Vendor and Product Evaluation

What does it look like to have an employee request approval for a specific tool? Do you have an evaluation process? What types of risks are introduced that you need to consider when evaluating a new vendor, product, or service? All of these questions and more are discussed with Chad Holstead of BKS Group.

[00:00:00] Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone.

[00:00:17] Welcome everybody to another episode of MSP 1337. I'm joined again this week by Chad Holstead of BKS Group. Chad, welcome to the show.

[00:00:29] Thanks. Welcome. Thanks for having me.

[00:00:32] So this isn't a topic that hasn't been covered, right? So we're going to talk again about, I would like to have said this was a vendor management conversation, but really we're trying to take a step back. It's not really a control in the top 18, but to talk about vendor evaluation.

[00:00:53] We've seen some stuff come out of CompTIA around this. They've got a vendor, I don't remember the exact phrase for it. Oh, it's called the factors to consider when selecting a SaaS vendor. It's got some questions around what you might ask of a vendor who falls into this category.

[00:01:12] We've seen with Mike Stewart and others on, you know, a vendor doesn't have MFA as a criteria or doesn't integrate via SSO like those are deal breakers. And I think this conversation and some of the suggestions that you've made this is less about the checklist and more about a better understanding of what are the risks to my organization as it pertains to using their product not just for the company but for the company.

[00:01:42] Box checking, right? Like this isn't like buy need this vendor's product will figure out a way to make this work. This is really about understanding some of the things that you talked about like from a governance standpoint. Do we even need this tool?

[00:01:56] And then I got me thinking about some of the other pieces which is like, you know tied to the evaluation of control 17 in CIS which is that incident response and inside of incident response you highlighted for me gets into doing a business impact analysis, doing a risk profile.

[00:02:18] So I guess you could say that we were both looking for doesn't somebody have a sheet that already does this for me. I mean, I think was that kind of how the conversation started because I think it's worth sharing the story to help frame this up for people that are listening.

[00:02:36] Yeah, and ultimately that's where it started is I had an employee that asked for approval for a piece of software to be installed on his computer.

[00:02:51] I asked him what the software does and why are we asking for approval turns out that I've actually approved this already and I just forgot about it and it was zining an update.

[00:03:05] So but when I went down that thought process in my head since I didn't remember approving it, that means that we didn't do good due diligence. We didn't do the risks.

[00:03:17] We didn't understand the point to the vendor to our process. Right. That I think and now what that what that led me to ask questions about specifically you and the team was I started out with risk assessment.

[00:03:33] Hey, this vendor does this. What are my risks and as we I'm sorry, let me back up a half a step. This software does this. What are my risks? So I was a rabbit hole of a software risk assessment kind of thing right.

[00:03:49] Right does it save data. Where does it save data, et cetera, et cetera doesn't have MFA those kind of questions would actually turns out was I was asking a lot closer to what you're talking about is the vendor analysis.

[00:04:03] Why do we need the vendor? What risks do we have by onboarding this vendor and what mitigating factors are we putting into place if we have risks by onboarding this vendor and right yeah.

[00:04:17] I asked you we don't want to reinvent the wheel right so we all ask is there something out there I can start with kind of thing. We all are each other's AI right right.

[00:04:28] Go let's go check ChatGPT, it will probably have a good answer for me, let's go let's go look there yeah so that's kind of where I was started with it.

[00:04:37] And you're correct, you know I went at that level of thinking about risk assessments but in the end of the day what I was really what I really need to do is come up with a process and a procedure for evaluation so that we understand what's out there.

[00:04:53] Yeah, I think correct me if I'm wrong I said control 17 which is incident response planning control seven is vulnerability continuous vulnerability management which gets into business impact analysis.

[00:05:08] But the reality is that all of those things don't matter because yeah so so CIS unfortunately doesn't spend a lot of time talking about the vendor evaluation from the perspective that we're talking about it today.

[00:05:19] They talk about it more of like you have this vendor is it approved or not approved.

[00:05:25] Some things like that and I think and not to downplay the value there but more of like I think we're starting to navigate a new it's on a new space but are we're putting on different glasses right so like.

[00:05:37] You mentioned this before like 10 years ago everybody had admin rights like we looked at everything through rose colored glasses because we had no.

[00:05:46] The impacts that we'd seen the businesses were largely far away and seemed very unlikely to happen to any of us.

[00:05:55] But now what we're talking about is understanding why do we need this vendor product or service the why like even a week ago two weeks ago we might not have asked a very good question.

[00:06:07] Why question because everybody in our organizations going to ask for something that you're confident in their ask that that's probably something that they need or they wouldn't be working for you.

[00:06:19] But then it makes me think about like what you said we take admin rights away and we use things like AutoElevate or you know just in time I whatever it's called but like they used to be resistant to that.

[00:06:33] And now we're talking about like just even to talk about applications that we want to install are we doing enough to mitigate those risks that might be tied to like is this really the right approach to solving this problem or solving this challenge.

[00:06:50] And I think that's the part that's got me kind of head spinning in which is why after you had posted that on Secure Outcomes like maybe we should talk about this on the show because I think this is largely what a lot of solution providers are dealing with and that is how to how to recognize when we've we've essentially gone around our own process and procedures or even are sort of like ignoring the policy that we thought was being enforced to solve a problem because we found an exception to the rule.

[00:07:20] Yep. And this kind of highlighted that for me, I mean the employee that has this question he wasn't trying to go around stuff no he had a very specific problem with our current procedure and he found a software that helped him get through that problem right now.

[00:07:41] I part of my reasoning for having this thought process in my head is like wait a minute probably ask me for approval when I was five other things like you said to go ask dad he's watching the football game they'll say yes right.

[00:07:55] And now it's like why didn't we evaluate our procedure right kind of thing.

[00:08:02] I don't know the answer to that and now I have to go back and do that but if I don't have a procedure documented what can I ask him to come to me kind of thing.

[00:08:15] So this is really where I'm at right now it's like I need to document a procedure, a policy something that says if you want something this is how you get it.

[00:08:27] Sure, but I think there's a there's a bigger challenge here so I'm thinking about the ask this ask is in.

[00:08:35] I don't want to say it was a selfish ask but it was how to solve a the inconvenience challenge and for those listening we're talking about trying to get a laptop to current Windows updates before we start putting the additional software on there because the last thing you want is to just start flooding your system with tickets because the machine is not up to date right.

[00:08:56] We're getting into an area where we could have said well if only he would have used the flash drive with the golden image.

[00:09:02] That we just maintain because you can load those so quickly right but then you run into the whole like now I'm missing all the drivers for this version of HP or Dell or whatever it is and we all know how that goes but but I think what's what's interesting here is.

[00:09:16] We all are dealing with those types of challenges right so what would have been what's the right way to do that like maybe that's even a question asked like we're trying to solve Windows updates is that tied to like needing to be able to you know third party software to remote to this because I think this gets into that you know when you meet with staff and you start having the brains for me the idea is that.

[00:09:39] Are the you know the creativity of you know we've been doing this this way for years but it takes X amount of time there's got to be more efficiently of doing this I think that's the real route of the question being asked to install this software was like there's got to be a more efficient way of doing this right and I think that's where your.

[00:09:59] Well I think that it is and you're correct on that the problem that we have is the culture that we have here and we talked about this in a meeting this morning too as MSPs, as solution providers we've always had that customer service get the customer's computer back up and running and get them back into production production right.

[00:10:24] They don't want to be sitting there twiddling their thumbs so what do we do we bypass checklist if there's a virus we clean it and get it back to them we don't actually slow down and cost cybersecurity insurance company do forensics analysis like we're supposed to all the time right we just wipe the computer give it back to them.

[00:10:44] This is the same scenario is instead of the team slowing down like we need to build a culture.

[00:10:52] We built such a big culture in the MSP community of go fast give the computer back to them in 30 minutes and you're on your way kind of right.

[00:11:00] And we need to now build a new culture in the MSP solution provider world of slow down call the experts first breaks think about it a little bit yes it's going to cost your customers from productivity so you know what throw them a loaner laptop something else because we have to change that mentality.

[00:11:21] And that's what I'm struggling here with this specific incident and it's not an incident issue example yeah it's not yours those were yes.

[00:11:34] What the employee wanted to get something done needs to get it done in a timely manner for the customer has a work around whether or not it really is approved work around isn't to be said yet.

[00:11:48] Sure and slowing down and actually thinking about it instead of working your.

[00:11:55] Instead of setting the expectation of the customer up here he needs to bring the expectation of the customer down a little bit and that's a culture thing not necessarily even I mean you can't push that via policy you can only enforce it with you so it's funny so I have I have a workshop that I'm doing in April at MSP community mind.

[00:12:17] And it's how to select the right security stack and it's part of a workshop that matley from pack state and I have both presented together we've done it separately but we're now at a point where if one can't make it the other one can then we'll just swap out who's presenting and get it done.

[00:12:37] And what's important about the exercise in the workshop is it's all about the what and the why.

[00:12:43] Before you start deciding the how and the tools that will deliver on this and I think in your case the the approach wasn't necessarily wrong but it's one that could have been.

[00:12:57] On a more collaborative conversation go wait a second we don't want to just solve this for a one off we want to solve this for always in forever because this is crazy like I do not the efficiency waste here of trying to you know solve it in the one off is like what are we doing next time picking up the next free or paid tool to solve this I think that's where the challenges right like.

[00:13:19] We always say our actions that we the initiative for the taxonomy of safeguards on that tool side is is you know where does it fit so is it facilitating you know addressing a safeguard or your policy maybe you could say facilitate supporting the policy doesn't validate or verify the things that are in the policy like is it one of those automated collectors that can give you evidence to say yes you are doing these things or does it.

[00:13:47] Archery are fully facilitate the safeguard and I think that's where we start to see the challenges and what you're trying to accomplish is if the scope isn't defined well enough for what you're trying to accomplish.

[00:14:00] Then you're always going to have things like this that are kind of a one off because we haven't given the intent or the time to go we need to solve this not put another bandaid on.

[00:14:14] Correct and that's been their valuation right like is that not what we're evaluating vendors on like what is it that you're going to do for me what is it that you're going to solve for me is this a temporary solution or is it a permanent solution to my current challenge.

[00:14:30] Yes 100% and with the end of the day it.

[00:14:38] The guys just it's it's a frustration from them because it's like wait a minute I just want to do this and get out with my life and it's like but you're not solving the problem you're making us more inefficient than efficient.

[00:14:55] And it's you just can't throw tools at it and expect everything to work any we used to be able to.

[00:15:03] It's a different world that we live in now and you can't do it that way.

[00:15:09] Right so if we were to try and solve this today like what is it that you're looking for because you know the conversation started with you kind of posting in the Secure Outcomes Teams channel saying hey does anybody have an answer.

[00:15:24] It's a different way to do this because this is way bigger than a checklist.

[00:15:30] This is getting into things like you mentioned business impact analysis you mentioned you know sort of a risk strategy for like critical infrastructure versus you know some of the more you know like operational versus and fill in the blank.

[00:15:45] Do I need is my coding software mission critical compared to my RMM.

[00:15:52] You have the same risk right do I care if my coding software has MFA turned on probably not right do I care if my RMM software has MFA yeah I do right you might want it in your your mark your sales or your voting software because you might have enough information in there that might be valuable to somebody besides you.

[00:16:15] Okay but to your point to your point the information is valuable to me not valuable to.

[00:16:23] The world in general right right but that's part of the process right like perceived like this is one of the things that you have this conversation all the time I know you do with your clients to talk about it on a lot of our calls getting a client to recognize that.

[00:16:35] They do have something that's important to somebody like so if we're doing you know like how long can you not be able to run payroll how long you know like a day 30 days.

[00:16:45] Like as long as my bad things happen between the second and the 18th everything's fine to do payroll you know between the 20 you know whatever right like those those start to change some of those things but the reality is what happens if you're just separated from your data.

[00:17:00] Yeah I agree and but you still don't necessarily half not every single one of our vendors is an RMM vendor no.

[00:17:09] No God forbid if they got through the RMM they can hack our customers but I think that's the question that's really being asked here is if I'm evaluating vendors they fall into different categories and whether or not the data that they store sensitive or not at this at this level of engagement it's identifying what are we willing to allow.

[00:17:30] Coming into our organization from a vendor can it have access to sensitive data does it have the ability to touch you know client infrastructure like there's like a list it's probably not very long but it's very specific around how it impacts critical infrastructure and operational technology as it pertains to staff.

[00:17:52] Correct and that's that's where I started my question this morning right it was you know how do I come up with this list of questions then basically our conditional access questions if this then that then this then that equals this sure.

[00:18:11] And coming up with that list of questions then you're right I'm thinking you're probably looking at a total list of questions of maybe 10 15 right but each 10 or 15 probably have two or three underneath it if yes then you know you have these other three things.

[00:18:29] I was looking for that list of questions what I truly believe is it's not just the list of questions it's also the entire.

[00:18:41] The why it really those questions don't ask her the why and that's the one question that I haven't gotten an answer from from my team right right so writing the questions in a form of a process you know we also talked about change management call this morning.

[00:18:59] One of the change management questions that you ask is what is it changing what is it fixing what is it right yes that's a what but same process is why why are you doing this what is it changing what is it resolving for you to do this kind of thing so that's what we did we fail to do here and we fail to do it quite often to be honest with you.

[00:19:22] So I recently have spent quality time going through the new NIST CSF 2.0 safeguards and interestingly enough the conversation was high yesterday is actually a section in the new 2.0 so it talks about establishing third party risk management or cyber security supply chain risk management so the safeguards talk about things like.

[00:19:50] Set up and align supply chain risk management program strategy objectives policies and processes with the agreement of stakeholders right so like in your particular case there really wasn't necessarily a stakeholder buy into this it was more of the knee jerk reaction as dad his mom said no but then you get into things like.

[00:20:11] How do you evaluate.

[00:20:14] So identifying prioritized suppliers based on criticality so like we've seen this in CIS like your third party inventory right your software inventory your service management inventory are those categorize because when we think about evaluating a new vendor what category is that vendor it.

[00:20:33] What's the impact to your business if this thing goes swirly or or sideways and we could talk about that vendor specifically on another not on another upset but like not when we're recording.

[00:20:47] And we could talk through what are the challenges that are faced there because we see like so we identified identify identified identified based on criticality then we have to get into like what's the potential impact to our business.

[00:21:03] And some of the other things that go along with that what's interesting is NIST CSF 2.0 goes on to say like what are the best practices for each one of their governance safeguards around supply chain risk and that is exactly what we're talking about right now right that is a different approach to the service vendor management that's found in CIS they're talking about more of the you were already using this vendor.

[00:21:28] The supply chain risk management piece that's talked about in NIST CSF 2 is talking about the supply chain where does this vendor that you're thinking about using fit because if you have it in the wrong place and something goes sideways the business impact is is potentially a really big impact.

[00:21:49] Yeah, it's traffic exactly yeah.

[00:21:52] And that's exactly this conversation is the software that he was asking for does give him access to remote systems and if that vendor because we didn't do any of our due diligence on that vendor we put them in the wrong box right.

[00:22:13] So we can all day talking about frameworks and ways to go about tackling this but you know as I was thinking through and kind of hearing you talk through the challenge and what was sort of the you know mom versus dad and it got executed it's like when was the last time you did a supply chain review for critical you know critical vendors with regards to your organization.

[00:22:37] We were talking about this before right like you got your RMM tools you got your PSA you got your coding tools they all fit into similar or different categories depending on what it is.

[00:22:47] But this is kind of like pen testing right like it has to be reviewed on a frequency and it made me think of like Charles Love from show tech when he's like no we evaluate vendors this is the window otherwise we're not changing nothing right and can just think about it.

[00:23:06] And just thinking about that statement in the context of this request it's March we don't evaluate new vendors until October sorry that's the answer that's exactly it.

[00:23:19] It's but it's less about so for me right now I'm boiling all of this conversation that I've had in my head since last night that I've talked about since this morning it's ending up to coming down to two things for me.

[00:23:36] One is that I have a culture here good better and different that has a lot done right just get it done yeah right.

[00:23:45] You and every other MSP 100% but now we're in a different world and the culture has to change to a slow down culture.

[00:23:53] And the only way to really enforce that slow down culture is to reevaluate and put policies and procedures in black and white on paper so everybody understands what the policy and check call it checklist call what you want i don't care.

[00:24:09] We talk about onboarding and offboarding with employees like what's the strategy for when this project that this tool is needed for is done what's the strategy on what we do with that tool now is it being uninstalled like.

[00:24:25] We also we all remember the CCleaner and Malwarebytes from back in the day when lots of us used the free editions and basically the limitation was you had to manually update them right that was the limitation.

[00:24:38] And only to discover things like I know with like CCleaner the one that happened back I think it was in 2018 yes free tool.

[00:24:48] It was auto updating and it was auto updating to the malware edition because they had had a SQL injection that changed the executable that was patching and the reason we didn't see a widespread disaster is because they were only targeting very specific entities so they sent their payload out everywhere but they were only looking for a certain kind of fish.

[00:25:11] So this is that same kind of challenge right because we've we've said yes to the tool for good better otherwise but is this something that ends up and we only have one person that uses it I forgotten who it is and we don't have anything in place to.

[00:25:29] We have a post conclusion to the usage of this where we sit down and say okay what did we learn from using this tool do we need to keep it do we need to invest in buying the premium edition or whatever it might be like.

[00:25:42] I want to be one of the biggest challenges we have in our industry because we are all running so thin so lean and so fast kind of thing well it's it's a catch 22 because you know as gas prices go up as an example do we drive less.

[00:25:58] Not necessarily but you become more conscious when it crosses a certain threshold and starts to impact quality of life and I think the same is true on a more bigger scale when we look at like okay we're going to add this other thing to you know Acme Corporation and you know two dollars per endpoint or 25 endpoints times 12 months all of a sudden it's like wow how many other things do you have to layer in here before you start charging me more and more money.

[00:26:27] And it's like well the cost of doing business is going up so while I may have to change my prices to you you may have to change your prices to your clients too.

[00:26:39] Yeah and it's.

[00:26:42] I don't really like the good old days of just you know go go go go go but there's a part of me that says you know what if you can take today's back up pro

[00:26:55] because let's face it 10 15 years ago our biggest problem was we had a restore of crashed hard drive right right.

[00:27:01] If you can take today's backup technology which really works a lot better than it used to yeah.

[00:27:06] Yeah, root of today's cyber security problems and go back yesterday I would do that all day.

[00:27:10] We all what I think like I just want to swap hard drives out again like just take me back to and go to Fry's I can get a box of hard drives for less than a laptop yeah I'm good to go.

[00:27:20] I mean we have seen this in the screen space for laptops break a screen replace a screen that's pretty.

[00:27:25] But like this this really I mean the more I think about it the more I'm starting to go wait a second the whole lifecycle management of vendors from exception to conclusion has got to get baked into the governance of literally this has to get embedded in your culture.

[00:27:44] So like I don't say cyber security is culture culture has to be cyber security but embedding things like vendor lifecycle management and the reasons behind that need to be owned by every employee in your organization.

[00:27:59] 100% and I think at my office we do a really good job of doing security first security forward thought right you're including security in the conversation that it is being.

[00:28:13] Considered for everything that you're doing as opposed to it's a byproduct or you know give a second thought maybe if you're lucky but the text not culture right like that's not culture.

[00:28:27] It takes it's text does that's just rules does you do as I say or else right I don't care if you talk to dad yeah and that's basically what kind of we got to get a little bit better out here at this point so.

[00:28:41] And I'm quite honestly you know we can look at this through a different lens let's look at it through the lens of all of the things that led to this conversation weren't wrong right like the we're solving is he needed a solution to a problem he's trying to improve the efficiencies of the way in which you prep.

[00:28:59] You prep endpoints for the end user.

[00:29:03] But I would say from a maturity standpoint what you haven't put in place is how do we discuss this post project closed the end user now has our laptop what it what was the takeaway from this is this a tool that needs to be part of our core.

[00:29:19] What we use every day all engineers are going to have access to this resource is it you know hey it was really good on these three things that lacked in these five.

[00:29:29] We need to reevaluate because this is going to happen again I think that's where the real challenge comes into play is that this isn't you're not closing the loop on the reason for having this tool in the first place think that's where if I was doing an evaluation on on BKS if I was assessing you against the the safeguards and the security controls that you want.

[00:29:48] In your organization the maturity I don't think was violated here I don't think you've you've done a like you're going in the wrong direction I think this is a opportunity for maturity because you haven't had something in place here yet and that's exactly the maturity is evident because you're saying hey I recognize that what we're doing.

[00:30:09] While it's solved the problem isn't the right way to go about doing this if we want to scale this to something else.

[00:30:15] No you're 100% correct you know and it's like there if you look at this we're trying to go down this trust marks CIS framework path right one then two then three then four then five and six and then go backwards to two three four because you've got something right.

[00:30:32] Right constantly doing this backwards and forwards kind of dance.

[00:30:37] I just happened to wake up last night go we got something wrong here.

[00:30:41] Jumped all the way to show 15 right which is solution provider management looked into it a little bit like okay I need to do something like that and then develop a culture and a maturity and then on that same point you have to do a postpartum right of course more than whatever you want to call.

[00:30:58] You have to conclude that this is we use it we're done with it until the next thing happens and we need it again but the reality is needed again may never happen so we need to make sure that we conclude having this installed somewhere where it can become a problem later.

[00:31:14] And that's it I cannot guarantee that this agent has been uninstalled from that users laptop.

[00:31:22] And now I will bring that up and I'll do a network scan and I'll see if I can find it and hopefully he has removed it like he promised but it's got to be we still have to do that post mortem to verify that it has been removed.

[00:31:38] And that's the maturity level of BKS that we're not there yet.

[00:31:42] Well and I would argue that this is one of those areas where you can have the best of intentions.

[00:31:48] And this one's still hard to get right it's still going to take time to build this out in the right because the reality is you don't want to frustrate the engineers right like you want them to be productive you want them to look forward to coming to work in the morning.

[00:32:02] The last thing you want is like well if I try to solve this problem I know Chad is going to shut me down because this hasn't gone through the lifecycle approval process yet and this won't happen for six more months which means I'm going to be doing this manually until then.

[00:32:18] But the flip side is and I think to your point if we put something in place that creates structure around it so at least you can track it.

[00:32:27] You're more than you're more than halfway there right because the reality is if you can track this then you have something that you can review even if it's not tied to this like.

[00:32:36] You can't do this you can't do that you can't you can't can't right like that's not the model we want and I don't think cyber security is that either because as soon as cyber security starts to.

[00:32:46] It starts to.

[00:32:48] Impede the ability for you to do your job or to support a client then security starts to compromise security.

[00:32:58] Correct, you're 100% right, because at that point you're going to bypass security all day long to get your job done. Simplicity, complexity. And I think the reality would be this is probably a pretty simple lifecycle management for vendors. We're not talking about the details of SLAs in contracts and...

[00:33:16] Two year, three year terms. We're just talking about the usage of the tool.

[00:33:21] And just, for lack of a better term, transparency to the company as a whole, because if Chris is the only one that has this tool and Chris leaves BKS, does that leave a hole in my...

[00:33:36] The company as a whole doesn't know about this tool. I don't know what to do with it. Well, I saw this in education, and it was one of my, like...

[00:33:43] It was a deal breaker for me. So when we were evaluating software for in the classroom, set aside the privacy and student stuff for a minute, a teacher would say this is a great tool, it allows you to do all of these things.

[00:33:56] And I can track progress for the student. And so the question that would get asked is like, okay, and when that student goes to the next grade level,

[00:34:03] How does that data transition with that student for the next teacher? Oh, it doesn't. Okay, then we're not using it, because if it's a one-off,

[00:34:11] Even if it's paid, I don't care, because we are removing the ability for this to have any sort of long-term

[00:34:18] Positive with those students, because if you can't measure it after the one window, is it working? I don't know. It worked for...

[00:34:25] It gives a bit of a life easier for, yeah, six months, right? But now genes.

[00:34:31] It's the greater good, right? It's the equality. And if it's missing, then there's problems. And not even that, if you think about, like, let's just say this is a great tool and everybody should be using it.

[00:34:41] Is the tool accessible for one user, or is it accessible by the organization? Like, do you need to buy licenses? Is it something we centrally manage? Like, now we're back to going down this checklist of how do we evaluate whether or not we should use this product. And I think at the end of the day,

[00:34:58] What you shared with me, I believe that in this case, to solve a problem, there's probably nothing wrong with the execution that was followed to do this.

[00:35:07] But the post mortem has to happen, because now you're like, okay, we've tried it, we understand the value of doing this. Is that the right tool?

[00:35:18] And that's exactly it. Or, okay guys, we took a breath, we got past this little hurdle, now can somebody please call Datto and find out why we can't do this in the tool we already pay for? Exactly. Or fill in the blank, right?

[00:35:31] Exactly. So now my head's spinning. So any last thoughts on this, Chad? Because I think, I don't want to say we've exhausted it, obviously we could do a whole discussion on vendor lifecycle management, but, well, I guess I'm just asking this question: did this help?

[00:35:48] It did, and you know it. I still need to go down the rabbit hole of building that list of questions: if critical, do you... and access to data, do you have an effect, do you have a SOC 2, do you have this. If any of those are no, it's a deal breaker, you can't install it, kind of thing. Or it's a we need to re-evaluate how important this tool is. What is it? Is it a one of a kind?

[00:36:13] You know, are you saving me, you know, 45 minutes per endpoint instead of, you know, five? Like, you know, what are we really solving with this tool? Because I think sometimes we accept risks because of the efficiency that it creates, but I think it's having those conversations, of being willing to draw a line in the sand.

[00:36:31] I think that just shows the maturity process at its finest, which is that it's continuing to improve. And that's exactly where I'm at. I'm going to have to have some conversations internally here, write up some SOPs, and then, yeah, how many tools does every MSP have? I know our security stack is 10 tools deep.

[00:36:51] I'm going to say it's probably between 75 and 100, let's just be honest, and even if it's not on every machine.

[00:36:58] Yep. So I've got to go back through and I've got to do vendor due diligence. Yep, 75 to 100 vendors, which is fine. That's fine, good to go do it. But now we ask the question. I would suggest before you do that is to figure out what are the categories that the vendors that you work with live in.

[00:37:16] So when you go through that list you're not doing it five times. No, and that's the same question. Is this like, like you talked about the guy that fills up the water tank in the basement? Yeah, right.

[00:37:27] Does he have access to customer data? You know, he is a non-critical vendor. Yeah, all you've got to do is, do we have his ACH information? Yes, done.

[00:37:35] Right.

[00:37:36] We know Datto or RMM, okay, we need a little more details on that. We're not trying to solve for incidental exposure in this, right? We're trying to ensure that they don't have the means to be malicious and cause problems. That's exactly it. So, all right, Chad, I think we've exhausted this one.

[00:37:52] So too.

[00:37:53] All right for everybody listening thanks and have a great week.