LeastTrust IT

Transcript – Mock Risk Assessment

And we're live. Welcome back to Team Tim. How the hell are you, MSPs, all the people that we've ignored for a couple of months because, you know, life, holidays, travel, conferences, companies, fun things. Hey, we're really excited to have Team Tim back here. Obviously, Tim Schnur, Jesse Miller. It's been a hot minute. Mr. Schnur, how the hell have you been? What have you been up to these days?

Doing great. As you said, you know, busy, busy.

Yeah, you seem to be a little busier than everyone, but you always amaze me on what you get done in a day, and same thing with my friend Jesse down here. You know, I don't know how you... starting the new Yellowstone in upstate Minnesota and at the same time starting a business. So I, you know, I pale in comparison to you guys. But, you know, it's been good. You know, family. And how's that house? That house, are you in, like, This Old House mode? Where's that Bob Vila guy?

Oh, you wouldn't even recognize the house if you drove down the street. It's a new roof, it's got a new exterior, it's got a new front porch. So it's got a... I got a front yard full of mud, so many guys walking through it, bulldozers. So it's good, it's good, it's good.

Jesse, you know, what have you been up to?

Well, I had the flu last week, or two weeks ago, so I was getting back to normal last week, and I finally feel like this week I feel like a normal person again. I got a little bit of a frog in my throat still, but on the mend. And yeah, I feel like this has been the longest month ever. I don't know. Yeah, Tim, we were just talking about this backstage, but yeah, it just seems like this has been a... I did not expect it to be really busy in terms of business. I thought we would get a little bit of a breather here, and January has not afforded that, which is good, but it's just been super busy. So that and being sick, and I was just talking with Tim about, you know, buying cattle for this year and everything else. It's been a busy month, so I'm glad to get some sense of normalcy and feeling like we're back in a cadence here on Team Tim, and excited to talk today about risk assessments.

What is normal, right? So, really love that, Jesse. You know, being a cow guy myself and love that fresh beef, right, always looking forward to throwing the next steak on the barbie. So, you know, things here have been ramping up too. It's been a whirlwind the last three to four months. Rip out the holidays, because that's always craziness, but we acquired a company, we brought in a whole new service division, we have a whole new team of people and stuff, and oh my God, like every single aspect, I think, of my life and our business and everything has changed in like six weeks. Okay, maybe a little more than six weeks if you take out Christmas and Thanksgiving, but it has been nutty. It has been really nutty, but it has been amazing. You know, I know we're going to get into the risk assessment stuff here, but it actually can relate, because a lot of MSPs are looking to get their exit, do some M&A, maybe get bought out, and a component of that is definitely conducting and dealing with risk assessments, right? Us technical geeks, we always want to just dive into the technical controls and "tell me what 1.7 meets." We're gonna get a little around that today, but I think we need to set the stage, because obviously we haven't done our own introductions, we've been bantering here for a minute. So just take a second: who are you, what are you, why are you?

Oh yeah, that's right, I do do something, don't I? Jesse Miller, founder of PowerPSA Consulting and creator of the Power Good vCISO system. What we do is teach MSPs to crack the code for deploying profitable vCISO services and growing their businesses.

Love that. And then Mr. Tim, I think I have one of these for you someplace here. Let's get you up on stage and say hello. Scroll her down there.

Yeah, appreciate it. So, Tim Schnur, I'm in the New York City area. I help mostly law firms, but some hedge funds as well, in terms of advanced cybersecurity. And what does that mean? Data privacy, data classification, and integrating these new and interesting tools into securing their data. So that's generally what I do.

Awesome, awesome. Yeah, and then I suppose I should probably come up here and say a word or two, huh? So hey, MSPs, fellow friends, cyber risk enthusiasts, I don't know, I'm supposed to say jelly cats and other things, no, our friend Tera. I'm Tim Golden, founder and CEO of Compliance Scorecard, where we help your MSP have the risk conversation with your customers using our compliance scorecards. The little live demo on the bottom if you want to check us out, week after week after week, where we can show you how to have that risk conversation with your customer. And without further ado, let's just dive right in. I've got a short episode, right, and the question is: Jesse, define risk assessment.

Well, two hours later we'll get there. Yeah, so I think risk assessment, to me, can mean a lot of different things. Let's go with the scholastic version first, and that's looking at the cybersecurity posture and controls for a business and deciding the level of impact that each one of the gaps will have on their environment based on their specific technical controls. Okay, so to do one of those, yeah, it's a lot, right? But it's really just the impact of their cyber controls on the probability that an event will occur. Impact versus probability, right? The problem is that to do that extremely qualitatively, or excuse me, quantitatively, we have to get very detailed in terms of our algorithms, where the controls are applied. So a true risk assessment is probably not affordable, I would say, for 95% of small businesses.

Okay. Oh, that's interesting. Might... that continue.

Yeah, yeah. So yeah, and I want you to jump in here. So I will say that I consider a risk assessment something where we take a blend of that. So we take a gap assessment. A gap assessment is: are you doing this, yes or no? And then we make some educated guesses through understanding their environment and their suppliers and the way they make money and their business processes, and we create some educated guesses as to the impact of those gaps, and we can come up with a risk number that way and have it be a risk assessment that's actually affordable for businesses. So I'll let you go from here, Tim.

No, there's a clear delineation here that I want us to noodle here in a few minutes, but before we do, Mr. Schnur, how do you define risk assessment?

You know, I'll dance, but Jesse got into it, and Brian, who is now a partner or employee or, you know, aligned with Tim Golden over there, has some great posts on this, and I implore everyone to check them out. But it's really understanding their business at first. I think Jesse started with the standards and the baselines, which talk about how are you aligned to a framework like a NIST or a CIS or something like that, and I think we get caught up in that quite often. And it's really about understanding the business at first. So I was hoping, if we have time, we can kind of go through a little mock exercise of a fake company out in Ohio and see Jesse work his magic, and maybe Tim add some color as well. But yeah, I think it's really understanding. It's risk management, as Jesse said, right? And probability, right, is about risk management. So like, the firm is worth a lot of money, it's got some enterprise value. What are the things in the firm that are risks, and what are both the probability and impact of those risks? That's important to kind of suss out. But first you certainly better understand the firm, and where did that enterprise value come from, because that is going to be really important to understand, like, how do you
protect those revenue flows going forward.

So do you see what we both did here, at least you both did here? As technologists, we jumped right into understanding what buttons to click and the why and the likelihood, and we went right into our mindset of what we think a risk assessment is. Jesse, you made a really key and interesting distinction: a gap analysis and a risk assessment. A yes or no, and a "what the hell does this all mean." And when I think of a risk assessment, I'm thinking we already did a yes/no/maybe exercise. We already did a rapid thing that said yes, no, maybe, yes, no, maybe, yes, no, maybe, and then all the things out of that I can then tie back into business risk. I can then tie back into actual business outcomes, right? Understanding and building out. When I think of a risk assessment, it's vastly different than a quick yes/no/maybe. Now, the yes/no/maybe component, I believe 90%, 100%, every business should have some baseline. Now if they choose to go deeper and figure out where their risks are... Like, Jesse, you want to get all these cows, build a farm. Well, I guess my first question is: do you have land? Do you have a tractor? Do you have a water bucket? Do you have feed? Yes, no, maybe, right?

Yeah.

But the actual risk assessment is: hey, Jesse, is your grass actually good enough to eat? Is your water contaminated or not?

Yeah, right.

So if I'm trying to bring it back, like, I think a risk assessment is digging a little deeper.

Yeah, yeah, absolutely.

What's the order there? Or Jesse, you can answer that question. What's the order: gap assessment, risk assessment? MSP, new customer, right?

Well, yeah, I mean, I think at a core level, I always want to understand two things before I even get into gap and risk assessments, because that's going to inform how I answer the questions when I get down to the technical nitty-gritty. And Tim Golden, you exactly hit it on the head, is that it's their business and what's important to their business. So I always want to do, whatever you want to call it, a crown jewels exercise, or I call it LOB apps, or critical business applications. That's where I really want to start, is: talk to me about your org chart, your different departments, who's in charge of those departments, and then what are the most critical business functions or applications that you use in those departments to do your job? And so I always explain it to people like I want to break it down to a stoplight scenario in terms of criticality, like low, medium, high. And so how do I do that when I'm explaining it to clients? Like if we're talking about this exercise that you have, Tim, to somebody that doesn't know what really any of that means, I'm going to say, okay, well, think about it this way. I want to explain to them, well, we have these things called confidentiality, integrity, and availability. So I say, think about your data. If the data in this system was compromised, meaning somebody got access to it that shouldn't; if it was available or not, meaning can you actually get to it or use it; or if it was changed or altered, what effect would that have on your business? Okay, if we're looking at a high impact, we say that this is like a catastrophic or potential extinction-level event for your business, right? So that's what I want to think about: a high impact, any of those three things are compromised, I want to think about this as a high-impact system. So medium impact, we want to say, okay, it would be extremely painful, we might see a downturn for six months to a year, but we think we could get through it. And then low is, yeah, it'd be a bump in the road, it would be bad, but we could get through it pretty quickly and we'd be back on our feet in less than a month, right? So those are the three ways I want people, or the customer, to start thinking about the impact of their systems, and then we create a list and go through that. Now once I have that, then I've got a really good risk framework for what's important to the business, to then start doing, like Tim said, going in and looking at technical gaps and the systems in place to support and protect those business-critical systems, and that then helps me determine the level of risk for each one of those.

Sounds like you have a pretty nuanced view of the business already, Jesse, right? Like, I guess we're assuming you're tailoring, or you're a niche MSP, right? But like, do we want to back up and say, if you weren't, and if you were looking at a new customer where you don't understand how they're doing business, how do they plan on exiting or monetizing the business in the future, things like that, do you kind of ask those questions up front, or do you just generally have an idea, like, I know these systems? I guess, how do you suss that out?

I think you should get into this whether you know the business or not. I mean, yes, I would advocate that you should specialize in certain verticals, and, not to say you can't, that you have to do just one, but you start off, you have a pod that does just one, you have a pod that does another one, and you grow that way, right? So it's going to be easier for you if you're focused on similar business types, but assuming you're not and you're just going and talking to your current client base, I think you need to know all these things about the business at a general level before you can make any sort of risk determination, and the customer should help you with that, right?

Yeah, yeah. No, I think we've had some interesting calls here, right, with, like, Brad Gross or some of these people talking about, do you know, have you looked at their contracts? Do you know what they are responsible to deliver? So there's... yeah, that's right, in terms of... you know, go ahead, Tim.

No, I was just gonna say, I know you want to kind of get into a mock assessment, right, because that's the whole point of today's specific session. Just understanding, as an MSP, what it is that you're bringing to your customer is going to be key. Are you going to be, for example, bringing them a business impact analysis? Are you going to be having some sort of business outcome with them, right? Just walking into an existing customer or a prospect and saying "I want to do an assessment": you need to be able to help them understand why it is that you're doing this, right? Start with why. And so, Tim, I think you had a little bit of a scenario that you wanted to set us up on here and kind of role-play things. So who's who, what's what, what's the scenario?

So let's do this. Jesse is the cybersecurity provider, vCISO, whatever capacity we want to put him in. I'll play a customer. So the sample customer is a building company in Ohio. It's a family business. You're talking to the CFO, which is myself here. The CEO and the father is the owner. They do residential, commercial, municipalities, so they do some government work as well. So that's kind of out there.

And what's my role?

Shut up and listen. You're gonna play the referee here, because you're a, you know, master professor over there. You're gonna grade us.

Yeah, okay. You can hit timeout too if you want here.

I don't know if that's a good idea. I'm letting you do timeouts. But yeah, I mean, the first thing I want to know is, how does the customer... because we have to be professionals, we understand the customer is not going to know everything about cyber, but I do want to understand what the customer perceives their areas of greatest risk to their business as. So that's probably where I'd start, is say, cyber aside, where are the areas of greatest risk to your business? And as a construction business, I don't know, Tim, what do you think?

Yeah, so I
I'll tell you what I think about my business. I mean, I manage or outsource all the IT, right? So we do have a lot of accounting systems. We do building on spec, so there is kind of some speculative things we do. We do RFPs for government contracts to build buildings and things like that. We're all over the place, Jesse. We have systems that we have to do things in, our vendor systems, we have data in our own system, and, you know, hope someday I'll own the business and take it over and maybe sell it someday or something like that. But just high level, kind of like what we do.

So okay, so to me it sounds like workforce management is probably a concern. Logistics are probably a concern in terms of lead times on materials and things like that. Cash flow: I'm guessing there's a lot of cash flow stress in the business because you're putting out a lot of money for these projects. Okay, and then reputation is probably big if you're working with government, and in the construction industry, I'm guessing it's kind of a closed system, right? Like you gotta... people got to know people, or it's all who you know, I would guess, partially, in this type of an environment, right?

We're a huge name in central Ohio.

Okay, all right.

We have tons of vendors.

Go, Tim, you timeout.

Yeah, no, so quick question. So love, Jesse, the fact that you thought of their business, you thought of the components, the workforce, the cash flow, the components of their business. You know, I keyed in on something, because this is what I do, with what Tim said, which was government contracts, and my first thing went to: have you even done a contract review with all of your end customers, Mr. Schnur, and determined are there legal and contractual requirements in those contracts with, I don't know, defense? Maybe you have a DFARS. I don't know. State? Maybe you have a FAR contract. Have you even done a contract review, and do you know what's in it, and what your customers, Mr. Schnur, are asking you to do and adhere to? Is there a right to audit? Is there a right to monitor? Is there a right to XYZ? Have you done that, Mr. Tim?

So there's certainly, yeah, auditing and performance, like disclosures and transparency and monitoring that happens. But Tim, in terms of the lawyers and understanding the contracts, I don't really know where we are. I don't know if we're in a good place. In terms of, like I said, we have all these systems and this data, but, you know, I know other builders that have been breached and have run into problems. Really, to dig in here, to get your expertise, I think the business is worth millions of dollars and I want to protect it. But Tim, I don't necessarily know if we have a, you know, you said FARs or DFARS or, you know, state, on a state basis as well.

Yeah, yeah. So I think obviously compliance and regulatory concerns are something that, like you said, Tim, we want to key in on, and especially technical requirements. But I'll just tell you where my head's at talking to this client. There's a couple of things I'm thinking about. I would ask them this, but I don't want to slow this up too much, and say, hey, like, if your systems are down, all these systems we just talked about, are your guys still going to be out in the field working, and can they get stuff done? They're going to be like, yeah, our guys can, you know, they're construction workers, they can be out working in the field for a day or two without a laptop and it's not going to kill them, right? So to me, I'm going to immediately think, like, operationally, workers can be out in the field, so I'm already thinking that things like data protection are more of a concern and more of a risk for this business, because if they lose customer data or they lose government data, they're going to be in hot water, and that's a long tail, but it does have existential potential effects for their business, because they could go out of business for lack of work, or fines, or long term not being able to have cash flow, or things like that. So long-tail impact of data loss is now what I'm going to be looking at. When I look at their gap analysis, controls around data, I'm going to rate a higher impact in my stoplight fashion and say, okay, if you don't have good data controls and you're not meeting that in the gap, that's going to be rated as a high, and it's going to have higher weight in the score on your risk assessment.

Again, right back to that business impact analysis. The guys in the field can swing sledgehammers all day long, because they don't need a laptop to do that, right? But the data on the back end, the security, the payroll, all, like, heaven forbid... Tim, I think you said you had multiple accounting systems, right? So chances are you probably have shared passwords across all of them, because convenience or lazy or whatever, and so heaven forbid one of those accounts gets compromised, you take over all of the accounting systems, and now your 600 employees in your bazillion-dollar business can't get paid.

Yep.

You mentioned, Mr. Construction Owner, you have all outsourced IT. Is that through an MSP, or is it through a single consultant who's handling that for you?

It's through an MSP, that's right. Yeah, so I mean, as you said, I think we can still work without the systems on a short-term basis, but all the ordering, supplies, logistics, payroll, that all is, you know, we have to get that up at some point. But yeah, and I would say the data is incredibly... we have so many contracts and so much planning and data in terms of lots and entitlements, and all that stuff, like, incredibly valuable to us.

So tell me about this MSP you have outsourced IT to. Jesse, is this where you were heading?

Yeah, I was gonna... I mean, so just, yeah, high level, I'm gonna sidebar here and step out of the scenario. The next thing I want to identify, now that I kind of have, like, a general... you see we did that, and what did that take? It's a 15- to 30-minute discussion to kind of get a sense of what's important and where the general risks are. Okay, this... now you're starting to build that business profile. So to your point, Tim, I don't think you need to know. It's better if you know, but you don't need to know, you can start getting that sense. So the next thing is I want to start blocking and tackling on the people I need to talk to, to dig in on each of these. So exactly where I was going: can we talk to the MSP? You mentioned separate accounting systems. Who handles that? Do you handle that? Do you have a... you said you have a CFO. Can I talk to the CFO about that? Yeah, can I talk to the CFO? Can I talk to your logistics or your drafting department, right? Whoever... do you guys outsource your architecture work, or do you have in-house architecture work? Can I talk to that person, right? What are the different... that's what I'm talking about, org charts. I want to know the different leaders in the company that are responsible for making the business work, and I want to talk to them with these systems in mind. Now that's where I'm going to start building out my line-of-business applications. And so let's stop there and I'll let you weigh in, Tim.

No, I agree. Understanding the key stakeholders, getting the right people at the table, and having the appropriate conversations. There was an underlying thing that I was asking about the MSP, which is what I was trying to determine from Mr. Schnur Construction: do you even know what they're doing for you, right?

We have very basic systems, yeah. So I'll just... like, we have a firewall, we're a Microsoft shop, we have, you know, on the cloud, it's not like we have on-prem here. We have Microsoft, you know, we use PowerPoint, we use Excel, we use QuickBooks for accounting, we use a CRM like HubSpot
for keeping track of all the clients and whatnot, and all the contracts as well. We have it basically all in HubSpot. But besides that, you know, we have BYOD, and we're using the Microsoft suite.

So essentially, have you done any sort of... I'm going to dig in on the MSP side, because that's our audience here in Team Tim, right? Do you even... are you on a contract with them? Do you know what's in that contract? Are they explicitly saying these are the things we're doing and, more importantly, these are the things we're not doing? Because if Jesse's going to come in as the vCISO and determine you have seven instances of QuickBooks, all with the same username and password, across 12 different companies and all the Microsoft tenants and all the SSO that goes around that, and no... like, Jesse's gonna come in as a vCISO and be like, we just identified a major area of risk. And if we heard from Mr. Schnur Construction, "oh, my IT company takes care of that"...

Yeah, that's the word for... yeah. So I'll increase the narrative here. We want to get bought out, or we want to get purchased somewhere down the road, and buyers want to... we want to have our ducks in a row. So Jesse's really here to orchestrate that.

Yeah, yeah. So, and that does change things, because it's like, the reason then we do need to have a more stringent risk program and risk assessment, and a NIST-based, even, framework, because when we go to talk to potential buyers and they're doing their IT and cyber due diligence, which is a thing now, right? It didn't used to be as much five, ten years ago, but they're going to look and say, what are the controls you have in place? How can you demonstrate that you're secure and we're not bringing risk into the buying process? And they might actually say, hey, you're not worth as much, because we're going to have to spend a bunch of money in terms of making sure that you're secure and that your systems are up to par and that you have, you know, proper resilience built into the organization. So that is a thing now, right?

Exactly.

So yeah, I know we're running short on time here. A couple other things I want to hit. So now I've identified who I want to talk to: you know, the CFO, maybe the operations manager, which is yourself, I want to talk to sales, and I want to talk to field operations, right? So those are probably like the four. I try to, again, making these things cost-effective, I try to limit it at four roles that I'm going to talk to. And when I would talk to those four roles, I then want to get my list of critical applications that they use, and how they use them and what they use them for, and then determine some basic things about those. So I want to get a basic function definition and statement: how are they using it? Is it internet-facing, yes or no? Where does the data live? Is it on-prem, in the cloud, both? So I want to know where the data is across different locations, obviously. Are we using unique passwords, and MFA or SSO or a combination of those, in terms of our identity for that? Is it properly backed up and recoverable? Are there any third-party integrations to it? And then is it a product or custom developed? Are we doing any custom development on any of this too? Because that's going to inform some other things that we're doing. So I think if you can answer those questions for each of the line-of-business applications, all of a sudden you've gotten a really good landscape of what protection looks like at a high level for the different critical business systems. Then you can go talk to the MSP or the IT people and talk about general patching. You know, now you can put on your propeller hat and go talk about patching, AV, MDR, all the things that we're doing in terms of our framework. And then, because you have that list of critical business systems, like, okay, are you guys patching? Oh yeah, we're patching. Well, are you patching this, this, this, and this? Oh no, we don't do that. Well, that's a critical business system and you're not patching it, so the answer is not yes, it's partial, and it's a high-risk item because it's tied to a high business system. All of a sudden now we are creating a risk measurement for that particular control in our framework, right?

Jesse, do you want me to onboard you as an employee? And Tim can answer that, like, do you usually do that? Like, I like to request that, like, to actually go through the process.

So it depends on how deep you're going on the risk assessment, right? Like, I think that can be definitely useful. It's not something I include in my de facto, like, initial risk assessment, because that's one of those things that... and I will say, like, to me this is a continuation. We want to give the customer value at a decent price. So if I want to get my risk assessment somewhere in between $6,000 and $12,000, which is digestible for almost any business of the size you're talking about, right, that's where I need to be able to get, like, a quick risk view and not go too deep, but go deep enough that I can actually provide some value. So all that to say is that then, past the risk assessment, we're saying, hey, there's a lot of things we didn't do. We didn't go through your employee onboarding process; there's probably risk there. We didn't go through your vendor acquisition process; there's probably risk there. We didn't dig into all your contracts; we looked at two or three, and we're noticing that there's probably risk there, right? So this is where we want you to sign up for our vCISO program to continue this ongoing risk treatment, and then those are things I'm going to start doing with them as their vCISO in a continuous monitoring fashion for the risk program.

I don't know, I'm always curious about, do I add you on as staff? Well, you know, the question becomes, like, the legality of all of that around there, right? You know, depending on, again, you mentioned government contracts, maybe there's a DFARS clause, who knows, maybe there isn't. And, you know, when we would consider some kind of fractional augmentation or vCISO kind of work, there's a component of that risk to us, right? So I always would go back to, and in this case, Mr. Schnur Construction, like, we would be happy to be named your chief risk officer or your compliance officer, but that comes with a certain level of risk on us, which means we're willing to do that, and we're willing to put these safeguards in place, but it is going to cost you a hell of a lot more money.

Yeah. Oh, and that's maybe my fault, maybe I misunderstood. Tim, were you asking... I thought you were asking, do I want to go through the onboarding process to see if there's risk within the onboarding process? That's what I thought you were asking.

No, it's really both, right? I think Tim's hitting on, if you were a full-time CISO, you would go through the full onboarding position and you'd become staff, right? Yeah.

So I guess this is great color here, right? Like, I usually ask to go through... you do get a lot of information. Like, you understand the employee handbook, you understand the onboarding procedures or the lack thereof, you get an understanding of what systems you're being provisioned. Like, they might miss these things, I think, in questionnaires, right? Because you just assume everything, because you're living in it, right? So I find that colorful. Then, even if you're quickly offboarded, also really good color. But I think, Tim, being kind of fully nestled in, I agree, and I'm curious, Tim, in terms of, like, cost: is that something you can put in a contract or not, or is it something that's inherent that really does drive the cost up, to Tim's job?

So, right. And so, by the way, this is not reflective of Compliance Scorecard. I'm putting my MSP hat on, so I want the audience to know that, right? I am an MSP and I am going to become the risk officer, the named person, the named entity on risk for Tim Schnur's construction. There's a cost to that. Not only my own insurance, not only my own stuff, not only my own reputation; there is a cost to that, right? And part of that cost is not just the financial aspect of "I need to charge you more to cover my own butt," but there's a cost of, Tim, if I'm going to take this on, you need to give me the authority, you need to empower me to make these decisions with you, and you need to provide us that opportunity to be able to dictate how things are going to happen in your business. Mr. Schnur, are you willing to pay for that?

Yeah, so I guess the question is, how do I get that from a vCISO? Get that same level of... how do I empower? Because I do want to empower them, because ultimately my goal is to sell this business for $50 million, and I'll do whatever the investment banker tells me to do.

Yeah, I think, say, you need to have somebody managing your risk, whether you hire a body internally that is your FTE, or you pay more money to bring a vCISO on that's taking that risk on themselves.

Well, I will diverge a little bit here, and I don't think, as a vCISO, I'm ever going to say that I want to be named... there's no amount of money you can put to name me as your named CISO, right? That's somebody who's a company employee that needs to be named, and I'm happy to advise them, right? But I am not a named security officer like that. To me, the risk upside, the risk downside for that, is far too great to ever justify me risking my business or litigation on that. Like, yeah, I mean, I recently had a client say, hey, can we list you as our security officer on our 10-K? And I said, no, you can't, right? You can list that you have a vCISO consultant who works with you to make risk decisions and that you have a risk program; we can talk about all that kind of stuff, but I'm not a
Company employee So and I’ve done it both ways at the MSP when I ran the MS right and it and it’s and actually as long as legally and contractually how you’re writing those agreements and mitigating the risks around those agreements Right This Is Us now talking about our own risk right doing our own mock assessment right as you know as long as the Agreements are in place that all parties agree to there’s the legal e and components around that like I was named isso on a bunch of different things because that’s how the company structured the agreements structured the risk mitigated the risk to the best of our ability but then that empowered me to go to Mr Schnur and say I am logging you out of every single instance of Quicks books I am removing every I am coming in with that sledgehammer and this is what you’re doing but that’s because how the agreements were built to give us because if we’re taking that risk I’m bringing the hammer cool all right so last five minutes uh we tend to try to leave team Tim with a key takeaway um you the key takeaway is you know take off his hat and we’re no longer in the scenario Jesse do you want with you on your key takeaway or should I start with Mr Schnur yeah I’m I’m ready um I I would say my last key takeaway is we didn’t get a chance to talk about delivering results of the risk assessment which I think think is another important part so I’ll just give the tldr of this is that whatever you have for a risk score you’re going to have some sort of percentage that’s going to be ambiguous for lack of to the client you’re gonna be like hey you have 75% risk that’s bad so that’s not helpful so you have to make your result results helpful and actionable so what I think is a good thing that you can Define is levels or expected outcomes for levels of risk so you say somebody in the n in the 100 down to 75 percentile risk range is going to have ransomware risks and other large scale risks like that 75 to 50 you’re going to have business 
email compromise or data compromise risks back to your scenario Tim that could be we want to avoid that so you need to get below that 50 Mark right we want to see you in the 30% we see businesses between 50 and 25% that are you know pretty well protected but they still are not completely compliant so if you have regulatory concerns we’re going to have to look at getting your risk lower to make sure that you don’t have regulatory fines and and things risks pop up there so giving them levels of risk and what to expect for each level helps them kind of compartmentalize that but then you can then refer back I call it uh you know cutting through the layers of the cake like you just showed them the cake with that particular View and then you want to cut into the slices of it and say okay you’re at a 50% so it seems good but we have this critical business system that isn’t protected so that’s a layer and a risk that we need to worry about and that gets into risk risk register and things like that which we can’t cover today but when you long story short my takeaway is that when you’re delivering those uh risk assessment results you want to make sure and try and compartmentalize that and make it relate to the client in terms of business outcomes when you do that okay yeah the gears are spinning that makes sense um what about you Mr schner and your yeah so backing backing up backing away like big Vision what is their mission what are they trying to do what where do the business want to go I think I think it’s great as you said you’re distilling it downward as Jesse said what are the five big risks right like regulatory risks or like what what’s gonna punch a hole in that vision and that mission and that’s how I think you resonate and get them on board and once you get them on board like you’ll get all the interviews that you want or you’ll you know they’re fully engaged they’re they’re gonna answer all the questions and they’re you know as you said they’re aligned with what 
this risk assessment is and what it’s going to ask for and then you can once you then you can once you have those four interviews you can start I just don’t think you start with the framework you start at the top and you actually move you kind of flow into it so yeah um yeah Tim yeah so you know thinking about in this case a mock risk assessment right thinking about as an MSP and determining am I doing a rapid Gap analysis to get to some guest no lwh hanging fruit to be able to converse with my customer and understand where they are yes no maybe then actually move them into the business risk conversation I would think of it that way I would think of I want every one of my customers to have a yes no maybe and some sort of Baseline that says we’re we’re good or not good or we’re great or we’re not great some quick yes no maybe kind of conversation that can then start to uncover the actual business risks maybe against a framework maybe against a compliance maybe against aw whatever actually uncover the and conduct a risk assessment as opposed to a gap analysis yeah and tie that back to business outcomes love it yep all right that’s how you put a bow on it folks pay attention I don’t know there’s a clip there that I should have pulled out I so all right uh I don’t know what the schedule is I know that we are launching our own podcast series here under compliance scorecard I’m going to do a little plug for MSP thought leadership.com we uh Brian Blakeley our friends from connect secure Ryan Seymour Desiree we are launching this twice a month risk to revenue conversation starting uh coming up on uh the 13th of febru so in two Thursdays every other month we’re going to walk you through a yearlong series of risk to revenue we’re really excited we’ll probably even have some special team Tim guests come on and join us from time to time as well sorry to plug our new thing but it is completely educational we are not talking about compliance scorecard but we are talking about 
risk to revenue so we’re really excited about that team Tim is still going to be here as well interspersed between all of that so get to see my bright shiny face plastered all over the Internet probably way more than you would like to be able to see okay everybody anybody party before I kick us all out thanks for joining everybody it’s great to be back see you next month awesome thank you and do the Subscribe now