Preventing Cybercrime Why Every Business Needs to Prioritize Cybersecurity
MSP Business School, April 30, 2024


In this episode of MSP Business School, host Brian Doyle talks with cybersecurity expert Matt Quammen, President of Optimize Cyber. Together they walk through the world of cyber protection and why safeguarding businesses matters in today's digital age. The conversation takes listeners through vulnerability scanning and penetration testing and the distinct roles each plays in maintaining a robust security posture.

Quammen emphasizes the importance of remembering 'why' businesses must prioritize cybersecurity: to prevent the crippling financial losses that cybercrime can inflict. That 'why' is the guiding principle behind all of Matt's security work and drives his advocacy for simple yet effective security strategies. Using his three pillars of cyber risk (IT and security management, cyber insurance, and risk management), the two discuss how each element strengthens a business's defense against cyber threats. They also examine in detail why a penetration test must be a manual, professional exercise rather than an automated vulnerability scan, and why remediation guidance tailored to the client's environment matters.

Key Takeaways:

  • Cybersecurity should be underpinned by a passion for protecting businesses from financial losses due to cyber attacks.

  • Simplifying cybersecurity for business owners is essential; focus on practical measures like Multi-Factor Authentication (MFA) and password management.

  • A comprehensive approach to cyber risk involves 24/7 IT and security management, cyber insurance, and risk management through regular audits and third-party tests.

  • Penetration testing, as distinguished from vulnerability scanning, must be a manual effort to emulate the behaviors of real-world attackers.

  • MSP businesses can expand their services and value to clients by becoming the 'governor' of cybersecurity, orchestrating the right tools, processes, and partnerships.

Apr 27, 2024

Show Website: https://mspbusinessschool.com/

Guest

Matthew Quammen, President | Optimize Cyber
LinkedIn page: /matthewquammen

Company website: https://optimizecyber.com/

Hosts
Brian Doyle:
 https://www.linkedin.com/in/briandoylevciotoolbox/

Listen to MSP Business School on the Fox and Crow Group Your IT Podcasts Network!

[00:00:03] Welcome to MSP Business School led by our deans of business development, Brian Doyle, Tim McNeil and Rob Rogers.

[00:00:11] Each week MSP Business School is committed to delivering you proven strategies, tips and tactics

[00:00:18] for MSPs to accelerate their business growth and revenue through better sales, better marketing, and true account management.

[00:00:27] Classes start now so let's get started. Let's throw it to the deans.

[00:00:31] Hey everyone, welcome to the latest installment of MSP Business School. I'm Brian Doyle and I'm excited to have you all here joining us today.

[00:00:45] But besides myself, more importantly we have a special guest today. So I'd like to welcome to MSP Business School Matt Quammen, President of Optimize Cyber.

[00:00:55] I got to know Matt a little bit over the last couple of weeks and he is definitely a personality you want to get to know.

[00:01:02] And certainly a smart person within the security space that can share a lot to help you improve the services that you're delivering as well.

[00:01:10] So Matt, welcome. Thank you so much for joining me today.

[00:01:13] Thank you, Brian. That's hard to live up to, but I appreciate the false kind words.

[00:01:17] No, not at all. Matt and I had a podcast before the podcast when we met each other.

[00:01:22] So, you know, I was like, yeah, you need to come on here. This is some good information that I think needs to be shared.

[00:01:29] So really appreciate both conversations now Matt and thank you for joining.

[00:01:34] I'd love to kick things off though and certainly the listeners love to understand who is talking to them on the other side.

[00:01:42] So maybe you can tell us a little bit of your backstory, how you found your way into IT and then of course to the crazy world of MSP/MSSP as well.

[00:01:49] Well, I didn't know I was joining the IT world. I got drafted in 14 years ago.

[00:01:56] Basically somebody recruited me into Oracle and I started out doing technology applications there. At the time I did not love technology.

[00:02:08] Frankly I still don't love technology just for its own sake, but I do love what technology can do for businesses.

[00:02:15] About eight years ago I started my security journey. Same thing: I was drafted, said I'm not a security guy and don't want to do it, but was talked into it, and within about two weeks I fell in love with the industry and I've never looked back.

[00:02:32] So, you know, it's funny that you talked a little bit about getting drafted. I think a lot of us found our way into technology accidentally.

[00:02:39] You know, there's obviously a whole grouping that went for it directly, but a lot of us, you know, fell into that trajectory of, hey, some opportunity presented itself and we got an attack.

[00:02:49] I had no intention of being in tech. I was actually computer averse when I was a kid, and then, you know, I fell into tech and I fell in love with the people, I fell in love with the concepts, and just like you, it's all about delivering a better outcome for people, right? So if you kind of have that in mind, and that concept of being a servant to the people that you're working with.

[00:03:09] It's always been a big part of, you know, what drove me. But what I'd love to learn a little bit is, you know, what makes you love security, because security can be a dry subject sometimes but it can also be a challenging subject.

[00:03:22] Well, I agree. I love simplifying it for business owners. You know, my personal story with security.

[00:03:29] This goes back to my dad's HVAC company. Growing up, my dad had a mid-size HVAC company in Minnesota and, you know, we weren't the Rockefellers, but he was certainly a successful entrepreneur for a couple decades.

[00:03:47] It came time for him to exit the business, to sell the business, and what happened was people he was negotiating with stole the client list, which, you know, for an HVAC distributor, for an HVAC service provider,

[00:04:04] is probably the most valuable asset that the business has. So that was stolen and people put up a competitor two miles away.

[00:04:13] Ultimately, and again I don't care about technology for its own sake, but that theft devalued his company by about 50%. So half of his life's work was really stolen overnight. So this is before ransomware attacks, before anything really in terms of cyber crime, data security incidents,

[00:04:43] especially in the SMB.

[00:04:47] And it greatly affected his life. And yeah, so that's my passion for it. When I started in security I had some great leadership that taught me a lot of things, and I quickly put those pieces of the puzzle together that, well,

[00:05:03] this is what happened to my dad, but it's happening every day to SMB and mid-market enterprise companies in the US.

[00:05:14] So that's my passion. You know, hopefully Optimize Cyber can help every business owner out there, but regardless I'm here to help individuals and business owners and share knowledge.

[00:05:28] A lot of pro bono knowledge, because I frankly want to help people like my dad, like that business, avoid the same kind of outcomes that I saw him go through.

[00:05:42] And that's it, you know, that's the beautiful thing about this industry too, Matt, right? There's a lot of people that are here to serve and here to share. That part about thought leadership is really what, you know, is critical in this industry. You know, people buy from those that they know, like, you know,

[00:05:57] they can trust, but more importantly, we need to help educate others to what we know that they might not know too, right? It's the reason we do this podcast, hopefully filling in the gaps for some of our customers, you know, that are out there that just don't, you know,

[00:06:11] know the topics that we're doing. But you know, when we look at that thought leadership piece, it's critical to have that happy balance of what should be free and what should be for a fee too, and, you know, we'll get into a couple of your

[00:06:26] early approaches in a few moments, but before we head there, something that you said earlier kind of stuck with me. You know, you fell into security, and then you fell in love with it. A lot of our listeners are trying to make that crossover from, you know, traditional

[00:06:41] conversations into cyber security. Maybe you can talk a little bit about what that original experience was like and what you were tasked with at the start of your cyber security journey. Yeah, well, first let's.

[00:06:53] First I should address who, like, if you don't have a passion for security, you should not be in security. We need more people in this fight. But if you don't wake up in the morning and get excited about being able to help American

[00:07:09] entrepreneurs, or, you know, whatever your listeners are, Australian entrepreneurs, secure their business, their dream, then you should not be in this. You got to remember the why, right? The why any of us should be in this industry is to help people

[00:07:27] who have financial losses prevent losing their business to cyber attacks. If you start from that premise, the how and what gets super easy, right, because you're mission focused. And I believe that customers and business owners understand

[00:07:47] people who have a cool new tool that you should buy. Maybe they even really believe in the tool. No one wants to buy a new tool, no business owner wants to buy a new tool. But they do care a lot about safeguarding their company from cyber attacks. It's all over the news, and it's a real

[00:08:05] threat. So, making that pivot. First, tell your clients, tell your prospects why. Why do we need to talk about IT security?

[00:08:16] And that why is to keep their business open and keep them safe from there. I would say the fundamentals are not.

[00:08:26] It's not rocket surgery in terms of the free stuff and the fundamentals you have to do. Let me give you an example. When I started, when I co-founded Optimize, I had a friend ask me.

[00:08:35] He said, so you guys have some software that people pay you 300 grand for and it keeps all the hackers out. And I told him that that was precisely the wrong way to think about security.

[00:08:48] So, that's not what security is. Security is that MFA code when you log into your bank account. It's checking email senders before you click on things.

[00:08:58] A lot of it is not secure. It's text messages that we all get on a daily basis, emails from "AT&T" right now that are trying to steal your passwords. So, largely it's about keeping your passwords, keeping your account safe, keeping people out of your

[00:09:16] account, and then not wiring money to bad guys. If you keep people out of your account, and you don't wire money to bad guys, that's going to keep you safe.

[00:09:29] So how we get there is.

[00:09:32] So start with why, start with why and what we're fighting against, and then reverse engineer. Okay, keeping people out of my accounts, what do I need to do that? I need a password manager, I need somebody who's managing my, I need an MSP to manage my vulnerabilities and manage

[00:09:47] my devices, keep everything patched. I need to roll out MFA everywhere, I need to take away privileges, all those things. But no business owner says, cool, I want to talk about multi-factor authentication.

[00:10:01] They want to talk: how do I keep my money, right? And I think that's a big component today, Matt, too, you know, in the sense that everybody kind of looks at it from a fear, uncertainty and doubt point of view, right, and everybody

[00:10:14] says that false hope of, that's not going to happen to me, I'm not big enough, or, you know, whatever the story might be. But we need to be having more of a risk conversation, right? And that's the beauty of where security is going too. For those that are

[00:10:27] looking to enter security, there's a technical path and there's really a business path to it, just like technology. And once you find what you're passionate for, what is that thing you wake up every morning to go into,

[00:10:38] you can find your direction on where you're going to work within the security spectrum. But for the customers, we got to help them understand, hey, here's where the risk lives.

[00:10:46] And this is the risk you're facing right now, and get away from that "it can happen to you" conversation, but, hey, here's where you're vulnerable right now. And you touched upon it.

[00:10:55] There's really four core pillars, if you will, of what we do in security, right? We're doing some continuous monitoring. We have email security, we obviously need to do training for our customers, and we have some asset governance. At least that's what

[00:11:09] springs to my mind as some core areas as well. And, you know, if we're doing that appropriately we can really nail things down. And I'm assuming that's a lot of what your customers' companies are doing as well.

[00:11:20] You know, helping with cyber hygiene, but then going into really understanding where the vulnerability points are.

[00:11:27] Absolutely. So, you know, I am not saying that cybersecurity is easy, but it is simple. So let's talk cyber, right?

[00:11:38] I always talk about three pillars of cyber risk.

[00:11:42] Number one, what do you do 24/7 from an IT security standpoint? Some organizations have built this internally.

[00:11:51] But for the vast majority of the SMB and mid-market, this is your MSP, your service provider relationship that's helping you manage IT and security on a day-to-day basis.

[00:12:04] That means when something crazy happens, who do I call, what red flag goes up, who's proactively addressing these things.

[00:12:12] And who is keeping things tightened when new vulnerabilities do roll out. The second pillar, which is probably the most important, so this should have been my first pillar, but the second pillar is cyber insurance.

[00:12:26] You have an incident, right, it's on average once every three, four, five years depending on the publication. We want to have great security so it's once every 40 years.

[00:12:36] But when that does happen, it's very, very expensive to remediate. When you can buy a million-dollar policy for 1,500 bucks,

[00:12:47] we should do that. The vast majority of people insure everything else; just because this is IT does not mean we should not address it as such. So that's our second thing. The third point being, you talked about governance, the compliance governance. I really

[00:13:05] think that is the risk management bucket. Yeah, that's where vCIO Toolbox lives, that's where we live as well as the third-party risk assessors, third-party penetration testing.

[00:13:20] So when I talk about cyber risk, I talk about those three. And when you talk to business owners and they say, oh, ransomware keeps me up at night, whatever keeps me up at night.

[00:13:29] And the reason why is, if you do those three things to a strong degree, you can't guarantee that you'll never have a cyber incident.

[00:13:39] But I can guarantee that you're financially protected and that you're going to be okay through a cyber incident. So, that's my approach to cyber risk: try to keep it simple for the client.

[00:13:53] And also for us and all of our partners, every MSP out there that we partner with, keep everybody swimming in the right direction.

[00:14:01] Now the MSP is not fighting against the penetration testing firm that comes in, and neither of us are fighting against the insurance firm, because you need to balance all three.

[00:14:16] Yeah, you need to balance all three.

[00:14:18] You know, listen, just remember one of the things that insurance companies are hoping not to do is pay. So we need to have our house in order to make sure that when, you know, unfortunately that claim event does need to be paid, that we've done all the right things to ensure that we can get what we

[00:14:33] require to continue business, continue operations as well.

[00:14:37] I want to segue a little bit, Matt, into your domain expertise, right? You talked a little bit about that you're doing some third-party penetration testing, those kind of things, for your customers.

[00:14:50] But maybe let's take a step back. A lot of people still confuse vulnerability scanning and penetration testing.

[00:14:59] Maybe you can give a little high-level overview of how those two things differ, because that's a question I hear all the time, or a misconception I hear from people: yeah, I'm doing a pen test, I'm using this tool, and it's just a vulnerability scanner. So maybe you can help the audience level set on that.

[00:15:14] Correct. The number one difference is a penetration test should be manual.

[00:15:19] We're using tools, 100%, just like the attackers are. The hacking team is using a combination of tools and manual efforts, but we see it every week on a different penetration test: that tool finds one thing, human

[00:15:36] ability gets you to the next level, and it is the entire game changer.

[00:15:41] Back in the incident response space, I can tell you for sure that they have levels to this, and they're pivoting and using their best hackers to pivot and to come and attack you where the tools would indicate a dead end. So PCI recently released their

[00:16:03] PCI DSS 4.0, and they did a really, really good job. I'm paraphrasing here, so nobody, you know, write this in stone, but ultimately what they said is a penetration test is a manual exercise where an ethical hacker is going to emulate the behaviors and tactics, the

[00:16:25] techniques and procedures of an attacker.

[00:16:30] They also caution with two things that make it stand out as not a pen test.

[00:16:37] One being automated results, and two being if the penetration test does not find anything.

[00:16:49] Even the most secured environments should have some low and informational findings. Those are fine. Those are things a lot of businesses have accepted as risks.

[00:16:59] But when tools spit out no results, that's a pretty good way for you to understand that it's just an automated script that's running.

[00:17:09] And then there's also other sources: when qualified, experienced, OSCP-certified professionals are doing a penetration test,

[00:17:18] there's always going to be some findings, even though hopefully they're low-level ones that we don't largely need to worry about.

[00:17:27] There's a great distinction right there, and I think that's going to help a lot of the listeners really understand what the difference is. Because I've always looked at it, I used to run data centers, right, so we would go through our, you know, we actually did bi-annual pen testing at the core level.

[00:17:41] And, you know, that was a manual process. We wanted people to get in because we wanted to understand where those pathways might have existed.

[00:17:50] And so our vulnerability scanning, which was continuous and automated, was really keeping us up to date on things that were happening in real time that could lead to a bigger vulnerability down the road.

[00:18:01] And I think that's one of the bigger distinctions too, right? Not every CVE that comes out matters to you.

[00:18:07] I mean, you know, it was helping us correlate where there was potentially some risk brewing so our operational teams could take care of it. But the pen testing was then validating: are we doing what we could do best to our ability to then, you know, drive off or maintain security.

[00:18:22] Absolutely, one thing I'd love, that it's.

[00:18:25] I'm in no way saying that vulnerability scanning, patching and remediating is not the most important piece. That's more important, in my opinion, than penetration testing, and that happening on an ongoing basis is critical for organizations to be better secured.

[00:18:41] But if you are going into the pen test bucket,

[00:18:45] don't pay pen test dollars for a vulnerability scan. Find the right firm that's doing manual testing that's going to find things that the scanner won't, because you want your pen test firm to find them and ultimately guide you through remediation.

[00:19:00] Guide you, the client, and your MSP through remediation of those findings, because, you know, if we don't find it,

[00:19:08] it's a latent risk that, knock on wood, never happens, but ultimately someday an attacker is going to find those.

[00:19:16] And I think that's a key piece right there too. You know, it's that remediation piece.

[00:19:21] When you get a vulnerability scan, you may get some remediation steps, but it's pretty generic to the big picture issue, right? When you've got somebody that's doing a penetration test periodically, that remediation is to your environment.

[00:19:34] It's taking the different configurations that you have within your environment into account and giving you that true next step, and I think that's something that's very important to certain types of businesses.

[00:19:45] I'm a SaaS business. It's certainly important to me, right? So, you know, that's something that the listeners should consider in this process as well.

[00:19:53] You know, the remediation is great. I agree with you, continuous vulnerability scanning has been a big difference, that, you know, it.

[00:19:58] It goes so far beyond what just pure patch management does, which was, you know, obviously the bread and butter of the MSP monitoring, you know, framework for so many years.

[00:20:09] You know, and really got us to that next step, started showing us where there were flaws and even assets that weren't in a negative space in the product life cycle management.

[00:20:18] But now you're talking about, you know, this next level of it, which is really identifying where those gaps are in your environment and knowing a human went in there to try to find those gaps.

[00:20:27] Absolutely. And I'll say two pieces on that. One,

[00:20:31] I talk a lot about our testing team. My co-founder is the brains of the operation: OSCP, CISSP, DEF CON podium finisher with teams, led teams to that.

[00:20:43] But all of our testing team is actually OSCP certified, but it's not just that those folks are great hackers, we're also looking for great consultants.

[00:20:55] So we want to be the folks that our MSP partners know are going to be there and guide remediation. Finding something is not helpful to an MSP or a business.

[00:21:06] What's helpful is to fix those things. So the infrastructure knowledge from our testing team is really, really critical to be able to guide our MSP partners in the right direction.

[00:21:18] And one other piece that you just made me think of that I think is important is, for a lot of MSPs out there, it's difficult to bring in a third party for penetration testing, even though we all know that you need to have that independence.

[00:21:31] The problem is the vast majority of ethical hacking firms, offensive security firms, are competing with that MSP, are ultimately a threat to that MSP business.

[00:21:43] That's why when we created Optimize, we set out to solely focus on risk assessment and penetration testing. That's so we can be the third party to come in, do this test, do this assessment, guide that remediation for the MSP and the client.

[00:21:58] And our MSP partners know and have a level of comfort that,

[00:22:02] okay, I don't have to worry about Optimize Cyber stealing my, you know, my vulnerability management contract or whatever contract you have with the client. So

[00:22:12] a lot of times people will give a bad rap to MSPs and MSSPs that try to do everything, right?

[00:22:22] But sometimes they need to, because otherwise pen test firms, offensive security firms, are doing the same thing. So we're eating our own dog food a little bit by staying in our third prong, the risk management and testing piece, and not stepping into other areas where obviously you can make

[00:22:39] revenue, because we want to be that independent testing assessment firm that helps make everyone better and helps make the whole security ecosystem better, because now our MSP partners have that comfort to bring us in with no risk of losing the account.

[00:22:57] And you know, you talk about that, we were talking about this prior to recording today, you know, the separation of kind of church and state in doing the penetration test.

[00:23:06] And I think, you know, I put on my owner's hat, it's also a de-risking step for the MSP as well.

[00:23:12] You know, we can't be holding both sides, because all we can potentially do is miss something, right? And this gives us a check and balance system so we know where we got to remediate, but more importantly helps validate how important we could even be from a

[00:23:24] services level to the customer, because this work does need to get done. And that independent third party coming in there certainly will help with the cyber insurance conversation as well, because there will be less question into, are you sure, you know, how did you approach this, what test did you use. You know, again, when the roosters

[00:23:43] are watching the hen house it's really easy to take your foot off the gas and kind of do things a little bit more lax, and that's what the cyber insurers are trying to uncover when it comes time to pay a claim.

[00:23:54] Yeah, I would completely agree with the de-risking, and it's also a better client conversation, right? If Brian's my MSP,

[00:24:04] and now you say you want to do a pen test and an assessment of my environment,

[00:24:10] why do I need you to do that? If you already knew, or if there's holes here, why didn't you do it already? Right, so the whole purpose of a second set of eyes is to have a second set of eyes and to find things that maybe got overlooked from a prior MSP before you took over the contract, or stood up a new firewall

[00:24:30] and bought some new shadow IT that you didn't know about. And we're there to say, hey, these things need to get done from a business standpoint. Now Brian also can go in and say, I didn't say you have to do this, Optimize Cyber said you have to do these four remediation steps.

[00:24:47] Here's our statement of work to do these four, or time and materials bill.

[00:24:52] So ultimately, you know, it seems like you're losing revenue when you bring in a third party, but ultimately it grows the pie, and it actually grows revenue in more cases than not while delivering better security for the client.

[00:25:05] Yeah, I know when I speak a lot to the more mature MSPs in our community, and it's certainly the way I felt when I was an MSP, there's right revenue and there's wrong revenue, right?

[00:25:14] And when you get to that point where you are no longer chasing every dollar, you realize, hey, there are things that are right for the customer, and bringing in the third-party assessor I think is critical too, because you're letting the customer know, we're willing to be

[00:25:27] checked as well. Yes, they will find things, that's fact, you know, that need to be safeguarded, but we want to make sure that we are hitting the major best practices, that the things that they're uncovering are hopefully minor

[00:25:39] and, you know, easy to remediate. You know, I always liked, you know, the story I would have with people that said, you know, we can't be hacked, back in the days before everybody realized you can be, and I'm like, well, the only way you're not going to be hacked is if you, you know, disconnect everything from the internet,

[00:25:57] network, pull out all the plugs and then turn off the circuit.

[00:26:01] You know, right, that's the way it's going to work, but then we don't get anything done. So where do you want to meet in the middle, right? And this is really helping foster that conversation to have, hey, let's get a third party to tell us where the real critical risks are that we do need to remediate, but then also help us

[00:26:16] understand where the things are that, you know, might be a risk that you can accept, and it's not coming from the MSP.

[00:26:23] So let's get back to the fact and let's have that. Let's have a 90-page report from Optimize Cyber that's going to help us improve cyber risk today. It's going to help Brian's MSP service expand into vulnerability management, or maybe roll out a new

[00:26:39] program, some kind of hardening work. Maybe it's just time and materials, but expand the client now to improve their security, and also when that incident happens,

[00:26:48] and the insurance claims team says, what was happening here at this organization?

[00:26:55] We've got, you know, your vCIO Toolbox with your notes as an MSP, the client has their practices and there's the audit trail as well.

[00:27:06] But there's also this third-party 90-page PDF that you can go and review, claims team or attorneys that are inquiring, and say, look, obviously something went wrong, there was an incident, but in a world of zero days and things like that, supply chain attacks,

[00:27:23] no one's impervious. What we're trying to do is show that we were mana. What Brian's IT services then can show is: I was managing cyber risk for this client very well.

[00:27:35] Here's all the documentation, here's the third-party review. Maybe there was a risk that we accepted; more often than not it's just something that went wrong, a clicked email, a zero day or a supply chain attack.

[00:27:49] Obviously, the difference with this kind of independence and documentation to support what you were doing on behalf of your client:

[00:27:57] now Brian looks like an asset, Brian was not the liability in this incident and, you know, we can all save money on attorneys.

[00:28:05] Well, you know that, and, you know, it steps into what we feel is a huge market opportunity for the MSP today, and that's being, you know.

[00:28:12] That's really adding that governance layer to the conversation. It's not being responsible for every aspect of security, because they probably shouldn't be, but helping the customer really build a cyber security program that has, you know, regular reviews of policy, procedure, annual pen tests, all these critical steps that are

[00:28:30] going to work to having good cyber hygiene and making sure that you're de-risking yourself. So you have less claims, if not no claims, right? Turn that one in four years to one in 40 as you said earlier. And, you know, obviously CSF 2.0 was released recently and brought

[00:28:46] into that conversation, so, you know, it's really exciting that everybody's saying, hey, there's a way now to look over that. But it's also understanding you need to have multiple pieces and you have to have a way to manage those pieces

[00:28:57] cohesively in a single program for a client in order to have it work effectively, and almost that guides you to where the third parties need to exist as well. I'm a big believer in third-party pen testing because I want to know what we don't know.

[00:29:12] Absolutely. I laugh every time we see the new graphic with Govern that came into this 2.0, because it's very similar to, you know, March Madness is going on right now, and I'm watching a lot of basketball, I guess it's April already, but

[00:29:28] in hindsight it looks like, okay, we had the shoes, the jerseys, we had some players, we had a basketball, we had a court. We're playing games. Now in the 2.0 we're also going to have a strategy.

[00:29:43] Like, it's not as though Govern is new to most people, or having a strategy for cyber risk is new. But it does make me laugh that we existed for so long without a structured, hey, let's have a governance unifying piece where we're going to take care of

[00:30:04] cyber risk, and we're going to bring in the right people at the right time, whether it's a firewall, whether it's an EDR technology, or whether it's Optimized Cyber for a penetration test.

[00:30:14] I mean, if you look at a lot of those assessments, it talks in various areas about regular reviews, and that's what governance is finally doing, making sure that that actually happens, right? Because that was really the biggest part: people would set it, forget it,

[00:30:26] lose track of time. I mean, as we're recording this, we're already in April; I thought it was New Year's five minutes ago, right? You know, time goes by quickly. So, you know, this is really helping enforce things. Certainly nothing new, people have done that part of the

[00:30:39] puzzle, but I think what we're finally understanding is, if we don't dictate the wrapper that should be going around every good cybersecurity program,

[00:30:49] we're missing the opportunity to make sure that things are actually happening, right? And I think that's where we're headed, but it's a huge opportunity for the MSPs.

[00:30:59] And that's a way for them to augment some of that money that they might be earning through doing pen testing that they should be outsourcing, right? You know, there's always a new way to generate new revenue in our world, and if not, just wait until

[00:31:11] the next time it comes out. Absolutely. Well, and to bring it full circle to where we started, I think this is the great opportunity to go to your clients and become their governor. Right now the governor's in there, be the governor.

[00:31:26] You're not an insurance carrier; you should not be writing insurance.

[00:31:31] You're not a partner for insurance that you bring in. You should be core functionality for a lot that happens in terms of cyber defense, but bring in the right third parties, like Optimized Cyber on the pen testing,

[00:31:44] the right audit firms. You should have relationships like that, so your client can come to you as my coach, as my governor of cyber risk, who brings in the right third party at the right time, and ultimately start remembering why we are doing this.

[00:32:02] You're doing this to help those clients prevent financial losses to cybercrime, period.

[00:32:08] Once people understand cyber risk, they don't look at you and say it is your job, Mr. MSP, Mrs. MSP, to keep all the hackers out. We need the right team, and you are the quarterback, you're the governor of that team, and you're

[00:32:26] bringing in the right assets at the right time to manage cyber risk. Insurance is a part of that, third-party testing is a part of that, your own tools, technologies, and offerings are a big part of that, probably the biggest part.

[00:32:39] But the more that you can have the discussion of why we want to manage cyber risk,

[00:32:45] and that you are not too small for the risk.

[00:32:48] The biggest competitor for all of us is clients not wanting to manage cyber risk.

[00:32:56] It's not your MSP four miles over.

[00:32:59] It's not the client.

[00:33:01] It's not the firm that you bid against every single time a contract goes up.

[00:33:05] Your biggest risk as an MSP is clients throwing their hands up and saying this is too hard.

[00:33:11] I'm not going to do anything about this.

[00:33:14] And I'm too small, and I'm just going to bury my head in the sand. Keeping heads out of the sand should be the goal for everyone, so the more that we can keep this simple,

[00:33:23] keep this focused on preventing your business shutting down due to a cyber attack or losing money, because everyone now has a story.

[00:33:33] Your business owner either personally has a story or has friends that have their own story of losing money to cybercriminals.

[00:33:43] So the more that you can become their go-to and be the people that they know care about this and will bring in the right people at the right time, the right tools, the right processes, and the right third parties, the more successful I think your individual MSP can be, and

[00:33:59] certainly your clients.

[00:34:01] That's awesome. So, you know, with that, I think we've come full circle on this conversation. I know we're getting near the end of our time too, so, you know, Matt, a couple things I'd like you to do. First, tell people how they can get in touch with you.

[00:34:13] You know, if they're looking for a third-party testing partner, how can they get in touch with you and Optimized Cyber?

[00:34:19] optimizedcyber.com, or find me on LinkedIn, send a carrier pigeon, contact us on the form, we'll be in touch shortly, and

[00:34:30] yeah, happy to have any conversations and explore this thing further with anybody out there. Also open to criticisms: go to the website and say, hey Matt, hated the podcast, but appreciate,

[00:34:40] appreciate the willingness to share. So, optimizedcyber.com.

[00:34:45] Terrific. And, you know, before we step away and say goodbye for today, any closing thoughts, Matt, from your seat?

[00:34:54] Yes. The only thing I care about. Again, love our technology friends, I love the legal friends, I work with the insurance carriers, all the people in the cybersecurity world.

[00:35:06] I love you all. But I love after my site, but I do not care about any of us individually.

[00:35:13] Remember, when you get up in the morning, you get to go share this, like, unique knowledge that no one else has about cyber risk and cybersecurity.

[00:35:22] Like, where would you rather be in the world than being able to address people's biggest concern? There was a recent Pew survey that came out.

[00:35:31] And I'll share this with you, Brian, if you want.

[00:35:33] They asked people about their biggest fears. Number one was identity theft, number two was having money stolen from their bank accounts by cybercriminals. Getting murdered was like a third as high of a concern to people, Pew Research found.

[00:35:51] So this is top of mind for people. Once they find out that you are not there to sell them services, that you care about them,

[00:35:59] you're going to become the new best friend to a lot of new clients and land a lot of folks.

[00:36:05] Yeah, you know, I've got to be honest, I don't think much about getting murdered either, but, you know, neither here nor there. That's some great information.

[00:36:13] And with that, Matt, I want to say thank you for joining us today. For the listener, obviously this episode will be up anywhere you get your podcasts, including Spotify, Apple, and iHeartRadio, as well as YouTube, if you want to see the video version

[00:36:28] and really see what goes on behind the scenes as well.

[00:36:32] And then in the show notes we'll be including a link to Optimized Cyber as well as Matthew's LinkedIn account, so feel free to connect with him and ask some questions.

[00:36:41] And with that, listeners, I look forward to seeing you again next week. Matthew, thanks for joining us. Thanks for having me, Brian.
