Right of Boom debrief
In this video, industry experts discuss the evolving landscape of cybersecurity for MSPs, highlighting the challenges and opportunities in implementing effective security measures. They delve into the importance of business model innovation and the need for MSPs to adapt their processes to stay ahead in an ever-changing threat environment. The conversation emphasizes the significance of community collaboration and knowledge sharing to enhance security practices across the board.

- The webinar emphasized the importance of MSPs (Managed Service Providers) and MSSPs (Managed Security Service Providers) in cybersecurity, highlighting the first-ever address by Executive Director Wales from CISA to these groups.
- A significant focus was placed on the importance of asset inventory and essential cyber hygiene as foundational elements for defending against cyber threats.
- The event underscored the value of community and collaboration among MSPs and cybersecurity professionals, promoting the sharing of knowledge and resources to tackle cybersecurity challenges collectively.
Video Transcript
All right. Welcome everybody. Uh, episode 130. Thanks for joining in and, uh, great to see so many of you, um, who are in chat. Um, gosh. Uh, and, and just a few things real quick. Um, those of you that have asked about PowerPoints and recordings. Um, yes, promise you, um, they are coming. It takes us a little time to render everything, but, um, we will certainly email you on how to access them. Um, so that is coming. Um, just a, a few quick announcements.
One, um, again, for those that may, there's a poll up, um, and, uh, about the poll for those of you that may not have experienced, uh, Executive Director Wales, uh, from CISA addressing, um, MSPs and MSSPs, the first time CISA has ever done that, I put the link just in there again that you can watch. So that's right there. Uh, tomorrow special thanks to John at Blackpoint. Yes. Yeah, that was awesome of him. Thank you. Yeah, appreciate you calling that out.
So, John, John's got some, he's a true, you know, uh, help community first, uh, own a software company second guy. Yeah, he was awesome. And he, he was very, um, yeah, lemme just take a minute. John Eson from Blackpoint was instrumental. The reason CISA is now kind of like, uh, you know, uh, looking at us and, and, uh, and more seriously, he, he has some very strong relationships and, uh, called in those relationships for us as a community. So, John, thank you so much for doing that.
Very, very much grateful for what you did. Um, okay. Uh, just one announcement, Gar and team, um, I have it in call to action. There's a webinar tomorrow, 1:00 PM. I highly, highly, highly encourage you guys to attend this. Um, the former director of, uh, identity and access management from HP, who is now the field CSO from networks, along with, uh, Chip Buck, CTO of SaaS Alerts, are going to be doing. I'm moderating. It's, so, it's, it's an honor to, to be able to do that.
Um, but it's gonna be a fantastic webinar on, um, uh, the, the, you know, initial access and around credentials. And, uh, you know, certainly Wes, if you look at the, the five things that all cyber insurance is asking for, a lot of it has to do with, you know, IAM. So, um, I think it's a, it's a very, uh, it's only going to grow. Like, I, I really think I'm gonna pop that article in right now, but that, that carriers are still trying to figure out, like their minds are blown.
You're like, you mean an MSP has access to like 40 of our clients, what, you know, like full control. It's becoming a bigger and bigger deal. Yeah. Yeah. Yeah. Gary, were you gonna say, I think the first question people wanna know, Andrew, is how can a guy who rolls giant truck tires around three hours a day like you and all your CrossFit get on stage and dance for two minutes to be completely outta breath? Like, what is going on?
The, the most, the, the scariest thing was like, I hadn't been sleeping for a month straight, and like, my, my, like, my legs were cramping my calves, and all I could picture was tripping over the stage as I jumped up, you know, tumbling forward that, that's what I pictured. Um, so anyway, um, all right, let's get on into it here and, uh, let me kind of set the stage. So, um, Dustin said it's different muscle groups. You don't work those muscles, so great.
Um, oh, first off, I wish I had it with me, but, um, the threat brief was phenomenal. Um, we'll bring it, I'll show it to everybody next week. Who in the audience, if you could just say that, you know, what did you guys think of the threat brief? Um, uh, the, the, the folks I have behind the scenes that are helping are just absolutely phenomenal on content. But first I'd like to thank all of you, the attendees and certainly the sponsors, um, at the event.
So our goal, you know, and the vision of m you know, for, for this was for MSPs and MSSPs to, you know, see an attack through the lens of a threat actor, right? That was literally arguably right now one of the most innovative and dangerous, period, BlackCat.
Um, and so at the same time, kind of like we move from left of boom in the identify phase all the way over to recover, how do you, um, you know, then take that as a, as an MSP and MSSP, how do you take that and build capability and then monetize it? Because if we can't actually get it to our customers, Gary, we failed. Right? It's our fault. Yeah.
Andrew, I, I'll tell you, my feeling was, and I talked to a lot of people, I talked to business owners, I talked to their teams right at, at the vCIO or, or, or, uh, CISO level. I talked to some line workers, so different people, and just the fact that, that it was viewed that way that everybody's, you know, starting to use the same terms, but also seeing things in the same way universally was helpful to everybody at all levels of technical skills. Cool. Well, thanks for that, Gary.
But I don't know what you do next year, right? That's what circles through my mind, Gary. It's like, it, it's hard to continue to top yourself. So like, good luck, Andrew. Thanks. Yeah. Listen, you're talking to the somebody who's done, you know, 11 Schnizzfests and every one, I'm like, well, I'm done. I have nothing else. It was great this year, Gary. Um, okay, Wes, I'm gonna ask you a question and I'm gonna plug in so I don't lose power. Uh oh, but you know, I don't do that. No.
But your role as the, uh, MC, I want to thank you. You, you know, the comments on LinkedIn just keep coming in. Um, that is not, for those of you out there, um, that is not an easy job. Being able to, um, first have to intro and outro everybody. And then in between you're segmenting one, uh, session to the next session, summarizing it and how it now on the fly goes into the next, 'cause let me tell you, Wes does not rehearse anything.
I'm kidding, Wes, but no, seriously, um, Wes just masterful job. Yeah. You really can't rehearse that. It's real time. Yeah. And number one comment I heard about Wes is he's taller than I thought he would be. Everyone says that. Yeah. It's just where this guy is right here. Someone helped me fix that. I don't know if, like, I need to be like, like this all the time on my camera still, Or you have to get a standing desk like me where people I thought you were, I get the exact opposite, Gary.
I thought you were taller. Yeah, that's what I get. Andrew. People Say That to me too. I do have a standing desk. Yeah. I'm just always sitting. I, I, I could imagine Phyllis. Oh, Phyllis, you definitely get that. You're the opposite. You're, you're smaller, you're smaller than I thought you would be the first time I met you. So, um, so Wes, you are, you know, you probably had the most interesting purview of Yeah, the whole show being the person weaving everything.
Certainly a lot of people talking to you, gonna ask you about things you did specifically, pre-days, et cetera. But love your thoughts just on the, it, Andrew, it is an absolute whirlwind. Uh, but it's so, dirty little secret, I've never been an MC before, other than the last Right of Boom. So I don't really know what I'm doing. And so my view is like, well, if there's people I really like coming up to speak, it's easy for me to brag on them.
It's easy for me to pull out some good questions and it's easy for me to like, mandate people come up and talk. So all the people I forced to come up. Yeah. Uh, you're welcome. And I'll do it again. Dang it. But no, it was super fun. But you know, the only challenge of being the MC is I don't get to like sit down and have like really great long, meaningful conversations. 'cause I gotta sneak out at 11:00 PM to get to bed, you know, I'm not out drinking with people.
'cause man, it's just, it's a, it's a whirlwind. But, um, so much fun. And I truly thank you for, uh, for letting me have that opportunity. And I won't drop the news yet. We're just gonna leave it in some height. But I think we've, we've, we're making a really cool addition to next year's MC. That's all. We'll just say, we're just gonna take it up three more notches and you're just gonna have to wait to find out. Yeah, yeah, yeah.
I, we, that was an executive decision, Wes, you and I made on the last day. Yeah. Yeah. So that's fine. So that's one thing. Gary, we're already at top, uh, our MC expectations for that. Just wait. Yeah, just wait. Um, okay. So Phyllis, um, lots and lots of positive comments on CIS. Um, so I'd love your assessment, um, no pun intended, but you kind of like your perspective on 2022 to 2023 around, you know, CIS, the maturity of MSPs. Any, you, you're kind of your perspective on it.
Yeah, sure. Um, number one, thanks for having me again this year. Of course. Uh, I always enjoy being able to talk with MSPs. I I love the community. Um, so, um, I would say what was great about this year, um, was that in 2022, folks were like, oh, what are the controls? Can you talk to me some more about it? Or when, where can I find out more?
And I think, you know, through your efforts, Andrew and Cyber Nation, and in particular this call, I mean this, you know, the Cyber Call and then the, um, Cyber Cast. Everyone, most everyone's, oh, I've seen you on Cyber Call and oh, I love Cyber Cast. And what the questions that I've been getting this year or that I got this year showed a level of maturity where they're like, you know, we're just starting on our journey and we're, we have questions about X or can I find out more about Y?
And so I totally see the community, um, maturing and starting to actually implement controls and, you know, wanting to learn from, um, Gary Pica. How do I monetize it? Mm-Hmm. Mm-Hmm. Yeah, really cool. I thought it was interesting. We're certainly gonna talk more about Brandon Wales, but how, you know, okay, the, the former executive, the number one guy before, you know, Jen, uh, you know, when Krebs left, he was the man. And, uh, arguably is the operator, if you will, of CISA.
But how he harped right in on inventory, I don't know if you caught that, fellas, but immediate, man, he, he, right. Did he just go right at inventory? And it was just really interesting to hear. So Gar, you had a number of your peer group members there, and yeah, a lot. We had a, we had a, a lot of, uh, TruMethods, which I'm glad, Andrew, I mean, why, first off, I think every one of them should be there, right? Yeah, yeah, yeah.
And, But it made me feel good that this community, in this platform, I get to see it firsthand making a difference in, in people's businesses. Yeah. I was gonna ask you, you know, do you see a level of, I guess whether it's maturity or just a, and when you think of who is there, obviously it's, when you think of a Keith Bartol, you know, we know that's a, you know, somebody that has a really way down the path. But did you, could you correlate, oh yeah.
Their, as, you know, ASP or all-in seat price, their, their profitability was kind of their level of maturity? Was it in line with who showed up, or was it all up? Yeah, absolutely. Uh, um, the people that were there at all business scale sizes, um, are all on their way. Like they, at least, if they're not where they need to be, they have a, they have their arms around where they are, like they're self-aware and what they need to do, and they're making progress.
They're also, without an exception, the people that are excited about their businesses. Mm-Hmm. Right. Because I think it's hard to be completely excited about being an MSP if you feel you are lost from a security standpoint. Yeah. Like, it's not fun when you feel overwhelmed with something that is being presented to you. Like you don't, you, you don't get a choice, right? Like, we're responsible for more stuff for our customers, whether we like it or not.
And even if, you know, you're deficient in a bunch of areas, and some of it is just scale or business maturity, at least when you know you have, you have a frame of reference to know where you are, that in and of itself, to me is a big step, you know, is a big step forward, Andrew, and, um, you know, one thing I wanted to really make sure we get to use the word community now about Right of Boom and about the Cyber Call. And look, I know how hard it is to build a community, right?
Like, I have spent my last over a decade of my life trying to build a community of people that have higher, higher expectations for themselves and, and, and their businesses. And this is now a community, right? And I said in my wrap up, I don't think we meet these challenges that are bigger than the challenges of moving from break and fix to MSP. I don't think we, we, we needed a community then. And, and in this area, we need a community now. Like we all need to be part of it.
And just the fact that, you know, that with the frameworks and, and the call, like all the con real similar, like I, I equated almost the TruMethods. Like we have our own language around this now, right? And the community, and they're all speaking and their teams are speaking in that language. It's just, it's, it's going to save people years of their life in this area. Right? It almost overlaps exactly. To, to similar to, to what I've been through in the past. It's awesome. Yeah. Yeah.
Gary, can you just chime in on, you've said this before, but I think it's really relevant that as a, as a whole, we MSPs like, you know, I think you and I have met way back in 2004 kind of a thing when you were an early customer of ConnectWise, but for years you could get away with a lot. And now, like, can you just give that narrative of why things are so different? Yeah. Listen, I still have people that I meet that are trying to get from break and fix to MSP, right?
Like in, uh, what year is it? Right? 2020, 2023. And everywhere in between. We haven't had to change as much as we thought we did, Andrew, right? I kind of alluded to this in my keynote at Schnizzfest. We've changed our tools and we bill a little differently, but the core of what we do has still been like our people spending their time on supporting projects.
And so if you fell behind, you weren't gonna go outta business or put your customer outta business, and you, you weren't gonna, you could just kind of plot along. And it's not, I don't feel it's that way now when it comes to all the changes. And we're talking specifically about the biggest one, which is what we need to do in our responsibility and role in security for our, our customers. Every day you're not moving forward. You're now further, further and further behind.
'cause this is moving way faster with way higher consequences. Yeah. Yeah. No, I agree. I agree. Um, for those of you who asked about dates and everything, um, I promise that we'll get 'em ironed out. We're in our final stages. Ideally, we're back with the Gaylord. Ideally it's, uh, February. I'm pushing potentially for early March simply because of we had ice storms. So I promise to keep everybody up to date, um, on everything. Um, so Wes, you had a pre-day Mm-Hmm.
Um, call preparing for boom mm-Hmm. Um, I'm just curious about this because, um, you had it with you, you know, you, it was with Garrett Gross, Eric Tilt and, and Chris Laer. And wondering, you know, if you one, you could unpack it a bit for Yeah. And, you know, a follow up. Were you surprised with the attendance? Uh, wasn't surprised with the attendance.
When you get people like Eric and you get people like Garrett, you get people like Chris Laer, whoever that guy is, you're gonna get a packed house, right? And thanks to Huntress for sponsoring it, because they were, they were, um, adamant that this thing not be a Huntress thing. That this just be an extension of the community. So what can we give back? So just, I mean, huge for them to do that, right?
And I wish, I think, I think we channel vendors, the good ones are really good about that, of like, how do we truly give back without making this a sales pitch? I come out of like, enterprise when it's always like, well, how do we get the one hour pitch, you know, and the, you know, where do we get all the leads and how do we sign 'em up for deals right now? You know? So it's really refreshing to just be able to do something with a true give back.
And so, you know, a few things I noticed, one was that, um, the MSP is, is, I'm walking from table to table. If you compare this time to the very first time we did this, which I think was like 2017 or 2018 at, at Connect, man, MSPs were not ready way back then. Like, you could just see their eyes pop open, and you, if you've ever seen Chris Laer be Chris Laer before, you know, and like back then, you know, people would like blurt out.
Well, we've already, we've already handled this, you know, this wouldn't be a big deal. We would've just already re-imaged the machine, and off we're going. And back then Chris would be like, and you're an idiot. Let me tell you why. Here's what you did wrong. Here's now what you've cost. You know, and now you fast forward to today.
And MSPs are like deep, good conversations about like, even, you know, in the situation we had where, you know, it's gonna be some kind of big event, that's the tabletop. But it's a lot of discussion of like, okay, is this the incident yet? Who calls it? Why do we call it, when do we call the incident? Um, how are we dealing with the, the, even the pre-incident analysis, at what point do we lead up to this? And why?
They were asking great questions, like, why is account management leading on the front of this with the way the story went? Versus like, where's, where's business leadership here? Where's security leadership in all of this? Like, I just love the depth of discussion. And then having Eric in was really, really cool because Eric, just as an attorney, like, we're in this age now where I think everyone now knows just how messy a, a breach gets, right?
And so having Eric come in and sort of just really guide us through those things, like, what's in your MSA? Have you really protected yourself for the future? Um, here's how some things could go if you don't handle this correctly, if you did it this way instead of that way. And really the gist of it, Andrew, I'll just close on this. The, the gist of the whole thing was in this scenario, we, we ha we took on a client that was too big for our britches, and we couldn't handle that, that client.
So we hired a bunch of people to handle it. And in the aftermath of the, the incident, one of the things we realized in the story was, whoops, we sort of took them on as a customer, according to our, according to our MSA, before they were fully onboarded. And because we hadn't onboarded them, they hadn't gone through some things like true incident response planning, we hadn't put full controls in.
And so it turned into a nightmare for the MSP because they took them on as a fully managed client in the middle of a breach. And so Eric unpacked how important that is, and I think a lot of MSPs came away with, yep. We really need to go back to the drawing board and really define this for our clients. So super good. And, and really hats off to layer for Chris Laer for really coming up with such a brilliant, um, tabletop. Good. Good, good. Yeah.
And listen, you just made a lot of assumptions about what happens during, even during onboarding dude. Yeah. For an and their client. A lot of assumptions that I don't think really unfortunately are true yet. Yeah. It's got, we, we should really do a cyber call on that sometime soon, I think. Okay. And Gary, what, what, can you maybe just give us a sense of what one or two you mean, dude? Yeah. Like, like an IR plan. He said he hadn't done the IR plan yet, Right?
I, I, you know, I, I don't know if you can ask, that'd be a good poll. How many people, how many MSPs have as part of their standard onboarding process of new customers an incident response plan, right? Yeah. And, and I think, I think it'd be great to bring Eric back on again and say, Eric, help us unpack what things need to happen both contractually and, Gary, from your perspective. Even like the checklist of critical things before we call them a managed client. Yeah.
Because otherwise, what happens when a big incident comes like this and we're not ready, now we can time and material them, and we're not the ones responsible. 'cause we're in the middle of onboarding when something happens versus, oh, we just took 'em right away. Now they're managed client, we'll get there one day. That's how we used to do it for years. Yeah. Is is it, is this good having an IR plan as part of our onboarding process? Yes. No. Yeah. Yeah. How many have, yeah.
How many people have, right, an IR plan as part of your, like everyone gets onboarded, gets their, gets an IR plan. Yeah. Okay. It's, it's, it's up for everybody too. That's a great, I like that, Wes, I, uh, I put that down, onboarding Cyber Call. Um, fantastic. And then, so Wes, you, you know, I remember these vividly, you know, when you were with Perch and, and, and they were typically with Chris Laer at IT Nation and packed houses, uh, for doing tabletops. And then obviously the pandemic hit.
So this is kind of the first one I'm thinking live per se, that we've, that we've kind of done in a while. What differences or similarities did you see? Did you see increased maturity in kind of the response We'd handle it this way? Because, you know, maybe if you could, for those that aren't there, maybe you could just say like, here's what, like, here's an example. You know, Chris says this, then you get together.
So if you could just posture what it's like being in that room, and then I'd love your take on the answers, the, the thoughtfulness, the how the responses were. Did you see differences a few years later? The, a big difference is, I mean, obviously there's a little con, maybe a lot of confirmation bias in terms of the fact that these MSPs have been committed to this journey with us for years, and that's why they came to Right of Boom. So they're leading MSPs in security maturity, granted, right?
Um, but, but yeah, like, so one of the things that we always do is, like, I, I tell 'em, you can't put your security goody two shoes hats on on these. Like, you can't be like, oh, you know, all of a sudden, you know, one of your clients went offline. It's mass systemic ransomware, and we're gonna like jump. No, you can't do that because you have to operate the data you're given. Are you really gonna go to a client at this point and declare a mass ransomware event when the RMM goes offline?
There's a lot of reasons that could happen for that. And so, so we force 'em into like a very pigeonholed, uh, story as we go through all of this, right? And so I just noticed, the thing that stands out to me is MSPs in that group this past week were like really good at, know what does our incident response say? What do we do next? It, what, we're not ready to call this an incident. And here's why.
Because we don't have true impact to confidentiality, availability, and integrity yet, we don't know, based on what's happened so far, we don't have enough data to call this an incident and start enacting a plan. We're still in this research phase. We're not even ready for containment yet, because we don't know there's anything to contain. Those were, I loved hearing those discussions and I loved people bringing up, I mentioned this before.
I loved people bringing up, wait, why are we having the tail wagging the dog here? Why is it the account manager that's running all of this? Why is the account manager calling the CEO in the middle of the Super Bowl saying, Hey, it looks like we have some kind of outage and we're trying to figure out what, what's going on here? And why is it that we didn't even understand this huge client that we had, that we were only managing like 10% of their, it it was a co-managed relationship.
And we never introduced that until later on in the, in the tabletop. And so we purposely put chaos in the middle of all of this that nobody could plan for. But I think a lot of MSPs did come outta that being like, okay, we definitely had some curve balls thrown to us that we gotta think through our onboarding processes, but I could just tell they're far more mature in their processes and what they would do in this situation than than years before. And it's so encouraging for me to hear that.
Yeah. Very good. I think Eric, really go, go ahead, Gary, you were gonna say? No, no. I'm, I, I agree. I was just looking at these poll results and 74% of people, uh, you know, and again, I, that's why I asked the question and Derek's trying to steal my thunder. 'cause all these things take time and you either gotta build it into your onboarding fee or I want to bring up something Carl said, uh, from Snap Tech, um, that I thought was really interesting.
'cause this, what he described is exactly how I developed proactive roles in the beginning. Um, to, to be able to, to, to, you know, and explain to customers what we did. He said that basically he looked at the things that he had to do annually, the things he had to do quarterly and monthly from a security process standpoint.
And he kind of looked, figured those things out, and then he was able to say like, on average, how do we build enough, you know, time and money into it, and then built that into what he charges people. And so if you think about this idea, the reason why people aren't doing an IR plan, there's only really one reason it manifests as a few, they aren't charging enough. Mm-Hmm. Right. To be able to dedicate the time.
So you can either charge somebody more upfront or don't, and 'cause an IR plan is something that has to not only be built but updated, that and all the other things you need to do. Take Carl's advice and just sit down and think it through. You don't even have to get it perfect. Do you know what I mean? You can just get it close, then you can. He schedules those things out the same way.
We used to always schedule out all of our proactive work that we did a year in advance, and then the customers saw the advantage in the sales cycle or in an upgrade cycle as to why they were making those investments. And that if we didn't have these things built in, then we weren't gonna be able to do 'em. And guess what? Neither is anybody else. This is how you, uh, I've been reading the book.
Um, I'm right in the middle of reading the book, uh, Blitzscaling, and in that book talks about fast growth companies and that successful companies don't succeed by having the best product. They succeed when they have an innovation in business process. And what Carl is talking about was an innovation in business process. The technology alignment process, Andrew, that we taught for years, is an innovation to business process.
And I don't think you get better at security unless you do an innovation to your business process. Because this is not centralized services, it's not project, it's not support. It's not just vCIO. It is things we need to do proactively that don't fit into those delivery areas. So we need to build a delivery area. We need to think those through. Then we need to make it the reasons why customers buy from us. Mm-Hmm. Yeah.
So when I look at that poll, I'm saying there's the opportunity, people presenting it, we figured it out. Yeah. Well, and Gary, I what's really interesting now We're all fired Up. I know, I know. And people are realizing that, and it was really well summed up Gary, really masterful. But what I said on stage, and I gave you kudos to this, Gary, was like, sales, you know, if you think about command, right? Those who have done it successfully can teach it. Right?
The thing, the saying, you can't give somebody something you don't know. Yep. Why I say that is, if, if you think about Carl, they were one of the earliest that I can remember. I mean, I think they're in year nine now of doing their SOC 2. And, and he tells one of the funniest stories ever where one of his clients called his business partners, like, yeah, you know, if you can get together, you know, your SOC 2. Remember this show, uh, Wes? I do remember it. Yeah.
They're like, how hard can this be? Sure, we'll get it. Yeah. If you could send us over your SOC 2. We really need that to continue to do business with. It was a public company, right? This is years ago, Gary and Phyllis. And Sean's like, yeah, we'll get that right over to you. He had no idea what it even was. Right? But my point is, so nine, 10 years later, right?
They've been at security relative to most MSPs for so long in terms of their policies, their controls, their frameworks internally. But you put Carl, it's, it's not hard to see why, like, he'll never give away an assessment. 'cause you know how expensive it is and what it takes to do it, right? And that's why they get, you know, their all-in seat price where it's at, why they get, you know, they charge what they do for onboarding assessments.
Um, it just, it just goes line in line with com, you know, your term of about command. Um, if that makes any Sense. Absolutely. So the, again, I try to look at all these as opportunities, Andrew, and the words I want everyone to take away today are like business model innovation. Yeah. We're not gonna be able to change our relationship with our customers if we are doing things the same way we were doing them. It's time to innovate.
And that doesn't mean innovation is not the latest and greatest tools, although that can be part of it. It is how we approach business, our roles, our process, how we take and how we take them to market. That's business process innovation. Last, uh, last thing I'm gonna put on this, and I'll come to Phyllis, is one of the reasons I think why, you know, Aaron Cherin and Roo are doing so well, right? It's like, you know, oh, just help us. It's like, look, what's the process first?
What is the process you're innovating? Then we can look at automating that process, you know, and, and Mindy Green has done some phenomenal things, by the way. MSP Geek Con, there is is where you'll see a lot more of that. But does that make sense, Gary? You can't just go, you know, automate this. Well, what are we automating? What are we innovating? Right? Yeah. And, and you know, you know, I spend a lot of time with the, with the Roo folks since one of them is my son.
So we talk, we talk a lot. And that's one of the biggest challenges. You know, they get low hanging fruit with people, then they almost have to lead them on their process journey. Absolutely. 'cause they don't have their processes. And just look at it. Just going to show us. We, we have more work to do, but man, Right of Boom says we have, it's also good to look back and say, look how far we've come. Yeah. Yeah. Chelsea, just so you know, um, Cyber Nation, I'll get a post up.
We, we get this asked a lot, but there's some good IR stuff in Cyber Nation. We've done actual projects in the, our, our group, and there's really good, uh, information on IR. Okay. Phyllis, over to you. Your session was, um, cyber resilience with, uh, CIS, uh, CIS Controls and, uh, uh, CDM, um, which is the, um, uh, Community Defense Model. Um, so could you unpack that a bit for us? You and Eric Woodard, Eric, phenomenal job as always. Who's on the call?
Um, you know, again, um, I can't stress enough what, how awesome you are, um, for all you do to help everybody in the community. But Phyllis Yeah, thanks. Happy. Well, I wanna give all the credit to Eric 'cause he had the best story to tell, which was so compelling.
And what we wanted to show is, um, that if you implement the controls, IG1, um, that you can defend against a lot of attacks and, you know, how doable is it, the fact that, you know, he could step through those controls and walk, you know, and then the example that he gave that he could step through those controls and help, you know, um, a peer actually, um, manage their way through their incident. And so, um, I just thought that was amazing that he could share that story.
And, you know, um, so often, and I say this a lot on this call, folks say, you know, what's the tool? What's the tool that I can buy? What if, if I buy a Palo Alto, am I IG1 compliant? If I do this? Am I, you know what I mean? Because everyone wants the easy button. And what I, you know, really liked to showcase with Eric is, you know, it takes work. What did he say? Like 2000 hours? Um, you know, and that seems daunting.
Um, but at the same time, now he can turn that around and, um, it's not gonna take him 2000 hours every year. That's, you know, some of that, um, is just that initial startup time. But we wanted to show that, um, really, you know, the best offense really is a good defense, right? And you heard so many times during the day, what's the number one thing you can do? Asset inventory. As, uh, you know, so many times people said that, one of the hardest things to do, the most mundane, but a must have.
And you know, Eric even shared that in his story when he was helping out, you know, his peer, where are your devices? Where's the critical data? Right? Right. Like I said, it was, it was, I was just like, wait, you know, I obviously you can't, uh, you know, interrupt, um, you know, the Executive Director of CISA, but I wanted to go, wait, whoa, whoa, hold on. Can I call up Phyllis for a minute? And can everybody, can you repeat that for everyone in the audience about inventory?
Um, so, uh, very, very cool. We, um, Phyllis, um, the other thing I ribbed you on during the event, but we, in, in all good light is obviously, um, you know, the respond and recover side of, you know, if we were thinking about the CSF, you guys are masterful at CIS, you know, in the first portion, if you will, of the controls. Mm-Hmm. Version 9 or some dot version 8? Do we foresee some stuff coming in more on that? So I do, first I'll answer on 8.1. I do hope to have an 8.1 out this year, and that's really a minor rev.
I don't wanna change any controls, add any or subtract any. It's more, um, I think will change the prioritization. We've been talking a lot about incident response. And so I feel strongly that we need to push almost every safeguard in the incident response control into IG1 for a few reasons. Number one, it's just so important now, um, as we've seen.
And number two, you really can't get cybersecurity insurance unless you really have a lot more in your incident response plans. So, um, we can't, we can't go forward saying, oh, only do these couple things, um, when you can't get insured. Um, and, and so, you know, we've definitely heard the feedback, hey, I just started implementing controls and then you just changed it. No, thanks. And so we're gonna slow down that roll of, um, new versions.
So for version 9, will we have respond and recover? You know, that's a good question. You guys are always pushing me. Um, you know, it's something to look into. Um, you know, I have to really, we have to be cognizant of, of, Gary's on mute if you wanted to say something. Go ahead. Gary, did you wanna say something? That sounds like a yes. I would say we have to look into our core audience, you know what I mean?
Like, um, I don't know if you guys know John Tesori from SANS, he says, we have fast followers, right? And so, um, you know, it's definitely something to look at, but think about, you know, um, who, what would go in those controls? Who would be actually implementing those? Um, and is it something that, um, the majority of organizations are capable of? It's unclear. I think, listen, you have a tough job because, oh, go ahead, Gary.
No, I was gonna say, you have a tough job between balancing, you know, things change and need to be updated over time to having people that are, like you said, they're working and they're, and they're implementing, and there's pros and cons. Every time you make any change, you have to be so thoughtful. And, um, it's, it's, it's a, it's a, it's a, a, a line that you have to walk. Yeah. It's easy for someone who doesn't know about that to be able to say, well, just add this or change this. Right?
But it's not so easy, man. Well, we, we tell her all the time on the CyberCast. Gary, Wes, before you go, um, uh, I'm sorry, Wes, before you go, I just wanted to say this, um, to your point, Gary, kudos to Phyllis and CIS. I mean, when's the last time the CSF was updated? Right? In, in any meaningful way? And you guys are constantly, constantly listening and iterating. So hats off to you guys, Phyllis. Yeah, thanks.
Uh, and, and just so folks know, um, it's funny you mention that, um, NIST is accepting comments right now for like, what would, um, the Cybersecurity Framework version 2 look like? It's gonna be interesting. There's, if you've looked through the comments, there's some wild ones and some good ones. It's literally thousands and thousands of pages. So I just don't know how you get through all that. I don't, I don't wish that on anybody.
No, Phyllis, you know, when we look at the, here's my thoughts. Um, when we look at the C, when we look at Sounil's Cyber Defense Matrix, and we know we slide right. Mm-Hmm. I kind of, I know this is not exactly the way it's supposed to be looked at, but as we slide right, we slide into deeper maturity, it just, it is that way, right? Just because we then go from, from automated technology more into people, process is always important.
So I could even, I could even see CIS creating a secondary framework that is respond, recover that is tied to, uh, the controls, but is more like process and people, like, what are the things? Because I still think we're missing that, I mean, this even goes into Chelsea's question, you know, of like, okay, I know what IR is, but how do I go about it? And I go, pull up 800, um, what is it? Uh, I forget the NIST recommendation for IR. Wait, don't read this 200 document. I know.
So I, I could definitely see a secondary framework, so to speak, that helps us around IR and what that would look like. Like the minimum, right? Wes? Yeah. Like the minimum, the minimum stuff. Because when you see the percentage of people that aren't doing it as part of an onboarding process, that says, we don't need people to shoot an ant with an elephant gun. Like we need them to start the, the basics. Yeah.
And, and, and, and by the way, I love what you were about to say, you know, with the 200 page. I mean, again, this produces some amazing stuff, but again, for 55% of the GDP, which is what our community is protecting, you know, you put a document on incident response or whatever it may be from NIST, this one's 200, this one's 400, this. And I know they're not four, but you just sit there and go, you know, I, I've gotta service my customers, right?
And, and they're like, that's again, why, you know, I'm, we're as a community so bullish on what you do, Phyllis, because it's prescriptive, right? Mm-Hmm. Yes. You still have to read, yes, you still have to do work, but it's actually something you can go get your mind around. Mm-Hmm. And, and that's what I'm so grateful for what you guys do. No, I, I appreciate that.
And you know, I do like the idea, we call them companion guides, Wes, of a companion guide and, um, you know, and, and, um, if we get started on that, then, um, you know, I'll announce it on here, looking for some help, folks. Yeah, yeah, yeah. Yeah. Exactly. Um, okay. And then Phyllis, last one for you is, um, love your thoughts on the threat brief. Um, reason is, you know, like you guys with, with the Community Defense Model, look, you know, at a lot of threat data.
Um, and so what were your thoughts on it? Um, what were your, specifically, you know, when you look at what this threat actor BlackCat, like, you know, John Enson in his, um, presentation, right? They've had, I think arguably probably some of the most run-ins so far with this threat group. And to see them, you know, notify ConnectWise, ConnectWise did a fantastic job shutting down Control, and then instantaneously pivot to Atera. Mm-Hmm.
Like, what do you, like when you see a threat actor do those types of things? Give us your, give us your thoughts on this. First off, I had this, 'cause I was looking at it, so, you know, so let me just talk about this Right of Boom threat brief.
One of the best threat briefs I've ever read, and I have read a lot, you know, I would say the number one feedback, um, the US government and all these, you know, the US government, there are about seven cybersecurity centers across the US, national cybersecurity centers, and they all put out threat advisories. And the number one thing, the number one feedback that they always get is like, I have so much data, but what do you want me to do? What's actionable? Mm-Hmm.
And so what I really appreciate about this threat brief, um, is, is it broke it down. It said, hey, you know, like there's lateral movement. This is, these are the different ways they persist, you know, really broke it down for people to understand. So I really appreciate the thought that was put into it. I really appreciate, you know, hey, and here's how you mitigate. Of course we use controls, I appreciate that. But I really thought it was, um, it was well done.
Um, and, you know, the, the, the strength of, in my opinion, um, Sounil's matrix is it helps you tell a story around people, process and technology. So, so I really, I really liked that breakout as well, um, because then the data supported that. Um, as far as you know, John, number one, John Murson, of course, is always a great speaker, so it's always great to hear him. And, um, you know, to me it, there are a couple things. Number one, it shows how agile the adversary is, right?
So shut off one venue, that's no big deal. I'll just do something else. But again, what that reinforces also for me is you really have to go back to the basics. Essential cyber hygiene versus, you know, um, what is it about remote access or RMM that, that you really actually need to secure from the get go versus, um, you know, oh, I shut this down in this tool, now I'm gonna jump to another tool, right? So the question is, um, could I have done better with initial access?
How much, what else can we do to actually shut down lateral movement versus, um, shutting down things and tools? So again, um, to me that just drives that home that instead of, you know, playing whack-a-mole amongst the different tools, get to the root of the problem, get your essential cyber hygiene in place, and be able to shut things down, um, at the root. Yeah. Very cool. Thanks Phyllis. And again, thank you and Kurt and CIS for all you do. Um, we, we, yeah, sure.
So value, um, the partnership, Gar. Um, so CISA for the first time, again, to your point, via John Ensen, um, addresses MSPs, um, and not just somebody in CISA, but the, the man that oversaw SolarWinds, um, Exchange, Pulse Secure, the, the Russia Ukraine conflict. I mean, this is a guy that has seen just about, and, and is basically the opera. He's the COO of CISA, from my understanding internally.
Uh, brilliant man, like Wes said afterwards, and I loved what he said was, it feels like we've finally, as, as MSPs, we've finally been validated. So I'm paraphrasing Wes, but it was something to that degree. Um, Gary, can you unpack a little bit what you feel on that session? Yeah, I, I, I feel like it's almost like to me, an official turning point, right? An official change in how MSPs rightfully will be viewed.
And hopefully what this means is it's the first step to finding a way for MSPs to get a seat right at the table, um, and maybe get some additional resources, right? And all the things that come along when you're in the purview that our counterparts right in, in, um, in the enterprise have already, have already gotten. So, um, Andrew, uh, kudos to you. Um, but this was a, a, a turning point in a positive way, not like being written up.
'Cause there's another incident that, that affected an SMB through an MSP, whatever that may be. So, um, I, I hope everybody took some pride in that. Yeah, I, I, I certainly did. And, and I'm grateful for all of us as a community that we are finally on the radar, not, not just as, as Gary said, here's another CISA writeup or, in combination, MS-ISAC writeup of, you know, how things are going bad for us, but that we're seen in a really positive light that we can work together as, as executive director.
Well said. Like, this is private, public sector. So, um, okay. Are there any particular sessions or interactions that stood out for you? Yeah, so, um, well, I mean, we're, we're, we're talking about the CISA interview, so I was locked, you know, locked onto that one. Um, in, in part, in, in particular. Uh, but I enjoyed the flow. Like I'm in and out of things.
I was in and out of things, the, the, you know, the whole time and trying to meet with some, some folks and just seeing the flow as the, the days went on and how we get into pretty long day, man, you're sitting in one room right? All day, and even, like, I'm doing the last session and people were still engaged. Mm-Hmm.
And so that really says something about a conference, you know, that can do that and have different levels of people of, of, I know people in there that are very technical and, um, some more technical than I'd like them to be. Uh, and others that are not technical, not technical enough, all get that same, you know, all get that same experience. Yeah. I love what you just said.
'cause um, even the session before yours, which was Eric Tills, I mean, and, and it's three, that's The one I was gonna call out. Yeah, Yeah. Please do. You know, I'll let you chat about it next, but it's four o'clock on Friday, the room's still packed, and people are just lining up with question after question after question. Um, but go ahead, Gary, you were gonna say something? Yeah. Two, two things. I, I, I'll mention one was with Eric. Um, first off, I think he did a great job.
He kind of, um, I felt like in the past he gives us a 101 version of things, and I felt like this was more of a 201, maybe he feels like people are ready to start hearing more. Um, but I think when he is talking about actual risks, when he's talking about, I, I think not all of us understand that we are now in a legal business and we were not before. Mm-Hmm. Like, it wasn't really that appointment.
We had agreements, so people would pay us, but now there's so much liability involved that I, I gotta think it opened some people's eyes, right? Yeah, yeah, yeah. Like I said, people were asking that question after question after question. Um, so, um, your second, Gary. And not logic, and, and logic doesn't apply. Several times I thought to myself, this one's gonna throw people, right.
Um, when he talked about not getting people to sign off on, uh, decline of service and why legally that might not be defen, it might have the opposite effect, right? Because we said like, well, if you did a decline of service, then you knew they should have had it. It's almost like you, you're having the opposite effect. Yeah. Yeah. Yeah. No, very, very true. Um, yeah, and I just love, like, he did it as a Charles, uh, a Tale of Two MSPs. That was, I thought was brilliant.
I'm putting his, uh, LinkedIn profile in here. Um, for those of you, a lot of you guys work with Eric, um, as a fractional legal, uh, person in your business. So your, your, um, your session, Gar, packaging, pricing, sales, first off, you had an all star lineup there with you on stage. Um, maybe just kind of unpack that a bit for those of us that weren't, you know, here at the event. Yeah, so we had Carl from, uh, Snap Tech, who was a pinch hitter and ended up being an all star. Yeah.
He always kudos to, to, to Carl. Um, and then we got to have Rob, uh, Stevenson, um, from Thrive. And if people don't know Thrive, they're one of the largest, and most, I'll say most successful mm-Hmm. Um, they, they've done a, um, you know, a really unique job in terms of how they approach the industry and, and really security has been the thing that has created their value. Like they have dove in full scale, right?
Into, into automation and security and process, and really driving that business model forward. And you would think at first, well, I don't know how much applies because, you know, they're like a big giant, you know, they're hundreds of millions of dollars and we're just small, but so much of it was transferable and they're, they're proving business models at scale. And so those things, well, we couldn't do this or we couldn't do that. No, they're doing it at scale.
If they can do it at scale, we can do it in our MSP. So I, I, I thought his input, um, a couple things surprised me that I'll share as well. And then finally, Keith, I, I have got to watch Keith go from zero MRR to, you know, to to, uh, uh, the scale that he's at.
And really, again, I'm gonna say his early push into understanding security and maturing, that has been what's has been a major driver into why is a, a top m, top MSP and, and Andrew, that's the common thread at all three levels of scale. The people that were there, they are telling us that security maturity is good business. Mm-Hmm. Good business. Yeah. Yeah. No doubt. No doubt.
Um, Gary, close us out with, were there any answers that you received from either of those gentlemen or, you know, uh, three of those gentlemen that were like surprising or, you know, caught you off guard, anything like that? Um, one interesting thing, and I've been thinking about it now over the weekend, and how, uh, Rob, when Thrive now goes in and they, they go into what I call MME, Mid-Market Enterprise. Mm-Hmm.
So like under, like, you know, the, the two to 500 seat or so companies, they have a lot of success, but the approach is more of an unbundled approach. Mm-Hmm. So, which is something we preach against, but if you think about it, they're trying to get in and wedge in the door. They're also hiring salespeople that have a background in enterprise sales. So they're trying to match their approach to the skillsets, OO of this. And then they have a plan on how they move people forward.
So I would say that, you know, if you're not a mature business, you would have to be careful, but I thought it would, and they're having success at it, but they really know their gross margins on every single piece. In other words, they're not going in with loss leaders. They're making gross margin on any of the things that they're bringing to market. So I, I thought that was important.
And then the other thing that didn't surprise me, but I'm glad we talked on Keith, is that in the beginning, there's some things that we don't know how to price. There's some things like, you know, some of the things we're talking about with IR planning and all the other process things that you need to think through in a different way, and that they aren't always just easy at first to convert to a seat price or they might be part of a base fee.
So there's again, innovation in business model, but Keith didn't figure it out until he understood it and Carl, and until they went out and started doing it for their customers, and then they were diligent in making sure they had command over their costs. Yeah. Really, really good point. And I think Jim really awesome. Yeah.
Jimmy Li, Jim Luby talks about that analogy of SaaS companies, how, you know, a SaaS company, you know, you go to their web, let's just say it's Salesforce, Salesforce doesn't try to sell you everything. They, they want to sell you something and they got pretty good margins on that something. And then now that they're, they've got a, a relationship with you, then they're moving up, up, up, up.
Um, the other thing, um, yeah, they're charge that, there's a good example, SaaS Alerts, Rob mentioned, it's one of the examples he gave. They're charging three bucks for it, right? And it list price, it's 80 cents a seat. And I'm sure Rob got a good deal based on his, you know, his scale. Think about the margins on that, and now they start to get, and that starts to tell them a lot what's going on that leads to other products, controls, that, that's the kind of thing. Yeah.
That, that, that Thrive's been masterful at. Yeah. And lastly, Gary, is what Keith, what you're bringing up to light with, with Keith, and, and Sonny Lowe has talked about this a lot, who's also a disciple of, of TruMethods is, you know, when you're bringing a new technology in, it could be five, like the first five, or you're losing money, not intentionally, but you're figuring it out, right?
And then, you know, you're setting, you know, you're, you're changing your gross margins, your pricing. Um, it's an evolution. But those, those that stay with it really, uh, really that's where the, Can I give one example? Yeah, of course. People say, well, like, they always try to catch you like you're breaking your own rules. Well, you want everything included. You want everything in the chocolate cake. Yeah. You know what, I want more.
I want everybody to have all the things they should have. So let's take manage, you know, managed EDR, like based on maybe where, where it's priced today, maybe you're not prepared to put it into your, your chocolate cake at 70% gross margin. So rather than not do it if in the short term that's something you sell as part of a security bundle or, uh, in some other way where you can get, you know, fair margins on it, but protect a hundred percent of your customers, it'll all work out over time.
It's okay. Right. Very, very really good point. Really, really good point. Cool. Um, Phyllis, any close in the last few? Um, lemme just see if there's any questions, but Phyllis, any comments in the last, uh, thing thing here? And by the way, Chelsea, I hope you saw I put the IR URL into chat for you. Um, but Phil, uh, Phyllis, please. No, I mean, I think it was a great conference. I learn every time I go, um, and I get great suggestions from everybody.
So I really mean it like when I say what is it that we can create for MSPs to help you on your journey, please let us know at CIS we're happy to look at that. One other thing, if you look at the poll results on people who have an IR plan as part of that onboarding process, seems like the majority don't. So I think, you know, it is, you know, I think Wes or Gary mentioned we should talk about that on a Monday. And I, and I think that, um, those poll results are back. Yeah.
We, we haven't done, we haven't done an update. Right. It's been a, a while since, uh, we had Mike regard. Right. Help us with it. Mm-Hmm Mm-Hmm. Sure did. Maybe we re revisit that sometime soon. Aaron, I, I think wanna do like a, like one of those two, like I think probably a two hour one, Gary, where we do onboarding slash ir.
Um, you know, uh, and I think we have some cool stories like from guys like, like Carl, um, and people that have like started to deploy things like SaaS Alerts because of, hey, I, you're six weeks in my backlog and we've signed an agreement and the, and, and so the clock's ticking now if something goes wrong too. Who? Yeah. We have two MSPs in there. Right? That gets gnarly, right? With two signed agreements. Yep.
So maybe we'll do one of our off Mondays, like remember we used to Yeah, do 'em separate. Yeah. And then we'll recap it on a, on, on a call. Like we did a couple with a couple other things. Um, and then this is a good poll that like other ones we've done where we can kind of keep doing them and see if we can move the percentages. Yeah, very fair. Very, very fair. Okay, Wes, thoughts from you, my friend. And again, thank you for doing again, year two, a masterful job.
I can't wait to do it again anytime, but no, it was absolutely fantastic. Maybe the last thing I'll close on since we have 30 seconds, is I just wanna come back to John Strand. Um, setting that message of inclusiveness, setting that message of like, we're all in this together, setting that message of, dude, here's all the tools you need for free that we're giving you in the training. And like, that's so good for us.
And, uh, I just hope everyone listening to this call goes and parrots that same openness mentality to help each other out. Like that's what we're about. I remember in the earliest days people didn't want to talk about security. They didn't wanna talk what they're doing in their stack. And now I can bring probably anyone up on this comment list. Would you come on screen and talk to us about what's working for you in security and what your secrets are? Like, yeah, I'll jump in. That's good.
We need more and more and more of that. And John just has been one of the champions of that since day one, before any of us were even thinking what security was. Yeah. And I just, I, I'm so thankful to have him in our camp. I agree. And an Andrew, I just want to close, um, I, on a personal note, I I'm so proud of you man, and I, I've known you for so long. My wife is proud of you. Susan sends her best.
And when good people are doing the right thing and, and they can make a difference, there's nothing, nothing better. So I, I I, I, I, uh, I saw you up there and I, I got a little lump in my throat. I'm so ha I was so happy. Thank you, dude. I really appreciate our friendship, all of you, um, and everybody out there. I, I, I, it's all I, you know, I, I do this 'cause I'm passionate about. All I wanna do is help. So wish you all a fantastic week.
Look forward to seeing you all next Monday, and uh, make it a great day everybody. Thanks Everyone. Bye bye.