MSP Training Initiative with John Strand
In this video, industry experts discuss the evolving landscape of cybersecurity for Managed Service Providers (MSPs). They explore the challenges MSPs face in increasing their cybersecurity maturity and the significant opportunities available for those who can effectively integrate security into their service offerings. The conversation highlights the importance of continuous learning, strategic training, and the potential for MSPs to expand their services into areas like incident response and security assessments, emphasizing the shift from competing on price to providing enhanced security value.
- The cybersecurity industry is evolving rapidly, and MSPs need to keep up with enterprise-level security training and tools to remain competitive.
- There is a significant opportunity for MSPs to provide security services, such as incident response and security assessments, traditionally offered by larger security firms.
- Training and continuous learning are critical for MSPs to improve their security offerings and compete effectively in the market.
Video Transcript
Welcome everybody, episode 97 of the Cyber Call. And we have people coming in from all over the country, not you and all over the world in the audience, but we have our, uh, panelists coming in from all over the country. Uh, Gary, um, are you in Florida or Philly, or? I I'm in Philly. Yep. I'm in uh, I'm actually in, uh, I'm at the beach in New Jersey. Okay. Okay. Awesome. Wes, tell us where you're at. Yeah, I'm at IT Nation Secure.
So you can see everyone checking in now, right back there and, uh, in Orlando at Gaylord Palms. Yeah. Yeah. Very cool. John, you're at a small event, aren't you? Yeah, I'm at this, uh, little boutique security conference called RSA. Um, yeah, I'm here with about 45, I think it's called aaa. What's that? How many? Yeah. Ursa. Yeah. People make sure you Yeah. Say that again. How many of your closest friends are there? Yeah, 45,000. 5,000. Yeah. So, man, COVID Coming outta that, huh? John?
What's That? There'll be no covid cases coming outta this. No. So I was at the last RSA that we had live right when Covid was coming, and I'm like watching on the news. It's like, wow, China just shut down six of the nine largest ports in the world. And I met like this weird party with s and you met the people at side? Yeah. Yeah. It's like all SSS and there's like this haze of fermenting humans and like lights and I'm like, I gotta get the hell out of here now.
Um, but no, that was the, this was right before Covid hit was the last conference I did, and then that was it for me. Um, so yeah, there's plenty of fermenting for Covid going on here. Wow. It's all good. Good, good. Okay, so let's get right on into it. A few things. One, John's gonna stay with us until about a quarter to the hour. 'cause he's actually training, literally he's double dipping.
He has a training course going literally as we speak, was kind enough to take a break and is with us for 45 minutes. Um, Ryan is off today. Uh, Justin Showalter, one of the MSPs that has been taking a lot of John's courses and he is in the initial MSP training platform. Uh, is gonna come on 'cause I want you guys to hear it from the MSP side of things, how things are going. Jennifer, I thought you were in Spain. Um, who's there, uh, right now, uh, in chat?
Uh, so we'll, we'll have a few different perspectives going on today. Um, and, uh, few things. Lastly, poll, if you could fill out the polls, I put two of them up there. Just really know, love to know what you guys are doing, um, in terms of training, what you have done. And, uh, please feel free to ask questions. I see there's one in there. I haven't been able to look at it yet, but, um, you know, please ask questions along the way.
Uh, Gary, as I set the stage here, you know, I kind of think about, again, always the word command. You know, one of the things that, you know, back in 2 0 7 when you launched TruMethods, a big thing was both sales and operational command. Before cyber was even really a thing, right? It was antivirus and firewall was about it.
Um, and, and I liken today that we have got to figure out a way to level up the entire, you know, ecosystem in terms of their cybersecurity maturity, in terms of knowledge. Um, so that's why we really wanted to have John on today and share what he's doing. He's put a lot of time, energy, and effort and literally built out a platform. So any thoughts by the way on that, Gary? Do you liken it all to 15, 16 years ago? I do.
I just think that the difference is back then, the people that were laggards, they just didn't grow as fast or make enough money. They weren't putting their businesses or their customer's businesses at risk. So that's the big difference. I think the stakes are way higher and that's why you see some people figuring it out, right? Uh, in, in, in pretty short order compared to, you know, the evolution that we had back then.
Um, but it's definitely the same from it's sa it's the same Andrew from the standpoint is that, look, everyone has to look at this business differently. How they deliver, how they package, how they price, how they look at skill sets and process roles. You have to look at all of it right now. Right. All right. Good.
Wes, any thoughts from you as, uh, we lead in here and Well, uh, yeah, I mean, Gary's right, this is a constantly evolving world and I think MSPs are caught in a faster revolution cycle than, uh, enterprise because enterprise has had time to go through a lot of the things we've been talking about for years now, and MSPs are being ripped and forked into this.
I just, just as an example, I was talking to an MSP right over there earlier, and he's like, did you know, he's like, I am being, like even the cyber insurance discussions as an example, he is like, I am now being required to carry 10 million of coverage because I am serving a critical provider of ours that's literally a manufacturer and their main supplier is requiring us to have it and them to have it.
And so he's like, now that I'm going through this, like it's totally forcing major systemic changes in my own MSP just to keep up and I can't lose the contract. Uh, you know, this is like, we're seeing this big time. And John, one question for you that comes to my mind, I'm looking at like the second poll question.
It's still a fricking goose egg for SANS, for example, in, in the MSP space, like when you look at like our need for training in the channel, there's gotta be alternative ways because SANS just isn't, it's not that it's not meeting the need, it's, it's priced out and it doesn't work for the channel, does it? Well, and it isn't just the cost of training, right? I mean, it's the cost of the entire security package. Um, yeah.
When you look at enterprises, you know, usually in the, um, usually in enterprises, DOD looks at the non-class community and they're like, wow, we wish we were like finance and finance looks like healthcare. And they say, we wish we had the budget of healthcare. Healthcare looks at everybody else and says they wish they had the budget. The fact is their budgets and enterprise far outstrip the MSP space as far as what they are allowed to spend on tools, training and people.
And, and, and that, that, granted, that gives them the capability to move a little bit faster. But I really feel like whenever you're looking at that funding and that training side of the house, just that training side of the house, how does an MSP up their level so that they can start competing? Not just saying we're doing security, but how do you start competing at a larger scale with more companies? And that's something that I think a lot of MSPs need to start looking at.
Security is not a cost center. It is not going to cut into your profits if you do security correctly. And that's what we focus on, and I'll talk about that more a little bit later. You can now charge more with justification for insurance and for compliance reasons. And more importantly, and this needs to happen in my industry on the security industry, all these MSPs, it's been duct tape, baling wire, and just pulling things together for years.
They are ready to start competing at medium-sized businesses and moving up into larger space. And they have the background, they have the technical skills. They know how to run lean, they know how to run like with ingenuity. And all we need to do is to start piecing some of that security stuff with the MSP space. And I think it's gonna fundamentally change the way the entire industry, the security industry looks. And that's something I'm hoping happens sooner rather than later. Very cool.
You're this, uh, you're this optimist, John, that I absolutely love. I don't think a lot of like heart, like, well-known security practitioners would use the, all those words that you use, but I so dearly appreciate, I mean this genuinely appreciate your, your positive outlook on where we're going with the MSP industry. 'cause I know a lot of folks don't carry that same opinion. Yeah. Well, and you know what's interesting at Right of Boom, you mentioned Right of Boom earlier.
It was so refreshing for me to see MSP after MSP, after MSP at one of the last talks, say we started doing security and it is making a big difference in our bottom line because we can start charging a premium. 'cause if you're playing the game in the MSP space of just competing on price, you're a dinosaur and you're gonna get washed out very quickly. You need to find other ways to compete. Good stuff.
Gary, as we turn the questions over to you, and I'll keep an eye out for Dustin, uh, Showalter, who's gonna be our voice of the MSP coming up. Um, at some point here, once we, you know, go to my portion, I'll be Ryan, we're gonna show a little bit of the training platform that John's built. But John, quickly for those, most of everybody out here knows you, but quick overview for those who don't. And then over to Gary, Was that audio just cut out?
Oh, I was saying for those of you who don't know you, I said most everybody does John, but for those that don't, just a quick overview of you. Okay. And then we'll turn it to Gary. Sounds good. I'm running all of this through my phone, which is actually sketchy in San Francisco under the best of circumstances. Uh, my name is John Strand. I am the owner of Black Hills Information Security and the owner of Antisyphon Security Training.
We're a boutique pen testing company and boutique training company. We do about 650 security assessments, about a hundred employees. And we go anywhere from like Fortune five companies, DOD specialized JSOC training, all the way down to mom and pop bicycle shops. Very cool. Gary, you uh, just got off a DOD uh, you know, SCIF, so why don't you go on into it here. Yeah.
So, um, John, uh, well first question I want to ask is, you've been hanging around with us for about a year, roughly how many people have gone through the Antisyphon courses so far? How many MSPs do you know roughly? Um, um, oh, uh, Andrew, I was used to send you spreadsheets and we'd go through and say, this is an MSP, this is an MSP. Oh, it's Hard to tell. We gave up on that. Uh, the goal was initially to do 500. We blew through that easily, um, in the first couple of months.
Yeah, I think the first training I did when we were bringing in MSPs was about, I would say I think we had 2,500, uh, people and about 40% of those were MSPs. Um, and since then, we're probably looking at about 40%. So most of my training now, we started with like 7,000 people right off the gate, drop down to about five. We're about 2000 people that go through my pay what you can training for SOC and intro to security every single session.
And about 40% of those are MSPs that are just trying Really good, really amazing. Like, to go from not having that resource right. To having so many people being able to, to run through that. I think it's amazing. So you've been working on building, um, uh, like an extensive platform, right? Dedicated to MSPs. Can you tell us about that and what has been the initial feedback, um, from, from the MSPs? So the, the initial here I can actually just show it. Let me share my screen real quick.
Yeah, Yeah. Gary, and because we have Justin here, if you want to ask any, I wanted to bring an MSP that actually is going through to any questions because we don't have Ryan, so we have some spacing. Please feel free to ask. Yeah. Cool. So this is the, this is the platform and I'll go through it quickly. Um, we run on Brightspace, uh, 'cause it's a really good platform. And just the feedback that I've gotten as far as the organization and the layout has been very helpful.
Uh, a lot of the people that went through initially were like, I wanna know specifically what section do I need to go to? Um, like if I wanna learn Windows basics and how to do basic security or ir or if you're looking at the, um, or if you're looking into, uh, implementation groups, you can do a search on MSP. And then we got the implementation group names present here.
Um, and then in addition to that, a lot of people get our cyber range where we also have a ton of different challenges for people to kind of like grow their skills. And then finally, we also have a full lab VM that has every single one of the labs completely set up, step-by-step walkthroughs so that people can learn. It's got a full Ubuntu, uh, Windows Subsystem for Linux stack in here.
And just really just trying to make it super accessible with lots of hands-on tons of different technical components. And I'd be happy to show people more, um, as we progress. But really it's all set up to make it super accessible. And more importantly, this is something that's kind of different. In the past, whenever I worked on, let's say, a class I would correct, I would create the class and I would throw it out and people would take it. And that's fine.
This is a bit different because we do ask me anythings. Um, I think the next one's coming up next week where we get feedback from the MSPs that are in the program. They ask questions of somebody that does cyber office operations, that does incident response on large scale. Um, I work with insurance organizations, things like that as well.
And then more important for me, they are starting to tell Andrew and I, I would like to have a section on this topic, and then we can very quickly create sections on those topics. And that feedback loop I think is really important. We're not trying to set this up as a set it and forget it cash cow. We want this to be an iterative thing.
'cause ultimately what we are trying to do, what we are ultimately trying to do with this entire class is we're trying to create affordable training that's world class that competes with people like the SANS Institute. And I might know a little bit about that. And it's accessible from a price perspective to the small, medium businesses.
All of that aside in the industry as a whole, we're getting our asses kicked by the attackers, and there's no way that we're going to change the tide of anything if we continue relying on training that is seven, eight, even $4,000. We want training that's continuous and affordable to get as many people through. Also, another quick thing that I like, we actually have a full mobile app, um, that I thought was kind of neat.
I didn't, you know, didn't know my team was working on this, but we actually have, so you can listen to it while you're in your car. You can go through your sections and go through everything there too. Awesome. So that's a quick, that's the quick overview. I'll throw it over to questions and anything else that other Yeah. I want to ask you this question and maybe, uh, and then follow it up with, with Justin.
So the one thing I hear, whether it's leveling up knowledge or putting a program in place, the average MSP, they get overwhelmed. Like the, the first question is, where do I start? So if someone was coming in and they have a relatively, you know, their business might be mature, but from a cybersecurity standpoint, we would say that they're have maybe a relatively low maturity. Uh, how would you suggest they approach this to kind of eliminate those fears?
And then Justin, I'll kind of ask how you've approached it. So I would say you have one of two options, right? The first option is start at the beginning and work through. Originally we set up the class, it was section 1, 2, 3, 4. And it was basically denoting start here, go to this, go to this, go to this. And some of the feedback was, that's nice, but we don't know what's in there.
So if you have the ability for people to sit and go through the training, you would start with resources, start here and just start working through the sections because it's fundamental for understanding network, Windows and Linux before you start moving into application allow listing and multifactor controls. However, that's ideal, right? That's a perfect world where you can sit down and you can go through these things step by step by step. We don't live in a perfect world, right?
So you can also do it like, I wanna learn, how do I actually start going through logs? What are the important logs that I need to look at? Um, how does it work? What are some tools I can use? You can go directly to the sections that you need to utilize right away. So it is also, it's a training class going step by step by step. But it also is kind of like a wiki in the fact of you go to the specific thing that you need to do to do the thing that you need to do as well. Cool.
And so, Justin, in, in the, in the real world, as you've gone through this journey, how, how have you, did you feel that way in the beginning? Like you didn't know where to start? Yeah, no, I would agree that it's, it's, it's an intense, it's like, you know, what's the phrase? How to eat an elephant one bite at a time. Okay. Or Chainsaw chainsaws are helpful. Uh, you can't, uh, you can't take it all in at once. 'cause it is, it's way too much information.
Um, I started off by this journey by just reading things online, you know, it could be something as simple as, um, was, uh, Andrew, uh, the book by Sounil Yu, you could start there. Try to get yourself an idea of what do you need to know, like, you know, high level concepts. And then I've been through, uh, some of John's training, which is phenomenal by the way. Um, a big fan of John's, uh, training his introductory to SOC course.
I've had a couple other people in my, uh, company go through it as well. And it's a lot of information, but the nice thing is it's in a format. You're like, okay, I don't understand this right now. Let me digest it, go through the labs and watch it again. And it's not like, you know, where you do in person, you're like, okay, I didn't get my question answered. Uh, I don't know this, I, you can go back and you can ask that question.
And then all of John's training that I've taken has been on Discord. So they have, I mean, there are people there who know way more than I do, and I can always say, Hey, I don't understand this. Somebody please explain to me. And then there's a community there that allows you to say, oh, okay, well, that's where I need to look into or help answer a question for me. So I forgot about to answer your question, Gary.
It's a, it's a journey as I've always said, but you gotta start small and little bites and you'll get there. Well, and Derek pointed out, I forgot, I forgot the Discord community. Um, yeah, there is a Discord community too, so you can go in with other MSPs and ask questions and stuff. Listen, I, I feel like it's like anything else, man. Like all of us had to learn a lot of things from scratch in our lives.
And that beginning learning curve is really hard until you get to a certain base level of knowledge where you start to understand and, and can kind of make good decisions about where to spend your time and what you need. You know, what you need, uh, more of. And you know what's Really weird on that though? I found this out with the, with the, uh, MSP community is they've been doing so many things that it seems like once the pieces start getting aligned for them, they click a lot faster.
Um, because they've been kind of fumbling around on some of this stuff and they don't understand, like, a big thing that we focus on is how can you sell security to your customers? We got an entire section dedicated to that, right? How do you bring insurance into a customer conversation? How do you bring, um, how do you bring compliance to a customer conversation? Well, I thought you were gonna say, how do you sell, uh, security to a client when you're not securing yourself?
Oh, I thought that was gonna be the punchline. That does, that does happen, right? Um, but it, but it's interesting because I noticed with the MSPs, and this is weird, I don't get nearly as many of the basic and fundamental questions as I do in security groups where they're like, what's a command line? Um, that, that doesn't seem to happen. I, I really feel like people have been living off the land for so long that finally whenever things click it, it clicks a lot faster for you here.
Yeah, absolutely. Um, oh, I just wanted to mention, you know, I'm not a, I'm not a technical person by, you know, by trade, but, um, when I read the book, um, Sounil's book, uh, was really easy to get through. And I felt like it gave me, like, in, in language I could understand Andrew a really good base of, of, of seeing how things fit together. Um, so I just wanted to give another plug. Uh, I'm gonna give another plug for that.
And with that, uh, Wes, I'll let you, um, I'll, I'll hand things over to you. F**k on. Thanks, Gary. And, uh, John, thanks for spending some time with us at RSA. I appreciate that. Um, if, if I may, can we, let's get a little philosophical for a minute, uh, and get off the cyber discussion little bit. You get Philosophical and go a slightly different direction. I know. Can you believe, I know, uh, here, I've, I've had the opportunity to teach, I don't know, getting close to five, 600 students.
I've taught university courses, all that. And John, it's in your DNA, right? Let's talk about like what makes a good student for a minute, like, outside of the world of cyber, like I think we're always learning, we should always be in that position of like, humility of like, what new thing can I soak up? What can I learn from someone else? What's your thoughts on what makes a really good Student? Um, honestly, I, I've, this is kind of weird.
I've had incredibly brilliant people who get stuck and they can't get unstuck and they tend to give up. And I think that a good student is somebody who's willing to learn no matter what the circumstances are. Like I have people that come through and they're really, really, really advanced and they're like, this is a basic class, but they try their best to find something that they're going to learn. And they're people that dig, right, they don't get stuck and give up.
And that, once again, that goes back to the MSP space. I go back to the duct tape and baling wire that I see in this community. I don't see that in the security community, in the enterprise security community. A lot of it is like, oh, well this didn't work. Hey, let's drop another half million on that product. And maybe now that single pane of glass is going to work for us, right?
So I, I get a lot of people that have been digging for a long, long, long time and, uh, I think that that makes for a very, very, very good student. Um, just the coming in, the ability to try to find something that you're going to learn, don't go in thinking I know more than anything that this person can teach me. Um, and if you come in with that attitude, you're a horrible student and you're probably gonna have a very painful career.
Um, but I don't get that as much as I used to back in the days in it. I, I love it. And I totally agree. I think that idea of, like, I have a friend that taught me that a long time ago of like, I always try to, like, what's one thing I can learn from whatever it's mm-Hmm. Even if, you know, I'm walking into something and I've been practicing for a long time and I'm hearing this talk and I've heard it before, what's the one thing?
And sometimes maybe it's not even a thing you like learn, it's just a thing you're reminded of. It's like, oh man, like I forgot about that. So here's my favorite example on that story. Um, does anybody here know who NextGenHacker101 is? I don't think so. Okay. I'm gonna share, uh, I'm gonna share a video here real quick. Alright, so this is, um, this is NextGenHacker101. I'm gonna share it in the comments.
And he has this video where he is talking about tracert and he is like, tracert is a tool that'll tell you how many people are using Google and what their speed is. And if your speed is fat, totally, completely wrong, like right there is so in, there's so much wrong with this kid's video explaining trace route that it's, it's incredibly comical. But he put in the protocol. So in his video, he does trace route http slash slash google.com.
And I didn't know that Trace Route could support protocols, but it can. So even in that video, you know, like if you haven't seen it, you've got to see it. I did learn something from it. And, and that's what you've gotta be looking for all the time. That that's a great example. That's an awesome example. I'm definitely gonna have to go watch that. Um, okay, so is that, is that kid like nine years old? He was in the video.
Most of his videos back then were like how to get cracked versions of video games. Um, but, uh, but no, I Remember those days. He's kind of famous those days. Not NextGenHacker101, by the way. So That's awesome. And, you know, kudos to him like making a video, right? Like actually stepping out. It's one thing I've learned with a lot of the stuff I do.
It's like, you know, you learn to sort of ignore the haters and be like, at least I am doing something about this and I'm trying to make the world a better place. Right? Like, that's better than not doing anything. I love that, that mantra for sure. So John, talk to me a little bit more about like, the getting started in any, any Antisyphon, like maybe from two perspectives, maybe I am an MSP, like I'm a technical engineer.
Where would you recommend they, they put their focus and their effort and energy first. And then what about like a sales leader or, uh, an MSP owner that's not technical. What about that route? Where would you start on both of those? So for anybody that's technical, I would recommend, once again, just starting with a class and just going through it. Um, even if you, even if you have like, like feel like you're really, really solid on these things, please, please go through them.
Um, because whenever we're talking about security from networking, I put a specific security spin on it. Um, whenever we talk about Windows, I put a specific security incident response spin on it. So if you can, I recommend going through these sources one at a time, right? Um, also the fact that you can come back I think is helpful or you can jump ahead.
But honestly I'd recommend starting at the very beginning, and it's not that I'm smarter than somebody that's been in an MSP space for a long time on networking, Windows, Linux or memory analysis. It's just a different take on a, a thing that you may have been doing all the time. The other thing is down at the bottom, uh, we have this section dedicated to selling security.
This is where I would recommend people that are in charge of, like setting up the future of their MSP pricing and packaging, how to build a community, how to do sales messaging, how to incorporate insurance, asset discovery and data protection into what they are providing for their customers. And the reason why I make this available for anybody that's taking the class is I also think the tech engineers need to know how do you actually sell security?
Because your sales, not your sales, your techs are on the frontline with your customers every day. Um, something like 70% of the work at Black Hills Information Security is reoccurring customers, customers that keep coming back, because my techs know how to sell security.
If a customer says, oh geez, we're getting SOC two type two compliance, or we need to be ISO certified, my engineer, my actual pen testing engineers know how to communicate and sell the concept of what we can provide as a company all the way down. So we don't look at sales as like, this is the boss that sells, or this is the sales engineer that sells.
Everybody understands the cohesive message of how security actually meshes with day-to-day MSP work because I, I do believe that MSPs are truly the future. The idea of companies standing up their own security teams and doing all this stuff on their own, especially with cloud computing, is going away. And you're gonna see more and more consolidation in the MSP space and the MSSP space to be able to be taking those things off.
And the more you can have a cohesive message from the owner of the company all the way down to the like Tech one engineer, the better off you're gonna be. Wes? Yeah, go ahead Andrew, please. Yeah, just Real quick comment one I saw ju Justin shaking his head agreeing on that. I, I'd love his perspective, but I'd also, um, I'm hopeful, Gary, that I can get you and John, I talked to John about this, uh, get you two together on the packaging and pricing piece 'cause you so yes.
Throw and macro economics piece can bring that mm-hmm. Side of it. Um, so, you know, yeah. Anyway, I mean I've been working on that for 20 years, but I I'm currently very obsessed with it. Good, good, good. Well, and the other thing I think that you bring to the table is you've got a better idea of the problems that MSPs encounter than I would of course, right?
I know how you can talk to somebody that you know is working in medical and how you can say, here's the medical compliance frameworks that you can apply. Here's the Rosetta Stone to tie it all the back and insurance. But boy, there's gonna be sales messaging problems that I've never once encountered that I think that you're gonna just know much more about than I ever will. Yeah.
One thing I wanted to highlight that John just said, and Andrew, and you wanna get Justin's input, um, yeah, look, here's what the opportunity is. We're talking about the risk, the downside, what if, but the upside to it is for the most part, every SMB definitely up to 500 users will outsource some or all of their IT to an MSP in the next three to five years. That's what the surveys say. Mm-Hmm. Right?
So that's a massive opportunity for us, uh, to be able to go in to a lot larger, complex, uh, businesses and be able to offer, but we gotta have expertise and process that they don't have 'cause they have tools. Yep. Yeah, Gary, Okay. That's, that's a very important point, right? So I, I don't know how I can describe this, I'll just jump right in. Enterprises that are large scale enterprises tend to encounter fewer incidences and breaches than small to medium sized businesses.
And there's a wide variety of reasons for that. One is corporate compliance standards on workstations, consistency of firewall, consistency of location. There's a bunch of resources that enterprise security has that you all in the MSP space don't. Many of the MSPs that are out there, they have multiple, I guess let's say cats that they're trying to herd, right?
So you get a lot of people in the MSP space, whenever I'm talking incidents, whenever I'm sitting around at a table like at uh, Right of Boom, I'm hearing the stories that a lot of the MSPs are talking about. And they have been exposed to more incidents than a lot of the enterprise security people have just by the virtue of the tremendous diversity and the insanity that they have to put up with in all of their different small and medium sized businesses.
And once again, that expertise and that experience is going to translate into being better at dealing with these types of attacks as they continue to move into the SMB space and move up as well As we, as we get. I just one second, Gary, as as you're, you're on mute, Gary, you're on, we, Those SMB IT departments, they're in the same boat as the MSPs except worse.
They don't have the people and resources and process that enterprise do, and they don't have the experience of dealing it's economi dealing with so many things that MSPs do that that is what, what we have to capitalize on. Yeah. It, so let's, so let's, I, as I set up j just, uh, Wes back to you shortly promise, uh, as we hear from Justin. Good.
I, I just feel that, you know, Gary, what you and John are saying as far as optimism, like we know from a macroeconomic perspective the next two years are not going to be really great. My point is that leads to, again, more outsourcing in larger companies relative to the what we're used to working with. So with that said, Justin, your comments on what you were agreeing to earlier, I know we got a little ways away from it, but are you seeing larger companies coming to the table?
Yeah, I mean, we do support several larger seat counts. So, you know, the MSP space is typically 25, 50 seats, maybe up to 75. I mean, we do help support several organizations that are 200, 300. I think the largest one we support is 700 seats. Now, are we in there doing, uh, day-to-day operations? No. We're in there for tactically, we're in there doing specific things because you're, they don't have the time and the ability to know everything that they need to know.
So when we started this journey two years ago, I've learned a lot and my staff has learned a lot, and we can now provide something to those companies saying, Hey, here's, um, something that you need to put in place. Here's how we put it into place and here's what it's going to do for you. So you can check that checkbox per se, or be better at what you need to be. And they're like, okay, great, because I don't have the, you know, whether do you wanna outsource?
I think the most common one that we do is the outsource SIEM/SOC. Now we don't do that, but you know, we do have, I can at least tell 'em how it's done, what's the force multiplier it's going to give them? Because they don't wanna hire an internal staff. Okay, well here's what you need to look for. I have a vendor or I can tell you what to look for in other vendors and here's what it's going to do for you. So yes, we do help support larger organizations, um, so that they can be more secure.
And then I use the same information to my smaller clients. Now, they may not have the budget, but at least, okay, I can put this one thing in or this other thing in this year, maybe next year I can put the next thing in. It's a, it's a slow growth process, but they'll get there eventually. Yeah.
And what's cool, Wes, is I hand it back to you, Justin was one of the first, I think two, two and a half years ago to embrace CIS. This is a company now, his MSP is just about done with implementation group two. Yep. Um, but that gives you a sense of the dedication that Justin and his team are doing, and it's showing up in the results and command of security. So, and it takes time. Yes. It takes lots of time.
And I like, and I like to say, you know, the, you know, the best time to plant a tree was 20 years ago, but the second best time is now. Yeah, yeah. True. So, uh, John, let's get back to something you said that I, I think is important that we, we really talk about, and it is this, you, you mentioned sort of this culture you build at Black Hills of like, you know, recurring business coming.
So often the majority of revenue comes from that, which means that your boots on the ground folks are engaging with the client, they're creating value, they're being able to explain, you know, here's what else we can do. Here's how we can help you accomplish this goal. Here's how we can help you protect revenue in these ways, whatever. And, and I think that's awesome, right?
And, and yet paradoxically, a lot of times when you talk to people about like hiring new security people, the conversation is always, well, where do I find that cybersecurity talent? I'm looking for like those really smart cyber people and, and we actually landmine ourselves because we're trying to hire, hire for cybersecurity talent first. Yeah. Instead of looking for the right kind of person, and I can train them in the cyber talent that they like. I can give that to them.
And I think what you're talking about here, and I want you to riff on this a little bit, is you're unlocking that capability for MSPs to say, you know what, for the first time I can go hire a young tenacious, humble right outta college lady who's super, super, super like devoted, but she doesn't have the cyber talent. And I can get her going in the MSP and then get her into the Antisyphon training and start learning this world.
And I can train the skillset I need, but I can hire for the qualities of a person I want first. Is that, is that kinda how you see That? That's absolutely accurate. I don't hire pen testers. I hire network engineers who have, who have a tendency to dig. I hire web app developers, I hire systems administrators. I don't hire security people, right? I hire people that have these deep skills. The best place for you to find InfoSec skills is in your own company.
You're gonna have like really brilliant, sharp people that have that, that that tenacity and they have that drive and you wanna give a path for them, right? And security is a good path. And one of the things I don't quite have an answer for in the MSP space is everybody brings up, and it's a valid concern. I train these people, they get the skills and then they immediately leave to other jobs. And that is, that is going to be an issue for a while, right? Um, so that is going to be a problem.
But you can counter that, right? If you make your workspace a great place to work, if you recognize these people who are key personnel and you start rewarding them, like the dividends coming back are huge. I'll, I'll give you an example. Um, we have a very, very, very large company that we're working with, um, in our SOC services. They deal with a petabyte of logs a day that's logs coming off of their Linux servers. And we're working on Dex with this particular customer.
And I put my two more advanced senior engineers on that. And they're very expensive. And from them knowing how to speak security, them understanding compliance, them understanding the lingo of quote unquote sales, from that one contract, we now have another pen testing contract, a physical pen testing contract where we're going to like 75 locations around the world. And then there, um, their IR team is now directly working with us and setting up retainer services.
And my sales team, they literally showed up to the meeting and the customer said, this is what we want. Here's the proposal. They signed it. And the whole entire thing was done in a matter of about two days because my people on the ground knew how to have those conversations with their people on the ground to make that happen. But like you said, my security people, they always started out as something else and I converted them into security people. They know the dance, it's like fon gong.
It's, you know, the dance, you know the moves, you speed it up and all of a sudden they know a martial art. And that's all that's actually we're working with, is just accelerating people from the skills they've already been developing and to putting a new spin on it so they can start doing security. I, I love it. Um, and I know you gotta go in here in a few minutes. So Justin, I'm gonna actually pepper you with some of those questions of the same thing, but from the MSP side.
But before we do that, um, I think you're right. Um, I I I, I think it's important for us to think through as MSP owners, are we giving the resources and time to allow our folks to be able to learn and grow and have the time to do it? Or are they just completely burdened by billable hours? Billable hours? That's where the burnout comes from that Gary, you mentioned there in chat that I saw. Mm-Hmm. I think that's a big takeaway for us is like, let's free them.
And we've all seen that old adage, uh, John of like, that goes on that meme that goes on LinkedIn all the time of, like the CFO says, what happens if we train our employees and they leave? And the CEO says, what happens if we don't and they stay? I mean that not only is that something we, we, we just gotta do anyway, but I also think like, it, it sets a culture in the MSP of like, no, we encourage that and we know some of you are gonna leave. That's okay.
Because when people go and say, Hey, so and so you used to work for at MSP, did you like it? They're gonna be like, oh, I loved it. They're so awesome because they freed me up to train this stuff. They put me on a career trajectory that was so good. And you actually build that pipeline of like deep interest of people that wanna come and work there. And I think that what we're also talking about doing is creating new business lines for MSPs.
I I I, I'm gonna get, I'm probably gonna get egged when I step outside when I say this, but you all, every one of you in the MSP space, you can do IR retainers with your customers. You can do network security assessments and penetration tests for the small to medium sized businesses. You can do those. And those are additional business lines that you can make revenue on. You can start selling compliance.
And here's the thing, um, Justin, you were talking about, you're on implementation group two, right? Whenever you're at implementation group two, it becomes easier to upsell a customer and say, look, whenever you're doing insurance and they send you, you know, the cyber liability insurance or ransomware insurance, these are the due diligence things that you need to have to place. When you're doing business with Justin, you've already got a, I'm guessing about 75, 80% of that done. Yes.
So it takes time. But Justin now can compete at a higher class of, let's say business to business warfare, than a lot of other MSPs are because he's providing a better product and he is going to attract larger customers with larger budgets for computer security. And you can justify it better that way. And I kind of look at it as if I'm eating my own dog food too, and I have to be able, I can't resell it. Yep. I can't resell it to somebody and tell you, well, you need this product. Why?
Uh, 'cause that's what the packaging says, that you need this and this says this over here, unless I've used it and I know where the pitfalls at, how can I honestly resell it to you and know what I'm talking about? And, and what I'm basically saying folks, is MSPs, if you're listening, come compete against the security firms that are out there. Come compete with us for SOC services. Come compete with us for pen testing and security auditing services and application security assessment services.
Come compete with us for two reasons. One, we're getting a little complacent and fat and kind of happy in this space. Two, we all do better whenever we actually have more competition across the entire board. And it's the only way we're gonna protect our customers is if we start doing that. So don't be competing on price anymore. Um, it's gonna be a trap for MSPs. That's my biggest fear.
That's what's gonna make this whole endeavor fail, is if the entire MSP space continues to hold on to just competing on price. And we don't fix the sales messaging pipeline. We're, we're in big trouble. And I mean, all of us are in trouble. So I hope to see you all real soon on the field of play. So, Wes, before we lose, John, can I ask a question and I'll let you please continue, John. Um, and I, and as I ask this question, I would love the MSPs to chime in and chat.
My suspicion is your training would be adopted more if there was a certification. Good. Call it, whatever we call it. Yep. But I'm, I'm wondering, my suspicion, my hypothesis is because I can put C-I-S-S-P after my name and I took a test or something of that nature. It, it lends itself to some, you know, this seal of approval. I'm curious from the MSPs in chat, do you agree, disagree that certification, a certification would be important? Love your thoughts, John.
And then certainly Justin as the voice of the MSP, please comment after. So I, I would love to know what the MSPs say because we've had MSPs, if we're being completely honest, say I do not wanna have a certification because if I have a certification, as soon as somebody's certified, they're gone. Um, I have had some MSPs say, well, like you said, you, you worry about people if they go worry about people when they stay.
There's a lot of different conversations being had within, what we have done there is progress tracking. We call it a T. So as you work through, you get, you know, challenges solved your level, your total id, and this is something that can be shared and companies can track, uh, the progress of their employees.
And while this isn't an ANSI certified certification, it is a certification and we are now starting to see companies that are absolutely accepting these certifications, not just here, but also MetaCTF, and, um, TryHackMe and Hack The Box in lieu of AL certifications. And that is the conversation I'm gonna have here in a few hours with John Hammond and some other people, is the idea of this space, not just training, but certification is changing.
It is no longer going and getting a sander or a CISSP or a CEH, but now we're seeing companies accept more and more often cyber range levels and percentages and things that they've solved. So it is changing, but honestly, folks, we, Andrew and I want to know, what do you all think? Uh, do you think certification is key to this or is it a detriment to this? How do you all feel? Yeah. As, as we wait for some of some of those answers. Justin, any thoughts just from your perspective?
Um, I will say that I can see the value in it and I can see the requirement, but I can also say that I have not once that I can recall off the top of my head, an engagement says that if you're not this particular standard, then therefore you can't bid on this contract. Does that make sense? A hundred percent. So I of that, yeah. Right. So I, there's pros and cons like everything else in life. I mean, I can see it, but I could also, who's signing it?
Who's like, yeah, it's, that's a hard one to answer. Yeah. Okay. It's, it's interesting 'cause you're seeing a lot of MSPs get a CISSP out there more and more and more. So I was just curious Thought Yeah, it, it's funny, this is something I've gotta wrestle with. I'm doing, um, expert witness testimony in Seattle next week for a trial. And one of the things, um, I'm working with the, uh, prosecution on the government side, and they're like, what certifications do you have Mr. Strand?
And I'm like, none. I used to have CISSP, GCFW, GCIH, I had this whole soup and I stopped because I don't need them anymore. And they were just, it was like thousands of dollars every year. So that's gonna be interesting. Yeah. Um, I'm in the same boat, John, I, I literally have nothing left anymore and have no desire to go get them again. And, and I know, I know why people are saying no here.
I do think from my perspective, like, uh, I've talked to HR people before, especially like large hiring orgs. And one thing, one comment they make is they're like, you know, here's the reason we like certs, good or bad. Like 'em or not, they're like, here's our view is there's not a lot of like definitive, um, scientific things that I can look at in the hiring process.
Your GPA, I mean, like it or not, GPA is one's definitive in inserts or another, everything else is sort of like, do I feel like they're a good candidate? Do I not? And so at least CERT tells me they've gone through this process, they've gone above and beyond to learn something, even if they just brain dumped it. And so, and you need, I see where they're coming from on this HR side, you need Some type of filter, right?
We've gotta, if it's not certifications, there's gotta be a filter somewhere in this entire thing, right? It's tough, but I need to get going. I wanna say thank you very much to all of you. I really appreciate it. And once again, folks Say hi to John Hammond for me. I will, I will. I wanna say, once again, this is an iterative process.
Um, this is what we all make it, and please continue to give us the great feedback that we've been getting and we'll continue to make the class kick ass for everybody. Thanks again. I'll see you all. Thanks. Thanks John. So Justin, I got a question for you. Um, Yes. When, when John was talking about training and he was talking about, you know, um, it's a great entryway for like net network technical people. How does your MSP make time for that, for your own folks?
And like what lessons have you learned from like making that a priority in your, in your company agenda that you could share with other MSPs? Yeah, so I have learned through my interactions with Andrew and other MSPs through other different places that I've gone, I, we are not one of the MSPs that metrics our staff to death. Uh, you know, that if you do that, you do you, the way I look at it, I tendency to be a little bit more lax on that.
And then way we looked at it is more, uh, strategically, okay, who are the people and the key people and the individuals that we need to get trained. You know, uh, my cer uh, a service desk manager, okay, he's, he has a certified ethical hacker. We started introducing into the project process. So now my technical people who start doing the design work, I need to make sure it's built in from the very start. Not, Hey, I'm gonna try to resell you this product or service after the fact.
Let's build it into the very beginning. So we just kind of look at it like, okay, strategically who can we get informed and we start going in from there. And then is that the way to do it? I don't know, kind of like what else best works for your organization? But that seems the way that works for ours. Okay. And did your folks like immediately take to this like, oh, this is the coolest thing ever or did it take some time to like build in the, the want to piece of, of all this?
'Cause I mean, it's certainly taxing the brain to like learn Yes. From a lot of the content that's there, right? Yeah. And I even saw a comment in Chatter earlier, you know, taking a class from Antisyphon, it's like, and I even made the comment to Andrew, it's like drinking from a fire hose. I mean, it's a ton of information to digest in a and uh, I think the info to SOC class that it took, uh, was four days, four hours long.
And it's, it's the amount of information come out of it, your brain hurts and I understand. But, um, the program that John's putting on now for the MSP, you know, you get at small bite-sized chunks to do it at your own pace. I don't tell people my, the people we've put through training, like, you have to finish it in these four days. Um, take it as you can redo the labs when you get a chance. The point is to understand and get something out of it.
Not necessarily, uh, okay, you've done it, now let's move on and you need to get back to that project. So it, as I said, we may be a little bit different than other MSPs out there in that regard. You know, I I, I was thinking about trying to equate this to things in the past and right when, um, you know, networking was exploding and we had to, you know, get people trained up, we didn't have all the Cisco, um, expertise that we needed.
And you know, early on when I realized as we start to get people trained up, we had to have how to do it, have a process for it, how to retain those people. Um, but also I realized there was a cost to it. We weren't. 'cause most of what we've done, Justin, is on the job training. Yes. Right? Like, techs learn 'cause they're doing so many tickets or so many projects. And as a team, we all learn together. But when there's new things like this right, that, that are mm-hmm.
A lot of knowledge that need to come in. Um, you have to have more of a formal process to level up and there's a cost to it, not the cost of the training, the cost of having a process. The, the people be able to spend the time on it. 'cause they can't do it all nights and weekends, they get burned out. Yeah. Good. Yeah. Very good. Um, uh, Wes, any, any other thoughts from your side? Well, you know, um, Justin, I think we can all learn a lot from you.
Um, I, first of all, congrats on getting all the way through and deep into IG two. Right? I mean, that, that's huge. Uh, I know MSPs that are like, would, would just, they envy that. And, and I think this comes from your perspective, from just a lot of iterative, consistent hard work of not giving up, right? Yeah. Can you, can you kind of share through that journey a little bit from for us?
Well, um, how it started was it literally, I think the beginning right around when the pandemic started and, um, it, I saw the writing on the wall and as I said, I've read a lot. It, to me, security, I'm not a, uh, I'm not John, I'm not anybody else who does security all day long. You know, I have a an MSP owner, I have other technical and other BCIO responsibilities. So I do it when I can.
And I started seeing the writing on the wall and I know it's been talked about before, but the whole, it, you know, MSP's gonna need to get certified. Okay. Or insurance, like, as all the MSPs on this phone call have had to go through trying to get cyber insurance renewed. You know, you're not doing these things in place. Nope. We don't deny your coverage. So we saw the writing on the wall a couple of years ago saying, okay, we need to get ahead of this.
Um, and we just slowly but surely, as I said, you know, taking small little chunks out of it and just, okay, let's knock this one out. What's next? Let's take that one out. Now. Some of the stuff that we resell to our clients and we have been for a while, make that piece and process easier. It's the boring stuff like the policies and the procedures and some of the other testing that's just, it's mind numbing. It's brutal. And I understand that. I've been through it.
And here's the fun fact is you're gonna have to do it again next year and the year after and you're gonna have to sit down with your team and you're gonna have to spend some time going through that and reviewing to make sure that, okay, well this last year we've updated this policy or this project or this product or whatever else we've done. We need to go through and review that. Are we still insecure? And, but it's other iterative things every single month.
It's like little checks, you know, and checks and balances. So it takes time and it has to be built in your culture and it has to be built in your processes and your procedures. 'cause otherwise it'll unravel on you really quickly. It, I had two questions for you, Justin. Yep. Number one, through this journey, has it had an impact on your new logo sales in terms of being able to bring on new customers?
I would say that since we just recently have gone, I think the last few pieces, we've just recently tried to wrap up IG two, so I haven't really, um, say, Hey, guess what? We're now IG two. And that's one thing that I, there's no like to the certification process that we, the conversation we just had, there's no like stamped logo. Somebody comes on and says, you're not IG two, it's self attestation to a certain extent.
So is the NIST cybersecurity framework, there's no company that's gonna come in and say, is gonna certify you on that. What I was thinking, Justin, not so much the IG two as just your ma the maturity, your maturity journey and security, has that changed your conversation with prospects And the trajectory of the sales, right Gary? Over the Yeah, yeah, yeah. Have you been able to Gary separation from other people? Yes.
So, and then I can speak intelligently about like, I've done this, I've been through this, I know where you're going to go. I know what it needs to be done. I can put this in. If you're gonna go, they got on the street, you're gonna spend twice as much and it's not gonna be implemented correctly. Here's why, because I've done this and I've been through this internally first. They're like, oh, okay.
And, and you just, once you have that knowledge able to speak confidently about it and you're like, oh, they obviously know what they're talking about. Yeah. The second question I had is, compared to March of 2020 till now, um, either percentage or dollar number, either, how much more do you charge on average for per seat? How much more do I charge per seat?
Um, I would say it's going to be probably $50 or on up, depending on which service I start at $50 per head per month and go up from there depending on what they, uh, what services they wanna subscribe to or what they want us to do for them. Okay. I want everybody to hear that. That's where if to me, if your average seat price, and I'm seeing both the average seat price and I'm seeing the average MRR the average amount of a contract. 'cause again, I get to see 240 MSPs every quarter, right?
I'm seeing those two numbers. Uh, averages go up steadily and you know, we're doing a packaging and pricing gut check this quarter for our peer members and you know, I know it's gonna be eye-opening for them. Um, so if you're someone and your price hasn't changed by that much in the last two years, either your margins, gross margins are severely owned the wrong way, or you're not securing yourself or your customers, there's no third option. Yeah. Good stuff. Gary. Good stuff. Justin.
Really, really appreciate you coming on, um, and giving Always happy to. My pleasure. Yeah, well, it's, it's, look again, the MSP's out there hearing from you is really the important thing out there. We can all give perspective. Yes, Gary's owned an MSP multiple of them. So, but, but just hearing it from you right now is so critical. And I, and I guess I just wanna ask you this Justin, as a last question.
As a business owner, as somebody that's gone on this maturity journey of CIS, um, in your sales conversations, in your customer conversations, do you find yourself relating it back to what the owners care about? So less of about here's security controls, this is how it impacts revenue, this is how it impacts risk by not having these things, this is the dramatic impact it could have on this, this, this, this, this as an example.
Do you find yourself more being able to translate it into their things that they care about To a certain extent? I mean, it kind of depends. So I don't go on every sales call. I have a sales, uh, manager who does a lot of that stuff. So when he does go, but when I have to get pulled in or the security conversation, I do try to translate it to that because otherwise it in you're like, oh, I, I could speak technical talk to a non-technical person. And they're just sit there and like, uh, what?
Like, okay, that sounds great. All I see is a dollar amount. But as if you can explain to them in a real world scenarios why this is going to cost them money, um, it does make a difference. And I'm not an overly pushy person. Like, okay, listen, I'm gonna explain to you why you need this and if you choose not to do this, this is, I'm telling you something's gonna happen.
It's an if not a when you'll be coming back to me in a month, six months, a year, two years, whatever else it's gonna cost to you even more than what I'm doing now. 'cause I've seen it and my company's lived it and I've seen clients go through it. It's not fun. And you're gonna, you're gonna be kicking yourself in the pants when I offered this to you and you're like, no, it's too expensive. I can't do that right now. Okay, well I'll talk to you again in then at a future date. Yeah. Yeah.
And then I think that's step one is getting to where you got to step two is for customers anyway, saying like, listen, I hear what you're saying. I can't live with the risk and the only reason you're willing to live with the risk. 'cause I'm not doing a good enough job of explaining the risk to you. So I I'm saying you need to do this. If we need to talk through how we do it, work out payment, like whatever, I'll work with you. It's that important.
But we cannot make this, we can't make this a choice. I'm not, I'm, I'm not asking on this and a lot of MSPs have gotten to that point. As long as you soften it with, I'll work with you, but I can't let you live with the risk and it's my fault because if I was, if you understood it the way that I did, we would've be having a much different conversation. Like that's the progression. Does that make sense Justin? Yeah, no, it makes sense. Yeah, good stuff. Gary.
Wes, really appreciate you coming in from Orlando. I'll see you in a few hours. Look forward to seeing you my friend. Um, Gary, we will have a plane chartered in and fly you in because you know, I know you got to Helicopter. He flies. You know what, I, I, uh, I couldn't be there, but there's another Gary peek of there, so Ah, yes there is. We'll see your sign. I can't wait to go see him. Fantastic. Alright everybody, we'll look forward to seeing you next Monday.
Until then, make it a great day again. Justin, Gary, thanks Justin. You're welcome.