Listen to MSP Business School on the Fox and Crow Group Your IT Podcasts Network!
[00:00:03] Welcome to MSP Business School led by our deans of business development, Brian Doyle, Tim McNeil and Rob Rogers.
[00:00:11] Each week MSP Business School is committed to delivering you proven strategies, tips and tactics for MSPs to accelerate their business growth and revenue through better sales, better marketing and true account management.
[00:00:27] Classes start now so let's get started. Let's throw it to the deans.
[00:00:31] Hey everyone welcome to the latest installment of MSP Business School. My name is Brian Doyle and I'll be your host today.
[00:00:41] Today we're going to really be talking about the opportunity to build an advisory program and how to build a vCISO as a service offering for your customers.
[00:00:52] But before we kick off there, I want to share with our loyal listeners because I had a few of you reach out to me with some questions.
[00:00:57] We do know it's been a few weeks since we've been on the air here and we apologize and certainly appreciate your caring and understanding first.
[00:01:06] Thank you so much. We're going through some transitions here at MSP Business School. You may notice that I'm without a couple of people today.
[00:01:15] First and foremost, I want to share that Rob Rogers needs to step back from the podcast right now and really focus on his primary business OSR as well as some of the requirements over at Sales Maturity.
[00:01:28] So he's taking a break from being part of the podcast and I wish him the best as he moves forward. I can't thank him enough for the help and support in building this podcast over the last few years as well.
[00:01:41] Tim McNeil will still be joining me on certain sales topics as well. Similar to Rob, there needs to be a focus on some of the work that they're doing over at OSR.
[00:01:50] But Tim will be joining me from time to time on sales-based topics as we expand some of the curriculum here on MSP Business School as well.
[00:01:58] And I look forward to having Tim join us again in future podcasts as well.
[00:02:02] And similar to Rob, I can't thank him enough for being part of this process. We kicked this thing off as something to keep us connected during COVID.
[00:02:10] We didn't expect there to be as much response as there was. Certainly didn't expect to get as many people downloading the episodes as we've had the opportunity to do.
[00:02:19] So we really want to thank everybody that has been a supporter of the podcast over the course of the last three years thus far.
[00:02:26] And I will say, but don't worry, we're not stopping here. We're absolutely keeping the podcast going. I will be the primary host moving forward of the podcast.
[00:02:35] We will have topics like today where I'll be your sole speaker, still bringing some of that education to the forefront.
[00:02:41] And we'll continue to bring on guests as well so we can share the stories of those that are out in the MSP's world dealing with the same business problems as many of you were dealing with as business owners as well.
[00:02:52] So again, I really want to thank you all for being loyal listeners. I promise you we're back to our week to week format going from here.
[00:03:00] We won't have any long periods of missing weeks. We may skip a holiday or two in there.
[00:03:06] But overall we're back on course with MSP Business School and as time moves on, we'll be sharing some new innovations that will be part of our curriculum here as well.
[00:03:15] As we look to expand the types of content that we bring to you and the ways that we can hopefully share our stories and the lessons that we've learned in the MSP space as well.
[00:03:25] So with that, now I will transition into today's topic, which is really building MRR opportunities through a vCISO program.
[00:03:35] Many of you are starting to move towards building fractional vCIO programs on top of what you're doing from a pure day-to-day QBR perspective.
[00:03:48] But now there's really a huge opportunity for us to expand on it.
[00:03:52] And what's really driving that opportunity is the changing landscape of the MSP world, right?
[00:03:58] If we really look at the evolution of what we're doing for our clients, there's been a lot of change.
[00:04:04] This is a very cyclical industry. I've been in it since the late 90s as far as being in an IT services realm.
[00:04:14] And we've seen it go from product driven approaches where we were selling big boxes and making huge percentages and really educating our customers on what they could do with these tools.
[00:04:25] The early days of the MSP was as much educating the clients as to why they need it as how they were going to utilize it.
[00:04:34] And certainly that shift changed as more and more people became comfortable with IT.
[00:04:41] We then moved into the MSP generation, with managed services really launching in the early to mid 2000s,
[00:04:49] and people starting to add basic-level services like monitoring systems on top of that.
[00:04:55] But in those processes we became more of a trusted advisor.
[00:04:58] You know, we shed that hourly burden and that project burden and our customers just calling us in when there were problems
[00:05:05] and really started embedding ourselves into their business.
[00:05:08] Obviously from there we evolved into cloud-based technologies.
[00:05:12] The AWS and Azure scene came upon us.
[00:05:14] And now we're really in the era of security and innovation, right?
[00:05:19] We see our customers are having more advanced security requirements.
[00:05:23] We're seeing certainly the hackers continuing to stay one step ahead of where we are today.
[00:05:28] And we're really starting to see that they need support in building this out because things like obtaining cyber liability insurance are becoming much harder.
[00:05:36] More importantly claims are not being paid as readily if there's not full forthright honesty happening at the time of application.
[00:05:46] So we need to play more of a guiding role with our customers and really this is kind of the precursor into what we're doing today.
[00:05:54] Other things that are driving advisory services are obviously the emergence of AI, right?
[00:05:59] We're all looking at ways that we can leverage AI for our customers.
[00:06:03] We're seeing the different ways AI can be played.
[00:06:06] ChatGPT continues to evolve.
[00:06:09] Other AI sources are continuing to evolve and we're even seeing our industry starting to launch out AI based companies and the funding going into those as well to launch those vendors into the marketplace.
[00:06:21] So we know it's something that's going to be with us.
[00:06:24] It's going to continue to evolve and we're going to be looked to as a service provider community, not only to implement the tools,
[00:06:29] but to bring the advice and show a customer how to bring this all together.
[00:06:34] Extended business analytics is going to continue to be needed.
[00:06:38] More automation is going to be needed by our customers.
[00:06:42] So we're really transitioning finally out of that break fix experience, out of that lift and shift experience and truly into an advisory role.
[00:06:51] So you know that's a big part of what's driving the advisory opportunity for our customers.
[00:06:57] And if we really want to talk about why advisory services, you have to go no further than a study that Jay McBain from Canalys has done.
[00:07:06] He had noted that in 2021 there was an overall $3.5 billion market share going through technology.
[00:07:17] The channel was going through $2.1 billion of it; we're receiving $2.1 billion of it.
[00:07:23] And that share included things like the sale of software, the sale of hardware, the sale of subscriptions, all that kind of good stuff.
[00:07:32] Now that's projected to double by 2031.
[00:07:35] At that stage we should be hitting a $7 billion global market share for IT services.
[00:07:42] But the channel growth is only going to go from $2.1 billion to a projected $2.31 billion.
[00:07:48] And why is that? Well, we've all seen it. There's an emergence of marketplaces that are coming in that our customers can buy from.
[00:07:56] We're certainly seeing the hardware vendors going more direct in certain technologies and taking ownership of those client relationships.
[00:08:03] And the channel while still getting those dollars isn't going to be involved as much in the product side of it.
[00:08:09] But the good news is we're expected to facilitate 90% of those deals.
[00:08:14] So what does that really mean to you?
[00:08:15] This means high margin service-based opportunities that you can deliver to your customers with these tools that are going to be part of this market share driving need
[00:08:26] and really be the advisor that implements and helps support and define these projects as they go in.
[00:08:33] So there's a really huge opportunity, a growing opportunity within the market space.
[00:08:39] So when you think about that, there's another reason that you might want to get into the game and it goes beyond just why advisory services and the macroeconomics.
[00:08:49] But let's just go into what compliance costs an end user company.
[00:08:53] Assessments are not cheap. Maintaining compliance is not cheap.
[00:08:58] And for those regulatory bound, this is an annual exercise.
[00:09:02] To give you a sense of what that looks like, standard CMMC and NIST 800-171 audits can cost anywhere from $20,000 to $60,000 for a full audit.
[00:09:14] And these suppliers have to do that in order to ensure that they can maintain their government contracts.
[00:09:19] About $15,000 to $35,000 of that cost, though, is being spent on readiness.
[00:09:28] And readiness includes pre-assessment prep, the tools that they need to solidify the environment, the reporting controls that they need to illustrate there,
[00:09:38] and certainly the prep work to get ready for audit.
[00:09:41] And that's really an area where the MSP or MSSP can play as well.
[00:09:46] When we look at some of the other audit concerns out there, you know, HIPAA gap assessment there can be anywhere from $20,000 to $30,000.
[00:09:55] A full HIPAA audit can be anywhere from $20,000 to $50,000, and a validated HITRUST assessment can be anywhere from $60,000 to $120,000 depending on the scope of the assessment and the size of the organization.
[00:10:08] And there are certainly plays there for the MSP in getting some of the IT-based controls that need to be part of that assessment organized and working properly to share with the customers.
[00:10:18] SOC2 has a range of anywhere from $5,000 to $60,000 for the formal audit and $15,000 is being spent on readiness.
[00:10:26] And that's a huge area again for MSP opportunity.
[00:10:30] But even standard frameworks like CIS and the new NIST CSF version 2.0, those assessments cost anywhere from $5,000 to $15,000.
[00:10:41] And those are now being conducted just to help companies build stronger cyber programs, finally implement that governance layer into their business, making sure that they're looking at policies, procedures, controls on a regular basis
[00:10:54] and making sure they're reducing their risk profile as much as possible.
[00:11:00] And, you know, on top of that, those customers need these things done to better align to what is required by cyber liability insurance.
[00:11:09] Everybody wants to make sure that when the "when, not if" happens, their claim can be paid out and they are protected financially.
[00:11:18] So you've got to be completely honest in those surveys and understand where your gaps are and work to improve them.
[00:11:26] The second component of that is we're even seeing cases when they're large enough being brought to court under the concept of insurance fraud.
[00:11:35] Let's face it if you didn't have a control and a claim was paid and you took that claim payment and then it was discovered later under forensics that you really weren't doing what you said to do.
[00:11:45] Now you potentially face even bigger picture legal charges.
[00:11:49] So when we look at this whole compliance bubble that's out there, and there's certainly a lot of hype around it these days, I'm part of that hype engine with vCIO Toolbox.
[00:11:58] But all kidding aside, when we look at what's going on there, more and more of us need to be governed by some sort of cybersecurity program.
[00:12:05] These compliance costs can be great, but the MSP can streamline the process and really help their customers achieve the compliance that they require.
[00:12:16] So how do we do that? Well, it's really simple. We can build out a vCISO as a service program.
[00:12:23] Now this can be done either in house or outsourced.
[00:12:28] You know we're certainly not saying now you need to staff up and make this happen.
[00:12:33] You can buy the service from vendors that are out in the marketplace.
[00:12:37] If you need some referrals or references on some of those please feel free to reach to me directly.
[00:12:42] But the reality is this is a program you can build internally or use an external partner but there's an opportunity to create new MRR revenue streams for you from those relationships.
[00:12:55] But what are the simple key objectives of that vCISO role?
[00:12:59] Well, one is to work with a customer's team on building a comprehensive security plan, and it's best practice to leverage some sort of framework to help you stay organized.
[00:13:09] It's identifying where risk lives within that organization.
[00:13:14] That risk may come out of the framework assessment, but it could be things like demographic, socioeconomic or weather-based items.
[00:13:23] It's funny, I used to talk to my customers regularly about how, hey, here on the East Coast earthquakes are not a big concern for us.
[00:13:32] But certainly on the west coast there are much higher impact and likelihood of those occurring.
[00:13:37] And a few weeks ago we had a 4.8 magnitude earthquake here in the northeast so we had to step off of that and really say look those impacts and likelihoods might rise and that might seem to be something we need to change in a risk management process.
[00:13:49] But ultimately we want to marry that framework risk and the risk we identify by external sources into a simple risk profile so we can really see what those impacts and likelihoods might be for a customer and get a better understanding of what risks are facing and how to manage and mitigate that risk long term.
[00:14:06] This really leads also into building that program of security governance as part of our role.
[00:14:11] Here we need to understand and really make sure that we're reviewing policies and procedure making sure they're up to date.
[00:14:18] Making sure they're still valid for the way we're operating as new innovation comes into our organization.
[00:14:25] And finally we need to identify where the gaps are in our program and create that plan of action.
[00:14:30] You can't beg for forgiveness if you're not out there trying to make things continuously better.
[00:14:36] We all don't have unlimited budgets but we have to prioritize we have to determine how we're going to build this plan of action and we have to show we're sticking to that plan of action.
[00:14:46] Should we need to prove that out for any regulatory requirement.
[00:14:50] So those are some of the key objectives. Let's talk now about what the responsibilities are for the vCISO. Things start with people and policy.
[00:15:01] One of the first things you need to do if you're launching a vCISO as a service program is really go in there and identify where policy and procedure gaps exist within your clients.
[00:15:12] Do a full policy audit see what policies they have and see how that compares to the policies required by various frameworks and in where they have gaps start developing a plan of action to get those policies into place.
[00:15:26] We also want to make sure that those policies are reviewed periodically, so we want to build a review cadence that we can implement and make sure that the right people from the customer side are part of that governance process.
[00:15:38] I suggest building almost an internal security council there.
[00:15:43] We also want to track acceptance of those policies in this portion of the relationship.
[00:15:50] Do we have signed-off AUPs or end user agreements from our end users? Have officers signed off on the policies that have been implemented?
[00:15:59] We need to make sure that that has been formalized as well within the organization and we want to evaluate you know assess and evaluate employee cybersecurity training and look at some of those phishing results and make sure that they're doing well.
[00:16:13] We want to make sure that their team is well trained as well, and that we're helping educate the people as to what to look for, what not to click on, and if they do click on it, we're having the right type of constructive one-on-ones to help get past that problem.
[00:16:27] But also developing into our policies an exit plan if we have continual repeat offenders that are ignoring the policies. So the vCISO can really come in there and help organize the gathering and build-out of the governance layer.
[00:16:40] Get those policies and procedures documented, set out a cadence of review, and make sure they're implemented appropriately across the entire organization.
[00:16:50] A second responsibility of the vCISO is really building out and maintaining architecture, tools and training. Now, some vCISOs are going to be more technical than others.
[00:17:03] Some vCISOs will be relying on sysadmins and security analysts that they have on their team as well.
[00:17:10] But what we do need to do is make sure that on a regular cadence, I suggest annually, we're looking at the tools and we're looking at the architecture that's in force for the customer and making sure that we don't have gaps in what is current in the environment today.
[00:17:26] Do we have any outdated infrastructure that no longer can bring in new technologies like advanced UTM, EDR, MDR, things like that, that we might have to swap out to bring a better set of tools in?
[00:17:39] Do we know if we have the right architecture built to really protect different areas? Do we have areas that we should be putting into a demilitarized zone?
[00:17:48] Have we done proper segmentation of the network.
[00:17:50] Do we have our data classified and do we have data separated logically for our internal users.
[00:17:57] We need to analyze that architecture on a minimum of an annual basis to make sure that those i's are dotted and t's are crossed.
[00:18:04] We certainly want to look at the user community at this standpoint too, and go into tools like Active Directory or Entra and make sure that the right rights and least-privilege rules are in place and being utilized for the organization as well.
[00:18:17] And when you look at that current security tool suite, really the tools that are most critical to review annually are things like vulnerability management, network access control, your endpoint protections, your breach detection and eradication tools,
[00:18:34] your auditing and compliance tools, any IDS or IPS that you might have in the environment, and of course maintaining that your security awareness training is still relevant and the courses that are being distributed are speaking about the threats that we're currently facing.
[00:18:49] So you see that the vCISO's responsibility is kind of both at the architecture or infrastructure level but also at the advisory level, and we're kind of the ones managing and quarterbacking those worlds to make sure that the right resources are in place at all times for our customers.
[00:19:06] The third area that we need to focus on is really governance and compliance.
[00:19:11] Oops.
[00:19:13] So you'll see here from a governance and compliance perspective. We want to look now at our cybersecurity posture against common frameworks.
[00:19:21] If your customer is bound by a regulatory framework, we can build that into the program. If they have multiple frameworks, let's say they're a Department of Defense contractor that's also healthcare based,
[00:19:31] they may require NIST or CMMC plus HIPAA as guidelines and frameworks that they have to apply to.
[00:19:38] And we need to make sure that we're helping them build against those paths, that they've got the right tools and controls to support those audits, and that they're building out those frameworks and really managing to those frameworks throughout their process for ease of audit as well.
[00:19:54] We want to create best practices in separation of duties and access restrictions throughout the environment as well.
[00:20:00] I mentioned least privilege earlier but we also want to make sure that duties don't overlap.
[00:20:05] That credentials aren't given just because of hierarchy within an organization, and make sure that we've got that best practice implemented.
[00:20:14] We want to understand all the pain points being felt by the organization.
[00:20:18] These can be business objectives and business challenge pain points as much as security pain points because those challenges at the business level translate into some of the security initiatives.
[00:20:30] They have to be put into play, or at least we have to make them considerations as we implement security and really try to walk that tightrope of balancing
[00:20:41] where we are in terms of locking down systems versus actual usability and being able to do the things we need to do with our clients.
[00:20:48] And then ultimately we've got to build that future state plan, that plan of action that's going to address how we're going to mitigate those gaps and try to reduce that risk profile over time.
[00:21:00] Those are some of the approaches and responsibilities. In terms of pure deliverables, I really put them into four different columns.
[00:21:07] We have some strategic deliverables. We should be participating in executive meetings; if we're not there at the table in the vCISO role, we're going to miss those things that might impact how security needs to be designed, architected and supported.
[00:21:20] We should be part of building out the IT strategic plan and really developing and leading that process with the customer, and then we need to be doing annual updates to that service plan, which includes that plan of action that I spoke of earlier.
[00:21:35] From a policy level we need to be building out those policies and reviews whether we're building the new policy and developing that directly or working with their teams to do that new policy to fill those gaps needs to be integrated.
[00:21:48] And if those policies haven't been reviewed in a long time, they have to be reviewed, and it has to be determined whether or not they're still valid for today's emerging security threats.
[00:21:59] We should be responsible for security program oversight. They're not going to look at that; we need to maintain it and see that people are taking their training.
[00:22:08] And if they're not taking their training, we really need to be the whistleblowers, working with their team to get those people in line and working on getting that training completed so they don't become a threat.
[00:22:20] And then we should layer in some social engineering experiments throughout the year and really see if we can get those credentials or pull that information from a customer that we wouldn't want them giving away, in a safe, appropriate manner.
[00:22:34] From a program point of view, our vCISO program should be a cyber defense program for the customer. We should be looking at defense-in-depth methodology, making sure we've got the right systems to help support that architecture and that we've got a way to identify,
[00:22:52] detect and then ultimately eradicate any issues that are identified from a security perspective within the environment. And that also means the development of an incident management and response program.
[00:23:05] If you're not doing tabletop exercises with your customers but you're acting as their vCISO, you're not doing them justice. These tabletop exercises really give you an opportunity to work out the incident response plan, identify where those gaps might be, either in the communication plan
[00:23:22] or in the actual tactics we need to take to eradicate that threat and mitigate that risk, and we need to implement that into the plan. And then I've got most of my vCISOs that are working with us now taking on the responsibility of vendor risk assessments as well.
[00:23:38] We've all answered as MSPs those due diligence questionnaires and now we should be responsible of helping our customers get those to their clients, identifying those risk profiles, and then ultimately even getting an opportunity to work with those vendors to hopefully increase their posture.
[00:23:56] So you know if you can get to this level there's even an element of potentially building your business through that with new labels.
[00:24:02] Finally, the last thing we need to be doing as a vCISO is really testing. We have to be out there making sure that we're looking at the asset configurations, that they're hardened to best practice and standards in the industry today, and that we have those secure configurations both implemented and backed up.
[00:24:21] So if we do have an issue, we can implement those last-built configurations quickly into the environment.
[00:24:28] We need to be doing external vulnerability assessment and keeping that a continual process of understanding where vulnerabilities sit throughout the year.
[00:24:38] And then we need to do annual pen testing to really go deeper past what the vulnerability scanners can pick up and do that more in-depth test to see where the true vulnerabilities might be, especially if you're working with an application-based vendor.
[00:24:52] And internal vulnerability and penetration testing needs to be part of that equation as well, because as we all know, most threats come from inside, not outside.
[00:25:02] Building that strong human firewall is part of this program, and make sure that you're identifying where those gaps might be internally.
[00:25:09] So as I mentioned earlier the advisory opportunity is real. There's a huge opportunity now for us to get out there and create some new revenue streams.
[00:25:18] Take those big dollar amounts I talked about earlier in the process and see how you can productize that and break it down into monthly chunks with a little bit of an uplift as well for the services you're going to provide here.
[00:25:30] And build that into your security stack as you go out to market.
[00:25:35] I want to thank everybody for listening today and you can get this podcast anywhere that you download your podcast to include Apple and Spotify.
[00:25:43] Of course, we're up on YouTube as well. If you want to watch the visual side of these things, please feel free to go to our YouTube channel at MSP Business School and you can see all of our videos there.
[00:25:56] If you have any suggestions for new topics you'd like us to cover, please reach me directly at B Doyle at vCIO Toolbox.
[00:26:04] I'd love to hear what you guys want to talk more about and bring that into our equation as well.
[00:26:08] I want to thank you all for bearing with us as we went through this transition period. We'll be back here every week going forward.
[00:26:16] I'm excited to be doing this and continuing on the MSP Business School brand and I tell you we have a lot of great guests coming up in the next few weeks.
[00:26:24] I'm looking forward to sharing those with you.
[00:26:27] So I want to thank everybody for joining me today and have a great week. Go get them.