Matt Lee and I recap 2024 and the impact of cybersecurity on the MSP community. We then look forward at what we might expect in 2025. This is an episode that will really get you thinking about your own cybersecurity posture as Matt drops some serious knowledge.
[00:00:06] Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity, challenges, solutions, a journey together, not alone.
[00:00:21] Welcome everybody to another episode of MSP 1337 Fireside Chat Special Edition with Matt Lee. It's December. Matt, welcome to the show.
[00:00:31] Man, it's been a year and a half, and now 17, 18, 19 months of this, but here we find ourselves.
[00:00:41] We find ourselves, and you know, it's December. I've been doing this now. This is season five, so roughly five years we have done like the prediction of looking ahead.
[00:00:53] And before we look ahead, obviously saying, you know, what did or didn't happen in 2024 that, you know, is one of those things where it's just a loss and we just move forward?
[00:01:04] Or is a, we didn't get it done quite right. Hopefully we can, you know, fix it as we go into the new year, right?
[00:01:11] So I'd like to start off with just sort of pointing out a couple things.
[00:01:15] One, CMMC final ruling is out. Literally today. Yeah. Yeah. Today. I think they said officially the, those that can do assessments is like January 5th, 2025, 2025.
[00:01:31] I know they can't start today. Even though it's out. The second one is, and I've talked about this on the show before, SMB 1001, formerly an Australian only really SMB framework that has some paths to self-attestation and some more extensive audits for a business.
[00:01:53] That will be becoming early 2025. And then I just thought it'd be good to sort of like look back and think about, you know, from an MSP perspective, what are the things that we missed?
[00:02:05] Because I think the two, the reason why I bring up those frameworks, obviously there's the trust mark. The reason why I bring them up is I think we're starting to see an actual, in the absence of, we can create something, right?
[00:02:17] Anybody that says compliance is, is because you know, just government wants to regulate us. No, it's almost always frameworks like this come out because you know, we weren't doing due diligence or even remotely trying to do things that we should.
[00:02:33] Yeah. Yeah.
[00:02:34] So well back.
[00:02:34] We saw this, right? CJ, like, you and I talked about this in the green room before we, we saw this, like we talked about this a year and a half ago, almost two years ago. And you said to me, Matt, let's do a call where we talk about how, how long does it take an MSP to get through the trust mark? And you remember what time I said?
[00:02:54] I think you said 12 to 18 months.
[00:02:56] I did. And the reason I said that is they just stated the fricking union, Chris, like state of the union. We have as practitioners in the small to midsize business, MSP serving market in this channel that we call home. And even in larger mid market and enterprises have been lying to ourselves about what good is.
[00:03:17] Right. It's like the first time you ever got to this like oval track and decided you were going to race a car around this parking lot. And then you started doing it with 30 of your friends.
[00:03:25] And then you start calling it NASCAR and then you start going, Hey, drivers are dying. Maybe we need to put like roll cages. Well, the roll cages probably should have been there the whole time. Stupid.
[00:03:33] You're only doing this now because you're at this stage where it's gotten to a scale. You're starting to realize the death is happening. You're starting to see in more public eyes.
[00:03:40] And I think the point is, is that we as an industry in general technology across the board have been around for since about 1937 was the first digital computer. So if you do that, we're nearing 80, 90 years or so. Right.
[00:03:55] And so when you think about that, most industries go through that timeframe from a technology before we start fixing the problem. Sure.
[00:04:01] So I'll go back to my prediction last year. Right. Last year, I had this rosy, unjaded, matly belief that MSPs were moving forward.
[00:04:09] We had already been talking about the trust mark for six months. People were signing up. We had, I think, a couple hundred people signed up at that point.
[00:04:15] I had this like belief and optimism that this was the year that MSPs were going to start moving forward in their career and to, in their, in their own protection and their own adoption of frameworks, whatever framework that.
[00:04:29] I was wrong, but it leads to my prediction. Now we have started to see the beginning of the division of those that survive. Right.
[00:04:38] I think we are starting to see, Chris, well, you have like what, 20 people that have finished the trust mark, 2,000 signed up with interest, 240-ish or so that are going through it.
[00:04:48] Like of the 20,000 or so practitioners in the U.S. or 30,000 MSPs in the U.S., whatever it is, like we're seeing some choose to live.
[00:04:56] Right.
[00:04:57] Like we were talking about this in our signal group today of, of the, of with CMMC now coming out, MSPs are having to make decisions.
[00:05:03] Do I get rid of those clients? Do I do a part assessment? Do I an assessment on like the pieces I do provide for them?
[00:05:09] And I do very little. Do I assess like, but most of them are saying the SMB might be pushed out of this a little bit and that more mid-market players are going to take this up because they can afford it.
[00:05:17] That's some of that chatter. When you think about that, my, my thoughts is that means that that pressure is going to be for the MSPs that choose to serve them.
[00:05:26] They're going to have to get even better. The market itself is saying we need, we need frameworks, right, CJ?
[00:05:31] Like you're looking at SMB, you're looking at Trustmark, you see CMMC going through.
[00:05:35] I think the world is starting to at least divide who's going to make it and who's not.
[00:05:39] Like that's what this year's about is the ones that work or finishing or midway through their process of changing and are going to be able to take advantage and capitalize on that.
[00:05:48] Well, Matt, remember when we were at, I think it was Momentum and someone asked the question,
[00:05:53] it was probably Henry Tim because he likes to ask those fun questions.
[00:05:57] You know, what do you consider to be success? And I remember, I think you and I were,
[00:06:01] you were moderating our panel and we were talking about just kind of the challenges around proving cyber hygiene, that kind of thing.
[00:06:09] And if I, if I recall, if I quote you correctly, you said success will be defined by 50% of you being gone.
[00:06:16] I tried to be nicer than that. I tried to be softening the blow of 50% of us won't be here.
[00:06:21] Sure.
[00:06:27] I think that 50% of you and really in the ratio and I'm seeing Chris, God bless us.
[00:06:31] It's better if it was 80%. I mean, I don't want to feel like Thanos with two snaps here, bro.
[00:06:36] But like, I genuinely feel like snapping twice. I, I, I, I just, yeah.
[00:06:41] Well, let's go back to the positives. Let's go back to the positives.
[00:06:43] So you and I did a, a workshop together more than a year ago and we've done some stuff obviously since then.
[00:06:51] But I remember the first time you and I shared a stage talking about cybersecurity and all the things that MSPs need to do.
[00:06:59] And we were talking about CIS top 18 and, you know, it went through both of our heads was no one has a clue what the acronyms we're using or what the hell we're talking about.
[00:07:09] So fast forward to even the fall of 2024.
[00:07:13] And I would argue that the conversations have changed.
[00:07:17] The questions have sounded at least remotely.
[00:07:20] I use ChatGPT before I asked this out loud and we're getting genuine questions about how to navigate.
[00:07:27] From some.
[00:07:28] Some.
[00:07:28] But from some, I think there's this Chris, like selected group that were, that are around us now that are, and they're very much maturing and they are speaking in those languages.
[00:07:38] And I think to your point, what we don't see as an obverse of that are the others in my Thanos experiment, if you will.
[00:07:47] Right.
[00:07:47] Like I think there is that group that when I meet them, they've done none of these things.
[00:07:52] Sure.
[00:07:52] So much of this is new.
[00:07:53] Even people that are espousing CMMC.
[00:07:55] I've had meetings with people that say I'm doing CMMC.
[00:07:58] That's my primary market focus.
[00:07:59] And I go, okay, cool.
[00:08:00] What do you have done?
[00:08:02] Nothing.
[00:08:02] Right.
[00:08:03] Wow.
[00:08:03] That's a problem.
[00:08:04] Right.
[00:08:05] And at some point you can't lie to yourself there anymore.
[00:08:06] So I, I feel like.
[00:08:08] But you have to start with the group that wants to, right?
[00:08:10] And I'm not saying.
[00:08:11] Oh, no.
[00:08:11] I'm not saying that you're going to pull those other ones through.
[00:08:15] But you will pull some.
[00:08:17] Yeah.
[00:08:18] Agreed.
[00:08:18] And I think it's, and I think it's bigger than that because, you know, just like things like suddenly finding that now Microsoft has like security defaults turned on.
[00:08:26] Five years ago, we did not have that.
[00:08:28] Um, so they were in that group that was saying, yeah, no, not right now.
[00:08:33] Or, and so I think that the group that is navigating and pushing hard and pursuing, gravitating to the workshops and the events that we're involved in, they are the conduit or the vessel of change that is, that is coming.
[00:08:48] And there will be more that will come into that group, if you will.
[00:08:53] Then I think that will stay away because once you hit a certain critical threshold where everybody sees it all the time, you realize that when you go to prospect, I mean, this is my favorite line that I hear from an MSP on sales.
[00:09:06] Well, there's only so many MSR, only so many SMBs in my area that I can go after.
[00:09:12] No kidding.
[00:09:13] You came to that conclusion just now?
[00:09:16] Like there's a market.
[00:09:17] There's a cap.
[00:09:18] There's a metropolitan service area.
[00:09:21] Holy heck.
[00:09:21] This blows my mind.
[00:09:22] And funny, funny how this works where you can acquire another MSP, your client volume just skyrocketed potentially.
[00:09:29] You can go outside of the geography that you currently are in.
[00:09:32] Oh, there's another pool.
[00:09:33] And the reality is the services that we deliver continue to get added on top of service after service.
[00:09:41] So you're telling me that your opportunity keeps shrinking.
[00:09:45] Have you heard of cybersecurity?
[00:09:47] There's huge opportunity.
[00:09:48] And a lot of that opportunity is interesting because it's also something I decry, right?
[00:09:54] Like when I talk about middle theory or something I've talked about forever, it's really just saying, hey, products don't rise much above the maturity of the consuming entity,
[00:10:01] nor do they fall very much below and survive very long, right?
[00:10:04] Like there's no benefit capitalistically to be better than the maturity.
[00:10:08] Right.
[00:10:09] So when we talk about this, all these things that are coming to do that like the examples of the trust mark, we talked about what are some of the challenges of going through the trust mark.
[00:10:15] Well, it's all the hours and time and work to undo the things that you should have already been doing right in the beginning in a lot of cases.
[00:10:23] Like just the basics, the basics, basics, basics.
[00:10:26] We're in a world where there was no capitalistic pressure of maturity to make us do things in a secure way.
[00:10:31] You roll out an RMM that's literally doing clear text passwords for the number of years because why?
[00:10:37] They weren't being asked to be more mature, right?
[00:10:39] Or we created our own password field because there wasn't one and it was also –
[00:10:44] Just tons of these things that you have to do all more correctly.
[00:10:47] But then there's the other things of stuff that we didn't know we needed to be doing like the tasks to be compliant yourself or to be compliant with services you offer your clients,
[00:10:57] the ability to prove and document that you've done things, like the ability to follow policy, set policy, write policy, adhere to it,
[00:11:04] the ability to like those things, change approval, right, the change of accountability.
[00:11:08] None of that existed in our space.
[00:11:11] And so when people talk about how hard this has been and how lack of progress, it's almost like a duck swimming frantically under the surface but calm on the top, right?
[00:11:20] Because at some point they'll reach the land and they're moving.
[00:11:23] But right now – I tease.
[00:11:25] But genuinely, man, like –
[00:11:26] You're not wrong.
[00:11:27] I agree with you.
[00:11:28] This year is probably the year we see the ones that were early leaners get to where they needed to be and start profiting from that
[00:11:36] and taking that reduced risk as they continue forward and being able to take new business as that goes.
[00:11:42] Because at some point, back to your point, maybe there's not new market for you because you're not attractive to the market that exists around you.
[00:11:48] Right.
[00:11:49] And others are.
[00:11:50] And that's the point.
[00:11:51] And I think that's where we're heading to is the more and more this is in the public conscious,
[00:11:54] the more and more we're going to see that drive people's behavior in the world.
[00:11:59] I'd like to throw another thought into the mix on this because I remember – let's use mid-market or corporate.
[00:12:07] If you've ever worked in a corporate environment, it's an easy – everybody recognizes this.
[00:12:12] Get an acceptable use policy.
[00:12:13] You have an employee handbook.
[00:12:15] There are things that you as an employee had no problem signing off on and you agreed knowingly to not do things like use the internet inappropriately
[00:12:24] or maybe not use your personal device for fill in the blank.
[00:12:28] There's things in that realm that we all agreed to at some point if you ever were in corporate.
[00:12:33] What I find interesting is that in the SMB space, particularly with MSPs, we've had similar policies written,
[00:12:41] acceptable use, employee handbooks, where employees knew that to violate that could result in their own termination.
[00:12:49] And what I have witnessed – and I'm curious what your thoughts are on this – where the owner or leadership team write up policies
[00:12:56] that they expect their employees to follow and are quick to say things like,
[00:13:00] failure to follow this can result in termination.
[00:13:03] And while that may be true, what's interesting is in most cases that I've seen this,
[00:13:08] they've done zero to educate on the why for the new policy.
[00:13:12] They have made it very clear that the employees have no idea what they're doing,
[00:13:17] that they didn't have this policy before.
[00:13:19] Now they're going to be capable of doing something that they didn't do before.
[00:13:22] And so you have this muddy model happening where the reality is they're afraid to even enforce it,
[00:13:29] but they'd never bother to go about getting buy-in from their own staff on things that improve the overall maturity.
[00:13:37] If you're listening to this in your MSP, do you have an ISO named?
[00:13:41] Do you have executive support to move forward with security decisions for yourself and your clients?
[00:13:46] And stop right there, Matt.
[00:13:47] You said something right there that's extremely important.
[00:13:50] I'm the business owner.
[00:13:51] We don't have an executive leadership team.
[00:13:53] Okay, fine.
[00:13:55] Do you buy into what you're asking?
[00:13:57] Yes, put the hat on.
[00:13:58] Put the freaking hat on that says ISO.
[00:14:00] That's that hat time.
[00:14:02] Sorry.
[00:14:02] Right?
[00:14:02] But the point is that I think what you're describing is a lack of governance.
[00:14:07] And I know I'm just like a one-string guitar dude, and I'm just blunk, blunk, blunk, blunk, pulling it over and over again.
[00:14:12] It works good in that folk music.
[00:14:15] It does, right?
[00:14:16] It's like a jug.
[00:14:17] But no, seriously though, the lack of governance means no one in executive level has set the policies, understood the policies, educated on the policies, and taken action upon the policy's failure.
[00:14:28] Like at the end of the day, it's not a policy.
[00:14:31] It's not real.
[00:14:31] It doesn't exist if there's not governance.
[00:14:33] It's all – that's what we're seeing in corporate America every day, CJ.
[00:14:36] Right.
[00:14:36] That's what we're seeing everywhere.
[00:14:37] There is no translation from here's policy.
[00:14:40] Here's what we need to do to protect ourselves and the actions we need to take.
[00:14:43] And then the governance and executive function to make it happen.
[00:14:46] It goes to that aspect.
[00:14:48] And I think in the SMB, the causation is different.
[00:14:51] The outcome is the same.
[00:14:53] Right.
[00:14:53] And I think sometimes it's funny going back to like CIS when it says words like enterprise.
[00:14:59] And they're like, yeah, that doesn't apply to you.
[00:15:00] Well, they just mean any business.
[00:15:01] I know that.
[00:15:02] It was a very British version of the word enterprise.
[00:15:04] It is.
[00:15:05] It is.
[00:15:06] The enterprise to do this.
[00:15:08] Right.
[00:15:09] I think that while we say that, if you watch the conversations that happen when words like enterprise that obviously have more than one meaning are used, it creates a disconnect.
[00:15:21] And it creates this misalignment with what the spirit of the safeguard or controls actually were.
[00:15:28] And that's where we're already failing as MSPs.
[00:15:31] We've got to get out of our own way.
[00:15:32] Look, when you set up your business, odds are you had to say something like co-founder or CEO or CFO.
[00:15:40] Why?
[00:15:40] Because when you register an LLC, they want to know who the members are and what their titles are.
[00:15:45] And the reality is...
[00:15:46] Well, they want to know who's executively in charge of that organization.
[00:15:49] Exactly.
[00:15:49] That's so fair.
[00:15:50] But what's ironic about that is we've created this notion out of the gate when they created the company of three that you had to have these names in that way.
[00:16:01] And while they are important on paper for those filings, you're not running your company that way.
[00:16:07] You're probably the business owner and the CFO.
[00:16:10] You're probably the business owner and the ISO.
[00:16:14] Right?
[00:16:14] A hundred percent.
[00:16:15] Yeah.
[00:16:15] And we just need to get that stuff behind us and recognize like, hey, this is about defining roles and responsibilities, not what the title says.
[00:16:23] What does the responsibility that goes with that role?
[00:16:25] Because that's what matters.
[00:16:27] Right.
[00:16:28] And it allows you to function in that capacitance.
[00:16:31] It's funny.
[00:16:32] I'll tell this story a bunch and I have told it before other places.
[00:16:35] But Tony Miller was at some point the general manager of Denver and the VP of operations of a five-state organization running 20,000 humans or devices at least, 17,000 or so humans' lives.
[00:16:48] So he would literally, in the middle of an argument with me, it's my boss of the VP of O, VP of operations.
[00:16:54] He would put on his VPO operation hat and go, yeah, Matt, that's great.
[00:16:57] We need to take rights away.
[00:16:58] Let's sign scripts.
[00:16:59] Yep.
[00:16:59] A hundred percent.
[00:17:00] Nope.
[00:17:00] Nope.
[00:17:00] A hundred percent.
[00:17:01] Boom.
[00:17:02] Boom.
[00:17:03] Hat on GM of Denver.
[00:17:04] You're going to wreck my people.
[00:17:05] I'm going to have revolt.
[00:17:07] I hate you for this.
[00:17:08] I'm not sure how we're going to deal with this.
[00:17:09] I put in a vote no for this.
[00:17:10] He would literally vote against himself in each of the different capacitances.
[00:17:14] And he literally had a hat that engraved VPO and GMD on these two different Titleist hat.
[00:17:21] And he would just switch between them to change personas.
[00:17:24] And I take that as a hyperbolic example, Chris.
[00:17:26] Sure.
[00:17:27] But maybe that's another part of my prediction this year is that MSPs will start to understand more maturely those roles.
[00:17:33] And if they're at the scale that they can do it, they will assign them.
[00:17:36] If they're at a scale where they have to wear multiple hats, they'll at least understand them.
[00:17:39] At least the ones that are going to be successful will.
[00:17:41] And I'd go back to that same question.
[00:17:42] If you haven't assigned an ISO, somebody that's your internal security officer or information security officer for things,
[00:17:49] then you aren't going to have someone in charge to make those executive decisions.
[00:17:52] If you don't have a change accountability board, even if that's a member of two or one,
[00:17:56] you document and vote and go through those things, you're not going to be successful
[00:18:00] because more and more frameworks are going to pop up,
[00:18:02] more and more requirements at a commercial and business level will come up.
[00:18:06] And they should because I think the more and more focus, it helps, right?
[00:18:10] If you have something that's a smaller container, you have a tendency to be successful because it's not broad and large.
[00:18:18] We go back to CIS Top 18.
[00:18:20] It's no small feat for any organization.
[00:18:23] I don't care if you're 5,000 employees or one employee.
[00:18:26] It is not easy to just go through and establish cyber hygiene, whether it's 25 safeguards or 153 safeguards, right?
[00:18:36] Like it's the doing part that tends to be difficult when you haven't done it.
[00:18:41] But I will add that that is not made easier by vendors.
[00:18:46] And you and I started off with a talk about Microsoft licensing, but that applies to so many places.
[00:18:50] I'll make this prediction.
[00:18:51] This year, the maturity of that middle person, that middle MSP is high enough that they are asking questions
[00:18:59] about products and services' own security and products and services' own supply chain risk
[00:19:06] and are asking questions and will vote more with their dollar for the ones that can better answer the questions,
[00:19:12] even if they don't know what those answers mean.
[00:19:14] Like genuinely, even if the middle human doesn't really understand, but they know to ask now,
[00:19:18] the ones that can tell the better story will do better.
[00:19:21] Yeah, I feel like that's a great point.
[00:19:23] Very John Madden of me, but...
[00:19:25] Yes, well, I think for years, the MSP space has, especially since the majority are not 7,500 employees
[00:19:33] managing thousands of endpoints, right?
[00:19:35] Where they have, you know, wallet share that matters to the vendor they're buying from, right?
[00:19:41] Like, yeah, if you're only buying 50, 100, 500 seats, they may not really care.
[00:19:45] Like, if you want to go see like where a vendor has like some, whether or not you make a difference,
[00:19:50] when the threshold that is two or three tiers above the starting point for that vendor you're already at,
[00:19:58] you probably have pretty solid wallet share or potential for pretty solid wallet share.
[00:20:02] If you're at the bottom of like, yeah, we're looking at trying out like four to 10 seats,
[00:20:06] they're like, awesome, list price, don't care.
[00:20:09] But I think the questions that have not been asked for many, many years are largely tied to,
[00:20:15] we weren't educated as MSPs on what those questions really were.
[00:20:18] And it goes back to what you said about security defaults.
[00:20:21] I didn't know that was a thing back when we were doing it.
[00:20:23] Like, we did try to put security, you know, things in place.
[00:20:28] But like even looking at things like, you know, putting somebody in GCC and the client's like,
[00:20:32] well, wait, aren't you done?
[00:20:34] Like, no, no, no, that's the tenant environment, not the rules that we need to apply.
[00:20:39] That's now the acceptable chassis and frames and motors for a NASCAR race.
[00:20:45] We now have to go configure all that.
[00:20:46] We have to make it work to save the driver, right?
[00:20:49] Right, right.
[00:20:49] And apparently they don't let you, you know, paint your car in camouflage, right?
[00:20:53] Like, you know, hey, he's driving an invisible car.
[00:20:57] But yeah, to your point, that's the other side of this is that vendors that tell a better story
[00:21:01] about their own security, their own posture, their own supply chain, their own modernness,
[00:21:05] their own lack of tech debt.
[00:21:06] That's one thing.
[00:21:07] But then to your other point, like there are so many vendors that have been balanced.
[00:21:11] And I didn't realize this was only a year ago, but less than a year ago, I was at an engineering airlift
[00:21:16] and we talked about that MSPs only had 29% strong auth turned on.
[00:21:20] And the question was asked, why are they not educated enough?
[00:21:23] Maybe my turnaround question is, why don't you just enable it by default?
[00:21:26] Why don't you just remove those?
[00:21:28] And you're starting to see it play out that we're going to see more and more stringency
[00:21:32] on secure by default, notwithstanding of what happens to CISA or the rhetoric driving it,
[00:21:37] but certainly just the understanding of you can't sell a car with ABS turned off.
[00:21:42] Sure.
[00:21:43] Like you just can't.
[00:21:44] I can turn it off.
[00:21:45] But you can't unless it was 1972.
[00:21:48] It was 2005.
[00:21:50] That's great.
[00:21:51] The point is you can't have it where it was already default turned off.
[00:21:54] It's not allowed.
[00:21:56] Or it's certainly not commercially acceptable.
[00:21:59] So let's pause that for a second because I think to that, there's a flip side to that too.
[00:22:04] So I think back to the first ransomware that I ever dealt with.
[00:22:09] It was back in 2015.
[00:22:11] And the way in which they were compromised was through the session of a remote desktop connection.
[00:22:16] So it wasn't the actual how they – it wasn't the because they had RDC turned on.
[00:22:23] It was that the user in an RDC session was compromised.
[00:22:28] User doesn't know he's compromised.
[00:22:30] And when they were done doing their work, they hit the little red X in the top right-hand corner
[00:22:35] instead of logging off their session.
[00:22:38] And because timeouts were set to 45 minutes, that user had time to permeate basically 45 minutes of I have access until this session logs out.
[00:22:52] The interesting thing about it was had the users been educated that the red X is not a logout button, that might have never even happened.
[00:23:01] And it's just the lack of understanding on the technology.
[00:23:05] Or the systemic function set with a shorter timeline that does that once X has been pressed and a session is distributed.
[00:23:10] Well, so that's why I say it's the two sides of the same thing.
[00:23:13] On the one hand, as the leadership that's saying let's do that by default.
[00:23:17] So let's just say it was an RDC session.
[00:23:19] We still said that was okay to use.
[00:23:21] Oh, you know what's funny?
[00:23:23] Leadership sometimes deals with – there's a YouTuber I watch called Technology Connections.
[00:23:27] I love the guy.
[00:23:29] And he loves to take arguments from people when he's made a very empirical basis of something.
[00:23:34] He loves to take arguments from them and say, but, well, sometimes, right?
[00:23:39] But, well, sometimes – and one of the arguments he talked about was traffic lights going to LED from incandescent.
[00:23:44] They died less.
[00:23:45] They live forever.
[00:23:46] The problem is that – but, well, sometimes when the snow blows a certain direction, they don't have any heat internally to melt the snow off.
[00:23:53] Therefore, no one is going to be able to drive.
[00:23:55] But the sheer amount of energy savings, the sheer amount of – the lights are always functional.
[00:23:59] The sheer amount of difference in that, the greater good still comes out to a far better basis.
[00:24:03] Yeah, when was the last time you'd use a tire?
[00:24:05] And that's the point is like people live with the yeah, but well, sometimes.
[00:24:09] And what I mean by that is let's say we were to argue that we want to set our session lifetimes,
[00:24:13] that when they're disconnected, that people will generally be back up on the internet in five minutes.
[00:24:17] And then we don't want them to have persistent sessions.
[00:24:20] They're already using SaaS or something of that nature that autosaves, let's say.
[00:24:23] When we make that argument, somebody goes, yeah, but sometimes I'm out for like 15, 30 minutes.
[00:24:28] I need 15, 30 minutes.
[00:24:30] Why don't we make the executive function to deal with that challenge at a small microdose rather than having a much larger risk surface?
[00:24:36] And I'm not saying that's exactly how I'd feel about this scenario for anybody who wants to be haters later.
[00:24:40] I just mean the way we should think about this is in are we actually adjusting to a but well sometimes?
[00:24:47] Right.
[00:24:48] Or are we actually planning for a real occurrence that's going to happen on a high enough basis to make a difference in my world?
[00:24:55] So we've largely talked about more of the historical of what has gotten us to here to put us in the predicting 2025.
[00:25:02] What do you think we're going to see from a, you know, whether it's tied to AI or new technology in the form of, you know, CPU revolution that I think is probably happening in the near future for the way in which they're all throwing down right now.
[00:25:20] Like, hey, let's measure the existing crap that we have and try to keep that in the spotlight.
[00:25:24] Someone's got something brewing for them to try and draw attention away.
[00:25:28] Yeah, I'm just curious.
[00:25:29] What are your thoughts about what we should be looking out for in 2025?
[00:25:33] I think from an AI perspective or at least from machine learning AI applicability, I think next year you'll see the culmination of a lot of startups that have done things that are unique, that add value to mainly around like what is an asset, anomaly detection, things in that nature that are getting really good just because they've reduced the barrier of entry.
[00:25:57] I think the reduction of barrier entry starts going into things that are make your own tools better in a lot of ways.
[00:26:02] You've seen a lot of that playing out just even over the last couple of six months to a year of announcements of people, what they're putting in their products, how they're doing it.
[00:26:11] You mean like a player that like comes in and says, I know that you're not smart enough or you don't have the time to configure 365 securely.
[00:26:17] So use our product and we will secure or lock it down for you.
[00:26:21] Yeah, like ISVs that add value to things and find anomalies in great data and set structure to how we apply these safeguards.
[00:26:29] I think a lot of that is where that kind of language models do really well in some of that stuff, like finding anomalies of things, tying machine names together.
[00:26:39] Some of that earlier machine learning that we've seen people struggle with, now it's easy for somebody to do.
[00:26:43] Well, I feel like it kind of goes hand in hand with like the ability now to extrapolate evidence to support that it's doing what it's supposed to be doing.
[00:26:49] Where before we relied on the idea or the response from the said, you know, GPO or fill in the blank.
[00:26:56] It says, yes, we're doing that because you told me to.
[00:26:58] Awesome.
[00:26:58] Like what evidence does it besides what you said?
[00:27:00] Yeah.
[00:27:00] And that goes to predictions.
[00:27:02] Let's stay away from the AI prediction side just because I don't know all those things of what's going to come.
[00:27:07] I think that's one of the beautiful creativities of people.
[00:27:10] I know a few of them.
[00:27:11] But back to your point, I really do believe this is the year where automation and ISVs of automating key platforms will be huge for them.
[00:27:23] Right?
[00:27:23] If you think about even a Rewst or an automation platform, they had like exhausted their natural market.
[00:27:27] But that's because the natural market are the ones that are forward thinking in that first self-selected view that go down that direction.
[00:27:34] I think that the market will expand because more people will find valuable things they can do after being forced to try to sort through all the things they're going to have to do to survive and profitability.
[00:27:45] Right?
[00:27:45] And so I think automation will be big this year.
[00:27:47] I think people adding value for ISVs or solution providers that add value to other existing APIs like Microsoft will do really, really well this year.
[00:27:57] I think you'll start seeing more and more of those people that make security settings at a systemic level of those that are very deeply in those systems easy to do.
[00:28:09] Like even several of the products I've looked at are trying to take frameworks and map them into various products like Salesforce.
[00:28:15] How do we set up Salesforce to be more secure?
[00:28:17] And how do we set up and setting up APIs to do it?
[00:28:20] Right?
[00:28:20] So that they can automate that.
[00:28:22] And then that also ties back to, to your point, the beginnings of evidence collection.
[00:28:26] I did a talk with Mike Semel the other day about how to actually be secure for your customers.
[00:28:33] What do you mean by that?
[00:28:34] He went back to say, if your customers need seven years of history for something and somebody comes back two years later and says, show me those EDR logs from there, do you have them?
[00:28:42] Right.
[00:28:42] Do you even have them? Like let alone the security aspect, but what you're doing for them as a function.
[00:28:47] And so he goes through some of that, like just the challenge that it'll be to actually be able to be ready for those things.
[00:28:51] I think that comes at the value of automation.
[00:28:55] I think that comes at the value of if you are a company and you can write one cool feature.
[00:29:00] I think how many people made money on like signing stuff for ConnectWise or right?
[00:29:04] Like you added some cool feature and now everybody bought it and you made a lot of profit.
[00:29:08] But now those features are evidence collection for like being able to store it and save it for documentation as a service or compliance as a service or whatever it may be.
[00:29:17] Or even just being compliant yourself with the own tools you sell and provide.
[00:29:21] Like I think there's market opportunity there.
[00:29:23] But at the same time, using APIs to automate so many of these things where I go, oh, it's Microsoft?
[00:29:28] Click here with Cloud Capsule and it'll start doing those things.
[00:29:31] Right.
[00:29:32] Fair disclosure.
[00:29:32] Right.
[00:29:33] I am an investor in Cloud Capsule, but it's because I believe in the mission and what they're doing.
[00:29:36] And so I just think, Chris, this year is a year for the haves to go very deeply into being profitable by doing these things in an automated fashion that allow more scalability, that allow you to scale this and do it at a way.
[00:29:48] No matter how big you are as an MSP ultimately, which is the leveling factor there that's interesting.
[00:29:54] So I'll add one.
[00:29:55] So my prediction is that we've seen this continue to be a race to the bottom in some cases.
[00:30:02] And I'm not talking about what you charge for services as an MSP.
[00:30:06] I'm talking about the vendor products and services that are available to help augment what an MSP does without buying into a third party service.
[00:30:17] Like what I mean by, like, I don't mean hiring a SOC as a service.
[00:30:20] I'm saying like, this is like the tools to your point, like a Cloud Capsule.
[00:30:24] Like how do I do a meaningful evaluation of an environment that I'm responsible for managing and make sure that I've checked.
[00:30:31] In a uniform, repeatable way.
[00:30:33] Exactly.
[00:30:34] That's a great way to say it.
[00:30:35] And, you know, I, you know, remember when, when Vonahi came out, is it what we all want to be seen as, that's the end-all, be-all for a pen test?
[00:30:45] I don't want to get into politics pen testing.
[00:30:47] But that came along.
[00:30:48] For the bell curve of stuff that it enabled us to check.
[00:30:51] It's pretty good.
[00:30:51] Absolutely.
[00:30:51] And then, and then the secondary version of that is vendors out there like Cypher who have, who really are, you know, digging in deeper into that space and are saying, look, here's a pricing model to do things that are continuous, which I would argue in some cases is.
[00:31:07] But even at the same time, open source tools like Maester.
[00:31:10] Oh, yeah.
[00:31:10] Right.
[00:31:12] MS.code or whatever it is.
[00:31:14] CMD.MS.
[00:31:15] Like the kind of stuff that's being enabled for us is massive.
[00:31:19] CIPP is another example.
[00:31:20] Or look at CIS top 18.
[00:31:23] If you look at the group, implementation group one, it shows every single one of those that there is either a means to do it without any tools or the tools they do show are available to help solve that do not cost any money.
[00:31:36] Now, I would argue that everything comes at a cost.
[00:31:39] That's fair.
[00:31:40] Not if it has no cost.
[00:31:41] So there may be some resource consumption.
[00:31:43] But again, my whole thing is I think we're going to see more of that.
[00:31:46] No cost challenges or deployment challenges or scale challenges.
[00:31:49] I mean, you pay for what you get.
[00:31:50] But we're going to see more of that.
[00:31:52] And I think what's interesting is we're going to see more of buying into things that they do one-off things.
[00:31:57] Like they don't do lots of things.
[00:31:58] They do one thing and they do it really, really well.
[00:32:00] And if you ask them what their roadmap is, continue to do this better, to do more reporting, to do more of this, but still stay.
[00:32:07] I know it well.
[00:32:07] Right.
[00:32:08] But at the same time, you have people trying to do more platform breadth across their whole ecosystem.
[00:32:14] And, you know.
[00:32:15] Yeah.
[00:32:15] I don't want to get into that on this episode.
[00:32:17] We'll save that for January.
[00:32:20] Okay.
[00:32:20] All right.
[00:32:21] That's fair.
[00:32:22] For everybody listening, this has been an episode of MSP 1337.
[00:32:26] I'd say thanks and have a great week.
[00:32:27] But I'm going to say thanks.
[00:32:29] And I hope you have a happy holidays.
[00:32:30] If we don't hear you on the next episode, we'll catch you on the new year.
[00:32:34] Thanks.

