Show Website: https://mspbusinessschool.com/
Guest: Connor Swalm, CEO
Linkedin: https://www.linkedin.com/in/connor-swalm/
Company: Phin Security
Website: https://www.phinsec.io/
In this insightful episode of MSP Business School, host Brian Doyle sits down with Connor Swalm from Phin Security to discuss the entrepreneurial journey and the innovative approach Phin Security is taking to simplify cybersecurity training for MSPs.
The conversation delves into Connor's backstory, his initial foray into real estate, and his subsequent pivot to cybersecurity following a pivotal loss that reshaped his life and career. Connor provides a frank perspective on the challenges of starting a business and underscores the importance of passion beyond just a dislike for one's job. He also shares his experience networking with industry peers to grow your brand.
### Key Takeaways:
* Starting a business requires more than dissatisfaction with a job; passion and resilience are crucial components.
* MSPs need easy-to-use tools to maintain cyber awareness training and ensure compliance without overburdening their staff.
* Phin Security is focused on automating and simplifying cyber awareness training, making it more accessible and effective for MSPs.
* Future advancements in cybersecurity training should integrate naturally within business systems for proactive defense.
* Community and mentorship within the MSP industry are invaluable and help drive innovation and success.
Host
Brian Doyle: https://www.linkedin.com/in/briandoylemetathinq/
Sponsors
vCIOToolbox: https://vciotoolbox.com
Sales MaturIT: https://salesmaturit.com
Listen to MSP Business School on the Fox and Crow Group Your IT Podcasts Network!
[00:00:03] Welcome to MSP Business School, led by our deans of business development, Brian Doyle, Tim McNeil and Rob Rogers.
[00:00:11] Each week MSP Business School is committed to delivering you proven strategies, tips and tactics for MSPs to accelerate their business growth and revenue through better sales, better marketing and true account management.
[00:00:26] Classes start now, so let's get started. Let's throw it to the deans.
[00:00:33] Hey everybody. Nice to see you again and welcome to the latest installment of MSP Business School. I'm your host Brian Doyle and I'm excited today because I've got a guest that we've started doing some work with over at vCIOToolbox.
[00:00:46] And as we prepare for release of an integration and I want to welcome Connor Swalm, one of the co-founders over at Phin Security, to the podcast today. Connor, welcome.
[00:00:56] Thanks for having me, Brian.
[00:00:59] I'm really excited about talking a little bit more to you today. You know, almost every podcast we kick off with a little backstory about the person but you know I've seen some of your posts out there.
[00:01:10] One of the things I admire is your vulnerability out in a public forum and really helping other business owners that might be struggling understand hey there's light at the end of the tunnel as long as you keep working hard.
[00:01:19] Maybe share a little bit about how you came to form Phin because it's really a fascinating story for those that might not have heard it yet.
[00:01:26] Sure. First thing I always share with people is I don't recommend anyone starts a business ever.
[00:01:34] You know there's the there's the saying in the industry just hating your job is not enough reason to start an MSP and I definitely understand that sentiment having now started a company it's like you have to be actually like a psychopath to do this and then get kicked down and get back up and
[00:01:55] So that's the first thing I tell people. But how I got started is I was actually flipping houses in college to pay for my student loans. I graduated was flipping about four homes at a time and then bought a home that I shouldn't have.
[00:02:09] And all of my advisors all my investors, everyone that I had asked for advice for in the past and you know counseled for their wisdom. All said I was making a mistake and I essentially you know flipped them the middle finger and was like you guys don't know what you're talking about.
[00:02:23] I was like 21 at the time. I literally just graduated. And so of course my head didn't fit through a door and I thought everything I touched turned to gold. I was making a ton of money. And so I buy this house and I lose all of it.
[00:02:36] I ended up losing close to $100,000 personally which is everything I had saved up over the course of the year.
[00:02:42] Huge sum of money, one, let me tell you, when I was 21 I didn't have half that backstory yet.
[00:02:49] I mean what a lot of people don't know is like the money yeah the money hurts to lose but also what I lost was I was about to propose to my longtime girlfriend. I was about to go buy a home was about to go start a family.
[00:03:00] I was about to move my life forward and like instantaneously I lost it all had to move into my parents basement had nothing but the shirt on my back and got real depressed and in my parents house I kind of came to the realization I only liked real estate for the money.
[00:03:16] So I was like well what do I actually like it has to be it was software and math which is what I had studied in college. And so I just started building cybersecurity tools and Phin is like the third iteration of I just walked downstairs every day and built what I thought was cool.
[00:03:35] I got other people involved along the way some of which are some of whom are still involved some of whom are not and we just kept you know meeting MSPs and we ran across one of them in the process of building these tools and I'll never forget their phrase to me this is something I say all the time.
[00:03:52] I was talking to them about their problems we ended up settling on awareness training it's what we do and they ended our conversation by saying don't build me a better tool build me something shittier that's easier to use and I'll work with you tomorrow.
[00:04:06] And I was like, that's, that's how I can build bad software it was just me in my underwear at that time so yes I can do this.
[00:04:14] Yeah and you know I think there's a lot to that statement.
[00:04:18] Easier is oftentimes better and you know as a guy that runs a fairly complex system unfortunately because it's really you know has a couple tentacles to it.
[00:04:28] Sometimes I want to look back and go how can we start it again from the ground floor and make it simpler and make it easier.
[00:04:34] You know for some of our end users not that it's super complex but there's hidden gems that you can find along the way and I think that approach of keeping things simple especially when you're going after a very straightforward topic right deliver training to people track whether or not they're finishing it and then continue to educate them long term right you know that's a pretty straightforward concept that that you guys are running but it's one of the most necessary concepts out there when you look at all the frameworks in the marketplace.
[00:05:01] Yeah it was kind of a shock to me because I had no understanding of any size cybersecurity whether that's small business or you know up to enterprise and so when they started giving me insight into well this is how typically this is how we typically have to use enterprise focused software.
[00:05:18] This is how it typically doesn't work for us look at the five examples I have in my own stack right now here.
[00:05:24] I'll show you and then they'd actually go into their tools and say I got to do this I got to do that and I think if more vendors just sat down and thought to themselves.
[00:05:34] How would someone feel if they did this 50 times right now.
[00:05:38] If the answer is like horrible, you should probably find a way to make them do it once.
[00:05:45] No, I agree you know and a lot of the new tools that are coming in or helping enable software is to bring more of the automation bring more of the integration capabilities and that's certainly you know for me a big focus for 2024 is how do we automate kind of, you know, an easy one click at least baseline assessment
[00:06:01] then you can choose if you want to put the manual steps on top of that for for QBR efforts as an example but you know you were mentioning the the upcoming Flow by Rewst show that you're going to be at you know there's a perfect example of let's make people's life simpler
[00:06:14] right and help them automate.
[00:06:16] Aaron, the founder of Rewst was actually one of the first people I met in the industry.
[00:06:22] How we one of the reasons we got started in this industry is me and my co founder who's my best friend Josh, we started putting memes under people's LinkedIn posts.
[00:06:33] And we found one person specifically a guy by the name of Wes Spencer. Yeah, yeah who was a world one of the co founders at Rewst and Aaron Aaron was the other one.
[00:06:44] And for whatever I still ask him all the time is hey why'd you like just, why'd you decide to respond to us and we were just some dumb kids doing some dumb things like he goes, I don't know, but it looked, it looked like you guys were having a blast, it looked like you were going to get it done and I felt like you were going to do anything to make it work.
[00:07:02] And so he, him and him and Aaron were one of the first some of the first people we ever met in the industry. They were still at Perch at the time and they had literally just announced their sale to ConnectWise.
[00:07:14] And it's actually how I got to my first event too is I called Wes up on a Friday he's like, what are you doing on Monday.
[00:07:21] Working. Yes, no you're not you're coming down to Florida. You're a you're going to go to IT Nation Secure for the first one of the biggest industry conferences. I was like, I have no dollars.
[00:07:31] Don't want to go talk to people. I'm, you know, I studied math in college for a reason it wasn't because I was this wonderful socialite.
[00:07:38] Introvert on the inside extrovert on the outside right public perception but yeah, yeah, I get a lot of energy by just being by myself and just learn it's what I like.
[00:07:48] And so I have to be real honest if Josh my co founder wouldn't have been on that call and said, I don't care what you're doing on Monday, you're going to be at that conference.
[00:08:00] I probably wouldn't have gone we probably wouldn't be talking to that.
[00:08:03] It takes those steps but right but it's getting out of your comfort zone all the good things happen in the uncomfortable in life and until you kind of shake into that zone it's just going to be status quo repeating itself so you know that's a huge step.
[00:08:16] It's a huge step. It's a huge trust in you know some of the leaders you know obviously Wes is a respected member of the community and certainly shares a lot of information, but they're doing over Empath is great him and Alex and the crew over there and, you know, having some, I won't call it sponsorship
[00:08:31] but having somebody over there that's willing to mentor you through that process the first time had to be amazing.
[00:08:36] That's kind of what we told him is, hey, we're, we're a group of young people young like literally we were like 2122 at the time.
[00:08:44] We know nothing but we, we have this really cool idea that we're really excited about.
[00:08:49] Please teach us everything you know I see what you've done at Perch, I can see it online. I went to the conference and it was like everyone in a purple shirt was a part of a cult that I wanted to jump into is like this is the weirdest thing ever like, teach me how to do that please
[00:09:02] I don't know anything about this.
[00:09:05] And I think there's a lot of wisdom in that especially for everyone listening, you just need to be a sponge, there's somebody out there who's just a little bit further ahead of you. And it's the, you're not trying to be them, you're trying to accomplish some of the things
[00:09:17] that they have.
[00:09:19] They're probably going to be really willing to help you. People love those who help themselves and you just need to demonstrate that, you know, and I've always been like you know of the go giver mindset also give to those whatever you can do for those that are
[00:09:29] helping you make sure you're trying to help them twofold going out the door as well because, you know relationships should be a two way street I think all of us have been in those, those take take take type relationships but if you really want to make it in this industry
[00:09:41] and it's what makes some of the leaders that that folks see every day. So awesome is they're always willing to share, they're willing to share with nothing no expectation and return.
[00:09:51] And, you know, they expect the returns just come through being good people out there in the industry helping educate. I also don't want to gloss over one other point that you even brought there a moment ago just for a quick second.
[00:10:01] Posting memes, doing something to stand out is critical. You know, I look at all the posts, I'm guilty of it too sometimes where it's just a vanilla response to somebody's, somebody's thing and if they're getting 67 comments, they're not seeing you right?
[00:10:17] Obviously you putting memes there kind of puts a little bit front and center and certainly put that fun part out on the table as well so awesome approach.
[00:10:25] Yeah, that actually came about completely by accident.
[00:10:29] A lot of things are organic right?
[00:10:32] Well, a lot of our decisions if people like why did they do that the answer to most of them is there wasn't an adult in the room. It's like that's literally it.
[00:10:40] So, somebody asked people ask us all the time why the hell did you guys wear purple life jackets to conferences and it's like, we thought it'd be cool. That was it that was the end of the discussion so we decided to bring we thought it'd be cool.
[00:10:53] We were going to have fun wearing purple life jackets and that was it.
[00:10:58] We knew we needed to stand out like there's all these other things we knew that we need to catch people's eyes and we'd be in the sea of vendors and our first conference but we thought it'd be fun. It's also why we make like weird, weirdly designed t shirts.
[00:11:11] It's why we like most of our online content is memes. It really, it's authentic for us. So that's what I would advise people to do is like, you have to stand out but make sure it's you, make sure it's you that's standing out not some version of someone else.
[00:11:26] Yeah, I mean you got to be authentic to your personality because it's impossible to fake it forever. Right. You know if it's not you if it's not embedded it's going to come out eventually that that's not the way you approach things.
[00:11:37] So let's kind of pivot a little bit from your background into you know what is Phin bring to the marketplace we've touched upon it a little bit but share with me you know really you know what's your mission and how does it help an MSP.
[00:11:48] Sure, so first and foremost there's two reasons why people buy awareness training one is a check the box exercise right whether it's compliance or cyber insurance or regulation or anything.
[00:11:57] The other is to create some modicum of increased security because your people behave in a more secure fashion.
[00:12:03] And the thing that most, most MSPs complained about when we started in this industry was.
[00:12:09] This is a really low margin activity for us right it's not an incredibly expensive part of your stack when compared to your RMM or other tools that you're like your EDR solution maybe you're doing a 24 by seven SOC.
[00:12:21] Those you not only have margin on but they're more expensive. So the question became for us. Well how do we make them like literally if they could click one button and have this do everything they wanted to check the box.
[00:12:33] That would be the ideal solution, because whatever little margin does exist they'd be able to retain. And what I found out later is that poor individual who happens to be the newest employee at that MSP no longer has to spend their entire time running awareness training campaigns.
[00:12:49] So, it was really just a huge focus on automation. Whereas what when I would go talk to founders of other awareness training companies there was this enormous focus on the content.
[00:13:00] And I always bring up this story, when I was studying math in college, I, I loved it. Like, the only reason I went to college was so that I could study math, I didn't need to go there for a career, I was flipping homes at the time like I'd mentioned earlier.
[00:13:16] So and that's what I thought I was going to do for the rest of my life. I was like, I just really like it. And anytime I would try to talk to anyone about the math that I was learning that like the stuff that got me up in the morning, like literally I'd wake up, I can't wait to get into class today I can't wait to go do my homework like it was I was that kind of nerd right.
[00:13:34] Nobody that the conversation would end right when I brought it up they'd be like, um, yeah my mom's calling me sorry gotta go but I don't want to talk to you.
[00:13:41] So, um, when I would go to the employees at these clients of these MSPs.
[00:13:47] And I start talking about talking to them about their cybersecurity education. I get the exact same response. It was just like, oh, I've been here before is like these, these people fundamentally don't care about this content in a lot of ways or it turns them off in such ways that they don't want to engage with it, or sometimes what I see their security folk have beaten them with a stick for so long that they no longer want to do anything.
[00:14:10] See that sometimes too. And so that that immediately cemented our focus on it's not going to be about the content it's going to be about the use case for the MSP, the MSP is going to click a button and then we'll figure out how we're going to make user change.
[00:14:24] Yeah, and that's probably you know the probably the next question I got for you, you know as an end user.
[00:14:31] A lot of them don't understand that they're one of the biggest vulnerability points in their clients environment you know you don't undersell the the fact that your software might be the lowest price in the stack it's also one of the most valuable from my perception because the human elements where most breaches come from and it's usually accidental right so when we look at things like that how do you how does your system really get those end users engaged so you don't have a lot of people that are just ignoring you.
[00:14:54] So you're not really doing the training and you've got this big gap now when you look at kind of that security awareness compliance when you're reporting to controls or cyber liability insurance.
[00:15:05] Yeah, absolutely. I'll start by saying we have a we have a ton of vision on where we'd like to take this so we're not the company we'd want to be like long term but we do do a lot of things correct right now.
[00:15:15] One of which is no logins for end users so there is no barrier to doing your training we've made sure of that there is a link that you could save like you can you can click on any link that we sent to you it'll send you to the right place at the right time whenever you need to.
[00:15:29] So there's no barrier the second is we focused like very deeply on the phishing simulation piece and that came from a philosophical honestly probably debate at this point.
[00:15:43] That not only we had with other security experts but we were having internally where my perspective on teaching users about how to recognize vulnerability was a concept that I call more scrimmages less batting cages.
[00:15:55] You know, everyone's gotten that dumb phishing simulation where they all get it at the same time it's set in such a way. It's set in such a way that you recognize it. Yeah, they're talking amongst themselves and diminishing the effectiveness of it.
[00:16:09] Correct. It is the exact behavior you want to incentivize so by the way I'm not upset that that that behavior exists it's like wow everyone's working together. That's great.
[00:16:19] However, they recognize that this was a phish not because it was a phish but because of the way that you orchestrated the test.
[00:16:29] So it's like some it's like you giving a test to somebody and they can get all the right answers because of something else you've already put on the test. It's like, okay.
[00:16:37] So what we wanted to do is make these super realistic phishing simulations and then not give them training after teach them what our platform did to edit that phish to change it for them specifically because we, you know, we have all of their stuff in the in the past and we can see that they clicked on gift card scams or they fell for appeals of authority.
[00:16:58] It's like all right, we're going to keep testing them with things that we think they're actually vulnerable to.
[00:17:02] That's it. That's awesome. Now, you know, I want to go back a little bit to though that maintaining compliance piece and forgive me on that obviously governance and compliance is a big part of my world. So I love that part of it.
[00:17:15] You know, what do you how does Phin help with those people that aren't clicking those links? As you said they can save them. They can go back to them later. Those links will be live for them and obviously they're unique to the individual.
[00:17:24] But how does like an administrator with that single click concept make sure that they're actually getting people to do the work and what can they do to kind of push them on that? Because that's where I see the gap really coming into, you know, Connor, he never clicks those links, but everybody else does. But he's a vulnerability for me, right?
[00:17:42] It's also a debate I have with the industry is like, well, just because I've not been phished so far doesn't mean I won't tomorrow.
[00:17:48] Something could happen in my life. We're human.
[00:17:50] We're all the best of us. You can be busy and see something and click on it and then go, Oh no.
[00:17:56] I get a lot of Slack messages through all the various, you know, Slack communities I'm a part of that are security experts. So like, I hate you guys. Like my company uses you internally because we give NFR accounts to MSPs.
[00:18:07] I've been trying to tell all of you just because you know security and just because you are technically able does not mean you're invulnerable.
[00:18:17] Unless you've escaped your biology, you're vulnerable. So please tell me, are you human or you're not?
[00:18:23] And you've never had a down moment or a mental distraction in your life, right?
[00:18:27] Or you never expected an invite to a SharePoint website or you never expected a package to show up on your front door.
[00:18:35] It's like those are super pedantic examples of phishes, but it's like you expect communication. Somebody could swoop right in and simulate.
[00:18:43] So on the reporting governance compliance piece, there's a couple of things. One is all users who have open training will continuously get reminders.
[00:18:51] You need to continue getting reminded. The second is per tenant, you can set up stakeholder reporting so you can actually send the list of we call it users to watch.
[00:19:02] But it's people who need their manager to step in and say, hey, next time that comes up, you need to go do it.
[00:19:09] So that the I don't think the MSP should be doing that. You're not their boss.
[00:19:13] You're very important piece of their business, but you're not the person that signs their paycheck.
[00:19:17] So that person should get a report. It's like, all right, I need to go email or I need to go walk into the office of these seven people because they're the reason we're not compliant with our training right now.
[00:19:27] And that's solved a lot of the problems.
[00:19:29] That's great. So, you know, we talked a little bit about, you know, the process.
[00:19:35] We've talked about some of your kind of, you know, concepts of how you came about doing it.
[00:19:39] Certainly, you know, easier is easier, truly, right? And getting there.
[00:19:43] Let's talk a little bit about what the future might bring for then, you know, what are some of the things that you're looking to accomplish, you know, over the next year or two?
[00:19:52] I mean, let's face it. None of us have a crystal ball that probably goes out much further than that in terms of products and features, right?
[00:19:57] It's definitely true. You know, I can sit here and claim that I do.
[00:20:01] But the reality is, you know, next week, next month, next quarter, I'm going to get new information. I'm going to.
[00:20:06] All right. I was wrong. Yep. We need to we need to move in this direction now.
[00:20:09] But here's the general direction. I actually think the industry needs to move in. So I'll talk about that.
[00:20:15] I'll talk about the industry. That's great.
[00:20:17] I think the awareness training industry, as it stands today, is a zombie.
[00:20:22] It's existed for 30 years, 25 years, something like that. Something very long, honestly, probably longer than I've been alive.
[00:20:31] And yet the problem of humans making mistakes that lead to security incidents has gotten worse every single year since at least the Verizon DBIR has been recording.
[00:20:43] And so when I look at that and I look at these other this industry, which is making billions of dollars a year collectively, it's like, hold on.
[00:20:50] It's like cybersecurity spend has increased dramatically.
[00:20:52] Awareness training spend has increased dramatically.
[00:20:55] We're all promising that we're going to, you know, teach people to recognize mistakes, to not make the mistakes and recognize what's going on.
[00:21:02] And they're making more of them every year.
[00:21:06] So I think there's something fundamentally fundamentally missing.
[00:21:09] And what I've said is, I think awareness training needs to move from check the box and into the inbox.
[00:21:13] So there are three business systems that every company has, virtually every company has, let's put it that way.
[00:21:19] That is some kind of email gateway slash firewall that's blocking malicious traffic.
[00:21:25] There is your training and your phishing, like simulations.
[00:21:29] And then there is your reporting and your triage.
[00:21:32] So those are all three business systems that exist.
[00:21:35] All three of them have information about what vulnerabilities users are exposed to in your organization and also what vulnerabilities they are actually going to fall for or recognize.
[00:21:43] And so what I'd like to see in the future and one of the things that we're building towards is those three systems should work together.
[00:21:50] Right. You should be feeding the phishing simulation data and the reporting data into the phishing, sorry, into your email gateway to look at, all right, what attacks are we currently fending off?
[00:22:01] And another way of phrasing that, what attack is going to get through at some point?
[00:22:06] It's not a perfect...
[00:22:08] It's going to fake out the email security systems because it happens, right?
[00:22:10] Yeah, it's a when not if mentality for a lot of reasons.
[00:22:15] The difference between legitimate and illegitimate communication is so narrow that it is impossible to block all of it.
[00:22:21] That's a statement my actually co-founder makes all the time.
[00:22:25] It's when I ask, why don't we just build an email gateway?
[00:22:29] He's like, no, here's the problem they're solving.
[00:22:32] We don't want to solve that problem.
[00:22:34] The difference between legitimate and illegitimate communication is impossible to distinguish.
[00:22:36] And so what I'd like to see in the future is like you can look into your gateway and you could say, all right, we're fending off these attacks.
[00:22:43] I can compare that with the phishing and the reporting data we have on users to create what is the vulnerable population to this kind of attack that we'll get through eventually.
[00:22:52] And we can do that through categorizing the phishes, categorizing the emails coming in onto the email gateway.
[00:22:58] And then we can start to actually give more scrimmages and less batting cages to these users that is very relevant to their life, very relevant to their experience so far.
[00:23:07] And we can do a very similar thing on training as well.
[00:23:10] We can say what training have these people received so far?
[00:23:13] What has their behavior been as a result?
[00:23:16] And then what do we need to train them on now?
[00:23:18] Because let's face it, at some point this attack is going to get through and we need them to be able to recognize that when it shows up on their door.
[00:23:25] So that's kind of the direction that we're heading in.
[00:23:28] We also get a lot of requests from MSPs where there is a ton of functionality that exists in enterprise awareness training that just isn't one click, one to many functionalities that's not super sexy to talk about because it's essentially saying,
[00:23:43] we're going to let you share a phishing template with all your clients.
[00:23:47] That's not sexy to talk about but it's something that they ask for.
[00:23:50] No, but there's truth to that.
[00:23:52] Between our MSP exit and me starting vCIOToolbox, I went to work big corporate for a little while so I was a VP at United Health Care.
[00:24:01] And they had different training sets depending on your role, depending on how you have to communicate out.
[00:24:07] None of it was sexy but all of it was required.
[00:24:10] No bonuses if you don't finish this was kind of what they had to hold us to it.
[00:24:16] But like you said, it wasn't sexy.
[00:24:17] Most of the managers around me who were down as in tune with cybersecurity were like, I can't believe I got to do this stuff.
[00:24:23] But it was a wealth of information that didn't need to be shared.
[00:24:28] Yeah, there's I think there's a lot of that left for the MSP industry still.
[00:24:32] Or rather our MSPs have told us a lot of valuable things that we should be building for them and we are just a mountain as you know, it's a mountain of work to get through.
[00:24:41] And I'll close with if you're watching the news as we record this United Health Care's change division had a user error lead to a huge breach that's costing them millions.
[00:24:51] Yeah, it's just those are the interesting things that do come out of not having that human element protected.
[00:24:57] I made a LinkedIn post yesterday and one thing I'm very, very careful about is I never promise that if you use us you won't get hacked.
[00:25:07] None of us can promise that right?
[00:25:08] No, and I've I'm friends with people who eviscerate vendors who do that.
[00:25:13] I love to watch it because I'm like, oh, grab the popcorn.
[00:25:15] This is it's like watching a fight.
[00:25:17] And so I forget where I was going to take that honestly.
[00:25:23] No, it's all good. I'll take it one way.
[00:25:25] You know, the only way to make a network totally secure is unplug it from the wall turn everything off.
[00:25:29] Right? I mean, it's just a reality.
[00:25:31] Things are going to come through. People are going to do what they do.
[00:25:33] And it is a more of a when or you know, when then if situation.
[00:25:38] Yeah, I think that's why you're also seeing spend going up because CEOs and owners are starting to look at this as a risk based problem and not a it could happen fear uncertainty and doubt problem.
[00:25:47] What I'm what I had meant to say was in that specific point, some of it like I think it was actually the exact United Health Care Group.
[00:25:54] I was reading up their public statement and then some security practitioners interpretation of it.
[00:25:59] And my response was the following is like, you know, what would have stopped this?
[00:26:04] A phone call. It's like employee picks up the phone.
[00:26:08] Hey, did you you mean to do this to me?
[00:26:11] And I was like, all right, how are we at a place in cybersecurity where a multi billion dollar company and I know why we're here.
[00:26:18] I'm not trying to know.
[00:26:20] It's because that person's afraid to make that phone call because they think they're going to get a punitive problems going to happen to them.
[00:26:24] At least that's my perspective.
[00:26:26] That's definitely some of the motivation.
[00:26:27] I still hear that a ton.
[00:26:29] Horrible, horrible practice.
[00:26:31] I hear of companies who tie people's compensation to their performance on phishing and training, which is and it's like, you know, that's a great.
[00:26:38] You know what? That's going to motivate them to do.
[00:26:40] Never talk to your security team ever again.
[00:26:44] 100 percent.
[00:26:46] That now that's that's phenomenal.
[00:26:48] I think you've got to put the right culture is putting one where people can self report when they've done something because as we know the early and I think that's got to be part of the education.
[00:26:55] I'm sure it's part of yours that you're putting out there.
[00:26:58] The earlier we can get in front of a problem, the less the compound effect will be by, you know, I'm sure 10 X factor or something on that order.
[00:27:06] So giving people that ability to go, oops, I think I did this without repercussion is going to help foster that open dialogue that we all need to have when we're trying to combat these threats.
[00:27:16] You almost need like a see something say something culture like you see at the airport with TSA because, you know.
[00:27:24] A question, a question that a lot of help desk employees ask when somebody says my computer's acting weird.
[00:27:30] It's like, all right, tell me one of two things.
[00:27:32] Is there some weird black little window that has text that doesn't look recognizable scrolling on your computer right now?
[00:27:39] No. OK. Is your mouse moving and you're not moving it?
[00:27:42] No. OK. Just restart your computer.
[00:27:44] But what are these two questions getting after?
[00:27:47] It's like there's something going on that's evident and it's evident to somebody with a smidge more experience and understanding that there's somebody else controlling your computer or something else doing it.
[00:27:58] Yeah. And I think the other part needs to be educated is if you self-report some of these things, your security team is going to love you.
[00:28:04] They're not causing them more work. You're saving them from the stressful work that can come down the line later.
[00:28:09] There should almost be like a reward program.
[00:28:12] This person reported four actual security violations of our security and it's not like a...
[00:28:18] Something akin to a bug bounty kind of thing, right?
[00:28:21] Yeah. Let's keep it bug bounty, not like Red Scare pre-World War II America.
[00:28:27] We don't want to be spying on our neighbors and stuff and big brother is always watching because that again, that denigrates your culture.
[00:28:32] But what you do want is that bug bounty like, hey, we're all working together to do something really cool and to help out the company.
[00:28:39] Awesome. Well, we're getting near the end of our time together, Connor.
[00:28:43] Before I share some of the places you're going to be, any closing thoughts from you that you'd like to share with the community?
[00:28:48] Any closing thoughts?
[00:28:50] It's OK if there's none.
[00:28:51] It's OK if there's none.
[00:28:56] I'm trying to say that, you know, I always...
[00:28:58] I'm really passionate about talking about business culture and whatnot and startups.
[00:29:05] It's just it's the life I've chosen or, you know, some say it's the life that chose me.
[00:29:10] I would say hating your job is not enough of a reason to start an MSP.
[00:29:15] So you should you should really dig down into most of the reasons.
[00:29:21] I guess most of the good reasons that I see people starting MSP is not only did they want a little bit of individuality, like they wanted to control their own destiny.
[00:29:28] They also wanted to have an impact on a community.
[00:29:31] That community happened to be where they lived.
[00:29:33] You have a skill set or you believe you do, but not many other people have.
[00:29:37] Turning that into a business is sometimes the best decision, sometimes the worst decision you could ever do.
[00:29:44] There's my advice.
[00:29:46] Awesome. Well, Connor, I really want to thank you for joining us today.
[00:29:50] Folks, if you want to learn more about Phin, they're going to be out at quite a few trade shows over the course of the next month or so.
[00:29:56] Go visit them at Pax8 Beyond, down at Flow at Roos like we said, and then we'll all be down at IT Nation Secure.
[00:30:02] So love to see folks and I'm sure Connor would as well stop by and say hello and share what you thought of today's podcast.
[00:30:08] To get this podcast, you can download it anywhere you get it on the web as well as watching it up on YouTube.
[00:30:14] Go up there, check it out and subscribe.
[00:30:16] Connor, I really want to thank you both for coming on the podcast.
[00:30:19] And certainly we've enjoyed working with your team as we start building out an integration to you and partner a little bit deeper as well.
[00:30:25] But thank you for joining me today and I hope to see again when we're down in Florida.
[00:30:29] Thanks for having me, Brian. It was a blast chatting with you.
[00:30:32] You bet.


