In this episode of the Business of Tech Lounge, host Dave Sobel delves into the world of cybersecurity, questioning the effectiveness of the industry's focus on selling expensive solutions over practical ones. He highlights the growing global spending on security and risk management, projected to reach $215 billion, and discusses the need for cybersecurity measures in the face of rising cyber threats and attacks.
Sobel engages in a conversation with Paul Bedi and Dave Schwartz about tying security investments to business outcomes and the importance of benchmarking security measures against industry peers. They emphasize the need for a cost-benefit analysis and a minimum service level in cybersecurity solutions. The discussion also touches on the significance of preparing for downtime and the cost of not implementing security measures.
The episode shifts focus to the topic of talent recruitment in the tech industry, with a discussion on micro internships as a way for small businesses and managed services providers to engage with colleges and universities. Sobel explores the benefits of these short-term, skill-based projects in building a recruitment channel and providing valuable experience for both parties.
Sobel concludes the episode by emphasizing the importance of simplifying security offerings to focus on key areas such as passkeys, strong identity security, backup disaster recovery, and MDR. He encourages listeners to prioritize these essential security measures and engage in discussions about the evolving landscape of cybersecurity solutions. The episode ends with a call for questions and feedback from the audience to shape future discussions on the show.
Supported by: https://salesbuildr.com/
All our Sponsors: https://businessof.tech/sponsors/
[00:00:00] Let's talk security today, as I want to ponder the question, what is all this cyber security
[00:00:18] money going towards? Who's taking the profits and who is taking the risk? Welcome to the
[00:00:25] Business of Tech Lounge, the live version of the Business of Tech podcast. It's Wednesday,
[00:00:30] June 5th, 2024. And I'm Dave Sobel. I'll be taking questions and comments throughout the show to make
[00:00:37] sure to put them in chat. There's a dedicated question section in the show with listener-submitted
[00:00:43] questions. We'll be taking those chat call outs and comments anytime, particularly during a story.
[00:00:51] I want to thank Salesbuildr, our Patreon sponsor whose support makes this show possible. Focus on
[00:00:57] your IT sales workflow with the power of automation and visit them at salesbuildr.com. That's B-U-I-L-D-R.com.
[00:01:08] Remember, I will be watching that chat. But now our first story. I want to talk security today. For
[00:01:16] context, let's pull from the Friday Big Ideas segment from the May 31st episode of this show. Let's roll it.
[00:01:26] CIO Dive with a reminder in the article, cyber attacks are good for security vendors and business is booming. The
[00:01:34] cybersecurity industry has experienced significant growth, with global spending on security and risk
[00:01:39] management projected to reach $215 billion this year. Cybersecurity vendors develop defenses to mitigate
[00:01:46] attacks while highlighting cyber criminal activity to demonstrate their value. However, experts argue that
[00:01:52] the industry's focus on selling expensive solutions instead of practical ones adds unnecessary complexity.
[00:02:00] Despite efforts to improve security, cyber threats and attacks continue to rise, emphasizing the need for
[00:02:06] cybersecurity measures.
[00:02:12] And we have continual conversations about security in this space. We're always having interviews about that and
[00:02:19] conversations and thinking about that. In fact, I'm going to give you a preview of a conversation that I'm
[00:02:25] releasing this weekend with Paul Bedi of IDMWorks and Dave Schwartz of SailPoint. We're talking about identity
[00:02:32] management solutions. Let's hear a clip.
[00:02:35] In terms of selling security, how much of this is tied back to business because one of the big challenges around
[00:02:42] security and I say this with a bit of a smile is like, look, it is a bottomless hole that you can throw infinite
[00:02:47] money into, where no security person will ever promise anything. Right? Kind of, that is the real reality of it, right?
[00:02:56] It says you I will take all your money yet still guarantee nothing. So so a savvy CFO essentially is going to look at
[00:03:03] that and say, Well, no, I don't. I don't do that. I need you to tie it to result. Talk to me a little bit about how that
[00:03:08] conversation plays out.
[00:03:12] Yeah, look, I think that it can be a bottomless pit. There is a trade off. And the trade off is, it does the revenue
[00:03:20] make? Are you making an impact on revenue that is significant enough for our business? Or are you just automating to
[00:03:27] automate? And what is the cost of paying off that risk if that you know, if we had a situation and so there is a cost
[00:03:35] benefit analysis, definitely that happens. But we understand that there's a fiduciary duty to have a minimum service
[00:03:43] level. And that's and we need to benchmark that against peers because you always want to be as popular as your peers, or
[00:03:50] as smart as your peers. And that's what they're doing. And we're providing that data for them. And we also use the
[00:03:55] industry analysts and ourselves, but obviously, who has 100 hundreds of more accounts than us to baseline what other
[00:04:03] folks are doing within an industry, provide that detail back. And then, you know, they have to make a decision whether
[00:04:09] they want to proceed or not.
[00:04:11] And Dave, I'd add one other thing to what Paul was saying. I think if you look at it, I wouldn't look at as a
[00:04:16] bottomless pit, there's actually a cost of doing nothing as well. And that's really where especially if you look at
[00:04:22] identity right now, and if you look at the breaches that are taking place in the marketplace, identity is access to a
[00:04:27] lot of a lot of those. So if you don't have a better identity program, right, we believe identity is core to not just
[00:04:35] identity security, but your your enterprise security level. So it's not just the cost of buying into a service like this,
[00:04:42] it's what's the cost of not doing something on this side?
[00:04:47] Paul brings up a really great question about the cost. What is the cost of the service? And what is the cost of doing
[00:04:55] nothing? Well, let's think about this from a breach perspective. I want to give you an example. And let's pull a very
[00:05:02] recently from yesterday's show. Here's a clip from Tuesday's The Business of Tech.
[00:05:08] Less good news. Ticketmaster's parent company Live Nation has confirmed a data breach that exposed the personal
[00:05:15] information of 560 million customers. The breach advertised on hacking forums included names, email addresses, phone
[00:05:22] numbers and credit card details. Live Nation is working to mitigate the risk and has notified law enforcement and
[00:05:28] regulatory authorities. The company believes the breach will not materially impact its business operations. So let's tie
[00:05:38] this all together with our question, why do we care? Now I got to start with saying that Paul's conversation with me
[00:05:47] about the approach and the sales approach of an MSP is pretty typical. I'm not intending to pick on them and that
[00:05:54] conversation. In fact, I think there's some real value to learn about their approach and that interview will come up this
[00:05:59] weekend. But it's very typical. And I was able to easily pull out and say this is oftentimes how that conversation goes.
[00:06:06] And in fact, Paul's approach is quite sophisticated as he's talking about tying his security investments to business
[00:06:15] outcomes. But he also talked about a minimum service level. And I think that's the key point to focus on. But let's ask
[00:06:24] ourselves, what is the minimum level? What are the actual requirements that must be delivered for security to be an
[00:06:35] actual thing? I'm going to start with a really straightforward place. I think the place to start is immutable storage
[00:06:41] backups, and probably to. And I think most customers and in particular MSPs advising them are not leaning into enough doing
[00:06:50] right by simple backups. I then I'm going to extend that by saying I think patching is a core service and it needs to be
[00:06:58] delivered in a way that is oftentimes much more aggressive than most solution providers might do. I think you can automate a
[00:07:05] lot of this. And in fact, you see Microsoft starting to do that with their investments. I'm going to go to the next step. And I'm
[00:07:12] going to say passkeys and YubiKeys and two-factor authentication are a mandatory requirement. I think this stuff of anybody
[00:07:21] arguing around a particular customer having exceptions or not doing it is pretty ridiculous. And I think every MSP should be
[00:07:29] doing that. But more importantly, I think every software vendor needs to be doing it. Now, I'm also going to say I'm not sure what
[00:07:36] beyond that is the proper minimum security product. I think this space has gotten incredibly complicated with everyone wanting
[00:07:45] to have their security product with a mix up alphabet soup of letters that don't necessarily mean anything. Do you need EDR or MDR
[00:07:56] or XDR? It's got to be next gen, right? Because it's not an antivirus. Well, what do we actually need? What are the actual
[00:08:04] requirements? I'm going to throw this out for listeners, both now live and if you've got something to post in the comment, if
[00:08:10] you're watching the in the recording, make sure to tell me because in this space, I think most of it is probably noise. There's a lot
[00:08:20] more here that could it is not necessarily required, because I would offer that the piece that isn't in most people's stack is a
[00:08:28] slush fund to be ready for downtime. In fact, I would counsel most customers to prepare for a day or two of downtime, have money on
[00:08:39] hand to do that and lean heavily into being able to do recovery. Because if I've done a really good job of patching, and I've made
[00:08:48] sure that my user accounts are protected with passkeys or physical keys, making sure that computing is requiring that level of
[00:08:57] access with physical keys, and I do a good job of just the basics, I can recover most. Now, I want to talk a little further about the
[00:09:07] idea of liability, because I think that's the actual key. What's interesting to me is that most companies that are selling
[00:09:16] cybersecurity products, assume no actual liability. If you sell me a cybersecurity product, but then don't include any level of
[00:09:27] guarantees of it actually working and protecting, what's the point of the investment? I really think we need to ask this as customers
[00:09:37] buying products, and on behalf of customers buying products. Why do it? Because let's point back to what happened with Live Nation, they
[00:09:46] get breached, and their business outcome is no material impact on their business. I think that's a really key point. And it happens a lot.
[00:09:59] I'm not being dismissive of downtime. And I'm not being dismissive of the time and effort required for recovery. But the data breach costs end up
[00:10:10] going to the consumer, right? So you actually need to plan for is just the I'm going to put it back together time. I think that's important.
[00:10:21] And finally, I'm going to also highlight what CISA is doing around Secure by Design. Who's on the list? Well, when you look at who's actually
[00:10:30] signed up to start building software that is secure by design, it's not quite 70 vendors. In the MSP space, there's only really one that's
[00:10:39] signed and that's Huntress. So props to them for actually doing it. And their CEO called out the other members of the community for not, which
[00:10:48] brings us back to the start. CIO Dive notes that attacks are good for business. They're good for cybersecurity vendor business. But I'm not
[00:10:59] convinced they're good for the managed services providers and IT services providers in the middle. And I think that's the piece that I want us to
[00:11:07] focus about. Because as you're being pushed by vendors, and by vendor paid analysts to sell more cybersecurity, are you really taking on
[00:11:17] something that is something your customers will actually need and actually respond to? But am I right? Or am I wrong? Put those chat
[00:11:27] comments in there. Tell me what you think. I want to hear if you're encouraged by these moves, or dismayed by what's happening in the
[00:11:34] market. You got that question or comment, put it in chat, if you're watching live. Or if you're watching the recording, I will catch up and
[00:11:41] respond to you. Now this past weekend, I did a different kind of interview, I spoke with Don Snyder, who's from the College of William and
[00:11:50] Mary. I'm an alum, so a little bit biased, but I love working with the group down there because they've got a very well defined career
[00:11:57] advancement track. And he and I had deep in depth conversation about the way small businesses and managed services providers and IT
[00:12:04] services companies can engage with colleges and universities. He said something that I wanted to highlight. So let's play a clip of that.
[00:12:13] A relatively new trend, probably COVID really elevated the the the awareness of this particular model. We think about the full summer length
[00:12:26] traditional internship. Let's think about what's called let's look at the what's called the micro internship. And so the micro internship is
[00:12:37] project based. And it can be three weeks, it could be four weeks. And so an organization has a need. We've got to update this database, we've got
[00:12:48] this, something that needs updated, something needs tweaked, something that needs implemented. It's short term, it's it's again, three, four or five
[00:12:57] weeks, skill based. Hey, let's this is a great opportunity to connect with a student who has this skill set who has some of this experience. And
[00:13:10] let's get them working on this project. Now most of these again, micro internships are going to be remote. And really, they're they're all should be paid.
[00:13:24] So why do we care? Well, I keep thinking about the tech staffing shortage. And I keep thinking of ways that small companies can help build their own
[00:13:34] recruitment channel, finding and retaining talent, key element. And by the way, part of that is finding talent. It's oftentimes hard to find the people you're
[00:13:45] looking for. And you're going to need to spend time doing it. So I think that that's an element that we want to revisit here. And it's one of the reasons why I
[00:13:54] focus so much on that portion of the business is that I thought think heavily about the way we can build that cycle of people. Don brings a number of
[00:14:04] different ways to do that. And I had not heard of the way of doing it with these small remote projects. It feels like something that managed services
[00:14:13] providers might actually be incredibly well positioned to do. Now I know he's noticing a comment here from Debbie who says don't call it an internship. It's a
[00:14:22] part-time job, not an internship. Internships focus on learning, not doing. All right, I'll totally see that one. And say though, that for me, the more
[00:14:32] interesting element is the outcome, giving engagement to just people that you may want to work with on ongoing paying them note that that's a very
[00:14:42] important element of what that's done, and getting valuable experience for both. Whether or not it's mislabeled. That's something that I think I want to
[00:14:51] definitely focus on. I'm going to encourage you to say that that interview is live on YouTube and on the podcast feed. So if you want to dive more into the
[00:14:58] topic, I encourage you to focus on it. Now I am spotting a comment here from our last piece. I want to throw that up. Let's have a little bit of a
[00:15:06] conversation there. From LinkedIn. I think the priority needs to be passkeys, strong identity security, backup disaster recovery and MDR. Patching helps
[00:15:16] plenty, but the auto update functionality of most good and modern tools is a big boost. Chrome and other browser updates is easily the most impactful
[00:15:25] patching that a business can do. I am right there with you. And I think that this is an element of simplifying the security offering into what's
[00:15:35] actually important. And I'm glad to hear that from the audience the same way that I'm thinking that if you focus just on these key areas, and be very, very
[00:15:45] good at them, you can ignore a lot of the other noises. Note that this list isn't that long. If you're saying as said by this list right now, passkeys, strong
[00:15:58] identity security, backup disaster recovery and MDR. We don't necessarily have to make this more complicated than it needs to be. Now I'm going to continue
[00:16:07] taking those questions and comments. Remember, if you bring your questions live, you'll get a live response. Really do enjoy taking the questions. Of course, feel free to
[00:16:16] submit them ahead of time. If you're listening to the recording, send it in at question@mspradio.com. Q&A does give you a chance to get involved with the show.
[00:16:27] Now I'm noticing we're having we've had some comments from listeners, but no additional questions. I'll keep that open as long as we're live. And if somebody throws
[00:16:35] something into the chat, we will certainly take it. Now I want to thank Salesbuildr, who's our Patreon sponsor whose support makes this show possible. Focus on your IT
[00:16:46] sales workflow with the power of automation and visit them at salesbuildr.com. That's B-U-I-L-D-R.com. Vendors, you too can get your name mentioned on the live
[00:16:58] show. It's a simple monthly subscription. Visit patreon.com/mspradio for more. And listeners, you can support the show: like, share and follow on your favorite platforms or support
[00:17:11] directly on Patreon with our give what you want model. You set what you think the content is worth that interview with Paul and Dave already available for my Patreon supporters. They can get that right
[00:17:23] now. If you're listening and have a question and want to add it for later to next week, send it in at question@mspradio.com. Really do enjoy taking the questions. And you'll note we're making a couple of changes around here in terms of
[00:17:37] format would love to hear what you think of this slightly adjusted live show. Thanks for joining me for the Business of Tech Lounge, and I will see you next time.
[00:17:53] Transcribed by https://otter.ai

