- How Secureframe’s tools make SOC 2 compliance easier
- Why your MSP should embrace security automation now
Justin Esgar (00:07):
I broke ChatGPT last night. I was doing so much with it, and this is after I spoke to you on the phone where it told me it would take 48 hours. I'd come back to it. I was doing some other things and at some point downloads stopped working and I was like, how does that happen? And it was like, it's an unknown error. And then ChatGPT said, I'll let you know when it's resolved. And I was like, how are you going to let me know? You don't have any email capabilities. And they're like, you're right Justin. We don't. Just come back here and we'll check on it. So I was like, all right, whatever, pain in the ass. And so that was last night. This morning, I went back and I go, Hey, are downloads working yet?
(00:46):
And it was like, we're sorry, they're not. And I was like, can you tell me how to fix this? And it goes, well, we have other ways you can get your information, have it write a document. And I'm having it trying to download as a Word doc and it's not working. So it goes, we have other ways you can get the information like Google Drive. And I was like, oh cool, you can output to Google Drive. And it goes, yes, give us a Google Drive link. Here's how you do it. So I give it the Google Drive link and he goes, which file is in this Google Drive? Would you like me to read? I'm like, no, no, no, no, no, no, no. I want you to output into Google Drive. And then it goes, we can't do that. And I was like, you just told me you could make up your mind.
(01:19):
So I actually figured out this is what got me. I was working on three separate projects yesterday with ChatGPT, and if you tell it to output as a Word document, it won't always output everything that's in the chat. So I was having it flesh out more information for some security documents that we were trying to write, an IRP or whatever. And online through the web, through the chat, it was giving me a bunch of stuff, but when I outputted it, it was like three lines. And I was like, what happened to all the good stuff? And it was like, oh my bad, I'll put that. And then it was like, I can't do that. What is that? I can't do that, Hal. No, Hal's the computer. I can't do that, Dave. And I was like, go home, you're drunk.
Eric Anthony (02:06):
Yeah. So we had had a conversation about ChatGPT yesterday and how you had asked it to do something and it was going to take 48 hours for it to come back. So I'm like, okay, I want to play with that because I'm interested in what I could do to simulate that with a different type of project. So I said, take the top 20 Berkshire Hathaway holdings and give me an analysis of an investment strategy where I put in $50 initially and then $5 a week every week on Monday morning, and you purchase $5 worth of stock of the stock that's closest to its 180 day low.
Justin Esgar (03:00):
Okay.
Eric Anthony (03:02):
And tell me what I would have at the end
Justin Esgar (03:05):
And your computer exploded.
Eric Anthony (03:08):
No, but it does say that. It didn't tell me exactly how much time, but it did say come back later because I have to do this analysis. And so I said, well, what could speed it up? And it said, well, give me five stocks to specifically look at. And so I gave it five specific stocks to look at and now it says it's going to take one to two hours.
Justin Esgar (03:32):
Yeah. And are you on 4o? Oh yes. Look at your, yeah, you're on 4o. Oh, right. I don't know what the difference is between 4o and 4o mini. I don't know what the language model differences are. I'm not up to date on that information, but the fact that the robot needs time to do stuff, so even though we talked about it on the call yesterday, I do, I'm going to repeat it. I got to find it though. I want to repeat it so that way the listeners know exactly what ChatGPT told me. I have it basically writing a draft for something and it said I should have the draft for chapter one ready for you within 48 hours. Feel free to check back, then I'll have it ready for your review. Does that timeline work for you? So it's acting like a human. I never told it to be like this. I didn't give it the parameters like you're a ghostwriter or whatever. I think that's what you had asked me yesterday.
(04:26):
And I said, all right. I said, sure, but may I ask why it's going to take that long? And it goes, good question. Screw you, dude. The 48 hour timeline gives me time to ensure this draft is well researched, thoughtfully written and aligned with your vision. And here's a quick rundown of the process, research reference gathering, writing the draft, self editing if you need it sooner. I can aim for 24 hours, but I want to ensure a high quality and it's comprehensive. Does that clarify the timeline? And that would clarify the timeline. If I was talking to a human being who's actually doing work, this is a robot, it should take a nanosecond.
Eric Anthony (05:08):
So I have a theory. I think ChatGPT is quiet quitting on us. If you're struggling with the complexity of Microsoft 365 deployment, management and automation, it's time to check out CoreView, created by MSPs for MSPs like you. They help you with end-to-end Microsoft 365 administration from the moment you set up a new tenant, packed with things like unified visibility and control of all your tenants from a single UI, a powerful no-code automation engine, baseline tenant configurations, drift remediation, and much more. You can supercharge your productivity and do even the most time consuming tasks with just one click. Work effortlessly and deliver best practices to your customers today with CoreView. To learn more, visit ATP link slash coreview.
Justin Esgar (06:07):
Hey, I have a really good From the Group I would love to do. You ready for this? I'm ready for this. I'm ready for this. For those who don't know and you haven't been paying attention to the first 70 something episodes of this show, facebook.com/groups/all things MSP and post. And then we'll talk about it on air and then maybe you'll hear your own name and be like, oh my God, they're talking about me. Yay. All right, so today we're talking about Matt Cornelius. Matt writes, and this is a long one, so I'll speed read. So if you're listening to this on podcast speed 1.5, you're not going to hear what I'm saying. I probably can't link to the page. There's an SEO digital marketing company that is trying to get me as a client. They claim to be US-based workers, et cetera, and they're asking for $300 a month to get 10 keywords of my choice and have my site ranked on first page for each keyword.
(07:06):
They don't start charging me until one of the 10 starts showing up. That all sounds like an average pitch. I'm trying to do due diligence on the company. I was looking at their site under their terms and conditions, and it states that if they get a chargeback from you, they can contact your customers and notify them of this and they'll also start doing negative SEO on your site or sites. Is that normal? I've never heard of such a thing. Honestly, it sounds like they could be put in jail for that. Imagine if a construction contractor put a new door in your house and the check bounced and he comes back and rips the door off your front door, the front of the house. Hi Matt, this is your conscience calling. Don't do business with these people.
Eric Anthony (07:46):
Yeah, red flag, huge red flag.
Justin Esgar (07:50):
I do like that. There are 12 comments on this and a lot of them are, to be honest, I'm not sure if some of these are trying to tell him to just don't charge back or saying that $300 is too low. Someone writes, $300 is low. For SEO, I wouldn't expect much. And with terms like that, they must have a lot of chargeback issues, red flag. But someone else was like, oh, tell 'em you'll pay on performance. Don't say that. Just don't engage. You don't engage with crazy. Yeah,
Eric Anthony (08:37):
This is a weird one to me because I understand what they're trying to do, but being that upfront about how they're going to rip you apart if you don't fulfill the contract, that just tells me that they're so bad that they've already had this problem multiple times, and so they are making sure that they are double and triply covered in case you do a chargeback. They can go back and screenshot these conversations and say, look, they agreed to this, we told them this, and yeah, no, no,
Justin Esgar (09:25):
I understand if the terms and conditions were like, if you charge back, we bring you to arbitration or even or immediately remove all of our work SEO. But if their contract states that they can contact your customers, first off, how would they even know who my customers are, right? I don't know what piece of information. If you're doing SEO, you're doing web work and content marketing, so I have no idea how you would know who my customers are. Not to mention, and we've had this conversation before, I'm a big proponent of not putting your customers on your website because that's just an easy way for your competitors to steal them. But I don't know how this company would even do. I mean, the fact that they even have to say it is a massive red flag for me and I would immediately not do work.
(10:20):
Not to mention $300 for SEO is extremely cheap, and for that much money, for $300, I honestly think, because the average MSP per hour price is 150. So we're talking about two hours of work a month or whatever. You could do that work yourself, and trust me, if you don't know how to do SEO, just go to Google. How should I SEO my website for MSPs? Now, sure, you're going to get the same results as everyone else who's Googling it, but truth be told, there's only so many different ways you can skin this cat, which also is a disgusting expression, by the way.
Eric Anthony (11:02):
Yeah, I would probably say that if you took the amount of time that it takes to deal with these people and pay these people, you could probably do enough organic social yourself to get the same results, ultimately the same number of leads, because I don't think SEO's necessarily going to do it for you. I think $300 on targeted ads on either LinkedIn or Facebook geographically, because that's going to buy you a lot within a small geography.
Justin Esgar (11:34):
Absolutely.
Eric Anthony (11:36):
And so spending that money on Facebook or LinkedIn ads, probably preferably LinkedIn on a very specific geographic region for a month, I think is going to generate a lot more net results than trying to do SEO.
Justin Esgar (11:55):
No, a hundred percent agree with you on that. Because if you think about this, everyone who's listening, we're all MSPs no matter what our niche is. Weirdly enough, I think if you Google macOS Sonoma 14.2.1, my website shows up because I have an article about 14.2.1, that's it. But if you search Apple MSP, New York City, I'm definitely not on page one because Apple, the word Apple's in there and they've taken it a whole bunch, or what was Tekserve? And now Mike's Tech Shop or some of the other big players have taken up that space, and especially a lot of the aggregate websites, right? So there's only so much SEO that any of us can do. So doing a targeted ad, like you said, I think makes way more sense because then you can hit the exact type of clients you're looking for.
(12:48):
And we've talked about it in the past, your ideal client profile, whatever. It's actually, and here's proof that this, people don't think that these things work, but I have proof that it does. And there's a story about this, and it was years ago, so I apologize, I'm missing some of the details, and I may have told it on the show before, but there was a kid who wanted an internship at some company and he took out, he made a video explaining why he should get an internship at this company, and then he took out specific targeted ads to everyone at the company except the CEO. So he looked up the company, he found all the people who worked there and targeted the CMO, the CFO, the COO, the head of HR, that way only they would get these ads. And the ad was a link to a video of him explaining why he should get a job at this company.
(13:35):
And all of them individually got the ad, and all of them went to the CEO and all of them said, we should hire this kid. And the CEO wrote a letter going, you got the job, now take down the ads. Right? It was a genius move. Now, I don't know how, again, that was years ago. So I don't know just the exact metrics on how well it worked now, but if you can hone in on that ideal customer, especially in a geographic, I think the idea of a geographic piece works really well. If you're not in a major metropolitan, it helps, and if you can hone in on that type of customer and hit those people up, plus you have things like lookalike audiences. So you should be able to upload your current list of customers and let the system automatically figure out people that are related to or connected to or things like that. That's a much better spend of $300. But even a better spend of $300, Matt, is put $250 in your pocket and take $50 and head over to patreon.com/all things MSP and we'll send you a sticker or a bottle or whatever Eric has lying around
Eric Anthony (14:42):
You. Actually, going back to the ideal client profile, you don't even know this yet. I don't even think you and I have talked about this, but Tim Fitzpatrick and I just finished recording a three session masterclass on your ideal client profile that I think it'll probably not be next week, but the week after when that comes out,
Justin Esgar (15:07):
Also because of time, wibbly-wobbly, timey-wimey, why don't we give people a date because they don't know when this is coming out.
Eric Anthony (15:13):
That's true. So by the time you see this,
Justin Esgar (15:15):
It's probably already out, we'll say beginning of October from Realto, our good friend from Realtime Marketing, right?
Eric Anthony (15:26):
Yes. Yes. Love that. And then what else was, oh, I was going to say, some people are going to say, but Eric, I don't know how to create ads,
Justin Esgar (15:35):
But Eric, I don't know how to create ads.
Eric Anthony (15:37):
Take $50 of that $300 and apply it to a Canva subscription, which not only gives you the tools to create ads, it will actually create ads for you and has a gazillion, and I literally mean gazillion, templates that you can just use and fill in your own information on, or it has its own AI that you can also use to generate not only images, but also text and copy and that kind of stuff.
Justin Esgar (16:05):
Canva is great. It has all those templates, and you can literally type in LinkedIn ad and it will give you the exact dimensions, correct. Now, as for the AI images, I think we're at a point right now where if you're not careful with those, I've seen people starting to do AI imagery to promote their MSP, but I think if you're not careful with those, people are going to see that and think that either you don't know what you're doing or you're lazy. So just be careful with AI imagery, I think. Yes, I agree. But you're right. Canva is a great thing. So now we have $300 to start with, Matt. We've spent $50 on patreon.com/all things msp. We've spent $50 on Canva. You still have $200 in the bank to spend a hundred dollars on ads. And take that last a hundred dollars, buy yourself a nice bottle of bourbon and realize you didn't screw up by hiring this SEO company. Matt, thanks so much for writing in, facebook.com/group/all things msp, and that has been From the Group.
Eric Anthony (17:05):
If you're running an MSP and ever feel like you're constantly putting out fires, I've got some exciting news that could change the game for you. It's the Eureka Growth Program brought to you by GTA's Eureka Process, a sponsor of all things MSP, and it's specifically crafted for MSPs at every growth stage. Imagine having a C-suite of advisors right at your fingertips guiding you through everything from hiring to handling mergers, boosting your service delivery, and even planning your exit strategy. That's what this program offers. Let me tell you, it's like having a powerhouse team behind you, making sure that you're always ready for the next big opportunity. So if you're looking to elevate your MSP game, check out the Eureka Growth Program. You can sign up for a call with the Eureka team or shoot them an email. If you have questions, go to atsp.link/eureka to find out more.
Justin Esgar (18:00):
Hey, Eric, guess what Justin? We have a guest. I love it when we have a guest. Yes, I always say that. Bring them up, Mr. Shrav Mehta, CEO of Secureframe. What's up, man? How are you
Shrav Mehta (18:11):
Doing? Great. Thanks for having me.
Justin Esgar (18:14):
Yeah, thanks for being here. Real quick, before we get in, why don't you give everybody a two minute spiel? Who are you? What is Secureframe? And we were talking a little bit ChatGPT in the pre-show. What's the stupidest thing you've asked ChatGPT?
Shrav Mehta (18:27):
Stupidest thing. Oh man, that's a good question. I think I've asked ChatGPT for a lot of advice on how to phrase conversations or how do I say this thing without sounding disrespectful or rude? It's actually very helpful for that.
Justin Esgar (18:54):
I won't take that one personally. Yeah. Alright, so anyway, give everybody the spiel. Who are you and what's Secureframe?
Shrav Mehta (18:59):
Yeah, yeah. So I'm Shrav, I'm the CEO and founder of Secureframe. So my journey in cybersecurity and compliance began when I realized how time consuming and inefficient it was for organizations to manage their security and compliance using basically no tooling outside of spreadsheets and data rooms that were put together. And I just figured there must be an easier way to do this, something that's simpler, something to keep this process more organized and streamline it. And that's basically what inspired me to create Secureframe. So Secureframe is essentially a platform that leverages automation and AI to streamline compliance processes for companies of all sizes. We help businesses achieve and maintain compliance with various frameworks like SOC 2, ISO 27001, HIPAA, PCI, GDPR, and all sorts of other things so that businesses can get through their audits more efficiently and they can focus on what is actually core to their business rather than getting bogged down by complex regulatory requirements or compliance requirements. So that's kind of what Secureframe is in a nutshell and how I got into it.
Justin Esgar (20:07):
Yeah, that's awesome. Compliance has been a big topic, especially the last couple of years, more so even this year I think than ever. And we've brought it up a lot on the show. I think we even have an entire episode dedicated to compliance. And just for the listeners at home, I'm going through, I'm trying to get SOC 2 compliant for myself. Unfortunately, I'm not using Secureframe, but I think I'm well versed enough to get into it. So let's talk a little bit about why MSPs should think about getting to some sort of compliance themselves. Because most MSPs, they only know of HIPAA. HIPAA is protected from, those are your doctors and dentists and whatever, but we never think about ourselves being compliant. And I think the big ones for MSPs, and tell me if I'm wrong, SOC 2 or ISO 27001, why should an MSP think about becoming compliant in this fashion?
Shrav Mehta (21:08):
So there's a couple of things to kind of broach on here. So when we first started Secureframe, we were selling primarily direct, and we actually had a lot of MSPs and channel partners reach out to us saying, Hey, we actually need to get compliant ourselves. And some of these folks that started off as our customers were talking to us and said, Hey, we could distribute this and sell this to our customers. I had never been in a business that had a big channel sales function, so this was all pretty new to me, but I'm like, well, this sounds great. Yeah, we'd love to work with you. Over time, we've made some more serious investments in our overall MSP program, which I can go into later. But the reality is every business these days needs to be secure and compliant, and they need to prove that. No one wants to be the weakest link in the chain or the one responsible for a security breach.
(22:00):
We've had things like encryption since literally before Christ, in much more rudimentary fashion, of course, than how we might imagine it today. But the issue that we often see is that the encryption or the tools and stuff that are given to you are not actually applied. So when you're doing something like SOC 2, you need to make sure that all your cloud services are configured securely. So what Secureframe would do is go in, we'll connect to your AWS account or GCP, Azure, whatever you're using, and we will make sure that it's configured by the standards that you're trying to comply with or the correct guidance. And we'll continuously monitor and check that you're doing that. So previously, let's say you wanted to make sure all your S3 buckets are encrypted, a pretty baseline security standard that pretty much most frameworks have in some way or form. If you have hundreds of S3 buckets, it's very easy for one to go missing. So what Secureframe does is we check all these things through the API automatically and verify that it's set up correctly or give you guidance on how to make sure to configure it correctly. If you're an MSP, you probably want to make sure that you're meeting these minimum security standards just as much as your clients are.
Justin Esgar (23:16):
Yeah, I mean, it totally makes sense. So for those who are not aware, SOC 2 is not a technical compliancy, right? It's like an accounting measure around data security, correct?
Shrav Mehta (23:32):
Yes and no. SOC 2 can be construed as a lot of different things. So let me actually do this. Let me give the simple explain-like-I'm-five version, and I always worry when I give these definitions of SOC 2, people say, that's not what it is, it's X, Y, Z thing. So I'll preface it, but really SOC 2, the way to think about it, it's a giant list of things that you have to do in order to stay secure and compliant. A bunch of these things are going to be things that are more of what I would consider non-technical. In fact, that's the vast majority of it. Things like, Hey, do all your employees have background checks done? Are you making sure that you have a performance review process in place? These kind of very basic business processes, things like that. And then about, let's just say anywhere from 30 to 50% of it is more technical, a technical list of things to do like encrypting your S3 buckets, making sure that all your data is encrypted at rest and in transit, making sure that you have database backups and all these hundreds of little checkbox items.
(24:33):
And the thing about SOC 2 is it's very flexible. There's no rigid requirement or thing that says, Hey, your S3 buckets need to be encrypted. There will be requirements that kind of allude to, Hey, do you have these basic security things in place? And auditors have essentially kind of come to standardize that as, Hey, if you're on AWS, we expect you to do these things to meet that requirement. So there is a lot of flexibility, which is why when someone says, Hey, SOC 2 means doing this, it's not necessarily true, it's flexible. It could mean doing that, or it could mean doing X, or it could mean doing Y. It's really, does the auditor believe that this kind of meets the requirements where they feel comfortable with what the company is doing, if that makes sense. Yeah.
Eric Anthony (25:20):
So the way that I would kind of put that is that it's a set of best practices that, especially for an MSP, an MSP does not have a requirement to be SOC 2 compliant. However, if they are SOC 2 compliant and something happens, they have an incident, being SOC 2 compliant is going to show that they've done their due diligence, they've followed the best practices to do everything that they can according to a standard that they didn't develop to avoid that from happening, even though it still happened.
Shrav Mehta (25:56):
Yeah, I think that's a good way to put it. And what I tell people is, SOC 2 doesn't mean you're secure. That would be a very dangerous thing to say, but it gets you kind of a baseline of like, Hey, these are some things that we should probably be doing on top of other things, especially as your business or company matures. For example, SOC 2 doesn't require a pen test to be done. It is something that the vast majority of companies do, and I would argue that that is probably one of the most important things you should be doing for the security of your application. So just an example of why just saying you have a SOC 2 doesn't mean you're automatically secure or there's no chance of having a data breach or an issue. Right.
Justin Esgar (26:39):
And I think a lot of it, like you said earlier, a lot of it's documentation and also there are things that don't apply. So for us, there was a lot of documentation that it wants to see about codebase and things we do in GitHub, and I was like, we don't do anything in GitHub. We are not monitoring that. We're just turning those off. That doesn't mean we're not going to get SOC 2 compliant. Those just don't apply to us. Whereas ones that are like, you have to have, and this is kind of a given, you should have malware protection on all of the computers. Funny enough, we did, but our software, our MDM won't report it properly, or our SOC 2 program wouldn't pick up that Malwarebytes was a legitimate malware protector. So we ended up rolling out Microsoft Defender for Endpoint, which if you listen three episodes ago, I said it's amazing on the Mac, and it picked up on that. So there are some things that seem like such givens for us as technologists that we would have in our practice, and things that we tell clients also. You tell all your MSPs, tell your clients, Hey, get malware protection, get antivirus, have your disks encrypted, but are you doing it yourself? This is a good way to get slapped in the face with, you should do it yourself. You have to eat your own dog food. So I think getting compliance is important.
Eric Anthony (28:02):
Obviously there's probably a staged rollout of this, right? You probably want as an MSP to do it yourself first, so you get the experience of going through it. B, you get the benefit of securing yourself while you're at it, but then you're going to move on to your clients depending on what type of compliance they want. How do you handle the conversation or how are you recommending MSPs handle the conversation when maybe they go through that gap assessment tool that you guys just announced, and there's kind of a lot of things that are missing. And does that reflect poorly on the MSP, or is there a way to have that conversation so that the MSP doesn't look like a deer in the headlights?
Shrav Mehta (28:54):
Yeah. Yeah. No, it's a good question. I don't think it reflects on the MSP. You don't necessarily run the company's entire division for their IT and security, or maybe you do, but there's so many things that go into it. Is the MSP responsible if an employee gets phished and all the proper training and everything that you could really do was provided? These deepfakes are getting really good these days. So I don't think it makes the MSP necessarily look bad. Your end clients might not purchase every single service that you have. And to some extent, that's on them too for deciding the tools and the level of security and things that they want from their MSP partner. But this is kind of why the gap assessment is a really great tool for all of our channel partners. So when you take the gap assessment, you can have the company connect up a bunch of their integrations, enter some basic information that you know about them, and then you'll go through some of the controls for some of those common frameworks.
(29:56):
So there's CIS controls, which are very popular with a lot of our channel partners. You could do SOC 2, ISO. We have 40 to 50 different frameworks on the platform today that are pre-templated that you can do a gap assessment against. And when you go through that, you're going to see, okay, there's almost always going to be something that you're missing. It might be trivial or small, but it's a good way to assess like, Hey, what is the state of our security? How do we comply with some of these programs? And there are some gaps. So this is an area where us as your channel partner can help you fix these gaps and make sure that they're continuously monitored and don't happen again.
Eric Anthony (30:36):
Neat. Well, a lot of people think I'm a deepfake.
Justin Esgar (30:38):
So everyone thinks that I've been talking to an AI for the last 74 episodes. So let me ask you a question, right? So getting to these compliance levels and getting these compliance done, it used to take hours on end, you said earlier, Excel documents and papers and all these things. What is Secureframe doing that's helping them not have to just do that? Because a lot of people probably think that a program like Secureframe is just the place for us to upload all of those documents, but it's not, right? There's some other components involved. What are some of the things that Secureframe is doing to help lessen the burden on the people who are trying to get compliant?
Shrav Mehta (31:20):
Yeah, no, that's a great question. So when we started Secureframe, we just saw that there was so much time being spent on things that were just very automatable, right? And there was also just a lot of slippage. It's very hard to check a large AWS account for all these kinds of security settings. It's very easy to miss something. And that's kind of where attackers are looking. They're basically looking for the one thing that you missed during these processes, during these audits. And one of the things about a lot of these audits is that they use sampling methodologies. They don't check every little thing. And that's kind of where Secureframe comes in. What we do is we integrate with all your core business systems. So we'll integrate with your AWS, your GCP, your Azure, we'll integrate with your HR system and verify people have been offboarded from various accounts.
(32:08):
If they're no longer with the company, for example, we'll make sure that we're integrated into your version control tools like GitHub, GitLab, Bitbucket. We have over 300 integrations today. And so instead of having to manually check, Hey, did we turn on our encryption for all of our S3 buckets, we can actually programmatically verify that instead of taking a bunch of screenshots, accidentally missing something, forgetting that we deployed something in X, Y, Z region on AWS that we totally forgot about. And that saves a ton of time. Matt, you really only have to look at the things that we found that there are gaps in or that you aren't doing. You just have to remediate them. And we provide in-app instructions on how to do all that, and it saves companies literally hundreds of thousands of hours sometimes depending on the size of their footprint. So I want to be careful to say we're not taking a shortcut. We're basically using automation to make these things more efficient.
Justin Esgar (33:09):
Because the idea being that instead of a human checking it all, so at the end of, let's say someone signs up and they've gone through all this, does that mean now that they're SOC 2 compliant, end of story, or there are more steps that need to be done after these tests and things are done?
Shrav Mehta (33:24):
So Secureframe as a platform will help you get SOC 2 ready end to end, and then we basically pair you with one of our audit partners. We have basically hundreds at this point, and once you schedule your audit, they'll be invited into the Secureframe portal where they can export any evidence that they need, review things, leave some comments. And once the auditor looks through everything, much quicker than before because of how everything's organized in their auditor portal, they'll be able to issue you a SOC 2 report very shortly after. So before, these things could take months, and now with Secureframe, an auditor can get some of these audits done in less than a week or just a couple of days, depending on the size of the company. And the preparation, again, takes just so much less work as well. One thing I hate is having to go back and forth between external parties, and we save you so much of that communication overhead because everything's in the platform.
Justin Esgar (34:23):
So as we get into the end here, and thank you for that, it does make sense that someone has to still look over the work, right? The system. It's not just I dump everything into Secureframe and haha, now I'm SOC 2 compliant. There still has to be a human who checks it, which means this is why Eric can't become SOC 2 compliant himself. Let's say we go through all this, what do you think is the best compliance framework? I've been looking for the word framework this entire episode, if anyone's been paying attention. What do you think is the best compliance framework an MSP should be going for? Because there are 50 frameworks out there, right?
Shrav Mehta (35:04):
Yeah. So it really depends on what's going on in your business and what your customers are asking for. So with a lot of technology companies, SOC 2 is the most popular report that everyone is asking for. So you'll oftentimes get a security questionnaire from a vendor like, let's say, Cloudflare, and I was just looking at a security questionnaire that they had sent a customer, and they basically said, hey, do you have a SOC 2 Type 2 or ISO 27001 certification? And either of those would work for them. SOC 2 and ISO, just since I mentioned it here, they're both very similar frameworks. They have a lot of overlap between them, and there are a lot of companies that end up getting both. But often enough you have healthcare data. So now you start to need HIPAA. And HIPAA is a law. It is not something that's optional.
(35:56):
Whereas, like, SOC 2 and ISO, it's usually something that's driven by your customers. They want to make sure that all their vendors have some baseline of security in place. HIPAA is a law, you have to follow it if you have any sort of healthcare data. PCI, if you are dealing with any sort of payment transactions, you're probably going to have to comply with PCI. PCI Level 1, the most stringent one, is required if you have more than 6 million payment transactions, as well as a couple of other things. So again, it's really driven by what's going on in your business, what are your customers asking for? Are there any regulatory frameworks that you fall under that you just have to do? And then there's a whole bunch of others that are kind of just nice-to-have things that you should probably be doing to beef up your security. Yeah,
Justin Esgar (36:41):
That's awesome. Well, Shrav, thanks so much for being here, man. I know we're out of time. Real quick, where can people find out more about you and Secureframe online?
Shrav Mehta (36:51):
Yeah, just check us out at secureframe.com. You can always contact us through our form and we'll get you in touch with someone on our team. And we're always looking to speak with more partners.
Justin Esgar (37:02):
Awesome. Thanks so much. Eric, any final words before we head off for the day?
Eric Anthony (37:07):
No, I just think that this is a really important thing for MSPs to take a look at, because they need to level up their compliance and whatever they're using for their security framework. And I think that a gap assessment tool like you guys have just announced is really a good thing for MSPs, not only for themselves, but also to go out and evaluate their clients.
Justin Esgar (37:33):
So get out there, get yourself compliant, and be cool, or don't and don't be cool. I think that's what it's coming down to. I think that's all I have really for today. I've kind of run out of things. So anyway, thanks Shrav for being here. Eric, as always, it's been a pleasure to do. Check us out at facebook.com/group/all things msp. See all of this in its visual greatness at youtube.com/@allthingsmsp. Follow us on all of your favorite podcasting tools. Leave a review. Leave a review about Shrav. Let's see if anyone's actually going to do that. I don't know, people do funny stuff nowadays. That's it. That's Eric. I'm Justin. Bye.
Eric Anthony (38:10):
Thanks for listening, and don't forget to subscribe to us on your favorite podcast platform. You can also follow us on Facebook, but better yet, go ahead and join the Facebook group. You can also follow us on Instagram if that's your thing. And make sure you subscribe to our YouTube channel at All Things MSP to catch us in all of our video glory. And last, but certainly not least, if LinkedIn is your thing, you can follow us there as well. And a special thank you to our premier sponsors, SuperOps, Movebot, go into, EasyDMARC, and Comtech. And we also want to thank our vendor sponsors. The All Things MSP podcast is a Biz LLC production.