Simplifying Risk Assessments for Real Cybersecurity Impact

In this episode, Josh Hohbein of CentrexIT breaks down a practical, MSP-centric approach to risk assessments that moves beyond complex, consultant-driven reports and toward clear, actionable business outcomes. He shares how combining vulnerability scans, client interviews, and system configuration reviews, anchored in a cyber maturity model, helps MSPs translate technical findings into meaningful risk conversations, especially during onboarding. The discussion highlights the importance of ownership, communication, and collaboration in managing inherited client risk, while previewing a live demonstration session at Pax8 Beyond, designed to equip MSPs with repeatable frameworks they can own. Ultimately, the episode reinforces that effective risk assessments aren’t about identifying more issues; they’re about enabling better decisions, strengthening governance, and driving measurable security maturity.

[00:00:06] Welcome to MSP 1337. I'm your host, Chris Johnson. This is a show dedicated to cybersecurity challenges and solutions: a journey together, not alone. So, on MSP 1337, we are getting close to the Pax8 Beyond event. In fact, literally a week from today will be the first day of sessions.

[00:00:34] And with me, I have Josh Hohbein of CentrexIT. Josh, welcome to the show. Hey, glad to be back again. Yeah, you kind of are a borderline regular. I think it's been, you've already been on twice this year. So, I mean, with the number of episodes, that makes you a regular. But I wanted specifically today to talk about what you're doing at Pax8 Beyond.

[00:00:57] I think it's a testament to many of the conversations you and I have had, conversations that Matt Lee and Dom Kirby and the four of us collectively have either had together or separately. And in many cases, actually talking about the very same things, both related and unrelated to what you're proposing or what you're presenting at Pax8 Beyond. And just to give the audience a little bit of background.

[00:01:53] When an organization is starting to show maturity in their approach for doing one, because I think there's evidence of maturity by proposing you're going to do a risk assessment. And maybe just give a little bit of background as to how you got into doing risk assessments and maybe explain the components of what goes into a risk assessment. That kind of thing. Maybe just kind of a little bit of the backstory for how you got into this.

[00:02:20] Yeah, no. So it all really comes back to, you know, what we've talked about, not only on this podcast, but plenty of other places. If you know me in the cyber industry, I'm always touting the cyber maturity model where we've made, you know, took controls and stuff and made them easy. And it really tied back to that and having it as a risk assessment.

[00:02:44] So the maturity model is kind of the roadmap, the blueprint, our whole everything we do, the services, the products, our whole security offering is based off of this. So it made sense to then basically, well, we're kind of doing a gap assessment, but let's go a step further and really kicked it off as seeing some of our clients going out and paying a lot of money for a large consulting company to do a risk assessment.

[00:03:14] And they came in and with their, you know, spreadsheets and basically, hey, here's 60 questions or more on, do you do this? You know, upload some evidence and stuff here. And it was always based off of like, usually NIST. And then at the end of that, they got, you know, maybe a fancy PDF or a large Excel sheet. And the, you know, our point of contact, the client was left wondering of like, what the heck do I do here? Like it says I'm missing policies and I could be doing it, but they didn't have a clear definition.

[00:03:44] And they had just paid, you know, multiple tens of thousands for this. Right. So I really came at it with, hey, we've, we've simplified aligning to a framework. Let's simplify a risk assessment and make it really a practitioner level of what specific steps do I need to take right now to address business risk?

[00:04:04] So what I'll be doing at Pax8 with Matt Lee and Dom Kirby is, I mean, really giving away our secret sauce of exactly how I do risk assessments within an organization. And they've been a great source of like a sales funnel where we're leading with those. I'm also helping our current clients with them as well, because, you know, first and foremost, it's not just an external vulnerability scan. Like, yeah, that's part of it, but that's not your full assessment.

[00:04:31] And then on the other side, it isn't just, hey, answer these questions. Because at that point, it's more of a self-guided attestation, guided self-attestation at that point. It's working with the client and it's a combination of, yes, the external scan. Yes, there are things that I need you to, to add, you know, to answer some questions and provide some feedback on.

[00:04:53] But we're actually looking at the configurations of their environment, their Microsoft, their Google, their Active Directory, the network, you know, the things that will actually matter and will actually get them compromised and can provide, you know, business risk. And from there, in that process, we are checking off what things they meet on the maturity model, which is the framework. And we're showing them, hey, these are the high risks that need to be addressed right away.

[00:05:23] They have a roadmap. They have a frame, like they're aligned, like they see which controls they meet and which ones they don't meet on that maturity model. So not only do they get a roadmap of these need to be fixed, they're also aligned to a simpler framework. And it is really easy for them to, you know, either hire us, hopefully, to help them with that.

[00:05:45] But even if they don't, to take it internally or potentially to, you know, maybe a break fix, depending on their budgetary needs, to look and say, hey, I need this done. And then what do I do next? Well, you know, X, Y, Z. So I found really good success with it. It's interesting. You know, I was thinking about when you look at any framework and you think about the role you play as the MSP on the equation.

[00:06:12] If it's a prospective client, you know, what are the things that they would get by having your services that they would inherit, right? So, like, we know that if you use CIS Top 18 as an example, or the Trustmark maybe is something you're using internally to help you navigate. This is what we're doing internally. What are the things in here that we would also then transfer or the client would inherit?

[00:06:33] And it's interesting because every MSP I've talked to can talk about the services that they deliver, but they often can't talk about what those services actually align to. So if I did a gap assessment, I did a discovery, you know, risk assessment on a client, I don't really have a good way if I just do it, you know, shoot from the hip and say, oh, look, I did a bone scan. Look at all the bad things. You know, what does that mean?

[00:06:58] What were the risks that I'm basically telling them that they have and do they even matter when we look at it through, you know, the microscope and say, oh, yeah, solve this vulnerability, but it only can be exploited if the following three things are true. So let's not put that as a red alert, like go do this right now and then have them think like, well, I have to hire somebody to do this because I don't even understand what you're telling me and you're telling me to go and fix this.

[00:07:25] That seems like we're just asking, you know, whether the blind leading the blind. Yep. So, so you go through and do this sort of risk assessment and you come away with like, these are the things that are needing to be done, but how do you get them to understand that this isn't a, you're not looking to find bad things to just have them go and feel like, man, we were doing it all wrong.

[00:07:49] And woe is me, they've given me a really clear picture of how much we fail at providing the security to our organization, either through the existing MSP if they have one or their internal IT infrastructure, whatever that might look like. How do you help them understand like what you're doing isn't about, you know, damaging a relationship potentially with their existing MSP or any number of participants in this equation? Because, you know, we all see the forest through the trees differently. Yeah.

[00:08:19] No, there's a couple of ways we go about it. I mean, there are, you know, ones that I've done, assessments that I've done for clients who are currently working with an IT provider or maybe a smaller MSP. And it is never, you know, a blame of things like that. It is like, hey, these are the facts. And, you know, we at Centrex are more than happy to help you, whether on an MRR or NRR basis, but you are fully able to take this, you know, our findings, and bring it to your perspective.

[00:08:48] And that's not a preferred provider for them to do.

[00:09:18] It's really more of a collaborative effort rather than a blame. You know, sometimes there are glaring holes. And again, it isn't just a, you're just presenting the facts, and it's how you present them. And again, offering your assistance. But, you know, you're there as like the third-party attestation of, hey, you know, this is what you guys are meeting. This would be the recommendations, you know, our roadmap, our budget.

[00:09:44] But again, feel free to take this internally or to whoever you want and work with them on fixing it. And we're here if you guys need extra help. Do you find that there's a challenge with helping them understand where their burden of responsibility is and take action? Like, you know, every time an MSP takes on a new client, you take on new risks too, right?

[00:10:08] Like that client, regardless of your risk impact or your risk assessment, regardless of that, you're inheriting risk as soon as they become your client. How do you navigate that? Because I feel like that is one of the biggest challenges that any MSP is going to face in thinking about things like, did you ask to see their insurance questionnaire that they filled out? Do they have insurance for the, you know, for cyber liability? Do they have those things in place?

[00:10:34] And, you know, the one I always hate to hear is like, well, we have, you know, but you guys handle all of our cybersecurity. So you should be carrying these cybersecurity insurance. It's like, wait, wait, wait, cybersecurity insurance is for the MSP that gets popped, not for an MSP's client that gets popped. That's E&O.

[00:10:53] And I can almost guarantee you that most of those clients are not thinking about how they have to carry E&O and cyber liability for their clients downstream from them, which is that, you know, six degrees of Kevin Bacon. But like, if we're not looking for those things and helping them understand responsibility just at the insurance level, how do we ask them questions to show that they understand the responsibilities of risk that they have as they engage in that agreement with you as well? Yep.

[00:11:21] So we've actually built it into, so if somebody signs on with us as a client, we obviously are doing our homework. Our onboarding is a project. It's a four-week project that's run where we're doing a lot of discovery. But as part of that, the risk assessment outline that I do as a project is built in to that cost.

[00:11:44] So all of the clients are really getting one, so we understand the risks and can help with that roadmap. But, yeah, it's happened for sure, you know, is there's only so much sales conversations and, you know, quick assessments can look at.

[00:12:01] But as you start getting into the environment, you know, we have a document of, like, known issues that are logged, that are fixed, that need to be followed up on, that, you know, if it's bad enough where 3389 is open to the world, you know, we might step in. But all of those things are documented. I don't know, you change it to 3390 to keep them secure. Yeah. Security by obscurity, you know? That's right. They won't think of trying other ports, but... They won't. They won't port scan, no. No, of course not.

[00:12:31] Well, so let me ask you a question, because I think this is a really good segue. Is, you know, you're thinking about doing the risk assessment, you think about things like vulnerability scanning, and all the different things that you can uncover through those tools or resources that, I mean, even asking questions can often tell you a whole lot about things like policy, policy enforcement.

[00:12:54] How do you navigate when you're providing them with some of that feedback and the things that they need to do, but they don't actually understand what that means? Like, so, like one of the reports that I used to use all the time back in the day, it was actually the first time I'd seen it, was it was a vulnerability scanning tool that did both the scanning and remediation, but it showed you 30 days in rear, current, and 30 day future, right? So, like it says, we've solved for these things.

[00:13:23] This is currently what's still showing up as needing to be remediated, potentially. And then here's an outlook going 30 days into the future of what we plan to do with the existing remediation. The flaw that it had, the report was great, assuming those were things that you wanted to actually do. The problem was it was all automated, and it just showed what it found, what it deemed to be, you know, true, whether it was a false positive or not. Here's the list. And sometimes it was repetitive, right?

[00:13:51] It would show you, you have 35 assets, and they all have the same vulnerability. Well, it would show up as 35 vulnerabilities, which is true, but that's a dirty way of looking at, hey, if I fix this one thing, it fixes 35. I'm doing one task for 38, 35 problems. How do you, I mean, that seems like a big one. Yeah, luckily, like the vulnerability management platform we use, it's called Shield Cyber, and a shout out to them.

[00:14:18] They do that, like where they combine, we get like an executive summary of like, yes, it says you have 47, but if you update, you know, these two servers, like it takes care of all 47. So we're able to easily show that. But I also explain it, I mean, that's the whole thing here is like really, and dumb it down isn't the right context, but make it much more digestible of, you know, I let them in on a secret.

[00:14:43] I'm like, hey, honestly, vulnerability scanning is just, you know, telling you if you're installing your updates. So really, it just shows that we're behind on updates, we need to patch whether it was missed, or, you know, do you have a business reason for leaving this one behind? And then we need to add compensating controls to it. So that's really what it comes down to is just, hey, are you installing your patching, your updates, whether it's on edge devices or endpoints.

[00:15:12] And if there's something glaring, then we'll go into detail over why this is bad. You know, if you have an exposed firewall management system, like, hey, we can't have that or whatever. But really, the vulnerabilities come down to, hey, we just need to run updates on these. And if, you know, if they say, well, we can't, or this is like a lab machine or a manufacturing machine, then, okay, we need to have another conversation over, like, this is a risk, like, what other compensating controls get into the air gapping,

[00:15:42] the separate VLAN, DMZ, XYZ. But, yeah, just really simplifying it. Because, yeah, that's my, it's a gripe with vulnerability scanning is, like, yeah, you run a scan, Nessus or whatever, and it's like, oh, you have a thousand on all of these, and you're looking at it, like, what the hell do I even do with this? And, yeah, it's very simplifying. You're like, oh, look, there's a JavaScript library from 2004 on every asset. Wait, it's included in the patching? What do you mean it's included in the patching? Yeah. So we've got a few minutes left.

[00:16:11] I would love to have you kind of give some hype around the session that you're doing next week, because I think it's very compelling as you are going to be exposing some of your secret recipes, secret sauce, if you will, to the MSPs that join for that session. And kind of walk me through how this came about and why Pax8 Beyond to sort of share with the world. Yeah. I mean, we're big at Centrex.

[00:16:40] We're big Pax8 partners, and I love working with Matt Lee and Dom Kirby. Beyond is one of my favorite conferences, so I'm very excited to work with them. Matt Lee, especially on the cybersecurity track, does a lot of the content. So it is very educational with that. And they kind of reached out to me and asked if I would want to do a session with them. And yeah, we made a fake company.

[00:17:06] So if you ever worked with Matt or Dom, they are fun guys to work with. So not only will it be educational, but we'll have some jokes and fun times thrown there. But we made a fictional company and really just ran the assessment on the company. So on stage, you'll be able to see that client meeting, that executive summary where I go over the findings, discuss the findings with Dom and Matt. There will be some role play in there.

[00:17:33] And I mean, it really is like I'm giving you the 11 secret herbs and spices of our risk assessment. You'll walk away with the cyber maturity model, which I know I've shared out plenty of other times, but you'll have it then as well. And you'll be able to see how to align the risk and the assessment to it and what things that you should actually look for, in my opinion, to make your risk assessment worthwhile.

[00:18:02] And it doesn't involve getting a high-paid consultant. Really, if you're a managed service provider, you should be able to look at these things and perform this. So you're going to be able to increase your projects, have this as an NRR, which then obviously will, you know, when you're offering these, add to your sales funnel of hopefully capturing that as managed recurring revenue.

[00:18:30] Yeah, it's not to give away any secrets, but having seen your maturity model a few times, I think it's kind of cool to one of my big takeaways from the maturity model that you've built out using the Venn diagram of showing people process and technology or people process and tools, quite honestly, and where those overlaps are across the three categories.

[00:18:55] What I found interesting is without, I don't know that I saw any exceptions across the board, but so my observation, and you can correct me if I'm wrong, is that as you mature, not only is there a shift of heavy saturation of tools on the one side without people process really being in the equation, but when those shifts start to happen, you also start to see a real reduction in the number of tools being used. Oh yeah.

[00:19:53] You're level one, level two, if you will, have that heavy tool saturation. They're spending a lot of money on technology and they're probably not getting a lot of ROI unless all of those tools are being handled and managed by a third party. Yeah, no, it is fun. If you look at that Venn diagram, your level one is like all tool, basically, with a little bit of process and people. And as you go to two to three to four, it does shift.

[00:20:21] I mean, you can see the shift in the Venn diagram where it's more of the process with maybe a little overlap in the tooling. Yeah, you could have, I suppose you could see where your three circles were to become a lot more collapsed on each other. So the overlap in the center is a much bigger piece of the overall circle.

[00:20:41] And I think, I think that's another, you know, potentially a future episode or even a future in-person conversation around looking at what real governance looks like. Right. So governance isn't just the people process and technology. It's how does that organization not just survive, but thrive in the absence of say business owner or in the, the absence of a technology failing. And I think we tend to see that getting missed. I had this conversation this morning.

[00:21:10] We were talking about the research that Carolyn April and the team put together for, for the ASCII shows basically talking about, you know, where AI adoption is happening. And so that survive, thrive, et cetera, of like the AI train has come and gone, right? We're no longer dealing with when AI gets here or when we adopt AI. I think they said something like 96% or 98% of the SMB space has already adopted AI in some way, shape or form.

[00:21:38] Whether it's shadow, shadow AI or, or just, you know, turning on say things like copilot. But what was interesting, and I think this kind of goes to where you're doing the risk assessments, where this maturity model comes into play is that it kept coming up over and over again. Leadership has to establish with the organization, what are the outcomes we want from AI?

[00:21:59] And then it was like talking about things like, how does the strategy look as far as, you know, getting all the right people, you know, who's the champion in our organization around AI? And one of the things that it points to is that most organizations in the SMB space have not invested in roles and responsibility. And if you think about that for a minute, like, it's not saying that you need to have a named CEO or a named, you know, chief marketing officer, those kind of things.

[00:22:26] What it's saying is, are there clearly defined roles and responsibilities that are recognized by everybody in your organization? Which then translates into, if that's being done well, then that means that those are interchangeable, because the clarity around the work needing to be done can be given to somebody else in the event that that individual is no longer there. And so that kind of comes into, like, the fourth through sixth sections of the AI conversation, which was: this is tied to maturity.

[00:22:56] Maturity is tied directly to good governance. And I think it goes back to pretty much everything that we've been talking about today is that a risk assessment identifies the either the absence of maturity in certain domains or the opportunity to mature because of what the risk assessment uncovers. Yep. Well, so we've got your session. Is it on Tuesday or Monday of next week?

[00:23:26] I believe it's on Tuesday. I think so. I'll have to look at the schedule, but I'm fairly certain that it's Tuesday, Tuesday afternoon. Well, there you have it. For those of you that are listening to this episode, I hope to see you. Josh hopes to see you, both in his session and to network and hang out with us at the upcoming Pax8 event. I will be there Sunday through Tuesday. Josh, I assume you're going to be there Sunday night or Monday. Yep. I'll be there Saturday, Saturday, actually.

[00:23:55] Saturday through Wednesday. I actually get in on Saturday. I go home on Wednesday. So, you know, you have to plan, right? You can't just be there like, get there on Monday. You'll miss something. So, yeah, I'm excited. We know all of the Pax8 peeps that will be there. I actually got to listen to Rex Frank speak at ASCII, and knowing we kind of had some foreshadowing of the things that he'll be presenting on at the upcoming event.

[00:24:21] And GTIA has some big announcements that I think will be shared at this coming Pax8 event. So, we hope to see you there. We'll have a booth in the Tech Pavilion. And I think a good percentage of our leadership will be there. So, be sure to say hi. For everybody else that's not going to be there, too bad. So sad. Thanks and have a great week.