Transcript: John Harden from Auvik (Saaslio) discussing what Shadow IT is and how to start managing it in an enterprise setting
Well, happy Friday afternoon, everybody, from hot, muggy New Hampshire. Today it is so hot and muggy here that they actually cancelled school. How crazy is that? I think when we were kids it was barefoot up the hill in the snow, blindfolded, backwards, naked, all that stuff, right? But apparently when it gets to be, I don't know, 72 degrees, they cancel school. Well, yeah, I mean it got to, I think it's like 86 right now, but yeah, they cancelled school. So, wonderful week here. Very excited to have our good friend John. I'm still probably going to screw it up and call it Saaslio, but it is Auvik SaaS Management. And so without further ado, let's just go round robin here. I'm Tim Golden, founder of Compliance Risk. We have Dr. Jesse, Mr. Mustache, Mr. Farmer himself. Jesse, say hello.

Hey everyone, glad to be here. It actually was 45 this morning in Minnesota, so I'm enjoying it. The heat has passed, you're dealing with it now, and it's nice and cool; I get to wear my flannels. I have a little bit of a mess going on here, we're painting, so don't mind my background.

I know, you're bright white, like it's blinding me or something. I don't even need to have my ring light on because it just glares right back at me.

It matches my aura better. Pure as the driven snow, you know.

And honestly, like the bed with the pillows, if I move over this way a little bit you can see the unmade dog bed over there. But yeah, so right there with you, my friend. I'm not in my normal spot because I still have the back problems. But without further ado, our co-host, our partner in crime, Mr. Timmy. What's going on?

A little bit of noise, but yeah, no, excited about this topic this week. John and I met at the first conference I ever went to. I saw John present and I was like, wow, this guy's got it, I mean charisma, right? You know, a product which we won't name because there's a new name in town, polar bear, right? So, but no, really excited to talk about Shadow IT. What the heck is it, right? How do I prevent it,
like what are some of the things I can do to monitor it? We can talk a little bit about policy and people and procedures, maybe, Tim, right? So I'm excited about this topic. And yeah, speaking of shadow, like what the heck is this on your chin? Speaking of Shadow IT, it's like a two o'clock shadow on a Friday. I mean, you need a little milk in there for the kitty cat to come lick that off or what? Anyways, without further ado, our good friend John Harden. Thank you so much, John. Say hello from Auvik SaaS Management.

Hey there, John Harden. Thanks for having me here, Tim. I didn't realize... you're going to be offended now, Tim. I was up in New Hampshire last week and did not stop by and say hi. I never knew you were in New Hampshire, so this is news.

Really? Yeah, I was up on Lake Sunapee.

Oh yeah, that's on the other side of the state, but that's okay, we still like them.

Yeah, it's just less humid there, that's all.

Something like that. But yeah, my name's John Harden, senior product marketing manager over at Auvik. I represent our new line of offering called Auvik SaaS Management, which is really about Shadow IT management, and it's a big reason why I'm here today to have a conversation. I spent about 10 years in an MSP, working my way up from the NOC and help desk all the way up into upper management at my old MSP, until I launched Saaslio as a business to solve this problem, which is now under the Auvik umbrella as Auvik SaaS Management after its acquisition last November. So very happy to talk about this topic, and as Tim knows, I could talk for hours on this.

We're so glad to have you, and I gotta say, what's with the football helmet, and why is it not a Patriots logo on there?

All right, you're out. All right, you're out.

We should mention the Friday drinking game: every time John's video freezes, take a drink.

Yeah, I got my coffee here, right? So you know me, I always got my Yeti with me. It's not my branded one, maybe I should get
a branded one. But yeah, so let's come out of the shadows and jump into the light and figure out what is this thing called Shadow IT. I mean, all right, who went to Urban Dictionary? Funny explanation, right? So what did Urban Dictionary have to say?

It says Shadow IT: someone who will guard your back as long as they can and has a lot of life experience.

I don't... A government employee whose job is not viewed to be particularly important by most of the people who don't work for the government. Nope, don't think it's that one.

Nope. There's got to be a dozen Urban Dictionary definitions of Shadow IT. So that's funny. So John, tell us, what is your definition? What does Auvik...

A friend who follows you around while shopping.

Oh, I like that one. Isn't that me? Wait a minute, wait, say that one more time, Tim.

A friend who follows you around while shopping.

That would be me when I go out with my wife and daughters just about anywhere. I'm the one puppy-dogging and shadowing behind them. Survey says... All right, so let's actually go to the professional who's been in this space. Tell us, John, what is your definition of Shadow IT?

Yeah, my definition is just right out of the book, right? Nothing fancy, nothing special. I mean, Shadow IT is truly just IT or technology that employees adopt outside of the purview of the IT leadership or the IT compliance management group. And fundamentally, Shadow IT could be anything, right? Shadow IT could literally be this mouse. Like, I bought this mouse on Amazon. It's not sanctioned, it's just a mouse that I bought online and it doesn't have an asset tag, so my IT manager probably doesn't care about it, but fundamentally it's Shadow IT. It's IT that I'm using to do my job that my IT manager doesn't know about. Where I care and where I focus is really on that SaaS Shadow IT, which is really where the majority of risky Shadow IT kind of lies. It's in that software application Shadow
IT. And, yeah, go ahead, Tim, I think you've got a question to add there.

No, I was going to say, so like my little USB drive that's unlabeled... oh wait, now I just broke my own CUI rule, my own data labeling rule. This could be considered Shadow IT, but that's not what we're talking about today. We're talking about something far easier that end users can get their hands on, and more widespread than running to Amazon or Best Buy.

Yeah, and that's that SaaS Shadow IT. You know, fundamentally, this is... I introduced myself, I spent 10, 12 years in the MSP world prior to launching a business to solve this problem, but fundamentally employees tend to choose the path of least resistance. Say it's like water in a stream, and if there is a blocker in that stream, the employee wants to get their job done. They typically just circumnavigate whatever IT rules or policies (I know, is that a drinking word there too for you, Tim?) are there to enforce Shadow IT. And fundamentally there's no mal-intent in most cases of Shadow IT either. It's just somebody trying to get their job done. So we just want to bring visibility into it here. That's why I exist, is to bring visibility into the problem, and why we exist here at Auvik, to bring visibility into the individual issues. So, excited to talk about it.

Yeah, so as I think about this, right, it is very easy for me to run over to, I don't know, ClickUp or Miro or Gmail or Facebook or any of those kinds of things, right? When we talk about those SaaS platforms, it's literally two clicks and I'm in, especially now when they make it even more easy, or easier, or more better, or much more whatever. They make it easier: click here to log in with Microsoft, click here to create your account with Google. So from an IT management perspective, from an MSP perspective, you know, clients running around grabbing all this stuff. What happened to us with one of our clients was, as I dug into their business, as I started to understand and have those technical
and business conversations with, like, their sales team, for example. And I started talking to this salesperson and that salesperson, doing my one-on-ones, like 10 or 15 minutes with each of them, and then bringing them all together in the same room, realizing they had four different CRMs, which meant they had four different data sets, because each one of them had their favorite tool. That's a problem, right? For a lot of different reasons, but that's a problem, and it happens everywhere.

Yeah, how about I don't want to do my job, or I don't want to write my kid's paper, a little OpenAI, a little ChatGPT, right? So I mean, it seems like we've got a new Shadow IT in town. And you're covering mostly SaaS, right? Software as a service, cloud-based. But there's also, right, like downloading Python libraries and things like that, or when you think about vulnerabilities, a lot of them are tied to open source things like Python. So how far do you go into... is it mostly on the cloud side, or do you kind of cover the full gamut of everything?

We'll get into this as well, like allow list, wait list, not-allow list, right? Like, where is that sanctioned, unsanctioned, as you said. So yeah, you say ChatGPT, I'll give you a stat, by the way, on ChatGPT. I had a contribution actually to CPO Magazine on this one. So we analyzed the data: about 8% of users are using ChatGPT. So 8% of the workforce has tried it or used it to solve a business problem. And so, I don't know, I just think that's an overwhelming stat. No other SaaS company has had that explosive of a growth.

Fun to have a point on that, right? So one of the biggest downloads on my website is an acceptable use policy for AI. Like, I can't tell you how... I didn't even think much about it as a, you know, as a lead or whatever. I was like, hey, this is here, we probably need to have something to help us understand how to govern around it. So I wrote a little article, threw it out there,
and I'm like, I'm getting a lot of visitors to that. Like, the amount of people that are searching for AI-related tools, AI-related policies and procedures, and SaaS management, right? It's crazy, right? And so it's just interesting. Like you said, if you think of 8% of the workforce, well, how big is the workforce? That's pretty large. That's like millions and millions of people Googling away on their chat things and probably dumping corporate data like they shouldn't be. Scary.

Yeah, John, how much is that sanctioned, right, that 8%? And what are you guys doing? I guess, are you looking at all the different flavors as well, right? Because most of the time, from a work situation, it's probably not okay, right, unless you have really defined ground rules on it, like what are you using ChatGPT for?

So yeah, and what we find is, I mean, most people are probably just going to poke away and play at it. Like, they jump in, they've heard it in the news, they want to look at it, and that's starting the top of their AI exploration. But I think it's kind of funny, right? For the longest time it didn't even have a sign-in with Microsoft until the acquisition. Like, all you could do is sign in with Google or sign up via web form. So even if you wanted to use an IDP, you could. And I would say, Tim, you've asked this, I'll answer it: where do we start and stop? We're about business apps. We've got about 125,000 apps in our repository of what we see, and it's just growing. But I think there's something important there. SaaS isn't the start and the stop of Shadow IT. Business applications are another area that's really, really critical when it comes down to it. Because, you know, Tim, you hit the holy grail of Shadow IT, by the way: productivity suites, file sharing tools, communication tools. That's kind of the trinity of Shadow IT, people solving their own problems there. But when it boils down to it, any business app can hold
business data. Like, why is an online banking portal worse Shadow IT or better Shadow IT than Miro? And why is tracking my issues in a Trello board, where I can upload customer lists, any less important than an industry council that I'm part of? So Shadow IT comes in lots of flavors and forms. There's so many web apps out there these days, and all of them have business data in them, normally.

Yeah, speaking of that, a question I wanted to ask you is, typically, you mentioned this: Shadow IT materializes because business processes are impeded and users find a better or an easier way to work, right? They're like water or attackers; they flow to the area of least resistance. Having worked in an MSP, you know that we kind of accept that's how it is. Oh, HR uses Citrix file share because they've just done it that way, and it's not really the rest of the business, but we know that they use it. How do we, or what would you say are the steps you can take to start getting a hold on Shadow IT, and where's the line to bring it into the fold as part of the entrenched business process, because people are using it? And how do you balance that against being the department of no and saying, like, aha, we caught you, you can't use that, even though it's easier? How do you strike a balance there?

Yes, so there's two ways, by the way, Shadow IT gets in. Number one is the one you mentioned, right: path of least resistance, trying to do their job, make it easy. The second's an education gap.

Oh, I thought we were going to get a good fun freeze there.

The second's the education gap. It's because I go to solve a business problem but I didn't know my business actually had a technology to solve it. Those are the two flavors of Shadow IT I see time and time again. But, you know, to help, Jesse, answer your question directly on the Citrix file share scenario, right, like Shadow IT is really just Shadow IT until it's not, to be fair, right? Like Shadow IT is just IT that's not
known by the IT team. It's not intrinsically good, it's not intrinsically bad, it doesn't have intent, it just is. And so, you know, I always like to recommend following, word for word, at least in the MSP space, what the CIS framework is going to say about it, right? You know, 2.3 is talking about addressing unauthorized software, and where they talk about it is reviewing monthly. And that's what I actually recommend with managed service providers: you're doing a quarterly, hopefully you're doing your quarterly business reviews or some level of interval review with your client, and bringing Shadow IT to that conversation is a really strategic lens to talk about it with. We recommend traditionally here, however you get it, I don't really care what tool you use to get to the Shadow IT, but when you get that list and you're talking to your customer about it, asking not "is it approved" or "is it bad" or anything like that, just asking a really easy question to the customer, you know: what business problem is this technology solving? Not "is it approved", not "like what", but "what business problem", and you'll get all the other questions you need. So from a Shadow IT perspective with Citrix file shares, one that finance wants to use, bring it into a managed, compliant inventory, assign a business owner and stakeholder, assign the information to keep it compliant, but review new things that are emerging on a recurring interval.

Yeah, I think that's an important topic too, Jesse, because you were just talking about this, like, I caught you in the no, like I'm Dr. No, right? Like, right, interesting, because Auvik, obviously, we're talking mostly MSPs who are in the channel, right, and they're dealing with small businesses. When enterprise IT uses these tools, they like shut it all down, shut it all down, right? Right, yeah. And then there's like, anything else, like, no, you're not allowed to use it. And I like the way you're going about it, right, because it's like these things are
coming because they're solving some kind of business problem that just trickles down, right? And it's a little more dangerous, obviously, but obviously you're finding out tools that are serving a business purpose, right? So it's great. And like, an MSP can't be that Dr. No, or else they're not going to be the MSP any longer, right? And Keith, our good friend Dr. Keith over there, makes a really good point: making sure that we're part of the business and not the police, right? And I think that's what you were kind of alluding to there, Tim.

Yeah, yeah, no, definitely. Sorry.

Yeah, no, I just had a follow-on, and again, want to dig in on this a little bit, because I agree with all of what you're saying. I think we should, what's the word, we should fail open, right? So if we can, we should want to adopt a better way of doing things, and so you have to have a reason to say no rather than just no, like the Amazon rule. But I'll just give you a quick example because it's fresh in my mind. An MSP I'm working with on building their vCISO program took on a 10-person SaaS company for a vCISO engagement, and we got the application list, and it's 50-plus different applications, and I can see duplication within that list, right? So I think what you had mentioned, I think, is an important piece: having a standard application and business process workflow vetting and documentation process, and that helps us identify those things early and often. Like, why do we want to use this? But again, making it easy. So just a quick introduction there, maybe you have some thoughts.

Yeah, and I'll piggyback on that as well, right? So when I first took a job at the company that I was at, or that I am at, sorry, for the first several years I was known as the no guy. I was known as the big bad Tim, right? I was known as the "we can't do it, Tim won't let us". And where I failed in that was not taking the time to explain the why, right,
not taking the time to help the people that are just trying to do their job understand: this is why we're removing admin rights, this is why we're blocking these websites. But yeah, from an enterprise perspective, as the CTO/CIO, like, quote-unquote, I had the authority to basically say nope, and I went about it the wrong way. I went about it as nope, turning stuff off. Well, the lesson learned here for MSPs is working with your client, understanding their business, and it may actually be a better tool than what they have in the long run. Like, staff know what they need to do their job, they collaborate with peers and like-minded individuals, and they might actually find a better tool to do that work. And so try not to be the yes person, but as Keith said and as Jesse said, be that true business partner.

Yeah, Tim, that's why I was kind of like, don't be the referee.

Yeah, exactly. The dunk is legal.

Can I add one thing to Jesse's statement earlier there?

Yeah, yeah, hold on, hold on, let's do this right, because I'm trying to make sure that we are doing this right.

You mentioned, Jesse, early and often. I think that's the key there, right? Like, you talk about a business, a 10-person company that has 50 SaaS tools. If you multiply that business by 10 more folks, it's going to probably...

Yeah, oh, it's so close. Trust me, they'll be better. It'll be like a five, 30-second freeze and I'll be looking crazy.

So, but when you get it early and often, you know, I think of this in SaaS companies too. They adopt a lot of SaaS because that's just the way of their beast, that's the way they run, right? When you can talk to them about, you know, the new intern who brought Airtable to the conversation, and you're not the no police, by asking what business problem is this intern solving, you'll often find they kind of work themselves into their own solutions by keeping an open-minded approach. But it is early and often. I think that's where the risks really start to emerge. I was working with a partner who was
talking to their client and was running and looking at their Shadow IT, and they had found that in the intake process of this medical facility, like six or seven really smart intake people found out that you could do automations in Airtable, and all of a sudden intake was going through Airtable and every patient record is getting into Airtable. No, it's no problem. Well, you know how much it cost? $80,000 to upgrade to the enterprise version of Airtable. And now it's not a problem. But those are the things where, early and often, if you're an MSP and you caught that behavior when Airtable came out at the beginning and gone to the customer, hey, what business problem are you solving here, you'd have probably found that there was... I guarantee there's a solution in their EHR, their PHR software, to handle intake. So it's just about early and often and asking business questions on it.

You asked and said a very important question. As I get echo from my phone because I'm trying to simulcast everywhere and follow Facebook everywhere, so hold on. The key question, as MSPs, we should be asking is: what business problem are you trying to solve? That's it, that's all. That's the only question you should be asking. Hey, we love the fact that you're using Airtable or Hootsuite or a CRM, like, what is the business problem that the thing you may have isn't solving for, and how do we solve for that?

There's the freeze.

You know, just as you were talking, Tim, I had another question for John, and I'd like to maybe just get some pragmatic application that he's seen from other partners of his, right? Again, the old question is, this is another service that I have to buy and another service that I have to pitch to my clients. How are partners packaging this? How are they paying for it? How are they making money off of it?

Oh, that's a great question. Yes.

Wait, wait, wait, no, I want to hear this response all alone, so we never really get into the packaging and pricing and how do we sell it. So John, it's all you, my
friend.

Yeah, so fundamentally, I firmly believe that SaaS management is a table stake of the MSP of the future. We can't just continue to allow clients to adopt SaaS at breakneck speeds without doing any level of compliance or control management of it. So fundamentally, what we are seeing is the folks that want to adopt a SaaS management practice tend to make this just akin to their RMM, or just akin to their other tools that they deliver in their full stack. Because, you know, most MSPs probably already have it in their contract agreement; they just haven't updated their MSAs in a long time. They say we do software management; they just haven't kept up with the time that software is now in the cloud. So for MSPs it's actually not as daunting as you might think. Maintaining that compliant list: you don't go into your RMM and facilitate a list constantly to maintain that compliant inventory of what's on the devices, just like you don't go into a SaaS management tool to build that list of SaaS management offering. The only thing is now you have the data like you're accustomed to. So when somebody calls in and says I have an issue with Airtable, you have data to go support, where to go look at it. So for MSPs in general, it's just part of that core packaging. It's not a pass-on, it's not an additional line item, because fundamentally you need to build your practice, to a degree, around supporting things like employee onboard and offboard cycles and SaaS management. You need to support all the different support tech questions that are coming into your help desk around SaaS products. You kind of just need this data to support your customers in today's world. So packaging and pricing is just built into the model per user. I see a lot of moving per user, and it's just built into that model. And then what the deliverables really boil down to is just working through the Shadow IT list on that recurring basis to maintain that CIS 2.3, and working with the customer to
wrangle that whole portfolio under it. It's not as daunting as it sounds, it really isn't.

Yeah, absolutely. And just one last thing, Tim, and let's move on. Absolutely, I think you're right, and that it's needed, and that they should be adopting it. I want to go back to my SaaS company, because if I have to manage 50 applications and I'm charging a per-user price, I think maybe a fixed-fee bundle, like up to 10 SaaS applications, 10 to 25, and then per user on top of that, might be the best way to build that package.

I see where the things where your inputs come from. Yeah, SaaS management of 50 apps doesn't actually really mean... SaaS management, as a term, is a big enterprise industry. It's been around for like eight years, and it's making its way into the MSP, but MSPs use it differently than the enterprise uses it, right? Absolutely. If it's an enterprise using SaaS management, they're going to have everything in that SaaS management tool. An MSP doing SaaS management is something completely different. An MSP doing SaaS management means you're maintaining a compliant inventory of their list of SaaS, you're working with them on a strategic interval about it, or you're owning a handful of key assets, like employee onboard and offboard journeys. But managing it, you're not in there managing the data, you're not in there making sure it's configured correctly. You're really only there extending the employee life cycle for management and the compliance management of it. Now, there are of course deeper hooks you can claw, right? You can consult, you can recommend, you can do implementation. There's a lot of deeper hooks. But it's more about maintaining that inventory. Just like, again, I always use RMM as an example: you offer software inventory management, but that's a passive process that your technology is doing because it's part of your bundle.

I talked to John, like, early on with Saaslio, and I was like, talk to me about, and we're getting to it,
like, the MSP, like, how are they using these insights, right, and this visibility, to have that, and what does it do with a QBR? I thought that was really interesting when you taught me. I'm like, yeah, the list is going to be 50, there's going to be tons of SaaS, but let's just have a conversation on the top five uses. There's his long freeze. And you'll be amazed at those conversations, just talking about those five top used applications, SaaS applications, on where it leads to, right? Like, oh, maybe we don't need this on-prem server anymore, maybe we don't, you know, there's just things that... it just opens up things in those QBRs. So I thought that was really interesting. Originally, when I heard about it, I'm like, this is a really sophisticated platform, but then I was like, oh well, if you just kind of talk about... you can go as deep as you want, you don't necessarily have to go deep, and there's a great value use case just by talking about, like, let's talk about the top five things that your employees are doing on a day-to-day basis, and just the visibility in that. So yeah.

I think just one thing to think about for MSPs, right, as they get into this, and I think John's right, that if you're just doing the asset management portion of the SaaS from an IT perspective, right, you can be pretty cut and dry. So thinking about how you're structuring your contract, and I think where my question comes in is from a security perspective, right? I'm helping these MSPs build security programs, build compliance programs, and all of a sudden when you're going for a SOC 2 and those 50 apps are now in scope, it becomes a much bigger lift. So I just think considering that and saying, is this security spend or is this IT spend, and how are we packaging and bucketing for that, is something to consider as you go through this exercise.

Yeah, 100%. And I think, whether they were in scope or not, the
challenge there might be that they're still in use and they might have critical business data.

That's the thing, exactly. Now you're all of a sudden meshed in it, you've got to deal with it.

Exactly. Yeah, so John, you said my favorite word at least a half a dozen times: compliant, compliant, compliant, right? And I'm not going to go down too much of the compliant path, but what I want to talk a little bit about, and Tim mentioned this earlier, is allowing and disallowing, right, or sanctioned or not. Like, that whole concept of, Jesse, you have 50 apps, or that client has 50 apps, SaaS pieces. Do they even have a defined software list that says this is the baseline security, this is our baseline documentation that says this is where we start, right? For us in our MSPs, it's the latest version of Windows, MDR, EDR, SIEM product, a browser, an Acrobat, and that's it. Anything beyond that is not on our approved list, and we have that documented. We have that as part of the acceptable use policy, we have that as part of how we deal with stuff, so that it isn't the Wild West, right? Now, not every MSP is like that, and not every client is like that, especially when you're looking at the micro businesses of two to three people in a company. And, go ahead.

Yeah, no, I was going to say, you know, I love the kind of aphorism that says security is a function of quality, and so what you always caution against, when you're writing policies, is you never want to write a policy that immediately puts you outside of compliance with it. And so if you're manually gathering software lists and you have your approved list of software and there's an error there, you're all of a sudden outside of compliance with your own policy. And that's where I think, to John's point, you get a huge benefit from having a dynamically updated and true list that you know you can depend on as a source of truth, and is not a configuration error that causes those types of issues in an audit
purpose. And let's face it, as an MSP, when we look at the RMM tools that are available, we're going to get the software that's on the end device, but we're not going to know anything about the SaaS stuff, right? We're not, and that's where something like Auvik comes in, to be able to help with all that other non-installed stuff. I mean, it's all out there, it's all in our KB, there's nothing secret here, right?

Yeah. And Tim, by the way, I want to give you a number to that. You said we're on the computer: the average employee is spending 62% of their time in the browser, which is going to get to my next point here, Tim. Awesome.

Tim number two. So the way that we do it is pretty simple, right? When we set out to build the technology a handful of years ago, it was really about where do employees spend their time, and I just kind of gave it away, right? 62% of the time is spent in the browser. So what we do is we push out an agent via RMM. It's actually kind of nice how it works. There's an agent that sits down on the device that says, I'll use you as an example here, Jesse, says you are Jesse Miller, you're logged in. If you're on a Windows device, your user principal name tells me you are Jesse Miller, and I know that as a matter of fact when I go to do my reporting. And then we have a browser extension that gets put on the device via policy, and there's actually a stream of communication going between these things, and the browser extension is watching Jesse the user log into web applications. So if Jesse the user logs into Trello with jmiller@powerpsaconsulting.com, we now know that Jesse the user is using this account to log into this application, right? We then integrate in with the IDP and we look for those matching events. So we see, oh, Jesse Miller logged in, he didn't really use his IDP, here's a way he accessed outside of IDP. And then we could start to map all those details. So if you think about it, we really just... I got you here, Tim, just
get one last thing just think about how a password manager prompts that’s that was the Eureka moment for me right like every time you’re loging into something those of same events we’re taking we’re trailing we’re storing for account inventory and software inventory we’re just using it for a compliance perspective so for the for those in the back IDP one of the things that we do here is make sure we qualify our acronyms so John IDP yes your identity provider think about Microsoft Google uh if you’re using OCTA any you know identity access method or if you’re thinking about the way you do your job dayto day sign in with Amazon sign in with Facebook sign in with apple uh all of those would be your identity providers um that you can access it your tool coming from the acronym guide that’s highly dyslexic that Drews them up 90% of the time anyways I like to make sure we always qualify Y and quantify acence so my goodness we are halfway through where are we going next Mr Tim so there’s there’s another um interesting aspect here this is just a tangent but I worked at a company big consulting firm the other thing is licenses right like so we would get paid to come into a big company and be like you’re paying for a thousand licenses but you’re only using 500 right you know we’ll save you million a year right so like a lot of that is like there’s Shadow it then there’s I I guess almost the opposite right like there’s there’s there’s there’s good to be gained in the fact that you’re not using something you’re paying for um and as you said 62% of the time on the browser like you start to get a lot of insights as well on like what tools or licenses am I paying for that I’m not actually using um this has gone into like some of these Services now my wife was just talking about it like you know there’s services like enter your your login for Netflix and all this stuff and you’ll figure out like all the stuff you’re not using so there’s a business in that as well so like as you 
said these insights go both ways the things that you’re using that you’re not permitted to use and the things that you should be using that you’re not using but you’re paying for so yeah there’s let’s face it how many of us paid for a gym membership all through coid and never went okay right that’s a personal call out Tim I don’t know what yeah right how many of us forgot to cancel our gym memberships during coid and still get charged month after month after month even though the business doors were closed speaking of which speaking of which I just reminded me I got to cancel my Beachbody subscription that I’ve had for like two years have you been watching physical on on uh on Apple TV Body by Sheila right it’s anyway I digress so but yeah I mean I think Tim you make a really good point right so being able to understand okay it is an approved app it is something that we want to use and take advantage of and we roll it out but the adoption isn’t there and we’re paying for way more than we need to and the adoption is not there right so now we have a different problem we have yes we have a tool that’s approved we bought a bucket of seats they’re not being consumed so we’re wasting money and why is it not being adopted that’s a whole another can of worms right and I believe I keep seeing the hand freeze up over there tell me tell me Mr John I just want to back it up with some data here because Tim um when I originally went out to solve this problem that’s the problem I thought mattered by the way the real issue and what blows my mind 25% this Gartner metric it’s it’s either Gartner or Forster but it’s a it’s a really well validated metric out there of SAS licenses go to waste so if you take the like 38 billion doll us SAS Market 33 and a half of it 33 billion dollars of valuation is just wrapped up in what we call orphan licenses underutilized licenses over provision licenses um there’s lots of different ways you can look at that same issue now I know a lot of our 
audience here’s MSP I will put an an ER of caution here um you know there’s not it’s a long battle uh to save not a lot of revenue for your end client down this journey I mean key applications you take an AutoCAD or adobe or a Salesforce or a Kronos or something that’s not cheap you bundle that in and you you get there um but where we see it really is around those product adoption reports at least in our system is um scheduling up a product adoption report but we don’t recommend the MSP on this we recommend in uh loading in the contract in our system and then sending the contract product adoption report to the CFO and letting that be the cfo’s problem yeah we we tend to we have the data like you can run a report this is just how many times they logged in this is how much time they spent in it but we as we don’t recommend the MSP take that problem on because it’s going to be a lot of juice to squeeze uh for maybe a couple hundred bucks it does go back to and I think we talked about this in the beginning like what is our role as the MSP when it comes to software both installed software and 62% of the SAS apps that we spend our time on now what is our role in that right you know coid again sort of shifted that whole cloudbased stuff now right like SharePoint and Dropbox and oh my God I need to share this thing tomorrow today with the Cent I can’t wait for it to set up a drive and a SharePoint and I just I know I’m gonna put in Dropbox and yeah and so what is the role of the MSP I think John you just hit on one of them like the adoption piece like you’re wasting money not my problem I’m just telling you about it yeah I think it’s really going to be hard for this ever to become a fully managed component I the the partners that I see that are really successful with it have a level of co-managed relationship where the CFO has access to their end you know dual painted glass where the CFO can go in and handle the data for what they care about the CTO and the CIO and the COO 
can log in for their technology layers and the operating officers might have access to to handle but generally the the MSP is focused more on the software management back to what we talk about the compliance soft sofware inventory the account inventory building and maintaining the inventory and providing the technology for the end layer to use so in that case Jesse I know you’re not looking for advice but the way I’d say it is like allow that 10 user company with 50 SAS apps the ability to do their own level of kind of SAS license and provisioning management and then you’re providing that expertise that strategy as an additional layer on top with the whole with conception of the whole it layer I wouldn’t recommend pulling in 50 apps under your management right you know that for sure you’ll never make money you’ll spend all day onboarding and offboarding people yeah I I think that’s that’s a great piece to uh segue back to what we were initially talking about is where do we draw that line and how do we not be the department of no but rather the department of bro better word but like uh bro come on bro um but using that to say okay hey we have 50 SAS and that’s that what I was talking about with the graduated management tier right like we can manage all 50 for you here’s what it’s going to cost we’re happy to do it or you can make some decisions either to manage yourself shrink that amount you know and we can help you with business process analysis to do some of that and then like you said you’re getting in front of the CTO you’re getting in front of the COO you’re getting in front of all the major players in the organization getting FaceTime and showing real value and so I think that is where there’s a huge amount of value that you can bring with this type of a service all right one of one of us has a high pitch squeal coming from their mic and it ain’t me probably somebody’s running the vacuum there’s the the painter is running the vacuum I think that’s what it is 
outside my door I’ll mute doesn’t that just suck you said something you said something important so I gotta hit it sorry I I’ll let us move from the subject from here CFO you echoed what I said but that is a lot of the magic of this sauce when you go into those qbrs do you know how many like how much they don’t care about Asset Management how much they really probably don’t care about the amount of things your security tools blocked or the amount of like they that stuff’s like I call invisible wear like it’s obviously we as professionals know it’s very valuable and very essential but the CEO doesn’t care about a lot of these invisible Wares now they do CEO Co CFOs C anything o c I mean really every employee uses SAS it’s one of those things that universally you don’t need to educate somebody on the problems most people just it clicks they go oh yeah there is probably a ways because I don’t cancel my Netflix or my gym membership oh yeah there is data in there that probably shouldn’t be in there because I’ve done it myself I think that’s one of the magic pieces of this thing is that there’s no role or responsibility that’s impervious to Shadow it or for caring about SAS right so oh know I get excited because that’s the part that’s the love it so we had we had one a couple weeks ago right metrics that matter to non-technical business owners and it’s not easy right and like we did a lot of surveys and at least when it comes to security I think what you’re talking about like because you’re talking about productivity and how people are doing their jobs they get excited about security is like kind of a tough thing to prove value um so that was you know that’s a conversation we had before we’re going to revisit that at it Nation as well the gang here so um anyway keep going so so 15 minutes left or so I’m gonna open up another can of worms when it comes to Shadow it and the MSP vendor due diligence and so as an MSP I do feel that part of our responsibility is great you 
just signed up with you know some file sharing site m files or move it or what whatever and I think it’s part of our responsibility to at least have some conceptual understanding of what is that vendor doing to protect the data what is that V what is that like do they have a not that I care about sock 2 are they fed ramp okay I’m gonna say that but what are we as the MSP we’re the professionals so to be able to go to our client Jesse your client of 50 PE of 50 apps doing the diligence on them like whether they’re allowed or not like I do feel like it’s kind of our responsibility from a security expert to do something to have something some process some vendor due diligence around it yeah yeah the hus is higher right like Tim we don’t want to talk about vendors but you know polygon or Cabello or whatever right like what data are we collecting as security vendors and how well is it protected and that’s a question like msps should be asking every vendor um right you know what what what are your certifications right like where where’s your data parked is it in AWS what region right like what what level support you know what level as you said AWS fed ramp you know moderate whatever um there’s all different there’s all different questions that have to happen and the onus is so much higher on security vendors and I’m sure the onus is pretty high on IC right like that that data still you know the data you’re taking is not necessarily like Health Data but it’s certainly um you know it gives you an understanding of like a a competitor or whatnot I mean I don’t know if people rant somewhere your your SAS metadata but so John I see I see you wanted to chime in here like so when we think about vdd vendor due diligence like and the ownership of vetting products for our clients like Tim or or John or Jesse thoughts I see Jesse keeps unmuting did you have some input there I have an opinion but I no John go ahead I want to hear I want to hear you kick us off yeah so when it comes 
to like vspm so vendor security posture management or uh Tim DDD vendor due diligence um I think I’m gonna lean back into my answer from earlier it’s a little bit of a co-managed relationship where does the MSP start and stop though I think it’s critical the MSP is educating here um you’re not going to stop Suzie and finance or let’s go back to our intake scenario earlier you’re not going to stop that team of people unless you black wall their their entire organization from doing anything you’re not going to stop those behaviors like think about it uh I always the worst example of Shadow it in the world is like Google forms because it actually probably looks like normal sanctioned it if I go to my form stock Google and if I just go IP block Google my company’s going to have a riot if I go block Google forms my company’s going to have a riot but I can start to ask for all sort of sensitive data and it looks like sanction it so I think the importance here is about educating the risks of Shadow it with the team and that starts with the beginning of the client Journey so that’s why I think Shadow it scans are a critical part of an client on board because You’ got to establish there’s these problems and then you blend it into that qbr then you go okay now we’re going to work on you on a regular Cadence to resolve these shadow IDE problems and then as you start to get into these shadow it assets you can expose issues like the SPN where you could start to say well you know you know Meo a lot of its development toolkits come out of like uh Russian backed development teams or something like that and you know not knocking Miro or anything in specific but like that’s where you start to bring up those kind of insights with your customer um but I that’s a tough pickle like I don’t think um you know I think the MSP has to educate and they have to Esta Lish a Cadence of Shadow it and process around it but you know frankly sort of black listing every IP and every domain name 
you’re not going to stop it you just have to educate it it’s kind of like security awareness training you’re not gonna stop it unless you start building education around it Jesse no before I chime in go so you know I’m the process guy you know that I’m the policy procedure guy like one of the things when we look at CIS for example and we look at the asset management components of CIS whether it’s Hardware or in this case software right there’s a huge gap and I’m gonna plug myself because I’m pretty excited about this new uh this new thing that we’re doing right there’s a huge gap in being able to both Hardware software and SAS take those lists review that data present it to our client and get them to sign off and acknowledge and accept this is our Hardware list this is our software list this is our SAS list I mean right now when you look at the space it’s uh I download a spreadsheet no no no we have completely automated that we’re pretty excited like we’re bringing Avic into this fold at some point here in the coming weeks hopefully by I na but we’re bringing Avic into that fold where you can completely automate the governing aspect of Hardware software Microsoft Microsoft anything in the Microsoft graph ecos system and soon to be Avic SAS management so as a bigger picture right now today at least put this conversation in your qbr at least get that in front of your client whether or not you bring in on a art tool or you bring in Avic or you hire somebody as smart as Jesse or do data Discovery with Tim at cavello start to have that conversation with your client and letting them know like people are signing up for stuff and it’s kind of weird and just bring that and once you start to operationalize your MSP Jesse can help you with that once you start to grab the data from cavello Once you understand the SAS product that are there from AIC and you can get them fully governed by us you can operationalize that within your MSP but at the bare minimum take ig1 Hardware 
Asset Management take ig2 software asset management at least do something with your client on a regular Cadence and by the way CIS is you should do that monthly yeah I think uh it’s a great point you mentioned in kind of blending all the those different tools into an offering when you have as regulations become more commonplace for more businesses it used to be okay well we we’re an MSP we don’t really have to deal our clients don’t have regulations well almost those days are those days are a bit kind of gone and we’re at a Tipping Point where we’re the majority of businesses are going to be regulated and so I think being able to know where your data is and again then having a footprint that maps that to what applications you’re using so you can see hey do I I have 50 apps right but maybe only 10 of those have sensitive data so I need to focus on those and that helps you price better and be more competitive in the marketplace good points really good points so we’re coming up on the last seven minutes Mr Tim I see you waving your hand yeah so I mean we we talk about turning up the dial right like so there’s no on everything and then there’s yes on everything and Jesse just said like that’s starting to creep over to the no over here so um if you don’t have visibility you can’t have the no on some things and yes on some things which you know which is awesome which John’s buil something that provides that um we talked about that I think you know we talked about we had an allow lless vendor on in the past and we talked about like if you just turn that thing on you’re going to be fired in 10 minutes so it’s it’s it’s turning that dialog slowly having that visibility to at least have a conversation so I mean how many times have you gotten in the car after your kids have been in there cranking their rap music and you get in you start the car and your ears blow out right that’s because they cranked the volume no no us as msps we’re classy kind of people we want to gradually 
raise that volume level of our ACDC or our Metallica or whatever genre it is you like to listen listen to We don’t want a blaring instantly in our face and that’s where when I think uh John forgive me if I’m wrong there are ways to softly roll these things out so it’s not full bore full B full blast yeah absolutely right you have to understand though to get started right I think that’s to Tim’s point the other Tim Tim s’s Point uh it’s you have to you have to understand and you have to go and strategically go to the customer because again even if you run all acccess management in your environment you get this whole list um you know I always say shadow it is not bad it but it’s also not good like it is in its state neutral there’s no no it has no opinion it has no intentions it just is and so if you just run ASM and then you go whitelist everything you’re not doing anything for your client because you’re allowing all the shadow it if you don’t run ASM and then you go whitelist only certain apps you’re going to be fired so it’s a magic about like going in and strategically taking that list working against it and then slowly introducing um controls around it to prevent these you know like you said popping your eardrums out when you jump in the car or never hearing any of the music at all I don’t know I tried to make that one work yeah so so so Jesse what’s your first step with your client that has 50 SAS products yeah I think that’s it is sitting down and creating a criticality criticality list so I I kind of alluded to it in the fact of that hey you need to know all what you have then need to Define where is critical data being stored then is there duplication in any of the applications and then what can we get rid of and maybe it’s nothing but at least understanding where we’re at and beginning to from that point forward make more informed decisions and then continuing to review that list and potentially have Things fall off as we move forward in this new world and 
then Mr Tim you’re uh you’re catching me here for final thoughts I think we’re running up against the clock um we are we are no I I think I think it’s that slow turning the dialup but visibility and insights Trump anything and I know Trump’s a bad word now but I still don’t have another word for it but you know well does live in the shadows right right and I think M I think MSP is the more in sites they deploy the more conversations they can have that talk about real business problems or Real Business Solutions so um yeah no I I this is awesome John thanks for thanks for a great hour yeah and I guess I’ll leave my final thought here right so this is this is very much you have to be very passionate about this problem to have a saying like this I say that like at the heart of every SAS tool is business data and every SAS tool is half business problem and half it problem and quite frankly like that is the holy Mecca of an MSP solving business data problems through it layers and business layers I I that’s why I’m just so passionate about the issue with SAS because fun fundamentally that’s that’s the space that there’s just so much opportunity to have great conversations with your client about and not yeah I’ll leave it there I could go for Aver I know you could I know you could John uh and obviously Jesse uh final words parting parting gifts parting parting gifts yeah I I would say we come full circle to say you have to know what you have before you can do anything about it and I think that’s where we got to start good stuff and obviously I get to say something maybe I do maybe I don’t but I will anyways um I say it every week start someplace do something start somewhere take that first step whether you go on and you you you you grab and sign up with Avic whether you you bring Jesse in to try to help you operationalize your your C ciso program whether you grab cavello and start discovering that data or you work with us to build out uh probably the first thing which is 
policies and procedures around the how and the why do something start somewhere like pick a thing take a half hour a week put it on your calendar and start someplace do something today uh so what’s coming up next week Tim I am next week is it next week I’m not here I think it’s next week I’m not here on the week after that so hiring and attaining and attracting cyber Talent which is uh harder than it Talent right now but uh Josh n Heather Nogle Cody stack yeah yeah so for those of us that uh that are here uh we thank you so much uh John if you want to uh drop your link is it just aoc.com is it is it uh I want frees sas.com is it protect myy sas.com what is it it is uh I’m gonna put it in chat here I’m not connected if you maybe don’t mind sharing somebody who’s connected into chat but it’s just going to aoc.com and um J jumping into our SAS management product and clicking into that product that’s where you can learn a little bit more nicew and for those of two right Tim there’s a reason why it’s CIS control one and two right they’re in order so yeah order there for John Harden top of the order and top of the order for yeah whatever we’re not there so uh three o’clock our time is up thank you everybody enjoy oh wait I gotta say one thing we just had a holiday weekend and I didn’t hear of any major cyber events my knockwood right a Monday holiday and not a major solar WIS or something else happen right so hopefully we’ll be going into into the next couple of holiday seasons a little less but you know always GNA be prepared so pretty excited uh for next week about the talent pool and uh this will end your podcast thanks everybody have a good day see you everyone Chea