James Davis, the Director of the Pax8 Academy in Asia, hosts Andrew Lawrence from de.iterate to discuss the concept of Risk Management so that we can understand how to apply it in our conversations with clients and how we manage our practices. Andrew talks us through how Risk Management is not just a big enterprise methodology, and how, by applying the core frameworks and simplifying our approach, we can bring this to our SMB clients. He explains how taking a risk based approach helps us identify opportunities with our clients in a way they buy into, instead of flogging technical controls they don't care about.
[00:00:00] G'day everyone, it's James Davis from the Pax8 Academy and this time I've got Andrew
[00:00:24] from de.iterate. How you going Andrew? Hey James, how you doing? Great to be on the show.
[00:00:28] Thanks for joining me. I've got a little tradition of asking where people are based in this wide world.
[00:00:33] Well, you can't see outside but we're in sunny Queensland so we've found it up here in Queensland
[00:00:39] and we have some staff all around Australia but yeah in Queensland is where we're based to their
[00:00:44] office. Yeah, awesome. I'm down here in tropical Hobart so I'm feeling exactly the same
[00:00:50] weather as you guys up there. It's really great to have you on for today because we're going to
[00:00:54] cover a topic that probably not enough people are talking about and it's risk management
[00:01:00] and everything that goes on to it. I know there's a lot of people are scared by this concept
[00:01:06] because it's seen as an enterprise thing, it doesn't apply to small business so we're going to
[00:01:11] grab all your great knowledge and we're going to help the partners today. We're going to start with
[00:01:16] a really simple question though to get us started. Is selling cybersecurity via shiny
[00:01:23] technical tools and controls the right way to go about engaging a business and talking about risk?
[00:01:30] I think it's one way to go. I wouldn't personally say I think it's the right way to go.
[00:01:34] We talk with MSPs pretty well constantly, we have a steady stream of conversations going
[00:01:41] with a lot of MSPs around Australia and the MSPs that are having conversations about risk management
[00:01:47] prior to the shiny technology. Other ones we find have the most success in the long run because
[00:01:54] they're talking in business terms and saying to the business, here's your risk, here's how we can help
[00:01:58] you mitigate that risk. Would you like our assistance to mitigate that risk? That's an easier
[00:02:03] conversation to have than we've got this new shiny thing and here's a bunch of technical acronyms
[00:02:09] and words that you understand which should convince you to buy my shiny object.
[00:02:15] I wouldn't go with Shiny Objects first although they're an important part of the long term solution
[00:02:20] but there's a lot to be said for basic education and basic knowledge transfer between MSPs
[00:02:26] over those trusted devices and your customers who are there open asking questions because they
[00:02:32] want to learn in my experience, they want to learn anyway. It's a good opportunity to do that
[00:02:38] knowledge transfer and help them on that road in a risk management conversation. Absolutely.
[00:02:43] Understanding that right way, it's more of the risk and business level conversations,
[00:02:49] what really is risk management? What are all the key concepts?
[00:02:54] Yeah, look, it's actually really simple. I think it's one of those topics that people are
[00:02:59] approaching to, oh man, this is a big topic. I don't really get it. I don't really want to get it,
[00:03:03] it's gingerly boring but I know we need to do something in this space. What we do is,
[00:03:09] and we take MSPs and MSP customers through the journey of implementing cyber security
[00:03:15] information security risk management on a daily basis and we always start our onboarding programs
[00:03:20] with risk management because it is a core concept of implementing a management system to manage
[00:03:25] your information security risks. It's pretty straightforward. We sit down and we talk to customers
[00:03:31] and say, what are your assets? What are your vendors? What is your environment? What is
[00:03:35] a compliance terms? I would say what is the context of your organization which is really confusing
[00:03:40] term. But what is the thing that we're worried about here? Then you take that list of assets
[00:03:47] or that list of service providers and you say, what are the bad things that might happen to this
[00:03:51] particular asset? Then there are your risks. Then after that, you say, okay, what am I going to
[00:03:58] implement to mitigate those risks? What can I do to bring that risk from being a really high
[00:04:02] probability inside the terms, really high velocity risk and bring that down to something that's a bit
[00:04:08] more achievable and maybe something that I can sleep better at night knowing that I'm trying
[00:04:12] to mitigate that in some way. It's less about trying to be perfect and saying, well, here's every
[00:04:18] permutation of everything that might happen. You say, well, let's aggregate these risks together
[00:04:25] and then let's look at them on balance and see what we can do. That's practical.
[00:04:30] So, what we do is we say to customers, that's a process. It's not something you can just rush into
[00:04:34] when I do an hour and then you're away. It's something that you need to sit down and look at
[00:04:38] and just plan your way through. It doesn't have to go for months. I personally don't advocate
[00:04:43] for risk registers that are 30, 40 lines long because no one wants to read through that guy.
[00:04:49] But if you can aggregate your risks and come up with 10 or maybe 15, really
[00:04:55] core aggregate risks that articulate your position and then you can start talking about,
[00:05:01] okay, what are we going to do to mitigate those risks? So understanding the context,
[00:05:06] then thinking about your threat environment and maybe your attack surface a little bit.
[00:05:10] And this is where when you start talking about attack surfaces and you start talking about bad
[00:05:14] things that might happen. MSPs, they have a certain amount of knowledge in the technology world
[00:05:20] and that's where they would lean on that knowledge to say, well, here are the things that we've
[00:05:24] experienced in the past. Here are the bad things that we know will probably happen to your asset.
[00:05:28] Let's say you've got a server on the internet and it's accepting connections publicly.
[00:05:33] We know it's going to get a certain amount of attention from the world, right? So they can help
[00:05:37] articulate that with a customer. What we find is super helpful is to build on top of that
[00:05:42] and work in getting some sort of situational based awareness as well on what are the things that
[00:05:48] are happening in Australia to those assets that we can overlay on top of that to help get
[00:05:53] additional kind of context for those risks. It's a fascinating concept. As I was getting lost in
[00:06:02] what you were talking about in terms of just all the examples I think about my head is that
[00:06:09] conversation contrasts between what you're talking about compared to just leading with you need
[00:06:15] EDR or you need EDR, that conversation around what's actually going on and you can educate
[00:06:21] your clients as you're going is way more powerful. I think at this point I'd just highlight to everyone
[00:06:28] one of the things that we're doing wrong as an MSP as a technology partner is we're treating
[00:06:35] cybersecurity static because that's how we've always treated our infrastructure management
[00:06:40] and support. So we're going straight to cybersecurity, here's our bundle, now static, where what you're
[00:06:46] describing is more of an ongoing process and what really made it curious for me that I'll ask you
[00:06:52] about is when we're having these conversations is it just technical risks that we should be talking
[00:06:58] about and coming from that frame of lens or is there different ways that we can have this sort
[00:07:04] of conversation. Technology is a part of that conversation. It's probably a big part of the
[00:07:09] conversation especially in the context of an IT partner having a conversation with their customer.
[00:07:14] But IT is such a core part of most people's business today. If you don't have emails and you
[00:07:20] have Zoom, you haven't got a bunch of those applications that everyone uses every day then your
[00:07:25] business is sufficiently hindered on most occasions. So I think it's a part of it but it needs to
[00:07:32] kind of transcend those technology controls and look at the business. If you look at like a framework
[00:07:38] like ISO 27001 which I know everyone has got a bad story about ISO 27001 how it was implemented
[00:07:43] badly and it's a massive thing. But if you take and break it down into its components,
[00:07:48] it's actually really practical, kind of modular way of dealing with information security risks.
[00:07:52] So if you were to take one of those concepts which is business continuity that's a part of that
[00:07:57] standard. Now that standard is the international standard for best practice information security
[00:08:02] and cyber security governance and it's got a topic around business continuity. That's how the business
[00:08:07] survives an event, not necessarily a disaster recovery effort which is like a technology
[00:08:13] recovery type effort. That's how does the business survive when the technology fails. So I think
[00:08:20] traditionally IT focused service providers have really got blinkers on when it comes to IT,
[00:08:25] I just need to deal with those IT risks but I think if you take them off there's not that much more
[00:08:29] you need to think about when you go into the business lens and if you put the hat on your
[00:08:34] business owner typically if you're in the MSP space, if you take that business owner approach from
[00:08:40] your customer side as well, it's pretty easy to take those risks and then put a business lens on
[00:08:45] the end of them as well and say well here's the overall business impact if we have this sustained
[00:08:51] failure of communications for example at your business. Let's help you articulate that and that's not
[00:08:57] necessarily about solving all the world's problems but what you want to do is you want to table all
[00:09:01] these risks, get them on the table and you want to be able to sort of wrap your arms around them
[00:09:04] right? And as long as you can do that then you can effectively say look into when we know we start,
[00:09:09] we know we finish, we've got a good view and you may not like the risks that are on that table,
[00:09:13] you may think oh man some of these things really need to get solved and that's totally okay as well
[00:09:18] but that's means you can start planning what are they learning for, well they're really high
[00:09:22] ones that we really need to cap off first and then what are those nice to have one that maybe a bit
[00:09:27] further down the line? Now that might be an uncomfortable conversation because it made push some
[00:09:31] of those technology control implementations a bit further down the line but it's a longer engagement with
[00:09:38] the customer so you'll end up engaging with them early, they see the why, they understand why
[00:09:43] they're implementing these controls and then they're invested and it's more of a okay we've got
[00:09:48] it, we're getting advice from our partner there are trusted business partner of ours they're giving
[00:09:52] us advice what we need to do and we're going to get there in a long run and that turns into the
[00:09:56] multi-year strategy of rolling out technology change over time. So I think it's a better style
[00:10:02] of long-term engagement and it kind of graduates the conversation from pure risk management into a
[00:10:08] topic that I've seen increasingly talked about in the space which is data governance right and it's
[00:10:14] not just cyber security like cyber security is a cog you turn in your overall data governance
[00:10:18] structure to affect privacy and security right so when we talk about data governance we say you
[00:10:24] know that's kind of the umbrella term since across the organization is governance and that's
[00:10:27] business 101 is governing different topics it might be safety like physical safety health and
[00:10:33] safety or it might be cyber security those two things are there's some similarities there right
[00:10:38] from a governance perspective and what you do is you overlay those controls across these domains
[00:10:45] right to say how we're going to affect them and cyber security is one part data privacy is obviously
[00:10:50] a big part of it and that's an evolving topic especially in Australia with legislation changing
[00:10:54] this year so we're going to see these conversations come up more and more so I think if you're just
[00:11:00] focused on the cyber security part you're probably missing out on a bigger opportunity to engage
[00:11:06] in a deeper way with that customer and talk to them about a more of a holistic kind of long-term
[00:11:11] approach to technology. There's such great wisdom in that what you just spoke to us about the
[00:11:21] thing that I really liked that what you said there was we might not be comfortable with some of
[00:11:26] the risks on the table and this is dependent on how we position ourselves if we're treating ourselves
[00:11:36] as a service provider we're transactional we're only selling low-value commoditized services or
[00:11:42] we're selling products well we don't have a voice at the strategic table to actually push back and
[00:11:48] go no this is a bigger risk whereas an advisor if you're an advisor they're expecting you to do that
[00:11:56] but you've got to manage with the context that you're talking about you can then position
[00:12:00] the in your head well really where does this risk sit for the client and if it is such a critical risk
[00:12:10] if you're speaking up it'll have a lot more power to go well we've spoken about all these
[00:12:14] other risks I understand maybe your hospitality company and the bigger risk is armed hold-ups
[00:12:19] at the moment maybe your construction company the bigger risk is workplace health and safety
[00:12:25] I get that but if you don't do this this this and this could happen and it could really affect
[00:12:31] your business and having that context just paints a different picture then well it's technical I
[00:12:37] think it's super critical that you're not backing up your stuff from a technical perspective
[00:12:43] but it's not fitting into that business conversation so I found that really fascinating
[00:12:46] yeah it's um I think it's interesting when you see that engagement between technology partners
[00:12:51] and businesses there's already this massive amount of trust right they're coming to you
[00:12:57] to ask you question about technology which is a topic they're not the subject matter expert in
[00:13:01] you are right so if you have an opinion about what they should do based on something that's
[00:13:07] quantifiable then you can give that opinion freely and it's up to them to decide if they want to
[00:13:13] accept that risk if they identify the risk as yeah that's a true thing or they trust you that
[00:13:19] yeah he's articulating that well then it's up to the business owner to accept that risk um
[00:13:24] and this is where we see service providers and MSPs and VARs kind of tipping the tables a little bit
[00:13:30] and saying yeah we're going to engage with you and talk about your risks but we're also going to give
[00:13:34] you a sort of an indication of what our risks look like so you're a customer of mine and you're
[00:13:40] deciding as a customer to not implement basic cybersecurity hygiene across your organization
[00:13:46] now when you get when something bad happens to you and that's going to happen someday right
[00:13:50] when something bad happens to you you're going to you're going to point at me and say but you
[00:13:53] look after my IT and you know this is why did you let this happen to me type deal and that's a
[00:13:59] I think that's a fear that every single service provider I speak to has got right
[00:14:03] because they know they're on the hook when the bad thing happens um but if you're having that
[00:14:08] productive conversation with your with your customers you say well here's the risks that you
[00:14:12] pose to me as a business right and here are the risks that we're going to articulate to you and in our
[00:14:17] monthly or a quarterly catch up whatever you do with your customers you say here are the risks
[00:14:21] of identified and here are the risks that we've agreed that you're going to accept now if one day
[00:14:28] they come back to and say Andrew like why did you let this bad thing happen to me
[00:14:32] and I know it's not a great thing to do but you pull out that risk register and say look we've
[00:14:36] had a discussion a lot for a long time about these over time um and maybe it's you know a change
[00:14:40] in personnel at the far end and they say well how come you ever told me and you say look we've
[00:14:44] been discussing this for a couple of years now we've been tabling these topics it's something
[00:14:48] we've been really productively managing we understand it's not going to priority for you but we're
[00:14:52] doing the best we can with the you know with the positions that you've been holding here and I think
[00:14:57] that's a mature conversation around so that shared responsibility of MSPs I know there's shared
[00:15:03] responsibility models for cloud service providers but there's not a really good shared responsibility
[00:15:07] model for an MSP engagement or that I've seen anyway if you've got one please have a team
[00:15:11] but I think it's really important to try and articulate that shared responsibility with your
[00:15:14] customers because they get it right they intrinsically get it because if they were had that
[00:15:19] IT service in house then it would be all their risk right but they've outsourced to do that
[00:15:24] they're transferring that risk across the MSP so I think it's important MSP I think you
[00:15:29] let's that risk back to the customer as well. That's a really good point around like the shared
[00:15:34] responsibility and really defining where things sit because I think the traditional MSP we've
[00:15:41] always taken on all the burden on the responsibility if it tech is that's what SMBs have expected from us
[00:15:47] but how many times have I seen the clients coming back to the MSP and going well I thought you did
[00:15:56] all of this and that goes back to what you just said we haven't actually gone and have the
[00:16:01] mature conversation to say what we do and what we don't do is that appropriate or not and have
[00:16:06] that conversation again we're highlighting this as we've been trying to sell productised things
[00:16:13] where what we're moving into is a lot more of that advisory consulting and then we provide the
[00:16:19] services off the back of what's needed for the particular clients because what you've highlighted
[00:16:24] different businesses have different contexts it's not one size fits all. Yeah I think there's an
[00:16:29] evolution too of the MSP sort of role in the in businesses right so go back to 15 years ago 20
[00:16:36] years ago your MSP was the subject matter expert then everything about technology everyone in the
[00:16:41] business have just looked at them said I help I need help these days you've got staff coming into
[00:16:46] the workforce who are pretty well versed in most of the tech that they're using every day they're
[00:16:51] not calling you saying hey my Zoom doesn't work they're just figuring it out right on the fly
[00:16:55] there's always people who call you anyway right but there's a big chunk that kind of coming up and
[00:17:00] not needing that help so I think it's natural for the MSPs to move from a hardcore technical advisory
[00:17:07] role into a more of a softer strategic business technology advisory role. How do you need to act
[00:17:13] to be that because a lot of us have come from that you know we're techs, a tech at heart you've
[00:17:18] already sort of explained well we need to have business level conversations and the identification
[00:17:24] process for for risk and the ongoing conversations that are needed inside this sort of risk management
[00:17:30] and conversation piece doing still need to be that expert that knows everything and then deliver
[00:17:36] everything in your opinion and carry all the risk for your clients. I don't think so I think
[00:17:42] customers really respond well if you know your limits and you can help articulate them right so you
[00:17:47] might say okay we're gonna get this asset list we're gonna get these suppliers we're gonna look at
[00:17:52] these some you know some open source intelligence and try and get a position for you on where the risks
[00:17:57] sit maybe we're gonna go partner with the Australian Cyber Security Centre which I recommend every MSP
[00:18:03] because you get curated threat intelligence for the Australian market now you can go subscribe
[00:18:08] to Cisco Talos or Palo Alto or any of those threat feeds that are out there you're gonna get global
[00:18:13] threat intelligence for the global landscape but if you get partnered with the ACSC you get free
[00:18:17] Australian based curated threat intelligence so you know that there's no better intelligence than
[00:18:22] the free one and it's already curated for the Australian market which means you're getting rid of a
[00:18:26] bunch of noise so you can take some of that knowledge that you're going to get from this kind of the
[00:18:31] JCSC and the Australian Cyber Security Centre and you can take that and look at your customers
[00:18:36] say we know these kind of groups operating these are the kind of threats that are out there
[00:18:40] we know you're running this kind of software so you're you're in a heightened risk over here
[00:18:45] so you know the conversation with you so you're not the expert you're not saying I know the threat
[00:18:50] intelligence, Cozy Bear are out there doing this particular threat right now so I need you
[00:18:54] to solve this problem you're saying we've got some intelligence here from really smart people
[00:18:59] that says this is an active kind of a campaign or environment here we know that you're one
[00:19:04] of the prime kind of use cases for that that threat so let's make sure we talk about mitigating
[00:19:09] that in a particular way as it as like a tactical solution to like an active thing that's going on
[00:19:17] and that's bringing an expertise right so you don't have to be the expert and just because
[00:19:21] you're great at technology and you're great at rolling out you know technology transformation
[00:19:25] within organizations doesn't mean you're the cybersecurity or threat intelligence expert
[00:19:29] doesn't mean you're the data governance or compliance expert in most cases all of us have
[00:19:34] specialized in certain areas throughout our careers and you know jack of all but you know you can't
[00:19:39] always be the master in every single one so I think a little bit knowledge is important
[00:19:44] by thinking knowing where to lean on other people for assistance is super important as well
[00:19:48] and I don't think the customer is necessarily expected to be you know a PhD student on 30 topics
[00:19:55] and articulate that like Encyclopaedia Britannica right so I think if you know where your limits are
[00:20:00] and you can bring people in to help support you along the way I think it's a just as good engagement
[00:20:05] as you know just seeing that see back and doing it with yourself you've got to sort of share
[00:20:09] that load a little bit. I agree fully with that the old terminology of one throat to choke
[00:20:17] we've run with it for a long time and yeah maybe as if we're the technology advisor where
[00:20:25] the ones responsible for that sort of governance and and a translation and bringing the right
[00:20:32] people in but it doesn't mean you need to deliver everything and probably one of the things I'd
[00:20:36] highlight from a cybersecurity perspective that I'm talking about a lot is incident response
[00:20:42] yeah MSPs shouldn't touch it at all and should be looking at other partners to do proper incident
[00:20:48] response even the cyber cyber insurance providers have an incident response change so just like
[00:20:55] that one example out of this is something that we should we should look at doing differently than
[00:21:00] what we traditionally have. Yeah MSPs probably need to make sure their position well to assist
[00:21:06] the incident response 100% so making sure you've got logs making sure you've got appropriate you
[00:21:12] know up to date assets lists and classifications and all sorts of stuff but you're you're playing
[00:21:16] a really critical supporting role in incident response unless you're a SOC you probably aren't going
[00:21:20] to be the incident responder as much as you're going to be supporting the efforts of the incident
[00:21:24] response team so you 100% correct. It's in the supplies to do a lot of things and keeping it along
[00:21:33] the risk sort of conversation is the more you take on the more risky take on as well from being
[00:21:42] the sort of generalist provider that's trying to provide absolutely everything you're increasing your
[00:21:49] risk profile on your risk footprint like you were describing there which I think is a very
[00:21:56] interesting concept is we're changing that sort of thought process from a business perspective we've
[00:22:02] typically never worried about that kind of risk we've just typically run in and doing things
[00:22:08] so risk just keeps coming up over and over again when you look at it from a business perspective.
[00:22:14] Yeah I think one thing I'd probably say to the people that are out there trying to
[00:22:18] just enter into doing this risk management piece for their customers and even themselves
[00:22:23] is risk management is going to look a little bit different customer customer and entity to entity
[00:22:29] there's no fixed rule that says you have to have a risk register which is 400 calls wide with lots
[00:22:34] of colors and all sorts of stuff you know it can be really really simple as long as you're articulating
[00:22:39] what the risk is, what the cause is and then what your controls are going to look like and then maybe
[00:22:44] what you're going to put in later to help mitigate that like a treatment plan. You can keep it really
[00:22:48] really tight doesn't have to be ISO 31000 which is the risk management standard it doesn't have to be
[00:22:53] you know this massive task and as long as it means something to you it means something to your
[00:22:59] business and it means something to the customer if you're talking to them then it can be in whatever
[00:23:03] language it needs to be in right that's the that's I think they're one of the key takeaways from
[00:23:07] risk management is you know it's probably good because it's so flexible but it's frustrating
[00:23:12] because it's so flexible there's no we like rules we like lists right and technology we're like
[00:23:16] we'll follow this rule we'll follow this thing it'll be great but it is a little bit more creative
[00:23:20] than that you know you need to sit down and look at what are the actual bad things that might
[00:23:24] happen what are the cause of those bad things I think one of the things that people really need to
[00:23:28] make sure they think about before they document these things is causes aren't always risks
[00:23:34] and risks aren't always causes right and those two things that get confused a lot right
[00:23:39] the risk is that the business may not be able to support their customers
[00:23:43] cause might be the building burning down now the risk might be the building burning down as well
[00:23:47] but the probability from business perspective is that your inability to serve as your customers
[00:23:51] is the risk the cause of that risk is not having an office stop right out of so when you're thinking
[00:23:56] about risks and causes I think just causing a little bit and thinking about those things in context
[00:24:02] is important but that's probably the trickiest part once you get past that part you can make it whatever
[00:24:06] you want to make it and we always say when we're talking to customers and we're implementing this
[00:24:11] it is a sustainable approach what if you start doing whatever you start working into your organization
[00:24:17] or you work into your customers organizations it has to be a sustainable compliance right you have
[00:24:21] to actually get a do it on an ongoing basis there's no point in spending a week coming up with this
[00:24:27] rainbows and unicorns process and they're never actually implementing it you may as well come up with
[00:24:32] you know back of a napkin process start working at it and then letting it naturally get better over time
[00:24:39] then trying and what's that saying, perfect is the enemy of good right making it good
[00:24:44] and then letting the natural your natural desire to make things better I think most technologists
[00:24:49] are never really happy with what they've implemented or what they've got they always want to make it
[00:24:53] a little bit better I think that's a great trait from technology's perspective and you will let
[00:24:58] that natural curiosity build that program and make it better over time but it's not so important
[00:25:03] to make it perfect on day one what's important is that you'll take that first step and you start
[00:25:08] to think about it and you start trying to articulate it I think that's an excellent point
[00:25:15] like you mentioned ISO 31000 there's a framework to work off from like there's a globally accepted
[00:25:24] framework and it's probably worth part there's understanding that framework but then translating
[00:25:29] down towards appropriate there's no point reinventing the wheel here like smart people of
[00:25:34] created structure for this but you're point to that translation is critical because
[00:25:40] your clients and yourself are going to be in a different position to other businesses
[00:25:45] and what you keep telling us is there's a journey and we need to get started and I really like
[00:25:52] that approach of like we just need to get started we just we need to get on the road of this program
[00:25:58] not build a fully fledged program and and try and work into that because let's be honest most SMBs
[00:26:06] aren't at that maturity level to operate at a fully fledged program anyway so
[00:26:11] like most of the things we're doing we only need to be one step ahead of our client base
[00:26:15] it's we don't need to be the world's experts we just need to be an expert for our clients
[00:26:20] I love that I love that approach and so you mentioned out of that that you know obviously
[00:26:27] our clients are going to be in different places and they're going to have different risks and things
[00:26:31] yeah how would you see this going for like an MSP that's managing multiple clients
[00:26:38] and we obviously were used to centralize management and all that kind of stuff
[00:26:43] how do we sort of do this as an effective program across multiple multiple clients
[00:26:48] yeah that's always been a bit of a challenge when it comes to things like compliance right because
[00:26:54] it's heavy on the people side like it's heavy on professional services and that's what's kind
[00:26:58] of scared that mid market away from compliance because you know you say I'm going to take 10 days
[00:27:03] worth of effort to do this work you've got a customer and say well 10 times our day rate is X
[00:27:08] that's what the project is going to cost customers going to look you go we're never doing that
[00:27:12] like Andrew it's not going to happen so that's why I think we can leverage a bit of tech these days
[00:27:18] to go well let's use some sort of software or platform to look at the look at all of our
[00:27:24] customers and we had to aggregate our customers together and do that process once across multiple
[00:27:28] customers and have these smaller touch points which are easier to digest as part of that or maybe
[00:27:34] you're an existing MSP and you're helping yourself and you're helping the customer at the same time
[00:27:39] you spend the time articulate your risk their risk to you and your risk then and then you're
[00:27:44] helping them articulate their risk on an overall basis which will drive that overall transformation
[00:27:49] conversation so you know I think it's important that we don't try and like you say before reinvent
[00:27:55] the wheel but if you do say let's pick up you know 10 paper-based policies and try and rewrite
[00:28:01] them for every customer I always have this conversation probably weekly with with with
[00:28:06] customers of varying sizes and that is don't waste your time writing policies over and over and
[00:28:12] over again you know an asset management policy for example it's always going to say the same thing
[00:28:18] that you should have assets you should classify them they should have owners you should review it on
[00:28:21] a regular basis and keep it up to date there's only so many ways you can say that on a bit of paper
[00:28:25] right so if you spend half a day or a day writing one of those for everyone in your customers you're
[00:28:30] going to burn a lot of time writing the same thing over and over again what you're probably better
[00:28:35] off doing is spending your time think about how that customer's going to implement that process
[00:28:40] and making that sustainable and that's the piece that we do when we take customers through that
[00:28:45] journey and say right what are you doing right now and it may be that you're doing a bunch of
[00:28:49] software development let's know this piece have little portals and little apps they use for
[00:28:53] customers to sort of see some like maybe auto services maybe they use it to see this status of you
[00:28:59] know they're they're fleet so you're doing some software development most software developers do
[00:29:04] the same process right there's a main branch of code they check their code out they edit that code
[00:29:08] they push that back in someone approves it it gets released into production that's a change in
[00:29:12] management process for you're already doing that in your business right so you don't have to come
[00:29:17] in and say all right everyone we need to start having once once a week meetings to talk about
[00:29:20] what changes are going to happen in the organization that's a big company thing like process right small
[00:29:25] companies are usually doing a lot of the right things already that's just about tweaking those things
[00:29:30] just a slight little bit to add maybe a security lens to it and say okay when you do that code
[00:29:34] review can you just like make sure you're thinking about like the security implications of releasing
[00:29:38] that code into production and then then you're covering your bases right so it's more about taking
[00:29:44] what's there focus your attention on what's achievable and don't try and don't try and reinvent this
[00:29:50] for every single customer the idea that you can stamp out one one sort of environment and then use
[00:29:55] it many many times it's something we do in MSPs all the time right yeah we have one EDR
[00:30:00] platform which allows us to manage all of our customers endpoints and see alerts from those endpoints
[00:30:05] compliance can be exactly the same right we can use one platform one service to monitor all of
[00:30:10] that compliance and then we can do little bits of work for that customer along the way it could be a
[00:30:16] lot of the customers to it themselves and just need you as that augmented support right they say
[00:30:20] well we're happy running with it but when we get stuck only got to call you and get some help
[00:30:25] in which case they call you get cool yep we can help you with that no problem at all and then
[00:30:29] check back out again so it's less about that like really deep you know 10 days of support up front
[00:30:35] and then every year coming back for big blocks of professional services and more making that as
[00:30:39] part of the ingrained process and it returns you know you do it once it returns to a three value
[00:30:44] propositions the MP the MSP but I love that because I think I 100% agree everyone's getting stuck on
[00:30:54] creating this is a bigger thing than it needs to be and we we don't take it from the client first
[00:31:02] perspective approach we're not going well what are they even capable of rolling out in their own
[00:31:08] business at one time let alone what we can roll out then roll out now we do it like we should look
[00:31:16] at what our clients are at where they're at and treat this more holistically like what you mentioned
[00:31:21] before that you know risk is a good place to start because that is one of the high level business
[00:31:27] areas that business owners are just naturally thinking about but when we weave this with that sort
[00:31:33] of innovation or digital transformation programs to make their business better so you enable revenue
[00:31:39] and then then weaving in cyber security is just a given this small achievable chunks it can just
[00:31:46] happen months after month or quarter after quarter that's aligned to their strategic objectives
[00:31:52] and if we just weave in this thought process risk management is just something that we do cyber
[00:31:57] security is just something that we do all of a sudden how we approach this will be completely
[00:32:01] different and like what you said to policies a perfect example of how you said it like it
[00:32:08] doesn't vary that much there's only there's probably only a paragraph of how it's actually
[00:32:12] implemented and wants to sited on for the business that's specific so why don't we just focus
[00:32:17] on understanding that because like you said asset management is a perfect example you know maybe
[00:32:23] maybe there are field services company that has a lot of vehicles and they need to do that sort
[00:32:30] of fleet management component in asset management well there's a whole bunch of conversations that
[00:32:35] come out of this based on that risk profile then we're doing we can talk about how we're actually
[00:32:41] managing that and what systems what's our processes how do we be more efficient at that are the
[00:32:46] better ways of doing it that then we can increase their margins and what they're doing and improve
[00:32:50] their business through this and then they'll spend more with us like that's that sort and but
[00:32:56] they get more benefits in the ROI where I think a lot of us get caught up on risk and cyber security
[00:33:02] and there's no there's no direct tangible ROI for the business with the way that we're selling it so
[00:33:08] I'm loving I'm loving what you're putting down to us today yeah no problem I think ultimately
[00:33:15] it is about sort of working with the customers to see what their overall goal is as well and
[00:33:21] a lot of times customers are getting from getting from their customers they're getting pushed okay what
[00:33:25] are you doing information security what are you doing for cyber security how can you articulate maturity
[00:33:30] in this space and that's the hard part for the customer that's why they're calling right so I've
[00:33:34] got a big deal with this big company and it's going to go to custard unless I can demonstrate I'm
[00:33:39] doing some cyber security help me do some cyber security and you know I think maybe five ten
[00:33:45] years ago you could say we're doing a bit you know antivirus patching with this but that and
[00:33:50] those questions would kind of disappear these days we're seeing those conversations are going
[00:33:55] much much deeper not only from a customer's customer perspective but from a customer's insurance
[00:34:01] company perspective I got a question earlier in the day it was the biggest insurance
[00:34:06] questionnaire I've ever seen but it was really well written and that's a sign of that industry
[00:34:11] maturing and asking the right questions and it's putting MSPs under the pump to say well how are you
[00:34:16] actually doing a bunch of this stuff and that's then driving conversation about implementing good
[00:34:22] governance and compliance but you can get on the front foot and say well here's the framework we're
[00:34:26] going to use and I always say 27001 is a good business framework Essential Eight is a
[00:34:32] configuration standard that just does like one slice of it but if you want a holistic business
[00:34:36] standard you should look at something a little bit deeper and that's how you answer those sort
[00:34:42] of questionnaires to say well we've got a process in place that manages these risks and we might have
[00:34:47] accepted some risks right that just say we're growing business we're going we're running with
[00:34:51] scissors we're absolutely scaling like crazy we have to accept some risks because we just don't
[00:34:56] have the bench strength to do some stuff but it's not about saying we're never going to do it it's
[00:35:01] about saying it's in our risk register every three months we review this risk and say are we at
[00:35:05] the size now where we should implement this control and you consciously say yes or no and when
[00:35:11] you consciously say yes or no you can stand behind that and say we've got structure in place
[00:35:15] we've got good governance in place we understand our risk profile and we can now articulate that as well
[00:35:21] I think that is a really powerful position for any company to go to their customers who are coming
[00:35:25] with their insurance companies who are coming asking these questions but you can't do that unless
[00:35:30] you wind the clock all the way back and say we're going to categorize our assets, do our risk
[00:35:35] assessments and then choose what we're going to implement to mitigate our risks but once you get
[00:35:40] into a system of managing that in that really effective way then it makes that conversation down
[00:35:45] the road so much so much easier and much more sure what I took out of what you just said there for
[00:35:56] me is you can't really accept the risks if you don't understand them and that's from a client's
[00:36:04] perspective the way most of us have been we think we've been highlighting the risks to our clients
[00:36:10] but we don't have enough context for our clients to actually accept the risk and make decisions
[00:36:17] and what you've shared with us today hopefully will change the way that people are approaching
[00:36:22] these conversations but it just tweaked to me then that is how can I accept something if I don't
[00:36:29] actually understand it properly it's just logical isn't it yeah surprisingly enough risk management
[00:36:38] is more exciting and more interesting than people expect and compliance when it's tied to the
[00:36:45] tied to these sort of business cases it is important it's not just a necessary evil so this has
[00:36:53] been an awesome conversation I could keep talking about I've got a bunch more questions but
[00:36:58] I'll save them up what do you want people to really take away from today and what do you think if
[00:37:04] they're walking away from this conversation and they've really loved what you're saying
[00:37:09] what should they get due to get started and change the way that they've been approaching things
[00:37:14] yeah I think if I can if I can take anything away from from this conversation is that the topic
[00:37:19] itself isn't that big and scary as it probably first seems when you look at it you know if you
[00:37:26] start simply and work your way through it and I emphasize the sustainability approach like do
[00:37:31] the sustainable processes and then you know don't try and overcook it on day one it's a really
[00:37:38] common sort of trap to get into is to try and be perfect at all these things in day one is start simple
[00:37:45] and work your way through it and if you need help obviously just reach out we're happy to help
[00:37:50] we partner with MSPs to do this you know weekend week out and we find that if you take it
[00:37:55] and you really use the processes and you really use these these processes in your day to day
[00:38:00] it does make your life easier in the short term you've got a little learning curve of course but
[00:38:04] it does make your life easier in the long run and we find that you get a much better long-term
[00:38:10] engagement in your customers when you when you engage this way so I would say it's probably time
[00:38:16] to turn face towards compliance instead of shying away and treating it as something
[00:38:20] that's happening later on you know legislation is going to change this year around privacy which
[00:38:24] is going to drive a lot of these conversations from your customers you know I'm a betting man
[00:38:29] I reckon we'll see a cybersecurity act in the very very very short future as well and it's
[00:38:34] going to hold directors accountable for cyber risk in organizations and as soon as they put
[00:38:40] that on a bit of paper directors that companies have all sizes are going to reach out to the nearest
[00:38:44] trusted advisor and a lot of times that's the IT MSP and say hey how do we how do we fix this how
[00:38:49] do we how do I sleep at night now that I've got this new really really executable commitment from
[00:38:56] a from a directors perspective how do I make sure that I'm covering all of our bases and I think
[00:39:03] that conversation you'll see shift into next year once this happens and I think every MSP should be
[00:39:08] getting ready now for that conversation because if you are ready you will capitalize on that conversation
[00:39:14] if you're not ready you'll be behind that ball and you'll be sort of chasing it and everyone likes
[00:39:18] to be prepared and over and hasn't got a lot of time in their day but this is one of the things
[00:39:22] I genuinely believe if you spend a little bit of time on you'll get that better.
[00:39:28] I completely agree and that this is one of the catalysts for us to elevate ourselves and if
[00:39:34] you're not the one that's elevated when it does when pen does hit paper you're you're not going
[00:39:40] to be spoken to. These aren't conversations where people come directly to if you're not
[00:39:45] practically talking about it they'll go find someone who is that difference of stature
[00:39:51] or and status of someone that's acting like an advisory level person that works at C-suite
[00:39:57] and board level compared to someone that's just a service provider so hopefully people get on the
[00:40:03] front foot with this and I think you know the thing that I'd add just to wrap up to get started
[00:40:10] even if you don't develop a risk program yet and your clients aren't quite ready and you're
[00:40:14] going to work towards it just start asking better questions and more holistic questions.
[00:40:19] Just ask them what do they perceive as risks in their business? Don't even talk from a
[00:40:23] technology perspective just open that conversation up and start having it and you'll start to see trends
[00:40:30] you'll start to get deeper relationships etc etc but just start so it's been awesome having
[00:40:38] you Andrew and no doubt I'd be happy to have you back again in the future as all the landscapes
[00:40:43] changed and there is more regulation and legislation but thank you so much for your time today.
[00:40:49] No problem at all. Thanks for having me and appreciate it. I look forward to coming back soon.