Talking about risk shouldn't be difficult, but it is as I sit down with Peter Maynard of SMB1001. There are so many challenges in cybersecurity, but sometimes we need to look through the lens of risk. SMBs worldwide will soon be asking their MSPs about how they can help them align their cybersecurity posture with a set of safeguards that will complement what MSPs pursuing the CompTIA Cybersecurity Trustmark can manage or support for their new or existing clients.
[00:00:06] [SPEAKER_01]: Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity challenges,
[00:00:14] [SPEAKER_01]: solutions, a journey together, not alone.
[00:00:22] [SPEAKER_01]: Welcome everybody to another episode of MSP 1337. I'm joined this week by Peter Maynard,
[00:00:29] [SPEAKER_01]: co-founder of SMB 1001. Peter, welcome to the show.
[00:00:34] [SPEAKER_00]: Hey, Chris. Thanks very much for having me. It's great to be here.
[00:00:37] [SPEAKER_01]: It's always good to have unique perspectives and a little bit of a global view. For those of you that
[00:00:43] [SPEAKER_01]: don't know, if you couldn't figure it out, Peter is not based in the US. Peter hails currently from
[00:00:50] [SPEAKER_01]: Down Under and I had the opportunity to talk to several colleagues that have
[00:00:57] [SPEAKER_01]: shared interest in SMB 1001 and of course our conversations have evolved and what I wanted
[00:01:02] [SPEAKER_01]: to talk about today is just the challenges that you're seeing. I think we all are seeing some of
[00:01:08] [SPEAKER_01]: the same ones and it all seems to come back to one thing and I hate to call it this but risk
[00:01:14] [SPEAKER_01]: does not seem to be a conversation that really any MSP wants to have but more specifically,
[00:01:21] [SPEAKER_01]: and we were talking about this earlier, the SMB space seems to think that they are,
[00:01:28] [SPEAKER_01]: I don't want to say safe from the need to talk about risk but that there's somehow this
[00:01:35] [SPEAKER_01]: vortex, the cyber defenses that the world around them doesn't really care about them because they're
[00:01:42] [SPEAKER_00]: so small. Is that a safe assumption? It's definitely been one that we've been working to
[00:01:50] [SPEAKER_00]: is that and it has been in the past empirically that absolutely has been.
[00:01:56] [SPEAKER_00]: I'm too small, I have nothing of value. Why would they target me? What do I need to take action? And
[00:02:02] [SPEAKER_00]: most importantly, we've got nothing to worry about our IT guys have got us covered. That's
[00:02:09] [SPEAKER_00]: basically what I had heard for the last better part. I like that one, our IT guy hasn't covered.
[00:02:15] [SPEAKER_01]: What is it that your IT guy does? I have no idea but it's no idea. But being able to say
[00:02:21] [SPEAKER_00]: that confidently and convincingly to you allows me to go to sleep at night and it gets you to
[00:02:27] [SPEAKER_00]: retreat from being in front of my face so you'll go away. Absolutely, that's it. I think one of the
[00:02:37] [SPEAKER_00]: most telling things that we've come across over the last 12 months was a survey that was done
[00:02:47] [SPEAKER_00]: by one of the major credit card companies and it was done for across a thousand small businesses
[00:02:53] [SPEAKER_00]: here in Australia. The businesses were asked what are your biggest concerns and risks moving
[00:03:04] [SPEAKER_00]: forward so to say? The top three concerns was continuing to make revenue and increasing revenue.
[00:03:12] [SPEAKER_00]: Secondly was creating relationships that would lead to revenue creation and third was
[00:03:22] [SPEAKER_00]: reducing our costs. So that were the primary concerns of the SMBs. Those in sequential order
[00:03:29] [SPEAKER_01]: like number one was number two and three. So question about number two because we say this
[00:03:36] [SPEAKER_01]: in the States, you can't rely at a certain point of word-of-mouth referrals because you run out of
[00:03:42] [SPEAKER_01]: word-of-mouth referrals. Is that not been reached yet or they just... I mean because a lot of MSPs
[00:03:51] [SPEAKER_01]: in my space still say that anyways. They're like well we've done great with word-of-mouth.
[00:03:57] [SPEAKER_01]: Are you wanting to grow beyond that or that's enough? You raised a great point there too.
[00:04:04] [SPEAKER_00]: I think that point too could be looked more broadly as marketing and ability to market.
[00:04:11] [SPEAKER_00]: And interestingly enough at a conference I went to recently that was speaking specifically to MSPs
[00:04:20] [SPEAKER_00]: and their business acumen. This wasn't even on the list of a skill set to have yet when
[00:04:27] [SPEAKER_00]: we looked at by the leading credit card companies it was a number two focus for
[00:04:33] [SPEAKER_00]: most businesses out there. So that may be something that is specific in the IT sector.
[00:04:39] [SPEAKER_00]: It probably is fairly similar in the accounting sector as well as we're going to be not the best
[00:04:43] [SPEAKER_01]: market in the world. Yeah, yeah. Well and you see in the accounting sector because everybody
[00:04:47] [SPEAKER_01]: needs accounting and no one wants to do math. There seems to be no shortage of referrals
[00:04:53] [SPEAKER_01]: happening to those that do a good job at accounting. Indeed indeed. I think the most
[00:04:59] [SPEAKER_00]: interesting thing from that survey though was that cybersecurity rated the lowest.
[00:05:06] [SPEAKER_00]: And that was a really interesting discovery for me. It wasn't surprising. Empirically it had been
[00:05:12] [SPEAKER_00]: what I had observed in the market. That lots of words were spoken, no action or little action
[00:05:19] [SPEAKER_00]: was taken and was more than happy to rely on whatever the IT provider was providing.
[00:05:25] [SPEAKER_00]: So that then made me think well as security professionals, I've taken the view over the
[00:05:33] [SPEAKER_00]: last three to four years that as security professionals we need to be focused more on
[00:05:39] [SPEAKER_00]: being good shepherds as opposed to deputized sheriffs out there that are looking to enforce
[00:05:46] [SPEAKER_01]: the cybersecurity laws across the house. Issue a ticket as opposed to tell you why you got a
[00:05:52] [SPEAKER_00]: product. Absolutely. How to avoid getting one. How to avoid the ticket. How to protect ourselves.
[00:05:57] [SPEAKER_00]: So what I had seen is that whenever I had spoken to a business in running a maturity
[00:06:05] [SPEAKER_00]: assessment and they'd be over 500 now was yeah, cybersecurity is a massive concern to us.
[00:06:13] [SPEAKER_00]: It's one of our biggest risks. Our IT guys have got us covered but when we did that
[00:06:19] [SPEAKER_00]: maturity assessment, if we were able to get through the process of doing that maturity
[00:06:23] [SPEAKER_00]: assessment because the business owner had pushed us away before we even got there or the IT provider
[00:06:29] [SPEAKER_00]: had stopped us from doing it probably from a self-protection point at that stage was that
[00:06:36] [SPEAKER_00]: you would see enormous gaps in risk management and it was an overinvestment in technical
[00:06:43] [SPEAKER_00]: controls. I think that could be a localized problem in Australia because a lot of the guidance
[00:06:49] [SPEAKER_00]: that we get in Australia is focused on technical control but there was no preparation done in
[00:06:55] [SPEAKER_00]: the ability to respond to an incident or more importantly to recover. It's almost that if
[00:07:02] [SPEAKER_00]: you have these IT controls in place, you won't need to recover because you won't be attacked
[00:07:09] [SPEAKER_00]: but the figures don't say that. Australia is one of the most prized targeted locations in the world
[00:07:15] [SPEAKER_00]: and I think it's for a lot of these reasons sadly Chris and it's not the fault of the business owners.
[00:07:22] [SPEAKER_00]: Australian small business owners are just like their American cousins, they're hard working,
[00:07:26] [SPEAKER_00]: they're heavily invested, they're family organizations with lots to lose. It's just
[00:07:31] [SPEAKER_00]: the ecosystem that has been supporting them really probably hasn't been fit for purpose
[00:07:37] [SPEAKER_01]: for their needs. Sure, I mean from a financial standpoint I can't imagine defining how I want
[00:07:43] [SPEAKER_01]: to grow my business by like how do I reduce my costs? You know there's some things I guess I
[00:07:49] [SPEAKER_01]: think at the end of the day these aren't necessarily unique to the challenges we have here. I
[00:07:53] [SPEAKER_01]: mean I think we say the same things I'm too small. I think the MSP world here has shifted
[00:08:00] [SPEAKER_01]: into more of like I understand that I need to do these things but I don't have time
[00:08:06] [SPEAKER_01]: or I have time to deliver cybersecurity services to my clients but I haven't taken the time to
[00:08:12] [SPEAKER_01]: execute or implement them internally for my own MSP. And I think the challenge is twofold.
[00:08:20] [SPEAKER_01]: One, I believe for the last 20 years the world of the quote managed service provider and even
[00:08:27] [SPEAKER_01]: if we go back to before it was called that all had a couple similar goals in mind. One,
[00:08:31] [SPEAKER_01]: you know increase profitability, we all wanted that. Usually that meant have more clients or
[00:08:36] [SPEAKER_01]: better clients maybe we even started really standardizing on the type of client we were
[00:08:40] [SPEAKER_01]: providing services to and then we were concerned about reducing cost not so much about increasing
[00:08:47] [SPEAKER_01]: profitability. And one thing that I think has happened in the last four or five years that
[00:08:52] [SPEAKER_01]: makes the timing now if you're an MSP somewhat brilliant is that there are tools today that
[00:08:59] [SPEAKER_01]: didn't exist five, 10 years ago with regards to enabling the discovery of the enabling of
[00:09:05] [SPEAKER_01]: efficiencies the reduction in FTE resources but largely in areas that are not cybersecurity
[00:09:11] [SPEAKER_01]: centric. And as an MSP we're like well when it becomes a tool then I can invest in it because
[00:09:18] [SPEAKER_01]: that doesn't take away from my I haven't added FTEs to put tools in. And I think in this
[00:09:25] [SPEAKER_01]: is the one area where we need the most eyes on glass is when it comes to cybersecurity and obviously
[00:09:30] [SPEAKER_01]: AI is going to have I think a very positive impact in the not too distant future on the ability to
[00:09:36] [SPEAKER_01]: help you know corral the amount of data and help reduce false positives. But the reality is
[00:09:43] [SPEAKER_01]: this is not a commoditized area, you know I can deploy an RMM tool I can deploy AV I can
[00:09:50] [SPEAKER_01]: you know patch management and some of those things that's become very commoditized in a lot of areas
[00:09:56] [SPEAKER_01]: across the globe. But what has not become commoditized is you know reducing the impact
[00:10:02] [SPEAKER_01]: of bad things happening without really do consultative delivery of services around
[00:10:08] [SPEAKER_01]: things like no we have to execute SSO etc. And then the second one is
[00:10:14] [SPEAKER_01]: and you said this at the beginning my MSP is already doing those things
[00:10:20] [SPEAKER_01]: based on what criteria have you come to that conclusion because I think that's where we have
[00:10:25] [SPEAKER_01]: a I need to wake up and educate the world at large around if you're going to hire an MSP
[00:10:32] [SPEAKER_01]: you need to have an understanding of at a minimum these dozen fifth I don't care how many
[00:10:39] [SPEAKER_01]: you can start with one thing that they're doing some of these things in my environment
[00:10:43] [SPEAKER_01]: or helping me achieve that these are being done well before I assume that they're just being done
[00:10:49] [SPEAKER_01]: because if I'm not participating in the conversation or in the responsibility of this being done
[00:10:54] [SPEAKER_00]: no one's going to do this for me. Yeah, you're absolutely right and and I've seen the whole
[00:11:02] [SPEAKER_00]: the whole spectrum of MSPs just to what you've spoken to the ones that understand the incredible risk
[00:11:11] [SPEAKER_00]: that comes with their risk and responsibility that comes with their job as a provider and as one
[00:11:17] [SPEAKER_00]: that holds the keys to the castle so to say all the way back to the ones that are looking to
[00:11:23] [SPEAKER_00]: how do we monetize this and how can we just put money into the business without
[00:11:29] [SPEAKER_00]: necessarily addressing the risk and you're right not every doctor that graduates from
[00:11:34] [SPEAKER_00]: university got sevens that's got much lower scores. The Simpsons is a perfect example as Dr Nick
[00:11:41] [SPEAKER_00]: Riviera for example he was a great example of not every doctor was brilliant. Yeah, yeah, yeah
[00:11:47] [SPEAKER_00]: that's it that's a really important point and it was one of the key tenets of SMB 1001
[00:11:55] [SPEAKER_00]: whilst the attempt was to simplify the language that's used in a standard
[00:12:02] [SPEAKER_00]: in one that's typically been a confusing area for for the businesses that needed to be able
[00:12:08] [SPEAKER_00]: to implement and really there hasn't been a standard specifically made just for a small
[00:12:14] [SPEAKER_00]: business so they're always trying to interpret something that was for someone in a higher
[00:12:19] [SPEAKER_01]: grade than where they're at or legacy right they use lots of legacy safeguards you get lost in the
[00:12:25] [SPEAKER_01]: legacy safeguards and then you're like well which ones of these actually matter to me well they all do
[00:12:29] [SPEAKER_00]: even if they are legacy and that makes it absolutely you're dead you're dead right so
[00:12:35] [SPEAKER_00]: the the purpose of the standard was also if if all I ever heard was when my IT guys got us
[00:12:42] [SPEAKER_00]: covered well let's make sure that every IT guy that tells us that is working is singing off the
[00:12:48] [SPEAKER_00]: same hymn sheet at the very least it did two things at least in the right colored hymnal
[00:12:54] [SPEAKER_01]: right could be the red one and it's not the blue one then you got a bigger problem on your hands
[00:12:58] [SPEAKER_00]: that's exactly right that's exactly right it also helped it also helped the MSP especially in
[00:13:06] [SPEAKER_00]: Australia I think a lot of a lot of MSP and IT providers here in Australia has sort of come to
[00:13:12] [SPEAKER_00]: a roadblock where they've tried for years and years and years to move the dial with
[00:13:16] [SPEAKER_00]: cybersecurity and cyber resilience uplift and maturity uplift with their customers but
[00:13:22] [SPEAKER_00]: where the source of guidance that it all came that it was all coming from really didn't help them
[00:13:28] [SPEAKER_00]: on that journey it was it was well we've had how do we implement these eight controls and
[00:13:35] [SPEAKER_00]: once we've made that investment what do we get to show for it we're done we're done we don't
[00:13:41] [SPEAKER_00]: have to do anymore because we've done the eight things yeah that's exactly right so what it's what
[00:13:48] [SPEAKER_00]: it's done is it's it's it's simplified first of all it's made very transparent to a small business
[00:13:53] [SPEAKER_00]: owner sure what they needed to do to be good better or best and if they wanted to go beyond that
[00:14:00] [SPEAKER_00]: but more importantly I think it's standardized for the MSP providers and the IT providers
[00:14:05] [SPEAKER_00]: that these small businesses will always look to look to for their cyber security guidance
[00:14:12] [SPEAKER_00]: on what they needed to be delivering as services these businesses don't need a $30,000 firewall
[00:14:19] [SPEAKER_00]: they need no cost MFA turned on all of their email email accounts including their administrative
[00:14:24] [SPEAKER_00]: accounts they need simple policies to help them avoid invoice fraud which is probably going
[00:14:30] [SPEAKER_00]: to be the way that they go out of business in many cases for sure yeah so that's that was really
[00:14:37] [SPEAKER_01]: the intention so the whole risk management concept I think comes into play here and it reminds me of
[00:14:43] [SPEAKER_01]: you know the health and the culture of an organization you know Drucker says you
[00:14:48] [SPEAKER_01]: know culture will eat strategy for breakfast and then you have the the more current one which
[00:14:53] [SPEAKER_01]: would be the Patrick Lencioni where he says uh why organizational health trumps everything else
[00:14:59] [SPEAKER_01]: in business and I think what we have for a long time struggled with is when it comes to organizational
[00:15:06] [SPEAKER_01]: health cyber security is as important or critical as sales and operations and HR and all of those
[00:15:15] [SPEAKER_01]: components that make up what encompasses you know the will of an organization to move forward
[00:15:22] [SPEAKER_01]: in any direction based on what leadership and the maturity of the organization is showing
[00:15:27] [SPEAKER_01]: so if we are to be successful with something as critical as cyber security well then the health
[00:15:36] [SPEAKER_01]: of the organization then is directly tied to cyber security being part of that culture and
[00:15:43] [SPEAKER_01]: strategy and together moving that in one direction do you think that's I mean I've read through
[00:15:49] [SPEAKER_01]: the SMB 1001 I've read a lot of frameworks over the last few years that some make me just feel
[00:15:55] [SPEAKER_01]: sad and depressed and others give me hope that there is enough of a prescriptive guidance
[00:16:02] [SPEAKER_01]: in the framework for any one organization to be successful based on their willingness
[00:16:06] [SPEAKER_01]: to commit to the outcome that's desired in the framework right and yeah and in generally
[00:16:13] [SPEAKER_01]: speaking and I'm sure you've heard this too we're too small it's too hard uh I don't have
[00:16:19] [SPEAKER_01]: time so I can't even get started and it goes back to what you said but why don't you turn on MFA
[00:16:25] [SPEAKER_01]: I remember the days and you could probably attest this too when it was easy to say that's a work
[00:16:32] [SPEAKER_01]: problem not a me problem so when it comes to what I do to log into my computer if the
[00:16:37] [SPEAKER_01]: password complexity needs to be eight characters versus 20 characters or bajillion characters
[00:16:41] [SPEAKER_01]: if it's a work to asset I'm relying on my workplace to do that for me regardless of how
[00:16:49] [SPEAKER_01]: they're getting it done and if they don't do that then I don't care the strange part is in the consumer
[00:16:54] [SPEAKER_01]: personal life of every single consumer out there we've started to be forced down a path of things
[00:17:01] [SPEAKER_01]: like to log into your bank account please put in the secondary pin code or some other form of
[00:17:06] [SPEAKER_01]: additional authentication we have to shift this whole thing onto that mindset I personally
[00:17:14] [SPEAKER_01]: have a responsibility to protect myself and my family and those I care about from bad things
[00:17:20] [SPEAKER_01]: happening based on what I can do to keep them from happening I can no longer just ignore at the
[00:17:26] [SPEAKER_01]: workplace that someone else is going to do it for me I have to take that consumer mentality now with
[00:17:31] [SPEAKER_01]: me its inconveniences and all into the workplace and say how do I participate in making a
[00:17:37] [SPEAKER_01]: difference and I think to a couple of the questions that come out of the SMB 1001 I think
[00:17:43] [SPEAKER_01]: it does a great job of at least starting a small business on the journey of asking questions
[00:17:50] [SPEAKER_01]: of themselves and who's helping them to do the IT services now granted it's a slam dunk for an MSP
[00:17:56] [SPEAKER_01]: if they read the first question and it says they need to engage a professional that can do these
[00:18:00] [SPEAKER_01]: things awesome but I think more often than not you have the SMB world that says I have that
[00:18:06] [SPEAKER_01]: professional my son my cousin we all have a family member that at least knows how to turn on
[00:18:12] [SPEAKER_01]: a laptop and in some cases that's the epitome of the cybersecurity mastery course that's been
[00:18:18] [SPEAKER_01]: taken and now embedded into your company but then you start asking the questions that go beyond that
[00:18:25] [SPEAKER_01]: it's easy to ask the question to use a password manager most end users today would probably say
[00:18:31] [SPEAKER_01]: yes even if it's not a good one like yeah I've got them all in my browser which is probably
[00:18:37] [SPEAKER_01]: enabling them to create better than the password that they can remember which they have for 350
[00:18:43] [SPEAKER_01]: websites it's a combination of some dog anniversary and fill in the blank right yeah yeah but then you
[00:18:49] [SPEAKER_01]: ask the second question which gets a little bit more advanced is it centrally managed and I think
[00:18:56] [SPEAKER_01]: this is where in lies the challenges that we see across all frameworks you have to have somebody
[00:19:02] [SPEAKER_01]: in a role within your organization with the responsibility to oversee and ensure
[00:19:07] [SPEAKER_01]: that things are being handled and addressed in a meaningful way at a corporate level and I don't
[00:19:12] [SPEAKER_01]: use the word corporate in the sense that you have to be fortune 1000 but like your company
[00:19:18] [SPEAKER_01]: as an organization is choosing and it may be the same person for all umpteen things that are
[00:19:24] [SPEAKER_01]: in your list because there's only three of you or two of you or one but it has to happen
[00:19:30] [SPEAKER_01]: right like it can no longer just live in silos because silos are where things get broken and bad
[00:19:35] [SPEAKER_01]: guys love silos because they can hide there for a very long period of time so I do so really
[00:19:42] [SPEAKER_01]: I mean the goals that you have is to target what we would consider is the global economic
[00:19:50] [SPEAKER_01]: economy right like the global economy is defined by the SMB maybe a little bit less so in the
[00:19:56] [SPEAKER_01]: US than other countries are our percentage of what's considered SMB is a much lower number than say
[00:20:02] [SPEAKER_01]: Australia or Europe but the reality is that number is always going to continue climbing
[00:20:09] [SPEAKER_01]: be correct even when it collapses right because it's a whole lot easier to start a company of one
[00:20:14] [SPEAKER_00]: than it is a company of 100 yeah and the great the great thing too is it's it's infinitely
[00:20:20] [SPEAKER_00]: easier to secure that company that's the great if you start at the yeah you know turning a cruise
[00:20:27] [SPEAKER_00]: ship is a whole lot more difficult than a speed boat absolutely absolutely and you can navigate shallow
[00:20:32] [SPEAKER_00]: water right indeed indeed I think one of the one of the things that that I brought to the standard
[00:20:41] [SPEAKER_00]: was not not expertise in cyber security it was it was it was far more around having empathy for
[00:20:50] [SPEAKER_00]: a small business owner and a reality of what a small business owner is I've lived small business
[00:20:54] [SPEAKER_01]: or yeah my father people have right if we think about percentages in the space most people have
[00:21:00] [SPEAKER_00]: lived at some point in time in a small business yeah absolutely absolutely and there's and that
[00:21:06] [SPEAKER_00]: small business owner needs to be everything and do everything I definitely think you see
[00:21:11] [SPEAKER_00]: a change in engagement and culture when you move to an organization size that's
[00:21:17] [SPEAKER_00]: accountable to a board at that point in time they're actually managing risk at some level
[00:21:24] [SPEAKER_00]: and and it's not just being done from the hip if at all but by the small business
[00:21:31] [SPEAKER_00]: but I think the most important concept that that I stayed focused on through the whole journey
[00:21:39] [SPEAKER_00]: was one that came that that I even put myself into when I first met my mentor and and we spent
[00:21:47] [SPEAKER_00]: five hours together in that in that steak restaurant in Mandalay Bay in at Black Hat in 2015 and we
[00:21:57] [SPEAKER_00]: just talked about that's a good steak place yeah it was great we had a great it was a great evening
[00:22:02] [SPEAKER_00]: and I said to him I said look I'm I'm really interested in getting into cyber security
[00:22:07] [SPEAKER_00]: I want to I want to be able to stand in front of small business and help them improve at scale
[00:22:13] [SPEAKER_00]: because they need to it's just something they're going to have to do every business now is a
[00:22:18] [SPEAKER_00]: technology business and if you're a technology business you've got your door wide open to cyber
[00:22:23] [SPEAKER_00]: crime and risk so what can we do I said I'm looking to you as the professor in cyber security
[00:22:32] [SPEAKER_00]: I'm in preschool and I need you to bring me up to about grade three or four level
[00:22:37] [SPEAKER_00]: so I can help everyone that's in grade one right and that remains the case today
[00:22:42] [SPEAKER_00]: what what what what I what I see time and time again especially with assessments that get sent out
[00:22:48] [SPEAKER_00]: we've got small businesses here in Australia being sent assessments with 400 questions in them
[00:22:55] [SPEAKER_00]: and the question I always ask is as a grade 12 student doing advanced geometry and calculus
[00:23:05] [SPEAKER_00]: would you have any expectation that you could take that exam down to a grade one class
[00:23:11] [SPEAKER_00]: and have that grade one student complete that exam and the answer is absolutely no they haven't even
[00:23:17] [SPEAKER_00]: learned how to add or subtract yet so how can they do complex mathematical calculations
[00:23:24] [SPEAKER_01]: they can't and so I've got the attention span problem too exactly which is almost more to the
[00:23:30] [SPEAKER_01]: problem right so even if we had trivial questions at the 12th grade level that was only leveraging
[00:23:37] [SPEAKER_01]: the math that the first grader knows your first graders not going to sit there and answer 400
[00:23:42] [SPEAKER_01]: questions the 12th grader might not sit there and answer 400 questions but I think that's to your
[00:23:48] [SPEAKER_01]: point if the question volume was reduced down to a dozen or two dozen core conceptual
[00:23:55] [SPEAKER_00]: questions I don't I don't even think you can ask questions because I'll come back to I come
[00:24:00] [SPEAKER_00]: back to a point you made is it centrally managed I would not be surprised if half of the participants
[00:24:06] [SPEAKER_00]: that saw that question would be saying who do they mean the government is the government managing
[00:24:10] [SPEAKER_00]: passwords well I don't want a password okay the government's touching it I'm not interested in it
[00:24:15] [SPEAKER_00]: the other the other really important part about the grade one persona as opposed to grade 12
[00:24:21] [SPEAKER_00]: persona the grade one persona doesn't understand risk that has they don't understand what's
[00:24:27] [SPEAKER_00]: dangerous behavior they haven't but they can be taught they can be taught empirically they've been
[00:24:34] [SPEAKER_01]: taught by being breached or being attacked no I'm saying that the first the first grade assuming
[00:24:39] [SPEAKER_01]: you get them before that b word has happened yeah yeah they can be taught what risk looks like and
[00:24:46] [SPEAKER_01]: understanding what risk means to their company that's the 12th grader you may have a really big
[00:24:52] [SPEAKER_01]: problem on your hands because they already have a preconceived idea of what risk is to their
[00:24:56] [SPEAKER_01]: organization that's built on a bunch of lies over time yeah and it comes back to that age old
[00:25:01] [SPEAKER_01]: statement that says I'm too small no one cares and then the second one is I have nothing for them
[00:25:07] [SPEAKER_01]: to take so they can take whatever I will just reopen again tomorrow and I always say like
[00:25:13] [SPEAKER_01]: have you ever tried to file bankruptcy it's not easy and it's not something you just like oh
[00:25:18] [SPEAKER_01]: yeah today's Tuesday we got LLP instead of LLC and we're good to go yeah no I know I know
[00:25:24] [SPEAKER_00]: look for me in empirically as a boy I learned by falling over that's that's how I learned I
[00:25:32] [SPEAKER_00]: noticed my daughter learned differently she was a little bit more risk averse than I was growing up
[00:25:37] [SPEAKER_00]: but I really think it's important that that we give the SMBs the respect of where they are
[00:25:45] [SPEAKER_00]: on their business journey they're not Coca-Cola they're not we can do incorporated it needs to
[00:25:50] [SPEAKER_01]: be incorporated into their journey to your point like the problem we have right now everything we've
[00:25:56] [SPEAKER_01]: talked about with regards to cyber security SMB 1001 the CompTIA Cybersecurity Trustmark any framework
[00:26:02] [SPEAKER_01]: it's probably not specifically well I would with the exception of the two that we were
[00:26:07] [SPEAKER_01]: SMB 1001 and Trustmark we're not even talking to a specific audience we're just saying
[00:26:13] [SPEAKER_01]: do you have to protect the following data type and then just saying then do all of these things
[00:26:18] [SPEAKER_00]: and be successful at it yeah yeah look I I hear what you're saying and how and that that can't
[00:26:24] [SPEAKER_00]: that really comes to the ultimate question how do you how do you drive authentic engagement
[00:26:31] [SPEAKER_00]: and for me I I'm I'm really confident that the only way you will drive authentic engagement
[00:26:39] [SPEAKER_00]: is through economic incentive or economic drivers for a small business the to have a relationship
[00:26:47] [SPEAKER_00]: with an organization like Best Buy or Walmart or a large organization is almost the holy grail for them
[00:26:57] [SPEAKER_00]: that that's one of the most important things that ticks off those top those top two issues in the
[00:27:02] [SPEAKER_00]: survey how do I maximize my revenue how do I create relationships if I'm at risk of losing
[00:27:07] [SPEAKER_00]: that relationship because I failed to engage on cyber security trust me I will be engaged very
[00:27:14] [SPEAKER_00]: very quickly sure and that that's where we believe we will see massive change is when cyber
[00:27:22] [SPEAKER_00]: certification becomes mandatory from a supply chain perspective from large organizations and from
[00:27:28] [SPEAKER_00]: governments that will create the economic incentive to actually move at scale the SMB sector what was
[00:27:36] [SPEAKER_00]: really important though was that if you're going to rely on that mechanism first of all
[00:27:42] [SPEAKER_00]: make it achievable by who you're sending it to if we're asking a catering company to complete a
[00:27:47] [SPEAKER_00]: certification make sure they can do it and make sure they can afford it so yeah raising the bar
[00:27:54] [SPEAKER_01]: over time as opposed to just saying we have a bar up here yep you have time to figure out how to get
[00:28:00] [SPEAKER_00]: over it yeah absolutely absolutely so that's that's really the mechanism that that we're confident
[00:28:07] [SPEAKER_00]: will make that change up until SMB 1001 there hasn't been a valid solution that a large prime can
[00:28:17] [SPEAKER_00]: conduct a whole of supply chain cyber assurance program based off certification because the
[00:28:23] [SPEAKER_00]: certifications only existed for the for the enterprise end of their supply chain yeah now
[00:28:29] [SPEAKER_00]: there's one that goes all the way down to the smallest most insignificant supplier and therefore
[00:28:35] [SPEAKER_00]: remember back to 2013 the HVAC company certainly was an enterprise company no it was a small
[00:28:41] [SPEAKER_00]: engineering firm with about 50 people that probably if they had have been at the silver
[00:28:46] [SPEAKER_00]: level at the level two of SMB 1001 that attack wouldn't have occurred yeah and even if it would
[00:28:53] [SPEAKER_01]: have they would have at least had a much more in-depth awareness to understand that that
[00:28:59] [SPEAKER_01]: was a potential risk may have probably done a better job of communicating with target to make
[00:29:06] [SPEAKER_01]: sure that that didn't happen I mean I think that's also true on we see this in the CMMC space right
[00:29:12] [SPEAKER_01]: like all of the supply chain will have to meet some level and it's past fail like I can't imagine
[00:29:18] [SPEAKER_01]: being a vendor that you just got told like you failed and you're like well kid would now what
[00:29:22] [SPEAKER_00]: yeah come back again in a year that's exactly right it isn't it isn't black or white it's
[00:29:29] [SPEAKER_00]: binary and the needs to be that allowance for a journey to really occur in my experience of any
[00:29:35] [SPEAKER_00]: business that completed the level one requirements the immediate turnaround was that was really
[00:29:41] [SPEAKER_00]: simple what's involved in us getting to the next level yeah that's bona fide engagement that's
[00:29:46] [SPEAKER_00]: investment we've seen we made an investment we got something for it we've got something we
[00:29:51] [SPEAKER_00]: can market in the form of a certification so we can show our clients and customers we've
[00:29:56] [SPEAKER_00]: taken action we want a better one now and that's really that's what's been missing
[00:30:01] [SPEAKER_01]: agreed well it sounds like you guys are really moving the needle and I think it will create
[00:30:08] [SPEAKER_01]: a the yin and yang of this in the in the msp space because with the trust mark
[00:30:13] [SPEAKER_01]: focusing on the msp's well their clients are largely in the smb space the smb's
[00:30:18] [SPEAKER_01]: I hope are starting to ask questions of their service provider to say hey
[00:30:24] [SPEAKER_01]: are how do I how do I achieve these things like where am I at on the on your radar as my msp like
[00:30:32] [SPEAKER_01]: what what improvements do I need to start participating in that I'm not aware of and
[00:30:37] [SPEAKER_01]: I think that will start to push the envelope around am I with the right msp because if they're
[00:30:42] [SPEAKER_01]: not if they're not equipped to handle things like pushing me down a path of centralized
[00:30:47] [SPEAKER_01]: password management or helping me achieve things like sso across our account base
[00:30:52] [SPEAKER_01]: then is then and how do I know if they are qualified to do those things because I think
[00:30:57] [SPEAKER_01]: that's to your point which really isn't part of the smb requirement is it doesn't say in there like
[00:31:02] [SPEAKER_01]: oh by the way make sure that the qualification of the service provider is at this stamp level
[00:31:09] [SPEAKER_01]: but because of those questions because those questions are being asked obviously the the
[00:31:14] [SPEAKER_01]: organizations themselves will start driving okay well what are we using as the benchmark
[00:31:17] [SPEAKER_01]: to qualify those that are going to deliver services to us you raise an excellent point
[00:31:22] [SPEAKER_00]: and the com to your trust mark is a is a is a great way of being able to demonstrate that
[00:31:29] [SPEAKER_00]: we've already had some some early feedback from msp's that really want to be able to
[00:31:35] [SPEAKER_00]: demonstrate that higher level of assurance so the certification body for smb 1001 will
[00:31:41] [SPEAKER_00]: be looking to implement that in the future so having a technical support specialist is one thing
[00:31:48] [SPEAKER_00]: having an accredited one is a double tick yeah and we all know ticks are better than checks so
[00:31:54] [SPEAKER_01]: we'll just go with that absolutely amen for those of you listening this has been an episode of msp
[00:32:00] [SPEAKER_01]: 1337 thanks and have a great week

