Dave Sobel engages with Holly Rollo to discuss the critical role small and mid-sized businesses (SMBs) play in national security. Rollo emphasizes that in today's interconnected environment, the security practices of every company are vital, as vulnerabilities often arise from third-party interactions. She highlights the importance of maintaining robust cybersecurity measures, particularly as many breaches have occurred through less secure connections with external partners.
The conversation shifts to the federal government's efforts to enhance cybersecurity through initiatives like CMMC 2.0, which aims to regulate and improve security standards among defense contractors. Rollo argues that while compliance is essential for those directly involved in federal contracts, the organic flow of data across various channels means that even businesses not directly linked to federal work must prioritize cybersecurity. She uses the example of a company providing HR software to construction firms, illustrating how even seemingly benign businesses can be targets for cyber threats due to their connections to critical infrastructure projects.
Sobel raises concerns about the competing priorities small businesses face, suggesting that the perceived penalties for inadequate cybersecurity may not be severe enough to prompt immediate action. Rollo counters this by explaining that cybersecurity issues are often intertwined with broader operational challenges, such as outdated technology and data integrity problems. She argues that addressing these issues holistically can lead to improved business resilience and profitability, making a compelling case for integrating cybersecurity into overall business strategy rather than viewing it as a separate concern.
The discussion also touches on the challenges companies face in adopting generative AI technologies. Rollo points out that many organizations lack a clear business strategy and understanding of their market fit, which hinders their ability to leverage AI effectively. She stresses the need for companies to modernize their systems and workflows before attempting to implement AI solutions, as doing so without addressing foundational issues can lead to suboptimal outcomes. Ultimately, Rollo's insights underscore the necessity for businesses to prioritize cybersecurity and strategic planning to thrive in an increasingly complex digital landscape.
[00:00:02] What can small companies do around national security? And what's holding back most companies from using generative AI? Holly Rollo joins me today to talk out these issues in a bonus episode of the Business of Tech. With as many breaches and security concerns as I report on this show, it should be obvious that cybersecurity is not just about technology, but also the human expertise needed to interpret and respond to complex threats.
[00:00:56] Well, Holly, nice to meet you and talk to you today. Great to meet you too. Now, I want to dive right into it because one of the things that got my attention was you made some statements that small and mid-sized businesses are critical for national security. I want to hear your take on why that is and what you're focused on.
[00:01:24] Yeah, I do quite a bit of work for the federal government and also for the cybersecurity space. And what everybody needs to understand is in today's complex environment, everybody's interconnected. And all the business that we're doing, you know, is connecting to each other whether we like it or not.
[00:01:47] And what I mean by that is sometimes we're using technology and connecting our systems and our data across APIs that we may have lost track of. And companies can get a little sloppy doing that and not, you know, take into account best practices from a security and compliance standpoint. And if you look at a lot of the threat out there and vulnerabilities, it has to do with credentials.
[00:02:15] It has to do with, you know, the single sign-on. It has to do with encryption. It has to do with some basic things that can get a little loose when you have third and fourth parties interacting with you just to do simple things like connect your web traffic to your CRM system, for instance.
[00:02:34] So, you know, a lot of the breaches in the past have happened through these third and fourth parties where, you know, maybe it's a law firm or, you know, a different kind of service provider or technology service provider where they're not targeting you, but they're targeting your client or your client's client. And really having a sense of this complex nature of the environment.
[00:02:59] And it's, you know, it's more like the weather versus sort of a linear traffic in terms of our data and data integrity and data security. And so every company plays a role to keep up, you know, their practices from a security and compliance standpoint. Well, you brought up the federal government, which is the one area which I would make an argument is doing a reasonably good job of getting their house in order.
[00:03:22] And what I would point to is, is I would say like, OK, look, CMMC 2.0, while imperfect, is distinctly a step towards getting this area much more controlled and regulated. If you're a small business and you're now in the supply chain for the federal government, you have to get that cleaned up in order to do business in the supply chain. Is that not enough for you?
[00:03:47] What's the argument here that those specifically involved in Fed work wouldn't be managing with the new CMMC? Well, there's certainly the compliance aspect of it, of people that are directly related to the supply chain, you know, in defense contractors, you know, those kinds of things for sure.
[00:04:07] The thing to keep in mind is that data is organic and it flows through everything, every channel, every workflow that you can think of. So you may not even be doing federal contract work. You may be doing something as benign. I'll give you an example.
[00:04:30] So, say you're a business who sells HR software to construction companies. OK, very benign. You would think this is not a big deal. Construction companies, their biggest growth area right now is in infrastructure. So because of the federal funding, they've gotten funding to do things like bridges and, you know, work on electrical systems and things like that.
[00:04:57] The idea is that they are builders. Right. So they're literally doing hammers and nails and sometimes setting up, you know, the electrical and things like that. But that's part of a grid system. So if you're a tech company selling SaaS-based HR services, you have all the HR information for that construction company.
[00:05:23] And that information, right, can be hacked into or credentials can be stolen to get into the system for said project to infiltrate their environment. So it's very important to take an orientation, you know, as a software service provider to these construction companies to help them understand that security is their responsibility, too. Even if they're not because, you know, you wouldn't consider them a mature organization.
[00:05:52] So I'm using kind of an extreme example to make the point is more and more every company needs to be a cybersecurity company and understand their role. And it may not be directly connected. So philosophically, I don't disagree with you. But what I would make an argument is, is like, sure. But that's a long list of competing priorities for the business, of which the downside of not investing enough is actually much lower than people will say.
[00:06:20] So, for example, I'm that construction company. What I have to do first off is pay my people, win the contract, expand the business, like grow the business healthily. I have the cost of doing business, which is just enough cybersecurity. But if I get breached, I mean, the actual penalties besides downtime and recovery are actually not necessarily all that extreme. The laws are not really that tough there.
[00:06:48] If I actually go through the process, it's really difficult for somebody to sue me over that. If it's an actual attack, it all gets really murky. I mean, we've got extreme cases of companies like SolarWinds who just nobody got sued because, you know, it was a third party actor. So I understand the value of it. And I don't disagree with the point. But when I stack rank it against a small business's priorities, the argument starts to get a little harder.
[00:07:13] What am I missing here in terms of what the small business owner, the end customer needs to think about different? Yeah. So what I would say and I understand your theoretical counterpoint, I think in practical terms, I can tell you based on conversations I'm involved in with clients and people I'm talking to, what I'm exposed to.
[00:07:34] And again, I'm an anecdote of one person with many contact points is that it sometimes is a problem linked to another set of problems. So there's the actual, you know, risk of infiltration or identities getting stolen or data getting leaked.
[00:07:56] Oftentimes, and this is for the most part for companies, many small to midsize companies have been around for a while and they've maybe they haven't you know, they're not market leaders yet. So they've grown through a series of acquisitions. They've gotten acquired by private equity.
[00:08:13] They're trying to sort out, you know, what their growth strategy is for many of those companies because the technology has evolved so quickly in many different aspects, including customer experience, service and support. And everybody's wanting to put AI on top of these systems. They're realizing they were built in silos and they're antiquated. And the data integrity problem is still a big problem.
[00:08:39] So the cybersecurity threat is one element that's also associated with larger issues of even having sustainability and rigidity within their environment to withstand, you know, piling more technology on. A lot of these environments are very fragile. So when a board, say, looks at that level of problem, they're like, oh, this is not only a security issue and a business risk and clients problem.
[00:09:09] This is actually, you know, could bring down our whole system and threaten our ability to actually serve customers, not just from a, you know, a breach perspective, but from everything else. So it's the fragility over all of these systems and the data integrity that is compounding the problem. And then they have to ask themselves, well, this is an investment now to be able to modernize this kind of technology. And I want to like take a tangent for a minute because it matters.
[00:09:38] If you're in the tech B2B tech space in software as a service, you have three fundamental platforms that you're working with. You have the platform you sell typically. So it's your set of services, your technology that you deliver. You have your back office systems like your ERP system, your HR system, et cetera. And then you have another platform called your customer experience platform.
[00:10:04] And I'm using that as a broad term, not as the specific technology space that Gartner assigns in their taxonomy. But in that third platform, if you ask any CEO who owns it, how is it funded? How is it monitored? And what's the roadmap? They typically can't give an answer because that platform has actually grown through a series of virtual acquisitions over time as cloud based tools or cloud based systems.
[00:10:31] And it's actually making the data bad, increasing the levels of threats and really increasing the noise in what's going on in their data integrity overall. So if this is a digital transformation argument, I will completely buy on that. Yeah. Organizations need to keep their systems modern and invested. You get cybersecurity as a benefit of doing that.
[00:10:56] But I think that's a much stronger discussion with a small business owner of, hey, we can make your business more resilient, more profitable, drive better outcomes. Oh, and the upside of that is you also get better cybersecurity. And that's exactly where the conversation has gone, like at the board level. You know, it's sort of like they scratch the surface on some of the cyber issues.
[00:11:17] And then they look at hygiene and then they back it up and they go, oh, but our ERP, our provisioning, our this and that, like their technology has been so legacy or they've customized it over time that it's just become more and more fragile. And then the point about AI I want to make is many of these companies are so excited about AI and they want to start using it in all aspects of their business. Actually kind of plugging AI into the product service offerings is one thing.
[00:11:46] Plugging in a chat bot into their services and support is another thing. The problem is, is that in this legacy environment they have for their go to market, for their everything to do with how they interact and support customers is still sort of kludgy. So they're wanting to pile the AI on top and get as much value out of it without really addressing the core problem, which is not only the systems, it's the workflow. It's the company culture.
[00:12:16] The roles across sales, marketing and customer support are converging. The pipeline is shortening. The B2B tech buyer's getting more and more consumer-like with a different set of expectations and behaviors than ever before. So not only do you need to modernize and future-proof your CX, you actually need to look across at roles and responsibilities and how the organization is going to manage it.
[00:12:42] I think you've alluded to it, but I want to make sure that I've asked directly because you've made some statements that most companies are not in a position to take advantage of generative AI. Expand a little bit on that, on the why. Why are most companies not capable and positioned to take advantage of the technology? Right. Well, as I said, they are wanting to enthusiastically adopt AI to do one of two things.
[00:13:06] One is to offer a better customer experience in a digital-first type of environment with the benefit of automation and the ability to kind of take out operational complexity or that sort of thing. The fundamentals are still not addressed. So, for instance, you know, I'll get a call from a CEO and they'll say, oh, we're not seeing the growth that we want.
[00:13:33] We're not seeing kind of our uptick as much as we thought we would this year or something that was working before isn't working now. So, we're going to kind of do a digital-first type of engagement with our customer base and that's going to make it better and remove friction. And then I asked them, well, what is your business strategy? And they say growth. And you and I know growth isn't a strategy, right? It's an outcome.
[00:13:59] But this actually is amazing how many times people will answer that way, which is the reason why I wrote the book, Power Surge, because I wanted to kind of make an argument for why strategy is so important. And so, you know, until that is addressed, until they really understand, you know, are you really an innovator or are you a turnaround company? Are you distressed? Should you be focusing on your core customer base?
[00:14:29] Should you be in heavy growth mode? Should you be in expansion mode? Sometimes companies will think they're competing as a market leader because they're competing with market leaders and they'll be doing all kinds of activities, but they're not actually doing the right set of strategies in the context of what their business needs. So that's kind of order of business number one. Order of business number two is looking and making sure they have product market fit in a specific customer segment. And oftentimes segments are confused with sales coverage models.
[00:14:59] So small, medium, large, or this kind of industry versus, you know, how a certain buyer acts or what problems they're trying to solve uniquely in a customer needs-based segmentation orientation. And then with that kind of focus, then you can look at the workflows, the processes, the systems, the data that's needed to actually support an end-to-end customer experience in this new digital first modern model.
[00:15:22] So all of those things need to be looked at holistically in order to get effective use and prioritization of where you use AI versus just saying, let's do this, let's do that. And it just becomes another activity and isn't really optimized and successful. So you've done a really good job of outlining all of the stuff that I think are the action items. And I want to ask kind of one last final question, because I think everything you've just said is valuable regardless of what the answer to this next question is. So I think we're leaving everybody with an action.
[00:15:51] But there's one other thing that you said that I want to follow up on. You said growth is not a strategy. And I can make a pretty good argument that the model providers of generative AI are running a growth as their only strategy. Because we know they're not making any money. Are you concerned, and if so, how, about building businesses around generative AI on top of companies that don't actually have a business strategy? I am.
[00:16:17] But, you know, if you think of these AI companies, they're early innovators on their own. And in that phase of their lifespan, they should be. That's the goal. The goal is to gather users. That is the goal. And so that's a very different goal if you are a more legacy company, a turnaround company, a private equity-owned company, a company that just merged with three other companies. You're building a platform. That's a very different kind of thing.
[00:16:43] So while it concerns me, what's going to happen is what happened in every other industry, cybersecurity included, is there's a lot of froth in the beginning and then leaders emerge. All that really matters there is where we are on the time. Well, Holly Rollo is a CEO, board member, and strategic advisor with over 30 years of experience in the tech industry. She's also the author of Power Surge, Five Ways to Supercharge Your B2B Software Business and Unleash Hidden Value, a practical guide for CEOs to transform their business outcomes. Holly, this has been fascinating. Thanks for joining me today.
[00:17:13] Thanks, Dave.
[00:18:11] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too. If you want to support the show, visit Patreon dot com slash MSP Radio and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech.
[00:19:07] Once again, thanks for listening and I will talk to you again on our next episode. Part of the MSP Radio Network.

