Fireside Chat - 2025, Natural Selection
MSP 1337, January 21, 2025
9
00:33:32, 31.04 MB

Will 2025 be the year of natural selection for MSPs? I sit down with Matt Lee of Pax8 to chat about the cybersecurity picture for 2025 and it comes down to those that choose to make changes in their company to mature their cybersecurity posture and those that do not... Those that do not are the MSPs that use excuses like, I'm too small, We don't have time, Our clients won't pay, etc. Stay until the end to catch some of the foreshadowing of future fireside chats in 2025.

[00:00:06] Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity, challenges, solutions, a journey together, not alone. Fireside Chat, you know what that means. Matt Lee of Pax8. Matt, welcome to the show.

[00:00:32] Man, I love the new privacy and security of GTIA. I had to actually approve before my camera could even come on. That is absolutely wonderful. Security! Yeah, man. All right. No, thanks bro. I appreciate you. It's a, you know, it's a fresh year. It's a new opportunity for us all to win and succeed. Blank canvas. Happy to be here, man. Yeah.

[00:00:55] I appreciate you joining me. I know you're traveling. I recognize your, that's not your home office, obviously. You are at, what is it? I, I, it is. I'm asking you. CodeMash. CodeMash 2025. Uh, it does say that you're in a tropical location. Is that true? You know what? I'm actually in a location in Sandusky, Ohio, that has about 12 inches of snow that I've been traipsing through for my hard 75 every day. It's not white sand?

[00:01:24] It feels like sand. It's, I mean, definitely if you ever walk in snow for two or three miles a day, bro, talk about building up some calves and some shins, man. That's right. I'm telling you. And you're like, and all I did was make it out of the doors of the hotel. I turned around and went back inside. Yeah, yeah, yeah. Exactly. Oh, it's so cold. It's 13 degrees right now. So no, it's fake tropical, fake tropical. I've had conversations, uh, in the ethers, you know, you and I have been on the tech degenerates, uh, live stream.

[00:01:51] I've seen you on a couple others. Um, I've got a couple of things going on, uh, with podcasts that came out on Tuesday and it's funny. There's a lot of conversation around either compliance or new requirements that may have come from compliance, you know, regulatory, otherwise that now have questions coming out of, of MSPs.

[00:02:13] And I think maybe for today's conversation, cause you know, as you and I were talking about before we hopped on, uh, there's a lot going on that we might throw into the equation of, uh, this, how is this net new? Like, you know, we were talking about these things in 2018, 2017, uh, I was doing healthcare security compliance all the way back in 2013, 2014.

[00:02:36] Um, and what was interesting about then versus now that I will say is very different and, and not to, to belittle where we are today, uh, is that there was a lot of financial positive incentives for dialing in security or, or electronic systems, uh, being implemented, which if you were good at what you did, there was security in the equation. Um, but usually not, but that's fair. Uh, or what we would find when we tried to implement with heavy security, heavy handed security, uh, we would just get fired.

[00:03:05] I mean, literally we'd have doctor's offices fire us because they're like, you put two factor authentication on here. I can't have that. We all use the same login for QuickBooks. Yeah. Oh God. Are we all used a front desk, but the password of one, two, three or something. Right. Yeah. And then, and then you have like, where do you store all of your critical files? Oh, that's at C colon slash. We put them all right there. They're easy to find. Or the S drive. Right. No. Um, but I, but to your point, I think the financial incentive has changed.

[00:03:32] In fact, my, my blog, which now I've already, I've talked about it on five different live streams, but have never released it. So that tells you where my life is right now. No, that just means that it's being developed. Yeah. No, I'm not changing. It's like a book. It's kind of like a book, right? Like, Hey, you know, maybe you're just waiting for the new illustration to go on the cover. Wine. It's more like a wine. I'm not changing anything. It's just getting older. No, but like, seriously, um, my prediction is really, this is the year of have and have nots. Like I've been talking about this for five years. I've been talking about the growth of compliance.

[00:04:01] I've been talking about the growth of just being able to prove what you say you do. Right. Like our tool, right. You know, when you think about our exercise of the what, the how, the tool and the proof, it's all about that last segment of, can I prove I did it? Well, now we're finally at this point where some of the decisions you made over the last two or three years will probably be the means of your execution this year. Right. And I think that if not, it'll certainly be the decisions you make this year that over the next few years will play out in simple ways and also more complex ways.

[00:04:30] Simple ways, meaning, um, things like threat actors winning because you didn't deal with your passwords or MFA or all those things. That's a, that's a clear and present one we all understand, but also ways like less direct in, I had an incident that we just kind of whitewashed over two years ago. Cause we weren't very mature and now somebody's suing over it, or I now have a regulatory body or I now have a right. And we'll talk about that here in a little bit, but I think we're, we're seeing a, those that are at least above that 51% Chris will continue to grow.

[00:04:59] We'll continue to move forward. We'll take business from the others to fund the changes they need to do to fix the tech debt, tech debt, or capabilities debt or maturity debt. And I think you'll start seeing like what we've seen with CMMC, what we see with, uh, contractual aspects, all those drive change into people getting out of our market, selling their MSP, merging, deciding not to move forward, deciding to drop the DIB for today and kick the football down the road three months or seven years.

[00:05:27] And we're kind of in that, like, I think magical period. We're seeing that spark happen this year. I believe 2025 is going to be a material year for moving forward with a lot of these, um, changes. I want to go back to what you said. The, uh, one might say, this is the 2025, uh, uh, theme. And that is, you know, be able to prove through evidence that you're doing what you say you are. Yeah. And I think there's a, you understand what you say you're doing.

[00:05:55] Well, I'm going to come to your house. Oh, you want the water to leave your house? Oh man. You should have said so. Yeah. We can just disconnect all of the traps underneath every one of your sinks. And I'm pretty sure most of it, no more problems. Yeah. Yeah. Except for the gas that comes up, but yeah. Right. Right. Uh, so I, I will, so the thing that comes to mind for me is that that's obviously the, uh, I'm going to say like the, the, the, the outcome that we all are hoping for with what

[00:06:21] we see MSPs perhaps in the trust market and elsewhere, like show me evidence to prove without me having to have you go dig or come back in two weeks. Cause you've now implemented it. But I think there's another piece too. And I've had several of these conversations and I'd love to hear your thoughts. You know, you have a conversation with an MSP and they're like, we're not doing X because there's only three of us, or we're doing half of it. But like, we haven't implemented a no BYOD and you start having this conversation that

[00:06:47] feels very, um, uh, woe is me, the whiny syndrome, if you will. But then you keep the calm, but keep the conversation going. And suddenly you realize that they're not as, um, paralysis or whiny or too small as they said they were. They just aren't fully executed. So I have one, I'll just give this example. Um, they're using a something wall, you know, device and, and inside their office, you know, all of those URL requests are being logged and, you know, it's great.

[00:07:16] But then they put in their answer like, Oh, but like when they're not in the office, it's not getting tracked. And that was kind of how they left the answer. Right. Not a program, not a step, but just in the deeper conversation. We are. Yeah. The deeper conversation was they were evaluating a solution that solves for those things that they know they need to do. And I just said, well, why aren't you putting that down as evidence? Why aren't you documenting your discussion of what's on your POA&M and your next steps, right? On that aspect.

[00:07:46] And I think this is where, yeah. So, so POA&Ms, I think often get, um, intimidating, scary, like, ah, it's all that stuff. I got to track and, and fair. If you look at a CMMC template or some of those DOD templates for POA&Ms, they are, but the reality is if you're not moving forward, you're moving backward. Right. Like if you're not putting something in place and improving exactly. If you're not improving constantly, you understand you're not at where you need to be. Right. Like, yes. Admit.

[00:08:16] That's the biggest intent of, well, it's not even admitting. It's showing that you understand it. Like, like, oh, I think admitting is in the equation here. And I say, I say that because when I do maturity, there's way, when I do a maturity assessment with business owners, 98% of the time that business owner will tell me that they are doing things they are not doing because of what they believe that they were instilling in their staff. But that's what I mean by understanding. And then admitting that you have to at least understand. Oh yeah.

[00:08:44] You're saying there's a certain order to this. There is. There's somewhat of this like yellow brick road. You might find a logic ordered. One of the things that I had to hold on time. You said yellow brick road. I got to throw this out there. I have come to this conclusion. It's not that I am chutes and ladders and you are yellow brick road. It's that there is the yellow brick road while at the same time, chutes and ladders is being layered on top of it. True story. Yeah. And if we can make them out of silver, then it's like thematic. There we go. But yes.

[00:09:12] But one of the things I was quoted on earlier by an article, I don't know, I think it was Rich Freeman, was that we don't have, if small to mid-sized businesses think they have an expense problem to get started with compliance and being ready to prove what they do, they're wrong. They have an intent problem. Yeah. Right? And because there's nothing to stop me from starting an asset inventory in Excel and dedicating a quarter FTE a week to make sure that it's valid. Like, whatever. Matt, what safeguard in IG1 of CIS 8? I think that's 1.1.

[00:09:42] I think that's 1.1. I would argue that all of CIS. And 2.1 and some of its visibility of others. All of CIS. All of CIS IG1 has examples to implement without spending any money or adding any FTE. Or very little. Yeah. And especially as an MSP, you have tons and tons of things that are, you know, for resale and capabilities that you can go do for free, you know, that are out there. Hence MSPs. Hear it right now.

[00:10:10] There is nothing in the cybersecurity trust mark for GTIA or CIS top 18, or in fact, almost any framework that focuses on technical security controls that an MSP can't do in most cases today. Especially the technical ones for a company, right? Because no matter how large you are, I can implement that. And I am doing that. I mean, we have a three person charity right now. There's three board members.

[00:10:38] And everything's being done in individual Microsoft tenants. All those identities have a similar template being applied to them from a security perspective. They all have Intune management. They all pipe their information into Azure Sentinel. Like, those are all things that I can do that I could templatize and overdo again and again and again. But back to the kind of intent problem. I think this is why we are still seeing the byproduct of governance not being really a language. I mean, it's been in the term GRC for forever, but it didn't exist in NIST CSF.

[00:11:07] It didn't exist in CIS until 8.1 and 2.0 for NIST CSF, right? So we're not seeing those things. And it's not because it wasn't there. The safeguards largely represent the best of anyone's approach to things, which means governance wasn't thought about in general because nobody thought it was important. I mean, I may be getting slapped in the face for saying this here, but how many of you have said, oh yeah, our governance committee and our executive leadership team is absolutely

[00:11:36] helping make decisions on what our next strategy should be and making sure that they reinforce the things like, was that a reality? Or is that part of every meme I've ever seen in InfoSec? Sure. Right. And so we're not there yet. Well, even if I, so if we looked at the trust mark for a minute, there are 17 or 19 safeguards that we called out as governance and leadership. CIS 8.1 gets released. It adds governance as an asset classification. If I were to add all of those new tagged governance.

[00:12:05] Actually, it's a security function technically, but who's to correct? You are, you are. I literally live in it, so yeah. Right. But if I moved, if I moved all of those up into governance, I think I would kill the, I would encourage paralysis because we now have 75 safeguards that are around the governance function. Well, and we're speaking about the ugly truth of it, which does go towards the challenge that I think MSPs will face over the next couple of years, which is every safeguard.

[00:12:32] If I was to rewrite CIS, if I was left to my own devices, which I'm not, there's just tons of people that are all so much smarter than me genuinely involved. But if I was left to my own devices, yeah, they're really brilliant two people for sure, but extensively a bunch. But the point is, is like, if I was left to it, I would try to reinforce the fact that every safeguard has an administrative function and a technical function. And if you don't agree and you say, well, that doesn't have a technical function, I could use paper to make my list of assets. Yeah.

[00:13:00] Somebody took wood, chopped it all up, put it in a bunch of bleach, ran it through some water, pressed it together real hard, dried it pretty flat, cut it up into segments and made that stupid notebook you're using. So technology is involved in some form. It may not be digital technology. But the point is that everything has a technology component and an administrative component. And sometimes the technology only exists to support the administrative component.

[00:13:26] Well, now you're getting into where I've gotten pushback on redundancy and the trust mark. Well, you've already asked me that question. It's like, well, technical, administrative, and then there's also physical, right? And sometimes there is a substantial overlap in the safeguard in what it's asking you to do. But the lens through what it's seen in is very, very different, which means that the way in which you implement to solve for that may end up being not done by the same method. Oh, amen.

[00:13:56] Yeah. I'll give you a very clear example that someone can understand in technical terms, right? So let's say you are wanting to provide anti-malware, 10.1. And I use this a lot because it's very simple. 10.1 says deploy anti-malware solutions capabilities. I'm definitely paraphrasing. But imagine that's what you're doing. Well, where do you deploy that, Chris? Where would you deploy anti-malware if you were just a normal person thinking through this without having to listen to me for hundreds of hours? Oh, probably just on my car because it runs- Shut up. You know? Oh. I would- I mean, yeah.

[00:14:25] And in fact, I would- Yeah. And I would probably default if I really wasn't in the MSP space. I would think that that's something really important to run on any asset, right? Like, because consumer space is saying it now too, right? But that's what I want to get at is most MSPs would think 10.1, they work through their work, they show their evidence, and it shows SentinelOne or CrowdStrike or Malwarebytes or Blank or Y or Z, so folks, I don't want to be exclusive or inclusive. But the point is, it's like, they're going to show their EDR. But when I say, okay, now let's talk about another lens.

[00:14:54] This is going back to what you said of seeing things in a different lens. What if that next lens is, okay, tell me about each asset class. Great. You talked to me about endpoints. Talk to me now about network devices. Oh, oh, I do have that. I have a firewall, and it has IDS and IPS, and it has all these things that, okay, no, oh, you're right. That is a different... My point is, until you think about how broad these things are actually applied, and that's what I love about 8.1, is that if you take the lens of each different asset class when applied to that capability.

[00:15:24] Now, they often limit the asset class down to devices or to things like that, but now what they've done is they fixed it because devices... Or this is my small network. Well, no, devices actually fixes some of these things because in 8.1, devices encompasses network, encompasses endpoint, encompasses. So the fix that we're seeing, in my opinion, shows the breadth of it, but the gap in the collection of evidence, the gap in the understanding of application, the gap in the breadth of it is where I'm going to punch you. I'm going to cut you. You ever seen the knight's armor with the arrow through the helmet? Yeah.

[00:15:53] Like, I'm going to shoot you in the arrow hole, right? I'm not going to try to stab you through the metal holes. But that brings up a really good point. I think about where the costs or the knowledge needs to be that, you know, if you were to make a small circle, call this my personal network and go outwards from there. As I leave the office, the infrastructure and resources needed to continue to maintain becomes... I don't want to say it's always more expensive, but it requires more work, right?

[00:16:22] Like some things require... You don't agree? I don't know that I agree with that. I think if you do... I think this is why it goes back to my have and have nots. Sure. If you were a very infrastructural company that had traditional infrastructure, that required traditional VPNs that you hadn't accommodated for and managed, versus a company that is identity-centric, that is living with SASE as an extensible methodology, it's using ZT, ZTNA principles. You just aged me out for doing this.

[00:16:49] Like genuinely, I think those two, do they cost a little different? They do, but they also are based on where you start from a starting point. If I start a company today, this costs no different than if I'm somebody with this ancient anchor around my neck. And that's the difference that I see as my have and have nots delineator. I wrote about this in a book two, three years ago now, Chris, but we're there. Well, let me ask you a question, because there are some things in this space that I have seen drastic different in costs. So like, for example, I buy a firewall, I put it in my office, physical office, right?

[00:17:20] Versus standing up a virtual firewall in some sort of cloud environment. And I'm not saying that they can't be closer. Yeah. I just think that there are challenges there. Consumable SaaS service. And that's what I mean. It's like, when you start looking at this difference of starting today where I don't have to have any of the sins of the past, I might find a true SASE, SASE service, SASE service, or a SaaS ZTNA platform that allows me not to care about having to host some physical firewall, even though it's virtualized and even though it's running in a VNet. Well, you definitely see.

[00:17:49] Even though it's running in a, yeah. I mean, a trivial example of this would be the file folder structure of old, right? So like if you set up a server in 2005 versus today, you're like, oh no, we have to enable, you know, root share because otherwise it gets complicated. And then you're like, wait a second, everybody should see this share? Like, and then it never changes. It never changes. They upgrade server. They upgrade server. They upgrade server. Now it's 2024. 2024. And now they can't tell you why root of I drive is shared. It's usually driven by nobody being able to articulate the reason.

[00:18:19] Yep. Nobody being able to overcome the language barrier to business to say, here's the function and why we're going to change and how it affects you and benefits you. Or they've never even reviewed it. Like they just have to move forward with no looking back. But the irony is that if you start today and just gave simple advice, we wouldn't put you in that position. And this is why I feel like we're heading down this path of natural selection in a way.

[00:18:46] And I don't know that natural selection cares where you originated at. They only care about what's going to happen to you. And I think that that's that choice where, and I'm not going to get up on a pedestal and say that this side is problem free. I'm just going to say it starts from a different place and has very different ways I would approach things that allow me to not think like the past and change the things that I'm able to do in a more holistic manner. That's like saying a three-legged dog born that way can't have a great active life. Yeah, sure. Right?

[00:19:12] But it's definitely going to have a disadvantage over a dog that has all four legs. Yeah, that's true. That's true. And the other dog would have to adapt significantly different, but for analogous perspectives. But yeah, I think the other thing about 2025 too is that like as a grand level, I think most vendors in our space understand the call to action around this movement towards being able to be compliant. And I told this story earlier that I think this should apply here and I'll tell it now. Fred, imagine you're Johnny Healthcare. Okay?

[00:19:42] It's a cool little doc-in-a-box place and you have three locations. You're making about $7 million a year. You have five doctors that work for you in each location. Like you're doing pretty good, right? Like it's a decent business and operation out of that. And Johnny Healthcare gets a call one day from the Department of Justice and from HHS as an extensibility of saying, hey, we think you had an incident in 2022. Right?

[00:20:08] We believe you had an incident and that healthcare data and PII and PHI have been violated. And part of the Civil Cyber-Fraud Initiative, which is part of the DOJ or Department of Justice efforts starting in 2021 in October to go after things using the False Claims Act saying, you lied to the United States government saying you had an effective cybersecurity program in place. We found an incident that we can now prove did happen, we believe. And we're going to come after you because we had a whistleblower. Whether it was ignorance or not, right?

[00:20:38] That's right. They may not have intentionally done this, but they still committed the fraud. Exactly. So Johnny Healthcare is in a panic a little bit. And the executive director of Johnny Healthcare says, let's reach out and look back over that incident, talk to our MSP, and let's see how things are. And it's great. At first, the MSP says, hey, we have some forensics we collected. We know what was going on. We found that it was this isolated machine. We think we know what happened. We did bring in maybe someone to look at it with us. Maybe we didn't.

[00:21:05] You didn't have insurance involved, and you decided to file it not as an incident or not as a material breach, but as an incident. Now, what's interesting is as you go through this process with them and as they're asking, they want to see that you've met your system security plan. So the first potential for Johnny Healthcare is, hey, MSP, we have a system security plan, right? Okay. First pause if you're an MSP and ask yourself that question. How have you looked at that with your healthcare providers and understood as that applies to HIPAA now? Granted, there's a lot more nuance.

[00:21:35] I'm being very summative. But the point being, they end up saying, yeah, we had one. And it says that we have all these controls in place. And we've been following CIS. Awesome. Can you show me, MSP, the logs that show that every endpoint that was being managed had anti-malware on and running at the time of the breach in 2022? Now, second pause. What do you in the audience think the MSP said in their heart at that moment? Right.

[00:22:03] And the point is that a great many of people aren't dealing with that, nor has their shared responsibility matrix, if it even exists, spoken towards this thing saying, hey, client, we send you reports every month of your EDR status. You need to save those in a folder so that if you're ever audited in the seven-year period of things that you're managing, we are able to speak towards it. And perhaps maybe our incident response plan didn't deal with that. What happens to that MSP now? What happens when it comes to subrogation and insurance costs and risk as that passed down

[00:22:32] of not having something in writing that says, we're going to show that we actually had EDR. And you sold them an EDR service. You sold them anti-malware. Can you prove it? Right. I mean, this goes hand in hand with like, I don't know if you saw the something daddy lawsuit that's happening right now where going all the way back to 2018, the plaintiffs are claiming that their hosting vendor, well, we can just say it's in Bleeping

[00:23:00] Computer, GoDaddy, since 2018, was not implementing secure by default, requiring things like two-factor authentication. Yeah. But at the same time saying to their clients that, hey, we're secure and the things that you're talking about. Exactly. Or what if they were and can't prove it? Right. But this kind of goes hand in hand with the, like, whether it's the MSP or in your case, the Johnny Healthcare. Yeah.

[00:23:24] Whether GoDaddy is or isn't sued does not change the current direness of what Johnny Healthcare is dealing with. And I think that's the part that, you know, as MSPs are concerned, need to wake up to. Like, even if the vendor is found negligent or if the vendor is found to not have these things in place, that doesn't give you a, you know, a get out of jail free card like this. And I think that's the part that's hard right now. But I will say, comma, space, depending on how your shared responsibility matrix is written,

[00:23:53] depending on how you have that legal proof of how what someone's responsible for versus another. Okay, but now you're going back to, am I a brain surgeon or a help desk technician? Right? Yeah. Like, when I say help desk tech, you don't automatically assume expert in my field. I say brain surgeon, you know I'm an expert in my field unless I've been this far. Right, right? Like, but, but, but I think this needs to get hammered home with, with those that are potentially listening to this. And that is, you're not off the hook just because. And so if you're not doing what you just described, which gets into that maturity component, shared

[00:24:22] responsibility matrices have been around forever. Yeah. But I don't know how many times someone asked me like, Hey, do you by chance have a template for a responsibility matrix? I'll give you a great example of a shared responsibility matrix. I am going to do the prep work. I'm going to cut the onions. I'm going to cut the jalapenos. And my wife is going to get her pan and put it on the oven and do, we do these every day. We speak towards making dinner is not something that someone does by themselves. Perhaps there may be other parties involved. And when we do that, we agree on what we're responsible for.

[00:24:52] Right? We do it maybe not in a written format and handshake, but we understand and we articulate that. We just don't do that very well in the MSP land for our clients as service providers. And in general, I haven't seen many MSPs that have a robust shared responsibility matrix, even a left right side, let alone a RACI matrix or other things that get into very delineable ways that we're doing it. Do it in a simpler way than that. In fact, if you're doing the trust mark, because I might as well let people know,

[00:25:20] we had an MSP that we had been going back and forth with. I'm good friends with him. And he started using Microsoft Lists. I don't know if everybody's familiar with it. It's one of the hidden apps that Microsoft's made available. And what's nice about it that's uniquely different than, say, just a traditional Excel spreadsheet is that when you fill it out, you fill it out like a traditional form. Like, I need to add the objects that go along with this that are going to actually populate what looks like a traditional spreadsheet.

[00:25:47] Well, what's interesting about that as part of your third-party vendor management is you can bake into this as you populate with inventory the responsibility components for that vendor. You can do this with just about anything, right? It doesn't have to be to the grains of sand of how all of the pieces work. Start with having something that would identify like, hey, Matt, that's Sophos or whoever it is. And I'm concerned.

[00:26:15] And you're like, well, I look on the sheet and I go, oh, Matt is the responsible party that I need to include to then engage Sophos or whatever it might be, right? But how many have even anything close to that today? Yeah. And I think I can get their phone number from their website. Yeah. Yeah. Well, and now you're getting into like getting into the preparedness and having contact information in 17 for incident response, right? And things of that nature for this.

[00:26:41] And so I think one of the things that I guess maybe as a call to action out of this conversation, Chris, is like genuinely MSPs just need to take the first step. Like wherever you are in your journey, go iterate. Go do the next thing. Go try and start to get your asset inventory in place. Follow a framework. Get involved in the trust mark. Go through. And don't feel alone in this. Like Matt, both of us on the, you know, in this session, like, hey, reach out to us.

[00:27:08] We're happy to give you some, you know, thought-provoking places that might be easy. Yeah. Yeah. And I mean, there are resources out there, right? Like I'm starting to get into this from a peer group that I'm running. You're starting to get involved in peer groups more and more. We're starting to create these. You've done one-on-ones every week. We have a group call every week. Like there are things that you can do and the resources you'll get. And that's why I really genuinely say, I think this is a self-selected have and have nots here. Yeah. Right?

[00:27:36] It's self-selected in that you will choose to move forward from a governance and intent perspective or you won't. And it won't be whether or not you have the tools, right? Right. It's like saying, man, I would have fought back if I had a knife sitting next to a chair and a table and a bottle and a glass. And I'm like, bro, I got 20 weapons right here. Like we're going to figure it out, right? And I think, think like that. Don't say you're defeated. Don't be defeatist in approaching this. Simply understand that it just takes the first step and the next step and the next step.

[00:28:06] And that's not anything different than anything else you've ever done as an MSP. And, you know, I'd share this, you know, if the first step is, you know, inventory, great, fine. I think most organizations in the MSP space could do that because they have the tools facilitating to help them track that. But if that just seems daunting too, and you haven't done this, get plugged into a peer group. Good grief. The last thing I want anybody to do is navigate cybersecurity by themselves. This is not a one-man opportunity.

[00:28:33] I guarantee you that your nightmare will start as soon as you say cybersecurity, we're going to do it by ourselves. Your nightmare, if it hasn't already begun, is now beginning. If you get involved and let other people help keep you accountable and share their experiences, it'll be more like an adventure. I had an MSP that's taking one of my classes that's been a follower of mine for a long time. And he's a great dude. And he reached out to me and said, hey man, I'm taking one of your classes. I was like, sweet, you're taking my CIS class. And he said, no, I'm taking your policy class. I've got like 9,000 things to do.

[00:29:02] And I'm just, where do you start? Right, mate? And he's not wrong. Like I've lived that life. It's funny. I was hiring this guy from, well, I think we can say it now. He was VMware. He was a remote worker. Sure. He was talking about in his pro services, like I've done two V2V migrations and 12 P2V migrations. And I've done four email migrations. And I'm like, bro, that's my project guy's Thursday.

[00:29:27] Like as an MSP, you have to understand the pace of play is 10 to 12 fold what the pace of play might be in a small to mid-sized business job as a technician or in an enterprise space as a technician. It's just such a different exposure. Yeah, you ever have an ISP install the services to your house? Like you've been here for like three days. Can I get somebody else to give us 30 minutes? Or a test and turn up with AT&T with 95 people on the phone, right? Right.

[00:29:52] Anyways, but the point is, is like I think genuinely that pace of play difference is also what makes MSPs so leveraged in what they're trying to do with such little resources, right? Small to mid-sized businesses spend 7 to 9 percent, 7 to 9 percent on all technology, let alone security and other security capabilities.

[00:30:14] And so MSPs have to do a lot with a little, and the only thing I'll say is two things you have to be responsible for in MSP. Number one is there is no excuse for not doing the things you should be doing for you. That is only an intent problem. Number two, you should not be providing services you can't prove you did what you said you were going to do. And if that means you need to narrow the scope of what you say you're going to do, that is probably a prudent decision in your shared responsibility matrix.

[00:30:42] Probably reduces some of that FTE too if you're narrowing scope. Or at least clarifying scope is already there, right? And that you're going to get in trouble for. And I think that's the thing that will help this year is those that choose to embrace those two concepts this year will be ahead. And I think when you start seeing that play out, you see consolidation. You see people wanting to bail out of a market. You see people not surviving. And I don't think bailing out of a market anymore is going to really change a whole lot. You're just going to bail out of a smaller market.

[00:31:11] I was going to say, the inevitable is just going to be maybe further down the road, but it's still going to happen. You're just kicking the can down the road, right? This is good. I think this pretty much sums it up. I have to share this. If you can see, I have on my shirt, it is the Meraki Space Camp t-shirt. Oh, very nice. Very nice. It looks like you've had it a minute. Because it was a minute ago when they used... So that was when you...

[00:31:37] If you hosted them to do their technical trainings, they called it Space Camp. Oh, that's right. So then they would bring all their gear in. And it was ironic because they'd ask questions like, not how big is the room? They'd be like, how much power do you have available circuit-wise in the area that we will be doing the demos and walking people through the training? You know what? To take a tangent off this real quick, though, you think about that have and have-nots.

[00:32:00] If you were born in an era when what you were buying from a hardware infrastructure to move forward was Meraki, then scalability, management scalability, operational scalability, the ability to manage all interfaces in one place, the ability to patch everything in one place, the ability to manage the commonality of a network map, the ability to look at data flows in a viable way, all those things were part of one infrastructure that would have taken a lot more to do in an infrastructural world from one that was born before that. And so it's like... You could... Yeah, firmware updates on an access point.

[00:32:30] You could do 1,000 clients. Done. All their access points. Yeah, do it at 3 a.m. tonight, please. You know what I mean? And you could just automate it. You could just say, hey, if there's a firmware update available. And I had an FTE that did that. I had a guy named Neshe Bhandari in India that did patching at night. So it was off-cycle, right? And as soon as you go down that path, no more. I'm just automating it. And it really is this automation combined with the loss from regulation and commoditization and risk over contractual obligations. I think we're going to have to talk about that. I'm just doing all the shuns, aren't I? Yeah.

[00:33:00] So next month, Matt, I think Fireside Chat, maybe we should talk about how some of the things that we see, the have and have nots, is if you take advantage of the things that you can do through automation, you may move yourself from the have not into the have. So until the next Fireside Chat... Or from the have to better haves. Sorry for cutting off your ending. Have mores. The have mores. If you've been listening to this, this has been an episode of MSP 1337. Thanks and have a great week.