Cybersecurity, Regulation, Liability, & Best Practices in Managed IT Services w/ Steven Cook
Business of Tech: Daily 10-Minute IT Services Insights | October 18, 2024 | Duration 00:23:01

Host Dave Sobel engages in a thought-provoking conversation with Steven Cook, the owner of Strategic IT Services, a managed service provider (MSP) specializing in cybersecurity. Steven shares insights into the diverse range of services his organization offers, from general technical support to cybersecurity and disaster recovery. With a focus on co-managed IT, Steven explains how his company assists businesses of varying sizes, from solopreneurs to larger organizations in regulated sectors like finance and energy.

The discussion delves into the impact of regulations on customer needs, particularly in the energy sector, where recent political changes have significantly affected income streams. Steven highlights the challenges faced by small businesses in maintaining IT services, often opting for minimal or no support, which raises concerns about cybersecurity risks. He emphasizes the importance of having a baseline level of security measures in place, such as endpoint detection and response, to protect sensitive information and maintain operational continuity.

As the conversation progresses, the topic shifts to the evolving landscape of cybersecurity regulations, including the rollout of CMMC 2.0 and the implications of FedRAMP certification for software vendors. Steven expresses his expectation that demand for compliance with these standards will increase, particularly as more MSPs and MSSPs serve defense-related industries. He notes that while some vendors have yet to prioritize FedRAMP certification, there is a growing need for businesses to adopt security measures that meet regulatory requirements.

Finally, Steven shares his perspective on the liability of software providers in the context of cybersecurity incidents. He argues that while vendors like CrowdStrike bear some responsibility for their products, the onus also falls on businesses and IT implementers to follow best practices in deploying technology. This includes implementing phased rollouts and testing updates in controlled environments. The episode concludes with a call for clearer regulations and standards to protect businesses and their customers from the increasing threat of cyberattacks.

💼 All Our Sponsors

Support the vendors who support the show:

👉 https://businessof.tech/sponsors/

🚀 Join Business of Tech Plus

Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.

👉 https://businessof.tech/plus

🎧 Subscribe to the Business of Tech

Want the show on your favorite podcast app or prefer the written versions of each story?

📲 https://www.businessof.tech/subscribe

📰 Story Links & Sources

Looking for the links from today’s stories?

Every episode script — with full source links — is posted at:

🌐 https://www.businessof.tech

🎙 Want to Be a Guest?

Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:

💬 https://www.podmatch.com/hostdetailpreview/businessoftech

🔗 Follow Business of Tech

LinkedIn: https://www.linkedin.com/company/28908079

YouTube: https://youtube.com/mspradio

Bluesky: https://bsky.app/profile/businessof.tech

Instagram: https://www.instagram.com/mspradio

TikTok: https://www.tiktok.com/@businessoftech

Facebook: https://www.facebook.com/mspradionews


[00:00:02] I find it really useful to talk to people in the field delivering services. So let's talk to an MSP and MSSP focused on cybersecurity. Steven Cook from Strategic IT Services joins me for a conversation. He's got an interesting hot take or two on this bonus episode of the Business of Tech.

[00:00:23] Well, Steven, thanks for joining me today.

[00:00:26] Happy to be here.

[00:00:27] Dave Sobel I'm excited to have you. It's always fun to talk to somebody who's in the field who's actually doing it. So take a minute and give me a sense of who your organization is and what services you're delivering.

[00:00:38] Steven Cook Sure. So we're kind of a full suite managed IT provider. We do everything from general technical support all the way through backups and disaster recovery, cybersecurity, managed IT.

[00:00:51] Steven Cook You know, we kind of do the full spectrum and through our various business partners.

[00:00:56] Steven Cook We do stuff that's not kind of in the managed IT ecosystem such as risk assessment, such as web design and stuff that's kind of a lateral thing right next to managed IT.

[00:01:12] Dave Sobel Makes a lot of sense. And so you're trying to, you know, outsource and be the technology solution provider for your customer.

[00:01:18] Steven Cook Yeah.

[00:01:19] Dave Sobel Can you give our listeners, that I know they want to know, like, can you give some sense of the size, geography, like what your organization looks like, how many people and endpoints, whatever numbers you want to use to describe the organization?

[00:01:31] Steven Cook Sure. So so we're a fairly small MSP. We're less than 10 employees.

[00:01:35] Steven Cook Okay, but kind of what we do is we help with all our various experience.

[00:01:42] Steven Cook We we help people that have like these 50 person IT, you know, providers where you don't you don't need it, you know, through various means, whether that's streamlining processes, whether that's a little bit of automation or something like that.

[00:01:58] Steven Cook A lot of especially the bigger the company is, they they have lots of duplication and stuff going on, you know, throughout the environment.

[00:02:06] Steven Cook So we kind of help do that keep costs low without, you know, without outsourcing completely or anything like that.

[00:02:14] Dave Sobel So interesting. So you lean more into co-managed IT is like kind of the bigger.

[00:02:19] Dave Sobel So you're focused on targeting those sort of 50, 60 person organizations that have some resources and do co-managed.

[00:02:27] Dave Sobel Is that a fair assessment?

[00:02:28] Steven Cook So we kind of do a mixture.

[00:02:30] Steven Cook So, you know, I have customers that are, you know, one person solopreneur kind of shops.

[00:02:38] Steven Cook And then, you know, we have customers that are in the financial sector and the energy sector and stuff that are a lot larger, you know, you know, our customers do everything from, you know, they can make, you know, some, some of our solopreneurs can make maybe 10,000 a year in revenue.

[00:02:53] Steven Cook So I have ones that are in the, you know, tens of millions.

[00:02:56] Steven Cook So it's a very wide range, just kind of depending on the situation.

[00:03:00] Dave Sobel Gotcha. Okay. So you really are like positioning as that, you know, IT supplementer to the organization: we're going to fill in the holes and help you out with that.

[00:03:09] Dave Sobel Can you give me a little bit of a breakdown of, you know, the sense of how much of your business, you know, is recurring revenue, managed services contract kind of stuff, and how much stuff is more transactional?

[00:03:21] Steven Cook Sure. So it's about 70 30.

[00:03:23] Dave Sobel Okay.

[00:03:24] Steven Cook So about 70% is recurring.

[00:03:27] Steven Cook You know, we have, we have larger businesses that, that kind of keep us a flow on the low, you know, in the valleys and stuff like that.

[00:03:34] Steven Cook You know, we support UPS, for example.

[00:03:37] Steven Cook You know, we have different hedge funds and stuff like that.

[00:03:40] Steven Cook That's a lot more, a lot more recurring.

[00:03:44] Steven Cook And, you know, rather than, you know, we every once in a while will get calls, you know, hey, can you fix this?

[00:03:49] Steven Cook Can you fix that kind of one shot stuff?

[00:03:52] Steven Cook But most of it is actually managed.

[00:03:54] Dave Sobel Got it, makes a lot of sense.

[00:03:57] Dave Sobel So I want to get into sort of the meat of what you're seeing in the field, because I think that's the most valuable for the audience.

[00:04:03] Dave Sobel You've named a couple of sectors that it sounds like you're involved in.

[00:04:06] Dave Sobel I've heard energy there.

[00:04:07] Dave Sobel There's transportation there.

[00:04:09] Dave Sobel There's, you know, a bunch of a mix there.

[00:04:11] Dave Sobel And there's some regulations that fall into that.

[00:04:14] Dave Sobel How much are you seeing regulation impact your customer needs right now?

[00:04:19] Steven Cook Well, actually quite a bit.

[00:04:21] Steven Cook For example, my customers that are in the energy sector, because of the current political administration, they actually shut down drilling for about the first half of the year.

[00:04:33] Steven Cook So they went from, you know, having, you know, their standard income to basically zero, you know, so we kind of had to adjust with them.

[00:04:42] Steven Cook But yeah, we've, we've seen a lot of regulation, whether that's, you know, changes in like the NIST, the NIST framework, they just released the newest things for quantum computing that we're looking at, and all the way to GDPR and different things like that.

[00:04:58] Dave Sobel Okay, so you've even got customers that you have to handle in the GDPR and potentially NIS 2 in Europe as well?

[00:05:05] Steven Cook Yeah, so, so we support the US, the UK, and Canada.

[00:05:11] Dave Sobel Okay, got it. So you've got a lot of experiences. So you'll be very relevant for a couple of questions. I've been thinking a lot about the rollout of CMMC 2.0, and the various levels. Are you seeing that in the field with your customers right now? Are they having conversations about that?

[00:05:27] Steven Cook Some are.

[00:05:28] Steven Cook I haven't kind of been super in, into those conversations. But, but yeah, I mean, it's happening. But I don't have a whole lot of kind of experience in that sector.

[00:05:41] Dave Sobel Okay, got it. So that's not something that you've leaned into yet. How about something along the lines of, you know, are you looking at FedRAMP? And like, is it one of the questions that you might have for your tool vendors? Because it's one of those areas where I'm curious to see how much it's happening in the field, because I'll give you my basic premise.

[00:05:58] Dave Sobel There's a lot of these MSP based tools and MSSP based tools that are moving more and more into defense related industries or serving them, right? So you might be dealing with something that's related to that. And one of the ways that the US government can figure out, you know, which tools they're more comfortable with is FedRAMP certification.

[00:06:19] Dave Sobel But as far as I can tell, most of the major MSP focused players have done little to nothing around FedRAMP certification. And I'm trying to understand, like, is that a demand that you are seeing now or you're expecting soon?

[00:06:33] Steven Cook It's one I'm expecting soon. I think as it, as it ramps up, it's really going to go that way. I like you, I've not seen much from the major, you know, vendors that, that do, you know, MSP.

[00:06:49] Steven Cook Kind of suites of software and stuff. I really haven't seen much in the way of FedRAMP, kind of, kind of getting certified and stuff. You know, it's more, I think they're trying to gear their stuff towards kind of typical MSPs, not necessarily government entities and stuff, just so they can hit a bigger market.

[00:07:09] Steven Cook So I haven't seen it too much.

[00:07:12] Dave Sobel Is it a concern though?

[00:07:14] Steven Cook It can be. I think you don't necessarily have to

[00:07:22] Steven Cook be with FedRAMP to have a certain amount of baseline security behind your applications. And so this is something actually I had a sit down with one of our congressmen here maybe a month ago.

[00:07:38] Steven Cook And I was kind of talking about this because what's happening is small businesses, um, because of the economy and stuff, they've basically stopped paying for IT. Um, so basically, um, you know, I, I've seen, I've seen companies where, you know, they, maybe they didn't have an IT, but maybe they're ramping up. So they're, you know, starting to need someone more dedicated.

[00:07:59] Steven Cook And they're just deciding not to do it. Um, so for example, there's a, um, like a tree removal company here, um, in my local area that I was kind of in talks with.

[00:08:12] Steven Cook And basically I asked them, Hey, what, you know, who does your IT now? And they were like, well, my business partner works at a hospital and they know a guy who knows the guy, you know, kind of thing. And I'm like, you're, you're making millions of dollars. How, how, you know, how is this functioning? And, but, but I mean, that's, that's actually fairly common, especially on the small business side.

[00:08:36] Steven Cook They're just either going without, or they're going way underutilized.

[00:08:42] Dave Sobel So that's an interesting point because, you know, there's a lot of risk there in that space, right? So as it stands right now, the software vendors that are deploying are not liable for that risk. Those customers are essentially saying that they're willing to take all of that risk on operating.

[00:09:04] Dave Sobel Like, is that something that you're looking at, the liability, as a pro or a con? Because I could see it both ways, right? There's an element of, if the customer is accepting all of that risk, that could be a positive selling factor for helping.

[00:09:19] Steven Cook Sure.

[00:09:19] Dave Sobel Or at the same time, it'd be a big negative that, you know, for example, that needs to get pushed onto the software vendor. How do you see that liability?

[00:09:26] Steven Cook Oh, I think you're exactly right. I think it can be a pro or a con. And I think a lot of the times it's not, you know,

[00:09:34] Steven Cook You know, a one or the other, I think it's a mixture of both.

[00:09:37] Dave Sobel Okay.

[00:09:38] Steven Cook You know, and it's just, it's just one of those things. It's, I talked to so many business owners, especially newer business owners,

[00:09:45] Steven Cook And smaller businesses that they say, I want no risk. And you know, it's just one of those things in business they haven't quite learned yet is,

[00:09:54] Steven Cook You know, you can't have no risk because then you don't grow. You know, you need to take calculated risks and what risk can you accept to, to get that growth.

[00:10:05] Steven Cook And, and so it's just, you know, one of those things, for example, when the main services that we provide is endpoint detection and response.

[00:10:13] Steven Cook And I know, I know so many of those customers that I'm like, what kind of EDR solution do you have?

[00:10:21] Steven Cook They're like, we don't even run antivirus on our computers.

[00:10:25] Steven Cook And, and it's these days, it's, I would say it's kind of crazy, but it's more, it's irresponsible almost to run a business without anything.

[00:10:40] Steven Cook So, so yeah, I mean, it can be a major deficit for sure.

[00:10:50] Dave Sobel So interestingly, I would agree with you 100%. It's irresponsible to run a business that way.

[00:10:53] Dave Sobel But I'm going to observe it's not illegal, right?

[00:10:56] Dave Sobel If we think about it from the perspective of assumed liability, the market has sort of said that this is one area that we're going to allow.

[00:11:04] Dave Sobel But for example, you can't run a house contracting business without insurance.

[00:11:09] Dave Sobel You can't be a banker without a lot of regulation.

[00:11:12] Dave Sobel You can't be a doctor without a better.

[00:11:14] Dave Sobel What's your take on the requirement here of making this more of a regulatory environment?

[00:11:24] Dave Sobel Saying that we would have to tell customers there are legal thresholds that you absolutely have to meet or you are breaking the law.

[00:11:32] Dave Sobel What's your take on that?

[00:11:33] Steven Cook Sure.

[00:11:33] Steven Cook So that's actually a conversation that I had with, with the congressman when I sat down with him.

[00:11:39] Steven Cook And so there was a, there was a cybersecurity act passed in 2022.

[00:11:44] Steven Cook And but unfortunately that the federal government can't limit private businesses too much related to that or they haven't been willing to.

[00:11:56] Steven Cook So for example, that cybersecurity act, it affects federal contractors and, and company or companies that are in sectors that the federal government has deemed as critical infrastructure.

[00:12:10] Steven Cook So the energy sector, the healthcare sector, etc.

[00:12:12] Steven Cook And so that act, but that act really didn't do anything for private businesses outside of those sectors.

[00:12:21] Steven Cook And so it's one of those things where I think, I don't think it's, you know, malicious or anything like that.

[00:12:37] Steven Cook But I think because there's no regulation.

[00:13:30] Steven Cook So you know, it's a certain level of password policy, you know, so it doesn't necessarily have to be a ton of hardware or something like that.

[00:13:36] Steven Cook But there has to be some common sense things that businesses do to protect their customer state.

[00:13:44] Dave Sobel So I mean, I'm 100% in agreement with that.

[00:13:46] Dave Sobel So what would be your take on like a national privacy law, right?

[00:13:49] Dave Sobel That says that there's a baseline of data protection that every business is required to do.

[00:13:54] Dave Sobel And violations of that would be, you know, actionable, finable offenses.

[00:13:58] Dave Sobel So what would be your take on that?

[00:14:00] Steven Cook Sure.

[00:14:00] Steven Cook I mean, I think that would be a good thing.

[00:14:03] Steven Cook You know, they've already done it with HIPAA and other stuff.

[00:14:07] Steven Cook And you know, I know business owners especially don't like regulation.

[00:14:12] Steven Cook I don't like regulation necessarily either.

[00:14:15] Steven Cook But I think at some point you have to at least put some stuff in place just to protect the populace.

[00:14:24] Steven Cook You'll see it right now where banks are getting hammered.

[00:14:28] Steven Cook And then you'll go.

[00:14:30] Steven Cook I mean, you saw it with the CrowdStrike thing that happened, you know, that it hit all these airlines and banks and everything.

[00:14:37] Steven Cook And then one of the airlines, I forget which wasn't hit because they were still running Windows 3.1.

[00:14:45] Steven Cook And it's, you know, so, so it, the infrastructure is just so wide now that we have to put some kind of regulation.

[00:14:55] Steven Cook Even if it's a very, very baseline thing like two factor password policies.

[00:15:00] Steven Cook There has to be something to, to protect the populace.

[00:15:04] Steven Cook Otherwise there's, you know, there it's just going to keep happening with these cyber attacks and these data leaks.

[00:15:11] Steven Cook You know, you have to do something.

[00:15:14] Dave Sobel So it's interesting you bring up CrowdStrike because it's a great example of what an incident can do without actually being a security incident.

[00:15:22] Dave Sobel That was actually a quality issue.

[00:15:24] Dave Sobel So I'd really like to get your take on the liability of the software providers in this case.

[00:15:31] Dave Sobel So CrowdStrike's an easy example because it's very clear.

[00:15:35] Dave Sobel They shipped a not, they, they broke it.

[00:15:38] Dave Sobel It's their quality concern.

[00:15:40] Dave Sobel In the world of automotive, if you ship a defective car, you're liable for the repairs and the make good on it.

[00:15:48] Dave Sobel But in IT, if you ship a poorly functioning product, you actually have zero liability.

[00:15:55] Steven Cook Sure.

[00:15:56] Dave Sobel You aren't responsible for that, based on the structure we've done.

[00:15:59] Dave Sobel What's your take on that quality problem?

[00:16:02] Dave Sobel Jen Easterly at least has talked about it a lot at CISA.

[00:16:05] Dave Sobel What's your take on the quality problem in software?

[00:16:07] Steven Cook So I kind of have a hot take a little bit on this.

[00:16:10] Dave Sobel Okay.

[00:16:11] Steven Cook You know, I do think CrowdStrike has a certain, certain amount of risk.

[00:16:17] Steven Cook And they have a certain liability for that.

[00:16:20] Steven Cook However, I think the larger liability and the larger, not risk, but the larger fault, I guess, is for these companies not implementing technology in the way that across the industry, everyone knows it should be implemented.

[00:16:43] Steven Cook So no matter the sector, you talk to any managed service provider, you talk to any tech company.

[00:16:50] Steven Cook They will say you should not have automatic updates turned on from any vendor.

[00:16:56] Steven Cook You should, you know, no matter what size of your company or whatever, you know, you should, whether you have a test bed of servers, or if you have, you know, if you're a very small company, maybe you only have one laptop or something, you know, but you can.

[00:17:13] Steven Cook You know, you can test out these updates in a smaller area.

[00:17:17] Steven Cook And then if nothing goes wrong, then you can push them out, you know, within a week or two weeks or whatever it is.

[00:17:23] Steven Cook And that's kind of industry wide.

[00:17:26] Steven Cook You know, you go with Fortune 500 companies, they're, they're not, for the most part, just pushing all these updates out.

[00:17:33] Steven Cook They have a dev environment or a test environment.

[00:17:36] Steven Cook And then that's where they do their testing if they're updating their applications.

[00:17:40] Steven Cook And then they'll do a phased approach, and they'll push it out to maybe a small segment of production if everything goes well.

[00:17:47] Steven Cook And then if that goes well, then they push it out enterprise wide.

[00:17:51] Steven Cook And so I think it's a, it's a mix of fault.

[00:17:54] Steven Cook But so many companies are just, you know, turning on auto updates.

[00:17:59] Steven Cook And, you know, so, so I think it's, it's a mix there.

[00:18:03] Dave Sobel So my understanding is that the CrowdStrike product,

[00:18:06] Dave Sobel CrowdStrike requires the ability to do that, to be able to do real time requirements.

[00:18:12] Dave Sobel And the statement that's been made was that, you know, CrowdStrike was the one that chose not to do staggered rollouts and do testing there.

[00:18:20] Dave Sobel So you're advocating that that liability should be moved to the customer and the IT provider to be responsible for managing that risk of a quality concern coming out of CrowdStrike?

[00:18:33] Steven Cook So, so I'm not saying necessarily, um,

[00:18:35] Steven Cook So, so I'm not saying necessarily, um, like this CrowdStrike specific thing.

[00:18:38] Steven Cook So, so I'm not saying that, um, so for CrowdStrike, if they require, if they require you and their application does not allow you to, to do a phased approach like this, then of course, then, then they're liable.

[00:18:52] Steven Cook You don't, as an IT provider, as a company, then you don't have an option.

[00:18:57] Steven Cook So, so I think if, as a company or a manager service provider or whatever, if you decide not to do that, um, when the option is available, I think there has to be some give and take.

[00:19:17] Dave Sobel So, okay.

[00:19:18] Dave Sobel So, okay.

[00:19:18] Dave Sobel So again, I just want to make sure that I understand your position: you're saying that you believe that the IT implementer, either the customer or the customer's advocate, should assume the testing and quality control for the vendor's products?

[00:19:34] Steven Cook If they're implementing something that is not best practice.

[00:19:37] Steven Cook So, so industry wide, for example, it's a best practice to use a dev and test environment and then do a phased rollout.

[00:19:45] Dave Sobel So how would you know that, right?

[00:19:48] Dave Sobel So how would you know, how would you test the vendor to know that they are best practice compliant?

[00:19:55] Steven Cook Well, I mean, that, that depends on your vendor, right?

[00:19:58] Steven Cook So, so each company, you will, whether it's best practices for VMware or, or whatever you, as an IT implementer, you have to implement those.

[00:20:09] Steven Cook So, so whether, you know, it's just like any company, you need to work with the best practices

[00:20:14] Steven Cook So, so you need to do a set of best practices and put a set of best practices together.

[00:20:16] Steven Cook Now, there are some, some industry things that are just known, whether it's, whether it's in a framework or anything that's known that you should have, right?

[00:20:27] Steven Cook So, if you have a critical application, for example, you should have it set up in an HA, you know, so you don't have single points of failure and stuff.

[00:20:35] Steven Cook And that's the kind of things that, that you kind of have to do.

[00:20:41] Steven Cook There's some general best practices that everyone in the industry basically knows that you should do, but a lot aren't, whether that's because of cost, because of manpower, you know, there's lots of different kind of factors.

[00:20:54] Steven Cook But I think at some point, there has to be some give and take if you're not implementing in a structured way.

[00:21:03] Dave Sobel I'll definitely give it to you.

[00:21:04] It's a hot take.

[00:21:05] Steven Cook is the owner of Strategic IT Services, a cybersecurity company specializing in protecting businesses from digital threats.

[00:21:12] With nearly two decades of experience in the IT industry, Steven is dedicated to developing robust security strategies that safeguard sensitive information and ensure operational continuity.

[00:21:22] Steven, thanks for joining me today.

[00:21:24] Steven Cook No problem.

[00:21:25] Dave Sobel Looking to reach an audience of thousands of MSPs and IT service providers?

[00:21:31] Put your ad right here on The Business of Tech and be on the show that 64% of MSPs report having listened to.

[00:21:39] A recurring top 50 tech news podcast, there are affordable options for you to reach our audience and we can support any budget.

[00:21:47] Dave Sobel Podcast listeners are more engaged, have a higher level of brand retention and are more willing to listen to ads here than on any other avenue.

[00:21:58] Want to know more?

[00:21:59] There's information at mspradio.com slash engage, including a button to book a time to talk.

[00:22:07] I'm looking forward to that discussion.

[00:22:11] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.

[00:22:19] If you like the content, please make sure to hit that like button and follow or subscribe.

[00:22:24] It's free and easy and the best way to support the show and help us grow.

[00:22:29] You can also check out our Patreon, where you can join the Business of Tech community at patreon.com slash mspradio or buy our Why Do We Care merch at businessof.tech.

[00:22:42] Finally, if you're interested in advertising on this show, visit mspradio.com slash engage.

[00:22:49] Once again, thanks for listening to me and I will talk to you again on our next episode of The Business of Tech.

[00:22:58] Part of the MSP Radio Network.