Governance, Risk, Compliance (GRC), and the MSP Wake-up Call

In this episode, Chris Johnson sits down with Eric Shoemaker of Genius GRC to unpack one of the most misunderstood shifts in the MSP space: the move from tool-driven cybersecurity to standards-aligned governance, risk, and compliance programs.

Eric explains why Genius GRC isn’t a software platform and why that distinction matters. Together, they explore how early automation wins (like continuous access reconciliations) impressed auditors but didn’t replace the need for real governance, documented reviews, and independent judgment. As the market matures, the conversation turns to a growing risk: MSPs and SMBs stacking new security tools while core systems remain misconfigured and under-governed.

Chris and Eric tackle the myth of “do-it-yourself” GRC, the dangers of vibe-based compliance, and why tools only amplify expertise; they don’t replace it. They also dig into the critical separation between IT operations and security leadership, making the case for advisory or independent CISO models that reduce conflicts of interest and improve risk outcomes.

The discussion closes with practical, budget-conscious fundamentals, such as DNS filtering, CIS IG1, and free or low-cost controls that actually move the needle, plus hard truths about negligence versus resourcing failures and why resilience must be budgeted from day one.

If you’re an MSP, consultant, or business leader navigating cybersecurity maturity, this episode is a grounded, no-hype look at what actually reduces risk.

[00:00:06] Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity challenges and solutions, a journey together, not alone. I am joined this week by Eric Shoemaker of Genius GRC. Eric, welcome to the show. Hey Chris, it's good to be here man. Glad to be talking to you. Well, I want to just get something out of the way for those listening.

[00:00:36] Just because we use terminology that involves GRC and some sort of naming convention, that doesn't always mean that it's a GRC platform. That was how I was introduced to your company, not realizing that Genius GRC is your name for your MSP. Correct. Yes. Hey look, what brought about this name really boiled down to what domain name was available and sounded interesting.

[00:01:06] In the GRC space. So, we started around 2022. I guess 2021 is when we, you know, we're getting it off the ground, but really hit the ground running in 2022. And haven't looked back since trying to just be at the forefront of taking really good processes that we've learned in building and owning programs internally and help bringing that to others.

[00:01:34] Sure. You know, it's interesting. You know, I think a lot of companies that are in the MSP managed services space have spent a lot of time honing their MSPs on providing certain product services that, you know, revolve largely around keeping businesses up and running from the more traditional standpoint of technical, tactical, lights on, printers, humming, those kinds of things.

[00:02:00] And it's probably only really been since I'm going to say roughly the time that you started your MSP that regulatory compliance has become more than just a hot topic. We look back, you know, we look back, you know, early 2000s when the Omnibus rule. So, twice, not early 2000, but like 2013 when that came about. And you had a lot of incentives for the healthcare space of like, hey, digitize your records, look at all these dollar incentives that you have.

[00:02:28] And strangely, we're kind of in that same boat again, only the strategy or the drivers behind it are more tied to the failure to do the things that we're supposed to do and the risk that we've created as a result of not doing the right thing the first time. And so, I think we're seeing this huge shift. And I love the fact that you guys kind of highlight or promote, you know, the areas that you provide guidance on.

[00:02:55] And I think this is kind of that next stage of service, MSPs providing more consultative services that are solution-based when the client says, hey, this is what I know I need to do. This is what I'm afraid of. This is what keeps me up at night. And instead of just saying, oh, we can solve for all those things.

[00:03:15] From what I've seen from you is that you're saying, well, let's align with a set of best practices, a set of standards, a regulatory framework even that ensures us having some level of benchmark or baseline to get there. So, when you launched back in, you know, 2019, 2020, 2020, I think you said 2021. Yeah.

[00:03:36] Whatever year it was. But I mean, like, did you, was your go-to-market strategy like, hey, we're going to do this from a how do we help people align with, you know, frameworks? Like, what was the drive behind that? Yeah. So, it was like, really, we had built robust processes, you know, before GRC was automated, we were and had the term GRC engineering. Yeah.

[00:04:03] You know, we had done a lot of the things that are GRC engineering principles, but internal at, you know, for a single company. And so, I was looking and going, well, this has to be, you know, something that we can help others with. Things like pulling HR data, marrying that up with all the different systems and the accounts in those systems. Right. I was doing that in 2019.

[00:04:33] I remember having the conversation with the auditor, do we have to do annual access reviews? If we're every week doing a reconciliation across the, you know, all our systems and we can say with near virtual certainty that a person that's terminated doesn't have an active account and that roles are mapped to actual permissions within systems.

[00:04:57] And we can say that this role is reconciled across and then bubble up the outliers. Like, you know, it kind of blew the auditor's mind that that like taking that approach, we ultimately ended up doing that plus a formal access review to check that box. But, you know, yeah, that's what sort of drove us doing this. So, our go-to-market was really about how do we operationalize.

[00:05:28] And since then, you know, lots of platforms are out there. Yeah. Right. And they handle a lot of that stuff. So, you know, whereas when I, the vision at first was how do we build automations and like build programs around automations and help them automate. Now it's like, look, let those companies that do that handle their product. Right. And they've got teams of developers that spend their whole day making those processes better.

[00:05:57] So, now we've shifted back into how do we take the automations that exist on the market, but then implement them beyond just the checkbox approach and build real programs. But then have them at the core to help automate the tedium. Sure. I want to get into sort of more of the, you know, maturity in the space.

[00:06:22] And I think one of the drivers for maturity in the space is obviously coming from the fact that we have regulatory requirements that say do these things because you fail to do them without me telling you to. So, now I'm telling you to do these things, which does to some degree help mature a set of practices. What I find interesting, though, is to what you said, how many tools, not even getting into cybersecurity for a minute.

[00:06:49] Like, you think about the applications that are like what we call like maybe the core four. Every MSP has it. Most businesses have it. So, it's you got your email package or your office work suite. Right. Well, we'll say email's included. Then you got your financial package. And then in the MSP space, you definitely have some sort of management tool like an RMM and your PSA. Right. Those are the core products that make up your business capacity to do anything else. You've got that kind of as your central hub.

[00:07:20] I still to this day witness regularly where those products have not been fully dialed in or optimized and they're continuing to add tools and services, whether it's in the cybersecurity space or not. And yet, even the core applications aren't fully dialed in or optimized. A hundred percent. I think every business deals with that. And in the MSP space, you know, you can spend... it's the 80/20 rule.

[00:07:49] Right. You can spend a whole bunch of time optimizing. But if you can spend 20 percent and get 80 percent there. Great. If you can spend 40 percent of your time and get 90 percent there, that's pretty good. Yeah. You know, and what it boils down to, it's not your core competency.

[00:08:11] Right. Like your core competency is taking your engineers and billing their time, taking your engineers, providing service to your customer, not getting your internal processes as dialed in as they possibly could be. But let's see, to that point. And this is where I wanted to shift it a little bit is thinking about what you said at the beginning and how we were talking about the maturity process. You know, I go back you go back 15, 20 years.

[00:08:38] A lot of the more complex applications often have the option for you to pick an implementation package, a set of hours to help you stand up a product to both get it to an established state where everybody's comfortable with using it. But then also like guidance around how to optimize and really ensure that you're getting the most out of it.

[00:09:02] But I feel like today we've seen a shift or almost to, you know, the opposite direction where instead of leveraging that, we're more and more doing the I can do this myself. I've done this enough times. I'm switching from one PSA to another. I've done this before. They're all the same. They're just glorified spreadsheets. And the reality is that while that may be true, the nuances are actually quite significant.

[00:09:26] And we see this, I think, coming to bear on the industry right now and the cybersecurity space, the GRC platforms are out there. They're all the same and they're all different. And we're not taking the time to really learn and dial those in before we start to use them client facing.

[00:09:43] And unfortunately, I think it's going to, I don't want to say explode, but I think there's a lot of MSPs that will have a rude awakening in the not too distant future when they discover that something that should have been toggled on versus off or, you know, off versus on are going to be like, well, I thought that was a feature. And only to find out it's not.

[00:10:05] Yeah. No, going back to that 80-20, that's great for internal processes that, you know, are nice to haves and like maybe they could be better, but they don't actually impact anything. Right. Maybe they're less efficient, but, you know, you're getting the job done. Where it's different is, you know, the customer facing side of things. And they've purchased, you know, the GRC platform thinking that they're going to do it themselves. Like it's the era of vibe anything. Right. I'm going to vibe GRC my program.

[00:10:36] Right. I'm going to vibe cybersecurity because I'm a founder and I can do that. It doesn't take long to figure out, wait a minute, what are controls and like framework requirements? And how does that map to evidence? And how do you do a risk assessment? Isn't that the same as websites? Like, hey, got the website all built and the client's upset because it's not live. And you're like, but you haven't given me any content to put into the website.

[00:11:01] So you can have the tool, all the tools, but they generally don't self-populate the answers. 100%. And so if you take a junior, you know, help desk person and say, all right, cool, we got you a tool. You should be able to do GRC.

[00:11:15] You're going to get a very different outcome than if you take, you know, a 20 year veteran that's built and maintained cybersecurity programs and give them a tool that can operationalize it with their knowledge combined. And then they know how to pull out details and pull out people inside the company and help them grow. Right. And build that internal culture of cybersecurity.

[00:11:45] It's like, you know, paying a marketing firm 20 or $30,000 to build a really robust website versus, you know, pulling a $29.99 WordPress template out. Right. Right. Right. So that, I think, shifts really well into the sort of guided space that we're all being pushed into, right? So, you know, you were explaining to me what it means to give yourself a title of advisory CISO. We talked about field CISO.

[00:12:15] We talked about cybersecurity leadership, cybersecurity services. And obviously, the one thing that we don't ever want to be is called out as being the CISO for a company that's having a problem that needs to, you know, point fingers. But MSPs have been in this space for a really long time, right? vCIO, vCTO. We've been doing account management, whatever you want to call it.

[00:12:38] And I think now we're at a tipping point, right, where the role of that more security officer, information security officer function has been amplified to the nth degree, both from what we've seen in the media when bad things happen. But, you know, the SMB space is desperate to have guidance where they can say, I have this trusted advisor that can help me navigate things like SOC 2 or ISO 27001. You know, walk me through.

[00:13:07] I was concerned about the title. I think it's kind of catchy. But, like, how do you position that? Because as an MSP and the role that I think you guys are playing with that intelligent compliance model is it's way beyond traditional IT services. Well, it's adjacent.

[00:13:26] But we're taking that traditional MSP model of building out loose standards, loose standard processes, but then building them in a way that's flexible across customers. But what we're not trying to be is an all everything MSP, right? Sure. We don't sell firewalls, right?

[00:13:53] We're not doing endpoint management. We don't have a help desk. We're not trying to be an MSP, right? Like, we're a cybersecurity company at heart, hence the name. Have I worked at an MSP before and done all that stuff? Absolutely. Do I understand it? Sure. But I don't want to build that kind of company. We want to focus on the really strategic and tactical areas of cybersecurity.

[00:14:23] And then let the companies that have built their processes and procedures and their capabilities to really hone in the operational nature of IT. Let them do that, right? Like, our customers have a better experience when they combine that with, you know, the strategic nature and high-level thinking of, you know, really seasoned professionals.

[00:14:51] Do you think we're going to see more of that? Because, I mean, I can count on one hand the number of companies that I think would fall into, that I would sarcastically say are your competitors. I think within the space of high-level thinking and strategic alignments with frameworks and how to implement and compensating controls and best practices, your client base is going to be reflective of who's providing them the services, right?

[00:15:18] So clients that you turn down, one of your, quote, alleged competitors might be a great fit for them just because of the nature and the approach that's different. Because we're talking about information consulting as opposed to, you know, getting a Lenovo versus an HP laptop and, you know, a Palo Alto versus a WatchGuard firewall. Like, we could split hairs all day long, but we know at the end of the day, a laptop is a laptop and a firewall is a firewall. Are they all created equally?

[00:15:48] No. But on the laptop side, they're probably all running the same operating system. And on the firewall side, they're all designed to follow the same logical, you know, block things and allow things, right? Like, we could, outside of that, we're just, we're really getting into preferences. When you started, did you start that way or was it kind of you, as you started, you started evolving, you decided, hey, there's no way I want to do MSP stuff? No, yeah, we definitely started that way. I'm a security guy, right?

[00:16:18] CISSP. It was, the focus was always on cybersecurity. And, you know, they're just, your security guy, your security team should be focused on that. Yeah. Otherwise, you've got a conflict of interest. Serving two masters. Yeah.

[00:16:41] Or, you know, are you going to make it harder on yourself to be more secure? A lot of companies, you know, will say that, but then when the rubber meets the road, they take the shortcuts. Right? That's the nature of being an MSP. It is. Well, that too, but like, you know, you've got to get something done and you're going to take the path of least resistance. I mean, Shadow IT exists for that very reason.

[00:17:06] I mean, I would argue that MSPs largely wouldn't have jobs if Shadow IT didn't exist, right? Like, hey, we can't print or our network doesn't work. Well, here, let me come in and fix the problem before you plug the patch cable that was hanging there off the wall and you plugged it into the empty port only to realize that you just created a little bit of a problem. So let me ask you this.

[00:17:29] I would assume then that you guys probably have, maybe not MSPs as clients, but you probably work with a lot of MSPs that are trying to provide these services to their clients. Yeah. I mean, on paper, it looks like you can, we're an MSP. We've got, you know, people that are talented and a lot of MSPs are able to pull this off where they're able to have a security team that's truly independent of the day to day and provide, you know, strategic guidance without, you know, violating some independence principles and ethics.

[00:17:58] But, yeah, we do well with MSPs that try to stay out of the vCISO game because we're not trying to be a traditional MSP, right? Right. It's a check and balance that needs to exist within any IT organization. And even when it's smaller. They're two separate entities. They're two different things, right? And two different focuses, right? Right. Your security team is there to reduce risk.

[00:18:29] Part of reducing risk is ensuring that the lights stay on, that, you know, services remain available, which aligns with the traditional IT ops model. But the IT ops model doesn't always align with, you know, meeting compliance requirements. Or even, like, even evaluating tools, right? Hey, CEO really wants to deploy fill-in-the-blank from Acme Corporation.

[00:18:55] And if they were asking IT, IT is like, okay, well, we need project scope, budget, blah, blah, blah. Yeah. We just need to integrate it with a single sign-on and, like, yeah, we'll get people access. No big deal. Like, super easy. That's right. Is this the right way, right? Is this the right tool?

[00:19:24] Is this the right tool? And is this the right company? Even if the features are correct, but the company doesn't take security seriously, you're putting sensitive data into somebody else's hands. Right? If somebody has to think in that way and then be able to, at the CEO level, push back in the right way, right? That's a skill in and of itself. Yeah.

[00:19:50] I've seen this in larger organizations, which I would assume you probably experienced some of that yourself with the services that you're providing. But, you know, where they've got somebody that either was on the security team or on the IT operations team, and you see this more in a larger organization. And one of them is up for review because they're considering putting them in a position where they would sort of be the liaison or lead to maintain a relationship between those two teams. Most of the time when I see it, I'm like, oh, this is going to go bad.

[00:20:20] Because you're either going to get one that's already loyal to one team versus the other. And so now you've got the nepotism kind of model where they've been promoted and they're like, I know what track I'm on and some of the people that are on that team. Or they do a really good job of being neutral and now they're resented by the team that they were on, which can be a really bad scenario.

[00:20:41] So I like the idea of what you're describing where you can come in, complement an MSP, give them that additional layer of integrity and independence that by and large MSPs standing these services up unless they're doing them for a client that wasn't their client to begin with. And you're creating a potential conflict of interest because it's like, hey, what's best for my MSP?

[00:21:03] What information is right for me to share knowing that the reason we're in the current situation that we are is because I've got some things I need to dial in instead of having someone independently come in and say, hey, this is a mess. And obviously, you know, MSPs are always, you know, gun shy because they think like when that third party comes in, it's like, well, they're going to take my client. They're going to they're going to find something wrong. And, you know, and so, of course, the client's going to be upset.

[00:21:30] And I think when expectations are set up front, it's actually the opposite because it's an opportunity for like all three parties to sit down together and say, hey, we found something. And the MSP can choose to say, I, you know, pretend like they knew about it or didn't know about it kind of thing. Most cases, they don't know about it. And you've exposed something that they need to address. They just don't like to have that come out in front of the client. Maybe. Yeah.

[00:21:56] But I'll tell you what, my experience has been slightly different. Like, yeah, when I'm developing that new relationship and the MSP is worried that we're going to expose them, you know, a lot of times I'm not worried about that. What I'm going to that MSP about is like, hey, what's the thing that you've been trying to get done but haven't been able to push, you know, convince management to do that? You know, they absolutely need to do.

[00:22:22] And if it aligns with, you know, strategic security initiatives, there's an opportunity now to join forces and like actually help drive a positive outcome together. Now we both have one. Right. And that same principle applies. They're your army, right? Yeah. A lot of times. Yeah. The same principle applies and, you know, the engineering teams that are internal and IT teams that are internal.

[00:22:49] It's not about finding what you're doing wrong. It's about reducing risk across the board. So, like, we all have the same goal, you know, because even in that statement, reducing risk, what we're really saying is we're trying to keep the company in a state that allows our families to be cared for. Right. Yeah. It's all about people at the end of the day. So we all have the same goal or should have the same goal. Yeah.

[00:23:18] It's interesting when you see a client who, especially when they have internal IT. We did one. This has been years back. We did a security assessment of a lot of the different control domains, more from a function performance standpoint than from a, oh, look at all these gaps that you have. Obviously, those were going to come out. But they really wanted to know, where do we have, like, real holes? Like, where, I mean, and we found some really good ones, like tape backups were not being stored properly.

[00:23:48] And the door to the outside was usually propped open. So they're actually using. Tape backups not being stored properly. Man. Well, it was actually quite interesting. They had to actually, we're using tapes to prop one of the servers up to help with airflow. That was the actual, like, it says, don't remove tapes unless replacing with new tapes. This keeps this server cool or something to that effect. Well, we came in and did the whole report. And everybody's in the room. We've been going through the report for about 45 minutes.

[00:24:16] And the guy that was on my team was actually giving the walkthrough of things that we found and things that were, like, low-hanging fruit to fix. And things that were, like, longer term, need a better strategy. Really going to need to double down with your IT department. And we took a break. And when we came back, the head of IT didn't come back. And somebody in the room said, well, I bet he went to fill out his resignation letter because he's going to get fired anyway.

[00:24:42] And we were taken back by that because we didn't think that the IT guy was doing a bad job. We thought that the IT guy, based on what we'd seen, was under-resourced, did not have enough resources. That was the biggest thing that we had called out. So, up to that point, we'd call that lack of investment in the maturity of the IT infrastructure.

[00:25:03] And the second one that was really scary was the IT, head of IT, was not an authority in the organization. So, their head of IT department, which had a team of, like, six that was providing services across multiple financial institutions, did not have the authority to call the shots on things that would be potentially a risk from a security standpoint or from an operational risk where they're like, hey, we implement this. We could take everything down and it doesn't come back up.

[00:25:34] While the IT goes out of the room, that's what we kind of went over when we broke for lunch. They ended up letting the IT guy go and blaming the IT guy for all of the drama, right? And we were just floored. We're like, we're not here telling you that your IT department is the problem. We're telling you that you're the problem and you're allowing your IT staff to flounder at the mercy of whatever VP or CEO wants to do this week.

[00:26:03] And I'm just curious if you've seen some of that, especially when you go into larger organizations where they have an IT department. I have, especially, like, government organizations. What you're describing is where I see that happen. I'll say this, though. I've done this the right way and I've done this the wrong way, you know, where I've gone into those same meetings you've described and I outlined very similar things where we recognized there were gaps, but it wasn't that they were doing a bad job.

[00:26:32] Um, what I learned the hard way was I always start those meetings with here's where you guys are doing great. I try to find two or three things where they're like doing an awesome job and right up front in front of management, give those guys props. Like, you've got the right people in here. They've got the right mindset. Here's three things that are just, they're outstanding.

[00:27:01] We didn't see any issues. You should be really proud of them. And then everything else that, you know, the reason they came in, they brought us in to find gaps. Everything else doesn't become a gap. It becomes an opportunity for improvement. Hey, these are opportunities for improvement. These are opportunities to improve your maturity. Yeah. Every organization is at another level. This does not mean you're doing a bad job. It doesn't mean your organization is doing a bad job. It doesn't mean your IT team's doing a bad job.

[00:27:31] There's just, here's the opportunities for improvement and here's the plan for, you know, improving. Yeah. I think the only time I've seen where it's really more of in that negative space is when you have the no, not implemented. And I don't mean that, I don't mean no, not implemented as in nothing, as in you can have a developing model. You could be working towards the implementation, which I would call out if someone was doing initial or, you know, developing.

[00:27:59] I would call that implemented, like they've implemented some sort of strategy around addressing that known challenge. What I hate running into is there's nothing established of any kind. They've not even, there's, it's not initial or developing. There's not even, they're not even talking about it. And implementation would then be set to a hard no. So, and when you have the conversation with them and you're like, what's the logic behind having done zero with this?

[00:28:27] Those are the ones that, you know, should make your hair go up on the back of your neck because there's something blocking this from happening. Right. And, you know, when we come in and do those, you can't ignore negligence, right? Right. If there's negligence, like they're like part of what they're paying you to do is to let them know that, right? They, the management's, you know, but if at the same time, it could be that they're the ones that are negligent.

[00:28:57] That's where it gets tricky. You know, when the CIO keeps coming to them and saying, we got to spend money, guys, we got to do this. We got to do that. And he's just talking about fundamental security operations 101 stuff.

[00:29:13] We're not talking about like crazy, you know, we're going to, you know, build out, you know, a world-class security operations center and have a bunch of 24-7 staff when the company can't even, you know, implement MFA properly. Right. Because they don't have enough licensing because management's like, well, you know, can we get a lower license?

[00:29:37] You, you, you, you identified one thing that I think is really interesting today that it's sad that we have to have this conversation or even think about it. But, you know, to stand up a business, I don't care what the business is. If, if the model to ensure resilience in this threat landscape is not part of what's being budgeted for, it's a short-term investment in a company that won't be here for very long. Oh, good. Good call out. I like the way you said that short-term investment because the company is not going to be here very long.

[00:30:08] That's right. So, but that's what we're trying to change, right? That's what we're, you know, we're trying to help educate those that are like, well, what do you mean I need a VPN? And I don't want to say that that could go down the rabbit hole of like, why are we doing VPNs? But, but yeah, I guess that's, that's where I'm at today is fundamentals. I'll tell you the, the one thing that blows my mind that I deal with even today is like just fundamental URL filtering.

[00:30:34] I don't care how you do it, but like your people from a company workstation should not be able to get to a known malware laden site, period. Right. Like the database that exists should at least be getting checked for those known that are in the database. Exactly right. Like fundamental stuff that, you know, you try to have a conversation about URL filtering. I'm like, ah, we don't want to do that. We don't, we trust our people. Well, it's not about trust.

[00:31:04] Right. I mean, it's really not, you know, it's funny you bring that one up. I was thinking about this the other day. That's a great example of something that also doesn't have to cost any money. There are plenty of free products out there, even for the commercial space that are like, hey, toggle this switch on. You use our DNS queries. We'll at least ensure that you're not sucking in known bad URLs. A hundred percent.

[00:31:29] Now it comes with trade-offs around, you know, issues with captive portals and whatever that you've got to work out. Like there's some engineering work. Yeah, but to your point, even on the enterprise side, like if you're less than 50 people, like you can get an enterprise-grade Cloudflare, you know, web gateway, SASE, remote access for completely free. Right.

[00:31:57] Now, you don't get some of the features like log retention, but if you're, you know, your risk profile says we just need to, you know, prevent, we don't need to have that log retention. Well, this could work for you. Or if you can offload the logs, you know, somehow it could work for you. Well, I think there's, you've got to start somewhere, right?

[00:32:21] Like I think, you know, one of the things that CIS did a really good job of, I think, is that they said for at least Implementation Group 1, here are the resources. They made a list of resources for each one of those safeguards. One of which was like, you know, whether you use OpenOffice or LibreOffice, you know, have a spreadsheet for your inventory. And if that's where you're at, right? Like, you know, you got to start somewhere. But I think that's the part that a lot of organizations are afraid of is whatever thing I need to do to reduce my risk, I got to spend money to do it.

[00:32:52] And in many cases, that's not true. It's just, it might slow you down a little bit at first, or it might make you do something that you aren't used to doing for a while. But once it becomes habit, you know, I think you're in a better spot. You know. Well, we, we ran out of time and a great conversation. I'll ask this question. And if you don't have an answer, that's okay. My wife told me I need to start putting this at the beginning of the conversation before we start recording so that I don't put you on the spot.

[00:33:21] But I think you'll have an answer. What is a book that you think our audience would like to know about that you've read recently or are currently reading that they should also read? $100 Million Consulting. I think that's the name of it. Sweet. That sounds like a great title. Or Million Dollar Consulting. If you're, if you're, you know, thinking about getting into consulting, that's, that's the book to do it.

[00:33:51] I thought you were going to say, because you might lose a million dollars if you don't read this book. Well, it could be. Fair, fair, fair. Or more. Find out for yourself. Read the book. That's right. Eric, if someone's looking to reach out, ask you questions, where can they find you? Uh, geniusgrc.com. Um, also LinkedIn. My slug is advisory CISO. Got it. Well, for those of you listening, this has been an episode of MSP 1337.

[00:34:20] Thanks and have a great week. Bye.