Last week, we discussed the highs and lows of 2024. This week, we will examine what we expect or predict to see in 2025 and how it might impact us. Thanks again to Joshua Smith of Reliaquest and Charles Love of ShowTech Solutions for joining me and discussing the future and what is in store.
[00:00:06] Welcome to MSP 1337. I'm your host, Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone.
[00:00:21] Welcome everybody to another episode of MSP 1337. We are at the end of 2024 and we are going to look at the prediction of what we hope to see in 2025.
[00:00:32] And I'm joined yet again by Joshua Smith and Charles Love, former participants.
[00:00:40] And I don't know what else I would say of the legacy that was Untangled Solutions.
[00:00:46] So guys, welcome to the show.
[00:00:47] I think conspirators, there we go.
[00:00:49] There you go. Yeah.
[00:00:51] I won't even talk about, well, that's a whole nother conversation for a whole nother day, another episode.
[00:00:57] So Josh, we can just start this off with you had some concerns that you didn't get everything off your chest with regards to 2024.
[00:01:07] So I'll let you start with anything you want to pull back into before we look at what's what you see coming on the horizon for 2025.
[00:01:16] I think I got most of them.
[00:01:18] And, you know, again, thank you, Charles, for doing my work for me and coming to all those points.
[00:01:24] Yeah, it was mostly just, again, I think there's a lot of things.
[00:01:29] It's hard to talk about 2024 and where things are going without then talking about 2025.
[00:01:35] So I also blame you, Chris, for this format.
[00:01:38] It is my fault.
[00:01:39] To bifurcate my mind.
[00:01:41] But I think we talked a lot of good things.
[00:01:43] I think the momentum is going to carry right on through into 2025.
[00:01:48] So, you know, things like the whole Gen AI thing, staffing, I think vendor consolidation.
[00:01:52] I think that's the stuff that we're talking about.
[00:01:54] Kind of just kind of starting to really build momentum in 2024.
[00:01:58] And I think a lot of that is we're still going to be talking about that in 2025.
[00:02:03] That's fair.
[00:02:04] Like it's like kind of like saying it's changing, but it's not changing fast enough that the topics are net new.
[00:02:10] Yeah, it's not like everything just waits for the calendar to change.
[00:02:13] It goes like, oh, finally, I can do this now.
[00:02:16] Right.
[00:02:16] It's a continuum.
[00:02:18] So I'll throw one out and maybe this will actually trigger some dark conversation or light conversation.
[00:02:28] I think it was ISC Squared made this comment that they're envisioning that there will be a shift from protection in the cybersecurity space and a move towards resilience.
[00:02:41] That it's more about withstanding the earthquake than it is about, you know, trying to keep an earthquake from happening.
[00:02:52] I just actually heard that from a CISO that we were chatting with.
[00:02:57] They talked about like, you know, we're trying to do all we can with prevention.
[00:03:01] But in some things, we'd rather focus on the detection and response.
[00:03:06] So if we have the risk and we have a control for the risk in terms of how do we respond to it, right, the breach doesn't happen until they get active actions on objectives.
[00:03:17] Right. So until they get those credentials, until they're able to exfil.
[00:03:20] Right. It's not a full breach in their mind.
[00:03:23] It was like you can stop them at logging in.
[00:03:25] Right. They get to log in.
[00:03:27] They do a lateral movement.
[00:03:28] Maybe they maybe they do a privilege escalation.
[00:03:31] We can stop it there.
[00:03:32] You know, they don't really see that as bad as then they were able to grab stuff and exfil it.
[00:03:36] So moving more towards like we can prevent as much as we want, but we're never going to be fully right.
[00:03:41] So then let's also kind of start to focus on that that containment investigation response phase of things as well.
[00:03:47] It's funny you bring it up.
[00:03:49] Wow. So like I kind of likened it to like, you know, if you're cooking in the kitchen, just because you've never had a fire doesn't mean you should not have a fire extinguisher.
[00:03:57] So, you know, like, yes, the stove caught on fire, but you didn't burn the house down.
[00:04:03] It could still be damaged is also the problem.
[00:04:05] Right.
[00:04:07] But you want to minimize.
[00:04:08] It's like an acceptance moving towards that kind of like, how are we going to handle those risks?
[00:04:13] We're not always going to prevent the risk, but so how do we like accept it?
[00:04:16] How do we mitigate it?
[00:04:18] How do we deal with that risk when it happens rather than trying to stop it from happening?
[00:04:25] All right.
[00:04:25] What do you what do you got as far as an expectation, Charles?
[00:04:28] Well, I think 2024 taught us that AI and those kind of things need to be better defined.
[00:04:37] Right.
[00:04:38] So we have a lot of things out there where people are mistaking automation for AI.
[00:04:45] Right.
[00:04:46] When I mean AI, I mean, like, you know, chat GPT, the language models, compilot, all that kind of fun.
[00:04:53] Sure.
[00:04:53] Even on the iPhones now.
[00:04:55] It's like it's hey, you should probably reword this email.
[00:04:59] Right.
[00:04:59] That kind of stuff.
[00:05:00] But a lot of vendors and people make automations and allude to the fact that it's the magic of AI when it's when it's simply not.
[00:05:10] So it's simply automation.
[00:05:13] Yeah.
[00:05:13] It's just automation.
[00:05:14] Right.
[00:05:14] It's kind of like the old conversation we used to have.
[00:05:16] Hey, do you have ticket integration?
[00:05:18] We send emails.
[00:05:20] That is not ticket integration.
[00:05:22] Right.
[00:05:22] Right.
[00:05:23] Into a PSA.
[00:05:24] And then that used to be the buzzword back in the day.
[00:05:27] And then it turned into no, no, no.
[00:05:28] We have we have integration now.
[00:05:30] So I remember wasn't it something monkey that would take an email and actually do the integration like it would take it, parse it and actually do meaningful things with it.
[00:05:40] Something monkey.
[00:05:41] I can't remember what this call is.
[00:05:42] Yeah.
[00:05:42] There was a couple of.
[00:05:42] Right.
[00:05:43] Yeah.
[00:05:44] Yeah.
[00:05:44] Yeah.
[00:05:45] Yeah.
[00:05:46] I think to that effect and while we're defining it, I think that there is going to slowly I think we're starting to see the pivot that people that at this point, I think a lot of organizations, a lot of vendors have kind of just wedged.
[00:06:01] Gen AI into usage and tools, I think.
[00:06:35] We're starting to manage that and kind of build it into larger kind of AI use cases.
[00:06:39] So we're starting to hear a lot more terms around like agentic AI.
[00:06:44] So AI that can use generative AI, but then start to take actions, build out like plans of action, like relook at its plan, re-learning time based on.
[00:06:55] Yeah.
[00:06:55] So essentially like a self-learning model that can use Gen AI for both kind of, you know, taking instructions, but also giving instructions.
[00:07:02] It's more like a piece of the puzzle rather than the full puzzle itself is where I see kind of Gen AI kind of starting to fit into a unique spot rather than kind of a catch all.
[00:07:11] But I think people are still trying to understand what it actually is.
[00:07:15] Right.
[00:07:15] Sure.
[00:07:16] So Apple did a really great job.
[00:07:19] They made this thing called image playground.
[00:07:21] Right.
[00:07:22] And you take a picture and then with your finger, you click duck, hat, cruise ship.
[00:07:30] Right.
[00:07:30] And then you hit go.
[00:07:33] And in the back end, it's basically like an image journey going, please take this photo, put it on a cruise ship, put a duck in the photo, make it on the water.
[00:07:42] Right.
[00:07:42] It's it's kind of like, I don't know, paint by numbers, AI, like it's a it's a pretty front end.
[00:07:48] But on the back end, it's just doing the stuff that we've been knowing how to do for years.
[00:07:53] But but I think we're going to see more people take away all the hard stuff.
[00:07:58] Right.
[00:07:59] Because not for nothing, six months ago, it was all about prompts.
[00:08:03] People were on Etsy.
[00:08:04] People were on Fiverr selling prompts.
[00:08:07] I don't think in six months I've heard prompts.
[00:08:11] Right.
[00:08:12] Aside from a C prop like that used to be the thing to make the most out of the platform is you had to have your prompts all in.
[00:08:20] And now it's gotten so much better.
[00:08:23] You just say, I want to boat on a with the duck on the cruise ship.
[00:08:27] And then it makes right.
[00:08:28] But like in in part, we're really identifying.
[00:08:32] And I heard someone say this.
[00:08:33] We're using gunnerative AI to go after or attempt to solve the wrong problems.
[00:08:39] And, you know, like to your point, Charles, like if you think about the compute power that goes into doing that, is that a good use or a bad use?
[00:08:48] It's entertaining.
[00:08:50] I mean, I spent 20 minutes yesterday and I created a hip hop song for for the trust mark.
[00:08:57] And I had it, you know, style it in the form of Nelly's Pimp Juice.
[00:09:02] And I thought, well, how accurate is this going to be?
[00:09:04] Like I could tell that it was done in the style of Nelly's music.
[00:09:08] And it was like it sounded like someone actually created it.
[00:09:13] Is that what I should be using AI for?
[00:09:15] Probably not.
[00:09:16] But but the things that come to mind for me is like I think back to what Charles or what you said, Josh, like it's almost like we've gotten to the point where we've poured the foundation for something that we haven't.
[00:09:27] Been able to envision should look like.
[00:09:30] And so because we haven't figured that out, we keep adding this concrete or whatever, you know, material we're using to pour the foundation.
[00:09:38] But all we're doing is continuing to make this foundation bigger and bigger and bigger.
[00:09:42] Going back to what you said is at some point it's taking what those things give us the capability for.
[00:09:48] And now either combining them in unique ways to do something else or even start all over again because we figured out there's a better way to write this formula.
[00:09:57] It might even be written by the same gen AI that we have built out through these, you know, LLMs.
[00:10:04] I think there's so much that we have not tapped into because we're so I guess that's to your point, Charles, of like we're still using the thing like, oh, cool.
[00:10:13] I can do a better picture or I can, you know, draw art that people might want to buy.
[00:10:18] But all those things now have tie ins to ethics, plagiarism.
[00:10:25] Where did it where did the information that helped build it get sourced from?
[00:10:28] Like what are like the rules still are being written for how we navigate this going forward?
[00:10:34] I think this could be the year on AI.
[00:10:36] That is how the rules or the or the boundaries start to start to form.
[00:10:41] I mean, we have a whole new administration coming into office.
[00:10:44] And one of the things we already know is there's going to be a group dedicated to how do we put boundaries on AI?
[00:10:53] Whether or not they do it well, obviously that remains to be seen.
[00:10:57] Well, they're also building the cars they drive in.
[00:11:01] Right.
[00:11:02] Sure.
[00:11:02] So things are the better than a plane.
[00:11:05] Well, yeah, but the enhancements are coming so fast.
[00:11:10] Right.
[00:11:10] Right.
[00:11:11] Like I am a notorious photo bomb.
[00:11:14] Right.
[00:11:14] So if I'm at a conference and somebody's taking a photo, I guarantee you I'm going to make a goofy face behind him.
[00:11:19] Right.
[00:11:20] And now that even on the iPhone, I think Android has it too.
[00:11:24] You could just click my dumb face and then remove it.
[00:11:28] Right.
[00:11:29] And then it uses the magic in the back end.
[00:11:31] And now Charles is gone.
[00:11:33] Right.
[00:11:34] Do we dub that Charles mode?
[00:11:36] Yeah.
[00:11:36] Can we just call it Charles mode?
[00:11:38] Yeah.
[00:11:38] Yeah, exactly.
[00:11:40] There's royalties.
[00:11:41] I can't call it that.
[00:11:42] But six months ago, a year ago, maybe for Android, because I think they had it for a bit.
[00:11:47] But like the mainstream ability to to, you know, like even with Photoshop to take a photo and expand upon it.
[00:11:56] And it looks like downright amazing is is fascinating.
[00:12:01] And we didn't think about that stuff in January of last year.
[00:12:07] So I have another prediction to add to the equation.
[00:12:10] And I've seen this in 2024 quite a bit.
[00:12:15] I think the conversation we touched on a little bit around, you know, answering an insurance questionnaire and whether or not you are or are not doing it.
[00:12:23] One of the things I think is going to come into play on a much larger scale is that third party risk management and the supply chain.
[00:12:30] So, you know, we touched on a couple of them, but like thinking about like the solar winds, the crowd strike, you know, thinking about silos versus all in on one platform.
[00:12:42] I think especially in the MSP space, doing due diligence on what are the risks that you're willing to accept?
[00:12:49] How are you managing risks with your, you know, third parties?
[00:12:53] And obviously we're even seeing tools come out to help you manage third party.
[00:12:58] Of course, it's run by AI, but, you know, what are your thoughts around that?
[00:13:04] You know, I'll tell you, information drives change.
[00:13:09] Right.
[00:13:10] So recently it was brought to my attention that I'll just give you an example.
[00:13:15] Greenshot, which is a very, you know, widely used screenshot program, has an open CVE and has had for some time.
[00:13:25] Um, and, uh, you know, reading that the answer is they have a stable version and then they have an unstable version.
[00:13:34] The stable version was made years ago.
[00:13:36] And since the CVE was found, there literally is like five or six different iterations, but they're all the quote unquote unstable version.
[00:13:44] Um, I don't feel comfortable running that.
[00:13:47] And I'm using the information that my tools are providing going, hey, Charles, there's an open CVE on stuff that's found on your device.
[00:13:54] And we're taking that and we're making a conscious decision to say, is this a risk I want to take?
[00:14:00] Just like you had said.
[00:14:02] And the likelihood of somebody running a remote code execution when I hit the print screen key, it's, it's low, but it ain't zero.
[00:14:12] So it's water.
[00:14:13] It's not watering.
[00:14:14] Yeah.
[00:14:14] So, but, but nowadays we're taking, we're taking things a little bit more and saying, well, you know what?
[00:14:20] Maybe that isn't the best choice for us.
[00:14:23] Right.
[00:14:23] Maybe I do need to just learn how to use the built in tool, which is amazing now.
[00:14:28] Right.
[00:14:29] Right.
[00:14:29] But, but my point here is lots of tools are providing information that we just, I don't want to say we ignored, but we really didn't listen to.
[00:14:38] Now we're taking a little more of a hardened stance and, and just to make you kind of smile for a minute, the whole green shot conversation.
[00:14:49] Um, my, my main fat, my main focus on removing it was, I don't want to have to, uh, report to the auditor for trust mark, why we have something with an open CV.
[00:15:02] So it's gotta go right for, come to your trust mark.
[00:15:06] So just kind of funny.
[00:15:07] Well, I think that's a very valid, uh, way to say it.
[00:15:10] I'm not necessarily meaning because of the trust mark, but you know, the whole CD thing is interesting too, right?
[00:15:15] Because it's not looking at the probability that it'll happen, right?
[00:15:19] Like it's looking at the actual, if, if I had the, you know, the frictionless environment to execute, you know, what would happen?
[00:15:28] And then, and I think that's part of why I think we're going to see, uh, I will predict in 2025.
[00:15:34] I think we're going to see a new scoring model come out that will likely help with this.
[00:15:38] Because if you go look at the third party risk management piece just by itself, I think one of the things that's happening right now is asking better questions, right?
[00:15:47] Doing research on the history of the company.
[00:15:50] Like, yeah, you might not say, uh, we're going to use AT&T versus Verizon from a cellular choices for our organization because, you know, that's a tough decision.
[00:16:00] They both been hit.
[00:16:00] Uh, you know, which one do I go with?
[00:16:02] Like, you know, or what's, how are they improving?
[00:16:04] But like, I was looking at some VoIP solutions the other day from a security perspective and I just won't say the name of the, the VoIP provider.
[00:16:14] It's probably easy to deduce if you did some homework on a VoIP carrier that still has a known, uh, vulnerability that is easy to exploit in the wild that has been, um, they've, they've provided a patch for it.
[00:16:27] But I can't remember how many thousands of the phone systems still exist for a patch that has existed now for going on four years that can still be, you know, compromising to that entire phone system for that organization.
[00:16:40] That's concerning to me because I would think as a vendor that there'd be a little bit more voice in communicating to those using their products that, Hey, this patch needs to get, you know, applied because it's not just a CVE.
[00:16:56] It's a, you are going to get hit at some point because it's exposed to the outside world.
[00:17:03] Right. And, and I don't think we're seeing enough of that with, uh, and I, you guys have heard me say this before.
[00:17:08] We have a voice and we can choose to be quiet or we can choose to be loud.
[00:17:14] And I think in some cases we are doing very little to communicate loudly enough when there's a real problem, um, that has not been addressed.
[00:17:23] And, you know, whether it's choosing to, uh, make that voice with your, your wallet, you know, wallet share.
[00:17:29] Um, I think it's ironic when an MSP says, yeah, we've chosen to not use that company anymore because of how they operate, you know, for 150 seats.
[00:17:37] So maybe that doesn't have a huge impact, but I know there are MSPs that have wallet share that are more like 5,000 and 10,000 endpoints that don't do a good job of being vocal about their decisions for leaving a vendor.
[00:17:50] Who is not willing to address the security challenges within their, within their company.
[00:17:56] I don't know. I just went on a rampage there. I'm sorry.
[00:17:59] Uh, no, it's, it's like a, and I think Charles makes a great point and kind of folding into his open CVE issue is what I'm hearing more about, even in the enterprise space, there's a lot more people, uh, noticing more of the small details, but not having enough people to take care of those small details.
[00:18:15] Yeah.
[00:18:15] And so I get questioned a lot, like, like, like we're like, we focus purely on security events. Right. But we, I get asked almost every time, you know, will you manage our vulnerability management tool for us?
[00:18:26] Right. Because that's getting pushed into the security team, even though I kind of do more as an IT function, right? Like having an unpatched machine, isn't a security event. It's a precursor to a security event.
[00:18:39] And if that, if that, you know, is exploited, then it becomes a security event, but it's, I think it's onto IT to at least keep the walls up. So, you know, I see an increase in reporting to leadership, um, new asks around metrics.
[00:18:52] So instead of, Hey, how many alerts do we get this month? It's more along the lines of, you know, what is our coverage, you know, around certain TTPs that we're seeing in the news or threat actors. Right. So I think the metrics is pushing even a bigger cyber spend because we're seeing the side, the percentage of the IT budget going to security.
[00:19:10] At least I'm, I'm seeing it starting to, starting to creep up. And I don't think that's coming away anytime soon, especially as you can only throw so many bodies at this kind of problem.
[00:19:19] Right. Like Charles was saying, like, it's great that they have the time to look at that. But if you're an organization that doesn't do IT or security as a function, right. And you have a team in there, they're probably understaffed and underpaid and under resourced.
[00:19:31] So to ask them to keep on top of every single CVE that comes out of the hundreds, probably of software and SaaS solutions you have in play, I think it's unnecessary.
[00:19:40] So I think that outsourcing to the ever increasing XDR marketplace, I think we're going to see a big trend on that because we can't keep the butts in seats.
[00:19:50] Cause as soon as you train someone to do something from scratch, they're going to get their LinkedIn blowed up and be offered probably two X what you're paying them.
[00:19:57] Right. So I think that we as a vendor marketplace have to be able to provide more tangible solutions to around the things that I think that businesses are really starting to understand are the big threats that are kind of like the sleeping giants in their environment.
[00:20:13] Yeah. So, uh, I, I think you're spot on. I have one more that I think will take us to the end of this.
[00:20:20] So, uh, looking at zero trust architecture, um, I think I had this conversation the other day.
[00:20:29] I think that zero trust when it originally came out, um, obviously super complicated, you know, you look at a desktop environment, you're like, oh my word, there's 159 applications running on this thing.
[00:20:40] How do I, you know, move this to zero trust? Like, do I need to account for, you know, all of the, you know, uh, dot net, uh, you know, you know, scripts or whatever running, uh, how many versions of the job was okay.
[00:20:54] Four versions of, of FTP, you know, or, or, uh, not FTP, uh, uh, like Adobe Acrobat or a PDF editor.
[00:21:02] And it got me thinking like today, a lot of that stuff can be automated, right? We're going to allow listen only for the first 30 days.
[00:21:09] We'll identify what we know definitively should not be in there, clean it up.
[00:21:13] But I think there's zero trust in so many different categories say that we didn't even talk about before.
[00:21:18] So like zero trust from a network standpoint, zero trust from an application, uh, install standpoint.
[00:21:24] And obviously the list can go on and on and on like, no, you, you don't just get a, uh, a role change or, uh, you know, access to something because you just asked for it.
[00:21:35] There has to be a reasoning behind why you're asking, and it has to be vetted and verified that you in fact should be given that access.
[00:21:42] Um, what are your guys' thoughts on, on seeing the expansion of zero trust becoming more than just, I brought in a vendor.
[00:21:49] And so now I have zero trust.
[00:21:51] Well, I think it's like Charles said before, we're still trying to understand what AI is.
[00:21:55] I think the business, uh, ecosystem is still trying to understand what the heck ZTNA is, right?
[00:22:01] Because it's not a product you can buy, right?
[00:22:04] It's more like an approach or framework, if you will.
[00:22:07] Same with, uh, as that's the other day to, to give a, to give some references around what, what SASE products I think were the most outstanding.
[00:22:14] I'm looking at them and I try to like figure out, like I go to a couple of different vendors.
[00:22:17] And again, it's kind of like, here's our stack.
[00:22:21] And it's, and inside of that was zero trust, right?
[00:22:25] And I'm like, so it's like the snake eating its own tail, right?
[00:22:28] Because I'm like, wait a minute, I thought SASE was part of ZTNA.
[00:22:31] But now they're saying, no, ZTNA is part of SASE.
[00:22:34] And it's just really, you know, I don't want to throw people on the bus.
[00:22:37] It's just certain organizations that are paid to make up terms for industries, uh, and have to deal with quadrants.
[00:22:43] Um, you know, they need to keep coming up with cool acronyms and cool approaches and cool frameworks.
[00:22:48] So maybe things that have kind of already been in the ecosphere for a while, but you need to put a label on it so they can create a ranking for it.
[00:22:55] So I think that slowly but surely, right, we're getting the SSO.
[00:23:00] We're getting the multi-factors becoming more and more of a commonplace thing.
[00:23:03] We're getting more of a, uh, really moving away from, uh, VPN gateways, VPN clients to more of that.
[00:23:11] Okay, we're going to have you go into a vendor's cloud and then direct you from there to wherever the nearest resource is.
[00:23:16] So I don't think it's like a monolithic, like stamp, like, you know, mission accomplished, right?
[00:23:21] It's ZTNA done.
[00:23:22] I think it's more just like a game of inches.
[00:23:27] Do you think it's so sort of that, do you think, so if, if I were to give Z, you know, ZTNA, um, more of a success trajectory as we go into 2025, it's less about achieving zero trust across everything.
[00:23:43] And more about using the concept behind zero trust and how it came about than it is about the destination, right?
[00:23:52] Like if you put the right things in place, like, Hey, you know, you can't get to that cloud service without being here first.
[00:23:58] Uh, you've created, uh, you know, an entry point that has, has created a zero trust of sorts, right?
[00:24:05] Like if you don't have a pin code and you, you don't know how to get to here, uh, that like you haven't followed the map that gets you to, to the, to the
[00:24:13] treasure, well, then you can't get to that next, that next hop.
[00:24:16] There's no clues for you until you get to there and you have to authenticate.
[00:24:20] Like, is that maybe a better model to approach it to go into 2025?
[00:24:25] It's not about like, Oh man, you gotta have a perfect list of, you know, your approved, uh, applications and your, in your zero trust of, of what kids allowed or not allowed, but more of like an exercise or a process that says we're constantly working to improve.
[00:24:40] Do we really need that?
[00:24:41] And if we don't, then let's get rid of it.
[00:24:43] But rather than doing this whole, like, I'm just going to go at this with a machete and we'll get it to the point where, you know, pick books, payroll.
[00:24:51] Yeah.
[00:24:51] We can't do that anymore because we are zero trust.
[00:24:54] Yeah.
[00:24:54] I think, and I want to hear Charles thoughts on this, but I think just like everything in security operations, it's a journey, not a destination.
[00:25:01] Right.
[00:25:02] It's just, just like, you know, we, we build a 10 foot wall and the cyber criminals build themselves an 11 foot ladder.
[00:25:10] Right.
[00:25:11] And so it's a constant game of cat and mouse.
[00:25:13] So anyone that says it, we're done walk away.
[00:25:16] Right.
[00:25:16] Then there would be no ransomware.
[00:25:17] We wouldn't have seen the biggest ransomware attack in the history because like, Hey, once EDR was on the scene, Hey, I thought ransomware was going to be gone.
[00:25:23] Right.
[00:25:24] Right.
[00:25:24] It's always a cat and mouse game.
[00:25:25] And I think it will be for the foreseeable future, maybe until quantum computers come around.
[00:25:29] But, you know, that's, that's what I see is like, don't, don't strive for perfect, you know, you know, drive through with good.
[00:25:35] Is that the, the battle for Helm's deep in essence, the, the taller, the ladder, you know, in the reality was if, if those that were defending Helm's deep would have recognized that no fortress is truly impenetrable.
[00:25:51] Uh, they might've actually never had to lose Helm's deep.
[00:25:58] Maybe we can learn something from that.
[00:26:00] I don't know.
[00:26:01] Maybe.
[00:26:02] We'll see.
[00:26:02] Sounds what you got.
[00:26:04] Yeah.
[00:26:06] Well, so it's interesting, right?
[00:26:09] Because Josh is playing at a very different level than most MSPs.
[00:26:14] Right.
[00:26:15] Um, so what he's a vendor.
[00:26:17] Well, yeah, but he's, he's not dealing with the 50, a hundred user networks.
[00:26:22] Yeah.
[00:26:22] Yeah.
[00:26:23] It's, you know, he's, he's looking at 50 to a hundred users per floor.
[00:26:30] So, you know, a little bit more capital to make some changes, but, but we are starting to see like on the smaller MSP side, um, uh, some insurance carriers with the questionnaire, which is no longer for questions.
[00:26:44] I had one the other day that was like six pages.
[00:26:47] It's actually asking, how do you segment your traffic?
[00:26:51] How do you segment guest machines?
[00:26:53] Do you, I had one that literally referenced control one the other day.
[00:26:57] I was like, I was amazed.
[00:26:59] Um, you know, do you have a ZTNA such as control one?
[00:27:02] And they rambled off a couple of, you know, I haven't on a lot of a few other ones.
[00:27:06] Um, and, and the insurance questionnaire sometimes helps drive business change.
[00:27:15] Like I want everything to be, yes.
[00:27:16] How do I make everything?
[00:27:17] Yes.
[00:27:17] It's like, yes, we've been telling you about this for five years.
[00:27:20] Like, these are all the things I've been quoting you.
[00:27:22] Oh, is that what that stuff is?
[00:27:23] So we're, we're, we're starting to see some, some changes there.
[00:27:27] It's not going as fast as one would like.
[00:27:29] Um, but like Josh said earlier, a lot of vendors are, are coming out with solutions.
[00:27:36] SonicWall just came out with an amazing new VPN solution.
[00:27:39] Um, where, you know, it's, it's very similar to zero trust networking where, you know, you
[00:27:46] have to meet certain criteria to get on the network, to do these things.
[00:27:49] And we're seeing a lot of innovation with some vendors who you wouldn't expect that.
[00:27:54] Yeah.
[00:27:55] That reminds me of like what Cloudflare released under their Warp Plus product where you can
[00:27:59] do the gateway.
[00:28:00] And if you don't have the connection to the gateway, uh, to go out on the network, you eliminate
[00:28:06] the ability to do anything, uh, which I found quite interesting.
[00:28:09] You said it, Charles.
[00:28:11] And I think this wraps up where we're at in, in this episode will totally wrap up for the
[00:28:16] future of future outlook.
[00:28:18] We have all definitively said this repeatedly on last week's episode and this week's episode,
[00:28:23] the necessity for cybersecurity insurance.
[00:28:25] The one significant change is the way in which the questions are being asked.
[00:28:30] And to your point, Charles, I saw one the other day that actually asked for the person
[00:28:35] to be named that was responsible for the network.
[00:28:40] Yeah.
[00:28:40] And it didn't say VLAN.
[00:28:41] It was like the, the whole network architecture.
[00:28:44] And, and, and it wanted like, like there's six questions in there.
[00:28:46] Like it starts with a name and then it was like phone number, email address.
[00:28:49] And I'm like, okay, I kind of get this.
[00:28:53] I kind of understand where they're coming from.
[00:28:54] And the MSP that asked me about it said, you know, how does this, how does this work?
[00:28:59] Right?
[00:29:00] Like we're responsible for the client's network.
[00:29:03] And I said, yes, but you're not accountable for their network.
[00:29:06] They are.
[00:29:08] And so anytime you see that individual name being called out, they need a point of contact.
[00:29:15] And I think that's one of the things that is largely being missed right now is a lot of
[00:29:19] questions on the questionnaire are not about how to, you know, prevent you from getting
[00:29:24] insurance.
[00:29:25] They're about understanding how, if you call upon them because you need to make a claim,
[00:29:30] who are they talking to?
[00:29:31] Is this a real claim?
[00:29:33] Like if the person who's calling in, isn't on the approved list to call the insurance
[00:29:38] company, I would be really upset if that insurance carrier said, awesome.
[00:29:42] We've launched the investigation.
[00:29:44] The attorney has been engaged.
[00:29:46] And oh, by the way, yeah, you didn't get the payout.
[00:29:49] And they're like, we didn't make a claim.
[00:29:52] I don't know who called you.
[00:29:54] Right?
[00:29:54] Like there's a lot coming in that regards, I think on the insurance side to even qualify
[00:30:00] for coverage anymore.
[00:30:02] Well, personally, I think at 2025, the insurance companies are going to start saying, okay,
[00:30:08] how, how proven, right?
[00:30:10] To pull from compliance.
[00:30:12] You said, yes, show me.
[00:30:15] Yeah.
[00:30:16] Or have a third party.
[00:30:17] I'm also seeing a requirement for a third party to assess the questionnaire and answer
[00:30:21] on the, on the behalf of the, like, like a neutral third party.
[00:30:25] Because it's easy to say yes, yes, yes, yes.
[00:30:27] And then they get hit and the insurance company says, well, you didn't answer this right.
[00:30:31] And then it's a lawsuit where they could at the very beginning say, before we even agree
[00:30:34] to give you a policy, you have to prove that these yeses are true.
[00:30:39] So yes.
[00:30:40] I don't know if it's like by you, but I have a family member who was literally paid to go
[00:30:47] to people's homes all throughout the U S and look for things like trampolines, fences
[00:30:53] around pools.
[00:30:55] How's the roof look like for home insurance?
[00:30:57] When they, when they say they've done certain things, this dude literally goes state to state.
[00:31:03] Yeah.
[00:31:03] He gets a list and he goes and looks and he reports back that yeah, so-and-so has a trampoline.
[00:31:08] They said they didn't, or so-and-so has a pool.
[00:31:11] It doesn't have a pool fence on their pool and they have a three-year-old.
[00:31:14] Right.
[00:31:15] So they're actually sending out a human to do homeowner inspections, like from the street.
[00:31:21] They're not like going in the yard, stuff like that, but, uh, they're validating.
[00:31:25] Whereas before they just took your word and you know, everything is groovy, but they're
[00:31:30] actually sending out human people to start validating these, these insurance policies.
[00:31:36] And in 2026, they're going to no longer send out humans.
[00:31:39] They're just going to send out drone swarms to do all that instead.
[00:31:42] Well, it'll be generative AI out of the TV that just happens to have a camera that looks
[00:31:47] out into the backyard.
[00:31:48] So very funny.
[00:31:50] This is super topical.
[00:31:51] You mentioned the drone storm, uh, Clearwater, uh, I'm in Florida, right?
[00:31:56] Clearwater, Florida.
[00:31:57] They actually just sent out a huge public.
[00:31:59] They went through email, uh, Facebook texts, everything.
[00:32:02] We are using drones to inspect the waterways.
[00:32:06] Like we got a notice today, uh, saying you will see drones in the air.
[00:32:11] Do not panic.
[00:32:12] Like this is normal.
[00:32:13] And it's a whole press release as to why they're going to be flying drones.
[00:32:18] Cause everyone's going to freak out.
[00:32:19] Oh my God, the drones are back.
[00:32:21] Well, I mean, I think that it's a, don't panic.
[00:32:23] Or did it say dear Florida man, don't shoot down.
[00:32:26] Yeah.
[00:32:27] Yeah.
[00:32:27] It probably should, but it did come from Clearwater PD.
[00:32:31] That's different for the swamp areas that that's, they get a different press release.
[00:32:36] That's, that's different.
[00:32:36] Josh.
[00:32:37] It's a different.
[00:32:38] Yeah.
[00:32:38] Yeah.
[00:32:38] Yeah.
[00:32:39] Yeah.
[00:32:39] It's right.
[00:32:40] Yeah.
[00:32:41] Yeah.
[00:32:41] The younger, you know, the younger communities, it's like, you know, no cap.
[00:32:44] Don't, don't shoot.
[00:32:45] Yeah.
[00:32:47] They've got a legend for those reading it.
[00:32:49] Like, oh, no, no, no.
[00:32:50] This doesn't apply to you.
[00:32:51] This doesn't apply to you.
[00:32:52] Right.
[00:32:53] Last, last thought on the cyber insurance.
[00:32:55] I think that might be the most positive thing that we could have for cybersecurity, not because
[00:33:02] of insurance, but, you know, when you think about self attestation, that's largely been a
[00:33:07] common practice, which every insurance questioner is essentially that, right?
[00:33:11] I answer the questions.
[00:33:12] I'm self attesting to doing these things.
[00:33:15] There are actually frameworks now in the SMB space, SMB 1001 based out of Australia.
[00:33:21] They have a, a paid assessment level one.
[00:33:24] It's like three, $400 US dollars.
[00:33:26] You are self attesting.
[00:33:28] And at first I had the conversation with them.
[00:33:30] I said, but do you think there's really any teeth to this?
[00:33:34] And their response was they have agreed to an insurance questionnaire in the way they
[00:33:39] answered that said, I not only am attesting to doing this, there is teeth to what I've
[00:33:44] attested to, because if I'm not doing it and something does happen, it's going to be
[00:33:49] potentially catastrophic to my company, as opposed to I'm paying the money to just say,
[00:33:55] I, I am knowingly paying this money to say, I did these things actually takes it to another
[00:34:00] level, right?
[00:34:01] Because when you apply for insurance in a lot of cases, it's microscopic dollars being
[00:34:07] spent unless you've already been hit with something.
[00:34:08] Then when you are hit with something, assuming you can get insurance again.
[00:34:13] Boy, it would have been nice to have somebody check your stuff, have a third party come
[00:34:17] in and say, yeah, you got part of this, right?
[00:34:19] But not the whole thing.
[00:34:20] And I think that's one of the things we're going to see more of in 2025, where self
[00:34:25] attestation is going to have teeth attached to it by the very nature of the way it's being
[00:34:30] issued.
[00:34:31] I agree.
[00:34:34] Wow.
[00:34:34] That brings 2024 to an end.
[00:34:38] I wish everybody a happy new year.
[00:34:40] Guys, I appreciate you coming on until next year.
[00:34:44] Thanks, everybody.