Right of Boom
January 30, 2025

SLAs, Breach Notifications & Cybersecurity Considerations MSPs Should Get from Their Vendors

In this video, industry experts dive into the complexities of vendor risk management and how it impacts business operations. They explore the importance of secure coding practices, the role of third-party vendors, and the challenges of balancing security with business efficiency. With insights on current trends and best practices, this discussion is crucial for anyone looking to enhance their organization's security posture.

- The Verizon Data Breach Investigations Report (DBIR) is a critical source of insights into cybersecurity trends, with notable findings such as pretexting surpassing phishing in social engineering attacks.
- Vendor management and risk assessment are crucial for MSPs, as the relationships with vendors can directly impact business operations and security. Regular vendor evaluations and having a third-party vendor risk management program are essential practices.
- Understanding and communicating the potential financial and reputational risks associated with vendor breaches are crucial for both MSPs and their clients, involving discussions at the board level to ensure proper risk mitigation strategies are in place.

Guests

Andrew Morgan

Video Transcript

All right. Welcome everybody. Episode 145. We are live here on the cyber call the week before 4th of July. So just kind of a few housekeeping things, Gary, we'll take next week off, right, because of being the third there right before, uh, the fourth. And then we finally, after rescheduling Philip Lwa of the Verizon data breach report, like 16 times. Um, we'll have, um, we'll have the Verizon DBIR. So that's really cool. David will, uh, maybe, maybe that one will get us to 6,000 people.

I, I certainly hope so. It should. Um, yeah. Um, yes, Zach, we will be off next week, um, because I don't think anybody will be working per se. Um, alright. Um, let's see. Housekeeping. Yeah, I just wanted to make sure everybody, we'll, we'll, we'll put some emails and announcements out there because, um, I'm, I'm assuming that, um, Eric, Eric and David, you guys have seen the 2023 DBIR. It's, it's, um, real, really well done.

And, and boy, I'll tell you, I was chatting with Ryan Weeks quite a bit about it and fascinating about the data sets, um, and the changes that have come out this year. Um, you know, so just like one in particular that pretexting for the first time bypassed, um, phishing as a, uh, on, on on social engineering, which I thought was fascinating. Um, I brought a friend today. Alright. What's that, Gary? I brought a friend. Oh, you did? Um, Mike. Mike. I can't wait to see there.

Ah, now you have several friends though, don't you, Gary? I do. I have a couple friends here today. I'm gonna talk to Sue and tell her that you'd like another one. Yeah. All right. So let's get on into it before I introduce our guest, kind of setting the stage. So, you know, Gary, we spent a few weeks on, uh, you know, looking at risks in the MSP space around onboarding. Right? Um, and it was really good. Yeah, it was great. And I like this format, which actually you recommended Gary.

We, where we have MSPs on just about every week now. Um, and this, um, this week, uh, we, uh, we've got a great one on with us, um, as well as an awesome CISO. But Gary, in, in talking about those, um, we had some fantastic conversations. Things came up around self-governance. Things came up around CIS controls. Um, and then I, Eric, um, who is, is again, has been fantastic. He's been on, actually John Strand has had him on some of the Black, Black Hills actually, um, podcast or cyber.

Their, their version of the cyber cast, um, uh, messaged me. He is like, you know, I'd love, love for us to take a deeper look into another kind of view of risk, which is our vendors and, you know, what is it that we should be asking our vendors, requiring our vendors, vetting our vendors? And we've, we've talked a little bit about this before, but I think, um, you know, it's, it's really good segue from where we were, uh, the last few weeks. All right.

So with that, um, let me introduce our guests. First and foremost, um, one of the awesome CISOs in the channel, David McKen, McKennan, David, great to have you. I think, is it, is it three years now? You've been in the space already? Is It, it it feels like a lot more, but no, only two. Two. Wow. That's gone quick. Yeah, go by fast even quick. So not everybody knows you out there. Um, if you could give a, a quick overview.

Um, I, I love the background you come from 'cause you do have a lot of incident handling, uh, and knowledge in this area. So, uh, great, great to see you and, and again, awesome job at Right of Boom. That was a fantastic, probably one of the, the best sessions. Certainly better than, well, I don't know if better than Gary. It's, it was debatable. Gary will say his was better, but, uh, I'm not gonna say that You kind of set me up.

It was like, we're gonna start with Sunil, then we're gonna go to John Strand. And I was like, oh. And then Dave McKinnon. I'm like, well, s**t. Okay. Here, here we go. So you kind of made it, I'm glad where there was lunch in the middle for people to, to kind of slow down a little bit and, but yeah, they were hard shoes to, to follow. So, uh, well, it's awesome to have you. If you could tell a little about your background and everything, that'd be awesome. And then we'll go to Eric.

Yeah, sure. So, so Dave McKinnon, I've been with N-able right at two years. And as I've said to, to Andrew before, like I'm still learning the MSP space. I, I do typically come from the enterprise space. Um, I've spent the last 20 plus years in security. Um, I started out my career as a SOC analyst and, uh, at SecureWorks. And then I'd spent, uh, nearly a decade at ISS and then IBM doing all sorts of different engineering and professional services work.

Um, and then most recently I actually came from AT&T. So, uh, I was a part of the Warner Media Group. We were acquired by AT&T back in, I think 2016. Um, so I ran security operations, incident response, vulnerability management, um, security tools, engineering, uh, geez, a whole bunch of different stuff. Um, all that for, for AT&T and Warner Media.

And then I was offered the opportunity to come to N-able as we spun out, to become N-able, and really build out the program here, which, uh, I was really excited to do. So it's been a, it's been an awesome ride. Like I said, we're right at two years now, but we've done a lot of awesome things, which is, and it's been fun. Good for you for having that, you know, you know, what's to take that role after what had happened, David?

'cause that's not an easy thing to just step into from a computational perspective and everything. So, um, that's a, that's, uh, impressive or maybe the best thing to step into. Yeah, I mean, Well because, so, because there's an awareness here, which I think helps, you know, John knows what the pain and I happen to be in Boston today. Um, John knows what that pain is. He, he understands what those calls are. The investor calls the p****d off customers.

Like all of that experience drives to, uh, to help overall as a business understand the importance of security. So I don't, you know, I don't have a huge uphill battle to get funding for things that are deemed business risks. And that is, to me, is a huge win. So, yes, it was like a big step, but at the same time I think there was, there's been a huge benefit in that I probably don't have the same challenges as other CISOs to get the funding I need to, to really protect the business.

Yeah, really good point. We says the best way to get security budget is a breach. Yeah. Never waste a good emergency. Yeah. Alright. Um, our second guest, Eric, um, Eric, welcome. And, uh, I pronouncing it right, is it Sun? Yeah. Perfect. Uh, Eric, another CISO, but in the MSP space and, um, really taking, uh, Arc Source, uh, to a, a whole nother level. And I think Gary, one of your peer group members correct as well. Yes. Yeah. Long time. Yeah.

So, um, if you could share a little about yourself, uh, Eric, and we'll get right on into it. Yeah. Uh, briefly, my career started on Help Desk at a Fortune 500 company. Uh, moved to California, uh, for school and started in at Arc Source. That was 11 and a half years ago. Wow. Uh, My, my role at Arc Source has encompassed almost everything a tech could do. And then moving into management and moving on to, uh, strategy officer and now security.

Um, so really get, as you actually alluded to a second ago, trying to really double down on security and increase Arc Source's stance and our customers to our customer's benefit. Um, and, you know, make sure that we are providing a secure by default service offering, not just, uh, not just vendors doing the same list software or whatever else. So, Hey, before we jump right in, in Gary, I put up a poll, we'll probably get three people to answer it.

Um, but it's, uh, I'd love first maybe because I think this is relative relevant 'cause it is vendor, right? Related the MOVEit vulnerability. Um, this one, you know, when it, it first came out, I'll start with you David. Like I'm thinking, you know, well, gosh, how many people are using MOVEit? Right? And boy, a lot. Mm-Hmm. Yep. Um, as we have seen federal agencies, healthcare, I mean, you name it. Um, so a big supply chain event here. Um, what's your take on this so far?

You know, if you were to sum it up? Yeah, I mean, so I think in general, businesses are aware of it. So this made a lot of head headlines. We, like, I was trying to proactively get information out. We don't use it like we're doing all the right things, but our CEO is also saying, well, what are our customers experiencing? How do we protect them? So, you know, on the vendor side, for me it's kind of interesting 'cause we, we realized the impact downstream.

Um, you know, obviously the, the headlines that were made were enormous. Um, but, and, and I actually went through a part of our SOX audit last week and that was one of the topics that came up for us. Um, and I, I don't know if anybody's done cyber insurance, but like third party risk is they get a lot deeper now on, on the cyber renewal. Like, we're in the middle of it. And, um, do you use an MSP?

How do you do the third party vendor vetting like this, this, this conversation is actually extremely relevant as you talk about MOVEit, really anything else, like the insurers understand the risk of those vendors as well. David, I want, uh, before I leave your thought on this, I want the MSPs to hear this because I think this is really important for them.

So you first like, look through your, obviously your security, you know, your software libraries, Hey, is anybody in N-able using, can you give us your mindset of, okay, well we're not using it. Talk to us about how you look at your cus your supply chain now to find out, oh, we're dealing with all these different companies that supply us. Mm-Hmm. How about you guys? How did, so talk to us about your vendor inventory and how did you go about making sure, or you know, like, did anybody have it?

And then what do you do, you know, what do you ask next? And I can't imagine the scale, the number of vendors you deal with. Um, I can tell you the exact number. It's not, um, our goal is to reduce the number of vendors we have. Um, so one of the things we do for all vendors is actually as a part of our business impact assessment for BCDR is we rate the vendor, uh, importance to our business.

You know, okay, you take like an AWS or Salesforce or M 365, like they're the most critical vendors that we, whether it be for us to internally operate or for our customers to function. So we have a pretty good rating of where those vendors sit and the most critical vendors we can send those questions out to pretty quickly. So we do that all under our, our third party vendor risk management program.

So it does make it easier, um, in terms of, uh, total cus I mean, or total vendors we're working with, it's less than a thousand. So it's not like a astronomical number. I also candidly have a pretty decent sized team to help go ask those questions. So I'm, I'm not just, I'm not a one man band trying to figure out which vendor I'm gonna call first. I can throw 10 people at it and we go, and that, that helps. Right. Right. So, but that's exactly what we did.

The, the critical vendors got a questionnaire to find out, do you have this, were you impacted? Um, and, and could we be impacted by it? And, and we got those across the board. How is it getting responses from vendors? It's, it's hit or miss Or is it some It's hit or miss? I I think it depends upon how good of a relationship you have with that vendor. Um, you know, candidly, usually it tie, it comes down to how much money do you spend with that vendor. Mm-Hmm.

Um, you know, like we spend a lot of money with Microsoft, but we're still a small fish in a really big pond. Yeah. So Microsoft's not gonna email me back if you take our financial platforms, we're a decent sized customer, and that they actually tend to be more responsive. So you kind of have to figure out, you know, how that, what that vendor relationship looks like. Um, and that's also candidly for us, like we do vendor assessments annually.

Like we don't just wait till we have a reason, um, to make sure that we have the most up-to-date information. But it, it is truly hit or miss Do does. And, and to that degree, uh, David, just curious, let's just say, you know, you, you know, Microsoft is your top critical vendor, hypothetically, and we do have a lot of sensitive data, you know, in different, you know, block. Maybe we have some, you know, Azure blobs or whatever it may be, right? Mm-Hmm.

And they're not responsive during the MOVEit vulnerability. Um, how do they get marked? Like obviously you can't get rid of Microsoft. Yeah. Like you could get rid of somebody else, but does it change how your strategy going forward? And again, I I I'm asking all these questions for everybody out there to think about. I love the rating system, Gary, first of all, Mm-Hmm. Like, I, I bet you most MSPs aren't rating their vendors, you know what I mean? Yeah, absolutely.

Just, you know, using the term third party, you know, risk program, uh, I, I'm gonna say what I normally say every week, which is, that sounds expensive, right? Yeah. It's, yeah. It's, um, but Yeah, but, but like, you know, here's the problem, you know, N-able, like all other vendors, if they're run right, they have 95% gross margins as MSPs.

Most MSPs are half that, you know, and this is where we keep running into that same, that's this, again, I, you're already, uh, a bunch of things are coming to mind as David's, you know, going through this. But this is really good Andrew And, and Ben, Ben Jones just said I'm the funniest things in chat. That's awesome, Ben. Um, We used to, Yeah. Um, we Used to have supply licenses.

I was just gonna say, we can go back to, and it, And it was probably the most profitable thing we ever had in all my years as an MSP is when we were, yeah. Was it as profitable as, as, um, Internet frame relay? I, I thought backup initially Gary when you Oh, yeah. When that, when that was $23 a gig. Yeah. Yeah. Eric, uh, how about your thoughts on this? Did, did you guys, how did you approach this? Um, you know, did you, Yeah. So MOVEit vulnerability was announced.

I, I think I first heard it from a publication from Blackpoint Cyber. Um, but my first thing was to go check the software audits across our entire customer base. Okay. Does anyone have this installed? I didn't know of anyone who was using it, but let's at least find out it came back with zero. So I'm like, okay, good. Our customers are not gonna get hit by this as, as far as I can tell currently. My other thought was, man, no software is too unheard of to be a target because Right.

I had never heard the name ever, but Right. Like the whole conversation of they're gonna take anyone or anything. You're not too small as a business. This software is not too unheard of, you know, security by obscurity is not gonna work. I'll just use some random thing and hope that no one sees it. No, it, it can get hit. Right. Um, so, you know, it applies to the vendors that we're working with.

Even if there's some free open source or cheap source or unheard of source, there's still risk there. Eric, Um, I know I'm putting you on the spot here, but like, did you look at maybe like your top customers by revenue and go, Hey, we'll, we'll, maybe some are in, you know, uh, one of the verticals that was more targeted and asked them if they asked their vendors, did you go to that degree? Um, uh, you know, helping them things start to think about supply chain. Not in our case.

Uh, there, there wouldn't really be that many that would apply in that regard currently. Okay. Um, so didn't take that additional N no worries. Won't hold it against you. I was just curious. All right, Gary, I'll, uh, let you kick things off here. Yeah. So, you know, in the past the old days, the good old days, right? If you're we're vetting a vendor, you'd ask if they have a SOC 2 or ISO, like today, what are some of the key things you're looking for in modern day?

So I think the part of the thing with SOC 2 is it's still useful. And I think, you know, we can't, we can't bypass that fact. But part of it is the fact that someone has a SOC 2 logo on their website doesn't mean a lot yet. Now I gotta determine, okay, well what is the scope of the SOC 2? Does it actually include the thing that I'm looking at in the first place that I care about? Like, did they get their, their basic computer usage SOC 2? Or did they actually get the tool?

I'm looking at SOC 2, uh, then, okay, is the SOC 2 okay, it's the right scope, but did they include all the stuff I care about within that? And do they have a no exception SOC 2 pass, you know, unqualified, unqualified, unqualified, unqualified. Okay, cool, that's clean. If they don't like, maybe some of 'em show up and it says, well, no incident occurred during this time in order to be able to see whether these controls functioned or not. Well, in that case, I need to drill in on that.

Like, okay, the auditors didn't see this happen. Great. You didn't have a security incident. That's cool. But also I might wanna ask more about that. Like, so just the presence that SOC 2, even type two has happened doesn't mean, hey, we're good to go. And I saw listed recently in something I was reading where someone suggested, Hey, you can sometimes do onsite visits with your vendors. And in many cases with cloud hosted vendors you can't.

But a SOC 2 serves as a good, as a good, you know, substitute for that. And I think that's how we should see it, is I can't just go walking up to AWS's locations right now, or I can't just walk into N-able's office necessarily right now, or to, you know, Blackpoint Cyber or interests or any of these vendors that we talk to on a regular basis. Uh, many people are hosting their stuff in cloud sources anyway.

So even if I were to say, you know, show me we have your stuff, they're like, well, it's, it's on Azure, it's on AWS, it's wherever. But what I can do is I've got an auditor who they've invited in, who's helped to look at some of their stuff, who acts as kind of the, the local presence. But for my role, I've gotta ask more questions than that SOC 2 doesn't cover right now in the moment. It might, is the organizational culture one that is secure?

Or do they just happen to set things up to make sure they pass that audit because they knew it was a marketing need? Right? That's two very different approaches to security. Where in the one case it's just a marketing investment. In the other case, it's actually a culture of leading with security. Gary, I see David, you know, doing a lot of nods. He's a very, obviously, very involved in this in a SOC, you know, SOC 2 and obviously the compliance in his organization.

David, any comments as you, as you listen to Eric? 'cause I think he had some great points. No, I I, I, I'm just nodding 'cause he's spot on. I mean, it's the same way I look at it in terms of when we have one, we're looking at end. Any vendor, um, vendor spend doesn't necessarily equate to business risk. Um, you could have a really, really small vendor that you're spending a couple thousand dollars a year on.

Um, but depending upon the data they're handling for you, they could actually be your business biggest business risk. And if they're, you know, and to your point, it is, there are pathways to make SOC look like something you have, but if you're not actually reviewing the actual report, then it's just a logo. Like, so Yeah, I'm just totally nodding.

'cause I, I 100% agree with, with the approach of, of evaluating the vendors as thoroughly as possible and really digging in because, um, even with us, like vendors are like, oh, we use AWS so AWS handles these specific controls and some of 'em kind of get shoot, you know, physical controls. But when you look at, all right, well, how are the accounts structured? How do people get in, how do you make sure you restrict proper access?

Like as you peel back those layers of the onion, I want to know that for certain vendors just because if they're, you know, they're holding our customer data that that's a huge risk. Not just us, but also to our customers. Yeah. Really good stuff. Gary. I think most people don't, you think though, the majority of MSPs, it's like a, a checkbox like Oh yeah. I mean, I can tell you I was a software vendor. I build a, I build a cloud software and we get very few questions. Really very few.

I mean, uh, some around, you know, GDPR, but relative to what you would think, right? We didn't get a lot of, uh, we didn't, we didn't get very, like shockingly we didn't get many questions. So, you know, Eric, look, we've seen this tools proliferation, right? Uh, I don't know how many tools you guys have, but I track it across, you know, almost 400 MSPs right now every quarter. And it's probably average is 40 tools. And some of it's good, right?

We have a lot more functionality we can do more for our customer, change our business model, especially right now there's exciting things going on, right? Um, but that's a lot. I mean, having 40 tools and however many vendors that is, you know, is a lot for an MSP that doesn't have a dedicated vendor management resource Right. In most cases. So how, how do you look at this, like at that scale and, and keeping your arms around this, and do you look at maybe some reduction of tools over time?

Do you have a process for reviewing annually? How do you approach it? Yeah. Well, the reduction of tools part I think is real. And I was, I mean, even this year doing annual review post Right of Boom, it works out conveniently just talk to a bunch of people and, you know, it's like, okay, now this one and then this one, and then this one and this one, and suddenly it's, you know, 15 tools. You're talking to, uh, these various vendors who this provides this and this provides that.

And at some point you go, well wait, the amount of extra management we're gonna introduce here and managing all these vendors, the amount of extra vendor risk there is, there's a chance we overlook something that's actually more costly than if the compromise happened on the other side. Um, so you're Saying there's a cost to risk. Yeah. And, and I think part of it, like you've gotta start with a mindset that my vendors need to match my level of intended commitment to security.

Like if, if my vendor can't match what my team is already gonna hold to, or what I'm gonna hold my team to, then now my vendor, they're becoming part of my team. Do you say no to vendors based on this? They don't a tool that you would like, but you pass on it? I have Yeah. This summer or I've delayed on it. Yeah. Uh, because we've gotta have the guts to do that if we're gonna provide great service.

And part of the thing that actually troubles me a little bit sometimes is how much security tool vendors are still leading with, I can help you boost your bottom line. And I'm like, I'm, I'm not a sales guru. Like that's not my role. It's not even my company's role within what we're doing. We're delivering IT services and obviously it needs to be profitable to exist as a company. But the fact that, that a vendor can come and tell me I'll give you 50% margins.

Okay, but is your tool actually providing good security and doing it in a secure way? And so part of the challenge here is to, to get vendors to lead with security. Like many of the vendors are employing people who are smarter than those who are at our MSPs who know more. Like we don't have a David McKinnon sitting on, on osis consulting, uh, staffing.

Um, so for, for a vendor to be in a space where it's, okay, well putting your feature request and then if enough people upvote it, we'll put it in. And it's like for some basic security initiative, I'm like, I, how about, how about lead this the industry? Right? Show what good security means and help us provide it. Gary, I think also what Eric's saying, and maybe he's not saying it, but he, he is saying is that our customers and their customers, it's gonna roll back to us, right?

Eric, the audits that they're having and the questionnaires you are getting, which in turn you and I have to turn to your vendors and go, Hey, I gotta answer this to keep my customer so they can keep their customer. Yeah. And just listen, just alone think how many tools have an agent, Right? Right. There's a bunch of them, isn't there? Yep. And those have powerful access to the local machines. Yeah. So that's where, And a lot of integr and a lot of integrations.

So it's not only maybe sometimes risks of that vendor, but of, uh, vendor through vendor integration. Yeah. Well, and we've talked about this before too, Gary APIs where, you know, we're basically giving keys to the kingdom through that API when we turn it on. Yeah. We did a, remember we did a whole session with Ryan about it and about reducing, you know, your, uh, like how many, just by default, everybody turns their APIs on. You know what I mean? Sure.

Listen, I remember early on in, uh, when we were building MyFi process, the first question we would get every time, well, do you integrate with, you know, ConnectWise, we only buy tools that integrate with our PSA. And I'm like, well, what do you want to integrate? Well, I don't know. I just need it integrated. You know what I mean? It's like, okay, then yes, we integrate, but a but a lot of that stuff, uh, goes on.

Um, so in terms of when you look at this, Eric, do you do something similar with ranking? What the potential, like how critical those apps are to you, and then what the potential like risk based on what they do? Yeah. That is part of the goal. And, and that's where I think the evaluation comes in also essentially of risk trade-offs. Like just like we talk with a, you know, with our own companies or with our customer companies about here, here's this risk.

It might cost you, you know, $3,000 mitigation costs 500, this seems like a good win, or it might cost you 3000. Mitigation is a hundred thousand, it seems like we shouldn't do it. Right? Like, yeah, there should be, we need to do an analysis of, okay, this, this vendor's tool has this level of access, it provides this much risk. If they get hacked, you know, supply chain of my RMM, they can take over all my customer's computers, right? Supply chain of, of a random browser extension.

They can hit the browser and through that to some things, but it's not as direct as RMM supply chain of a, uh, GRC tool. Okay? They can see a lot of my policy documents. They're not gonna control my customer's computers from it, right? So we, we need to measure as well the relative risk of if this vendor tool is compromised, how big of a hit is that versus the trade off of what's that vendor covering for me? You know, an MDR that's actively watching the network and shutting stuff down.

That's a really, really big benefit, right? If the MDR's tool is compromised, their tool might not be as powerful as their team is. You know, the trade off might be worth it, for example, in a scenario whereby contrast like, MOVEit, it's just a file moving software, it gets compromised and their ransomware and all my stuff probably not worth it at all. Uh, and find a different software that can work and hopefully MOVEit's able to, you know, recover their software or whatever.

But that's kind of what I'm thinking through. Like, we can't just think of monetary value. There's a little bit of risk balancing here as well. Yeah, absolutely. Gary, you also, for the first time, this is about a year ago now that you're on boards of some big MSPs with 50, a hundred thousand endpoints for the first time ever, I, I heard you go, Hey, we gotta think about going away from standardization to to manage risk.

And what I and I, and can you just, is there a certain threshold where you have so many endpoint, certain amount of endpoints where you're like, you probably need one or you need more than one RMM to divers, you know, to, to split risk? Yeah. Well, part of it might be more than one, or it might be the way you deploy that one. In other words, it is segmented in such a way, right? Um, to limit your risk.

And, and, and what I said that day was, you know, uh, these, I sit on the board of two, you know, pretty large scaling MSPs, uh, a a, a breach that affected all endpoints is the only thing that can stop us from success, Right? You know, within reason other than the end of end of the world. And so what I was saying is, however you approach it, you reach a point where you're now, efficiency is not the most important thing. You wanna be as efficient as you can while limiting your risk profile.

And that means you're not always gonna make, you're not always gonna do things in the most efficient way any longer. It's not Funny you say that because there's A cost attached to the risk. Yep. I'll put a post up from Brian Blakely, um, and his nu you know, these eight things that all MSPs should, you know, should focus on, or s SMBs, his number one, one was access control.

So, you know, and I see Eric Woodard posting and, and you know, I I think if MSPs aren't good Point for Eric's making there. Yeah, Yeah, absolutely. You, you know, in terms of access control, you know, have some type of, you know, ZTNA, obviously I'm using a buzzword, but zero, you know, network access control around, you know, access to your RMM.

I think locking that down these days, the extra cost of that, you know, validating, you know, your, IT is your device validating your IP, validating it against your user profile, that MFA is turned on, that EDR's on. Like all these things have to be a certain way to validate it. And that the only thing you can do is tunnel to that. Like, I think those days are here. Who did we have on a couple weeks ago?

An MSP that said they have MFA to get support, you can't get support from them without, you know, I think, yeah, no, I think it was actually last week with, um, I'm trying, I'm drawing a blank who was on with us, but, uh, um, shoot. Yeah, Yeah. But that's what they said, right? Yes, yes. MFA, MFA for support and I'm like, yeah, there's a lot of risk there. Yep. Right. Yeah, that was really good. Well, before that Was Roddy, Roddy from, uh, rod Bergon.

Yeah, he was real, he was really good. We got Eric Monroe too. Yeah, we'll get him that. Eric's on That was me. I, I wanna, I, I wanna pass it over to, to David, but Eric, this is really, this is really helpful. And I guess the last question, you know, that I had for you is in, in knowing that all of this, like somehow this work that you do around vendor management on a regular basis, it's, you gotta figure out how to cost it in, right? Like there's a cost attached to it.

Like, you have to work with Dave to figure out like, is this an extra three bucks a seat or what it is, like that's the other part of this, so that you can be funded to do it. So your customers need to fund you. Yep. It's absolutely true. And that's, that's the difficult part is assessing, okay, how much time is it gonna take to do these things and to do 'em well.

Um, but if we're talking about being a, I I'll say a modern, you know, environment, MSP leading with security, providing a truly good IT experience that is covering all the bases, that's what we have to do is, is do the hard work to cost that out and figure out what the extra, uh, money is. So the last question I have is Can is it, is are, can you share like a range of what, for a new customer, what your target would be for seat price? Well, it's in the hundreds, uh, Over 200. Yeah. Yeah.

No, it's, I mean, it's probably, you know, probably well over 300 even. Yeah. Um, you know, and, and sometimes feels like it needs to be growing, but it's Well knowing, trying The need. 'cause it's, it's still the same thing where we want to be, we wanna be faithful with our customers of helping them to assess what's their risk of their size compared to the need.

But at the end of the day, I was just, I was talking with Dave the other day, and it's like, man, with, with some of the collection of tools we're looking at, you're talking about like 25 to 50 bucks per employee per month. Yeah. Just, you know, for security tools, that's not that much in the grand scheme to say, Hey, I'm protecting my business as part of, if I'm thinking of an employee, you know, I've got my overhead, I've got my insurance, I've got my, uh, benefits that I'm providing.

I've got their actual pay and allocate $50 a month to consider security as well, or 25 a month or whatever. Yeah, there you go. So in that kind of scenario that there's an easy talking point toward, it's rather minimal, you know, it's, it's eating lunch out once a month or something like that in terms of the big cost and we're, we're talking about compared to the, the, the cost of your company being ransomed to losing your business or whatever else.

That's a relatively small thing, which is actually part of what I'm so excited about with the influx of tool related vendors in the past, what, five years, uh, that now there's so much enterprise quality expertise being provided on a scalable level that we can bring this stuff to small businesses Yeah. And say, Hey, we're not looking at hire your own soc we're looking at on a, you know, per head basis. You can get access to this kind of coverage. Yeah.

So two quick points, and David, I'm gonna hand it over to you now. One, uh, Dave Monk known him a long time. Just seeing them post that number in chat is, is getting me a little choked up, uh, how far he's come. So kudos, kudos there. And the second thing is, Andrew and all, how many shows have we done, Andrew? Uh, 145. This one. Yeah.

And those 145 shows, there hasn't been one time where an MSP has come on, who's at the level where Eric is in terms of understanding and where they're headed and hasn't come back with similar, you know, in the ballpark of, of a seat price. So everyone who's listening should see that you can't get there any other way. There's no cheap way. Yeah. To be able to do all the things we need to do. So with that, I'm gonna hand it over to, to David. Yeah.

And David, I just wanna maybe ask you and the, the, the team, this, 'cause we've got Steve Jenner out there who's, you know, really good in security. I, I, I followed him for a while. He's did a really big MSP. He asked, okay, but how do you, and I'm trying to get some qualification from him, but he is like, how do you quantify risk financially? Like, um, and then I asked him, you know, risk to revenue, risk to reputation.

Steve, maybe if you can, uh, put a comment, uh, in chat just to kind of maybe qualify or question. But, um, do you want, does that mean anything to you immediately, Eric? His question without some more qualification To quantify the risk, the difficulty is, you know, doing a blend of, of qualitative and quantitative, which once you get qualitative, you're very objective. You know, high, low, medium priority. And then in other cases, trying to put numbers on it.

So, I mean, even the vendor risk assessment idea is it's gonna be qualitative by, by dint of what it is, right? Like we're we're saying, well, they provide high benefit of security and low risk, or they provide high risk and low benefit to security or whatever. I don't, I don't see a monetary way to say, you know, this vendor provides me this much monetary value versus this much monetary risk as easily in this particular case.

Now, there might be, If you're in California, which you are, and this customer had all your customer records and you're subject to regulatory fines and every single one, that's a pretty big financial risk at hand. Fair. Yeah. You know, for, you know, so, so, no, but I'd love to know more where, where he's coming from. More questions in chat. We'll get to them. David, turn it over to you. Yeah.

So Eric, uh, just a kind of a question for, for how you guys, we've been talking a lot about risk, but when I think about risk, and I'd mentioned to Andrew before we all jumped on, like, I, I'm sitting in Boston today 'cause we're going, we went through a tabletop exercise this morning internally. Yes. Like, what do we do? How do we recover?

You know, how, how do you look at that for, for business continuity and how do you kind of plan in those vendors, those strategic vendors, like in RMM, I get we are critical to MSP business, right? But how, how do you evaluate the, those vendors to figure out how they play? And, and even when I think about questionnaire, it's like, do you, do you know business continuity planning? Yes, we do. Um, do you dig any deeper to figure out how, how we actually do it?

And do we actually have like a, are we a card cardboard cutout going, yes, we do the thing versus actually there's a human behind it doing the thing, Right? And, and, and part of that is asking for and insisting on conversations with product leaders, security leaders at the business. And it's similar to what you said earlier, right? Like the, the small fish big pond scenario plays in where some vendors are like, well, I don't care, take it or leave it.

And then others are like, yeah, let's get on a call. And, you know, depending on how large or small you are relative to their customer base, but being able to say, okay, I needed, like, cool, I need the SOC 2 thanks, and now I can review that, and now next step I need to have a conversation with, you know, product, product head or security head or whoever to talk through the practical realities. I, I wanna hear them speak out these same things.

I wanna hear them talk through their software development life cycle. Even though the SOC 2 can tell me they do this. I wanna hear them say it. I want to, I want to hear them say, I mean, I was talking to someone earlier this summer and they said, oh yeah, if our, if our devs don't follow this restriction about who's allowed to post and, and the review process has, has to happen first, they're fired on the spot and they know it.

We tell 'em the first day they're hired that they're gonna get fired on the spot if they break this process. It's like, that's obviously anyone can say words, but it's still, you're in the midst of a conversation. It's no longer just a piece of paper that says, Hey, these things are happening. Um, getting even deeper is great. You know, if we can develop a relationship to get even more information, that's awesome. Yeah. On the, uh, I'm surprised.

So they, they fired developers if they didn't follow the process versus just blocking the developer from being able to do the bad process. That's, that's what it was. It's kind of a weird approach. Like, we'll block you on check-in, but I well, They work for enable Dave, just so you know.

No, I think, I think it was a, uh, it was in response, if I recall correctly, to when I asked him, Hey, what kind of controls are you putting in place with regard to supply chain attacks and helping to make sure that, you know, code is vetted properly before release Yeah. And the separation of duties.

Um, and that if they're breaking in separation of duties, it was a fireable offense in that case, but okay, not that everyone has to do it that exact way, but it was still noteworthy to me in that conversation. Yeah. I, I always struggle with the, um, I always call it the security hammer. Like, you come in with a big hammer and like slam it down and make people scared of being fired.

Um, because then what you don't get is like those, those things reported to you internally versus if they realize everybody makes mistakes, and if you make mistakes, how do we talk through that and, and kind of improve it? Um, you know, we were talking about zero trust a few minutes ago. How, how are you looking at that from, from your vendors and like, are you requiring them to, to leverage a a platform like that, um, to restrict their access control?

Especially when you talk about SDLC and like co-development, like most companies do, use a third party, develop their code. Ha have you started to evaluate that, uh, during the risk analysis to figure out if there's additional risk of their IP getting out a little bit easier? Because that's candidly for me, is one of the one things I worry about most. Yeah. And, and that also is going to vary a little bit depending on what kind of vendors we're talking to.

Like, so we don't have many vendors who are entering into our environment or entering into our customer environment except through the agents that these tools are providing by contrast, you know, like maybe a bigger customer someday that we have, or if we have something that does come up, yeah. Now we've got a vendor who's actually on our systems, there's a different level of controls needed.

Um, but I think it, it does tie into what level of security does the vendor provide to me for my own people getting into the tool. Yeah. You know, so if the vendor's like, Hey, here's this new tool, it doesn't have MFA yet. I'm like, well, so this is 2023. Like when on in 2001, let's catch up. Uh, you know, or here's this tool. We don't have role-based access control. You know, it's either full admin or it's read only.

Like, okay, how are you gonna empower me to be able to implement least privilege? Yeah. How are you gonna empower me to be able to follow the standards that we're all talking about as vital for the past decade? And now it's like getting into these things rather than this just being a, a marketing opportunity. Yeah. Yeah. Um, so that, that's a big part of the question lots of times for me is how can I implement good controls with my team using your tool?

Because if, if your tool's gonna be wide open on my team's end, well that's, you know, vulnerability that is introduced if someone gets social engineered into, or someone's machine gets hacked or whatever. Um, so the more possible, you know, login factors and attributes we can use the better. Uh, you know, like if we can get, like SMS only is not cool, right? Yeah. Give me an app, give me a token, give me a YubiKey, give me WebAuthn. Give me, give me some IP white listing.

Like various things that we could do to restrict access, uh, on multiple levels. Similar to what Andrew, what you were saying earlier. Yeah, yeah. No, the conditional access to me is, it's such a powerful tool that, like we we're pretty strict on it here, but like we're pushing further now. So to where if, like, when I think about contract, so we use outside contractors to develop code for us. They're effectively an extension of us.

But even in that case, like they're now moving into like Azure virtual desktops so that our source code never leaves an environment we control. Um, yeah. Just to help protect that. Like that's, that to me is kind of the, the path we have to go. Um, so David, what, what about, you know, we've talked about this before. At first, I'd love your, your thoughts and then Eric's, you know, you guys followed Brian's suit implementing BSIMM.

And, and maybe just tell people really quick what that is, and then I know that's not necessarily a affordable for a lot of the vendors developing code in our space, but, you know, even the minimal viable product that Google has out there for s software standards and coding, it just seems like really hard to get people on board, most security software vendors to start, you know, adopting some kind of secure coding principles and standards. But why do you think that is?

And maybe it's just start with you and BSIMM With me or with Eric? No, with you, Eric, with you. Oh, okay. Yeah. Uh, I mean, so I think part of it is, does oftentimes security initiatives are viewed by what value they'll drive to back to the business.

So like we talked earlier about me coming and whether I was a sucker or like, I took a really good opportunity and I'm in the unique position now to where, like I said, as we define risk and how we do it, and you know, we talk about SBOMs and things like that, and how do we, we make sure that we're being transparent in the software you're buying. I'm not fighting that uphill battle.

Oftentimes you are like, like I'm sure many businesses are, they're always looking to trim dollars, so, and security, like we're heavy spenders. I hate to be that way, but, but I am, um, in my case, like the way my roll up goes is I report to our CTO, I report to our CEO and I also report to the board. So as we kind of report out those risks and say, Hey, here's the business risk we need to fall in, and this, this is, you know, framework we need use, whether it's BSIMM or something else.

Like, if you don't have that type of relationship within the business to drive what builds kind of a, a foundational security for the business, they're not gonna do it. 'cause they're gonna say, well, can I sell 20 more widgets? Well, if I can't sell 20 more widgets, I don't care to do it. And it's the wrong approach. Like the, the right approach is security is a core pillar and this is how we're gonna be secure, and this is how our customers know we're secure.

And that, that's a huge kind of step forward that companies need to work towards. Yeah, because Gary, I gotta, I mean, again, you understand customer acquisition costs. You look at things a lot differently these days after building software companies involved with software. Now you have a supply chain issue. As a software company, you lose a lot of value really fast, don't you? I mean, potentially like we've seen companies go through, go through things, um, but it hasn't been at scale, right?

It's been in every case it, it, it has, uh, it had like relatively s smaller containment, you know, relative to the, the base. So we haven't seen it at a, at, at complete scale. But yeah, I mean, listen, best case scenario, you lose a certain amount of, you know, time in your journey. Worst case, it's a death, death sentence. Yeah.

So, so just kind of last thing, and Eric, and I'll give it back to David, Eric, are, you know, are you, are you asking about any type of secure coding frameworks out there when you do talk to customers, uh, you know, potential vendors? It depends a little bit on how far we get into the conversation, how much time we have, what was unveiled in the SOC 2 report. Um, but yeah, I mean, that's part of it.

Like I don't want someone who's just waterfalling or agile in their way through things without concern for security that that needs to, like David was saying, it needs to be part of the, the core pillars of what we're doing, especially, and this is, this is where I really get kind of rankled about it, is like, especially when you're selling me a computer security tool.

Like it, it is one thing if, I mean, I, I talked to a vendor a few months ago who, you know, they're doing some sort of billing integration thing, right? And I asked the, the sales person I was talking to, Hey, so you know what kind of security standards you have in place? And they're like, oh, we won't sell your data. And I'm like, well, okay, that's not the question I asked at all. But like, you're also a billing integrations platform.

When I'm talking to a security vendor, it's like, yeah, we're gonna give you a security tool, you're gonna sell it for us because you're the MSP and we don't have to hire any extra salespeople. They don't say those words, but that's what they're doing. And it's for cybersecurity and it's not secure. What, how, how does this even add up? Yeah, You're gonna sell us source for free and you take all the risk. Yeah, yeah, exactly. It may and, and maybe we won't even give you an NFR.

So you can't, you can't test it out and be familiar with it. We only give those threat actors the NFR too. Funny. All right, David, back to you. Yeah, I'll kind of wrap on this, but we had talked earlier about, you know, breach notifications from, you know, from vendors, especially when you talk about moving and other things like that and kind of the sizes. Um, what are you seeing in, in, in your space?

I mean, you know, we, again, for me it's kind of a mixed bag, but I'm kind of curious what, what you've seen as you've dealt with vendors who have breach. And I get nobody wants to talk about a breach. It's, you know, like it's an ugly word, but the reality is security events happen. It's, it's more how the business responds to it. But what have you seen just on your side? And this for me is somewhat enlightening. 'cause again, I'm somewhat new to the MSP space, so just me learning. Yeah.

Well, and, and thankfully we have not been hit with any major breaches at our vendors, uh, that I'm aware of, which means hopefully there haven't been any because they've been faithfully telling the public. Yep. The part of the thing that I'm looking for, and this I'll, I'll briefly hit on another term, especially in case of any MSPs who haven't already heard of this term, but service level agreement is what we've all heard of.

SLA service level requirement document is what we often have not heard of or discussed, but like, that's, that's my document to present to the vendor. Here's what I'm looking for, which great template, easy way to communicate it, right? Like I don't have to rethink it and recon converse it every time. I can say, this is, this is what we need. And so, you know, here's here's the things related to breach notification, here's the things to related up there.

Here's our, our starting point for discussion as we negotiate contracts and manage vendor risk and stuff. Um, but part of what I, I think we need to insist as MSPs that the vendors recognize, especially vendors who are wanting us to sell their stuff for them. Like we're talking about a partnership together. We're still the, the quote unquote experts to our customers with regard to IT advising.

So if this vendor gets breached, they can have all the concern they want about their reputation, but they're taking us on as a partner, our reputation is on the line as well. And you know, we don't get to just say, oh, it is, it's on the vendor. I don't know. Like, the customer's gonna ask us the questions, why, you know, how is this breach? Why is a breach? Why didn't you tell me? Or whatever else. So I wanna be in that conversation right away.

Like, I'm, I'm writing, you know, like I'm going, Hey, from the time that you know that CIA is compromised in some way from the time that, you know, there's a confirmed breach. Like let, let's get a notification, let's get the conversation started. Even if it's, Hey, we know that the availability of the system went down last night for three hours. We don't know why we're searching into it. We want to keep you looped in. You know, that sort of thing.

There's gotta be this mutual trust relationship going on. Otherwise I can't faithfully advise my customer in the midst of the scenario. Yeah. Ironically, we went through this today, which was, so we'd simulated an internal breach and specifically insight, but it was what are we communicating to our customers and what are we giving them to communicate to their customers? Hmm. That something I've definitely found we, and we need to be better about it.

Like, not like gonna knock on wood, not that this is something we have all the time, but in the event we have these types of events, being it one transparent, but two, providing the insight to, to cascade downwards, I think is absolutely critical for, uh, us as a vendor to be giving out. Yeah.

It's interesting you mentioned that David, I, I was speaking at IT Nation Secure with, uh, Amy Lucia, who's the chief marketing officer of ConnectWise now for a few years, but she was at Blackboard during, you know, for five years and was, you know, I dunno if you recall, they had a pretty big, um, uh, data breach and, and it rolled downhill quite heavily talking to their customers.

It was just interesting how, you know, the, the degree in which they had a, you know, the, the, the job they did, they did a really good job, you know, with communications that were prepared for, you know, how they talked to the customers, how they prepped everybody internally, then the documentation they would give to customers, you know, to their end, end users that might have gotten their data compromised. And it, it's a lot of things to think through.

Um, and, uh, really cool that you guys did that to that degree. Yeah. Well, and you know, in my scenario it was Friday. 'cause no good breach happens on a Monday or Tuesday. It's always Friday at four o'clock. Um, but, but that was part of what we were talking through today. Okay. Telephone lines are gonna surge. Like what are we doing from a support perspective? How do we make, but those are all things that, you know, I think I'm hoping everybody's thinking about.

'cause the MSP is, they're gonna get the calls from their customers and that pushes up and they're like, well, we'll put, you know, we'll put holding statements out. I'm like, they don't give a s**t. Like, not to say that people can't read the internet. They want to know if they're impacted. This is your livelihood. Like they're gonna call us.

So like that's part of the, the, the pieces we're exercising to make sure that we, we are putting those things in place and we know who we're gonna call and how do we surge these things out because, you know, it's a bad day for everybody, not just us. Yeah. Yeah. Eric ordered who's on here at a thousand calls a minute, I think at, at, at peaked at, during the incident. So, um, alright, so let's, let's, uh, do, do you wanna go to a few questions that are here?

Um, and I know we have a few more, uh, but, uh, just take a few questions. I'll, I'll cap off. You know, we're back to, you know, uh, generator qualified his, he said, you know, again, it started with, okay, how do you quantify risk financially? And he said, for example, CEO wants to know if vendor X was compromised. And in turn our systems were, and in turn our systems were compromised. What's the potential cost of that breach?

Um, you know, so this is a risk to revenue conversation, a risk to reputation conversation. David, how, how do you, like if you're talking to John, you know, and you're like, Hey, you know, we did a threat modeling exercise that came out of, you know, this current most recent vulnerability. Knock on wood, we were patched. It didn't happen to us, but I, we did find that we had gaps here, here and here that, you know, how, so how do you go and then have that conversation? Yeah, John. Yes.

I don't think it's even, it's even just with John. I mean, that is a boardroom conversation for us. Okay. They, they want, the board wants to understand what our business now figuring out the exact revenue. It's, it's a guesstimate. But, you know, in our case, you know, I look at a product, say, okay, this product generates this much revenue. If we had a fallout of X percentage, which would be, you know, a calculated amount, this is what we would lose. Just, you know, top line revenue.

Um, so that to me becomes pretty, pretty easy. What you can't always figure out is the cascading effect. So if we show some, uh, some other inherent issue in our business, and I, I'll pick, uh, Eric had mentioned before, like software development. Well, they weren't properly doing threat modeling at the beginning of their threat, you know, threat modeling in the beginning of the SDLC lifecycle. Uh, and this is what the cause pain for one of our products.

Well, every other product is likely impacted by that same thing. So are you gonna see a a, a cascading effect downwards? Um, so that's, that's how we position it. I, i I come up with, with estimates. Um, but the reality is, is if when you're talking about something that bad, um, you know, it's, it's more you're trying to figure out, and the, the analogy I used today is like, you, you cut an artery. Like we're not talking about what type of tourniquet you use. You just need to tourniquet it.

Right. You need to figure out how do you, how do you contain the hemorrhaging so that, that you can move forward. And that's, that's how we end up. But it, but it is a board level room discussion. It's not even just at the CEO level for me. Yeah, yeah, yeah. And these are a lot, Think of the same thing now apply it what, what David just said. Apply that down to an MSP with their customers. Right.

And you have a customer that you, your relationship is not with the, you know, owner presidency level, it's with someone else. Like that's their boardroom. So you're trying to have a conversation. If you're not in their version of the boardroom room, it's not a risk conversation. Right. Right. And I hear what people, and you can ask some questions to try to get them in different business cases, um, to a monetary amount.

But I can tell you that in most scenarios they now just like board members, they can connect the dots and it's so massive for an MSP compared to a little bit more than you need to charge 'em. You don't have to do an ROI calculator. Like they get it, man. Yeah. Like they understand it. It's at, it's at that much of a scale. But, but Gary, it's true or false. You have to talk in terms of the business.

Like you gotta be talking about the systems that support that revenue, even if it isn't somebody in that board seat. Right. Like the equivalent in that SMB, right? You gotta be talking about, you know, what is that, you know, critical system or systems and what data, right. And what process. Yeah. It Goes all the way back to when we did the session with, uh, with Wes on, uh, business impact analysis. Mm-Hmm.

And, um, like the different sessions we've done on, those are great ones for people to go back and listen to and you hear the kind of questions. It's not like you have to ask a hundred questions.

You can start by understanding how they make money, what systems they depend on, what would happen if, and then, you know, maybe one level down from that is really as hard as far as you have to go for an MSP whose customer spends $7,000 a month with them and has, you know, costs every month of, you know, 3 million. Like, like again, relative to scale, we don't have to go a hundred levels deep. Mm-Hmm.

You get to have the right conversation with the right person in the organization who's tied to their strategic goals and you're gonna get there nine outta 10 times. Yeah. Right. The same way that David goes to a board that has an understanding, he presents things not at every bit and byte, I'm sure. But he can, he can present just the business case and they can connect the dots. It's the same process. Yeah.

You're not talking about any security controls and you know, specific, uh, you know, tooling. You know, they might ask you down the road, why it costs X, but again, David, you're you, the first thing you said is, Hey, this business unit drives this amount of revenue if these people, because that's what they're gonna listen to. Right? Yeah. Well it all comes outta your risk assessment. I mean, you know, if you have a risk treatment plan and you can sit down and quantify how do you assess?

And, and I would, I would agree. It all starts at the BIA, like if you wanna look at your vendors, in our case it always starts with the BIA. If you want to know who the biggest risks are, do a BIA on your, across your systems, and you can figure out very quickly, like in our case, AWS Microsoft Salesforce, like I know who the biggest ones are. Um, but then you, you can do that RI risk treatment and then ca you know, add on top of that, be prepared to walk away from a vendor.

Like you don't have to. And that's one of the questions we ask when people are trying to bring on new vendors. Is this vendor critical to our business? And is there an alternative vendor, uh, that you could use? And then, and then who is it? Mm-Hmm. You don't like if they can do 80% of what the other one is, they're more secure. That might be the better business case for us to go forward with. Yeah, great Stuff.

And listen, there's a lot, like right now in our industry, there's a lot of small, you know, startups, right? And a lot of them maybe came out of MSPs and this is the first time they ever built software. Like they're at the beginning of their learning curve of Andrew. Yeah, yeah, yeah. There's a lot of that. And unfortunately that's where a lot of innovation comes from. Yeah. Very fair. Um, alright, so we're right at the top here. So one, Eric, David, thanks for making this awesome.

Uh, it was, it was really, really fantastic. Good. Great. Having your perspectives on it. Uh, two, the, uh, our participants and people that joined us each week, thank you as always for such a lively chat is and wanna wish you everybody a happy healthy 4th of July. So we'll skip next Monday. Gary will be back the following on the, with the Verizon breach Report, with the Verizon data breach report. Eric Lwa, one of the, uh, principal authors former, formerly worked at CIS.

And so, um, really excited to get into this. This is something that from a thought leadership, from a challenge or sale perspective, there's some really good data in this year's Verizon data breach report. So until then, everybody, Absolutely. David, Eric, thanks. Having people like you on, that's what makes the cyber call. So thank you. Yeah, Thank You for having me. Thank you guys. You guys, thank you so much and have a great fourth Garrett. Take care as always. Bye bye. Bye all.
