to achieve operational efficiencies and effectively it, many IT service providers often leverage common core infrastructure that should be logically isolated to support multiple clients. And that's in 2017. 2018. CSIS says, uh, it's the National Cybersecurity and Communications Integration Center.

N-C-C-I-C is aware of ongoing a PT actor activity attempting to infiltrate networks of global managed service providers. In 2019, we had SolarWinds in 2020 CIS, and the MSIs SAC released a ransomware guide noting, uh, MSPs, uh, throughout a section there. In 2021, we had the Kaseya incident, and most recently, in 2022, just last week, cisa and the MSIs SAC published cisa says, federal agencies attacked in a ran run refund scam through remote monitoring and management software.

I'm gonna leave a, um, Gary, for the first comment for you. I would love to say it, but it's perfect for you. But with that, Kurt, always awesome to have you, um, can't wait to see you in person in a few weeks. Tell us a little about yourself, um, your background at a small agency that we know about and what you're doing these days. Yeah. Hey, no, uh, thank you, uh, Andrews.

But first, you know, I gotta say, uh, kudos to, uh, to yourself and, and to, uh, you know, the, the cyber call and, and cyber nation, everything that you guys do. 'cause really you're forcing, um, security best practices through your, um, you know, through your channels to actually help each and every, uh, managed security service provider as well as managed service provider. And so, I, I just really want to give a shout out to you and the, and the team here for that, uh, a little bit about me.

Um, I'm, um, executive vice president and general manager for what we call security best practices here at the Center for Internet Security. God, I've been here for, uh, over five years. I think I'm just now starting my sixth year at, uh, at CIS. Congrats. Yeah. Prior to that though, I spent, uh, a little over three decades, and yes, I, uh, I ticked the box on being old.

Um, so a little over three decades at the National Security Agency, I started off as, um, a computer scientist, uh, quickly realized that although I could program, it was not my passion. So I, I moved into, uh, into management. And, uh, my last position was leading the, um, what we call the information assurance mission. There at, at N-S-A-N-S-A has two missions. There's that much smaller, externally focused, uh, you know, mission around, uh, signals intelligence.

And then there's the more important one, which is really about protecting the homeland, which is, uh, which is what we call the information insurance mission for that, uh, um, one of, maybe just two other quick tidbits. Uh, I, uh, also served in the military. Um, I went the country club route to my military service. So I went in the Air Force. I did five years there. So, uh, aim, high fly, fight win. Um, I'm also a runner and a cyclist. Uh, I will admit, my running days are mostly behind me.

Uh, you know, as you get up to a certain age, age group, you know, you wanna keep those joints, you know, it's, you know, without having to be having any artificial, um, attachments to them. So, uh, I do minimize my running, but I still do, uh, a fair amount of cycling. So, with that, I'll hand it back to you, sir. Awesome. Well, it's awesome to have you, Kurt, and, and thank you for all your service to our country, many, many decades of it.

Gary, um, this, uh, I'm gonna hand it over to you, my friend. Yeah. Again, thank you for your service. Um, so Andrew thought that I'd start off today and lead things mainly because of all the co-hosts. I am, I'm, I'm the most mild mannered, I'm the least sarcastic, let's face it. I'm the nicest one. Right. So he thought it was best for me to, to start off. So my question, you heard Andrew, with that lead in, right? Yep. Every year, right? Everythings are coming.

So I mean, in terms of cisa, there's nothing to worry about, right? Like with MSPs and SMBs, like we got it cover. Do you feel like you could just go focus on other things or, Yeah, no. Uh, from a, if I were in cisa, you know, I think I would be doubling down on, uh, reach out to, um, to managed service providers. Um, I think, um, you, um, um, you provide a very important role for, you know, the economic engine here in the us, which is those small and medium enterprises, uh, for that.

Um, and I, so I, I, I really do think they could, they could do more in this area. Um, that said, you know, I mean, if you look at their mission statement, it really is around critical infrastructure. And, you know, and fortunately, or unfortunately, those, you know, managed service providers kind of cut across every one of those industry verticals. Um, so, you know, you're, you're, you're, you got one foot almost every camp, so you're, you know, in pretty much every one of them.

Um, yeah, Well, we're only 55% of GDP and 80% of new jobs. Yeah, just a, just a small part, Pretty critical infrastructure, I would say. Yeah, no, I, I, I tend to agree, and that's kind of why I, you know, I, I think there, uh, really is a need for, um, for better, uh, engagement, um, between CSA and, and the managed service providers.

I'll give you just one other quick comment, and that is, is, you know, about, uh, I guess a little over a decade or so ago, maybe it's approaching two decades, uh, Maha how time flies, but, you know, they created this, these information sharing in analysis centers, ISACs, um, and they, and they kind of tiered it, uh, tied it originally to critical infrastructure. It's since kind of broadened to almost every in in industry vertical.

You know, my, my question would be is, is, you know, should there not be a managed service provider, um, isac, I, I know there's, there's sort of kind one, but I really think, um, it, it, it would create a forcing function for CISA to, to leverage, uh, the MSP ISAC to kind of actually help promulgate better, um, threat intelligence, uh, to protect pretty much every industry vertical in that, in that sense. Yeah. Listen, I mean, I, we said we're, we're looking for ways, right?

To get your organization more involved in our space, other than Andrew being such a nudge, uh, right. And constantly asking, uh, for things. Um, but what you're talking about there, um, I think it's something important. You know, what we've seen in the past is because we don't have anything really strong in that area, when things happen, you end up seeing different vendors actually become like a source or, or, or control the narrative on things. And I think it's dangerous.

So, um, yeah, we, we definitely would be, uh, we're, we're supportive o of, of that, uh, you know, uh, for sure. Is there anything else that we can do to, to help get more engagement and, and, and get more people to understand, you know, what you're doing or, or, or any other ways that you can help our community? Yeah, I think there's, you know, a couple things now. First I'll talk first about cisa and then maybe a little bit about the, the Center for Internet Security.

And so I think when it comes to cisa, it really is, is that, uh, I don't, you know, I don't think it's blind ne neglect on their end. I think they just, their, their focus has been in a, a couple of different areas, but I don't think they understand their, the importance of, of what the MS MSPs do for the nation, uh, in that regard.

And so I think there's an opportunity to, to not only use, uh, forms like, like this, but also use some of your, uh, the customers of MSPs, many of which are, um, in industry, but, uh, an equal number probably are in the, uh, in state and local government, uh, as well.

And, and, and have them start channeling the need for better engagement between CISA and the, and the organizations that actually underpin and create the, uh, the IT and manage the IT for, uh, uh, you know, for the SLTT community, as well as for, uh, the, uh, industry vertical as well for that.

And so I think that's an opportunity, um, you know, for you when it comes to, uh, the Center for Internet Security, you know, we, we, uh, operate both the multi-state information sharing analysis Center Center, and as well as the elections infrastructure isac. Um, you know, again, you know, we, you know, since we're funded by CSA to provide that service to, to those two communities, you know, it, it has to be, you know, A-S-L-T-T member break break.

Uh, my view is, is that an MSP is an extension of the SLTT member. If, if, if you're providing services for that, for that SLTT member, then there should be a relationship between, uh, the ms I Sac and you, uh, especially when it comes to sharing threat intelligence Mm-Hmm. Because who's actually going to, uh, who's best posture to protect that infrastructure the industry is? Yeah.

Well, just so, I mean, I, I would say, just so you know, Andrew and I, and the team, and, and, and people here that we, we work with in our community, you know, we're happy to come to Washington. Uh, I mean, you would need to send your plane for me, but assuming you raise Your hand if you wanna see Gary, uh, being interviewed by the Senate. Yeah. So any, anytime you always, you always have access, uh, you always have access to us.

So, but, uh, real, really good work, and it's really, uh, really important work. I think there's emerging here, right? That has to happen. And this is not gonna get solved, uh, by private business alone. It's not gonna get solved by agencies alone. And, uh, so the more we can be part of that partnership, I think the more we're doing, uh, to be able to help you know, our people. And that is the IT providers, uh, and their customers. So, uh, with that, Wes, go ahead.

Yeah, I was just gonna say, Wes, I'd like you to comment on this. Um, it has to do with the, in information sharing. Um, Wes, you know, FS IEC has 7,500 banks, but really only the biggest, the big or set up and our setup to consume, hence what, what the original intention of PERCH was. Um, is it wrong to say to cisa, like, Hey, if there was funding, one of the areas that you could help us in is build maturity, you know, to help that piece of it.

And again, I, if you're in the CompTIA isac, I, I'm, I'm supportive. It's not about like one versus another. To me, it's about maturity. And do you have the capability to consume threat intelligence and understand the, you know, the, the sharing of it? I mean, I mean, I argue most people don't even understand sticks and taxi to be able to, you know, start there. So there's this whole crawl, walk, run. So can you just give us your perspective? You chaired a board at the FSI SAC around this?

Yeah. W when I complained loud enough, because, so here's what happened. You talk to anyone out there in the, in the financial, uh, system, and you're like, Hey, do you, you a member of F SSIS sac? Yes. Do you like it? Yes. It's awesome. Why do you like it? Oh, I get all this information about all these cool threats. Wow. What do you do? How do you get those? Oh, I get 'em over email. How many emails do you get every day? About 200. What are you doing with all 200 of 'em? Uh, nothing.

You know, like, I try to spot check them. I mean, that's, it's a problem still to this day. And Andrew, I would complain about it and complain about it, and complain about it as a member. And those punks ended up electing me as the member chair. So here I am as, um, with 4,000 banks and credit unions that are 10 billion assets and below, and we're all stuck. We're all not able to do anything with it.

And, and so I would just say that there's a difference between like, um, when we talk about threat intelligence, about sharing these indicators, these raw ips and domains, and like, it's great to have a fire hose of all this stuff everyone's seeing, but 99.9% of businesses can do nothing with that. There is not a way to automate it in a way that is actionable. And so I think what we have to do is we have to say, look, it's great to have that the threat intel analysts of the world need it.

Let's put it into their veins and let 'em come in Matrix style and do something with it, and their threat intel platforms. But at the end of the day, MSPs and small business need actionability. Tell me what's emerging. Tell me what to do about it, make sure it's not, it's doesn't have false positives everywhere. We, Andrew, we are in 2023, and we've not solved that problem. And that is part of why, and I, if I can just say this, I think CISA doesn't know this.

I think so many big orgs are just sort of like, well, how is this a problem? Just hand this to your threat Intel analysts, and off you go, right? It's like, that doesn't exist. Most of us don't have a single person dedicated to security. So we gotta, we gotta solve that problem. One of those ways I think we solve it is focusing a little less on, um, act like, uh, IOCs and a little bit more on incident data. What incidents are we seeing? How are those incidents happening?

What are the top TTPs that the bad guys are using? Like, what are T tactics, right? Uh, what styles are they using? The, if we focus more on incident based data, I think we can move the needle a lot further. And we're not doing that yet. And I, sorry, Phyllis, you said That's okay. Phyllis, you said preach it. I, I'm curious what you think about that, Phyllis. 'cause I respect you deeply with your knowledge and would love to hear what you think. No, I 1000% agree with you.

So when I was at the NSA, I worked with, um, many issacs, and it's, I, I agree with you. The, the FSIS SAC has a great reputation, but if you're not in the clique, you're not in the clique, and it's all the big banks. And that's, that's pretty much true across almost all the ISACs, I would say Red isac. The, the colleges are pretty, are, are, are, are a little bit better, I would say. Um, and it's true.

You know, I was there when sticks and taxi was made, and I was like, okay, but who's ingesting all this data? And, you know, um, what do we call them? Automated courses of action. Like, who, who is actually doing that? Nobody. Not even a big bank, Right? It reminds me when, um, the first time when we first installed an R Amendment in the beginning, and we thought, this is great, we turned on all these alarms and we got flooded with so many alerts that literally we couldn't even open 'em.

Like you said, we were spot checking 'em, and it was worse, not better, right? So we had to figure out like, like just what you said, we can't look at everything. What is it that we can look at that's actually gonna be an indicator of something that we would do or take action on? And even though there might be important data in the rest, we're not gonna, we're not gonna be able to review it in that way.

Maybe we can look at it in bulk and do other things with it, but day to day, we need to figure out how to turn this into data that we're actually learning from or doing something from. And I think this is the same kind of concept. I agree with you there as well, because it's, you know, people always, like people, many people think they need more data so they understand what's going on. No one needs more data. There is a ton of data.

It's exactly what Wes, you and Gary talked about, is we need to distill the data so we can get actionable data. Um, you know, that's, um, simple, you know, or easier to consume than what we have now. So I agree with everything that you said, Wes, and, and, and we have been struggling with this for decades. Yeah. I, I'm curious, Kurt, if you could give us some of your thoughts. I think We're asking Kurt to help solve it. Yeah, yeah. Fix our problems. But Kurt Yeah, we're changing.

I'm curious, curious, Kurt, what you think about crc. You know, the cyber Incident reporting Act, to me, I look at this as like, okay, this is the federal government at least starting to signal that we need incident data. So you better start sharing it with us at some point soon.

Um, is I, I think it's a step in the right direction, but I'm curious that your commentary is around ccia and its impact that, that it'll have to this challenge we have of like, not knowing what's around us and what to do about it in a flood of information. Yeah, no, I, I, I'm, I'm largely supportive of it. And, and the reason being is, is 'cause we all learn from others, uh, misfortune. Um, but I, I also believe though, uh, that we're, we're lacking in some context on, on the incident.

And again, I think, uh, Wes, you nailed it when you said, you know, less about the IOCs, more about, well, about the incident, you know, from my lens, you know, I'm always gonna be interested in, you know, what, you know, what defenses were working, were, were not working, and, and more importantly, are not working. And, and so, so I kind of need to understand, you know, hey, you know, did I have an effective patch management program?

Did I have a, uh, were I, was I configuring to a to a known standard? What, what defensive tools, um, you know, did I have in place? Um, things of that nature. Um, and then, and that truly is gonna help us better understand the adversary and their, and their TTPs. I mean, today, frankly, it's just too darn easy for them.

I mean, they, they throw out some, you know, some phishing, some smishing, some, um, phishing, uh, type of, uh, you know, uh, content, you know, and, and there's always gonna be one in individual that, that, you know, that connects or connect, uh, connects on the, uh, on that. And, and they get, um, initial foothold. And then, then from there, the poor state of security within the environment allows them to, um, to elevate and then, uh, move laterally across, across the, uh, enterprise.

So, fan of incident data, again, you know, we have to be careful here because there, there will be liability concerns for, for organizations that have to kind of work through that. But, uh, but also the context of what was the, if you will, the defensive state of that enterprise when, when they were attacked.

Um, so that we can then maybe come up with ways to actually automate, uh, defensive measures, uh, to remove certain classes of, um, of attacks that, uh, that adversaries use to, to ruthless effect today. I mean, let's, let's be real here. I mean, ransomware, you know, still, still a huge problem. And oh, by the way, everyone wants to talk about ransomware in K 12 or ransomware in, in healthcare.

Name me a a vertical that's not been subject to a ransomware, um, or have not been victims of a ransomware attack. There are none. There are none. Exactly. So, so the point is, is the, the, you know, the defenses are, are known. It's just not, we're not, we're not implementing them, and we're not measuring ourselves against the, against them. That's well said. Gary, I think I stepped over all your questions. Sorry, my friend. No, No, I was handing it over to you. You're Good. Oh, okay. Okay.

Yeah. Well, you know, I don't wanna start when you get This fired up. I, I, I, I just, I'm getting outta your way, man. Fair, my friend. Uh, so I don't wanna start a, a hate session on csec 'cause I love what they're doing, and I think we all do, and they're needed, and I love seeing how they're growing, right?

But I do think at the same time, you look at the recent publication that just came out and everyone started talking about this and, you know, is this, you know, one of my friends was like, is this the end of RMM? You know, and I'm like, no, of course not. It's not the end of RMM. And, uh, but, but even looking at the, the publication itself, an EMSP probably took a peek at that and said, that's not exactly what we classify as RMM, right?

Like, we co count that more like, you know, like the automate and the auto task and, and those types of things. Um, less, you know, these screen connect kind of, uh, platforms, right? So we kinda look at them and we're like, this just doesn't even like, seem to understand our industry. Right? Are we just taking another bludge bludgeoning for, for this? I'm just curious what your, your thoughts are.

Like, what, what will it take for CSA to genuinely understand and, and maybe hard to answer this, but to genuinely understand the MS. MSP space. What, how are they, what do they need to do to better understand us? Yeah, so first and foremost, it's really around dialogue, you know, with, with the msp.

So this is kind of the theme, you know, if, uh, for me today is really around this is gotta get engaged, uh, with MSPs, again, whether it's through, you know, um, a confab like, uh, or, uh, you know, consortium like, uh, cyber Nation or, or somewhere else. But there's an opportunity here for, for CISA to actually learn, uh, about how, um, infrastructure is actually managed by MSPs, uh, in, in that regard.

I, like you, Wes, I, um, I read the, um, the alert or the advisory, I forget what the term was for it. Um, and you know, for me it was, well, this is nothing more than yet another run of the mill, you know, phishing attack, you know, where they're trying to, or, you know, I guess, um, you know, I guess the new term is, uh, ving as well for voice.

Um, but, um, but bottom line is they're trying to get, you know, the un unsuspecting user to either go to a, um, you know, um, a website or to, to download, um, uh, some type of portable, portable executable. In this case, it happened to be in a, you know, A RMM, you know, portable executable. But that was really not the focus of the attack.

It was really about, again, getting the initial foothold and then, you know, being able to sidestep any type of administrative controls in order for them to, um, you know, establish and then, and then, um, evade it at that point and, and create that back door, you know, for that. And so the, uh, at best the alert or the advisory was misleading. I mean, they, they, they had all the different components, but it was, the topic was really on RMM. And, and, and that really wasn't the topic.

It was still about, you know, they're using run of the mills ways to get, uh, unsuspecting users to, uh, I hate to say it, have a bad, bad moment, in which case then depending on the state of the, um, of the, um, security on, on the enterprise, you know, they're able to, um, evade and, um, and elevate. Yeah. And I, I, you're right. Um, and, and I think, you know, I see a lot of comments in the chat about, well, bring us to the table. We want to talk. And I think we all would say that, right?

We all designate, um, you know, Gary Pika being our, uh, spokesperson. He will, he will testify in front of Congress on our behalf. I would love that. I, I think we don't have a seat at the table, and I think we all kind of get a little frustrated because we serve just this massive industry. I did this data study recently with looking at census data from 2017, which is the latest, and looking at how many small businesses there are and how many employees there are in those small businesses.

And of course, I don't remember the numbers anymore. I could go dig the data up, but you're talking millions upon millions upon millions, and we're just sort of like, why is such a huge, colossal size of industry just completely, I don't wanna say completely ignored, but not truly understood. That's probably the best way to say it. And I think we're all saying we wanna be understood, we wanna do better.

Um, I'll even say, Kurt, from my perspective, whenever I speak about security to end users and clients, which I do all the time, and I reference the cybersecurity framework, I can say things like, this was created by the federal government, right? This is thousands of people hours that went into its creation. And even if they don't understand it, they still respect it. They still come back and say, wow, that's, that's good. I mean, I guess that makes sense, right?

And I think, I think CISA has so much potential to be able to do these things. Um, but but they're not leveraging it in the right way. Yeah. They, they are. And I, I'll, I'll give you maybe two other examples where, you know, and first thing I'll tell you is, is creating best practice guidance. You know, creating the guidance, uh, is is not that difficult.

But really the, the, the proof is, is actually ease of implementation and, and, and measuring yourself against, against that guidance, uh, in, in, in this regard. Now, you know, thankfully, you know, um, uh, Phyllis is part of your calls, and, and we think we try to help in that regard from a, from a CIS perspective with our, with our critical security controls.

The other piece though, that really is, uh, is a, a bit mind numbing to me is, is that, you know, there's not one set of guidance coming outta the federal government. Yes, you have the NIST cybersecurity framework. Yes, we have a national standards organization called nist. Um, but you know, when it comes to certain industry verticals, there's other, uh, government agencies that are creating best practice guidance there and, and sets of requirements.

Now, um, on this call, I, I guess if I guarantee if I polled each and every one of you, you would probably say, Kurt, you know, 80 to 90% of those of the recommendations independent, uh, industry vertical are, should be the same and, and are the, are the same. So why can't we just create one set of, you know, um, requirements that we wanna measure, uh, industry verticals against, and then actually help automate, uh, how do you actually implement and, uh, and measure yourself against that.

And so that's, that's really where we, we need to go. Kurt, I know, if I could just interject, I know Wes is involved in cyber insurance now quite a bit, and no cyber, you know, insurance carrier has said, you know, we're aligning our questionnaires to CIS, but implementation group one, but I mean, it doesn't take a rocket science to look at the questionnaires, and they're pretty aligned. So, you know, it's interesting that insurance is taking that lead, but not necessarily others.

And, and so just a comment, um, Wes is, is that fair what you see in the questionnaires? Yeah, if you are, let's just say it this way. If you're already going, if you've gone down the CIS journey and you've got through IG two, you're ready to go for cyber insurance, you just are.

And we could probably do some work around, like, the problem is every carrier has their own underwriting and their own specific questions, but they all boiled, most of them boiled down to a large subset of certain things. And I've already looked at it, Phyllis, you and I have talked about this. You look at what insurance is requiring, and you look at the CIS journey, I look at CIS is the Rosetta Stone, right?

Like, this lets me translate between what I need and every other third party, be it insurance, be it federal government, be my supply chain, be all the industries I serve, if I, if I go down that it is the one, um, middleware that gets me, I'd say 90% of the way, if not a hundred percent of the way. And insurance is no different.

Um, and, and so yeah, I, I do think that Andrew, but the problem I think insurance has, and, and Kurt, I'm curious your thoughts on this is how do we know, you can say that you're CIS you've gone down IG two, but how do I know who's attesting to that? Is it just you, are we gonna bank on this and, and say, you're an insurable risk for us when you just set it and we don't know it?

And I think that's a problem that insurance has, and that's why they want to ask control specific questions instead of just like, hand me, tell me your C-I-S-I-G two, you know, fully aligned. They, they want to ask specific questions, they can come back in the aftermath of an incident and say, you said you had MFA everywhere, which you didn't. Right? So that, that seems to be the problem that we have. What do you, what do you think about that, uh, Kurt? Is there like an alignment?

How do we, how do we solve that? Yeah. I, uh, to be honest with you, um, I think the stars are actually starting to, to go into alignment. Um, over the last two plus years, maybe three years now, a number of states have actually enacted legislation, right? And again, they're, they're trying to incentivize, um, you know, cybersecurity programs within their state. And, and, and not only within government, but also within the private sector, within the state.

Ohio was the very first one to actually, to enact that, followed by Utah and etiquette, uh, even here in the great state of Maryland, you know, we're, we're hoping to get, um, legislation, uh, introduced, uh, this year as well. But really what it's all moving to is, is first aligning with a, with a standard within a framework, right? You know, and, and yes, the cis critical security controls are one, at least one of the ones listed as well as NCSF and, uh, 801 71, and, uh, 853.

Um, but, you know, the, the piece that I think has been missing is, is, okay, well, I'm, I'm, as you point out, Wes, I, I'm, I'm saying I'm aligned to the cis critical security controls if I suffer a breach, well, how do I prove that I, you know, that what I aligned and actually did what I said I did.

And so, so what, you know, you know, and Phyllis is kinda leading the charge here within CI IS is we're working towards, is creating, you know, um, guidelines that would be used within a court, you know, to say, we believe that, to prove that you'd implemented the CIS controls, and these things should be part of that, you know? And so we're gonna be somewhat specific, and we'll make these guidelines available to, um, both defense as well as prosecution, as well as, uh, to, um, to a judge.

Ultimately, the judge will decide on what is that standard or reasonableness. Um, but there's nothing wrong with providing guidelines on, you know, from a technical perspective, what we think are right. I think once we have those in place, then you're gonna start seeing more and more alignment, um, and saying, okay, here's what I need to do. Here's how I prove it. Should I ever suffer a breach? Um, and I, I get hauled into, into court, uh, in that, in that regard.

And so I think we're moving in that direction. We're not there yet, but I, I am hopeful You, I think you use the R word Kurt, uh, reasonableness and I, that was where my brain was going to is, um, and maybe this is a question for Eric Tills, Spencer P*****k, Brad Gross, and others that sort of look at this more from a legal perspective than I do.

But you know, Gary, you just mentioned this earlier in the comments, be careful about like the, you know, one pager, get outta jail free sign this thing. And I'm, you know, okay with it, the literal live stream I just did an hour ago, we were talking about this. Exactly. And I don't know that that holds up really well in a lot of courts of law in the aftermath of a breach. When they say, you, you let them exclude away MFA, and now they had a breach because of it. How are you not liable?

Oh, I got this one pager. They said they didn't, you know, they don't backfires. Yeah. So, right. Have the opposite effect. Bingo. Who's, who's responsible here? Again, tell me who's the one that's actually responsible delivering the services, what's reasonable here? But we still don't have Kurt, to your point, that like, maybe we just need more, um, case law here of what's reasonable. But I do think that goes a long way if we have courts finally decide this, these 10 things are reasonable.

And, and I think that solves a huge part of this problem. No more do we argue of, well, A CEO just doesn't like this. Well, I don't care. CEO, that's not reasonable. It's not gonna hold up in a court. You have to have it. And we walk. Um, I, I think that's a problem that we have right now.

And a lot of MSPs, Gary, are probably happy to take someone's money and give them the one pager instead of trying to sell them and teach 'em what they really need in security because they want the money, and they're afraid, well, I would have to fire 'em and I lose the money out of it. And that's a problem. Yeah. And you shouldn't have to use that as a sales technique. Yeah.

In other words, if you understand it and you're able, that means you need to understand more and be able to communicate better the landscape that we're living in, the landscape that they're living in. Like we're just helping them. Our customers are living in that landscape. And, um, yeah. So I think you almost get thrown off when these, when, when people and, and then they're all well-meaning of why you should use this, but we need to be better.

So yeah, just maybe just one quick comment, you know, and, and, and it has to be more than, uh, okay. You know, um, you know, at, at day one, I've implemented a program, and here I, you know, I, I, I can print out, you know, how I've implemented it. But at day two to day, you know, 365, you gotta continue. You, you gotta be able to demonstrate continuous, uh, you know, measurement against, against that, that standard.

And I think that's where I think, you know, um, we have opportunities with tools and, and where you can actually do samples every so often that you've done that.

The other point was that you bring up, you know, is, you know, excluding away a con a controller, a individual safeguard, that may be okay if you've actually implemented a, I've done a risk assess assessment and says, you know, for that control, I've got, uh, other contributing, um, security controls in, in place, therefore I don't have to do that investment. But the key point here is you've done a risk assessment, and that's why you excluded that, that control.

And so it's, it's part and parcel, not only the framework and implementing it, but also the risk assessment. Uh, and, and then, and then measuring yourself continuously, continuously doesn't mean every minute, every day, but you know, periodically you're, you're, you're, you're revalidating the state of your, of the security within your, within your enterprise. And once again, the sage curt speaks because this is where, this is where insurance is going.

You just mentioned that word continuous, and that's where they're pushing heavily into is how do we do continuous underwriting? We are ready to dump this point in time. Ridiculous. Give me a questionnaire and a PDF, and I assess the answers. They're going as fast as they can towards continuous underwriting. They don't really know how to get there. Uh, but that's where they're going for that exact same reason. I think this all kind of, the puzzle pieces are aligning, aren't they?

Definitely aligning. That's why I said I'm, I'm, you know, I gotta tell you, for having been in this business for, I guess my, my NSA time plus my CIS time, I'm, I'm approaching, you know, four decades now. But, uh, I, I'm, I'm hopeful that, you know, in the next year or two, we we're gonna be much further along and, and we're gonna, uh, we're gonna put a cost on the adversary to attack us, uh, which I think is gonna flip the dynamic here.

It doesn't mean they're still not gonna be successful, but you're gonna at least remove certain actors from the, from the playing field at that point in time. Yep. Agree. Um, my last question before I hand over to Phyllis is, let's talk about threat modeling a little bit. You know, Ryan Weeks did such a good job recently over the past couple of years, around what threat modeling is and teaching us really how to start thinking about it. And even the flexibility that exists.

I don't have to do threat modeling the same way, like large enterprise does, and that's okay, right? Um, but I think one of the things that we need help with within the channel, and maybe CIS can provide some of this for us, is, can you help us threat model, like, help me as an MSP understand how could I work with my clients and truly threat model, maybe the finance industry, healthcare industry, state and local tribal territories.

Like, take each of these industries and just teach us more about like, who those adversaries are, how they would go after us, what that would look like, what defenses we should align on, what we should be focusing on. I think that's a gap. That's something I'd love to see us really start focusing on in the next couple of years. Do you have any commentary or thoughts on that? I know I'm putting you on the spot here, but just curious what your thoughts are.

Yeah, I mean, uh, uh, first thing I gotta tell you, I think, um, we have more in common than not. So when it comes to threat modeling, I mean, again, just picking ransomware as one example, every industry vertical, you know, they're not, they're not just, there's not one ransomware gang that's just targeting this sector. They target whatever's available to them again, and 'cause they're looking for a, a payout or a payday for that.

And so, but I do think that between the, uh, federal government and, you know, you know, the Center for Internet Security and the MS isac, uh, as well as other ISACs, you know, there could be more that's done to kinda, um, break these into more discrete points that, so that then, you know, depending on who, who you as an MS P are talking with, then here's the what's in common. But here's what's unique to that, um, to that sector.

And so I think that's where the, the ISACs, um, could come into play. Now, Wes, I'm, I'm, um, I'm a pragmatist. I'm a realist. Um, we're not there yet today. I don't know, uh, not every ISAC is equal. Um, you know, the, as the FSI SAC is operating at a much higher level than say, um, the retail isac.

Um, and so this is, uh, an example where I think we owe it to ourselves, uh, to actually start equipping some of the smaller ISACs with that, with that, so that they can have some of the conversation. And maybe that conduit for that discussion is really through the MSPs, because again, you're in, you're in every industry vertical for that. But I do think there's more that could be done. I think, you know, we, we understand the ransomware gangs, we understand their TTPs.

Um, you know, and I, I'll admit, I, um, I contribute to, um, a twice weekly, um, um, news, news service. You know, I, I provide, you know, uh, Kurt commentary, if you will. Um, and, you know, and, and every time I see a ransomware attack, and then, oh, it's was the healthcare sector, my, my, my answer back is, is same, same attack would've worked in any other, any of the other verticals. Let's not make this specific to the healthcare sector.

Let's actually, we need to do basic things across every, every vertical. And I think, I think the ISAC model could be something that helps that, uh, in, in partnership with, uh, with, with the MSPs. Agree. Before we, Hey, Wes, before we go to Phyllis, I had my most important question, I forgot to really ask You better throw It out, is that, um, you know, Kurt, we've seen the impact now of so many people who know your organization, mainly because of Phyllis.

And my question was, will this be reflected in her annual raise? Ooh, Thank you. That, that I mean, Asking for a friend. Yes. So, uh, as I, you know, it's, you know, it's funny, you know, it seems to be a common theme with, uh, Phyllis, whoever she talks to, somehow it gets to compensation with her. And I gotta admit, um, she's been very, um, um, uh, very surgical and, and the ability to actually get them to actually lobby for her.

So, uh, so Gary, to answer your question, is, is yes, it did reflect in a promotion for her, um, last year as well as a, uh, as well as a, um, a, you know, salary increase as well as a bonus for her. Uh, that doesn't mean that she doesn't have more work to do this year, but at least it was recognized last year, uh, that her, her skills were, uh, were sought after, uh, by, uh, by the Center for Internet Security. All right. That's all I have.

So, um, Yeah, Phyllis, you do have to tell everybody you're no longer a director. Can you? Many don't Know. Oh, thanks. I'm vice president now. Yeah, big, big, Like the show beep. Thank you, Gary. You know, Andrew, next year, um, we'll have to have Kurt, no, this year we'll have to have him on around November, December timeframe. 'cause that's, you know, that's around our promotion time. And like, Gary, you can ask again.

We'll, you know, We'll, we'll, we'll, should we ask for John Gilligan to come on as well? I mean, is that, I mean, we, we can have the entire CIS executive team and board. If you'd like, Phil, you could just make the cyber call about your raise if You'd Okay, cool. Alright, I love that. I love this community. Of course you do. Alright, and with that Floor's yours, Phyllis. Thank you.

So, um, we know, um, you know, obviously MSS ISAC is the other half of CIS and you know, we've talked a a lot about the power of an ISAC or the potential power of an isac or IS is a o um, how is it that, um, you know, MS IAC could be interacting better with the M-S-E-M-S-P community? What is it that, um, MSIs SAC should be doing, perhaps what MSPs could be doing, et cetera? Yeah. Um, two answers to that question. The first one is just specific to the MSIs sac.

You know, again, I, I think leveraging, um, the, the customers that, uh, MSPs already have, as long as they're within the SLTT community, then that, that, you know, then the MSSP is an extension of that SLTT, um, community member. And, you know, there's absolutely no reason why, um, the MS ISAC can't be sharing, you know, threat, um, data with, with that msp, uh, in that regard. And again, it just, it takes that, if you will, three-way connection with the SLTT member. Uh, in that regard.

It's unfortunately that, you know, that's highly retail. Um, and we need, really need to move to more of a wholesale, uh, type of opportunity for that. And so, you know, maybe that's becomes a discussion with between the MSIs SAC and csa, uh, on hey, you know, acknowledge the vital role that msp, um, play within our economy. Um, and, you know, we've got to be able to share with them, uh, active threats.

Um, and again, regardless of industry vertical, because every industry is gonna be subject to that, uh, that attack at some point in the, uh, or, or the other. And so I, I think that's the opportunity for us, and maybe that requires creating, um, a more active, um, if you will, MSP isa, um, isac or is a o uh, to actually help help the government form, um, you know, um, uh, organize around that. Uh, so maybe that's the next step as well, or, uh, or as part of that two step process. Great.

Thanks. You know, you talk about like MSPs getting access, um, to, um, you know, some of the data that, um, MS. IAC puts out. And so, you know, there are a lot of, um, committees within an isac.

What do you think about, um, you know, if there are any committees perhaps that focus on service providers, as you know, um, we did put in control 15 focused on service providers specifically, because so many organizations, especially during the pandemic went to third party service providers for so many services is, Yeah, I mean, I, I think again, um, why not have a MSP community, right?

You know, then, and again, whether it's sponsored through the MS IAC or sponsored through CIS, which brings in both parts of, of, you know, the MS Iacs as well as security best practices, and you can actually start doing, um, you know, a lot of collaboration, uh, in that venue. I mean, we are moving towards a, uh, a portal here in, uh, uh, within CIS, um, this year. And so I think that's gonna help, help generate more, more of that.

But in the interim, there, you know, we do have a, a collaboration platform where you could actually do that. Any anyone's invited to that. And again, um, I think that's an opportunity for us to, to collaborate, uh, as well. So, um, you know, of course cyber call has been a great partner to the controls. I mean, this is our softball question to you, Curtis.

Um, should the controls become a criteria for our cisa, um, to provide, to help with MSPs, for example, at a minimum, would we ask MSPs to, to, um, implement IG one and show that they implemented it properly, similar to the way state agencies will have to demonstrate a cybersecurity program in order to receive CISA funding? And part of that is, you know, um, I think part of the question also is about MSPs trying to also get, as a funding, as MSPs are, are, you know, supporting SLTs.

Yeah, I mean, you know, um, you asking that, the, the very difficult question, and I kind of go back to an, uh, earlier statement I made, which was is that, you know, when it comes to pro or creating security, best practice, you know, guidance, you know, again, everyone wants to provide the guidance. No one actually wants to help you with the implementation and measurement of that.

You know, from my lens, you know, um, I, I think what we've tried to do at the Center for Internet Security with, you know, you know, we kind of put it in four buckets, bucket ones really around what are, what are the prioritized set of actions that we want you to take. They're called the controls and the underlying safeguards. We break it out by implementation group so that depending on where, where your resource level is, you can do that.

Bucket two was actually defending, um, those requirements, right? And so we, the community defense model, right, where we look at, um, a large number of threat intelligence reports, mostly of them annual reports, we kind of distill that down to five, um, top attack, uh, patterns that we see across every industry vertical, and then measure the effectiveness of the controls against that.

As far as I can tell, we're the only, the only organization that actually is trying to back up our choices with actual data, uh, in that regard. The third component, and it's coming soon, um, but it really is around, you know, and Phyllis knows this, we, we've been working on a draft of this is around the cost. What does it actually cost to, if you will implement, um, basic cyber hygiene or essential cyber hygiene.

And so here in the next few weeks, we will come out with what we call a costing paper that kinda sets that up so that, you know, it gives folks an understanding of, Hey, here's what you can think about from a cost perspective as you budget for, for cybersecurity. And then that fourth component really is around, and this is where West kind of led off around cyber insurance, um, which in, in this, if you will, emerging standard of reasonableness, right?

You know, and so I think, you know, you can't, you shouldn't be able, organizations shouldn't be punished if they are actually were doing reasonable things from a cybersecurity perspective, uh, because who knows, it could have been a nation state, it could have been a, an off zero day attack that, you know, and they had no defenses against that. But yet for the majority of attacks, they were actually practicing, practicing what we would call reasonable, uh, cybersecurity, uh, within again.

And so from a ci IS perspective, those kind of the four areas that we're focused on, I think, you know, biasly, I think we have it about right, uh, in that regard. We did reduce from 20 controls 18 with the release of version eight. Uh, we did release the number of safeguards from 170 something down to a hundred fifty one three in that regard. And so we are, we're basing what our choices based on, on data from that.

So, and long-winded, uh, answer is, is that I just wish we could get to one standard when it comes to cybersecurity because frankly, uh, it, it, it's probably 89 80 to 90% effective across every industry vertical. I would say if you really wanna prioritize your cybersecurity program, look at the critical security controls. Yeah. If, if I could just chime in, Kurt, I love what you just said. Um, you know, a lot of people like, oh, this framework's better, that framework's better.

I have to say, um, you know, when it comes to some of the frameworks where they are not willing to stand up and say, this is how to do it or what to do, um, I love what you guys are doing 'cause it's prescriptive. Others are, we're just gonna give you guidance. Right. And that's about it. So, um, I I, I really applaud what you guys are doing. 'cause people for the most part, especially in where we serve in the SMB and the MSPs themselves, uh, I think need prescriptiveness.

The other thing is if you, when you, if and when you talk to any IR team, um, ask them, you know, again, that particular, uh, attack, could it have been prevented? Right? Again, it's always comes back to essential cyber hygiene. So, um, this is not nothing, we haven't said 47,000 times on this. It's, it's typically not some crazy nation state attack. Right? It's, it's the same thing over and over and over.

The one question I do have for you is you're coming out with a costing model, and Gary, I I, I would like maybe you to chime in here after Kurt answers, but is CIS taking into account things like speaking with Ms. P and MSPs on that? And the reason I ask that is there's a whole, there's the tool cost and there's the whole operational and the whole cost of support that a lot of times get missed in these studies.

And I'm not suggesting it's missed in yours, it just, my ears went up of the real cost to do. Yeah. So love your thoughts on this. Yeah. Do you want, I mean, so we did talk with a couple MSPs who listened to Cyber Call, and then of course at the end, I'm gonna run it by, um, Gary Pika. Okay. That's coming your way, Gary, or, okay, I'll run it by. You guys just Have, yeah, because it's, um, people, So Mike Regards team helped us And Oh, good. Yeah. Good, good, good. Yeah.

Yeah, They were really instrumental. Well, Gary, you know, Mike helped, who's awesome, but you know, you can't get those price per seats in Minnesota, so you know that story. Yeah. Well, any tools, look, we want everything we can to help show our customers that their costs have already changed, right? Their costs have already changed. It has nothing to do with how much we charge them, uh, per month. That's actually gonna reduce their overall cost by reducing their risk.

Hey, can, can just from, uh, Quinn, um, and, and great, great point. Uh, Andrew and Abso absolutely right. We are, we are vetting our numbers, I will admit. Um, um, some folks are more, more willing to talk with us around cost other organizations less so, or they had the initial discussion and then they basically shut us down. Uh, 'cause they didn't really, uh, they didn't wanna do it. My, my, my, my intent as a nonprofit really is, is here it is.

I've vetted as best I could, I may have it 80% right? Um, but I'm gonna force a discussion now on, on costs. And I, I think actually, I think that's a helpful thing for the, um, you know, for the, for the nation as, as well. And, and we did actually did, uh, we, we do break it out by tool costs, but as well as operational costs.

And we also break it out by, I won't say free tools, um, but I will say no, uh, no cost tools, meaning that you get, you get it, but there's always gonna be cost to the organizations to actually implement, uh, tho those tools as well as, uh, commercially available tools, uh, in that regard. And so I, I think it's, it's gonna be very interesting, I think, uh, from a discussion. I'll, I'll leave you with this one comment that is, is CIS will be a goat.

I just haven't quite figured out whether we'll be the greatest of all time or we'll actually be, actually be a goat and, and we'll, we'll beat up, beat up. But I, I'd like you to be the former, I mean, one of few things we could offer you, Kurt, either number one, we can open up, you know, we have 5,600 plus, uh, in the cyber call, we could send out a survey just to, and collect meta, you know, metadata for you, you know, on what, hey, this is what we charge for X for this, for that.

We have 550 at write a boom. Um, so we, we have different venues and avenues, um, if you want to validate and whether you use that or not use that is up to you. So Yeah, no, we, we will, like I said, and I've gotten, we've got most of the pros and, and, and text done. We've actually got a couple of, uh, spreadsheets to kind of break it out. Um, and I don't mind sharing those.

Uh, like I said, you know, I, I just, I won't see us at least get some credit for actually thinking about it and putting it out there, you know, and I, like I said, either the greatest of all time or more likely, you know, will be the goat, you know, and, uh, the bun, uh, the, the bane of everyone's exist, uh, existence.

So I doubt, I doubt it'll be the, the former, um, if we get the first part correct, I think, you know, then we can definitely talk about maybe phyllis's, you know, Ray's before November. There you go. Look at them. Always plugging for you. Phy always. I know. I love this community. I told you. Um, well, good. Uh, Phyllis, any other things for Kurt? Um, not right now. Um, I, I just wanna say thanks of course to my boss for coming on and we will be at right of boom.

I do, I do, you know, um, want to think harder and work with the community on how is it that we can engage better with government? How is it that, um, instead of being the goat getting kicked around, um, you know, we get to, as you know, an MSP community, um, really be more engaged. And so Kurt and I are gonna think about that and, um, you know, we will be at right of boom, open to any discussions. So That's awesome. I we're excited to have you and Eric Woodard on stage discussing the controls.

It's gonna be awesome. Um, and, uh, so with that, I know we ended up a few minutes here early. Kurt, any closing comments for us? Um, again, thank you so much for coming on. Look, really looking forward to seeing you. Yeah, no. Hey, so as always, Gary, great to see you again. I've met you out at, uh, write of boom, and I think I've been on a, uh, on a cyber call with you, Wes met you out at Cyber Boom as well as, uh, on, on a call. And always great to see you guys.

Any, anyone, any, any kind, any, anytime someone can pull off wearing a hoodie. I can't yet. I have to dressed with more formal. I'm always, I'm always for that. I, I feel you, man. Real hacker going, He can pull it, man. He can pull it off. And then of course, my, my Flo my Florida brother down there, uh, Andrew, you know, even though he went to that lesser university, um, you know, I I, I still, he's still a Floridian at the Floridian at the end of the day, uh, for that.

Just, just know Jackie's gonna be there and, and, and I'm sitting, sitting here right next to you at dinner. So It's, tell her not to wear Gar a Garnet and gold, uh, or wear orange and blue. But hey guys, everything that you do really cis is huge supporter of, uh, of the managed service providers. Um, and you know, and allowing us to be a, um, you know, part of this community. It's, it's, it's paid off in dividends for us.

And so, like I said, once, once, you know, we, we will maybe at right a boom, we can host a Birds of Feather, just a informal to talk about more about this costing. And and you can either walk me back or say, go for it. You know, I just wanna see this guy turn into a goat. Um, you know, but I, I think, you know, that's an opportunity for us to at least talk about this as well. Like I said, the, the text of the document's almost done.

Um, but I really am fiddling around, mostly around the, uh, around the spreadsheets. But really appreciate everything that, uh, that you guys do for us. Just Let us know, Kurt, we'll get a room for you and we can definitely have that happen. So maybe Gary's sweet. Alright, thanks everybody. We'll look forward to seeing you next Monday. Wishing you all a fantastic week. Take care. Take care everyone. Thanks.

Related Videos

How MSPs Should be Engaging CISA & US Govt. for guidance and funding | Right of Boom