Self Governance & CIS Controls through the eyes of an MSP
In this video, Gary and Andrew discuss self-governance and the implementation of CIS controls through the lens of a managed service provider (MSP). They explore the importance of having a structured approach to security, including the alignment of tools and processes to established frameworks like CIS, and the significance of starting from where you are and continuously improving. The conversation highlights the journey of an MSP in adopting these controls, the role of self-regulation in the industry, and the necessity of balancing security measures with business needs.
- The importance of aligning security practices with established frameworks like CIS to ensure defensibility and manage risks effectively.
- The role of self-governance and self-regulation in the tech industry to avoid fragmented government regulations across states.
- The necessity of having dedicated roles and processes for security and compliance within MSPs to ensure effective risk management and customer trust.
Video Transcript
All right. Lot of Ys behind the scenes and we are live. Welcome everybody. I hope you all had a fantastic Father's Day and, uh, good to see you all out there. Got people coming on in. Um, we don't know if we know Phyllis is off today. Like, if, if there's any potential holiday, Gary, any, you know, whether it's, you know, federal, state, you know, hallmark guarantee Hallmark, you're off. Yeah. Um, but Wes, second Cousin's day, she Had off her second cousin's Day. Exactly, exactly.
Not sure where Wes is. He might be off. Um, so it might be the, uh, Gary and Andrew show. I'll be playing, I'm not sure if I'll be playing Phyllis Wes, who knows who I'll be playing, but I'll be, I'll be playing one of the participants. Um, and I'll introduce our guests momentarily. Okay. So our title, Self-Governance, and CIS through the eyes of an MSP. And we got an awesome one today and a former recovering one, uh, on with us as well.
Um, so the reason I wanna do this, uh, Gary, is I actually was watching over the weekend in, um, 'cause I don't have much of a life. Um, I was watching some LinkedIn stuff came across, um, stalking Roddy as I always do. He had, he had done a, a podcast and, um, I, I was really intrigued what he was saying. 'cause again, it was around CIS and I just was at Pax8 Beyond, so shout out to, uh, the Pax8 group and Rob Ray.
Um, they did an absolutely stellar job for an inaugural, um, uh, uh, uh, uh, conference. It, it was, it was really, really well done. Yeah. Um, I think there must have been, you know, probably 1800 people total. So probably 1100 MSPs, if I had to guess. And then between Pax8 and, and, uh, vendors, it was, but it would be a lot of collaboration. Great job. But, um, CIS was heavily, heavily present. Um, and we're gonna be talking a little bit about that.
So, so coming outta that conference and seeing Roddy, um, uh, hanging out with Phyllis and Kurt at the event, moderating something with them, and Eric Wooder did a, he's in the audience. You can see him there. Did a fantastic job as always talking about he, how he's implemented the controls and the work he's put in.
Um, I thought it would be, um, you know, kind of timely also coming out of Gary, our last two onboarding sessions around risk, um, and the importance of using frameworks to mitigate that. So, uh, well Not only mitigate it to explain it to decision makers. Yeah, really good point. Like, There's two pieces to it, And not always to get rid of it, sometimes to make a decision to accept it or transfer it or, or make other methodologies. Right. So, Yeah. Yeah. Exactly. Exactly. Good point.
Really good point, Matt. Really good point. Um, so with that, uh, let me introduce our, uh, esteem. Esteemed, esteemed, esteemed guests, uh, starting off. Roddy, it's good to have you with us, finally. Thank you. Yeah. Tell us a little about yourself, your MSP, your background. Uh, the fact that you gave up your vacation to hang out with us, which is really nice of you. It's hot, it's hot outside. I'd rather be indoors right now. Alright. Uh, yeah. But no, thank you. Thank you for having me.
Uh, you know, my name's Roddy Bergon. I'm, I'm the Chief Information Security Officer, uh, at Enterprise Data Concepts. Uh, we're located in south Louisiana, Lafayette, Louisiana, and with an office in New Orleans. Background, you know, got a tech degree, went work for an auditing firm and, and assisted our audit teams with government audits and hospital audits and bank audits. I mean, you name it.
Uh, went work for a nonprofit, did some privatizations with the state of Louisiana, was on part of their transition team working to like, you know, figure out how we incorporated technology and, and merged technology with the state, uh, what they were working on. And then said, uh, I missed it. And, and got back into the MSP game. Uh, started working for Enterprise Data Concepts as the director of operations, built out their full MSP side.
They were a break fix shop whenever I came in and, and just rocking and rolling with cybersecurity and, and preaching the good word of, of, of control frameworks, especially CIS controls. Yeah. Very cool. And, and you, you've actually put your toe into public office as well, right? Uh, yes. Yes. I'm, uh, I'm running for, uh, for school board here in Lafayette Parish. Uh, everybody asks me, you know, why are you doing it? And I was like, why not? Someone has to do it.
And you'd rather have someone I think, who's who's, who's got some passion there and some heart there who wants to see things, do things better. Uh, and, and that's just, you know, it's, it's one thing I'm just passionate about. Uh, I wanna see things, uh, get better around here. We all know education has a strong tie up to poverty and, and crime rate, I mean, you name it, education has a, has a, has a huge tie to all that. Uh, so we have to start somewhere, right?
So we're gonna start with education here. Yeah. Gary, you ever notice you, God, God, God bless you, man. I mean, uh, someone has to do it, but it won't be made. Yeah. Yeah. And that's, and that's, that's the thing, you know, like, who's it gonna be? Right? And the people who I think, who are, who are, uh, who tend to be smart enough to say, I wanna stay out of it, are usually the ones who probably should get into it because they have Yeah, exactly. They have the capacity. Yeah. It is thankless.
It is thankless. But you, you do it, you do it for the betterment. Right. But yeah. You, you ever notice what's interesting is folks that really, um, are are doing lots of things in their life. AKA Roddy, right? You know, he is heavily involved in cybersecurity, passion, you know, incorporating it, not only in the company, but you know, as we'll talk about in their clients. Like, people that put in the hard work aren't afraid to like, be in multiple different things.
It, it, it, there, there, it, it shows up. It's just so good for you, Roddy. It's, it's just, thank you. It's, um, I I love looking at disciplined people, the, just the, the, the mindset there. Do you know what I mean? Yeah, yeah. Yeah. And really, to me, what it comes down to is, uh, ironically, you have to be able to say no. Like, I have a busy life, right. I'm involved in a lot of things in my career. Mm-Hmm. And I have my family and I, you know, I say no to almost everything else. Hmm.
That's what it takes to, to find your way and find and pursue things. You can't do everything, you Know? Right, right, right. Is that why I, I never get any text responses. Yeah. Alright, Matt, welcome. A lot of the folks know you out there, but for those that don't, uh, a little about yourself and your background. Yeah, yeah, absolutely. So I'll start with, my eyes used to be straight. I got punched in the face real hard as an MSP.
Uh, so no, I, I started out as a break fix technician in Wichita, Kansas for a company that was just under a million in revenue. Uh, and decided very quickly that I wanted to be a part of that. I was able to purchase a portion of that MSP and watch it grow from seven humans to over 170 before I left. And, uh, you know, most of that is, uh, you know, from the benefits of listening to the man down in the bottom left corner for a bunch of our early history. Right. So, uh, but, uh, yeah.
So one of the things that happened was as we merged together to become a large entity and started acquiring entities, one of the entities was bought before We had a real good due diligence process. And, uh, there was no security team brought in, even though the director of security was there.
Uh, and, uh, they were ransomed by an evil ransomware gang, uh, resulting in the loss of a million dollars in, uh, actual costs over the course of time, as well as the entire firing of every single client. Uh, and also quitting of every single employee of a million dollar acquisition. So if you do the math, that's a million. A million. And an opportunity cost of a million, um, which gave me an iron, uh, sharp sword to build a very, very secure That's like 50 million, I think. Yeah.
If you really took it way out there, you're not wrong. But at least in the short number, it's, it's pretty ugly. Right. So, yeah. Um, but, you know, the, And that's after tax dollars, by the Way. True. Good call out. That's not grossed up for taxes, right? Yeah, Yeah. Right, right.
But short story is, you know, that resulted in the ability to adhere to a safeguard framework to write the email that says, Hey, I'm taking away your local admin rights and watch the revolt happen, and start having that conversation. Uh, and resulted in me realizing that some of the industry itself was broken. So I spent the next, uh, five years or so spending time in advisory councils and ultimately wound up at Pax8 doing very similar work. So, um, yeah. Thanks for having me.
I appreciate it. God, God, God bless you for that work, Matt. Like, It's, I know it's a, it's An uphill battle sometimes. Uh, and, but it's, it's, you know, we're, we're starting, we're starting to see the changes. You know, we're starting, See we're, and it's because of stuff like this call right here, right? It's this group, this community. So it's awesome. Thanks for having me here. Yeah. Thanks for being here, Gary. So, do you wanna be Phyllis or Gary? Yeah, I'll be Gary for now. Gary.
So Roddy, um, the last two calls we've been talking about just a lot of things, um, but onboarding specifically of new customers and the risks that are associated, how people, what they are and how people handle it. Um, but it also kind of, um, you know, overlaps with, um, controls, right? CIS framework and I want to see how you have incorporated CIS into the onboarding process, how they fit together for you. Yeah, yeah.
You know, when it comes down to like, whether or not you're gonna onboard a compromised environment, you feel like it's the chicken and egg scenario, right? What, what came first the client or the compromise? Uh, so, you know, we don't, you don't always have enough data, right? To know someone's gonna compromise. You can, you can get some clues, you know, sometimes we'll onboard a client and I don't wanna get in the way of sales, right?
'cause, you know, we want to, we do wanna close more clients, but, you know, we'll start doing some data discovery, right? Dark web searches. I might run some clients through like ransom watch or some breach databases to see what pops up, right? Just do a quick cursory look. 'cause sometimes they don't know. Uh, right. Uh, but we always assume, you know, breach in a network whenever we, we call, we, we take it on, right? We always assume that something, Say that again.
You always assume, Always assume the network is breached and we take it on until we can, we can have a relatively known state, Which is a pillar of zero trust, right? That is one of the core tenets of zero trust is assume breach. So, yeah. Yeah. Because I mean, because 'cause you're always gonna have someone who's been in that network before, um, you know, you have to kick them out legitimately, right?
So, so we follow a mix of like our own best practice stuff from our incident response processes of like, go change passwords on switches and yada yada, yada. But we also adopt the CIS implementation guide for SMB. So if you've never seen the implementation guide, so like 20 steps, first one starts with data discovery, right? Like, know what you're dealing with. So pre-onboarding, you know, we're asking questions, right? Our onboarding questionnaire, I think is about 20 pages right now.
Our sales team hates it. But like, I'm just, we're asking just everything from like, what's your budget? What's the age of your workstations, type of existing warranties, so far? I mean, you name it. We're just going through this list. Like we're trying to get as much data as possible. We're trying to understand what we're working with, but also kind of gives you an idea of the maturity of the business to some extent.
Um, 'cause you know, we go into some very low, you know, operational maturity clients and I mean, we, we start throwing tools on there and next thing you know, you know, we're, we're starting to get hits from things, right? Like, uh, but, you know, pre-work, uh, with our clients, you know, we give 'em a two pager. We're like, here's all the things we're gonna be doing as part of your onboarding, changing passwords, setting policies, give 'em a heads up of what we're gonna do.
And at this point we're, we're, we're trying to get buy-in with our changes, right? That's the first thing we do. It has to be tied. You have issues 'cause you do all that. Yeah. But you are communicating mainly with the decision makers. Yeah. And some things you do affect the end user, and are they, do you have situations where like, oh, you got this new IT company 'cause they didn't even know they had risk or a problem, they're just trying to do their job. Yeah.
And you get pushback on that, or you have a bad first impression? Yeah. I mean, yeah, we get put, we, we, I mean we get pushback from clients, but you know, we, we let them know as part of the whole thing. Like, this is, this is gonna better things in the long run. Um, you know, our onboarding process, I know people always say like, Hey, it's a, it's all, it's for always be onboarding, you know, like always be, always learn new things.
But like our, our onboarding process is like a 30 to 90 day process, depending on size of clients. We're, we're making these two pages worth of changes and we're testing them and we're rolling them out, and we're gauging and we're seeing how many tickets we get, things like that. But really, I think our, our alignment process is where we really want to be. That's like a, that could be a two or three year long process. Sometimes up to five, depending on how new hardware is continuous.
It is, it is a hundred percent continuous. And at the same time, all of our alignment, all of our onboarding, all of our pieces are all aligned with CIS controls, right? Like, so about three or four years ago, I started saying, all right, what are we doing as part of our onboarding? And how's this map to our CIS controls and where's our low hanging fruit? And the easy things, uh, you know, I can start doing log data collection without interrupting a client, right? That's all on the back end.
They don't, you know, things like that. So, you know, we're installing our agents, we're collecting data, you know, we're putting our NDR clients to start collecting data from their, their network switches and everything. And we start discovering things, right?
You got open RDP, they have a, you know, VPN with no MFA, we had one where the copier was exposed to the outside world, uh, because they would just like map the, the NAT was just like one-to-one for a copier, so someone could print remotely. But that left the admin page open and the password was admin, and the username was admin, password 123456789. Like, I just guessed it. I was like, I'm in, you know, and we, you know, you just find stuff like that, right?
So like, maybe they, I was thinking about it today. I, I was in, I'm installing a, uh, EV charger, you know, for an electric car. And first thing you gotta do is put it on wifi. And I go by these offices that have all the chargers out front, and I'm thinking, Hmm, I wonder how secure they are. 'cause probably the IT people didn't set those up. Some vendor came in and just asked them for their wifi password and just connected them, you Know? Yeah. Yeah.
So like, we're, we're just, we're just doing the data discovery for like the first week or two, just learning what they have, what's exposed, where they're storing their data. Like we really can't, you know, like I kind of look at CSF, 'cause CSF is kind of where I cut my teeth on, on learning some things. It's like, the first thing I tell you is, is you gotta identify, right? You can't protect what you don't know about. Uh, so like, we had one, we onboarded a client.
It was a 2016 Exchange server. And within like a day we were getting hits from our, our, our SOC. That was like, yeah, this thing's been breached, like, six months ago. Yeah. And like, so you, you just find things and you're never always prepared, but you can at least have some kind of level of where this client's at in a maturity level during the onboarding process. What Do you got, Andrew? Yeah. Two things I Wanna wanna say. First is a comment, Gary.
It's gotta make you feel good hearing the word alignment come out of Roddy's mouth, especially when the first word is continuous. Yeah, yeah, yeah. But I mean, I'm, you know, look, uh, it'll sound like I'm a sycophant here, Gary, but you've really had an impact on this, on this industry. I mean, no one was talking alignment, you know, before you did.
And, you know, you built a business around it, and it's just really cool to hear, you know, now we're seeing, you know, alignment match up not only with just, you know, what best practices are in your MSP, but now alignment to frameworks. So, yeah. But I wanna add something to this, Andrew, because one of the things you just said is, is exactly right. What we're doing in security is nothing special, different or unique.
It is simply applying the same stuff Gary's been talking about in a new and unique ways of things that we hadn't considered part of the fold of what we needed to do before. Right? No difference. Like same, it's same work. No, it's just alignment. It's just really all that it is knowing, you know, uh, which is much different than documentation, which is a representation of the current state as opposed to comparison with the desired state. Yeah. Which is, which is alignment. Yeah.
And now we're, now we're trying to figure out that, you know, frameworks are, are there, and then some, someone's smarter and better than me has already figured this out, so why do I go reinvent the wheel? Right? And that's, and, and then we, we turn to, like, some of the stuff I'm doing with like, uh, some conversation I'm having with local, with government about, about regulation frameworks, MSPs trying to reinvent the wheel, you know, it's like, hold on guys, like pump the brakes.
We've figured this out to some extent, you know? Yeah. Don't shoot an ant with an elephant gun. You know what I mean? Like, there's some reasonable, like, starting with standards is like, Hey, do this before you do one more thing. Yeah. You know what I mean? Like, don't do 50 other things first. Yeah, that's, that's a great point.
I, I don't wanna go off, I want to ask this question, but to, to your point there, Gary, is, you know, what Ryan Weeks used to say all the time, people would always ask him, what's my next tool? He'd be like, nothing, nothing. Absolutely No more tools. Let's look at what you currently have and is it even implemented correctly right before we go to the next and the next and the next tool. Yeah. Yeah.
That's leading to my next question for you, Roddy, which is, I know you're a fan of only having the tools that you need and, and no more, you know, we track tools across 300 and some MSPs now, uh, in our peer groups. It's like, I think the average is 40 tools, right? It's preposterous and a lot of 'em are small MSPs. Like, you're a small MSP that's under 3 million. You don't, you don't even have a dedicated role around that. Yeah. You know what I mean?
Um, so tell me how you look at this in terms of like, looking at like IG1, let's say. Okay. How do you look at it and trying to minimize the tools that you need to help along those, those lines? Yeah. Um, I mean, first thing is I, I find, and maybe just just me and my, my discussions. I have my hallway discussions with MSPs, but a lot of 'em aren't taking their existing tool set, understanding the full thing, and then mapping of the CIS controls. They know exactly what they do, right?
Or they get tiny shiny tool syndrome and they're like, oh, this tool, this tool documents everything and, and puts it into, into my documentation system for me automatically. And they start going down that rabbit hole of new tools. CIS controls, right? Asset inventory can be as complex or as simple as you want. I can have a spreadsheet written down with all my assets and I've met 1.1, right? Or, and it's just, we tend to overcomplicate things sometimes, right?
Like, let's talk about like BitLocker, right? Like drive encryption. I could roll that out with my PSA or I can go buy, I mean my, uh, RMM or I can go buy a whole new tool that does just that, right? We're, we're not fully understanding our tool sets and what they're capable of. Um, and, and just other things too. Like, uh, DNS filtering or DNS protection, right?
There's tons of free ones you can just pop up there just to meet that control where you're at right now, and then maybe later on as you mature as the MSP, as you raise your prices, as you start showing your value, you go out and you get a DNS filtering tool that lets you get more granular at it. Like, both of those still meet those controls in my head. So you're using common sense? Is that what you're trying to say? Well, I think, I think, look, we're, we're tech, we're technical people, right?
That's a lot of it, right? Don't you think That's a lot. It, it's, don't let perfect be the enemy of good. Yeah. I think that's the challenge. That exact quote is in my, is in my notes here. Don't let, don't let perfection be the enemy of good enough, right? If we 80 20 rule, we can get 80% there. It's good enough. You meet the definition for that. Next, Next, next, next, next. A lot of MSPs like to shoot an ant with an elephant gun, man. Yeah, True. Cool.
I'm gonna get that tattooed on my back, I think now. I think you've said it enough. Yeah, I can do it. Can can I just ask this quick question because it's, yeah, go ahead, man. It's your show. Yeah. So, um, I'm, I'm just gonna put this in chat, Matt. I bet you've seen this. And I'll start with Roddy though. Um, last week, CISA's directive to basically say to all federal agencies that they shall not have any internet-facing devices any further.
And they, they put forth, you know, and this is in the wake of, you know, you know, compromise after Compromise after Compromise by Fortinet. And I'm not here to bash Fortinet 'cause man, they were a, they are and were a fantastic organization. Um, Matt, do you have a comment here? Because I, I just wanna put this that, you know, it would seem based on the four configurations, Matt, that CISA put out there.
I mean, they're talk about, you mentioned zero trust, but it would, this is a really good document for you to, I think, to show your customers to say, look, even the federal government, even though you see here in, you know, figures one through three, you do see VPN still as an alternative. I mean, if, in my opinion, if you're an organization still supporting VPN, I, I don't know what you're doing. I mean, honestly, but, but no matter.
Your, what's worse about this is if you look at the scope of this directive, it's literally devices for like iLO and iDRAC, right? Like literally saying, Hey, please stop exposing your management infrastructure to the internet. Yeah. So let's put this in scope, right? It's so broken that that's what they're having to say. They're not talking about web applications here. Yeah. They're talking about management interfaces being exposed. Right? Right.
They had, I mean, yeah, they were breaching ESXi hosts 'cause they were exposed to the outside world, and it's like, who's exposing those servers to the outside? Why? Right. Like, but that was, It was that ESXi one was a big one recently. Uh, Well, and for God's sakes MOVEit, which is an external FTP direct sharing site. Right. And, and the exposure Just over that.
Well, By the way, I, I have a call, uh, a poll question I'll put up, but Gary, are, you start with, you MOVEit, are you surprised that like so many SMBs are using this tool? Are, are you hearing it in your peers, um, that their customers are being compromised in this? Yeah, and I'm surprised By it. Yeah. In in in what respect for you? Uh, I just, I, it's not something I was aware of. Yeah, yeah. Yeah. Um, Roddy, is this one surprised you a little bit? Um, I mean, no.
I mean, first thing we first heard about at beginning of June, we was, we did a search, uh, for installed software across all of our client base looking for MOVEit or anything related to it. We found nothing. So we were like, all right, cool. Next thing was like, all right, so we're not using, so our clients aren't compromised. We were like, we'll see what comes out of it.
Then we started getting news, like the state of Louisiana's, OMV, whether, I dunno if it's vendor or OMV itself got breached. And I was like, okay, well I need to email all of our clients. We got like four, four, uh, emails back to me from clients who are like, yeah, we work with vendors who use, uh, who use MOVEit. And I'm like, all right, go change your passwords, your login information for it right now. I said, then we need to get on a phone call with them.
One of 'em was a, was a very large insurance company. Um, and, um, they, they were like, uh, we'll let y'all know. Uh, we were still digging through it. So, Gary, I wanna put a time out here real quick for Roddy. I hope everybody is listening what Roddy just said. 'cause it is such a step in the right direction that so many MSPs miss. He's asking his customers in their supply chain. Are any of your suppliers, vendors, is anybody in your supply chain using MOVEit? Yeah. Yeah.
Because like, we, we don't always know, like we, we, we have our tools, it's pulling in, that's all the data, what's sell, but we don't know what services they're always using, you know, and that's, That's the future replacement of the commoditization of what MSPs have, have done. Right? I think it's that deep strategic, uh, security role where you're saying, Hey, let me make sure and remind you, you have a supply chain risk. You have your own control 15, right?
Let's see if we can't help you be better about that, we have this new news. We know it's a major vulnerability, maybe we should, should go down this path with them. Right? And I, I think that's the point of, that's a value add Roddy of, of you actually adding strategy value to the vCISO role, right? In that, in that kind of respect, however you just choose to label It. Yeah. Yeah. But also shared risk is just assumptive in everything Roddy has said. Yes, true.
It's just, it's just the starting point. He's not even saying we have shared risk. It's just, just every statement he's made and how he talks with and to customers is under that assumption of assume breach and shared risk. That it's their jour it's their journey that you're helping them with Roddy. Yeah. And that's, that's, we talked to our clients. We onboard, we talked about the partnership, right? Like, it's not gonna be it making you safe. We both have to be a part of this.
'cause I don't know all your business processes. I don't know where all your data's stored at, but we're gonna walk through this over the course of our relationship, we're gonna figure this out, right? Like any, like any good relationship leading up to marriage, right? You wanna know the ins and outs and everything else, right? You don't, you know, that's, and that's how we kind of, that's how we start our conversation.
So when we, we were talking about pushback earlier, we don't get a whole lot of pushback because we start with that conversation of like, we're gonna be asking you a lot of questions or we're gonna be working on your policies and procedures internally and how your staff works. And like, we, we, we start the conversation non-technical. It's not like we're gonna put a bunch of tools and you're gonna be safe. It does not work that way. Getting Stakeholder buy-in, right? Yeah.
Management support Director. It's all about, it's all about buy-in and setting that tone at the beginning. Yeah. Roddy, um, just for Josh's sake and for everybody, can you, he's like, can you ple please? You know what we were talking about here.
Can you, can you give us a sense like when you're communicating to the, let's just say the business owners, the business leaders, like, hey, you know, you might, you know, I heard you're using, you mentioned you're using MOVEit in our questionnaire recently, which means, you know, you guys are accepting files back and forth with this supplier.
Can you just walk through for Josh's sake, you know, from a business acumen perspective, risk to revenue, why this could be impactful to that, to that business that you are doing business with that doesn't have MOVEit, but their client or their supplier rather does. Yeah. Yeah. So I, I, you know, I've been involved in a lot of incident response and in, in PR nightmares, and you name it. And like for our clients, when we start talking specifically to MOVEit, right?
I had a conversation with, with four clients who came back to me and they were like, well, so why is this, like, one of 'em was like, why is this important? And I was like, you know, I don't know what kind of data you're exchanging with 'em Exactly. But if I was one of your clients, uh, and I found out that, that we were impacted by your, by your breach or by this breach, I, I would want to know it from you before I found out about it through the news, right?
Like, and, and we talk about loss of reputation, like the soft numbers, like not direct, uh, you know, you're gonna lose a client lose X revenue, but like, how much money are you gonna have to spend in, in marketing and PR to like gain your reputation back even through no fault of your own, your clients are gonna see that as, as your fault, right? So we, we, we talk about that in a, in a non-direct manner with them.
And we tie it back to revenue, Which, which Roddy, if you don't have that conversation, then it's your fault. Yeah. It's, it is all Downhill. Yeah. They're gonna tell me in I, I deal a lot with attorneys, right? And they're always looking to like, how do we, how do we move blame, uh, you know, sometimes, and they'll come always tell me like, why didn't y'all tell us about this? Why didn't y'all explain this to this? Uh, we didn't know this was going on.
Um, and like, it's easier to have that pre conversation, or at least have an email or some kind of phone call with them, um, before it hits the fan. And look, this happens throughout the year for us, stuff that really doesn't maybe impact our clients directly.
You know, their stuff's not breached, but a vendor they may work with or something, they may hear in the news and start asking questions, and we get ahead of that so that they're not wondering if that's them or wondering why their IT guy not getting in front of them about it. Right? Yeah. And, and explaining to them what's going on Or what to do, right? Roddy, if if, for example, they were, their customer was compromised or their vendor was compromised, and yes, your data was exposed. Yeah.
Well, then, Then you can have a conversation on what to do. Well, and, and hopefully, you know, what data and how sensitive, what level of exposure, what, what was my shared responsibility matrix with that company? These are all things that we're gonna get better at doing for small to midsize business as MSPs.
I think that's where the future state of our success lies, is in that, uh, ability to articulate and understand and have a bit of a vision presence of the battlefield for what that impact is to your client. I think, you know, that is what replaces some of the plate spending commoditization of tech. You just skip right over a shared responsibility matrix. Yeah, fair. That's fair. It's part of my endemic understanding that Yeah. Yeah. Yeah. Very assumptive. Fair, Fair, fair.
I'm, I'm, I get to think future state, Gary, remember I get to think future state. So Yeah. Uh, I'm hoping it's there in future state. Yeah. I, I just, I wanna, we wanna get the map, but I Roddy one more question because, um, I, I've heard you mention this idea of, uh, self-governance. So I want you to maybe to talk to that and like what role do you think CIS could have in that as well? Yeah, yeah.
You know, uh, having worked in, worked in government and worked in, in public private partnerships and, you know, doing these government audits that I used to do, you know, I'm not a humongous fan of government regulation, especially at the federal level. Um, you know, I know sometimes they, you know, well, You don't think government's awesome at doing things Well. Well, here, here I'm gonna, I I have a different opinion, right?
My opinion is, is it's the federal government moves slowly because it has to, it has to be deliberate in its actions, and it has to make sure it's not steamrolling over things, right? Because there, there are rules and their, and the consequences from it could be a lot more for reaching even internationally, right? Sure. And, and so when they do something like, so people are talking about how, you know, government moves slow. I'm like, good.
It needs to, it needs to be deliberate and thoughtful and hopefully, you know, intentional in its impact, right? Um, but it doesn't move fast enough for tech, right? So we have an issue either we re Or doctors or attorneys or CPAs or exists everywhere, right? Yeah. Yeah. So, like if, if, if, if, unless we rethink how the federal government's gonna work and, and, and, and redo it, the, the next best thing is self-regulation, right?
And I know the states are getting involved, uh, and, and they want to do their own thing, but we can't have 50 different frameworks controlling 50 different states. That is going to be an absolute nightmare of things. Uh, you know, the, it will, you know, set the floor for MSPs and what it needs to be. Yeah. Um, but we're gonna be setting the floor at the penthouse at that point. And that's, that's, you know, always say it's, it's way too high to be setting the floor.
Um, so we need, we need a framework. We need something, uh, that's gonna work across, uh, state lines. And I kind of look at the Bar association, right? The, the, the, um, for, for attorneys, right? So they have, they have self-regulation, right? They have guardrails from the government, but the Bar Association sets the floor of what an attorney is. You have to do X, y and and, and Z to practice law. You know, you have data handling and privacy, uh, rules.
They have, you have to do continuing education ethics rules, you know, you have to pass the bar, uh, to even be an attorney, right? Uh, but CIS kind of holds that, that weight of, of just non-government interference, you know? And, and, uh, and they come from a place of community. I find, I find, yep. The tech industry in general is kind of fearful of government regulations.
When you have like a, a non-profit entity or somebody like CIS come in and say, Hey, here's some controls we wanna work with you on implementing them. Um, you know, they're more likely to accept them. Right? And if the MSPs are willing to accept CIS controls as the floor, right? Then you start to get the state governments in here and you say, look, CIS controls work. Look at what we're doing here. We wanna self-regulate.
Um, and you don't play this game of like 50 different states and 50 different regulations, right? So just use it as your standard or your rubric for regulation. Um, and then, and then we, we've got something here and we, we just self-regulate and, and we don't have to have other industries like the insurance industry or, or whichever telling us how we're supposed to operate. 'cause that's gonna be another recipe for disaster for MSPs, right? And, and look, look at, look at the M&A space.
You know, you got MSPs gobbling up other MSPs from other states. So 50 different states have 50 different regulations. Regulations. It's gonna be a nightmare for the M&A space. And I just have a ton of concerns there. You know, Gary, repeat about This is, this is coming from someone who wants to run for office, right? Like, But I love what you're saying, Roddy, because if you think about it, right? And Phyllis is gonna moderate a panel, by the way, with Eric Woodard.
Um, and, um, oh, uh, VC3, why can't I think of his name? He was on Ryan, Ryan Bur, uh, Ryan, Uh, Vesty. Yeah. Ryan Vesty, CEO at VC3. Yeah. And, and we're not sure the third yet, but, um, we're working on it. But they're going to be on a panel at the MS-ISAC. And if you think about it, right, the states, many of the states right, have implemented CIS controls and are adopting the controls and now have reciprocity, by the way, like Connecticut. So it's really good thinking.
Roddy, if you, I I love where you're going with this. Like Connecticut has a hold harmless, Gary. Yep. So if you are, you know, implementing CIS controls in Connecticut, and you can show Steve Farber. Yeah. Yeah. Thanks Matt. Yeah. And you're a business and you've showed due diligence and due care of implementing the controls and you're compromised, um, you in essence have safe harbor Yep. In terms of, you know, being sued by different entities and stuff like that.
So I think it is a really good rubric, Roddy, that you're going down that path and something that we can kind of all look towards. Yeah. Yeah. A hundred percent. Yeah. Matt, from your standpoint, like there has to be some starting point. I think you're agreeing right now, CIS is probably the best. Oh, absolutely. I mean, when you get down to it, I like to say that that CIS is the, is the how to NIST's what, right?
When you start thinking about NIST, the, the origination of that was to be extremely pragmatic and wide and not give people a summative list of things to do. Therefore, they have to be practitioners. Whereas when you look at CIS, it's extremely stove hot, don't touch stove, right? 9.5, implement DMARC to Roddy's point, turn on BitLocker, do those basic things. They're all those basic standards. Um, and so it's, it's absolutely the direction that we're heading.
And the nice thing about it is it's meant to be iterative. It's meant to be not only continuous alignment, but continuous improvement of what we're aligning to. The standard will change over time as you get better at it. So, you know, you could look at a CIS safeguard after finishing all three, IG1 and IG2 and IG3, and come back and go, oh my God, I had this completely wrong. As is most things in life, right? You, you can, you can see the growth and its over time of your capabilities.
So I won't go too far into the evangelism of it, but I, I do think it's extremely effective as a, as a way to do things And, and no one which to use to communicate. Like I know, like in a, with customers and with prospects, you know, you start from a NIST perspective because we can have these conceptual conversations Sure. That really do explain what assumed breach means and why you need to make investments both right and left of boom. Yeah. In a real easy, contextual way.
Then only then if po you know, you may need to go deeper, but sometimes from that standpoint, you don't. Well, and, and Eric's hitting the nail on the head, like back to Roddy's point, and Roddy, you can cut me off here just like I did too here in a second. But, you know, to the point, we need to self-regulate, and it's not just our own shoes for the cobbler, right? We need to make sure we're protecting ourselves, but how do we securely handle and interface with clients?
How do we set standards on what's expected to be that outward service provider too, as part of it to Eric? Uh, Eric's point here in the chat, right? Yeah. Saying you need to extra, but the other challenge with this is if I simply regulate MSPs, if I simply say, you are an MSP, TSP, MSSP, blah, blah, blah, blah, X-P-R-P-C-P, whatever it may be, at the end of the day, we still have people say, I won't pay that price. I'm gonna hire someone internal, I'll, I'll get cousin Johnny to run it.
It's getting easier these days. So you all also have a challenge with SRO of needing to regulate anyone turning the wrench, right? Yeah. And this same concept like FINRA did with FINRA being the auspices of the SEC for regulating my Series 7, 66 and LHVA. Right? And so there's a lot of talk to be gone into this, but I think the elevated piece that has to happen first is mass and adoption.
And I think following a, an adhered set of standards, like Roddy, I know you're with the state of Louisiana stuff that you've got going on and all the different talk that we're all involved in. Yeah. Even CompTIA Trustmark, to someone's point in the comments, is using, uh, CIS as their, you know, 151 of the, of the 200 ish safeguards that are gonna be in part of that. So, you know, getting started, Gary, to your point, The most it takes time. Think about FINRA, it did decades.
Decades Oh yeah. Of Open issues to eventually get somewhere there. True story. We're at the very beginning. Very early. Yeah. Yeah, Yeah, a hundred percent. And, and look, it, it's, it's gonna take some time. And I think that's one of the problems with adoption too, is that we look at it and we say, oh, this is too much. And, and you, and you pull back instead of just starting where you're at, right. One Bite at a time. One, the funniest things ever heard is like, you know, yeah.
It's technical people, you know, before they pull out the garage, you gotta make sure all the red lights turn green before they hit the street. And it's like, I was like, that just nails a lot of technical people, right? They, they, they go also over the easy stuff and they go look at like, oh man, how am I gonna deploy SIEM across all my clients? Or how, how am I, I've never wrote an acceptable use policy before. I Oh, that's, that's way too much. It's like, just start where you're at.
Just start where you are. Yeah. Sit down and say, what can I do right now? What are we doing right now? Map it and say, okay, what can I do in the next quarter, in the next six months and next year? You know, I, I tell people, start with a crappy policy. You know, you can follow and iterate upon it with its weaknesses. Right? Like, start where you are. Don't, don't make it perfect. The enemy of good. A screen, a screen door's great.
I'd rather have a solid door, but a screen door can work too for, you know, you just start where you're at. It doesn't have to be perfect. Yeah. You don't have, Yeah. I'm gonna hand it over to, uh, Andrew, but first I want one more thing. Roddy, as you are going through and rattling off kind of like what that onboarding process feels like, looks like, that's a lot. Like, that sounds expensive, right? Right. Yeah. No, There's, there's a cost to doing all that. Yeah.
And like, look, when we started, you think we were charging what we're charging now for clients? No, we were charging a lot less, but we and our onboarding process matured and we learned what we had to do, and we showed value to our clients, and we show 'em what we do and our prices went up because of that. And they're willing to pay for it, and they're willing to pay for it. And look, that's part of the thing.
Like we don't, I mean, like, when we're prospecting clients first, we walk in and be like, here's our price. It's, it's, it's two 50 per endpoint. And if, if a user, and if you can't do that, then like, I'm sorry, you know, you have to go with someone else. And then if they bite and they're like, well, you know, let's talk about it, then we start showing the value. Right?
Um, 'cause if they're not willing to pay for the service that we're providing and, and, and, and making things better, it's just not gonna happen. Right? But, but we weren't always at that point. I don't want people to think I started day one and we had all these great tools. We were charging the, the right price for our, our clients. It's Not how it works. It's not how it works. Right. And our onboarding process used to be very simple.
It was collect data, install our endpoint agents, and just to be done with it. Right? And that was our first onboarding process. Now it's turned into, uh, uh, uh, doing like 20 something. I forgot what my percentages of the alignment piece upfront, because it's not a whole, it's not very impactful to, to, to, to staff at the beginning and then learning and then the alignment piece with the, with the TAMs when they go out there and, and, and start aligning.
So it's become a lot more mature process, but we started somewhere, right? And, and that's, that's the point I wanna get out to people is you, Technology Alignment Managers, TAMs Yeah. Tech. Yeah, sorry. Uh, you don't have to be better. You don't have to be at a level of a mature MSP, you just have to start and you have to be better than you were. It's endeavor to be there. Yeah. Yeah.
Gary, I used, I like to say, you know, when somebody asks me about price a lot and way more than you wanna spend, But not as much as you need to, right? Yeah. Yeah. And we love our customers too much, not to charge them enough. Exactly. Yeah. Hey, miles is in the house. Miles nailed it. Yeah, yeah, Yeah, Yeah. When, when, uh, when, oh, He came a long way. I'll tell you that. Yeah. When my wife, when my wife had her, my wife had her photography business, right?
She was charging like way low prices and I was like, double 'em. And she was like, what do you mean? I was like, like you booked every week. Double 'em. I was like, if you lose half your half your clients, you're still making the same amount of money. You're doing half as much work. And she know what happened. She doubled her prices and she was still booked every weekend. So it was, I'm Gonna see if I can find my notes with miles from 2008, and I can tell you what his price was then.
That's Awesome. He runs an incredible MSP, Miles does. Yeah. Does A great job. He's, he's awesome. Hey, so Matt, um, uh, again, uh, congrats on the Pax8 event. It was awesome. That team crushed it. You guys did an amazing job as well. I'll tell you, there's hundreds of humans that spent the last six months doing everything they could to make it as awesome as it was, and they really crushed it. So anyways, gotta say my one plug, I swear that's it. I'll keep it to one. All right.
So, um, one thing that, you know, I was, I was literally taken aback by this 'cause you, uh, Pax8 mentioned that, um, we are going to align our marketplace to CIS. I mean, that's, it's a pretty profound statement. So talk to us about that and then what's in it for MSPs, because Yeah. You know, and, and I, I think even to the degree of solutions that you guys aren't even carrying, so I, I, I really wanna understand and I want people to understand, you know, the why behind this.
'cause you know, CIS doesn't get a thing out of this, right? Right. So this is an interesting play. I would like to know more about that. So I, I tipped my hat to this as nicely and gently as I could on the main stage, um, about this changing customer, right? And, and it comes down to if you're selling to an immature consumer, flashy marketing stuff is beautiful. Stops all threats, can protect you from anything, never take a punch, won't get wet in the rain, can't have your soup go bad.
Those things are very easy. And as those maturities rise, you now have to have more data to have that conversation. You now need to actually talk about the what. And one of the things that happened was the vision of the platform through Scott Chason and team collided with the vision of my gap in, in the environment to some extent, which is when I asked vendors, what do you serve? What do you do to make Roddy's job easy?
When he's trying to figure out what this tool does for me and map it himself as a practitioner just learning in the wild, what do you think your tool does, Andrew? Would it surprise you to say that no vendors know that answer? In fact, I say that almost unilaterally no vendors know that answer. Roddy, what are your thoughts? Do they have that? Just quick, quick question to you and then let Roddy answer.
Matt, you done, it sounds like you really took kind of like Sounil's kind of approach, right? To starting to ask vendors because that was his initial use case of the cyber defense. Yeah. Is that A clear We kind of collided actually. So I, I found Sounil's book as I was doing this work project over the last couple years of trying to manually find a mapping to say, okay, if I buy X product, does this help me with 7.1, 7.3? Is it fully satisfying that, is it partial?
And so it's very granular, but you're right, Sounil took the same kind of where does this map, how does this map to protect functions and people functions and data functions and all of that, and that beautiful, beautiful Cyber Defense Matrix. So I would say they're definitely additive and certainly supportive of the same direction, Andrew, in my opinion. So, so Roddy to your, to Matt's question to you. Yeah.
So, so not often, I mean, last year we did the exercise with Pax8 where we walked through and we were like, all right, let's map what you do, what you have to CIS controls. And, you know, we did, I I think we were, we were fairly good there, but you know, that was through my own, my own work of mapping those controls, right? So actually, Yeah, I'll give Roddy the credit. It's Roddy's idea.
Yeah, we, we did, yeah, we we did, we was in a spreadsheet last year, worked with our k it was, it was fun. Uh, but so that, That started, We did that manually, right? And, and, and to my point earlier about like over tooling, you know, like, yeah, this is part of it. 'cause you don't really know what your tools are doing and you're over tooling.
And then we bring in supply chain risk now into the major, like you got 40 something tools that you have to manage and, and worry if that's gonna be a source of a, of a, of a compromise for you or your clients. Like yeah. It's just, it's, to me, this is the value of the Pax8 marketplace now. Like what are y'all trying to do? Is now you start people, I think MSPs start to realize they are over tooling because they have tools that are overlapping sometimes 50, 60%.
And you know, it's, I think you're gonna have some, some pretty, some pretty great conversations with MSPs about some of the tools they're Using. Well, you, you hit the nail on the head back to Andrew's original question of what's in it for the MSPs. Yeah. Once you get a data set like that, right? And, and Roddy full circle, I actually had your TAMs start doing those consults.
So I, I think the point back to me initially then, now that you've stated where that came from, uh, about 18 months ago, I teased, um, but genuinely when I came in Andrew to Pax8, I was noticing we're just selling an ever increasing field of security tools. When there was a map right in front of us, a map saying, here's 153 subcategories of things that I can say at least this does that piece for me. You know, 9.5 implement DMARC. Valimail, DMARC, and platforms like that, slam dunk.
That's what they do. I can say they fully meet it. When you start getting into, you know, deploy anti-malware on assets, well assets are Windows, Windows Server, Linux, macOS, iOS, Android, ChromeOS, which breadth and use, right? Like there's all of this, this breadth of just user assets. You're getting Roddy started on assets. I didn't mean to do that, but lord Jesus, that turns into three days.
The point is, imagine a world where all of that data's mapped, whether it be in our platform, whether it be in somebody else's data set, and then that data now says, I wanna find the one that covers the most of these for the most efficient cost that meets the most of my OSs and the things I have to protect. That's a machine learning dream, right?
That's a lowest ball in the variable field dream that that's literally optimization at its finest, which is what machine learning is really, really good at. Yeah. So you start getting into a world where, what does it mean to an MSP, an experience that at some point could guide you from absolutely picking needs to fulfill along CIS, that's a well and common accepted framework that can be mapped across to ISO that can be mapped across to, to, to, to SOC.
That can be mapped across to, uh, 800-171, things such as that. Then now I can say, okay, well find these pieces that I need and find them that maybe are already in the tools I use. If it's another feature or SKU, maybe they're in things that I, I'm just not using already that I have, that needs to be surfaced. Like talk about helping enable and drive the success of an MSP through data-driven objects. Right?
Where now I'm looking at functions I need to preserve, but the challenge obviously still exists of you still have to know what to do with it. You still have to have the policy, procedures and governance. You still have to have all that. So there's still a mountain to lift, but I started with, and this is my pet project, of meeting with vendors and mapping three lenses, uh, of That. So, so, so Matt, are you saying that Pax8 is starting where they're at in this? You're damn right. Roddy.
Bergeron. You're damn right. So, Roddy to you, like, it's interesting that you, you, how you kind of concluded that, right? It's like tools, right? And, and again, I'll come back to, uh, Ryan Weeks' quote, you know, but you need people and process. Damn, right? Yeah. You know, this, this, and Gary, you know that better than anybody, right? And governance. Yeah. Governance is And governance. Yeah. No doubt. Go. You're on mute. Gary, what were you gonna say? I said, and think about our marketplace.
Like think about what percentage of MSPs, you know, are under 2 million in revenue or under 10 employees. Sure, sure. Big, big number. Yep. Like, I don't know exactly what it is, but I'll say under 10 employees has to be over like 75%, right? In terms of the total number. Without scale, it's harder and harder, you know, to do these things. 'cause the level of discipline you need to start separating proactive from reactive and knowing where to start.
Like you have to listen to the advice today, which is starting where you are and knowing that you're not going to be able, based on your pricing and your scale, you're not gonna be able to do all the things that more mature people that have more scale and hadn't been working on this for three years can do. That's unreasonable to, to put that on yourself. Yep. But you have to start somewhere. You can't just continue in the way that you are. Yeah, exactly.
So, I, I, I'm gonna ask this question first to Roddy, but if you could comment on, on Roddy, you know, your journey with CIS first. 'cause again, we talk about patient zero, and we had, we did have miles on the time with actually with Keith Bartel, and they both talked about building internal security.
So I'd love your journey, but Gary, can you just kind of cap off like whether you're 10 employees or a hundred, how critical is it to know your alignment of people and metrics and roles, you know, to that, you know, process and, and that delivery area? It's, it's the first thing. If you don't have defined roles and process in, in each of the delivery areas, you will have good intentions about alignment and governance. But you won't actually do it because you have to answer the ticket.
You gotta finish the project. There are things that you have to do today, every day. And so until you start to draw, and when people start to do that, that's when they realize the costing and make changes in their pricing. Like necessities, the mother of invention, when you realize, I I I, I have to have two people now that focus on this and I gotta bundle this into my, and, and I, I don't wanna defender are charging more than me. One, one second.
So, so Gary, was that your point in Right of Boom number one, when you moderated Robert and Eric when you said if you don't have dedicated roles and people to these things, I can guarantee you're, you're not, you and your customers are not secure. They're, period, it's impossible. Yeah. By definition. And they, I use a term that, that Matt taught me years ago, defensibility. I mean, like Matt said, that word so many times driven my Head. ChatGPT even Picks it up now. It Was in the days. Yeah.
So like, you know, when we talk to our clients, especially our attorneys, right? You use the word defensibility in front of attorney and they're just like, they just kind of sit back like, what are you talking about?
It's like, you can, you can listen to us or you can listen to yourself, but like, when it comes down to that court case, and I said it last week in my webinar, like, this is the difference in a civil court case between you having to, you or your client having to shell out $300,000 versus 30,000, right? Because you can defend some of your practices, uh, by using Exactly. Using framework. Exactly. Reasonable person rule, right? Yeah. It's, it's definitely a slam Dunk, prudent man. Yeah. Prudent man.
Yeah. All that. Like, what, what would, what would, how would you defend your actions in front of a juror of 12 people? And, and could you go up there and be like, why, why did you not have an MDR solution? And you just go, I don't know, it just couldn't afford it. Like, that's not gonna play out too well in front of a judge. Right. You know, like saying, Hey, you know, we, we understood the risk. Uh, we, we, you know, we best mitigate the best we could. Here's our risk register of this.
Here's the calculation we made before we decided to do this. Yeah. You can't shrug your, yeah. You can't just shrug your shoulders at the jury. You know, like, that doesn't work that way. You know? So we, we talk a lot about that with our clients, about defensibility of them, defensibility of their staff, and, you know, we kind of get into the human side a little bit more of like defensibility of their, their livelihood and their paycheck and their mortgage.
Like, this is all stuff, like, I've been in enough incidents where I've seen the, the, the full, uh, explosion in, in, in, in, in the consequences of poor risk management. And it's never the person who made the decision. For the most part. It's the people further down where it's like, yeah, we had to cut your job 'cause we lost this client because of, because of this incident.
Uh, and now you have other people looking for, uh, how they're gonna, how they gonna, you know, feed, you know, housing, food, all the other stuff that goes along with a, a paycheck. You have to defend that now, right?
And, and it's something not, not a lot of people think about, but, um, I, I tend to lay on the human side of things like do, if you really care about your staff enough and you really care about their livelihood, you know, you have your core values on the wall, talk about how like, family first and all this, like, you know, we all, we got, we gotta do some things to help protect that, you know? So, Roddy, um, we got about, you know, eight minutes left.
Can you, can you just talk to us about, you know, your journey? This was, I, I, you know, I, I was, I sat in a standing room only with Phyllis and Eric and, you know, and, and peers want to hear from peers, right? Yeah. And I'm meeting Eric Woodard, um, who's always incredibly selfless, like all you guys on this call, um, love Mr. Eric about his journey, um, implementing the controls in his own environment and then, you know, uh, his clients.
But can you talk to us a little about what it was like for you? Yeah. And, and how, you know, went about it. Yeah. So I'm gonna give him a plug to Gary. 'cause we were, uh, we were a, my IT process, uh, shop, uh, for a long time. That's how we kind of cut our teeth, right? And I was, you know, in charge of operations and I was like, you know, there's gotta be a better way. There's someone, someone's, someone's figured this out, right?
Um, so I'm actually in looking like plowing through some of the templates, and I was like, what's CSF? Like, what's CIS? I don't know anything about this. So like, started digging into that and I was like, man, someone really has figured this out, and I don't know what I'm doing with this, but like, I'm gonna start doing this. Uh, and I, I can tell you how many YouTube videos I watched of like what CIS controls is and, and, and like learning and asking questions, right. You know?
And then, um, I really, we really started internally, so we were like, all right, let's map our control. What are we doing right now? Right? That's the first thing. We gotta know where we're at and where we stand, uh, and, and figure that out. And then we started internally. So everything we do with our clients, we always do internally first from removing administrative rights, which Matt, you'd be glad I finally removed my own administrative rights.
So I took the, after our last conversation, I said, I can't let, I can't, I can't let Matt cry. So I took my, I took my own administrative rights away. Uh, you know, we, and we ruled through that and, and it, our staff understands it. And our, we, we educate our staff on why we do it. Like not just, we're doing this because CIS control says, so like, we're doing, this is why we do it. The why is the most important and hundred percent, and the, yeah.
And we tell the stories of like, Hey, we had this breach. If we would've done X, Y, and Z, you know, we may have at least limited this breach, right? We're all, you know, I go back to storytelling a whole lot. You know, we're all storytellers, uh, you know, cave drawings, uh, you know, we, we all speak to us. Uh, so, you know, that's, that's, you know, but my journey was started with that. It was just doing the simple things.
Uh, and like we didn't fully implement IG1 before we started jumping into IG2 because we were like, we could, there's some things I think we could more easily implement IG2 instead of forcing some of our clients to start doing IG1. Uh, so like policies and procedures, processes, things like that. Sure.
So like, we started doing some mixes of the two, and then when we felt like some of our clients were mature enough to start going to start doing some process and procedure stuff, we roll that, uh, up, right? Or, or if they're even communicative with us, like we communicate with them about policy, process, procedure. Is that a new SKU or replacing the value lost through some of the commoditization Roddy? Um, that, that's just, that's showing, that's showing value, right?
And, and wanting to show that we we're reaching across into their business side, right? Because we go back to the whole thing of like, what side of the balance sheet do we wanna be on the same size, the people who cut the grass and, and, and water the plants, or we wanna be on the same side as the lawyers and the, and the CPAs on their financial statement, right?
We're not, like, I always say like, you, it's okay if you wanna be a computer janitor, but I wanna be a, I wanna be a consultant and I wanna be that, that that trusted advisor, like that side of it. So we, we work that way. And like clients sometimes are forced by it. So we've had clients, you know, we have clients that work with Target and Walmart and Best Buy. I mean, you name it.
And those people are pushing down regulations on our clients that handle their data and saying, you have to do... With Walmart it's a 190-question questionnaire of, like, how are you handling all this? And how are you encrypting our data when it's resting on your network and your locations? So that's forcing them into governance, and we're ready for it. Right? Like, our whole company's ready for it.
So whenever they came to us and handed us the questionnaire, we were ready for it. We had all the processes, procedures and policies and everything in place. We were just waiting for them to come to us, right? But we'd already implemented all that internally. You know, we'd already implemented our training, our cadence with our policies, training staff on policies and procedures.
We had a little bit of work in there, and we were ready to roll when the client came to us and was ready for it. So it was a journey. It took us... That was pretty... So we've been at it for four or five years now, right. And it's still not perfect, and we're still not there. We still haven't gone to IG3 all the way at our company. We're trying to get there, but it's tough. Yeah.
But the journey of a thousand miles starts with a first step. You just gotta do it, you know? True story. Good stuff. Gary, maybe you could close us out with three minutes. There's a question from Tracy, but basically what he, or she, is asking (apologies, because I've seen both spellings) is about, you know, Gary, being able to show the box and the blob. That's really what they're asking.
I don't know if you can see the question, but can you give a sense? You were on the sales side; initially you were the owner-led sales, and then you obviously taught many people below you as you expanded. You know, you became 160, 80, you know, customers. You obviously had a big team. But can you talk about that dichotomy, so that even as a salesperson you don't have to bring in the security team to explain it? No. A little bit different with customers, right?
Because with customers, you may get to that point, because you're actually implementing changes and you want them to know. But at the conceptual level of selling concepts as a vCIO or bringing on new customers, you shouldn't have to do that. It's just this idea of using the framework, using what I used to call the concept of the box and the blob, which is, Hey, see this box? We know when you're in that box, you're going to be the most productive, most secure.
We have a framework that defines that box, right? So if your current vendor doesn't, and this blob, that's where you actually are. And we're always pushing you in and telling you where your risks are. It's okay to have a little blobbing, if you are aware of it and you choose it for your business, and it's a different risk for everyone. But if I'm an MSP and you're dealing with someone who's got 30 customers and they don't have a box, guess what they have?
They have 30 blobs, right? And finding impactful ways to have those conversations, you know, and then if you can tie it back to say, Hey, remember when we spoke, you said you had that issue around passwords. Can I just show you here an example of the 13 questions we ask once a month about passwords? Do you understand why my customers don't experience that? Yeah. Do you understand why they're... I have a hundred other things we do besides passwords.
Do you understand that I have dedicated roles, and why my customers are willing to invest a little bit more? Yes. Do you think that your current vendor, or any other vendor who's charging you 30% less, is going to be able to do these same things? Yes. Great. You're not choosing between vendors or prices. You're choosing between results. That's the whole loop, Andrew. Yeah. It's great. It's great.
And when you show it that way, Gary, like, Hey, your current provider, you're telling me, is a blob out here. And the way you just said it, you know, they probably have 30, 60 other customers. Well, that's just one thing that they have to manage around your security. Imagine all these blobs. I mean, it's just really... Well, and someone can picture that. You are not talking about security, right? You're talking about being able to manage risk in their business.
You know, it's not just about the technology. It's about the business. And that's what we... It's about the profit at the end of the day. Yeah. I mean, if we're really candid, it's about their profit at the end of the day. Yeah. Yeah. And this was really great. Matt, Roddy, thanks so much for being here. Super fun conversation and good stuff. Thank y'all for having me. Yeah, thanks Roddy. Have a great vacation, Matt. Awesome having you again.
Congrats, Gary. Thanks as always, my friend, for joining. This week or next, I'm sorry, next week or the following, Gary, we're going to have one of the lead authors of the Verizon Data Breach Report on with us. Oh, very good. So that's going to... Cool. That'll be fun. That's always fun. Yeah, it's great that they're supportive of that. So until next week, everybody have a fantastic one. Take care. Thanks again, everybody. Bye.
Related Videos
The Vulnerability Crisis No One is Funding
The Vulnpocalypse Is Here & Your MSP Can Survive It
The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois