If you have ever worked with Construction Management, Manufacturing, Healthcare, and others where the technology that is in place is no longer supported. How do you help them move forward and when is it appropriate to continue to use legacy technology? Join me as I sit with Jeff Borello of Andromeda Technology Solutions to chat about successful approaches and knowing, in some cases, when to walk away.
[00:00:06] Welcome to MSP 1337. I'm your host, Chris Johnson, a show dedicated to cybersecurity challenges solutions, a journey together, not alone. Welcome everybody to another episode of MSP 1337. I'm joined this week by Jeff Borrello of Andromeda Technology Solutions. Jeff, welcome to the show. Chris, thanks for having me.
[00:00:32] So, each week we take on differing topics around cybersecurity, and this week I think it would be a great opportunity to talk about your client portfolio. Not so much your client specifically, unless you want to talk about a specific client, but to talk about what it means to provide services into a lot of what I would consider to be clients that don't have the regulatory requirements imposed upon them,
[00:00:59] and maybe treat security a little bit less reactive, or say maybe more reactive than intentional or proactive per se. Is that a fair assessment? Yeah, I would say that's very indicative of what we see out there, unfortunately. So, I think it would be good. So, I know that there are several major categories that you work with.
[00:01:24] You mentioned having to go through the 800-171, which is a great framework, I think, for assessing a cybersecurity posture within any organization. And so, I'd be curious to just hear a little bit about your journey around pursuing the 800-171, why that was important to you, because obviously I would assume it has something to do with insurance or clients.
[00:01:48] Let's just start there, and then we can dive into maybe how some of the clients that you do work with have shaped your focus on cybersecurity. Yeah. So, the NIST 800-171 journey, we started about 18 months ago, call it. A little bit of a push from our insurance company, a little bit of us just wanting to be out and head of the security world, right? So, we're always telling our clients that security is first, and it needs to be first and foremost.
[00:02:16] So, we needed to be walking the talk, I guess, so to speak. Like, so we said, yeah, let's get our house in order and make sure we have all our ducks in a row, and then we can, you know, start leading the charge for some of our clients. And, you know, ultimately, I think down the road, one year, two year, three year, I think you're going to see everybody needing to be, have some level of compliance to a security framework. And I think this is going to get driven a lot by the cyber insurance industry, right?
[00:02:42] They're taking a beating, you know, they're getting to this place where they don't want to even insure people. And if they do, their rates are up through the roof. So, I think we're going to see a lot of this get pushed out by the insurance companies. And even those that are not in some regulatory situation are going to need to get adhered to a framework. So, we wanted to be in a position to be able to do that for our clients, you know, and be ready to do it when it was needed. Yeah, with that, it makes me think that maybe we should talk about pursuing the GTIA cybersecurity trust mark.
[00:03:10] But that's a conversation for another, maybe another episode. It's ironic that you said, though, about the insurance. So, the cybersecurity trust mark, if you're not familiar with it, it's basically built around CIS top 18 elements pulled in from other frameworks to help balance out things like governance. And then when we went to go live with it, we discovered that we should probably make sure that the questions that come out of insurance questionnaires are also being satisfied.
[00:03:37] And one of the takeaways that we had from that, and maybe your experience is similar, is an insurance questionnaire will ask you a question. There's actually 10 questions in one question. And the only answer they're looking for is yes or no, not but, right? And so, our challenge, and I'd love to hear your thoughts on this, is like, you know, seeing things like, do you have MFA? Well, MFA on what?
[00:04:00] And we saw that, you know, you're in the Midwest, so you're probably very familiar with the traveler's insurance debacle where the client, the insurance paid out and then later basically sued to get the money back because, well, they hadn't quite done what was implied across all areas that should have MFA.
[00:04:19] So, I was curious on, you know, going through 800-171, you talked about your insurance, were there some things that you ran into that were eye-openers that you were going through 800-171 that you hadn't considered that were tied largely to those questions? That's a good question.
[00:04:38] And we, there's, and you hit the nail on the head too with these, you know, and this is why people don't like to fill out these forms because they're either, you know, I don't know if they're intentionally vague or, but there are certainly some vague questions that, yeah, we take exception to every year when we fill ours out. It's like, I can't answer this question. It's not a yes or no question. You know, the security frameworks, there's a lot there, right? And some of it's probably more helpful and critical than others. And there's some areas that are probably not a big deal.
[00:05:06] Um, but certainly our, you know, we see a lot of alignment between the framework itself and the questions on the cyber insurance forms. Um, I think they, they are in a lot of cases the same or one leverages the other. Um, but I would say there was, you know, certain areas that we said, yeah, we were probably living in the spirit of things on the insurance form. But by taking a few extra two, three extra steps, we could really nail it down and really be, say, okay, we, we know we're solid here as opposed to just kind of hitting the spirit of it.
[00:05:36] Gathering evidence, I think is the one that I always seem to run into is they can, you can articulate the yes, we're doing this. And then I ask for evidence and you're like, I'm going to need a couple of days. Yeah. And that's fair, right? Because you don't get asked for evidence every day. So sometimes the, the ask itself is like, oh yeah, I need to produce some evidence in order for you to believe that I am actually, you know, doing this. That's, um, that's a fair, fair question. So, so obviously insurance questionnaires driving it. I think you're right.
[00:06:06] I think we're going to see over the next, I would give it a year. I think we're still on the tipping point of, of insurance providers understanding well enough to look for, like you said, the evidence. So they can ask the questions they've, they've cherry picked from different frameworks or, or even we're seeing more and more as similarities across the questions being asked regardless of what framework was used.
[00:06:29] But one thing that, uh, I haven't seen is that the consistency around what they're looking for in the answers. Right. So to your point of you're taking an exception to something, uh, you know, how do you know you get coverage, but you're like, you're saying, I said no to that. Or I put an exception there and you're like, did I get coverage? Did I, am I good? Uh, did you run into that where you had to like actually talk to a broker or, or an agent and just say, Hey, we're not sure about these things.
[00:06:58] Can you walk us through it? No, but generally we will, um, you know, we may answer yes or no. Um, but then in the, where there's a comment section, we will say, you know, we'll, we'll clarify like, Hey, I said yes, but this, that, the other, um, and let them come back and ask us about it if they want. You know, part of it is just trying to be as honest as possible. And, you know, right. There's, there's no benefit to anybody to try and to stretch the truth or you just, and listen, areas that we are not for whatever reason that there's, you know, there's a couple areas that we can't do.
[00:07:28] We cannot do for whatever reason. And we just say, no, we're not, uh, you know, we can't adhere to this. Here's why. Uh, and then, you know, but we're always open to having a conversation about it. But, you know, I, I do think your, your, your comment was dead on being able to provide the evidence for things is really where the rubber meets the road. I think, I think that really is the, a very big difference between an insurance questionnaire and following a security framework because it really takes it to that next level where someone says, yeah, we're doing this fine. You know, show me.
[00:07:58] So I love, it's almost show me versus tell me. Right. Yeah. And I think it's, yeah. Actions speak louder than words. Right. Uh, so it was interesting about what you said. I think that, you know, in coming into this conversation, you know, we, we see this a lot in, in our industry of providing IP services. And it's like, how to, how to do more with less, how to increase our profit margins. And, you know, everybody needs to be selling cybersecurity services.
[00:08:24] And what you said, I think is paramount because instead of looking at it through the lens of how do I make more money or how do I keep my clients that want me to do compliance? You looked at it through the lens of like, if I don't do these things, I mean, I have been in no position to sell or deliver services around these things. So I liked it. I think you picked the, perhaps one of the tougher, uh, of the frameworks to go through. That's, that's a lot of, uh, uh, evidence gathering, if you will.
[00:08:51] Um, but, uh, but I'm curious, uh, as you went client facing, having put that effort in, what are you seeing with your clients that maybe prior to having that 800-171 was getting into the areas of like, well, uh, we're not doing this. And they're asking me to do this. Are they doing this? You know, are they doing the things that they're asking of you that, you know, letting you to go through 800-171?
[00:09:17] How did that change when you're like, I can now be an authority to my clients on, we have implemented. And now quite honestly, looking at you, the client going, wait a second, you, you made us go through these hoops and we're realizing the importance and the value of that. But show me your evidence. Yeah, I think a lot of it, you know, certainly in the last couple of years, it's, it's been increasing, but we don't get a lot of requests around those.
[00:09:44] I mean, you may, you know, we've had a, you know, can you show me your incident response plan or your business continuity plan? Um, but I think up until like the last month, I'm not sure anyone has asked us for enough where we would actually need to provide some, like a summary level of the framework of what we're doing. Um, it's generally been kind of very piecemeal. And I think a lot of that is just so much of the world is behind in the security, right?
[00:10:13] They think it's not going to happen to us. We're too small, you know, all the stuff we hear all the time. Um, you know, we're still, one of the things we've been pushing and it's actually in our legal agreement with clients is, you know, they have to have a standalone cyber security policy. And it's amazing how many people we still talk to who don't. Um, it's just, it's just, it's like not a reality until something happens. Sure. And then it's a whole different story, right? Um, they find out that the insurance they do have is not what is needed for what they need coverage for. Right. Yeah.
[00:10:43] Yeah. And you know, and I, you know, ultimately the customer's responsible for, for filling out their assessment with their insurance company. But I think in a lot of cases they're, they're really struggling to answer them appropriately to be able to get coverage. Cause they're just, it's security is still fairly lax out there, which explains, you know, why there's ransomware events every day and everything's in the news. And it's just, it's just still not taken seriously to the level that it needs to be.
[00:11:06] Do you, do you run into with your clients who have insurance where they have filled out the questionnaire and didn't bother to consider your input on what answers they were putting down? Not that I know of, I think most clients would, you know, cause they know they don't know the answers. So as far as I know, most people are, you know, they submit the app to us. We answer the questions that we can, and then basically give it back to them to, to finish off because we went on, we're very clear that we are not responsible for the final answers on this. Right. Right. This is your policy.
[00:11:35] It's your answers, but they generally need some help from us. And we're, you know, we're happy to do that. Yeah. I mean, you're providing services in that from a responsibility of implementation, you guys are taking on hence the client relationship. But the thing that always floors me is their unwillingness to recognize that they're still accountable for the answers that they're giving back to the insurance provider or to the regulatory body. It just, it never gets old. You're like, but, but you wrote with your pen and signed your name at the bottom of this. This does not include me. Right.
[00:12:05] Yeah. Yeah. I'm, I'm here to give you some guidance on what, you know, what we're doing, but ultimately, yeah, it's, it's their responsibility. And, you know, they're, that's the funny thing about it. People would never do that with their accounting and their financials. Right. But somehow the IT it's this, you know, it's, people are still treating it as an expense and not as a, as a, as a, as a leverageable, you know, investment. And I think the IT guys here, this is, this is IT stuff. This is your domain, not mine.
[00:12:32] And I think that's part of the reason you see a lot of the, you know, either not paying enough attention to security or just generally not paying enough attention to your IT. Because it's just this, this thing I have to deal with as opposed to understanding how to, how to leverage it. Yeah. And technology has gotten easier to implement. Right.
[00:12:50] So you can, and I don't mean necessarily good technology, but as a, as a layman in the technology world we live in, if I need an application to solve a problem, I can probably do a search for it. And either I get the tool that I think I need, good, bad, or otherwise, or I can probably get a, a AI type functionality and have it build it for me. Some sort of automation, things like that. Right. So I'm just curious, especially knowing that you cater into the manufacturing space.
[00:13:19] Do you run into a lot of like shadow, I don't call it shadow IT. I think that's an unfair statement because I think that's more of like the world of intentional avoiding. Yeah. Having to call the IT guy. And this is more of like efficiency, productivity. How do I get things done without bothering somebody? Yeah. Do you run into like a, had no idea there were these apps for running or that they are in a category that we shouldn't be using when you come into an environment like that? Yeah. You know, for sure.
[00:13:47] Um, and one of the things we've done over the last couple of years is, uh, we've introduced a new, uh, security tool in our stack that basically, so people can't just run around installing apps. Right. Um, because it is, like you said, applications are just ubiquitous. You can get an application to do anything you want. You load it up, you do its thing. Right. So not that we're trying to lock down requirements. What? Yeah, exactly. Um, we, man, we even saw it here at our company, right? We said, Hey, we were trying to get a handle on all the vendors we have.
[00:14:14] And there's all kinds of ones that we know about that are centrally managed that are paid for through the company. But then you start looking around and asking or run a, run a tool. And there's a lot of applications that people have gotten on their own. Right. Maybe not necessarily paying for it, but they, they got it through their Gmail address or whatever. And it's on, it's on the system and it's doing its thing. So I think it's, that's a big, big deal. Um, and I think the solution is you've, you've got to have zero trust system set up that people can't install it without getting some sort of a prior approval.
[00:14:44] So somebody at least looks at it. At least the second level of like, uh, eyes on to make sure that it's like, no, that's not Dropbox. You thought it was Dropbox, but it's definitely not Dropbox. Yep. Yeah. Again, again, it's just so easy to get whatever you want now. And I think there is this level of, there is a perception that IT has gotten easier because I have an iPhone and it updates itself. And I load applications and why, why do I need to pay you to patch? Um, sure.
[00:15:09] And there's this, it's caused a lack of appreciation, I think for the level of complexity that has gotten more complex, not less. Um, you know, between cloud environments and non-prem and hybrid and trying to move data back and forth. It's, it's the, the environment's actually gotten a lot more complex, not less. Yeah. Yeah. Do you think that that's tied in any way, shape or form to the lack of understanding of, you know, my data?
[00:15:33] You know, I think about like, uh, we saw this take place, uh, here recently with the, uh, ban on TikTok, right? And suddenly the option was to switch to, uh, whatever is called red note. Uh, and you know, the, the privacy policies isn't even in English. And yet you have millions of people switching without any consideration to what would happen or what is happening or can happen to their data or what it has access to.
[00:15:59] And I had a conversation, uh, the other day with, uh, a teenager who said, I don't care. I don't have any data that's important and they can't do anything anyways to my device because, and I said, because why? Because why, what, what makes you think they can't do something to your device?
[00:16:20] And so like the, the look on this individual's face was priceless because in their mind, it was only what the app allowed data from the app out, not what access that app has to the device. And I think, I mean, curious your thoughts on this. Like we find applications to solve problems. Do you think any of them are asking questions like what problems does this create? No, not at all.
[00:16:49] I think Chris, it was your son, right? You can say, no, I'm kidding. I've had, I've had conversations like that with my son. This particular case was not. Yeah. I think it's, again, it's just ubiquitous. I have this device in my, I can load up anything I want. No, I don't think anybody even gives it a second thought these days. Yeah. And it, and it, and it jumps generations, right? This isn't like the, the, you know, baby boomers to the Gen Zs having.
[00:17:17] We're all in agreement. We'll, we'll give data away freely because we don't recognize the value of the data or understand how that data can be accessed from our alleged quote secure devices. Yeah. Yeah. It's really frightening when you think about it. Just the lack of understanding, you know, I mean, even, you know, I'm in, I'm as technical as anybody. I know I'm in the tech world, but sure. You get an app, they put an agreement in front of you. It's impossible to read them. Couldn't possibly read them to understand it. Right.
[00:17:47] So yeah. The legal counsel that needs to read it. Right. Yeah. Yeah. So I think that's just a, it's a, and you're right. And the data is the most powerful thing there is now. People's private data is it's, it's everything. I mean, it's, so it's, it's really kind of a scary situation we've gotten ourselves into that, that people don't think about that. Yeah. Yeah. And I would argue at this point, I'm not sure that any of us have data that is still private. I think we're quite kind of at that point where you haven't gotten a letter in the mail.
[00:18:16] It's just a matter of days before you get one that says, Oh, back in 2024. Sorry about that. No monitoring for you. Yeah. Yeah. I it's in that exact stance. I think I just assume everything's out there. Um, one of the things we started doing here recently was we started, uh, recording a lot of our calls and so we can review them. And do some, some training with our, and people are like, wow, is that going to be like people going to balk it? Then I'm like, like pay attention. You're like half the calls you're on are recorded these days.
[00:18:46] I just assume everybody's listening to everything, everything you put out there, somebody is going to get ahold of it. And it's, you know, you definitely got to take the right steps and safeguards to do what you can to protect it. But yeah, this concept of data privacy, I think is long since gone. Yeah. I would, I would argue that if you want to have a private conversation, you probably should leave your technical devices.
[00:19:06] Uh, in a Faraday cage or, or far away from you where the microphones don't pick that up and then, and then go somewhere that there are no technology devices to have that whole secure conversation. Yep. I mean, I was just talking about this the other day. There's almost, I mean, think about this, the helicopter crash into the airplane. There was so many videos of that. Now, not like somebody knew that was going to happen. It was out there videoing. It's like, there are so many cameras and so many recording devices out in the world. Yeah. You just have to assume that it's like there's everything gets picked up on a camera somewhere.
[00:19:36] It's really kind of mind boggling when you think about it. Yeah. That would have been concerning if it was camera footage from a drone, but yeah, there was plenty of, uh, plenty of, um, video footage for that. And we see this elsewhere too, right? Like, uh, you look at like surveillance cameras in other countries and it's just par for the course that you're always on camera and we get wrapped around the axle here in the States about, you know, giving permission to be on camera.
[00:20:03] And yet we don't have a, we don't say anything about giving our data to, you know, nation states or, you know, really anybody like, oh wait, I can get a coupon for that. You know, all I got to do is my email address and my date of birth and I get free, whatever. Um, but you know, if you look at it through the other lens, how many other countries would allow us to do the same thing? Like, Hey, I'm going to send this to Italy or France. I got this cool app. All that I require, it's free.
[00:20:30] All that we require is that for those that install this app, all of the data that we grab off that phone, we're going to suck up and bring it back here to the States. Which could never happen. Correct. Yeah. It really is a different perspective on things. So you're largely dealing with clients like we were talking about earlier that don't see, and I think it's unfair to sort of point at the industries that you're serving as if they're somehow different than the rest of them.
[00:20:57] Um, but I think that in construction and building management, uh, a lot of those trades are often associated with, uh, less technology. You know, they're, they're using more so now, but I remember back like in 05, 06 or 07, the technology being used was, you know, maybe they were using a tablet to enter notes on a job site. Maybe they were using, and that was pretty advanced tech if they were doing that.
[00:21:22] Um, in fact, in a lot of cases they had somebody to do the digital version of their yellow legal pads for the project that they were working on. But then fast forward, and I would, I would argue probably like, um, you know, 2015, 2016 and on, we started seeing the applications that were crazy expensive. Your timber lines and, uh, tools like that suddenly had cloud options that were a fraction of the
[00:21:49] cost had easy, easy customized fields and, and, and views that we didn't have in the quote dinosaur apps. And, and I think it was a picture that it showed me that it was actually across the board. It wasn't unique to construction or manufacturing was actually more of a, a shift in the way applications were being built. And so we would refer to the other players as the, the dinosaurs, the tech dinosaurs, or, you know, where lots of tech that was, you know, built around like cumbersome databases
[00:22:18] and lots of infrastructure. But one thing that I think still exists today that was a problem on that, that turning point. Security wasn't the primary focus for building those applications. Yeah. Yeah. I think, I mean, you know, pick, and we don't do a lot, um, with architecture rooms, we don't have any architects. Um, but I was just, I was at a peer group meeting last week. Um, and one of the peers in there, they, they serve a lot of architects, so they do a lot
[00:22:47] of Autodesk and they said, sure, they got to update Autodesk. It takes hours and hours and hours, but they said they're coming out with 20 bug fixes like a day. I mean, I think they were exaggerating, but, but again, that's a giant application. It was built way before security was a thing. And it's, you know, and you can't just go in there and find all the security holes overnight, right? There's a lot of code. There's a lot of people involved. So yeah, I think that's absolutely, you know, and, and, and in a lot of ways, the cloud
[00:23:14] applications aren't a lot better other than they're newer and they were built generally when security was more front and center, I think. So I think both places have the issues, but yeah, some of these, you know, some of these softwares were written, you know, the underlying platform that they wrote it in isn't even secure. So. So we're even, or are there even programmers still around that are willing to write code for those platforms anymore? Yeah. Well, yeah. I mean, you talk about, and I think the state of Illinois is one of them here where we're
[00:23:42] at is, uh, you know, a bunch of the, the tax system was written in, you know, COBOL. It's like, yeah, it's pretty, pretty hard to find COBOL programmers anymore. Yeah. I, uh, snowball COBOL, Fortran. There's a lot of that, that, you know, the older languages that a lot of our existing infrastructure still resides on. And there are no quote, easy fixes, uh, to solve those problems. But on the flip side, I think we're also, you know, going back to, I don't care about
[00:24:09] my data mindset where we're seeing applications getting built and privacy policies getting shared where no one's asking questions like, but is this application secure? I know it's got single sign on, but you know, how hard is it to bypass the, you know, the front door to get, to get into the data that's just there. Yeah. You know, I've got a few minutes left. I'd be curious, you know, as you approach new and existing clients with, you know, the
[00:24:39] knowledge that you have from a security standpoint, do you have any sort of like go or no go? So like prospective client, you're looking at onboarding them. They obviously like, you know, the opportunity to potentially work with you. Do you have any that are just flat out deal breakers when you go into a net new client? Yeah. I think one of the biggest, you know, binary tests is if they're, and we, we seem to find this pretty binary split.
[00:25:06] But they're either they're investors in technology and they're keeping up and they have new gear and they have some technology. They have an ERP system for their manufacturer, right? They're kind of cutting edge, so to speak. And then there's the people that are 10, 15 years behind. So we don't have a problem with you being 10 to 15 years behind if you're willing to catch up. So if we come in and we find a shop that's just, listen, you got, you know, you got a windows 98 machine sitting here and it just security problems all over the place.
[00:25:33] You have switches that are 15 years old, if you're willing to put the money and time in and let us get it right, we're happy to do that. I mean, think it's a win and win, right? It's good business for us. It gets them where they need to be. It's the people that are 10 years behind and don't want to put the investment in. That's just a giant risk for us, right? Like, um, it's not a question of like we talked about earlier. It's not a question of when they're going to have an incident or not a question if it's when, and we don't want to be there holding the bag when it happens.
[00:25:59] Um, so it's hard enough to secure places when they're investing. Sure. When they're not willing to, to, to do what they need to do from their side and they're not willing to let us kind of drive. Those are the opportunities that we have to walk away from because the risk is just too great these days that we don't want to carry that. I would imagine there's also the, the in between prospects where, uh, you know, the, the manufacturing floor has the CNC machines and the different devices running to your point, Windows 98 or whatever it might be.
[00:26:27] And, and you don't necessarily care about the OS because well, they're not on the internet, right? They're not connected. Uh, and then you find out that they have matured because they have a new ERP software or accounting package for running the, the job costings. And they did something like connect all of those devices together so that they could see it without going and physically touching it. And so they went from, they basically leapfrogged, right?
[00:26:52] So they 15, 20 year old, old infrastructure, but then they added one app and an access point and suddenly all of that is now vulnerable and exposed. Yeah. Have you run into that, that hybrid one? Um, a little bit here and there. Uh, you know, and I think that's one of the, one of the, you know, we don't expect people to like, you're not going to plunk down a hundred thousand dollars tomorrow to bring everything up to speed, but if we can put you on a three-year roadmap and you're, and you'll something that the, the owner will commit to, um, you know, we're happy to do over time.
[00:27:21] You find the most vulnerable, risky thing, get that out first. Right. So that's, so we're happy to put it on some sort of roadmap. It's the, it's the people that say, yeah, we're going to do it. And then two years in, they haven't, they haven't done anything. That that's a real problem. But yeah, I think that's the same way, right? I'm sorry. Well, I was just going to say healthcare is kind of the same way, right? You've got a multimillion dollar DICOM imaging machine or an MRI machine and the software for it, you know, is windows XP or windows 10 and not supported anymore. It's like, yeah, but the MRI machine works just fine.
[00:27:51] And you're proposing something that's going to cost, you know, millions of dollars to replace because I can't put a $30 operating system to bring it into 2025. Yeah. That we run into a lot, both. And we, we, we came out of the medical space. We did a lot in medical. And I think there is a very similarity there. The really, really, really expensive machines, whether it's a medical or manufacturing. Sure. Yeah. I can't just replace it. It's, you know, it's cost prohibitive. So then the question is, you know, what do you do? And that's a tough place for them to be in.
[00:28:20] And, um, you know, so we, you know, that's our job to figure out how to mitigate it because okay, this, this has to be a windows 98 machine. Um, fine. We need to figure out how to get that segmented. So it's not on the network with everything else. And when you've got to do what you can to protect it. And that's just, you know, that's part of our job to figure out those absolute, we can't do that's our job to figure out how to make it work. I mean, the good news is there's not a lot of, uh, threat actors writing malware for windows 98 anymore. So, I mean, there is that. Yes.
[00:28:51] Eventually, eventually it becomes, it becomes a good security solution. That's right. Right. That's right. Uh, so Jeff, we've got about a minute left, uh, on the show. Is there anything you want to share with the audience? That's largely other MSPs, but shoot, they can be clients of MSPs as well. Yeah. I think to do the two big things we talk about a lot are, you know, it takes security seriously. And I know everyone gets tired of hearing that. Yeah, we know, we know, we know, but we see it, you know, every day somebody's getting ransomware and it's just the thing that happens.
[00:29:20] So you gotta, you gotta really put it front and center and every decision you make needs to be security driven. And then I think the second thing is for, for clients of, you know, there's a lot of MSPs out there. There's a lot of great MSPs. There's a lot of not so good. If you're stuck in a relationship with an MSP that you, that aren't, they're not getting it done or you're not happy. Switching is not as bad as you think it is with the right group. So don't, don't be stuck in a relationship that you really don't like. Um, there's something better out there for you. I think that's the, the quid pro quo, right?
[00:29:50] I think MSPs are starting to take that same mindset as well, where, you know, if the client is a bad fit, it's okay to say no, there's dollars somewhere else too. Yeah, absolutely. Right. They're right for somebody. It's just a question of who. That's right. All right. Well, Jeff, I appreciate you coming on the show. And for those of you listening, thanks and have a great week. Good. Thanks for having me, Chris. That was great.