Right of Boom
January 30, 2025

Virtual CISOs – Do MSPs need one?

In this video, Gary, Andrew, and Carl Bickmore discuss the evolving landscape of cybersecurity for Managed Service Providers (MSPs). They explore the challenges MSPs face in integrating security as a core part of their services, emphasizing the importance of culture and strategy over mere tool adoption. Carl shares insights from his experience at Snap Tech IT, highlighting the significance of operationalizing security practices and the potential benefits of engaging fractional CISOs to enhance security frameworks. The conversation delves into the critical need for MSPs to focus on internal security to protect their own operations as well as their clients' businesses.

- The importance of integrating security into the culture and strategy of an organization rather than relying solely on tools or vendors.
- The challenge of finding and retaining security talent, emphasizing the need for community collaboration and leveraging external resources like fractional CISOs.
- The necessity for MSPs to adopt a strategic business planning process, such as EOS, to successfully integrate security practices and remain competitive.

Guests

Andrew Morgan

Video Transcript

Hey everybody. We made it episode 100. Hope everybody is doing fantastic the week before July 4th. Um, kind of a, a nice little, uh, I guess cherry on top. Let's hope this July 4th isn't like last July 4th. Um, and, uh, so we're, we'll say a few prayers there. Um, but, um, what I wanted to do before we get kicked off here, Gary, um, turning to you, how was Connect? What was the experience like?

We talked about secure the week before with rest, so I just wanted to get your take on how everything went there. Yeah. First I'd like to say, hey, yeah, it was a, it was a really good event. Um, both, uh, the rooms were full. The, the, um, all of my sessions were full. The energy was good. Um, yeah, so overall I would say it was really positive. You know, I probably got a chance to talk to, uh, 200 MSPs, you know, and I enjoyed talking to about 190 of them.

Uh, but you know, the first thing I'm asking, so hopefully you have some new viewers. 'cause we talked about the, the cyber call and all my sessions, but thanks, Gary. Um, the one thing I, I get confirm when we leave our little world right, of the cyber call and go out in the general population, just people have so much work to do around security, Andrew. Yeah. I mean, we gotta stay on this thing, uh, because, uh, a lot of people do a lot of work.

They haven't figured out how to change their motto. They don't have the right things in their stack. They don't have their arms around process. Some of the things that we talk about that we think are basics. Now, all of us here together on the cyber call that the, they're not basics out there. And it's, it's a tumultuous ground too, right, Gary? Like, everything's still changing around us. We have not settled at all.

Um, I, I've been on two conversations last week with a client and the client with the MSP and their client, and the client was denied ransomware, uh, protections and insurance. And I had to jump in and it kind of explain, hey, you know, nothing changed from what you're doing last year to this year, but it's changed on the insurance side. And, uh, I see a couple egregious things that you guys are lacking here that have caused this denial. So, yeah, it's, it's, it's, it's tremendous. Yeah.

And you think about it. So you have the insurance companies on one side, that's an issue you have to deal with. And then, you know, on the other side, I hosted on Monday an M&A event, and it was packed. I mean, there's so much interest when, uh, I know Jim Lippy started it like five years ago. There were 20 people there, they 20 people. And there must have been 300 people or more in that room.

But one of the things we said is there's only, there's basically three areas where these, what I call super regionals, PE-backed. The larger, you know, MSPs have an advantage, right? One of 'em is in talent, right? They, they can have professional recruiters, sales and marketing 'cause they can overlay that cost. They can professional sales and marketing. So they're knocking on your door. But the third one is cybersecurity.

They have an advantage because again, they can make investments in cybersecurity and then they have, they have more seats, right? To be able to amortize that across. So the rest of us, we gotta get moving, man. 'cause we don't want a competitor or an insurance company asking questions of our customer that we haven't asked Andrew. Yeah. Yeah. Really good perspective and kind of really nice segue into today, Gary, um, in terms of, you know, is it time for fractional CISOs?

And, and because if I could set the stage, um, my, my conversations with MSPs by and large go one of a few ways. They're still very tools related, which, um, I'm, you know, I'm getting less and less, you know, I guess I'm getting older and older, but like really frustrated with, not that it's bad, but it's my follow up question, which leads to the next question, which you typically have is tell me about your internal security. What are you doing about that?

Tell me, you know, the things you've done so far. A lot of these conversations though, recently have been actually, um, come they, them saying, you know, we're trying, we're trying with CIS, we're trying with CCSF. I really wish I had a resource to gimme some guidance. Which kind of led me to the thought thought of, you know, are we kind of at this inflection point where we have to look for external resources? Um, you know, is it time for your peer group to all chip in money? Right?

You know, those types of things started to go off in my head, which led to this session. So with that, um, I wanted to bring on an MSP who's, um, been at this for some time. Carl Bickmore, who I'll let introduce himself. Carl, Who also seems to be there calling him the ghost, MSP right now because of the camera. They all like my green screen app. What can I say? The, the behind me looks weird. So I'm, I'm using it today.

What can I, you know, I don't have the, uh, camera budget that, you know, Wes has. So Very few do. Who does? Yeah. Who does Do. Um, but Carl, you know, you guys have been at this game, um, from a security perspective. 'cause I remember when you really started to go at it with a SOC 2, like way before that was vogue for an MSP 7, 8, 9 years ago now. Yeah.

Um, I wanted to have you on the program, so if you could, maybe just for those that don't know, you introduce yourself, um, a little bit about Snap Tech and then I'll hand it over to Wes for some questions. Yeah, sure. No problem. Well, first of all, uh, I remember when the cyber call didn't exist, the cyber nation didn't exist, and what a remarkable feat, uh, you've done here, Andrew. Uh, I, I was there for some of the very first few and, and I can't always make 'em, but man, congratulations.

A hundred episodes. Great work, and what a great service to the community. I'm a big fan and I, I just say, Andrew, thanks for thanks for what you do, man. I appreciate it. Um, so, and Everyone here. Thanks Carl. Appreciate It. Yeah. Yeah. I mean, right. It's a, it's a group effort, but I gotta say, you've, you've quarterbacked it all along, man. So good job, Andrew, and good job with everybody else. It is, it's a great conversation. It's vendor neutral.

It's everything that you want about, like, being practical. And Yeah. By the way, uh, in the, in the chat, Wes has a YouTube talking about his whole setup, I'm pretty sure. 'cause his like, setup is very intricate and awesome for his camera. I I do, I'll find it. So Yeah. In introductions, uh, so Snap Tech, it, we're a managed IT company. Um, yeah, as, as, uh, Andrew alluded to, I think we kind of happened into it at some level, like many of us have.

Maybe we just happened into thinking about security as a differentiator and that as just a good practice, uh, uh, back, uh, several years ago. I think our first SOC 2 we completed in 2014 is when it was, and we've been doing it annually since. But it's, uh, a SOC 2 reviewing policies that are very strict on cybersecurity, has been our intention all along. And, uh, we have offices in Atlanta, uh, in Arizona, Phoenix, Arizona area where I'm at, and also in San Francisco.

Uh, so that's, uh, that's a little bit about us. I'm one of the original, uh, founders of the organization. And, uh, I do, uh, a lot of sales and marketing work in our organization. But I was formerly an engineer as well. Used to be just me. So Carl, I just gotta tell the story of your partner, Sean, who's awesome. Okay. Where, you know, what led to the SOC 2.

Um, he tells it way better than I do, and then it's over to us, which is they had a really big co-managed customer, I think even publicly traded. Yes. And, uh, they're like, okay, so if you could just get us your information on your SOC 2, and Sean is at his computer Googling. Oh yeah. uhhuh. Yep. We'll get our SOC 2. Hey, uh, necessity is the mother of invention. I'd like to say we were some kind of genius, really.

We somehow landed a client that was just inappropriately sized for us, and it was awesome. That's great. All right. Wow. Sock Shoes, whatever it takes. That's right. That's Right. So I didn't know that story, but I know Sean well, and that's one of the most Sean things I've ever heard. I mean, you guys have ever met Sean Brown? I love that guy. Uh, that, that's awesome. Well, Sean's currently enjoying the Caribbean right now, so he'll have to watch the recording later to hear it.

He Does, as I said, just Sean things. Right. Just, he's probably cruising in his own sailboat. Right. Something like that. Um, so Carl, I got some questions for you. Um, I've known you for a really long time now, and, um, deep respect for you, just as, as a leader, and you've actually taught me a lot about the channel, how to operate.

You've been super good to, even in my old Perch days, you were one of the originals that was like, Hey, this is what you gotta do and this is how you gotta do it. And I can't tell you how many conversations I've had Aaron's had. That's really gone a long way in those early days of forming up where we're at today.

So you, you're a foundational piece to this, and I do look at you as somebody who's been a visionary, um, that's like built their MSP in a way that, um, has proven to be the model of the future. Right? So that being said, talk to me about this whole fractional CISO thing a little bit. Is there, um, is that the right direction for MSPs? Um, are you guys going down that road? Gimme some thoughts on that. Well, yeah, good, good question.

It's like, to me, the whole fractional, uh, CISO thing or just being in contact, regular coaching, some type of mentorship, some way of engaging with somebody that knows us better. I think the fundamental problem we're dealing with here is something I've seen in the MSP space since I began, which is really in, uh, uh, thanks, uh, TruMethods has got great, great posts on the notes there.

Uh, so, so, uh, something I've seen kind of in the MSP industry since I began is a lot of us are operationally minded people, right? And as operationally minded people, let's just say not a lot of MSPs have MBAs on staff. And those that do, that's great, right? But a lot of 'em have not thought through some of the business process or, uh, have not thought through some of the sales and marketing process. And we struggle with those things, at least I have.

I know that I relate to that quite a bit. So I was the classic accidental entrepreneur, tech guy used to show up in my flip flops and just go fix computers for people, and somehow I got paid, uh, some something. Uh, but the reality of it is, is, uh, we all get into this trap of thinking tools or vendors solve our problems for us. And that's the fundamental thing. I think we're dealing with this scenario. This is, uh, about understanding that security is a way of life.

It's not a new vendor or a new tool, right? And so, uh, so many of us fall into that trap of, I just need to go get connected with this, or go get connected with that, and then I'm gonna have a security offering, and then I'm going. But security is actually a way of being, and it's a way of managing and a way of thinking.

And, and so the question is, if you don't have somebody who really understands what a CISO should understand, then you need to have that resource to be able to get to the right type of MSP. Now, I would say that, uh, you know, like at Snap Tech, I don't know that we're at a spot where we're going to engage a virtual CISO or a, uh, part-time CISO at this point in time. Sean, my business partner actually technically has that title. And we've been building that up the long, hard way.

I think it would be an excellent shortcut if we were earlier in the process to engage earlier in that. And then, and then the other thing I'm, I'm hearing some great, interesting about, it's like however you do it, whether it's a part-time, you know, regularly engaged one, or it's a coach or a mentor, it's about how you think about security.

It's about the business process, the management, the tools are just the thing you use to do that control that your policy already should have dictated, right? And so it's about helping you get your policy, right, helping you figure out what's realistic, helping you figure out what will help you meet the requirements that you wanna meet, not only for protecting yourself, but maybe you have some compliance requirements to add to it as well.

'cause security and compliance, they, they can overlap, but they're different. And so you, you gotta learn how to line all these things up, right? And so that's What, yeah, that be so much. Isn't it so much easier just to buy some tools and say you're secure. Well, what I'll do is I'll just buy a bunch of templates of pro uh, of policies and then, and then slap my name on 'em. How's that? Does that work for 'em? And so, and the tool, yeah. So, uh, so, so that's the, that's the thing.

I think that here at Snap Tech, we really had to learn that the long way. And I would say the only thing that we've got going for us is that we've just been gnawing at it on a quarterly basis, a quarter after quarter, how to improve, how to constantly get better. Our SOC audits have helped us. I mean, SOC is just going to evaluate you based on your policies, but we've had some great advice and improved our policies as we've gone.

And so the third party audit was a critical piece for us getting there. But you know, how great it would've been and how many shortcuts it would've actually meant had we have learned at the feet of an experienced CISO to begin with, rather than picking it up piece of the time over years, like we've done. Okay. That makes a lot of sense. Um, Gary, you just got back from peer groups. Are you seeing the same sorts of trends? I know you said we're behind in this, in the industry, right?

So are you seeing what Carl's saying, or are you still seeing a lot of MSPs trying to catch up into that? Uh, a lot of MSPs trying to catch up into it. And my message to 'em is, this isn't, if you're behind, this is not something you fix in a quarter because it is a way of life, a way of thinking. And, um, just, you know, like I've taken Ryan under my wing and kind of taught him everything he knows, you know, uh, about that was your coworker. You really mentored him, can't you, Gary? Yeah.

Yeah, absolutely. Wes. Um, and the reason when you hear Carl and he puts it like, so, well, I mean, so many great clips in there, Andrew, that we can have you really, as only someone can speak, right? Wes, who's wa who has walked it. But it's the hard part, what he's talking about is what we've said here over and over, which is the tools is the easy part, and the hard part is making it a way of life.

Um, knowing where, what to do, where to start, what your policies are, how to enforce 'em, make them policies that are alive in your organization, uh, not just, uh, sitting on a, uh, you know, in a document somewhere. Yeah, Wes, and back to you, you know, who's just so animated about this as is Brian Blakely.

Like, I, I love having Brian on because, you know, he's so passionate, a guy that had several MSPs, but when he talks about policy, he, it's rare to get somebody that can get that animated about it. So, but anyway. Yeah. No, I, I, I, yeah, I love listening to Brian, his whole, how do you make money talk at, um, Right of Boom was awesome. Like awesome foundational.

I don't know if you had that recorded, Andrew, but we should clip that out and get that on social media channels or just bring 'em on and let's do that. How do you make money discussion on cyber call? 'cause you just can't get enough of that. Um, Carl, uh, talk to me about, from your perspective, what, what does a CISO bring to the MSP, right, like fractional or full-time? What are the, the, the big things that, like impactful things that a CISO should bring to your MSP?

Well, I think that, uh, um, a CISO, you know, look, this is a C-suite type of person, an executive. So it should be a big piece of your strategy and a big piece of your culture, right? And I think a lot of folks really miss, and that's the example of the, you know, the tool only approach or the just getting started pieces. It's a big question to ask how you move the culture of your organization, but that is where this has to go.

This is, um, the, um, the main crux of the issue is how do you now infiltrate the security point of view into everything you do, every hiring decision, every policy, every meeting that you have. Why is it not part of everything you do? And once? And so, in my opinion, what a, um, a, uh, a CISO should bring to the table is the constant reminder of how to move the culture of the company and how to build the strategy around getting to the destination of being a security focused practice.

And, uh, and ideally they bring expertise to the table that you don't have around the security things as well. And so they should know what, uh, they should be able to give you advice and path on how to approach, how to build in a sustainable long-term way. And, and once again, it's not about getting advice on tools, it's more like advice on culture, strategy and process and management. We seeing, do you mind if I just call on Ryan real quick?

'cause you know, this is obviously in his, You were, you were reading my mind. I was about to Ask Ryan question. Same thing. Yeah. You're on mute still there, Ryan. But just love your, your, uh, your thoughts. Um, maybe the dog's barking or, I don't know. He's Just hunting down the UI on Crowdcast is, He's reconnecting. Hopefully we can get there. There, it's, there we go. It just likes my mic set up sometimes. Um, I mean, I I honestly, I couldn't agree more.

I think the one thing I would add to what Carl said is MSPs especially are uniquely situated. You think about a bank financial services where Wes and I came from, security is not a revenue generating function for the business. For MSPs, it can be a revenue generating function for the business. So I don't care if you want to call it full-time CISO or fractional CISO.

If you find someone that can help you build that culture, focus on that process, put together that strategy, both for your own internal protection and the protection of your customers, that's gonna, one, protect the revenue you already have. 'cause a lot of times we focus on growing, right? We're just talking about Brian Blakeley and you know, how to make money. We're always focused on how to make more money and how to grow our business.

Sometimes you gotta sit back and you gotta protect the revenue you have. And then once you learn from that, your acceleration off of that can be, can be, can be fundamental. I mean, it's one of the things ultimately, you know, that, you know, that I brought to Datto was come in, get your own house in order, and then that becomes part of your business strategy going forward and your alignment with the channel. And, and for MSPs, you have the same opportunity. So I, I agree.

This is CISOs don't come in and pick tools, and they don't come in and just hire people. They, they really are meant to be a, um, especially in this industry at this time, in this landscape, they are a critical executive function of your business.

Wes, just in, in handing back to you, Ryan, I love what you said from the revenue side because, uh, I'm gonna make Carl shine even brighter here, but again, because of the years he's been at this, um, relative to other MSPs, he will not do an assessment unless he gets paid. Many MSPs,

It's, let me do a free network assessment, let me do a free security assessment so the revenue is real, um, when you get your house in order and can actually, um, have command, Gary, we've talked about that for many, many years. Andrew, do you want to hear my network assessment? Yeah. How many employees do you have here and what do you pay your MSP per month? And then I calculate the C price and I say, you're not secure. Do you want see the math All? So I I, I can add to that real quick.

I just saw this week with a, a new opportunity that we had where another MSP had gone in and the salesperson had run a quick scan of a tool, kicked them outta report and said that was their assessment and audit. Oh, their audit. They called it an audit as well. Yes. Nice. Very good Bargain. So let's, let's go, um, in this direction for a minute, Carl. Let's talk about finding that kind of security talent.

You know, on one hand people might say, oh, Carl, you got it on Easy Street, you're on, you're in NFL cities, Phoenix, Atlanta, San Francisco. Like, it's not hard to go find great security talent. But I know on the other hand what you're thinking is, yeah, right, I gotta compete against like the Bank of Americas of the world. And, um, I know in Atlanta, New York Stock Exchange is there and I know what those guys pay. 'cause I have some friends that are over there like Uhuh.

So, so I have a conversation often with MSPs is how do I find that vCISO, that fractional CISO, how do I build that in-house? I'm committed to it and I'll put the money in for it, but I can't find these people because I can't attract them. How do you solve that huge colossal challenge for an MSP? Well, look, I mean, I don't, I don't wanna lead the, the witness here or anything, but I think that this is actually a really difficult thing to do.

And I feel like we went about it probably one of the more difficult ways. But this, in my opinion, is one of the things that I see as a shifting tide in the industry. For me, I call on the major providers to help us with the vCISO, to help us with the fractional piece, because we don't, as individual MSPs, really have the juice. It's really hard to get a good practicing CISO that has experience to wanna look at a small MSP; very few ever operate in that scale.

And so, unless they're the ones starting your MSP or your MSSP, that's gonna be a hard gig to get and to find. And so I feel like we have to find ways to collaborate together. I, you know, maybe there can be peer groups around this. Maybe there can be other industry resources that you can join that that can do it. Because I don't know, for me, every time I've tried to find for my organization a true c-suite person, it has taken me multiple years to, to get that right person in place.

Uh, sometimes because, um, I've had to spend that long recruiting or sometimes because I've had to go through people to get the right person in place. And so from my perspective, it's not an easy thing to do. And I think this is a moment for the community to find a way to help, because I don't know a better way.

Um, and I, I, I think it's a, it's a tough thing, but like I said, if you ever, I, this is my general practice in general anyway, is if you find somebody you think would be a great addition to your team, whether you think you have an open position or not, hire 'em, that's what I would do. And so if you find somebody, go for it. If you think they're the right per, obviously, do your diligence.

But other than that, I think we have to find ways to band together and create the demand to catch the attention of truly talented CISOs. That's what I love about community in general. I hear and meet great people that have taught me many things. People like Ryan, people like you, and many others in the past that are CISOs that share great things with me that help me know what I'm looking for, what I'm doing.

And Carl, my last question before I give it over to Ryan, just as a follow on to that, do you build security talent in house? Like are you trying to embed security knowledge in your sales and account rep teams and even your, you know, your NOC teams and all of that? Like, how are you guys going about that journey too? I'm really curious. Yeah, look, for us, it's like, um, every hire, um, needs to be thinking about security. Um, when we do it in a couple of different ways.

Like we've got questions for any kind of technical person where we look to see how they respond to a security scenario. So even a help desk person or a NOC person, even from the hiring stage, we'll ask 'em questions and we'll decide if we think they're, we're comfortable. We're really looking for people that aren't cowboys that just kind of start taking things in their hand, that they'll stop and ask questions.

They'll look for a process, they'll peer consult before they'll start, like, you know, unplugging things or shutting things down. But, you know, the other thing that we do is, um, we, you know, we're, we follow the EOS, Entrepreneur Operating System, or Traction as many people talk about. And, and one of the things that, that dictates is you hold a company state or state of the company meeting on a quarterly basis.

And, uh, I would say at the end of every one of those meetings is a good solid 10 to 15 company-wide discussion of what new security things did we learn? What things did we come across this last quarter, and how can we better protect, and reminding 'em what a target we and our customers are? And so it's just, it's like, it's a part of every meeting, it's a part of every conversation, and we deliberately focus on it. We are absolutely building it in-house.

We've now, now on our list of certifications we want our team to build. It's not just the industry ones that you, you know, around like, you know, Microsoft things or cloud-based things or, uh, things like that. Now we have, uh, people going after security based certifications. We're growing CISOs of the future in our in-house. We're growing security analysts in-house. And, and, uh, because it's difficult to hire and, uh, and it's difficult to get people with the expertise.

And so we found this, the only practical way for us to add this is to continue to, uh, work on it internally in really every way we can think of. Okay. And I think what strikes with me, Ryan, as we jump over to you, is I love how you're looking for like the EOS approach, right? We're looking for what are those, um, intangible kind of DNA, what, what's made up into that DNA, if we get those kinds of things we can build around and get the knowledge across to them.

I, I think that's a big takeaway for me that I think a lot of people can take encouragement in that. 'cause you can actually shortcut and even short circuit this process of finding great security talent by going that direction. It's really good, Ryan. Yeah. Yeah. You have to hire, I would say, especially in security, increasingly you have to hire for attitude, aptitude and potential. If you're hiring based on experience, um, that's a losing battle.

You need to find people and put them in a situation to succeed for a job that's bigger than they've done before. And that's, you gotta find those people that are ready to take those opportunities. Um, that's where you're gonna have the best look. But, so Carl, I think we've done a pretty good job of, of driving home that tools aren't the answer to security. Sure. At least in this echo chamber.

Uh, I think we're, we're, you know, over the years we've all been trying to broaden that echo chamber, but you know, it's still in the back of my head and I don't know if that message has penetrated broadly in the IT channel. Um, what are your feelings about, you know, the continued reliance on tools for security versus building a threat-informed, risk-based security program using an established framework like CIS or CSF?

Oh man, I feel like it's, uh, it's worse than like gambling in Vegas, man. It's like, uh, it's, um, to go out there and represent yourself as a security expert, a security excellence company that has these things in place, and then just rely on a vendor to get you, there is a formula for a really big bad day or or two in my opinion.

I, I just think that if you don't fundamentally understand what's going on and don't know how to hold them accountable and don't know how to make sure they're doing and don't even have a vision for what you want them to do at, at best, you're just wasting money in, in this scenario. At worst, you're, you're adding risk. You're putting the client at risk, you're putting yourself at risk by not truly understanding what you're doing. The tools do not solve your problem.

No hammer made something nail. It's a person that does it, and there's just a tool. It's all it is. Excellent. Yeah, we still gotta, we still gotta drive that message home. As Andrew said, I think we're, we're getting to be grumpy old men on this topic. Yeah. Um, yeah, I think I, I, I think maybe a couple more years of hammering away at this and we might make a dent, so we'll see.

Um, Well, I, I think people don't fundamentally understand how risky it is to just simply start slinging out a vendor that you haven't spent the time to actually do the due diligence and understand how they work and what they do. I mean yeah, they can all help you, but you have to be ready for the process and culture change that comes with it. Yeah. Yeah.

I would argue, you know, especially as you, the way, well the way we think about maturity tend when you kind of get to this like managed place, you have people process technology, things are relatively working well, you attain kind of a capability and maturity model, two and a half to a three, you wanna expand beyond that. That's where you have to start getting into operational effectiveness of people, process and technology.

You can buy technology and get yourself to a one and a half or a two, but you are not really protected until you get yourself to a three, three and a half. And you can't do that without starting to look at the effectiveness of your combined people process and technology. Yeah.

I think that's a really great way of putting it, that, that makes a ton of sense to me and something that I guess at some level, um, it, it's, uh, I see that as a very early on stage is the very early kit, is it acceptable to be in that one or two stage? I mean, that should not last long at all. So risky. Yeah. If you have to buy a service or a tool to, to, to, you know, mature rapidly, okay. Without the process, it doesn't matter. Right. It's shelfware. Right.

Um, alright, Well I in fact, I would argue it's riskier, you know? Yeah. False sense of security. Right, right. So, excluding the top 10% of security first providers, what needs to change in the IT channel overall, um, for MSPs to build this kind of security program, governance and diligence and leadership into their business models? Well, I, I said it before and so I'm talking, you know, look, we have Gary here with his TruMethods and I know there's other great peer groups out there.

Our company was involved in Evol for a long time, and there's several of them out there. I think that the only meaningful process is if we get involved in something like a quarterly, monthly, regular, ongoing process discussion rather than just hitting that conference once a year, here's some cool CISO thoughts, and then moving on. It's just not enough. You need to have regular accountability.

Most of us business owners only hold ourselves accountable once we've stated it in a peer group somewhere, and we know we're gonna get asked about it at that next quarterly meeting. And so to me, I'm a big fan of there becoming a more focused security approach in the peer group experience. And so I say that to guys like Gary, who has a great big peer group organization, and I say it to anybody else that has them out there too.

If we're not seeing the kind of help that is needed on an ongoing basis, people will start and stop and they won't get there. That is my experience. I mean, I would get after it. I would even argue how a peer group helps their members mature along the cyber resilience journey is becoming a critical criterion for selection of a peer group. Hmm. I work with a lot of MSPs that are both in and not in peer groups.

I can tell you that, anecdotally, I would say the peer group members are moving three times faster than the ones that aren't. Yeah. I think that's been true for a long time. Go ahead. Very good thing for me to say that, by the way. I said, yeah, now is a good time to announce a new security-focused peer group headed up by Ryan Weeks. I tell him yet? I'm in. Yeah.

Well, I just think that, of the things that the community can do, it's recognizing it's not about selling products. I think that another thing the industry could use is a lot fewer vendors claiming that their product solves all their security problems. And, like for instance, that was one thing I really liked early on when I met, early in his MSP career,

Wes Spencer, who had of course already been in security for a long time, but as him and Aaron were trying to figure out this MSP space, I just remember you guys would say things like, do they really actually do that? Do they really go out there that insecurely? I'm like, oh yeah, it's super common. I just remember having those conversations and what an education that was for me.

And these are the kind of things that I think the community can bring to the table. CISOs out there that are actually good CISOs probably don't understand the MSP space very well, not many of them, anyway. I could tell you I didn't know anything about it until I got the job at Datto. Yeah. And then I had interactions with an MSP at a conference and I said, oh, tell me about your security stack. And they're like, I have a firewall. I'm like, and? I got a firewall. Works pretty well.

I'm like, we update it once a year. Oh man. I learned in the early days of Perch, and Carl, you were willing to help me learn this, when I would intentionally ask in discovery with the client, hey, what are you doing for security? Open-ended, so they go whatever direction they want. And when they start with things like, well, I use Cisco for my firewall and I use Webroot for my antivirus, and I don't care what the vendors are, it doesn't matter.

But when they define their security stack by their vendors, Carl, you just get a little triggered, don't you? 'Cause this goes right back to the very first thing you came out swinging on. Yeah. I mean, look, like in my career before I was in an MSP, I worked at Hewlett Packard for a little bit, and I worked at Charles Schwab for a little bit in the financial industry doing some technical support things.

And I just learned very early on that, look, the vast majority of the real controls is all about governance. It's all about policy and procedure that has nothing to do with it, like we've been kind of talking about. And so I think people just fail to recognize that if you miss things like physical security or you miss things like good change control or meaningful planning or meaningful strategy, it doesn't matter what your tool is.

You're just not gonna do a good job, as the tool doesn't solve it, as we talked about. So, all right. A bit of an interesting question here, but let's say you had access to Wes and I for three months. What are the things that you think you would leverage us to implement or change in your MSP?

Well, if I had a Wes and a Ryan, some very knowledgeable CISOs that know the MSP space really well, I would want you to help me in my strategy sessions to figure out how to prioritize my next steps. And so I would love for you to help me figure out policies that I'm missing or procedures that are weak, or strategies around hiring, process questions to ask. There's really kinda a lot of things I would ask in that scenario.

And none of them would be like, what encryption things should I use? It would be about how to proceed better, stronger, how to raise the awareness in my team, how to better teach my customers about security. Good answer. Thanks, Gary. Gary approved. My focus at Datto has been foremost on building the security program internally, getting my house in order, which is why I say that a lot, right?

I was kind of hiding in the shadows for two years while I was getting my house in order. And then eventually peeking my head out and working externally for partners to secure products and services. We've used the cobbler's kids analogy. The landscaper's garden, whatever you wanna call it, is part of the challenge for MSPs.

You think that the need to deliver a secure service to their customers first and neglecting themselves, like the classic cobbler, you think that still happens? Okay. I think that is a big deal. And maybe I got a slanted point of view of this because I just am so freaked out about us ever being the target of a successful attack, which I really think we have to have the attitude that we will be, and be planned for it.

But regardless, I feel like I got a first... well, this is something Sean says in our company a lot when we're having the security conversation or we're working on a project and we see something behind for Snap Tech. We will say, Snap Tech has to be our first customer. Snap Tech has to be the place, because all other things fall upon the fall of Snap Tech, right? And so for us, we treat ourselves like a customer. In our PSA, we're a customer.

We propose projects, we do quarterly meetings for this. It's silly, but we actually just put ourselves through the same process we would put our customers through, and we have our team make the same kind of recommendations to us on what's next. We carry our own roadmap just like we want to with the customer. But I know that there is this pull. It's like, I've got all this client work. How can I spend time on my internal stuff?

This is definitely an attitude piece. And really, to the earlier question, like what would you have Wes and Ryan help you with: helping us with our tool set. There's a real problem in the industry of being able to meaningfully understand, say, logs of RMM or logs of remote control tools, or the ability to use threat detection on our own tool set, the ability to surface issues within the MSP tool sets. We are more complicated than I think any of our customers because of that.

And so these are all things that I would love to have the Ryans and the Weses of the world helping with. Yeah. I wanna make sure that the dot on that i is really clear. Working on tools, but you're talking about getting the most operating effectiveness and understanding the operating effectiveness of the tools you have. You're not saying, Ryan, come in and tell me what tool I'm missing, but I mean, plug no stack.

You're saying, help me come in and figure out where my tools are operating well and where they're not, so that I have a better understanding of my current posture. Yeah. Current posture starts with what's my policy and what are the controls, and then what's the tool you're using to do it, and how do you audit and check that it's actually working?

And then how do you follow through on initiatives or change requests, and how do you govern that? So the tool is one piece, but the real question is like, where do you see the next most important policy change or control that we need to think about to meet our policy? It starts with a policy, goes to the control, then you can start thinking about your operational implementation, and then you need to make sure you follow through with how to audit, manage, and validate.

Those are the things that you need help with, and that's the order that you're gonna go in. Right. And Ryan, I would argue from last week, we had Jake Williams on, Carl, and we were talking about control effectiveness, being able to even test: is this tool functioning correctly? Is this the right tool? What kind of risk does this tool pose, API integration risk? We can go on and on and on, but yeah, like what's your vendor selection process?

How are you actually rating the risk, and do you rate the risk of every vendor you interact with, and what type of risk? We have 10 risk ratings for every vendor we do in our due diligence. Only some of them have to do with technology; some are reputation, some are financial, some are credit, some are country risks, things around compliance. So, I mean, do you have a real process for that?

And that's the kind of thing I would think that a CISO would help you put in place, or help you understand how to do that due diligence better, which is an important part, 'cause we do need the tools. We absolutely need the tool. We need to be more efficient. But it is all about starting with the policy, going to the control, moving into the tool, and then the audit of it. Really good stuff.

Carl, Ryan, should we head on over to Gary? Yeah, let's do it. Alright. Oh man, I don't know where to start right now. My head is spinning with this. So I want to just make a point and get Carl's feedback on this. Look, it's hard enough to find good security talent and to get the right advice, all the things you're talking about, especially when you're a small MSP.

But then even if you get that far, Carl, the difference with someone coming in and giving some security advice to an SMB compared to an MSP is to operationalize that. It's completely different for us because one, we have 10, 20, 50... I had 180 customers in my first MSP, so I have to operationalize it 180 times and I gotta figure out how to do it in a way that I can actually turn a profit. So to me, I call that the translation to our model.

So you've talked about how long you've been working on your security posture. What about that other piece of it, like being able to... does that make sense? Is that a good word? Like, translate it to your business model?

Yeah, look, I think a lot of us can kind of take the point of view that, hey, maybe eat your own dog food a little bit and then get out and figure out how to monetize. That is maybe another way of looking at it. I'm not sure if that's what you're asking, but that is absolutely our point, that a good process for how to implement and then how to monetize it is a critical piece.

And I think we're oftentimes too flippant about what the effort is that it takes to add a new process or a new vendor. It is a significant thing to really align your team on it, but really putting it out there as an offer: to have the quoting in place, to have the insights in place, to have all your salespeople aligned with how to talk about it, your marketing people aligned with what the differentiators are. Those are all important things.

But I find it easier to monetize a security conversation because the implied need is agreed upon generally; the customers generally now understand. I remember back in like 2009 when I started thinking I'm gonna be an MSP, having to talk people into antivirus. I was like, you know, you really need this. I'm like, yeah, sure, it's kind of expensive. Like 85 cents a person, you know, whatever it was. It was a crazy thing. Like, no, you really need backups.

That was what the conversation used to be. I feel like the customer's more prone and more ready now than ever. And it just takes an understanding of how to communicate the risk with them and how to help them understand the right way to mitigate it. And then the other piece I think is to explain to them how, when you take a security approach, you're being more comprehensive.

And so often they might even have fine IT people involved, but they've never really added the security piece, so they're missing big sections. That's why I like to use the framework conversation, because it rounds out the conversation and it's an objective common language we can all use. Those are common things we've all talked about before, but to me, the monetization of security-related things is not as difficult as other things, in my experience. Yeah.

If you... Go ahead, Andrew. Yeah. Can I just ask you, Gary, can you explain in 60, 120 seconds? I think what you're asking though too is, I remember one of your videos and sessions on this: operationalizing something, you're losing money for the first, what is it, five, 10 times. Gary, can you kind of just take us through that logic and then please continue, because I think it's really important. And listen, with some of this, it's not so easy. Tools are a little easier to bundle.

However you pay for your tool, you should be able to make a conversion to a unit cost, right? Cost per seat, however you do it. But with process, it isn't so easy, right? You have to put those processes into a role, and then that role has to be laid across so many seats to determine what that's gonna be. And again, it's not so easy to do in the beginning. So sometimes, Andrew, we gotta figure some things out in the beginning, right?

Of actually what it's gonna take. Is it gonna throw off any noise, the tool or the process, that we weren't considering? That's also gonna impact cost. So we can make sure that we can get it right. Carl, when you go to your customers and you're making enhancements in your package or your offering, your roles, your process, do you try to go back in chunks and not just raise your price by this much?

Do you find that when you go back, it's easier if you raise their price more, 'cause you can attach it to a real value and it's not seen as a price increase? Yeah, it's a great question. I'll never forget, I think it was maybe five, six years ago now, something like that. I was on my third QBR with this long-time customer that I actually handled personally before I even began an MSP, just on the side.

And they started saying, oh, another thing for $2 a month, huh? Now I'm just gonna start calling you $2 Carl. Oh wow. It was Two-Buck Carl, here he comes. He just got used to, like, every time I had some new thing for them to consider or think about. It is always better to give a more comprehensive approach. In fact, I think, at minimum, what's the annual piece, from a scope standpoint, of what I want you to do for your plan this year?

Ideally you can line it up even further and better. Not every customer's really up for that. The more mature customers are absolutely loving 2, 3, 4, 5 year planning. A lot of SMBs, getting them to think a year is a bit of a stretch. And so we're like, hey, here's what your IT budget is for this year, and these are the things that we need to work on. That's a far better approach than here's the one next thing you need to get, because you have to go down the gauntlet every time.

They'll get fatigue. We get fatigue. They get it worse than us. Yep. Yeah. And I like what you said. I mean, one thing I tell people: don't always talk, even in your support offerings, don't always talk in monthlies; never talk in our units of measure. You can just talk about, hey, like you're spending 50 grand a year with this, now it's gonna need to be 56,000. Let me tell you why and what we're dealing with that we weren't dealing with before.

And Carl, when you mentioned that you remember trying to convince people to buy virus protection, it's because at the time they didn't understand the risks of not having virus protection the way that you did. And in general, I think that's what's happening. We understand, or should understand, the risks that our customers are already experiencing. And when they say no to us, that means we failed.

We didn't explain to them what that risk is and relate it to their business. 'Cause if they felt the same way, then they would make another... what do they care about another $5,000 a year? It's such a small part of their expenses and revenue, man. Well, so Gary, I think there's a lot of wisdom.

I think we could be better at that as well, because sometimes we find ourselves... I mean, we maintain this active sales matrix where we see every customer and every offering and what they do and don't have. And some of these legacy ones still have things that need to get checked off that we have not accomplished. And I think you said it exactly right. I view that as a failure that we haven't been able to show them and we haven't either forced the issue.

Now we don't have a ton of that, but we have enough of it that I just know what you're talking about, right? Yep. And to be perfectly frank, when we take on a new process, there's new things we've added since many of our customers became our customers, and we've had to go through that process. And the way I look at it, like I said, I talk about it like, this is it for the year. This is what we want you to think about.

And I think sometimes we do a good job of talking about it collectively, and your point's well taken. It works better when you think annual budget rather than monthly or a piece at a time. Gary, question to you though: how much of it is our fault as the MSP, not asking good business questions, not understanding their business, their critical systems, how they transmit and store data? Like, every time, translating it into business risk. Yep. Yeah.

And it's some simple questions. You go back and listen to the sessions we did with Brian Blakely. He takes you through what questions he asked in terms of getting them to assign risk. I don't know, like, how could you be, Wes? How could you be the CISO of a bank if you didn't understand their business model and you were just recommending stuff to them? It's preposterous, right? Yeah.

I spent the first six months of my tenure at my bank learning how the bank freaking works, because I knew I could not engage my executive team without knowledge of what we're doing and my ability to align risk for them correctly without deeply understanding how the bank operates. So I spent so much of my time bringing people in saying, tell me how you do this. Tell me what you do here. How does this work? What systems do you use?

And that actually birthed, by the way, our first BIA. But yeah, I mean, totally agree. And Wes, we've seen this often, right? In our conversations with IR firms, right? And there's an MSP involved and they ask, what are the critical systems and where's the data? That's where the blank stares come in often. Is that fair?

We've... what we've heard... Listen, the same logic that you use with your customers to get them there is the exact same logic you use with prospects to make them see they have hidden risks or opportunities, and to be able to separate them from the current vendor. And Carl, I get to watch the sales numbers for 250 MSPs. I know more recurring revenue is being sold at a higher price right now, by far, than ever before. That has to mean that churn is up, right?

'Cause almost every time you're taking it from someone else. Yeah. Yeah. It is about that. And we don't get a lot of kickback. I mean, we've got a pretty solid process of raising our rates every year as we go. And we have not gotten kickbacks on pricing so much as just kickbacks on do they believe we're the right MSP for them. But I can tell you this differentiation around security and being able to meaningfully demonstrate it...

'Cause there's a lot of folks out there claiming it now that are really just doing the kind of simple, here's your scan thing that the sales guy ran, and here's your audit. Right? And so it's amazing to me that's still going on. I mean, I get it. People are getting after it. They don't know. They don't have a better process. But those people, in my opinion, are easy to eat their lunch in a competitive conversation.

It's just so easy, because there's just no demonstrable value out of what they show. Carl, what percent of your deals you're winning are MSP takeaway versus in-house outsourcing? Well, it's interesting. I'm definitely seeing both as it's going.

And I would say the co-managed section of our business even is a growing sector, where we're probably swimming upstream a little bit to bigger companies where there's a little bit more of that going on, and the sophistication around security is well received there. There's a lot more to be made there. But what the percentage is, I don't know. I'd have to say the MSP takeaways are kind of still 70% of the time, if not more. Do you want... Yeah.

And for someone who's not Carl, it's higher. In other words, some of the more mature MSPs, they're moving more upstream, so they will bump into things where they're doing co-managed and they're not displacing someone. But when you talk about the average MSP who's still selling under a hundred desktops, the majority of them are takeaways. Yeah, yeah, yeah. In that segment, that's for us too. You can thank me for swimming upstream still, Carl. Okay.

I want to talk about two things you touched on. You mentioned EOS, right? If anyone's not familiar with EOS, there's other ones like Scaling Up; they're business planning processes, right? How you run your company, gaining command, setting priorities, execution. And you mentioned peer... look, two things. One, I don't know how you navigate things without being part of some industry peer group right now. Like, you just can't figure it out alone, right?

And again, putting aside the fact that I happen to run peer groups, there's a bunch of them out there. And then as part of that, you have to have a business planning process, 'cause every peer group is based on that. Carl, I don't know that anyone can get... they can get all the knowledge they want, but if they aren't better business people, how to execute, set the right priorities around security and every quarter stick to those things...

I don't know how you get there with just knowledge or tools alone. You have to have some command of your business. Well, I'm really glad you keyed in on that, because I would argue that our business process is what has led us to being a better security MSP more than anything, right? And that's kind of the spirit of what we've been talking about. But yes, for us, the tool happened to be that we got started on the EOS system. That was in 2016.

Before that, we were using Mastering the Rockefeller Habits tools, not as effectively as we probably could, but it was definitely a planning process. We held the meetings. We are constantly working on our business, not just in our business. And that's the real key, is the discipline to do that. And I feel like, just for small businesses in general, not just MSPs, that's like the number one problem: the ownership is the limit of the business.

And they're limited because they don't know how to better manage or lead their company. And I know I've certainly been that guy in my company and I've had to learn and grow. I would say the only thing that helps me in my own thing is I have a desire to... I voraciously want to run my business better and to include my team and to build other leaders up.

But I think that if you don't have a meaningful process and a disciplined approach to managing your business, I also agree, I don't know how you get there. I have no idea. That's the only way. Listen, when people come into our peer group, sometimes in the beginning they're not in full participation.

And I tell my team, our message to them is, one, if you are not willing to do the basics, the minimum that all business people should do, you are gonna have issues. But more importantly now, in the old days, Carl, it would just be you didn't grow and you didn't make much money, you had a job you couldn't quit, right? Not great, but not the worst thing in the world. Today, you're putting yourself and your customers at risk, you're putting your customers' businesses at risk.

So I feel like you owe it to your customers and your team to definitely get where... listen, if you're small, start by reading the books he's talking about and start making some steps forward on it. But do something. Andrew. Yeah, we gotta get going. I mean, I gotta tell you, look, I'm in industry peer groups and I'm also in other peer groups that are not industry focused.

And I see this problem across the board. And I love the other peer groups I'm in. Like, I'm in an EO peer group here in Arizona. It's been awesome. Nobody in the room is in IT except me. But I can tell you this is a universal small business problem in general. And it's because most of us are technicians or sales people. None of us really have a lot of leadership experience. The leadership gap is very real.

And the one piece of advice I'd give you, based on what I've seen amongst peers in MSP and also in other spaces, is take a minute and set your ego aside and think that adherence to a system might be useful. 'Cause so many I see think, I read this system, it looks like it's well researched, but I know better, so I'm gonna take these two things from it and ignore the rest. I think that's a big issue with how to approach this that I see across the board. At least learn it first.

It's like you can't be a great jazz player and improvise off the cuff until you know all the rules you're breaking and know them well. Right? And so, if you want to improve upon EOS or Scaling Up or whatever, I don't think it's important what the tool is. I think it's that you're just adherent to a tool and master it first. Don't... yeah, don't apply your logic. Master it, the same way when you get in a peer group and you see people that have done what you want to do. Yes.

Take it and master it first before you change it. Genius. Yeah. Well, to me, you think of all the things that will help you grow your business: putting an infrastructure in your business that's reliable, that is consistent, that your people know what to expect and what's expected of them.

I can't tell you how many times I've done a SWOT on an MSP when I was in a peer group, and I come in and I just ask every employee who their supervisor is, and the different answers you get. It's like, fundamentals of what's an accountability chart or org chart, or who's my supervisor, are questions in their mind. And then what is a good day? What are you supposed to actually accomplish? No solid KPIs, no management system.

These are the things that I feel like we can always improve upon. But it's amazing and shocking to me sometimes how I see businesses aren't run that way. And that's actually the crux, probably, as to why people can't get after the security thing, 'cause they don't know how to operate that way and they can't get after it either. Let's go. Andrew, we're fired up today, man. This is great. This was absolutely fantastic. I got a lot. Carl's the best, man.

This was such a great conversation. There are so many nuggets. I hope everyone goes back and listens to this one more time, 'cause there were a lot of great nuggets in there. Yeah, I couldn't agree more. Great job, Carl, Ryan, Wes, Gary. Fantastic. And audience with the chat, as always. Very grateful that we made it. We are at episode 100. As we take a break, right, next week will be July 4th. We'll be back July 11th.

And on the 11th, Gary, we are gonna have Thrive's original CRO John Barrows, who's very, very good friends with Jim Lippy. He's been a sales trainer now for a number of years, has a very big business and has trained some of the most prolific SaaS companies and technology companies. Yeah. Yeah. If you wanna learn about sales, I've talked to him, and he really has a strong understanding of the sales process. And we gotta get Lippy on here too. We'll get him on next.

Yeah, that'd be absolutely fine. Alright, everybody, happy 4th of July. Be safe, be healthy. We look forward to seeing you all back on the 11th. Make it a great one, everyone. Take care, Carl. Thanks. Thanks. Thanks for having me.
