If you are pursuing the GTIA Cybersecurity Trustmark, you will want to tune in. Matt Lee of Pax8 and I discuss the taxonomy and prompts that drive success in breaking down safeguards into actionable and obtainable tasks.
[00:00:01] Oh, yeah, there it goes. Now you have to turn it back on. Isn't that weird? Mike, microphone as well. Welcome everybody to another episode of MSP 1337 Fireside Chat with Matt Lee. Matt Lee, welcome to the show. Man, it's like, you know, getting to be an old time thing here where it's like 20 or 30 of these or something.
[00:00:27] Matt Lee, Ph.D.: We have definitely gone above the 20 marker, I think. So yes, for sure. Matt Lee, Ph.D.: We've been having conversations recently about the Trustmark. You're one of the participants on the Trustmark. Matt Lee, Ph.D.: Well, you're one of the participants on the Trustmark working group. I'll leave it at that. Matt Lee, Ph.D.: One of the things that you and I have been talking about is as we help MSPs through the program, and you were on one of the cyber success calls yesterday,
[00:00:56] Matt Lee, Ph.D.: is witnessing this strange phenomenon, which is the necessity to over answer. Matt Lee, Ph.D.: And I was just curious, like, you know, you and I and largely you not so much me, but the taxonomy that you put together for CIS top 18 that made it very clear around this idea of these are the prompts that get you to being successful with satisfying what's being asked of you in this safeguard.
[00:01:23] Matt Lee, Ph.D.: So I don't want to say that's the easy part, but why is it that we're seeing so much of these over answers coming through on those that are trying to satisfy what's in the safeguard? Matt Lee, Ph.D.: So I don't know. I can't answer why. I can't say what we've seen, right? I think the why, if I had to take a poke at it is you're there trying to explain a control that you may or may not fully understand.
[00:01:49] Matt Lee, Ph.D.: I would say is a first part. You may get it, breadth, depth, all the things, but you're trying to explain it and then you put a lot of words in there to show how much you've gotten it. Matt Lee, Ph.D.: They don't necessarily add anything to it, right? And so a lot of times it's people going, oh, I've done this and all these other things that aren't relevant to this control in any way that if I just parsed out the one little this we'd have been fine. Matt Lee, Ph.D.: Yeah.
[00:02:10] Matt Lee, Ph.D.: So I think, you know, why are they doing it? It's probably just to try to pass and to try to be thorough in those things. But to your point, it lends towards, I had to read through, you know, a paragraph, a big paragraph to find the one little piece that said, yep, I think they understand this control. Matt Lee, Ph.D.: Sure. Matt Lee, Ph.D.: Right? Yep, I think they get this control. They added in local admin rights. They added in other things that had nothing to do with this nor part of this that have themselves separate controls, which adds to the confusion. Matt Lee, Ph.D.: Sure. Matt Lee, Ph.D.: And I talked about that too.
[00:02:40] Matt Lee, Ph.D.: Do you think that comes back a little bit to, you know, this concept of easy button and where players like ITGlue, BizDocs and others that help automate documentation because of what they collect or scrape from what's been configured. And so it's like, okay, well, have I been wordy enough? Am I sharing enough information? Because none of us really want to write things down, but we want to make sure that we're going to be able to do it.
[00:03:08] Matt Lee, Ph.D.: And I'm sure we don't leave anything out. And an example of this would be like in the when you're answering safeguards, one of the things that you and I talk about is we really want to understand how they plan to solve for this. You know, so if it was, you know, MFA might be a safeguard that we're talking about, and they've gone and listed off all the applications that have MFA turned on. That's not what the question is. The question is, you know, how are you doing this? Not sure what applications did you do this to?
[00:03:37] Matt Lee, Ph.D.: And so I've seen both scenarios. One, they put in like two words, like the two apps that they've got it running on, or they got it and they put the two apps in that they're using to help them do MFA. And I think I just am curious on that if maybe we're not doing a good job there.
[00:03:55] Matt Lee, Ph.D.: No, I think what you're actually speaking towards is the balance, right? What does that balance mean? I mean that if we're just looking at compliance, I want the simplest shit you can put down so I can see if it matches my simple shit and I can check it off. Matt Lee, Ph.D.: Right. Matt Lee, Ph.D.: Unfortunately, the world isn't that simple, right? The simplicity of saying, do you turn on MFA? On what? And in what way? Limited by what capacitance? Driven by what methodologies?
[00:04:19] And so when you're trying to assess security risk and security totality, you have to get in the nitty gritty. If you're trying to assess compliance, you want it rounded off. Matt Lee, Ph.D.: And I think you have this balance where if in a perfect world, we would just round nothing off and be able to measure everything by APIs by comparison. And at some point that may be where we find ourselves. Today, what you find is if you're a security professional, you're likely to write every single app, what its status is, what are the things that need to be done that can be done.
[00:04:47] And if you're someone just trying to meet the compliance, and again, I'll go back to a lot of these compliance platforms, they have served the compliance need more than they have the security need. And I'm being hyperbolic in that, and I'm being a bit of a jerk about it too, because compliance is trying its very hardest to measure security risk. It is. It's very much trying to. But you're balancing the forces of me needing to answer a do you have MFA on everything with, yes, on this app, we actually have to use a webhook methodology through Duo.
[00:05:15] But on these other three, we're able to use them in MFA as a basis of extension from our SSO based on separate conditional access policies that show you that I understand the need to have, right? Like, it's a balance. It sucks. And I don't have a perfect answer for it. Because for me, I'm a security nerd. I'd fall in. I want to see all the things and I judge a lot of these assessments by, oh, but what asset classes you've listed Bitdefender that may not cover the other asset classes.
[00:05:39] I haven't seen anything speaking towards the other asset. So the challenge is like, I am a shitty assessor because I'm looking at it from are you going to die or not? Not have you passed this compliance? And that's why I love Trustmark is it's meant to be see where they are, give some advice where they can go, give some advice where they can go. That's perfect, right? Like that's that is the mission. And to your problem, I don't know how you give them that. You got your nose to stop bleeding, but you're, you got your nose to stop bleeding, but you know, your leg's still not attached to your body. Yeah, yeah. And it's still like out of the femoral artery, unfortunately, right?
[00:06:07] Right. I think the challenge is that if you don't put enough information or context, like for example, what if I'm looking at a policy and says, here's our anti-malware management policy. And then I see context level reference in there that says, here's the attachment for these device classes. Now I can both compare that without being overly wordy. I don't need you getting into each of their differences. They'll be in attached documents. It's covering these, right? And so it's just a balance, Chris. Like, I don't, I wish I had a perfect answer.
[00:06:36] I think, I don't think there's a perfect answer, but I think, I think where we're at here is this is like putting some boundaries or guardrails on the approach to this. Right. So nobody wants to write a lot. No one wants, this isn't book level writing. This is maybe more like, let's write a haiku and not an essay. Right. Like we're trying to get into where in a few short sentences, we want the summarized version, right? Like we, because even an assessor is going to struggle with having the time.
[00:07:06] To read every little detail. I mean, that's one of the reasons why we see costs being so high for assessments is like, you gave me the ream of paper and now I have to read it because you gave it to me.
[00:07:18] Yeah. I think there's maybe something, something else to be said to the simplicity. Like if you were talking to someone who is, you know, say five and they asked you to explain how the microwave works, are you going to get into the circuitry and all of the, you know, logic and assuming that you even know what half that stuff is? Or are you going to just say, well, it uses, I don't even know if I could explain it to a five-year-old, right? Like it uses a magnetometer to create waves.
[00:07:50] And you know, your microwave is failing if it can't pop popcorn. Is it a magnetometer? I don't even know if I'm right. I may be wrong. It's okay. I mean, I was, you know, I could easily talk about the history of the microwave and what it was used to clean. Right. But like, but my point is like, if you can't explain it to someone who's non-technical, did you write something that was appropriate for what's in there at all? And for me, what I'm looking for is, did you understand the question? Like I can't, I can't audit everything you're going to do. I can't audit every setting.
[00:08:19] I mean, you know, my mission, Chris, I dream of a day where at some point it's assessments as code. If I say I have this information system and it has an API of which I can inspect it. And then I say I have these settings set and those have been mapped to safeguards as to their respective values. At some point you can get to where we could actually just assess the breadth of it pretty easily. Now I'm being very future and very summative, but until then you have this balance of how do you,
[00:08:49] how do you show that you've got the breadth without me assessing and auditing every bit of it, which is impossible? And the answer is show me, you understand it. Right. And, and that's the hard part is how do you show you understand it in, in, in goes back to that old adage. If I'd had longer, this would be shorter, right? Like if I'd had more time, this had been shorter. Yeah. I mean, if you think about writing, writing a book and then someone asks you to summarize it, that can be really hard because maybe the book's really long.
[00:09:14] Uh, but if it's, if it's something less complex than that, we can do summaries all day long. It kind of, it kind of makes me ask the question with regards to how we go about answering safeguards. If in fact, we're asking not so much too much for them, what the safeguard says, but in the way we're looking for the answer, like if we were to give a little bit more direction on, this is specifically what we're hoping to hear from you as opposed to going and, you know,
[00:09:44] right at that ad tribe about, you know, how you put a tile in the bathroom. Let's go back to that balance as a working group. It was the don't provide templates. Don't give the answers. Don't make it stupid for them. Like make sure they think, make sure they work, make sure that. So like there's that balance, right? Two of, of not wanting to templatize. And I think what, what, you know, going back to my point of you have to, um, you have to be able to show that, you know, what I'm talking about here. Think about, um, an example. Let's try to find one that would be fun for this. Um, that's not super nerdy or technical.
[00:10:14] 6.5, implement MFA. That's one of them. Sure. Right. But if you were to say that you can ask, what are the components I'd need to see? I need to see that you have some type of policy governing it, right? Something that says XYZ corporation has an anti-malware policy that governs the application of anti-malware across these asset classes, right? Or, or the X asset classes, let's say six asset classes, right? Um, each of those are spoken towards by policy. Each of those have their own answers and methodologies of how they're done.
[00:10:43] And each of them are at this level of status of completion. Like if I get something that shows that they understand that there's a lot of different asset classes that might need that, right? Different types of things like going back to anti-malware, I guess is my switch back to 10.1. Um, you, that would tell me you understand it. I think you just went really deep though. I think that in a really mature response, that would be par for the course. But I think about something like that's maybe even simpler. Like let's just talk about centralized account management.
[00:11:12] Um, the understanding of what that means is a whole lot less complex than what you just described. True story. Where, where are your accounts? Yep. And are they managed centrally? And I've had this happen. They're like, well, you know, not all of them are in the same repository. I'm like, that's not what the question asks. It's really asking, are you essentially centralized? Well, it's really asking, are you, cause what I would accept in that is in 5.6, very
[00:11:38] specifically central management of accounts means that in every effort I'm trying to get down to one IDP, one identity provider or a set of X identity providers. But my point is that you understood the term SSO, you understand identity provider and you understand service providers. That is the only way to answer that in a way that I know you understand what the intent is. Now, do I know that you'll probably have some one-offs? Yeah. Go look at SSO.tax and tell me if you think there'll be some one-offs, but you have to
[00:12:06] at least speak towards the fact that I understand my goal is to make it where I can turn off Chris when Chris is fired and all things Chris touches go away. That's the goal, right? You just created a really good thought process for approaching this. There's also balance in how much time you spend on this safeguard, right? Because one can say, oh yeah, we haven't moved on from 5.6 because, well, we still have We're still waiting on these two other products. Yeah. No. Yeah. Yeah. So those are POAM items. And we see that in asset inventory, right?
[00:12:34] I don't know how many times I've talked to an MSP and they're like, yeah, we're still working on our asset inventory. No, you've been working on asset inventory for a year. And they're like, yeah, I know. This is really hard. And it's like, but you have to say I'm accepting what I have. But you're going to be working. No, no, no, no. Stop. Yes. You're already there. The point is that's what gets missed. Everybody is trying to believe they can do this and walk away. That's not how this works. You're going to be doing this forever. So when you say my asset inventory isn't done, nope, nor will it ever be.
[00:13:02] But it will be at a point where iteration number six says that I'm at now 70% of my assets probably being covered, not 62, not 40. Right. And so when you think about it, every one of those controls should get to a state that you are acceptable with the balance between your POAM, your accepted risk, right? And your contractual obligations. And as you go through that, that MVP, minimum viable product or minimum viable standard, then next time you come back and iterate on top of it. Now I need to get other asset classes I wasn't getting.
[00:13:31] Now I need to get better passive methods in later 1.x. Now I need to get, because the nature of these controls and the nature of any type of maturity model program should be that I know I'm not there and nowhere will I ever be there, but I will get closer and closer to the line, right? Right. So. I mean, and I think that that's a good place to shift a little bit. So we've talked largely about interpretation for implementation, right? Like if I understand the spirit of this, I can go and do, and I'm not going to expect
[00:14:00] you to come and look at my work necessarily, but I've articulated well enough for you to go. I agree that you understand the spirit of the control and are working towards a fully implemented. You are likely to win. I believe you're going to get this and move forward. I believe in you now. You might not be done, but you're on the right path. Yeah, yeah, yeah, exactly. So then there's the other side of this. And this is the side that I think has bothered me since the inception of the trust mark. I see it when I look at a lot of the frameworks. And that is the governance piece.
[00:14:27] And specifically in this case, I'll say more in the policy. And I don't mean like you can't go find a template and have a policy or that you can't have somebody help you write one or they don't have legal counsel to help you have really good, you know, acceptable use or whatever. It's the rules. The rules that you say that you're going to adhere to and then see a complete disconnect between the policy and the rules and what it's supposed to be getting addressed in that
[00:14:56] implementation of that safeguard. And I don't know. I was curious what your thoughts are on that, because I think that one, if we can get the overarching to do better at recognizing it's not all about aspiring to be. It's about what are we doing now? And then looking at how do we improve this? Oh, gosh. Again, it kind of goes back to the nature of being an MSP, in my opinion. Like, it is a bit of a fake it till you make it environment.
[00:15:25] And in a lot of those worlds that exist, it's the best Googler that got the business, right? Like I saw that weird SMTP problem faster than the other people. Yeah. But I think the results were better than yours. Yeah. I think the point, though, is that in a lot of cases, how many times did MSPs say, we're going to get to 100% time entries on all of our tickets within 30 minutes of closing a ticket? And then that's the rule. But they didn't get there. The KPIs weren't measured. They didn't get there.
[00:15:53] How many people have made money helping MSPs go put up a dashboard and monitor that and get people where they need to go operationally? Yeah. Or never fix SLAs. Yeah. Or never. I think we're in the habit, however, of painting the picture in its perfect state, even if we don't understand it. And what you have to get used to, I think, in security, in my opinion, is painting the picture where you are so you have a real picture of where you're going to go. And I think that's the problem is that that's more work, right?
[00:16:19] Because now I have to paint where I am and it'd be much easier to just go paint where I think I'm going to be, right? And the same thing with going to the gym as a human. You'd much rather have some software turn you in. There are people that suck fat out for a living, Chris, because it's easier than going to the gym or controlling your diet. So you wonder why we paint a perfect picture. I digress. I think that's part of it. But along those lines, though, it's just so true. It's that you can't see where you've been. I mean, there's a reason why they teach history in school, right? Sure. Yeah.
[00:16:48] And then I think – I don't know how many times I did assessments back in the day where you'd present the results and they're like, yeah, we can't show this to the board. You're going to have to fix all these things and run a new report. We can do that, but that's not going to change this report that we have now. It's not representative of where we are. It's not representative of where I'll be next Thursday if we don't make changes to this. And that was one of the interesting conversations. Like they wanted to be able to show perfection.
[00:17:12] And finally, you know, you have the conversation of like when you go from what looks like perfect state and you have deviation from that in the future, the questions they're going to get asked of like what happened to your organization? Oh, I was going to make a conversation. Yeah. I was totally lying. Yeah. But if you show like how bad it was when you started on this journey and you show that major change, that's something people can get behind because that shows that you aren't ignorant, that you're not negligent.
[00:17:41] It comes back to reasonableness, right? You know, in the international term of reasonableness and defensibility. And in those two definitions, in the way I see it, reasonableness cannot be met by expecting you to go sign up for a gym membership and next Thursday be skinny. That would be an unreasonable expectation, right? Like that's not how this works. That POAM has no chance of that POAM timeline functioning. And so the point is like when we think about this, you have to be able to show the work.
[00:18:10] It's much better to show I'm here, I can reasonably get there and then get there. And then I'm here now, I can reasonably get there and get there. And that's iterative growth. And it also proves reasonableness because if you put somebody down in a box and said, all right, Chris, you don't work at this Acme Corporation. This corporation just got pwned and you're being sued for millions and millions of dollars. I want you to take these pieces and you're now in charge of their directory, their internal infrastructure and security. Here, go fix it a different way than that last person did.
[00:18:41] Why? I can't. These are all – they're all the same. I have these many problems. They had to – oh, and the last guy shows or gal shows the iterative work, the struggles, the growth from the board, the improvement, the investment, the buy-in, the governance. And that's reasonable. And that's what my vision of Trustmark would be is that like you as an MSP, define for yourself and we help define what is that minimum viable standard. And then from that, improve next year, which means you can only improve if you didn't paint a perfect picture of your gym body in the future. You can only show the steps in between.
[00:19:11] Like are you sure that's your face on the right body? No, I swear that's me, bro. Give me six months. I'm going to look just like that. We don't use AI. I digress. So we kind of looked at this through really two very different lenses, and I think that's one of the challenges that we've seen throughout this process. And we talk about this too is you do a gap assessment. So we're kind of doing these out of order, right? Implementation policy and now gap set.
[00:19:39] But we're really talking more about where we see some of the challenges. And, you know, I know when this goes live, those of you that, you know, tune into this show, you'll have had a chance to join Matt and I and Wayne Salk and Dom with Pax8 on the game talking about what we've seen, like tales from the assessor.
[00:20:01] And some of what we're talking about today, you know, will be recognized that you've followed some of that that's in this dialogue. But the other piece that I think is interesting is what happens to those that do the gap analysis, which is the very first thing you should do in your organization. And it's one of my favorites because I don't know how many times I get the, yeah, we're doing that. And they'll be so quick to hit the thumbs up on that they're doing it.
[00:20:28] And then they get really discouraged when they go to do the actual, you know, make sure they have the evidence to go along with it. So I was asked this the other day, how would you do it? And I'm like, if I have an inkling that we might not be doing that well, I'm going to automatically give it a thumbs down. Because I would rather be, you know, able to, you know, be surprised that I was doing it better than I thought than to be disappointed that I had given a thumbs up and it's not.
[00:20:57] Part of that could be giving better contextual references during the gap assessments of the thumb up and down. Here's what I mean by that. Look at the prompts we were talking about with Miles and the work that came from the visuals work we did to break down all the safeguards. If when you're asking that, how well do you think you're doing centralizing account management? You might consider things like having one single sign on provider. Having, right?
[00:21:21] So when you get down to like giving people explanation, and a lot of that's because the control itself can't give you enough context to understand the real nuance of it. Yeah, the umbrella of it all. And so you have to give like maybe baby thumbs ups and thumbs downs in that risk assessment of saying, yes, I do this well. What about this part? No, no, no. Well, then you probably aren't doing that real well. And I think that has to live on the lines of some of the work we're doing, which is breaking these into those elements.
[00:21:46] And if someone says I have a, I think I'm doing my asset inventory really well in software, let's say. And you go, great. How are you collecting? Are you collecting? How do you feel about collecting it on endpoints? What about mobile phones? Romp. Romp. What about SaaS-based? Romp. So if we got better at asking those questions, I think people would be more real with themselves. I think the challenge is as humans, we're usually positive outcome bias. That's the reason we ever asked that first girl out on a date, Chris, because right?
[00:22:14] Like that's how that worked or else we wouldn't have done it. So we're positive outcome bias, which means if I'm reading that and I don't understand the context of it, and I think I do at the Dunning-Kruger principle, I'm going to say I'm doing it well. That's one of the biggest gaps, I think, is the gap between gap assessment and holy crap, this is hard, pit of despair from Dunning-Kruger.
[00:22:33] And that's some of the guidance that I've given is like if you say yes to your doing this and then you're going to move to implementation, I wouldn't have your carryover from gap analysis that you've implemented is at all. Yeah, yeah. You start again. You start at like some and then you improve upon that as you work through them and find out where you're at to your point of like I'm not doing them all well.
[00:22:55] So I think to a large degree, I don't know that MSPs, forget the trust mark for a minute, are regularly checking on themselves to recognize where they have gaps. And I don't mean just in cybersecurity, but like in general, because I go back to that governance conversation, if you have gaps from a business standpoint, and obviously cybersecurity is a part of your business staying alive.
[00:23:19] But like the things that we often take for granted in a business, operations, financials, where HR comes into play, the hiring, firing. Most of what you get into in the weeds in cybersecurity should have already been addressed at some level with governance because you have process and procedures in place for, hey, Matt was fired. And these are the stuff we take. You walk into the door, you put his stuff in the box, right?
[00:23:45] Like those are not cybersecurity things specifically, but if you have those things outlined first, when you start going down the more cyber version of that, it's a very, you know, similar conversation, right? It's not new. Yeah, 100%. And I think that's the interesting part about this is that in that overarching set of what is an MSP, specifically those serving the SMB. Well, what is an asset, Matt? Oh, don't get me started.
[00:24:13] But in that overarching set of what is an MSP, there's 30, 40,000 in the United States, I think. Maybe I'm wrong on the number, but it's massive. You know, McBain tracks it all the time. Of those, how many of those would you say are above an OML of two or three, right, or operational maturity level? It's very low. There's been billions of dollars made on helping MSPs be better business people. Why? Because they're nerds and technical people that just wanted to solve a problem or work somewhere that they hated and decided to do it better themselves. And they could do it for their friends.
[00:24:41] They're tired of their – like, that's why we wanted to build cool stuff. And one of the challenges – There's probably only five scenarios, right? Like, you could probably count on your hand the number of people that are like, oh, I'm not doing that anymore. I'm not that guy. But the interesting part is that, like, there was a time in our transition of our career and myself personally where I was strong enough to not do the things that were set out as rules because you couldn't afford to fire me. Right? And there's been people talk about those things. Like, I didn't do time entries. I literally – there was a girl that just did my time entries like once a quarter.
[00:25:11] It was so bad. But it was one of those things where I couldn't have continued to be there in that way or our company grew. Like, you just hit a stasis. You just can't. Right. You just can't. And to your point, if you've got – It's like you see that with the big cops versus the mediocre cops. What is the mediocre cop doing? Well, he's sitting at a desk putting in someone else's paperwork. Sure. Yeah. And so I just – anyways, long story short, I think the same level of operational maturity gaps create the same level of self-care that doesn't exist. But in your breath, also the lack of governance.
[00:25:41] And what is governance just for everybody? TLDR. You say something's going to be done and it gets done. That's governance. Like, that's it. You as a company say you're going to do time entries and then everybody does time entries or they don't. Right. And it's governance that dictates that. That's all. And I think a lot of people confuse that governance just exists and works. It's got some variables to it that I think they sometimes, you know, I'm going to say, you know, mask over. And that would be like, what does your culture look like?
[00:26:08] What does your organizational strategy business objectives look like that everybody in the organization is buying into? How do you get buy-in on your organizational goals and things you're going to do? What's your strategy? You said it at the same time. We had Jinx owe each other a soda there. Yeah. Yeah. A Coke. It's always a Coke. Is it a Coke? Yeah. It doesn't matter. It's always a Coke. Yeah. It's fine. Okay. Maybe if you're going to sell. I think we covered it quite smoothly in 30 minutes, which is surprising for us.
[00:26:38] You know, I wonder how many MSPs who listen to this are going, wait a second. I can do all of those things that they just talked about. I have been trying too hard to just get some of those things to a level of what I would consider to be complete. And that is not the point or the premise of pursuing the trust mark. Yeah. Be honest with where you are. If where you are sucks so bad that you don't want to present it, don't present it.
[00:27:05] If where you are is normal, move forward. Go get assessed and grow from there. You'll learn stuff through the assessment process. You won't overthink it. You won't overstress it. And I think that's the key piece, too, is like I saw on that call the other day, one of the gentlemen's like, I think I'm ready. But every time we talked to him, he was at least from a knowledge perspective, he was quite ready. I mean, he was there. And it was one of those things where it's that perfect is the enemy of good. I say that in my class. I start with that of don't let perfect be the enemy of good.
[00:27:33] And it's one of those where it's a challenge because you want to be good and you want to present like you've done the right thing and you hope you are. I'll share with you. We aren't. We all suck at this. Everyone on this call, everyone listening, we all suck at this. So be honest with where you are and try to get a little better. Like that's the goal. It's the mirror complex. It's the mirror complex. It's like have a conversation with yourself about what it is that you just said you are or are not doing.
[00:28:03] And if the mirror reality check agrees with you, that's probably a good sign. If it doesn't agree with you, which we've had a few of those. Poem time. Yeah, poem. And my favorites are the ones that are like, yeah, we're just not doing it to the way it says that we need to do it. And it's like as we play mirror role and have them walk me through why they think they're not doing it well or what they've done that's not adequate. And I'm like, wow, that's better than I would have ever imagined from any MSP.
[00:28:33] And you're still giving yourself a D minus. It goes back to what you said about engineers do at the end of the day like to be perfectionists, at least in concept around the implementation. They want it to be the best one until they don't have the bandwidth to do the best all the time. And they often are burdened with that knowledge. Going back to the Colin Powell example. Yeah, yeah. You know, if I have less than 40, and I may misquote this, but I have less than 40% of the information, you can't make a decision. And if you have more than 80% of the information, you can't make a decision. One's paralysis with not having enough context.
[00:29:04] The other one's paralysis of too much context, right? And so it's like find that stupid sweet spot in the middle, I suppose. And engineers are often burdened with the knowledge of what perfect looks like and the breadth of what it looks like in a lot of cases, too. Of like, yeah, but I haven't dealt with this or this or those things and those things. I think lean into the journey and get ready to start doing this on a constant basis. And do it with others that are going through this as well, because they are going to provide so much context and color to what you're trying to accomplish because of what they're trying to accomplish.
[00:29:34] I'm looking forward to the stream that you're watching and that we are going to be talking about later as the time flux here. Yes, the time flux, time capacitor. So real quick, it made me think about the drawing the line in the sand and knowing where to actually say I'm ready to be assessed. Yeah. In general, you mean? Yeah, because like you said, it's the paralysis of the one side versus the other, knowing the balance.
[00:30:03] And I think that's part of checking in on the cyber success calls. Yeah, for sure. Asking questions in cyber forums at events that we're at. And also, Matt, I think with the number of fireside chats that have been done, we may need to publish the these were all of the quotes that one of us has used. And make that available because I think you now could literally publish a quote book. You might be able to just have fun quips and quotes that go along with this conversation. Yeah.
[00:30:32] I think the line in the sand. I think the line in the sand, to your point, just real quick, is if you feel like you're at some or most on a very broad application of the controls, you're probably ready. If you feel you're at full on a very narrow application of the controls' interpretation, you're also probably ready. If you feel like you're at some on a very narrow, you're not. Right. It is kind of the thing, because what I think you'll find is you'll think you're full on something. You'll get assessed.
[00:31:01] And I've seen some of the assessors' comments. They're really good about stretching your understanding of it. And I think then you'll go from there. If you are very some or all on a broad application, then you probably already have enough context to know where your gaps are. And the suggestions won't be all that new to you. So those are my thoughts, just as that line in the sand. I think that's great advice. For those of you listening, this has been an episode of MSP 1337. Thanks and have a great week. See you.