Navigating Cybersecurity Gaps: MSP Challenges, CMMC Impact, & Vendor Responsibilities w/ Wayne Selk
Business of Tech: Daily 10-Minute IT Services Insights
November 11, 2024
1459
00:26:34
24.45 MB

Wayne Selk from CompTIA joins host Dave Sobel to focus on the current state of cybersecurity and the challenges faced by Managed Service Providers (MSPs). They delve into CompTIA's recent state of cybersecurity report, which highlights a significant gap between cybersecurity investments and the outcomes achieved. This disconnect raises critical questions about how MSPs can better align their efforts with business objectives to ensure effective cybersecurity practices.

Wayne emphasizes the importance of education and training for individuals within the cybersecurity field, noting that many professionals struggle to find the right resources to enhance their understanding of cybersecurity nuances. He points out that while annual security awareness training is beneficial, there is a need for more targeted training that addresses the specific roles and responsibilities of individuals within an organization. This lack of clarity contributes to the broader issue of MSPs not fully grasping the business outcomes they should be aiming for in their cybersecurity strategies.

The discussion also touches on the perception of cybersecurity among professionals, with only 25% feeling optimistic about its direction. Wayne argues that many MSP owners come from a purely technical background, lacking the business acumen necessary to develop effective risk management programs. He stresses the need for MSPs to work on their business objectives and create comprehensive business plans that align with their cybersecurity goals. By doing so, they can better prioritize their investments and training efforts, ultimately leading to improved outcomes.

As the conversation progresses, Wayne and Dave explore the implications of upcoming regulations, such as CMMC 2.0, and the need for vendors to adopt secure-by-design and secure-by-default practices. They discuss the importance of accountability in the software development process and the potential for regulation to drive change in the tech industry. The episode concludes with a call to action for MSPs to embrace foundational cybersecurity practices and leverage available resources to enhance their understanding and implementation of effective cybersecurity measures.

 



[00:00:02] Well, as we're coming off Cybersecurity Awareness Month, I had the opportunity to talk to Wayne Selk of CompTIA on a number of topics, including their State of Cybersecurity Report, what's going on around the perception of cybersecurity, and what we need to know to think about what the future is on this bonus episode of The Business of Tech.

[00:01:18] Well, Wayne, thanks for joining me today.

[00:01:20] Hey, Dave, I'm happy to be here.

[00:01:22] I don't think I've ever been on a podcast with you.

[00:01:25] I think this is our first time, so it'll be good fun.

[00:01:27] So let's start.

[00:01:29] I'm going to start with a sort of broad scope.

[00:01:31] You know, CompTIA has recently published their State of Cybersecurity stuff and showed that gap between cyber investments and outcomes.

[00:01:39] Now, considering this is a theme of MSPs broadly is making sure that they're focused on business outcomes.

[00:01:45] Talk to me a little bit about what's going on with this disconnect and what we need to be doing to make that come together.

[00:01:54] Yeah, it's interesting. Right. And, you know, I haven't dug down deep into the behind the scenes, you know, because I get access to a lot of the stuff that made up the juicy stuff.

[00:02:07] I get it right.

[00:02:07] Right. Some of it is included in the report itself.

[00:02:10] But, you know, ultimately, I think MSPs want to do right in the cybersecurity world.

[00:02:18] If I have to peel back this this onion, I think they they're challenged by starting.

[00:02:27] Right. Where is it to start?

[00:02:30] And in some cases, it's also from a career standpoint, from an employment standpoint there.

[00:02:37] You know, I know I need I know I need training. Right.

[00:02:40] We all love our annual security awareness training and that's really focused training set to help us as an organization.

[00:02:48] But as an individual, where do I go to help me better understand cybersecurity or the niches and nuances that really make up cybersecurity in my day to day life?

[00:03:00] Whether I'm the owner of the MSP, I'm the lead technician, I'm the help desk individual, whatever the case may be. Right.

[00:03:07] And, you know, we've recognized that I've certainly recognized that over my storied career as a now recovering cybersecurity practitioner.

[00:03:19] And one of the one of the things I know we're focused on here at CompTIA inside the community side of CompTIA and cybersecurity programs is actually helping folks understand.

[00:03:32] You know, what what does it take to manage to one of the safeguards inside?

[00:03:38] Let's just say, for example, the cybersecurity trust mark that we have, which are based upon 87 percent of which are based on the Center for Internet Security, critical security controls.

[00:03:49] You know, those 18. So, you know, we're we want to help demystify, educate, because that's the whole purpose behind our program, too, is to raise the awareness of the

[00:04:00] awareness and understanding around cybersecurity for the managed service provider, because they're managing to a lot of different types of clients. Right.

[00:04:08] And prospects. And, you know, I think the outcome that they're really looking for is no one is truly an expert in cybersecurity.

[00:04:21] Cyber is a very broad spectrum. Right.

[00:04:24] Right. You can be niche as an expert. So you might you might be a fan of being a threat analyst.

[00:04:31] You might be a fan of actually helping folks architect a secure configuration for an organization. Right.

[00:04:39] There's many different facets to becoming a cybersecurity quote expert.

[00:04:45] And I think. The other side to this is it's also very scary. Right.

[00:04:52] I mean, because this is traditional traditional.

[00:04:56] I grew up in the technology space. I started in taught myself programming languages at a very young age and then moved in to, you know, understanding, networking, routing, firewalls, operating systems, all kinds of fun stuff.

[00:05:14] And you really do need that well-rounded experience set in order to move into a cybersecurity career.

[00:05:21] You can't just look at if anybody's listening and they're in a cybersecurity degree program, please reach out to me on LinkedIn.

[00:05:27] I'm happy to help. But but I'll just say this out loud.

[00:05:31] I don't think higher ed is really doing us any favors here either.

[00:05:34] By the way, they're not offering internships or apprenticeships while the folks are actually going through learning about cybersecurity in these degree programs.

[00:05:45] You know, I had I was at an InfraGard meeting locally here in Tampa and a gentleman said, hey, I've got a friend whose daughter just went to University of Miami.

[00:05:54] Now, for those that aren't familiar with University of Miami, I think it's like 60,000 a year, four year cybersecurity degree.

[00:06:00] Can't get a job. Three to five year minimum experience.

[00:06:04] That's what I mean where higher ed is failing, right?

[00:06:07] The experience should be.

[00:06:09] In programs like internships and apprenticeships while they're actually going through and being able to have that hands on to develop those kind of things.

[00:06:19] And I think we miss the the outcome that we're looking for as well.

[00:06:23] So there's a couple of different facets to the interesting side of the security report right now.

[00:06:30] Now, one of the things I want to tell you, so this what the internet intrigues me about cybersecurity, by the way, I never position myself as any level of expert on cybersecurity.

[00:06:37] I am a business technologist and my role is helping people make technology work in their business.

[00:06:44] I want to I always have this joke for cyber people that I laugh and go, if I gave any cyber person infinite money, I still wouldn't get outcomes.

[00:06:52] I would get a risk management program that would do it, but I would never I would never be assured of anything.

[00:06:58] Now, that is very problematic for business owners because they are looking for outcomes, right?

[00:07:03] They generally like to invest and they know they will get something.

[00:07:06] But what intrigued me about the report also was that only 25 percent of professionals feel positive about cybersecurity's direction.

[00:07:14] And so I've got this this confluence of places where it's like even with infinite money, theoretical resources, we can't necessarily solve the problem.

[00:07:24] We have business owners that are struggling to measure outcomes against it because it is all risk management versus an outcome.

[00:07:31] And we have the cyber professionals themselves, only a quarter of them feeling positive about that.

[00:07:36] Give me a sense of what you think is really stalling our progress here.

[00:07:42] I honestly from an MSP.

[00:07:44] Let's just focus on the MSPs for just a second.

[00:07:46] Please. Great space. Yeah.

[00:07:50] I'll probably catch a little flack for this and that's OK.

[00:07:53] You can hit me up on LinkedIn and tell me I missed the mark.

[00:07:57] But I would I would argue that probably I'll say a majority.

[00:08:02] So more than 50 percent.

[00:08:04] And I'm being very conservative with that number.

[00:08:06] Business owners of MSPs are pure technologists.

[00:08:10] Never, never a business person in their life. Right.

[00:08:13] They were working for somebody.

[00:08:15] They decided, hey, I could do this better.

[00:08:18] I could do it cheaper.

[00:08:19] I could make more money and it all comes to me. Right.

[00:08:22] Not not a care in the world around business.

[00:08:24] I would argue that a risk management program actually does help you develop better outcomes.

[00:08:32] OK, right.

[00:08:33] And and the way it does that, though, is you have to reflect inward on the business work on your business, not in your business, I think, is one of the things that's actually spinning around for cybersecurity awareness month as well.

[00:08:47] By working on your business, understanding.

[00:08:51] What your business objectives are.

[00:08:54] And Dave, you might be shocked to hear this, but that same percentage that I talked about again, very conservative number of MSP owners.

[00:09:03] Don't have a business plan.

[00:09:06] So they already are starting out with not realizing what their outcomes need to be.

[00:09:13] Right. Right.

[00:09:15] So so a business plan is actually very helpful.

[00:09:19] And I look, I've heard the entire gamut.

[00:09:21] I'm not selling my business, which is a crock of crap between stroke to twenty five a check for twenty five million dollars and said, here it is.

[00:09:29] I'm ready to buy your business, but I want to see your business plan.

[00:09:33] And when they can't produce it and I actually do this on stage, I rip I rip up the check, say, sorry, you know, you're not the right fit for me because I don't know what your intent is behind the business.

[00:09:46] I don't know what you've done to set yourself up for success, what the plan is, again, all outcome based.

[00:09:52] And what I'm suggesting to folks is when you actually align your risk.

[00:09:58] To those business objectives, you get a much clearer picture on what your outcomes need to be, where you need to wisely hire people, train people, spend your money.

[00:10:10] Right. Very quickly, everything becomes relevant all of a sudden and almost to the point of overwhelming.

[00:10:19] And that's where we say, OK, now that you've done this exercise, take a deep breath and let's prioritize what you want your outcomes to be, because you can't just flip a switch.

[00:10:30] There's no easy button in cyber. You can't just flip a switch and say we're going to fix everything to your point about having a multitude of cash because you need to make sure you find the right people.

[00:10:41] Right. It goes back to the talent challenge that we currently have.

[00:10:45] I mean, you may have the talent, but they might not be in the right seat on the bus.

[00:10:49] Well, what does that take in order to move them? Right.

[00:10:53] So let me ask a kind of a very is a bit tactical, but I think it's important on the strategy of what's going on here.

[00:10:59] So I've been tracking CMMC 2.0 pretty aggressively. My sense is this is the first set of regulations that has because it's got some auditing components to it.

[00:11:09] It's got some it and it has a pretty significant reach that I think a lot of providers may be underestimating the reach of the defense industry.

[00:11:17] And my example always and I borrow from Mike Semmel on this one all the time is I'm not thinking about fighter jets.

[00:11:23] I'm thinking about the bolt that holds the cockpit on is that comes from just a business right somewhere that makes bolts that somewhere goes to buy bolts.

[00:11:31] And so that is a significantly larger reach than the most.

[00:11:35] And it feels like it's a significant step forward in terms of regulation and compliance.

[00:11:40] What's your take on the impact of CMMC as we're kind of roll into 2025?

[00:11:47] So I'm very glad that in the final rule they made some adjustments, especially as it relates to the MSP industry.

[00:11:56] Right. So.

[00:12:00] Honestly, I understand in theory where they want to where the defense industrial base is trying to take this entire mechanism that we call CMMC.

[00:12:11] I want to make sure, though, that there's there's still a gap of knowledge, awareness and understanding that has to get.

[00:12:24] We have to we have to span that gap. Right.

[00:12:27] We can't just flip a switch. Right.

[00:12:30] To my point earlier, you can't just flip a switch and solve the world's problems.

[00:12:34] Now, from a CMMC perspective, this isn't anything new.

[00:12:38] Folks should have been doing this since the original executive order came out from President Obama.

[00:12:44] Right. And they had until December 31st, 2019, to get all of their stuff in a row.

[00:12:49] So the challenge for the MSPs and to your point, great analogy, by the way, the bolt people.

[00:12:56] Right.

[00:12:56] Right. Because I mean, I actually have a personal story of going into a mom and pop organization.

[00:13:03] I won't say where they are.

[00:13:07] They asked us prior life.

[00:13:10] I was working at Siena Group to come in and help them better understand this DFARS clause that they had to comply with.

[00:13:16] Right. Again, going back to the 800-171, CUI and the executive order.

[00:13:22] And when we gave them our proposal to actually help them, they said, oh, my God, I want to look, I'll just be transparent.

[00:13:33] I think the proposal was for forty thousand dollars to have us come in and evaluate and give them the recommendations that they need to in order to move forward.

[00:13:41] Sure.

[00:13:42] Mom and pop shop. They were making one hundred and fifty million dollars a year.

[00:13:47] Right.

[00:13:47] On government contracts.

[00:13:49] Yep.

[00:13:50] For the defense industrial base and forty thousand dollars to get them all set, ready to go.

[00:13:56] And they refused.

[00:13:58] And then.

[00:14:00] It wasn't more than six, eight months later, they ended up getting popped with a with with something terrible, horrible happening and information and data was was leaked and it was not good.

[00:14:12] It was not pretty.

[00:14:14] So, I mean, but that's the kind of stuff that we're trying to prevent.

[00:14:17] So, to your point about the little nuts and bolts, the mom and pops that the MSPs are trying to adhere to.

[00:14:23] And remember, the MSPs are ancillary in this whole process now.

[00:14:27] The mom and pops are the ones that get the flow downs from the prime contractors.

[00:14:31] Right.

[00:14:31] All the way down from the government all the way through.

[00:14:35] And they're not the ones understanding.

[00:14:37] And the the challenge that I see is that MSPs, again, going back to that percentage I use, they're not aligned in their conversation about what's important.

[00:14:47] And again, it's because the MSP is having a technology focused discussion.

[00:14:51] The business needs a risk based approach.

[00:14:56] Right.

[00:14:57] To your outcomes that they're that they need to be able to solve for.

[00:15:01] What's the risk to my business where you can lose 100 million dollars in annual revenue and you're going to have to kiss 40 of your employees goodbye.

[00:15:09] Right.

[00:15:09] Right. Yeah.

[00:15:10] You know, I mean, it's like it's a different kind of a conversation.

[00:15:13] Right. It's not about walking in with the brand new widget and going, hey, you need this because the threat actors are are targeting you.

[00:15:20] Well, you just sold me a firewall last year.

[00:15:23] Why do I need to upgrade that to this latest thing?

[00:15:26] Right.

[00:15:27] It again, it's it's just a really interesting dynamic.

[00:15:31] Again, I think we're we're we're on the cusp of helping MSPs better understand.

[00:15:40] And you and I were chatting about vendors earlier.

[00:15:43] As the vendor as the MSP start getting this whole new risk based approach and we're introducing third party vendor risk management for them.

[00:15:52] They're able to as a collective, not as an individual organization, but as a collective start pushing back on these vendors to say, hey, hey, hey.

[00:16:01] You know, we need you to change this because this isn't right.

[00:16:07] You can't expect me to connect an API integration into my organization today with full domain admin privileges.

[00:16:15] Right.

[00:16:16] So I'm going to I'm going to open this up a little bit.

[00:16:18] So one of the things we were warming up and talking, we were talking a little bit about vendors and I have I've observed that, you know, one of the things that I think is starting to culturally change is CISA is leading the way on their secure by design and secure by default.

[00:16:31] And in particular are talking about the vendors having responsibility for sending products out that come in a status that is, you know, at least let's go with minimally viably acceptable.

[00:16:45] Right.

[00:16:45] And there and you know, and my my statement has been, you know, they've hidden behind a level of non responsibility in their licensing agreements that essentially says we really aren't responsible for anything that happens with our software.

[00:16:58] That isn't changing contractually.

[00:17:02] This is starting by changing it culturally first to from that approach.

[00:17:07] As you think about kind of the vendors, what do you think the where do you think the dynamic needs to change, particularly as we with an eye to what the MSPs collectively need to push on to make this situation better?

[00:17:20] Well, you know, look, I'm in Reddit.

[00:17:24] I just I lurk out on Reddit more than anything else.

[00:17:27] Let me both.

[00:17:28] I know.

[00:17:29] But I'm involved in some of the other community channels and you hear all of the complaints about, oh, my God, I can't believe.

[00:17:37] And so let's keep in mind, we have to be very careful about shaming.

[00:17:44] So we're very careful about not shaming employees and reporting and that kind of stuff.

[00:17:49] We also have to be very careful about not shaming vendors either.

[00:17:53] And the vendors shouldn't shame clients.

[00:17:56] So we just need to get that out of that.

[00:17:58] Let's just open the air around that right now.

[00:18:00] Right.

[00:18:02] Are mistakes made during the development cycle?

[00:18:05] Yes.

[00:18:06] Are are there libraries and code snippets that are put in there that may not have the ability to be exploited right now today, but maybe tomorrow?

[00:18:19] Certainly.

[00:18:20] Right.

[00:18:20] Which is the flaw in technology to begin with.

[00:18:23] Right.

[00:18:23] So let's let that's why we have to we should step back from the whole shaming set.

[00:18:28] I think what this is trying to do is say, hey, to the best of your ability today as you're developing the product.

[00:18:37] Put in the secure by design concepts into your software.

[00:18:43] Now, that's not that's not going to do a dang thing for those that already have developed solutions that have perhaps a lot of tech debt.

[00:18:53] Right.

[00:18:53] Right.

[00:18:54] They're going to have to start clean slate and build back up again, because otherwise they're just going to it's a management nightmare.

[00:19:01] Right.

[00:19:02] It's like trying to build a concrete superstructure around a thatch hut.

[00:19:07] It doesn't work.

[00:19:08] It's going to crumble.

[00:19:10] So, you know, the the vendors, I think it would be great if they could start moving towards this secure by design.

[00:19:18] And I would argue because I know there's going to be people watching your show.

[00:19:22] If I didn't mention secure by default that I would get called out for that.

[00:19:26] Right.

[00:19:27] Because they go hand in hand.

[00:19:28] So as they're developing, they do the secure by design.

[00:19:32] But as they launch the the items that need to be turned on by default should be there.

[00:19:39] So out of the box, the technology is secure, whether it's an application, a device or some other piece of software.

[00:19:47] Now, I went one step further in some of my CISA Joint Cyber Defense Collaborative JCDC meetings.

[00:19:54] And I said when we were talking about creating this is we actually talked about creating the pledge.

[00:20:02] And one of the things I suggested was the vendors to help protect themselves, do a pop up.

[00:20:08] So if somebody goes to turn off one of those things by default, give them a pop up, a warning saying, hey, this you should not do.

[00:20:16] We don't want you doing this.

[00:20:19] Right.

[00:20:20] But if you do it, you're assuming all the risk.

[00:20:23] And when they click OK, you pop up another one.

[00:20:26] Are you sure?

[00:20:28] Right.

[00:20:28] You really want to do this and then log it.

[00:20:31] Who did it?

[00:20:33] Because you're logged in as the user.

[00:20:35] Who did it?

[00:20:36] Date, timestamp, everything.

[00:20:38] And that gets shipped back off to the company because now they have a record of somebody going, yeah, I don't care.

[00:20:45] Turn the damn thing up.

[00:20:47] And and now they now from a litigation perspective, they at least have something that can go back.

[00:20:53] Hmm.

[00:20:54] Somebody turned it off.

[00:20:56] Here it is.

[00:20:57] Here's the date.

[00:20:58] Here's the time.

[00:20:58] And here's who did it.

[00:21:00] Now, that implies that the flip side of that would also be true.

[00:21:04] Of course.

[00:21:04] That if that if it ships and the user does not agree to turn off all of those things, that the software vendor would have some responsibility.

[00:21:13] And I would argue right now that that is not entirely the way this all plays out.

[00:21:18] Well, that's correct.

[00:21:19] You know, and you're absolutely right.

[00:21:21] That that does not play out well today.

[00:21:23] But my my my comment, though, on turning things off is that it would already be turned on.

[00:21:29] And that's not the case today.

[00:21:31] And as a matter of fact, to our discussion earlier, it's all about functionality, not so much about security.

[00:21:37] Right.

[00:21:39] Right.

[00:21:39] And so.

[00:21:40] So that's the.

[00:21:42] So I would argue that someone had to make the determination that and the pushback from the partner that was buying the products previously.

[00:21:52] We want it this way.

[00:21:54] We don't want it that way.

[00:21:55] Right.

[00:21:56] So is the software company is the vendor still liable for that?

[00:22:00] Probably not.

[00:22:01] Well, so.

[00:22:02] So when does when does regulation come into the into play here?

[00:22:06] Because so let's let's.

[00:22:07] And we before we were talking a little bit about a car example and the liability, the manufacturers have some responsibility in car manufacturing and the user.

[00:22:15] You know, the operator of a vehicle has some responsibility in that.

[00:22:18] And it's been determined.

[00:22:19] But there are by the way, there are laws in there, because if I wanted to create the cheapest car possible, I wouldn't put seatbelts.

[00:22:26] Right.

[00:22:27] And so.

[00:22:28] And how do we get seatbelts?

[00:22:29] Well, we passed laws requiring seatbelts is how we got there.

[00:22:33] We didn't go necessarily to the car manufacturers and beg and plead and make them sign pledges.

[00:22:39] What we said was, is we all collectively would like to have less road deaths.

[00:22:43] So we're putting legislation. Tech, however, has essentially zero regulations, really.

[00:22:50] But particularly around data privacy about like there's there just aren't there.

[00:22:54] When does when does this move to regulation?

[00:22:58] You know that honestly, I think regulation is coming sooner rather than later for a lot for a lot of different entities within the industry.

[00:23:06] Right. I think it's going to take a little bit longer.

[00:23:10] And I applaud CISA for going down the secure by design pledge secure by default.

[00:23:16] And there's actually one other that they haven't really touted as much.

[00:23:22] But the that's kind of the start of it. Right.

[00:23:26] So you need groundswell.

[00:23:28] You need commitment.

[00:23:29] You need critical mass to basically pressure the rest of the folks that are just not going to move the needle.

[00:23:36] And the same thing is true.

[00:23:39] The same thing, honestly, is true in the MSP space. Right.

[00:23:43] You have you have the top five percent of the MSPs that say, you know, we're doing cybersecurity and we're going to be the best at the best at the best.

[00:23:52] That's it. We're going to do it. Right.

[00:23:54] And then you have the bottom 15 percent that say never in a million years.

[00:23:59] It doesn't make any sense.

[00:24:00] I'm too small. I don't have the cash.

[00:24:02] I don't have the people, blah, blah, blah.

[00:24:03] And then you have the 80 percent in the middle. Right.

[00:24:07] And and I would argue the the fringes of that 80 percent need to make up their minds.

[00:24:13] Either we're going to stay with the collective.

[00:24:15] The top half of the 80 percent are probably going to want to move up into the top five.

[00:24:20] And the bottom top of that 80 bottom of that 80 percent is if you're not careful, you're going to fall into the 15.

[00:24:28] What does that mean? Well, if if regulation decides to pop out, you're done.

[00:24:34] It's not you're not going to be able to do anything because you've already committed to not doing anything and your clients are going to leave, which means your revenues leave, which means you're losing people.

[00:24:45] You're hemorrhaging. That's it. You know, hang up the shingle.

[00:24:49] You know, that's it. We're done. But for the 80 percent getting focused on creating a foundational cybersecurity program, understanding, getting all the knowledge, getting raising your awareness and understanding of how you can actually do this.

[00:25:03] Be successful at it. I mean, shameless plug. We can help.

[00:25:09] We have a whole community around the world that is looking to help others be successful in implementing cybersecurity best practices.

[00:25:18] Well, we'll end it on an action item because that's exactly the resources take advantage of.

[00:25:23] Wayne Selk is the vice president of cybersecurity programs at CompTIA and serves as the executive director for the CompTIA information sharing and analysis organization.

[00:25:31] With over 25 years' experience, he spearheaded cybersecurity strategy, data protection, compliance initiatives all within the IT channel.

[00:25:39] Wayne, this has been great fun. Thanks for joining me.

[00:25:41] Hey, thanks, Dave. Appreciate it.

[00:25:43] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.

[00:26:21] Once again, thanks for listening to me.

[00:26:24] I will talk to you again on our next episode of the Business of Tech.

[00:26:31] Part of the MSP radio network.