ITN Secure Session Recap

If you didn't get a chance to attend the sessions on MSP+ Playbooks or tabletop exercises, then join Matt Topper and me as we recap some of our interactions with attendees and feedback from both our sessions. In this episode there are no fire alarms.

[00:00:04] Welcome to MSP 1337. I'm your host, Chris Johnson, and this is a show dedicated to cybersecurity challenges and solutions, a journey together, not alone. Welcome, everybody, to this episode of MSP 1337. It is a countdown from leaving one conference

[00:00:34] to starting another. I am currently at Pax8 Beyond and wanted to get a little bit of a recap on how IT Nation Secure went down last week. I have joining us today Matt Topper with ConnectWise. Welcome to the show.

[00:00:50] Thanks, Chris, glad to be here, and I had a great time with you at Secure last week. It was a lot of fun. We noticed the music was a little loud. There was definitely

[00:00:59] a plethora of proteins for those of you that are into protein. There was a theme, obviously, because it's IT Nation Secure, that revolves around cybersecurity. Granted, it should be no other way. But you and I were talking, both at the conference and even as we were

[00:01:18] getting ready to record, that there was a different sort of theme this time, perhaps, than what we've seen in the past. This is year five of IT Nation Secure. Wayne

[00:01:28] Selk and I talk about this quite a bit: the industry at large, at least in the conversation piece, is growing up. There's a maturity happening around the vocabulary, even if we still are dealing with those not actually executing. And so I just wanted to take

[00:01:46] a minute. You said something that I think is a good place for us to start. The newer MSPs, the ones that are just launching this IT services company of sorts, regardless of what the structure looks like, they're not coming into this with the naivety of

[00:02:02] what's at stake. They're coming in with an understanding and, in many cases, a pretty solid plan. Hence why they showed up to events like IT Nation Secure. Is that a fair assessment of the noobs, if you will?

[00:02:19] I would describe it as there's almost a default maturity now. So there was a time not too long ago where much of our efforts and things that you did and things that I did out in the community were around trying to convince MSPs and

[00:02:35] other organizations to even start taking security seriously at all. Right? Dropping the Swiss cheese model that internal IT can sometimes be or managed IT can sometimes be. And now what we're seeing, and this was highlighted at the event we were just at, is organizations care about security by

[00:02:56] default. And what they're struggling with is how to get started, or some educational components, or what tools or what frameworks, or just what to do. But we're no longer, at least I don't think I am, having to

[00:03:11] convince organizations to care about security. And that's just so refreshing. It's awesome, right? The default state is I care about security. This is important stuff. And I'm here looking for help to do it better or maybe to get started.

[00:03:27] Right. And so I think that highlights a couple things that we saw take place. And I'll just touch on one before we get into some of the sessions that we were a part of and the feedback that we got. You

[00:03:38] know, over the last, I'm going to say, four or five years, one of the challenges that I've had has been largely in the governance space: leadership buy-in. We need to make these changes to improve our cyber

[00:03:50] hygiene. And you just get a glazed look, deer in headlights: I'm not changing the way I operate. And the good news is we're seeing governance, in some cases, happening on their behalf, where we're no longer allowing the ignorance or just flat-out negligence, like

[00:04:09] saying this will never happen to me. So things like MFA and better identity management are being forced upon them in the consumer space without them having to do a lot. It's just happening, and they don't get to choose. And I think

[00:04:21] that's great, because we were at a point where it was no longer an acceptable practice to not at least do some of the basic cyber hygiene. But to your point, the governance piece isn't hard because of the steps taken for things like implementing MFA, or where we're

[00:04:40] on this trajectory. I think it's easy to say yes to: we're going to assign, you know, Matt to be the information security officer; we're going to sign off on an acceptable use policy. Those are the things that I think make it look like the governance

[00:04:56] component is almost trivial, when the reality is the doing of any of these things requires everybody to participate. And to your point about where to start, I think there's been a disconnect between leadership saying we're going to do this and assigning it to someone

[00:05:12] in the organization, but then not giving the authority or the support needed to actually carry out those changes. It's not really becoming part of the culture. It's not part of the core values. And so they get stuck trying to check boxes. Am I on the

[00:05:32] right path? Is that what you see, Matt? So, nail on head. And I think we're seeing it less, based on our answer from a few minutes ago, but think about if you're a tech or if you're a practitioner and you receive a directive that, hey,

[00:05:49] we need to get our security in order. Great. Okay. Here's the budget I need. I need your backing when I tell employees that they have to get this approval. I need to implement configuration changes that may seem inconvenient. And sure, that's

[00:06:08] the real test: when you start doing those things and asking for a budget and asking for approval to say no to things, or implementing some new procedures or new technologies, you know, it's asking, do you really mean it,

[00:06:22] organization? Right? Like, can I have the resources and authority that I need to get this done? And historically, we've seen that a lot of times this gets thrown on some tech: hey, can you make us secure? And the answer

[00:06:36] has been no, you can't have this. And I think what we're starting to see now, and maybe we can get into this later, is that we largely have regulatory authorities and insurance companies to thank for this.

[00:06:49] The answer is more and more becoming yes: yes, you can have what you need. And it starts at the top. I know we were talking about SOC 2 before this, right? That right top-down approach, that's control number one on SOC.

[00:07:04] That's becoming more than just lip service. We see more that organizations do have the resources they need, or at least are willing to allocate them once they figure out what those resources are. I think you're also getting into a cost component

[00:07:18] that, if we were to go back a few years, there was a huge expense to a lot of the tools and services needed, which has really come down, in some cases even to commoditized pricing. You know, when we talk about some of the security

[00:07:36] stacks that we're seeing out there, what used to be $20 to $30 a month per seat across the ecosystem, we're seeing in that three to five, sub-$10 range for a layered stack that more or less covers many of the areas that

[00:07:53] are highest risk, right? But to your point, I think where it was lacking the most in making these decisions to move forward is, I don't think security skills and awareness training was as accessible or

[00:08:09] available as it is now. We're five years in on IT Nation Secure, right? Like, prior to that, what events did you go to where you knew you had the opportunity to be exposed in person to cybersecurity skills and awareness training, whether

[00:08:24] it's for the product-specific type of things, or even just more of the high level, like one of the sessions that you did, the tabletop exercise. And, you know, you said this very plain and simple in the session at the

[00:08:37] beginning, before we were interrupted by the fire alarm. And that was: this will provide some great resources, you know, go and consume the 96-page document about how to stand up a tabletop exercise and then go, okay, how do we

[00:08:51] apply that in the world of a three to five person MSP who's serious about that tabletop exercise, but doesn't have a clue where to start or the time to consume that kind of content to make good decisions with their team

[00:09:07] about what does a tabletop exercise look like? And how do I qualify what we've done to count towards an improvement in our organization? Talk to me a little bit about that, because I think that was something that, if I wasn't mistaken, seemed to be pretty big on

[00:09:21] your passion for educating the MSP space, and I can attest that I know it is for me. I remember the first time I got asked about it. And the funny part was, in my head I went like, dude, if you're a nerd, you at

[00:09:35] least know what Dungeons and Dragons is. Like, come on, we don't have to make this overly complicated. You've got a set of dice and someone who can narrate and make things really spooky and scary. You can probably do

[00:09:46] this. But they're not thinking about it as a game. They're thinking about it as this incident response strategy session that they've already lost sight of by adding in the complexities, to the point of not even trying to get started.

[00:10:02] So I just want to point out, even though I made the joke about the facilitator being like a Dungeons and Dragons Dungeon Master, I've never actually played that game. So I've just heard that from other people. I will have to try it at some point.

[00:10:17] You watched the Stranger Things season finale? Nope, no. Oh, I'm so bad at pop culture. Like, I watch sports; that's about as far as I get. Well, you could use that analogy. Think about the playbooks that they run and how they have to

[00:10:32] constantly make decisions around what the other team is going to do next. And I would argue that we are in a scenario where this isn't about the quarterback, you know, being able to throw to get the next 10 yards,

[00:10:46] right? To get that next first down. You can't ever not get a first down every time in the space that we're living in. So, you know, I always worry about the MSP or the individual. It's like, we're going to win this war. And

[00:11:01] it's like, well, maybe, maybe we will win the war. But you've got to start focusing on the individual battles and go, what kind of sacrifices am I willing to make in this battle knowing that I'm not going to win every single battle?

[00:11:17] I agree with that. And to the point that you started making before, I really am passionate. And it's my simultaneous love and frustration with things like NIST CSF or the CISA tabletop workbooks. And what I mean by that is there is absolutely phenomenal information in them.

[00:11:39] Except if you're someone new to cybersecurity and you go download one of these things, like, you're just so overwhelmed that you don't even know where to start. Like the CISA tabletop things, I believe it's what? Something like nine documents and like three

[00:11:57] months of finding before you even do anything. Yeah, the kit. You're talking about the kit you can download. Yeah, exactly. The worst offender... No, go ahead. Go ahead. The worst offender in all of this is the NIST guide to risk assessments.

[00:12:16] But by the time you actually analyze a risk and think about what it might do to your organization, like actually do something productive, you've spent a month, probably, on different pieces and components and scales and everything. And while I get the value in that, zero to

[00:12:35] one, right? Getting something going is so much more valuable than this mountain of paperwork that it generates, even though it's valuable. I don't want to take away from the value of that analysis, but it's too much. Okay, security is better than no security, because you have to start

[00:12:53] somewhere. You have to recognize the gaps and start plugging them. And in some cases it might be like trying to take a rag to stuff the drain or to stuff a leaky... Put the Flex Tape around the little hole that's popped into the pipe. Because the reality is

[00:13:10] any water getting out is still bad for the room that the water's leaking in, even if the tape is not a permanent solution for your long-term viability as an organization. You can't do this stuff overnight. I like that. Going back to the tabletop, in your

[00:13:24] CISA example, we've done at ChannelCon and CCF now and Amiacon, we've done some variation of a tabletop exercise with the room. And the first time that I stood it up with Sarah O'Kelly, we started going back and forth like, you know, we

[00:13:39] just need to understand some of the basic concepts, like who are the people involved? What are the expectations for the facilitation of the exercise? What's allowed? What's not allowed? And I took the one that we use, the one from CISA on ransomware, and we basically used

[00:13:54] each slide as one of the days or the next thing happening in the particular example. And we just talked through it as a: now what would you do in this case? We didn't spend any time like, let's go through your IR plan. Let's go through your

[00:14:08] business continuity plan. This was really about, like, in the heat of the moment, as an organization, as a business owner, or whatever the role is that you're in, what would you do in this situation based on what you know, on the information I've

[00:14:21] given you right now? It's not a lot of information. It's not a lot to go on. But what would you do? And what we found is they all were able to participate, because there was no, like, extra, like, oh, well, until

[00:14:33] so-and-so comes back who's on call. The number one thing we walked away with is that everyone was like, the communication and responsibility matrix is more important than anything else. We've talked about pre-tabletop exercises, and half the stuff that would go into

[00:14:48] business continuity, IR planning, or any of these other things. What does my responsibility matrix look like? Have I tested it? And if I've tested it, how long ago was that test? How frequently should I test it? And then you get this response: well, you know, it's

[00:15:05] nice that some companies have the staffing to regularly, on a monthly basis, call all 65 of their vendors and verify that it's still in place. And I was like, dude, you at least have three to five vendors that are so critical to your organization, you had better

[00:15:21] know on a monthly, if not more frequent, basis if anything has changed. So I think some of that stuff is the minutiae that we don't talk about when we get into things like tabletop exercises, that are assumed in those, like, say, here's the kit, or here's

[00:15:38] the bigger conversation of you need these things first. Is that fair? Like, there's more to it than... we could just be focused on the things that build up to a tabletop exercise as the things that we're doing. And someday we have to do a complete tabletop exercise.

[00:15:55] I think you nailed it in more than one way in that answer. I used to do sessions at conferences with a very simple title: What Happens If. And that was the extent of the tabletop exercise, right? We didn't go deep into the minutiae necessarily. We explained

[00:16:17] that you can stand around the water cooler or the lunch table. Yeah, say, hey guys, what would happen if this server went down, or we got ransomware, or, you know, insert scenario here. Now, realizing that that doesn't satisfy if you might have regulatory obligations to perform a tabletop. Sure,

[00:16:36] there's some need to do formal ones, right? That's not enough. But from the value of preparing you for an incident, just saying, hey, what happens if we do this? How would we handle it? That gets you into that habit of just thinking about it all the

[00:16:50] time instead of only thinking about it during these big planned exercises. And the mindset shift is so valuable even if you still have to do a big, long, formal one to satisfy some insurance or regulatory criteria. Just getting you and your team into the mindset of thinking about

[00:17:13] small things, what might change, what our response would be, and identifying small units of improvement from that. That's what gets you towards security, right? Security is not a bang: you weren't secure yesterday and are today. It's incrementally, over time, fixing one little hole at

[00:17:30] a time, with your Flex Tape example, that gets you closer to security. I guess it's one of those infinite horizon things, because you never actually get there. Well, and you have to, again, this goes back to how do you start? Right? Like, I think to say that,

[00:17:44] regulatory or not, you're going to just jump to pass the first time you answer a safeguard around, you know, doing exactly that on a tabletop exercise. Like, that's to assume then that your entire staff has a competency to do incident response planning and all

[00:18:01] the other stuff that's assumed that you're bringing to the table to have a successful tabletop exercise. If you don't have those things, then really all you're doing is talking through the water cooler scenario, and maybe you've got some ground rules in place that say this is

[00:18:15] no laughing matter. We're not creating jokes, and no dumb idea or stupid idea is going to be mocked, because that might be the idea that saves us. Right? Yeah, we could talk about tabletops and the build-up to tabletops all day long. Let's shift

[00:18:31] gears. I know you did several sessions, but the one that you and I did together was talking about the MSP+ playbooks. That has been something that I have been excited about participating in the consumption of, going back to their inception in 2020. When I came

[00:18:47] over to CompTIA in 2022, I was like, man, this would be really awesome if we could use these to help us with the Trustmark. I think in the current iteration that will get released here in the next couple of weeks for all three of the books, the most

[00:19:03] important thing for me that I see as a takeaway from those playbooks is that this is about better cyber hygiene. And it goes back to, I think, everything we've talked about up until this point is that it gives you a place to start. And hopefully,

[00:19:17] even though the documents, you know, aren't all illustrated and there's more than 20 pages in most of them, it's the direction of doing something one step at a time and not being overwhelmed as you progress. Is that fair? It's like, I'd love it if everybody were

[00:19:36] doing the Trustmark. That's, you know, we're talking about what benefits me and my passion for seeing solution providers comply with something that makes sense for them. Again, though, when I look at the playbooks, anybody that wants to improve their cyber hygiene, any framework that

[00:19:50] you might possibly be pursuing, this is structured in such a way that they can be successful if they use these books and follow them from the beginning of the book through the end. Is that a fair way to use the playbooks today? It is.

[00:20:06] So the new playbooks are organized by section; they're organized by NIST domains, but the safeguards that are referenced come from Trustmark, and that's intentional, because Trustmark doesn't suffer from the issue that we talked about before, where not everything is necessarily applicable to an MSP.

[00:20:27] They are applicable to any organization, but specifically Trustmark solves the problem that we mentioned earlier, that maybe SOC 2 doesn't really fit all facets of an MSP. You can kind of shoehorn it in. You don't feel like you're shoehorning it in with Trustmark.

[00:20:48] And the big thing with this update to the playbooks is the existing version has fantastic information in it, but it suffers from some of the same kinds of problems we just talked about with the NIST documents and the CISA tabletop kits. That is, they can be challenging

[00:21:04] to get through if you're just getting started. They're very long, and you feel like you're just reading and reading and reading and not necessarily knowing where to start. So we intentionally changed the tone and point of view of the new ones. You can almost think of it

[00:21:18] as a conversation, very much like this. It might be me talking to you as another MSP, right? If you and I both rewind over many years, we were both doing MSP work. It would be the kind of conversation we would have at a conference,

[00:21:33] as opposed to me from on high talking about how to do everything. It's like, hey, man, I tried implementing this. Watch out, because you might run into this landmine somewhere. It's that kind of tone, as opposed to: this is the perfect way to do everything.

[00:21:47] And we definitely don't want to do that. I think it's important to point that out, Matt, that in our world as MSPs, we made mistakes. I made a lot of mistakes. I was really good at shiny object syndrome. But as we grew, and after selling the MSP,

[00:22:05] really what my passion is now is to say, hey, I hope you can learn from the mistakes that I have made and experience less headache, drama, stress, PTSD, whatever it might be, because the reality is, the role that I was in,

[00:22:26] it was eating me alive. Like, I had to do something different. And the crazy thing is some of my hair actually grew back on top of my head. I haven't gotten any color back in what turned white, but I feel like what MSPs are going through today,

[00:22:44] I don't envy any of that. And really, if I can, and I know you have the same viewpoint, if there is anything that we can do to answer questions or help you on your journey, that's largely why these playbooks exist. You will probably see additional guides coming out

[00:23:03] in the near future that go along with it. We could call them companion guides, because I don't want to spend time dictating or telling you how to implement the right VLANs and firewall rules for your organization. That's kind of up to you, but that doesn't mean,

[00:23:18] if you're a Sophos firewall or Barracuda or fill-in-the-blank shop, that there couldn't be a specific companion guide that helps you be successful and still aligns with the Trustmark or a specific set of safeguards that are beneficial to you in your cyber hygiene journey.

[00:23:39] Is that fair? Right. We're sharing concepts as opposed to technical minutiae. You know, most everyone that we talk to in this industry knows how to go and configure a VLAN and what a VLAN is and all of that. What they might not know is the security aspects

[00:23:58] of it, where it is and isn't a security domain, and how that impacts their overall program. That's the kind of thing that we're trying to translate with this. So I loved, I don't know if it was on purpose or accidental, but the section that you brought up

[00:24:16] during our presentation was just like a quick note about assets. And there was an aside that said, hey, I know the definition of an asset is a hotly contested thing. Depending on who you ask in the process, you get like 100 different answers.

[00:24:34] And yeah. And the advice was like, forget about the minutiae, save that for a bar conversation at some point, sure, academic debate, and just think about where your company data is. Right. Like, right. Worry about that and get out of the weeds. And that type of practical advice

[00:24:51] is what we're trying to give. Yes. That couldn't be said any better. It's funny you pointed that out. I was thinking, like, how many times... I mean, just looking around at, you know, what else is out there besides the playbooks?

[00:25:06] And, you know, every so many days I get an e-book or some sort of, you know, something that I should read later. So I was grabbing these different ones. And I have like a guide to defining reasonable cybersecurity from CIS, the O'Reilly Cybersecurity Manager's Guide,

[00:25:22] the Art of Building Your Security Program. Then I have Cyber Resilience as Mission Critical for Business. These are all published inside of the last 90 days. So I bring these up only because this isn't coming just from the playbooks. This isn't coming just from CompTIA

[00:25:43] and the need for the Trustmark. Even the stuff that you're hearing from the regulatory bodies: they're challenged too; they don't know our industry. They're asking for help. And if you're listening to this podcast and you're making decisions around how to improve your own posture, I would encourage you,

[00:26:00] even if you haven't checked out the Trustmark yet, to at least go and check out the playbooks, even the ones that are currently published today. I know that if you reach out to Matt Topper here on... is it, what's the best way for them

[00:26:12] to do it, on LinkedIn? And you'll get them the link to at least the Ready book. Yeah, LinkedIn; happy to send a pre-published version of it. The full release of all three of them will come sometime this summer.

[00:26:28] I don't have an exact date, because I don't want to hold anyone editing to a specific date yet. But this summer sometime is when the full release is coming. But until then, LinkedIn, you know, smoke signals. And I won't throw you under the bus,

[00:26:44] because it's not you that I'm thinking of. So I don't want anybody to think that, because I won't name the vendor, it's you. We all remember the release cycles or roadmaps for a specific vendor, where they'd be like, oh, yeah, that's being released third quarter.

[00:26:58] And everybody's like, third quarter of 2024? That's awesome. And the reality was it was third quarter of their fiscal year, which meant it wasn't going to happen until the first quarter of the following year, which was, you know, calendar versus fiscal. So, like, this is not that.

[00:27:16] This is saying this summer. It is both of our respective goals for our respective organizations to see this materialize officially this summer. So it will come out. There's a lot of work that went into this. I think the ConnectWise team did an impeccable job

[00:27:36] of getting this done, largely on, you know, Matt Topper's shoulders. If you're interested in the Trustmark, you can Google that, of course, and you can see the link. I got asked this by a couple of different MSPs that I guess weren't sure.

[00:27:51] And there will be some updates to the information that's out there. The onboarding fee to participate in the Trustmark journey is 250 U.S. dollars for the readiness path. And then to do the full audit, which is performed now by CREST, it's 2,500 U.S. dollars per year.

[00:28:11] In the first iteration, you have up to two years to get your evidence collected and be ready for your audit. And then the other question that came out, that I've had a lot of back and forth on, is sort of where we're at with other GRC platforms

[00:28:26] being able to host the Trustmark. And I can tell you that we have two beyond FortMesa that are activating right now. We'll probably see three to five over the course of the next three to six months. We'll even be at the point

[00:28:40] where, if you sign up in the future, you'll be able to pick from a drop-down if you're already using one, or suggest one for future iterations of the Trustmark. So hopefully that's helpful for those that are listening that haven't picked up the torch to pursue the Trustmark.

[00:28:56] Matt, as always, I appreciate you joining me on MSP 1337. For those of you listening, thanks and have a great week. Thanks, Chris.