Listen to "All Things MSP" on Your IT Podcasts!
[00:00:07] Dude, it's been a crazy week here in North Carolina.
[00:00:10] Oh my God. With the hurricanes and everything and the rain, I'm glad to see that you're okay and you're safe.
[00:00:16] We've been chatting throughout the last couple of days, but some of the news coming out of there, man.
[00:00:21] There's like towns that got wiped out.
[00:00:24] Yeah, and kind of to bring this to an IT conversation, little known fact,
[00:00:30] Asheville is actually a pretty big data center for a lot of places.
[00:00:36] And I mean, Asheville was literally for probably a day completely cut off from the world.
[00:00:44] There's a lot of services that went down that people are attributing to the hurricane and Asheville.
[00:00:52] Like I know Verizon was down, the PlayStation network was down.
[00:00:54] A lot of people are just assuming it's because of the hurricane.
[00:00:57] I don't know if it's true or not. I don't know where this is.
[00:00:58] Well, I mean, I was literally so I had a little bit of trouble with the transmission in the truck this weekend.
[00:01:04] And I went to an auto parts store to get transmission fluid for it.
[00:01:09] And they literally told me it could take an extra couple of seconds to process the credit card because the data center in Asheville is down.
[00:01:19] No, like it's crazy.
[00:01:21] And then did you read the article that came out?
[00:01:24] I think today about there's this really small town in Western North Carolina and it is the like biggest place in the world.
[00:01:34] Well, first of all, population like twenty six hundred.
[00:01:37] Yeah.
[00:01:38] Tiny town.
[00:01:39] But they make most of the courts used in the manufacturing process of circuit chips.
[00:01:48] Yeah.
[00:01:49] Yeah.
[00:01:49] And I'm like for them to be cut off from the world, what's that going to do to chip supply?
[00:01:54] We were talking about that today on our team call about that because like it's like that's one of those things where the after effects is not going to be immediate.
[00:02:04] It's going to be a long term.
[00:02:05] Yeah.
[00:02:05] Like what I don't remember was an earthquake or hurricane that was in somewhere in Southeast Asia and like it messed up like the ability to make processors for computers and chipsets and things like that.
[00:02:20] And that was almost five or seven years ago.
[00:02:23] And we're still like like it's starting to catch up and we're starting like we're still seeing delays in things because of that.
[00:02:30] So that entire that is honestly from the bottom of the hearts of here, all things MSP.
[00:02:36] We hope everybody is safe and that all your families are OK and we wish you the best.
[00:02:41] Normally, we try to be funny in the beginning of these things today.
[00:02:43] We won't.
[00:02:44] But just a moment just to make sure that you guys, everyone is OK.
[00:02:49] And now we'll start the show.
[00:02:57] If you're struggling with the complexity of Microsoft 365 deployment management and automation, it's time to check out CoreView.
[00:03:04] Created by MSPs for MSPs like you, they help you with the end to end Microsoft 365 administration from the moment you set up a new tenant.
[00:03:15] Packed with things like unified visibility and control of all your tenants from a single UI to powerful no code automation engine, baseline tenant configurations, drift remediation and much more.
[00:03:26] You can supercharge your productivity and do even the most time consuming tasks with just one click.
[00:03:34] Work effortlessly and deliver best practices to your customers today with CoreView.
[00:03:39] To learn more, visit ATMSP dot link forward slash CoreView.
[00:03:44] If you're running an MSP and ever feel like you're constantly putting out fires, I've got some exciting news that could change the game for you.
[00:03:52] It's the Eureka Growth Program brought to you by Gozinta's Eureka Process, a sponsor of all things MSP.
[00:03:58] And it's specifically crafted for MSPs at every growth stage.
[00:04:03] Imagine having a C-suite of advisors right at your fingertips, guiding you through everything from hiring to handling mergers, boosting your service delivery and even planning your exit strategy.
[00:04:15] That's what this program offers.
[00:04:17] And let me tell you, it's like having a powerhouse team behind you, making sure that you're always ready for the next big opportunity.
[00:04:25] So if you're looking to elevate your MSP game, check out the Eureka Growth Program.
[00:04:30] You can sign up for a call with the Eureka team or shoot them an email if you have questions.
[00:04:35] Go to ATMSP dot link forward slash Eureka to find out more.
[00:04:39] What's up, everybody? Welcome to the All Things MSP Podcast.
[00:04:42] I'm your host, Justin Esker.
[00:04:42] With me always is my good friend, podcast producer extraordinaire and pirate cybersecurity expert, apparently Mr. Eric Anthony.
[00:04:51] What's up, dude?
[00:04:52] Oh, I'm not a cybersecurity expert.
[00:04:54] I just play one on TV or a podcast.
[00:04:58] I love saying I'm not a doctor.
[00:05:00] I just play one on TV.
[00:05:01] All it's like my go to line.
[00:05:03] And then if you ever watched Brooklyn Nine-Nine, Andy Samberg's company, the production company, the end of the show, they would as go, not a doctor.
[00:05:10] And that is Michelle's response to every time I say I've played a doctor on TV.
[00:05:16] That being said, it is the start.
[00:05:19] We're recording this on the start of National Cybersecurity Awareness Month.
[00:05:24] That's a mouthful.
[00:05:25] But we have the best person to bring up to talk about it because I love it when we have a guest.
[00:05:30] Mr. Wayne Selk, VP of the CompTIA Community Cybersecurity Programs.
[00:05:37] That's even more of a mouthful.
[00:05:38] We really got to work on our acronym.
[00:05:40] You know, I did say like nine episodes ago, we got to stop doing acronyms and now I'm all about it.
[00:05:46] Wayne, what's up, buddy?
[00:05:47] How are you?
[00:05:47] I'm good.
[00:05:48] Thanks, guys, for having me on.
[00:05:49] Justin, nice to meet you.
[00:05:50] Nice to meet you, too.
[00:05:51] Thanks for being here.
[00:05:52] Give everybody like a two-minute spiel.
[00:05:54] Who are you?
[00:05:55] What's the CompTIA cybersecurity program?
[00:05:57] We'll get more into it.
[00:05:58] So just to give a quick one-line brief.
[00:06:00] And then like, what are you doing to celebrate national cybersecurity awareness?
[00:06:03] So I am a recovering cybersecurity practitioner.
[00:06:08] I spent well over 25 years in this space, 15 of which has been around governance, risk, and compliance.
[00:06:19] I'm also the executive director of the CompTIA Community Information Sharing and Analysis Organization.
[00:06:24] So if you want a mouthful, Justin, we can go down that rabbit hole too.
[00:06:28] But anyway, so CompTIA cybersecurity, CompTIA community and the cybersecurity programs team that I'm on, our whole focus is helping IT channel understand cybersecurity from an awareness and understanding and raising those levels slowly.
[00:06:51] And we do that in a variety of different ways.
[00:06:54] We have a lot of, we're going to have a lot more training content coming up by the end of the year, but we have a lot of content today.
[00:07:01] We have a lot of workshops, risk management, which is kind of like a foundational risk management workshop, culture and strategy workshop, what is data workshop.
[00:07:11] We also have the cybersecurity trust mark, which I know Eric is going to want to talk about a little bit more in depth as well.
[00:07:18] Third-party vendor risk management program, and the list goes on and on and on.
[00:07:23] That's awesome.
[00:07:23] Well, thanks so much for being here.
[00:07:25] I know what Eric wants to talk about.
[00:07:26] So let's not talk about that at all.
[00:07:27] Let's get into something else for a second here.
[00:07:30] So we were talking before the show.
[00:07:34] If you're just listening to this in your car, you need to go to YouTube.com slash at all things MSP.
[00:07:38] Just watch Eric's face.
[00:07:40] As I said that last line, the CompTIA community when it comes to cybersecurity program, you guys have put out a new cybersecurity guidebook.
[00:07:46] And we're talking a little bit about this before the show started recording, even though I told somebody to press the record button.
[00:07:55] And we were discussing a little bit about what's in the guidebook.
[00:08:00] And the guidebook is free.
[00:08:02] You can go to their website.
[00:08:03] We'll have links in the show notes and everything.
[00:08:05] And you can register for free to become a CompTIA community member, get the guidebook.
[00:08:08] But there's something we were talking about in the guidebook, which you had mentioned, Wayne, which is the guidebook is about MSPs talking to their customers about cybersecurity.
[00:08:17] Yep.
[00:08:17] You said something that really hit a nerve for me.
[00:08:21] And I'm going to repeat it so this way we can get into there, which is you said MSPs, you don't feel comfortable with MSPs talking about cybersecurity with their clients because basically most MSPs don't have cybersecurity figured out for themselves.
[00:08:32] Correct.
[00:08:33] And look, that comes from a place of love.
[00:08:36] And Eric knows this about me, as do some of the folks that I'm sure will be watching this.
[00:08:40] You know, I'm very transparent.
[00:08:43] I'm also very realistic in that I realize there's a lot of cybersecurity knowledge that exists out in the community as a whole.
[00:08:53] I'm not dismissing any of that.
[00:08:56] Honestly, we're all learners of cybersecurity because it's constantly changing and constantly evolving.
[00:09:03] Right.
[00:09:03] And my comment, Justin, just to put it into context, was really about as an MSP, before you even think about having conversations around cybersecurity with your clients, because let's just be honest.
[00:09:19] Most clients understand risk, which is part of the cybersecurity equation, a big part of the cybersecurity equation, more than the MSP, more experience than the MSP has currently in their wheelhouse today.
[00:09:36] Right.
[00:09:37] So what I'm suggesting is, and again, place of love, is don't get ahead of yourself.
[00:09:44] Right.
[00:09:45] Understand what that risk means in front of your own organization.
[00:09:50] Develop a process by which you can reduce that risk.
[00:09:54] Right.
[00:09:55] Because that's what your clients are going to ask of you.
[00:09:57] When you open up that Pandora's box and you start asking them or talking to them around cybersecurity, their immediate focus is going to go, one, you should already be doing that for me.
[00:10:09] And they're not wrong.
[00:10:10] Right.
[00:10:10] Two, the MSPs are going, well, but you didn't pay for it.
[00:10:16] And in most cases, and I bring this up in my risk management workshop, in most cases, you can actually solve for a lot of the cybersecurity challenges from people and process, not going down the technology path.
[00:10:31] The MSPs come at it from the opposite direction because that's all they know.
[00:10:35] Well, I'm not going to say all MSPs or is it all things MSP?
[00:10:39] Anyway, sorry, I had to get that plug in.
[00:10:43] It, you know, it's, it's more around using technology last to fill gaps, but you can actually solve for if you can, if you can have your people aligned to your business risk, which should be aligned to your business objectives, then your process aligned to your people, to your business risk, to your, to your business objectives.
[00:11:04] You can account for a lot of the risk and mitigate that at those two areas.
[00:11:09] And we've talked about this before on the show where, because everybody thinks that when it comes to security, right?
[00:11:16] And then it's tech, the answer is technology, but you, you said something.
[00:11:19] It's people process technology, literally in that order.
[00:11:22] And we've talked about this before because so many MSPs and I'll say a lot of them think that technology is the answer, right?
[00:11:30] Like, oh, we need email security.
[00:11:31] Let's just shove a defender, Avanon or some other product in there.
[00:11:35] But like, you're not taking into account some of the processes that need to be put in place, the training that needs to be put in place.
[00:11:41] And also whether or not that's the right tool for certain customers, right?
[00:11:44] Because we, we found that, you know, we've maybe deployed an email security tool and guess what happened?
[00:11:51] It like stopped communication between one of my clients' biggest client, right?
[00:11:56] And it wasn't something, like we didn't know, we didn't expect that to happen obviously.
[00:12:00] But like, that was a mistake that, that has to get right.
[00:12:03] I mean, it's simply simple to rectify, but still an issue that should have been figured out beforehand.
[00:12:08] Well, let me ask you a question.
[00:12:09] Because that, that just smacks square in what I'm referring to, right?
[00:12:14] What was the impact to the business for making that mistake?
[00:12:19] It could have, it could have been huge.
[00:12:22] Well, okay.
[00:12:24] So you caught it.
[00:12:25] Luckily, luckily the people that are involved were very smart and we caught it pretty quickly.
[00:12:28] Okay.
[00:12:29] But yes, your, your point being that the potential, the potential exposure, the potential loss to this company could have been million.
[00:12:37] They could have gotten days and not realized that they're not getting emails from this client of theirs, right?
[00:12:43] Which then would go the other way.
[00:12:45] Now, I'm going to put an asterisk on there because I know that everyone's listening and going like, Justin, you're an idiot.
[00:12:50] And why should I listen to you when you make mistakes like that?
[00:12:52] We were testing something.
[00:12:54] It wasn't a full rollout.
[00:12:56] We kind of were just looking to see what would happen.
[00:12:59] Like, I'm not that dumb.
[00:13:03] So you're back to processes again.
[00:13:05] Well, yeah, because we, we were trying to figure out what the right tool is.
[00:13:09] The other thing that, that goes into, we had mentioned this before the show is that MSPs tend not to eat their own dog food when it, especially when it comes to cybersecurity.
[00:13:18] We were selling Avanon.
[00:13:20] Truth be told, we were selling Avanon before we started using it ourselves.
[00:13:22] We sold it to two or three customers because PAX 8 told us there was a really good solution.
[00:13:27] And we're talking about, I love PAX 8 and I love Avanon, but we weren't using it internally.
[00:13:31] And so then all of a sudden when we started to see things, we're like, oh, we should probably be playing.
[00:13:35] And we implemented ourselves and we've become much better at the, the, the tool itself.
[00:13:44] Now knowing, cause we're doing it ourselves.
[00:13:46] So yeah, I think eating your own dog food and taking another level, talking about security and compliance.
[00:13:50] Like that's another reason why we've talked about the show before.
[00:13:52] We're going for SOC 2 compliance.
[00:13:54] We're building up those processes, things that we want to do internally before we go tell our clients that they should be doing it.
[00:13:59] So, uh, uh, since you brought up the SOC 2 stuff, the, the fun part for me around SOC 2 is that's a scoped audit and the MSP scopes what's in scope.
[00:14:13] Yeah.
[00:14:14] For engagement.
[00:14:15] So unless it's encompassing the entire organization for me, honestly, Wayne, personally, forget this.
[00:14:24] It's not worth it.
[00:14:25] Right.
[00:14:25] Because you still are going to have the glaring gaps inside of your organization that are going to bleed over and it's human nature.
[00:14:34] Well, we do it this way here, but we have to do it differently over here.
[00:14:37] Well, why can't I just do that here?
[00:14:40] Yeah.
[00:14:41] Right.
[00:14:43] Anyway, I could go, oh, I could go down on a tangent right there, but, um, I'm going, I'm not going to, cause we have other more important things to talk about.
[00:14:52] But if anybody wants my opinion and how to avoid those kinds of pitfalls, reach out to me.
[00:14:58] So let's, so fine.
[00:14:59] Fair enough.
[00:15:00] Let's go back then to the, to the, the protecting your clients.
[00:15:03] Right.
[00:15:03] So what are some things that MSPs should be doing internally and then eventually selling on clients to, to absolve that issue you said earlier, which is like, yeah.
[00:15:15] If you go to tell a client, like, Hey, we want to, we want to get you on email security.
[00:15:19] Well, why did you tell us about it before?
[00:15:21] Like why, why you should, you should have been doing it all the time.
[00:15:23] How does, how do MSPs navigate that minefield of a conversation?
[00:15:28] Yeah.
[00:15:28] That, and that's actually an excellent question that I'm asked all the time.
[00:15:33] Right.
[00:15:33] Especially when they now have to go and almost me a culpa saying, you're right.
[00:15:38] I should have talked to you a little bit more about why this is important.
[00:15:42] But again, I think if they bring the conversation back down to going, look, we're human.
[00:15:47] We all make mistakes because at the, at, when the bad thing happens at the client site, in most cases, it was due to a failure in that people in process area.
[00:15:57] Right.
[00:15:57] It had nothing to do with the technology.
[00:16:00] And so we all have to reflect internally.
[00:16:04] And Eric's heard me say this a million times as I'm sure some of your audience has as well.
[00:16:09] We have to get out of this shame game, right?
[00:16:12] It's not about, it's not about blaming somebody for failing to tell us something we should have already known.
[00:16:20] It's about how can we, how can we reflect internally and improve the process we currently have with our people to ensure we're protecting the business.
[00:16:31] So we can protect the objectives, whatever that might be, whether it's growing revenue, gaining market share, right?
[00:16:38] Being the best of the best of the best, or as part of an exit strategy, being caught up in an acquisition or a merger, right?
[00:16:48] All of those things kind of funnel through to the same concept of understanding your business, understanding your business risk.
[00:16:56] What's going to impede you from achieving those objectives?
[00:17:02] And start with, starting with your people first, figuring out, because, and I've brought this up and people have come up to me afterward and said, Wayne, I have the right people in my organization.
[00:17:12] I now see, I may have to shuffle a few folks around to put them in the better seat to be able to help the organization move forward, right?
[00:17:23] It's not necessarily about firing people.
[00:17:25] That's not what we're saying at all.
[00:17:27] But look at your organization and set it up for success to minimize the risk and drive to your goals of your business objectives, right?
[00:17:36] And then do the same thing with your process.
[00:17:42] We align to the objectives and mitigate as much of the risk as possible.
[00:17:46] And then look at your technology stack.
[00:17:49] Quit listening to the marketing hype.
[00:17:51] Look, I love, look, we have vendors, vendor members too, right?
[00:17:56] They are there to make a buck.
[00:18:01] Just like we all are.
[00:18:02] We live in a capitalistic society.
[00:18:04] And even for my, the members that might be watching from our socialist side, there's still some capitalist stuff in there.
[00:18:11] But the point is, we all need to make money in order to survive, put food on the table, etc.
[00:18:17] And if we're not paying attention to our business risk, and again, this is going to go right back to that white paper on how to have better conversations with our clients.
[00:18:25] Right?
[00:18:27] If the better our conversations are with our clients, the better they understand the barrier to entry to get them to do the things we need them to do to protect their business, then protects the MSP because there's not as much risk that they're having to manage across a multiple set of client coming into that one MSP.
[00:18:48] Right?
[00:18:49] The MSPs have more risk than each of the individual clients combined.
[00:18:54] Why?
[00:18:54] Because they have risk in every single one of the clients, which just multiplies the risk that they have for an organization.
[00:19:00] Yeah.
[00:19:01] And if they're not paying attention to that risk, they're going to get burned.
[00:19:05] How badly they get burned is how much they can reduce that impact.
[00:19:12] And in some cases, that may mean letting clients go because they don't fit your ideal client.
[00:19:20] Yeah.
[00:19:21] It's a hard conversation, but again, place of love, place of love.
[00:19:24] Place of love.
[00:19:24] That's what this whole show is about love.
[00:19:28] The truth is also that when you're having those conversations with your clients, right, it's not that we didn't tell you to have email security.
[00:19:36] It's that new things have come out and whether those things have changed.
[00:19:40] You have the client has hired and fired people.
[00:19:43] The client has maybe the client because of the pandemic changed their business model.
[00:19:49] Therefore, their processes have changed.
[00:19:51] And on top of which the technology has changed.
[00:19:54] Right?
[00:19:55] You know, you can look at a product like Microsoft Defender for email as an example.
[00:20:02] It is very different today than it was five years ago as a product.
[00:20:06] And so five years ago, the process that we built out for somebody could be, you know, hey, new user gets signed up.
[00:20:15] They get a business standard.
[00:20:16] They get Defender.
[00:20:17] We move on with our lives.
[00:20:18] That would be the process for onboarding a new person at a customer.
[00:20:22] Right?
[00:20:22] And that person is trained on how to use Defender or whatever it is.
[00:20:26] Well, if Defender is no longer doing the job, we have to go back and look at the process.
[00:20:31] Okay.
[00:20:31] The onboarding process has to be changed.
[00:20:33] That's where the license comes into place.
[00:20:35] We have to switch them to a different tool.
[00:20:37] We have to teach them on different ways.
[00:20:38] And we have to teach them how to protect themselves differently because the bad guys are just getting smarter.
[00:20:43] And a lot of MSPs are still resting on their laurels, which is a whole nother episode that just Eric and I are going to do an episode like ish that grinds my gears.
[00:20:56] Yeah.
[00:20:57] Yeah.
[00:20:57] Yeah.
[00:20:58] And well, and that's part of vendor management too, right?
[00:21:01] Is making sure that a you're keeping up with your vendors, whether or not they're dropping behind in technology and whether or not there are other vendors that are coming up that are doing things that are more effective.
[00:21:14] You know, that's, that's part of the whole process.
[00:21:17] And I think one of the things we've talked about here, we've pointed at it a couple of times is the MSP putting their oxygen mask on first.
[00:21:27] Right.
[00:21:27] Right.
[00:21:27] Yeah.
[00:21:28] Making sure that they've built the processes first, again, for a couple of reasons.
[00:21:34] Number one, Wayne, you mentioned, you know, the MSP has a little bit of risk across every single client.
[00:21:40] And so they've got to protect that first.
[00:21:44] And they can't teach, they can't help, they can't remediate until they've done it for themselves.
[00:21:52] And, and so that really becomes the crux of this is, and the reason why they have to do it for themselves first.
[00:22:00] Yeah.
[00:22:01] Cause honestly, until, until they've experienced it, they can't walk in that other business owner's shoes.
[00:22:06] And so, you know, truth be told it, it's, it's easy to have a conversation from a complete marketing slick that you're following on behalf of pick a vendor that you're, that you're currently using inside of your business today.
[00:22:24] It's something else to have that fail.
[00:22:28] And then the client's coming back to you going, you were the one that recommended this.
[00:22:34] That's a completely different conversation.
[00:22:37] I do want to, I want to take a step back a little bit.
[00:22:39] Cause like one of the things that Eric, you were talking about the vendor, like, and Wayne, you mentioned the risk.
[00:22:43] Like one thing that immediately popped into my mind is like the amount of MSPs I know who don't two factor their ticketing systems.
[00:22:51] Like something simple as that.
[00:22:55] Like if you're an MSP, okay.
[00:22:57] If you're driving, I want you to pull over for a second.
[00:23:00] Okay.
[00:23:01] I just shivered at that statement by the way.
[00:23:04] Your ticketing system doesn't have to, is not enforcing 2FA.
[00:23:09] And you're not trying to use the maximum MFA on it, whether that's, you know, an authenticator plus a Yubico key or something else.
[00:23:17] Like anywhere that you're, where your client's data lives, that's that documentation system online.
[00:23:24] That's your online file share.
[00:23:26] That's your email and your ticketing system.
[00:23:29] If you do not enforce 2FA across every one of those platforms, please reconsider what you do for a living.
[00:23:38] I'm being harsh, but it's true because like, that's the kind of stuff that pops up a lot because that is the easy way through.
[00:23:47] And then you have to get into the conversation about like, you know, we've talked about this with Gene Reich from Traceless about the MSP who got hacked for MGM.
[00:23:56] Right.
[00:23:57] Identity management kind of thing of like who tell who it is, but like those simple things need to be put in place.
[00:24:03] And if you're not put, if you're not enforcing 2FA on literally every tool you have, I don't care if it's your like online survey tool.
[00:24:12] You cannot talk to a client about security.
[00:24:14] No.
[00:24:15] And we have to live as an MSP.
[00:24:18] We need to be living and breathing, maturing our cybersecurity processes all the time.
[00:24:26] Right.
[00:24:26] Because things change.
[00:24:28] We have a multitude of types of businesses that we support multiple industry verticals.
[00:24:34] I mean, there are, there are some right MSPs that are very niche in focus community banks, insurance companies, retail shops.
[00:24:42] But those are few and far between.
[00:24:45] The majority of MSPs have multiple different vertical clients, healthcare, attorneys, retail, right?
[00:24:56] Water utility departments.
[00:24:59] I mean, it's just amazing to me.
[00:25:02] And we.
[00:25:05] I'll tell you, one of the other things I hear is, well, until government regulates me, I'm just going to continue going down this path.
[00:25:12] And I'm like, so what is your revenue go toward today?
[00:25:18] Well, what do you mean?
[00:25:20] I'm like, does it pay your salary?
[00:25:22] Well, yes.
[00:25:23] Does it pay your employees salaries?
[00:25:25] Well, yes.
[00:25:26] Does it put food on the table for your household?
[00:25:30] Yes.
[00:25:31] How about them?
[00:25:33] Yes.
[00:25:33] What if you can't do that anymore?
[00:25:37] And they're like, well, then I just do something else.
[00:25:42] Well, then maybe to your point, maybe you need to do something else, right?
[00:25:47] Because we're in such a world today.
[00:25:51] We're under constant attack.
[00:25:54] I just saw an article and I can't remember where I saw it today that there's been some power outages impacting Verizon cell towers specifically around the US.
[00:26:09] Now, I wonder if that has anything to do with Iran currently bombing Israel.
[00:26:18] I don't know.
[00:26:19] But why would you not be thinking about the risk to your business from an overall cybersecurity perspective, thinking you're fine when there are really bad people out there trying to do really bad things to those of us, not just here in the US, but around the world in a free society?
[00:26:38] I mean, it makes no sense to me.
[00:26:41] And Wayne, you know, I was reading over the new cybersecurity, the state of cybersecurity report that you guys put out recently.
[00:26:50] And it's pretty obvious to me that there is a mindset problem when it comes to that kind of risk.
[00:26:59] Yep.
[00:27:00] Oh, I completely agree, right?
[00:27:02] It's not going to happen to me.
[00:27:04] Well, again, we're back to the they don't know who I am.
[00:27:06] They don't know my data.
[00:27:07] We're too small.
[00:27:08] You know, but I mean, I could go on and on and on with all of the excuses.
[00:27:12] But the fact that the matter remains and Eric, I know you've heard me say this to businesses are even are in our personal life were nothing more than a street number on the information superhighway.
[00:27:26] Right.
[00:27:28] That that's all we are.
[00:27:29] You're just a IP address.
[00:27:31] They don't know who in the hell you are from Adam until they get in there and then they can discover what's going on.
[00:27:37] And if you don't have the proper secure controls in place, data is exposed.
[00:27:43] Now, all of a sudden, it's for sale.
[00:27:45] You don't even realize it.
[00:27:48] And then you're well, I could go down another.
[00:27:50] Well, I talk to clients a lot because like a really easy one just to make it to make a point for, you know, if you're listening, you want to make a point.
[00:27:58] You're close.
[00:27:58] A lot of your clients probably have a WordPress website.
[00:28:01] Right.
[00:28:01] And WordPress traditionally ends.
[00:28:05] You know, you want to get into the admin?
[00:28:06] It's domain.com.
[00:28:07] That's WP admin.
[00:28:08] And if if you go to a client's website and has that, you're not telling them to put in a like a security tool or whatever it is.
[00:28:13] You're leaving them exposed.
[00:28:14] And what I tell clients all the time with that one is.
[00:28:17] The bad guys aren't hacking you because you're you.
[00:28:21] They're hacking you because they can.
[00:28:24] They don't give two flying Fs if you're Wayne or Justin or Eric or whoever.
[00:28:31] Right.
[00:28:31] They're just doing it because they can, because once they get into one system, they can use that to propagate their information, their stuff, put out ads, do more spam, whatever it is.
[00:28:41] They just need to take control of more, more components there.
[00:28:44] So if you're not even just as basic as saying, listen, get a security plug in and change the slug.
[00:28:52] Right.
[00:28:52] And I always tell people like changing the slug is like having I this only works with the right demo.
[00:28:57] Right.
[00:28:58] Having changing the slug on your W on your WordPress admin is like having the club on your car in the 80s.
[00:29:04] Like it didn't stop people from stealing your car.
[00:29:07] It just made it more challenging and they just went for somebody else who's easier.
[00:29:11] So like security through obscurity is my favorite.
[00:29:14] All right.
[00:29:15] Let's jump into something Eric's been wanting to talk about and I'm still not going to let him, which is the side of the Conte a trust mark.
[00:29:21] Wayne, tell a little bit about what the trust mark is.
[00:29:25] What is this new cybersecurity trust mark and how can people, how can MSPs get trust market did trust mark, trust mark stamped?
[00:29:36] I don't know what the word is here.
[00:29:36] No.
[00:29:38] So first of all, it's not something new.
[00:29:41] Actually, CompTIA being the being right, the IT professional or IT channel trade association since 1982, by the way, we first launched the security trust mark plus in 2008.
[00:29:58] It was wickedly well ahead of its time.
[00:30:00] It was a badge for MSPs to actually start going down the path of creating a foundational security program.
[00:30:10] It was only 18 or 19 of the NIST cybersecurity framework safeguards though, right?
[00:30:16] It was third party assessed.
[00:30:20] It was modified, updated in 2014.
[00:30:23] And then when I came on board at CompTIA in 22, the members were already in the process of attempting another revamp, which I kind of gave them the timeout.
[00:30:34] Let's think about this for a second.
[00:30:36] And let's turn this into something that could be really, really more profound and useful and have a bigger impact on the IT community around the world.
[00:30:48] And let's call it the cybersecurity trust mark, the CompTIA cybersecurity trust mark, as a matter of fact.
[00:30:53] So 177 safeguards today, mostly based around 87% based around the CIS critical security controls.
[00:31:04] CIS is a great partner in this effort.
[00:31:07] The members, though, have added in some other global frameworks to kind of help MSPs focus and meet that uniqueness around the verticals that they support, right?
[00:31:18] So whether it's privacy, whether it's government and controlled unclassified information or critical national infrastructure components, there's a lot of things that we put in to actually help MSPs be more successful in achieving some of those other frameworks, including SOC 2, ISO 27000, NIST cybersecurity framework, and even get them on a good solid foundation ready for CMMC, right?
[00:31:46] It's not the end all be all for CMMC, but it can actually help get them prepared for what they're about to undertake in order to go through CMMC.
[00:31:54] So we were never intending, still never intending, to be the end all be all for any of those other formal frameworks, right?
[00:32:03] We want to just be that on ramp, again, to help MSPs actually all start moving in the same direction when it comes to cybersecurity, because everybody's unique.
[00:32:15] Every MSP is unique with who they support.
[00:32:18] Their risk profiles differ between MSPs.
[00:32:23] See, I'm going to bring it all the way back to risk, Justin.
[00:32:25] I'm okay with that.
[00:32:26] But honestly, so I don't care if you're going to go down an 800-171 path with CMMC or a SOC 2 Type 2 or an ISO 27001 audit.
[00:32:37] I really don't care.
[00:32:38] That's not the goal here.
[00:32:40] The goal here is to get us to help you raise your awareness and understanding around cybersecurity, develop a thicker foundation of a security program that you can then start building the rest of your whatever pathway, whatever you want your building to look like of a cybersecurity program for your MSP and your clients.
[00:33:02] We want to help create that foundation.
[00:33:04] That's what the Trustmark is all about.
[00:33:06] And that's what the Trustmark is designed to do.
[00:33:09] That sounds awesome.
[00:33:10] Can you give like an example of some of the beginning steps that if an MSP signed up to, I guess, join the program?
[00:33:18] I don't know.
[00:33:19] They would join the program.
[00:33:20] What are just like one or two things that you see most MSPs needing to do first and foremost?
[00:33:28] Is it they don't have a BDCR or an IRP?
[00:33:31] Or is it like they don't enforce encryption on staff computers?
[00:33:37] So there's a lot of different facets to the overall Trustmark program.
[00:33:44] Everybody has a different starting point.
[00:33:46] Some people have already started and have a continuation point.
[00:33:50] Right?
[00:33:51] Some people need a refresher and a reset.
[00:33:53] So this program is able to, I don't care where you are in your journey today.
[00:33:59] We're able to help course correct, add to your journey path and make you successful.
[00:34:09] The goal here.
[00:34:11] So because of who we are, we've actually created.
[00:34:17] So let me just go into some of the stuff.
[00:34:19] So we onboard you into three different solutions to help you better understand your risk.
[00:34:26] First and foremost, you get onboarded into a GRC platform.
[00:34:29] If you already have a GRC platform, great.
[00:34:33] All you have to do is let us know who that is.
[00:34:35] If they're one of the ones we're already working on adding into the mix, it's not a big deal.
[00:34:38] The Trustmark controls, the safeguards will be in that platform.
[00:34:44] Right?
[00:34:44] So, but if you don't have a GRC and you need to manage to all of the safeguards, we can onboard you into a GRC.
[00:34:52] We have an external, internal, automated vulnerability assessment, which is important.
[00:35:02] Right?
[00:35:02] Because most MSPs have not gone through an external and an internal and understand how to kind of bring that stuff together.
[00:35:11] Third one is we have an organization that can actually look outside in and help you understand your baseline risk posture today.
[00:35:24] All of those are included in the program.
[00:35:28] So, once you've onboarded the community inside of CompTIA, we get together weekly, sometimes a couple of times, more than a couple of times a month in a given week.
[00:35:48] But come together to help each other understand, all right, I'm stuck.
[00:35:54] How did you do this?
[00:35:55] How can I get this safeguard implemented?
[00:35:58] Or what did you do to help me think about how I can implement this inside of my environment?
[00:36:03] Find another framework where that's even taking place today.
[00:36:06] Yeah.
[00:36:07] Because there's all the frameworks that I know of, Elise.
[00:36:09] You know, all the things.
[00:36:10] They expect you to do it.
[00:36:11] They expect you to know how to do it.
[00:36:12] They expect you to do it.
[00:36:13] Yeah, yeah, yeah.
[00:36:14] So, like, even in our own audit, you know, they're like, you need an IRP.
[00:36:20] And we were like, okay, where should we start?
[00:36:22] You know?
[00:36:23] And so, like, we had to do the research and, you know, bring ChatGBT into it and look at templates and kind of, like, meld it all together.
[00:36:30] And even at that, it may not pass, you know, the auditors.
[00:36:35] But I don't know why I said that word weirdly.
[00:36:41] It may not pass that.
[00:36:42] And therefore, we're going to be in a position where we have to come up with a new solution where, if I'm hearing you correctly, Wayne, is that the community here is sharing that information so that way people have a much faster kickstart to get to some level of better cybersecurity.
[00:37:02] Not necessarily a controlled framework, but on the way there.
[00:37:07] But with a much better starting point than if you just went and signed up with one of these SaaS solutions that does the compliance for you.
[00:37:19] And again, it's not – those SaaS solutions are not taking care of everything you need to as a business, right?
[00:37:25] And that's part of the challenge I would encourage all of the listeners to take back, right?
[00:37:33] You have to understand your business objectives and figure out your risk to your business.
[00:37:39] That in and of itself is a major undertaking.
[00:37:43] But I'll tell you what.
[00:37:44] If you can do the homework around that and figure that out, then once you start looking at your business through a different lens, your people, your process, your technology,
[00:37:55] and I would even go down the path to say your clients, right?
[00:37:59] So for technology, I'm wrapping in all of the vendors.
[00:38:02] You're going to see the world from a completely different lens.
[00:38:07] And the impact on your business is going to be profound because now you're able to see why you've been told no from a lot of your clients
[00:38:19] or why a client said, you know what?
[00:38:21] I'm moving on.
[00:38:22] I'm going down the road.
[00:38:24] Yeah.
[00:38:25] Because you'll now understand what they've been seeing that maybe they were afraid to tell you.
[00:38:32] You are too close to the problem.
[00:38:34] And that, again, from a place of love, sometimes we're a little too close, right?
[00:38:39] And we can't see it.
[00:38:41] We think we're doing a good job.
[00:38:43] But, you know, and I'll just give you one.
[00:38:46] I'll give you a freebie.
[00:38:47] I'm going through auditing somebody right now, assessing somebody against the Trustmark safeguards.
[00:38:53] Fortunately, it's one of my last two.
[00:38:55] They're going to be third-party accredited going forward.
[00:38:57] But there's a disconnect in what they say they're doing that's not documented in either their policy or their process.
[00:39:09] So what does that lead to?
[00:39:12] One person in the organization that's putting in their implementation notes, this is how it's happening.
[00:39:17] But my question back is, how do you know?
[00:39:22] Is it measurable?
[00:39:23] Is it written down somewhere in a standardized document that every single one of the technicians is disabling doorman accounts after 45 days?
[00:39:36] Right.
[00:39:36] I don't know.
[00:39:38] I think this is my biggest beef with just the industry in general, which is this, like, we talk about standards and things like this.
[00:39:46] And yet, no two MSPs do it the same way.
[00:39:50] No two MSPs do it like which would you say.
[00:39:52] And so, like, we want to talk about building standards.
[00:39:56] We want to be talking about building policies and procedures and things like that.
[00:40:00] And yet, there's no guiding light.
[00:40:05] And I'm kind of setting you up to tell me that you have this.
[00:40:07] I'm hoping you do because I have no idea.
[00:40:09] Which is there's no guiding light to say, this is the way you should do it.
[00:40:14] Shut up and do it this way.
[00:40:17] Well, so let me ask you a question.
[00:40:21] Uh-oh.
[00:40:24] Because I'm not a fan of that, right?
[00:40:28] Again, Justin, I don't know.
[00:40:31] I just met you.
[00:40:32] I don't know your MSP.
[00:40:35] But I'm sure you guys have a specific.
[00:40:38] No, I know that.
[00:40:38] But I'm sure you have a culture that exists inside of your organization today.
[00:40:44] Yeah.
[00:40:44] Right?
[00:40:45] Yeah.
[00:40:46] I don't know if it's a good culture or bad culture.
[00:40:48] So just let me preface that for the audience.
[00:40:51] My point is, if Virtua, right, is doing things this way, that's good for Virtua, right?
[00:41:01] Yeah.
[00:41:01] But the entire organization of Virtua needs to be doing it that way.
[00:41:06] Right?
[00:41:07] Yeah.
[00:41:07] Because otherwise, you have the potential, a real potential, not just a, okay, it could happen, but maybe not.
[00:41:17] A real potential of somebody making a mistake, not following a standardized process inside of Virtua, and causing some risk to your business.
[00:41:28] Now, let's contrast that with Mr. Eric Anthony, who also has an MSP.
[00:41:35] Not really.
[00:41:36] But we're going to say that he does.
[00:41:38] Not anymore.
[00:41:39] Not anymore.
[00:41:40] I know.
[00:41:41] And he's doing things by the book every single time in a standardized document, in a standardized method that fits his MSP.
[00:41:52] What's the difference there?
[00:41:54] I should buy Eric's company.
[00:41:55] No.
[00:41:57] You should make your own company.
[00:41:59] No, no.
[00:41:59] It's, yeah.
[00:42:01] But have it mean culture?
[00:42:03] It's different culture.
[00:42:04] It's different clients.
[00:42:05] It's different modalities.
[00:42:06] And I get that.
[00:42:08] I do.
[00:42:09] But I think that there are some overarching standards, like disabling accounts after 45 days, or enforcing multi-factor authentication and everything.
[00:42:21] Or there's so many people who use, let's say, there's, what?
[00:42:24] There's five major cloud file share services that everybody uses.
[00:42:29] Two of them have the word box.
[00:42:30] One starts with an E, one starts with a G, and one starts with an O.
[00:42:33] Like, there are standards that everyone should be following along their policies.
[00:42:39] But, like, this is my point, is that, like, I want this to exist, but it can't.
[00:42:44] So, but I think there's a difference between the controls and the how you implement those controls.
[00:42:52] Sure.
[00:42:53] 100%.
[00:42:53] Because the how is what's going to depend on your culture.
[00:42:57] Correct.
[00:42:57] Because, and that's why people are so prominent in the positioning, right?
[00:43:03] That's why people come before process, come before tools, is because the people have to align to your culture.
[00:43:10] Right?
[00:43:11] Or the people are really going to define your culture.
[00:43:13] There you go.
[00:43:14] That's more on to the point, right?
[00:43:17] The people are going to define the culture, right?
[00:43:21] And, you know, you guys may have the best plan in the world and it works great for you, Justin.
[00:43:25] But here's the thing.
[00:43:27] That same plan may not fit well into Eric's MSP because they have a different culture and a different way of doing things.
[00:43:34] Yeah, but he's wrong.
[00:43:36] We can joke about that.
[00:43:38] But honestly, it's not that either is wrong.
[00:43:42] It's just different.
[00:43:43] Right.
[00:43:44] 100%, yes.
[00:43:45] Unless it's Eric.
[00:43:46] But, yes, everyone else is different and not wrong.
[00:43:49] So, maybe that's why I don't have an MSP anymore.
[00:43:52] That's probably why.
[00:43:53] We could talk about that.
[00:43:55] That's another episode.
[00:43:56] Yeah.
[00:43:57] Okay.
[00:43:57] So, real quick, because we're going to get towards the end of the episode here.
[00:44:01] What does someone need to do to get the CompTIA cybersecurity trust mark?
[00:44:07] What's the first step that they got to do?
[00:44:09] Well, first step is to let us know that you're interested, right?
[00:44:13] And that is as simple as going out to connect.comptia.org.
[00:44:17] Do not go to www.comptia.org, at least not today.
[00:44:22] Connect.comptia.org.
[00:44:25] You can put in the search bar up at the top cybersecurity trust mark.
[00:44:30] It will pop up.
[00:44:31] It will take you to the page that offers the interest form.
[00:44:36] Let us know, right?
[00:44:37] There are some prerequisites.
[00:44:39] You have to be a CompTIA member in order to go through the program.
[00:44:43] The reason for that is you're going to be saving a lot of money, number one, because of how we're onboarding you into some of those applications I had already talked about, right?
[00:44:55] Most importantly, though, by far, best bang for the benefit of joining is the ability to have access to the community and get their insight, their feedback, their assistance.
[00:45:08] Worth its weight.
[00:45:10] And then after, you know, after you're onboarding, you're ready to come into the readiness path.
[00:45:17] It's a simple application fee of $250 US.
[00:45:20] That goes to help fund some of the other things that we have going on, right?
[00:45:25] Inside of the trust mark program initiatives, right?
[00:45:31] And then you work through with the community.
[00:45:35] We give you two years from when you register or sign up into the readiness path to go through and get ready for your full audit, your full assessment.
[00:45:47] There is a midterm exam if you want to take advantage of that.
[00:45:52] We still have that available.
[00:45:53] No one's done it yet, though.
[00:45:55] No one's taken advantage of the midterm exam.
[00:45:57] And that's having an assessor actually give a cursory look at some of the things you've already put together, about 30, 35 of the safeguards, just to make sure you're on the right track in doing this, right?
[00:46:09] Last thing you want to have is get to the end going, you need to change some stuff.
[00:46:15] You don't want to have that happen, right?
[00:46:18] I had already mentioned the third-party assessor organization.
[00:46:23] They're accredited from Crest.
[00:46:26] We will have others that will get added to the mix.
[00:46:29] Again, for those that are familiar with the trust markets, we are taking a slow and methodical approach to changing the industry around the world.
[00:46:40] The full assessment is a fraction of what you would spend on anything else.
[00:46:46] It's only 2,500 U.S. to go through the full audit.
[00:46:52] That's a great deal.
[00:46:53] It's an annual renewal because we need to see maturity inside of your organization.
[00:46:59] We can help you actually mature the organization at that point, right?
[00:47:02] And it's a great marketing differentiator for a lot of MSPs because I know there's plenty of people who are listening who are not going to do this.
[00:47:08] But do understand that the ones that are going to do this are going to be able to differentiate themselves by putting this on their website, putting this to where their certifications are, and saying not only are they a member of CompTIA, but they also have this cybersecurity trust mark.
[00:47:20] And anyone who knows anything about computers knows CompTIA.
[00:47:23] And therefore, that carries a lot of weight, which you should be really thinking about as part of your marketing differential as well to take it just to another level.
[00:47:32] Well, and for those that might be on the fence or just like, I'm not going to do this.
[00:47:38] Let me tell you, government regulation around the world is coming for the solution provider community.
[00:47:44] I know that because I'm having conversations with a lot of those governments.
[00:47:48] And the government is actually looking to have, I won't call it a, it's a reverse reward system, right?
[00:48:00] So by that, I mean, it funds the government.
[00:48:03] It doesn't fund the MSP.
[00:48:06] If you get my drift in the form of fines, right?
[00:48:10] Penalties, that kind of stuff.
[00:48:12] So if you're not going to go down the path of the cybersecurity trust mark as a means by which you can start to develop and get into, build the foundation to your house, and then pile the other frameworks on top of it that you need, pending that government regulation, you're at least, all of those that go through are going to be well ahead of the game on getting to that regulation effort once that does in fact happen.
[00:48:40] I'm just, I'm just calling it out, right?
[00:48:43] Again, place of love.
[00:48:44] I've been saying there's going to be a governmental thing.
[00:48:47] I thought it was going to be this year, truth be told, but I think it'll be sometime.
[00:48:51] For the US?
[00:48:51] No way.
[00:48:52] Yeah, no, no, no, no.
[00:48:53] I thought two years ago it was going to be 2024.
[00:48:56] Well, no, not for us.
[00:48:59] Not at all.
[00:49:00] But UK, that legislation is going back in in January of 25.
[00:49:06] So for those that might be listening over there, heads up.
[00:49:09] And it will be effective immediately.
[00:49:12] So you're already, if you haven't been doing anything, you're already behind the curve.
[00:49:17] I'm just saying.
[00:49:18] Right.
[00:49:19] All right.
[00:49:20] Well, get on, listen up, folks.
[00:49:22] Get on this.
[00:49:22] Go check it out and get your CompTIA cybersecurity trust mark.
[00:49:27] Wayne, where else can people find you online if they have any questions asked about the CompTIA community cybersecurity programs?
[00:49:34] They can find me on LinkedIn.
[00:49:36] They can find me on Twitter.
[00:49:38] LinkedIn's easy.
[00:49:39] It's WayneRSelk.
[00:49:42] On Twitter, I'm sorry, X.
[00:49:45] We call it Twix.
[00:49:46] Elon will have a fit.
[00:49:49] It's Wayne.
[00:49:51] It's at WayneSienaSec.
[00:49:54] S-I-E-N-N-A-S-E-C.
[00:49:58] Right.
[00:50:00] I haven't changed my handle since I was with Siena Group.
[00:50:03] So, but that's where I am on X.
[00:50:06] Awesome.
[00:50:07] And I'm sorry I don't do Facebook.
[00:50:08] I don't do Instagram.
[00:50:10] I would strongly encourage you to be on Twitter.
[00:50:11] I can't imagine like a real good, strong cybersecurity.
[00:50:14] TikTok, absolutely not.
[00:50:17] TikTok, I understand.
[00:50:18] But like, I can't imagine a strong cybersecurity Instagram game.
[00:50:22] Like, it's just pictures of just hackers just all day long.
[00:50:25] I want you to think about who owns the technology stack behind it.
[00:50:30] Not necessarily that there's a cybersecurity play.
[00:50:33] Although, as soon as you figure out who's behind it, you're going to figure out very quickly there could be some additional risk there.
[00:50:38] Yeah.
[00:50:39] No, I know exactly where you're going with it.
[00:50:41] But I still won't remove TikTok from my phone.
[00:50:44] It's the best thing you can do before I go to bed.
[00:50:45] Eric, any final words before we finish off today's episode?
[00:50:50] So much to say.
[00:50:51] So much to say.
[00:50:51] But I know that we are out of time.
[00:50:53] So I'm going to save that for another episode.
[00:50:57] It's not like you.
[00:50:59] I know.
[00:51:00] That'll make them listen again.
[00:51:02] Well, then, if you're listening and you've made it this far, do check out the CompTIA.
[00:51:06] Trust Mark.
[00:51:07] Go sign up for that.
[00:51:08] Talk to Wayne.
[00:51:09] Get into that program.
[00:51:10] Get yourself a better foundation on your cybersecurity.
[00:51:12] Please put multi-factor authentication on literally everything you use.
[00:51:16] Stop being one of those people.
[00:51:17] It bothers the ever-living crap out of me.
[00:51:20] If you want to complain about this episode, check us out.
[00:51:22] Facebook.com slash group slash allthingsmsp.
[00:51:25] Watch us all in our video glory at youtube.com slash at allthingsmsp.
[00:51:29] Leave us a review on all of your favorite podcasting tools.
[00:51:32] That's Eric.
[00:51:33] I'm Justin.
[00:51:34] Bye.
[00:51:35] Thanks for listening.
[00:51:36] And don't forget to subscribe to us on your favorite podcast platform.
[00:51:40] You can also follow us on Facebook.
[00:51:42] But better yet, go ahead and join the Facebook group.
[00:51:45] You can also follow us on Instagram if that's your thing.
[00:51:49] And make sure you subscribe to our YouTube channel at allthingsmsp to catch us in all of
[00:51:55] our video glory.
[00:51:56] And last but certainly not least, if LinkedIn is your thing, you can follow us there as well.
[00:52:02] And a special thank you to our premier sponsors, SuperOps, Movebot, Gozinta, EasyDmark, and Comtech.
[00:52:12] And we also want to thank our vendor sponsors.
[00:52:18] The All Things MSP Podcast is a BizPow LLC production.