MSP F12 Earns ISO 27001, Driving Security and Business Success
The recent Ingram Micro incident is a wake-up call for Managed Service Providers (MSPs) to strengthen their cybersecurity posture and vendor risk management practices. With supply chain attacks and VPN vulnerabilities on the rise, MSPs must assume compromise is inevitable and focus on resilience, clear communication strategies, and proactive defenses. Frameworks like ISO 27001 offer a proven roadmap for building credibility, improving security controls, and meeting growing client demands. By conducting gap assessments, implementing Zero Trust Network Access (ZTNA), and adopting a culture of continuous improvement, MSPs can stay ahead of evolving threats, reduce risk, and position themselves as trusted security leaders.
Video Transcript
All right, welcome, welcome, and welcome back from the Fourth. I hope you all had a healthy and safe one. Certainly our hearts go out to the folks in Texas for the awful tragedy that went on there. Okay, so getting into today, I'm going to make a quick note. We're going to do things a touch differently.
I don't know if you saw the post, Phyllis, but I'm being a little facetious: we have this revolutionary idea that we would turn the Cyber Call audio into a podcast. Yay. Great idea. We already have hundreds of listeners since we posted the first one, so I'm going to do it a little differently. First, I'll just do some quick intros so everybody knows who's here.
Then we'll go into a little bit of today's banter, which has to do with the Ingram Micro cyber attack. And then we'll get into today's special guest. I won't give that away just yet, although we'll intro him shortly. So let's talk about who's here. I'm Andrew Morgan, host of the Cyber Call, joined as always by my co-host Phyllis Lee, VP of content from CIS, and a special guest co-host.
This week I have Chris Slayer, EVP of SLAs, filling in, and perfect timing for us to talk about incidents. So Chris is here with us. One of my all-time favorites is Chip Buck, co-founder and CTO of SaaS Alerts. Chip, thanks for joining. And then also, your friend and an amazing MSP CTO and managing partner of F12, Calvin Engen. Calvin, welcome. All right. Yeah, man. So let's talk a little bit about, first of all, the Ingram Micro incident.
This has got to be on everyone's mind. It's obviously unfortunate in that, again, this is in our industry. It highlights two things from this year's Verizon DBIR: supply chain attacks doubling year over year, from 15% to 30% of all incidents being supply chain related. Phil Langlois was on from Verizon, and we did talk about that.
And the second thing is, again, what pushed vulnerabilities above phishing for the first time was the large number of VPN attacks. Now, I will be clear, that is speculation from the BleepingComputer article, where they supposedly have interviewed or spoken to some employees who said this was via a VPN compromise. I'll put the links in the chat, one link to BleepingComputer, the other link to Ingram Micro's statement.
We certainly will try to get Ingram Micro on for the following week. CFO, join us. But let's just start off with this. We were talking offline. I know you're big fans of the branding here of the SafePay ransomware group. I'm not sure if fan is the right word, but the irony just put a chuckle in my throat. Yeah, yeah, yeah. So you and I discuss cyber incidents week in and week out.
One thing you've shared with me is that it's one of those things where you have to assume we'll all be compromised. You have to take that assumption. But as you've shared with me many times, it's not only how resilient you are, how quickly you can get up and running, but also what your comms strategy is like. So Ingram's comms strategy was fairly concise. It hasn't been updated since the fifth.
Put yourself in their shoes, Chip. You're a publicly traded company. Right thing or wrong thing? What's your take on this so far? I wouldn't say it's right. It's certainly right in the sense that they got out in front of it and did the minimum that they've got to do for SEC compliance. They were transparent that they've had a breach, they're dealing with the ransomware situation, and they haven't stepped beyond that at all.
I think it's a little de minimis given that the customers they serve are very tech-industry focused. I would like to see someone senior come along and update this, maybe not necessarily providing any details. You don't want to do that. But even if it's just: Hey, it's now Monday morning, our last statement was Saturday, and here's where we're at. We absolutely know how this occurred and when this occurred. We're not going to provide details on that.
We're still working through our negotiations, our conversation with the ransomware group, and we want to resolve this. So we don't want to share a lot of information, but know that our team is working full time on this, and we're going to come out of this whole and support our community the way we always have. I would do something like that. I would add more to it.
There's an interesting trade-off between not sending too much and leaving too much room for silence. Then speculation grows, and that makes it worse. So it's like any other PR exercise that you go through, whether it's politics or technology: you've got to communicate to people regularly enough so they feel confident. Otherwise they just wonder. People start making stuff up. You make things up when there's a void, a vacuum.
People fill it with their own ideas. Yeah, absolutely. Or they think you're hiding something. That's the other point. So, Eric put a point in there about losing millions a day. Yeah, I did have a go. I searched the SEC and their filings; they don't break out e-commerce, their digital versus their Xvantage versus their normal revenue.
But I did some quick calculations, and it is millions, several. The rough math I did, and I certainly wouldn't want to be quoted on it, but it's not trivial. So Chris, over to you. What I always want us as a community to get out of this is what we can learn, right? Mm-hmm.
Because let's talk comms strategy. What are your thoughts and advice for MSPs if, or when, they're in a situation like this? A comms strategy isn't something that you want to create post-incident and try to figure out what and how and who's going to say it. Correct.
And because I've been in enough tabletops with you where you're figuring out the who, which is a really important part, and a lot of times it's not who you would think should be communicating. Correct. There are a lot of emotions at stake and things of that nature. Yeah. I think there are some lessons to be learned, but this is a massive company. So things are a lot different.
They have internal PR, they probably have firms, they have existing relationships with a lot of organizations already. So it's a little bit different than, let's just say, you're an MSP and you're having to go through this. Typically in a situation when you're not a large company like this, you're going to lean heavily upon breach attorneys. And all the breach firms that are out there that are on a panel have very good command of comms.
They have scripts and they have templates. So a lot of companies come to us and they go, Hey, should we go ahead and try to write up scripts and letters and email comm templates and everything like that?
I'm like, no, because you can't account for every scenario, but you do need to have a process so that you understand who's going to do what and who's going to approve the comms when the breach firm or whomever is involved tells you what you need to say or how you need to say it.
So it's going to be different in these really large cases. I've been involved in nothing this size, but I've been involved in some that have tens of thousands of employees; it's just not as global in scale. And the number of parties and entities you get involved just around comms gets pretty darn complicated.
And so what I don't want people from a small to medium-sized base to do is overcomplicate things, because it'll make the situation worse. So just realize what you can accomplish and who you're probably going to have to communicate with. Typically, it's going to be your employees and your internal people first. It's going to be your key customers. In this case, they have a board. So you're going to have those types of things that you have to account for, and then go from there.
But yes, the lesson learned is to let the experts handle this type of stuff, and don't try to solve this problem when you're not a PR person. I think one takeaway I heard in there, Chris, though, is, hey, the breach counsel will have scripts, et cetera. Mm-hmm. A lot of us don't have breach counsel on retainer. We don't have breach counsel relationships. Is that a takeaway? Maybe we should be talking to them. What is it like to work with breach counsel?
Should we have somebody on speed dial? Should we have a relationship? Yes. So the short answer is yes. If you have cyber insurance, which I would expect everybody watching or listening to this does, they're going to have their breach firms on panel. And so you want to be familiar with those.
Now, if you have a breach firm that's not on panel, upon signing up for your policy or renewing your policy, sometimes you can get them written in. But anyway, let's just assume you do go with one of those that are on the panel.
I always suggest and recommend that you have a conversation, and typically those breach firms will do that for you complimentary, and have that conversation with you just so you can get a good feel of how they're going to handle it. And they're going to give you some guidance and some tips on what you need to do. Got it. So, Ann mentioned holiday weekend. Calvin, I think this is almost four years to the day of the Kaseya incident.
I think that was the 2021 July, 4th of July timeframe. Don't hold me to the exact date, but it was somewhere in that timeframe. So the timing is interesting that, again, we're dealing with people on holidays, not surprising. And this SafePay group, Chris and I were talking, Calvin, 220-plus attacks in the last 12 months, I think. This is a very active group. But as an MSP, if Ingram was your disti, are you, quote unquote, okay?
Meaning they acknowledge the attack, they've shared they're doing things to restore their systems. Are you okay with the limited amount of info you've gotten so far? Maybe play both sides right here, because, as Chip said, you have to be cognizant, especially these days, that you're getting CISOs literally going to jail for potentially saying the wrong thing.
So it's certainly gotten people's dander up. But take it from the MSP side first. Yeah. Keep it simple. No, not okay. A lot of MSPs, hundreds and hundreds of them, rely on a disti like Ingram Micro to provide products and services to their customers. And without comms, you're left holding the bag.
And so I can only imagine the amount of pain that this creates across the industry as people are scrambling for orders that are in flight, orders that have yet to get processed. And I think it's really important that you have an agnostic strategy as an organization so that you can pivot when an event like this happens, if you put all your chips into one organization and they fail you.
It's not a matter of if, it's when, and here we are living in the when. So I would say, yeah, comms are poor here. For me, as an organization, you want at least a regular update on a daily basis to understand where we're at, how long is this going to last, and how does that inform me now to make decisions on behalf of my customers. That order that I don't know where it sits, I'm going to go and get it from another disti.
I'm going to go process this and start really thinking about what that's going to take, because we don't know how long this is going to take to recover the systems to something that will be able to continue business as usual. So I'm certainly of the camp that more communication is better, even if it is just: we're still working on it. That's an important aspect. Got it.
So, we really appreciate all of your insight into this thus far. And Calvin, as we get into here, you and I planned this session. I was really so proud of you for all you continue to do, and you just achieved ISO 27001 certification. No small undertaking. One of the reasons, by the way, I have Chip here is because he is somebody that can firsthand talk about what it's like to go through this process.
But how about a quick intro about who you are, what you do up there. And I'm pointing at the Canadian region. So talk to us a little bit about that. Yeah, for sure. Well, thanks, Andrew, for having me on the Cyber Call.
I've always watched; long-time listener, first time in the seat here. And you have an incredible group that you've put together to help elevate and raise the bar of information available to the community. So thank you to everyone on the panel here and yourself for continuing to keep the bar high. We're all better together.
As for me, I'm Calvin Engen, Chief Technology Officer and managing partner for F12. I've been with the business just over 19 years now, so I pretty much grew up through the organization. I've done almost every technical role. But in this last little bit, I've really focused on elevating the standard. And the only one that's going to push yourself is yourself.
And so I really believed in: how do we really increase our ability to deliver excellent operations, technology, cybersecurity, and ultimately a better client experience? And thankfully I don't have to do that alone. I have an incredible team behind us here at F12 that helps do that. And so, as it relates to ISO, it was just another step in the journey for us.
And what I would say by that is there wasn't a customer that was demanding it, and it wasn't because a checkbox was looking lonely. We really wanted to operationalize that trust in F12 and really harden that within our own business. And so, thankfully, along that journey, customers were like, oh, we want ISO, we want you to have that, we're not going to come on unless you have it.
And so it was really good timing in terms of that, that we could add that into our portfolio. Got it, so people did acknowledge what you were doing. They did, afterwards. Yeah. We started SOC 2 Type 2, the attestation, a decade ago. So we're not unfamiliar with a lot of the frameworks and ways that we can really increase our service delivery.
But SOC 2 is not a certification; it's just an attestation of your controls. And so you're only as good as the controls you put in. And so I've always really driven into our team here that just because we put our control in there last year and we had it audited doesn't mean it should still stay that way. And so I'm always about that continuous improvement.
And ISO 27001 is really about that continuous improvement, now formalized in the operation. So you're continually adding that value. Otherwise you could have a static control list for SOC 2 for a decade, and it'd be the same thing that you started with, and what's the value in doing that? How do you actually improve your operation if you're not taking that level of scrutiny? Yeah. Very cool. Chip, one question to you before we hand it to Phyllis.
Now, people may not understand, like, oh, well, SaaS Alerts is big, they're part of Kaseya. You got your ISO, and you did it with a very small team before you were part of Kaseya. So I want to make sure we highlight that in the question, where people are like, oh, ISO, I could never do ISO 27001.
And so that being number one, but, as someone that's personally gone through this certification process, can you share some insight on the amount of work, the effort, the dedication that you and Calvin's team went through for this? Yeah. Quite a bit. It's interesting to hear Calvin take us through the journey of how F12 has done this, starting with a SOC 2 ten years ago or more.
I think that's a really common place that people start, because you're just getting into the process of building process. But he's absolutely right that a SOC 2... when we first did ours, not even SaaS Alerts, but prior to that, the first one I went through, we just picked a standard off the shelf, right? We picked COBIT. We said, okay, this looks good. We're going to try to model ourselves around COBIT, and we'll use that as our SOC 2 baseline.
As Calvin points out, companies don't have to do that. They can just basically write up their own processes. And the auditor's job is to come in and say, yeah, you're doing what you say you're going to do. Even if that process is: we keep all of our passwords on an Excel spreadsheet that we print out and put in a safe, that's actually an acceptable SOC 2 process.
So you've heard me advocate in the past, Andrew, that as businesses mature, businesses in particular that are IT service providers, they need to move toward something that is an independent, objective standard. And that's what ISO is. You've heard me advocate this many, many times, Andrew. I think it's something that all MSPs should be pursuing, even if it's a two-man shop that's just starting out, almost especially if it's a two-man shop just starting out.
If you expect to grow, it's actually easier to implement all of these policies and build yourselves into a standards-driven company when you're small. I think very few businesses do that. So they wind up staring down the barrel of what they think of as this gigantic structure of the ISO standard itself and wondering, oh my God, how are we going to do this with all the other things that we have to do? It's a lot of work, no matter how you cut it.
I'm going to take a stab at this and say, even with the other certifications that I know F12 has, obviously SOC 2, GDPR, the Canadian standard, they still put in hundreds of hours of work to bring in the ISO framework and reorganize some of the ways that they write about and practice their policies. And when I say write about, I mean document them.
And it's still a team effort that requires interdisciplinary cooperation from lots of different departments to get it done, because ISO is touching everything. It's everything from how you hire to how you offboard and everything in between. And again, it's not, oh, well, we just get to do it the way we want and document it. It's, no, you have to do it this way. And that, to me, is a much more structured standard. You've heard me use this phrase before.
I still think it's the gold standard of information systems management frameworks. Andrew, in private conversations you've heard me say, everything else is alphabet soup. It just comes along and somebody else cooks it up and says, oh, we're going to create a special standard just for this industry. If you have an ISO, in my mind you've got my confidence as someone I'm going to do business with, that you're protecting my information.
That you've got solid controls in place for everything from personnel to your actual tech stack and how you manage it all. Business continuity planning, everything that we all talk about, that we're preaching all the time to MSPs: you build that ISO framework out, you follow it, you work with that audit, you put yourself in a whole new class as an MSP. Yeah, Andrew, I'll add into this.
Because I went through this at a bank that I worked at prior, and it is a lot of work, no doubt. It takes a lot of focus, and everybody's got to be on board. It's something that you can't half-ass at all. But to Chip's point, what we encountered at the bank was different auditors and regulators coming in throughout the year. And one, whether it was an auditor or regulator, would say, Hey, you need to do it this way.
And then the next guy would come in and say, no, I don't like it this way. You've got to do it this way. And so my boss at the time, to give him credit, Lenny Smith, he's like, Hey, I'm tired of doing this. We're going to go ISO 27001. It's the right way to do it, and they can't tell us we're doing it the wrong way. It basically takes their opinion and their subjectivity out of it. And it worked. I mean, it worked, and it definitely helped us prepare.
We were going to be acquired in the future, and it helped us with that immensely. We were a public, Nasdaq bank at the time, and we were being acquired by another publicly traded bank. So there's a tremendous amount of value. But you get out of it what you put into it. It's truly one of those things: you put forth the effort, it does have the value, but you'd better be ready to commit. Yeah. So true. Go ahead.
Go, Calvin. I was just going to say, Chris, that gives me PTSD. Our auditors changing on our SOC 2 was like, Hey, we had this control, but now it's all of a sudden a different interpretation of that control. So after a decade it actually became part of our normalcy. We said, actually, let's have a different perspective every year. Because at first it was like, oh, this is really annoying.
But it actually helped improve us, because we said, okay, well, that's a good perspective. How do we actually address that perspective of the interpretation of that control? But that's the challenge with a SOC 2: it's only as good as the auditor's interpretation of the control, whether you met those needs. And so I echo that, but certainly I feel the challenge of the auditor's perspective on a control for sure. Very cool.
So, Phyllis, I know you're a big fan of Lenny, and you probably go way back with Chris. But as Brian Blakely likes to say, compliance is rolling downhill. So for MSPs out there that are like, why should we do this? Things are fine, this, that, and the other. As I always like to say, look at your contracts.
Look at who supplies your largest amount of revenue, and does the possibility exist that they or their customer might say, Hey, these are the security requirements and standards we need for you to continue to do business with us? So with that, Phyllis, let me let you take over from here and ask Calvin some questions. Yeah, sure. Thanks. It's been a good discussion so far.
So Calvin, as we all know, it takes a lot of resources and money to become ISO certified, and it takes the whole team. So how is it that F12 decided as an organization? How did you get buy-in that this is the way we're going to go, everyone, it's all hands on deck, this is how much it'll cost, and we're willing to make the investment? Yeah. That was challenging. Usually I can get almost a blank check on certifications.
As I go after a number of different ones, they were a lot smaller, and so the checks were a lot smaller. When we started looking at ISO and what it was going to take to do, that was a much greater amount; six figures is what we were talking about. And so the business wasn't ready for it.
When I proposed it in our strat planning session two years ago, it was like, we're just not quite ready for that just yet. And so I had to advocate for what it was going to take, set our teams up so that we're able to take on that work without impacting other projects that we had in the pipeline. And so we were able to gain budget for the fiscal year of '25.
And I was able to fast-track it, because we did a little bit of that work up front so we could be much quicker in terms of our turnaround time. So it was kind of like, okay, we are not going to buy the audit yet, but we are going to start doing some of the work towards that outcome. But it did take a lot of advocacy, a lot of the why, and also the business being in the right spot.
So as we start to look at more international business, we were prepared to be able to say, Hey, we're going to come in, but we're also going to be at a level that's going to give a trust aspect to the operation. It's not just Calvin saying we're going to do this and we're going to get this great certificate at the end. It was the organization rallying behind that outcome.
So you said you did some prep work to get ready. So what was the first step to trying to get ISO certified? Yeah. Well, what I'm going to say is that ISO 27001 is not a walk in the park, unless that park was full of policy documents, asset registers and internal audits. But no, it really took us... we started with a gap assessment.
This was really to understand what overlaps we're seeing with our SOC 2 practice, how that corresponds to how those controls are interpreted, and where the gaps are. And we had a lot, actually, compared to it, but there weren't as many overlaps as I thought. And so this really became the ability to start saying, okay, let's look at all the things that we're doing, and we're doing a lot.
The challenge with ISO, though, is that you need to document it and you have to enforce it. And so that became a component where we really needed to drive into operationalizing what we were doing in a formal way, whether that's policies, controls, and training. But I would say the gap assessment was the fundamental starting point for us. So did you download the ISO spec first and then read it over?
When you say you did a gap assessment, was it against the ISO, and you guys interpreted it and did that on your own? Yeah, we did that first, and then we're like, well, that's not really what's going to give us the way. And so, several years ago, we looked at a GRC platform. Tugboat Logic is the one that we landed on, now OneTrust.
So that really gave us the ability to start to manage the policies appropriately and then create the appropriate integrations.
And so a platform like that is really good, because then it can help as you're looking at your certification journey, or whatever journey you're on. If you have one, you don't have to redo a lot of the work, because now you can start to have those overlaps and you can really create a comprehensive way of managing the controls, the policies, and all the work associated with grabbing the evidence required for the auditors.
And so it actually shortens the amount of time dramatically once you have that rolling through a GRC platform. Can I ask something real quick here, Phyllis? Yeah. So Clint puts in there... I'll leave the CREST accreditation on the Controls for in a minute, but Calvin, if you were, let's just say, dealing with a lot of CMMC customers, would you have attacked that first over ISO if you had to have Level 2 type certification?
And do you see in your GRC platform, is there overlap here that you could apply if you're like, Hey, well, we do need Level 2 and this is going to get us a lot of the way? Is there any leverage of what you did? Yeah, well, for us, you want to meet where the customer's demand is at, right?
So if you're required to be at CMMC Level 2, and otherwise you're going to lose your customers in a certain amount of time, then that's where you focus. From our perspective, we didn't have that requirement on us. And so we really looked at where do we want to be in the market? What is it going to take to be in that segment of the market? And ISO was that for us.
Now, that being said, our very next certification is CMMC Level 2, or, I think it's called the Canadian Program for Cyber Security Certification, for the Canadian variant. And so really what we're focused on is where do we need to be next, so we're ahead of the curve. But I know a lot of us are starting behind the curve in many cases.
And so I wouldn't say that ISO is one that you should do if your customers are demanding that you get CMMC Level 2. There's overlap, but not enough to be significant where I'd say go do that instead of this. Okay. Very good. And then Phyllis, just real quick on CIS accreditation from CREST: it's almost like an apple and an orange when we're talking about an ISO versus a CIS accreditation.
Yeah, I mean, yeah, I mean, an ISO credit accreditation is, you know, mandatory to do business in some, with some organizations and, and it is very comprehensive, right? So CIS critical security controls are not gonna be as comprehensive. It's not about business continuity, right? The CIS critical controls are really about, hey, these are the, these are the controls and policies you should be implementing to defend against top threats, right? And it's very cyber focused.
And so certification for CIS controls really is about, Hey, I can implement these controls and I can consult on these controls and show proficiency in these controls to defend against top threats, which has its role. Um, and certainly there's overlap between controls and ISO controls and CMMC, um, but those, um, you know, those other certifications are, if you wanna do business with certain sectors or certain parts, um, of, um, the industry, then you should definitely get those certifications.
I will say here in the US quickly, um, there are those safe harbor laws that we've talked about, and those point to CIS Controls, um, ISO and NIST. Yeah. Yeah, I was just gonna say, Phyllis, if you, if you, you know, were kind of stratifying, Clint, like you had a customer, they weren't regulated, they lived, they were in Connecticut, they really want a good cyber program.
They want indemnification, as Phyllis said, they want safe, CIS is probably your way to go, you know, is a very, you know, strong roadmap. So thanks for going through that. Yeah, yeah, sure. No problem. Um, my last question before I hand it over to Chip is, what surprised you most about, um, trying to get ISO certification? Like good or bad? Um, you know, I humbly say that I thought it was gonna be more difficult. Like, and what I mean by that is I, it was, um, a scary thought as an endeavor.
I knew we could do it, don't get me wrong. But when, when I thought about, um, you know, ISO, it had this, um, prestige, um, and this, uh, you know, this difficulty that I thought was associated with it. Um, but the fact that we had such a mature practice already, um, gave me a lot more solace when we started going through the process and our team members were going through it. And don't get me wrong, there were things that we needed to change.
Um, there were things that we needed to, to do, but it was really getting to that common language set that the auditors were using and, and the validation and to suddenly realize, oh, we're actually doing a lot of these things. Um, we just have to really create those, those procedures, those meetings, those outcomes mm-hmm. And document it. And so, um, it, it was, uh, it was surprising to me going through that, that we were able to, um, to move much quicker through the process.
'cause when we really kind of put rubber to the road, we turned it around in about four months. Um, that's good. When we really started driving towards the outcome. Um, but I would say that's not gonna be the journey for everybody. Right? Um, I would say the fact that we had a lot of the things already in place, um, was just a result of the decade history of, of doing, um, these in a continuous improvement model. Um, but I would say on average it would be an 18 month endeavor.
If you're starting from the ground floor, um, where you have a lot of technical debt, you gotta, you gotta implement a lot of these controls. And if you haven't, um, uh, it's gonna take some time without some dedicated resources. I know a lot of MSPs don't have a, a full GRC officer just focusing on it. You're gonna have to do it off the side of the desk and keep business running all the while doing, uh, something that's a pretty heavy lift for most.
Yeah, I mean, I, I think that's, um, it's a good lesson learned. Sometimes we're more intimidated by something and just getting started, you're like, oh, it's, it's, it's not as bad as I thought. But also, um, if you, if you don't have that as a part of your practice, having these policies in place, having the discipline and those processes in place, and it will be longer for you, um, I will hand it over to Chip. Yeah, thanks Phyllis.
As Chip goes, Phyllis, maybe just take a look at, um, Steve's question on CIS again versus the two. If you could maybe help him in there, that'd be great. Yeah. You know, I can't get to the, I can't chat, that's the problem. Oh, if you throw it in private chat, I'll respond to it. Okay, thanks. Alright, go ahead, Chip.
So, um, Calvin, Phyllis asked when, when she began kind of how you brought the management team along with this. F12's a big organization, the offices all across Canada, you know, there's a lot of boots on the ground. What was the impact, reaction, you know, cooperation level you needed from, you know, sort of the frontline folks in the organization that they have to support the effort?
They don't necessarily have to be in the grind of all the documentation, everything else, but they, you know, the troops kind of have to rally to achieve this kind of a milestone. How did you, how did you find that? Yeah, so how you kind of went and what'd you use to, to rally the troops? Yeah. So, you know, one, um, you start with, with leadership, um, that fundamentally was the, the first, um, component.
So as we go deeper into some of the, um, operational, uh, departments, uh, there's already a buy-in from their executive leader that we're doing these, these things, these outcomes, and here's the benefit that we'll, we'll see as a result. Um, so it always starts with leadership, is how I, I would describe that. Um, in terms of some of the more like the brass tacks as it were around some of the, um, the core components.
Like, um, you know, you know, I almost shamefully say, you know, restricting access back down to the technicians so that the PCs that they're using don't have admin rights was one of the more difficult challenges that we had to overcome as, uh, just the frontline staff having to, uh, go right down to basic user access. And, um, we had to really come up with a solution so we weren't impacting their job.
And of course, they made all the excuses in the world on why this was gonna impact their job, but we, we came up with a, uh, a pretty elegant solution to be able to give them the access they need when they need it, when they're in front of customers. And, um, because we wanted to ensure that we could find that balance between security and usability within, within the, the platform. Um, you know, we're over 400, um, staff.
So finding that, uh, that nuance, there's always an opinion of a piece of software that needs to be used, um, because that was one of the other components of your ISO is you have to have an approved software list. You have to have a methodology to approve that software list and to ensure that it's within, um, the, um, asset register. So just even getting that down to an approval strategy to say, okay, why are we using this? Do we need to use it? Do we have an alternative?
Do we need to get everyone on that alternative, et cetera. Um, that was, uh, that was probably more time consuming than I would've, uh, thought, but, uh, as we all know, technical staff have an opinion, um, and they'll voice it. So we had to really, um, work through what that looks like. But thankfully, I, I think we took a pragmatic approach. We said, Hey, we're not opposed to using different technologies and testing it, but give 'em an environment to do it.
And not on the, uh, corporate assets where often they were using those as test beds. So we, we really created that safe area to do that, uh, with, uh, some control oversight and governance. Makes sense, Andrew? Um, so, so for those that are like, heard Calvin go, yeah, we're, we're a 400 person MSP and go, yeah, that, that's easy for you to do ISO, quote unquote. Can you give a sense? I felt it was harder. It was harder to do. Yeah. I mean, I, Andrew, I would agree with that.
You know, when, when we went through ISO, SaaS Alerts, we started that process at about 32 employees. Well, that's what, that's where I wanted to just give the sense to the, to the audience of, oh, well, you know, I, you know, they're 400. You are 32. Yeah.
So I, that's all I just wanted to share with everybody that it's just because you're 400 employees and as Calvin said, well, maybe it was more challenging 'cause they had to deal with so much, whereas you were saying, suggesting maybe it's a lot easier the smaller you are.
So I I, I don't know if it's a lot easier, but I think it's, it's certainly easier to herd the cats, you know, in, in the, in the sense that you don't have as many, uh, you don't have as much diversity of opinion and also people who have just developed their own way of doing something, right? In a large organization, you got people, you can have people that get very, very specialized in, in doing things their own way.
And now you're coming along and telling them, you know, we understand this has worked great for you and you serve our customers well, but we can't maintain what you're doing as a process organization wide, and we wanna continue to grow as an organization and grow safely. So we've gotta actually ask you to unlearn what you've learned, to give up on your special way of doing something and, and, and to run with the rest of the pack. That's way harder to do at 400 people than it is at 30 something.
Got it. So would you say that it would be cheaper too for a smaller organization to be ISO certified? Or should everyone prepare themselves for like, at least a six figure price tag? No, we did it for far less than six figures. Okay. And again, you know, we, at the very outset, and I, I saw Chris nodding along when he made this comment earlier, if you're a, a brand new startup MSP, go spend the money to, to get the ISO standard and put it on your desk.
And this, you know, a lot of, a lot of tech people are gearheads or, you know, they've got other hobbies. This is like taking apart a car. Like you've got that hobby and you just go in piece by piece. If you're disciplined about it and you're doing a little bit of it every day, you, you, you discover a couple of things. Number one, you actually wake up a month later, two months later, you go, oh my gosh, I'm a lot farther, closer to my goal here mm-hmm. Than I thought I would've been.
And you also start to see how these, how the, the framework comes together, um, how the different control groups and controls interweave and support each other. Mm-hmm. Like, you know, we, we could run down a rabbit hole with that, but it becomes easier and easier to advance the more you do it. It's one of those things like, you know, there's so many cliches, right? Climbing the tallest mountain is one foot after the other, all that stuff. But it really is true.
And I think a smaller organization, um, a, has a, a much bigger benefit by getting there. Because Chris's organization, I mean, Calvin's organization's already pretty mature with a lot of certifications, which made this rational for them to move forward. You starting from absolute scratch, um, you could start working on ISO, you do CMMC at the same time. There's a lot of overlap. Yep. And support between those, those different standards that you are working toward.
But, but let me jump into a couple other things, um, with Cal, and let's go back to the controls for a second. So for you guys at your size, you know, was there a specific control group, um, or specific control or policy that, that you felt, you know, either took the most effort to push or provided the best payback? Um, and I know what this was for us, so I'll be happy to answer for us.
But I'd love to, to see if you've got anything in particular about, um, the ISO standard that jumped out at you that really helped. Um, yeah, there, there's probably, I would say there were two. Um, there was, uh, the data classification component, um, is an area of our SOC 2 control that was never, um, really matured to enforce. And so, well, we had like a policy, um, ISO was all about the enforcement of said policy.
And, um, and so like data labeling enforcement, um, how that goes out of the organization, it was an area that I, I was like, oh, we have this. Um, but the implementation wasn't, wasn't satisfactory, um, based off of, uh, what the control was.
And so, and this is relatively simple, but, um, I think the challenge is, if you can't enforce policy and you can't measure the enforcement of that policy, now you really have a gap in terms of the, um, the ability to say, Hey, did this leave the organization? Um, did it leave with the right, uh, um, conditions set on it based on the controls you've set? And so that was, that was an area that I was like, oh, that was surprising.
Um, but absolutely see the value in, in driving that through the organization. The second one would've been around, um, our meeting, meeting cadence around, uh, our risk register and how we, um, how we implement that through the organization. So, um, before we do our risk assessments, and, um, that would be within the, um, the security team, the IT team, um, our cloud services team. And so it was really kind of insulated from the rest of the operations.
And so, uh, for the first time, this is where we actually brought in, um, uh, our operations, um, COO, we brought in our, our DevOps, um, director, and, uh, and now we had it. And so this really started to bring in those core, um, leadership capabilities to talk through some of these gaps that we had.
So if we needed to enforce additional policies on the front lines, like our data transportation policy on how we're encrypting that data in transit, how we're making sure that, you know, point A to point B, you're not stopping at the local, um, bar, uh, with that data enforcing that, that we we're not leaving that data, um, potentially in the hands where that could get misplaced or, uh, all of a sudden grow legs.
But I think what I really would, would zero in on is making sure that there was operational governance now at every layer of the business. And so that became so imperative so that we can ensure that they have visibility and we can enforce on whatever the, uh, the risk is that we have in the organization and getting to that cadence. So that's been very valuable. Yep. Makes sense.
So from, um, from an operational perspective, has this given you more confidence as a CTO in, in things like incident management, business continuity planning? Do you sleep better at night as, as you know, not nec, you're not the compliance officer necessarily. I assume a company of your size, you have a full-time compliance officer that's part of this program, but are you sleeping better at night as, as the CTO as a result of this? I have four, uh, young children.
Um, so, uh, I don't sleep, uh, well for the best of times, but, um, but for some of these areas of risk, um, certainly it, it helps. Um, I would say I think my, my own, uh, paranoia and, uh, knowing what's happening out there, it, it helps me feel like we're, we're rising the, the tide raising the bar in terms of our ability. Um, but I, I don't feel like we're, we've arrived. And I don't, I think that's the challenge in cybersecurity.
There isn't a, um, you know, there's no end point a destination you can end that it is continuous. And, um, so just ensuring that you have all those, those gaps, um, I feel like we have a great team. We we're looking at the right things and we have the capability to respond and, and we test those recovery plans, um, at a degree that, uh, we know we can, um, have resilience. But, uh, I, you know, pragmatically I'd say, I, I don't, I always feel anxious.
I always feel like, is there something else that we're missing that we haven't thought of? Is there, there's something else we ought to be doing, um, to stay ahead of the curve because just as, as we get to a spot where we feel safe and secure, um, the game changes, the tactics, the techniques change, and, um, and we're, we're left, you know, scrambling and, you know, the, whatever the event is, it's like, you know, next vulnerability, something we didn't see now becomes another risk point.
And, um, it's just shortening those times where we can say, Hey, event happens and we're able to respond and tighten that as close as possible so that we're not, uh, leaving ourselves open to exposure and, and victimization. So, um, short answer. No, I'm sorry. So last question. Um, when, when we went through ISO, we made that decision almost within months of us starting up, that we were gonna build ourselves this way.
And one of the impacts that it had for SaaS Alerts, since we were a startup small company, was immediate credibility, uh, in the marketplace with customers. It made it much easier for us to have customer conversations about them feeling good about us. Does that apply to MSPs in general, do you think, versus, you know, we were, we're a software company?
And do you feel that kind of impact and sort of a shift into go to market motion and how your account managers and NCA team, how they can approach customers? Like, do they go out there wearing that badge? Like, Hey, we're ISO certified? Well, so early days, like we're, we're only a month in, so we're, we're, we're new on the, on the street as it relates to ISO. But I can say that the team, uh, was very well aware that we were undergoing our ISO certification and they knew what our timeline was.
And so, uh, they were already teasing it saying, Hey, we're upcoming, uh, ISO 27001. So they were, uh, they were already trying to get ahead of that marketing side. Um, I, I would say because we, we weren't doing it for customers at the start, we knew it was for the potential of the new customers. Um, but we did along the journey have a customer that came to us and said, Hey, we're ISO 27001, we need all of our suppliers to be 27001.
Um, and so we had it written in our contract, we had to get it for the state. And um, when we obtained it, it was, uh, it was like you, you arrived to a, you know, a, you know, event and it was like everyone else in that same room has been there and knows what it took to get there. And so when we had that conversation that we, we had the ISO, they're like, wow, like you've arrived. We know how much work that takes. We understand, um, what you went through 'cause we go through it ourselves.
Um, and there's a common language and an acceptance of that trust. And so, uh, when, you know, seeing that firsthand was, uh, a little unique. It was never with a SOC 2, was it the same way? Um, but with an ISO, it was like, no, this is, this is a, a different level that you've, uh, you come in at. So I do believe though, um, that, uh, you know, having the ISO, having that will, um, reduce the amount of vendor questionnaires, I don't think it will, uh, eliminate.
'cause there's always another question to be asked. Um, but I do think it will drive, uh, deeper relationships with our customers, um, that, uh, that need it. And so they can rest knowing that we have something that can, uh, live up to, uh, some of these requirements. Yeah. Couldn't agree more. And, and I'd emphasized that, I think that applies to this, to the smaller MSPs as well.
You don't have to be a 400 person, uh, MSP for this to, to help your overall go-to-market efforts and give you more credibility. Um, and, and honestly, even if you have to invest six digits and 18 months worth of time to get there, um, (a) it's not gonna be a, you know, a hundred thousand dollars upfront, but (b) the journey is gonna pay off itself and the certification is gonna get cred, that credibility that it opens up markets. But congrats Calvin. I know it's a ton of work. Yeah.
Welcome to the club. Thank you, Chip. Chris, I know you're gonna ask Calvin some questions, but I'd like to start off asking maybe both of you the same question, like you've confirmed it's a VPN, you know, we see this almost regularly now, right? We know it was one of the top things in the Verizon Data Breach report.
When is, when do we hit the point of VPNs being like, this is tech debt that we need to get into a single packet authorization, ZTNA solution, and, you know, start putting a line in the sand because I mean, it's no, no shock where threat actors are going, right? Um, maybe Cal starting with you Calvin, on this one. Yeah. I, I think, you know, how many, how many events do we need, um, to move the needle? Um, and you know, the, I think the challenge is, is always familiarity.
You know, I've always done it this way, this is the way I do it. I don't wanna put MFA on my VPN what, um, no, you can't be a customer. Um, we're gonna change this today. Uh, you know, I, I think this is the, the challenge that we are faced with is having the courage to be able to say no as an MSP. It's, it's to say this is not okay. Um, we know what the risk is and, uh, we're gonna, we're gonna say, let's, let's move you to this, this solution. Um, whatever that might look like.
Um, whether it's a ZTNA, whether it's, uh, something else all entirely different. And I think, um, it's, it's drawing that line in the sand to say, Hey, we're gonna at least start here as our standards for our customer and our service delivery.
Because we know we don't want to be in a position where, uh, that this is gonna cause us, uh, organizational challenges to, um, remediate, um, when an event like this happens, 'cause you know, when an event, an incident happens with a customer, how much of a drain on the technical resources in your company it takes to get them back up. And you've been talking to them about all that technical debt for ages and they haven't made the move.
It's, it's really starting to take that and say, no, we're, we're informing you that this is happening, or we're informing you, this is happening and your choice is a get in line, or we can recommend you to a great MSP down the, down the road that might take you on. And I hate that because it's just shifting it to somebody else to, to manage.
But I, I ultimately think it's having the courage and, and most customers trust that. And they are, they such a great MSP if they will allow the customer to continue to operate that way. Good, good point. Yeah, I mean, I, I would add on here. Now I have seen some, and I don't think it could be that much of a secret that in this particular situation in Ingram, they did not have MFA on their VPN. Now, whether or not we'll hear the whole story behind this, you know, that's, that's to be determined.
Like, was there even a need for VPN? I mean, how many people even had that need? Right? I mean, I mean, when you start to look at ZTNA and anything of that nature, you start to look at the business need and you start thinking about, Hey, 'cause this happened, right? Right. When COVID hit, everybody said blah, blah, blah. And I was like, do your people really need, what do they need to work? And a lot of times they didn't need VPN to work.
They just needed email and maybe a couple of other things so you didn't have to give 'em full blown VPN. So it makes you wonder like, how many people throughout the Ingram universe had this? Why did they have it? What did they have access to? Was it overkill? Was it under, I mean, there's so many questions to be asked in this particular situation. Now I do believe, you know, Calvin said, right?
I mean, what you, you do have to draw a very firm line in the sand with your clients and say, this is just not gonna happen. You're not gonna operate this way. It's just not smart. I mean, the, the hopefully the customer goes, well, hell, Ingram didn't have, um, MFA, so why should I? Um, I don't think they're smarter. Well, I mean, the Colonial is that, did they say Colonial Pipeline didn't and that was our reason? Yeah, exactly. No, no, you're exactly right. But, you know, LED Awards here.
Yeah, here we are. We're talking about ISO. Um, great. You know, I, I've arrived at this certification, uh, Ingram Micro had ISO 27001. Yep. So the challenge is, is like ISO isn't gonna give you the thing that's gonna stop everything from happening. And in fact, your implementation of that practice in your organization, um, doesn't mean anything unless you're actively working those, um, those risk registers down.
You're making it part of the procedure, you're identifying that technical debt and you're taking action with courage. And I mean, you know, a billion multi-billion dollar company like Ingram, I could imagine they had a tremendous amount of technical debt that they had to overcome. And so systematically going through and saying, Hey, how are we prioritizing this?
And I'm sure there was a lot of information to get through, but this is why, you know, when Chip says, you know, do your ISO, uh, you know, as a 10 person company, just do it early. Because once you make it part of your, uh, your culture, you make it part of your journey, your day in, day out, um, now you have something really as a, a credible asset to the organization that elevates every conversation that you have with customers, with vendors, with your employees.
Because it's about the mindset. It's about the methodology of that framework coming to, um, fruition through action. So I think, um, you know, Ingram will have, I'm sure, lots to learn from this. And, but we can also take the, the opportunity to learn for what, uh, what we ought to be doing and, uh, and really put into practice The, the, the net. And Chris, I'll leave you with one question for Calvin is the, this all comes back to business impact analysis, right?
Really having business led conversations, because that's where we would've figured this out where you said, does everybody need it, Chris, why do they need it? Et cetera, et cetera, et cetera. Mm-hmm. No, yeah. No, you're exactly right. I mean, I was just thinking about just the change management side. Think about it. Just put yourself in the shoes of Ingram. If you're gonna roll out ZTNA, that's not gonna happen overnight.
So, you know, they might be in the process of doing that, but they might be 20% of the way through, which is thousands of people, right? So it's just, um, yeah, it is kind of a crazy thing. So, I mean, it puts things in perspective to say, Hey, you don't, you know, things, you have to climb a mountain there. So my question to Calvin is, I'm gonna go a little bit off script, is, is like, now you put, you know, this, you, you, you are already a mature organization. You said that 27001
Uh, probably made an easier process because you were that way. How do you, uh, put these good processes in place but still allow your business to continue to be agile and responsive and be able to do the things you need to do without having maybe something like this slow it down to where it hurts the business? Well, that is, that is the dance we have to, to dance every other day, um, is, you know, the security component versus usability.
And, you know, I, I would say ISO is a framework, not a straitjacket, right? It, it's really about a, a methodology to stay agile, in my opinion, if you use it as such, um, with some governance over that. And so, you know, some examples is, you know, when we add new, you know, tools into, um, into our stack, there's a vendor review process. It's to ensure that we're not letting something in that's not going to work for us or our customers and put our customers at risk or our company at risk.
And so, um, thankfully, you know, we, we can kind of, um, erase some of that shadow IT that occurs, um, because with change management, with governance, um, with, uh, segregation of duties I think is very important, um, within the organization. So the, the person buying isn't the one implementing. Um, and then there's a, a, a clear line of what those, uh, those components are and, and the why behind it. Um, it really creates a, a much, uh, more agile practice.
And I know that you're like, oh, but there's a whole bunch of rules and things you have to follow. Yes. Um, but then you can ensure quality, you can ensure the right outcomes, and that, that changes the, um, the ability for you to deliver on services. And, and what I would say even ahead of that is that once you start taking those methodologies, they can actually creep into the other, uh, operational aspects of like, like a PMO, uh, that's a project management office, right?
To ensure that you're, you're delivering on what you say you're delivering with a security aspect in mind as part of that delivery. So, um, for me, it, it's really, um, it's about the clarity and accountability that needs to exist within the organization so that way you can deliver on what you say you're doing. Um, 'cause otherwise you're just doing a bunch of things and then you're picking up the mess on the other side when ship breaks.
And now you have to, you know, get in front of customers, get in front of vendors, maybe, you know, do press releases because something failed that wasn't kind of really thought through through that, uh, that process. Um, so I, I would say it empowers then it, then it, uh, as opposed to it just being like a hard no every time, right? And, um, it's about how do, how do we think this through from a security context and really empower the organization to be successful.
Um, that's, that's how I view it. Hey, thanks Calvin. So, uh, gosh, that, that flew and, uh, it was awesome. Um, can't believe, uh, we have to wrap it up already. I would've liked to keep going. Um, yeah, exactly. Calvin, you probably have a two, two o'clock Eastern you gotta get to. So let me wrap it up for everybody. Um, first off, Calvin, thank you for being our guest, for coming on. It was fantastic.
Uh, Chip, really appreciate you coming on as a, a guest co-host and, and adding such colorful perspective on, on many areas of today's conversation. And Chris, likewise as always, uh, love having you coming on and you often at, not at the most glorifying times to talk about things, but always colorful and, and very important. So to that end, we'll see you all next Thursday. Be safe, uh, and we'll see you all soon. Take care. Thanks.