Skip to main content
Right of Boom
January 30, 2025

Session 1

Guests

Andrew Morgan

Video Transcript

So We're about to do this. Yeah. So we're live and recording. Should have shaved, uh, nah, that's okay. Nah, you're, you're fine. You're, you're absolutely fine. Um, let me get up the PowerPoint. Wes, tell me if it looks good, close my door. Get a drink. Get a drink. At least Do it live. And Wes, just tell me to drive forward, you know, on a slide if I shouldn't, you know what I mean? Yeah. Cool. Yeah. I'll cue you with like a, you know, as the next slide shows or so we move on or whatever.

Right. Or if you need me to, I can just, you know, lawyer catch you as it's time to go to the next one. Whatever you, whatever you want. Man. That's One of the funniest things ever, Ain't it? I am not a cat, You know, he's like, Oh, that's terrible. You ready Mr. Powell? I am. All right. Sounds great. Okay, so Just for some reason, I, the view is screwed up. What do you mean your Slides are, or try it again? Well, gimme a sec.

I, I've got a, I dunno if you guys saw it the way I saw it, but the slides were like tiny. Mm-Hmm. Yeah, yeah. There we go. That's better. Gimme yeah, I'll make them. Tell me if this looks a little better, Wes. Yep. Okay, fantastic. So let's start with without it, Right? Yeah, yeah, absolutely. We'll start with, uh, with some intros and uh, then we'll go into that. Okay. Um, alright. So, fantastic. So we'll get, we'll kick it off here. I'll do a, a countdown.

I'll say, Hey, it's Andrew Morgan, host of the Cyber call. We, uh, we're doing some great sales enablement content with our friends at Cisco. True Methods and per security. Joining me today are, and I'll go around and, um, okay. You know, ask each one of you at that point to intro. Wes, what do you think? Just a quick background. Yeah, We should do a quick intro. Yeah, Yeah. Okay. Quick As possible though. Yeah, yeah, yeah. Okay. Awesome. All right, so I'll count us down. 3, 2, 1.

Hey everybody, it's Andrew Morgan, host of the Cyber Call. I'm joined here today with Wes Spencer, CSO of Per Security, Trent Ballard, VP and VCIO of Dev Source Technology Solutions. And my good friend David Powell, VP of security, David, I'm butchering a VP of S**t. Lemme start again. It changes, it Changes all the time, Andrew. So it Doesn't What was it like? It's technically like SVP of growth or something. Okay. Alright. It doesn't matter.

Alright, you say he leads to security, uh, sell through sell with motion with partners at ConnectWise. That's sufficient. All Right, let's start again. Senior Sales bro is what I would say Senior seamlessly. Okay. 3, 2, 1. Hey everybody, it's Andrew Morgan, uh, host of the Cyber call and we are doing some great sales enablement today for the Cisco Perch and True Methods combined sales enablement track.

Joining me is West Spencer CISO of Perch, Trent Ballard, VP and VCIO of Dev Source Technology Solutions. And David Powell, uh, SVP of Growth at ConnectWise, all things cybersecurity growth I might add. So before I get rolling here, let me just do some quick intros. Wes, take it away just to tell everyone out there that may not know you a little bit about yourself and, and what you do. Yeah. So, hey, you've got Wes Spencer here.

I was the CISO at Perch and one of the co-founders, um, from the early, early days. And, uh, ConnectWise has acquired Perch and we are coming on board and all about messaging, cybersecurity for our partners inside the ConnectWise ecosystem, which is really, really exciting. So great to be with you and, uh, thanks for bringing me on board, Andrew. Hey, thanks, Wes. Trent, tell, tell the folks a little bit about you. Um, I was excited to bring you on 'cause you're one of their peers.

You're doing a lot with Cisco, a lot with Purge, so let's, let's, uh, take it, let you take it away. Yeah. My name's Trent. I'm the Vice President of VCIO at Dev Source. So we're located in Western Kentucky and, uh, you know, we're, uh, N-M-M-S-P, but kind of moving toward the MSSP. Uh, so, you know, we work very closely with Perch and, uh, Cisco. So good to be here. Thanks, John and David?

Yeah, David Powell and, um, coming at you from Birmingham, Alabama, uh, just up the road from my beloved Alabama Crimson Tide West. Um, and, uh, I'm the SVP of growth. Like, uh, Andrew said, basically I came from Perch and before that I worked in the MSP space at several different large MSPs where we built cybersecurity practices. So, um, I kind of understand the plight, you know, like Trent was saying, of of trying to convert from an MSP to that more security oriented MSP.

I've been there, I've done that. I've touched the stove and have the, the burn marks on my hand to prove it. And now in my role at ConnectWise, I'm really trying to help really kind of offer those cheat codes out to partners on how can they circumvent learning things the hard way and, um, move that journey along. So glad to be here. Yeah, David, I'm glad to have you two here as well.

You, uh, way back in the day when you and I met, it was probably 2 0 5, you were with, um, a Cisco partner, not very large at the time, but became one of the biggest in the southeast lot of m and a you were involved with, and then you did it again. So I think you're gonna have a, a really interesting perspective to, to share with the partners today. So thank you so much for Yeah. Going out. Look forward to it. Yeah.

So what I'm gonna do is let me quickly share out my screen here with a PowerPoint and so we can kind of talk through, uh, go to market. And when we look at go to market, let me just get this up here and we'll share things out. Um, we talked about who we are and planning your go to market, and when we talk about go to market there, there's a few things I want to hand over to Wes and have him kind of bring this, uh, to light.

Number one, um, you know the analogy when you get on an airplane, you know, they always talk about put your oxygen mask on first before you can help others. And I think it's really applicable to cybersecurity. Um, you've gotta get your house in order. You know, for years we've been the cobbler's kids, we've been able to get away with things.

And in this journey that we're finally on here, uh, if you don't have your security, uh, resil, uh, your security, uh, uh, posture intact, if you don't understand a framework and align to it, it's really hard to have command and go into a customer and do the same. Um, and then from there, Wes is gonna touch on cyber resilience. Um, Ryan Weeks, the CISO of DA has been talking a lot and doing some great work around this for MSPs.

And it's really has to do with being able to operate in the event of an adverse, um, event. Wes will bring us through some ways in which you're gonna be able to do that and, and manage your business. And then we'll hand it over to David to talk about how he views go to market struggles and the opportunities for MSPs.

And finally, again, hearing from one of your peers who in the Cisco, uh, ConnectWise perch ecosystem will let, uh, Trent share some of the, um, things that he's been working on and where success has come from him. So, Wes, with that, let me let you take it over and maybe we could start off with what is this thing we're hearing a lot about called cyber resilience? Yeah, so, um, credit, where it's due right is, is you saw my, my friend and colleague Ryan Weeks from Datto.

Um, this is, this idea of cyber resilience I think is such a great description because it, it, again, it kind of moves the needle for us. What we really need in MSPs is we've moved from this, this, um, idea of, Hey, I just hope I don't get breached or how do I stop the breach or any of those kinds of things into, um, let's talk about resilience. The breach is coming, maybe the breach is already here, we just don't even know about it.

But let's get beyond this idea of hoping that we don't get hit by something and be the ostrich with that's head in the ground and really truly understand it's gonna happen. And when it does happen, how do I, um, deal with it?

And so you can see right here this description, I won't read all of this to you, but really it's this idea of, think of it as a zim, as a philosophy, as a approach to say, um, we're gonna build resilience into everything we do, the way we message, the way we think, the way we build products and services. Um, all of those kinds of things. And David, I'll flip it to you really quick. I mean, having, um, you know, run multiple MSPs, resilience is a big, big deal, right?

Uh, a hundred percent it is. And, and I don't think that enough time has really been spent thinking about like, what happens if something goes in the ditch? And we think through that with like, oh, what if backups or what if this, and, you know, you, you would never buy a server that didn't have dual power and an a and a B pole in the rack. You know, all those kind of things.

But we don't really think about, you know, how would somebody come in, what's my soft spot that somebody could, you know, penetrate? And I think that it's really something that just doesn't get played out as much. And part of the reason why I think is that they're scared of what that story kind of sounds like is that no one really feels good about, that's why most people don't want to talk about their, like, personal finances.

No one feels like they do a good job about it and don't wanna be told that they suck at it. So they just kind of make it go. I think similarly, no one wants to sit around the table and like, so Wes, what would happen if, you know, disgruntling employee dropped our admin credentials on the dark web? And all of a sudden everyone's like, Ooh, that's probably bad. You know?

And so I think it's a hard conversation for MSPs to really wrap their head around, so then they don't feel they have domain credibility around it. And so inaction is a result of that as opposed to just trying to press forward and figure, figure it out. Exactly. Right. And, and Trent, I wanna include you in this as well. Talk to us just quickly about y you know, at dev source where you lead, um, your idea through cyber resilience. Does this message kind of resonate with you guys too?

This idea of a breach is coming and resilience is really important in our approaches. Oh, yes. That, that's a really, really big thing that we have to think about every day, is that how can we make sure that we're putting as many layers in between us and, and the bad guys.

And, and for us, that means not only our internal use, but also for our clients because, you know, your reputation is, um, very fragile and especially in a, in a small market that we're in, you know, there, there's a lot of those things that we have to make sure that we're buttoned up on because, um, you know, again, the reputation is a big thing to us. So, uh, putting as many layers and as many controls as we can in between them, um, was, uh, a huge, you know, undertaking.

But doing it piece by piece has really, really made us feel a lot better and helped me sleep better at night, truthfully. Well, and Trent, real quick, if I could piggyback on that, um, you know, I, I like to use this analogy where we can all tell Andrew's a very fit guy. If you've ever been around Andrew, you know, it's like you're ordering the, the fish and chips and he's like, can I get like a little piece of kale just lightly brushed in olive oil or something is lunch, right?

And so if I decided I wanted to get super fit and you know, I, I would go and get all new clothes and I go to the gym membership and I'm ready to roll. And I hired Andrew as my personal trainer and Andrew walks in that day not looking like Andrew does, but he weighs 400 pounds. He's all sweaty and slobbing. He is shoving a, um, whopper in his mouth and wash it down with a Mountain dew. I wouldn't listen to a word he said, right? Mm-Hmm.

I mean, you're never gonna take that advice, but too many MSPs are really like that 400 pound personal trainer, right? Is that they're going out and trying to talk to their, to their partners and say, yo, you need to get straight on cybersecurity. You need to improve all this kind of stuff when they're the sloppy guy trying to tell them to do another rep or to keep running a little bit longer on the treadmill.

So I think you know, that getting it right yourself, like you were talking about how do you get your own environment, um, where it needs to be, offers you that credibility in the market to go out and talk to your clients. 'cause if you're not doing it yourself, how in the world are you gonna go talk to your clients about it? Right? Yeah. Wes, um, hey, let me just bring this up here next for you to talk about. And if I could maybe just key off this for you.

You know, I think one of the things that we heard people don't want to talk about is really this thing called respond and recover. An incident is coming, it's happened. And what's interesting is the MSPs selling the most, what we're seeing through the data from true methods and et cetera, is they're actually having that conversation. They're taking away the fud. They're talking about, Hey, look, when and if you're down, let's talk through what policies we have around respond and recover.

Um, how are we going to operationalize, et cetera. So Wes, can you take it from here on those concepts? Does that make sense to you? Yeah, no, it does make sense. And, and this is such a great slide to really kind of paint this picture. And, and Ryan shared this, and one of the other, um, talks that he and I gave, and this is just think of this as a way to sort of overlap many things together.

And this is one of the, the goals that we wanted to accomplish is just bring some clarity into how do different frameworks play together? And so at the very top, you do see the NIST cybersecurity framework, identify, protect, detect, respond, recover. We're really well aware of each of those. And then what we see is where cybersecurity tends to leave off, and business continuity and incident response picks up.

And not to say that cybersecurity is not involved in those things, but the truth of the matter is that is that's where resilience really comes into play. And that's where the people become. And the processes become much more important than just the vendors, so to speak. In other words, when the boom happens, you see where we put boom down there a little bit, down towards the bottom, um, you see where detection response and recover become very people dependent, very people heavy in the approach.

And this is something where I think a lot of our MSPs really get stuck, is we're very, you know, identify protection heavy. We're just starting to mature detection. But what happens when the boom occurs, the boom occurs, and, uh, oh, we're missing the, the people, the, the experience, the incident response planning, the procedures, the testing, all these things that happen and we kind of run around with a chicken with our head cut off, which makes the breach so much worse.

And so if, if you wanna kind of see that overlaid on top of like the, the cyber kill chain that Lockheed Martin developed, you can kind of see where exploitation picks up. And you see this here where exploitation, installation, command and control action on objective, all of these things begin to happen, happen after a boom, after the breach happens.

And we'll, we'll describe this a little bit more as we continue to move down this, uh, pathway, but this is a really good way to kind of look at how all of this kind of comes together and the impacts. Um, so this is a really good high level as we get into it. Andrew? Yeah, That was really well described Wes. And, uh, you know, we're looking at something here that, you know, one of the people that I really admire in the industry, a guy named Sunil Yu I developed called this Cyber Defense Matrix.

Um, can you give some clarity around, you know, the five by five grid? Uh, yeah. You know, Sunil created, So if you never met Sunil, I've met him many, many times and, and he's sort of a technologist and a futurist. He's one of these people that really has this really good, amazing capacity to think outside the box and say, how do I take complex things and simplify it?

And one of those is the cyber defense matrix, and you can literally just Google that term cyber defense matrix and his website will come right up. Um, what he is doing here at a high level, and we could spend the entire session on this, but I won't, is just how do we demystify cybersecurity and understand where our strengths and where our gaps are and and, um, how it all aligns.

So at the very top, you see the cybersecurity framework on the left, you also see items of the cybersecurity framework over here. Um, and what this allows for us to do is be able to put things into buckets, whether it's a, a process we have in place, whether it's a vendor, whether it's some kind of technology or an augmentation of technology, like something an active directory or a process that we follow, whatever it is.

And this really lets us kind of move towards this approach of what do I have and where and where are some of my gaps? And just to give you an example, let's say you start playing this out and you map through all your controls. You're like, man, with my antivirus and my spam controls and my, um, you know, my, my firewall and all this stuff, I've got a very heavy approach into protection, but I seem to be missing detection.

And I'll show you later as we get into this, how this actually plays out oftentimes for us. But it's a really good way for you to identify gaps. And the goal here is not to like fill every single one of these up, but the goal is just to see what you have in place and where you're strong and where you may want to account for some weaknesses.

And then I think the most brilliant part of this, Andrew, is as you look down at the very bottom, this degree of dependency, typically speaking, and this is not always true, but I'd say 99% of the time it's true identification and protection typically are very technology driven. They're very automated, they're very, um, you know, fire and forget, get it set up and let it run and do its thing.

But as we slide into detection, response and recover, the more mature, the later phases of the cybersecurity framework, notice that people become very important in this. And I'll just give you an example, you know, responding on the response side under users, how do we actually handle that? Or data? Who's doing that? What platforms do we do? Where do we restore it? How do we know that we need to restore it?

These are all people driven decisions that you can't just have something automated do without any effort at all. And again, this is where typically the problem happens. Andrew. Yeah, that's, that's really well said. Um, Wes and I, I appreciate you bringing that up. And, you know, on the, uh, I protect and tech side, you know, Trent will talk about later the, his relationship with Cisco because they, they fill so many of those areas. So, uh, really well said though. Wes, what are we seeing here?

And maybe can you give some context for those out there that may have never heard of boom before West? Yeah, just a, just a, a quick, uh, So the, the boom is when the boom happens, right? When the exploitation happens, when we go from everything being okay to a bad guy is now something bad has happened, some kind of, um, compromise and an incident, uh, occurs. And so again, credit where it's due. This is Sunil notice that he presented this way back in 2016, right?

So this is sort of ancient in the world of security, but it's really new and emerging for us as TSPs and, and MSPs as a whole. So you see here identifying protect over in the left. And, and this is like before something bad happens, we're preventing, we're doing the hygiene things, we're stopping the known bad things. And it's really all about what you see here. Pre-event, structural awareness. What's going on? Am I aware of everything that's happening? Am I watching over?

But, you know, everything should be happening just from that perspective before something happens. And then after something happens and after an exploitation happens and a bad guy's in, now everything changes and we go to post event. What do we do after that happens? And this is very situational awareness. First of all, do we even know something happened? When did it happen? How did it happen? What was affected? What's the extent of of it? Have we contained it?

All of these questions begin to pop up and we can't even start on that unless we have a good solid method to detect that something has happened. So this crossover, this like pillar you see here between protect and detect is such a critical piece because if we don't have strong detection capabilities in play, we will miss the things that happen that cause uh, once prevention fails, it causes a breach to happen.

And maybe the last thing I'd say on this is, this is a really critical thing for us to approach because we talk about dwell time all the time. We talk about the time in which a bad guy is active inside a network before we even know about it. And typically, most study data show that's weeks and months of dwell time that a bad guy has free reign because they bypassed the preventative defenses. And guess what? No one inside the org is known.

And that's a really, really scary thing because it gives the bad guys plenty of time to, uh, wreak havoc and ultimately do the things they wanna do, which typically these days is ransomware. Yeah, Wes, and you know, we, our good friend Chris Lair, who's one of the best outted instant response often talks about, you know, I wish people would think more about logging. 'cause you're talking about post event situational awareness.

And that's when Chris comes in and his team and I, and I think one of the really cool things that Perch and Cisco did together was the integrations you, the event correlation, the logging that, you know, they've done with their tool set and perch, I, I think adds a, a layer that, um, you know, really afford somebody that's using both tools. Um, uh, an an upper hand. Is that, is that a fair assessment? No, it, it is a fair assessment. Exactly. Right.

And, and this is where Cisco as a best of breed, I mean, they're market leaders for a reason. And so being able to adopt and utilize and, and command and control the capabilities that Cisco has in terms of the data that outputs and bring the entire story together on top of other things like Microsoft 365 is a powerful thing for, for partners. Yeah. And, uh, Andrew, what you see here, this is another piece. Like I'm just a big fan of trying to bring it all together for us, right?

And so you saw if I, I purposely faded out the, what you saw, the pre and post boom on the cyber defense matrix. And what I wanna do is I want to kind of in, in maybe five minutes or less, I wanna kind of share how you can wrap all this together.

So notice that if you take this, the cyber kill chain that comes from Lockheed Martin, this is just an easy way to describe how an attack happens, how bad guys start with reconnaissance, what's out there, who's vulnerable, figuring out how to weaponize something from the reconnaissance itself, structuring the delivery of the actual malware and the exploitation, getting into that, and then moving into installation command and control and actives on objective, which again, typically is ransomware that the exploitation.

See how I line that up right over the pre and post boom. This is a nice easy, um, I think brilliant way to get an understanding of how the, the cyber kill chain relates to the cybersecurity framework and the cyber defense matrix. And if we move forward, there's some things that we can learn out of this, some really important lessons that come home to us. And the first one, Andrew, as you hit the, the little button for me, there we go.

So bef you know, there's this, there's this thing that we talk about all the time in security. You may have heard people say it, things like, you know, the attackers have all the advantage, they only have to be right once they can try and try and try and try, you know, and, and that's true largely speaking, at least before exploitation. They have no risk to what they can do. They can try as much as they want, and then they finally get in.

There's just that they're looking for that one right chance, right? And, and that's very true. But as we move towards what I call after the boom paradigm, I wanna show you something. All of a sudden, these entire, uh, uh, perspectives flip and the tables have turned as Michael Scott says in the office, oh, the how the turn tables.

And notice, all of a sudden the defender has the advantage in the sense that now we only have to be right once, we only need one part to detect, to say something has happened and we are gonna go into incident response mode and we're gonna take action now. Now, the bad guy has to be the one that's super quiet. They can't make one mistake if they make one mistake and they're discovered and found out all of a sudden all their work is for Naugh. You see how that flips.

And that's a powerful thing for the defender, if I have the ability to detect and respond and recover. And that is the thing that from a resilience perspective, oftentimes we're missing. And so there's more to it here. You can kind of see the details here, but this is such a good thing for us to think about that should give us the desire to say, I am going to invest in the right side of boom, because that is how I take action and eliminate a threat from becoming so, so dangerous.

Yeah, Wes, and we've got some great resources here at the end that, you know, we did a, you know, the cyber resilience workshop. We've got an incident res how to build your incident response plan. We have a policy available for them. And also, um, running a tabletop that you and Chris Lair do all the time, literally, you know, being able to stay, you know, quote unquote calm.

I know that's a cliche, but really being able to execute, um, something that you've run through before is, is a, is a really, really critical thing. Um, Wes this is kind of, I, I really like what you've done here. This is where you took a look at the Center for Internet Security, the, or the CIS controls, the CIS 20. You looked at the different implementation groups. There's three implementation groups. They call 'em IG one, two, and three. Why should every MSP be at least IG level one?

And, and talk to us about what you're doing here. Yeah. You know, if the cybersecurity framework is sort of the, the structural, you know, processes to do all of this, then the CIS controls are the how I get it done, right? It's the step-by-step, what needs to happen. And IG one is the starting foundational guide. And, you know, I just was curious about this. I thought, you know, if, if IG one is where we all start, it's the beginning hygiene, it's the beginning steps.

What does it look like if we were to take IG one and just overlay it on top of the cyber defense matrix, which is very CSF driven. And so what you see here now there, I will say, just to, to make sure everyone knows, there are several sections in IG one, um, that don't actually map to this. So there's a few missing items. So those that may be deep students of CIS, like where are some of those? Well, they don't exist here, but the ones that do map in, I just wanted to see where they map out to.

And notice that IG one, you can see which column is it most heavy in, obviously protection, right? And that makes sense because what we're trying to say is these are the beginning steps. No one's saying IG one is the final solution. This is where we begin. And so it's very prevention focused, which again, let's eliminate the known things that we know we need to take care of. But there are some things that stand out here. One of those is you see detect over here, activate audit logging.

This is like what PERCH does, for example, in terms of a sim also pulling in the data that comes from Cisco, from umbrella, from Meraki, from Firepower, from amp, all these awesome solutions. Bringing all of this together, what the preventative tools are telling me to tell the story, bringing this together inside of audit logging so I can see it and have it, it available. Notice that is IG one.

And if ci, if CIS could pick, and they did, they picked one thing to go into detection and guess what that is, bring it all together, have it all together in one ecosystem, which is the SIM itself. And so I just think this is a powerful way to kind of, of see how it all exists and how it works out. But notice that there are many, many things that are missing here that are people and process driven. And many of these things happen as you begin to go down the IG two and IG three journey with CIS.

Yeah, that's, that's excellent. David, question for you, you know, when we look at C-I-S-I-G one, you can literally talk to, and I love Trent's perspective too, a customer and say, Hey, look, according to how they map this to something called the Mitre Attack framework and the Verizon data breach report, if you implement IG one, you would've eliminated 65% of the most major attacks. Um, a lot of 'em being around malware, ransomware last year.

Um, how do you guys look at that and, and did you incorporate some of those things in your messaging? Yeah, I think you have to have some kind of standards framework. It doesn't have to be this 801 71, you know, all that kind of stuff. But I think, you know, if I came into Trent and said, Hey Trent, I don't think, you know, I'm your MSP, I don't think you're very secure. A fair question for Trent would be like, compared to what David, I mean, you just feel like thin air.

I don't, I'm not very secure. So if you have some kind of framework, you know, and I think savvy MSPs, depending on their partner base, will kind of distill that down into something pretty easy. You know, it's like, here's 15, 20, 30 best practices that we did a quick audit and we don't think you're meeting however many of those. So having some kind of framework to kind of take their environment and lay it up against and say, here's your gaps, I think helps them identify what they're seeing.

I'll tell this quick story. I think way too many MSPs go out and do what I call scare and sell. They run an assessment, they come in and they bring Wes the binder of all the things they suck at and say, Hey Wes, here's all the things you suck at. And Wes looks at that is like, well, I, I don't have the money for that. There's no way I can do that. Versus going in and like, Hey, Wes in this room, you're in here. Let's, let's rip all the sheet rock out and putting sheet rock up.

And Wes is like, well David, I don't, I've got a bunch of kids. We've got a family vacation plan. I don't have the money to replace all the sheet rock, but if I took a knife and cut the corner, could pull that corner back and shine a flashlight back and showed there was mold growing and leaky pipes in the walls, suddenly Wes is like, well, gotta tell the family no family vacation. We gotta reallocate that budget to replace all the sheet rock in here.

'cause I sure can't have mold growing in the house. So how do you give them something actionable? Right? The big three ring binder of all the stuff you suck at is not actionable. If you could show them, here's something right now today that you can act on, and I'm not telling Wesley needs to rip down his whole house and build a new one. I'm like, let's start with this room, right?

And then in three months or next month or whatever, I'll come in and look at your next room and see what do we need to do in there? Mm-Hmm. So I think, you know, getting your partner, getting your client to get on a journey, just improving a little bit at a time, doing something new and a framework really helps you show them what those next steps could be and what their gaps that they need to fill are. Yeah, that, that's excellent.

Trent, you know, you work with both re you know, a lot of regulated customers, um, talk to us from that perspective. They understand a roadmap and a journey. 'cause you've got oversight from auditors, you're mapping to a framework. So for there, it's kind of easy, but how, you know, a how do you do it there? And then how have you been able to transition that into, you know, a company that's not regulated?

Well, what you we do is bring a good point because the regulated people understand that and they know that they have to check that box or they have to do that to comply with their regulators. So what that did for us was that we, we had these regulators that forced us as an MSP years ago to go, Hey, you have to look at this and either you're gonna sell and support this for me or somebody else is. So you kind of go, okay, I need to start working on that.

So from that standpoint, that really helped us educate ourselves on what is needed and why it's needed. Um, and then so what that did for us is, is that, you know, that industry knows the, that lingo. Well then to your point, was to kind of transition that to the people that don't understand that lingo. So instead of bringing out all of the, all of these, uh, frameworks, basically we kind of went to it in a very simplistic manner and said, Hey, you know, you need the backup.

You need, uh, DNS protection. And, and what we did as a company was we laid that out and we said, perch goes here. Cisco umbrella goes here, you know, Meraki goes here, and then it feeds into ConnectWise, it does all of that. And we said, this is what we do. So when we go engage the, let's call it the 10 person office, these are non-negotiable things that we do and this, and then we tell 'em why we do it.

We do this because you know what, when you, when you buy a house, you wanna buy it in a good neighborhood and you wanna put a nice door up front there and you wanna put a lock and you wanna put the, the sign in the front there, and then we start labeling all of these things, is what that is. And then, you know, at the bed, you got the dog and you got your bat, you know, those are the last steps that you have to go in there.

And then the very last one is, you know, after the boom, you're calling the police kind of situation. So, um, we try to relate to that a lot more for those kind of clients because the regulated, they understand it. But those are the ones that taught us how to, how to use these products and that we needed to have at least a baseline on every one of these, you know, every one of these products and, and services and, and how it aligned with this chart. And this chart is incredible.

I, I mean this is very, very powerful from an MSP standpoint. Awesome. So, um, Wes, how about we take it out? You kind of just maybe frame out the whole process technology. We'll hand it over to David to talk about, you know, how he looks at finished good raw materials, finished goods, some of his, you know, I think stories that he's really been able to successfully take some, you know, MSPs that he's managed, you know, multi-location, multi soc, and really get traction.

So I'd love some of those stories and then we'll finally hand it over to, to Trent who's, you know, in the, in the, you know, the thick of it right now. So, um, Yeah. Yeah. So, um, again, credit words due this, this is one of Ryan's slides and I know this came over from our friends at Optiv, and I think this is just a, and I'm gonna, Dave, I actually want you to talk about this more than I, because I think you've got the credibility here much more than me.

But, uh, this is a great way for us to really approach and think through the ramifications when we're going through this idea of people, process and technology. Like, you heard me mention a little bit of that in the cyber defense matrix, the very bottom, that degree of dependency. But what are the ramifications of having gaps? And maybe I'm very people focused and nothing else, or, or, or whatever. So David, talk to us a little bit more about this. I'd love to hear your thoughts.

Yeah, You know, I think as an MSP, um, we're used to kind of buying, like he talked, like Andrew talked about raw materials, finished goods. We're used to buying these raw materials and delivering a finished good to the client. So we may take down this vendor, this vendor, this vendor, and then voila, what comes out on this side is a, you know, image based backup solution that we're selling, you know, per gig, you know, whatever it may be. But security needs that.

But it has this like overarching wrapper of, you know, leadership kind of from like a guidance standpoint is that the clients don't understand this stuff, right? I mean you can go in and say, Hey, you got data, it should be backed up somewhere else. They're like, that makes sense to me, right? And you can show that outcome. We're gonna fail this over and show that this thing runs in another location.

You know, it's harder to like test or demonstrate or show what you're actually getting with security. So it makes the sales motion a little harder there. They're buying an outcome, right? But the outcome is we've made you a little more secure. Well how do you demonstrate that they're a little more secure? So trust really gets baked into that, right? It's that you can't be a transactional MSP where you just do the things quickly.

Hey, we need another server and you order it form, I need to turn on 10 more users. And you do that. If you're just transactional and not offering any guidance, you're not positioned really well to have those conversations. 'cause all the stuff up here on the screen happens in the background, right? And the client doesn't wanna fool with this. And I think one of the hard parts as an MSP is the very left side, right? There's the people.

So as an MSP, I want you to hear me say you have what it takes to be successful in this, right? Is that MSPs have done this year after year after year. 'cause at some point they didn't have virtualization, you sold 'em virtualization at some point. They didn't have hosted email. You sold, sold 'em, hosted email. So you historically have taken your clients zero to one, many, many, many, many times. This is just that next thing.

What's different is that in those things, you typically had a nerd on your team who went and kinda learn that stuff on his own and he would push you as the business owner, right? So he would come in and like, yo Trent, I've been doing some research on this thing. We are, we really ought to try it or we ought to implement this or this is cool.

Or Hey, I learned Python on the weekend and I figured out a way to script this thing is when the ticket comes in, it automatically kicks off this script and resolves the issue and translate. Dude, that's awesome. No one's accidentally getting good at security, right? It's like no one's going home on the weekend and you know, watching some code.org videos or YouTube videos or anything getting good at security, right?

You can teach yourself Python, you can teach yourself scripting, you can watch some Amazon classes, all that kind of stuff. You can kind of self-taught, but there's just like intimidation factor with security and there doesn't necessarily need to be. But the reason it's a little intimidating is because people matter and technology matter. But the thing a lot of your technologists don't like is the process piece, right?

Is they are used to being like the hero they're used to writing in and saving the day. They're don't really like following process sometimes on your staff and going in and teaching that. Most MSPs don't have a lot of good processes themselves. So taking that process orientation, having the right talent, and then the tech vendor side one would argue is the easiest piece. You know, you call something like ConnectWise, you call someone like Purge, you call someone like Cisco.

You can check some of those boxes on the technology side, but then you turn around and like, do I have the process to go with it? Do I have people go with it? So to put together that finished good that Andrew talked about that you would go take to your client, there's a lot of different kind raw materials to go into that. And I think that it's unnecessarily intimidating. The real answer is you just have to go forward that you're still the expert to your client at some point.

You were talking to your client about cloud before you were actually an expert, but you knew more than your client. Odds are good. Unless you're like Trent, work with some highly compliance oriented clients, you're gonna know more about this than them and you gotta go and take that step 'cause it's not getting better on its own. Mm-Hmm. I'll say this and I said it before, being patient in technology lots of times is the right answer.

You know, like on cloud being patient was the right answer is that if you went early to the cloud, you probably repatriated some assets because you found out that the cloud was super expensive for solid state workloads and stuff, steady state workloads, stuff like that. So if you waited a little bit, you probably ended up in hybrid and never kind of went that all cloud piece. So being patient's not a bad thing.

I mean, my friends that know I work in tech are always surprised that I don't have the newest TV or the newest phone, but all the tech guys kind of know you wait a little bit and let it settle out before you go get that right. This is not one of those things you can wait on, right? Is that security is not gonna get better on its own every day you wait as an MSP is another day your client base is at risk.

So figure it out, start the journey, go talk to 'em, um, and figure out a way to demystify there's people you know, all around that can help you demystify it. So how can we help you as an MSP move forward? But you have to be committed to getting started without having all the answers, um, outta the gate. Yeah. And you know, as we transition over to Trent, you know, Gary and the folks at True Methods do a fantastic job with my IT process.

David, you mentioned, you know, not a lot of MSPs have really good process and have pulled us all together, you know, and I'd argue that, um, you know, the folks at Gary's been, been training and are really increasing their MRR really spend a lot of time on this. And I, I know in your day, uh, at some of the MSPs that, that you ran David and, and had a huge influence and you know, like going back to itil, um, you implemented it way before others did.

Uh, there's a little blast from the past right? For you, you know, Dude, Andrew, uh, I hated itil, but I was so wrong. I like me, me and the COO argued about it one day and I'm like, you're just a sales prevention team, you know? And so we finally argued about it and I went in his office after we implemented it and I said, okay, turn on your mic on your phone. So lemme say this one time, you're right. I was wrong. Right?

And so having a, having that structure yielded better results and yielded better velocity. Um, but I think where that plays in a little bit here is that we talk a lot about the security convenience exchange rate, right? Is that the more secure something is, the less convenient is gonna be to do it. Right? And the more convenient it is, the less secure that thing's gonna be. That's why people want easy passwords. That's why people want the server room door unlocked.

All that stuff is convenient but not secure. And so a lot of our MSPs, because they haven't built good processes, like you're talking about how Gary wants 'em to, is they've just done what's convenient. So they have shared administrative passwords, they have shared logins, they have all sorts of things that aren't convenient, I mean, that aren't secure, but are convenient. And so now they have to increase their process adherence to make themselves better and also to serve their clients better.

Yeah, really well said. Trent, you know, these were some thoughts we had, but I don't wanna put words in your mouth, but can you give us your thoughts? You know, you've had this transition from, you know, working with a lot of regulated clients and have had success there, increasing MRR really, you know, as Gary likes to say, your chocolate cake was really focused around aligning to frameworks, uh, making sure controls were in line.

And, and so you had that kind of vantage point that really forced you guys to get better. Mm-Hmm. Uh, as you said earlier, um, then obviously not everybody's, uh, non-regulated as your SMBs, but talk to us from that place that you've come from and then something that is really kind of interesting that you're seeing an opportunity, uh, around today, uh, kind of up in the upper market. So, uh, uh, let me let you take it from here. Yeah.

So, you know, when we started out, like I said earlier, you know, it was more of we had a client that, you know, was small and it had this exponential growth. But, you know, with that became, uh, a lot of security things that, you know, we just weren't used to. We had talked about it, we had heard about it, but we just didn't have the partners that we needed at that point. We felt like, or we didn't have the, the chocolate cake already to go, so we can't hesitating.

Well, uh, this one particular client kind of kicked us forward and said, you're gonna do it, or somebody else is gonna do it. Well, you don't want anybody to get their foot in the door. That's just how you had to operate. So, um, we became better in that. And, you know, by doing that, it's, you know, our MSP has has shifted more to this MSSP in certain methods. Now, again, a lot of our clients don't understand that if they're not in the regulated entity.

But what we're seeing now is that we've gotten really good at that part that we're seeing that, you know, we're, we're the full managed, uh, clients, but we also are now getting into these what we call co-managed. So these co-managed clients are looking for those high level security services that us we know what to do.

So even though we're in western Kentucky, you know, we're working with people in, in Boston and California and Seattle and up in northern Kentucky and, and really all over, uh, because we have those expertise. So it's kind of weird how this, not having a partner and having any knowledge and just reaching out to my friend Wes as fast as possible, but I need help. I need help fast. And he did. And then now it's branched out to these other opportunities.

So, um, it's really, really interesting because you always think, well, we're, we're this geographically located and that's what we need to do. But now we're seeing that we can reach out to these other markets, uh, very easily and it's, it's helping our MSP grow and again, grow into an MSSP. So, um, I know Gary would hate me for this, but we are selling pieces of the chocolate cake, uh, on a larger scale. So, Hey, t can I comment in on that real quick? Yeah.

Because I feel like the co-managed space is super hot, right? Mm-Hmm. And, um, I think that too many MSPs for the longest time said, unless I can get the whole enchilada right? You have to give your whole tech environment. No, it guy, let me be that guy that they weren't interested. But I think there's a good opportunity, and I know that a lot of MSPs early in the MSP space, we avoided the term outsourcing.

You know, like Andrew, you said back in 2005, we would've avoided, I'm not an outsourcer, I'm an MS P, but big companies understand the word outsourcing. They don't have the foggiest idea what A MSP is. So I think a effective sales motion is like going and talking to a client like, Hey, Wes, you know, say it has internal IT staff, Wes, you really only have five things, right? You've got users with devices, you have network and servers and stuff.

You've got, um, infrastructure, you have security, you have cloud, right? Three of these things are easy. Two of those things are hard. So now the sales pitch goes one of two ways. Wes, your guys are awesome. They're great guys, but they're not super smart, right? So why don't you leave them with end your support and infrastructure and servers and give us cloud and security or flip it. Hey Wes, your guys are awesome.

They're kind of smart, but they're kind of a pain to deal with and none of your end users like 'em. So why don't you let those guys focus on cloud and security and we'll f focus on end user support and, you know, network and infrastructure. And it's a way to take the thing they suck at off their plate and bring it into your MSP and give that to 'em on an outsource basis. It could be cloud only, it could be security only. It could be help desk only.

But even though breaking that up, sometimes I know the values in the whole chocolate cake, but if they're, they're a little miniature chocolate cake, your value to get to them may be that one sliver that they can't hire, they don't have the talent on, on board. And it's a great opportunity, I feel, to grow by taking the stuff off their plate that they're not any good at. So that's a great point. Tr I love the co-managed space.

It's, it's hard and you better have some really good processes 'cause you have to draw clear lines of responsibility. But I think that's some of the highest growth space for the sophisticated MSPs out there. And, and real quick, just to add onto that, it's amazing how it turns into, uh, a spider effect. You know, it starts here and I'll say, Hey, do you all do this? Do you all do this? Do you this?

And, you know, then it's this whole little spot there and you know, they're doing all of that, but then you're getting these things. And to tell you the truth, there's not a ton of labor that is included with that, which is good for, you know, for msp, you know, so. Yep. Well, hey, I, I, I want to close out with this. Trent, you mentioned something in, you know, as you were talking that, you know, you pulled in Wes years ago. A lot of people don't know.

Wes was a, a, uh, a former banker or covering bankers. I like to call him many years ago. He was, he met him in Kentucky many, many years ago. He is a, he's a professor of cybersecurity. But what's interesting is that a lot of people, I think don't realize is the journey you've been on for years. And what we're here to tell MSPs is now has never been a better time and a more profitable time to get going on that journey.

And, uh, and, and in, in other words, um, you have to, you have to get going somewhere somehow. Let me just stop sharing for a minute. Sorry guys, and I'll bring us all back up. But you know, what we found is the companies that just start, okay, let's start implementing a framework for ourselves. Let's get command over what we're doing so that we can have some command talking to customers. But, you know, it's not a, I'm gonna do it and I'm gonna finish.

Um, it takes time, it takes effort, and, uh, it's, you've been on this journey for many years, and that's the, the, the, again, the p piece I wanna convey to everybody. So, with that, you know, Trent, thank you so much for joining us from the partner perspective. David Powell, thank you so much for sharing both your knowledge being an MSP for many, many years. And now sitting on the vendor side and Wes, uh, sit having multiple roles.

You know, you've, you've sat in the professor chair, you've sat in the, you know, CIO of a bank chair and also the CISO chair for, um, for pert. So really appreciate you joining us as well. And you know, there's some fantastic resources. We really appreciate you taking the time and wishing everybody a fantastic day. Take care everybody. Thanks so Much. Thank Phil. So that was a wrap. We probably went a little long, but I thought there was a lot to cover. What do you, what do you think Wes?

Just Yeah, I would rather it all the content was good. Yeah. So I think it's probably better. It's a little, little long. Yeah. I know Gary's gonna sit there. Oh, it's too long. It's too long. But, you know, look, there, there was, there, there was a, there was a ton to cover. You know, your go to market isn't, it wasn't a 10 minute session. No. And if we need to, I mean, there, I don't know if there were any good natural breaks in there, but there Geez.

But there might be some natural breaks in there where you can, um, cut it up if you wanted to break it into multiples. That's actually a pretty good filter, but whatever. Hey, are you a Texas fan? Is that what I see on the wall back there? Yeah. Oh yeah. You weren't on, we were talking about that. I was like, if Only Colt Hadn't gotten Hurt. Right. If only Colt hadn't gotten Hurt. Oh yeah. Yeah. Really. I mean, I knew there was gotta be some kind of comment I took here that night.

It was one of those, um, uh, whatchamacallit. It wasn't a recliner, but it was one of these like rocker chairs and I was just sitting there and finally at the end of the game it kind of snapped off. So, yeah. Yeah. I was, I actually, I actually went to that game. Oh Man. Um, the associate commissioner of championship ticket sales for the Southeastern Conference was a friend of mine. Oh wow. Got me 50 yard line seats, 23 rows back.

And if you ever wanna know, if you think you have good seats, uh, uh, something, if you turn around and Wayne Gretzky sitting behind you, you have good seats. It's probably because it wasn't his sport, you know, Actually, so I was curious. I was talking to him and asking why he was there. He was a part owner of the La Kings and Greg McElroy's dad was the GM of LA Kings before he became GM or President of football operations, whatever, for the Cowboys.

So Gretzky knew the McElroy family from the La Kings. Oh My gosh. Yeah. I'd love to go to that game. I, I guess maybe not the end of it wasn't very fun to watch. Yeah. We spent all kinds of money. 'cause we're like, this may be the last time we go to a national championship game, then like five national championship games later. I'm like, I cannot afford to keep going to national championship. I'm tired of this. They're gonna win. You know?

So I gotta say though, I went to a, um, an old Miss game where Texas played there. And if you've never been there, that's amazing. Even if you don't care about football, it's just an amazing experience to see all these people and they're so friendly. Like, just invited us down, eat, eat our catfish, eat our stuff, and come back when we're not playing Texas. I mean, I was Yeah. More of the games down there. Just, Are we recording right now, Andrew? We are, but I'm gonna spice it. Okay.

Dude, the females at Ole Miss. Oh yeah. Isn't it the number one party school? It's always up there. They always joke about they red shirt Miss America's. Yeah, they, I mean, to see what they had done there, they had chandeliers in the tents, TVs, um, uh, what we call it, satellite things. All of it goes up and they had, they have a really, really cool time lapse of it all going put up on Friday night and then all put back down like by Saturday morning. Sunday morning. Yeah.

Well, Bama plays at Texas in a few years, man. Let's go. Yeah. Well, we'll see what, what, uh, the, the new head coach could do by then. See what SARC has you up to. Yeah, I'm down man. Just, just send me an invite. You got the ticket hook over. Exactly. Um, all guys, it's been fun. I'm gonna jump over to another call I'm late for. Yeah, you.

Related Videos