Take the Challenge & Make It Your Opportunity, With Joe Harford of Reclamere

Hello, I'm Dan Thomas Shefsky and this is the connecting it podcast.

[inaudible]

Welcome to the connecting it podcast. I'm your host, Dan Thomas Chesky and joining me today is Joe Hartford, founder and president of Recla Mir Joe. Thanks for being on today,

Dan. Thanks so much for helping to make me famous. I appreciate it, man.

Oh, no, we're really excited to have you, Joe. I know recently you, uh, you participated in one of our connecting gauges and just all the MSPs were giving some phenomenal feedback on, on the things you are saying. So I thought we'd bring you into the bigger audience and really let you kind of share what you a little bit about yourself and just what you're seeing in that compliance and security space. So why don't we get in, why don't you tell the listeners out here today, a little bit about yourself and reckless here?

Sure. So Recla mere began about 20 years ago as an it asset management company focusing primarily in healthcare, financial services and education. And what we were doing is working with clients who were trying to answer the questions of what do I do with auth network equipment. As I get ready to go through either a merger and acquisition activity, or perhaps it's just a refresh cycle, uh, where I've got to manage a Depot for it gear, but more importantly, the real value was related to what do I do about onboard data? How do I make sure that whether I'm in healthcare or whatever market that I can prove to an auditor beyond a shadow of a doubt that someone has taken the responsibility to certify that all forms of digital data have been destroyed on my behalf. And that's really the value add that we brought to the it asset management space. About 20 years ago, we very quickly realized going into 2010 because of our customers, that it was more than just simply managing equipment. It was about managing the entire life cycle. How do we deal with warehousing and imaging and deployment? What do we do about special one-off projects where we're going to close or move a data center? How do I deal with, um, having equipment in multiple locations and recovering it from multiple locations, et cetera. And so the business just continued to evolve, uh, and really looked at cyber security from the perspective of the customer again, where they would come to us with these challenges about how do I deal with a data breach. It was very reactive in the very beginning and only within the last five years, has the conversation kind of pivoted to a much more proactive conversation where folks are saying, listen, I know I to do something. I'm not really exactly sure what the something is, and I want to be able to comply for whatever reason. And can you help me develop that security roadmap? That's going to allow me to more than just simply check a box because clients realize it's not about checking a box any longer. And so 20 years later here we are.

That's a really good story. I mean, and it, uh, I think it gives us kind of an idea of why you got into, you know, your cyberspace that you're in compliance. I think you've got a really interesting company. Um, that's doing really well and you know, just talk a little bit about cyber security. You know, we'll kind of carry on again more with it, but why did you decide to get into the cybersecurity space?

We decided to go into cyber security because of my business partner, Angie singer Keating, who had sat back about 10 years ago and said that the it asset management space is really not a space. That's completely diversified. In other words, it's not changing the way in which it does business. It equipment comes out, it's got to be warehoused. It has to be imaged. It has to be deployed, et cetera. And sure, although there are challenges with newer equipment. So the internet of things and medical devices that are connected to wireless networks, et cetera, definitely pose a challenge. But I think what she did was she looked at the horizon and she said, when we start talking about the opportunity in business to truly become sticky to customers and quite frankly, being able to drive margin and better longterm relationships as a business, we have to figure out what the cyber security mean to reckless here. And so those conversations really changed the way in which we develop the marketing message. What was the narrative that we sh that we shared with customers and prospects and how were we going to mature our own cybersecurity preparedness as a, as a service provider, and then go out and attract those businesses and work with them as a partner?

No, that's, that's a really good story. And so let's get into this a little bit, you know, if, if I'm sitting out here going, what are the challenges that MSPs have to take into consideration today before really diving into cyber security? Um, and I know this is something that, uh, you really focus on. So I'd love to hear your advice to the MSP listeners today.

So I think there are a number of challenges. And the first thing I think you have to do is you have to have a mindset of taking what you would view as a challenge and turn it into an opportunity. So, as an example, of what I mean is one of the challenges is how am I going to manage the liability associated with telling a client that I'm going to be their cyber security support agent. Now you could very easily look at that and step away and say, you know what? I don't want to deal with that. That's kind of scary to me. That's a little overwhelming, or you can look at it as an opportunity to differentiate yourself from the other MSPs out in the market, to be able to take that risk now, realize it's gotta be a calculated risk. You don't just simply jump in with both feet and not pay any attention, but you've got to take a look at how do you turn that challenge into an opportunity? Another challenge is, well, you know what, I don't, I don't really have engineers that are credentialed either as a CIS SP or they haven't taken a look at comp Tia, et cetera, and so forth. Well, look at it as an opportunity first as an owner of what certifications should you be getting. So you can really speak the language as a business owner, and then convey that to your client in a way where they can really understand it and not get wrapped around industry jargon and acronyms, and just kind of shut down in the sales discovery conversation. And then look at that development for your employees as an opportunity to reward them, to give them exposure to the education, the training, the tools, the challenges, et cetera. So again, you try to create that win-win culture and environment in your organization. And then I think the biggest challenge that you've got to flip into an opportunity overall is what does your cyber security roadmap of success look like? And where do you get started? Because often I think what happens, Dan is people, they look at all of the things that are out there, everything that Casa has to offer everything that's out in the market space. And they, they just get to some extent, I think they get so overwhelmed that it's almost like fatigue and they don't know where to get started. And, and that, that roadmap is, is really important to draw a line in the sand and get started.

No, that's, I think that's great advice, Joe. And I think, and I talked to MSPs a lot and, uh, you know, one of the things you hear is, is like I've been battling on building my stack. You know, I don't have one today. Um, but we've been working on it for a year. We're still trying to figure it out. And I think you, you kinda really hit it on the head is you gotta start somewhere and then build a roadmap in, in continue to add to it based on the market, based on the client you're serving. Uh, so I think that's a really good point because so many people get wrapped up and it has to be perfect. And I don't think it, I mean, maybe you can tell me if I'm right or wrong and you're welcome to disagree, but you need to, you need to have something and then continue to add on and on and on and on, based on information and what you're seeing.

So, you know, to your point, Dan, I'm very fortunate in my business because I'm not the technologist. I'm not the smart guy in the room. You know, I'm a sales guy, I build relationships. I meet with people. I consider myself to be a really good listener. And then I've got to make a decision whether or not I even want to engage with you as a, as a prospect and turn you into a client because quite frankly, there are some folks out there that just the, the match is not there. My business partner, however, is the technologist and the policy person and the security guru kind of person. And that, that balance is really helpful because very often what I find with it, people is there is a very technical, caring, risk averse nature to many technologists. And I think what happens is that many owners being that technologist, sometimes they suffer, um, you know, it's that whole paralysis by analysis. What if this, what if that, and again, I'm not saying that you just jump in with both feet and you don't care what part of the pool you're jumping into, but building a security stack should be as simple as having a conversation with someone like yourself or someone else could say, uh, and kind of working out literally within 30 days, you should be able to spin up a basic security stack realizing, you know what, as you go out and you get ready to sell it and service it, it's probably going to change. So what, as long as you don't cause your customer to be at risk and yourself at risk, you got to start somewhere like you said, Dan. And I think you've got to also accept the fact that it is going to morph over time. And quite frankly, quite frankly, it should morph over time. You shouldn't be stagnant. You should always be looking for what's a better way to optimize my operation, secure my customer and build out monthly recurring revenue.

No, that's great. And I think you said two things and I'm going to kinda go into this, but, uh, I think you said something that I think sometimes we struggle with is maybe they're not the right fit for me. And it's hard. I mean, you're, we're in a, in a, in a world today where someone could come in and be like, it's a$5,000 monthly reoccurring revenue deal that can change my business. I'm going to take it cause I need the money, but is it the right fit for the organization? And I think, uh, I think that's something that I hear you, and I've heard you say now that not everybody takes that time to really evaluate, are we the right fit for them and are they the right fit for us? And I'd like to hear your take on that one first.

So back in 2005, we were having a very difficult time in business. And I was really getting wrapped around the axle of every single deal, every single dollar and what am I going to do? And I found myself wasting a lot of time. And I remember Angie who's, my business partner had said to me, you know, you need to think about the theory of next and what she meant by that was you go into a deal and you evaluated based on a couple of things. Number one, is this going to be good for Recla Muir? And is this also going to be good for the customer? And if you don't get a yes, yes. Then you know what you may need to consider moving on to next, in addition to that, nobody likes to lose a deal. Especially me. I'm an incredibly competitive guy. I get really jacked when I, when I, when I miss a deal, especially, you know, through a debrief, if I realize, you know, I misquoted something, I didn't do it correctly, you know, I've put a lot of pressure on my shoulders as an owner. And that's just the way that I am. Um, but the reality is that there are certain pieces of business that you just don't want to win. And you've got to be courageous enough to be able to accept that. You know, I think one of the comments I made in engage was you gotta know when to fire a customer. Um, there there's nothing wrong with that. And some people that are listening may go this guy's completely totally off his rocker. Well, you know, every year we evaluate all of our clients through and we do a profitability review. And if a client isn't at a certain profitability level, we either a figure out how to get them where they need to be, or we have to figure out a different way in which to service them or they go away because we can't run our business in a non-profitable way. Right. Right. So, yeah, I think it comes down to, you gotta be, you gotta be really focused on those things and having those conversations ongoing.

Well, that's really good point. And that's why I wanted you to kind of hone in on that because, and that's a tough thing to do. I mean, like I've talked to MSPs that lost a lot of business because of COVID or different things. Are there certain verticals they went down to, like, I just want to take people to get my reoccurring revenue back up. Um, and then people are like, but I, it has to be right. And, uh, I just think that's a really important tip. You don't want to take business on just to take it on, make sure it's the right fit for you and your customers. I think that's a great point that you bring out. Um, and then the second question I was going to kind of go to is, look, we talked about evolving the stack and having, um, the ability to talk to customers about the ever evolving security stack compliance deck. How do you do that? Like, how do you, you know, we know that the world changes. We know there's things that we're doing now that we weren't doing a year ago, and there's going to be things in a year from now that we weren't doing today. What does it look like? That your customers, that talking to your customers, that they know there could be another expense or something else that's coming because of the security needs. How do you handle that conversation with your customers?

We do our best to schedule QPRs with our customers to talk about current state and future state under what we call the good, the bad and the ugly, and to try to get them to understand that what we're doing for them is in fact, a service. But that service is more times than not going to be evolving and changing because we know that the threat landscape is always evolving and changing. So giving an example, we have a client that we work with and they have a number of third party vendors that they rely on for the collection management storage transmission of all forms of financial information, long story short, they have a third party vendor that has suffered a security incident. And so in this review, not only do we find this out, but we find out from our client that they're now saying to the third party vendor, you've got to go to a company like reclamation and have this conversation and figure out what are you going to do in order to correct the challenge? My point is that you've got to be in constant communication with customers and prospects. And, you know, we found a lot of value in powered services. It's been incredibly helpful for us in social media, blog posts, et cetera. And I think that being able to stay top of mind with relevant information, that's really educational and not a sales pitch is what gets people to want to have the conversation with you because there's no feeling of odd Joe Hartford again, and he's, he's here to sell me a new kind of widget. And now my monthly number is going to go up. Not at all. It's about, listen, here's a, here's a new threat vector that we should talk about. We've been, we've been talking to you for the last three months about two factor authentication. And by the way, here's somebody who's in your general landscape that just had an issue that if they had to FFA in the environment, they would have been protected. Those kinds of conversations are really beneficial with our clients.

No, it you've hit. I mean, there was a wealth of knowledge in that one. Um, I think the fact that you're doing effective QPRs and you're educating your customers, you're demonstrating the value, but you're also letting them know the landscape that's coming up. It's vital. But you said that the, the keynote and I took a note of this is that your current customers, when incidents are happening at their supply chain are now calling and saying, you need to use Lameer because, you know, they've been able to put this into place for us, help us protect ourselves. And, uh, I, that is, to me, the whole reason why you should be doing QPRs because not only is it to have that relationship with your customer, to let them know about the landscape, you don't ever know who they're talking to. And or when the other person on the other side, struggling though that one of their vendors, and it turns into a really good opportunity for you.

No, I agree. And I think that, um, if we don't consider who our customers are working with as third party vendors, we, as business owners are missing out on an opportunity to grow our business. We know that we will spend an incredible amount of money to gain a brand new customer. We know that we dramatically reduce that cost marketing. And otherwise when we get a referral from a current customer, when we sell additional services into a current customer. So if we don't leverage that, we're really foolish. We really are. Right.

You talked about how the, the world's changing and there's constantly, you know, you're having new products and new things. Uh, one of the areas I wanted to ask you about was compliance. And what do you see? You know, I've been seeing MSPs really jumping on the compliance bandwagon and not just the CMMC, the cyber liability, the NIST framework. Um, I mean, HIPAA, I mean all the way around, I mean, it's more than just one product anymore. It's, it's multiple different solutions. What are you seeing around compliance? And what is that conversation? You know, when you're sitting down and having a customer, what are, what's the messaging that they're giving back when you're trying to talk about compliance?

First of all, I think that the conversation is going to be different, obviously, depending upon the market that you go into. One of the areas that I'm, I'm pretty excited about is what's happening in healthcare with these larger health systems that are purchasing and have been purchasing for years, quite frankly, either other health systems or specialty practices. It is, it's just an incredible tidal wave of activity. And so what's happening is historically in M and a activity. There's a due diligence process that folks go through. And within healthcare, they do a really great job of taking a look at the revenue life cycle. They're really good at taking a look at quality care metrics. They understand the physical plant, et cetera, but they haven't really done a good job of, you know, what, I'm a large healthcare system with however many thousands of beds I'm getting ready to buy the specialty practice. And we take them through the typical kind of gauntlet of activity. And then we buy ourselves a data breach because we did nothing at all to ensure that prior to that doctor's practice becoming part of our network, that we knew that ransomware was sitting active in that environment. That's a, that's an element that is a, a really great opportunity for organizations to take a look at helping that merger and acquisition activity and realizing that compliance is more than a check box. It's more than just simply saying here's a bunch of findings. It really is about having an active conversation about, okay, what is the current state, your risk profile, your risk, uh, picture or whatever you want to call it. And, Oh, by the way, what are you going to do in order to become compliant with whatever particular standard you want to be compliant to? And what does that journey look like? You know, what resources are you going to use internally? What resources may you look to a company like Recla mirrored to, to bring to the table? Um, are we going to have to hire additional staff? Are we going to look at building our own security stack? What, what is this going to look like? And it's more so than ever. It's not about really checking a box any longer. It really is about that ongoing journey where we never really check a box any longer. We just continue this perpetual cycle of assess, evaluate, remediate, et cetera. And then we just go through it again, because we know that we're going to add employees, we're going to remove employees. We're going to add technology. We're going to remove technology. Oh, by the way, the bad guys are always going to be three steps ahead, et cetera, and so forth. Oh, and by the way, we've got third parties that store data for us as well. So all of those things, I think really force us to accept the fact that it's this ongoing journey that we have to be in partnership with our clients.

No, it's, it's great information. I mean, look, give me compliance is not something that I don't think it's an easy conversation all the time, but I do think people are responding to the compliance talks better than ever now, especially with COVID. And I hate using the word COVID is the example that's really accelerated it, but I think it is. I think it's one of those things. Now people are taking it more serious. I mean, doctors and, you know, all these different medical professionals are taking more health care information than they've ever taken before with COVID tests and all these different things that are happening. So it's just a, it's one of those things where I hear the conversations around compliance or MSPs are having in their winning business, because they're talking about compliance and checking box, like you were saying, it's different to say, I can come in and put anti-virus in, or, you know, remote, you know, detection and do your dark web monitoring and things like that that you hear MSPs really kind of come in and say all the time, but it's another to say, I can do that. And I'm going to check the box and compliance work with you to make sure that the policies and procedures are in place. I think that really differentiates yourself now. And I think that's something that a lot of MSPs are gravitating toward.

Well, I think that they, they have to pay attention to it. They've gotta be aware of it. And the other thing that may sound kind of strange to everyone is, you know, you should really eat your own dog food. And what I mean by that is, um, if you're going to go ahead and you're going to use whatever tool set you want to use to perform an assessment of some sort where you want to run compliance manager, you had better do that within your own house first, right? It's not just about understanding the tool, right. And what the output looks like, but how do you say to somebody I'm going to be a trusted advisor that you can rely upon for your cyber security posture and maturity model getting better year over year when you yourself have never evaluated or assessed your own environment, your own network, determine your own risks and built your own remediation plan. How do you do something like that? I don't, I don't really think he can. So I think that, you know, when back to an earlier part of the conversation, you know, what should folks do well is I think as, as part of that roadmap, you should be running those tools and evaluating you as the MSP first, before you really decide you're going to go out on the street and save the world.

No, I totally agree. You gotta be looking at it. You gotta be practicing what you preach. Uh, and then you gotta be able to, you know, cause your customers are gonna say, well, can you show record of your compliant? And can you show us that you're following this? And you know, it's, it's, it goes a long way when you're able to say, yeah, here's what we're doing. And here's our risk. And that, you know, you know, and being able to kind of have that conversation with them, that we do this to ourselves. So that's a great point. Um, I do have another point I really want to get into with you, uh, because I think this is a really good, uh, question in, or having a pretty good conversation around a lot of different things today, but what are the it security challenges that SMBs today have to be aware of?

Oh, wow. I mean, we could, we could talk for an entire hour on that, right?

Let's go with the top ones. Let's go up. Maybe your top couple that you think are that are big ones.

You know, what I find is that with SMBs, there's no real, there's no real plan. You know, they, they know that they've got to buy equipment. They know that they've got to be connected to the internet. So they're looking for an ISP. They know that they need to have a firewall. So whether or not they have the resources to actually go to that level where they're able to identify an MSP that can help them. But there's no real clear understanding I think, or appreciation for when your business connects to the internet to conduct business, you are now truly in the wild West and there is no, I think appreciation maybe is the wrong word, but a clear understanding of when you start talking about risk and security, et cetera, I think many times it just kinda goes over people's heads because I don't know if we, as MSPs have done a really good job of being able to talk about what does that risk mean to the business? So that's the, that's the first thing understanding the risk, right? The second thing is I think being able to realize that in a small organization, um, you know, you still have, it goes back to the, there's a show. Um, the weakest link, it goes back to our employees. And I don't mean that in a, in a disparaging way, but the reality is we know, we know from practice the research that's out there, that folks are going to use their, uh, their corporate email address and a credential. And they're going to use it out on the dark way. It's going to get out onto the dark web because of some third party website that they went to. And then it was that application site, et cetera, was breached. And now it's for sale out on the dark web. We know that that's going to happen. We know that they're going to be challenged by, Oh my gosh, she made me remember too many passwords. So I got to write them down on a piece of paper. We know that that's a challenge. We know that they're going to be clicking on links. So, you know, phishing attacks. So the whole world of the employee, the, the person who sits behind the keyboard is I think number two for small business owners. And then finally, I think the third, the third element is what do they do when in fact a security incident happens? What do we do when it hits the fan? Oh my gosh, this has been brought to my attention. They have no incident response plan. There's no, there, there's no way for them to understand who's involved. Who talks to the media? Who do I call? Do I have cyber insurance? What does my cyber insurance talent, et cetera. And so like, there's no coordinated effort. So I think those, those three pieces are really, at least from my perspective, my experience, others may have, have additions to that. Uh, but that's been what my experiences with the MSP, the SMBs are really faced with as we, as we cruise through into 2021.

No, I think that's great advice. And I think one of the things that you hit on on that last part is, is the plan. And I can tell you so many people in the MSP space we talk about, Oh, we got to have a disaster recovery plan. We got to have a data breach plan. We've got to have, you know, all these different plans and we think we're ready. And then that scenario hits. We never did the fire drill. We never tested it. Like we never, you know, it's all on paper, but we've never actually walked through and sat down with the customer and said, okay, if this happens, this is who I'm calling. This is how we're going to do it. And like making sure everybody's aware of what to do. And, uh, I think I heard this a ton, right? When, like, let's say March, April timeframe, when everybody was going home, that the MSPs that had the plans and kind of did the fire drills and add it, it went smooth. I mean, people were right there. And then there was people that did not have a plan. They didn't believe in the plan and all of these other things that were going on, they struggled and businesses took some downtime. They had to order equipment, they had to get different pieces and things. So I think what you just said was, is a really good thing that, you know, if this pandemic taught us anything, um, it's to go out and have a plan, but don't just have a plan. You need to make sure that you're ready to execute on it and people know how to execute. And I think that even more important, you know, than just having the plan, you gotta know how to execute it and getting all the right players involved. So I think that's really good advice now. I agree with you, Dan. So I, you know, you've been giving a ton of information, whether it's been from security to compliance, to just having good QPRs and how it's turning into business. I mean, Joe, you've really brought a ton of information to us today, you know, to kind of close this out and, you know, for our listeners, I always like to let people kind of end it, like, what is your final thoughts or something that you can share. That's really good advice to the, the MSPs on here. That's like, you know, this is just something that I'm really passionate about or, you know, look at this, my final thought.

So my final thought is this, whether you have not jumped into cyberspace yet, or you have, and you're trying to figure out what's your next step going to be my advice to you is this, and this will, this may sound off the wall and that's okay. Find the people on your team that you're going to rely on to create the ideas, implement the plans, sell the clients, and then fulfill the order and get out of your building. Literally get physically get out of your building, get out of your house and go some place where you can really brainstorm and talk about what's going on, leave your phones in the car. Don't bring them into the meeting room. Don't bring them into the conference room. Don't bring them into the bar. I don't care if you go meet in a bar, but get out of your comfort zone and literally be able to brainstorm, what do you want your next step to look like, build the roadmap over the next 12 months. Don't start talking about what do I want to do in three years and five and three years from now, I could be dead. You know? So talk about what do you intend to do in 2021 at the end of Q1, two, three, and four, realize that you got to pivot the plan based upon resources, et cetera, and so forth and revisit that plan outside of the building once a quarter. And I think that, you know, if you do that, you you're going to have a, first of all, I think you're gonna have a great experience with your team. Uh, you're not going to be distracted because you're going to leave your phones in the car. And I think you're going to, you're going to start to flesh out some ideas that are going to be pretty cool for your business. And they may not all come to fruition by the end of the year and that's okay too. Uh, but I think you'll, you're going to find some real kernels of wisdom in those conversations that can turn into some really cool MRR.

No, that's, that's, that's great advice. Um, I really think that's some amazing advice actually that you just shared with us. And, um, I, I appreciate you. I really do appreciate you and the whole Recla mere team. Um, you guys have been great and, uh, the knowledge and just watching you guys on LinkedIn and the information you share there, um, you guys are a great wealth of knowledge to this industry. So I want to say thank you on behalf of, you know, just myself and the team here, uh, but also the, the channel. Thank you for, for being someone who's always sharing and giving really good information to help out other channel members.

Well, I learned a long time ago, Dan, that, um, if, if you're willing to give and you do it in a genuine and sincere fashion without expecting anything in return, it really does become, uh, very beneficial to the community. In this particular case to the channel. There've been a lot of people in my career that have done that for me. Um, and I've really appreciated it. And I would say, um, you know, between yourself and, um, and Katie and Curtis and many other people, um, there is a, there's a wealth of expertise and help within Cacia that if you don't reach out and ask and have that conversation or set up a Calendly meeting or whatever, you are not getting the biggest bang for your buck, I don't know everything, man there. I just, I don't, and I'm okay with that. But what I do know is where to find the expertise. And as far as I'm concerned and how we're growing our business, I come back to the expertise at Casea you guys get me plugged in and I always find benefit in those,

Knowing that we appreciate that. And, uh, you know, I think that's, what's important, you know, in the channel is that we always got to be connected. And even if it's not the experts that we all know, and we need to get you the right person to make sure that you're getting the assistance you need. So appreciate that. That's a really nice compliment. And, uh, I just want to say thank you for being on today and, um, you know, for all of our listeners today, thanks for listening to the connecting it podcast, make sure you subscribe and rate us five stars on the iTunes stores. And until next time we'll see you later.