Kaseya Addresses IT Glue – Fortinet Vul & SOC2 for MSPs
In this video, industry experts discuss the intricacies of SOC 2 audits and their relevance for managed service providers (MSPs). They explore the common challenges MSPs face when pursuing SOC 2 compliance, including resource allocation and understanding the scope of the audit. The discussion also delves into the importance of having a well-defined process and the potential benefits of SOC 2 in enhancing trust and security maturity within an organization.<ul><li>The Cyber Call webinar discussed the recent actions taken by Kaseya regarding elevated attempts to access IT Glue user accounts, including the implementation of mandatory MFA and a password reset as precautionary measures.</li><li>The webinar highlighted the importance of addressing vulnerabilities such as the Fortinet vulnerability, urging immediate patching to prevent exploitation.</li><li>The discussion on SOC 2 audits emphasized the growing demand for these assessments among MSPs and the need for organizations to improve security controls and align with frameworks like CIS to meet customer and industry expectations.</li></ul>
Guests
Video Transcript
All right. Welcome everybody. Um, just a regular Monday here on the cyber call. Nothing, you know, exciting going on. Um, we got a lot of people with us today. If you're new to the Cyber call, welcome. Uh, we've been at this for over two years. Um, and, uh, new catch Look, we were, we're fi uh, 5,051. We added a few people this week. Oh, wow. We did, we finally hit the 5,000 mark. Very cool. Very, very cool. Um, and, uh, we have people from all over.
There's Kelvin from the Netherlands, but we got an action packed show. Um, let me start off this way real quick. Um, announcements, uh, write a boom is filling up very quickly. If you are interested in coming in the call to action underneath, you'll see the Brady Bunch, all the pictures, there's a little green thing there. Uh, click to learn more. The pre-day, I would gather is gonna be selling out in the next, it will sell out this week. It's with John Strand and John Hammond.
Um, so enough about that, uh, I'll come back to that. So, yeah. And Wes, thank you all. Cyber call sessions are recorded. Common question we get, if you go up into the left hand section of the cyber call, you'll see schedule and you can watch any of the last two years, uh, replays. Alright, um, let me just see if we have, uh, I, I still don't see Jason with us yet. It says accepting and connecting. I'll try and get him back.
So what we're gonna do real quick, setting the agenda, um, our main topic today was with Rob from Shelman. It was gonna be on SOC two and your MSP. We will get there. Uh, what we're gonna do, um, part one was gonna be Jason Minar and, and Kaseya address. Oh, and look at that. Jason, can you hear us? I can. Can you hear me? Hopefully. Perfect. We got timing. Okay. So perfect timing on the agenda. Thank you for joining us, Jason. So part one, we'll let Jason have, I'll start off by introing him.
He'll have the floor a little bit to address the recent, um, communications regarding IT Glue. Um, there's a bunch of questions. We'll spend maybe like 10, 12 minutes on it, uh, with Jason. Um, then we'll move to Dave Rushmore because we wanna address the Fortinet vulnerability. Although there is a patch, um, you can probably bet that this thing is gonna be reverse engineered and exploited. And there's a lot of unpatched, um, systems out there that Dave's verified.
And then we'll get into the main show. So, alright. So with that, um, first, uh, Jason, welcome to the show. I'll set the stage for you. I'll let you have the floor and, and address everything, and then we'll get into questions. So, awesome. A lot of MSPs are asking questions, um, varying degrees of obviously emotion out there. Um, so in setting the stage, um, I wanna say first off, thank you for coming on and addressing it. That's first of foremost. Oh, absolutely. Awesome.
Um, you know, I think, you know, when I listen and talk to MSPs, they want to know the why, the immediacy, why the kind of a drastic action Mm-Hmm. Of what Kaseya did regarding it glue. So with that, let me let you have the floor. Sure. And then I'll take a look at the questions. Wes, if you can help me also, and with Gary Chat and everything, the floor, your Jason. Thanks. Yeah, absolutely. Um, so guys, thanks so much. You, it was great.
I knew that whenever we took such a precedent action, uh, that I was gonna have calls just like this and I was gonna, uh, come on because, uh, what we're used to is we're as individuals that seen cyber event after a cyber event is the lack of transparency. And what you're seeing here is total transparency, total transparency in the fact that, um, we've committed, uh, to making sure that when we see something, we say something.
And we saw something, we saw something, uh, last week that indicated that there was a, uh, a significant in increase in attempts to access, uh, it glue users accounts. And, um, when we saw that, uh, we immediately called that out and we said, Hey, uh, we realized that the majority of our customers have MMFA already enacted, but some of them didn't. So we immediately turned that on, um, and made sure that everyone had to have MFA immediately after that.
Um, what quite frankly we wanted to make sure of is we were doing everything that we possibly could, knowing that we had seen so many alerts, uh, from the FBI back in August and, and so many other entities that had, um, warned us of targeted credential stuffing attacks based upon, uh, information that was out on the dark web. What we wanted to do is we wanted to act, and the best way to make sure everyone was secure at the end of the day was just make sure that we did a password reset.
It was the safest thing. It was the most prudent thing to do. And at the end of the day, I've always told people that I would take their security like I would my own. And if I had that piece of information, that's exactly what I would do. And so that's why we took the action that we did. Got it. I guess knowing you'd end up here on this call today, right? Absolutely. Knowing I would end up here on this call.
Um, and, and that's again, happy to be here, happy to talk about it, uh, wanna make sure that everyone understands, uh, why we took the action that we did. Uh, you know, uh, apologies to, to anyone that it may have impacted, but we're actually, um, very pleased because at least, uh, from the customer sentiment that, uh, we've been hearing, we've been having the AMS reach out to customers, um, they're actually appreciative.
They're appreciative that they we're, we're taking their security so serious and they're appreciative that, um, our, our actions are aligning with our words. Got it. Um, Wes, um, um, can I, uh, Wes, do you wanna go with a question? I'll, and then I'll fire off like from, like, we got a lot of up votes on these, so let me let you ask a question. Yeah, Wes, and then I'll get into the questions from the partners. Yeah, for sure. So, Ja, thanks for joining us. Always good to have you on.
Uh, um, yeah, the question I have, I had from a bunch of partners that I've talked to, um, is like, I come from banking. Like I'm, we're used to people hitting our front doors. I'm sure Kaseya gets hit on their front door nonstop 24 7 at significant levels.
Um, I think the big question they have is like, what was different between the normalcy of just the normal, like, like credential stuffing attacks, hitting the front door, just normal routine stuff versus something that really, you know, spooked you guys into like taking very quick weekend action with, you know, an email from marketing going out and, um, you know, some confusion initially in the response from MSP part of like, have I been breached?
You know, and I know that, um, Katie and others were, were really good about saying, no, there's no evidence of that, but it just seemed like such a level of, of immediacy. What, what triggered that? It, again, it was, we were seeing, uh, elevated attempts, right? Elevated attempts. And as soon as we saw those, and, uh, quite frankly, we knew that some of our customers didn't have MFA enabled.
And knowing that the, the elevated attempts, knowing that there was information out there, um, that the authorities like the FBI and CISA had put out, and knowing humans are humans, and oftentimes whether it's good practice or not, we'll use that same username over and over. Uh, we felt like it was a matter of time if we didn't enable MFA, if we didn't take the actions that we did, um, that someone might have been affected.
And after July, you heard Fred and, uh, and myself, if there is any single action that we can do to ensure that not one customer feels, uh, the pain of, of going through any kind of incident, that's the, that's actually more we're gonna take. Uh, even if it means that people are gonna question us and I have to come on the show and answer tough questions, I, that's what I want to do because at the end of the day, we just wanna do the right thing.
Um, now could you say that maybe we overreacted in doing the right thing? I would rather overreact any, any day, um, did not have taken definitive action. So, so Wes, I mean, just in, in clar some chatter going on in the, in the j Jason. So as far as you guys are aware at this point, there's been no breaches? Absolutely not. Absolutely not. Okay. Um, lemme go through a few questions if I could with the most up votes. Why did my IT Glue users, pardon me? Why did my IT glue users both, oh, sorry.
Gary Mylo. Yeah. Mylo Milu users both active and inactive also receive an email. Why did this email come through the marketing team? Yeah. Yeah. So it came through the marketing team, uh, because quite frankly, uh, it was, it was my direction that we pushed it out as quickly as we could. Um, and that is a, a very quick way to push out, um, information. And, and so that's why it came out through the marketing team. We wanted to get this information out as quickly as we could.
Again, um, uh, time will tell we can Monday morning quarterback how, uh, information went out. Um, we're always willing to do a better job in, in, in sharing information and making sure that, uh, we have, uh, the proper i's and t's dotted. But it was just a matter of making sure that everybody had the information.
Quite frankly, when I did, uh, because that's the promise that I've made to MSPs when I sit in front of them, is if I have a piece of information, you're gonna have a piece of information. And so that's how it, it transpired. Okay. Very cool. Quick question in terms of, I asked it from a breach perspective. Any compromises through brute force? Yeah, no, there's, there's no indication of of any compromises.
Uh, again, um, I know that this is also a playbook that people will utilize for that, but I would just say that, you know, uh, this is a tool in the tool belt that you use, uh, when it comes to, uh, any kind of, uh, potential threat. And that's what we want to, that's what we wanna make sure that everyone knows. It's a tool that's gonna be widely used, and it's a tool that we used, again, to make sure that our users were protected.
But there is absolutely no indication of any kind of compromise at this time. Cool. Okay. Why is SSO allowed to be bypassed? Does not, does not, it does not seem, does not, why, does not seem like a secure design. It was, it was a que it was more of a statement versus a question. But why is SSO allowed be bypass? Oh, Yeah. So, so I don't think SSO is necessarily bypassed.
There's just a, and we have a whole section on SSO, uh, and the way users are, uh, directed to, um, uh, to actually complete that authentication, uh, based on conditional access and policies. So I would say if you have questions about the SSO, we have a frequently asked page go there and, um, you can definitely, uh, find out a proper way to Jason.
One other Question, a a bunch of folks have asked that I've seen, um, in Reddit in other places is, um, data that's still around after a user left it glue. Do you guys have any thoughts on like, how that data should be decommissioned and removed? Yeah, so there, there's a policy, uh, where we decommission and remove, um, and I don't want to give you the wrong time periods, um, but I think that's up on the website. And if it's not, we're happy to get that for you.
But it absolutely is, uh, decommissioned and, and removed, uh, if they're no longer a user and applies and, and it, and it goes and it adheres to all applicable, you know, laws, wherever that person is. Okay. So one or two, one or two more. But I do want to ask Jason, there's a lot of questions out here, a lot of statements in chat. Is there a way for partners to get, you know, immediate answers on, on their concerns? Oh, absolutely.
So, you know, I would have you, uh, reach out to your account managers. I would have you reach out, um, uh, to our frequently asked questions page. We're trying to update that on a regular basis, uh, as these questions come in. Uh, but these are all great questions that we wanna, you know, continue to answer for our partners. Uh, but that's, uh, that's the best way. Or you could always, uh, you know, uh, create a ticket through, uh, customer service if you have, uh, continued questions.
And, and quite frankly, I'm happy to, uh, jump on calls and have been talking to customers, uh, you know, even today that would have any concerns. Got it. Okay. Um, okay. So given the recent security concerns, what information can be provided regarding the confidentiality integrity of data stored within your platform? I'm, I'm sorry, say that one more time. You broke profile me. Yeah.
Given the recent security concerns, what information can be provided regarding the confidentiality and integrity of the data stored within your platform? So I guess you'd have to define the recent security concerns. 'cause the only, uh, the only concern that we have, again, is making sure that we protect our customers to the highest level possible.
And we wanna make sure at the end of the day, uh, that when we see activity that we know is an indicative of a, a threat actor, and if there's a way for us to, to take action that we do so. Got it. Um, Wes, any, any others? I mean, it almost seems like we need to have like a, a webinar just dedicated to this 'cause there's so much in chat that's, that's coming up here. Um, Yeah, I mean there, there's a ton of pushback on the s SSO stuff, but I, yeah. This is not my area of expertise.
I don't, I don't, uh, unfortunately, I don't know enough about, uh, how it works and how it's architected. Yeah. Um, yeah, they're not, they're certainly not pleased with, I guess the, the responses on the s sso. Um, yeah. And Originally we were gonna have Nadir as well. He, you know, if you know Nadir, he pretty much architected the, the product, but we didn't Yeah. And, and we're, and we today, But I can have him back to a show he's, he was willing to be on today. We put Jason on instead.
Got it. Okay. Um, uh, lemme just see one more here. We'll go with, and then I, okay. So I'll go with this one. Given you, given you our, sorry, bear with me, Jason, given your Yeah, No worries.
Given you're having this call today, af after attempting to frame this as an extra precautionary measure to ensure your safety air quotes or, you know, quotes in the email on Saturday, why should anyone trust you're being honest about providing full disclosure as opposed to giving the minimal, legally required information until forced to disclose more? Sorry. So given the minimal, I'm sorry. Say, so say that again.
Providing full disclosure, the Question is are you not, is there something you're not saying, Which the question Yeah. Which I, I guess we've tried to answer. No, in fact, we're going above and beyond by trying to provide, you know, uh, everything that we have under the sun, which is, um, you know, we had the information that showed a potential, uh, attack.
Uh, we saw that our, our customers could potentially, a small segment of our customers, uh, could have somehow been exposed because the lack of, uh, processes that they had in place. And that's why we mandated the MFA, that's why we mandated, uh, a change across the board. Okay. So what I'm gonna suggest, um, by the way, guys, uh, first of all, appreciate every Jason, appreciate your coming on. Yeah, no worries.
In chat, uh, and everybody, I appreciate your passion and, and, and obviously, you know, this is an important so, you know, piece of your stack. Um, what I'm gonna ask is if you could email me, I'll just put my email in and I'll create a, a list of questions. And if need be, uh, maybe Gary, we do get Naira on next week. Yeah. Um, and come back for more. So here's my email, it's Andrew at the Cyber Nation.
Um, one thing I do want to quickly say, um, if you guys know, um, Jim Lippy, uh, at SaaS alerts, they monitor it glue. If you have concerns, Jim asked me to tell you everybody that there is a, he'll give everybody a 30 day, uh, free, um, trial, no strings attached. I put SaaS alerts in there. Um, obviously, you know, with your heightened concerns, that might be an option for everybody to turn that on for 30 days as well.
Yeah, SaaS alerts, I mean, they do a lot of apps, but specifically, uh, they can protect it glue. So everybody should give it a try. Yeah. Um, okay. Alright, Jason, thank you so much. You're welcome to stay. I'm going to, or, or not. It's, it's totally your call. I know you're busy, so No, no offense taken if you need to run. Yeah, Well, I do have a one 30, otherwise I would love to stay, uh, and always a pleasure coming on the show. Great having you. Thank you so much. Thanks Jason.
Thanks guys, Appreciate it. Um, okay. Gonna go to Dave, Rob again, thanks for your patience, Dave. Um, let's talk about the Fortinet vulnerability, because this is one where, I mean, last year we saw Fortinet, uh, pulse Secure. Um, I'm trying to think of the other internet facing one that was SonicWall got hammered. Um, and this is, this has got the kind of same feel to it in the making.
Um, I'm sure you went out and scanned the internet in terms of how many devices are unpatched and just humor me, how many are unpatched? So exact numbers for unpatched should be a bit difficult, but you are looking at about 166,000 Fortinet, um, and Fortinet gateways. Okay. Currently online at the last time I checked, um, based on when the patch came out.
And, and based on just how easy it is sometimes for people to patch and, and that's, this is no, um, I'm not trying to admonish anyone and say, look, you, you should be responsible for patching straightaway. But I'd say at least 50% of the ones that are out there are still unpatched. Well, I mean, look, look, just given the, what we saw last year, right? And, and all these internet facing. Yeah. Yeah. So, well, that's it. Right?
So CBE 20 18, 1 3, 3 7 9, which was another, it was an S-S-S-L-V-P-N, uh, vulnerability. I think Arista published a, a paper in July that said this vulnerability was still out there and still being used and they saw it on one of their customers. So I mean, that's a 2018 vulnerability that is still out there. So right now, CV 2022, this 4 0 6 8 4 remote authentication bypass, no one is reporting seeing it live.
But based on historical data, it's very likely that as soon as a, uh, proof of concept is out there and someone's got the code for it, it will start to be used. Um, and, and really that's why I'm here is just to encourage everyone there is a patch for it, please go and update. Um, because this sits on the operating system, there's very little that people can do about it other than monitoring for it.
So, for example, we we're monitoring it, we're not seeing anyone compromised yet and not seeing anyone using it. But I know there are a couple of research teams out there that are reverse engineering the patch and they're, they're working on a proof of concept and a block to go along with it and a paper And obviously no threat actors reverse engineering the patch, right, Dave? Oh, absolutely not. No. That's not something to do with at all. Um, Okay.
Um, You feel the sweat trickling down my face at that question And I'm assuming, just curious Black Point, you guys are also monitoring for IT glue as well? Yes. Okay. We are, yeah. And we're not seeing anyone compromise at the moment. We, uh, we're tracking a few different, uh, scenarios, but nothing around this compromise. Um, largely we've been following a nation state group that has used a compromised account, not linked to this.
Um, and that's a much bigger, a much bigger story that we've been working on, especially around, uh, more focused on that exchange vulnerability. Got it. That came out last week as well. Got it. So, Okay. Well thank you for coming on and uh, again, anything that, you know, oh my pleasure. We get update, uh, updated on Please, um, black Point can monitor it. Glue question mark. Uh, we do have monitoring in place for it, yes. Okay. To the best of my knowledge.
Um, but you know, if someone wants to fire any questions towards you, please feel free to email me on, uh, and I will verify and not give any inform. Yeah. Dave, can you put your email in there, um, as well so people can ask? I certainly can, yeah. Okay, perfect. Alright. Um, Rob onto you. So this is what, this is what today's call is supposed to be. Rob is thinking, what did I just get into? Yeah, yeah, yeah. And Dave, again, welcome to Stay my friend.
No pressure to, I know you're busy, but you're welcome to stay if you'd like. I think you guys are going through your SOC too as we, uh, you know, your re-audit as we speak, I believe. Um, okay. So without further ado, um, today, um, I wanted to, uh, bring on, um, Rob Toka, uh, Shelman. He's a principal there. He is, been there for many years. Awesome person. I got to meet Rob a few weeks ago.
Um, you know, in kind of setting the stage here, I am hearing from more and more MSPs that are either thinking about or going down the SOC two journey. So I wanted to have somebody on that obviously specializes in this, uh, does work with MSPs, um, and really kind of, you know, have a open, honest discussion about it. Wes, you would be, again, suited perfectly for this. You've, you've been through them, you've a number of them.
Um, and again, if you guys could, uh, in chat, let me know about your, um, uh, uh, questions on SOC two. But Rob, again, thanks for coming on. Can you share a little bit about yourself and Shellman? And, uh, it's wonderful to have you here. Absolutely. Thanks for having me. Uh, first time on the call. Great to be, uh, joining here today. So I'm a principal with shellman. I've been with the company, um, almost 15 years now.
I lead what our Midwest practice, this includes, um, not only SOC two, but SOC one, hipaa, PCI, ISO 27,001. Um, I live in the Chicago area and I'm married with, uh, with five kids. Wow. So you're not busy at all, huh? Not, not at all. We got with Columbus Day holiday. I'm surprised it's, uh, as quiet as it quiet as it is right now in my house. Uh, but from an organization standpoint, SHELMAN is a licensed CPA firm and provider of many information security and privacy related audits.
From an InfoSec perspective, that's SOC two and ISO 27,001. Uh, but from, you wanna work with one of the federal agencies, uh, FedRAMP as of, you know, as of late, uh, CMMC, you know, is on the radar with the Department of Defense. If you serve as a business associate handling EPHI, hipaa, high trusts, PCI, if you're, you know, credit card data and, and then privacy is all the rage these days. And so GDPR kind of brought some new life into the privacy, uh, realm.
Uh, but most commonly what we're doing is, uh, ISO 27 7 0 1 assessments, uh, to demonstrate, uh, compliance with some of those frameworks. Very cool. Yeah. I'm gonna hand it to you to start. Um, you know, kind of in light of, man, we, we haven't heard too much from, you know, cyber insurance from CS a from mi, ms. ISAC on, you know, MSPs needing to improve security controls. Right? We hear it day in and day out. It's what, you know, is important, you know, to everybody on this call.
Um, so let me take it, let you take it from here, my friend. Awesome. Well, like, maybe first of off, thanks for being here. Uh, really appreciate it. Maybe just kind of start, like at the, for some people with basics, SOC one, SOC two, if I'm a service provider, what's important to me and why? That's a great question.
And so, um, you know, the SOC reporting framework, SOC stands for System and Organization Controls, uh, was created by the A-I-C-P-A, and it's really meant to help companies establish trust and confidence, uh, with their customers and their services and their products. So to receive a report, you'd actually have to get, um, an audit performed by a third party CPA. And so, SOC one has a lot of history. It was formerly known as SAS 70, uh, if anybody might be familiar with that. Yeah.
It is an assessment that, uh, evaluates if your services have a direct or indirect, uh, impact on your customer's internal control over financial reporting. It's not a financial audit, rather, it's if your services affect the controls of the financial reporting process of your customers. So the more typical, um, you know, recipient would be a payroll processor, you're performing some kind of valuation services, tax services, SaaS services works as well, but more in the FinTech space.
Um, so while like IT general controls are very common across all of these frameworks, there are unique business process control objectives that would be more applicable for a SOC one from a SOC two perspective. Did you wanna stop me there on SOC one? It's good. Absolutely. So, uh, it's an assessment SOC two that opines on the controls at a service organization relevant to your, both your commitments and then what's known as the trust services categories.
These are security, availability, processing integrity, um, confidentiality and privacy. And it's the same criteria now that would be applicable to any organization. And so the controls to meet those many objectives, or those criteria will be unique to each organization, but it's, it's at least a standardized framework that each SOC two should have the same kind of components.
And it's much easier to then review and kind of assess, uh, you know, the maturity of an organization SOC two, um, you know, using that reporting framework. Gotcha. I, I didn't, I'm gonna jump into the options here really quick. Go ahead. Type one versus type two. Type one is an assessment as of a specific date or a point in time just on the design of your controls. And then most organizations would then kind of pivot to a type two afterwards.
And so that covers not only the design and, uh, implementation of those controls, but its operating effectiveness. Then over a period of time, we usually come in towards the review date or the end of the review period, and then look back, um, you know, uh, to determine the effectiveness of those controls. So what are the main one or two things, like when someone reaches out to your organization for help, why, like, what, why do they need help?
Well, they, they, they need help because they're getting this, um, you know, requirements from their customers. They're not familiar with what it is. Maybe there's dollars and cents on the line. Um, were you, were you asking of more of the benefits or why they would wanna work with like a company? Like Yeah. What's the reason why they, one or two reasons why they would like as versus just being able to, you know, dig in and get it done? Yeah.
Um, so they, so they would reach out, obviously, um, because, you know, you, you need that third party CPA, right? And so they're gonna have to select, uh, one CPA or another CPA anyways. Um, so it's gotta be a CPA for us. Some of our differentiating factors are that we're the only US firm on the top 100 accounting firms that only specializes in IT security and privacy. As a CPA firm, you know, most do traditional tax, finance, accounting services.
We kind of just stick to our lanes and do only, you know, the IT security and privacy assessments. And then the second one part of that is really independence. Because we don't do any advisory services, which is common for other CPA firms. We're able to maintain our independence. And this leads to lots of synergies, uh, what your customers might be asking about SOC two only right now, but then maybe, uh, you know, uh, a contractor or prospect comes up for HIPAA or maybe PCI is applicable.
And so lots of synergies with one request list, one meeting of your, you know, control owners, uh, and GA gaining those synergies in multiple assessments. Okay. So one big question I have is, you know, we see, I mean, I know a bunch of MSPs that have been successful with this. They've, I think a couple things they share in common is it was way more, always more work than they thought that it, you know, thought that it would be.
So, you know, we know, uh, Andrew Sonny Lowe from BlueJean and, and, uh, Carl from Snap Tech, these guys have 20 plus people, right? In, in their, in their organizations. Like, I'm an MSP, I have, you know, 10 people total, 12 people total in my business, you know, six or seven technical people. Do I have the resources to do something like this? Or do you need a certain level of scale or maturity to even attempt it? You know, that, that's a great question.
I think that there's a misconception because you're limited on resources that you cannot get this while we work with organizations of all sizes, you know, I think I had one recently that had maybe 10 people that, that completed one. And, um, it's not that you have to be mature to begin the process. I think it all kind of starts with commitment. And so the organization is committed to achieving this, uh, top management commitment is gonna be ensure your success, right?
Once they're committed to it. Uh, but, you know, we, from our side, we need one or a few liaisons to help us facilitate the audit, right? When we send out, uh, our request list to help kind of coordinate some of the things that we'll be looking at, setting up meetings with the control owners, we wouldn't know who the DBAs are or system admins or who's responsible for, you know, incident management or risk assessment.
So, um, having that liaison and that commitment's gonna be, um, you know, very important. And, um, you know, I'd say that's why I, I wish most organizations are doing this because it's the right thing to do. You know, it's usually the, uh, they're pursuing it initially because it's a customer. Yeah. Or a Prospect. There's some other driver right behind it.
Um, can you give us a cost, a a a sense of, you know, cost preparation time, like some idea if someone is thinking about this, how they should, you know, consider it all that stuff? Yep. And so we, uh, do have a cost structure that we have. We've got tons of blogs and stuff on our website. Um, we just went through this standardization approach. There. There are gonna always be with anything you buy, always gonna be, um, you know, factors to consider when it comes to cost, right?
Like, uh, how many different services are gonna be included in scope? Um, you know, what does the technical architecture look like? Is it all just a window shop? You have a flavor of Windows and Linux and containers? Are you half, uh, on-prem and half in the cloud? Um, and the applicable trust services categories, security is the only required one. Are you looking to add others as well?
Regardless of those options, we did put together a baseline cost for a type one that point in time assessment, kind of like I mentioned, you'd probably be in the, in the mid twenties to upper thirties range at the baseline. And then if you're gonna add a bunch of things, you know, it could go up from there.
And then for a type two, uh, looking at the operating effectiveness of those controls, you're probably starting out around 30, uh, up to, you know, the low fifties with that potential to, to increase from there as well. Yeah. And what about from a time standpoint? From my resources, a as a provider? Yeah, it's, um, it, it, it, it's hard to gauge sometimes because I'm not sitting on that, on that side of things. But, you know, let me let, I'll, I'll tell you how our typical assessments go.
It's not gonna take 100% of your time, you know, during, during these, these weeks. And so with any engagement, we kind of break it out into planning, testing, and then reporting phases. I like to know a little bit about the environment before I'm gonna come in there, so I have more applicable requests. I don't wanna be asking you for Linux if you're an all window shop.
Um, and so, uh, there's some questionnaires, some, you know, meetings that we'll get to understand the process flows, how everything works. I put together a request list and a meeting list, get that to you about four to six weeks in advance of the audit. You're gonna gather a lot of that evidence for us so that on day one of the actual field work, which is the testing phase, that's gonna be about two to three, four calendar weeks, depending on the scope, everything's ready for us.
We can inquire with the control owners to confirm our understanding is correct, have to do some inspection testing to make sure that, um, you know, that the, the testing evidence, uh, suffices the controls. We are subject to peer review as well. So all of these, uh, tests must, you know, hold their own weight with supporting work papers. And then once we complete the audit, about three weeks after that is when we provide you with your draft report.
You can take as long as you need to review that. And then once you approve it about three to five business days, um, you'll get your final from there. So all in all, you're looking at about nine to 12 weeks from commitment to finish, um, assuming you know you're ready to go with that type one, and that's not gonna require, you know, a hundred percent of your time. Our, most of our customers wear multiple hats. They've got a lot of things going on.
And so prioritizing when it's field work time, you know, at least half of those days, we need dedicated to us. Yeah. So I, I'm gonna hand it over really, really great. Um, I'm gonna hand it over to Wes, but, uh, the one comment that I'll make, Andrew, is that just like most things we talk about here, right? If you, you don't have carved out, developed and priced in, like proactive roles in your business, there is no room for this.
Just like there's no room for the additional security things you need to do. Like, there's nowhere to go. And, and if you're in that situation and you're running under, you know, 15 or 18% true net profit, there, you, there's no bag of tricks that you can go into, you know, for 12 to 15 weeks to be able to do this, let alone, you know, keep the, the, the, the discipline in place. So it's, again, something for people that's our business model is changing.
And almost every week when different topics come up, the answer is the same. Andrew, So let me ask you this, Gary, do you find with your peer groups, because you do special projects, let's just go to something that, you know, before you'd even consider SOC two is, you know, just getting like an implementation group, one of CIS when you guys did that kind of special project, did you find peer help kind of elevate or rising tide, like help push others to get controls and top employees? Yeah.
Listen, Andrew, we've spent so much time kind of focused on this over the past couple years. Um, you know, based on the change in environment, and frankly, thanks to being here and being educated, uh, for, you know, all, all this time, uh, and, and inter bringing that back, you know, to our groups, but, uh, definitely, uh, people are thinking more about it. And that's what it takes. Like coming here, being part of a peer, you have to constantly be immersed into what you need to do.
And at least getting to the point where even if you don't fix it, you see that gap between where you are and where you need to be as the first step. And I don't think people are figuring out all, all, you know, all by them, all by themselves. Yeah. I think more than ever now you, you kind of, you can't, I mean, not, we've always been kind of a fraternal ecosystem, no question. Yeah. You know, about the people that attend the events and, and, and things like that.
But I, I think I, I, I, I, I think more than ever, it's almost like, uh, impossible to not be part of something Gary to on, on a continuous basis where we are in, in today's threat landscape. Is that a fair way To say it? Yeah. I don't know. I, again, if, if you run an MSP today, I don't know how you're not involved in more communities, uh, how you're not in a, you know, in, in, in a peer group, there's a bunch of great ones, right, right. That are out there.
Um, and whenever comes time when there's changes to be made in the business, and we're only talking about, um, you know, one piece on this call, but there's a lot of other changes in the business model right now, uh, that's changing. So yeah, you're not gonna figure it out inside of a ticket in your office. Yeah. Good stuff. Wes, Over To you. So, yeah, so Rob, uh, I know that shelman is, is a, is different, right?
Because like you guys said, you really focus on like the IT and security aspects, but one question that people ask all the time is, why are a bunch of bean counters CPAs, like, have they cornered the market? Why does it have to be A-I-C-P-A? Why are CPAs qualified and the right choice to be doing this audit, uh, for security? Can you kind of walk through the history of that so we understand why, um, it's always ai CPA and and it has to be CPAs? Yeah, that, that, that's a great question.
So, um, you know, the A-I-C-P-A created this framework, right? And, and it kind of comes from because there's an an opinion that needs to be issued by the auditor, uh, by the auditing, the cpa, a company. And so most of us actually were, you know, IT and mi s majors at the, at the core of it, we are CPA. So I did get my, uh, CPA license in, uh, several states just last year, which was, uh, quite a task with, with five kids. Uh, but, um, you are gonna have people with deep expertise.
Uh, you know, un unfortunately, if you ask me about bookkeeping or tax, uh, despite getting the CPA designation, you know, i, I am not the, uh, subject matter expert in that realm. So each different framework, whether it's high trusts by, you know, the, or, you know, cloud star by the Cloud Security Alliance, um, you know, has its own prereqs for who is eligible. Like with the ISO 27,001, you have to be accredited by a a or ucas or one of the accreditation bodies.
So it's kinda similar from a SOC two perspective, But from, can I just go pick up any CPA firm that's in AI CPA off the street and they can do a SOC two? Like, how do I actually know that this, this audit firm is, is the right one, either for me or just across the board? I mean, couldn't there be some Saul McGill, Jimmy Jimmy, uh, Jimmy McGill, Saul Goodmans, I dunno if you guys watch that show, uh, CPA version, I mean, how do you, how do you address that? There, there could be, right?
I mean, you, you could be, um, a, a new CPA firm that, that does soc twos and, um, most organizations would want a reputable company to be signing off on the reports because you don't want your customers questioning the legitimacy of that report. Um, but a lot of it's going to go to the capabilities as well, right? It's that that audit is not gonna be a streamlined, kinda like what I mentioned from the planning, testing, and execution stages. You're gonna have a lot of bumps in the road.
You, you never know if a client's prepared or not, which adds, you know, and then if they wanna add PCI or other assessments, they're not gonna have the capabilities to do that. So these are the kind of things that you wanna do when you do your, your sourcing processes, interview a few CPAs, uh, figure out which is gonna be the best for you. You know, we, we may not be the best for you. Um, so that's something that each MSP would've to look into. Well, let's flip that script then for a minute.
Let's say that I work, I, I'm a CPA and you're in my shoes, right? So you're, you're sitting here thinking, okay, for Mike, we need to get a sock two out the door. What questions would you ask your CPA if you were vetting them trying to figure out, is this the right one for me? Yeah, you know, I would question their methodology. I would question, um, you know, how fast it's gonna take for them to deliver the deliverables.
You know, that's kind of what, um, set us aside early on is that we would get these reports in our customer's hands about, you know, three to four weeks upon completion of our review. Some other audit firms may take four to five months. Um, and so this is a, um, an SLA that we've consistently hit over my 15 years here. I'm not familiar with any instances in in which we've dropped the ball and that has not happened.
Um, asking about their qualifications, like I said, we might be thinking about SOC two right now, but more frameworks always come up down the pipeline. And then what I would also kind of question is you don't know what you don't know, right? So it's all gonna be about educating the MSPs. Um, you know, you're, the MSP is not required to be the expert in controls. That's kind of the CPA's job.
And so having that relationship with your customers, um, periodic checkpoints talk about their problems, their concerns, um, you know, we can't, any CPA firm has to be very, um, careful about not to do anything, could be perceived as consulting or advisory, but you can surely let you know, uh, the common gaps. There's a lot of common gaps that that, that transcend, uh, different, uh, soc twos as well. So, you know, lot, lots of com, uh, communication and knowledge to share.
Wes, can I, can I throw a few questions in my friend? Yeah, of course. Yeah. So Slagel, um, has, like, how do exemptions and exceptions play into all this? I've seen SOC two type two companies that essentially only audit a tiny part of their environment. Rob, can you, can you speak to that? Yeah. So, um, you know, the scoping is one piece where you're talking about auditing a, a tiny part of the environment, but exceptions could play, um, in any SOC two report.
That's a type two mo most often a type two. So with the type one, you're looking at the design of the controls as of a specific time, either the controls in place or it's not in place, you have to meet the criteria. Um, with a type two is where we test the operating effectiveness of those controls. And so if we're gonna look at a sample of changes, if we're gonna look at a sample of employees onboarded or terminated, you know, I might take a, you know, 25% up to a max of 25 terminations.
And if you didn't revoke access for four of whatever the 25% is, that would show up as a deviation in your report or otherwise known as an exception. Some exceptions could, uh, cause the auditor to qualify the report, qualify the opinion on the report. Uh, but often, you know, exceptions are, are manually they're, they're manual, you know, human issues. Uh, it's not a bad thing necessarily for an entity to have an exception. It's the qualified opinion that you're trying to avoid. Yeah.
And there, that's a great point because oftentimes I think the knee jerk for people is cool. I got the SOC two flips straight to the bottom. All I'm doing is I'm going to look through all of the, um, exceptions. And I'm just looking, are there exceptions yes or no? No, we're good. Good. SOC two, and we miss Rob, like the, like one of the most important pieces you've talked about is scope. I, I've learned this both from going through SOC twos and looking at them.
I can very easily have a very narrow scope to avoid a whole bunch of litany of things that I may not want tested. For example, there's a well-known security vendor that uses a Phish as a moniker. And this was years ago, so I can say this now. Um, and I was reviewing it at my bank and I was looking specifically for the, the email encryption service stuff. And I start looking through the audit and it has literally none of that stuff was in scope. And so I'm like, what's going on here?
So I ended up talking to their chief legal counsel and I'm like, Hey, I'm looking at your SOC two and nowhere in scope is this service that your, um, account rep sent me. So I'm kind of confused. Do you have another SOC two that covers that? Or is it just missing? And the, the, the, the legal, um, the lawyer comes back and says, well, no, we actually haven't tested that yet. I'm like, oh boy. And he is like, but no one really ever asked us that question.
I'm like, well, I'm asking that question. So I have no insight at all into this email encryption service that you're providing for me. It's a pretty scary position. Now they've since course corrected that, but that to me was my eye-opening moment of how important scope is when you're looking at this. Yeah, I mean it, that, that's the most important part.
It's what you should not be doing is picking up a SOC two report quickly, looking at the opinion quickly, looking at the findings and saying, we're good. Right? You, you need to assess what the scope is because if the scope is not covering the service you're subscribed to, what good is that SOC two report, right?
It's gonna provide some information about the organization and how great they're doing things from an entity level perspective, but it would not look at, you know, how they're authenticating to that service who can admin it, change management, um, the other more it general control specific ones. So, um, you know, definitely wanna look at that scope. There are specific requirements that are called like the system boundaries.
I don't wanna get too technical on this call, uh, but where you'd have to identify the infrastructure, software people, procedures and data relative to the scope. And so look at, look at the entire SOC two report is what I would recommend. And, and don't just complete a check the box exercise. Hey, uh, Wes, just real quick, I put up a poll. I would love it if everybody could just take two seconds.
It's a yes no, um, it would be really helpful to get it because so far only a few people have answered it, which is fine. But it's interesting, Gary, like just in those quick people that have answered it, how do you reconcile this dude? Like when you are like seeing that, you know, 60% or so of MSPs are being asked, it's even out a little bit now, but let's just say we end up 50 50 gar. Yeah. Which is where it looks like what it's gonna be.
50% of MSPs are being asked, do they have a SOC two or, I mean, I gotta believe with cyber insurance, where it's going gar one way, shape or form some type of security report framework, you know, some type of third party attestation is, aren't we headed that way? And if so, again, comes back to your point of roles, like how do we, how do we get there aside from charge more? Yeah. Well, I mean, look, I think we have to assume that's where we're gonna get it.
If you're not assuming that right now and, and not framing future decisions you're making going forward and how you approach, uh, the business, your roles, your process, your business relationship, then you're gonna put your business at risk. But when you're seeing 50% of people are asked that, I mean, I, you kind of need to know more. It's one thing if people are asking it is, is it a show stop? Or why are they asking?
And is it a red flag where they wouldn't do business with us or if they're a customer would stop doing business? And if in some scenarios that's the case, I think it's just like we talked about with, um, CMMP where you're gonna have to decide who your customer base is, right? And you might not. Yeah. And, and again, I think all MSPs my message, we have peer groups next week, my message is, listen, this is why marketing is more important. Now. We all need better prospects.
Used to be anyone was a prospect for us. 'cause we could sell 'em whatever, a server then yeah. Anybody that had less than so many seats was, was a prospect for us. It's within that. Now based on our size, our maturity level, our, our, our qualifications, our certifications, there's a smaller group of people that can do business with us.
It doesn't mean there's no room for everybody, but you get a reference, a smaller percentage of those are gonna be people that you actually have a competitive advantage with and everyone has to live with that moving forward, Andrew. Yeah. Yeah, yeah. I mean it's like, does that make sense? It's like, yeah. Are you with me on this? Yeah, I am.
And and there's a huge corollary between like if we were to take that study data and the ones that are being asked for it, I think you're gonna see ancillary things that attach to this. Like traditionally they probably do a work with a lot of financial orgs, right? That are used to asking this of all their vendors. Banks pay more per seat. They just do, right? So I think you'd see that. I think you also see a lot of like security maturity, Gary.
Like you don't just get a so To 'cause they have to, right? 'cause they have to, the banks have to Exactly. Because they, they have to have that level of security and it can't be delivered any other way. Yep, Yep. And Rob, I want you to walk us through an example of this really quick just so people understand. You can't hide from an audit. That's the, that's the great thing about an audit, right?
So like the policy piece is probably the most difficult and the thing that shocks MSPs the most to say, wait a second, my policies are probably kind of garbage once you're looking at 'em. But then you guys take the policy and you look at what's said, these things should be done. Let's take, um, user onboarding and offboarding, right? And then you guys actually, as part of your audit process, go pull logs and actually look to see if that policy is being enforced.
Can you kind of walk us through that and how you can't hide that from an auditor? Yeah. The, the, the SOC two is very particular in, in its criteria. And so this one, you know, particular will be like CC 62 about how the entity authorizes, you know, uh, onboarding and, and offboarding activities. And so, um, it, it, it may not require that you actually have like a policy, like a documented policy for each kind of control domain in place. But we're looking at the procedures, right?
The entity's procedures for onboarding and offboarding. And so, you know, kind of going back to your scope question, I'm gonna follow the SOC two framework to identify the controls in place to meet that. Um, you might have other controls outside that framework, but that's going beyond the scope of the audit.
So, uh, whatever is defined in the SOC two framework, um, you, you really can't hide from that with a type one, you get flexibility because you could implement the control up until the review date, uh, with a type two we're looking back. And so if you were deficient for six months out of the year as you were formulating that, that would show up on your report then. So I, I love that because, and go, I want everyone to go look at the polls. We got a second poll question that just came up.
Um, and I, I want your answers back on that, but I love that because I think those are the things that are, that's where the, the, to me, one of the most beneficial pieces of the SOC two is, is it forces organizational and security maturity. You can't fake it, at least for the things that are under scope.
And I think that's where the real, some of the real value, one of the best pieces, and that goes right back to Gary's point, um, around, that's why these are typically top performing MSPs because they've already mastered service delivery, security maturity. They bake that into their process. And so it just seems to be an offshoot of a SOC two.
Um, means it doesn't mean if you don't have one that you, you may not be there, but I think there's definitely a corollary there, Gary, A hundred percent. Man. It's, uh, figuring out how to implement process is hard. Figuring out how to implement additional process is not quite as hard.
So, um, Rob, another question that comes up oftentimes, and I've seen this as well in soc twos, is the TSPs, the trusted service, um, categories I think is the C um, you know, so you have like privacy, security, availability, all these different things that are, and I can actually choose which ones I'm, I may, may go for. Can you just talk to us a little bit about TSPs, the approach you should have when you're going through a SOC two?
Do you just start with like, availability to hit the easy button or, or what's your, what's your thought processes on that? That's a great question. Right? And that, and that's the first one that you're gonna have to come across with scoping is which apply to me. And so there are five, security is also known as common criteria. You can't do a SOC two without security. And then availability, process integrity, um, confidentiality, privacy are all the, uh, additional options.
Most, uh, MSPs will probably do security and availability. And I'll kinda walk into each really quick. I know we we're kinda short on time security's very encompassing. We're looking at control, environment commitment, integrity and ethical values, onboarding background checks, employee handbook, risk assessment, internal control evaluations, how you're doing vendor management and review incident management.
But then it goes into access provisioning and terminations like we spoke to authentication. Are you using MFA, admin, firewalls, IDS SIM tools, anti-malware change management, all the good stuff. Availability, which is also very common is regarding your commitments regarding to the availability of the system. And so if you are responsible for monitoring uptime, SLA requirements, backing up customer data, DR. Availability is, is very applicable to MSPs.
Processing integrity affects how, um, transactions are maintain their, um, integrity through input processing. Output storage does not apply to most MSPs. Uh, confidentiality would be a close third. And that kind of goes up to the initial conversation that we had. Data retention and data disposal. Right. SOC two's a little bit unique 'cause the other frameworks don't look at that. So are you committing to encrypting data at rest? Are you committing to retain it for seven years?
Um, do you have to dispose of, of that data upon termination of a contract or request? This is where we would actually go in and as a type two, you know, whatever the entity's control is, um, you know, upon termination of a contract 30 days after whatnot, we're gonna take a sample of 25 terminated customers and look at the operating effectiveness of that.
So we'd be able to be that independent source of truth if there's any concerns whether a company is kind of disposing of their data in accordance with their commitments. Got it. We, if you were an, you know, let's say you were an MSP today, would you, it, it almost seems, and I know it's easy to say this, but would you force yourself into the SOC two?
And what I mean by that is you might, you know, your first go at it, you might get these, this gap assessment and go, holy crap, you know, we got a lot of work to do. And, and Rob, I'm sure you, you do that at times, but would, would it force, you know, kind of you into this next, you know, level if you, for lack of a better word, I know I'm not articulating myself real well, Wes, but do you get my point where it's forcing you into a level of maturity Yeah. That you would Yeah.
Here here's, I think about it carts and horses, right? And, and to me, one of the horses is security alignment, right? So let's, let's get the, let's get maturity around our security alignment. Go fi, go follow CIS get through IG one, right? You go talk to someone like Eric Woodard, he's gonna tell you the value that's provided to his MS P and in terms of just where they've been going and control assessment and alignment, all that kinda stuff.
And then I think once you've got that horse in place, then you can begin to look at like the attesting side of the house. But even then, I think you really wanna see, I mean, Robert made a good point. Lots of small clients are asking for a SOC two, they're not requiring it, but that's a signal of like, hello, we're aware of this now. And we're asking, maybe we're only asking because our vendors are asking us if our suppliers have it.
So I think you see the motions there that it's becoming important, but that becomes easier. And then I think the next horse is an assessment, right? I would definitely reach out to a CPA firm and say, do you do SOC two, like readiness assessment so we can at least figure out where the heck we are. So we have a guide point of like where we're strong, where we're weak, what we need to work on, and then you begin to go down that SOC two journey.
But I would really only focus on that once you know that you're ready for it, you can commit to it, you have executive buy-in for it, you have control maturity, you have policy maturity and that you're truly committed and there's a reason and a motivation to go through that process, right? That's just how I would, I would look at it. So lemme ask you one last question here as we close out. Rob. Thanks, thanks so much for, for, for coming on with us, Wes.
Um, you know Dustin Bolan or who I know you know, you, you know, you're involved a lot that Trump slammer guy. Yeah, Yeah. He is kind of a Trump slammer. No, he's awesome. But, um, hey, watch it. That's My guy. CIS coming up a lot, right? And you look at cyber insurance questionnaires and no one will come out and say, oh yeah, we, we look at the CIS controls. But I mean, when you look at what they're asking these days, it pretty much goes in tandem with IG one.
I think I've talked about this a little bit, but I mean, how closely do you feel that, that here's the insurance companies are, are, are digging in there? Let me answer that as quickly as I can so I can shift part of this to Rob, because I don't think insurance is going to be looking at, um, a SOC two as a stamp of approval because insurance control carriers are, they have this struggle of like, they actually would have to read and all the things we talked about, is this scope, right?
Qualified opinions, how significant are the deficiencies? They're gonna have to like look through it from that perspective themselves. Oh, am I answering your question incorrectly? Yeah. I'm CIS controls. Oh, I said when you look at a security at the, at the cyber insurance questionnaires, yeah. They align to IG one heavily. Got it. Okay. Yeah. And that's what I'm wondering, do you think they're looking at them? So the question becomes, I mean, yes.
I mean I think they, they, they know about it. They care about it. Even a lot of the questions they ask are like, you look at a Beasley application, Beasley is one of the best that's out there, probably the best in my opinion. There's a lot of maturity in what's being asked in their questionnaire. But the question that we still have is, how do I know these things are true? Versus Yep, I'm doing this. No, I'm not doing that.
And also, we don't know what Beasley actually rates upon and doesn't rate upon. So sometimes they just ask questions to data gather. And so the next, the future is like, how do we actually know these controls are operating effectively, which is kind of what a SOC two is designed to do. So how do we know CIS is actually, how do we know this organization is correctly implemented, CIS and they're adhering to those baselines, where do they fall out of it? That sort of thing.
And if I can ask in like maybe 30 45 Yeah. Closing question. Yeah, yeah. Closing question. Rob, One last quick question for Rob. I've been itching ask what's the future of the SOC process? Like, where do you see this thing going? Are, are there things that are, like, where's the maturity going towards in in the SOC world? You Know, uh, that, that's an interesting question. And so they redo these frameworks, you know, every number of years. Um, and so I, it's been a while.
I don't know about any where the SOC two might be heading in the future, but most of our clients are adding additional frameworks onto it. So they've got the SOC two now, they wanna be on the CSA stars, you know, registry or their customers are asking about something else. And so naturally all these frameworks, um, become a little bit harder and more mature over time. That's just, you know, the natural evolution.
Uh, but soc soc two itself just, it, it's really been king, you know, the last few years and we've seen a tremendous growth in it beyond, you know, SOC one and some of the other, uh, audits. Awesome. Yeah. Gar closing thoughts, my friend. Um, and thank you by the way, for getting Jason, can we, uh, I I think it'd be awesome if we could have Madeira next week. I, I think there's a lot of people that I'm Gonna try to do the I'll, I'll see what I can do. Yeah, If you can.
I think there's a lot of people that felt their questions weren't answered, if I could be candid. Yeah. Um, yeah, I got I got that sense. You know, you guys don't wanna be in that position. Um, by the way, Rob, I put your email, I put your LinkedIn profile, um, and I know you talked to a lot of MSPs about this, so, um, sorry, Gary, your closing thoughts? No, uh, Rob, uh, thanks a lot and really appreciate it.
And again, I hope that people are getting this sense, like we're telling a story each week, right? About where this industry is headed and what we need to do differently that, you know, it might be so CI whatever frameworks, but conceptually being better business people delivering service in a more process oriented way, um, there's no other way to move forward no matter who you wanna service a few years from now. Yeah. Yeah. Very cool.
Um, Eric, uh, woodard's out there too, Eric, um, any status that you might wanna put on the peer group side of CIS, um, that you can give an update to? You're welcome to put your email in if that's still going on. Um, but lemme tell you, Eric and team have over a thousand hours invested in CIS this year alone. Um, he's done the sans uh, class on CIS They take a very serious, and he's trying to, um, get a peer group start a peer group around CIS.
So Eric, anything you wanna put in there, you're welcome to. Um, um, but anyway, Rob, um, thank you for your patience. I know today was not our typical, um, uh, legal land. Okay, fair enough. Uh, not our typical cyber call. So, so thank you for coming on and, and, you know, giving your expertise here. Wes, always great to have you, um, and, and your perspective Gary as well.
And I'll keep in touch with you, Gary, and everybody, about what we might be able to do, um, next week, um, around, uh, sure. It o until then, uh, if this was your first time, welcome to the cyber call. We look forward to seeing you back very soon. We'll be here next week, every week, Monday at 1:00 PM unless there's a holiday. Take care everyone. Thank you. Thanks. Thanks.
Related Videos

The Vulnerability Crisis No One is Funding
The Vulnerability Crisis No One is Funding

The Vulnpocalypse Is Here & Your MSP Can Survive It
The Vulnpocalypse Is Here & Your MSP Can Survive It

The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois
The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois