🎙️ SPEAKER Chris Johnson
📍 WHERE TO FIND HIM LinkedIn: https://www.linkedin.com/in/chrisjohnson1337msp/ Website: https://www.comptia.org/
📌WHAT IS THE MSP INITIATIVE? The MSP Initiative was developed with one goal in mind: education for the IT & MSP Channel. We are bringing together some of the best industry minds from all over the planet to help you learn relevant and helpful tips and tricks you need to take your business to the next level! Every Tuesday and Thursday at 1:00 PM ET, we will have great IT Channel members and experts discussing relevant topics to your business. We hope to have these great members from diverse backgrounds and areas of expertise help everyone through some new and changing times. Register once and join us every week! There will be time reserved at the end of each session for a Q&A, giving you the opportunity to ask real questions you need answers to for your business.
[00:00:01] Hello ladies and gentlemen, welcome to a May that's right May edition May 7th
[00:00:09] actually edition of the MSP Initiative MSP talks we're gonna get through the
[00:00:14] housekeeping real quick and then get on to the good stuff like we usually do
[00:00:17] here is that housekeeping ready MSPinitiative.com this is pretty much
[00:00:24] everything that we do kind of in one place so this session for example is
[00:00:28] being recorded and we're going to post it on to the podcatchers YouTube pages all
[00:00:32] that jazz or under the sessions page on MSPinitiative.com like share subscribe
[00:00:37] forward all that jazz that is what is there for we do these for you hopefully
[00:00:43] you take advantage of them keep coming back that's for sure actually today's
[00:00:48] guests who I'm gonna introduce in a second was with us at our Nashville MSP
[00:00:52] Community Minds event which went swimmingly by the way and we'll talk
[00:00:55] about it once we get past these housekeeping items but we will be
[00:00:59] doing another MSP Community Minds at the end of September we'll be posting the
[00:01:03] date shortly if you want to check out what MSP Community Minds was and go to
[00:01:08] MSP Community Minds at MSPinitiative.com you see it's up top and you'll
[00:01:11] see we had a bunch of MSP panelists and expert workshop givers who you know
[00:01:17] across two days they didn't PowerPoint you to death and actually tried to
[00:01:21] like take you from an idea and the actual practical application of the idea
[00:01:27] right so we'll talk about that a little bit more in a moment but if you're
[00:01:31] interested in a super educational event that's what MSP Community Minds was
[00:01:35] invented for again we have at least one more of these in the calendar for this
[00:01:40] year in Denver in September we promise we'll share the dates with you as
[00:01:43] soon as possible hopefully you'll be able to join us then we get to the
[00:01:48] fun stuff the after-hour stuff we have two MSP Community Block parties coming up
[00:01:53] oh there's several actually more this year but the next two are both on the same
[00:01:58] week so either you're gonna be hopefully joining Pax8 at their Beyond
[00:02:04] event a conference in Denver June 9, 10, 11 and if you are on June 10th we will
[00:02:11] be holding an MSP Community Block Party with the great folks at Pax8 for
[00:02:16] Pax8 Beyond you can already click on this link and go ahead and register and
[00:02:21] get your QR codes and like get ahead of the line right so if you haven't
[00:02:25] already there's two links here right MSPs and anybody other than an MSP so
[00:02:30] you know use the right link register at a time so that we don't have to do the
[00:02:34] whole you're standing at the door you know doing your cell phone screen
[00:02:37] thing so definitely join us there we'll be announcing our entertainment for
[00:02:42] that event very soon I'm super excited on that one and then if you happen to be
[00:02:49] around last year and we're on the other side of the ocean and joined us for
[00:02:53] Kaseya DattoCon in Dublin well we're going back and we'll be running our MSP
[00:02:58] Community Block Party at the DattoCon Dublin event here you go same deal
[00:03:03] links are registered registration links are there so that would be on June 12th
[00:03:09] yes we love airplanes here at MSP Initiative so those are the two that are
[00:03:14] coming up check them out under community block parties at MSPinitiative.com
[00:03:18] register register register ahead of time we can't wait to see you there
[00:03:22] especially obviously MSPs cost you absolutely nothing it doesn't cost you
[00:03:28] anything for community minds doesn't cost you anything for the Community
[00:03:30] Block Parties you just need to show up and have a good time so I think that
[00:03:34] would be that would be a good thing for you community offers these are just
[00:03:37] deals and hookups from companies around the industry that may or may not apply
[00:03:40] to you feel free to take advantage lastly is our industry calendar that we keep
[00:03:45] on updating as time goes on because you know everybody likes to throw events
[00:03:48] events events events and if you want to be on the road every day of the week
[00:03:51] every day week of the month and every month of the year you surely could
[00:03:55] I would say you should pick and choose wisely but there are so many to
[00:03:59] choose from so you see our community our industry calendar there
[00:04:03] that is all the housekeeping MSPinitiative.com now we get to the good
[00:04:07] stuff like to bring I think for the first time on on the podcast
[00:04:13] Chris from CompTIA how you doing today Chris?
[00:04:17] I'm doing great thanks for having me on the show.
[00:04:19] Yeah absolutely swear I just saw you like you know a few weeks ago.
[00:04:23] Few weeks ago absolutely.
[00:04:25] So number one thank you so much for joining us at MSP Community Minds
[00:04:30] I know Matt Lee was originally supposed to come on in along with you
[00:04:34] and then he got like triple booked no problem.
[00:04:37] You guys work together all the time we're going to talk a little bit
[00:04:40] about what you guys have been baking up on both sides but
[00:04:44] what did you think of MSP Community Minds?
[00:04:47] I thought it was a very unique I would even go so far as to say
[00:04:51] intimate setting where I was just kind of saying before the episode
[00:04:56] that we had an opportunity to talk to people as if we were
[00:05:00] sharing dinner like it wasn't large volumes of people filling rooms up
[00:05:05] and there wasn't pressure like to buy or the pressure to
[00:05:11] you didn't feel like someone had an alternative agenda other than to be
[00:05:14] there and be present.
[00:05:16] Yeah no that's really what we were after to be honest
[00:05:21] I know there's a lot of people in the sandbox that are trying to help
[00:05:24] kind of turn the tide a little bit but like how many trade shows
[00:05:28] how many show how many booths how many credit card swipes how many
[00:05:32] etc etc etc etc like I understand there's a time and a place for everything.
[00:05:35] Got it but excuse me we definitely heard the messaging that
[00:05:41] hey we want to go and actually learn something
[00:05:45] like I want to take time out of my my my regular day to day business life
[00:05:50] and actually come back with something net positive.
[00:05:52] Yeah and I think one of the things that we've heard for Chris and I'm sure
[00:05:55] you've been around for a long time you've seen it is like hey I went to
[00:05:59] a session at an event and like the theory of something was presented
[00:06:05] right the idea the concept but then like I walked away with I guess
[00:06:09] I need to do a lot of homework here to figure out what to do right in order
[00:06:13] to implement and I think that's for a guy that has been in hundreds of
[00:06:17] sessions at hundreds of events over the years it's like man I keep on
[00:06:21] like doing housekeeping around here and I find my notes I found my notes
[00:06:25] on IT Nation 2012 the other day and I was like oh nice.
[00:06:29] I don't think I read this after I wrote this right like you know and so
[00:06:32] I think that's kind of what we were trying to do differently with MSP
[00:06:37] Community Minds so thank you thank you thank you for number one coming
[00:06:41] I know you're a busy guy number two you know helping educate the masses
[00:06:45] right we're going to talk about that in a second couldn't have done it
[00:06:48] with everyone who kind of put their time in and so you know I hope that
[00:06:53] we're doing our little part here at MSP Initiative along with several others
[00:06:56] right and I could name five right now top of my head who are like hey you
[00:07:00] know I really want to change the model of how the events work in our
[00:07:06] surveys and our sandbox.
[00:07:08] Yeah.
[00:07:08] So you know I know that we're just one one you know a little drop
[00:07:12] in the bucket but at least we're trying.
[00:07:15] I think it's it's more than a drop in a bucket I think the industry is starting
[00:07:20] to wake up and they're starting to recognize that their time is valuable
[00:07:25] and going to events where I think you said it well of the theory or
[00:07:30] there's a theme that says you know when I get to the end of this I'm
[00:07:33] so excited like for the punchline and then the punchline is like if you
[00:07:37] buy our suite of products or our service subscription will help you do
[00:07:42] that and I think that while those aren't necessarily bad it's more of like am
[00:07:49] I ready for what they have to offer going into this and in many cases you
[00:07:54] get to that quote punchline and you realize like you said I gotta go home
[00:07:58] and do some homework I'm not ready the show special is not going to make
[00:08:02] this move any faster for me and now that we're you know I go back in time
[00:08:08] like let's go back you know five six years we didn't have the same type
[00:08:12] of vendor overload like we do today there were there were some overlaps
[00:08:16] there were some vendors that were in the same space right but we didn't
[00:08:19] have this like I can you know roll the dice and whichever number comes up
[00:08:24] then I'll use that vendor that does this thing and I think that's
[00:08:28] one of the things that's really unique today is that overlaps different
[00:08:32] now I go and choose a product based on the value proposition that
[00:08:36] makes sense for my business even though there's five of you that do what
[00:08:40] would be on the surface almost the same thing in the reality is the same
[00:08:44] thing doesn't mean implemented the same way. No actually that was one
[00:08:50] of the things you know not to go too crazy down the road right but it's
[00:08:54] like hey anytime somebody comes up with a new bundle offering right and
[00:08:59] again not knocking on them just gonna use them as the most recent
[00:09:02] example right we heard about 365 exact to say 365 right like a lot of stuff
[00:09:09] and you know they took a Microsoft approach to their 40 years companies
[00:09:14] and they're okay we're just gonna pack a whole bunch of stuff together
[00:09:16] and then we're gonna charge a really aggressive price awesome.
[00:09:19] I wonder have they been able to streamline I don't know because I
[00:09:24] wasn't at the event right like everybody else online it's like
[00:09:27] hey if there's 20 something things underneath of that one product SKU
[00:09:31] that's now bundled am I still touching 20 separate things to implement it
[00:09:36] or has it been streamlined at all. I don't know the answer to that but
[00:09:40] like bottom line is the time to switch and like we hear MSPs like
[00:09:46] I've heard it for years right it's like oh well I'm thinking about
[00:09:48] switching vendors in the same category as like for what purpose it was
[00:09:52] a right price is it just not working did you have an event of
[00:09:56] some bad thing happened to you like yeah you know we just we thought
[00:10:00] we're gonna get a better deal and I'm like okay that's cool like we all
[00:10:03] let's save money but like what about your time costs right like there's
[00:10:07] an effective labor rate for everybody in every company.
[00:10:11] Like did you figure out what that was before you decided to make a change
[00:10:15] because if I'm adding something net new to the company and it's
[00:10:18] going to bring more value more revenue more you know services
[00:10:22] that I wasn't offering before that's different right like I'm
[00:10:25] investing in something net new but if I'm just replacing things
[00:10:29] in the same line items like and when do I actually stop doing that
[00:10:35] right like you know what I mean like it just yeah I think there's
[00:10:39] like three things that come to mind for me on that that are I think
[00:10:42] matter I think MSPs make emotional decisions MSPs are human so we
[00:10:47] all are if you've ever you know and I think vendors do too.
[00:10:52] I think the emotional piece of this is often tied to the least
[00:10:56] mature part of the operational maturity so if I to your point like
[00:11:01] if it's in the same category if I'm making an emotional decision
[00:11:06] you know what do they say when you're ready to react and you're like
[00:11:09] okay take a deep breath count to 10 is it really worth me getting
[00:11:14] you know amped about this and I think that's one thing that
[00:11:17] comes to mind first and foremost is like am I making an
[00:11:20] emotional decision because if I am it likely has more
[00:11:23] negative than positive consequences for my company.
[00:11:26] The second one is cost is a big deal and I think as we see
[00:11:30] that you know had a conversation this morning they were talking
[00:11:32] about you know you know the things that are continuing to get
[00:11:35] added up running in system tray that makes a machine either
[00:11:38] you're buying a beefier machine to get the same performance
[00:11:41] or you're going what things in here do I really really
[00:11:44] really need you know what things were configured
[00:11:47] incorrectly that I now need to readjust and that all comes
[00:11:49] back to you costs and I think one of the things that
[00:11:51] happens when we look at cost for vendor products as we
[00:11:54] really only look at the cost of the transaction not the cost
[00:11:58] attached to someone on my team or even say a vendor team
[00:12:03] being able to you know what does the FTE look like to
[00:12:07] implement manage and continuously monitor what we've
[00:12:11] acquired and I think then then the third one would be
[00:12:15] what's the impact to our current operational efficiency
[00:12:18] is good bad or otherwise and have we evaluated that before
[00:12:21] moving forward I mean because an emotional decision hey
[00:12:23] we're doing this and you go look at the operational
[00:12:26] efficiencies like yep I'm willing to take that hit or hey I had
[00:12:29] no idea this actually is a good decision but again I think
[00:12:32] if you don't do those other two things I because we've seen
[00:12:38] it right ping pong with RMM ping pong with PSAs I'll never
[00:12:43] I will never go to that vendor again I was burnt once
[00:12:47] and you know now we package the robust offering that's
[00:12:51] very aggressive and you're like oh look all of my
[00:12:54] problems go away I now have a control over my monthly
[00:12:57] reoccurring costs I mean at the end of the day
[00:13:02] here's you know or I'm going to just go in the big picture
[00:13:06] because then today is not till the end of this session
[00:13:12] cost is important labor rate is important profitability
[00:13:17] is important but you I also really like want to hit on
[00:13:22] the fact that you need to be pretty confident that you
[00:13:25] can deliver what you've marketed to your end customer right
[00:13:28] because like yeah too many times right like they're like
[00:13:32] yep we got it's covered until it's not covered problem
[00:13:36] happens and then all of a sudden it's like well my
[00:13:38] expectation as a customer was you got me I'm covered
[00:13:41] but in reality I ran into an issue and then like this
[00:13:45] starts happening and then all you know the finger
[00:13:47] pointing and then all of a sudden it's while my
[00:13:49] vendor said it was set it and forget it and I didn't
[00:13:51] look at it and it's like but that's not true that was
[00:13:56] never true and like if that was the messaging failure
[00:14:01] I feel like that was you know a little night either
[00:14:03] you were naive to just take it for what it was or
[00:14:06] you were mis-sold by somebody who didn't care either
[00:14:08] way we're talking about toggle switch syndrome right
[00:14:11] like oh no no like yeah you just turn it on it's
[00:14:15] like well how do you know it didn't get turned off
[00:14:17] like unless you go look yeah no I think that's
[00:14:21] a big one I think you know we see this a lot I
[00:14:23] remember early days of my career having an MSP it
[00:14:27] was that very thing in fact I remember going to
[00:14:30] different trade shows or vendor you know the
[00:14:33] vendor pavilion like that's definitely what I need
[00:14:36] why do I need it because I'm here and there's a
[00:14:38] good show special and I like shiny objects but
[00:14:41] what I did find like if if you're not careful
[00:14:43] no matter how important that product is to
[00:14:45] your ecosystem of what you're delivering to
[00:14:47] clients you often saw this it wasn't just
[00:14:51] finger pointing it was full on vendor bashing
[00:14:54] the one product I bought on a Tuesday I tried
[00:14:56] to implement on a Thursday and it didn't go well
[00:14:59] and it's obviously the vendor's fault right like
[00:15:01] we and I think it's still some today but I
[00:15:04] think less so as the world around us has
[00:15:06] woken up to the fact that you know you're
[00:15:08] not going to just implement whatever you buy if
[00:15:10] you don't have the resources to do it
[00:15:13] well and that and that in itself is a major
[00:15:16] problem that I still see on a regular right like
[00:15:20] hey an MSP signs up for service and their
[00:15:23] expectation is that you're just going to the
[00:15:25] vendor's just going to do it all for them
[00:15:26] sure vendor has a OK idea of what you're doing
[00:15:31] and like has a pretty good ballpark idea of
[00:15:33] what your outcome hopefully should be but at
[00:15:37] the end of the day like they are specifics
[00:15:38] to your business they're never gonna know
[00:15:41] right your end customer you're never they're
[00:15:42] never gonna know sure and like the idea that
[00:15:46] you know you're just going to offload it to
[00:15:47] someone without being involved I just
[00:15:51] don't see it yeah I if you think about a
[00:15:56] lot of the technologies that are out there
[00:15:57] and fill in the blank and I know for you
[00:15:59] and being in the VoIP services space I
[00:16:01] remember back in the early 2000s when
[00:16:04] when VoIP first became a thing and it
[00:16:07] suddenly took the little guy that had
[00:16:09] three employees and put them in this
[00:16:10] competitive space from a communication
[00:16:12] standpoint with all the big players and
[00:16:15] I don't have to spend six figures on my
[00:16:16] phone solution right but what was
[00:16:18] interesting about that as we progress
[00:16:20] forward I think in a lot of areas we
[00:16:22] regressed because you know the
[00:16:23] conveniences of cell phones started to
[00:16:26] grow and you know people are still
[00:16:28] like well I still need my faxes so
[00:16:30] we'll accommodate that too as we advance
[00:16:32] in technology but what was interesting
[00:16:34] is you still had a lot of businesses
[00:16:37] that were largely in the IT services
[00:16:39] space that didn't actually understand
[00:16:41] how VoIP even works and so they're
[00:16:44] spending money and then it's like the
[00:16:47] vendor problem when you know QoS doesn't
[00:16:49] work right you're like well we can
[00:16:50] control QoS between the firewall or
[00:16:53] your network perimeter and our phone
[00:16:56] system but I can't control that you've
[00:16:58] got you know kids with Xboxes on the
[00:17:00] same VLAN right like and that was
[00:17:03] mind-boggling for something like well
[00:17:05] why can't they account for that like
[00:17:07] why are you in this space you know
[00:17:11] and that by the way that hasn't changed
[00:17:14] no or I think we're still fighting the
[00:17:16] same problem just for the record
[00:17:19] but anyway before we get too far down
[00:17:22] the line because we're already 19 minutes
[00:17:23] in Chris like for people who don't know
[00:17:25] you don't know your story don't know
[00:17:27] your journey give it to us what's
[00:17:30] what's your background
[00:17:31] sure once upon a time I was an MSP
[00:17:35] and you know before that I was like many
[00:17:37] MSPs where I was like I can do what
[00:17:39] I'm doing today better than the IT
[00:17:42] services company that I'm working for
[00:17:45] and that progressed over the course
[00:17:46] of about five years to figuring out
[00:17:48] I'm going to start an MSP that was
[00:17:51] back in early 2007 did that for about
[00:17:56] six and a half years and realize that
[00:17:59] if I really wanted to make a difference
[00:18:01] in the security and compliance space
[00:18:04] I needed to do it on a bigger platform
[00:18:06] or bigger scale and so Josh Smith and
[00:18:09] I started looking at like should we
[00:18:11] should we still have an MSP
[00:18:13] we started talking to bigger ones
[00:18:15] and we realized that we could do a
[00:18:17] whole lot more if we were to switch
[00:18:19] up and work with a much larger MSP
[00:18:21] and we did that for a couple years
[00:18:23] and then realize like hey let's
[00:18:24] let's go ahead and merge with this
[00:18:26] large MSP and we continue to
[00:18:28] security and compliance and sort of
[00:18:30] the rest is history I left that MSP
[00:18:32] I went into the MSSP space and went
[00:18:35] from doing like health care
[00:18:36] compliance security consulting to
[00:18:38] focusing on mid-market and enterprise
[00:18:41] banks doing the financial compliance
[00:18:43] audits there and then right before
[00:18:46] COVID hit my wife and I realized
[00:18:49] like hey this is a lot of travel
[00:18:50] you're gone all the time only so
[00:18:52] much more time left before our kids
[00:18:54] are going to be out of the house
[00:18:55] and you've missed out on a lot of
[00:18:56] things that you know in their middle
[00:18:59] school and high school years that's
[00:19:00] like that's when you see those
[00:19:01] moments that you want to really
[00:19:02] capture when they're engaged they
[00:19:03] want to know that dad and mom are
[00:19:05] present and so I took a I left the
[00:19:08] channel I left the managed services
[00:19:10] space I went to a local rural
[00:19:14] school district and took on the hat
[00:19:16] of tech director and security officer
[00:19:19] and that was the biggest eye-opener
[00:19:22] I had about the industry I think
[00:19:24] I'd been living in that blinder space
[00:19:26] which was you know we have access to
[00:19:29] all these tools we put them in and we
[00:19:31] use them when we do all these things
[00:19:32] and I go to school district and they're
[00:19:33] like you get no more staff
[00:19:36] and I'm like what so you know you got
[00:19:38] 3,000 assets under management and you
[00:19:40] have two people to manage all of it
[00:19:43] and I'm like kind of like the idea
[00:19:45] behind being an MSP right more assets
[00:19:47] less FTEs so I started getting
[00:19:50] engaged in that mindset again as an
[00:19:53] employee and it was interesting because
[00:19:54] I saw myself going again back to that
[00:19:57] whole impact and what can I do here
[00:20:00] and COVID hit and so in COVID hit no
[00:20:02] one's traveling but in education space
[00:20:05] we were critical infrastructure so we
[00:20:07] had to be at school so what had been
[00:20:10] planned as four years of projects we
[00:20:12] did in roughly one year because we
[00:20:15] had no students to work around in
[00:20:16] the buildings and so four years of
[00:20:19] that and I had an opportunity to
[00:20:23] re-engage with what we call the
[00:20:26] channel CompTIA had an opportunity
[00:20:29] and I said yes so I am now the senior
[00:20:33] director of cybersecurity compliance
[00:20:36] programs so that's two business cards
[00:20:38] side by side to get that whole thing
[00:20:39] on there and basically my job function
[00:20:42] right now is to oversee our
[00:20:45] compliance programs obviously the big
[00:20:46] one and what a lot of people if
[00:20:48] they are familiar with anything that
[00:20:49] we're doing is the Cybersecurity
[00:20:52] Trustmark and we have about
[00:20:54] 215 MSPs currently in the program
[00:20:58] and that grows by about three to five
[00:21:02] on a weekly basis now continuously
[00:21:04] moving forward and we're starting to
[00:21:06] see some of those MSPs come through
[00:21:08] the other side with the Trustmark
[00:21:09] so that's from A to Z where I've
[00:21:13] been in the industry over the last
[00:21:16] I think I said five years
[00:21:18] I love that story right hey
[00:21:20] started in the space graduated through
[00:21:22] the space left came back trying to do
[00:21:25] you know trying to tackle it from a
[00:21:27] different angle right yeah doesn't
[00:21:29] surprise me on the education side by
[00:21:31] the way right for some reason they
[00:21:35] you know they have technology is just
[00:21:37] yeah making it running wasn't part of
[00:21:40] the plan you know
[00:21:41] stuff
[00:21:42] they're in a big learning experience
[00:21:44] because one of the things that's
[00:21:44] interesting about the K-12 space and
[00:21:47] for anybody that's listening to this
[00:21:48] there's it is ripe for the MSPs to come
[00:21:50] in and really help in K-12 so
[00:21:52] what's interesting about budgets in
[00:21:54] K-12 is they don't have a significant
[00:21:56] platform for tenure of staff
[00:21:59] and a lot of times they don't even
[00:22:00] have a pay scale in a lot of their
[00:22:04] roles or categories that we're
[00:22:05] comfortable with outside of K-12
[00:22:07] so like a technician, net admins,
[00:22:10] sys admins they just don't have it
[00:22:11] so they're comparing it to
[00:22:12] something that doesn't
[00:22:13] have any correlation from a
[00:22:16] value of time
[00:22:17] and then the other piece that they have
[00:22:19] is in a lot of cases especially where
[00:22:21] there's lots of urban development
[00:22:23] factories that kind of thing
[00:22:25] they often have really good tax system
[00:22:27] in place so they have access to
[00:22:29] technology
[00:22:30] they have access to budget to buy
[00:22:32] the equipment the
[00:22:34] you know the subsidized through
[00:22:35] e-rate and some of those things so
[00:22:36] they can spend money that way
[00:22:38] and what you find is they can then
[00:22:40] pay for third party services
[00:22:42] because they're not paying for staff
[00:22:44] and so you find that balance
[00:22:46] and you can make a huge difference
[00:22:48] in a K-12 space where you've got
[00:22:50] someone that was a PE teacher
[00:22:51] yesterday and is now the tech
[00:22:53] director
[00:22:54] spinning their wheels trying to wrap
[00:22:55] their head around how to manage
[00:22:57] all these assets
[00:22:58] not to mention the tools that we
[00:22:59] have access to in the MSP space
[00:23:01] that are big lifts and outside right
[00:23:04] you know it's not like you can
[00:23:05] just go and buy any RMM tool
[00:23:08] if you're not a solution provider
[00:23:09] so I just found there was an
[00:23:11] interesting parallel that was
[00:23:12] happening and then I also kept
[00:23:13] running into people
[00:23:15] that were from the you know the
[00:23:16] channel space the you know the
[00:23:18] Amy Lubey and the
[00:23:20] like her husband is in the
[00:23:21] it was in the tech space but for
[00:23:23] the K-12 and I'm like I had a
[00:23:24] conference I'm like hey I
[00:23:26] I know you and then all of a
[00:23:27] sudden it's like all these people
[00:23:28] that are like it was like the
[00:23:30] other half of you know spouses
[00:23:32] and partners that you're running
[00:23:34] into you're like wait a second
[00:23:35] how do we this is weird like and
[00:23:36] then I realized that this
[00:23:37] that's how small our industry is
[00:23:39] it is super small that's why I
[00:23:41] called the sandbox right right
[00:23:42] like everybody has to play in it
[00:23:46] so talk to us about real quick the
[00:23:47] Trustmark program like
[00:23:49] why would an MSP look at that
[00:23:51] versus I don't know all these
[00:23:53] other frameworks you and I know
[00:23:56] that people in government land are
[00:23:58] all about CMMC because it's changing
[00:23:59] in its or you know then you have
[00:24:01] like the ISO 127 you know 127000
[00:24:04] whatever and now there's so many
[00:24:06] right it's definitely alphabet soup
[00:24:08] of frameworks yes so I think the
[00:24:11] easiest way to look at it is most
[00:24:13] frameworks are not written for a
[00:24:16] business type right so like PCI DSS
[00:24:20] you know for credit card you know
[00:24:22] they didn't write it and say like
[00:24:23] well this is only applies to coffee
[00:24:25] shops it doesn't apply to big box
[00:24:27] Walmart right like it's it's for
[00:24:29] anything that deals with the
[00:24:30] transaction of credit card data
[00:24:33] and similarly ISO
[00:24:37] third and less specific but they have
[00:24:39] sort of the same idea HIPAA obviously
[00:24:41] for health care so when we when we went
[00:24:44] about the Trustmark it was
[00:24:47] we want this to be unique to solution
[00:24:49] providers so we as Wayne has said
[00:24:52] defining an MSP or an MSSP is near
[00:24:55] impossible in today's world
[00:24:57] so we simplified our definition
[00:25:01] for the Trustmark so we said
[00:25:03] if you provide IT services in part
[00:25:05] or in whole to another entity
[00:25:08] done if you provide a security service
[00:25:11] in part or in whole maybe it's an
[00:25:13] application a cloud service don't
[00:25:14] really care we are providing it to
[00:25:16] another entity in part or in whole
[00:25:19] qualifies obviously that doesn't
[00:25:22] account for everybody but today was
[00:25:25] to do a Trustmark specific to
[00:25:27] solution providers and we brought
[00:25:29] safeguards in from multiple frameworks
[00:25:32] to make it very unique to the industry
[00:25:36] that is an MSP or a solution provider
[00:25:39] and it is made up of about 123 of the
[00:25:42] CIS top 18 and then we have that
[00:25:45] then the alphabet soup comes in so
[00:25:48] NYDFS, HIPAA, 800-171, 800-53, ISO 27001
[00:25:55] that add in another 54 safeguards
[00:25:58] and everybody goes well when can I use
[00:26:00] this with my clients so we're working
[00:26:03] on what we call profiles so we'll have
[00:26:05] a client profile and a vendor profile
[00:26:08] our goal is by the end of the year
[00:26:10] so why the trust mark for solution
[00:26:13] providers obviously it's unique
[00:26:14] and a couple of the other reasons are
[00:26:16] a lot of solution providers aren't
[00:26:18] necessarily working in the regulated
[00:26:20] space or they're not sure yet how
[00:26:22] it's going to impact them for their
[00:26:24] clients who maybe are regulated
[00:26:27] whether it's for
[00:26:29] CMMC or some of the others you got to
[00:26:31] start somewhere and I think that a lot
[00:26:34] of what's out there and I know I'll
[00:26:35] quote Dave Alton said this to me he goes
[00:26:39] what other framework has a community
[00:26:42] of others dedicated to your success
[00:26:46] with a set of safeguards he's like if
[00:26:48] you can find that please point me in
[00:26:50] that direction because otherwise I'm
[00:26:51] going to stick with the trust mark
[00:26:53] because that's a community and it's
[00:26:55] not something I got to write someone
[00:26:56] to check to once a month to keep them
[00:26:59] you know helping me on my journey
[00:27:01] there's a lot of volunteers that have
[00:27:03] stepped up and said we can do this we
[00:27:05] can change an industry and then so
[00:27:08] changing an industry we can change how
[00:27:10] we provide support services to
[00:27:12] largely the SMB and mid-market space
[00:27:16] okay well that's a pretty good
[00:27:18] background of the program
[00:27:22] is that it's definitely gaining steam
[00:27:24] there's no question about it I think
[00:27:26] in the industry to your point right
[00:27:28] something specific to us right people in
[00:27:31] the sandbox yeah I'm not sure their end
[00:27:34] customers would recognize what that is
[00:27:38] right like from uh you know I have the
[00:27:42] trust mark now what right exactly so
[00:27:46] part of that is is on us CompTIA and
[00:27:48] others to raise the awareness from
[00:27:50] that perspective like what you know
[00:27:52] CompTIA is largely known in the
[00:27:54] industry they're not necessarily known
[00:27:57] for solution providers having a trust
[00:27:59] mark they're more known on the cert side
[00:28:01] so we look at this like this is an
[00:28:03] is a organizational cert or an accreditation
[00:28:06] so it's not a certificate it's an
[00:28:08] accreditation and and looking through
[00:28:10] that lens we're seeing this take place
[00:28:12] here in the US there's a lot of
[00:28:14] requirements especially at the DoD
[00:28:16] or fill in the you know three four
[00:28:17] letter agencies that require those
[00:28:20] who bid on work with them to have
[00:28:22] or proof of CompTIA certifications
[00:28:25] like A+ Network+ Security+
[00:28:27] so this is an easy one to put on top of
[00:28:30] that and add additional recognition for
[00:28:32] those types of opportunities the other
[00:28:34] one is that the accreditation is being
[00:28:37] stood up the accreditation board is
[00:28:38] we're working with um
[00:28:41] CREST that's who we are trying to
[00:28:43] get this finalized but you know
[00:28:45] CREST is internationally recognized
[00:28:47] and they have that ability to add
[00:28:49] additional credibility for those that
[00:28:51] maybe aren't familiar with what we do
[00:28:53] here in the US or you know looking at
[00:28:56] this for the UK having the trust mark
[00:28:58] helps those that are in the UK
[00:29:00] operate with a security posture that's
[00:29:02] recognized outside of the UK
[00:29:05] and those are big challenges i don't
[00:29:07] see this as a replacing other frameworks
[00:29:09] in fact it's we always say this is a
[00:29:11] precursor to what you might still
[00:29:12] need to do but it should be giving
[00:29:14] you a good baseline and an approach
[00:29:17] to a cyber security maturity as
[00:29:20] opposed to most frameworks are going to
[00:29:22] be you didn't do this therefore you
[00:29:25] failed our approach to this is you
[00:29:27] aren't doing this where you need to be
[00:29:30] here's what you need to do in the
[00:29:32] future to improve that posture and when
[00:29:34] you're evaluated again in future
[00:29:36] assessments now we can give you
[00:29:39] that feedback like yes you did mature
[00:29:41] and you matured in all of these
[00:29:43] areas oh wait you went down in this
[00:29:44] area because that's normal that's the
[00:29:46] reality of the world we live in
[00:29:48] is not going to stay perfect if it ever
[00:29:50] gets to perfect that's fair and i think
[00:29:55] to some degree for people who for service
[00:29:59] providers again the definition was pretty
[00:30:01] good i i think the way that what you
[00:30:03] came up with that would be Wayne's
[00:30:06] definition i'm not sure i could truly
[00:30:09] answer a definition for a solution
[00:30:10] provider anymore uh fair i just think
[00:30:14] it's interesting like for the people
[00:30:15] that you know i run into providers msp
[00:30:19] it certifies whatever you want to call
[00:30:20] who don't have a particular framework
[00:30:24] that they have to work with for every
[00:30:26] reason right right could be the size of
[00:30:28] the customer the clientele the
[00:30:29] verticals whatever so like in that case
[00:30:32] they're like i guess we're just going
[00:30:34] to find something generic right you know
[00:30:36] maybe a SOC 2 for example right but
[00:30:39] like bottom line is SOC 2 is
[00:30:43] really i think you're that you know
[00:30:45] anybody can do it but i really think it's
[00:30:47] really geared for an enterprise
[00:30:48] mid-market enterprise it's expensive
[00:30:51] and here's here's an interesting way to
[00:30:54] look at SOC 2 because that does come
[00:30:55] up a lot because clients have heard that
[00:30:57] term they ask you know all my insurance
[00:30:59] asking for it we need to do it um
[00:31:01] nothing wrong with doing SOC 2 i think
[00:31:03] it's a learning experience no matter
[00:31:04] what you do when i was with the msp
[00:31:07] we had to go through our annual SOC
[00:31:09] 2 assessment and literally it was
[00:31:11] like once you're done with it
[00:31:12] you're literally starting your prep for
[00:31:13] the next year it's a never-ending
[00:31:15] vicious cycle and not that any framework
[00:31:18] is going to be easy when you get assessed
[00:31:20] and like you're not going to have to do
[00:31:21] more it's all about continuous
[00:31:22] improvement but one thing that's
[00:31:24] interesting about SOC 2 and i'll
[00:31:25] just use that one others are like this
[00:31:27] too is you get to define the scope
[00:31:30] not the assessor so in the trust mark
[00:31:34] we're saying there is really no limit
[00:31:38] outside of the boundaries of your
[00:31:39] organization so sorry within the
[00:31:41] organization so we're we're saying no
[00:31:44] rock unturned in looking at the
[00:31:47] technology that you're using from an
[00:31:48] asset inventory standpoint to ensure
[00:31:51] that where sensitive data might live it
[00:31:53] is being protected i mean that's
[00:31:57] pretty clear could live in a lot like
[00:31:59] probably places that you don't want it
[00:32:00] to live let's be honest and that's
[00:32:02] why we have safeguards in there for
[00:32:03] those questions like well let's think
[00:32:05] about you know the vms that you have
[00:32:07] living in some cloud infrastructure or
[00:32:09] somebody else's data center like
[00:32:11] there's a lot of questions to ask
[00:32:13] back to one of them is talking about
[00:32:15] data flow where does the data go in and
[00:32:18] out of your organization ISO and some
[00:32:21] of the others they look more closely
[00:32:22] at data in your organization like
[00:32:24] right now not where it can go or
[00:32:26] what's coming in but like what's
[00:32:28] there today and most frameworks are
[00:32:30] going to look at you as a snapshot
[00:32:32] at that moment in time not at the
[00:32:34] historical evidence of how you've
[00:32:36] been doing or how you did over the
[00:32:38] year over year you know are you
[00:32:40] continuously improving so you know
[00:32:44] pass fail i'd like to think that you
[00:32:46] know getting an a or a b those things
[00:32:49] really shouldn't matter it should be
[00:32:50] more about can you see an understanding
[00:32:52] in my organization that we are taking
[00:32:54] cybersecurity seriously and we're moving
[00:32:57] our organization in a direction that
[00:32:58] says our goal is to continuously
[00:33:01] improve i agree 100 so somebody wants
[00:33:05] to learn more about the trust mark
[00:33:07] program what the process is and
[00:33:11] you know get yeah download more
[00:33:12] information where should we send so you
[00:33:15] can literally google CompTIA trust
[00:33:18] mark trust mark one word and it's like
[00:33:20] the first or second link that shows up
[00:33:21] it's pretty clear it's not a sponsored
[00:33:23] link so you're not going i wonder if
[00:33:25] this really is the organization uh
[00:33:27] you can email me c johnson at
[00:33:30] comptia.org um but largely if if you're
[00:33:34] familiar with CIS top 18 that's two
[00:33:37] thirds of the trust mark so if you're
[00:33:40] if you're working on that and maybe
[00:33:42] you're working in another framework
[00:33:43] uh most frameworks do crosswalk pretty
[00:33:46] well to CIS top 18 okay there it is and
[00:33:51] we've heard i know Matt Lee both in his
[00:33:53] professional capacity at Pax8
[00:33:54] been working on like CIS stuff you
[00:33:56] know within their portfolio of people
[00:33:59] on there but also generally you know
[00:34:02] CIS you know controls for all for
[00:34:04] all right like right what solutions what
[00:34:07] products what fits you know like a
[00:34:09] lot of people that never did the
[00:34:10] homework right so i think part of his
[00:34:12] like pet projects which i'm sure you
[00:34:14] you know you probably run into is hey
[00:34:16] like you probably already have a lot
[00:34:17] of this stuff that you need
[00:34:19] you just don't you don't know right like
[00:34:21] you're not aware yeah and i think
[00:34:24] something that we often miss is like
[00:34:26] how do you know if your your internal
[00:34:29] process is mature or is maturing um if
[00:34:33] you don't have something to compare it
[00:34:34] to like some sort of a set of
[00:34:35] standard something that's recognized in
[00:34:36] the industry because i'm pretty sure
[00:34:38] that we're not you know individually in
[00:34:40] our own little bubbles gonna know what's
[00:34:44] best in class or the right vendor for my
[00:34:46] sized organization and into the Matt Lee
[00:34:49] Matt Lee and i um we're probably
[00:34:52] collaborating two three times a week
[00:34:54] sometimes and you know the thing you
[00:34:56] mentioned like that he's working on i
[00:34:58] think is a big deal the taxonomy of
[00:35:00] CIS safeguards for vendors and
[00:35:03] obviously there's going to be some
[00:35:04] tie-ins pretty clearly tie-ins with
[00:35:06] regards to what we will see as the
[00:35:08] profile for the trust mark um you know
[00:35:10] facilitate validate partially meet or
[00:35:13] fully meet a safeguard uh our you know
[00:35:16] msp is supposed to make decisions when
[00:35:18] a vendor says yeah our product satisfies
[00:35:21] control seven you're like cool awesome
[00:35:23] check the box right and then you find
[00:35:25] out that even if it's implemented
[00:35:26] perfectly it was actually only three
[00:35:29] safeguards in control seven now you've
[00:35:31] got gaps that you didn't know about
[00:35:32] because you didn't understand what was
[00:35:34] being shared with you and so i think
[00:35:36] this is an industry learning process
[00:35:38] that's going to raise the bar and what
[00:35:40] is happening from a security standpoint
[00:35:42] as we implement tools and services that
[00:35:44] previously were based on largely
[00:35:46] whatever marketing says marketing says
[00:35:50] a lot right still still wondering
[00:35:52] where that single pane of glass thing
[00:35:54] was oh yeah right never happened and
[00:35:58] if it is single pane it's probably a
[00:35:59] stained glass window never happened
[00:36:02] there were a lot of things i just
[00:36:04] don't think it ever was delivered i
[00:36:05] digress yes um your session that you
[00:36:08] did at community minds let's talk about
[00:36:10] that a little bit because i think it was
[00:36:12] was fun i you know like other than the
[00:36:13] donuts i think i think donuts aren't
[00:36:16] fun i i i love donuts i said put the
[00:36:19] doughnuts aside for a second yeah fun
[00:36:21] without doughnuts yeah yeah don't don't
[00:36:23] just add to the fun uh so it's
[00:36:28] interesting this is the first time i
[00:36:29] had done this approach to secure you
[00:36:33] know defining your security stack
[00:36:35] it's something that matt and i have done
[00:36:37] quite a few times both together and
[00:36:38] separately like how to dissect and
[00:36:40] implement what is being told to you in
[00:36:43] a control and obviously we use the CIS
[00:36:45] top 18 which translates very same as it
[00:36:48] would be in the trust mark and i had
[00:36:50] some i had some great feedback i had
[00:36:52] one uh criticism that i thought was i
[00:36:55] i've like duh just assuming that they
[00:36:58] would know what the cis top 18 was
[00:37:01] and we just kind of jumped in and started
[00:37:03] you know talking about security stacks
[00:37:04] and how to align it with these controls
[00:37:06] and safeguards and that someone had
[00:37:09] never seen before the idea is instead of
[00:37:13] buying security tools and services for
[00:37:16] your organization whether it's for
[00:37:17] internal
[00:37:18] posture or things that you need to do
[00:37:20] with your clients the idea here is
[00:37:23] let the framework be what you're
[00:37:26] aligning to let it let it tell you
[00:37:28] where your gaps are let it tell you
[00:37:31] where your risks might live and then
[00:37:33] make decisions for what tools and
[00:37:35] services you're going to subscribe to
[00:37:38] based on that rather than i went to a
[00:37:40] trade show and vendor X told me i
[00:37:42] needed their product to solve a gap that
[00:37:44] i don't understand have never run into
[00:37:47] it before and i'm not sure if i
[00:37:49] implement it perfectly that it actually
[00:37:51] changes any risks for me even if it
[00:37:53] might change risks for my client
[00:37:55] because i've not applied a gap analysis
[00:37:58] to this and then find out oh wait
[00:38:01] three of the products you've already
[00:38:02] implemented actually cover that gap
[00:38:05] and so we talk about things like how
[00:38:07] often do you review vendors that are in
[00:38:10] your stack how often do you look at the
[00:38:12] roadmaps that they may have that find
[00:38:14] out like
[00:38:15] i've been looking for this one thing
[00:38:17] to solve a problem in my security
[00:38:18] stack
[00:38:19] only to find out that one of the
[00:38:21] vendors i use implemented that six
[00:38:22] months ago
[00:38:25] and then it's the best you know what's
[00:38:26] best for me
[00:38:27] so i had to i said this several times
[00:38:31] just because it's not the best in class
[00:38:32] security product or service
[00:38:34] doesn't mean it's not the best product
[00:38:36] or service for your organization
[00:38:38] okay can be better than nothing at all
[00:38:41] and what you're doing even if you
[00:38:42] still have gaps
[00:38:43] might be all that your organization
[00:38:45] is capable of taking on today
[00:38:48] so that was kind of the messaging or
[00:38:50] the theme
[00:38:51] um we had a packed house on day one
[00:38:53] um and i was it was really um for
[00:38:56] me i felt like i was learning
[00:38:59] with everybody in the room there was a
[00:39:00] lot of great feedback a lot of big
[00:39:02] questions that were more of a
[00:39:04] uh that question is going to merit
[00:39:06] that we kind of slow down and it's
[00:39:07] going to take us five or ten minutes
[00:39:09] to walk through that question and get
[00:39:11] a conversation going
[00:39:13] and then day two um we had we had
[00:39:16] donuts so that that drew that drew a
[00:39:18] little bit of a an audience
[00:39:20] temporarily kind of like we would at
[00:39:22] the circus
[00:39:23] go to the concessions
[00:39:24] um but we had a much smaller group
[00:39:26] on day two so i kind of shifted gears
[00:39:29] and we did it a little bit differently
[00:39:30] and we ended up with one msp asked some
[00:39:33] questions about
[00:39:34] their situation with one of their
[00:39:36] clients
[00:39:37] and navigating uh an immaturity in
[00:39:41] their client's environment
[00:39:42] and what would we do
[00:39:44] uh how would we address some of those
[00:39:46] challenges and and it grew into a
[00:39:48] pretty good conversation
[00:39:49] a little bit different obviously than
[00:39:50] day one
[00:39:51] uh and one of the things i think we
[00:39:53] heard
[00:39:53] on more than one
[00:39:55] outburst from those in the room was
[00:39:57] have you taken what you're telling us
[00:39:59] to
[00:40:00] Bradley Gross who is uh in the across the
[00:40:03] hall
[00:40:03] because i think and i'm no lawyer
[00:40:06] i've read a lot of john grisham novels
[00:40:07] but i'm no lawyer
[00:40:09] um i would tell you that i'm pretty
[00:40:10] confident
[00:40:11] what he would say
[00:40:13] and so we just kind of went through
[00:40:14] that
[00:40:15] and
[00:40:15] i think a lot of msp's deal with this
[00:40:17] particular msp's challenge and that is
[00:40:20] they're writing me a check every
[00:40:21] month
[00:40:21] and it's a pretty significant check
[00:40:24] and i have followed my attorney's
[00:40:26] advice of making sure that i'm
[00:40:29] giving them written notice
[00:40:30] i'm telling them that you've turned
[00:40:31] down certain services
[00:40:33] you know you're indemnifying me from
[00:40:34] something if it were to happen
[00:40:36] and i think it's a common practice
[00:40:39] however
[00:40:40] in the world of cyber security um
[00:40:43] that doesn't mean your insurance agrees
[00:40:44] with that
[00:40:45] it doesn't mean that your actual
[00:40:47] potential negland
[00:40:49] negligence or ignorance in that
[00:40:50] area
[00:40:51] isn't going to come back and bite you
[00:40:54] this is the United States of America
[00:40:56] and i can sue you because you blinked
[00:40:58] funny on a tuesday
[00:41:01] will insurance then protect me from
[00:41:04] that potentially frivolous lawsuit
[00:41:06] and i think if we said hey
[00:41:07] if i follow the standards of this
[00:41:10] framework
[00:41:10] if i can prove the trust mark or
[00:41:12] CIS or SOC 2 i could show something
[00:41:16] now you put yourself in a potential
[00:41:18] safe harbor situation
[00:41:19] where there is a little bit more
[00:41:21] protection
[00:41:22] and i think as this continues to move
[00:41:24] forward i think those are some of the
[00:41:25] things that msp's are really going to
[00:41:27] have to watch out for
[00:41:29] i mean a lot lot to unpack there
[00:41:32] bottom line is yes
[00:41:37] your customer suing you is one scenario
[00:41:40] right
[00:41:41] but remember your customer has an
[00:41:43] insurance company who can also sue
[00:41:45] you
[00:41:46] right
[00:41:46] your customer's customer
[00:41:48] because you're in the supply chain
[00:41:50] if that's what you want to call it
[00:41:52] the the the the path of data
[00:41:54] transparent yeah
[00:41:55] could come after you right
[00:41:58] and and and so there's that
[00:42:00] there's also hey you know like
[00:42:03] and we're seeing it now right
[00:42:05] your customers customers customer
[00:42:06] ends up being a three-letter
[00:42:08] three-letter thing right now all of
[00:42:09] us like well
[00:42:10] i didn't know that i have no idea what
[00:42:12] this is and it's like
[00:42:13] well no like
[00:42:14] you didn't have to know
[00:42:16] but you're still screwed
[00:42:17] right six degrees of Kevin Bacon
[00:42:19] is still we got to Kevin Bacon
[00:42:21] right so you know unfortunately
[00:42:24] the cya part of this
[00:42:26] is a lot more intricate
[00:42:28] yeah
[00:42:29] the team the t's and c's no matter
[00:42:32] how tightly they're dotted
[00:42:34] you know you hear this it's
[00:42:35] becoming more of a thing than ever
[00:42:37] before whistleblowers exist
[00:42:39] and they get a third of the penalties
[00:42:43] right so i just looking at that
[00:42:46] like you know an employee in your
[00:42:48] own organization could be the one
[00:42:49] that blows the whistle
[00:42:51] and you'll never know it was them
[00:42:52] other than they might quit because
[00:42:54] that settlement might have been 30
[00:42:56] percent big enough to i'm retired
[00:42:59] that i mean that's there
[00:43:01] i mean the other reality is
[00:43:03] you know i know matt brought it up
[00:43:05] last year like
[00:43:07] all right your insurance company
[00:43:08] initially paid out
[00:43:09] but three years later they came
[00:43:10] back and decided
[00:43:12] to change our minds
[00:43:13] yeah that's uh that's a very
[00:43:14] specific case i believe that was
[00:43:16] Travelers insurance i believe it
[00:43:17] actually happened in Chicago
[00:43:20] i think we're going to see more and
[00:43:21] more of those because i think
[00:43:23] you have to be able to show evidence
[00:43:26] to support that your implementation
[00:43:28] of what you said yes to in that
[00:43:29] insurance questionnaire
[00:43:32] has any water holds any water
[00:43:36] i i think if that is the beginning
[00:43:38] of what could be a tree behind it
[00:43:42] insurance companies basically saying
[00:43:43] hey we came to the conclusion
[00:43:45] after the fact that this wasn't
[00:43:48] actually true
[00:43:49] right and you know like all of a
[00:43:51] sudden what you thought was behind
[00:43:53] you and done deal
[00:43:55] there's no longer a done deal right
[00:43:56] and now now you're in jeopardy
[00:43:59] just kick the can down the road
[00:44:01] yeah and i don't want to tell
[00:44:02] anybody not to get insurance but
[00:44:03] if you look at it through the lens
[00:44:04] of most policies now state things
[00:44:06] like if it's a terrorist act
[00:44:09] you know cyber warfare where nation
[00:44:10] states involved we're not going to
[00:44:12] pay out you know when it comes
[00:44:14] to things like ransomware
[00:44:15] and you know data exfiltration
[00:44:18] you know how hard is it to prove
[00:44:20] that it's not a nation state
[00:44:22] so if there's any inkling that it
[00:44:25] looks that way
[00:44:26] you are starting to walk down this
[00:44:27] path real quick of an insurance
[00:44:29] going
[00:44:30] we're calling that nation state
[00:44:32] unless you can prove otherwise
[00:44:35] yeah it's difficult conversation
[00:44:37] when it is
[00:44:38] bits and pieces right
[00:44:41] and i would argue or or Brad Gross
[00:44:43] has argued i'm going to reference
[00:44:45] Mr. Gross
[00:44:46] um very expensive to bring somebody
[00:44:50] else out to validate what you're
[00:44:52] saying too
[00:44:53] yeah forensics forensics in the
[00:44:55] event of an incident
[00:44:57] can be extremely costly and is often
[00:45:00] i mean unless you've already engaged
[00:45:01] insurance you know insurance may not
[00:45:04] cover forensics or if they do cover
[00:45:06] forensics
[00:45:07] it's only for a certain amount of time
[00:45:09] or dollar value and you know seeing
[00:45:12] forensics experts you know
[00:45:13] they're they're cost to be in the
[00:45:16] room doing forensics you know is in
[00:45:18] the same ballpark of what a lot of
[00:45:20] attorneys are charging as an hourly
[00:45:22] rate so
[00:45:23] you know
[00:45:25] dotting our i's and crossing our
[00:45:27] t's uh very big deal
[00:45:30] fair there was somebody want i
[00:45:32] forget who mentioned it on one of
[00:45:33] the msp panels at community minds
[00:45:35] he said um oh i i know who it was
[00:45:39] i'm not going to say his name
[00:45:41] but we all know who he is
[00:45:42] you know mr scott
[00:45:44] he said i had an incident
[00:45:46] i engaged this insurance
[00:45:51] but the insurance's IR people came
[00:45:54] in because they have their own vendors
[00:45:55] right and what should have been the
[00:45:58] ability for me to flip the switch and
[00:46:00] go to my dr plan was paused
[00:46:02] right they wouldn't let me turn on the
[00:46:05] dr plan for a week
[00:46:07] right because they wanted us because
[00:46:09] then the evidence potentially is gone
[00:46:13] so they were like hey if you go to your
[00:46:14] backup system how do we know the
[00:46:15] backup system doesn't have the same
[00:46:17] compromise this is the production also
[00:46:18] true so basically they were like
[00:46:21] sorry you need to be on the sidewalk
[00:46:24] waiting for us to tell you can come
[00:46:25] back into the building until we're
[00:46:27] done
[00:46:27] like that was a week i mean business
[00:46:30] interruption which is a different
[00:46:31] insurance to itself like
[00:46:33] that's a lot of like you know most
[00:46:36] companies time and salaries are
[00:46:38] probably one of the biggest expenses
[00:46:40] if not the top top is probably top three
[00:46:42] right
[00:46:43] and after four days of not being able to
[00:46:45] do anything
[00:46:46] that are small businesses doors close
[00:46:49] and so so then there was like that
[00:46:51] morphed into another discussion of
[00:46:52] but your marketing says that you have
[00:46:55] a dr plan your contract says that
[00:46:57] there's a certain sla to the dr plan
[00:47:00] but effectively it's i didn't it's not
[00:47:02] that i wasn't prepared it's not that
[00:47:03] it wasn't ready
[00:47:04] yeah i was literally instructed to not
[00:47:06] turn it off
[00:47:08] so that's an interesting um scenario
[00:47:11] i don't think it's unique i think it's
[00:47:13] not i think it's not all that uncommon
[00:47:15] what what is interesting though and i've
[00:47:17] seen this before is if you have a
[00:47:19] cybersecurity insurance
[00:47:22] hopefully before you ever have to use
[00:47:24] them
[00:47:24] you've had some sit-downs with your
[00:47:26] insurance uh and kind of go through a
[00:47:28] tabletop exercise of saying
[00:47:30] if i were to use the b word or if
[00:47:33] we were to have an incident where i
[00:47:34] want to at least inform insurance
[00:47:37] what does that process look like are we
[00:47:39] working together
[00:47:40] are we on the same team together or is
[00:47:42] this a i have my team and you have your
[00:47:45] team neither one of those are wrong
[00:47:46] answers but if you don't know what the
[00:47:48] outcomes of the situations are going
[00:47:50] to look like
[00:47:51] you may be making your entire scenario
[00:47:53] worse as soon as the ir dr plan gets
[00:47:56] kicked in because you may be
[00:47:58] contradicting what the insurance is
[00:48:00] saying that they're going to do so
[00:48:02] scrutinize that policy make sure
[00:48:04] you're talking to the carrier
[00:48:07] these are these are no small tasks and
[00:48:11] they're they're you know time consuming
[00:48:13] but i think if you put the time in i
[00:48:16] think you'll find that the insurance
[00:48:17] companies are not the bad guys
[00:48:19] but they're going to do due diligence
[00:48:21] right i mean the reality is insurance
[00:48:23] carriers would not last if they never
[00:48:26] paid out claims
[00:48:27] so let's not give them reasons to
[00:48:29] not pay the claims that you may
[00:48:30] have to submit in the not too
[00:48:32] distant future
[00:48:33] yeah and like by the way you know
[00:48:36] while i'm hearing you say chris
[00:48:38] i would say more than the majority
[00:48:41] have not actually said hey let's go
[00:48:44] through some you know scenarios right
[00:48:48] if this happens what happens after if
[00:48:51] that happens what happens after and
[00:48:53] like they just review the policy
[00:48:56] but the execution of what happens
[00:48:59] because of the policy sure really
[00:49:01] over here
[00:49:02] yep the you know when you think about
[00:49:04] tabletop exercises you know it's really
[00:49:07] easy to all sit around a conference
[00:49:09] table and start talking scenarios and
[00:49:11] ask people to put their input like what
[00:49:13] would you do oh well i'd call george
[00:49:15] right um and some of those are are
[00:49:17] valid because it helps with the
[00:49:18] responsibility matrix it's not saying
[00:49:20] that those are bad things to do
[00:49:21] but a true tabletop exercise using
[00:49:24] scenarios that have happened in the
[00:49:26] real world to help make it a you
[00:49:28] know the real deal and say you know
[00:49:29] bring the ir plan the business
[00:49:32] continuity plan bring those to the table
[00:49:34] because we're going to use those as we
[00:49:36] go through this exercise and our goal
[00:49:39] is to find the holes in those plans
[00:49:42] so that we can after action fix them
[00:49:47] and i'll tell you this i mean and you
[00:49:49] know going back to our buddy Brad
[00:49:51] Gross like if a law enforcement
[00:49:53] agency comes in and it's like hey
[00:49:55] we're confiscating your equipment
[00:49:57] as evidence sure you may not get
[00:49:59] that back for a long time or ever
[00:50:03] so like in this case it could turn out
[00:50:05] to be that right right i mean i've seen
[00:50:08] some that aren't even necessarily that
[00:50:10] serious like where there was no way to
[00:50:14] confidently restore to the hardware
[00:50:16] because we were pretty confident that
[00:50:17] the hardware itself had been
[00:50:20] compromised like that the bios level
[00:50:22] hack had happened so you're like okay
[00:50:25] how do we get another hundred and
[00:50:27] twelve thousand dollar server in
[00:50:28] here in the next 72 hours it's not
[00:50:31] like we stock this in inventory or that
[00:50:32] anybody would have stocked those in
[00:50:34] inventory so i mean it doesn't
[00:50:36] necessarily even mean that the data
[00:50:38] can't be restored or that the assets
[00:50:40] being seized aren't rightly so
[00:50:44] what's the plan look like you know how
[00:50:46] do you operate in a what can you do
[00:50:48] to sort of limp along to get back to
[00:50:51] operational start playing through some
[00:50:54] strategies because i think the reality
[00:50:55] is bad things will happen to good
[00:50:58] people we know that we see it happening
[00:51:00] every day but we can minimize the
[00:51:03] damage done if we have plans in place
[00:51:07] and if you ask the questions upfront
[00:51:11] on the part that you don't control right
[00:51:13] once you're in the third party let's
[00:51:16] call it the short any whatever like you
[00:51:18] need to then go back and probably
[00:51:20] adjust what your verbiage of deliverables
[00:51:23] are right your right master services
[00:51:26] agreement your scope of work
[00:51:28] your committed timelines to what a DR
[00:51:31] event looks like because if you're
[00:51:34] even if the sentence is and again i'm
[00:51:36] not a lawyer but i play one on tv they
[00:51:38] tell me yeah you know like in the event
[00:51:42] a third party instructs us that we are
[00:51:44] unable to engage the DR strategy right
[00:51:49] you're not going to hold us responsible
[00:51:50] for missing the predefined SLA or the
[00:51:54] you know the timeline to restoration of
[00:51:56] your system well i think what you just
[00:51:58] highlighted is how many MSPs have looked
[00:52:01] at their SLAs that are client facing
[00:52:04] in the context of understanding that
[00:52:06] you may not be in control of meeting
[00:52:09] the SLA so what are the do you have
[00:52:12] contingencies or some sort of like
[00:52:14] this is the exception like if the
[00:52:16] following things are happening
[00:52:18] the SLA has a pause clause or whatever
[00:52:21] it might be so that you can effectively
[00:52:24] still do your job i mean the reality is
[00:52:26] no one wants to intentionally not meet an
[00:52:29] SLA so it kind of comes back to make
[00:52:31] sure you're not creating SLAs that
[00:52:33] you can't meet back to the whole you
[00:52:36] better be sure you can deliver the
[00:52:38] service marketing to your end customer
[00:52:41] and so like these are the gotchas right
[00:52:42] these are some of the things that i
[00:52:44] learned right as i was listening you
[00:52:46] know in the community minds crowd
[00:52:48] and i was just like you know that's
[00:52:50] it's a really good point right like
[00:52:51] there are going to be things outside of
[00:52:53] your control and when you use the
[00:52:55] insurance company as the example it's
[00:52:57] like but we exclude this situation
[00:53:00] this situation this situation and maybe
[00:53:02] this one too like are you also
[00:53:05] excluding the things that you
[00:53:08] effectively don't have control of and
[00:53:10] test it test the SLA i mean we see
[00:53:13] this all the time let's go buy EDR XDR
[00:53:15] fill in the blank r and
[00:53:18] i work eight to five what is the vendor
[00:53:20] work other 24/7/365 what does the client
[00:53:23] work oh they're really eight to three
[00:53:25] okay so what happens when the XDR
[00:53:28] vendor or whatever fill in the blank
[00:53:31] SIEM for service whatever says that's
[00:53:33] 2am who they calling are you gonna
[00:53:35] answer the phone i mean then what
[00:53:38] right like obviously an SLA's not back
[00:53:40] because i'm pretty confident that you
[00:53:42] promised that customer that 24/7/365
[00:53:46] monitoring because you implemented
[00:53:48] fill in the blank vendor that provides
[00:53:50] that service who are they calling
[00:53:53] that these are simple questions that
[00:53:56] sometimes don't get answered in the
[00:53:58] best way until after problem happens
[00:54:01] right so so if you're listening
[00:54:04] if you're watching or listening to this
[00:54:05] episode i want you to like we
[00:54:09] touch on like seven themes in this
[00:54:11] in this one hour session here but
[00:54:14] point here is none of the things we
[00:54:17] talked about had anything to do about
[00:54:19] vendor specific specific stuff right
[00:54:21] we're talking about the problem the
[00:54:24] issue the result hey the experiences
[00:54:29] that others people or had already gone
[00:54:32] through that haven't maybe gotten to you
[00:54:34] yet but they're real world right they
[00:54:36] happen and so i don't know i know i'm
[00:54:40] still you know mr. filly old school
[00:54:42] over here in the northeast but like i
[00:54:44] learn best when i hear somebody else
[00:54:46] who's effectively in the same position
[00:54:48] i'm in had gone through something i'm
[00:54:50] like oh that that's not that's not
[00:54:53] conceptual that that happened right
[00:54:55] right so that's the type of that's the
[00:54:58] type of learning that i really enjoy
[00:54:59] and that's what uh that's what i
[00:55:02] appreciate again you chris for you
[00:55:04] know coming in and going through what
[00:55:06] you went through and some of the
[00:55:07] other people right like if we have
[00:55:10] more of that sure i think everybody's
[00:55:14] health and quite frankly i saw some of
[00:55:17] the cosponsoring vendors of community
[00:55:18] minds who by the way like twisted my
[00:55:21] arm to give them tables you know like
[00:55:23] not even full day but just table tops
[00:55:25] um they were in the room they were in
[00:55:29] the room they were and participating
[00:55:31] any information yep i was actually
[00:55:34] really impressed with that because
[00:55:36] you see it a lot of events you know
[00:55:37] as vendors and even even CompTIA
[00:55:39] we're not a vendor per se but like we
[00:55:41] have a booth depending on the event and
[00:55:44] you know one of the things that i was
[00:55:45] encouraged to do coming up with beyond
[00:55:47] i don't know right now what my level
[00:55:49] of involvement will be but like one of
[00:55:51] the things that was said to me is like
[00:55:53] for all of us it would be beneficial if
[00:55:55] you just participated as an attendee
[00:55:58] and just look at what kind of real
[00:56:01] what things are right what things need
[00:56:03] to be adjusted are you seeing things
[00:56:05] that we missed and i'm like
[00:56:07] i i can do more of that like it's not
[00:56:10] very often that you speak more than 45
[00:56:12] minutes at an event that's running two or
[00:56:14] three days so you know stay engaged right
[00:56:17] i think that goes for everybody don't
[00:56:19] let if you're at an event and you're
[00:56:21] there as a speaker don't let the event
[00:56:23] pass you by because you have too many
[00:56:26] other things and i think MSP community
[00:56:29] minds was a perfect example of that
[00:56:30] because there's no agenda like what
[00:56:32] you see at some of the vendor
[00:56:33] hosted events right like where they
[00:56:35] you know come to the to the keynote where
[00:56:38] we're going to tell you about the new
[00:56:41] fill-in-the-blank 365 or whatever it might
[00:56:43] be right like and not that those are
[00:56:45] wrong but like again if you're not
[00:56:48] absorbing when those education sessions
[00:56:50] come along
[00:56:51] um you might miss something i agree
[00:56:55] thank you thank you thank you i hope
[00:56:57] you
[00:56:57] you know i know we're we're looking at
[00:56:59] the end of september hopefully you're
[00:57:00] available love to have you back again
[00:57:02] for community minds in Denver
[00:57:04] guys even if it's not this event specifically
[00:57:07] there are a lot of learning opportunities
[00:57:10] out there right and like i i challenge
[00:57:13] everyone to go through the calendar
[00:57:17] and pick things out that aren't the
[00:57:20] same things that you've done for years
[00:57:22] and years and years and years that like
[00:57:23] i get it i love the networking part
[00:57:25] too i love meeting up with the
[00:57:26] you know people and catching up and
[00:57:28] seeing what's happening and we all love
[00:57:30] that part of every event but
[00:57:32] there is something to take away if you
[00:57:35] yeah if you're looking for it is there
[00:57:38] right and maybe go with a plan like i
[00:57:41] you know i was looking at Pax8 Beyond
[00:57:42] said Denver that popped into my head so
[00:57:44] that's coming up in a few weeks i know
[00:57:46] there's going to be a lot of education
[00:57:48] i mean they call it academy for a
[00:57:49] reason
[00:57:50] um we've got ChannelCon coming up at
[00:57:53] the end of july which will be in
[00:57:54] Atlanta and i know very definitively
[00:57:58] that there's going to be solely
[00:57:59] focused on educational tracks and
[00:58:01] cyber security and other
[00:58:03] um domains uh and then right around the
[00:58:06] corner after that would be community
[00:58:08] minds all over again
[00:58:10] there is good learning moments that do
[00:58:15] not require you to swipe a credit card
[00:58:17] to buy something at the end i promise
[00:58:18] you exactly learn from the people
[00:58:21] around you there's and by the way for
[00:58:24] the people out there that still think
[00:58:25] everybody's your competitor i know
[00:58:26] there's people out there that do this
[00:58:28] i've been saying it for years castle
[00:58:29] mentality with the moat and the
[00:58:31] drawbridge right alligators it's there
[00:58:34] is a completely different situation
[00:58:37] out there where people are actually
[00:58:38] sharing
[00:58:39] right like you know it doesn't have to be
[00:58:41] that way so if you're open to it
[00:58:44] there's something for sure for sure so
[00:58:46] chris how do people find you online
[00:58:50] other than googling CompTIA trustmark
[00:58:53] monlinton um i think it says MSP 1337
[00:58:57] is in my tagline uh i do a podcast
[00:59:01] a lot like what you're doing where i
[00:59:02] interview people around cyber security
[00:59:05] tracks uh that's probably really the
[00:59:08] social platform that i i'm actively on
[00:59:10] so i'll just say LinkedIn and then
[00:59:12] c johnson at comptia.org you can get a
[00:59:15] hold me there um and hope to see you at
[00:59:17] uh an upcoming event uh let's see when
[00:59:20] next one is cyber security summit in
[00:59:22] denver next friday got it well
[00:59:25] definitely probably see you at beyond
[00:59:27] that there i know i will be and
[00:59:29] we'll be at beyond we'll definitely
[00:59:31] talk some more uh on some of these
[00:59:33] themes guys this session absolutely
[00:59:35] recorded we'll post it later on today
[00:59:37] and all the feeds um rewind it you know
[00:59:42] take the pieces out here that are
[00:59:43] helpful for you you know everybody who
[00:59:45] always comes on here is like hey if
[00:59:46] you want to reach out to me i'm
[00:59:47] you know happy to happy to help right
[00:59:49] like that's absolutely port mentality
[00:59:52] take advantage of that i don't know
[00:59:54] how else to say that like you do
[00:59:56] yourself a disservice by not you
[00:59:57] know using the resources in the sandbox
[00:59:59] they're there for you it's community
[01:00:01] minds for a reason exactly right and so
[01:00:04] pay you know we'll be talking about
[01:00:06] dates for september for community minds
[01:00:07] if not again we're going to look forward
[01:00:09] to seeing people in person at uh beyond
[01:00:11] if you're not going to be at Pax8
[01:00:12] Beyond in Denver you know apparently
[01:00:14] you know again our airplane uh
[01:00:16] travels will be over in DattoCon
[01:00:18] doubling as well there's a bunch of
[01:00:20] other events in between then and then
[01:00:21] to the year that we'll be working
[01:00:22] with as well so stay tuned first thank
[01:00:24] you thank you thank you thank you again
[01:00:26] for your time really appreciate it and
[01:00:28] for everyone else catch on the next one
[01:00:30] thanks cheers guys

