I always like to catch one or two attendees of an event after they get home to see what they came away with. I spoke with Jim Harryman of Kinetic Technology Group to get his reaction to an event that he has now attended for the third year in a row. If you weren't at ChannelCon24, I hope this gives you some FOMO and that we will see you at CCF and ChannelCon 2025.
[00:00:06] Welcome to MSP 1337. I'm your host, Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone.
[00:00:22] Well, it is that time. Welcome everybody to MSP 1337. This week, I'm joined by Jim Harryman of Kinetic Technology Group. Jim, welcome to the show.
[00:00:33] How are you doing, Chris?
[00:00:35] Chris, I'm good. I feel like we're just going to have to start saying these are the regulars. These are the regular guests. So that'd be like you, Charles, you and Charles. I think those are the two pretty much the regulars.
[00:00:49] We are fast approaching episode 200. I think we're like two shy at this point. And I wanted to take this episode since, you know, ChannelCon is, you know, freshly in the rearview mirror to just kind of get from someone that was there from the pre-days.
[00:01:06] Well, like we can even say the pre-day through like till Thursday. I mean, there were so many things going on and so many different tracks to explore. And I was just curious, like, you know, you've gone to now, is this what your third ChannelCon?
[00:01:21] Yeah, third time.
[00:01:24] Largely tied to being recruited by your peer group facilitator, right?
[00:01:28] That is true.
[00:01:30] So, you know, not necessarily going back in time to recap the last three, but to just kind of get your overall take on what ChannelCon was like for you 2024.
[00:01:45] Well, I thought it was a great event. I actually, looking back, I was the only person from our team this year that went.
[00:01:53] So, I'm wishing that I'd have taken some other folks because there was just a lot of nuggets to be had for everybody in various roles within our organization.
[00:02:08] And it just, you know, timing wise, you know, in the summer vacations and whatnot, it was just kind of difficult.
[00:02:15] But I think that next year we'll definitely try and get some other people there.
[00:02:22] I mean, I thought it was a great event. I spent most of my time anything related to incident response.
[00:02:34] That was kind of, you know, I mean, that was the big deal for me.
[00:02:40] I mean, it was definitely one of the areas that I felt we needed to improve upon organizationally.
[00:02:47] Not that we have no incident response plan or anything like that, because we do.
[00:02:53] Not that we haven't done tabletop exercises, because we do.
[00:02:57] But in visiting with our auditor through the Trustmark, that was one of the areas that we can improve upon significantly.
[00:03:07] So, we're going to be working towards that.
[00:03:10] So, speaking of sort of the cyber track or the cybersecurity track, you highlight a couple things that I was definitely super stoked about.
[00:03:20] I was particularly not sure what to expect.
[00:03:24] We've done the policy one before.
[00:03:26] Alex was involved in it.
[00:03:28] We've done the data one before.
[00:03:30] Well, I take that back.
[00:03:31] We have not done the data one before.
[00:03:33] We've done the Matt Lee, you know, how to dig into a safeguard.
[00:03:39] Sarah has done the tabletop before.
[00:03:43] But we didn't have the time commitments before, right?
[00:03:47] We didn't have as much time to work through this.
[00:03:49] And the thing for me, my big takeaway, and you kind of highlighted some of it, was just the amount of time that was invested into setting up a tabletop exercise.
[00:04:00] That I think, for me, and I was only able to be in there for a little bit, was like, you're actually walking someone through the exercise of creating a tabletop to be successful and not having it be like, let's make this overly complicated.
[00:04:15] And yet, even a, not to trivialize a tabletop, but like, a super simple one is still not, you still have to prepare for it so that it's not treated like, you know, so it's not treated like it's just an exercise or it's just a game.
[00:04:31] It's to prepare you, right?
[00:04:33] And I think, I hope that that was received because I was, you know, my heart was pounding because I was like, this is exactly what I was hoping for.
[00:04:41] Well, and I think those of us that were in that workshop, actually, well, both workshops really were, but particularly the one where we actually went through a prepared one that Matt Lee kind of ran us through as the dungeon master, right?
[00:04:59] I mean, it was, it was, it was pretty awesome.
[00:05:02] Right.
[00:05:03] That, I think everybody that participated in that particularly, I think their blood pressure went up a little bit.
[00:05:10] I think their heart rate went up a little bit.
[00:05:12] I think it, it, it definitely, it definitely had the stress of an actual event, you know?
[00:05:22] I mean, that, that was the, that was the thing.
[00:05:25] And the, and the, you know, the time clock and the moving on and it's like, well, we haven't finished yet.
[00:05:31] Yeah.
[00:05:31] Yeah.
[00:05:32] Like this is a Monopoly where you're like, don't touch the board.
[00:05:35] We'll come back to this tomorrow.
[00:05:36] This is like, no, that's not what the bad guys are going to do.
[00:05:39] They're like, uh, you know, it's late.
[00:05:41] I want to be involved still.
[00:05:43] So I'm going to just take a nap.
[00:05:44] Right.
[00:05:44] Like that's not how it works.
[00:05:46] That Seinfeld Risk episode where.
[00:05:48] Oh yeah.
[00:05:49] Yeah.
[00:05:51] I invented this.
[00:05:54] That's so funny.
[00:05:56] I mean, there was, it was great.
[00:05:58] I actually, uh, came back and, you know, met with my, uh, staff, particularly the ones that are, uh, involved in, uh, security for our company.
[00:06:10] And actually talked about that experience already once today and, uh, had them like, Oh, that sounds awesome.
[00:06:19] You know, boring ones that we've been doing and everything else.
[00:06:23] I do think that it's, I think it's important to, regardless of how you structure it or anything else, the important thing is, is that you do it and that you have the conversations and that you talk about the various scenarios that could, could possibly happen.
[00:06:38] Um, you know, and, and doing it more frequently than, than, you know, once a year, even, which is what most requirements are calling for, uh, by and large.
[00:06:50] But I think, um, I think it's something that could be done way more frequently than that.
[00:06:58] So, um, along those lines, you know, a couple of things that, you know, there's a lot of other things going on.
[00:07:03] There were, there are two more that I thought worth highlighting.
[00:07:06] Um, so Alex had done the policy with Matt the previous year and I was just, you know, the feedback that I got and some of the challenges that you have talked about and going through the Trustmark.
[00:07:18] Um, there, there was some areas that I think a lot of those participating had misalignment on how policies are supposed to work, how policies are supposed to help your organization.
[00:07:29] And so I was just thinking about like the, um, the examples that she gave, you know, like what, what's the purpose behind creating this policy.
[00:07:40] And I know we joke about it, but like, it's bigger than just removing the yellow highlight and changing company name.
[00:07:47] Uh, and, and it shouldn't be a 20 page document that's telling a whole life story on what it is that you're going to do.
[00:07:53] And I, I just thought she navigated that really well.
[00:07:56] Um, and there was definitely some, I don't want to call them hecklers in the room, but there were definitely a few people that were like challenging, you know, what should be or not be in a policy.
[00:08:06] Uh, like one example that, that comes to mind is, you know, making sure that the person who's creating the policy isn't the same person that's approving the policy.
[00:08:15] And, you know, like, well, what if you're a one person company?
[00:08:18] Okay.
[00:08:19] Well, maybe you should ask somebody else to also look at your policy.
[00:08:24] That's not in your organization to at least give it some sort of like, somebody's looked at this to make sure there aren't any holes in it.
[00:08:31] Um, you know, your attorney could be that person, right?
[00:08:33] That might make sense if you're a one person shop though.
[00:08:36] Um, we may have some other areas to focus on before policies.
[00:08:40] Anyway, sorry.
[00:08:42] No, you're, you're good.
[00:08:43] I think, um, policy, I missed that one, unfortunately.
[00:08:47] Uh, but, um, uh, you know, the policy thing, it is very easy just to take a template, change the name and move on just to say, Hey, I have this without really reading through.
[00:08:59] Or even though it probably applies to you mostly, uh, there's probably things missing.
[00:09:06] Right.
[00:09:07] Yeah.
[00:09:07] I mean, one of the best compliments I ever got from an, uh, an auditor assessor, uh, during one of our audits was, you know, probably our third year going through SOC 2.
[00:09:18] I put my policies up there and they're like, do you mind if we use these as templates?
[00:09:23] I'm like, well, they're the templates that you gave me.
[00:09:26] Right.
[00:09:27] I'm like, this is my, and they're like, well, this is weight.
[00:09:30] I'm like, well, yes, because we went in and we added the things that we needed to add and remove the things that didn't apply and actually put some work into the development of these things.
[00:09:42] And though they're not perfect, um, I, I think that it, you know, it, it's something that you have to take time to do.
[00:09:50] And, you know, I think you're, you're selling yourself in your organization short by just, you know, changing the company name on a, on a template.
[00:10:00] Well, and I think that's, that's the unfortunate, uh, world we live in is that there's a lot of pressure on an organization that needs policies around access control or, or any number of things.
[00:10:14] And, and that pressure is often driven from external sources, right?
[00:10:19] Like it's not, it's not you, Jim telling your staff quick, we need a policy for this because I said so, uh, you know, to your point about going through this with SOC 2 or pursuing some of these, that's one pressure.
[00:10:31] I mean, you obviously want to get it done, but I see the pressures that make this, um, scary.
[00:10:35] It's like, okay, we've got cybersecurity insurance.
[00:10:38] They're asking for policies.
[00:10:39] It's like, well, why does the cybersecurity insurance want these policies?
[00:10:43] That part's not clear.
[00:10:44] Um, especially for an organization that hasn't pursued or adopted a framework to help align their organization with, you're like, all right, cool.
[00:10:52] We're going to go down list from the SANS website or wherever the, uh, ChatGPT directs me.
[00:10:57] Um, and then go hope this passes muster with, with, uh, the insurance provider or, or clients.
[00:11:03] And I think to your point, I love what you said.
[00:11:05] They were their templates.
[00:11:06] You adopted them.
[00:11:08] You made them your own.
[00:11:09] And they're like, Hey, can we use these as templates?
[00:11:11] Which means you had to have changed them enough for them to not recognize them anymore.
[00:11:16] You know, like probably change the letterhead.
[00:11:17] I mean, that that's a dead, that's definitely going to make them not know that they're theirs.
[00:11:22] I definitely did that.
[00:11:23] I mean, that is, that is for sure.
[00:11:26] But, uh, yeah, I mean, there were just so many takeaways from, from the event, Chris, that, uh, you know, I, I, I learned about some, you know, I don't, I don't like to talk about tools and products, but I mean, there are some, some new players that, that I met.
[00:11:43] And though it's probably too early for us to really engage with some of them, I think, um, you know, just where they're at.
[00:11:52] Yeah.
[00:11:53] It's really cool just to see some advancements in various areas of things, including, you know, whether it's, you know, managed, uh, security operation centers or, you know, pen testing operations and just having some additional choices out there that, uh, have been pretty small, uh, by and large.
[00:12:15] And, you know, not always with the companies that everybody would like to deal with.
[00:12:21] So, you know, I mean, it's, it's just good to see, it's good to see that.
[00:12:25] And that's the thing I love about ChannelCon is that, you know, you, you can, every vendor is kind of up on the same level and they're, they're there to really, there, there's a track for them to, you know, on how to work with MSPs and so on and so forth.
[00:12:41] It's just, uh, I, I just really think that it's the most organic event out there for sure.
[00:12:48] I like that organic events.
[00:12:50] Like we're planning, you know, some, you know, green beans and hopefully they produce.
[00:12:55] Right.
[00:12:55] I, I love that you, you brought up the, the, the tech vendor fair.
[00:12:59] So, um, you know, I, I don't generally, you know, vendor fair.
[00:13:04] It's like, you know, especially when I'm busy and we have, you know, some of the stuff for, for CompTIA side that I might need to be doing at the same time.
[00:13:10] I had a chance to kind of walk through, uh, the, the tech vendor fair and I had, I had two takeaways.
[00:13:17] One, there's a lot more security vendors showing up than, than we used to see.
[00:13:23] And I don't think it's necessarily because security vendors didn't exist, but I think it's just the importance of security vendors to MSPs is skyrocketing right now, which I think that factors in.
[00:13:34] But the second one for me, and this one was, was one that it took me really the whole week.
[00:13:40] And since I've been home to do some additional exploring on some of the conversations that I had, I can't believe how many vendors that are legitimately giving the MSP.
[00:13:51] A free version, like no strings attached, no cost, um, for up to so many users, which I thought was interesting because like, if you're a three to five person MSP sub 10, there's a lot of challenges with considering or adopting a vendor's product.
[00:14:09] When there's costs attached, because you're like, well, if it's not a good fit for my five person MSP and our growth strategy is we're going to be 17 or 18 in two to three years.
[00:14:20] Well, you, you pick a product that's got you spending money and you haven't really had a chance to get, you know, intimate with it.
[00:14:28] Well, now you've, you're back to square one and what have you invested in?
[00:14:31] So I was just really impressed with the way a lot of the vendors have structured their pricing models to really open the doors to those that are serious about this.
[00:14:41] We're seeing it with the Trustmark, right?
[00:14:42] If a one man shop, one woman shop, or I self identify as a micro MSP, you know, what are the, you know, how do I, how do I go into, is there a barrier of entry just because my revenue stream might not be high enough for me to start looking at and adopting the tools that we need to be successful.
[00:15:02] And I just thought this, that was big for me.
[00:15:05] Like I, you know, in the last five years, I have not seen, like we talk about like, well, I'm going to use open source.
[00:15:11] Cause you know, that's free and you're like, yeah.
[00:15:13] And who's supporting it?
[00:15:14] You're like, oh, well I have an engineer.
[00:15:15] You do.
[00:15:16] Yeah.
[00:15:17] Um, how often does he work?
[00:15:19] Oh, he works like 97 hours on, you know, Monday, right?
[00:15:24] Like he, he works in parallels, right?
[00:15:27] So I don't know if you, you saw that, but I then saw something that I have not seen probably in my entire career.
[00:15:35] I could not believe in this.
[00:15:36] I'm sure this carries across other tracks because I was spending a lot of time in the cyber one.
[00:15:41] How many vendors that participated and were actively engaged in sharing their personal, I shouldn't say personal, their professional viewpoints, whether they aligned or didn't align with the company that they worked for to just be like, I want to be part of this community.
[00:15:59] And share my experiences to help you not make the mistakes that I did and, you know, improve your own business.
[00:16:05] I haven't seen it at that level.
[00:16:07] Uh, I, I mean, and I might be the exception.
[00:16:10] Maybe I just had blinders on, but I thought it was.
[00:16:13] Over the top.
[00:16:14] Just saying.
[00:16:15] No, it was, I thought it was awesome.
[00:16:18] And especially when you start to get to know some of these folks and their stories, especially the ones that have worked in or a part of, or started larger organizations that are, you see them at their own events.
[00:16:36] And it's completely different.
[00:16:37] It was really cool to get that side of, of those folks and their stories.
[00:16:44] Multiple times.
[00:16:45] I, I was like, ah, I don't know.
[00:16:47] I don't know if I want to listen to, and I know we weren't, you know, getting sales pitches in those things.
[00:16:52] Right.
[00:16:52] And so, but it was like, well, what exactly are they going to talk about?
[00:16:56] And then it was like, oh, well, this is, this is relevant to me today, yesterday, and probably two months from now.
[00:17:04] So I'm taking notes, you know?
[00:17:06] And so it was, it was great to see that.
[00:17:10] I think that the, the engagement with the overall CompTIA community, but particularly, you know, the MSP side of things was, was, was really great.
[00:17:23] Just the, the active involvement from, from the channel in that regard.
[00:17:29] Yeah, there was a, there was a panel that Wayne Salk moderated that had, and I, I'm not going to get all the names.
[00:17:38] Kimberly Simon, Natalie Suarez.
[00:17:41] There were four of them.
[00:17:43] Lawrence, I forget his last name.
[00:17:45] And there was one other person.
[00:17:47] And I just.
[00:17:47] That's the one that there was supposed to be a Senator there.
[00:17:50] And then he got.
[00:17:51] Yeah.
[00:17:52] I believe he had, he ended up having problems with his voice, but yes, that, that would have been.
[00:17:57] I was in that.
[00:17:57] I was in that one.
[00:17:59] Yeah.
[00:17:59] I, I really enjoyed hearing the, it was very much not a talk down to the room, which sometimes happens with a panel, especially a panel that's got vendors on it.
[00:18:11] It was very, I thought it was a very humble conversation that you almost felt.
[00:18:16] I mean, that room was packed and I don't care where you were sitting in that room.
[00:18:20] It felt like you were being kind of like, you were in a chair that was in somebody's living room and you were really hearing the genuine, like, this is my experience.
[00:18:29] This is how I would tackle that.
[00:18:31] And I, and I thought that did a really good job of setting up the rest of the event for me.
[00:18:35] I just felt like that just came out really, really well.
[00:18:38] Yeah.
[00:18:39] I, I really enjoyed that.
[00:18:41] And I think, you know, Wayne does a great job of, of positioning questions in a way that, you know, really kind of goes out.
[00:18:48] And, and I just, I appreciate that about, about him and, and my experience of working with him has, has been that way as well.
[00:18:57] I mean, he's, he asked the right questions and if he doesn't get the answer he's really looking for, he, he will dig a little deeper, you know?
[00:19:07] Right.
[00:19:07] So I think that it's really, really cool.
[00:19:10] And he did a great job of that.
[00:19:12] And the, the folks that participated were, you know, just the experience that they've had in the, the various areas that they work in and whether their MSP is doing this or whether they work for a vendor or what, you know, it was just, it was just great, great information.
[00:19:30] And, and, you know, different, different thoughts, different strategies.
[00:19:34] I mean, there, there was a lot of agreement, but at the same time different approaches, right?
[00:19:41] It was, yeah, it was, it was really good.
[00:19:44] The, so I took the, the risk management workshop on the last day.
[00:19:49] So what I, what I had eye opener for me is I apparently have to give a risk management workshop coming up next week.
[00:19:58] And so I thought it'd be a good idea to, you know, make sure that I heard it from the horse's mouth, exactly what I need to be talking about.
[00:20:06] And, you know, there were two things that I took away from the, the two and a half hours and it's like a, well, it was longer than two and a half hours, but like it's a, it's roughly, it's a five module.
[00:20:15] Each module is about 50 minutes.
[00:20:17] If you were to go really extend it out.
[00:20:19] But the first two modules to me are perhaps the most important, you know, understanding risk.
[00:20:25] Right.
[00:20:25] Right. And the first thing Wayne does is he goes into the definition of risk, like straight out of the dictionary.
[00:20:32] And then he looks at it through the lens of like an insurance company, which of course is going to take it into the financial space.
[00:20:36] And then you spend the rest of the time really talking about what does it do to a managed services company?
[00:20:42] That's got a lot more at stake than just whether or not you can run payroll.
[00:20:46] And there were some things in there that I thought were really interesting that I think apply to all of the MSPs going through the Trustmark,
[00:20:52] or we're just there to take in the cyber tracks.
[00:20:56] Do you know what your risks actually are?
[00:20:58] Or are you buying security tools and hoping that you don't ever have to talk about the risks that they're potentially protecting you from?
[00:21:07] Yeah, it's, that is, that is a hard thing to do.
[00:21:10] When we first started down our audit journey, that was the hardest thing for me to wrap my brain around was doing a risk assessment beyond just the technology and the cyber side.
[00:21:28] Because I really hadn't thought about all those other types of risks, you know.
[00:21:35] And so I took that workshop last year with Wayne and came out completely, with a completely different mindset about how to look at risk.
[00:21:46] And because the, that year during our audit, they said, you know, we'd like you to start expanding upon identifying risks beyond just the technology side of things, beyond that.
[00:22:03] Looking at it from a full on business perspective and how, I mean, technology still may be a solution or something to mitigate or reduce the risk that you have.
[00:22:16] But it's, it's not always the answer.
[00:22:19] And we have to look at those things through the, through the various lenses that, that we have to, to analyze that and identify those risks and what they, what they really are.
[00:22:35] I mean, whether it's financial risk or, you know, physical risk or whatever the case may be.
[00:22:42] I mean, it, it all exists.
[00:22:44] We have to identify it and, and deal with it.
[00:22:48] Or at least understand, understand that.
[00:22:51] Right.
[00:22:52] So this came up more times than I care to count.
[00:22:56] We do, you know, business continuity, disaster recovery, incident response.
[00:23:00] This conference, I had it said repeatedly, and I think it's really important is business disruption.
[00:23:06] Not like we got business continuity, but what about business disruption?
[00:23:10] What does it, what does it mean when you can't work?
[00:23:14] And we can't just say like, oh, well, I have a plan for my IR plan or my, my business continuity plan.
[00:23:20] Like, yeah, but what if you can't?
[00:23:22] What, what does that look like?
[00:23:24] What, what kind of communication do you say?
[00:23:25] Like, Hey, it's Tuesday.
[00:23:27] There's no power.
[00:23:28] There's no internet.
[00:23:29] There's no like, or you could use pen and paper, but like, what does that look like?
[00:23:33] What, how do you like share with the team?
[00:23:36] I thought that was interesting.
[00:23:37] So a quick recap to correct.
[00:23:40] So it was Meet Me at the Intersection of Security and Compliance that Wayne Salk moderated.
[00:23:43] And the name that I was missing was Blair, Blair Dawson.
[00:23:50] She was the other person.
[00:23:51] So Lawrence, I don't remember his last name, but Blair Dawson was the one that I was missing.
[00:23:55] I thought that was a great session.
[00:23:58] I know we talked a lot about the cybersecurity side of this.
[00:24:01] Obviously we had the keynote with Kara Swisher.
[00:24:04] That was like very in some respects kind of dark.
[00:24:09] Like there was definitely some, uh, some dark humor there.
[00:24:12] Like, yep, they'll just go away kind of thing.
[00:24:14] And I thought that was, um, wasn't what I expected.
[00:24:17] I thought it was, um, it was very entertaining.
[00:24:20] And I thought she said some really, uh, eye-opening things that all of us should probably, uh, think
[00:24:25] hard, uh, you know, think hard on, uh, I did pick up the book.
[00:24:29] So I'm going to make it a point to read that, uh, any, any closing thoughts, anything that
[00:24:34] I missed.
[00:24:34] I mean, obviously the wind down was amazing because there was plenty of beer and wine for everybody.
[00:24:39] Dude, that was, that was the most incredible, um, wind down event, whatever.
[00:24:46] I mean, that, that was that in the three years that I've been, that was by far the best venue.
[00:24:51] Um, and just the best overall evening experience.
[00:24:56] I mean, I, I thought it was, was awesome.
[00:24:58] The aquarium was great, but to your point about the wind down, like, uh, in, in, in most
[00:25:04] events, the last night is usually the least attended.
[00:25:08] Right.
[00:25:09] And this is like late afternoon on a Thursday and that place was packed.
[00:25:15] That's, that's awesome.
[00:25:17] Yeah.
[00:25:17] I think my final thoughts is like, if you're, if you're not engaged with CompTIA, I would
[00:25:23] say that it's, it's worth getting engaged with CompTIA.
[00:25:27] It's worth getting, uh, involved in the community overall.
[00:25:32] Um, I know for, for folks like me, that that's just not in my DNA and it's really hard for
[00:25:38] me to step out and just meet new people and, and do all that kind of stuff.
[00:25:43] But, uh, it was, it was a great personal experience, professional experience.
[00:25:48] I think that, uh, uh, we took a lot away from, uh, from there that I could bring back to
[00:25:55] my, my team here.
[00:25:57] And, uh, it is just a great value value.
[00:26:02] They bring a great value to, to that for, I mean, it's virtually free.
[00:26:08] I mean, I mean, it's $450 to be a member of CompTIA for the whole year, for all your employees,
[00:26:14] for all of our events, you know, if you can get to them, you know, there's three of those
[00:26:17] for you.
[00:26:18] Um, but you failed to mention one of the takeaways that you, or brought back to, to,
[00:26:22] to Texas is, uh, I think your wife bought all of the stuffed animals that were available
[00:26:27] in the gift shop there.
[00:26:30] Yeah, that was, uh, that was, that was pretty funny.
[00:26:33] Yes.
[00:26:34] Yes.
[00:26:35] Yes.
[00:26:35] Cute little stuffed animals for the grand babies.
[00:26:38] That's, uh, that, that's awesome.
[00:26:41] Yeah.
[00:26:41] That was fun.
[00:26:43] For those of you listening, this has been an episode of MSP 1337.
[00:26:46] Uh, thank you so much and have a great week.
[00:26:49] Thank you.

