Podcast – MSPs offering vCISO services led by our co-host PowerPSA Jesse Miller
Hey, good afternoon, good evening, good morning, good whatever freaking time we’re in anymore, ’cause I have no idea. Like, I know that there’s been a bunch of other people that have been traveling the last three or four weeks like I have. They’ve probably been traveling way more than I have, but I’m getting too old for this. Like, one time zone, back to the other time zone, back to the middle time zone, and I’m like, I don’t even know what day it is. I was chatting with, uh, one of our, one of our, uh, customers yesterday, chitchatting, and I was like, “Yeah, we can do that on Monday, tomorrow,” and he’s like, “Today’s Thursday.” I was like, “Oh yeah.” So hey, good afternoon everybody, uh, welcome back to Team Tim. Uh, we have all of us here. Some of us were at conferences, some of us were at really fun places, Mr. Schner. Um, I’m Tim Golden, founder of Compliance Scorecard, with our great guest here, Eric. Eric, why don’t you take a second, say hello, and then we’ll go back around the room to everybody else. Tell us a little bit about yourself: who, what, where, how and why.

Why is sort of tough, but my name is Eric Stover. I’m a, a longtime, uh, they call it seasoned technologist who’s been, uh, working in IT and, uh, in cyber security. I, I took some time to do the math and it’s about 40 years. Wow. So, uh, I’ve, uh, run the route all the way up from the, uh, provider side through EDS and then through, uh, Accenture. Then I went native and I worked as a CISO at a regional bank, and I’m now shifting into what I’ll call a third phase of career where I’ve, uh, decided to, uh, join the, the ranks of many and say, hey, how can I help a small business again, the way I did when I started my career?

That’s awesome, thank you so much for that. Mr. Jesse, thanks for holding down the fort last week. How are you? You got some new things going on. You probably need to tell us about these new things that just came out.

Okay, yeah, we can talk about that. So, uh, yeah, Jesse Miller, founder of PowerPSA Consulting. We help MSPs build security programs for scale and do it profitably, and
that leads right into the new thing that we have going on. It’s the Power Grid, see what I did there, the Power Grid community. We’ve started a community that will be launching in April, um, in cooperation with a couple different vendor sponsors, to empower MSPs to build vCISO programs for themselves and their clients. And so I’m super excited about this. You can go check it out, it’s powerpsa.com, power grid, that’s P-W-R-G-R-Y-D, G-R-Y-D. And, uh, yeah, so that’s what’s going on, Tim.

Awesome, and thank you so much for that. And of course, Mr. Schner, back from where in the world the hell you were. You want to share about that? What’s going on?

Yes, so back from, uh, kids’ spring break last week. It was a nice week off, um, and then, and, uh, got a little time locally in the mountains, so a little bit of, a little bit of hot, a little bit of cold. And, uh, you know, welcome back, Tim, glad, glad you’re, uh, you’re back in the host chair here. Um, but I’m Tim Sh... I, uh, am a part-time vCISO, that’s what the vCISO thing means, we’ll, we’ll start with that. Um, but I also help small businesses with IT and security, uh, privacy and intellectual property. Uh, malicious insider threat is a, uh, is a favorite topic of mine. So Tim, welcome back.

Hey, yeah, you know, it’s been a fun week. Hold on, let me do this over here, because, you know, we forgot, I forgot to, like, have this queued up. Let’s do this here real quick, push that there. What you got? And then, and then I just wanted to, like, make sure we got’s URL up there. I was trying to, like, rapidly grab it over here while you were talking. So for, for, for those of you in our audience that are listening, um, go check out, uh, what Jesse’s doing over there on PowerPSA, uh, with his Power Grid, not to be confused with the power grids, right? But, uh, go check it out. Um, anyways, we’re talking, uh, one of Jesse’s favorite words, and y’all that know me, like, can we just stop and call it fractional instead of virtual? And we’ve had this debate back and forth on what word and so on and so forth, but today I’ve actually, okay, I’ve come
to the dark side and I’m now starting to use the word vCISO. So Jesse, do you want to give us a little introduction about kind of vCISO services, like overall generalized stuff, so we can kind of form today’s conversation around that?

Yeah, absolutely. So it’s interesting when we talk about vCISO, and that term is interpreted very differently by many. And so maybe we should just start with talking about what does the word vCISO mean and what does it encompass. And I will give you the prototypical consultant answer and say that depends, but really vCISO is kind of a term that the industry has coalesced around and has used to talk about security advisory and risk, strategic-type services for clients. Okay, so I’d like to break that into three different categories. The first one being SMB, and I, I marked that as 0 to 150 users and the MSP space. And then the second is, uh, is midmarket, and I call that 150 to 1,000. And then small to medium enterprise or, and above, a 1,000 plus. And so those different categories are going to have different levels of services that I think a vCISO is going to provide to them. Uh, for the small business, SMB, which we’re probably most familiar with, that’s going to be a lot of project management, prescriptive CIS control gap analysis, and then giving some impact analysis to that to create a risk score, and then creating a prescriptive road map and managing against that road map, having the customer personnel do the things they’re supposed to, have our internal personnel do what they’re supposed to, and then help the client increase their security posture that way. It’s a very tactical, it’s a more tactical role, right? When you get to the, uh, midmarket, it becomes more of what a true CISO, you’d think, what they do. It’s a strategic role where you’re guiding IT teams, um, helping them understand security, helping them build security and shift left in their security processes, um, you know, working with executive management, even presenting to the board, or at least enabling an executive
management to present to the board. And it’s still about 80/20. You still do have to have that security acumen, because you’re going to get, it’s a little, it’s still a smaller environment and you’re going to get meshed into those, uh, technical discussions, so you need to have some technical chops there. Then we move into the SME or the enterprise, and I think the role really shifts there to more what Tim would probably call, like, a Big Four, or Eric would call as well, a Big Four consultant-type role, where you’re taking chunks of residual risk and offloading those for the organization and, and executing on those things, like running a TPRM program or focusing on an OT initiative, um, for a manufacturing company to segment their, um, manufacturing systems off into a secure moat behind a zero trust network access or something like that, scoping down for CMMC. Uh, so that’s how you see it from, from an enterprise perspective. So that’s kind of a long-winded explanation, but I wanted to set the stage here as we begin this discussion.

Awesome, and thank you so much for that. And yes, you know, I always like to define ac... yeah.

And, and Tim, I have no idea why it’s not called fractional.

I was throwing them back and forth there, yeah.

Yeah, I have no idea why they don’t call it fractional, because think about it, like, it’s basically, you’re working with multiple companies, you’re typically, you know, I don’t know where the, where the V came from, uh, 10 years ago, 15 years ago. I don’t know when we started hearing this term. Eric probably has a better idea. Um, but, uh, yeah, I agree, like, uh, those, those classes are perfect on, you know, what, what you’re doing for a small, for an SMB, uh, what you’re doing at the midsize level. I don’t think we usually hear the term that often, um, for some, as you said, like an OT project or a, you know, a one-off project for, you know, a thousand, a bigger company, right? You’re, you’re basically coming in as a consultant, contractor, whatever it is. But the, the vCISO term is, is alive and well and strong for
SMBs, and certainly at the midsize companies where they have, you know, a sysadmin, they’ve got a tech team, but they don’t have, like, a true security leader. Uh, everyone should check out Jesse’s post. He does a good job talking about, like, you know, you start dealing with the politics and, and, uh, executive management and the board at really, really at the midsize level. So yeah.

Yeah, and so coming from the banking background, and now, you know, you talked a little bit about working for, you know, a big firm and whatnot in there, right? Now, I’m, correct me if I’m wrong, you’re making sort of that segue into, like, the smaller business, right? And so as you think about that, and you think about, you know, security offers, security offerings and in consulting, talk a little bit about, like, your experience, like, going from the big one now down into smaller SMB markets.

Well, I’ll, I’ll take it a step even further back. I don’t know whether any of you more mature people remember a company called EDS, and EDS actually sort of jump-started the MSP game by trying to move from a normal outsource to developing an MSP-type practice, and that was in the ’90s. I had the opportunity to help lead and architect that, and, uh, left it when the dot-com boom came along, because, well, of course, y’all got to jump on the boom bandwagon. And then I, I went to the dark side and I went to a bank. So I left what was a nascent MSP-type operation, uh, I architected systems that had a million and a half endpoints. I left to join a bank. Wow. That’s just completely off the rails, right? And I turned into a, a customer of MSPs. That’s kind of tough when you go from one side of the coin to the other, because you start questioning the MSPs about how they’re doing, why they’re doing, how do I know that I’m not the one-off that they really are trying to just lure as a customer. And so when I went then to a much smaller bank, I needed MSPs to help deliver what I needed to do in a secure fashion. Uh, Jesse identified sort of the tiering based on size, but there’s also
tiering based on specialty and special needs. Yeah. Uh, you can’t be a very small bank and just say, okay, I’ll take the same kind of services that we’re going to give to the mom-and-pop pizza chain. Yeah. So for me, the, the, the difference there and the learning there is that, you know, in the last three decades, a lot hasn’t changed in terms of saying who your customer is. Do you know where your dog is? You just pulled the Tim, there you go. Do you know who your customer is? Do you know what they need? Are you assessing what is critical to them in terms of security and the risks that are going to keep them, that, that you want to avert to keep them safe? Um, that really hasn’t changed, and as I sort of dive back into this, I’m discovering that a lot of the basics are still there. Yeah. Some of the things you need to focus on: do you know your customer? Do you know what your edges are in terms of what that ideal customer profile looks like, and what happens when you stretch beyond it? What do you break?

Yeah, Jesse does talk a lot about ICP. Jesse?

Yeah, I mean, and Eric and I really see eye to eye on this. I, I think that might have been what spawned getting you on the show way back when, is when we started talking about, um, you know, I think, you know, you have some really deep background in building and scaling, um, large organizations and teams. And so yeah, let’s talk about that a little bit. Um, what does break once you start going out your ICP, from your, um, from your experience?

Pretty much everything from top to bottom. You break your marketing in terms of, and sales in terms of, a salesperson saying, gee, I did it for this one-off customer, maybe I can stretch it a little further, and all of a sudden the one-off got a little bit better, bigger. Uh, it stretches in terms of delivery when you say, okay, this is the standard profile and the standard way we approach our ideal customers, and now you have another customer that comes along that says, gee, I, I want you to improve your response time by 50%. Well, are you staffed for
that? Are you staffed to work the same that you need to on a Sunday, on Christmas Eve? Uh, you stretch it in terms of your understanding of costs: gee, now I have to staff for that additional time when I didn’t build the service and I didn’t price it for that. You stretch it from the top to the bottom when you stray from that ICP. That said, if you design your services well, you know what that widest edge could be, you know how you can stretch. And, uh, for those that haven’t listened or, or haven’t heard Jesse use the phrase connective tissue before on his post, that’s exactly what he’s talking about. It’s the ability to say, all of those things threaded together, how far can you elastically move them before you break? Right, right. And so the best thing there is to say, well, maybe it’s a new service and you design it from the ground up to say, hey, here’s something new that we can do, or you’re redesigning the service set you have from the ground up, saying, here’s what it’s going to cost me, here’s what I need to do in terms of skills, here’s what I need to do in terms of people, here’s what I may have to do in terms of the technology that I use to interact with my customers, right? And then at the end of it you say, okay, now I’ll tell the salesperson what he can do and hope that they listen.

Yeah, love to hear from the audience as well. Like, I think Tim just asked that question on the, he popped it up a little bit, but what is your, you know, even if you’re an MSP, an MSSP, even if you’re a cyber, cyber... consultant or vCISO, do you define your ICP, and, like, does your web page specifically target somebody? Is that, like, yeah, really, is that the main aspect of it, Jesse, like, the targeting? And Eric, you can answer this as well. Like, is it, or is it more kind of like you kind of just have to churn through, uh, inquiries as they come in, right? Like, in terms of...

Yeah, I mean, it’s not, it’s not less than targeting, but it’s definitely more than that, right? And that’s what, when I say connective tissue, that’s what I mean.
You typically, we see marketing, we, we typically see the first link in that chain broken is marketing is disconnected from sales, right? Yeah. And then even sales is disconnected from solution engineering, even though they’re working literally with each other every, every week. So, uh, just, let’s take the front of that, the front of that, you know, before we even get to service, and say, is, do we have a type of customer we’re going after, in a vertical, in a size, and does our messaging say that? That’s great, we get an MQL, a marketing qualified lead. Does then, when it goes to sales, are they targeting and qualifying the same way? Uh, is solution engineering writing scopes, and do we have scope templates that actually have targeting language and marketing language that speaks to the pain points of that client, so they don’t get through the marketing, get through that honeymoon phase, and then say, oh, you know what, actually these guys just look the same as everybody else, I’m going to go get quotes? Or does our quote actually talk to their specific pain points, and our outcomes speak to their exact needs? Because then we’re really in a good spot. From there, then we hand it off to onboarding. Onboarding should have the same, uh, you know, bespoke type of, uh, care for the client, and then service delivery, on to account management, and the cycle continues. So when we talk connective tissue, that’s what we mean, and that’s what Eric was referring to.

Yeah, and so going back to that, just to back up a little bit, um, so I mean, a lot of, a lot of MSPs just have fixed SKUs, right? Like, very rigid SKUs, I’ll call it. Um, they have certain tools they use, they may have services, but usually it’s a lot of tools. Um, so how, you know, the, the system kind of almost gets broken from the beginning, as you said, because if you’re only marketing those tools and you’re only, if you think about a typical, uh, MSP that’s trying to scale or get efficient, right? I mean, I know there’s a balance, right? You, you have to have some efficiency and scale and
automation, um, some uniformity and, like, things you deal with. But yeah, how do you, I guess, how do you toe that line? And, and what I’m really trying to get to is, like, I’m an MSP, I want to start a vCISO program, and I want to really tailor to that ICP, as you, as you guys are saying. So how do you get, um, you know, how do you allow that kind of, uh, as you said, connective tissue or flexibility or the ability to kind of, like, tailor that, tailor the actual, not just the messaging, the marketing? I think it’s almost impossible, and you’re talking about, like, industries, and so that’s, that’s the easy part. But when you actually talk to a specific customer, how do you, how does your, your, your systems, right, like your, your SKUs and your, uh, and your marketing and your sales, like, how do you get them, uh, all on board with, you know, going out and offering this, like, very... at the end of the day, it’s going to be customized and they’re going to love it, but, like, how do you get there?

So, well, I’ll let Eric, I’ll let Eric dig into this, but I will say a couple quick ideas. Um, first is probably, if you’re building net new, you’re in a better position, ’cause you don’t have to turn an aircraft carrier that’s already in motion, right? So that’s one. Right, right. Second is, how do you eat an elephant? One bite at a time. You got to start somewhere, Tim, and you have to start making changes, right? Uh, and so incrementally do changes, you know, things like, what’s the one thing we can fix that’s the lowest-hanging fruit to get it better and get quick... It’s, it’s the same thing as when you go into a security program for a client: if we can get quick wins and get people excited and get people buying into the idea, we’ll do better. So, you know, that’s going to look different for each MSP, so I’m not going to be able to give you some, you know, panacea that’s going to solve your problems. But really, um, you know, you have to, you have to start small and begin with modular pieces and start blocking, tackling. And I think, and I will be, I, I will say, I think it
starts with your targeting from a marketing perspective and getting marketing and sales aligned. If you can get those two teams working together, you’re going to actually solve a lot of scope creep that support complains about, because it’s much less fr... it’s frictionless bringing clients in, and you’re not having to make all these special, um, these special, uh, acquies... or you’re not having to acquiesce, you’re making special concessions to clients to get them to sign, right? Because they’re already in that mode and they fall right into your standard templates, right? So Eric, I’ll let you comment there, but that’s kind of how I see it.

The other, the other side of that coin is, if you’ve developed a, a rigid set of services, is, yeah, uh, then you probably by definition should have thought about the rigid way that you’re selling it and the rigid set of customers that you’re willing to live within that edge, within those edges. So it’s just as fair to say, don’t go after those customers, or say, here’s, here’s someone else that can serve your needs better. No one likes turning away business, especially if you’re a small business. Um, but if you’re just starting off, that small modular approach basically means that you have a better chance of successfully bringing in a broader set of customers, and then you may focus as you go forward. You may find out that, gee, I, my best customers are going to be mom-and-pop pizza shops. Yeah, yeah, you become the MSP for mom-and-pop pizza shops for the East Coast.

Yeah, I, I like what you’re saying there, and that’s kind of what I was going to say too, is, like, Tim, to your point, right, let’s get down to brass tacks here and say, I’m an MSP who wants to start a vCISO practice, what do I actually do to get started? Well, I think you got... What’s that? Yeah, you buy Compliance Scorecard and you’re good to go. No, you, no, you buy Power Grid, right? You buy both. Exactly. 500 my sta... cheating the rules, there we go. Um, well, so no, but here, honestly, look inward. Uh, so we had Tim Fitzpatrick on the show a while
back, and I just saw a video with him where he’s talking about his three power questions, which I just love. That is, who are the clients we make the most, and I’m going to butcher it, but go, go follow Tim Fitzpatrick and, and find that video, uh, who are the clients we make the most difference for, who are the clients we love working with, and why, right? And I think that’s it. Yeah. And so, but then add to that, if you’re looking to start risk services or vCISO services, what about these clients, do they need for security? Are, can we identify a common thread where they’re deficient in certain things, and start thinking about it that way? And if you don’t have that, at least start building that out for a specific type. You know, I wanted to make a point, as everyone says, well, okay, Amazon, they’re pretty successful, they scaled pretty well and they don’t focus on a specific type. However, they have different campaigns and different, um, targeted groups for each client type that they go after. So that’s to say, once you’ve focused and you’ve built this out, let’s say for the pizza shops, Eric, right, then you can take that model and lift and shift it onto a different industry, and so you can branch outward from there, but only until you have that model in place and you can rinse and repeat it.

I got, I got a really good example. Not Amazon, but Wayfair did. Have you ever heard the story on how they started? They bought the domains on everything, like birdhouse.com, toy.com, like whatever, right? Like, as you said, like, specifically ICP of the domains, and then they just roll them all up and now it’s Wayfair.

Yeah, wow, that’s awesome.

You know, I’d like to hear from... of, of that coin, sort of riffing off of what Jesse just said, is that if you want to start the vCISO services, one of the best things that you can do, not only looking inward, but have the vCISOs help look inward as you’re building out that practice, because you’re going to have a standard set of tools. You may use Power Grid, you may use something else, um, but you’re going
to want to have a standard set of tools that, that the vCISO is going to use, that at least helps them align with the balance of the tools that the MSP is using. And this is one of those challenging things that, uh, that, that, uh, ends up being a real topic of discussion, which is, is the vCISO merely a salesperson for the MSP services? And the answer should always be no, because the vCISO is going to know what those services are and is going to know whether they align right up front. If you don’t have that alignment up front, then you’re setting up the vCISO for less than success and yourselves for less than success.

There, there’s the hand grenade into the room, right? There’s, gonna throw it, exactly there.

So last piece on that is, you got to make somebody accountable for the program, right? So this is not like, hey, we’ll just kind of all pitch in and do it. Like, you need to have somebody who’s going to be, you’re going to, you’re going to build our vCISO practice, and whether it’s somebody splitting time initially, which it will be as you get started, right, um, you have to have that person that’s accountable, because that’s the way you’re going to get results, because they’re going to own it then, right? So, um, you know, I want to get, I want to get back to this, I want to get back to this...

Jesse, on that as well, like, that leadership has to empower as well that person, right? You said accountability, but ow... as well, right? Yeah, like, go fix that regulatory thing, good luck with that.

Yeah. Well, I, I want to get back to this, but before we do, Tim, can you talk about Right of Boom a little bit, and just what you were hearing on the ground, uh, at the booth with, when you were talking MSPs and stuff, in any context around some of this? Are MSPs struggling, or they, they feel confident about this? What are we hearing?

Yeah, you know, so there was a lot of discussion, uh, at Right of Boom, uh, this past week, or actually two weeks ago, um, about vCISO services, right? And, you know, and there’s kind of a couple different camps in the MSP space. I’m going
to make some generalizations, and so don’t, don’t think that I’m targeting you specifically or a specific type of MSP, but there are kind of a couple of different types. There’s the MSP that really struggles to do the basics: backup, TFA, security awareness training, like the five or six basic things. Those that really struggle with getting those rolled out, having those things in place and operationalizing that at scale for their customers. And then there’s others that really have those pieces together and, and kind of honed that, you know, that SKU, as Tim Schner mentioned earlier. We do the managed part really well, you know, we, we handle tickets well, we’re ensuring TFA well, we’re ensuring these things well, and now we’re recognizing that we need to move into this consultative role as an MSP, to have that risk conversation as an MSP, right? To go from, like, you know, Johnny Plumber fixing the pipes to actually architecting how the plumbing should be within the home. And so there were a lot of really great conversations, and a really lot of MSPs wanting to understand, how do we do this? Yes, we have endpoint, yes, we have this, yes, we have, you have the basics covered, now recognizing that shift to a more consultative role, to being that expert. Like, that was some of the things that I noticed in conversations and in hallway conversations at Right of Boom this past two weeks ago, was really just taking that in and wanting to have some kind of consultative role, and virtual, fractional CIO security services is the next entryway into those MSPs.

Yeah, boiling it all the way down to actually helping the SMB understand the risk conversation.

Yeah, yeah, and I think, I think that’s what I’m seeing too from a lot of the MSPs I talk to. And, you know, it’s, it’s, that’s the idea for Power Grid, right, is to get a community where they can come ask questions and learn how to offer those vCISO services and get more educated, right? We’re obviously partnering with Empath and Cynomi on that, um, and, you know, don’t mean to plug vendors, but I
just, I’m excited about what Empath is doing, and I think it’s a, I think it’s a, a, a great place to start for these MSPs, right? Um, you know, so let’s go back, ’cause I really want to address this, and I want to talk through this and equip MSPs to answer this question, because they’re inevitably going to run into it, and that’s: an MSP can’t ethically deliver vCISO services. I hear this a lot.

Great question, great question. Hold on, hold on, let’s do this and start over. Like, what was the question again, Jesse?

And Jesse, is this independence related?

Go ahead. Yeah, so, yeah, I mean, the question or the comment that I’ve heard, and I think that is prevalent in some circles, is that MSPs can’t ethically deliver vCISO services. And, you know, I think that’s just dead wrong. Um, I think the, the word we’re talking about here is ethics, and an internal IT person or CISO is going to have just as much ethical dilemma to sweep things under the rug or make themselves look good or preserve their job, if, you know, if the opportunity presents itself. So let’s put that to the side. And I want to say another piece is, I think actually MSPs are positioned better to provide vCISO services over other providers, because, it’s a saying that I’ve coined about, similar to this, talking about operations, is that the sum of the whole is better than the peak of the parts, right? And so what an MSP has at their disposal is a stack. Tim, you talked about that, like, what, what if they, what do they do with their stack? Well, okay, they might, they might have an AV that detected 98% and the best in class detects 99%, right? But that’s really, that is an exercise in futility when you consider that they have a whole range of detection, backup, a stack that works together that can provide better security for their customers. And so when you bring a vCISO into the mix and they can actively identify risk and help the client make the right decisions and what I call, you know, best, or what I call good enough security, right, uh, that, that’s really powerful for a
client. And I just want to address one more thing, is, let me tell you, after working with MSPs and in MSP security programs for the last 10 years, there is no issue with conflict of interest in an MSP, because the vCISO will hold the IT team accountable. And there’s been knock-down, drag-out fights that I’ve been in, and meetings about people not doing their job and people holding each other accountable. And so just, I just, let’s get that out of the way right away, is that there is not an issue with conflict of interest when it comes to delivering security services as an MSP. And I feel pretty passionate about that, as you can tell.

I’m with Jess on that. Put another way, other than true drag-out, knock-down, drag-out fights, vCISO can be the best entry point for improving the MSP services, because they’re there more often listening to the higher-order problems, not just, hey, here’s a ticket, but here’s the why of the ticket. Uh, they have an opportunity to be better feet on the ground, and if they’re doing the job right, you’re going to actually make the MSP better as a result.

Yeah, you know, having, having been in the similar situation and, you know, worked in a co-managed environment with internal IT, you know, the, the ethics part, you know, I kind of agree with you, Jesse, because ethics, period, whether you are doing this work as an MSP or vCISO or you’re doing this work internally, ethics is just always there, right? So if you’re not ethically working, period, right, whether you’re offering those services or not, yeah, there will be a problem. Conflict of interest, well, you know, the, the, the, the struggle between selling more services, making more MRR, doing more things, right? This kind of, when I was doing fractional work or vCISO-type work, you know, we based that on FTE. We said, you know, 20% FTE over the course of X number of months, you do the math, you get me two or three hours a week or whatever that pans out to be, right? And, and it’s set right all the way back to the very beginning of our conversation on, what is the
expectations? Is it the right customer fit? And this is what we are, and more importantly, are not going to do, right? And so the ethics conversation and the, and the conflict of interest conversation, like, it is their business decision whether they choose to buy the widget or not buy the widget. My job as the fractional or the virtual CISO is to present them the options and let them make the decision.

Yeah, the, the outside, as an outsider, like virtual CISO, everything’s delineated in a contract. It’s crystal clear what, what’s in scope, what’s not in scope, what you’re doing, what you’re not doing. Um, I find that really hard to believe. And you were talking about, like, selling other services, right? Like, it’s no different than internal IT trying to sell budget for the next year, so... Right, right. I don’t really see much of a difference.

Budget, that’s, that’s a sort of a, a perfect point as well, uh, in that the vCISO is going to have a better idea of how better to help the organization protect itself going forward. Yeah. And it may be investments, it may be activity that is, that is outside the scope of what, what the MSP is doing. Yeah. Um, and, uh, sort of on the sidebar, uh, one of the things that, uh, sort of is mentioned is, is the notion, is, does that mean that in some cases the vCISO is in essence sort of stepping into a vCIO kind of role? And the answer is, yeah, they very well could be. Yeah. And at that point, then it’s a matter of, of saying once again, how well are you stretching the vCISO services? The big thing about these CISO services is they are going to be by nature more broad. They do have the ability to flex more, so they have a greater ability, that the SKU is bigger, I guess you could put it that way, in terms of saying, what are you doing to meet a customer’s needs? And it’s close to risk, and it’s closer to the business needs of the customer, yeah, than just saying, okay, AV is running well today.

Yeah, I, uh, I might have a little bit of a different take on that, because, and here’s the, here’s why I say that. Um, you
know, Eric, you’ve done, you’ve held both the CI, the vCIO and the CIO role and the, and the CISO role, right? So you’re kind of a five-tool player, okay, and that’s not, that’s not typical. I may have had the wrong tools out at the same time. It’s very fair to ask the question about conflict of interest if you’re both a CISO and a CTO. Yeah. So, well, my only point is that, you know, just having worked with the two groups for, you know, I mean, it’s, you know, many, many years now, there, there’s just still a really large knowledge gap on the vCIO, and there’s, it’s a whole another, it’s a whole another, or a whole other, uh, discipline, security risk, right, that’s there. That’s, security is such a broad, uh, career path in of itself, and then to say, okay, now we need to take everything IT and stack it on top of that, I think you’re, it’s a recipe for, you know, it’s not, it’s a recipe for not a great, not a great outcome. However, I think that we should be, uh, intentional in training our CIOs to have a top-level knowledge of security to work better with the security team, security adviser or vCISO, however you’re structuring that service. And let’s, let’s face it, uh, one of the stats that was shared at Right of Boom was 90% of small businesses in the United States is less than 10 people, it’s actually more less than three people, so they’re not even going to have any of these roles or any of these conversations. They don’t know the difference between a CISO or CSO or f, f, whatever acronym you might include there, right? So us as MSPs coming into that role, however we choose to label ourselves and market ourselves, the reality is, is we’re the technical experts that you need that you don’t have, right? Yeah. The enterprise, completely different. Yeah, that, that, uh, I, I think vCIO really is like creating dollars or a, like, how are you using digital technology to, like, augment the business, and the CISO obviously is, like, on the risk side, and it’s not just technology risk, they’re, they’re playing risk manager, like, risk department, the
whole thing, right? So you, you, but e-, but both of those roles, I think in the MSPs, like, a lot of the concepts and conversations we’ve had on the show really talk about, like, knowing the customer, understanding the why, tying it to business, business problems. They, they’re, they’re, they’re both failing in that traditional kind of, like, what we think a vCISO and a vCIO, uh, is doing for outsourced IT, right? And so either one, if they can go out and know that customer and know the business, know the problems, know, know what keeps them up at night, right, um, you know, they can better prov-, you know, better provide solutions. So yeah, I, I think ideally you have both, and if it’s a big enough client, uh, great, and they should work together. So yeah. Yeah, I agree with that. Yeah, you’re not, you’re not going to sell v-, vCIO and vCISO to a five-person company, unless, unless they’re a boutique, a boutique investment firm with, like, a million dollars, a billion dollars of assets, you probably sell it then, but typically that’s not the case, right? So you’re the technology guy. What it boils down to is that client doesn’t care about the distinction. They care about knowing that stuff’s going to run, that it’s going to be safe, that I’m going to be able to make payroll next week because the systems didn’t go down, um, and that, that really is what it boils down to. Uh, if you slice it too fine, then what ends up happening is you sort of disenchant the customer: oh, you, you really don’t want to solve my problems, you want to sell me something. Yeah. Over full screen on my black eye. Yeah. Oh, what, what happened there? Oh, I don’t know, I think it’s actually, like, swim goggles, like, you’re just wearing them too tight. Yeah. Gotta, oh wait, back up, keep the water out. You went from the mountain to the water, and the mountain didn’t get you hurt but the swim goggles did. That’s right, that’s right. So, so let’s just pause for a moment. We’ve got a bunch of people in the audience listening, uh, thanks everybody for listening. Uh, what are your questions for us
as, as a group here? Like, how is it that, uh, we can help you, uh, building out your vCISO practices? Uh, take a minute, uh, drop, drop a couple of comments in there, we can, we can kind of work through them. Uh, uh, Michael, uh, thanks so much. Here, let’s pull up Michael’s real quick: they just don’t know what they don’t know, right, it’s our job to help them learn. Yeah, great comment, uh, Michael, thank you so much. Uh, Jesse, you want to tackle that one? Well, exactly, it’s, and it is our job to help them learn, and I think that starts with small pieces of education. I mean, we, it’s interesting, even in, you know, 100 plus companies you’ll see they’re not, they don’t have a true risk program in their business, so you can always, you can start with a very benign, hey, let’s get you a business risk plan, and from a vCIO perspective, how are we managing our risk, do you guys see on the future for the next year, what are your major risks as a business, technology aside? You know, we do risk as an MSP, we have a full cyber security risk program, but we can also just help you with your business risks. And that’s just an easy discussion to have and help people start planning, right? No charge, I’m going to sit down with you, take, take your SBR and go over that, right? And then you have those conversations, and that will, those, that education, that long-term education will build over time. So I think that’s something you do with a legacy customer that’s small and just hasn’t been thinking in that way, and, you know, it’s easier when you target and you bring in net new clients that are past the I, I don’t know I have a problem stage, right? So that’s how I would approach that one particularly. I like, uh, Paul’s comment too about, you know, a company that’s got HIPAA regulations that are small. I hear so many horror stories, Paul, about this exact, uh, instance, right, and, oh no, our MSP handles that, like, no we don’t. Well, and here, and I’ll let Tim schne chime in on this a little bit too, but there are, you know what, I’m going to let you take it, Tim,
because I could probably rant on this for an hour, so go ahead. Yeah, rant a little bit. I think, uh, yeah, so first, first and foremost, we all know that HIPAA is a challenge, right? They just came out with the new ruling, what, two weeks ago now, if my math is correct, maybe three weeks ago, and as I was started to dig through it I was sadly disappointed in the changes that were made, because it didn’t have a lot of teeth, right? And so we’re kind of right back on the same boat we’ve always been when it comes to HIPAA privacy and HIPAA security. Now, they have introduced a couple of good things, but I think to Paul’s comment here, right, having that compliance officer, and this is the conversation and, and the contradiction that we see a lot, like, as the MSP can I be the compliance officer, or does it have to be the individual at the customer, like, are they the compliance officer? And I see this a lot, right, one of the requirements: have somebody accountable, right, have somebody in the organization where the buck stops here. Yeah. So maybe that’s the CEO, right, but the CEO, like in our, in our previous conversation, doesn’t know what they don’t know. That’s where we can really come in and provide that added value as a managed service provider, to fill them in on what the risks are and allow them to make the business decisions, allow them to be the accountable person, and you as the trusted advisor. Yeah. Yeah, and I’ll add that to him, like, same thing with FTC, right? Um, I don’t, I don’t hear about them hiring enforcer, enforcement agents, and HIPAA doesn’t have, like, tax examiners, like, you know, like, like the IRS, running around the country being like, your HIPAA is not in order, and I think it’s really, it’s a little bit of a travesty. But, um, you know, so playing that risk role, last week we had Rody Burger on, on last, um, on last week’s show, and I don’t know if you caught that, Tim, but he talks about, instead of QBRs, QRRs, right, like, quarterly risk reviews, which I, I love this term, really, and you’re, that’s that connective
tissue that Jesse’s talking about, like, knowing the business, and even providing a vCISO function for, like, a dentist office, like, you’re going to be able to get their house in order and really talk to the, the why, and they’ll understand it. They, they’ll be excited, not excited, but, you know, they’ll be, uh, they’ll empower you to put those security controls in place. Yeah, good stuff, good stuff. Just, do you have anything else you want to add? Yeah, I think for the, the piece of the HIPAA thing, this speaks to what we were talking about, about knowing your client base and building a right-fit solution for them. So I think that there is a lot of good money to be made in those small, small mom-and-pop practices, because you can be very prescriptive, right? So you come in and you say, we have this stack and we have this procedure to give you your HIPAA compliance, we’re going to give you security advisory from a vCISO on a quarterly basis, maybe a couple hours a quarter, to just meet with you, talk through your risks, make some adjusts, adjustments, change the prescription and execute over the next quarter, and you’re going to be responsible, but we’re going to give you that little push, that little adjustment, to make sure you’re managing your risk properly. You do that at scale, through economies of scale, and the vCISO actually does become profitable for really small organizations, because they have a driver and you give them good enough security, just enough to stay compliant but also enough risk to make sure they’re doing the right things, you know, basic data protection, endpoint protection and cloud security, and, you know, for those businesses that’s going to be good enough. And you design that modularly and you deploy it in a prescriptive manner, I think you’re going to be well ahead of the game, and then you’ve used vCISO effectively for your particular client base, the size and the industry that you’re in. All right, I’m going to toss a grenade. Oh man. Now that the new HIPAA regulations are out, can we just
stop calling it HIPAA compliance, because there isn’t a thing, right? Thing, that’s true. We follow, like, and, and, and this drives me crazy, because, you know, if you think about it, right, um, when I think of compliance I think there’s some kind of third-party objective attestation that’s kind of brought and tied into it, right? Yeah. That don’t happen with HIPAA, you know, that don’t happen with FTC. Like, even when we were doing FedRAMP Moderate stuff, I would never use the, the phrase we’re FedRAMP Moderate compliant. No, right, we have an ATO, we have an authorization to operate under the FedRAMP Moderate umbrella, right? So I’m like, can we just stop using these words? And there’s a reason why I’m saying this, because when MSPs and their customers think about the word compliance, it’s scary, right, and they get freaked out, right: oh my God, I’m not compliant, like, make me HIPAA compliant. That’s not a thing. How about, align my business to the best practices of HIPAA privacy and HIPAA secur-, right? Right. Words matter, at least to me anyways. Yeah, just do it, it’s like the Nike thing, like, right, it’s like identify, protect, detect, respon-, oh, that really helps somebody out. Like, you know, Wes had a comment about NIST 2.0 and someone came back and was like, CIS is just better. I’ve never heard anyone say that they were compliant with the speed limit sign. Yeah, yeah, you go, exactly, exactly. So, uh, so Paul brings up another great question about WISP. If only there was a platform that automated WISP, being rolled out literally on Monday. I’m sorry. Um, makes a great comment about WISP, right, so written information security plans, written information security policy, um, you know, tax preparers, you know, uh, maybe Eric, do you have a little bit around this, like, tell me about that? Uh, a WISP is, is, uh, really it’s, it’s just your set of rules of the road, um, that, that you’re going to follow internally. Uh, it’s an expectation of most financial, yeah, services organizations, well, actually pretty much all of them, and it’s just basically
saying, here’s the rules of the road that I’m going to follow and here’s how I do it. It doesn’t need to be complex, it just needs to say, here’s what I’m doing, here’s how you can measure what I’m doing, and in the end, when you’ve got an auditor coming in, the first thing they’re going to look at is that program, to say, are you doing what you say you’re doing? It doesn’t have to be, it doesn’t have to be rocket science, it doesn’t need to be a, a tome that you put on the shelf once a year before the auditor gets there. Just, once again, back to Tim, just do it, it’s what you do. I should have worn my other shirt, on the back it says docent, turn around and there it is. Um, but it, it does not to be, need to be anything more complex than that, it’s just documenting what you do or what you say you’re gonna do, and what ends up happening then is, if you’re not doing it, that’s entirely on you. And it’s not, it’s not something that, that can’t be, also back to, to Jesse’s point, it’s not something that you don’t have, you have to create from full cloth every time. Uh, you can develop the skeleton of a WISP that works well, and there are a lot of framework practices for, for building them. Um, there’s nothing wrong, back, cycling back to a conversation, if you know what your customer profile is and you’re going to focus on, um, insurance agencies, there’s nothing wrong with understanding what a WISP would look like appropriately for, uh, insurance brokerages and saying, okay, I have the template for one, and using that as a basis for saying, okay, let’s have that broader conversation, here’s our starting point. Yeah, yep. Yeah, and that goes back to, um, Paul’s comment about, you know, our MSP does this. This is why I believe vCISO services in some form or other need to be applied to all MSP’s customers, just from a risk protection and level-setting perspective. So if you have small clients, let’s say, our MSP does this, if you’ve gone through and given risk assessments during onboarding and you’ve, or you’ve done risk assessments
retroactively for your client base, and gap assessments, even something easy to say, do you have a written information security plan, no you don’t, this is a gap, we can solve this for you, and you’ve level set with the client. Now it becomes a question of not, my MSP does this for me, but, my MSP can do this for me and I’m choosing not to do it at this point, right? So that is a bu-, different conversation, and you’re going to, you’re going to have some friction when you go to do this and change, and change this, the, change course on that, right? But I think it’s something that’s really necessary and needs to be a part of your onboarding going forward, and I think it needs to be done retroactively for the client base. So, so as we’re coming down to the top of the hour, we always try to leave with one key takeaway. Um, Mr snner, I’ll make you go first since you brought it up and reminded all of us, what is the one takeaway? Yes, I want to get the, the wheels back on the track a little. Uh, we’re talking about MSPs providing vCISO services, um, how to start a vCISO program, and Jesse probably has a better idea. Um, I’ve only stepped in as a, you know, vCISO re-, just recently in my career, and I think, you know, the biggest things I’ve learned on these engagements are, you know, the risk assessments, understanding the business, understanding the why is, you know, step one, right? Like, even, even if you don’t have a clearly defined ICP to start with, I think the first step, an MSP or an IT provider, even an MSSP, could go deeper into understanding the why, um, and how the business works and how it operates, and you’ll, you know, you’ll clearly, uh, jump-start a vCISO program. So yeah. Awesome, thank you for that. And, uh, Eric, what is your one key takeaway from today? Key takeaway, uh, is, well, one and a half key takeaways: call it virtual, call it fractional, call it executive consulting, it’s how you get closer to your customer. Awesome, and awes-. The value of getting closer is, is both the ability to develop a trusted advisor relationship that’s
deeper and more profitable, um, but it adds value on both sides of the equation, for the customer and for the MSP. Awesome, great stuff. You know, since I’m right here I’ll go next. So my key takeaway, if you’re looking to, uh, roll out some kind of, uh, CISO, information officer, information security officer in your MSP practice, I’m probably gonna steal Jesse’s, but the first is, define what that customer profile looks like, define what goes in that service offering, and make sure you bring your whole team in on the conversation from the very beginning, so that you’re not disjointed along the way, so that your salesperson isn’t selling something that your technical implementor doesn’t exist, and that your marketing team isn’t putting out baloney that your sales team has no idea about. So my key takeaway is, if you’re planning to roll these kinds of services out in your MSP, start from the beginning with your whole team, get everybody on the same page, understand and the why, and then all the other pieces flow from there. Yeah. Um, for my takeaway, I was just thinking about, um, I’ve been thinking about this this week, and, you know, 11 years ago when the owners of the MSP that I worked at came to me and said, you know, you know all the, the security stuff, right, can you build us a managed security practice? I wish that I had had some help. I made a lot of mistakes, I struggled through a lot of, uh, process, process and, um, go-backs, because I didn’t know what I was doing and I didn’t have resources for that. And so there’s resources out there today, so I guess my takeaway would be, get some help. I know we’re not supposed to plug vendors but I’m going to plug Empath anyway, because, um, I just finished recording a course for them, it’s part of the Empath license, it’s Risk 101, so learn how to think about risk, learn how to talk about risk, go over there, watch that. There’s other people put, um, you know, we’d love to see in the Power Grid community, um, learning the, the, giving you a crash course and how to actually build that
practice, right? Um, and shoot me a message on LinkedIn if you have questions, I’m happy to answer them. Um, so my takeaway is get some help, there’s help out there for you, um, you know, don’t do this alone, that’s my takeaway. Awesome, awesome. So, uh, winding down, a couple seconds here, uh, let me just do this for us, e m p a t, let me see if I can get the right URL. Yes, Empath launch this week, which I think is awesome. We can plug some other vendors, absolutely, they’ve been, just wait a second here, right, so I’m gonna come over here. Fantastic partners, come on the Team Tim show. Yeah, yeah, there you go. Um, so, so for those of you that don’t know, right, um, there, as it literally states on their website, transform, transforming education and upskilling your MSP, uh, technicians, right? Wes Spencer, Kyle Christensen, Alex Farling, you know, has this really great idea of leveling up and upskilling your staff, right? It’s not terribly expensive, it’s a great way for you to not only educate your staff, and yourself by the way, but also have the accountability piece, also have that follow-up piece. You know, there’s a bunch of us in the community, Jesse, myself, uh, Bob Miller, uh, bunch of us in the community that are starting to put content together for you as the MSP and your staff, right? So they’ve, you know, they’ve just launched, it’s really great. My recommendation: take a look at it, send your team over there, sign them up, get, you know, get the learning that you need, and bring in your whole team to be able to all get on that same page. Yeah. So Tim, what do we have going on next week? Uh, I have to look, but keep going. And I, I think it’s really interesting, this Empath effort as well, right, it’s, um, something that, uh, no one’s really provided, it’s something new, it’s gonna, it’s gonna, they, I’m sure they’ll go through their bumps, but they’re three incredibly smart guys that you’ve probably, everyone, I think most of the people on the, on the show know about them. Um, so we’re pretty ex-, you know, excited about the launch this week. Next week, uh,
browser security, uh, she, the Shield guys, no, actually, my b-, no, it’s not Shield, it’s, um, it’s ction, C ction. Oh nice. Yeah, yeah, we have, we have Zach and Henry coming on next week. Actually, I just, just met with them, uh, in person, right, so I’ve known Zach and Henry for quite a while, um, just sat with them over at compt sdcf last week. Um, so yeah, they’re, they’re Dro that in my, uh, my themes for 24, browser security, and yeah, so there’s another company as well but I won’t mention them, but ction is moving from, you know, Windows configurations, Mac configurations, Linux configurations into the browser, uh, so Chrome browser configurations. So I won’t give too much away. Yeah. And so as we build out our schedule here, well, before I do that, Jesse, you keep, you have something you want to add? No, I was just going to say, I was, I was laughing because, uh, what is it, browser is the new perimeter, is that, are we moving past identity? Browser sureet, it was identity. Oh man, that’s so, that’s, that’s been like a month, we need to move on to something new. New cycle, let’s go. Okay, all right, all right. So, so as we’re winding down here in the last 30 seconds or so, um, while we have a great lineup coming up and the, you know, over the next s weeks and month or so, uh, if you’re a cyber security professional, or if you’re maybe even a marketing professional, we have one of those coming up here soon, right, if you want to come and have a conversation with us to talk about how we can help educate, shift left and bring value to the MSP community, head on over to team tim.
live, submit your bio, we’ll get you on the schedule. We really love to have you here, uh, and, and really be able to bring that shift left conversation to everybody here. Any parting words before I kill us and hand, hand us all off and give you back a couple minutes of your afternoon? We’re right on, we’re out. These, these guys are great, it’s worth, it’s worth your time, uh, joining Team Tim. It’s also worth your time checking out what they do individually. Uh, they’re all quality, they’re bringing great things to, to the MSP space, and they’re good people. I appreciate the opportunity. Thank you much for that, and, uh, you know, as they say, subscribe now