Navigating Compliance Complexity: MSPs, Cybersecurity, AI, and Business Outcomes with Josh Hoffman
Business of Tech: Daily 10-Minute IT Services Insights · December 29, 2024
1509
00:15:24 · 14.23 MB

Host Dave Sobel engages in a thought-provoking conversation with Josh Hoffman, the Chief Revenue Officer at ControlCase. They delve into the complexities of compliance in the regulatory landscape, particularly in the United States, where a patchwork of state laws creates confusion for businesses. Hoffman emphasizes the challenges faced by clients navigating compliance requirements, highlighting the need for expertise and support, especially for Managed Service Providers (MSPs) who can play a crucial role in guiding their clients through these intricate processes.

Hoffman discusses the increasing complexity of compliance requirements, such as the new controls introduced by PCI DSS and the chaos surrounding the Cybersecurity Maturity Model Certification (CMMC). He advocates for a more streamlined approach, suggesting that the industry should work towards simplifying compliance standards to make it easier for businesses to understand and implement necessary measures. ControlCase aims to facilitate this process by offering tools that allow clients to "assess once, comply to many," thereby reducing the burden of compliance and enabling MSPs to monetize their services effectively.

The conversation shifts to the challenge of linking cybersecurity efforts to tangible business outcomes. Hoffman explains that while cybersecurity is often viewed through the lens of risk management, it is essential for businesses to recognize the value of a strong cybersecurity posture in protecting their reputation and client data. He encourages MSPs to communicate the importance of cybersecurity to their clients, particularly in industries like law and finance, where safeguarding sensitive information is paramount. By framing cybersecurity as a critical component of business credibility, MSPs can help clients understand the broader implications of their investments in security measures.

Finally, the discussion touches on the role of artificial intelligence (AI) in compliance and cybersecurity. Hoffman shares insights into how ControlCase is leveraging AI to enhance the efficiency and accuracy of compliance processes. He notes that AI can significantly improve the speed at which evidence is processed and assessed, ultimately benefiting both clients and MSPs. As the conversation concludes, Hoffman expresses optimism about the future of compliance and cybersecurity, emphasizing the potential for AI to transform the industry and make compliance more manageable for businesses.
💼 All Our Sponsors

Support the vendors who support the show:

👉 https://businessof.tech/sponsors/

🚀 Join Business of Tech Plus

Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.

👉 https://businessof.tech/plus

🎧 Subscribe to the Business of Tech

Want the show on your favorite podcast app or prefer the written versions of each story?

📲 https://www.businessof.tech/subscribe

📰 Story Links & Sources

Looking for the links from today’s stories?

Every episode script — with full source links — is posted at:

🌐 https://www.businessof.tech

🎙 Want to Be a Guest?

Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:

💬 https://www.podmatch.com/hostdetailpreview/businessoftech

🔗 Follow Business of Tech

LinkedIn: https://www.linkedin.com/company/28908079

YouTube: https://youtube.com/mspradio

Bluesky: https://bsky.app/profile/businessof.tech

Instagram: https://www.instagram.com/mspradio

TikTok: https://www.tiktok.com/@businessoftech

Facebook: https://www.facebook.com/mspradionews


Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

[00:00:01] Dave Sobel here at IT Nation Connect for another bonus episode. I'm talking with Josh Hoffman. He's the Chief Revenue Officer at ControlCase. Josh, thanks for joining me today.

[00:00:12] Oh, Dave, thanks for having me on. I've been looking forward to this. I appreciate the time.

[00:00:15] I appreciate you. I always like mixing it up a little bit, particularly in the compliance case, because I'm kind of intrigued by the dynamics there as we look at the regulatory market, because in the US in particular, it's very fractured, right? We have lots of vertical level laws, but we don't necessarily

[00:00:31] have a national privacy law, and then you end up with a mishmash of 50 states with different privacy laws. We have a different industry. Give me kind of your high-level assessment of the current state of compliance right now, late 2024.

[00:00:46] Sure. Well, first of all, it's painful. It's expensive. It's confusing for most clients to go through this process. Unless you have an army of internal people that are experts, you're probably staring this in the face and saying,

[00:01:00] what do I do next and how do I do it? And in the case of many clients, they're seeking expertise out there. And of course, we are an expert in that. But my purpose, one of my missions in life is to help MSPs learn how to monetize this.

[00:01:14] And MSPs can be the expert as the center of their technological existence. They have the ability to play a role in this and help them work through this huge challenge. And with the onset of more controls that are being required, PCI DSS has new controls that are coming out.

[00:01:30] But CMMC is creating an enormous amount of chaos. And that's a never-ending thing. It's just going to keep getting, candidly, probably more challenging.

[00:01:41] And our goal is to make it a little bit easier and hopefully make the process smoother. And less expensive would be my other goal.

[00:01:48] Well, that's fair. So I want to get a little bit of thought on the way this is playing out. Because you can actually dial up the knob on complexity so high that we become ineffective at it.

[00:01:59] Right. If we have so many at it, we know that this is happening a lot and we're comparing it to the cybersecurity insurance market.

[00:02:05] Yes.

[00:02:06] They're unable to really get their heads around anything because there's so many levels of standards and so many levels of it.

[00:02:12] Give me a little bit of a sense of the way ControlCase is thinking about the balance. Because we can talk about it in a broad opportunity sense, but we kind of probably got it too complicated.

[00:02:24] And if we simplify it a little bit, as an industry, we might be pushing for some simplification to apply, say, a privacy and a standard. Or we say, rather than having multiple centers, we roll out CMMC broadly.

[00:02:39] Give me a little bit of a sense of the way that you guys are thinking about that to find the right balance that's effective.

[00:02:45] Yeah. It's a really interesting question. And not an easy one to answer, by the way.

[00:02:49] But if you're on the client side of this, there's a couple things you have to consider.

[00:02:53] What must I be compliant with? And then what do I want to be compliant with?

[00:02:58] Because compliancy at times generates credibility for businesses and they're interested in making that investment because they look better to their clients.

[00:03:05] If you're on the MSP side, you're also thinking about the same things.

[00:03:09] Do I want to be compliant myself? Do I want to help my clients go on the journey?

[00:03:14] Historically, MSPs, and I say this with the most kindness because I've led an MSP practice before, they run screaming from this work because it's really hard to do.

[00:03:24] And that balance gets struck in how you apply the right expertise to it, how you apply the right tooling to it, and how you create an environment where maybe it doesn't have to be so hard.

[00:03:35] And you asked me specifically about how ControlCase thinks about it, so stepping past the sort of philosophical generic approach.

[00:03:42] Over the last 20 years, we've created an environment where clients can come in and we call it "assess once, comply to many," where you can do multiple different journeys at the same time.

[00:03:55] And the tooling that we've created allows them, or in the case of the MSP, to see where are you on the journey?

[00:04:01] How does the evidentiary overlap actually fit into the puzzle?

[00:04:05] Can I make things easier because I can answer one question and apply it to three different things?

[00:04:11] Can I save time and money by doing that?

[00:04:13] And so our mission is to try and make this easier, a little bit more digestible, and to create a collaborative team environment where not only within the tool,

[00:04:22] but just literally where the client, the MSP, and our team can actually go through the journey together.

[00:04:29] One of the things that makes ControlCase a little bit different is that we're able to go through the readiness, the assessment, the audit, and the literal certification process across 65-ish different areas of compliance.

[00:04:43] And we've made commitments to our MSP partners about how we'll work with them to make sure that they're able to monetize it and save their clients money.

[00:04:52] And that's a pretty compelling thought, not only for the MSP, but also for the client.

[00:04:59] I have my center of excellence that can take me through this.

[00:05:03] And so we're trying to do something that, candidly, I think is a bit disruptive in this marketplace.

[00:05:07] Okay.

[00:05:08] So help me reconcile something that I kind of struggle with when I look at cybersecurity products.

[00:05:13] One of the things that has become very much a theme is that we're looking to help customers with business outcomes.

[00:05:19] Yes.

[00:05:20] And for most technological investments, I can measure that very clearly in like an ROI.

[00:05:26] For example, if I help a membership organization with their back end and do digital transformation, we can onboard more membership and we can drive revenue.

[00:05:35] It's very ROI driven.

[00:05:37] One of the struggles of cybersecurity is that it's actually risk management rather than a ROI driven.

[00:05:44] Right.

[00:05:44] How do you find that having those conversations worked more effectively when it's risk management and you're trying to tie it back to business outcomes?

[00:05:53] Yeah.

[00:05:54] I had this sort of good fortune of having spent time at a handful of different companies, one of them being Palo Alto Networks, where I spent five years there and found my love of cybersecurity.

[00:06:03] And what it can do to help make the world a little bit safer.

[00:06:07] And risk management really is sitting at the top of that food chain.

[00:06:10] It's a board level conversation about how are we going to make sure that we protect the house?

[00:06:14] What are we going to do to make sure we're not ransom hacked?

[00:06:17] To make sure that we maintain our credibility in the marketplace.

[00:06:19] To make sure that we're protected in every way that we need to be.

[00:06:22] And the MSP's part of that process is obviously very significant.

[00:06:25] They're deploying numerous sets of tools, controls, products, and services to make sure that their clients are well detected.

[00:06:32] And as you pick that apart and move it into how do we get into something that's actually going to help people either make money or save money and not just feel like they're spending money against this.

[00:06:42] It's really easy for us to see that on the MSP side.

[00:06:45] And we know how we can help them monetize those services to create better evidentiary overlap and create an environment where they're going to make a little bit of money and they're going to save their clients money.

[00:06:55] Everybody wins.

[00:06:56] It's incredibly symbiotic, including for the cybersecurity providers.

[00:06:59] If you take a look at it on the client side, there is a way for them to start thinking about this in terms of if I have the right tools, the right services, and the right provider in the mix, I might actually save money inside of the process.

[00:07:12] So if I can create an environment where I'm able to use all of this information that's being gathered in the process of protecting them to serve another purpose, there is another benefit inside of that.

[00:07:22] And so when I take a look at the types of alliances that we build as an organization, we're looking for cybersecurity tools and other types of tools that have that evidence overlap with what we're looking for.

[00:07:34] Let's try and make this easier and save people some money.

[00:07:37] We can do that.

[00:07:38] It's an interesting mission.

[00:07:39] So do you have a case study that really latches out that you can make that crystallize?

[00:07:44] Because it sounds good, but I'm struggling a little bit to make that concrete in my head.

[00:07:49] Is there a great case study that you think about as an example?

[00:07:51] There is.

[00:07:52] And so I'm not going to publicly share names, but let me use an example of somebody that has a fantastic booth sitting here today.

[00:07:58] Okay.

[00:07:59] We, our clients, and we've been direct for a lot of these years, and so a lot of our clients are direct, although we're moving much more significantly into the MSP services orientation, and we can talk about that if you like.

[00:08:10] The opportunity for us to use the evidence that this particular tool is gathering to provide a significant amount of the evidence that we need to collect across those controls and across the environment, we're literally doing that today.

[00:08:26] It's part of the puzzle, and so when we take a look at what a client's using, we can measure what percentage of the requirements are being met because of this particular tool or service that's being provided.

[00:08:38] And the example that I'm using today, we know that 5% of what we need inside of the SOC 2 work that we're doing for this particular client is being covered by this one service.

[00:08:48] That's a pretty amazing thing to have happen.

[00:08:51] It's saving time and money in a couple of different ways.

[00:08:55] But I think what I'm struggling with is, is I'm trying to move that out of the pure save time and money within the cyber realm and move it into their broader business outcomes.

[00:09:04] So I'm talking with a small business owner there, a law practice, a bunch of lawyers working together, a bunch of paralegals, and I'm trying to link cybersecurity to their business outcomes.

[00:09:17] How do you best recommend doing that position?

[00:09:20] Well, if I was a law firm today, I would be touting our cybersecurity posture as being a protector of the key data that's a part of almost every service-oriented relationship with a client on their side.

[00:09:32] If they don't have that information protected, I mean, it's not a day goes by that we don't hear about a hack, that we don't hear about information being fired off to the dark web, that we don't hear about something being shared with the public that shouldn't be shared.

[00:09:44] If I'm a law firm of all the things in the world, an accounting firm, any sort of professional services firm, financial planning, wealth management, the last thing you want to have is the reputation of not protecting that information.

[00:09:56] And more and more clients are asking them, what are you doing to help save my information?

[00:10:00] What are you doing to make sure that our relationship is as protected as it should be?

[00:10:05] I think it's a key business principle that they have to live up to.

[00:10:08] And so as they work through the cybersecurity posture and then let that drift into the compliance posture where there's regulatory bodies that are forcing these organizations to be compliant in certain areas, the overlap there becomes significant.

[00:10:21] And hopefully that answers your question a little bit more deeply.

[00:10:23] Yeah, it does. I will freely admit that in regulated industries, because there is financial penalty, I am completely on board.

[00:10:31] I think I'm challenging a lot of cybersecurity people to say is this.

[00:10:35] I'd like to actually get more specific with your examples on reputational damage.

[00:10:38] Yeah.

[00:10:39] Because they happen so often to everybody all the time that I think it's become noise.

[00:10:44] And I'm not convinced that reputational damage actually happens at Edmund.

[00:10:50] Yeah.

[00:10:50] And I think one of the things that I want us as an industry to be challenging a little bit more is that core assumption to make sure that we are actually resonating with clients over pain they're having versus perceived pain.

[00:11:03] And I worry about that being a thing.

[00:11:06] Well, you certainly hear about it more in the negative than you do in the positive.

[00:11:09] And if you're one of the big name law firms, for example, sitting out there, you have to pay attention to this.

[00:11:15] The last thing you need to do is be on CNN.

[00:11:17] Right.

[00:11:17] And somebody's trying to figure out, oh, my gosh, should I go to this law firm or not?

[00:11:21] You don't want to be those people.

[00:11:23] Well, that's fair.

[00:11:24] But to be fair, most people will forget three days later who they saw on CNN.

[00:11:28] That may very well be true.

[00:11:30] Now, I want to dwell here, so I'm going to ask one little area that I'm kind of interested in is, and I admit I've managed to go most of the conversation without ringing up AI.

[00:11:38] But I am curious to see what you're thinking the role of AI is going to have with compliance, particularly because it feels like an area where there's a lot of potential impact.

[00:11:49] Are you seeing it already or is it more built into the vision?

[00:11:52] The answer is yes, we are seeing it already.

[00:11:55] And we're a much larger, broader, deeper compliance firm than most.

[00:11:59] And so we have made key investments in AI-based technology and process that's allowed us to process evidence at a faster rate, more efficacy, better accuracy.

[00:12:10] And we continue to grow the population of controls and pieces of evidence that we can actually assess appropriately with AI.

[00:12:18] That is going to make a big difference, not just for us, but also for the clients and the MSPs, as we can take that information and gather it into a process that can, you know, with some level of automation.

[00:12:29] And in some cases, it's almost 100% automation can, to a degree, say this satisfies the need.

[00:12:36] That's going, that population is going to continue to grow.

[00:12:38] It's incredibly relevant.

[00:12:40] And I only see this becoming a super positive for us, for the MSPs and for the clients.

[00:12:46] I would think you guys have really good experience on what the models do really well and what they don't.

[00:12:50] Are there any particular insights on what it's doing really well?

[00:12:53] Well, the answer is, is that some of it I'll share and some of it I won't.

[00:12:57] So just being candid about it, some of it is relevant to our own IP.

[00:13:02] But the fact is, is that AI does have the ability to read information incredibly well.

[00:13:08] It has the ability to process that information at a faster rate.

[00:13:11] And it has the ability to take a set of rules that are sitting out there and apply that information against those rules with automation.

[00:13:19] Now, that's going to continue to grow.

[00:13:21] So the reality is we're seeing it today.

[00:13:24] There is part of our process that is AI driven, but it's going to continue to grow.

[00:13:28] I expect it to be a fantastic part of what we do.

[00:13:31] Well, Josh, this has been fascinating.

[00:13:32] I've learned a ton today.

[00:13:33] Really appreciate you sitting down and chatting with you.

[00:13:35] Yeah, thanks.

[00:13:35] I really appreciate it.

[00:13:36] Thanks for having me on.

[00:13:39] Are you ready to get your brand in front of the tech leaders shaping the future of managed services?

[00:13:45] Here at The Business of Tech, we offer flexible sponsorship opportunities to meet your needs.

[00:13:50] Whether it's live show sponsorship, podcast advertising, event promotion, or custom webinars.

[00:13:56] From affordable exposure options to exclusive sponsorships, our offerings are designed to fit businesses and vendors of all sizes looking to make an impact.

[00:14:06] Prices start at just $500 per month, making our packages a fraction of typical event sponsorship costs.

[00:14:14] Be a part of the conversation that matters to IT service providers worldwide.

[00:14:20] Join us at MSP Radio and amplify your message where it counts.

[00:14:25] Visit MSP Radio dot com slash engage today to explore all the ways we can help you grow.

[00:14:32] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines, posted at businessof.tech.

[00:14:42] If you like the content, please make sure to hit that like button and follow or subscribe.

[00:14:47] It's free and easy and the best way to support the show and help us grow.

[00:14:52] You can also check out our Patreon where you can join the Business of Tech community at patreon.com slash MSP Radio or buy our Why Do We Care merch at businessof.tech.

[00:15:05] Finally, if you're interested in advertising on this show, visit MSP Radio dot com slash engage.

[00:15:12] Once again, thanks for listening to me and I will talk to you again on our next episode of the Business of Tech.

[00:15:21] Part of the MSP Radio Network.