Selling Cybersecurity Services

I have heard MSPs say, "we just eat the cost for some services." Whether they are services you have implemented internally or not, it doesn't mean you shouldn't sell those services. Listen to Bill Mulcahey of M6 Technology share his challenges and opportunities. Remember, forward progress is good progress!

[00:00:06] Welcome to MSP 1337. I'm your host, Chris Johnson. A show dedicated to cybersecurity challenges, solutions, a journey together

[00:00:16] Not alone

[00:00:24] Welcome everybody to another episode of MSP 1337. I'm joined this week by Bill McCauley

[00:00:31] to talk

[00:00:33] I was close man. Yeah, you were

[00:00:36] You ever watch M*A*S*H?

[00:00:38] Well, yeah, do I ever watch M*A*S*H? Like if I watch TV Land. Yeah, sure I can watch M*A*S*H

[00:00:44] right

[00:00:45] so

[00:00:47] You posed a question a few weeks back

[00:00:50] And it was less about how to offer cybersecurity services and more about I'm thinking about offering this specific service

[00:00:59] What are your thoughts around charging for it the way I've posed it?

[00:01:03] And I think I gave some like I was like dude if you pull that off I

[00:01:09] Want to know your secrets, right? Like

[00:01:11] And I think the challenge with what you had posed and we'll get into some of the details here in a second is

[00:01:17] thinking about time commitments

[00:01:19] With what you posed because really you had proposed a workshop concept around

[00:01:25] policies or you could fill in the blank with any number of things cybersecurity insurance questionnaires policies how to

[00:01:30] How to show evidence for things that you might need to get a contract

[00:01:34] It doesn't really matter what it is

[00:01:36] But the idea behind your approach was we'll do a two-day workshop

[00:01:42] I don't know about you

[00:01:43] But you've talked about going through the trust mark and having gone through CIS just the sheer

[00:01:49] enormity of time commitment and maybe not time commitment in the volume of hours

[00:01:54] But time commitment into committing to doing the time when it's scheduled on your calendar

[00:01:59] So if it's two hours a week or five hours a week or whatever you've decided

[00:02:04] That you can't skip three weeks and then put two hours in in week four and think that you're gonna progress very fast through

[00:02:10] through the program and it may actually put you on a

[00:02:14] Regression stage right because you can only implement something halfway

[00:02:18] You now have to go back and start over because you don't know where you left off so

[00:02:23] For those of you listening this whole episode is about how do you position security services when you're navigating?

[00:02:30] frameworks and trust marks and you're trying to sort of say I

[00:02:34] Know I need to do this with my client and what better opportunity than as I'm going through this

[00:02:40] And dialing it in why not then use that as opportunity to do so with my clients

[00:02:46] And is that fair kind of in the question that you had asked like how do I how do I if I'm struggling to do this myself

[00:02:54] Should I even consider doing this client facing at least right now?

[00:02:59] That spot on yeah, but in the situation we get in Chris. Well at least me personally

[00:03:05] I think you know I've had some of my clients for a long time. Yeah years plus and I

[00:03:12] Feel responsible so as I'm learning stuff and trying to tighten M6, right?

[00:03:16] I now start thinking about my clients and think oh my gosh

[00:03:20] What would happen if I know this is there? I know ways to protect it and I don't offer it. Yeah

[00:03:27] So that's tough. Yeah, and we're kind of putting it in as we learn

[00:03:32] You know like enhanced security services or we'll add this additional tool and monitoring

[00:03:40] for X number of dollars a month, but it's

[00:03:44] It's kind of piecemeal and sure that's what I don't like about it and they they don't really learn. We're just doing it

[00:03:50] So I think there's well, there's a lot of things in what you just said the first thing that comes to mind for me is

[00:03:56] Remembering that when you say I'm just learning about this fill in the blank

[00:04:02] That needs to happen to improve my own security posture

[00:04:06] I think you have an obligation from an educational standpoint to share that with your client

[00:04:11] Like this isn't I need you to buy this product so that you can solve this problem that we just discovered

[00:04:17] It's more of a

[00:04:19] I'm learning we all are and the threat landscape is constantly changing the security tools and services

[00:04:26] Landscape is changing faster than anything else in our industry. I think you know with AI

[00:04:32] Features and functionality coming into play to help us

[00:04:35] You're constantly faced with what what could I be doing that?

[00:04:38] I'm not that will help me do this better

[00:04:41] And I think that's the most important piece right because it is not your job to make decisions for your clients

[00:04:47] It's your job to create

[00:04:49] options and

[00:04:51] Know like hey, this is the these are the outcomes that we can potentially help you

[00:04:57] See come to fruition

[00:05:01] But I don't think this is a I missed an event in my monitoring

[00:05:07] Therefore it is now my fault that bad things happened

[00:05:11] Maybe like that's a tough one to prove because all the event tells you is what it was able to

[00:05:17] You know grasp as a piece of technology

[00:05:20] Based on the information that it was fed and we know that it's not always truth, right? Like it could be a false positive

[00:05:26] It could be any number of things so I think

[00:05:29] That to just to share that piece is is I think paramount in the overall conversation because any

[00:05:36] progress forward is good progress like it's

[00:05:40] Raising you know if the water is rising and all the boats are rising with it then then that's that's good

[00:05:45] But to your other question, this is the bigger one. This is the one that I think every MSP is asking the question of

[00:05:51] Every time I improve my security posture. There's a good chance. I'm increasing my overhead costs, right?

[00:05:57] Right. So how do I pass some of that along?

[00:06:01] To my clients because at some point I'm gonna stop having positive dollars and now I just have negative dollars

[00:06:07] And it's like why am I still doing this?

[00:06:10] And your challenge and correct me if I'm wrong is if I can't if I'm not yet doing this well internally

[00:06:17] Should I even consider this client facing?

[00:06:22] I

[00:06:25] And here's the thing, I think since we've been in Secure Outcomes

[00:06:29] I've heard you say a number of times that you know were to be our clients trusted advisor

[00:06:35] So not really being out there selling like you said the tool

[00:06:39] But you get in that situation where we know what's happening. We know the security landscape is changing

[00:06:46] And we should be advising our clients and you know as we go through these controls with CIS or the trust mark

[00:06:55] You then stumble across stuff like wow, I miss that or yeah, you know something as simple Chris says

[00:07:02] You know we have security systems here, but we don't lock our front door

[00:07:07] And we had someone walk in and tell us they had to take our electric meter off the building

[00:07:13] This week it was a scam

[00:07:15] But these are things that you know sounds like a pretty good one like I'd love it if I didn't have my meter working like

[00:07:22] straight week

[00:07:23] No electric so but but I mean that's a type of stuff you come across

[00:07:27] You know I think of building security and I think I mentioned in one of the town halls

[00:07:31] It's like it's no big deal here. I'm in a smaller smaller part of the Pittsburgh area. Do you know what I mean?

[00:07:38] I

[00:07:40] Had one similar that that I think will really heighten how challenging this is from a from a physical security standpoint

[00:07:48] Doctor gets asked by one of his nurses

[00:07:51] Here's all the paperwork

[00:07:52] I need you to sign all of these and he started flipping through them and he's like I didn't order any of these

[00:07:58] I didn't order any of it. He's like where did this come from? Oh, it came through the fax today

[00:08:04] He's like these are all scams. These are all scams and literally I am basically committing fraud if I sign any of these

[00:08:12] So like not only is it about getting a scam from a financial standpoint

[00:08:16] But he would have been in hot water from a fraud standpoint by signing those because he never did request any of them

[00:08:22] So now there's money potentially coming into somebody

[00:08:26] Because of his signature and and so I think to your point

[00:08:30] This goes hand-in-hand with as we learn stuff

[00:08:33] We should implement stuff and it doesn't always mean we only implement internally. In fact one could argue that just because

[00:08:42] You have the

[00:08:44] So let's just say for example, it's 2FA will keep it simple

[00:08:47] You know that you need to implement 2FA you have four critical systems in your environment that as of right now today

[00:08:53] You can't implement 2FA on because they don't support it. So it raises the question

[00:08:59] do you not do 2FA with your clients or with

[00:09:06] Anybody else until you can do it internally

[00:09:08] So you're like wow well the reason why my clients were breached in fact was because we didn't help them get to the 2FA

[00:09:15] Implementation because we were six months out from getting our stuff

[00:09:20] Like I think that's where this argument becomes flawed is to say do this internally before you do it client-facing

[00:09:27] No, they evaluate internally figure out what the roadmap looks like for your internal

[00:09:34] Situation that doesn't mean that that has to be exactly verbatim what you do with your clients

[00:09:39] And I think that might be an area

[00:09:41] We need to do a better job in our own process, whether I'm working with Secure Outcomes or somebody else, like

[00:09:48] Don't get stuck

[00:09:50] Because you can't address something today as a excuse to not do it where you can somewhere else. Yeah, I

[00:09:59] Think that's great advice and we have to do that

[00:10:04] I think the service, I mean we've heard that, I mean how many times, Bill, did we hear this early on?

[00:10:08] I'm doing this together with my clients so that I can afford to do this internally

[00:10:13] Right like I can't afford to buy the tool unless I get some other clients to go in together with me to purchase

[00:10:19] This expensive whatever it is

[00:10:21] I

[00:10:22] Think that's fundamentally flawed and it's logic because that's about

[00:10:27] Finding the shiny object that allegedly solves a problem instead of evaluating

[00:10:31] What do I already have that at least gets me into a compensating control?

[00:10:36] You know one of the things I wish that have known coming into the trust mark that was was said was

[00:10:43] I

[00:10:45] Didn't know how many of the things I wasn't doing until I started to go through this that we have no excuses

[00:10:51] We're not doing and I'll give the example the best example that was given was

[00:10:56] after hours access

[00:10:59] And I'm like well, I asked him to elaborate you mean like like walking through the like the doors like someone key cards into the building

[00:11:07] He said that's when we should track to but his point was like why is anybody

[00:11:13] That works for our organization

[00:11:15] Logging in as an administrator with privileged access to a client account at two o'clock in the morning

[00:11:22] Like there is no good reason for that even if it's a good reason right like because no one else knows about it

[00:11:29] So it should be the immediately treated as it's bad

[00:11:32] And so I think it's things like that that we have to recognize that

[00:11:37] One of our challenges is to stop working right like our clients are eight to five

[00:11:43] Yeah, so when we work on their stuff at two o'clock in the morning who's paying for that?

[00:11:48] Right, right

[00:11:51] Um

[00:11:52] Yeah, it

[00:11:54] You know, I'm just thinking of client and I'm thinking of what we brought up at the beginning of the the session here and

[00:12:01] You know that two-day workshop

[00:12:04] I was thinking of the workshop or whatever you would want to call that and I was thinking you know

[00:12:09] You're gonna give a lot of feedback to

[00:12:12] From the client that may be beneficial

[00:12:15] Something you may not even know about as far as security or anything IT security building security physical funders

[00:12:22] So you can also learn a lot from your client as well

[00:12:28] So I'm assuming you can get that I think that's an amazing opportunity

[00:12:31] I don't know that I you know, I don't know what the appropriate price tag is for that

[00:12:36] I don't know that I even if I did I don't know that I should share it because that'd be like my version of the truth

[00:12:41] Right like

[00:12:42] But some things that come to mind for that, you know, like so for example with the trust mark

[00:12:46] We have every Tuesday we call it the cyber success

[00:12:49] Meetup like that's an opportunity for like you said to ask questions. Do we do that?

[00:12:55] Well with our clients like hey, it's Tuesday or Wednesday or whatever day of the week it is

[00:13:01] It's my open office hours

[00:13:03] We're here to answer questions like and if no one asks a question

[00:13:07] Here's some of the things that we plan on talking about like did you see in the news?

[00:13:12] The X the Microsoft, you know exploit with the executives

[00:13:17] How does that impact you as our clients? Does it have any bearing on?

[00:13:22] What we do and and maybe it does and maybe it's an opportunity to educate on like hey if they can hit Microsoft

[00:13:28] Do you really think that we're so invincible that we're protecting you at a level that says it's never gonna happen to you? No

[00:13:36] So what do we need to do that ensures that if something like that does happen?

[00:13:41] How do we minimize the impact and how do we do it in such a way that says?

[00:13:45] This is a pay-to-play right like this isn't a

[00:13:50] Charity system we didn't start businesses to be you know

[00:13:54] Well, I'm just doing it out of the goodness of my heart always in forever

[00:13:57] I don't need to pay for anything

[00:13:59] I don't need a quality of life and my kids will magically be able to go to college all on their own because they know a

[00:14:04] couple celebrities that have pulled some strings with the universities that they want to go to right like

[00:14:10] Somebody's reality. Yeah, right

[00:14:13] So how do you navigate that right and I think that's what you I think you are really on to something by saying like hey

[00:14:19] Let's spend time together

[00:14:20] But not do it from a I'm volunteering to hang out here on say a Saturday morning for four hours

[00:14:27] I'm saying that I think you need to be here for four hours

[00:14:30] And this is what I think it should cost you to participate in this conversation

[00:14:36] That's what coaches do right like good athletes don't have a coach

[00:14:41] To tell them what to do just to tell them what to do they do it because they know what's best for them

[00:14:47] and they pay money to be coached right like

[00:14:51] Like if you want to be better

[00:14:53] You find somebody that can coach you to be better than what you are today and you don't expect to get that for free

[00:14:58] Right right now we do that here

[00:15:01] You know we have leadership coaches so right and we pay for them

[00:15:06] right as long that it's and it was kind of

[00:15:09] That was kind of my thought process

[00:15:12] And then again, I'm juggling it Chris with the you know as I go through the trust mark again

[00:15:17] And my am I really at the position where I can offer that kind of coaching slash advice to a client

[00:15:25] But then you throw it in there as well as a you can't take the risk not to like you were saying, you know

[00:15:32] Evaluate get it in place

[00:15:35] So that that's kind of where we're where I am and

[00:15:39] That was my thought behind the you know the workshop type deal

[00:15:43] To tour to try and recoup a little bit of the cost involved

[00:15:47] Well, I think it's an opportunity where you could also bring resources in to help

[00:15:51] You know present the case, you know, I think to your point about like you know

[00:15:55] What you know the risk of not talking about it of not doing this?

[00:15:59] Of saying like, you know, I'm not gonna charge them for products X Y Z to change

[00:16:04] Because of your own risk in not doing so and I think the one thing that comes to mind for me and knowing that tomorrow we have the

[00:16:12] The cyber

[00:16:14] We're talking about cyber insurance questionnaires and like what to do and filling them out and I think

[00:16:19] One of the areas of conversation that we'll have tomorrow is talking about

[00:16:23] What are the things that need to be in place?

[00:16:26] Before I answer the questionnaire

[00:16:29] What am I willing to defend like what's the hill I'm willing to die on?

[00:16:34] With regards to you said no to MFA or you said no to

[00:16:39] privileged access or you like whatever it might be like I think we're at a point where

[00:16:44] Those are incurred costs either as a result of not

[00:16:49] Implementing based on recommendation and the cost that come with it versus the the cost of saying yes

[00:16:55] We're gonna whatever bill says and whatever m6 is doing we want to do too

[00:17:01] And I think you don't have to know, no client is asking you for the speeds and feeds

[00:17:06] They don't want the ones and zeros version. They want the just summarize for me

[00:17:11] What it is that you're proposing that we should be doing and

[00:17:15] What are some options because money's tight?

[00:17:19] You know one option could be like hey, you don't want to subscribe to

[00:17:24] Fill in the blank, RocketCyber, I think, is one you mentioned

[00:17:27] So if they don't want that then maybe presented to them in such a way that says hey

[00:17:31] Who at your company is?

[00:17:34] What would it make sense for the for them to monitor your feed since you don't want to pay

[00:17:40] Have us do it because someone needs to watch this

[00:17:43] Someone needs to keep an eye on it, right?

[00:17:45] Like it's kind of like getting your car parked with valet

[00:17:49] Wouldn't that be fun, as if you do valet parking and they just put your car in a parking lot

[00:17:53] That's like across the street with no fences nothing and the little sign that says don't worry

[00:17:59] This is under surveillance. The keys are in this box

[00:18:02] Yeah, it doesn't matter that it's under surveillance right those cars are going to disappear real quick. Yeah. Yeah

[00:18:09] Yeah, we do

[00:18:10] you know for those

[00:18:12] One of the things we do was we do practice what we preach so we have these tools in place and we're you know

[00:18:17] We're going through the trust mark. We explain this to clients when I go out

[00:18:21] I met with every one of my clients last year

[00:18:24] explain what was going on and and out of the

[00:18:27] You know 60 plus active clients we have unmanaged services

[00:18:31] I had to balk and we actually have a waiver Chris

[00:18:36] It's strong arm, but we have a waiver

[00:18:39] You know after we explain what the tools are for and what the services were providing what we're doing that

[00:18:45] says if you turn down this

[00:18:48] cybersecurity enhanced

[00:18:51] Offering that we are proposing

[00:18:54] You will notify your vendors and clients within 10 days that you have turned down

[00:19:00] Recommended cyber security. Oh, wow. Yeah, it came from our attorney and of course it was two law firms that bought and then

[00:19:09] Really back down. Yeah. Yeah, so you know it says something too though. It says

[00:19:15] You know, it's like we see this with kids, right?

[00:19:18] Like it's really easy to do bullying when you can do it from your cell phone versus doing it in person

[00:19:24] And I think that's true with cybersecurity services, it's easy to say notice something that's not tangible

[00:19:29] You can't see it and you don't really understand what the implications are of not having it in place

[00:19:36] So being able to articulate. Hey, you're saying no, but you're not just saying no to me

[00:19:41] You have to say no to everybody that you work with

[00:19:44] It's kind of like the, this is another insurance questionnaire comment

[00:19:49] But like what does yes no answer actually mean when I answer this question?

[00:19:54] And I think that was I think that's a really good example of they said no

[00:19:58] But it's no but or no and no you said no and you now have to tell everybody that you said no

[00:20:05] Well, the other thing we did Chris was tell them

[00:20:08] And again, this was last year that if you say no come January 1st. You are going to need to find

[00:20:15] new service provider because we couldn't I mean we were serious about we couldn't take the risk of continuing if you're not

[00:20:24] You know willing to

[00:20:28] Take these services and understand the risk they're putting themselves in and their clients

[00:20:33] I mean just like us and you and all of your other clients, right?

[00:20:37] So I think that's a really good segue as we have a few minutes left is to think about

[00:20:44] You know you mentioned the trust mark

[00:20:46] Doesn't show up so much just in CIS

[00:20:48] But when you think about governance and leadership of any organization one of the things that you should be doing is doing regular risk assessment

[00:20:54] Right not on your clients necessarily of course, that's important to but in this context

[00:20:59] Do a risk assessment on yourself and you're like hmm who are my biggest risks?

[00:21:04] Hmm probably every single one of my clients right and when you look at your clients of those

[00:21:10] Which which have the highest risk and maybe you give them a letter grade and you're like anybody that is a C or below

[00:21:16] We have to off-board in the next 90 days to six months because we just can't afford that risk

[00:21:22] And I think what it does is instead of it being this daunting. I can't lose

[00:21:28] I mean that's the whale right like they pay all the you know that one

[00:21:31] That's a D minus like they're they're covering the four clients that don't pay very much right like

[00:21:38] But I think if you do it in such a way that you you set a trajectory that says over time

[00:21:44] We're reducing that risk by X and you document and track it

[00:21:48] nobody's gonna you know come to you and say wow you

[00:21:52] You just guys you just kept this client on because they were paying you like you can move away from that

[00:21:57] And I think it gives you the ability to plan for

[00:22:01] replacing that revenue with clients that are willing to

[00:22:05] Sign off on security services, and I think that's the where you that's where you suddenly get excited about showing up to work the next day

[00:22:12] right, right

[00:22:15] Except on the weather we're having but like normally

[00:22:18] Like this is one of those where you like I want to get on a plane and fly to a

[00:22:22] Another climate where it's comfortable like tropical climate, but you're like yeah, I have to get to the airport

[00:22:27] I know it's gonna be delayed. I might not even leave the airport

[00:22:31] And so then you're right back to you like I don't even know why I'm thinking about leaving my house

[00:22:35] I

[00:22:39] Yeah, so

[00:22:42] With the few minutes that we have left we've covered a lot of ground and if I were to summarize

[00:22:47] The there's there's three things that anybody who's considering offering security services that isn't already doing it

[00:22:54] Three things come to mind number one is

[00:22:58] Obviously don't go and sell security services that you haven't wrapped your head around the value proposition as to why they need this service

[00:23:05] Because there isn't a one-size-fits-all I think we talked about that a few times and and within that it's okay

[00:23:13] to provide a security service that you're not

[00:23:18] Currently implemented in your own environment if you can defend it, right?

[00:23:23] So like defending it might be it's on the roadmap for

[00:23:26] Quarter two twenty twenty four

[00:23:28] But I can't do it right now because these other things have to change in our organization in order for it to work

[00:23:34] That doesn't mean your clients have those same

[00:23:37] Restrictions right like they may not have any of those things

[00:23:41] Number two, I think is you are obligated to educate. You are not obligated to implement. I

[00:23:50] Think you said that twice

[00:23:51] I think that's a really important one and then that links leads to the third one be prepared

[00:23:58] To

[00:24:00] Eliminate clients that are putting you at risk because they don't want to take the security services seriously

[00:24:06] And I think you gave them probably the best one. I've heard to date is if you say no to this

[00:24:12] You have to tell everybody else you said no

[00:24:15] Yeah

[00:24:17] Yeah, because that's not firing a client that doesn't necessarily mean you're not keeping the client

[00:24:21] But we're saying like we know that your risk is relatively high and everybody you do business with should know about this

[00:24:27] Like hey, am I calling the insurance company or are you calling the insurance company? Right, right?

[00:24:33] I mean okay, and you know if you look at it and all of us in the MSP or IT space know it

[00:24:39] If something happens at a client that affects their client it's gonna come right back to us and

[00:24:44] we're gonna we're gonna be the

[00:24:47] It's gonna be our fault basically and in so many cases it is your fault right even when it's not your fault based on the

[00:24:55] Technicality it's your fault because of the

[00:24:59] Negligence that came out of not forcing the cards right like you knew what would happen

[00:25:05] You told them that they needed to do this. They said no and really that's where it stopped because

[00:25:11] Sometimes it's really hard to show the evidence to support why why bad things will still happen

[00:25:18] But if only there was like a button you could push to say okay, if you say no

[00:25:23] Here's exactly what will happen to your company in approximately 30 60 90 days right like if we could do that

[00:25:29] I don't think you'd have very many clients saying no to anything right, right?

[00:25:34] Well bill is there anything that you want to share with the listeners that we might not have covered or that we should cover in

[00:25:40] Another episode as it pertains to

[00:25:43] Security services how to position them and what it means to say I'm not doing this internally

[00:25:48] But you need to have it in your environment

[00:25:50] Well, Chrissy the only thing I would suggest and only knowing this because even even in our tighter circle of

[00:25:58] You know MSP igniting and Secure Outcomes

[00:26:02] There are members of

[00:26:04] My peer group and others that you know have indicated they don't have the time or it's not it's not on their radar right now

[00:26:13] I would suggest to anyone considering it that if you don't start taking this seriously and going through some type of

[00:26:23] You know framework that's going to improve your security you're gonna be out of business or you're gonna be left behind

[00:26:31] So for those that are a little wary of starting I would you know start somewhere and start as soon as possible

[00:26:38] I

[00:26:39] Think that if the only thing someone got from this episode is that you can't ignore

[00:26:46] You have to do something you can't I

[00:26:50] Just just saying like I don't have time. I mean let's be clear the trust mark

[00:26:53] It seems daunting CIS it seems daunting the reality from any MSP that has really

[00:27:00] Articulated how much time it's taken them to prepare for the assessment?

[00:27:04] It was about 90 days with an investment of two to five hours a week

[00:27:08] So to me that says okay spread your timeline out a little longer

[00:27:14] commit time to this and

[00:27:16] You can move forward and get this done

[00:27:19] The only ones that are saying this they don't have time. They're not doing any of it

[00:27:23] They're not even trying to put something on the calendar to say you know what this week

[00:27:29] I have an hour. I'm gonna at least start

[00:27:31] Yep, yep very important very excellent. Well, I this was a great

[00:27:37] I learned a lot today, Bill. I really appreciate your time. For those of you listening

[00:27:41] This has been an episode of MSP 1337. Thanks and have a great week. Thanks