Navigating Compliance, Cybersecurity Investment, & Decision-Making w/ Jared Casner
Business of Tech: Daily 10-Minute IT Services Insights, December 30, 2024
1510
Duration: 00:18:44 (17.28 MB)


The discussion begins with Jared Casner sharing his journey into the channel, highlighting a pivotal shift from direct sales to working with Managed Service Providers (MSPs). Initially targeting small businesses with a compliance-as-a-service platform, Jared and his team quickly realized the importance of MSPs in deploying their solution effectively. This realization led them to invest time in understanding the channel, attending conferences, and learning from their MSP partners.

Jared elaborates on the challenges small businesses face regarding compliance and security, drawing from his extensive experience as a CTO in finance and healthcare. He emphasizes the pain points he encountered while building security programs from scratch and the lessons learned along the way. The conversation reveals that the genesis of Blacksmith InfoSec stemmed from a desire to create software that simplifies compliance processes, making them more accessible and affordable for small businesses.

The episode delves into the concept of viewing security as an investment rather than a cost. Jared explains how early investments in security can lead to long-term benefits, akin to a 401k approach. By embedding security into the organizational culture, businesses can foster a proactive mindset among employees, reducing the likelihood of security breaches. This proactive approach not only mitigates risks but also enhances operational efficiency, allowing businesses to respond more effectively to compliance demands and potential threats.

As the discussion progresses, Jared shares insights into risk management and the importance of tailored solutions for different businesses. He discusses the need for a scoring system that helps organizations understand their risk levels and prioritize compliance efforts. By providing a phased compliance roadmap and risk assessments, Blacksmith InfoSec aims to empower MSPs to guide their clients in making informed decisions about their security investments. The episode concludes with Jared reflecting on the decision-making framework that drives their product development, emphasizing collaboration and strategic planning to meet the evolving needs of their partners and clients.


[00:00:01] Dave Sobel here with another bonus episode at IT Nation Connect.

[00:00:06] Where are you going?

[00:00:07] I was looking at that camera.

[00:00:09] Dave, you were looking on the-

[00:00:10] Sorry, thanks for the reset. I got it.

[00:00:14] Without saying that.

[00:00:15] Alright, get ready, let me start to look at this camera.

[00:00:18] Oh, cool.

[00:00:20] Dave Sobel here with another bonus episode at IT Nation Connect.

[00:00:24] I'm talking with Jared Casner, the co-founder of Blacksmith InfoSec.

[00:00:29] Jared, thanks for joining me today.

[00:00:30] Thanks for having me on.

[00:00:31] Now, one of the things that really fascinated me about your story was actually, as we were talking beforehand,

[00:00:35] was you gave me a little bit of perspective of your journey into the channel.

[00:00:38] Now, I don't want to spend a ton of time here, but you did a pivot after going direct with customers

[00:00:43] and learned a little bit about that interaction.

[00:00:45] Just give me the quick version of that to set the stage.

[00:00:47] Jared: Yeah, the quick version is we built a product to go direct to business,

[00:00:50] really thinking about where we were in our careers 10 years ago and targeting that space.

[00:00:56] Sold it into a handful of customers, mostly former employers of ours and friends of ours.

[00:01:00] And every one of them immediately, they'd get kind of step one, got this.

[00:01:05] Step two, uh-oh.

[00:01:07] And bring their MSP in.

[00:01:09] As soon as they brought their MSP in, the MSP started looking at the platform and saying,

[00:01:11] ooh, this is really nice.

[00:01:13] Now what?

[00:01:14] How do I deploy this to the rest of my customers?

[00:01:15] And so we had to build out multi-tenancy and white labeling and the things that an MSP needs to be able to deliver services.

[00:01:21] But realistically, while we had used MSPs in the past as CTO of healthcare companies,

[00:01:26] and my co-founder was a vCISO who worked very closely with MSPs for a long time,

[00:01:32] we didn't ever think about the channel.

[00:01:34] I had never heard anybody talk about the channel before.

[00:01:37] And so we had to spend the last, we spent six months after that learning and growing and going to conferences

[00:01:43] and kind of sneaking our way in as non-paying vendors to just learn and ask questions and kind of have a listening tour.

[00:01:49] So we could understand what the channel was and learn from our MSP partners and grow and build from there.

[00:01:56] Yeah, I want to take the quick step back for the listeners to understand.

[00:01:59] So you've got a compliance as a service platform.

[00:02:00] You're focused on helping solutions.

[00:02:02] You've identified that, hey, this is a problem.

[00:02:04] Small businesses have this problem and so we're going to go after it.

[00:02:07] And you've been on a bit of that entrepreneurial journey of like, hey, I've identified the product.

[00:02:11] Yeah.

[00:02:11] And I go out to the customers and oh, wait a second, it's not quite the way that it is.

[00:02:14] And what I kind of wanted to talk to you a little bit here was,

[00:02:17] is let's take the moment of the thinking about the problem for a moment.

[00:02:21] You've identified compliance.

[00:02:22] Tell me like the how you isolated the problem that small businesses had.

[00:02:27] Like, give me a little bit about that experience.

[00:02:29] Pain.

[00:02:30] Lots of pain, poor life choices.

[00:02:33] So I spent the last 10 years as head of engineering or CTO at finance and health care companies.

[00:02:38] And every time I'd come into a company, I'd say, oh, hey, we have social security numbers or we have PHI.

[00:02:43] What are we doing to secure that?

[00:02:45] Security.

[00:02:45] Security.

[00:02:46] Okay.

[00:02:46] I guess I'll go build a security program.

[00:02:48] I built a security program from scratch at half a dozen early stage startups and kind

[00:02:55] of went through that journey and had to learn along the way and learned some pretty painful

[00:02:58] lessons along the way.

[00:02:59] My co-founder came at it more from the traditional IT side of things, grew into cybersecurity and

[00:03:04] then spent a number of years as a vCISO before he joined me at a health care company where

[00:03:08] I was running engineering and he was running IT and cybersecurity.

[00:03:13] That company filed chapter 11.

[00:03:15] Okay.

[00:03:16] As head of IT and cybersecurity, he was the last man standing, asked to lock the door and turn

[00:03:20] off the lights on his way out.

[00:03:22] And as he was starting to interview and had gotten that transition pretty close to the finish line

[00:03:27] and we're starting to interview, he and I were talking and said, hey, what are you going to do when you get that next job?

[00:03:33] Well, I'm probably going to go build another security program.

[00:03:35] Oh, for the 400th time?

[00:03:37] Cool.

[00:03:38] Lucky you.

[00:03:39] And he said, yeah, it would be nice if there was some software out there that could do this

[00:03:41] for me.

[00:03:42] And so, oh, actually, why isn't there software to do this for you?

[00:03:45] And so that was really the genesis for the idea was we'd both always wanted to be entrepreneurial

[00:03:51] and we both have been in small business.

[00:03:54] I've been first non-founder employee at a number of startups along the way.

[00:03:59] All right, let's go do this.

[00:04:01] Let's take the plunge.

[00:04:02] And so that was really sort of the genesis of the idea.

[00:04:06] Why compliance?

[00:04:07] Again, poor life choices ten years ago in our careers led us to believe that this should be a solvable problem,

[00:04:14] that software can make things easier.

[00:04:16] And realistically, building a compliance program at a small business should not be as expensive as it is today.

[00:04:24] It should be more accessible so that more companies can get involved.

[00:04:28] And we've sort of taken the 401k style approach to this where if you start to invest in your compliance and security program early on,

[00:04:35] small amounts of money will reduce your total cost of ownership over time.

[00:04:38] Now, okay, so that's an interesting approach to it because I've not heard it described that way.

[00:04:42] Tell me a little bit more of the way you're thinking about that security as an investment.

[00:04:47] Tell me a little bit more of that.

[00:04:48] Yeah.

[00:04:52] So you've been an MSP before, right?

[00:04:54] I have.

[00:04:54] Yeah.

[00:04:54] So as you're building out your MSP, standardizing services, building playbooks, things like that, those create operational efficiency.

[00:05:02] Those become part of the culture of your organization and the way you deliver services.

[00:05:06] The same thing is true in security, right?

[00:05:08] If you start to invest in the security early on in your organization and you have security kind of baked into the culture, guess what?

[00:05:15] That starts to pay dividends over time because now people don't just understand the letter of the law.

[00:05:19] Don't click on that link.

[00:05:21] They understand the spirit of the law.

[00:05:22] Why am I not supposed to click on that link?

[00:05:23] Why am I supposed to look at this and understand, right?

[00:05:27] And so now all of a sudden people start to think about things a little bit more proactively.

[00:05:32] And so when the next, when the text message comes, right?

[00:05:36] We all remember the first email phishing campaigns were pretty mediocre.

[00:05:40] And then they got more sophisticated and now all of a sudden we start getting texting campaigns.

[00:05:44] And the first texting campaigns, oh man, my boss just texted me.

[00:05:47] I better go buy that gift card.

[00:05:49] But if you understand the spirit of the law, hang on a second.

[00:05:52] I don't know this phone number.

[00:05:53] That's probably not Dave texting me asking for gift cards.

[00:05:55] Right, so getting that culture ingrained in early allows it to be an investment in the future of your business.

[00:06:02] Likewise, your security policies, your procedures, those become the operational efficiency that help your business run faster.

[00:06:08] And again, if you wait until a customer says, hey, we need you to be SOC 2 compliant.

[00:06:13] Or you get popped and all of a sudden you're dealing with a breach.

[00:06:17] Or a new legislation is passed that says, hey, all of a sudden you're dealing with DOD subcontractors

[00:06:22] and you need to be CMMC compliant.

[00:06:25] Uh-oh.

[00:06:26] Now no amount of money is going to be enough to get you to that, right?

[00:06:29] You just have to throw money away to get to that compliance.

[00:06:32] And it's a huge change management cost.

[00:06:34] It's a huge amount of friction on your business.

[00:06:36] We're trying to simplify that by small steps early, allow you to make those changes over time and really make that change management a lot easier.

[00:06:46] Help me then understand a little bit because obviously knowing that analogies start to break down if we push them too far.

[00:06:51] Of course, yeah.

[00:06:52] I'll switch analogies on you.

[00:06:53] It'll be fine.

[00:06:54] But I like talking about this one because it's a different way of approaching it.

[00:06:57] I'd like to explore the idea a little bit more.

[00:06:59] One of the struggles that I have with cybersecurity investments, even in a broad sense,

[00:07:04] is that if I know if I, on a typical say digital transformation project, I know that if I spend money on innovating,

[00:07:11] I can improve operational efficiency by 30% and in the end I can see an improved ROI on my revenue line item.

[00:07:20] Or I can show it in reduced cost of goods sold.

[00:07:22] Like I know I can directly tie it.

[00:07:24] Security is a struggle because my favorite joke on this is that I can give a security person infinite money and they still promise me nothing.

[00:07:33] So I like to understand a little bit about how you're framing it.

[00:07:36] If it is an investment, how do I measure that return when I'm not necessarily sure the security journey that I'm on?

[00:07:43] Yeah.

[00:07:44] Well, and so you're right.

[00:07:45] You can give me an infinite amount of money and I can't secure your business.

[00:07:48] Right.

[00:07:49] Why not?

[00:07:49] Because guess what?

[00:07:52] The attackers will always be a step ahead of me.

[00:07:53] There will be a vulnerability or zero day that I haven't figured out or haven't patched yet or whatever.

[00:07:56] So there's going to be a way in.

[00:07:58] And so what we can do though is mitigate risk.

[00:08:02] And so when you start reframing it as a risk mitigation, right?

[00:08:05] There's a reason you don't go buy a helicopter, not least of which is your wife will probably, well that's the conversation between your wife.

[00:08:11] Right.

[00:08:12] But at the end of the day, it's about understanding the risks to your business and being able to make pragmatic decisions along the way.

[00:08:19] Now I get the risk management.

[00:08:21] What I actually want to get is a little bit of the subtle, how to position and talk about that.

[00:08:25] Yeah.

[00:08:25] Because if we get into the risk management conversation, we have to figure out like where the point of actual investment makes the most sense.

[00:08:32] Right?

[00:08:32] Because there is diminishing returns on getting the 90th percentile, 95th percentile, whatever it is.

[00:08:39] So give me a little bit of the way that you frame this.

[00:08:42] Particularly, you're doing product development teams.

[00:08:44] You've got to make, you're probably doing something along scoring.

[00:08:47] And give me a sense of the way that you tackle that problem.

[00:08:50] Yeah.

[00:08:51] So we, I mean, we sort of do it for you in some ways, right?

[00:08:54] Okay.

[00:08:54] So first of all, we're giving you the risk scores for each of the different items in our compliance roadmap.

[00:09:00] We're giving you the compliance roadmap that is by the way, phased out.

[00:09:02] So you know, you're essentially the must do's, the should do's, right?

[00:09:06] And making that easier to have those conversations.

[00:09:08] And so when you get to the tier three, tier four items, you can start to have a conversation with a customer like, yeah, you really should do those eventually.

[00:09:16] But it's okay to punt on those for a little while.

[00:09:18] And here's why.

[00:09:19] And let's talk about, and more importantly, being able to work, we're putting the language in there that says, here's what this risk actually means.

[00:09:25] And so if you're, if you're making a widget, and you don't have, and so now you have a factory, and if you don't have physical controls in your factory, there's a risk that somebody breaks in.

[00:09:35] And so you want to make sure you have enough physical controls there, locks and cameras and things like that to make sure that your factory is protected.

[00:09:41] Because if the factory goes down, you're losing out on, there's an opportunity cost.

[00:09:46] If you don't have a factory, if you don't have an office to have physical controls on, why bother with those, right?

[00:09:54] Like your ring doorbell camera might be enough physical security for your home office to say, I don't need a whole lot more, right?

[00:10:01] And so being able to have those pragmatic conversations, and again, it's your point.

[00:10:06] It's finding that 90th percentile and being able to have a pragmatic conversation with your customer that says, maybe you don't need to go that extra step, or at least not yet.

[00:10:14] You've hit on it exactly the area I want to explore, and thank you for the example.

[00:10:18] So if I think about, and because what I want to get to is just kind of your philosophy of scoring almost, is I want to understand a little bit about the way that you're approaching that.

[00:10:26] Because if I think we all want to get 100%, right?

[00:10:29] Like the ideal best way is to present this kind of information is, hey, you've achieved enough risk mitigation that makes sense.

[00:10:36] But that means different things for different people.

[00:10:39] And, you know, we want to make it achievable.

[00:10:42] We want to make it something that they can comprehend, and those scenarios are all different.

[00:10:47] How are you thinking about that scoring to make that tangible and relevant for the right people?

[00:10:53] Yeah, and so real quickly, I'll kind of start at the, something you said in the middle there, which is some people need to be 100%, right?

[00:11:00] If you're CMMC, if you want to do a SOC 2 and have a third-party auditor, you need to be at 100%.

[00:11:07] Well, actually, you've hit on a great example.

[00:11:10] So if you need to be those things.

[00:11:12] But by the way, there's also 100% for the small antique store, right?

[00:11:18] That needs to have some level.

[00:11:19] There's 100% that is defined differently for them.

[00:11:22] That's what I'm trying to understand is I want to get, and it really is like a philosophy of scoring.

[00:11:27] Yeah.

[00:11:27] Like how are you thinking about that 100% is important to each person, but the 100% means something different?

[00:11:33] How do you think about that?

[00:11:35] Yeah.

[00:11:35] So this is a great question.

[00:11:37] And this is a piece that honestly we're still working on from a product development standpoint.

[00:11:41] Right?

[00:11:41] So there's a couple of different lenses to look at that, right?

[00:11:43] So there's the risk scoring itself, which is we're right now using the classic X times Y.

[00:11:52] So likelihood times impact.

[00:11:54] How likely is something to happen versus what is the impact if that happens, right?

[00:11:57] Again, I'll use that helicopter example.

[00:11:59] Dave buys a helicopter.

[00:12:00] The likelihood of that happening?

[00:12:02] One out of five, right?

[00:12:03] Right.

[00:12:03] Very low probability that you're going to go buy a helicopter.

[00:12:05] Right.

[00:12:05] However, if you bought a helicopter, the financial impact to your business would be pretty significant.

[00:12:10] Right.

[00:12:10] So maybe it's a one and a five.

[00:12:12] Okay.

[00:12:13] So it's pretty straightforward.

[00:12:14] There are other things, if you don't have MFA enforced across the board, guess what?

[00:12:18] The likelihood that somebody's going to get a phishing email and accidentally click on a link, whether they intend to or not,

[00:12:23] if they don't have MFA, the impact could be catastrophic.

[00:12:27] And so that's going to be the five by five.

[00:12:29] There are some other risk scoring methods that we're looking at.

[00:12:31] The Fair Institute has some great stuff that we're exploring and figuring out how to kind of bring some of that in.

[00:12:36] The way that things are scored today is based on our decades of experience as vCISO and head of engineering and CTO, right?

[00:12:43] Sure.

[00:12:43] So it's the things that we've seen and the ways that actually impact things.

[00:12:46] But at the end of the day, again, it's about as an MSP being that trusted advisor and having that conversation with your client that says,

[00:12:52] you know, we're going to go in and now we're actually going to tweak this, your risk register.

[00:12:56] We're going to look at this with you and we're going to say, all right, physical controls on your office space.

[00:13:00] Guess what?

[00:13:01] You have your office space is a desk and a filing cabinet really just as a secretary to answer the phone or an office manager to answer the phones.

[00:13:12] But everybody else is remote.

[00:13:13] It's having that physical presence just so you have an address that you, yeah, look, we have a corporate downtown New York headquarters.

[00:13:18] It's one room and a wee one, right?

[00:13:20] Right.

[00:13:21] So your physical controls, the likelihood of it or the impact of anybody breaking into that space is going to be a one.

[00:13:26] And so being able to have those, and so being able to adjust that along the way so that, again, you can focus on that.

[00:13:31] But what we're asking the MSPs to do is have those conversations about what is it.

[00:13:37] And so there is some product development work that we need to do to make it a little bit easier to kind of ask those questions

[00:13:42] and drive that conversation to drive down the risk score in the areas that should be moved to the bottom of the list that, you know, again, risk score or the physical risk.

[00:13:50] Right.

[00:13:51] In the pre-COVID days, physical risk for office controls may be a little bit higher than they are today.

[00:13:56] And now that Amazon is forcing everybody to come back to the office five days a week and starting in January, I think, right?

[00:14:02] Other companies are going to follow suit, so maybe the physical control has become more important again.

[00:14:06] Right.

[00:14:07] We'll have to – there will be some exploration there.

[00:14:09] But anyhow, a long way of saying let's get – putting the MSP in the – giving them the tools and putting them in the driver's seat or the passenger seat

[00:14:17] to be that trusted advisor, the co-pilot.

[00:14:19] Yeah.

[00:14:19] To drive those conversations is important.

[00:14:21] It's the customization bit, allowing them to work on that.

[00:14:24] And all that customization is available in the product today, but it's – there's the product development lens to it is how do I make this easier for them to have that conversation?

[00:14:34] And ideally, move that conversation down to the level two tech or the IT project manager to have that conversation.

[00:14:40] So now I can deliver that service as an MSP at a fraction of the cost of having a vCISO that thinks about risk on a daily basis.

[00:14:48] It's hundreds of dollars an hour versus $60 an hour.

[00:14:50] It's a big difference in my cost as an MSP.

[00:14:53] And so that's what we're really trying to drive towards is lower the cost of investment from an MSP standpoint.

[00:14:59] Gotcha.

[00:14:59] Now I want to ask something that's a bit of a philosophical question to wrap it up, but I find it's really helpful to talk with people that are – entrepreneurs that are focused on this to get a bit of a lens of the way you think about this.

[00:15:09] How do you think about the framework of decisions?

[00:15:12] You know, you're having to make – you've made some pivot decisions to make that.

[00:15:16] You're making product decisions on a regular basis.

[00:15:18] You've got to make hiring decisions.

[00:15:20] Give me a little bit of like your framework for making decisions and how that works.

[00:15:24] Yeah.

[00:15:26] So there's a couple of things that I look at.

[00:15:28] And I'll talk about some different philosophies because there's – it sort of depends on the decision, but there's a great book, Thinking in Bets by Annie Duke.

[00:15:36] She was a professional poker player with a PhD and fabulous book, but it's really – sometimes it's just making a bet, right?

[00:15:43] Okay.

[00:15:44] I think 51% chance that this is going to be the right way to go.

[00:15:47] So let's make the bet.

[00:15:48] We'll make the decision.

[00:15:49] Sometimes we're going to get it right, but it's – there's a great aspect of the decision-making process that's kind of baked into Annie's philosophy of how you should be thinking about those bets and how you should be evaluating.

[00:16:02] Just because you got the bet wrong doesn't mean that it was a bad bet.

[00:16:05] And so I encourage anybody to read that one.

[00:16:09] So that's part of it.

[00:16:11] Some of it is just raw intuition, right?

[00:16:14] Again, it's sort of that model, but I've done this enough times.

[00:16:20] Some of it is having conversations with our partners and understanding what they need.

[00:16:26] But, you know, again, I think as I look at the decision-making process, it's very much sit down with my partner because he's my partner and think through what is it going to take to get there.

[00:16:38] We do a really good job of talking about the where we want to be in five years from a product lens, and then it's working backwards from that a lot of ways to, all right, what are the steps to get there so we make sure we can get something useful and actionable today that will help us take the next step and the next step and the next step and give enough value to our partners and to their clients that we can continue to keep them excited and engaged in our product and continue to drive that forward for us.

[00:17:00] Yeah, cool.

[00:17:00] Well, Jared, this has been fun.

[00:17:01] I've really enjoyed chatting with you.

[00:17:03] Thanks for joining me today.

[00:17:04] Yeah, thank you for having me.

[00:17:06] Thank you.


[00:17:54] The Business of Tech is written and produced by me,

[00:17:57] Dave Sobel, under ethics guidelines,

[00:17:59] posted at businessof.tech.

[00:18:01] If you like the content,

[00:18:03] please make sure to hit that like button

[00:18:05] and follow or subscribe.

[00:18:07] It's free and easy

[00:18:09] and the best way to support the show

[00:18:10] and help us grow.

[00:18:11] You can also check out our Patreon

[00:18:14] where you can join the Business of Tech community

[00:18:16] at patreon.com slash MSP radio

[00:18:19] or buy our Why Do We Care merch

[00:18:22] at businessof.tech.

[00:18:24] Finally, if you're interested in advertising on this show,

[00:18:28] visit mspradio.com slash engage.

[00:18:31] Once again, thanks for listening to me

[00:18:34] and I will talk to you again

[00:18:35] on our next episode of the Business of Tech.

[00:18:40] Part of the MSP radio network.