🎙️ SPEAKER Jason Maricchiolo
📍 WHERE TO FIND HIM LinkedIn: https://www.linkedin.com/in/jmaricchiolo/ Website: https://iso365.com.au/
📌WHAT IS THE MSP INITIATIVE? The MSP Initiative was developed with one goal in mind: education for the IT & MSP Channel. We are bringing together some of the best industry minds from all over the planet to help you learn relevant and helpful tips and tricks you need to take your business to the next level! Every Tuesday and Thursday at 1:00 PM ET, we will have great IT Channel members and experts discussing relevant topics to your business. We hope to have these great members from diverse backgrounds and areas of expertise help everyone through some new and changing times. Register once and join us every week! There will be time reserved at the end of each session for a Q&A, giving you the opportunity to ask real questions you need answers to for your business.
📝 VISIT THE WEBSITE BELOW TO REGISTER tinyurl.com/y749r79u
📱 WHERE TO FIND US Facebook: @mspInitiative LinkedIn: @mspinitiative Twitter: @mspinitiative Website: mspinitiative.com
[00:00:01] Hello ladies and gentlemen, welcome to a September 12th edition of the MSP Initiative MSP Talk
[00:00:10] slightly off our normal schedule, but not too far off and
[00:00:13] let's get into the housekeeping and then we'll get into the good stuff like we usually do. So if you follow these podcasts
[00:00:20] you know MSPinitiative.com. If not,
[00:00:23] figure out how to spell "initiative" and the rest is pretty easy: MSPinitiative.com.
[00:00:28] This session, for example, is recorded and you will find it under the sessions page of MSPinitiative.com.
[00:00:32] We have all these sessions going back to March of 2020, believe it or not
[00:00:37] they're in podcast, video, YouTube format basically pick what fits you best and like subscribe, download share
[00:00:44] all that good stuff, you know what to do.
[00:00:47] We have our
[00:00:48] educational in-person event happening again in Denver
[00:00:53] coming up here in two weeks, September 25th and 26th. So our agenda is posted day one and day two
[00:00:59] we have panels in the morning and workshops in the afternoon. You'll see four MSP panels with multiple MSP
[00:01:07] business owners that I think you would want to hear from people who have been in the trench and know a few things that
[00:01:13] work and don't work so why not learn from the people who have done it? And then we have
[00:01:18] specialists and
[00:01:20] workshop holders that will be doing more than a
[00:01:23] 45 minute death by PowerPoint with a credit card swipe at the end because you know, we want to charge you to learn more. Now these are absolutely
[00:01:29] covered. We've got all these experts in the new workshops two hours at a time. You can switch in between they're running twice
[00:01:36] multiple topics across the industry. By the way, this event is totally free for an MSP to register and join
[00:01:42] there is no $299, $999, $1299 registration fee. It is free.
[00:01:47] You do have to get there. And so time and a little bit of travel is what it will cost you to benefit from two days of what we feel is really good educational content. So take advantage while you can.
[00:02:00] I think it would be worth your while. Then we have the MSP block parties, what we're pretty well known for. There are four left between now and the end of the year. So pay close attention. If you're headed to Pax8 Beyond in Berlin, Germany, that's right, right after Oktoberfest, because if you didn't
[00:02:17] know, Oktoberfest ends in September in Germany, but we're holding a beer theme. We'll be doing our block party in Berlin on October 14th, which is the second night of the Pax8 Beyond Berlin event, at 9pm. Yes, we are transporting everyone there. You will absolutely love this venue. It holds to the beer brewery theme. This place is absolutely awesome. So we're looking forward to
[00:02:39] connecting with you there. Then we turn around, we burn some more airline miles and we head to Miami. If you're headed to DattoCon Miami, we'll be holding a block party on the second night of DattoCon Miami at the Fontainebleau at LIV nightclub, which is on property, on October 29th at 9:30pm. No transportation required because you can literally just walk into the lobby and it will be right in front of you.
[00:03:03] Again, join us there in Miami on South Beach. Then we have the big one, IT Nation Connect in Orlando. Two years ago, All-American Rejects; last year, Better Than Ezra, Sugar Ray and Tonic. This year, we're happy to announce that we are bringing you Flo Rida. That's right, get your Apple Bottom jeans and the boots with the fur out. We are having a special performance by Flo Rida himself. Don't miss it.
[00:03:30] Once again, absolutely 100% free for an MSP to join us. These are literally designed for you. Take advantage. How often do you get free concerts? I don't know. Maybe not often. And then we close out the year at DattoCon Sydney. So if you're headed to, you know, the great Darling Harbour on November 12th, which is the second night of DattoCon Sydney, we'll be right down the street from the conference hotel at 8:30pm until close.
[00:04:00] So all of these block parties are designed to be absolutely great networking events. Food and beverage are covered, a little bit of entertainment or a lot of entertainment if you like Flo Rida. So definitely join us and register ahead of time so you do not get stuck standing in line.
[00:04:15] Then we have some MSP community offers from vendors from around the industry. If you can take advantage, feel free to do so. And then the industry calendar that goes until the end of the year, which quite frankly we are in what we like to call here at MSP Initiative, the Gauntlet.
[00:04:29] Because all of these events that are very large happen in like a 60, let's call it 90 day window and you can definitely burn some travel time in between that window. So there's all the housekeeping, MSPinitiative.com, it's all there for you.
[00:04:48] All the questions are answered. All the ways to register are there. Please, please, please take advantage.
[00:04:54] Awesome. So now that all of that is out of the way, we get on to our guest, first time on the show, Jason from ISO 365. And you know, if you wonder why we are, for the people who do catch this live, doing this an hour later than normal,
[00:05:10] we're trying to accommodate our friends from Down Under. Jason is in the great country of Australia. How are you doing today, Jason?
[00:05:18] Yeah, going good, George. Thank you very much. It is 4am, or just past 4am, this morning. So it was a bit of an early wake-up, but thanks for accommodating the time zone.
[00:05:30] Absolutely. Well, hey, you know if you ask Jen who is a Starbucks person like almost everybody on this side of the ocean, she's more than happy to suggest some good coffee for you.
[00:05:41] Absolutely.
[00:05:43] Thanks for getting up early.
[00:05:44] No, Jason, you know, anytime I have somebody net new on the show, I obviously want them to learn a little bit about you, the person. Like, how did you get into technology land? What does your journey look like?
[00:05:56] And then we can talk about your company and see where we go.
[00:05:59] Yeah, nice. So my story is, it's not very exciting, to be honest. I've been on the managed services side myself for the last 15 or so years, and my whole career has always been in an operations seat.
[00:06:13] So I've always worn that operations manager hat of some sort. Most recently I came out of an MSP last year called First Focus down in Australia.
[00:06:25] And I decided, about a year and a half ago or just under that, I was going to leave the MSP side of the fence and jump over to, call it vendor land if you like.
[00:06:36] But I decided that I wanted to do something a little bit different, but I still wanted to be helping MSPs primarily.
[00:06:44] So that's where ISO 365 kind of came from. And that's why we're working with a bunch of MSPs now.
[00:06:51] That's awesome. Well, you know what? As somebody who feels the pain, right? I definitely live the MSP life for a long, long time.
[00:07:02] The nighttime calls, the weekend and holiday calls, the underneath the desk wiring, you know, all that stuff.
[00:07:08] I plugged my record in the wrong port somehow on my computer. I don't understand how that's even possible.
[00:07:14] I hear you and I feel you. And you know what? I feel like there's definitely something to be said for somebody that understands that part of it, right?
[00:07:24] Like, if you come from the other side, right? There's a lot of people who come into this sandbox called the MSP sandbox who come from other industries
[00:07:32] and they just hear about things but they never lived that part of it.
[00:07:36] And I think that, unfortunately, a lot of the people who make decisions are the people who haven't lived it either, right?
[00:07:43] So they build things, companies, programs, and they're like, oh, it should work.
[00:07:48] And it's like, no, you're coming from a whole different life, my friends.
[00:07:52] Like especially corporate, you know, the corporate world where like, you know, all the stuff that we all griped about at all the user groups
[00:08:01] and conferences I ever went to were like, man, why are these people just so against helping themselves?
[00:08:06] I feel like I'm constantly fighting. You know, like it's almost like, hey, you should not do, you know, drive without a spare tire.
[00:08:14] Nope, I don't want a spare tire. No reason for the spare tire.
[00:08:16] It's like, so then what happens when you break down in the middle of nowhere? Oh, it's never going to happen.
[00:08:21] You know, like that's a pipe dream. And it's like, okay.
[00:08:24] Yeah, no, it definitely helps having, you know, spent a long or majority of my career on the other side and yeah, doing some good things now, which is great.
[00:08:33] But yeah, you're 100% right. Yeah, when the decisions are being made, not necessarily by those that have lived and breathed, it's sometimes hard.
[00:08:41] 100%. And you know what? I've traveled the world many a time and I find that the problems that challenge, you know, the US or Canada challenge the people in Australia and New Zealand challenge people in Europe.
[00:08:52] Like, it might be little wrinkles, don't get me wrong. But they are technology problems in a lot of cases and they are the same.
[00:09:00] So I find it funny where people are like, oh, it's not how it works down here. And it's like, okay, tell me what's so different.
[00:09:08] But yeah, that's just me bantering a little bit.
[00:09:11] So tell us about ISO 365. Why and how?
[00:09:16] Why and how. All right, cool. So, very simple for me. When I had left, I decided that I wanted to start this company, ISO 365, with the primary intent or purpose to help managed service providers get ISO 27001 certified.
[00:09:32] So that's the information security management system. For those that haven't heard of it, it's a global infosec standard. And everyone always asks me, why so niche, right? Like, you've got NIST and you've got CIS controls and down here you've got the Essential Eight and all these different things.
[00:09:49] And I kind of said, there's a bit of power in doing one thing and doing it really well. And to be honest, it's the one thing that I know, especially down here in Australia, that many MSPs need to get but don't have the facilities or the resources in order to do it.
[00:10:09] So I decided that I was going to start this company with the managed service model in mind. And I basically decided I was going to do ISO as a service, right? So a set monthly fee over a set period of time: let's get this done, let's get you uplifted, let's get you certified.
[00:10:28] And I help all of my MSPs all the way through to the end of the process, including sitting on their audits with them and helping them through. So it's really that boutique but really hands-on experience when trying to get ISO certified.
[00:10:47] So, I'm curious because I mean I'm sure word of this makes it down there but like, there's a lot of bluster and talk about MSPs and regulation and laws and like yeah we laugh you know, we laugh about it but it's like, hey if you want to be a hairdresser and work in a salon, you need to get a license from the government.
[00:11:07] Yeah, yeah.
[00:11:09] There is no license to be an IT services company or managed services company anywhere in the United States, and that's all 50 states and territories.
[00:11:18] And so, is there some sort of legal or government requirement to have ISO 27001? Like, why do they need it?
[00:11:28] Yeah, why? Well, let me tell you what's happening down here. So we're in the exact same boat as you are, right? There is no formal kind of compliance framework or anything like that.
[00:11:37] So if there's anything being pushed down, there's, you know, all the governments want each of the countries to be as cyber safe as possible and cyber secure as possible, and all of these great initiatives, but there's all of these different standards out there that are all great, don't get me wrong.
[00:11:55] It's never ISO 27001 or NIST or this or that; it's always an "and", right?
[00:12:02] The reason I aligned with 27001 is because it is a global standard and it doesn't matter what controls you're using underneath, whether it's NIST or CIS or whatever.
[00:12:14] You can put a nice umbrella over the top, which is this ISO 27001 certification, and you can actually end up with a certificate that you can provide your clients to say, hey, we've opened our doors to auditors, right? Yeah, under the hood it's NIST or it's
[00:12:42] a trust that has our business name and our scope statement of who we are and what we do.
[00:12:47] And it just helps to sell, right? It helps to sell and it helps to prove, or elevate I should say, that next to your competitor down the road, you've actually gone and invested in this stuff and see value in being able to provide your clients with a certificate of some sort to say, hey, we've been externally audited and we passed.
[00:13:12] So, okay, that's fair. And one could argue the other side of the argument, which is like, hey, the lawyer down the street that I want to sell IT services to may have no clue what ISO 27001 is, and they have to Google it, right, to figure out exactly what it does, and like, yeah,
[00:13:32] I don't know why the certificate even matters, right? Yeah, so, number one,
[00:13:38] when you say it helps kind of validate you, I would love to hear from your perspective how that conversation goes with your end customer, or prospective customer, when it comes to this. And then
[00:13:49] the next question that logically comes to mind is, what does this even look like? Like, what is the process? Yeah, yeah, nice. So two parts of that question. I'll try to remember both at 4am.
[00:14:01] But the first thing is that down here, at least, the end client generally knows what it is. The higher end they are, or the closer to government-agency style, they already know what it is. It's almost their benchmark, or ticket to play, if you will, right?
[00:14:21] So if there's a tender that's being released from a government agency, it's generally, in Australia, going to have: do you have an information security framework? Which in this case they're referring to 27001.
[00:14:33] And then the next question will be, is it a certified framework, right? Do you have an external certificate? It's kind of their ticket to play. So I totally get you: if your client has no idea what it is, it's going to be a hard sell to give them a nice piece of paper that probably cost you a lot of money and say, hey, look how good we are,
[00:14:50] and they go, well, I don't even know what this is, right? There's got to be an understanding there on the client side. And it's generally a certain level of client that you're probably dealing with or you already have in your client base.
[00:15:02] And I generally always say to an MSP just look at your largest client. And if you think that they could be on this route, that's where you should start right because nobody can afford to lose their largest client.
[00:15:15] If it's, you know, if it's one of your, your, your lower level clients whatever and you can afford to lose them if you don't have this certification then that's a decision you can make.
[00:15:24] But otherwise, it does need to be known on the other end.
[00:15:27] And what does that.
[00:15:29] Yeah, I'll pause you for a second. Like, you know, over here from a government standpoint, the federal government, which is the largest employer in this country.
[00:15:39] You know, like CMMC, right, is the one that comes up. It's what you're supposed to do if you're selling to the government, specifically the Defense Department agencies, and it's starting to trickle into other areas.
[00:15:51] I'm like, here's the problem. Most MSPs are like, I don't even deal with the government. I don't want to deal with the government. It's too much red tape. I'm not big enough.
[00:15:59] Yada yada yada. Of course, you know, the other side of the argument is, well, you may not, but your larger customers who are in the supply chain somewhere are going to end up having to deal with that, and if you can't play ball, then they have to find somebody else who can, and that's where you get hurt downstream.
[00:16:16] Right. So it's a similar conversation here, except there is no CMMC, you know, Australia edition, right? They're just saying, hey, there's a lot of frameworks out there. We're not going to dictate to you at the moment which one we want you to do, but you need to
[00:16:32] Yeah, tick certain boxes in order to at least even put your name in.
[00:16:36] Of course, of course. And yeah, you raise a great point as well, because the higher up you get into government, even here, it changes yet again, right? So 27001 isn't, you know, it's not the top. It's that ticket to play down here, and it's starting to become that anyway, so
[00:16:54] Yeah, definitely valid there and and I think the second question you had for me if I'm remembering correctly was what is this thing actually look like.
[00:17:01] All right, I pick up the phone I call Jason like Jason.
[00:17:04] I want to do this. I'm ready. I'm ready to have a conversation about this. How much and like what do I need what is this process at a high level actually look like because like there's only so many hours in the day and I like my beach time.
[00:17:17] Of course, and everyone does, right? So what it looks like, basically: ISO 27001 at its core is an information security framework.
[00:17:26] It's about having the right policies and procedures in place to govern your MSP, right? So we're talking, at a very high level, acceptable use policies, privacy policies, network security policies, mobile device policies,
[00:17:40] HR security policies, all of the policies that you probably don't have, or you might have one or two but not 20 or 30, I should say.
[00:17:50] And that is what the framework is kind of dictating what you should have as best practice, and then you go into things like having formal risk registers and these things called corrective action registers, which is an ISO term; it's basically a root cause analysis, right?
[00:18:06] So there's all these. It basically helps you build this framework that helps you really stabilize the business. It has a list of controls, 93 controls, at the back of the standard, and those 93 controls are made up of four different sections. You've got organizational-type controls, which are like procedures
[00:18:25] and policies and things like that. You've got physical controls of your actual building. You've got people controls of your people, which is generally where a lot of people fall down.
[00:18:35] You know, they might not even have an onboarding or, more importantly, an offboarding checklist when people leave their business. It's that kind of stuff. And then finally you've got the fancy stuff, which is the technological controls, which is what all the MSPs love to focus on, but it is just, you know, not a very small
[00:18:51] subsection, but it is just a subsection of the standard. So in practice that's what it looks like. It's a framework, it's policies, it's procedures, it's registers, it's all sorts of things, and you tie it all together.
[00:19:06] And basically you get that externally looked at by a certification body. They come in and they then check evidence against your policies that say, hey, we do this, and then they go, okay, now show me, right? And that's where that validation comes in.
[00:19:20] Now, 93 controls, man, 90-something. I'm going to be honest with you, as somebody who again has been in the trench a lot in MSP land.
[00:19:31] I don't think as a service provider we're asking, I mean, your thing's all-encompassing, I get that, but the parts of the 93 that technology crosses over with, it's probably a large portion of it.
[00:19:46] I'm sure that, I mean, it's done as an MSP. When you go, you said, hey, as a company there should be onboarding and offboarding for employees. Okay, as an MSP you need to onboard and offboard your end customer.
[00:19:59] Like, if I were to ask 10 MSPs randomly at any event that I ever walked into, hey, when you onboard your end customer, do you ask them for their mobile device policy?
[00:20:09] I don't think that they know. It's more about you having it for yourself, right? So your business needs it, and so you're building it to certify your company.
[00:20:22] But I'm just saying the average company probably hasn't even had this discussion at all.
[00:20:28] No, no, absolutely not, and it scares a lot of people. And it is scary when you're throwing 93 controls at them and they go, well, how do I even start? The beauty with this, I suppose, for a lot of MSPs is, inadvertently, with the technology that they have in their business,
[00:20:43] they do tick off a lot of the technical controls. They're probably not 100% configured in a way that's going to tick off even more controls, but the underlying spend is already there, you know why? Because they're already doing it for their customers.
[00:20:56] The biggest problem that I see is that MSPs don't treat themselves sometimes as their own customer.
[00:21:05] Right, that solves a lot of problems.
[00:21:08] It solves a lot of problems if they were to treat themselves the way they treat their customers. Like, the mechanic always has the worst car, right? This isn't new, but it's now starting to show signs in our land.
[00:21:21] Hmm, that, number one, is so true. Absolutely 1000% true. Like, the MSP's first customer should be themselves.
[00:21:30] You know like that's number one.
[00:21:32] Number two like.
[00:21:35] So let me just ask you a realistic question, right? Like, I get I'm trying to protect my larger or largest customers by making sure I do this so that I don't get caught by surprise, have no time and get the rug pulled out from underneath me, which, by the way,
[00:21:48] how long does this normally take, like on average? Yeah, we work to about an average of six months. Call it six months, that's what we work to.
[00:21:57] So using that, right, if your customer comes by and says, hey, by the way, you know, we're going after this government contract, you have to have this, this and this, like, you may not have six months to just flip that switch, right? So let's put that on the table. This is where you lose customers, right? Because you just don't have the time to turn it around, right?
[00:22:15] That's number one but number two like.
[00:22:19] What if that larger customer also needs help doing exactly this, like I assume this just happens in the course of business.
[00:22:29] Yeah, absolutely. It is about, like you said earlier, that supply chain, you know, that whole chain of command or that whole chain that you're working with. You know, you are a supplier and you're probably one of the biggest suppliers in regards to information.
[00:22:43] If a client wants you to do this for yourself, they're probably giving you a bit of a nudge: hey, let's get this done. You know, you hit the nail on the head.
[00:22:53] Every MSP that I speak to that goes, oh, we don't need it, I go, and that's fair. Right now you're in front of the train. But the moment that somebody says, hey, we actually need you to do this because we can't get cyber insurance anymore, or we need to be able to tick this box to reduce our premium, or whatever it is,
[00:23:12] you're now behind the train, right? And I suppose you lose that in a heartbeat. You can't make up that time, unless you've got a really good customer that's going to give you heaps of time to do it.
[00:23:24] So yeah, you're 100% right with the timeframe perspective, and then your client may want support to do it themselves as well, and that's where, you know, our services again come in and we partner with the MSP, because, hey, we don't do the technical control implementation. That's what the MSP does.
[00:23:40] So when we go in and we partner with a client that is not an MSP, we work really closely with the MSP and say, hey, see all of this boring admin stuff? That's what I'm going to do. And see all this fun tech stuff that you love doing?
[00:23:53] I need you to go and do all of that. Here's a nice register for you to go off and go bang, bang, bang; we need all of these things done for your client.
[00:24:02] Okay.
[00:24:03] So, Jason, you've kind of made a bet.
[00:24:09] You've really made a wager with everyone.
[00:24:12] Yeah, that this is the standard that works for the foreseeable future, right? Like, there is a world,
[00:24:20] I'm trying to play devil's advocate a little bit, but it's a fair question.
[00:24:23] There is a world where some bureaucrat somewhere in the government says, yeah, I am going to go SOC 2 as the compliance thing.
[00:24:31] So, like, now what? Now what?
[00:24:34] And it's a very good point and something I contemplate and deal with every day.
[00:24:40] That could happen right and if it does then so be it as a business owner it's my job to pivot and make sure that I am ahead of the game.
[00:24:49] A lot of people see what I do as risky.
[00:24:52] What you need to understand is, take the name away, right? Take ISO 27001 itself away. What we do is an underlying framework with all of the policies, the risk registers and all of that.
[00:25:05] It doesn't matter what standard you're looking at; they're all calling for the same thing, right? ISO 27001 has been around in its current form for about 10 to 11 years, based on the 2013 version, but the standard itself has been around for over 30 years.
[00:25:23] When we used to stamp documents with the red "confidential" stamp.
[00:25:27] That was the, I don't even remember the old number, but that's where it came from, right? So information security as an ISO standard and a global standard has been around for a lot longer than I have.
[00:25:39] Right.
[00:25:39] And so when we're talking about letters and numbers and calling things, you know, certain things.
[00:25:45] Yes, I have taken a bet that ISO 27001 is going to be V1, but it doesn't have to be V1 for everybody.
[00:25:51] I mean, my company is quite small. You know, we're not looking for global domination.
[00:25:56] We have a lot of need and requirements coming through our client base where they go, hey, this is the one, right? And, you know, right now in Australia it's quite big. I've got a couple of clients in the US, one in the UK.
[00:26:12] So it is around the world. Those ones are just as bad as far as timing is concerned, like this podcast. But yeah, you're 100% right, George. I'm not saying that this is the one for everyone.
[00:26:26] It's just that we're here to help those that need this one.
[00:26:30] Okay, a couple of questions that just come to mind. So this is a globally recognized standard, so you being in one country and servicing somebody in another shouldn't matter.
[00:26:40] No, because what happens is the certification body that comes in and does the audit can be in any jurisdiction that you need, right?
[00:26:50] So for instance, in Australia we have this thing called JAS-ANZ. It's the Joint Accreditation System of Australia and New Zealand, right? So for all of my Aussie and New Zealand customers,
[00:27:02] we have a certification body that is accredited by JAS-ANZ to do that. Now, over in the States or over in Canada, we can use a local certification body where they do the audit, right?
[00:27:14] They get a different-looking certificate than what we get down here, but effectively it's an audit performed by trained and qualified auditors in that jurisdiction. They give you a certificate and, hey, now we're certified. The audit scope is the same thing.
[00:27:30] It's just exactly the same.
[00:27:33] Correct, exactly. So where we have, you know, data breach laws down here and we need to, if there was a breach to happen, report that to a certain body, that would change over where you are, right? You'd need to figure out all of your legal requirements and, you know, your regulatory bodies and all of that. So that's what changes, but fundamentally, when
[00:27:58] you're talking about technology, whether you're here in Australia or, you know, over there in the States,
[00:28:03] everyone's kind of using a similar stack anyway. So it truly is that global standard that can be done anywhere.
[00:28:10] I mean, you're 1000% right. I saw it on a slide within the last month. I know everybody always argues the actual number, but I saw on a slide that the estimated number of IT service providers, I don't care whatever acronym you feel like that day, is 400,000.
[00:28:28] Wow.
[00:28:29] Yeah, like, I don't know if everybody will agree with that number.
[00:28:33] That's a global number. It's not just North America; it's talking about the whole thing.
[00:28:38] Yeah, 400,000. There's a lot.
[00:28:41] But to your point, the people that we're talking about, and I was just taking a peek at some of the logos at the bottom of your screen here on your website.
[00:28:47] Like, I've seen a lot of these MSPs before, right? And they have standardized on pretty much one of three ecosystems of products.
[00:28:56] Sure.
[00:28:57] And it doesn't matter what country you're in. The product works the same way.
[00:29:01] Exactly right.
[00:29:03] Yeah.
[00:29:06] So, you know, some frameworks require like an interval re-up right annual every two years like how does this work you put the six months and get certificate and you're done forever like what or is there an upkeep?
[00:29:22] Yeah, so again this is kind of tying back into how my my service works or my managed service.
[00:29:29] So what happens is you build we build the system first six months call it then we book your audits right we get your auditors in we get you certified everyone jumps around we've got a nice piece of paper you go give it to your clients.
[00:29:41] Generally what happens though is that if clients do even MSP does this themselves when that high is done they go back to business as usual right they don't they don't go back to the framework and they get the certificate.
[00:29:52] They go they don't go back to their risk registers that they've just been compiling for six months, and they just go back to be a you and then 12 months later on your anniversary date of your certificate the auditors come back knocking and they say hey we're here for your surveillance audit right it's not a full audit but it's a check
[00:30:08] I never heard this, surveillance. I never heard it called this way, surveillance audit. I like it.
[00:30:13] Yeah, yeah so they come back and they make sure that you know you're still doing what you said you were going to do.
[00:30:18] They make sure that any issues that they found at the first audit, even if they weren't enough to not grant you certification, are closed out, right. So yes, they do come back, and they come back every year, right, and after the third year then you go for what's called a recertification, you sit the whole process again.
[00:30:36] Okay, so every 12 months they are coming back, they are looking at your business, and this is why the governance around 27001 is so rigid.
[00:30:46] That certification can be pulled from you at any time if you don't comply with the outcome of your audit, right. If you end up with what's called a major non-conformance and you don't close out that major non-conformance, which is like a complete lack of satisfying a particular control,
[00:31:05] let's say, and you don't provide, you know, evidence back within let's say 60 or 90 days that you've closed it out, they do suspend your certificate and it will show up on the register online for anyone to see that you are, you know, currently in, yeah, basically not in a cancelled
[00:31:23] state but in a suspended state until you eventually become cancelled. So yes, the governance continues.
[00:31:30] That's why we are kind of around. We, as a managed service provider ourselves in a very small way, we are on with you every month going through this, keeping you updated, keeping your audits in check and making sure that we remain compliant.
[00:31:47] Yeah, no, I'm glad you spelled that out, because I actually never even looked into what past the initial part does it look like.
[00:31:56] Yeah, you know, like at the end of the day, of the people that you've worked with so far, and it looks like you have a pretty good business going.
[00:32:07] Have they come back and said, alright, we have 27001, but I need you to, like, this other thing's being requested, different name.
[00:32:16] Yeah, maybe I don't know, 10% in addition to what's already been done. Can you help us out? Does that happen?
[00:32:23] Yeah, it happens sometimes. We're currently in the process of working with a client that is going to be looking at a cut down version, or a light version if you will.
[00:32:35] That kind of thing won't be certifiable, but it will still bring whoever they're trying to work with up a level, right, and I suppose that's what everyone's trying to do. Everyone is just trying to do something in this space, trying to put some governance around their work or around their business.
[00:32:53] And it's, you know, I'd love to say that it's being driven by an internal kind of, you know, dream to be better, but it's being driven by insurance companies or by, you know, people that are potentially, you know, giving them money because they're funded in some way, or, you know, if people are getting
[00:33:12] money of some sort, the people giving it might want to actually know that these guys are protecting their business the way that they need to, right, so it could come from anywhere.
[00:33:21] It really could. But yeah, absolutely, there is a version of everything where it's, you know, a cut down version, not certifiable, but hey, it's still a start, right.
[00:33:34] 100%. Let me ask a question then, because I didn't even think about this until it literally just popped in my head. So like, again, the insurance industry clearly talks more than the government does to its various limbs, but the bottom line is, if you look at
[00:34:02] the ask list, they do this yes or no, yes or no, like almost similar, almost identical, like they're just sharing, right, zero zero.
[00:34:12] What does that look like in Australia? Like, is it a similar situation? And like, I hate to use this analogy, but everybody knows cars exist, so like, if I go to my car insurance company here in Pennsylvania in the United States and I'm like, hey, my car has an alarm.
[00:34:28] Oh, you get a discount. Oh, my car has tracking, right, so if it gets stolen you can figure out where it is, oh, you get another discount. And like all of a sudden, depending on the feature set that you have, you know, they actually give you something back in return.
[00:34:42] So I don't know if that works in a similar way here, but I'm curious. Yeah, it absolutely does. Like I keep kind of reminding everyone, insurance companies, right, of course they can hire IT experts to consult with them and all of that, but all of the questions that
[00:34:57] they're asking: do you have an information security policy? Do you have an access control policy? Do you govern this, do you govern that? They are all stemming from the core controls of ISO 27001, right, those questions come from that standard.
[00:35:15] Now you have all of your other cyber security frameworks which are a lot more prescriptive on what you need to do: go and turn this checkbox on, go and make sure this configuration on this particular platform is x, y and z, right. That is different and is a level of detail that absolutely will harden your business, but when we're talking about insurance.
[00:35:39] They're looking at the next top level, you know, they're looking at top level policies for instance, right, they're looking for, you know, the existence of you actually having some kind of framework. In some cases they're not asking for it to be certified, in some cases they are, it depends on what level of insurance you're going for.
[00:35:56] But all of those questions, and even those dreaded cyber security questionnaires that everybody always gets, if you look at what they're asking for again.
[00:36:05] Do you have an information security policy, do you have objectives around information security, do you have access control, all of this stems from the same place.
[00:36:16] So do you, like, take your certificate and, like, staple it to the questionnaire?
[00:36:21] Yeah, no, you fax it in.
[00:36:24] No, so you can take a certificate, it's absolutely worth its value.
[00:36:29] You know, I would love to say that the certificate itself is enough to just say, you know, here's the certificate, bye bye.
[00:36:36] It's not really like that. You give your certificate, and then for instance you might just give your information security policy if they request it.
[00:36:43] And then you might actually just go into some detail about, you know, how you're doing things there.
[00:36:48] And when you've got policies already written for you that are customized to your business.
[00:36:53] It's a matter of just going into where you already know, copying what you need out and pasting it into the questionnaire.
[00:36:58] They're a pain when you don't have the answers consistently.
[00:37:03] Right. And so, you know, you do it once, you do it properly.
[00:37:07] It doesn't become a pain anymore.
[00:37:10] Fair. Or you do what everybody's done for years, just try and copy somebody else's policy that you're not even following.
[00:37:17] Yeah, you know I'm right.
[00:37:22] Absolutely, and it goes back to the governance in our industry, right, like at what point is someone going to turn around, whether the government side or even, you know, us internally, and say something should be done here.
[00:37:35] There's really good MSPs out there that are doing the right thing, and there's some really bad MSPs out there that are realistically, you know, if you look under the hood, should they be in business?
[00:37:45] I don't know, right, and there's got to be some way to be able to differentiate those for the client's sake, because hey, we're the ones that are holding their data, or protecting it at best.
[00:37:58] Fair. So like, you know, for the people down there they know all about this, for the people up here they're like, I don't know, maybe I have heard it, maybe I haven't, right. Like the government did come out with the Essential Eight, which is.
[00:38:11] Yeah.
[00:38:11] I would say it's like the bare minimum, right, of like if you have a heartbeat these things have to be figured out or else we've got problems now.
[00:38:19] I didn't dig into like how that's enforced or where it becomes a problem if you say you're doing something and you're not. Maybe you can just paint the picture for us, but.
[00:38:29] And it's not like, this is, that's your first, as a country, that's your first layer to something specific to IT controls.
[00:38:38] Yeah, yeah, it's the Essential Eight, specifically the maturity level one, because there's three separate maturity levels that appear in it. Maturity level one is, like you said, if you've got a heartbeat.
[00:38:49] You should be doing this stuff now. I've had my fair share of conversations, and I'm pretty strong on this opinion, that if you're an MSP, maturity level one should already be, like, in the rearview mirror, right.
[00:39:02] If you're an MSP and we're still trying to work out maturity level one.
[00:39:06] How are you even getting your clients to maturity level one, right? So, you know, that annoys a lot of people, but hey, you know, the reality is that these frameworks come out for a reason.
[00:39:17] You know, that's been out for a really long time already. If we're still not there, what are we doing, right? Then you're kind of climbing that ladder, you've got maturity level two, maturity level three.
[00:39:27] They kind of say, loosely, ISO 27001 and maturity level three are probably on par, right, so you're probably getting a nice little umbrella over your controls and your policies and things like that at maturity level three.
[00:39:41] But yeah, you know, your everyday businesses, especially that aren't even MSPs, you know, maturity level one is going to do a world of good for them, because otherwise what does their business even look like?
[00:39:54] So, like, this is just me being naive, right, I never asked the question, I'm sure everybody already knows it down by you, but like, how is that enforced?
[00:40:01] So like, it's kind of a self assessment at this point. All of them are self assessments.
[00:40:10] People may be able to prove me wrong on other frameworks where external auditors come in and do a proper external audit with a certificate.
[00:40:22] Now there's heaps of cybersecurity firms that will put their hand up and say, hey, yeah, we'll assess you, right, you know, we'll assess your maturity level one, we'll assess your maturity level two, but that is a private assessment done by a cyber firm. That is, you know, great, that's awesome, if they give you a nice printed, you know, Illustrator certificate then so be it, right.
[00:40:46] But not everybody's doing that. It's not mandated, in order for you to be ticked off, if you will, as being maturity level one, two or three, that you go through this process.
[00:40:57] There's all of these certification bodies to pick from, they're all going to do a consistent audit. There's nothing like that.
[00:41:04] Interesting. And so, but does the government at any level say, hey, submit your assessment to us, and for some reason if there's a problem we're going to come back, and like, it's like the insurance company is like.
[00:41:14] Funnily enough, online one, you check the box that everything, and I pay on, but you just had a breach, so.
[00:41:22] Yeah, exactly. No, funnily enough, not from an MSP standpoint. There's no maturity level submissions that MSPs need to do.
[00:41:31] Interestingly enough, there is a government agency down here, the Department of Employment and Workplace Relations, that have to actually do a statement of applicability, which is basically a list of all of the controls, not just in ISO but in the Australian ISM.
[00:41:50] And they need to write, you know, justifications on whether or not they have it or they don't, and they do need to submit it to the government, and they have to do that once a year.
[00:42:01] And every quarter that gets updated. Like there's a lot more governance on that particular agency than there even is for an MSP, right, they have to submit that, an MSP doesn't.
[00:42:16] It's more the insurance companies that are coming in your scenario, that's basically saying, hey, you said on your insurance form that you've got MFA turned on. What's up, right? It's not the government that's coming, it's the insurance companies that will come.
[00:42:30] Interesting. Have you, just curious, have you seen this happen, like, as somebody.
[00:42:34] Not firsthand, especially with an insurance company. That stuff is generally kept very private, I suppose, as they should.
[00:42:43] But no, I personally haven't had any experience, or yeah, haven't seen it happen. I've heard of it happening.
[00:42:50] Definitely, you tick the wrong box on an insurance form and you've voided your, you've wasted your money.
[00:42:56] Right.
[00:42:57] Don't do it.
[00:42:58] There's no point, the moment you need it it's not going to come through for you.
[00:43:02] This is not financial advice, I should say that, I always get dragged into the insurance kind of world. Practical advice, it's practical advice, let's call it that. It's just like you would not.
[00:43:14] I don't think it is smart, personally, for anyone to get in the car and not have car insurance.
[00:43:19] Yeah.
[00:43:20] Like in the scenario where you do get into an issue now what.
[00:43:24] Yeah.
[00:43:25] It gets very expensive very fast.
[00:43:27] Absolutely it does.
[00:43:28] Now, I'm like, nobody wants the six figure bill in their mailbox.
[00:43:34] No.
[00:43:36] Very true right.
[00:43:39] So OK.
[00:43:40] Would you say, I don't know how to even categorize this, right, but like, maybe, you know, we could go back to the Paul Dippells of the world, they're like, well, we've created a maturity score for every MSP, one, two, three, four and five, like.
[00:43:55] Yeah.
[00:43:56] What level of maturity does an MSP get to where this is something where they're like, yep.
[00:44:01] This is what we need to do, or I've talked to other people who are in a similar place and they're suggesting that if we haven't done this to start doing an Alec. Where would you say that hits?
[00:44:12] That's a great, it's a really good point.
[00:44:14] Look, 10 years ago I would have said it was the most mature companies that were needing to get it, right, you know, at the top of that maturity level.
[00:44:25] But these days it doesn't even factor in. Like, if you're in business and you're an MSP, and let's say you've, I mean the smallest company that I've ever worked with to do ISO 27001 was just two directors, right.
[00:44:41] There's two directors, that's it, their whole business. They've grown now, they're up around that, I don't know, 10 or 15 mark.
[00:44:48] I'm not saying they've grown because of the standard, but they launched the business, they thought, I want to do this, let's go.
[00:44:58] We want to start on the right foot, and they did it. Now, hey, costs also scale with the size of your business. If you're a two person MSP you're going to pay X amount, not just with a service like me, but your certification costs are going to be absolutely lower than what they're going to be when you're a 30 or 40 or an 80 person MSP.
[00:45:17] So that all scales too, which helps with that maturity level, because we're not now talking about money restricting the outcome.
[00:45:25] Right.
[00:45:26] So like when I do my talks or my lunch and learns I get that question a lot, and I kind of say, at the end of the day this is going to be governed by your client base, right. It's not about me trying to sell you the ISO, I don't work for the ISO.
[00:45:42] It's about those that need it and how do we get it for you, because your clients are asking you for it, right, so that's kind of where it all stems from. So the OML, you know, I'd love to say it's only for that top end to protect those potentially at that lower end, but it's probably the reverse. If you're at that lower maturity level you probably need this in order to help you boost your maturity level.
[00:46:08] Okay, I get what you're saying. You're okay if you want to punch above your weight.
[00:46:12] Yeah, this gives you outside credence to say, hey, listen, I may be small, but I have the same thing they've got down the street, so like, give me my hat in the ring, let's see what happens.
[00:46:24] Absolutely, absolutely. I mean down here especially, because, you know, like I definitely haven't been over to the States yet to kind of see the uptake in 27001, but especially over here.
[00:46:37] You know, we do see that being the last piece of the puzzle, or we decided to go with this company over your company because they were certified, right, it's the last check. We loved you both, but we had to separate you, and what's a better way to separate two competing bodies than
[00:46:54] something that's formal and certified.
[00:46:56] Okay, well I've got two questions for you that come from that, one.
[00:47:02] You know, you know your community best, you live there, right?
[00:47:07] Yeah.
[00:47:07] You were to guess what percentage of MSPs, like I'm told between Australia and New Zealand it's like 9000 MSPs, I don't know if that's the real number, let's just go with it.
[00:47:17] What percentage of that 9000 do you think have done this?
[00:47:21] Ah, less than 2%.
[00:47:25] It's tiny.
[00:47:27] Wow, that's a really, I thought you were going to say 10.
[00:47:31] No, 800 companies.
[00:47:33] Well, if we talk about eight or 9000 MSPs, would eight or 900 companies in Australia and New Zealand be sitting up?
[00:47:41] I don't reckon. Look, maybe 2% is low, maybe it's close to five.
[00:47:45] I could probably run the data, probably should have run the data.
[00:47:48] It's quite hard to get.
[00:47:49] Good marketing and punchline for sure.
[00:47:53] Absolutely, but no, look, to be honest, like I would be absolutely lying if I said, oh yeah, everyone's getting it, you know, get on the wagon, all of that kind of stuff.
[00:48:01] No, but it's getting there.
[00:48:03] If you had asked me 10 years ago what the number was, because you still would have had eight or 9000 MSPs.
[00:48:09] It definitely would have been a fraction of that, but now we're definitely seeing that curve, where, because size doesn't matter, and in a way we've tried to help with our managed service to alleviate costs being a barrier.
[00:48:26] Because some people can charge you up to 60, 70, $80,000 in a consulting fee to do this, whereas we don't do that, right.
[00:48:35] We know that doesn't work for an MSP, it's going to crush the MSP to do this.
[00:48:40] So instead of them flicking it in the back, going too hard basket, it's going to cost too much.
[00:48:45] It's, hey, okay, it's a set monthly fee, it's over a period of time.
[00:48:50] Let's do this, it's manageable.
[00:48:52] Can't even hire a person to do it at that cost.
[00:48:57] No, that's fair. I mean $70,000, I would say the MSP is like, do I hire somebody or do I do.
[00:49:03] Absolutely, I want to hire somebody, like just an actual regular day to day employee.
[00:49:09] Yeah, not just, absolutely.
[00:49:12] And of the industries, of the people that you work with, I should have asked, approximately how many IT or managed services companies have you worked with so far?
[00:49:21] Yeah, so we're working with, I think at last count it's 45 MSPs down here in Australia and New Zealand.
[00:49:27] So yeah, like I said, not looking for global domination, but, you know, for the size of business that we are, for people doing a really, you know, a really boutique job for our client base.
[00:49:37] We love it, right, we're not for everybody, but for those that we are working with I'd like to say they get lots of value out of us.
[00:49:46] That's fair.
[00:49:47] Of that group of 45 and growing, what industries from the end customer of the MSP have you seen where they're like, hey man, I need the certificate, how quickly can you get it? Like, is it a specific vertical or verticals?
[00:50:03] Yeah, it's starting to creep up in financial services.
[00:50:08] Right, so those that are, you know, getting data upfront about you, all of the personally identifiable information that you could want, a financial service provider has, right, accountants, things like that. I mean a lot of these guys are kind of, when you send them a form with all of your details, in the back of your mind as an IT guy,
[00:50:29] you know, you're kind of going, well.
[00:50:31] How are you protecting this? You know, I'm not trying to sell you my service here, but like, where's this going, right, how are you controlling this data that I'm giving you, or is it sitting in someone's email inbox ready to be, you know, fished out? So it's a lot of the professional
[00:50:48] services industries or government agencies themselves, like I said before with the DEWR, that are getting asked as end clients to do this.
[00:51:01] There's some others, we're starting to look at educational institutions. How many schools have data about all of our kids and their scores and their grades, right? A data breach at a school that all of a sudden has all of the, you know, the
[00:51:14] the people that are leaving that year, like down here it's year 12, over there I think it's, what is it, it's not sophomore, or maybe it is, all of those grades, right. Like that's all confidential at the end of the day, and this is all the data that we're trying to protect.
[00:51:30] There has to be some governance around it.
[00:51:32] Yeah, you know, it's funny you say that. I was just helping my father submit an application for some doctor thing.
[00:51:38] And I was like, oh, you need to, like, send all this documentation, and I asked myself that question, I'm like, hmm.
[00:51:44] So this is a lot, there's like a lot of numbers on these pages that are not things that I just want to put into the mailbox here. And so they ended up having me fax it, and I was just like, um, okay.
[00:51:56] Yeah, you do think about that, where does that end up on the other side. Exactly.
[00:52:01] And yeah, in this day and age it's the number one question everybody's asking, right. Everyone wants more information, because they know, topic for another day, but you've got all these AI algorithms and everything, so people want more data than ever to be able to make decisions based on their existing clientele, based on this data. But then if they're not protecting that data, then we're giving away more data than ever.
[00:52:26] And so you kind of say, well, at some point something's got to give. We've got to have some kind of verification or governance around whoever we're giving this data to and entrusting it, that they're at least being looked at on a regular basis and, you know, being certified, in my opinion.
[00:52:45] That's fair, yeah. On my way out the door I'll give you this, right, like everybody forgot about it because CrowdStrike took the global stage for a good little while there, but like right before that I'm going to be able to make decisions based on this data.
[00:52:56] And so I'll give you that.
[00:52:57] Like, it's very, very emblematic of our own sandbox in MSP land. One of the top three companies that, like, every car dealership in America uses got hit, CDK, they're venture backed, surprise, and inside of their application are the credit checks, the social security numbers, the bank, you know, verification,
[00:53:18] the insurance cards, like, oops.
[00:53:22] Yeah, it's a problem.
[00:53:25] Yeah, like if you think about, I take those three things, like your social security number, your banking information, your insurance card and your credit score, like that's your whole identity right there, right, like I'm going to be able to do a lot of damage.
[00:53:39] Absolutely, absolutely, and it annoys everybody, and it's a big waste of time when you're hit with it as the, you know, as the end person. You've now got to go and get a new driver's license with a new number, and you've got to go and change this and change that, and think
[00:53:54] about how much time we're wasting cumulatively across the world trying to sort all this stuff out.
[00:54:00] Yeah, yeah, it's crazy, but it's like, this isn't a, I tell this all the time, I was like, we're not talking about a possible future. It happened already.
[00:54:10] We're not, like, talking about, well, that'll never happen. It's like, I know, it's already happened, like all the time, by the way, all the time, not a one time thing. Anyway, Jason, this is awesome.
[00:54:19] I love when I talk to somebody else who's been in the sandbox, because like, you know, you can feel it through the screen even, right.
[00:54:27] I can feel the pain coming through the screen. How do people find out more about you, your company, get more information, maybe make it, all that jazz?
[00:54:36] Yeah, just really simple for me, I'm on LinkedIn, Jason Maricchiolo. I think if you look for the ISO guy I might come up, but yeah, please connect with me on LinkedIn and send me a message, I'll absolutely reach out to you, and if you want to have a chat, doesn't have to be a sales chat, just even a friendly chat about infosec, more than happy to chat to anyone.
[00:54:56] Let's just not make it at 4am.
[00:54:59] Bear, I apologize for that. When I come down, and I'll be down for that Ocon Sydney, what you saw.
[00:55:06] I was, beers on me. Okay, I'll take care of that. Okay, you'll remind me, I'm sure. I will remind you, absolutely.
[00:55:17] Also Jason's website, iso365.com.au. I was actually poking through as we were talking, just kind of, you know, I was like, oh, I know those companies, and like kept on scrolling, like, I know that guy.
[00:55:31] Cool. So check out iso365.com.
[00:55:35] Jason, maybe go, I don't know if you're going to get back to sleep now, but sorry for making you start your day a little bit early, but I promise there'll be enough beer to cover you on the other side.
[00:55:44] Nice, nice, now it'll be a productive morning for me, and don't worry, so I'll get stuck into it, but thanks for having me on, Georgia, it was great.
[00:55:51] Awesome. For everyone else, thank you for tuning into this episode. We recorded it. It'll be on YouTube, it'll be on podcast, it'll be on MSPinitiative.com under sessions.
[00:55:58] If you just mentioned me saying we're going to Australia, yeah, like if you didn't pay attention to the beginning part of this.
[00:56:04] We're going to be at that icon Sydney, which is in November, and we're throwing a community block party for all of you guys in IT and MSP land, so like, even if, like, hopefully, I know I heard there's going to be 1000 people at that icon Sydney.
[00:56:17] That's really cool, and for Australia it's a pretty good number. But if you're just in the area, you can go to this block party without even going to the conference, so like, come hang out.
[00:56:24] Have a beer. Talk with me and Jason about, well, you know, whether he made his bet right. Now we're going to put a marker for three years from now and see if something else happens.
[00:56:33] Anyway, thanks guys for tuning in, we'll catch you on the flip side. Jason, talk soon.
[00:56:37] Signing off. Have a good one guys.
[00:56:39] Bye.