Compliance Challenges 2025
MSP 1337, January 14, 2025

Actual compliance challenges in 2025 are heating up with clients now asking for evidence and proof on how their MSP is helping them meet certain safeguards for regulatory requirements and insurance. Join Josh Hohbein of CentrexIT and me as we discuss the opportunities and challenges surrounding compliance and roles and responsibilities pertaining to the role an MSP plays in helping their clients and themselves comply with frameworks and safeguards.

[00:00:06] Welcome to MSP 1337, I'm your host Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone. Spanish, for English, stay on the line. You're like, well, we were going to stay on the line anyways. When I worked at a call center, that was like, we had a script where if somebody started speaking Spanish to you,

[00:00:33] he would just say, you know, no hablo espanol, uno memento por favor. So I said that and the guy's like, I don't know, that sounded like pretty good Spanish to me. He like called me. I just used all of my words. That's like when traveling to a foreign country, you should at least know the basics. I'm like, I'm pretty sure if I cross my legs and point, they're going to know that I need a bathroom and I don't have to use any other words to describe the destination that I particularly need.

[00:01:02] And it's in their best interest to get me there as fast as possible. All righty. Welcome everybody to another episode of MSP 1337. I'm joined this week by Josh Hohbein of CentrexIT. Did I say your last name right? I'm not. It's okay. Is it close? No one gets close, you know. I was like, I think it's at the last second I looked at your name instead of having it already in my head. And I'm like, wait, Josh, Josh, Josh, you know, it happens. Thanks.

[00:01:33] So we've been, you know, we're in 2025 and we've started kind of down this path of businesses or the MSPs are talking about, you know, strategy for 2025. And we often talk about cybersecurity as if it's a part of, you know, the business function. But the reality is when you look at holistically at a business and their strategic initiatives for a given year

[00:02:00] or goals within the business of a trajectory of maybe six months or 12 months or however long it is, how does cybersecurity fit into that? And I think what's really interesting, as you and I were talking about this before the show, besides our ability to spoof foreign languages on auto attendants,

[00:02:20] is that there are things that are being dictated to us or dictated to the MSP that is not coming to you direct, right? It's a client ask, not a I am regulated and therefore I must comply with. So, you know, you were sharing a little bit like, hey, some of our initiatives for 2025. And, you know, one of the things that we've talked about in the past and, you know, as a trust mark holder yourself,

[00:02:50] the compliance component, right? You chose to comply with the cybersecurity trust mark. And I'd just love to hear, you know, what you've kind of heard as we went into the end of 2024, some of the challenges that you're facing that you're actually being brought into the conversation at the last minute as it pertains to compliance and how that's impacting, you know, CentrexIT. Yeah, there's actually a couple instances recently of a handful of our clients going through various audits.

[00:03:18] There was one is going through a PCI audit and we're kind of getting brought in here and there. And, of course, you know, everything is, hey, we need this right away. And they're getting, you know, going through all this and realize how extensive it was. And then there was a client who not so much regulatory one, but after some business issues they had prior to or about to bringing us on, they just wanted kind of a holistic view.

[00:03:45] So they paid for a rather sizable assessment and very in-depth. And, of course, you know, because we're in charge of managing their infrastructure, we got brought into that and they were assessing us as well. And the best thing about, you know, going through there is, you know, they're going through saying, hey, we need you. These are the controls that we're addressing and looking at. And we need you to upload the evidence of all of this stuff. And it's like, you know, 50 items. And, you know, the client is looking at it like, oh, this is going to take a while to get.

[00:04:13] And then when it comes to our turn, I'm like, we literally just went through this. I have all of most of this stuff like documented already. Like, give me two hours and I will get it over to you. And then it would be really translated well to like, hey, we, you know, we have our stuff together. We've we've gone through this. And it was a huge mark to that. And I think that was a good sign for the client as well to where, you know, they're just going through this journey.

[00:04:38] And a lot of what we brought them in, you know, we have our own IT assessment and our maturity model and questions and gap analysis that we do with them. And a lot of that was the same. Right. And we're going to work with them and roadmap and these things. But, you know, for them to kind of like, oh, crap, this is a lot of work. And then to see that, hey, this is, you know, we have this handled. We're already doing. I think there's a pretty dang good feather in our cap to have that on as well.

[00:05:06] So to drill down a little bit into some of the specifics, not necessarily I'm not going to ask you who the client is and at that level. But, you know, one of the things that I've seen quite a bit of is clients having to satisfy questionnaires or surveys or to your point, they've gone through an assessment and they need to produce evidence in some way, shape or form. But then they are also being asked, you know, the who and the what.

[00:05:30] So, like, for example, the question might say, who is the individual responsible for your network? Did you get questions like that in this particular case around those types of things? Because I think there's a disconnect right now and the questions that are coming versus whether or not as an MSP you can actually answer the question when, you know, you're not going to say, oh, well, I could say CentrexIT manages the network.

[00:05:54] But I can't say, you know, that I, Josh, take full responsibility for a client network because, well, it's not your network. You're only responsible for making sure it's being managed. Correct. And we when we work with our clients and we make that evident as well. I mean, as again, as part of our onboarding, I mean, we literally have them designate a security officer and point of contact. And for those things like, hey, this is a relationship, a partnership. This is what we'll do and do it to the best of our abilities.

[00:06:23] But at the end of the day, like this is your data. This is your network and you have to take a responsibility to it. So when it comes to answering those questions, I mean, it's we typically put the POC down or whoever the designated security officer is and then, you know, add like, hey, you know, I'm responsible for it. But, you know, Centrex helps me manage it. And then it usually leads to more questions on our, you know, proficiencies and exactly what we're doing and the separation of duties or not even separation of duties, but maybe more responsibility matrix or everything that we're doing.

[00:06:53] And maybe it is like 95% of it and it's just like the 5% is the POC is aware of this, right? But at the end of the day, still, it's the client who owns it. It's theirs. Right. They're accountable, not you. Yep. Right. Exactly.

[00:07:23] So you've got to have somebody. Are you finding, though, that the organizations are quick to give you a name or a point of contact? But the reality is that even though they're accountable, they really have no idea what you're talking about. Sometimes, though, when I'm going through and doing policies and procedures with their clients, that's where it usually comes up in. Like we're making a who to call like a stakeholder list. Like, okay, so I got the CFO or the head of IT on this.

[00:07:52] So it's like, okay, when, you know, who would be responsible for this particular thing? And it's usually them. And it's like, okay, well, now crap is at the fan. We need to involve more stakeholders. Like, who are we bringing into this? Who are we responsible? Like, we need a name and a number to put down on this. And then they're like, oh, well, you'd probably be them. And then it's like, okay, well, like, are we going to let them know? You know, so we could put them down on this.

[00:08:21] But like the other part of it is, you know, not just implementing the policy. But then it's like, hey, we're going to do a dry run of this. Like, we're going to test it. So like, we can't just write this down. We're going to put it in action here. And I think that's where that comes up most often. So with that in mind, you're making me think that maybe we're at a point where, as an industry, you know, the MSP space that provides these services into different types across many different verticals.

[00:08:49] Is there perhaps an opportunity to create some sort of like description around, you know, I've made you, you know, client X, you know, Acme Corporation. I need your who's accountable for your network. You know, the ISP services go down. You know, what does that look like? I, the MSP, can tell that you no longer are connected to the internet. I've reached out to point of contact.

[00:09:15] But point of contact has, without some education or like, hey, you know, burden of accountability here, who's your ISP? If you were to ask this point of contact, you know, do you have, you know, Spectrum or do you have AT&T? And they're like, for what? What? Your internet that's down. Oh, I don't know. And then is that a reflection, you know, of it hitting the fan that puts some burden on you, the MSP?

[00:09:43] Or is that a lack of clarity and understanding with the client? I kind of feel like there's a mixed bag here that often gets overlooked. I'm just curious as what you're seeing. Yeah, I would think that's a little bit of both. And, you know, when we're going through the policies, that's literally like we have network team and server team and application team. And some of our SMB is like, it's the sustained person for every one of them, but at least having that understanding of it. And it's not just who do we call it? It's okay.

[00:10:13] Well, not only are we calling this, but we have like the ISPs number or the account number. Like, again, these are all if we- Letter of authorization kind of things. Yeah. Like what's the code? Things like that. So it's like, if anything happens, we literally look at this piece of paper and it doesn't matter who's in charge or whatever. Like, you know, this is the, you know, this is like the numbers and stuff to call. But I think it is a little bit of a joint responsibility because yes, it is on the client to know that,

[00:10:41] but they're not in the trenches. They're not doing this every day. They're not thinking about those sort of things. So that's where it kind of falls onto your MSP who, and really what we're seeing is way more of a technical and a cybersecurity advisor role, more so than a break fix, right? And bringing these and having these conversations with the clients and, you know, creating them because if you're not and something hits the fan, like, well, if your client already doesn't have that documentation, you don't have that documentation.

[00:11:11] Now it's taking longer for you guys to solve the problem and get them back up and your client is suffering for it. And whatever KPIs, SLA service, you know, you want to call, your techs are getting frustrated at a lack of documentation and a lack of, you know, being able to fix the issue. And now the clients are, the end users are calling you guys more and it's just not a good thing to have for anyone.

[00:11:36] There's finger pointing so it can all be solved by just, you know, writing down on a piece of paper. Sure. I just made up a new acronym. It's called the ARM acronym, which is advisory role mapping that, and, and there didn't need it to be an acronym. I just, when I wrote it, it said ARM. So there you go. New acronym. See if it gets used on LinkedIn. We could flex that arm. That's right. That's right. Flex that arm.

[00:12:02] But, but I, I, I say it in that way, the advisory role mapping. I think that within most MSPs, there are unique areas of expertise that have to often get shared to one, to the same point of contact or to several people. But when I, if I was a point of contact for, you know, Acme Corporation and my service provider goes down, do I understand from a, from a, how I can escalate to get support for something like

[00:12:32] that, to make sure that I'm contacting in the right way to the right advisory role? Because, you know, let's be honest. Like when, when I need support, my account rep might not be the best person to call on their cell phone to say, Hey, I don't have internet services. And they're like, well, I'm playing golf. Right. Like, you know, like, all right, you're fired. You're not my account rep anymore. I want a new one. It's like, well, we only have one account rep. Um, but you didn't call our support line.

[00:12:59] You didn't call, you know, any of the, the ways in which that you could have put and been put in touch with the right advisory person to, to give you direction on, Hey, maybe it's best if you call the spectrum or AT&T phone number. Um, because maybe it's as simple as because you are the account holder and they're like, Hey, we can, we can see that you're online. Um, well, that'd be a great information to know because then, then they could have shared that potentially, you know, with you.

[00:13:24] So I, I'm just, I feel like that the world that we're living in today has a lot better, uh, visibility or clarity around when things do happen. It's not this, you know, vortex of like, have you tried turning it off and on again? Like there's just, we know more information than we used to. So, so the next question I have is if I were to go back in time with CentrexIT to a year ago or a year ago, plus, were you having these same conversations with your clients around compliance?

[00:13:55] Um, I would say a year ago, yes, but we've done it more and more and more practice. So we know how to speak to them better and how to, um, I guess how to traverse them. Um, I think better just with the experience and even the experience, the exposure that we've gotten to see as well. Um, you know, if we back it up two years, I would say the answer is probably different.

[00:14:21] Um, I knew speaking with other MSPs too, there's, um, you know, a lot of them, the only time compliance gets mentioned is when the insurance cyber insurance from dual comes at the end of December. And it's, Hey, I do what you can you check these boxes for me? Can you fill this out and based on bad things that have happened over the last 12 months, we've now added, you know, 25 new questions that we don't know the answers to, but we're hoping you do.

[00:14:47] And, and then, and even that too, um, it's like, we shouldn't just be blindly answering those and, and, you know, renewing it. Like what are you, what is being covered? Like, why are they asking these? And obviously we can answer it, but then going back and like, is your, you know, cyber insurance is your policy actually covering and helping you with what you need to do. And, and just kind of digging in a little more, we're having more and more of those conversations

[00:15:13] now, because, um, I mean, there's two times to have them, uh, when it, before, before an incident happens and we can, we can at least, even if no action is taken, we at least have the knowledge, right? We have an awareness. We have an awareness that we either accepting this risk or we're, we're choosing to do this or, Hey, maybe we do need to change this out. Uh, or when the incident happens and you find, Oh, I thought I had insurance. Oh, I'm, I'm only covered for that amount. And, oh crap. Why didn't you tell me this? Yeah.

[00:15:43] Isn't it pretty common? Anytime someone pays off their car that they dropped the coverage to something less than full and is what you've dropped it to a coverage that you're accepting as comfortable or as just because it's less than full, you didn't ask any more questions. I almost fell into that trap. Like I had my car paid off. I'm like, Oh yeah, I'm going to save a bunch of money every month. Cause I'm going to switch to like liability insurance. And I'm looking at, I'm like, but my car's paid off.

[00:16:09] Like the amount that I would save versus like keeping full coverage. And if anything happens, like I'm, you know, my car's so good. Like, yeah. Not to mention that there's, there's usually an in-between like comprehensive that will handle things like I hit a deer, not another car or a tree fell on my car. And then if the car wasn't in your driveway at your house, well, then homeowners insurance doesn't cover you. And I think it's interesting.

[00:16:36] We will ask more questions still today around homeowners insurance, flood insurance, fire insurance. And at the very least we ask for those things to be included in our policies. Right. But when it comes to cybersecurity, when was the last time you heard anybody say, does that cover for, you know, PR like reputation? Yeah. Like what, what's included in this?

[00:16:58] No, we, we often see the decision-making being made around that policy is really in my price range. That makes perfect sense to me. I like, Oh, I'm going to buy that one. Yeah. And you're like, well, that's cool. So you need to use it. And what does it cover? Oh, it, it, well, it doesn't cover anything that I need it for. So awesome. I'm paying for something I can't use. It's like, it's like buying a, a subscription to, to some sort of streaming entertainment only

[00:17:27] to find that the show you do want to watch is not available through that streaming service. Yeah. Oh, calling you out Hulu. Yeah. Right. That's always the one like, Oh, I can watch this. I have Hulu. Oh, but you need Hulu live with sports. I'm like, or, or worse is it's the, as the other ones where it's like, you see it through like the Apple TV. And it's like, if you have, would you like to trial a paramount plus with, you know, show time? And you're like, wait, I got to have like three things trialed to get to the one thing.

[00:17:57] And like, where's it going to show up? Like, there's no like pop-up that says to call support and get the right streaming. Yeah. We're all going to go back to cable. I think it's inevitable. Maybe that's it. Maybe we just said, not only did you invent an acronym on this, you invented another position is just a, an MSP for streaming services that helps you get the right one. Like, Hey, I want to watch this service category. I feel like though MSPs in general are going to say no to that because that's probably residential.

[00:18:24] So unless you're listening and you cater to the residential space, if you cater to the residential space, have I got a new service offering for you? Absolutely. So you, you touched on something that I thought was really interesting in the, in this sort of navigating, um, compliance. And you had mentioned, you know, one of your clients going through a PCI audit and the things that you did because of the experiences you had of building out your own documentation with the cybersecurity trust mark.

[00:18:53] Um, but you mentioned something that I thought was interesting first time for them on this journey. And so, you know, I think everybody falls into this camp at some point in time, especially if you've never done any sort of a assessment through third party, because you've never had to answer for showing evidence. Are you finding that you get a lot of, uh, I don't want to say resistance, but maybe friction is the right word around.

[00:19:20] Hey, Josh, I thought you guys were already managing that level of data for us. You were already collecting or providing the, you know, six months worth of, of log files. You know, like, well, no, we're doing the default, which is two weeks. You aren't paying for 90 days or six months or a year. Has, has that been a challenge or do you get a lot of like, oh, well then let's make those changes. Um, I would say so far it hasn't really been a challenge because again, one of the things

[00:19:48] that, that we do is we understand that our clients like need. So like, for example, we know, Hey, if a client is HIPAA, then some information needs to be kept for seven years or six years and things like that. So we're trying to get ahead of those. Um, why I think where it comes in is the, the in scope versus out of scope. For example, the, the PCI is a good one where we don't really do anything with the POS is, uh, POS devices. Right. And well, the logs need to be retained for a year.

[00:20:18] Okay. Ask your point and ask your POS. So it's like what logs, but then like, if the user has access to it, so that's where we're getting the challenges. We're really getting into the weeds. And I think that's an appropriate challenge to have where like no one's pointing fingers. We're all on the same team, just trying to get the right things. And, and maybe where it's like, this is where, Hey, like we have a pretty good idea of compliance. We can read the safeguards and things like that, but we're not, you know, trained to

[00:20:45] assessors and trained auditors, nor should we, because we're the ones managing and protecting the environment. We should not be the ones assessing it. And now we're, we're going to have our own assessment to make sure that you meet our internal standards and do a gap assessment and things. But for an actual regulatory, like, you know, we're going to defer to, to, uh, somebody who's, who's trained in actually doing those assessments. So, yeah, I don't think, uh, or so far it hasn't been a, Hey, I thought you guys were doing this. Uh, it's more of just kind of a letter of making sure that it's, uh, you know,

[00:21:14] the, the shared responsibility and the more of the specifics. So let me ask you a question. Uh, you're obviously very familiar with the, uh, what we now call the GTIA cybersecurity trust mark. Uh, you have it, you're waiting on your assured status and, uh, I hope to have that come your way soon. Question though, on, on that whole sort of, uh, initiative around, um, the, the evidence collecting, if you will, like what you went through from an, from an evidence standpoint,

[00:21:44] uh, raises the question of, of whether or not these are things that should be applicable to your clients. Like for example, you, you mentioned the, the HIPAA framework and, you know, we, we know that coming out here, it's in public comment right now. Uh, there's some dramatic changes, if you will, being made to the omnibus rule for those that have to meet those requirements. And what I found interesting as I was going through it is that I'm seeing things like MFA

[00:22:12] needs to be implemented and data encryption and some other things that we would argue are probably more in that cyber hygiene space of like, should already be doing. And I was just curious, like, as you're going through the, the POS one, um, I'll start with POS before we go to HIPAA. Cause I think POS is one area where your burden of responsibility is actually probably significantly more narrow in scope because they have a point of sale system and it's

[00:22:39] all about how does that system access the internet and what, you know, terminals that can make. And I'm just curious, like the things come up like, Hey, um, are there point of sale machines VLAN can the end users get or process, you know, credit card transactions from the machines that you're managing? Was that part of that like challenge for you with PCI? Um, not a challenge, but just to, to make sure. And that was the one where like, yeah, the made sure that they are on a separate VLAN

[00:23:08] and, um, like it's completely, you know, it's separate and they're using certain devices that we wouldn't even be able to put on our arm anyway. So it's, um, yeah, like, but, but then you run into things like, uh, you know, I'm, I collected, I put a credit card into my browser and I hit save. And now we're doing the PCI audit and this data is coming back showing, you know, credit card data living in cache or save to browser.

[00:23:36] Uh, are you finding that today it's easier to have the conversation with the client about what they shouldn't be doing rather than kind of blaming you for how did you allow this to happen? Um, yeah, I, I definitely think so. And I think that attributes just to how much, um, news and, and cyber awareness is being put out there for better or for worse. Uh, one of the examples recently, I'm sure if, if anybody has a Facebook, you saw it going

[00:24:04] around that police departments were warning people of brushing scams and, uh, you know, Hey, you, you get this Amazon package and you open it up and you scan the QR code and they have everything and us in the security firm are like, that's not how it works. But at the same time, like these are being shared and people are being aware that like nothing's safe anymore. And we should be aware of this. Maybe the, the message isn't the best and it's obviously, you know, not how it works,

[00:24:31] but we're seeing more and more security, cyber security being top of mind. So it's more of how, what else can we doing? Um, and then there are still some clients out there who, you know, subscribe to our training just because they're checking a box. And then they're like, well, why am I wasting five minutes of my time looking, looking, uh, or learning about pig butchering? That's never going to happen to me or it's never going to help me with my job.

[00:24:58] And, you know, if you take a step back and like, yeah, yeah, it will, because people lose billions of dollars. And if you do fall victim to that, like, you don't think that's going to affect your job at all. Like we just saw that happen. And I want to say it was California, the, the individual that is now suing three separate banks for failing to do consumer best practice fraud alert on how did they allow this many bank accounts to get created without ever verifying or validating that there's anybody or anything behind these accounts.

[00:25:29] Yeah. It's, it's interesting, you know, um, brushing pig butchering. There's a lot of these scams that really are evolutions of the Nigerian prince, uh, facts. And it got me thinking like, you know, as we approach this from a security perspective and, and I would love to hear how you guys are approaching 2025 for that. Um, but real quick on the HIPAA one, you know, I, I feel like the more we see frameworks, regulatory frameworks get pushed out.

[00:25:56] We're seeing the evidence crystal clear that the things that those who are participating in like the comp or the GTIA cybersecurity trust mark or others are already saying you have to do these things, right? Like it's not new. What it is, is I think educational and reinforcing what you've been trying to accomplish. And now you've got more, uh, I can beat with a stick and have you recognize like, Hey, no, look, look that direction.

[00:26:24] You know, like I'm going to turn your head so you can see that this is what the expectations are to be in business versus a year ago where it's like, yeah, make sure you just use unique passwords, like, and change them every once in a while. Like I know it don't make it inconvenient. Like, you know, as long as it's a couple of words and a number, maybe a birthday, like you'll be fine because it's long enough character string and it's got enough capital letters in it, but that's not, that's not the reality anymore. Right. And now it's being that education component is being done for us.

[00:26:54] And I think that will hopefully really help, you know, drive this forward where you don't have to be the bad guy. You can be more of the, you know, the, the champion that comes in and says, and we can help you achieve those requirements that you can continue to operate and not have this be, you know, more than an inconvenience. Cause inconveniences, we deal with those all the time, but make it so that I can't do my job. That that's where we, I think as MSPs have the opportunity to take care of what is largely

[00:27:22] perceived as it's just overwhelming, too complicated and no one will do it. All right. Last thing, as we wrap this up, talk to me about how you're changing your security offerings in part, I think, because you've figured out through going through the trust mark and some other things that you need to package your service offerings differently, if not completely

[00:27:48] revamp, rip and replace, not so much the products and services you deliver, but the way in which you work with your clients, is that a fair assessment? Yeah, absolutely. I mean, it's one of those, like, we shouldn't be wasting time on calls and trying to get people to understand that the security is important. If they're hiring us for a job of taking care of their network and keeping them secure, then there's a minimum amount of tools that you need to do that to pass the negligence threshold

[00:28:14] and, you know, whatever your, your stack looks like to meet, um, you know, at least based cyber insurance requirements, uh, those just need to be included. It's no longer an a la carte, no longer a, Hey, you should have that. And it just leads to poor relationships. You know, if a secure, when a security incident happens, if when a security incident happens and you go, when you're like, well, you know, it was part of the cap, uh, like you could have had, you know, our advanced monitoring and we would have caught it. But because you said no, like too bad. So sad. Like that just looks terrible.

[00:28:44] Like it should just be, Hey, like we got your back because there's no guarantee either. Right. It doesn't change. Like just because you could have put those in place. So yeah. Yeah. I like that approach. Do you think that you're getting into the space of recognizing that negligence and ignorance is no longer such a low bar where the, the expectation is that you're my MSP.

[00:29:11] You're going to provide some layer of security, regardless of what packages I quote choose. But now if I understand you correctly, we're, we're getting into a space where we can no longer, uh, it's not so much their negligence as it is ignorance, right? Like they, they don't know the difference between defender and needing to layer something on top of, or in, in, instead of because it doesn't meet for their business type, the industry that they're in, or just because the, the evolution of threat surface changes

[00:29:40] all the time. How do you stay up on it? Are you running in? Do you get the resistance? Like, I would think that based on what you're telling me is two things are going to happen. One, you're saying that rather than having to put myself in a position of negotiating or, or, uh, separating out to get a price point of a package to the, the right threshold where they're like comfortable with the, the dollar sign. You're more focused on the clients are like, I need these things.

[00:30:07] And you're like, well, in order to achieve that, that's what it looks like. And they're either going to say yes or no to that rather than yes, but. Yeah, no, that that's a hundred percent is we're, we're focused on, you know, selling solutions. And as part of that solution, it's, you're going to have a, a good level of, um, cyber maturity, just, you know, off the bat. Right. And we don't expect, I mean, again, that's why your clients are going to an MSP.

[00:30:37] They're not going to know the difference between the defender levels. And, uh, you know, if you need this or what, what SIEM to use or what EDR to use, just like, they might even not even know those words, but. Should they even kill? Sure. Yeah. Uh, they have other things to. I mean, like, please explain to me the acronym that is SIEM so that I can make a better decision on the proposal you put in front of me. Exactly. Uh, it's no, Hey, like when an incident happens, uh, we need, if we have the right logging, then we have the right evidence.

[00:31:06] So we can be sure that the, we've covered the root cause analysis in order of complying with frameworks. Like, and you're just going to get that. So last question, and this, this might come across as strange. Consider this, uh, this might be my today's first dumb question. Um, maybe not for me, but like it said, so I keep thinking about this and I think that the evolution of an MSP today is that I can provide services into a client that does not

[00:31:35] involve me putting in any tools at all whatsoever. I am just there to help guide and improve their decision-making process around the things that they need to protect their business. Is that a fair, is that fair? Yeah. I mean that to me, that would go to like a vCISO or a vCIO type service. And that can be something that is of value is you have somebody like a, an organization

[00:32:02] that might have an IT guy, like singular, or maybe one sysadmin and, uh, somebody helping him, but they not might not really understand the, the strategic or the road mapping and, or they just might be like putting fires out all day and not realizing what gaps and things. So just kind of blinders. Yeah, exactly. So trying to, to let them see yourself. So do you see, you know, CentrexIT, like as part of the evolution of, because you've

[00:32:32] achieved the trust mark and other things that you've had to go through that were, whether they were regulatory based or just even insurance questionnaires, where you see as an organization that you're providing more of the, uh, leadership and guidance and that the IT services are really becoming a secondary because I would like to think that in 2025, the IT side of offering

[00:32:55] IT services is not a very complex model anymore because you either have the skillset internally and can do it and you have the resources to do it, or you're outsourcing to the, the resources and vendors that can help you achieve the same end goal without having to have the knowledge base. But when it comes to the first part of that leadership part, that's not something you can just outsource anymore. I don't think. No.

[00:33:22] And we're, we're seeing that with our service offerings is we pretty much have like a full management or co-manage, like you can hire us to do the IT, that's table stakes. MSPs most of the time do that. We obviously have an extremely competent service desk who are full of amazing people, but clients who they might have their own and they might do that. And that's where, you know, what they can't do is a lot of what we're doing from the cybersecurity. So maybe it's more outsource security kind of SOC type stuff, but really more around the

[00:33:52] strategic guidance and the leadership and the, the, the vCIO or vCISO type stuff. Yeah. So it's like you wrap it up with, and we offer IT services. Yeah. That's, that's literally like the, but again, it is, it's table stakes, right? Like that's just something you would expect and, and we're, you know, the differentiator for us is just our experiences and knowledge and helping you with the strategic side. And as a plus, we also have a really kick ass service desk.

[00:34:21] We make our own data cables. Check it out. Yeah. Yep. All right. That's, that's awesome. Well, Josh, uh, I'm sure I'll be reaching out to you more. Uh, definitely a good conversation. There's obviously going to be some things that we want to hear from you more in detail on your journey through the trust mark. For those of you listening, this has been an episode of MSP 1337. Thanks and have a great week.