Right of Boom
January 30, 2025

January 11th, 2021 – The Eras of cybersecurity

In this video, Gary, Wes, and Andrew discuss the importance of shifting towards an 'assume breach' mentality in cybersecurity for 2021. They highlight the necessity of implementing frameworks, vulnerability management, and the need for effective communication with clients about security measures. The video emphasizes the role of people and processes in building a resilient cybersecurity strategy, encouraging MSPs to educate clients and adapt to evolving security challenges.

- The webinar discusses the importance of adopting an 'assume breach' mentality, emphasizing the need for organizations to be prepared for potential security breaches and to focus on resilience and operational recovery.
- The speakers highlight the evolving nature of security, from asset management in the 1980s to current strategies prioritizing recovery and cyber resilience, and the necessity for MSPs (Managed Service Providers) to adapt accordingly.
- There is a strong emphasis on the need for MSPs to educate their clients about the differences between IT and security and to position themselves as specialists in security to gain a competitive advantage.

Guests

Andrew Morgan

Video Transcript

Wow. 2021. Welcome everybody. We are back. Gary, kick us off. Oh. Oh, yeah. Here we go. I don't know, Wes, are you gonna kind of follow suit there and the, uh, Hey, I need to come up with my own greeting. So I'm gonna take, uh, take suggestions from the crowd here. Uh, let me know what you need it to be. It'll probably be something highly embarrassing. Uh, but, uh, I'll deliver. That's what we call a, that's what we call a call and response. That's right. And, and the business.

Wes, you got big shoes as dictator. You 2020. You've got some big callings here, so, uh, we're expecting big things outta you. Yeah. You know, in, in light of the, uh, recent news, uh, we're moving the campaign to dictator 2024. Uh, rumor is we're starting really strong. So looking forward to everyone on the campaign trail, thank you to the czars that, uh, volunteered their positions for 2020. Uh, you're gonna see 2024, uh, look to be an even better year for the campaign.

Well, that's awesome. Okay, so, um, Ryan couldn't make it today, as you guys can see, unfortunately. And, um, but we're gonna get right on a few quick announcements. Um, first off, uh, I'm gonna put a poll question up. It'll make some sense as we talk through this. Um, can, is that, is that up now, Wes? I think it is, Yes. Poll is up. Okay, cool. We have two, this will be the first. So take a look at the poll. Um, Gary, we collectively, Wes Ryan, Mike Beard, um, who else? Chris Lair.

And I think we're even gonna have, um, not Kevin from Kaseya, uh, Matt, Matt, on the last day. So we are gonna do, we're not gonna call it a summit, but on February 23rd and 24th, we are gonna do a cyber resilience. Right now we're calling it the Cyber Resilience Roadmap. Um, Gary, any comment? Yeah, yeah, we'll have the final naming done on a, today Marketing is, uh, working on that.

But, uh, yeah, we're gonna take a couple days and we're gonna break down really some of the most important things, uh, that we have picked up and heard from people around, uh, security. So with, with, uh, with a great team. So I, I think it's gonna be really great way to start two thou get it, 2021 and come out setting meaningful goals and achievable goals each quarter to mature your security posture. Yeah. And go to Mar and go to market. Yeah, absolutely.

We're gonna look at basically high level, Gary, we're gonna look at where we are today. And part of it is actually today's conversation ties into this, but where's your practice today? Um, in terms of living in an assumed breach world? We're gonna dig into your incident response plans. We're gonna bring back Mike Beard for that. Wes and Chris are gonna go at it for a tabletop. And then ultimately, how do you take that to market?

Because if we're now saying that we have to take the assumption that we are gonna be breached, right? We have to be resilient and operationalized and still run our business in the event of that, packaging, pricing and selling are gonna be different. Gary, thoughts? Wes? Yeah. AB absolutely. And, and I, I'll, I, I'll let Wes chime in on this, but yeah, the, the, the hard part we've been talking about for the past year is that this all fits together.

Like how you go to market, the price you command, uh, you know, being able to operationalize it for yourself and customers. You can't just do one of them. You have to do them all together in order to make it work. And Wes, we've come at it from a bunch of different directions. Uh, we have, and it's, it's high time in 2021 that we begin to go down that road of mastery of all the things, right? Uh, uh, security and our strategy inside of it.

Not just in what we offer, but how we communicate it, how we sell it. Um, it, it requires, uh, being far more comprehensive in, in 2021. So, yep. These are big things. Yeah. And, and I wanna, I wanna say one thing to kick off this year. I mean, we were forced with everything that happened last year to spend a lot of time on uncovering the risks that MSPs have and the con and the concerns we have for MSPs and SMBs.

And I still have those, but this year I really want to try to tilt that message over to this opportunity that we have. And this is how you can kind of separate yourself and your MSP to a different relationship with customers if you haven't already done that. So I want to make sure that we bring everything back every week to an, to people seeing the opportunity, not just doing things because of the risk, but also balancing that with how great this can be for your MSP in the next few years.

Yeah, absolutely, Gary. Absolutely. There's gonna be huge opportunity and it is gonna be a hu a widening gap, I think, wider than ever of haves and have nots here. So let's make sure that you guys are the haves. Um, that's what we're committed to. That's, that's our job. So with that, um, I'm gonna, I know we don't normally do this. I'm gonna share my screen because we think we have a little bit of time to play with. Um, just humor me for two minutes.

I just want to share something because it's germane. Oh, other things. It's your show, Andrew. Take as long as you want. Thanks Gary. It's our show. Um, in the call to action underneath Gary, if he's in your middle, there's, uh, it says New paradigms for the next era of security. I'm gonna share out a slide from that. That's, this is Sunil, uh, Yu's work. Um, let me make sure you guys can see me. Okay. Um, I always mess, tend to mess. Can, can you guys see my screen well or no? Sure can. You can.

Okay. Okay, good. So you're seeing the mapping and everything. Yep. Okay, perfect. Walk me through walk. Okay, real quick, here's how Sunil takes a look at this. And, and I, and I, when I heard this, I'm like, man, this is really so germane to us. And let me explain. So Sunil at a high level walks through and you can listen to him the eighties, as you can see there, the eighties, nineties, two thousands, et cetera. Interestingly, he looks at the core challenges.

For example, you know, in the eighties we looked at, you know, technology really coming on the age of the PC, low cost, right? We had Dell and Gateway and people were, corporations were buying technology off the Richter scale, right? Adding it to their businesses. So they needed to figure out what they bought and what did it support. And therefore the solutions they came up with were asset management and discovery tools.

I mean, I don't know if you remember Gary and Wes, but like, things like Peregrine, right? All the way back there and right. LANDesk and all these tools that discovered assets, got 'em. Dating myself. Um, so, um, and then the other thing was he said, you know, what kind of tension was there between IT and security? Well, there was none 'cause security teams didn't exist. So let's just take one or two more examples and you'll get the point. 'cause we're not gonna go through each part of it.

Let's take the nineties. Well, obviously viruses right? Started to come in and obviously, you know, there was the Nigerian prince, right? Even phishing came in, right in in those types of things. Firewalls had to get put in place because we got attacked at a perimeter and for the most part, right? We still had IT and security operating, not very, not a lot of conflict because security was now just really dealing with vulnerabilities.

And you can see as we go into two thousands that this is the first time we start getting into some conflict. And the reason, um, I just wanted to, I'm not gonna walk through each of each step, but if you think about what most MSPs are doing, right? Think about 2016, 2017. I remember it very well, even though it's already three and four, like five years ago. I mean, when you look at your stacks today, and, and I've done this, I've asked MSPs, right?

We only have a few, right, Gary, that we deal with. But you look at your stack and if you're honest with yourself, most of the offerings you have up until recently are on the protect side. And when we think of identify, we're relying on our RMMs. And Wes and I are gonna talk a little bit about that. It's not really the best solution for identify. So if we look at the 2010s and we think that finally, you know, know we finally have this conflict right between IT and security, right?

Where now all of a sudden, corporations and, you know, enterprises, mid markets have finally said, look, security is its own business unit, right? And we need to have governance and security over here and IT over here. 'cause there's too much tension. You're gonna operate autonomously per se. Yes. You have to inter interact. My point is this, your customers, Gary, I want to kind of get your, take the SMBs think you do the same thing. And then the 2010s in enterprises, it's where it's separated.

So we've got this massive disconnect and gap that we're trying to fill. So lemme just pause there, Gary. Am I making sense? And yeah. And, and I think what happens in the MSP world is two things, right? And I want Wes' take on this one. It kind of lags behind here to some degree what you see happening in, in, in, in, uh, IT companies. That's number one.

And number two, the hard part is, you know, in, in a Fortune 1000 company, they've been able to physically create these separate departments as MSPs have 5, 10, 15, 20, 25 employees or, or maybe more. Uh, we're both. So like we have to be on the same page. We have to make those decisions. And vCIOs have to start. In other words, we've been talking about baking security into the culture. That's what's different about an MSP dealing with so many customers than an IT department.

I want like Wes' view on this. Yeah. Well, and this is why I just asked this question in chat because I want to get your guys' opinion of are you starting to detect and see some of this as well? I do think the larger MSPs that may be on this call, like, uh, I'll just call one out as an example, Marco, uh, that has a dedicated CISO in micro regard, they may notice that tension occurs a lot more, right?

They may notice it because they have a dedicated security division that is separate in its operational responsibilities. But I think maybe smaller MSPs may not struggle with that as much. They may say, you know, that's a luxury that we have in the sense that we have to deliver both IT and security together, both internally for our own security and for our clients. And so very curious to see where that tension may exist.

And if you start to see that expand as your maturity in cybersecurity grows. I'm very curious. Yeah, no, is it convenient or, or is it the fact that if less tension there is probably the less secure you might be. 'cause I think part of what happens in these more mature companies and you know, and we have, you know, Mike Beard is nice enough to come on and help us with this is, you know, it's his job to bridge that gap.

But that's kind of what has to happen to, to, to increase your security posture as well, Wes. Yeah. Yeah. Good. And, and I'm reading through the comments here that are coming through and I, I think we are seeing this, right? The, we are seeing that tension begin to, um, begin to show in rear its ugly head. And so this is something that, uh, you, you actually, so I say this a lot and I think a lot of you guys know this about me.

I always say, by and large, MSPs kind of, and really SMB as a whole really follow about five years behind where enterprise is going. And so that's actually a huge advantage for us in the sense that we can look through the pain points, the struggles that they've had, and we get to say, Hey, let's, let's make some of the corrections that they should have made a long time ago. And, and some of those are how we actually handle the security operations piece and how that belongs inside.

It should not be stuck as the redheaded stepchild, so to speak, uh, of, of the, of the, uh, IT organization. It should be treated as its own business unit. And you, you're, you're seeing that in the 2020s, which we'll cover in a minute, Andrew, Uh, threat actors are not five years behind and guess, and they, and they found us. Yes. So we're being forced to really close that gap. We can't have that big of a gap anymore. And that's kind of what we've been talking about week in and week out. Yeah.

Well, um, yeah, great perspective. And you know what's interesting you said, Wes, is that it actually may be an advantage here that we are five plus years behind. And what I mean by that is, when you listen to what Sunil talks about, and I wouldn't do it justice, so I'm not going to; listen to the recording. But he talks about the CIA triad, Wes, and you and I are gonna talk about this later, but just real quick, hear me out and something called the DIE triad.

And if you were here when Sunil was on, he talks about the theory of pets and cattle and that we like to have our pet, right? I like to have my LA um, my laptop's right over here, you know, and if my laptop gets sick, right? Or if it has a vulnerability, I'm gonna patch it. I'm gonna take care of it, it's my pet. Whereas a cat, you know, cattle, the cattle get, you know, cow gets sick. What do we do? We cull it from the herd.

Sunil's premise is, if we begin to start asking questions and architecting our systems from a, what he calls a DIE triad or distributed, immutable and ephemeral, basically short-lived un, you know, immutable, meaning we can't change it. Well, we always think about uptime. We have to have uptime forever, 365, 2 years, right? It's actually the worst thing. Now if we're assuming breach, we want short-lived systems.

So I just wanted to put that out there that maybe we are an advantage, maybe if we start looking at Gary, packaging, pricing, how we implement things going forward, we can save a lot of time, energy, and headache and cost that the enterprise has gone through. So yeah. Wes, does that make sense? Yeah, absolutely. I'm with you. A lot of great comments out here today. Yeah, Yeah. Well, a lot of great comments.

Uh, you know, uh, Clifton said the biggest tension we see is cost to the business to get there. So I think that's a great point. Uh, yeah, just, there's just so many great comments out here. People are all over this today, Wes. Yeah. Well, what's really interesting, let's just talk about real quick, the fact that the ms, the, the SMB, right? To them, security and IT are the same thing.

Well, if we think about it in, you know, 2010 over 10 years ago, that's when those departments split and we're asking our customers, Hey, we need more budget, right? So maybe if we start thinking about it from this perspective, right? We've talked about this, right? Your accounting department doesn't do your legal work, right? That analogy. And we start trying to, you know, part of this is education, right? We have to educate our customers that IT and security are not the same.

So with that, Gary, um, love the interaction. Big audience today. If you are thinking about doing something different in 2021, come join us. We'll have some time at the end, come on stage with us here. Come on camera, do something uncomfortable. Um, so, and, and, and break out in 2021. So Gary, here's my question to you. Um, I wanted to start off 2021 with the eras of cybersecurity and Sunil's work.

Um, because again, MSPs have been the outsourced IT department, rightly so, that's their background. You know, when you look at what Sunil is doing here, what do you see as the biggest challenges, but the biggest opportunities for MSPs? Yeah, so, um, let me start with the biggest opportunity, because I'm seeing it, you know, partly because of what's changed in security over the past year of the landscape, and partially because of the pandemic.

I know with our, like peer members, when the pandemic hit, we were on with them every single week, taking it apart, locking their businesses down, making sure that they understood their cost drivers. And then as we got through that, what we saw was, um, in the second half of the year, two things happened. They were able to sell a lot of recurring revenue and they were able to increase their prices pretty dramatically.

So I think that's the opportunity is that once you get, once you get enough maturity on the right things internally, and you don't have to have it all, but enough of it to have the confidence to get out in front of customers and prospects and have a different kind of conversation, um, you eliminate price as the objection. And once you do that, now you can start to fund it and it starts to spiral up like this. And that's what we're seeing over and over again.

Um, the people that aren't educated themselves, that don't have the right approach, that don't have the right, you know, priorities around security, especially when they're smaller, they're kind of stuck in it, Andrew, they haven't started that spiral up and they have just enough money to do their tickets and they gotta make sure they do a couple professional service, you know, projects and, and, and sell some hardware so they can make their payroll.

And that's, that's gonna be a tougher and tougher and tougher place to be. Yeah. You know, it's interesting Gary, and the analogy I think about, you've, you've talked about, and I've known you for years, is self-image, right? And, and, and you know, again, the one, this is about self-image, if you think about a security firm, right?

I, I analogize at Wes, you've used healthcare analogies, but it's like we're this general practitioner that's gotten taken over by this, by HCA and we're happy 'cause we make $90,000 a year as a, as a, as a general practitioner, but as a security firm, Wes, if you were a, you, you started an MSSP and you're like, Hey, I'm gonna come in and do some pen testing. I'm going to, you know, manage your SOC, SIEM, you don't think twice about charging the right amount for those services.

You're a specialist, right? You're a brain surgeon, you're talk, talk to us about that. Am I, am I seeing that correctly? Um, I'm not sure I have much to say other than yes, that is, uh, that that is certainly how we have to approach it for sure. Um, and, and you know, I, I do think it is maybe as an aside, it is we're still getting our end users, our SMBs by and large is who we serve to understand there is a difference here, right?

And that, um, there is a, it, it, it's that security is not just an add-on tack on extension into our IT strategy. That used to be the case, um, for, for ever since we've been offering services. But we're getting to this point of, of, hey, this is not an add-on is not just an extra thing that I just kind of push here. And I think some of us have been guilty even of maybe even promoting it that way for a long time. And maybe that was actually true.

But this day and age is changing to where, um, security is actually strategy. That is something that's included in what we have to be offering, which is why we're charging more, which is why there's an addition in your per pursuit cost. Um, but I'm not just adding a firewall anymore. And then if you're super serious a firewall and av, or maybe I flip that, um, it, we, we've really changed, right, Gary? Yeah. A a Abso absolutely.

And and again, until that conversation changes, until your, like you said, your self-image and your belief, uh, changes. You know, I was talking to a couple business people yesterday, friends of mine who own companies, and one guy, I think he's got like 35 employees. And I was saying to him, I said, yeah, I guess you've been seeing like what went on with this whole SolarWinds thing? And he was like, what?

I'm like, I'm like, do you not, you don't look at the Wall Street Journal or, or turn on the evening news with David Muir. I mean, like, who, you know, but there you go, there's someone, and I gave him an idea like, you know, kind of what's been going on. And I said to him, Hey, with your IT provider, 'cause he outsources it. I'm like, have they talked to you about, do you know what, what would happen if you got breached? He's like, no.

And I'm like, you have to take an assume-breach mentality. And I, I'm sure he is on the phone today with his, with his IT people. They have not had that conversation with him. And I can tell you when they do, if they ha if they are capable of it or someone else will, he, he's not gonna worry. I know his business, he's not gonna worry about spending an extra one or two thousand or 2,500 bucks a month because it's just so critical to him. Right?

And, uh, you know, his eyes were, you know, you know, pretty big by, by the end of the end of the conversation. But there's an example and of the opportunity that's out there. Yeah. Very good. Gary, a follow up question, um, ironically, I did a poll in the cyber nation, um, about a week ago. And 'cause I, I was really curious what people felt the training and skills they needed most in 2021 in my h you know, I'm thinking I'll pick something out.

Hey, I, I want to get a, become a certified ethical hacker. I want to become a better security analyst. Like, those are the things that I'm, I'm thinking and I put up, so we will talk about the questions I put up, but the number one response skill and training, uh, by far was, um, being able to articulate, adding additional security controls and the value of those controls. So my clients say yes, that was the number one response.

And so the good news for you, Gary, is it makes you highly relevant. Well, that gives me hope that people are recognizing that unless they're able to do that, they're probably not gonna figure anything else out. So I, I don't know, I, that gives me like, makes me feel really optimistic, Andrew. Yeah, well, no, I I, I thought of you immediately. So, but, but to that degree, like what does that mean, Gary, about owning?

I, and I might ask you this later on, but it was just, while I think about it, what does that mean in terms of owning and understanding frameworks? Because again, it comes back to self-image. You can't fake this stuff. We could fake a lot of stuff for years in IT. Uh, we got the easy button on a lot of stuff. We got hall passes on a lot of stuff, you know? Yeah. Yeah. I, I mean, if, if you just take two concepts that we've talked about here, like week in and week out.

One is you really can't do this without using standards. A standards based approach is so critical to translating value, right? And, and, and then, uh, we've added to it this assumed breach mentality.

Like just those two concepts alone, Andrew, um, not only give you, let, you set priorities internally, but they create kind of the, the framework from a vCIO standpoint to start to change that conversation with customers instead of what's happened in the past, which is, you know, a vendor sells you, you know, this security thing, and then you go out and sell it, and then a month later or two months later, you get another security thing, and now you go and add that on.

You know, instead of saying like, okay, what, what do I need? Where are the real gaps that are reasonable that I can close in my stack? Can I go in right now if I can't get 'em all, do I know what they'll cost? And can I go have the conversation once with my customers Yeah. A meaningful conversation and, and, and move that investment. So now I can fund those tools. I can fund the process, I can fund the alignment, uh, and, and the, and the additional skill sets that I need.

The, the part of assumed breach and cyber resiliency, I, I, I think is the most bullish things for MSPs is it takes FUD out of the game, right? We don't, there's no such thing as FUD anymore. We're going right to the end result. You're owned. Yeah. They'll attach a value to FUD on their own. We don't, you don't need to. Yeah, It's great. Um, Wes, any thoughts or are you sure you Yeah, I, it, I I, I do love that comment.

You made it, it kind of made my brain go pow for a second of it takes FUD outta the game, right? As vendors, um, our marketing teams are always trying to think through, you know, what, what's that one thing that we can say that tagline or catchphrase, it's gonna get people to, to want to invest?

And I think that, I love that idea of saying, when we jump right into that assumed breach mentality, it forces us to change into bypassing all the things that are gonna happen and say, what would we do and how would we react? And where and how would we recover? And what are the, the critical pieces of things that we have to consider inside of all of it?

And you know, I can, Gary, I can just see myself if I'm an MSP sitting down with a client and saying, Hey, did you see what happened with the SolarWinds stuff?

And regardless of whether they say yes or no, you can say, you know, there's some interesting things that came out of that Gary, and it really got us thinking as an MSP, here we are today thinking, wow, some of the biggest organizations that are out there, including cybersecurity organizations that are really well known and publicly traded, got significantly hit. And Gary, there's really not anything that they could have done about it.

Uh, the, the, when you hit get hit with a software provider, that you're leveraging that, that, that there's malware inside of their own software that gets delivered to us. It's impossible to see that. It's impossible to prevent that. It's impossible, largely speaking, to have detected that we've really gotta operate Mr. Client or Gary or my client, it, we've gotta shift into how are we going to respond when that happens.

And so that's caused our MSP to start thinking about things like, you know, Gary, we, what kind of data do you have? Where does it exist? How would we recover it? Who would we notify when that happens? What would be the processes? Do you know how to get in touch with us? How would we get in touch with you at 2:00 AM when we saw something like this happen? And what would be the steps of recovery? Uh, and when would we get regulators involved, or federal or state agencies involved?

And you start having these conversations like this, and it forces them into that end game of what do we do about all of that, and how would we react and recover? That is a valuable conversation to get a client thinking about. Right? It's awesome. Yeah, man, hopefully, uh, people are gonna go back and watch the recording and they're gonna take that little clip you just did.

Um, because I, I, I don't know, what I tell people is you have that conversation with a prospect or a customer, it can't go bad, right? It, it can't, yeah, it can't, it can't go poorly there. Uh, because I have those conversations with a lot of business people and the response is always the same.

They start to lean in and they wanna further the conversation and they want to know how can you help me a hundred percent of the time, Well, hey Wes, you were involved, I believe with Mike Beard doing a mass quote unquote tabletop with a bunch of prospect prospects and customers. Think about it, they were shooting fish in a barrel because you mock Yeah. Mocked went through one. So think about this. If you did that with a customer, charge the customer for it, guess what?

You're gonna see gaps galore in terms of, wow, we weren't prepared for this. We weren't prepared for that. Wow. We didn't know our data was here. It was over here. It was, we thought this person would be the top person to make the decision. Gary. Yeah. Look, and Mike says, I'm getting more and more frustrated with vendors expecting us to specialize in their solution. Well, you shouldn't get frustrated with them, Mike. That's their job. They have software to sell, right?

And they have enough MSPs that they can train to do it. And it's like, okay, now we sell dark web, now we sell phishing. Now we sell, you know, advanced endpoint, whatever it is. Like that's their job. It's our job to change our perspective the way we're doing on this call. Yeah. To think about this assumed breach mentality to work backwards. The other way to focus on the data, that stuff we've learned from Chris Lore right?

About this year, about data exfiltration and you know, and some of it's technology, some of it's process and some of it's just the recommendations of where data lives. And some customers, they may have to give up some convenience of certain things in the, in the name of having their topology be one that that is more resilient.

And, and so yeah, when you start to like, you can hear how Wes sounds like he's rising above things and really tell that he has command over this, and every business person's gonna respect that, and they're not gonna tell you, I don't wanna do that this quarter. Whatever those recommendations are, very rarely will it end up that way. Yeah. You know, Matt, as opposed to they will tell you they don't wanna buy a product. Yeah. Because they don't. It's an excellent point.

Matt Lee made a point about data's the key here. Data's always been the key. Matt, I'm really glad you pointed out. You're probably making Ken Tripp from Network's Heart thing right now. Ken's probably on, I hope you are Ken, make a comment if you are. But you know, in terms of solutions, we, since when have MSPs, by the way, ever thought about where does data live? Right? Um, for the most part, yeah.

You know, we've run some things and the HIPAA data is here, the PCI data is there, but to a large degree who has access to it, um, are we, you know, doing things around, you know, Active Directory accounts that are dormant, and, and on and on and on. So I think you're gonna see solutions like that, that are much more meaningful, that play into tabletops and, you know, so anyway, I'm beating this. Wes, let's move on to you. What? One, can I add one more thing to, to Wes' to kind of what Wes said?

Sure. You're either gonna learn to have that conversation or someone else is, and, and the customer's gonna be asking you questions that are gonna be uncomfortable for you. It's gonna be one or the other in the next year or two. Yeah. Well, well, Gary, you say this a lot, right? You're training your guys, you're, you're training, you know, to ask these questions. And by the way, we're gonna have on, um, this is gonna be awesome, by the way, just, sorry, tangent.

It's like a squirrel over here. Um, but we're gonna have, uh, Ryan on from Steel Root who wrote that article on the, and I always butcher his name, so I, I think it's heor, but I'll probably butchering it. But Ryan's gonna be on the week after next to talk about the 21 questions you should be asking your MSP. And these guys are specialists in CMMC, and they, they do run a great, great company, but it was awesome.

And he even admitted, he's like, Hey, this is something I have to hold up my standards to and I have to keep getting better at. But so, so Wes, let me run this by you. When you looked at, um, Sunil's latest work, um, if you were consulting for an MSP right now, um, and maybe you are Wes, are you, are you for hire? Um, uh, only in Bitcoin. Um, you know, how might you, you know, consult with that MSP and what might the changes be in terms of their stack or their people or process?

What, what, what would you say to that? Yeah, that's a, I saw that question come in that you wanted to ask me, and I, I thought it was a good one. It's really, really hard to, to systemically answer that in such a short period of time. Um, but what I would say is, you know, if we go back to that model, and you know what I'm gonna do, I'm gonna share this out with you guys real quick. I'm just gonna pop this into chat. Hopefully it'll come up pretty quickly.

This right here is Sunil's slide deck that we've, we've been referencing as our guidepost. Uh, and, and there's a slide that exists in there that we actually showed a little bit. I'm gonna go back to this. You know, one of the things I might start with, if you go over there to slide five, just take a look at that for a minute and, and just kind of map that to your own MSP. And you should be able to do this within seconds.

You should be able to kind of look and say, okay, yeah, we're definitely in that 1990s era or that two thousands era. And don't be embarrassed about where your MSP is at in this journey. Yeah. Um, I would say, you know, what I would start with is, I think this is a really interesting and fun framework to think through. Where do we exist from a maturity perspective? Where are we mapping in? Are we in between some of these? And this will give us a good thought process on some of this.

And so if I were, you know, if I were consulting with an MSP, I mean, there's a million questions we could ask, right? What's your understanding of risk and how does that, um, map in what kind of clients do you have in place? Those are things that would then dictate into the, the security stack that exists. And people love to just get right into, Hey, what should go in my stack?

I know that's a big common question, but this is just a fun way to really think through, uh, that entire journey and where we, where we would map in. And so, um, that's what I would say, Andrew. I would really want to get a better understanding of, of where they're at with this. And do you notice as well, especially that slide five that, that I referenced in the link: 1980s is identification, 1990s is protection, two thousands is detection, and then 2010 is response. Hmm.

Wonder what comes into the 2020 era, right? It's this idea of recovery. Uh, and so I, I think this is brilliant. And, and so maybe that's where I would start is a series of questions that get us to understand where you are at in your own journey. And I love how Sunil, uh, intentionally mapped the CSF into this. Yeah, it's awesome. Wes, did I, did I show, like, did my screen not come up in the beginning? 'cause it mirrored? It did. Oh no, it came up.

I just wanted to reference that in case people joined later or they didn't fully soak it in. Okay. No, no problem. I was like, oh man, was I not sharing? So, um, um, you know, so when we, um, you know, you, you mentioned obviously, you know, what is 2020? Well, it's the age of recovery, as Sunil likes to say.

And my question to you, Wes, is what does that do in the terms of people and process, you know, because, you know, as Sunil says, you know, when he, what, what dawned on him and how he came to this epiphany is, you know, when he was at Bank of America, right? He plotted, why did he create the cyber defense matrix? 'cause he had to figure out what you're trying to sell him, right? He had thousands of vendors coming at him and he needed to see if there were gaps.

And he looked at just the skewed amount of, you know, technologies on the identify, detect and protect side. And as we get into the 2010s and 2020s, there's barely anything, which leads into his whole architecture around the DIE triad. But talk to us about people and process. What, what is that gonna mean for MSPs here? People and process is hard. Why is it hard? It's hard because it's people and it's process. It's not a vendor you throw at something, right?

And you guys remember we had talked, I go back to Sunil again, um, last year we had talked about the cyber defense matrix. And one of the things that Sunil showed in the cyber defense matrix is as you scale away from identification and protection, and even when you go beyond detection, you start getting into response and recovery, it's less vendor specific and more people and process. You know, we talk about, Mike Rigg said this in chat a minute ago.

People, process and technology as you slide right into the CSF, and I would just even say into more maturity. I think we could even say, um, all of a sudden, yeah, it becomes more people and process based, less vendors that you throw at something. Not to say vendors aren't involved.

And so I think for a lot of MSPs, and I don't mean to just paint with an overly broad stroke here, but by and large, you know, some of the original MSPs that came out were really good at selecting vendors that could, that could sort of outsource everything too. And they just handle it end to end. And, and that's what they were good at, right? Well, that's changing a lot when it comes to cybersecurity, Gary.

It forces us to say, do we have the people and the processes in place to adequately and smartly recover when something like this happens? And I've seen this happen. Perch has dealt with many, many MSPs. Either they're a current client of ours and a client gets hit with something, one of their clients, or they're coming to Perch in the middle of an incident, usually ransomware. And they're trying to figure out what do I do? What's my next step? Everyone's yelling at me, everybody's mad.

My techs don't know how to respond. I've got one guy doing this, another guy doing that, and nothing is aligned here. And I feel like my business is falling apart before my eyes. That's a scary thing to be in. And that's why people and process is a really important piece. All right, and you ask, is it expensive? Yeah.

And you probably, same thing I say, when people ask me these questions about a sales situation they're in, the first question I ask them is, by any chance, do you have a time machine? Yeah, but it's true. And if they could go back, one, they would do things differently, right? They would spend the time to be more educated, but they also would change their relationship with their customers.

'cause they realized, look, one thing, and I'm gonna see if you see this with your customers, Wes, uh, scale is starting to matter more. Like my customers that, um, both are profitable and have a little bit of scale. They're able, all the ones that are doing the best, they have some dedicated proactive roles. People that don't, you know, they don't do tickets and they don't have to have billable, billable hours, then they're devoted to this.

My customers that are trying to mature, they're a little smaller. It's harder for them. 'cause everyone who's doing what you're talking about the process, they also have some level of billable or reactive. And so it ebbs and flows in that discipline. And I want to see, so that, I think they need to lean more on outside vendors. Would, does that make sense? No, it, it, it does make sense. Yes. And, um, well, I don't have anything to add to it, but No, that does make exact sense. Yes.

And you see that with your customer base. Yeah, we do see that with our customer base. Customer base for sure. And, and not across the board, and maybe as an aside, but what you're getting me thinking about is, this is why Chris Lahr and I decided to start doing, um, these tabletop events, is because I felt like, and I, I think we proved ourselves to be right. And again, not to paint with an overly, I'm not saying every MSP is this way, but it's an, it's an industry trend.

I think we, our cyber defense strategy, especially five years ago was, well, what vendors do I have in place and how do I stop? You know, it's very reactive, you know, this threat. I would stop this threat with this thing. It's not always that way. And often you have this thing in place and they still get past it. And so forcing everyone to say, forget all of that, get rid of the things you have in place. How would you respond?

We're just gonna say this happened and then this happened, and then that happened, and then this screw to this, what are you gonna do next? What are you gonna do next? Now you got a person doing this thing, how are you gonna handle it? Now you got a client yelling this, how are you gonna handle that?

Now you got a regulator asking you this, it, it's so beneficial and helpful for us to, Andrew, going back to your point, stepping out of the, you know, the castle and moat analogies of this threat, and I stopped this threat with this vendor and how do I actually respond to all of it?

I'm so glad we we've done all these tabletops because I felt like we've helped shift the industry into thinking about a resilience and a recovery and a preparation, um, approach to security through a tabletop test forcing us into it. Yeah, We, well, Wes, look, you know, in talking to Chris, you know, the good news is he works, you know, in terms of efficacy, he works a lot of cases with MSPs. Bad news is he works a lot of cases with MSPs.

But the, the point is, you know, he could probably count on one hand, when I ask him, MSPs that had a major incident, you know, pulled the, uh, uh, their, their incident response plan, worked their incident response plan. Point is, the level at which decision and execution and levelheadedness and good decision making, it, it's night and day. Right. And not that that's a shock, right?

But, but that's, you know, I like what Carl said out in chat, you know, it resonates with him working, working backwards. And I'm really glad to hear that. I think it's gonna change your conversations and I think you'll see that your clients or rather and or prospects are gonna see you much differently, you know, in, in that. Yeah. From a maturity perspective, Gary. Yeah, I, uh, so I, we have some time, so I want to, um, last week, um, every quarter we do, uh, what we call innovation council.

We get together, um, every one of our peer groups, they send the, uh, one person who's their representative and we just spend a couple hours thinking ahead, right? So one of the thought experiments that came out of that, and I said to them, I'm like, 'cause some of, some innovation is iterative. It's like, it's solving today's problems a little bit at a time. You know, and, and, and some of it is transformative, right? Uh, big things come along.

Um, it's been more iterative for MSPs for a while. So I said, um, with my CTO, Bob Penland, what if you weren't dragging all of your thought process, all of your revenue, all of your current customers, all of it behind? What if you could start with a clean piece of paper today and start a new IT support business, what would you do differently? Because five or six years ago, you would've said, well, I, I, I get a PSA and I get an RMM. I don't think they are in the first two.

I don't think they're in the first 10 things that I, that I would do today, right? There's other things. So what would you do? And, and what came out of it was not only like what tools, but what would that relationship look like? Um, what would a good customer look like today compared to it? What customers would we steer away from just based on what we've learned about security?

And so I thought that was a great thought experiment that everybody can, maybe this week could take a couple minutes and say, what would the new code look like different than what you're dragging behind you today? And there'll probably be some nuggets in there of how you set priorities moving forward, if that makes sense. Yeah, absolutely. Gary. It's a No, it's a really good point. Hey, just in, you know, before I wrap up with a few questions here with you both, um, I put another poll in.

Wes and I were thinking about, um, doing like a, a quick podcast every day, every other day kind of a thing. I just wanna, I'd love your thoughts. Would you guys like that if, you know, we dissected a security control, you know, three minutes, something like that real quick. And, um, it was real consumable. You know, we talked about the, um, uh, you know, against the framework, i.e. CIS or CSF, what vendors, where it fits in the cyber defense matrix, something of that nature.

Where it fits in your stack, is that, is, or you got like, ah, three minute, you know, love, love your thoughts on that. Um, um, so far you're at a hundred percent yes. I, I struggle to think of someone saying no to that, but there's probably a contrarian, probably. I'd rather have the accurate context. Yeah. And then put 'em in the Cyber Nation and then get some conversations.

I mean, I, I don't know that I would do 'em every day because I would like you to post them and then like get some con, get some thought, get some threads on this thing. I think they're just as valuable, what people are thinking in the real world. Yeah, that absolutely. Which leads me to the other thing I just kind of ask everybody out there. We have a few hundred on. Um, look, I, I would love more community involvement in the Cyber Nation.

It's only as good as you guys, like I try to post daily and uh, you know, I just want, this is for you. But the more we can get involved and post questions and you know, share wins and, you know, those types of things, uh, would be great. Yeah. Mattia, uh, daily's probably too much. I agree. But maybe it's once a week, you know, like if you take CSF, there's 108 sub controls total. I think it's 108 or 110.

I think it's 108, but that's, let's just say twice, two a week, something of that nature. But anyway. Okay. Gary, back on track. The other things I wanted to talk about briefly was that in this survey was being able to, um, for lack of a better word, have command, which is a word you use a lot, Gary. Yeah. On the framework, you know, being able to really, you know, implement a framework, assess gaps, um, that was, and perform a risk assessment, that was the second most.

And Wes, it's tied closely to the question I'm gonna ask you next. But Gary, um, again, just in, in terms of when you look now, uh, at the work that Sunil put out there, um, you know, we've talked a lot about assessments. You are a big believer in standards and assessments. MyIT process has a lot of them in there.

Just again, if you could just talk to us, and I may have been beating this 'cause I asked a little bit earlier, but just your thoughts on the importance of, of, of having command in 2020s, uh, around security. Yeah. So, so let's do this. That's the framework. That's what you need to do. We've, we've hit on that enough. But let's just think of the other side, which is ask yourself this question. Who's gonna do it? And how many customers can they manage? And how many seats is that?

And turn it into a per seat cost, right? You know, that that's really what you have to do. 'cause if you're not building the costing into it, right, you're not gonna do it. You're gonna do the stuff that you have to do. You gotta push patches, you gotta answer the phone or e or the tickets. You know, you gotta do the projects that the customers signed off on. You have to do that.

So if you're not thinking through it, and I heard someone say, oh, we got this new idea, we're gonna have someone who just does this. And I'm like, okay, uh, is it costed into your model? And they're like, they didn't think about that part. I'm like, if it's not, you're not going to do it.

They're gonna start doing it, but then you're gonna assign 'em stuff 'cause you have to, or they're gonna go out and, and it's gonna be done in three months and, and they're going to and they're gonna be wasting their time. 'cause if you don't do it a hundred percent, you might as well not do it at all. So Gary, is this more project, just to your point, I'm glad you brought this as up. Is this more project based when we talk, think about assessment?

Or are you thinking about it more as, let me use one of your roles like a vCIO that can manage 25 to 30 customers, maybe 150 to 200 K of MRR, that that's all they do? Is it that, or what are you thinking these days? Look, I think there's some of both. There's some, you're up, you're front loading some stuff when you get a new customer. But no, I think alignment is something that has to be ongoing. It, it can't end. Environment changes, threats change.

Uh, you know, a lot of things change, you know, over time. So it's something that has to be built in and it's gotta be someone's job and they can manage 20 accounts and they're giving that information to the vCIO and the, and the vCIO can, can build that relationship and they know that every month or every quarter, these business owners know that, that this, that, that someone from their IT department is gonna have a conversation with them. It's gonna be meaningful.

Wes, and, and it's gonna sound a lot like the one in different ways. It's gonna sound a lot like the conversation that you, that you gave us a few minutes ago. Yeah. I mean, minute 27, Wes, I'm gonna be cutting that out and posting it, uh, everywhere. Dictator 2021 or 2024. We can hash that out for you. Um, maybe we could even do a, a Hans Gary, uh, sales call role play. Sounds like you're gonna be the sales, uh, person in, in this one. Wes Gary. Yeah.

Well I know I always have to be the one to be sold to. Yeah. I'm gonna make Gary throw on a nice, uh, uh, filter and you know, he can be the tough guy this time around. Yeah, We'll do that. We'll do that. Wes the other thing, so in kind of last thing is, um, you know, the other thing that came neck and neck of skills and and and training people needed was, um, being able to implement vulnerability management. It's, it's starting to catch on.

I guess maybe if you could quickly talk to us about number one, (A) why vulnerability management isn't patch management, (B) why it's still gonna have to be around. And when I say that is, if, when you guys listen to, uh, Sunil and talk about pets and cattle and the DIE triad, in theory you would need vulnerability management 'cause you're just building a system and killing that system very rapidly. But, um, Wes, talk to us about that.

Why is, why is VM vulnerability management gonna come on and, and, and, and I think be a big part of the stack coming up here? Yeah, so a lot to say. So I'll see if I can summarize it in just a couple of minutes. So, you know, obviously what we've seen in the news happen recently has proven to us that vulnerability management is something that's very important to us, right? And it's clearly not, and I think most of us are beginning to learn this.

In the olden days when we would talk about vulnerabilities and management of those vulnerabilities, we were like, well, what's my patches when Patch Tuesday comes out? How do I, you know, get that across and through the RMM and deploy everything and make sure we're tightened and buttoned up. That that's only a very small piece of what vulnerability management as a whole is all about. And I'll just give you an example.

If you think about a vulnerability, like a weakness in a system, where do those weaknesses come from? It's not always just something that I patch against. It's not always just software. There are many other things. I introduced my kid to, uh, catch me if you can. The other day we were, we saw it on YouTube tv and, uh, he fell in love with it. He is like, you mean he actually did these things, dad? I'm like, yes.

There's a guy that found all kinds of vulnerabilities in a system, uh, that were usually physical in nature and impersonal in nature, right? And, and so, uh, vulnerability management itself has become this true trade that MSPs are going to have to be forced to learn how to master if for no other reason other than you have been caught in the crosshairs for the first time in other people now knowing who you are, right? You see this in new regulation that's coming out.

You see this in new guidance that's coming out. We had shared some of this a few months ago, I think it was back in October or November when we saw some things come out from some regulators around, hey, know who your MSP is. Uh, if you use a managed IT provider and understand the risks that you inherit by choosing them, that's all vulnerability management stuff that comes into play and, and how we deal with all of this. And it can be a big competitive advantage. Now.

Um, Andrew, your question was a little bit around, um, like this, what Sunil was talking about in terms of like pets and cattle. And again, I can't, I gotta summarize this quickly. Yeah. Um, if you wanna see what Sunil was talking about in the slide share that I shared with you guys. He talks about this on slide 12. I had to go back and find this. Um, and if you come from a farm background, which I actually happened to come from a farm background, and I'm gonna, I'm gonna prove this to you.

Uh, I'm gonna show you guys something real quick. Oh, I didn't think was gonna do this or something. You're gonna, there you go. You should be able to see this. This is Wes on the farm. Now, that's not me. That's one of my best friends on the left, uh, over the Christmas break. I actually spent a few days on my friend's cattle farm. And I'm telling you, it was rewarding for me. Oh, I thought you were a weed farmer. Uh, it was very, uh, yeah, no, yeah, the wife makes me a weed farmer. Uh, yeah.

No, but, um, uh, you didn't hear me say that. I'm not saying what kind of weed we're talking about. Um, no, this is, so we're putting on a hay, hay baler here. So we're switching out an implement on the, on the tractor, right? And this is for the cattle. Uh, and when you think about how a farmer handles cattle, this is what Sunil was saying, way different than how I handle a pet.

If my pet gets sick, I take it to the vet, I get all hugs, hugs on the pet and take care of it, and daily walks, all that kind of stuff. Whereas on the farm, when we're taking care of cattle, we take care of them in groups and in masses. And he has some kind of like rough analogies inside of all of this, you know, that I, that he talks about like when they get sick, you shoot 'em, uh, you know, they're in the food processes, I sell 'em out to the slaughterhouse, all that kind of stuff, right?

You may or may not like those analogies, but it's true. And there's some analogies in how we handle that, uh, when it comes to our IT as well, is, do, do we, are our clients, so they all still are pets? Is every machine, every endpoint, they have a pet that's always up, never goes offline, deep care? Or if it's something, when we have an issue with it, we blow it away in time for a new one. And I'll give you a quick example of this. Let me figure out how to stop sharing my screen.

I don't know if I know how to sh how to stop. Um, thank, thank you. It looks like you did it for me. Uh, here's the way enterprise will oftentimes handle this. When they have some kind of, um, significant issue with a threat, what do they do? They just blow that machine away or they blow that network away and they just start over from a known good image. That's how they handle it. Very quick and very easy. I've seen enterprise do that for even like light spyware incidents.

They don't mess around. They're like, tiny incident, gone. We don't care about it. New machine, newly re-imaged. Done. Very quick, very easy. Yeah. Hey, user, you're down for a day. Whatever. Too bad. Yeah, yeah. Yes. Yeah. Yes. And so that's, that's kinda what Sunil is talking about with this pets versus cattle. And that does definitely fall into vulnerability management and how we handle these things.

Um, so, so, and, and then that, and I'm not gonna share about this, but that goes into what he is talking about, the DIE stuff, the distributed, immutable ephemeral. Um, definitely goes into all that as well. So if you wanna know more about it, hopefully I gave you just enough to confuse you. Go watch that YouTube video that Andrew posted at the beginning and the SlideShare as well. We'll walk you through those things. Yeah.

Andrew, Tim, Tim posted something that, hey, this could be as simple as, you know, is does everybody have screen lock on? Right? Gave that example, and it made me think, uh, we had foreign operatives in our capital in the past week, right? Right. With foreign operatives that were in that capital. Man, I really hope that, um, the IT people, uh, for our representatives, uh, had screen lock, Right?

Well, that was one of their big, you know, articles on that, Gary, where people did, they bolted away, but their PCs were still up, up and functional. Um, so, so with that, Gary, Wes, awesome. I'm just gonna kind of share my screen one more time. Can you guys see this or no? Yeah. Okay. So this is how Sunil summarizes it. And there's been some good conversation around this that I want you guys to take away today. Sunil talks about look, most attacks. And we're seeing this, right?

We've seen, Wes, with the MSPs and your threat research, and I know you're doing another one that you're gonna release here probably very soon. It used to be lock down the MSP, give us some money. Okay, you're free. Then it was lock down the MSP and all their customers. Alright? And let's figure out which ones are the most valuable. Now it's lock down everybody, exfiltrate their data. Let's hold the data ransom.

If you don't want to pay a certain amount, we're gonna sell it on the dark web and start distributing it. Ow. And we can't keep up. We're not as good as the bad guys. As Wes, as Sunil likes to say, uh, the bad guys age like wine, vulnerabilities age like, or sour like, milk. Right? Age like milk. And that's really what's happening. So again, we need to take a different approach this year. We need to do the assumed breach, cyber resiliency, as Carl said, and I'm glad he did.

Let's come at it that way in 2021 with our customers. I'll, I'll, uh, take Wes', um, uh, uh, little, uh, few minutes there. I'll post it back up for everybody to see. I'll put it in Cyber Nation. Um, closing comments from us first and then to Gary. Hey, these are really good things for us to think about.

And, and I think there's so many advantages to moving towards this, um, assumed breach mentality to leveraging the things that have happened for us as an industry of late into, you know, getting our clients to understand, um, uh, we've gotta take more action. We've gotta do more than we've done in the past. That's what every MSP has.

And let's be honest, if you're an MSP on this call, you're fearful and you're fearful because you're thinking, man, I am only as secure as I can get my clients to buy into. And that's a scare, scary proposition to be in. It's rather unique for MSPs themselves.

Uh, and so I, I think these are some things that hopefully give you some ammo, uh, that, that will give you some ability to have some better conversations and shift the mindset of your clients that ultimately deliver into more security, um, when the breach happens. Not this, how did this happen to me? And more, okay, we've talked about this, it's go time and I know how to handle this because you've trained me. And then ultimately, higher proceed margins, which is always a good thing. Gary.

Yeah, Gary. Absolutely. Yeah. Uh, just great call today. I was thinking how funny it is that when before we launched this, it was gonna be a 30 minute call. Yeah, yeah, yeah, Yeah, yeah, yeah. And now we're, we're trying to, we're rushing to get it done in a, to get to get it done in an hour with a topic like this. Yeah. Right. That we don't, this is like, we don't have other formats to be able to, to do it in this way.

Um, Andrew, I was thinking about something, um, from, uh, from today is that I think one of the key things, and we talk about relating to our customers, right? Building on what Wes did is, uh, I just did some training for my true methods, in my true methods, uh, program. It was on the decision phase of the sales cycle, you know, paying money decision. And, and what we said in it was you have to be able to ask questions and find ways of changing prospects' and customers' decision criteria.

'cause that's when I hear people say, like, I just heard someone say, oh, we have people push back a lot on screen lock. That's our fault, not theirs. Right? Right. We have to ask questions and present things in a way maybe that would be a good topic to do. I can bring some of the information that I, that I shared with my members and talk about what are some techniques you can use, um, in order to change prospects. And, and I see it the same prospects, customers, it's all the same.

How do we change their decision criteria? 'cause once we do that, then it's not sales anymore. Yeah. It's, it's very much challenger sale based, Gary. Right? It's our job to educate. Like we can't, it's, we're, we're failing, but maybe we do that next week. I know we're kind of debating still with MLK day next week, and if we do do it, maybe we bring on your data and we have Wes and you role play and, and something like that. So with that awesome job guys. Thanks so much everybody.

Uh, really appreciate everybody coming out. Please tell your peers, get involved with Cyber Nation. Let's, let's help elevate each other, uh, in 2021. Make it an awesome day. Thanks. Thanks guys.
