Skip to main content
Right of Boom
January 30, 2025

October 5th, 2020

In this video, Wes Spencer, Justin Remo, Mike Begard, Gary Piqua, and Kyle Hanslov discuss the complexities and strategies of selling cybersecurity solutions in the MSP space. They explore the importance of educating clients about security risks, aligning with industry frameworks, and overcoming common objections such as cost and perceived irrelevance. Through role-playing and real-world examples, the speakers provide insights and techniques for effectively communicating the value of cybersecurity to both prospects and existing clients, emphasizing the need for a proactive and well-informed approach.<ul><li>The importance of sales reps having a certain level of knowledge to effectively challenge and discuss cybersecurity with clients.</li><li>Cybersecurity is a journey and ongoing process, not a one-time solution.</li><li>MSPs must focus on standards and frameworks to effectively communicate and manage client expectations and legal liabilities.</li></ul>

Guests

Andrew Morgan

Video Transcript

All right. We are live with episode 21, and I'm gonna go around the horn real quick with Wes Spencer, Justin Remo, Mike Beard, Gary Pika, and Kyle Hansel. And welcome everybody to episode 21. Thanks for joining us. We got an action packed show today, and it's about having the conversation. Gary, not the one that you and I have had with our kids, although this is equally as important, I think, if you're in the cybersecurity field. Fair. Absolutely. Andrew.

Uh, this is something we're gonna open up a conversation on today, uh, but it's not as simple as do this and this happens. It's, it, it's a process. Absolutely. Well, in that process, what I'm gonna do is, everybody's getting settled in here. I've got a bunch of people joining. I'm gonna throw out a quick poll and let everybody, uh, uh, see what they say about that. Oh, did I? Yeah. That, that went out there. Good. I think it went out. Yes. Can you guys check? Yeah. Yep. Okay. You got it.

So out there. Okay. Quick few, quick Bonafide in Nepal, the word bonafide. Can you believe that I actually used the dictionary? Yeah. Um, alright, so a few quick announcements. We talk every week. Cyber Nation taking off, ordering right on 700 right now in four weeks. So it's, and a lot of interactions going on. So that's, that's very excited about that. Um, in November, early November 11th, we're gonna be doing A-C-M-M-C webinar, um, with Ryan Bonner. It's gonna be really interesting.

We're gonna do that. Kyle, we got trade craft Tuesday. Next Tuesday. Yep. Have next Tuesday. Um, I'll throw that in there. Once, uh, we get going here 'cause I want get things moving 'cause we really got something cool at the end. We're gonna do a cyber, we're gonna do a sales call, role play. And, um, a gentleman named Keenan is gonna come on stage and Keenan isn't here.

I haven't checked yet, but if he isn't, we're gonna have to bring back Wes' Bearden coin, which is the top grossing YouTube video that I have on my YouTube channel. Left while I haven't gotten any left right yet. You know, let me see if he's in real quick. I can see if I can grab him. Yeah, there he is. He is. He's here and ready to go. So he's on standby. All right, awesome. Okay, so let's get right on into a few quick intros. Justin, you were on. Wait, you gotta look at the poll. What's that?

The poll. Okay. Results. Okay, let's go to the poll results. Alright, Gary, you wanna tell everybody what they look like or can you see 'em? Yeah, Yeah. Uh, almost 90% of the people said yes, I get pushbacks from prospects and customers when there's actual security gaps. And, uh, only around 10% of the people, uh, said that that's not happening.

So one thing is when we get to that portion, if anybody who answered no, they're not getting that pushback, that might be a great way to open to hear why they're not getting that might be really valuable as we start to, to, to dive into it. Yeah, that would be, that would be awesome. You could, you know, like throw those in as questions. Even just like, here's why we're not getting pushback. Um, I'm, as I'm assuming Gary, they're true methods members. I don't, that I don't know.

Alright, few quick intros. Justin Remo, uh, Ray Remu who, uh, was with us a few weeks ago, Justin, with the technology risk underwriting group, 16 plus thousand cybersecurity policies, uh, understands our business just a little bit. Works with MSP's, IT folks. Justin, welcome. Tell a little quick about yourself, even though I probably just did it. Yeah, no, thanks Andrew. I appreciate it. Um, yeah, I know I was here two weeks ago, so if I'm repeating myself, I apologize.

But, um, you know, yeah, we, you know, when, when I first started in the insurance industry, I did have an IT background and you know, just kind of working through and seeing that, you know, this was back in, in, in 2004, uh, you know, I got involved and strictly started focusing on, on IT companies back in 2009. But, you know, just going through these policies, you know, I realized real quick that these are kind of unregulated policies, you know, like we talked about the last time.

And so, uh, you know, there were a lot of it service providers. I wouldn't call 'em MSPs back then that were running around without the necessary coverages that they need. And so, you know, I think we, you know, again, talked about that, but, you know, understanding these policies are unregulated, kind of the devil's in the detail. You know, make sure that your policy aligns with your service offerings. 'cause if not, you could get yourself into trouble.

Um, you know, there are specialists out there and I just, you know, again, if you're gonna use a medical analogy, if you got a heart problem, you don't go to a ear, nose and throat specialist, right? You go to a cardiologist. So I would say if you got a cyber problem, go to a cyber specialist. That's it. And the reason I wanted to bring you back Justin, is hey, you're in the heart of sales. It's what you do on a day in day, day in and day out basis. You're having risk-based conversations.

That's what this is about today. So thanks for joining us back again. Absolutely. No, I appreciate it. Yeah. And then we've got the illustrious CSO of Marco. Mike Beard. Mike, welcome. Thanks for coming back. And for those of those of them out there that even though I can't speak, may not know you, tell us a little about yourself, Mike. Yeah, thanks Andrew. Uh, yeah, Mike Beard, CISO, Marco Technologies, uh, or name SP up in the upper Midwest.

Uh, we've spread out into the east coast just a little bit. Got quite a few sales reps that I work with here. Um, and then, uh, my background, I spent 10 years in the financial space and leadership roles, uh, including security. And I spent six years spread between manufacturing and K 12 prior to that. Awesome. So thanks for having me. Hey, Uh, we're, we're psyched to have you, Mike. Alright, so let's get right on Intuit here, Mike.

I'm gonna just ask a few, kind of set the stage here and then I'm gonna turn it over to, uh, one of the guys that I think is the best at sales ever, which is Gary Pika. So Ever's a long time and ever's a pretty big state. That is, it's pretty big. And, um, so, uh, and when I say evers and always, um, you know, um, anyway, but, um, Mike, um, wanted to, uh, even I talk a lot about sales, right? So, and specifically selling cybersecurity.

And, you know, one of the things, um, you know, you insinuated or, or were sharing with me is that, you know, well what, what, what are you ha, sorry, you know, you, you instituted something kind of unique is what, what I wanted to say. Um, Matt, Marco, can you share a little bit about that? Yeah. Um, a few months back we started what I call, I, I've called it a couple of things. I guess a cyber round table or state of the union and security. We, we've called it a number of things.

I kinda like the round table personally, but, uh, um, really it's once a month I pull all of our sales force together, which is a couple hundred sales reps and, and we talk security. Um, and it's, when we talk current events, we talk what's happening. Uh, we've talked alphabet soup, we, we talk a lot of different topics, but it's always focused on security.

Um, you know, I I I think one of the things that you and I talked about is just we have such a hard time with this and why is it, I know you're a fan of the challenger sale and as am I, and, and I think one of the elements that when we look at that, in order to challenge, you have to have a, you have to have a certain level of knowledge in order to challenge effectively. Yeah.

And I think especially when you look at a lot of sales reps, like we've got, you've got knowledge and skill sets all over the board. All these folks have different backgrounds and, and ultimately they just don't have knowledge and security. That's really what it comes down to. So we're taking a different approach and a more direct approach in education and, and talking talk tracks that we want our sales force to talk about. Talk about. Yeah, I think it's really cool.

And how long have you been doing this? Um, you've got about 200 or so reps, right? And I think you have something like over 1200 managed clients. And so you have a pretty substantial organization there. And also there's a whole bar side of the business. How long have you been doing it? And with that, maybe share a little about that and I'll transition it to Gary to talk about some of the results, how you guys are doing those things.

Yeah, we, we started back, uh, June was the first month that we enacted this. Um, and, and I took the approach that I want people to, to be there that want to be there. So we're not requiring it for all employees. I think that's the first thing, right? We sent it out as basically a lunch and learn style format. Hey, come, come join. We're gonna do it at 12 o'clock central, which is predominantly where we're based. We're gonna do it 12 to one, bring your lunch, we'll make it the first half hour.

So presentation only, the security group, um, or our guest speakers. And, and to be upfront, part of the idea came from this, right? We took a similar format where we might pull different people in and we're gonna talk security for the first half, and then we'll open it up to discussion and, and round table and answer questions. And I think the cool thing about it, so by making it non-required, I think actually improved attendance.

We, we on average run about 75% attendance, and the recordings actually do get watched as well. So I think it's been pretty neat to see just adoption in the organization. So just real quick, aria, as I turn it to you, I just wanna ask Mike, can we get some royalty fees from your organization? So, So You'll get a percentage of what I pay. Yeah, Mike. So, so with that I, 'cause I got a couple angles here, but you know, what changes have you seen as a result of this, of people attending this?

Um, what's, what's changed in terms of their behavior? Or have you gotten any feedback? We have, we've, with the, the feedback has been very, very positive. Um, first and foremost, I think just people learning things that can benefit themselves, that can benefit their friends and family and that benefit their customers and, and ultimately take, you know, it's a client endeavor, uh, I think, uh, was said earlier, right? It's, it's the journey, not the destination.

I think that's been the first thing that we've wanted to impart on, on our sales force. Security is never a one time thing, right? We wanna sell something and then move on with life and, and it just doesn't work that way. It's the journey that gets us there. And I, I think things that we've seen, um, tangible things that we've seen is our sales reps have, have now gotten engagements with clients that they've never been able to engage with before. Right.

In your Model, are they sell, are they selling the cybersecurity or are they, you know, bringing up the needs? And do you do some type of assessment, you know, for those gaps? How, how does it work? Like what's their role in the process? Because they sell other things, They, they do sell a lot. So, um, say it typically it starts with the, with assessment, right? And that's one of the things that they really do push.

And in our organization, we are large enough that that then in some cases drives different sales focused folks to come into the account. Yep. On top of it. That's good. Uh, and then, um, so with this, like, the point I try to make to people is that, you know, you can sell cybersecurity sales and you can have a, a great conversation. You don't, you don't need to be Kyle or West, do you know what I mean? Like, you don't have to have all the knowledge.

So how do you focus that on things that are helpful to them so that they seem like they understand, like what the risks are, what's happening, like those kind of things that, that, again, you're not trying to make 'em technical people, you're trying to make them have some command over knowing more, right? About the reality, what's going on with the changing landscape. Yeah, that, that's right.

So one of the ways that we do that is we, we use current events, we loop in current events and we back it up with statistics. So we will pull in, it could be CSA certificate, you know, um, statistics, or it could be something from the FBI, it could be something from Huntress or Perch as well where they've made a publication and we will pull that into the conversation track. Um, and then one of the things that we follow up with, after every one of these, we give them a deliverable.

And ultimately what we're giving 'em is potentially slide deck material, right? Use this talk track, take it elsewhere. Um, and by providing that, we found greater commitment from the sales team to actually understand what we're talking about. The last thing I would say on that is, you, you've gotta use analogies. I think breaking it down, simplifying it, just like Justin said, right? You don't go to ENT when you got a heart problem kind of a thing. That's the type of analogy that we'll use.

Um, is that, or airports or other analogies that we've used on here and that kind of thing. That really does make it, uh, repeatable. I think when you make it simple, They can keep up on things just, um, file, uh, follow Kyle on Twitter, right, Kyle? Yeah. I mean it's, I I love the fact that you said it. Current events will sell it for you. Yeah. And as long as you can explain it to these non-technical audience through those analogies, that's an awesome win.

And the more you follow it, you, you start to build over time, like some pattern recognition, and it's really easy to spend a couple minutes and immediately the person you're sitting with, you know, that those conversations change.

So, I mean, if you can do it with move the needle with 200 people, Mike, I'm thinking that gives a lot of hope to people that are on this call that just need to educate themselves and do it, or have a small team of one or two people that they can work with and work with and do it. Um, you know, I want to throw things over to Justin. You know, you're hearing this how the conversation needs to change with customers.

So you're dealing with MSPs specifically around, you know, cybersecurity, insurance. How have you heard them or lead them to try to change that conversation with their customers? Yeah, it's a great question, Gary. I mean, I think, you know, we try to make them focus on is that, you know, it's not, I'm dictating to you, it's, we, you know, big picture, they're the CIO of the organization. Their client is the CEO of the organization.

If we go into a Fortune 500 company and the CIO isn't doing his job, and the guy, the guy or girl from Verizon calls their friend at American Express and says, oh, your C i's recommending no before security, we're, you know, whatever it may be. And we're not like the CIO's gonna get fired in our world when it comes to court. You're gonna get fired in suited, you know. So I think that it has to be a team concept, not I'm gonna dictate to you.

So we as an organization need to be doing certain things. I make re we make representations to the insurance company that we are doing certain things. If we don't do these certain things, then I don't have a million dollars sitting in the bank. So I need, we need our policy to respond. So it needs to be a we conversation and take out the I'm dictating team. Yeah, yeah.

So Mike, is that also I'm gonna, I just this, as you said that a great point, Justin, Mike is some of what you're educating your people on is to what you're doing to secure your organization and, and like that piece of it. So one is there's the landscape and the other thing is like kind of what you're doing around standards and IR and all the time you've put in and then understanding that that's the other piece of building that belief system. It it is, that has to be part of the story.

Um, no better example than multifactor. Our, my organization, just like any other challenged multifactor, when we rolled it out to all of our sales reps that it's gonna be disruptive, disrupt too much time, et cetera. And, and that was, you know, we kept, no, it's not, it's not if it's done right. And ultimately when we rolled it out, it was not disruptive.

And then all of a sudden we saw a bunch of multifactor sales increase across the board because reps could actually show it for one and two, tell our story that, hey, we thought it would be disruptive too. And it's not. So absolutely it has to be part of that journey. Gary, can I just say something real quick? Yeah. You know, um, your Show, It's our show. It's our show.

But what, but what's interesting, Mike, you talk about, you know, bringing in your CEOs and CFOs and you know, how you need to communicate, and I just want to just, I'm gonna, uh, uh, not read it exactly, but in domain one of C-I-S-S-P, you know, and you look at the security and risk management for any of you guys out there, and Wes talks about this like learning to speak the language of your, uh, of your leadership is a key personal, it's key to personal success in the industry.

Your ability to effectively communicate information security concepts to the c-level executives is a rare and needed skill. So I just wanna applaud what you're doing, Mike, because that's really, you know, if, if, if they can't sell you and your executives, they're not selling the customer That Yeah, that, that's right. I, I always, you know, I learned this in the financial space, there should be two of your key friends in business should be your CFO and your HR director, right?

You keep those people happy, things go generally your way. And, and part of that comes down to understanding what's important to them. Listen, CFOs are not the bad guy. I think when we talk to CFOs and clients, it's always that great. This is the guy that signs the check. I tell you what, there is typically nobody in the business that's better at understanding risk than a CFO when you put it in financial and dollars and cents, right?

If you can put it in dollars, they'll buy off on these things. If, if you go through and Justin talks about the impact of a ransomware event that typically was caused by multi-factor not being in place or a good endpoint protection product, all of a sudden they're willing to spend on those when they understand the financial impact and really what they're protecting. So do not be afraid of CFOs. You just need to learn how to communicate with CFOs. And that's, that's having a conversation.

Um, Excellent. Excellent. Gary, we transitioning from you over to Kyle at this point? Yeah, yeah, we can go, we can go ahead over to Kyle. One last quick thing I had for Yeah, please go ahead. Justin was, you know, you mentioned this on the last call, is that, um, you see the lack of command that most, a lot of the customers when you meet them, the MSPs, um, have over standards. Like they really haven't gotten down the line.

And when you don't have that in your organization, right, whatever you start with, you know, CIS, nist, whatever it is, before you get to CMMP, um, it makes it a lot harder, doesn't it, Justin, to have that conversation? Like they don't have a starting point by which to kind of frame it out. Yeah. Are you talking about like when the MSPs have it with their clients? Yeah, yeah, exactly. Yeah. Meaning internally Gary, right?

You're saying, hey, if you're Not doing internally and with their clients, they're just not, they have not gotten that far with their security journey. Yeah, I mean I think if we're just dealing with the clients like Mike brought up, you know, I mean to use kind of the real world analogies or something they can relate to. I mean, you know, I just went to the dentist a couple weeks ago.

I can guarantee you that dentist doesn't get medical malpractice if he doesn't, after he sticks those utensils in my mouth, if he doesn't seal 'em up and stick 'em in that hot microwave, he doesn't get medical malpractice. 'cause if he takes it from my mouth and puts it into Mike's mouth, the infection rate's gonna go through the roof and he's not gonna get medical malpractice.

So what I'm getting at is, there is a standard, whether it's the American Dental Association, the a MA, if you're building a bridge, the a i a that somebody's following. So I still don't understand why we can't point out to the clients and say, Hey, like they gotta follow a standard. It's not crazy. I gotta follow a standard. And if we don't follow this standard, we could get in trouble. You know, there are fines and penalties that could come about because of that.

And I think it needs, again, it, it just needs the, the conversation needs to be, you know, switched from, I'm not the bad guy or girl in the room, right? I'm your CIO If I don't do certain things and we don't have certain things in place, this is what could happen. If you're looking at me for negligence and you're not taking my recommendation, my policy's off the table, it's no good to you. You either do it or you don't. And, you know, it just comes down to it.

I mean, we have to do it at tech rug. Sometimes you just got 200 credit score clients and you gotta walk away. You can't give a million dollar loans. If you do, it's gonna go sideways. And don't be surprised. I've used that analogy twice, Justin, since you've been on last in regards to the credit score. It just, it's, it goes back to that analogy. W was was that sharing utensils or is it something else? Well, we do believe in that, but we, we just put 'em in the microwave.

As long as you put utensils, kids in the microwave is what we learned in today's episode. Um, with that said, guys, I think a lot of the audience doesn't realize like how much of this is fairly ad hoc. I've been throwing in the chat all the things that I'm learning from Mike, and you know, Mike, I can't help but think like the last time we heard from Justin, he really kind of covered like how a lot of the security, you know, um, culture starts from within.

You know, it's an internal effort and I can't help but thinking about like you just shared about like, you know, the journey first with these sales individuals that first had to start using two FA internally, then they could use that experience that got better to understand the value. And only once they got that, now all of a sudden they started crushing it with those deals.

I'm just curious, is that something that, you know, you could share maybe more feelings either on that side of the house of, you know, whether you have to, you know, try before you buy or how you help your own other folks that are having these struggles. Because I know at Hunts we actually do some of the same thing. And I didn't even, wasn't even cognizant that I was doing it, but we kind of forced folks to spend time with our threat hunters to be able to understand what we do.

So they could talk about it better, but maybe other folks aren't realizing that's part of your secret. And I'd love to learn more if you could share us about that, you know, making it part of your sales team's journey before they actually could even sell something. Yeah. That, uh, it's kind of a loaded question, so thanks Kyle. I I, I think it goes back to something that Nathan just put in the chat, right? What standard do you use as an MSP?

I would translate it to that and share that journey, right? Like, like we align with nist CSF like in, you know, most organizations are probably gonna in the United States and that, uh, that works. But that can also mean a lot of things, right? And I think that's one, one of the pushbacks that we commonly get from clients is, well, it's a framework. I don't have to follow it.

And, you know, teaching our sales reps the same thing that we went through internally, that, you know, what certain things they can show up on an audit every year, and eventually that looks really, really bad, right? And that's, it goes back to the, the dental analogy of you get told you've got a cavity coming, you get told you got a cavity coming two or three times, and all of a sudden then you've got a cavity, now you're paying for it. The same thing happens, I think, with MSPs.

And the same thing will happen with clients. So walking our, except now at The root canal. Now at the root canal, right? Yeah. That's ultimately what we see, 2,500 bucks. So, so walking our, you know, walking our folks through the process and the journey that we go through internally, how we align with frameworks, why we have to align with frameworks. I think that's actually an important concept.

Educating our sales folks as to why we have to do certain things naturally is gonna make them better. And Mike and Kyle, not to interrupt you, I just, I just want to point out one thing. I know you said we don't have to follow the framework, but I will tell you when we go to court and the, the, the attorney on the other side goes, why does the accounting firm down the street have two FA on email? And my client's an accounting firm and they don't. What's, what do you follow?

How are you coming up with these recommendations outside of testifying in front of congress and having all these credentials? If you're not following some sort of standard, you're gonna lose in court. That, that's exactly right, Justin. And that's actually something I took out of the last one is pivot. Even just internal with my leadership, I've pivoted certain conversations to something Justin said a couple weeks ago. If you're presenting to 12 jurors, right? How are they gonna look at it?

When we're the technologists, we're the experts. And I think when you start pivoting that approach to taking that angle on it, that's when decisions can change a little bit. Um, you know, I've heard David Powell talk about before, nobody likes to talk about any kind of breach, any kind of security incident, whatever that case may be, just businesses aren't talking about it. You don't get a bunch of CEOs together and they go, Hey, I got hit the other day. That just doesn't happen.

There's this stigma around it. And I think once you pivot it to that is part of the conversation track. First off, we're not talking about it. Second off, it does happen. Here's the impacts and here's why we choose to follow these frameworks because it's a pro, it's proven, right? We know that we'll get to a better place. Last thing I'll throw on that is the, one of the frameworks that, uh, Nathan had in his thing was he had NIST and CMMC, and I didn't see what the other one was.

CMMC is not a framework, right? There's, that's law. There's, there's actual requirements around that. And I think understanding the difference between regulatory requirements versus framework is really important because we, as MSPs in a lot of cases, are bearing that burden of responsibility for regulatory requirements from our customers through transference. So understanding that impact's important. I Can I say one thing and I'll tee you up for the next thing, just Yeah, Yeah. Go, go to town.

Because Justin, what you said is like, Hey, you know, what framework do you follow? I'm not, you know, the, the customer pushback. I'm not regulated. I don't need to follow a framework. I love what you said last time about, Hey, there's a trampoline and you said on your insurance policy, we don't have a trampoline in the backyard. Someone goes out there, some kid comes across, gets hurt on the trampoline.

You can't say, I didn't follow the guidelines of my insurance reg, uh, policy and go, Hey, I have no negligence. It's just, that's not what happens. You're, you're correct. And you know, the other thing I totally understand, I mean, I don't live, and I tell our MSPs all the time, I don't live in this world of, you know, getting your clients to follow a standard is really like chasing an an affinity. Affinity, right? I mean, I understand it, it's an, you know, will they get there?

But, you know, it doesn't absolve you of the liability of recommending that they follow a standard, right? And the other thing is, even if you can take 50% of, if you've got 50% of clients that aren't following your advice, and we can make that number 20%. If we get into a situation where God forbid there's a ransomware attack and it would've affected 15% of those people that you switched around, we might not run outta limits if we go to, if we get into a claim situation, right?

So again, the closer that we can take that number down of having good clients and, and take it down to zero, the better. Again, I don't live in a fairytale world where I know it's gonna get to zero, right? But we need to be constantly pushing ourselves. I mean, I didn't wanna come in and work six hours yesterday, but I had to, you know, I mean, we just gotta keep going. Yeah. So I don't know if anybody saw in chat, Tim just teed me up for a question that I was gonna ask anyways.

So I, I hear all the stuff we're saying of like, look, we're gonna have to raise the bar. We're gonna have to do it. But we know this conversation's about overturning sales object objections and SMBs are gonna have objections. So Mike, if I'm thinking about these frameworks, a lot of 'em are teeing up ideas like blue team or defensive efforts. Do you mind maybe, maybe explaining real quick what, what the heck is even like Blue team for those that don't know?

And then your perspective of how are some people going to either have to add some of those, or maybe as Tim's whole question is, what if somebody just doesn't have the resources, but the frameworks they're advising? I think that's gonna be a really hard part that a lot of people struggle of how do I adapt this to those that just don't see the value or just don't have the resources? Okay, you got it. So, um, so Blue team, let's start with that. So what is it Blue team?

I'm gonna put it in an analogy form first. I think that that's like calling, you know, one of the local city police officers over to your house saying, Hey, can you do a walk around inspection and tell me if you were a bad guy, how would you would get in and what I should do to strengthen my property? Right? Most, most agencies will do that for you. Um, that's really what it is in the cybersecurity space.

We're bringing somebody in that's gonna be a good guy in this case, that's going to evaluate our system, find out where it's weak, find out where, where we're good. Um, and then ultimately we're gonna take that list of weak areas, make those action items and strengthen it. Um, how I see that playing in the MS P space, I think first and foremost, we need to be doing it around our own technology stacks as MSPs. That, that's really important.

We, you know, throw it up in a lab and test it there when, you know, to be frank, when you get clients that do test their environment and you react to it, that customer, make sure that you're applying those things across the board so that you're not exposing the accounting firm down the street to another vulnerability that had already been identified by the manufacturing company that just got tested, right? So I, I think there's a lot of use cases for it.

I do think through the model maturity in, in some of the things we're seeing with the, you know, N 853, red five, I haven't even been all the way through that yet, but we're CMMC and those things are going, you're seeing vulnerability detection and repair become a huge component of, of these newer frameworks that are coming out, newer regulatory requirements. Blue team, I think is gonna be the thing that makes it, uh, actionable, right?

It's proving that those technologies are all coming together and that what we're delivering actually works. It's making it so that we can go to a guy like Justin with a, Hey, I've actually been tested and here was the results, and oh, by the way, I've already taken action items and I've turned it into an improvement plan. Um, that's ultimately where I think it's gonna go. Gotcha. It's that age old trust but verify. And obviously verification is starting to actually have some teeth.

There's some cases that you're gonna have to show, like, this really is verified, or you're gonna have a hard time if you're just, you know, doing self attestation and rubber doesn't meet the road when you go to claim or when you have to prove this, some of this stuff. So I totally get it. Any thoughts on that?

You know, for those smaller clients that, you know, maybe they can't, red team, maybe I, maybe the point we're making here is your future might be limited of, you know, who you can service if you can't do these, this is where the market's going. Yeah. I, I think, uh, obviously the, the beauty of MSPs is the flexibility and the, the variety of options that we have to consume services.

I think in a lot of cases it's gonna be a partnership with another organization, um, such as one of the fine folks on this call today, right? Maybe a perch, a huntress, et cetera. We're bring these features into my organization 'cause I'm too small to staff it myself. Um, you know, I think the continuous component is gonna be an interesting one. Um, that's I think where partnerships and SOC services are gonna be very important.

Bear in mind, there's also typically a point in time aspect of this too. What I see typically today on insurance forms, do you do this annually? Start with annually, start doing something and then evolve it into continuous. The the best time to start is now you gotta start somewhere, do that initial assessment. A blue team is assessment is just that, it's an assessment. You're starting there and then you're gonna mature it as you grow it forward into something that's continuous. Okay.

No, I'm definitely tracking there. And Justin, I can't help but think like, uh, a year ago, if you rewind the clock, uh, ProPublica came out and they actually labeled MSPs as ransomware enablers.

Fast forward one year later, uh, CISA and the multi-state ISAC actually came out with a ransomware guide, and I'll be darned in this September of 2020 guide, it ended up throwing MSPs, I won't say under the bus, it just called it like, it was, it called a spade a spade, and it flat out said ransomware infection vector. And literally the title was third parties and managed service providers.

And it warned people that take in consideration of these potential threats, these third parties that could do it. I'd love to know, you know, as we're starting to talk about and pivot to the sales side of this about, you know, the using this as a sales wedge or be able to get into this to talk to new other, uh, prospects.

Any, any, any recommendations in either how to differentiate yourself, maybe to be able to have this conversation or once again, open that door or wedging customers open into the situation to say, this is where we're at. Yeah, I mean, and to your point actually, I mean, I've seen a disturbing trend from, uh, the MSP's clients now, just in the last three months. I've had two cyber carriers that said, oh, you work with an msp no cyber insurance.

So that's another thing that that's kind of disturbing. Now you've got cyber insurance carriers that are saying, Hey, unless you've got internal IT that we can kind of control, you don't get a cyber policy if you work with, Because they're real good at it too, right. To the fire. Right, right, right. Yeah, I I got six, I got 60 employees, and I'm gonna find someone who's gonna take me to the security promise land Exactly Right. To work for me.

But Kyle, um, and I don't know if it's so much of a wedge, right? But I think one of the things that sitting down with your clients is, you know, making, taking snippets of the application, you know, and showing them, Hey, this is what we represent to the insurance carriers that we are doing. Right? If we aren't doing these certain things, again, we can get into trouble. Um, you know, I know years ago, five years ago, it was kind of a, a hot thing for MSPs to say, oh, I've got cyber insurance.

Does your MSP have cyber insurance? Well, I mean, now we're getting to the point where I don't wanna say everyone is, but a large, hopefully a large majority of MSPs do carry some sort of cyber insurance. You know, I, I think that the opportunity of using insurance as a, you know, hey, this is why we gotta do it. I mean, you know, people do things every year in their life.

Whether you apply for, you know, your driver's license in the state, you know, you're checking a box, I'm gonna carry auto insurance. You know, if you get your significant other a piece of jewelry, you have to get an appraisal turned into the insurance company. You know, if you live by the beach, you've gotta turn in, or you've, if you wanna take out a mortgage, you've gotta get, you know, uh, a flood policy or wind hail policy or whatever it may be.

So you have to do certain things to comply with insurance. And I think that blaming, if you want to the MSP, why we have to do it, oh, my insurance provider makes us do it, I think a, they get less pushback. And BI hear it allows 'em to round out accounts and get the clients to do things that they weren't doing before. Uh, that makes sense. I totally get it. I mean, guys, obviously we only have so much time. I'm, I'm curious if you got any, like, what was that, Andrew? No, take it Away, bud.

No, I just wanted to get Wes in in, uh, I, I totally spaced on some of Wes' stuff here, so I apologize. Great. T-shirt by the way there, Wes. I'll put a Request in for one. Yeah, the, uh, yeah, the chili is horrible. It's not even real chili, but the shirt is awesome. Yeah, we're waiting for a cease and desist from our friends at Skyline and not seen yet. Yeah. Yeah. So we Away a little bit and then we'll get into the role play, Wes.

But yeah, I want to go back for a minute to what we started the call with and, and ard, I've got a question for you. Right. So, uh, Kyle and I did a, a session which Kyle, we need to redo this again really soon. I think it's come due again, just around demystifying cybersecurity. Like I get really as a practitioner, but also a vendor, I get really frustrated when I see a lot of the pitches and ambiguation behind cybersecurity.

If you don't know what I mean, go to RSA or black hat, especially Black hat, and you'll just be blown away by what's out there. Right. And one thing that Kyle and I did, Mike, is uh, we talked through, uh, the cyber defense matrix. So I'm gonna post that right here so anyone can see what we're talking about. It's now part of OAS from Sunil U and you know, what Sunil is doing, it's a great and noble attempt, um, is demystifying security concepts.

And, and Mike, I guess I've got that question for you is, in your experience in, in, in practitioner, you know, a a an MSP of over, over a thousand, like 1500 employees or something like that, how have you found that process of demystifying cybersecurity into understandable segments to people that are not practitioners? Like what keys to success would you point to in that? Yeah, I think, uh, um, education, common vernacular, which falls into education.

And then just, again, good analogies, you gotta break it down and make it simple. The, um, common vernacular is important. I can't, I, it was last week or two weeks ago. It might have been Justin the last time you were on. One of the things that we drive hard in our organization is certain terminology. One of the things in that being breach, do not use breach. Nobody in this company other than me declares that.

And only I'm gonna probably do it when an outside firm's coming in and verified it, right? We, we overuse certain terms. That said, we also have other terms that do mean different things and, and hope everybody, everybody joins next week. 'cause I think that's a fun conversation that still you's got. But I would take things like Microsoft and, and Cisco, for example, have very different approaches to zero trust another security term and another concept that means different things to vendors.

So ultimately, me as the CISO in an organization like this, I'm gonna control that again through these, um, round tables that we do by talking about what does zero trust mean, how do you talk about it? And breaking it down to an analogy, um, you know, there's a lot of great analogies out there, and I think that's, again, gonna be the easiest way to associate and bring it down to that common level. Yeah. And Mike, I think it's so important to be able to do that, right?

I, I remember, if I can just share this story, and Mike, you were in the room with this, I remember in the early days of her starting to work with MSPs, uh, this is probably almost three years ago. I remember Aaron, my CEO sitting down with you and a whole bunch of others, Andrew Morgan, you were in the room as well. And we just distilled everything down to the difference between prevention and detection is like a very simple example of this, right?

Instead of talking about, you know, stopping breaches before they happen, which means nothing, or the ai ml thready threat, whatevers that truly don't mean anything, we just said, let's boil this down to the minimum level, the basic level of concepts and understanding and tie that into really good analogies to drive it home. And it makes so much sense, right?

You see people's eyes pop open, you know, like Mike, one of the things we use at Perch a lot is just talking about like a home security system, right? The reason we put one in is because we expect at some point our preventative defenses, the door locks are gonna fail, right? Someone's gonna, you know, jimmy the window open or just come down Santa style down the chimney or what have you. And so it's a great simple analogy to explain the difference between detection and and prevention.

Uh, my question for you, Mike, is what, what analogies do you love? I've always found myself asking that to people. What have you used successfully and what resonates with either your sales team and your people internally or with, uh, clients? Yeah, we, we've got a couple. So if I'm talking to my c-suite, everything's in terms of an airport, and that actually started with my c-suite. That was the CFO started that and, and president et cetera. And that's the, the equate things they understand.

TSA, they understand their role in an airport, they understand detection, right? Everybody goes through a body scanner, whatever he has your bag check kind of a thing. We understand those things. We also understand that you get different levels of security based on a price, right? If you want to pay more, you can go through that TSA free check line. If you wanna pay even more, you can go through that faster line. Um, and, and that's something that's resonated with that group.

So that, that's the analogy that I'll use typically in that space. Um, other ways to be frank, I like any of the medical ones. We talked to dentists, we've talked, uh, just regular doctors and health checks lately, ransomware, and somebody said it earlier, right? It's that 200 credit score. It's like going to the oncologist and, and then telling you, Hey, you got cancer, it's treatable. Do you wanna do surgery? And the patient yeah, says, no, I don't think so. I'm gonna let this one go.

You know what, we're probably gonna pass on that customer kind of a thing. So I think the medical field is a very much one that people understand. And then of course, the home defense, everybody, everybody has, they, they live somewhere, right? Everybody's got a door for their house. And, and they do typically understand those things too. So those would be the three areas that we typically will talk analogies. And we, we, and to be frank, we keep it in that space.

I don't try to introduce new analogies unless we really need to. Um, I I think that's another part of the story is keeping the analogy going. Um, so that'd be my, my 2 cents on that. Yeah, it, I mean, that's really good, Mike. Like, I found myself just for what it may help for everyone on the call being an educating first ciso, and, and it's just in my DNA, right?

I, I've been a professor one of these days when my, my practition days are over, I'm gonna go back and I'm gonna go back to being a professor. I love it. I love the ability to educate. And I remember when I stepped out of education, went into finance, uh, started as a CIO at a, at a bank, uh, I found myself just naturally educating, naturally teaching.

And I've discovered it works wonders for not only your organization, but your clients as an MSP, just being that educating voice and distilling concepts in a way that understand it's understandable to everybody. So Mike, I appreciate that. Justin, I wanna turn to you now. So question that is off script that you have no idea I'm gonna ask, but, uh, the, the language of this conversation just turned to, you'll have no trouble with this.

In the world of banking, one of the things that, uh, we talk about a lot is what's called concentration risk, which is this idea of, Hey, I may have one client or too many clients in a certain category, that's just causing too much risk to me if there's systemic failure in all of that, right?

And we've been talking, and you mentioned Justin, like try, it's, it's not possible, but the objective of trying to get down to like a, a level of, you know, zero clients that aren't adhering to a standard and have accepted it, you know, that sort of thing. Here's my question with concentration risk, do you feel like MSPs probably still have too much concentration risk of what I would call bad clients, clients that, uh, are going to present too much risk back to the, the MSP themselves?

What are your thoughts on that? Yeah, I mean, I, I think, you know, they have to look and identify. I mean, at some point, people born square don't die around, right? You can't, you could peel back so many layers of the onion, but you aren't gonna get them to change. And so I think that's a big thing in understanding, you know, again, I know we're using credit scores again, but can you make 500 credit score clients, 700 credit score clients, right?

Um, you know, and, and you know, in terms of diversification and concentration, you know, making sure that we're in, you know, you're not too heavy in one industry and maybe, you know, spreading it out. Pick two or three industries that you can, that you can focus on.

Um, but yeah, I think it comes to a point again, 'cause I just see it, you know, when you have clients that aren't doing the right things and all of a sudden you, you, I, a lot of MSPs will tell us, well, I know that was gonna happen. Well, if your gut's telling you to run, you gotta run. Because when it doesn't, they are going to point the finger right at you and say, you didn't tell me.

And then their lawyer's gonna say, or the, the MSP usually says, oh, no, don't you remember we had that conversation in your office, or I sent you an email and the lawyer says, I'm sorry he didn't get the email. He doesn't remember, remember the conversation? I mean, he must have temporary, I don't know what it is, but he just doesn't remember it. And so, you know, can you provide us some sort of proof of critical action letter that you provided for that client?

And if you can't do it again, you gotta be defendable in court because you're gonna have 12 jurors that are gonna look at you and they're just common people and go, if you're the expert in the room, why weren't they doing it? If you thought they should have, should be doing it, why weren't they doing it? Again, a doctor isn't gonna treat two cancer patients incredibly different. If he, if the recommendation's chemotherapy, he's not gonna treat one with holistic medicine or she, right?

So that's the biggest thing to me, is making sure that, you know, you know, even we do it at, at tera, right? If, if our gut tells us, ugh, you know, they got a private cloud exposure, they aren't doing some of these things, we just walk like, you know, you know, some of the best clients we have are the clients we didn't work with. Hey Wes. Yeah, just, just, you know, going back, you talk about three years earlier and, you know, think about the evolution of the, and the maturity of MSPs, right?

The ones that you know today are actually using risk assessment and are internally doing it. I think it, it's like this psychology term of projecting, right? If, if you're not doing it internally, I, I guarantee most of your clients aren't doing it to the way that Justin's gonna wanna write them. And, and I can't beat that home enough. Gary, again, it comes back to my years of working with you. Let's use a sales analogy for cyber. You have to have command.

You, you just, you can't sell if you don't have command over your metrics, your numbers, your process there. Look, there's so much here. I'm sitting here listening quietly. I, I can't, I'm going from note to note, like, I can't, it's just, there's too much to unpack. I'm, I'm on fire right now with stuff and we don't have the time today to do it. I, I, couple quick points I wanna make, right? One is, um, Mike, you made a good, you brought up framework versus regulations, right?

So regulations are, you have to do it or there's a penalty. And so you'll see people will invest more money. It's part of their business model. If you wanna do business with the government, there's certain things, right? You need to do. A framework is different and it's, and it's on us to have a starting point. So I'm gonna show you something right now that I drew. I'm also an artist musician. I'm looking forward To this. Let's see what you got. Yeah. Yeah.

You're The modern day da Vinci, aren't you? This is something that, uh, way before cybersecurity that in almost every one of the 1500 sales calls that I went on as an MSPI, if they were qualified at all, I, I drew, I drew this picture. Can you see it Up a little bit? And Ooh, yeah. The box in the blob. Yeah, that's the box in the blob.

And to me, whether you're with, um, I wrote down sales in VCIO, it's the same conversation except one's with a customer, one's with a prospect, which is just explaining to them why we use standards. Now, we didn't have security standards. They were our standards to start with. But listen, here's why we use a standard. Here's our starting point. Here's where you are. And then for your business, let me tell you what those risks are for you when you're outside of these standards.

And they're different for everyone, right? The same, not every customer has the same risk tolerance or, uh, they may not have the same cost to what would happen if, if something was to go wrong. And so if you can make that conceptual sale, that's step one. Okay? Then step two is instead of telling them 50 things technically and what you're gonna do, which a salesperson in Mike's organization might not even be able to do, if you can just say, here's how we've solved it.

We've solved it with roles process. Here's the way a normal provider looks. Here's how we look. Do you see the difference? Yes. Do you see why that makes sense? Yes. Can you live with the risk that you have now? No. Do you understand why my customers invest a little bit more? That kind of process is how we can create, use security like other things. It's not the only one where we can use it as a wedge.

So if we can make that conceptual sale, we only have to give as much detail as when we start to get into examples and we tell stories and relate that back to changes or upgrades. And like we said before, if this year in 2020, you ha you're an MSP and you've not gone back to your customers okay. And told them what changes you've made and what they had to invest because of it. One of two things. Your margins went down or your customer's risk went up a hundred percent of the time, Andrew. Yeah.

And Now we're more fired up. Well, but your risk went up too, according to Justin, right? Yeah. Justin. Right, right. Their risk goes up. Our risk goes up, right? Exactly. Yeah. Hey, so we're at 12 of Gary, I know you got a hard stop at two. We want to do a sales call, role play. Um, we're gonna bring Keenan up here and I'm really proud of him for, uh, wanting to do that. Um, Not easy to do, but we'll be, we we're gonna, yeah, no, It's not easy to do. I've done it with you. It's not fun.

It's talk about a root canal. Alright, so, Hey, hey, um, Mike, do you want me to move you off or? Yeah. Okay. Yeah, go ahead. All right. I'll close you down and then we'll get Keenan. Mike's becoming like a household name, isn't he? He's famous. Really is. Man, Keenan, I'm just gonna, you'll see me grab you. Just accept and come on up. Hope we didn't test your audio and all your fun, all that fun stuff, but hopefully it'll work. Podcast is only about 5% reliable.

Oh wait, first off, I got the mic tattoo, by the way, for household name. I, I took it that far and he's right up there with the Zoom and everything else. You get tattooed? Yeah. Yeah. I get a picture of Mike on my back. Did you, did you see what Matt, Matt put out there? Wes? Of course. Matt Hopper, who I hope it pronounce his last name. The Mona Pika. Oh Yes. Pretty soon you'll be seeing that in the Louvre. Right next to the original. Exactly. All right, so let's see what's going on here.

Bear with me one second. Uh, One thing I I wanna say about Keenan, listen, everybody here is in good company. Like 90% of the people who are on this call, uh, are dealing with the same thing that you run into these situations. Look, some customers make it easy for you, right? They make it easy, and some customers make it really hard and everybody else falls on some continuum. So we have to develop a, um, a position and a process that's effective enough, right?

Like you said, if it's your customers, Justin, then we've reduced the risk reasonably on that. And if it's prospects that we can hit a close rate at the right price that makes sense, so that we can build our business. So we have those kind of guidelines to help us. All right? Uh, it says he's accepting. Can Keenan, I'm gonna stop it and try it one more time.

Let's do one more and then if not, we'll have to move to, and If not, what we'll do, if people wanna, while we're waiting, Andrew, just put in some of the main objections that they get. Yeah. Not only that. What do you mean? Like real world stuff. So it's not us making it up. Like what do customers say? Yeah, That's great. What is the Issue? We will go right after it, man. Right? What do you, what are the objections? And then, um, and, and what are the ones that, um, are so success?

You know, we sent people out that we got 10% that aren't getting objections, man, I, I wanna know, Or they're able to deal with them. Yeah. Hey, the, the other thing we could do, I know Gary Peek had just brought on a, uh, new client who happens to be, um, uh, Wes' Ax Emporium, uh, fine producer of, of axes. Very sharp, very good. So if, uh, we can't get him on, I can certainly Ask him. Yeah, why don't you go ahead. Uh, I've got, we will see if he can get up here.

But in the meantime, why don't you go ahead, Gary. And you know, one of the things we were talking about, I don't know if you want to use it, when you were talking about that CISA guide, and we're calling out MSPs, but why don't, you know, I, I loved what you're doing with the box and the blob as well, but Are people more concerned when they're talking to customers or prospects? It's similar, but it's a little bit different of a conversation. I Like what Dennis put in there.

Now, Dennis has been in this space for years. Uh, he put in, Hey, I'm too small to be a target gar. Oh yeah, that, that's a good one, Wes. That's great. Uh, I mean, Hans, Yeah. Let me just ask the question. Look here, we, all we do is make axes, all right? That's all I do. I get wood, I get iron. I make an awesome ax. Nobody wants to go after me, Gary. And if they do, they're probably gonna be afraid. I'm gonna come after them with my axes, right? So why do I care about cyber?

Yeah, listen, uh, you probably wouldn't care about cyber insurance unless we go through a couple other questions, Hans. Uh, like, you know, number one, uh, if, if something were to happen here, can you still just make all the axes and bill your customers and collect your money if you didn't have access to anything, any of your systems? 'cause if you can, you probably wouldn't care about it. Well, you're right. I mean, we do everything by machine now, like machine based.

Uh, but, but Gary, we've never been attacked before, right? So, like, what's gonna make it happen now? Yeah. So let me ask you a question. On your house, do you, do you have an alarm system? Yes. Has your house ever been broken into? No. No. Mine has not been broken into either. But when I leave, I still set that alarm. 'cause that one time, right when someone's is gonna come difference is hopefully our country is, you know, over time is safer than it was a hundred years ago.

Um, but your country, which is the cyber country, um, it's less safe. So I'm saying, you know, all these stories we've been talking about and the articles, right? That I've been sending you and you've been reading some of our blog posts, seeing about, you know, what's happening, there's more people around now. So again, what you have to do is you have to work under the assumption that your house could get broken into.

And that means you might have a security system, but also means you might have a safe in your house where in case someone gets in, your things that are really valuable are even protected further. And that's the way we're gonna look at it. I, I don't know for you that we need to build a moat around your factory. Um, but we do gotta put in some basic, you know, protections or not. And I don't know, based on that, does it seem like thing it's never happened before, so it might never happen.

I mean, look, I've never thought about it from like a home analogy, right? Like I, I care about my home system. I don't want anyone to get in. If they do, I'm gonna be really angry. I'm coming at 'em with axis, right? I don't have a way to come after somebody with Axis and swords, uh, if, you know, from the cyber perspective. So I get that. But Gary, look man, I mean, I'm looking at the cost, the price that you put in front of me. This is high. Like for us, this is really, really high. Yeah.

And, and I hear that, but you know what, when we were talking, uh, the last time we spoke, uh, you were just telling me about a new piece of equipment you put on the shop floor. I think you told me it was over a half a million dollars, right? Um, like to me, that's a lot of money. Why would you spend a half a million dollars on another piece of shop floor equipment? You were already making access before? Okay, I, okay, I I got it.

So you're trying to get at this from that perspective of if that thing goes down, and I can tell you the cost for us if it goes down is $15,000 an hour. So yeah, I'm guessing, right? You're gonna keep this thing alive and keep it from being hit by some cyber attack. I'm gonna reduce it. I'm telling you we're gonna do these things and I can't even eliminate it for you, but I'm gonna say we're gonna take reasonable precaution.

Again, we're not gonna build a moat, but we are gonna put some basic perimeter security on it. Look, let me tell you why we're having this conversation. 'cause even six months ago, I'm gonna tell you a couple stories about things and attacks that are happening. I'm gonna explain to you that the criminals are not kids in their neighborhood trying to break into your house. They are now, you know, or organizations, uh, that are, that are focused on this and get it done.

And so the situation that we're both in, as me, the person who's here to, to, you know, to protect you and you right? As the person who needs protecting, it's just changed so much. So just like you, we're not gonna shoot an ant with an elephant gun. And if you look at that investment that I asked you to make, you have to look at it relative to your business, to your revenue, to what all your other costs are per month, right? We're still really small costs, you know, per month.

Um, yeah, okay, that's fair about this Hans, that I, I can't let you not do this. If you tell me like I don't believe it, we're not gonna do it. You and I are gonna have to have a different kind of conversation because I can't live with your risk. Okay? I, I see that, that makes a lot of sense and I see what Sunny's saying that's kind of following in, in light of that, right? My revenue's 5 million, raising the prices by one penny, the security I need, okay?

So I'm, I'm sort of offsetting all of this, right? So maybe a couple last quick questions then. Uh, Gary, so are we saying that I'm not gonna get hit? I mean that's what I'm looking for, right? I don't want to get hit by some ransom incident. This is gonna prevent this from ever happening, right? No, this will not prevent this from ever happening.

And if anyone you deal with or any other providers tell you that they're either lying to you or they don't understand how security works the same way, I can't tell you as a putting a security system on your house that you're, no one's gonna figure out how to break that down. That they're not gonna have some technology or the level of person that would come in there to be able to do that.

What I am saying is for the investment that, that as where you are in the size business you are, we're making the smart investments. We do this for 40 other customers, right? We spend all of our time researching what's happening and we're making things that are gonna reduce it to what's reasonable. That I feel like we can both sleep at night and we also spend time and some of this investment is what we're doing. So we know if it does happen that we're ready to respond to that too.

And that costs us money. Honestly, I appreciate the honesty, I appreciate that you're honest enough to tell me it's not gonna happen, right? Because intuition tells me it is gonna happen, so I get it right? I'm a business owner, I make a lot of axes. They're really nice, like I said, very sharp in case anyone wants to buy one. Uh, but I get it, right? I, I'm not perfect either in what I do and I'm not gonna, uh, certify that my axes are, are never gonna, you know, go dull. I, I get it.

I guess my last question, Gary, is I'm looking at all this stuff that's in here and you know, I like these hunts people. It sounds pretty cool. This, this perch stuff. I don't do. I really can. I just, Probably not. That's Probably the one thing. All these things out here, It's probably the one thing you don't need. We can take out the perch. Alright, Cool. But everything else, I mean, hunters obviously, you know, you have to have yeah, but Easy conversation. Seriously, You get that.

You get, can I just do this? Can I just do that? And, and to me, the way that seriously I would answer that would say, listen, Wes, this is, this is the approach. Like we, we do the research, we live in this every day and these are the changes that we need to make. Some of them are tools and services like perch and huntress. Some of them are just some process things that we're doing, some labor things. We talked about the roles we've carved out in it's totality is what I'm saying.

We can get you to a reasonable risk level for a reasonable investment, right? So we don't want to go one step, you know, below that and you're spending all this other stuff and we leave, you know, we leave what would be an unreasonable Hal? And we don't want you to have to think about it. Like, this is our job, Andrew. I'll take it one step further. This is a customer conversation. So I can go right at you pretty hard if you were a prospect.

I, I would even, I always get to the part to go further and say, listen, I'm gonna make a bold statement when you say that. And what comes next is what's called an inflection point. It's what they listen to. Uh, I feel so strongly about this, Wes, and I'm telling you this. Whether you do business with me or not, or choose somebody else, if anyone in our scenario, our quote's gonna come in at $4,000. If anybody comes in below $4,000, I would eliminate them from your process.

'cause based on what you told me you needed to do, and based on the risk conversation we have, uh, remember I showed you how we're set up and those roles and what we do, that's what it costs. So your decision isn't really to spend 4,000 or 3000. Your decision is can you live with that additional risk that you told me you were, you're already living with and don't want to, that's your two choices. You can't get 3000, $4,000 results for 3000.

Here's, here's the process, here's the math man, are you with me? Yes. And at the end of the day, I get it. Yeah, it makes sense. I'm not happy about it, but it makes sense and I'm gonna probably sign that paper as long as I get, uh, some good kickbacks from those, those hunters and uh, and purge people. I need the t-shirts. Listen, ultimately, my job here today, Wes, isn't whether you should buy from true methods or not.

My goal here today is that you are making a decision based on actual facts. And if that leads us that you can live with the breach and you could live with and you can save a thousand dollars a month, I'll be the one to tell you to do that. But that's not where we are. So my only thing here is we don't end this and I walk out and you're making a decision and you're making any investment, even a dollar for something that's not gonna get what you already told me. You have to get to man.

And like, all right, I'm the messenger here. I appreciate that. Maybe we can barter for axes later instead of dollars, but, uh, Gary, Oh absolutely. I'll take almost all payment in axes. Yeah, crypto axes. Yeah. Awesome. Great job. Great job guys. That was Gary. Awesome, Wes, great job. Um, really I love the pushback. I love the way you reframed a lot of it. Gary, agreeing with his objection. Phenomenal. So awesome. Great, great stuff. Gary.

I Know you gotta drop, but I do you do this stuff in true, like I obviously don't know a whole lot about what goes behind closed doors as a service. Do you guys do this type of stuff? Oh yeah, a absolutely. We have a virtual sales meeting. Uh, people bring objections, not just about security, uh, but about everything. And in our peer groups, um, they often will have me do, you know, we'll do role plays, so we'll sit up there. My only rule is I have two rules.

One, um, I get, they tell me the situation and they have to be the sales person first or the MSP and I get to be the customer and then we flip it around so they can see the, they can see the difference. And two, I don't let 'em record it because I don't want 'em to write down my words. I want 'em to just get the concepts, you know what I mean? And the logic. 'cause once you do, you start to get this command and you know, o over it and, and it's fun 'cause you're not really selling anymore.

You're really just trying to help that person. Um, but it's not easy to do if you haven't put your house in order and you come from that position where you know, they can feel it like almost before you open your mouth, they know you have that conviction, that sincerity. Yeah. Well you can see. So Gary, thank you for spending a few minutes extra. I don't know if you, if I can close. Yeah, I'll Stay on for another minute before I bounce.

By the way, you can, you know, you can hear it in Justin, right? The same kind of conviction. You heard it all day long. You heard, you heard it in Mike, you know, and, and why, because they do it internally. You know, it's, you can't all of a sudden say, Hey, we don't do this internally, but we're, what'd you do there, Justin? My automatic light just went off. Um, you know, again, I'll come back to command.

Gary, you were able to literally, I think the light went on for you today back with the box and the blob, which you talked about for years. That hey, we didn't have security standards back then that, you know, there were at the enterprise level, no question. You know, the 853 has been around, but for the typical SMB, so great job pulling that all together. I think this was incredibly impactful today. And I want to thank Justin, thank you so much for coming back with us.

It was all, it's great to have you, um, Mike regard. Thanks a million. And uh, the crew as always, Kyle, uh, Gary and Wes, thanks for an awesome session. 21 Han next Week. Thanks. Especially Hans. We wanna thank Hans from Hans, the act Baker. Yeah, yeah. Amazing Hans. Fantastic. You're welcome. Wishing everybody out there a fantastic day. We'll see you back here next week for Chris Sanders. Be, will be back. Who wrote the book on honeypot? He was feeling allegedly. He'll be back.

What's that, Gary? Allegedly. We'll Be back. Allegedly. All right. Take care everyone. Thanks all.

Related Videos