Skip to main content
Right of Boom
January 30, 2025

The vCIO business convo

In this video, Gary, Wes, and Phyllis discuss the importance of aligning business strategies with IT and cybersecurity initiatives. They delve into the role of a VCIO in understanding a client's business needs, risk tolerance, and how to create a proactive IT strategy that aligns with business goals. The conversation emphasizes the necessity for MSPs to evolve beyond basic IT management, focusing on strategic relationships and continuous alignment to drive value and growth.<ul><li>The importance of aligning technology with business goals to drive value and stand out from competition.</li><li>The necessity of having a dedicated resource for VCIO (Virtual Chief Information Officer) role to build strategic relationships and improve MSP services.</li><li>The role of automation in improving efficiency and accuracy in MSP operations, especially in security management.</li></ul>

Guests

Andrew Morgan

Video Transcript

Welcome back, everybody. Episode one 20 here, December 5th. Can't believe we are in the home stretch of 2022 this year. Absolutely flew. And, um, wow. Um, just a few quick announcements. Gary, I'll let you start off. I did put in the call to action in the green button below, um, schiz Fest. Um, and excited about that because we are gonna do a cyber call live there. Is that true? We are, we, and it's gonna be a special one because we're gonna talk about everything.

We have all learned about the security posture and about MSPs in it, over 120 calls, which by the way, that's 16 eight hour days That ought out for some formal I math. Yeah. And so we're gonna, um, yeah. So that's gonna be really great. But if, if you've never been to Schnoz Fest and it's almost sold out because, you know, our peer members, they all sign up first, but now any, anyone can sign up and it is, um, a day and a half, first day all main stage.

My keynote, we have a special guest keynote cyber call live. Um, we're doing a really updated and special, um, version of Peak omics, really digging in to all the mistakes people make, why they don't understand their cost properly. It's gonna be awesome. And then, you know, our friend Shell, mond's gonna be talking about culture, and then day two, we break out into three sections, business owners, um, uh, what we're talking about today, alignment and, and, and VCIO and sales and marketing.

So it's gonna be awesome. That's, that's excellent. I can't, I can't wait. Um, it's gonna be fun to do one officially live too. Um, Billis, you'll be there. Wes will be there. I'll be there. Um, obviously, Yeah, we'll, we'll have, um, we'll have 500 MSPs, you know, we'll be, we, we will sell out. We're already close to four 50. That's awesome. So we're almost, we're already almost sold out. That's fantastic. That's fantastic. Good for you, Gary. Proud of you. Um, okay.

Just one or two other quick things. One, um, Wes, we are gonna have Mackenzie Brown back, not next Monday, but the following Monday from the Microsoft Dart. And I'm putting this in there for anybody, um, that wants to little get ahead. Um, Microsoft puts out, um, their digital defense report. It is fantastic. I mean, it is a very, very, very good, uh, intelligence brief. Wes, I see you shaking your head.

Are you familiar with Yeah, well, she, McKenzie mentioned it on the last cyber call, and I don't know how many people went and was like, oh, I don't know about that. And went and looked. I posted a link in chat when we last did it, and I took a peek at it too. And it is solid. And it's solid because of the breadth of what Microsoft sees, right? Yeah. They see more than just about anybody on planet Earth, even more than the government in many cases. So it's really good. Yeah.

So it just came out. Um, and so next week we have scenario based security assessments with Brian Blakely. So, I mean, this is turning out to be a year end. Um, tell your friends, family, um, you know, power Moores, uh, whatever you want to come to the cyber call, um, and, and see what's going on here. Um, and she's, She's awesome. She's really relatable and she was a great guest. Oh, thank. Yeah, I agree. Gary, thanks to Wes.

He, he's the one that ran into her at an event and she is running the incident response panel, um, at write a Boom. And so, so please, uh, come to that. The only other thing I wanted to just put in Gary, and it kind of kicks things off to today, is a two minute video of you and, uh, mark from last week, Mark French. Um, I put the YouTube link in there and it's just such a great, uh, two minutes of mark talking about, um, how companies, uh, or really security departments struggle.

Like it's not just us, right? As MSPs finding budget, he's like, security departments struggle finding budget because they're not aligning, uh, the initiatives of the business to what they need. Um, and, you know, and how he talks through it. And then obviously you give a little bit of humor as you always do, uh, to that. But it kind of set the stage for today, which is a little bit unique. Um, and how we're going to do today, Gary, you're gonna kind of like do a presentation.

And now since we're gonna do a, a PowerPoint, um, I'll pull that up momentarily. Um, Gary, you're probably gonna have a landing page for people that can get it if you at some point, or do you want me to just share it? Uh, just make a PDF and share it. Okay. I'll put it in so everybody Have it. You can put it in, um, you can put it in, um, sub Nation. It's fine. Yeah. Okay. That's why I put a few extra slides in here.

We'll move past 'em quickly so that afterwards when people get it, they feel like they can, they can use it. Okay. Perfect. I'll, um, I'll make sure I get that done and, and let everybody know where that, that is, uh, uh, in Cyber Nation. Um, okay.

So let me start sharing Gary, and in setting the stage here, um, you know, as, as I said, mark, you know, talked about, you know, finding budget, you shared, maybe I'll, I'll hand it to you, if you could kind of just pick up when you had just invested in your second MSP, um, what you found and what changed once you understood what they knew and what they didn't know, your CIOs about your customers that you had just purchased. Yeah, that's a great place to start. While you pull that up, Andrew.

Uh, I'll share two things to, to set the stage. One is when I got to my second MSP and I spoke to our V CIOs, uh, they didn't really know much about our customers businesses. They knew something about their technology. Many times they weren't even dealing with the ultimate decision makers. And so that made us so limited in how valuable we could be to them. And so getting them to accept recommendations was hard. Getting them to pay more for our services was hard. Like everything was just harder.

And I will tell you that in my career, my two MSPs and, and, and in, in true methods, the one thing that, that we focused on is this relationship. It is what built my fir, both of my MSPs, and it is what has built and changed all the people we work with, right at, at, at, at True Methods.

So if you can get better at this, you will have a better MSP, I don't know where else you can apply time and resources and energy and get the same return on investment that you do in the things we're gonna talk about, uh, over this hour. Cool. So yeah, people want some help. They can go to this true methods.com fors, VCIO, and this is, um, it's not an ebook.

This is actually a 22 page training manual, uh, around align standards alignment and, and VCIO that people can download for free and they can use it. Awesome. Alright, Let's roll. So, VCI it is critical, like this is how your customers view value. We do all of these other things for them, Andrew, but the way they perceive the value is when we meet with decision makers and what that relationship looks like determines your value.

I always say, Hey, people depend too much on their csat, uh, uh, when they should be looking at their seat price, because that shows you how much PE people value you. They may like you, but they, they don't value you if they're paying you 120 bucks a seat. Fair enough. So I break the business down into these, uh, delivery areas, the things that we have to do and do well, they're critical. We have to provide support centralized services.

That is the growing area of the 30 tools you now have in, in your stack. And of course, we still do professional services. These are low perceived value, they're critical, right? You can lose customers for these, but you don't gain customers by doing this well. 'cause that's the expectation as opposed to the proactive things. Alignment. And we'll use the word alignment and compliance kind of interchangeably, right? And we're gonna show you what our version looks like and VCIO.

These are the a hundred percent proactive things that I call technology success. And that is where we drive value and set ourselves apart from competition. Andrew, Gary, can I just ask a quick question as we go through?

So centralized services, you know, you would commonly, let's go before EDR, um, and before we started seeing MDR and things like that, are you seeing those breakout differently, Gary, than being in your traditional, your RMM, you know, as an example, you know, somebody centrally managing those things because there's, Yeah.

So what I'm seeing with is people that are, uh, not as far along their security journey, they'll start off by making some of those things like part of another offering, right? So they'll make 'em, uh, like their security plus that they add on. Um, but the people that have been, you know, a little further down in their journey, um, they're, they're just charging more per seat, and that's part of their core offering. They won't take a customer that doesn't have 'em. Okay?

So, I mean, that's where you want to end up. Got it. Fair enough. And even now, e even sock and steam stuff, the prices come down enough that people are bundling all of it in. Got it. Yeah. So here's our four key delivery areas. I've taken professional services out of it. This is normally what our monthly fee is, reactive support, our centralized services, some type of proactive role around, you know, alignment, aligning technology and VCIO.

So th this is really how your customers should view your services so that they are seeing, they're not just paying you for support, but they're paying you right. To be able to actually understand their business and their technology, uh, and, and make good decisions. Awesome. So I like to ask this question when I'm in a, uh, in, on the next slide, uh, when I'm in a live session, I ask how many people here are or have A-V-C-I-O role in their company? How many hands do you think go up, Andrew?

I would imagine most, Yeah. M most of them go up and, and, and my thing, are you really A-V-C-I-O or are you actually A VCO? I think I know where that's going. Yeah. Virtual captain obvious, Hey man, your servers are old. You probably should replace 'em, dude, you know, your backup doesn't work. Your email's old. Let's go to 3 6 5. Your licensing expired, you should renew it. It's like, well, thank you Captain. Obvious.

Like, I could be in business for 10 minutes and give you that kind of advice. Right? And then you're wondering why decision makers don't want to come back to your meeting again, Andrew, to tell 'em how many PCs they gotta buy next year. They're not that interested in it, right? Um, they meet with non-decision makers, their reports center on tickets and SLAs and patch statuses and hardware and life cycles.

Uh, you know, as a decision maker, one of your customers, uh, unfortunately don't care as much about patch management as we do, man. Right? And that's, that's why you fall into this mode. You're really just an account manager, or I call it virtual captain. Obvious. Got it. So if you look at it, a true VCIO, uh, has technical re uh, has a business relationship versus technical. They, and we're gonna show you this today, they do an in-depth business profile.

They build these important strategic relationships and they use technical alignment. And the business impact of, of things out of alignment is the foundation of the relationship. It's the language we speak to take complex things and make decision makers be able to understand them in terms they can understand. So zoom out, uh, uh, uh, a virtual captain, obvious, they're gathering information, they're quoting, they're dealing with escalations. They're basically account managers, right?

As opposed to creating strategic roadmaps for every customers meeting with actual decision makers, understanding every customer's business, leveraging the data from alignment, really digging in and making that the role. Andrew, Gary question. Historically it was like you could have, depending on the MRR, you always aligned roles. UL ultimately, maybe there's 20 to 25 accounts.

I think it was like a hundred and correct me if I'm wrong, about 130, 40,000 of M-R-R-B-C-I-O could manage, um, A little higher now. 'cause the average deal size is higher, The average deal size. Okay, fair. Yeah. But knowing we have framework and so many other pieces these days, especially in regulated, could as seat price goes up, are you seeing that you might have to have more or have a vc? So I know we're gonna talk maybe more about this, but Yeah. Is that changing the game?

Yeah, absolutely. And why don't we go through the structure first and I think in some of the questions we'll talk about afterwards. Okay. I'll tell you exactly what I'm seeing across, you know, hundreds of companies. Um, and because they fall into two or three different categories, Andrew. Okay? Right. But, but the, but the mechanism of this part of it should be the same. It's just the skill sets and how you divide out the roles are different. Okay? So, but this is the most important thing.

You gotta have some dedicated resource, even if you're small. And like when we started, I was the first VCIO, but I had all my accounts scheduled out a quarter in advance, a repeatable process, going and doing it the same way every time. And then what outcomes, how do I know whether I'm doing a good job or not? Are they accepting my recommendations? Are they willing to pay more? Uh, uh, how much non-recurring revenue and, and new MRIs, percentage of Mr MRR am I generating?

Like they're the metrics to tell you are you actually achieving it where you're helping your customers? So first off, who are you meeting with, man? Are they decision maker? Do they develop the com customer's strategic goals? Do they control the budget? If they don't, you're probably meeting with the wrong person. Got it. And think of, I like this little, uh, analogy. Think of it this way. As business owners, we look at expenses in two ways. Like what I call sg and a. That's your expenses.

These are things you're trying to reduce the cost of these at all times. 'cause every dollar less you spend on 'em is a dollar more to your bottom line. Then you have your functional areas, those things you look at is investing in, right?

And, and the example I always give is, you ever have a customer that, um, just spent two and a half million dollars on a new piece of shop floor equipment because they know the ROI, but you tell 'em they gotta spend 15 grand more on some in, uh, insecurity initiative and they act like you shot their dog. Right? And because they don't, they're viewing that as an expense instead of an investment.

We need to be seen as a functional area because it, for most of our customers, is the most important functional area, right? It's definitely, you know, more complicated and more important than finance. A lot of the size customers we deal with are still use QuickBooks. You understand what I'm saying? But they don't always view it that way. And you can tell.

'cause if they don't wanna meet with you, they don't think it's valuable, then that means they're not viewing it as a function functional area that's your fault and you're letting them down. 'cause they have more risk. They're not making the right investments. It's bad for everybody involved. Andrew, Uh, can I tell a real fast story, Gary? Yeah.

I was, uh, doing a community call for a client and um, one of the MSPs stood up and said, Hey, um, we had, we focused on graphic, uh, graphic design companies and we struggled selling our security. He goes, recently though we won two deals. And I said, well, what happened? Um, in both cases, their customer, the graphics design customer was regulated. And for the first time pushed down a third party questionnaire to the graphic design company. Yeah.

That had a bunch of security controls and questions and policies. And the MSP all of a sudden had, in essence, carte blanche all the things they were trying to sell. Um, but they could have done it anyway without that. If they would've just had a framework around standards and explaining risks, they could have done the same thing. Like, that's the whole point we're trying to make here, Andrew. We don't have to wait for that. 'cause that one worked out well.

But sometimes it works out that they don't. Someone else comes in and solves that problem for 'em. No, I, I couldn't, could, I couldn't agree more. It was just, I said, well, what was the reason ultimately, why did they do it? And, and again, it was because of the business. It was money. They the only reason they were right. So again, it has to do with the right conversation. Yeah. So understanding your customer business, um, what did they do and how do they make money?

Like what are their revenue streams and their gross margins on each of those streams? What products or services do they offer? What systems support those efforts? I mean, Wes, this almost starts to, you know, getting into the, um, uh, the BIA territory. Yeah, it does. And, and these are the things that should be a precursor to a good BIA because you, you need to know your business for sure.

And you know your client's business as you start building that BIA 'cause it's your job to like guide them through that process and make sure, hey, you know, you told me earlier that, you know, 90% of your revenue comes from this system over here and I'm not seeing anything over here. Can we talk more about that? Uh, it's a great point. Awesome. That's exactly it. So what's, uh, you know, what systems support those efforts? What does their business model look like? You know, are they growing?

Are they shrinking? Who are their customers? Uh, who are their key suppliers? What are their critical KPIs that they run the business? Andrew Drew, It's, it's, it's, it's great. I mean, if you can, if you can nail those things, you're having business conversations. Absolutely. Are they growing or shrinking? You know, are they a big player in a small market or a small market in a big player? What's the biggest obstacle they face? What's their biggest initiative? I love this one.

What does success look like to the company and the decision maker over the next few years? You, you know, I'll tell you one other question that's not on here that I ask every prospect and every customer, which is, Hey, who are your biggest competitors? So are you cost more than them or are you less than them? Oh, you know, we cost more. So when you put a bid in and they're less, why do, why would a customer pay more for you? Listen very carefully.

First off, they're gonna get up over their chair and you're gonna see their passion and enthusiasm about their business. And then in the next five minutes, they're gonna tell you exactly how to sell them exactly how to sell them. It's, it's like a cheat code. Yep. And consider building a business canvas. If you go, uh, just Google this, it's a free something. You can get off the internet.

But basically what it does is it describes the important stakeholders revenue streams cost in, in, in a simple way that you can do it the same for every customer, right? And then you can start to later when we talk about their technology, you can, you can align it with this. It's a great resource. Have, has any of you ever used this business canvas Still a wire and in, um, in chat for us? Yeah. It's really good Delay there, Gary. It'll come. Yeah. Good resource. Okay.

And then now we get into their risk profile, like what you started alluding to, Wes, you know, what are the key datas and application, what's the cost or impact of any data loss? Like, dig deep into that and then downtime, dig deep into that. And many of 'em not even considering what those real costs are until you paint it in a way. Like, okay, so let me tell you some stories of what, what we've seen happen, right? What if you didn't have access to that system for three or four days?

What about a week or two weeks? What would that mean? Right? All of those things. And this kind of tells you what their risk tolerance is. And it's not just downtime. It, it, it is the cost, uh, like of their people and all that. Like how does it impact their customer, their business model? Can they make up the gross margin they lose? Or is it gone forever? So, and again, do this with an assumed breach mentality.

Well, Gary, I just, you know, again, I love, I forget we, we were talking about this, but like, just questions. Do you have SLAs with your customers? Do you have contracts with your customers that you have to, you know, get things done in a certain period of time? You know, I mean, a lot of time, Yeah. Are there third parties that care if you're breached and lose your data? Right? If your data gets stolen, does anybody else care besides you?

Like, and any oversight that care, it's like all, all of these questions, right? Right. But then what we have to do is, uh, and I will tell you this, some people say to me, well, hey, I have, uh, uh, V CIOs, but they don't have my business experience. Like, they don't know how to do this the same way I would as a business leader. Let me tell you, I've trained a bunch of V CIOs. You teach 'em the questions to ask and they can build on it over time.

You make 'em go out and start having the conversations the same way over time. And after they've had these conversations with 5, 6, 7, 8 business leaders, something amazing happens, Andrew, they start to get pattern recognition and all of a sudden they become super interesting. 'cause almost anything a business leader says that what they deal with, Hey, you know what? I was talking to another business. They kind of do this. They dealt with it this way.

It, it's all of a sudden you become like this person that may never have run a business, but all your business leaders look up to you. That's awesome. So here's the second piece. Now we're gonna combine it with your view, uh, uh, uh, of technology. And it's broken up. I break it into two roles, four steps. First, you have to have your standards. You gotta do regular alignment. Then knowing their business.

You want to explain the business impact of misalignment and use that to make decisions, to develop a, a strategy for every customer. I liked how you said and write a boom last year when you're interviewing, uh, Robert and Eric, and you said, if you don't have somebody dedicated to alignment and standards, you're probably your customer. Your, you and your customers are probably not secure. They're not secure. Like, this is not something someone can do in between tickets on the support desk.

That's why we're always pushing back on why you have to charge the right amount. And look, we know all the standards, right? We know all the general ones and we know all the security standards. I mean, we have Phyllis here for god's sake, right? So, and what we've learned is that you don't have to have a hundred standards. You can pick one and a piece of it. You can just start with IG one and use that one and cover a lot of ground, right? Uh, in terms of, uh, your, your customer's, um, posture.

So keep going angio. Let me get to the nitty gritty on, on, on this. Okay? This is the one slide I want you to remember. I call this the box and the blob. That box is your standards. The blob is your customer's actual environment, right? Our job is to always be kind of be pushing the blob inside the box and where they're outside the box. Um, what is the risk to their business?

'cause the same misalignment, Andrew, could be really meaningful to one company who's regulated and a lot less meaningful to a flower shop. Okay? So that's where, that's where we put this in place. And the thing about it, and I drew this at almost every sales call that I went on, uh, when I was in the business. And the reason why is if you don't have standards, okay? If you don't have a box and you have 30 customers, you just have 30 blobs.

And I'm abstractly trying to tell every customer what they should do. And that's why I end up only giving 'em advice That's really generic. But if I have standards and I'm taking this view of every customer, this is how we're gonna communicate. Do you understand why we have standards? Here's where they are. Here's where you're outside those, here's where you're red, right? And let me tell you what red means to you. It it, it's a language that every business leader understands. Yeah.

Well, it's, it's when I think medical too, Gary, it's like, let's take simple things like heart rate or blood pressure, right? You're saying you need to hear, you know, your heart rate's at resting heart rates at one 30, probably a little outside the standard where you wanna be, uh, unless you're being, Yeah, otherwise you'd go into the doctor and they had no test and no standards, and they just say, well, you probably aren't as healthy as you should be. Right?

Okay, what's that supposed to mean? I mean, right down to this organizational password policy, is it secure? Yes. No. Is it aligned? Is it marginal? Vulnerable? Where is it? I mean, we want to be able to show 'em, Andrew, exactly what this looks like. Okay? And then once we do that, now we can introduce the VCIO process.

We understand their business, we have an objective view of their technology, and now we can have this role to take that information and have meaningful, repeatable conversations with customers that gets results that are predictable. So the VCIO is responsible for the long-term technology strategy, and they present this strategy in clear business terms. This process, right? Is your competitive advantage, right?

And eventually, and this is what, you know, comes from the software that, that, that we developed that true methods, my process. But, so I'm using it to give you the example. Um, but eventually we want people thinking out. And here's one thing I'll tell you, Andrew.

If you have customers and you're going to see them as A-V-C-I-O and you're telling them that there's an issue and you're giving them the proposal and you want them to sign it while you're there on a regular basis, you're probably a captain, obvious, your customers should be signing proposals for recommendations that they've agreed to in past meetings. That means they budgeted for it. They see it as an investment. This needs to be a proactive role.

Not consistently, not that once in a while, something doesn't happen, right? You need to address. But on whole, everything should be planned out. And because of that, you should be able to have your professional services stacked out 8, 12, 8 to 12 weeks in advance. So prioritize and propose timelines for recommendations. Some of them may just be addressed by your service and you're telling 'em why, right? And then others are changes in configurations.

And many of them become projects that are, uh, non-recurring services or additional, uh, MRR create budget numbers to implement. Um, and then if it's a project, make sure they understand the ballpark and the quote. So strategic recommendations from like maintenance and lifecycle items. So always start with the strategic recommendations, right? You have your decision makers there.

Get 'em to make the big decisions, depending upon the size of the company and the audience, you may go on to those lifestyle things, Andrew, or it may be appropriate to have a separate meeting with a separate level person to talk about the, the captain obvious stuff, the lifecycle stuff. In other words, don't mix it all together, right? Does that, does that make sense? Awesome. Oh, now selling.

When you're selling your, explain why you're, if you're going back to your customers, now again, this happens a lot right now, right? With security, explain what you're adding to your service, that you're responding to new threats. Show them why things are different, and answer the question why I thought you were already doing this. Answer it before it gets asked, right? And relate the risks back to their strategic business initiatives. I can share this.

I I mentioned this on one of the calls, but I sit on a few boards, Andrew, and one of 'em is, uh, a large MS. P that's acquiring other MSPs, um, uh, NDIC partners. And I know our only major risk, right? Is a widespread cyber attack. So we have to design everything we do in a way that it couldn't be completely widespread. Even if our costs go up and our efficiency goes down, it's the only thing that stands between us and our goals, nothing else is gonna stop us.

They could take us six months longer or shorter, right? O other external factors. That's the only one. Most of our customers are in the same boat, but they don't see it that way. Make sure they understand it and then help clients make decisions about their budget and then track the results of those conversations. Every time I sit with my V CIOs, who did you see last week? What recommendations did you make? How did they respond? Which did they accept? Which did they reject? And why?

Who are you gonna see this week? What recommendations are you you making? Tell me how you're gonna present it. You get it? That's awesome. And then let me just finish up with this. Hey Gary, my clients don't take my recommendations. What should I do? This is number one question I get, Andrew, I Should, oh, should we do the next one? Do the next slide. Customers don't take your recommendations when they can't see the impact on their business, period.

Remember, I, I write a boom when I end it at the end of, of talking, um, with Eric and Robert, I said, Hey, if everyone to the MSPs, if every one of your customers sat in this room for the last hour, do you think any of them wouldn't take a recommendation or would care whether you charge them 3000 a month or 4,500? And the answer was no. They wouldn't care. Why. 'cause they would understand the value and the impact and the risk to make that good decision.

And 1500, another $1,500 a month to an account that spends 3000 is nothing in the scope of their business, Andrew. But guess what? A widespread attack is a major thing. Yeah. Fantastic. Yeah. So I'll just close by saying, you know, be curious. Stop trying to value what you know about it and start trying to make it around what you understand about their business. Look for ways to reduce risk and capture opportunity for your customers. This is what they need and they're gonna get it from us.

Or eventually they're gonna get it from somebody else. Andrew. Yeah, awesome. We talked about that. Okay, I'll stop sharing. Tha that was awesome Gary. Um, so as, as Gary said, I will get that into a PDF. I'll put it out in Cyber nation and I'll put a URL in here momentarily. Yeah. Um, Wes, I'm gonna have you kick things off with Gary and please feel free guys out there, guys and gals, can you, if you have questions, put 'em in, ask a question.

Um, Yeah, I saw a lot of comments, but I was presenting, so I couldn't track, I couldn't track them. I, I couldn't either. So, because I was doing the pres presenta, the flipping. And so, You know, there, there was a lot of good discuss. I can sum some of it up for you. There's a lot of good discussion on like, interaction between A-V-C-I-O and A CIO at the business and how, and, and a few folks are like, I wish I had a CIO at every business.

Whereas I'm sure, and maybe I'll just open this one, Gary, how many MSPs do you think would be scared if the, if the client was hiring their CIO, do you think like they're like an internal cio, they view that as a threat? Should you view it as a threat? They shouldn't, but a lot will. If, 'cause if your process is not mature, uh, then you're viewing them 'cause they're gonna do your job.

And then you're threatened if you have a good process, you like it better because it's easier to translate technical risks to A CIO than it is to A CEO. So they, if you're good at it, they actually make your job easier. Yep, yep. They, and exactly.

And, and I loved what stood, one of the things that really stood out to me in that presentation was the technology alignment, the road mapping, the budgeting, the processing, almost seeing that Kanban board of like, this is where we're going, here's what next quarter's gonna look like. I can tell you as an executive sitting here, I'm like, I eat that stuff up. Like I really am interested in that and I want to know, hey, where are we going with this?

And how is it coming in and addressing some of these things? And I, I think you nailed it. Like the, you'll put a board to sleep if you wanna just talk about recurring printer costs and here's what your cost per page is and here's what your IT lifecycle on three year, whatever. They've already budgeted that stuff. Like, go away. Yep. Tell me about what the future is. Tell me what we're building. Um, I think that's really good. And I think that's really where you get that crucial seat there.

Um, as a strategic advisor, um, can you talk more about that? Like how does an MSP become comfortable with getting into, um, those kinds of discussions? Especially if they've never been in an opportunity like that. They've worked in MSP all, all, all their life and they've just never had those discussions. How do they get comfortable with that? Uh, what I tell people is just start doing it. So when I gave my example of my second MSP man, there was fear on, on our, these, they're young.

We had a couple young guys who had never run a business. And you want me to go out there and I'm like, just start with these basic questions. Ask 'em these things, get them talking about their business, and then do that a couple more times and next quarter we'll see where we are and then we'll start to dig deeper when you're comfortable. But just start asking people about their business, how they make money.

Ask 'em that question about their competitive advantage and start having those initial risk conversations. I mean, we've talked about it so much in so many ways, over 120 episodes, right? Yep. That's solid. Really, really solid. So let's talk about security assessments. Um, this is becoming more and more important. Um, we're seeing MSPs over and over that are getting good at it and leveraging this and really dealing with it.

But it gets complex because now you have so many regulations that A-V-C-A-O has to jump in and deal with. Is it the V C's job to be the one that manages all of those, like particular industry specific regulations for their clients? Or do they have help on the backend from the rest of the MSP? What do you think?

So the way I see this in the real world playing out, again, there's it stratifies based on where the MSP is with their scale, with their security, um, maturity on one end, we have people that have, um, they have vcso, uh, in their business. So they've actually gotten that far. Now, what I would say is of that group, a percentage of them, you wouldn't say were a vcso. Do you know what I mean? Like by maybe your definition Wes on it. Yeah.

But they have that role, but for many of them, they're not there yet. And so they're working as a team to make sure that VCIO is understanding. And really as it comes up with customers, they're many times having to go back and do the research. And if you think about it, we are encouraging like in to bundle into their offering that that, um, we call it the TAM role technical alignment manager.

And they're doing basic alignment and, and at least hopefully they're able to, to get into, you know, I IG one. And then other customers that have more, they're usually bill start off by billing those other assessments outside of it in the beginning because they don't really match up with seats. If you have to do certain, um, uh, compliance stuff, whether you have 20 employees or 50 employees, it takes about the same amount of time.

So I think there's a learning curve you have to go up and don't get. If, if you don't understand it, then just bill for it and do it. And then you'll learn as you go. You don't have to figure the whole thing out the first time you do it. You're not going to, by the way. Does that make sense? Yep. It, It makes a lot of sense. And some things I can add into that I think are helpful is, um, I, I think you're right. You learn as you go. I think you should ask a lot of questions.

I mean, you, you talked about that already a lot, Gary. Like I think most of the time if the questions are good around like how can I help you? Like let's say you're talking to a bank or healthcare, it doesn't matter. I think asking questions like, Hey, how can I make sure that we're helping you in your journey around your regulatory compliance? I wanna make sure that we're going down that journey with you. Anything that stands out to you, anything you know's important.

Another thing that I think is solid gold is anytime you can get your hands on there like audit reports, you're gonna need an NDA in place. But those are solid gold too. Absolutely. Just to say, can I get a copy of those? I want to kind of see what we're doing, make sure we're moving our alignment towards your audit results. Because you'll peel out. I can tell you I learned so much about regulation just from seeing what the auditors are coming in saying. So that's valuable.

If you're working with industries like that, you're gonna have to get their secure, their, their buy-in for them to feel comfortable giving that to you. But I think that's good. And you're right.

I think as you just go start doing it, you start talking to them, you start learning, you pick it up and boy, imagine you take all of that prebuilt knowledge and now you go to the next bank or the next healthcare or the next whatever it is you like, they, you already speak their language so much more and you just see that growth that compounds on top, right? Yeah. And listen, sometimes unfortunate, it's easier than it should be.

I have friends who own businesses and one of 'em, my no falls under, uh, um, HIPAA and I, I asked him some questions that he didn't have the answers to and I'm like, dude, you should know more what I'm asking you than you do. Like you have, how are you able, like you're the CEO of your company. You can't even assess Rick's, you, you don't even know who you should ask in your company. Like, you know, by the time we finished our cigar, I thought he was gonna have a heart attack.

But sometimes it's literally that easy wes to do. You start the conversations and you don't have to dive deep. You immediately start to uncover, um, fear, uncertainty and real fear and you're helping him. Yeah, that's exactly right. So a pivot off this is metrics. So you, I mean, everyone knows peak economics, right? Like you've taught the industry so well on peak economics over the years. What about security? Do you see security as, does peak economics fit directly into that?

Or are you seeing a shift in how we look at, uh, KPIs as a whole when it comes to security? Are they distinctly different from it? What do you think? So here's how I look at it in, in, in terms of how it overlays our business model. But basically what peak economics is, is we have delivery areas and we know the relationship between those delivery areas and how many seats, you know, we can manage. That's a professional services thing. So we have to be able to have a way of knowing our costs.

Security can't change that. It's just made it really complicated, dude. 'cause one of two things happens every time we turn on a tool, not just the cost of the tool, but what else do we have to do? Is it gonna create more noise? Where does that noise go? How do we, uh, capture that in our cost? And now with some of these things we're talking about around compliance, like how many more hours do we have to spend in terms of in a compliance and alignment role?

Does it fall into like how much we charge or are we charging for some of these things outside? So the most important thing here is you have to have a framework. You have to have a way of looking at it so that you know, regardless of how you charge when you're doing things differently, that you're gonna be able to cover your costs.

Because if it's gonna cost me an extra five bucks a seat to do additional alignment or compliance and I don't raise my price, you know, by 25 bucks, I just tweak my margin and eventually I only have so much time and I gotta do my tickets and alerts. Dude, I have to do 'em. I don't have a choice. So they get done first and then our intentions are good, but we can't do alignment. We can't do VCIO 'cause we can't afford to.

And that's why I'm telling people we're headed to 300 bucks a seat quickly. I see a lot of MSPs talk when I just have conversations about them. They're like, the way I think about how I price these things into my margins. If I'm looking at a new tool and it's gonna be, you know, $3 a seat, then I just triple that and I bill to the customer, you know, $9 a seat. Insecurity. Do you think that holds true as a rule of thumb? Talk to me more.

No, because almost every security tool has other noise associated with it. Mm-Hmm. So, uh, you, you're gonna, you know, you put, like you, well you're familiar with, we turn on, you know, perch, right? Mm-Hmm. Um, there's a certain amount of things that are gonna get uncovered that my team is gonna have to deal, work together and deal with on. So if I'm not billing for that, which most people aren't, um, it's just reducing my margins.

And it could be the same or equal to the cost of, of the tool over time. But you definitely need to understand that. And that's why every quarter I have people tracking, uh, all of those things to look back to see, hey, is my average cost for support going up or down? If it's going up, that's usually why. 'cause they had 15 tools and now they have 30 and they all created some noise. Okay. That gets me thinking even more then, uh, if that's the case, which I agree.

A great example would be like phishing alerts, right? We turn on the report a phish button and you know, first you're like, this is the greatest thing ever. And now they can report to me. You're like, wait a second, I'm kidding. Report after report after report. That makes all, all of a sudden automation becomes important, right? Especially automation and security.

Can you talk to us a little bit more about how MSPs should think about automating their security stack and automating what they're doing in this modern age? Yeah. So let me tell you, you have to do this on a small scale, but let me tell you what, um, like on a big scale, right?

The, the company that I sit on, the boardom, I, I helped initiate like an an an automation practice that will, uh, teach everyone in the business where to look for opportunities and security is a big one for us to be able to automate things, to do things in a way, not just to save time. 'cause we we're talking about that MSPs understand it, but actually being able to respond better right. Quicker, more accurately to be able to do the same things all the time.

I mean the one that simple things like we talk about, um, you and I, Wes is like user onboarding and offboarding. You know, you, most people have a checklist for it. They have 10 people that do it. It's done 10 different ways every time. Like automatically we have security risks like before we even get started 'cause it wasn't done the same way. So I'm a big proponent that automation and you know, full disclosure, uh, I sit on the board of roost.

Uh, so obviously I think that much of it, but automation in general, I don't think we can get from here to where we have to be, um, doing it the old fashioned way with a pick and shovel. Not just we can't afford to do it, but we can't do it good enough. Yeah. Uh, I completely agree. And I think it's shifting that, that like mantra and mindset of what good automation looks like and the outcomes of automation. Like it doesn't have to be an end to end. I 100% automated something.

Sometimes if all you do is you say, here's a process that takes me 30 seconds every time it occurs and I can peel and it occurs a thousand times a month. If I peel away 25 seconds or five seconds or 10 seconds out of that for the human, like that can have exponential impact for us, right? And it's right every time. Yeah. Yeah. And it's right every time. It's not right 80% of the time and creating more noise or more security risk in the future. Yeah.

So these are things I think do impact our margins and how we we build for profitability and how we handle a recession squeeze that may be coming up all of these things. So my last question for you, uh, before I turn it over to Phyllis is let's just talk about, let's future cast just a little bit.

Where are the areas that MSPs need to invest over the next one to three years to stay competitive, to stay proficient, to make sure they have command and control over themselves, their clients, all of that? Gimme some thoughts. So I I, I'll give you a couple things. First is really understanding what this v ccio slash vcso as we move forward role looks like. And almost viewing everything else you do in your business and delivery areas.

The reason you do the rest is to put that role in a position to be as impactful to customers as possible. It's the thing that we as MSPs can do and why big giant companies like Dell having coming in and taken over, right? Because of all the things we talked about that have to happen, humanizing right in, in that role. So investments to make sure that that works. And then the other piece is automation.

For all the reasons we talked about, there's gonna continue, no matter what happens to labor markets, we are not gonna be clearing out of our, uh, situation where there's less good people out there for what we need 'em for. Even if the broader markets open up, there's no end in sight. I think it's gonna get a lot worse. And it, and not, before it gets better, it may not get better.

So if we can't figure out a way of increasing our leverage, getting a results from B people, I just don't think if you can't do those two things, if you can't be more efficient and if you can't build a closer relationship with customers, it almost doesn't matter, right? It almost doesn't matter.

And obviously security being central to that process And, and maybe even getting aggressively bought up with a terrible margin 'cause you couldn't compete and you sold to a bigger conglomerate that could and they just bought up your book of business. And that's tough if you didn't sell for the margin or the the multiples that you thought you would. So yeah, I see. I see it every day, man.

I get to look at, you know, I, I sit on an m and a committee and I see the good news and I also see, like, I really feel bad for some people 'cause they went on and they saw something on a webinar that told 'em their business was worth, you know, seven times ebitda and we're the ones who have to tell 'em that their EBITDA is half what they thought it was. And so are the multiples based on where they are. It's not an easy conversation to have with people. Mm-Hmm. Yeah, it's not Phyllis.

Oh, go ahead Aaron or Andrew. Good, because I'm all fired up now, Andrew. Yeah. Well This has been great Gary, uh, appreciate it. Um, Lauren, one who you've known for years, a Lauren GR asks a question and I want to kind of ask it to Phyllis if I could first, um, do you feel there are si many, there are many or there are there cybersecurity solutions that are just un unearthing bad?

IT and Phyllis, you know, I I immediately thought of things like secure configuration, uh, when it can comes to bad it, but is what are your thoughts on that question? It's a good, yeah, I mean, you know, I think, um, we are just, we just kind of did a thing about costing of cyber defense and the overlap of your IT tools that can be used for cybersecurity tools, right?

And I'm, I would say the primary and IT, for whatever reason, every organization that I've been talking to has been around like, know your environment. That's like, it's number one thing. What, what assets are on the network? What software is on the net? I mean, these are things that you just wanna charge for or make sure you're up to date on licenses, right? Like, and then where's your critical data?

And so yeah, those, those are the top three things that number one, it should be looking out for or is managing and are fundamental to a cybersecurity program. So yes. Yeah, That I love that the digital defense report from Microsoft points out I OT as a, like literally when it comes back to inventory, like just where attackers are evolving, um, that is one of the areas because again, you know, default and, and the internet facing stuff too, right?

Wess, like where you're seeing default passwords still missed inventory on iot. I mean, like again, we threat actors, we know on the margin are, and I'm air quoting, right? They're lazy, they want to go after low hanging fruit. I'd be albeit nation state, but they're gonna look for the easy Stuff, aren't they? And Eric, you see what happened with Rackspace this weekend? Oh my gosh, I feel bad for a lot of MSPs that lost their weekend for exactly that reason. Yes. Yeah.

And, you know, yeah, Andrew, that's the other thing why my view alignment is different than most people's in compliance. To me it's continuous alignment. It can't be like, uh, you know, it maybe insurance companies allow you to do something once a year, but guess what? We gotta, we're not in alignment for insurance companies. They're asking those things because they're the things that reduce our risk and we're responsible for it.

I was thinking about Jim Lippy, he was saying like every time he's the CEO of SaaS alerts, every time they get a new customer, they always find all this stuff. Like they find all of these, um, you know, guest accounts and different things that have built up that have all these security risks for no reason. Do, do you understand what I'm saying?

I wanna say one thing and then Phyllis, but, but your point is well taken, Gary, even for insurance companies, Wess, and that is this multifactor and the traveler's case. Let's just assume it was on and it was filled out correctly. Well, if you're doing it once a year and something gets turned off, guess what? The insurance company isn't gonna pay. You said it was filled out. Yeah, you said it was on, it's not. That's how the threat actor got in.

So yes, I agree with you, Gary, on it's gotta be continuous. Phyllis over to you. Yeah. Great. Well first off, I am learning so much during this, this episode today, and thank you Gary, and I really appreciate your pat your passion. And I really, I also really like those questions.

You have to really to find out the business impact because, and I think I've said this before on this webinar, is even these big companies, I'm telling you I've worked with Fortune 100, fortune 500, they do not understand their reliance on cyber. They understand their business, they understand what it takes to make money. They understand the uptime they need, but they don't understand, um, you know, why, why should they care about cyber and how to explain that to the board.

And we're talking, you know, hundreds of millions of dollars these companies, um, have. So, um, I'm gonna download your presentation too, Gary. Well, they almost can't do it, right? You, I don't have an MS type of standards to use as the basis. They're the same way we're what we're trying to do when, if they have to go to a board, they really can't do it without some framework to explain to them.

They have to be able to, to explain it in terms like, Hey, here's why these people adhere to these standards. Here's where look at, look at where we are. And, and you ha you have to be able to, to say, show 'em that in that way rather than just telling them to spend more money. And I, and I love that because so often they'll say, what tool do I need to buy Phyllis? And, and they just wanna be able to just buy a singular tool and call it a day. So I I love that.

This is a great, a great briefing today, Carrie. So, um, obviously you've, you've coached so many MSPs, um, over the years and, um, I'm sure you've taken note of maybe, maybe even you and your, a quick assessment when you help MSPs. Maybe in the first 10 minutes you can decide Yep, they're gonna make it. Nope, they're not gonna make it.

Um, you know, what kind of, um, properties do you see in MSPs or what kind of, um, what kind of mentality or properties an MS P needs to have in order to succeed and to have, um, you know, these great VCIO conversations? Yeah, so the first thing I ask is like, can you tell me about your people and what roles they fall into? And if I can, I try to draw boxes and say, Hey, here's the roles. We look at the ones that I shared earlier, can you put your people in?

And then usually when there's people without boxes or boxes without people. That kind of tells me what their starting point is. And the next thing I look at is I figure out what their average sheet cost is. 'cause that tells me what they can't afford to do, even if they don't know it. And so, Phyllis, the number one thing is if you can't build the proactive piece of this into your pricing model, you can't deliver it. Period. End of story.

And you might be able to deliver it to some people sometimes, but not to everybody all the time. And scale it to the point where they're willing to pay you more. And so to me that's, that's how I start with looking, okay, where are they in their maturity model? And it doesn't mean they're gonna make it or not make it, it just means like many of them, Andrew, that we have met, they just have been stuck in the same place for as long as we've known 'em for 20, literally for 20 years. Yeah.

Do you think the people who are stuck in that place, I mean, are they gonna be able to survive do you think? Like are they gonna be here five, 10 years from now or do they have to figure out what to do do to change to be able to charge that much more? I, I don't know that they're going to, some will go away and we're already seeing it.

But I think what's happened that has saved some people not in a good way, is that as MSPs have continued to mature, we've kind of been able to move up slowly five employee at a time to the kind of targets that we have now to the point where in these coming years, anybody with less than 250 employees will outsource some or all of their it to some type of an MSP. So there's some at the bottom, the customers that they wouldn't want that maybe will accept something at a lower price.

But it's a really tough way to go Phyllis. A really tough way to go. Much harder than it was the past five years. Got it, got it. Good. So, um, do you see a correlation as you do your work to the MSPs who've matured their VCI VCIO practices, um, with their ability to drive, um, net new monthly recurring revenue A hundred percent. Like it's the leading indicator on two things. One, it's the leading indicator of are they able to grow?

'cause the same process that you build within your organization, then you figure out, right, once your self image changes about that value, that's how you also get new customers. The second thing, Phyllis, is that the customers that we've worked with that have, were the most mature coming into the past couple years, are also the most mature in security because they already had the same process. They already had it laid out. So when they start, they one, they were able to do alignment.

They just went and got CIS and they started, you know, uh, putting those things in. We were, we had our software Mikey process, we just added those things into what we already had. They already had A-V-C-I-O process. So more having that business relationship and being able to make those recommendations. So both in terms of growth command of, of seat price and maturity, they, they're, they're really one and the same.

Like I don't think you become a great security business and get your customers to do everything if you don't understand everything. We just talked about the first half of this show. I like, I don't know how you, how you do it. I haven't seen anybody do it. I'm not saying it can't be done. Right. I have a, I have a question too. It just kind of triggered, you know, you talked about the captain obvious. If you ask those captain obvious questions, you're just an account manager.

What you really need are those VCIO questions. Do you think like going into the future, like you can't really just be account managers anymore. You really have to have these VCIO conversations with everybody. Uh, you will not keep customers. The customers you would want, you will not keep them without being able to do that. Okay. It's kind of, it's mainly what they need from us now. And more and more companies as they invest more in technology. Remember SMBs are in their revolution.

They're all spending more and more on technology as a percentage, uh, of revenue. So as they do that, the same business leaders that thought it was an expense item, they already know it's an investment. Many of them without you having to tell them. So they're gonna come looking for those answers and they're gonna get 'em from you and they're gonna get that relationship from you or they're gonna get it from someone else 'cause there's enough people to do it.

So yeah, the market is telling us what we need to do. Okay. Yeah, I thought I was getting that. Uh, I really like that. Like the captain obvious versus the PCIO. Um, well we only have three minutes left. So what are the top things in 2023 that you think MSPs, um, should focus on to drive that Smith vest, write a boom or Maintain anything? Yeah.

Right, Andrew, Of course, honestly, I'm not saying this 'cause I run, uh, peer groups 'cause you can get in, there's pl there's a ton of good peer groups.

But number one, if you are not in an industry peer group, both from a business standpoint to run a better business, but also from a security standpoint, how many times we heard someone had a security incident, it's happened within our peer, it's happened within the other peer groups like the ConnectWise peer groups and the same thing comes back. I wouldn't have made it through in the same way had I not had my peers to rely on.

So number one, if you're not in an industry peer group, there's four or five of 'em I think that are, that are out there. Go take a look, you know, evaluate 'em, see which one is right for you and, and join a a peer group. Number two, if you are a business leader right now, you have to change how you view what your job is. You better look at what's happening to our customers and what they need from us. And we are no longer technology companies. We're business companies that deliver technology.

So again, being in a peer group, you know, helps with that. Um, go hang out with people who have done or are doing what you want to do. Find ways to do that. That's the best advice I could give anyone. Yeah. Really, really good stuff, Gary, that was really appreciate you Doing that. You see, I love it. Right? Just want to tell every Yeah, this how we, This Is absolutely. And it's, and businesses is how we change lives. That's right.

Um, I posted it before, I'm gonna post it again if you want the PDF version of today's, um, presentation from Gary. I put it in the first comment 'cause otherwise it looks hideous in the way it mighty Networks, it looks. So I did a nice screenshot and then the first comment you'll see you can download that PDF there. Um, so, um, next week, just wrapping up, what we've got going on next week will be Brian Blakely, um, on, uh, scenario based security assessments.

I'm really looking forward to this one. And again, somebody that really, he's good. One of the best in the business I think. Yeah. In terms of having a business conversation and can drive revenue from it. He's, he's owned several MSPs. He was a security person first, like, and now he, you know, he's in the game of security solely, uh, again, following week, Mackenzie Brown, um, going over the Microsoft Digital Defense report. And until then, uh, Wes Phyllis, thank you so much Gary.

Really appreciate today. Everybody have a fantastic week and we'll see you on Monday next week. See you everyone. Take everyone.

Related Videos