Onboarding Best Practices and Cyber Risks Associated with Inheriting a New Client
In this video, industry experts Wes, Phyllis, Ryan Weeks, and Eric Munro discuss the intricacies of onboarding and incident response management in the realm of managed service providers (MSPs). They delve into the critical aspects of setting client expectations, managing backlog, implementing security measures, and the importance of a comprehensive onboarding process. The conversation highlights the evolving threat landscape, the need for robust cybersecurity practices, and the strategic adjustments MSPs must make to navigate these challenges effectively.
- Setting clear expectations during the sales process is crucial for successful onboarding and customer satisfaction.
- A comprehensive onboarding process that includes security risk assessments can identify critical risks and set the stage for future projects and improvements.
- The integration of security and compliance as core components of service delivery is becoming increasingly necessary due to evolving threat landscapes.
Video Transcript
Welcome everybody. We are live for session 142, um, and we've got people all over the country and north, north of us too. Um, so, uh, welcome all. We will get right on into it. Let me do some quick housekeeping intros, um, because one of our guests needs to leave at the bottom of the hour, and then I think Wes does too. He's got something going on. It's secure. So all that being said, quick announcement, I'm putting it in chat.
We, uh, we being Wes Phyllis and Ryan Weeks, uh, just got out of studio and finished the Control 17 podcast on incident response management. Really, really well done by them as always. Um, and, uh, what's interesting, as you guys know, is we are one away from being complete pen testing being the last one.
And then we will take kind of a detour into, um, the NIST controls, as it were, and or into a respond and recover, um, subset and, uh, be, uh, uh, doing a lot of lobbying to Phyllis, uh, for version nine. Um, so, all right. So, uh, that is in there. Please share far and wide. Enjoy it. Um, today's, uh, cyber call is about onboarding. Um, this one, um, I'm really, uh, you know, fascinated about, and I, I hope you all will be as well.
I mean, when you take a, a step back and I'm gonna set the stage here and then do intros, you know, it wasn't long ago. Be, uh, and I'll, and I'll put this in chat momentarily where CISA, I think it was the end of January or February, was, uh, put out their, uh, protect event against, uh, the use of RMMs using used in malicious sense, totally legitimate quote unquote tools, right? Through phishing campaigns. I dunno if you remember this, Wes, and, and, uh, and Gary and Phyllis.
But you know, it was, you know, using ScreenConnect and one other to set up in essence, um, C2 and persistence, um, in actually federal organizations and, and others as well, which, and, and by the way, EDR does not detect at all. So it led me to think about, okay, onboarding as MSPs, a lot of us are doing really well, thank God, right? And we've got some very successful MSPs on with us today.
So that means you have backlog, so you have to take into consider, You make sure you that term 'cause it backlog. Sometimes I think of a project backlog, but you're saying it onboarding. Yeah. Go Gary, just why don't you set, set the stage real quick in, into that piece of it, if you Would. No, no, I just wanna make sure we get you, you're on it, Andrew. I just wanna make sure we get that terminology. 'cause sometimes when you just say backlog, that's a term we use, right?
So like you professional services projects that was signed, but we're talking, which would apply here, but we're talking more specifically about you sign a new account and maybe you can't actually complete the onboarding for 4, 8, 12 weeks, right? You can only do so much onboarding. You sign four accounts at once and those kind of things. So what, what happens, you're saying in that, in that timeframe and how has onboarding changed? Yeah. Abso you, you nailed it, Gary.
And, and even if you could onboard somebody tomorrow, you know, we all know about, you know, technical debt and inherited risks today that we, we didn't have to worry about five, six years ago. So, backdrop set. So with that quick intros, um, I wanna first, um, I was saying this offline, but I'm gonna say it online. I am really thrilled, Ryan, spi that you are here. I was saying in the background, I hadn't seen him in a while, 20 or so years ago.
Uh, I was honored that I got to sell him ConnectWise, um, to his 12 employee company comp vision at the time. And Ryan, what's uh, what's your company have as far as employees now? Yeah, we're just, we're just creeping over 600. Um, so we've had a lot of growth trajectory, you know, through M&A and organic growth and, and all those great things. But, uh, it is a different beast today than it was 20 years ago, that's for sure. Yeah. Well con thank you, uh, for your friendship.
Thank you for coming on and congrats on all your success. You really deserve it. Tell us a little about yourself, your MSP, and then we'll go to Eric Monroe. Yeah. Um, thank you. And it's exciting to be here. Obviously you guys are doing some great things around, you know, our community and I'm happy to support wherever I can. Um, VC3, what can I tell you has kind of been around for 25 years. We're 600 plus employees. We work in 31 states and about eight provinces in Canada.
Um, the one unique thing about us, um, I would say is our focus is, um, around local government. So cities, towns, counties, special districts. We have about 1100 cities and towns that we take care of across both countries. And so that's a different vertical than, you know, SMB. We still have obviously an SMB focus and we've got verticals within those buckets as well.
But it's a different unique, um, vertical That's, you know, I would say if you put a hundred MSPs on stage and said, Hey, tell me, keep your hand up. If you take care of local government, it would probably be, you know, us and a smattering of other ones if, if they even exist out there. But, you know, put it in size perspective for, Wait, if you fall in that category, send right an email. Yeah, Let me know. I'd love you to join. It'd like to you. Correct.
And, uh, there's not a lot out there and when we find them, we seem to buy them 'cause we're, we're really really moving and focusing on this and it's a unique vertical that's there, you know. Um, but other than that, that's, that's really what we're focused on. We're, we're an MSP like everybody else within the ecosystem. And, but it's really, you start to understand your target market and what you focus on and how they buy differently. The sales cycle is far slower for cities and towns.
There used to, has, there usually has to be some real pain for them to make changes, but even if there was pain, it takes a long time to be able to do that. But that gives you a snapshot of us. And yeah, we're, we're growing organically 14% year over year. And then inorganically, 25% is our goal of, of like M&A activity that's happening. Put in perspective. We're about 130 million run rate, um, for revenue and 80% of that's recurring. Cool.
Hey Ryan, by the way, I, you know, we were joking around backstage, but you should be on stage with me, Phyllis and Eric Woodard, uh, at, at Salt Lake. 'cause it's for the SI Sac, which oversees all, all the state s SLTs state, you know? Right. Amazing. So we'll come back to that. So we Have to talk about that. Yes. Yeah, we do. Okay, Eric, thank you so much for joining. Uh, Zephyr principal of Zephyr Networks awesome to have you. And we're gonna split up the cyber call two ways.
By the way, Ryan's gonna go first. Eric's gonna go second. Ryan needs to drop at the bottom of the hour, so Eric let you let it rip. Well, thanks for having me. Thanks for having me. I know it's a real honor to be on the same screen with all you guys, industry leaders, so really happy to be here. Uh, we're on the opposite spectrum of Ryan. We're a regional MSP here in Southern California. So we have much smaller staff.
We like to leverage industry best partners and processes that allow us to deliver the quality of service that you would expect from a larger MSP. Um, so, you know, with our, with our team and our processes and our right fit clients, we're able to do that. Eric, you're really humble though. You guys have done a really good job on your security, uh, both internally and in terms of how you're delivering. So I always appreciate that part of you. So we're gonna get get into it.
Greg, Gary, you gonna share Something? No, no. And it's great. And we, and when we talked about this Andrew, we wanted to have, you know, we want to have Eric on 'cause I think he's very representative of our community. Absolutely. And for many of 'em what they aspire to, right? And then also Ryan, because I've learned a lot about things from watching things at scale, right? Yeah. Seeing what companies at scale do we can learn a lot from.
And so, um, I, the full disclosure, I have a relationship with both here. Uh, so, um, with, uh, Eric in our peer groups, and I sit on the board of VC3, so, um, two people I've known for a long time and respect And, and you're my personal counselor, psych, my psychologist, my psychosis issue. So there's three relationships you have Here. Alright, so Ryan, let's get, let's jump into it. Let's talk about like the changes you've seen in how you approach new customers.
Like let's start from a sales perspective perspective about setting expectations about what happens after they sign an agreement in terms of timing, what risks there are. Who owns those risks? You with me? Yeah, Yeah, yeah. No, I, I mean, I'll just say, so we, and I'm, I'm happy you cleared up the comment around backlog. So we track two backlogs, we track project backlog, and then we track onboarding backlog.
I think our onboarding backlog right now is about, last time I checked was about eight to 10 weeks. And, and so what's interesting is you can imagine when you're having these conversations with prospects and you, you know, you need to be real clear upfront that, you know, we're not starting tomorrow unless this is like an emergency, you know, fire. And so very early on in the sales cycle, we share that and we actually use it to our advantage more like, hey, like who do you wanna work with?
If you can, if you can go to a doctor that you can get in this afternoon or you go to a doctor, you have to wait a couple weeks because they're the specialist and this is what it works for. So we try to use that, but we hit the, no, you know, we hit the nose rate rate on the head as soon as we can because I do believe that expectation is really, really important early in the sales process.
And then we just align that and tell them how that's gonna work and what does this look like, and get them excited that you've made a good decision. Um, but it's gonna take a bit of time and then we've got a process that we need to follow and, and move in that direction.
Yeah, I I mean the hard part there is even when we set the best expectations, if during that period there was to be an incident, it's, we, we, no matter what we say, right, we shoulder some of that risk and Andrew was saying, uh, in the green room, or maybe it was at the top of the hour that even after we get through that onboarding, we will un we'll identify some risks, right? Um, yeah. That are gonna take time and sometimes money to be able to mitigate.
So like that risk, we always have it, but like during that first three to six months, it's a lot more. Yeah. So I will say one of the things that we do for a couple of our larger customers, um, that are on the, they're private equity backed and they have an M&A train as well. And so they're acquiring, we one in particular, I'm thinking about that they do 20 acquisitions a year, so they're just buying companies left and right.
And what we learned through this was what would happen is they would do the press release, um, that they've acquired another company and then they automatically become a target. And because they press release and they're the threat actors are all, you know, they're e listening and seeing this.
And so now what we've done is we've actually switched this protocol around governance and when they've acquired their next acquisition, before they do any press release, anything, they let us know and we're their provider. We roll out all of our security stack to everything.
So instantly they come on board, they still have an incumbent and we're gonna be transitioning, but before we actually do that, we roll out our entire security stack and have that in place before they even do their press release. And so what that's done is just like mitigated this risk that we're announcing to the world that we just acquired a company and it's gonna be an influx and it's a perfect target for threat actors and, you know, cyber criminals. But, so that's been a huge change. Yeah.
Andrew, go ahead. Just quick question. I mean, are you guys, you mentioned that you're doing it before the press release, but during due diligence, Ryan, are they using you from any MDR and investigative perspective of, you know, what kind of, what do they look like under the hood and address? So we're spending more and more time, I find when you have clients that have a capital partner and that are, are doing an M&A, they, they've got an M&A discipline.
Um, we're being brought in more and more around the due diligence. They haven't bought the company yet and just like they would do a quality of earnings on their financials they're doing do a quality of IT or quality of stack. Um, and so we're seeing that where we're coming in place and it helps them, it helps 'em nonetheless understand the landscape that they're acquiring.
I don't know how much they use it for, like reducing cost or changing, you know, the EV value, but for the most part they want to know what they're dealing with. And I'm telling you, I I probably have a handful of stories where they've acquired companies, we put our stack in and they, that that acquisition has been compromised for eight to 12 months. They were, they were already in the environment.
We flick the switch on our cyber stack and they're like, whoa, there's like bad things happening already. And it's been happening for a long time and they had no idea. You know, so that, that's where we're seeing, you know, Gary, your comment around, well how has it changed? What does that look like and expectations.
And I think everybody needs to be prepared that you might acquire an account that's already been compromised, been compromised for a long time, and now it's gonna be your problem to mitigate because their incumbent, you know, obviously didn't do what they needed to do to take care of them. Yeah. It's, it's really interesting, uh, you know, Derek was talking to this point, you know, in chat, like, are you concerned about a new incident or existing?
And it kind of brings me back, Andrew, to thinking about, I keep going back to that moment at SCH Fest when we were all on stage together and getting a show of hands right. From some pretty good MSPs right. At, at our event and how, how few of them had a managed solution. Yeah. And to me, what you're talking about there, Ryan, is like, if you don't have a a, a managed solution, you're you, that risk still exists, but you might not uncover it until something else triggered. Right.
You're not gonna uncover it. And I think it just speaks to the fact of, of how we kind of have to change and reason why people don't do it right, is 'cause they're not able to have that value conversation. 'cause it's more of the most expensive things in the stack. Yeah. But it's, it's so critical.
'cause at the end of the day, if you inherit a new client and you don't have a good, uh, security stack, and so you've inherited them, you don't know that they have already been compromised and then six months later something bad happens. Well, that's on your watch now. Yeah. Even if you unpack that and realize that it actually happened two years ago, they were compromised. And we see this all the time where there's, there's, there's organizations that are compromised and they just sit dormant.
They want to gather data, they're just compiled, they're really, really, it's unbelievably patient to be able to wait and strike at the right time to be able to, to, to really maximize what this looks like. So I I, I'm at a point now where we, it's it's non-negotiable. The cyber stack's non-negotiable. The risk is too high.
I have this saying that I say to our team and anyone that will listen, I'm like, it has never in our, in our history, it's never been more dangerous to be connected to the internet than it is today. And it will arguably never be this safe again. Mm-Hmm. And so it's only gonna get worse. And so like, we have to be thinking about this and what are we willing to, to take on?
And I use this analogy about being a doctor, and if I was taking on a new patient and they're smoking and drinking and doing all these bad things for them, and I'm like, you need to stop these things. And they're like, no, I'm good. I'm gonna figure it out. I I probably don't wanna be their doctor. And and it's the same scenario for, you know, the managed service space. Yeah.
So I I I say a little different way, which is I always say to our peer members to tell their their customers, why do I care more about your cybersecurity risk than you do? Yep. Right. So let's take it one step further. The cost of onboarding now is much higher because all of this before, you know, we just basically, you know, opened up IT Glue and documented some crap so that we would have six month old documentation in six months, right? Yeah.
So now all these things need to be alive and there's a lot more things we need to do, right? To uncover risk and put our best, our process in place and get our controls in place and our governance. So how, how do you do that? Like is the billable part of it more, have you baked it into more of a seat price? A combination of the two?
How are you dealing with, I'm Saying it's gotta be twice as expensive as three years ago to Properly Well, and I would just say the tools creep, like it every, it seems like every week there's a new tool that does something that we need to look at. And you know, I had this conversation that there's only so much, there's only so much margin. There's only so many dollars that people can do. But it all, it comes down to risk.
So we typically, when we do onboarding is we do this thing called a critical risk project where we would, I would look at just, we're not looking at everything in regards to, okay, how, what's your document management policy and how do you, how does SharePoint set up? It's more like backups, EDR, all of the cyber stack. And so we call them critical risks and then, and then we would take a snapshot of that and what are the gaps from where they are today.
And to where we agree is what standard is in VC3's world. And then we go back and say, and this is why it's called critical risk, um, here's what we need. These are kind of non-negotiables. We need to be able to execute and implement the, these is typically a project, there's a cost associated to it and we've gotta get you up to speed. Yeah. And I'll, I'll say the narrative around this is, this is why you hired us.
You wanted to know what was wrong with your environment and we're telling you. And so, so, you know, don't shoot the messenger here. We're actually gonna get you to a steady state where you could, you know, sleep good at night, but these are the things you need to do. And they're non-negotiable in regards to getting you to a good spot. Because your comment about why should I care about more cybersecurity than yourself is a hundred percent accurate.
And I always go back to why do people say no to EDR? Why do people say no clients to a cyber stack? And I, I say this to our sales reps and our vCIOs, I'm like, the only reason they're saying no is they don't have enough information to say yes because nobody around this call, or even everybody on this call understand the threat of it and how bad it is. Yeah. So somehow our clients or the prospects don't have enough information in a right way to go, oh my goodness, this is a bad thing.
We need to mitigate this Ryan, or said differently. We haven't spoken in a language that they understand. Correct. That means something to them. Correct. You know, your, your M&A and whose fault is that? Us or our clients? Always us Gary. Right? Always us. And and to your point with your M&A clients, like it's so evident. Like if you started to say, let's just say it was a company that had a lot of PII or PHI and you said, Hey look, got some concerns here.
If, if there is indeed a compromise based on the number of records, oh, and by the way, you do some lending, so the FTC guidelines come, you could be looking at fines of whatever, $6.2 million. They all of a sudden have to make a decision in terms of we could be inheriting a direct regulatory hit of $6.2 million if we speak in terms of the business, people will go, yeah, put on whatever the hell you want, Ryan. Yes. Yeah. You're, you're a hundred percent correct.
I think the narrative is an important component. And I would just say our, we're at a point in our industry where we're, we've gotta be in incredible with our communication. We've gotta be able to share why this is important. Because think about it. We've had clients, you have clients for a long time. And, and, and when I talk about tools creep and all these things, and we're always going back, Hey, we gotta add a couple more dollars, this is to protect.
And, and then, and at some point, you know, they question this like clients question, but do we really, I get it. Do we really need this? And what we're talking about on this call today around the cyber is like, like this is lifeline. This is the most important thing to keep the lights on in an organization. But you're right around framing it in a way how it impacts them. Oh, you're not gonna be able to pay your people, you're not gonna be able, the the lights are gonna shut off.
Like you might not have a business tomorrow. Like those things are really near and dear to their heart, especially if they're small to medium businesses that we all take care of, right? People used to say, look, I, I, you know, I, I don't need a Maserati, I just need to be able to get to point A. And we're like, well, what if it doesn't matter what your car is, what if it's stolen? Right? Like you have no car and you're on a bicycle now. Yeah.
How long can you go to work on a bicycle, you know, 25 miles. Andrew every day could do it. And he, he'll be like doing dumbbell curls while he is riding the bike. Uh, I, I had other questions, but for sake of time I'm gonna move over, but Andrew, I'm gonna circle back. He said something really important about how they do the critical stuff first. I want to make sure I highlight that, but I, but I want to get it, I wanna get it over to Wes for sake of time. Yeah, absolutely. Cool.
By the way, Wes, you know what Brian's thing comment reminded me of? I can't think of Mark's last name, but remember the gentleman we had on who did the barn door assessments? Mm-Hmm. It, you dude, and I'll send you this, Ryan, we had a gentleman on that did something called the barn door assessment. Like is the, are the doors open and and are the sheep? And can all the livestock go flying out? And it's kind of what you're doing.
You're not sitting looking at every tactical policy within the organization, but you're looking at the big things that could let all the livestock out of the Barn. A hundred percent. Yeah. Yeah. It's like what could kill us? Not, not, not something that's a bad day, but what could truly kill us? And I, I love that analogy. I'm a, I'm a big fan of analogies, but it, it, it's, it's changing. It's changing. And we have to have resolve, I believe as MSPs.
We have to have resolve to believe in this and, and be okay to walk away from people that don't believe in if we cannot articulate it properly. Because that's how you get people's attention in my mind. Yeah, absolutely. Wes. So, uh, just as a preface to all this, um, Chris LA's right over here and the Huntress pre-day that I stepped out to do the cyber call and oh, tell him I said happy birthday. I asked him, oh, was today's birthday? It was, it was just act like it is either way.
Yeah, I'll tell him. And I asked him like, Hey, our IR teams on the insurance side are seeing a huge uptick in ransomware attacks, especially from last year. I'm like, are you guys seeing the same thing? He goes, we are overwhelmed. So I just fair warning to everybody, um, we're seeing about a 77, 78% increase in ransomware claims this quarter alone compared to last year.
So like, I just want you guys to all know, uh, it is picking up again and this conversation is critically important for you. So just, just throw on that out there because this is becoming, um, as big of an issue as it's ever gonna become. Wes can unpack that at the End with you a little bit more. Yeah, well, yeah, maybe we could do it quickly right now. 'cause I've gotta drop at the bottom of the hour to get back to the pre-day.
Um, Gary, what I think is going on here is, um, I do, we're seeing a resurgence in some of the same threat actors that kind of went dormant for a while and are coming back. And also we covered it right at Boom BlackCat. They're one of the number one ones that we're seeing right now. And I think what's happening, Gary, is the conflict in Ukraine just caused an all out stop in that kind of stuff.
And now I don't think the conflict in Ukraine is like changing at all, but I think some of these threat actors are getting back to business again after there was a big reset for them. Um, and so we're starting to see a huge uptick in, in attacks once again. So that's probably, you know, unpacking it from that perspective. Gary. Awesome. Yeah. Yeah. Awesome. So just, just be aware. So Ryan, that brings up a question for you is let's get, uh, that the conversation so far has been really macro.
Let's get micro for a minute. Can talk to me about some of the mechanics that need to happen in onboarding. Like MSPs need to get really tight processes around what they're checking, what they're doing, what they're documenting, especially because if you realize something has happened, do we have good documentation along the way that's proved we've followed a procedural onboarding, we've done all the right due diligence, there's not been negligence.
So walk us through your perspective on this and how that should work. Yeah, I would say like the depth and breadth of, um, information we're gathering is, has dramatically increased over the years for onboarding clients. Um, and, and, and there's a massive focus around security. And so, so one of the things that, you know, when I was speaking to the team, we have, so we have a dedicated onboarding team. This is all they do.
Um, a lot of this is around, think about internet of things, um, internet of things, cloud services, all these things that are like tied to the internet and smart devices. That was never a thing, you know, even, even five, eight years ago to what it is today. It almost seems like everything's smart within these devices, within these organizations. So there's a ton of stuff around that.
Um, and then you can imagine when we're gathering in this data, we look through a lens, you know, can it have multifactor authentication?
There's a lot of, I I I, you know, I tell people all the time, this is probably the number one thing, and obviously everyone here is, has a level of security expertise, but when I'm sitting down with like my mom and dad, I'm talking about MFA, like if you, if he has a username and password needs MFA, so we, MFA is a big part about what that looks like because a lot of times we'll uncover things that either don't have it or it's historical or they don't have the right things.
But that's where we ensure is everything's looking through the security lens. So it's the first thing that we do. That's why the critical risks happen. And it's about the barn doors and letting all the animals out and then we'll figure out everything else. I will say it doesn't stop there. Once we make sure that the house is in order, we have something called a strategic alignment app and it probably has 80 plus things of best practices to do.
And then we just measure what they look like and, and are they, are they online? Are they offline? Do you even have it? And then that's how we would budget out our quarters and our years. Wow, that sounds expensive. It sounds more expensive if you didn't have it. Yeah, it takes time, right? Costs money. It does. Yeah. Yeah. But I mean, what did you sign up for with us?
You know, like I, I look at this going like, if we want this, if we want technology to be a driver in the right direction for these businesses, this is how they need to look it through that lens. So I don't know if that answered your question, Wes, but that that, that for us is like, we have a larger tool set. We're always looking through the security lens of everything we're doing and we're just uncovering more and more. It, it does answer the question.
Maybe a quick follow up and Gary, add to this, if you would, where does that checklist come from? Does it just come from doing it or are there like places people can go and pick up a starting point for to, to kind of build this process, this checklist? Gary, do you want to go? Can you start with controls? Yeah. And go from there, Ryan. So, so I will say this.
So we use this terminology internally, um, and we R&D a lot, and R&D in our definition in our business is called ripoff and duplicate. Um, and so we rip off and duplicate a lot. And, and so what I mean by that is if you're in a peer group, R&D from your peers, if you go to a conference or you meet with people or you're compa like R&D, all this stuff.
And so I would just say our stack, you know, started with what we were doing and, and oh, we got burned on this, that better go on the strategic alignment app. And what I mean by that is it's gotta be something we need to check next time. And so it's always being refined and there's more things being added to it. We don't want it. So it's just this massive list that will never get done.
And it needs to be compelling enough to be able to articulate to your clients, and no, this is why you need it, this is why you need to invest in it. And if you don't have, if you don't do it, here's what, here's what the risks are. And it's similar to what Andrew was saying about the narrative of speaking to our clients because, uh, there's no reason everyone, there's no reason anyone should not say yes to these things if it really is compelling to, to actually protect their business.
But we're just not doing it in the right way. And so I just, I never take no for an answer. Like it's not, that's not good enough. Like No, no, we just, It's not, there's no way. Like we haven't, we haven't shared with them. I'll tell you. Yeah. I'll tell you Ryan, one thing I learned, right? Listen, I spent years right building my IT process, right? And so what I learned from that was the alignment was one really big piece, being able to do alignment, track alignment, verify alignment.
But the magic was in the presentation between understanding what the real security or technical debt is, but what is repeatable process where multiple different people in your company, right, like vCIOs know how to have present that in such a way that the customers can understand the business impact.
And I think that's where a lot of people, Ryan fall down and you talked in business terms, so obviously as the CEO you're pushing that down, but to me, knowing something and then translating it at the right level of detail, but also with the concept, so the customer enough where the customer says, yeah, that makes sense, yeah, That Is where the rubber meets the road. So, and I think in our industry, we, we, we haven't, we haven't historically been good at that.
And so even in our own business, we don't have it all figured out. I mean, I have vCIOs that are struggling in certain areas that they can't, they can't create this compelling narrative to the client. And I'll give you one quick story before I drop, but we had a, a scenario where, you know, end of life, 2012 servers, Microsoft, they're, you know, this is all happening.
There's this huge push that we're doing and, and I was talking to one of our guys and he is like, yeah, no, the client doesn't believe in it and they're not gonna do it. They're just gonna continue on. And I said, well, I'll just get on the call with their CEO, I'll call him. And so I call him and he's like, uh, you know, I know you're telling us we need to do this and, uh, I just don't think we need to spend the money.
I think we've got another three or four years on these things and I think we're good. And, and so, so I said to him, I said, I need you to understand you can do that, but I need you to understand like next year if you call Microsoft for support and say, Hey, I need, I need some, I need some help with this, this server instance, they're not gonna know what you're talking about because they're gonna, it's it's end of life. They, they, they believe it doesn't exist anymore.
And so the other thing is they're not doing patches. They're not looking for vulnerabilities. They have like turned that off and moved on to something else and you are the one now that is solely responsible, um, for the risk of this server. 'cause no one else is looking at it. And so like compelling talking them in that narrative. And then so all of a sudden it changes mindset. And I said, if you're not willing to to upgrade these, we, we can't have you as a client like that, that's on you.
You need to kind of move forward or you're signing off the risk here. And all of a sudden the mindset shifted. It was like, whoa, what do you know that I don't know. And, and, and it changed the whole parameter. And then they signed off and they got their, you know, they got, you know, they got upgraded. But my whole point with this, I can't be the only one doing that.
And we need people to be able to train and help our people see this and be authentic enough to walk away from a client because they believe in the principles of what we're doing. And I think that's part of the, the immaturity that we have as we grow in this industry, is to believe what we believe in and, and stand by it, Right?
And, and you quintessentially in that conversation, did the challenger sale, you pushed back, you created friction and you provided him an insight about Microsoft, right? Yes. We're not looking at vulnerabilities, we're not doing this, that, and the other. This is on you.
And I want everybody to hear that because whether you intuitively right, did it or just, you know, you, whether you're like, Hey, I'm a challenger guy, or in your intuition was spot on and that is why challengers sell because you were not willing to go, okay, the relationship is more important to me.
You're like, no, I'm gonna create friction here and I'm gonna provide 'em an insight or her on why this is actually a really bad decision for your business and what risk it's creating in your business. You can't run an MSP without that mindset today, at least not one that secures their customers and is gonna be financially viable moving forward above breakeven. It's impossible, Andrew. It's not the world we live in.
If you're living in the same world where the customer's always right, you're screwed. 'cause in our business, the customer's almost always wrong and you're the one who's gonna tell 'em. Yeah, Right? Yeah. You know, and I, I use this terminology all the time. Um, rejection creates obsession. Um, and, and I I, I do believe it's in the sales cycle as well when people, like they're pushing on our price and they don't know we want to discount. And I said, you know what?
You, you might not be ready for, you might, you might not just be ready for what we deliver and that's okay. Like, it's okay, you move on, we'll go find somebody else. But like, not everybody is equipped to, to to, to really believe in what we're doing and how we're doing it. And so that, you know, that rejection of like, it's okay. It's okay. Go find, there's a lot of MSPs up there you can go look at. And they're like, well, what do you mean? What do you mean I'm not ready?
Like, and I'm like, well, like it's gonna cost you some money and you're, we're gonna do it right. We're not gonna do it fast. We're gonna do it right. And it's, and, and I need you to believe in that. And if you don't, it's okay. But that's what we're delivering. Um, and if you wanna be on board, great, we'll have, but if not, you know, we'll see you we're, we're a great second MSP, that's what we look at it, you know, I feel like a lot of people gotta go try somebody else.
And we're, we're an awesome second MSP. So anyways, I'm like way over my time. No, Go ahead. You go Ryan. And we wanna and we wanna get to Eric, but I gotta, but but go ahead Ryan. We'll we'll let you go, but I gotta pull that thread a little more. I can't help it, Andrew. Alright, thanks folks. This has been fun. Thanks Ryan. Alright, bye-Bye bye. Thanks. You wanna pull on it, Gary? Yeah. Yeah. I wanna pull on that thread just a little bit more.
Not only, it's like you, you might not be ready, but what I like to phrase it differently, which is, listen, my job right now, I'm assuming we're not gonna do business. My job right now is not to convince you that you should spend the, invest the money in doing it. Right. My job is for you not to think that you're gonna go pay someone 30% less and get what we're talking about. 'cause I'll show you the math of how we do it. The people, the process and tools. It's not possible.
Long as you go and understand, you're not choosing price or vendor, you're choosing risk and results. If we get there and you still make that decision, I'm good, but I don't want you thinking you're getting something that you're not like I, that I can't live with. I'll take 10 more minutes with you. Yeah, yeah. Really good stuff. Hey Eric, just real quick, I took you off mute and we're getting a little echo. Is there any chance you have two Crowdcast windows open? Huh? Okay.
I don't, No worries. Sorry. And it might just be the, the mic. No worries, Wes. No worries. We We'll make it, we'll Make it through. Yeah. Yeah. We're, it's not horrible Eric. It's not horrible. No. Okay, So I can switch mics to that. Let's, Let's go ahead and make it through. Yeah. That way we will, we can preserve as much time.
So there was a good question that came into Q&A from Mark Winger and gave it an answer, but I actually wanna zoom into this and ask you the same question is from the sales side of the house, right? So like the prior to the deal closing, what expectations have you shifted training your vCIOs or your account team, whoever's in front of the deal? How have you transitioned this conversation of onboarding and security requirements and process overhaul?
To Gary's point, this stuff's gotten expensive, right? So how do you, how do you, how have you transition this over the years into that conversation? So in the years past, you know, as any revenue's, good revenue, right? Um, and that's completely changed these days and it's more of an education with the client than anything else and see if it's a right fit. Um, you know, we're a, we're a smaller MSP, so we can only onboard one client a month.
And, um, so we let them know what our kind of schedule is and what's available for them. And you know, what we've also done is that we've got a minimum monthly commit to us that kind of weeds out the less mature companies, the ones that don't really understand or get the value of what we provide. So we, we make sure that they understand that our onboarding process does take, you know, 30 days all the way up to 90 days, right?
And in that, in that, uh, onboarding process, we do a little bit more documentation and policy building. And that way it, it sets the expectation with the client of what the client's responsible for and what we're responsible for. And I'm, I am pleasantly shocked that you've set a limit for yourself of one client, uh, at a time, one client a month. That's pretty, Gary, how many, how many MSPs do you think set a limit like that? I think most of 'em are like, give as many as I can get, right?
Yeah, no, absolutely. And the thing is you can sign those deals, but they just have to be aware of what that situation is. And you might be stacked up a couple months, right, Eric? Yeah. And, uh, the first month of onboarding, we won't support them, right? They're not covered under the agreement. It's just the documentation. It is the deployment of tools. Um, you know, sometimes, most of the time it works really well with their current provider and it's an, it's a, a mutual respect handoff.
Uh, other times the client wants us to take over right away and they understand that everything we do for 'em during that first month of onboarding that's not onboarding is strictly time and materials. And they're gonna get billed for every time that we react to something. And, and here's why it has to be that way.
If you're listening, it must be that way because you run into these situations where it looks like an incident or you have problems with the prior MSP and if you just bridge them right into managed service with the whole, like take of like we take care of everything, all of a sudden you have built yourself into an enormous time sink that you can't get yourself out of. And in cases where an incident comes live, this is something that can really bite you in the rear.
Um, Andrew, I see you were gonna say something. Yeah, no, I, I'm, I'm excited, I'm glad we're touching on this. I know Phyllis is gonna ask the question, but I I, I spoke with Eric Tilt offline. Gary and I talked about this and, and I wanted to talk to Eric the statement of work and your effective date.
We're gonna get into this really, really important Eric, I, I couldn't agree with Wes more that I'm really glad to hear of your approach on this because a lot of MSPs, you know, Eric will say easy Wes, nine out of 10, if not 10 out of 10 statements of work that he first looks at would crush them in today's environment in terms of when they onboard their customers and how they're onboarding them based on the, the legality of what's said in the agreement. You, you gotta protect yourself.
If you have not had a fine grain approach to your MSA on this, by the way, Eric Tilt is right over there in the same preday. Uh, you've got to go reach out to someone qualified like Eric or or Brad Gross or Spencer P*****k or one of those and really get a deep look into this. 'cause it, these are the things that can truly wreck your, your MSP for sure.
Um, okay, so, uh, next question then, and maybe this will be my last, I'm not sure 'cause I wanna make sure Phyllis has a good chance to jump in too. But, um, talk to us a little bit more just about like the, like we, we let dive in more to this on how the threat landscape has impacted our cost for onboarding is just walk us through more about how Zephyr looks at the threat landscape itself and what bad actors have caused to push into onboarding itself.
Like it, I guess get a little more tactical for me if you would, Eric, of like things that you guys make sure that you do in onboarding from the threat landscape mitigation perspective. Yeah, so we focus a lot on onboarding. Obviously if it's gonna take us around 90 days, we find that the more effort we put into it, you know, the, the less reactive tickets, the better security and the, and the happier the clients.
Um, and then it goes the, the cost of all that is the hours it takes to, to accomplish this. And we, we, we never come ahead in the cost of onboarding. We're usually pretty behind in it. Um, however it does identify projects to get to the standards that we, that we demand or where the client wants to be. And so that sets up professional services over the next year, quarter, whatever, to get them to the air, to those standards that we all want to get to.
Um, and then the other costs are all the tools, right? You know, we're a small MSP, we need to have a lot of technology. We need to have a lot of tools, a big tool stack that's comprehensive, that's got processes built around it that, that we include in our monthly alignments so that we include in our VCIO meetings. So all of those extra tools that we put in have to be incorporated in some sort of a process and accounted for in all the different stages of, of the service.
So the expense gets, gets large. It, it does. Andrew, you're on mute my friend. Can I, can I just, every time someone says I I think of 40-year-old virgin, like I, you know, I I hope you have a big trunk 'cause I'm gonna put my tool stack in it.
Um, Eric did, did does it how I, I'm just curious, you know, we've, we're talking about, you know, the tools and the micro and the, and the processes, but you know, you being in a peer with, with Gary, how has it kind of impacted your thoughts around the people, the roles, you know, in, in onboarding if you will, and then like how many they can do because, you know, in a smaller MSP, those people are shifting a little bit right back and forth.
So I is is, has that changed for you as well in terms of when you're onboarding who those people are, et cetera? So we've built out quite a comprehensive onboarding project plan with, with several phases, several tickets and tasks and all that kind, all those details into in it. And so our professional services team right now handles that along with the centralized services team. Okay.
So once they get everything kind of packaged up, then they hand it over to the alignment team and the help desk team and the vs. So that's how you know, basically again, how many you can take on. You've actually meed it to one client a month, which, and then obviously you know your sales Staffing. Correct. Right. Very cool. You must be glad to hear that Gary.
And he's gotta charge something for it up front because he's gotta come to the peer meeting and uh, and first thing we're, and hey Chris, and we're gonna look at his, um, you know, uh, monthly revenue per, per professional services. So he has to balance wanting to do it, but also getting something because he wants to keep his efficiencies in place. Right. Right, right, right. Yeah. And, and the TSP, right? The last letter then is a P for partner.
Everyone's saying Hi to you guys, said, Hey, decide hey back. Alright guys, I'm gonna get out. Thank you so much. All right. See yeah. So that, that partnership is also financial, right? So in order for a client to accept our services, you know, they've gotta pay for the first month and onboarding before we even start setting up their accounts and, and ConnectWise. So we get their commitment and their buy-in immediately.
That allows us to, you know, deploy all those resources and make sure things are right in the beginning. Yeah. And you know, Eric in, in the Q&A says, Hey, uh, are those tools baked into your costs or does a client pay for them? I think, uh, I'd love to hear your thoughts. I think most MSPs Gary are, are obviously baking their tool sets. They're not sending, you know, saying, Hey, you need to pay $4 for my MDR, as many as they're baking in as many as they can.
Their goal would be to bake 'em all in. But it's moving so fast that there's some things that might be part of a security offering or maybe back up is, is something you can't put in at 70%, but the goal is to bake as many of 'em that you can keep your margins, target margins on your monthly intact. Yep. Absolutely. Yeah. So a few years ago when we did the, did like a security package, that was kind of a hard sell to the clients.
And so we we're finding that we're just going to bake in all the tools that we need and not really give them an option because, you know, it doesn't help them. Where Are you at in terms of target seat price now? Well, you know, as long as we're making our margins, you know, we, we, for a large client we could be, you know, upwards to 300, 3 50 a client, you know, and then the smaller ones even more because they don't have the, the leverage. Good for you Eric. I'm, I'm getting choked up.
Learn from the best. Yeah. An amazing Gary where we've, where we've come from in a few years where you're like, I can't get one 50 and now we're hearing 3 50, 400. Yeah. I mean, I would say even in the short year that I've been here, quite honestly, um, uh, or two years that I've been involved with this community, I, I really was just like, well, the MSP down the road's gonna charge $5 less. So, you know, I'm charging $6 less or I'm not gonna sell this security because it's lowest bidder.
I mean, I heard that over and over and over again. Yeah. And it's, it's less so now. Um, you know, so it's interesting. Um, if you don't mind, um, Eric, I'm gonna go and ask, you know, you talked about how you can onboard one person a month and then maybe it's 30, 60, 90 days to have them fully onboard. And, um, you know, this is news to me that you work out in agreement, um, which seems so smart with the, um, existing MSP to do the hand up 'cause there's going to be this gap.
So how do you walk your client through that? How do you even figure out, this is what I'm gonna be responsible for, this is what the other MSP's going to be responsible for. How does all that work? And and can you provide us some details on that?
Yeah, so one of the main things that we've done new in the last couple of years is we have an onboarding kickoff meeting with the client and we go over the MSA step by step, who's responsible for what, what they're gonna see from us, what do, what do we need from them to get the onboarding done?
Who's their, uh, client, uh, point of contact, you know, give us a couple of workstations so we can practice deploying our tool stack and make sure we don't mess up the whole company when we go to fully deploy.
Um, so there, there's a lot of expectation settings in that meeting and then we discuss with them their relationship with their current provider and what we're willing to do during that first 30 days and that, that they need to go to their current provider for, you know, any reactive support until that second month comes in. Does that, that, does that make sense? Yeah.
Now did, did you say like, um, for the most part is the current MSP the provider that they're with, are they, um, okay with that? I'm not that other MSP. So, um, most of the time they are right. Uh, sometimes there's some, uh, the client wants to be away from them as soon as possible. Um, but the majority of the time, uh, it is, it's more of a mutual agreed working environment. Phyllis, can I ask a quick question? Sure.
About that meeting that I'm, I'm really glad to hear you're doing those meetings, Eric. I think it makes a a lot of sense. You know, when the world of SaaS we live today is it, hey also make sure your, your person in charge of procurement or your accounts payable shows up as well to take a look at any, you know, potential SaaS invoicing and things like that.
Ha Has those, have those types of things come into your process and, and do people kind of look at you like with a half knotted, you know, neck, you know, when you ask those questions these days? Yeah. So we do document all of their different SaaS services, right? And we need to know who their account person is, you know, what their support numbers are. And so we get our arms around all of that. And then we also, you know, deploy, part of our stack is a cloud SIEM, right?
So hopefully whatever cloud services they're using is covered by that cloud SIEM. Um, but that way we can get good visibility on what's going on with, with what they're doing. Yeah. Just I a chuckle, you know, 'cause you know, in the late nineties we weren't MSPs, but I worked right for in the, in the space. And you know, it's like you'd never think, yeah, can you bring your payables person into the call? You'd be like, what the heck are you gonna bring a payables person in?
So it's just such a different world. Yeah. It's nice to get those guys involved too, because we need, we wanna know what their processes are. Right? Right. And, and where's the opportunity for automation in that. I know that's kind of a different subject, but you know, you're setting the stage immediately and how you're gonna help them, right? It's not just security.
It's gonna be how are we gonna help you automate, how do you, how are you guys gonna be more efficient and, and better at business and focus on what they're doing instead of IT. Yeah. And, and ideally keep out shadow IT to a degree as best we can, right? Absolutely. I'm making so many notes, we gotta stay here for an extra hour. I mean, I'm picking up a lot of good points as well. You know, it's, it's just so interesting.
Just I would say universally across for security, everyone wants less, even with controls all the time, you know? Yeah, yeah. We have implementation group one is our prioritization. They're like, that's, I got it, but can you just tell me what are the five things I can do? Just the five. I Just want five, you know, and, and can I not be the first three, which is know your environment. Yeah. Asset, hardware, software, asset inventory and data management. Right?
I get that question all the time, which is why I love what Ryan said about guiding principles. We have those. When you create something like controls, you, you have to have them because everyone has a strong opinion and they all wanna be heard. Right. But anyway, I digress. So, you know, Eric, um, it, it, it's interesting, you know, you start off saying, yeah, you know, it was really about just getting the sale. Now we're, um, interested in security.
So talk to us about like change in change management, how your practices have changed because of security, what checks and balances you may have added and can you provide some examples for us? Yeah, that's a great question. Um, so because in our onboarding, we, we establish all these policies and, and policy exception documents. So whenever there's a, a request to change that we have a discussion with the client.
And so you typically, the VCIO will go out and say, okay, you wanna do this, this differently? And they'll discuss what the ramifications are of doing that and or what the ramifications are of not doing that. So everyone's on the same page and as long as it fits in with, you know, the guiding principles of our security, we can make that change then.
But not until everyone's in agreement, and it's been documented. Um, when it comes to actually support delivery, um, because of AI and all of the social engineering, our, our company has implemented, you know, support MFA. So when a customer calls us, we can send them an MFA code and they can verify who that person is. So we don't just get someone saying, Hey, this is Judy from XYZ company, I need you to do this. Right?
We won't do that until we verify the person is actually there and it works the opposite way. So we, if we call them the, the client can actually ask us for that MFA code. And, and the way this kind of gets true, the first time I Heard someone say that, Oh really? Yeah, it's really good. We, we, we think it's important, right? Um, we want them to trust us. And with all the social engineering that's going on, it's, it's, it's scary.
And, and the way we do that during onboarding is we, we now have end user orientation training for, for our clients. So we'll go on site and train the end users how to be a Zephyr end user, right? And so we will explain how this, these processes work. We'll also introduce 'em to a little bit of a security awareness and then we'll also set the expectation that they're gonna get security awareness training every quarter for the foreseeable future.
So it really kind of gets everyone as a, as a single team and on board. That's, oh, I, I think that's great.
I just wanna make one comment 'cause so many times so I can really, you know, to me that's a great example of the value of setting up the documentation and the policies that first month because I talk with a lot of end organizations and it is the CFO who gets the contract from the MSP and just signs it 'cause they're in charge of the money and they're like, I have no idea what I just signed.
So they don't even know enough when they get that agreement to push back and say, I don't want this service. They really are just looking, you know, kind of at that bottom line. So I love that you do all this documentation the first month and go over it with the client or they really understand, you know, here, here's our agreement, this is what we're willing to do and this is how much, you know. So I think that's a great point. 'cause I still get that feedback from the small medium businesses.
Like we don't know What we're, what we're getting. So Setting expectations is huge, right? That's number one priority. Yeah. Eric, I'm just curious 'cause we are talking policy and there's Tim Golden, so yes, Tim, we're we're talking policies. Um, but um, Eric with AI, you know, are there things now where you're saying, for example, hey, you know, because we're seeing people put in confidential data right?
Into write, you know, hey ChatGPT or Bard help me write this email to Mr So and so with this and this and this, are there things like you have to have a paid for account or are, are there, are those kinds of conversations starting with your customers that might have PHI or you know, that do things in the FTC regs? How, how are, are you guys thinking about that? And if so, how are you going about that?
Well, you know, we think that going forward that privacy's gonna be, you know, more center stage and uh, we we're finishing building out a new service delivery that is right now security and compliance. And so they're gonna, each client's gonna have a security and compliance alignment manager that is separate from the technology alignment.
So during that process, we will start addressing, you know, what ChatGPT or the AI, what information are you giving to these AI engines and are you sure it's gonna be secure or not? And then help them build the policy around it. And that way, um, we, we can at least understand what we're dealing with instead of some nebulous, Hey, I'm using AI, isn't that great? You know, we, Well listen, can, this is a good example, right? And we talked about this a lot, right?
Eric, at, at Pier you can see where Eric is. He calls himself a small MSP, right? He's not, uh, VC3. But the reason why you have to charge the right amount is so that you can do these things to have already put thought into these things that are at the front right now. Because if you don't, in a year, once you get so far behind Andrew, it's almost impossible right? To, to catch up. And that's why this is so important.
And so when you hear like what he just said that they're doing, they had to think about that. They had to have a meeting about it, they had to put some policy in place, then they're gonna have to revise it 'cause it's never gonna be right. And it's changing fast, but there's a cost to all of that. But it, but it, but it also typifies Eric's maturity in the following manner. Eric, uh, and, and Gary in, is that, my sense is he's especially being in California, right?
He's probably client zero, fair Eric. I mean, you guys don't go, Hey, our clients should do this. You guys probably are looking at this. I'm, I'm, I'm I'm pretty sure myopically as well, right? Internally, which then allows you to then go convey it with conviction. Is that, am I, am I taking a a leap here? No, not at all. We, um, we, we implement everything in-house first before we put it to our customers. And that includes policies, uh, security processes. So we do everything in-house first.
We get to know it, we know what's going on, and then we can talk intelligently about what we wanna do and why the costs are associated with it. 'cause we've done it. Yeah, no, That's great. Um, you know, it's two o'clock, so, um, I don't know, Eric, if you have any closing comments. This has been great. I've, I've learned so much. I do wanna give you a shout out. You know, I mean, you, I just heard him say, and now we're gonna have security and compliance managers.
It's not, it's not just the salesperson and training the salesperson to talk about security. He's really investing in saying, okay, now every client's gonna have this kind of person, you know, a security and compliance person to help them through and create policies around it. So, um, that's that's awesome. I Love that. And did the economics on it, how many, how much did they cost? How many customers can you manage? What's our cost per seat? Yeah. Yeah.
This, Eric, thank you so much for coming on. This was fantastic. Um, if Ryan Bestie was still here, we would thank him again. But this was, this was great Gary. I think we, you know, your idea to do more just MSP straight up stuff. We, we'll be doing more of that as well. Um, and this Could have been two hours, Andrew, I didn't even get to, I got, I have a whole list of things I didn't get to. Yeah, well we, there's no reason we can't do a part two of this 'cause I think it was really useful.
Uh, onboarding's a huge topic. So, um, anyway, with that, um, Phyllis, wonderful to see you back with us. Um, look forward to seeing you next week in Denver. Gary, it was awesome seeing you Eric. Thank you so much and we'll look forward to seeing you all very soon. Take care. Thanks guys. Thanks. Bye bye-Bye.