Bonus Episode, Sponsored by Beachhead Solutions: An Inside Look at Compliance for MSPs
Listen to the Podcast
Read the Transcript
In this special bonus episode of MSP Chat, sponsored by Beachhead Solutions, Erick and Rich talk with Sam Daigle of Kennebunk Cyber Systems about why now’s a great time for MSPs to launch compliance practices, and how to go about doing it.
That’s followed by nuggets of wisdom on running successful webinars from an experienced master of the art (Erick) and a deep dive with Cam Roberson, Beachhead’s vice president of sales and marketing, on how to cash in on the compliance opportunity for MSPs.
And finally, one last thing: How a carry-on bag full of rotten fish on a recent Delta Airlines flight made cramped seats, bad food, and schedule delays all look like minor inconveniences.
Discussed in this episode:
https://www.beachheadsolutions.com/lp/2024-msp-compliance-report
https://www.upi.com/Odd_News/2024/02/15/delta-flight-rerouted-maggots/1521708002879
Transcript:
Rich: [00:00:00] This episode of MSP Chat is sponsored by Beachhead Solutions. Beachhead Secure from Beachhead Solutions is the only MSP platform to provide encryption and both manual and automatic access controls for your client’s PCs, Macs, phones, tablets, USB storage, and Windows servers. A built for MSP platform.
count them of the control out by C. M. C. 2. 0. T as must have requirements steep fines immediately. boxes with beachhead secu beachhead solutions dot c And three, two, one blast off, ladies and gentlemen, welcome to this episode of the MSP chat podcast, your weekly visit with two talking heads, talking with you about the strategies, services, and success tips you need to make it big in managed services.
This week’s episode is sponsored. By Beachhead Solutions. I am Rich Freeman. I’m chief content officer at Channel Master, the organization responsible for this podcast. I am joined this week. It’s I am every week by your other cohost, Erick Simpson, our chief strategy officer at Channel Master. Erick, how you doing?
Erick: I’m doing well, Rich. A little waterlogged. It’s as you’ve probably heard it’s been quite a rainy season in California. So just trying to stay dry and look out for any ceiling leaks here at
Rich: the house. Yeah. I, given that I am based in Seattle, you’re going to have a hard time getting sympathy about rain for me, but I do know, having grown up in Southern California, it’s a little bit unusual.
So hang in there. You’ll get the sunshine back at any time. Erick, as I said, this episode is sponsored by Beachhead Solutions. We are joined this week. By a special guest host, who is a Beachhead partner. His name is Sam Daigle. He is the managing partner of Kennebunk Cyber Systems.
Let’s bring him on stage.
Sam: Awesome. Hey, Sam.
Erick: Hey, Sam. Good to see ya. It’s nice to
Sam: see you guys as well. Thank you for having me. Absolutely.
Rich: I mentioned to folks, you’re a Beachhead partner, but there’s a lot more going on in your life than that. Tell folks a little bit about yourself, about Kennebunk who you are, what you do.
Sam: Yeah, absolutely.
So as you mentioned, my name is Sam Daigle. I am one of two principals for Kennebunk Cybersystems. We’re based out of Arundel, Maine. Nobody recognizes Arundel. A lot of people recognize Kennebunk. They have the same zip code. So that’s how we ended up with that name. Both myself and my business partner are retired military, and a number of years ago, he asked me if I wanted to do something fun and interesting and and here we are, we started a cyber security consultancy when we first started, we worked with primarily military and government contracts because that’s where we came from.
And that’s what we knew. We pretty quickly branched out into the commercial sector, and now we work with managed services providers and various companies that have their own IT staff helping them stay ahead of the curve.
Rich: What a great strategy and great timing. There are so many MSPs out there right now who kind of wish they were security specialists, cause that is such a hot segment of the market right now.
You did very well to specialize in the way that you did.
Sam: Yeah. There’s been no shortage of work since we started this. I guess it was the right place at the right time. Yeah, absolutely. It’s worked out.
Rich: A lot about a lot of different aspects of security.
One of those is compliance. We’re going to spend a lot of time on this episode talking about compliance. And in fact, Later on in the show, we will be joined by Cam Robertson from Beachhead Solutions to get Beachhead’s perspective on challenges and opportunities in compliance for MSPs. But for right now, we really want to get your frontline perspective as an MSP dealing with compliance issues.
Day in and day out. I’m going to take it as a given. There are a lot of folks in our audience here who are really still coming up to speed on compliance. What are some of the things that you would tell them they, they need to understand, need to know?
Sam: So I think every single compliance framework out there is about understanding what your risks are.
So it doesn’t matter if you’re talking about health care compliance. So everybody is familiar at least with the word HIPAA and the fact that is a health care compliancy that Some people need to worry about there’s compliances that are based around the purchase card industry and protecting credit card and consumer data.
There is compliances that are based on protecting federal government information, most currently called controlled, but unclassified information. So if you’re within the federal supply chain [00:05:00] or federal service chain, you’re probably familiar with the defense supplement to the federal acquisition regulation or anything that’s based on this special publication.
800171. But for all business owners, regardless of whether or not they’re using a managed services provider, they’re doing their own I. T. Stuff. Whether they have their own staff or they’re relying on their brother in law. I think understanding what your risks are and being able to tie those risks to.
Some sort of security framework is a good way to make sure that you’re not just brainstorming on your own, and you’re following a checklist, which every industry has their own best practices, and adopting a security framework is a really good way to do that. And these compliances are based on just that they’re based on making sure that you adopt a security framework that makes sense for you and your organization.
And so MSPs obviously very much need to be aware of that and and how that relates to their own business and their clients.
Erick: Sam, I used to think that we as a recovering MSP, and speaking for partners that I work with and others, I used to think that, compliance is for specific types of businesses where MSPs may have.
clients that do not need to meet regulatory compliance standards because their businesses just, aren’t regulated yet. And I use that term yet very specifically here, right? And then we, you mentioned that we have businesses that definitely are regulated. You talked about, the healthcare industry, you talked about payment processing, the so what are the expectations of other businesses that aren’t in the finance sector and things like that in terms of regulatory compliance, where they’ve enjoyed this kind of a niche that says I really don’t do those kinds of things. Do you expect every business at some point to fall under some sort of compliance?
So I
Sam: think that there are probably more compliance requirements out there than most businesses could even hope to keep track of. And I’ll give you a couple of specific examples. So I’m based out of Maine. I actually live in New Hampshire, right south of the border. I’ve got Massachusetts and Massachusetts has some of the strictest privacy laws in the nation, probably second only to perhaps New York and California.
Those privacy laws affect all businesses regardless of. What market or industry that business is in if they’ve got employees that live or work within that state. So if work or live within the Commonwealth of Massachusetts, for example, and I work with a lot of businesses that aren’t based in Massachusetts, but they’re absolutely Employing people that live in Massachusetts.
And now they’ve got the Department of Labor down in the Commonwealth of Massachusetts that’s enforcing compliancy for businesses that aren’t even based in Massachusetts. How do you know that? And the answer is. From my personal perspective, and I don’t know that this is going to be super helpful or even agreed upon.
I don’t know that it matters. What matters is understanding what information you have, right? What data are you trying to protect? What processes are you trying to protect? And in protecting that data in those processes, do you understand what your risks are? Do you have. Some sort of security framework that you are leveraging so that you have a checklist.
Do you have, are you backing up your data? Are you encrypting your data? Are following these things that you’re supposed to be doing for the information that you’re protecting, regardless of what the compliance requirement actually is. If you’re doing those things, Okay.
Then whatever the compliance requirement is. Oh, I didn’t know that I fell within, Massachusetts Department of Labor law, right? Because how would I possibly know that? The answer is, it doesn’t matter because you are protecting your information, and you can demonstrate that you’re doing that by following some sort of security framework.
Does that make sense? Yeah, it absolutely does. Yeah.
Rich: So thinking about approaching the topic again from the standpoint of the typical MSP, where do you see the biggest gaps right now between where they are and where they need to be around compliance?
Sam: So the biggest gap that I have found working with managed services providers in my own experience, right?
So this is anecdotal at best. But is the understanding that a lot of M. S. P. S. Think that they’re providing I. T. Services. They’re working under the belief that they’re acting as a help desk that they’re managing servers. They’re managing workstations. They may be managing software. Now they’re probably managing, office 365 or Google G suite.
But they’re thinking about it from an IT perspective and they’re not necessarily thinking about it from a risk [00:10:00] transference perspective, but there’s a lot of MSPs that I work with that have clients. That I’ve also worked with that 100 percent feel like, Hey, I’ve hired this managed services provider.
And one of the reasons that I did so was so that they could help us in an I. T. Capacity. But one of the other reasons that we hired this managed services provider is so that we could transfer risk, right? We’ve got all of these risks. For all of these systems that we are managing and we just wanna push all of that responsibility off onto an MSP.
And now this is their deal. And I don’t know that a lot of MSPs understand that.
Erick: Sam, we hear this confidentially confidentiality, integrity, availability, guiding principle. What does that really mean? For MSPs and their clients, and are there any gaps or security holes that you see from that perspective?
Yeah.
Cam: So
Sam: I think confidentiality, integrity, and availability is the information security triad, right? So these are the three core components and for any security framework with any kind of security controls, whether it’s a management control or a technical control, management control being something that, you know, or the organizational management has decided this is what we’re going to do, right?
We’re going to have, everybody’s going to have their own account. They are all going to be unique. They are all going to be password protected. Those passwords are going to be complex. Those are management controls, right? We’ve made these decisions. Hopefully we’ve documented them and we can demonstrate, hey, we’ve got those security controls in place, but in technical controls on the same token are how do we enforce those decisions that we’ve made and the ability to Automate, right?
Like and provide that check and balance. Hey, does everybody have a unique account? Does everybody have complex passwords? So there are technical controls that we can put in place that protect the management decisions that we’ve made that can not protect but can. Enforce the management decisions that we’ve made with all of these controls, every single one of them is based on either enforcing confidentiality of your data, right?
I want access to my data, but I don’t want everybody else to have access. So that’s the confidentiality aspect. There’s the integrity aspect, which is I’ve got this data and can I trust it? Do I know when I’m opening up my financial spreadsheet that the data that is in there is information that I can trust or hasn’t been manipulated or corrupted?
And then the availability piece is am I able to access my information as I require access to it on demand, right? And with a threat such as ransomware, and I’ll use that just as a genErick example, ransomware can affect all three aspects of the information security triad. It can gain access, ransomware attack can gain access to your information, so you’re violating confidentiality.
It can encrypt or manipulate that data. Now you’re affecting integrity, and you can be denied access to that information, and now you’re affecting availability. So that information security triad is something that I communicate to every single client that I meet with initially, because there’s a lot to an information security program, and it’s really nice to be able to simplify it down into three core components, and that is knowing where your information is, knowing who has access to it, understanding how you’re protecting it, And how you can recover in the event that there’s some sort of issue because, issues happen,
Rich: We’ve got a lot more about compliance coming up on the show.
Sam, but before we move on, I do want to take advantage of your experience, your expertise in the compliance field. For M. S. P. S. In the audience who are thinking they want to move in this direction. They want to get more of a compliance practice going. What kind of final tips getting started?
Advice do you have
Sam: for them? So I would definitely adopt a security framework. And to be true, honest, a lot of M. S. P. S. That I’ve worked with Don’t start out by thinking that they need to adopt a cybersecurity framework, understanding what cybersecurity framework that you’re using. And if I were to throw one out there, I would use an open standard.
So that means that I wouldn’t recommend ISO 27, 000 as like the first security framework that you adopt, because you have to pay for it. You have to get a third party assessment. It’s very complicated. But using an. OpenStandard, like the National Institute of Standards and Technology, has a cybersecurity framework that’s available for everybody.
It’s pretty simplified. It’s also pretty comprehensive. And it’s made up of a bunch of industry lessons learned. And using that as your [00:15:00] checklist, you can go through and assess your own security controls, whether they’re the management controls, technical controls, on behalf of the MSP or on behalf of the MSP’s client.
There’s no single tool. Out there that will just check every box and make sure that you can implement every single control that doesn’t exist. But there are tools out there that will meaningfully reduce and mitigate the risk that an MSP would have or an MSP client would have. And the single piece of advice that I give people is to encrypt their data.
And that’s a complicated conversation because. Do encrypt the data in transit, as I’m, emailing people or transferring files on a cloud storage? Do encryption at rest? I’ve got data on my hard drive. I shut it down. I close it. Now, if somebody steals my laptop, can they gain access to it?
If I’ve got encryption at rush, sorry, encryption at rest the answer is hopefully no. But there are other aspects, like if I’m working on my computer and I go to a bad website, or if I click on a phishing email, allow a threat actor to gain a foothold onto my machine there’s this concept that I’ve been calling encryption in use, which is, I’ve got data on my computer, I’ll refer back to financial spreadsheet that I have and how do I protect that financial spreadsheet if I need to have access to it, but I also want to make sure that some threat actor doesn’t come back and and access that, that spreadsheet while I’m, on my computer and there are tools out there that will help.
Manage that kind of capability which is actually how I got introduced to the sponsor of this program Beachhead because they’ve got an encryption management platform that kind of helps manage that and they’re one of the the organizations that allows you the centralized management and that visibility.
It’s all about understanding your risks, but. Not just about compliance, but in a meaningfully meaningful way, how do you protect your data and in encrypting it is definitely the answer to that question, how you do. So that’s a complicated answer, although
Rich: the the, at least part of the answer you’ve come up with involves beachhead.
So this is maybe a good moment to pause the compliance discussion a little bit, because in a few minutes, we’re going to be joined by somebody from beachhead. To talk a little bit more about the business opportunity around compliance for MSPs. But before we go there, Erick, what is your tip of the week?
Erick: All right, Rich, Sam, today’s tip of the week is all about leveraging webinars as an MSP, as a lead generator. And this is an approach that is very tough to pull off if you don’t have a strategy. and a plan so that when you’re delivering webinars to your contact list or your lead list as an MSP, you’re actually able to convert, get folks to sign up, to attend, and then convert into appointments for your services.
So just a couple of quick tips. Number one, understand who your target audience is. Understand Who it is that you’re trying to reach with your message. What are their pain points? What are the challenges that they are facing? and what are the Opportunities and benefits of them to solve those challenges create a very catchy Subject line that allows the your audience to understand what it is that you’re going to try to share with them in a thought leadership perspective.
I do a lot of webinars and I always try to approach it from a thought leadership perspective and try not to use a very genErick subject line best practices for. For protecting your company from hackers. You want to give them something that has a little bit more meat, five tips to secure your business data from threats, something with a number in it, I think is catchy.
And then you have your subject line, you have your title of your webinar. And then the abstract has to deliver on what you want to express that the attendees are going to walk away with you want to give them something of value that says, Hey, if you register and attend my webinar, I’m going to give you a checklist, for instance, of the five tips and how you can make sure that you’re securing your company data.
Against hackers, encryption could be one of those tips, right? Along with other best practices, give them a little something that, they can’t easily find elsewhere, or if they can find it, you’re saving them time by giving them, just that one checklist, that one item of value that they’re going to take away with, if you have the ability to bring [00:20:00] on some of your clients that are using your services, then that’s a great way to have a conversation.
For your prospects to really understand from other business owners what they were experiencing before kind of a mini case study. What was the problem? What were their options? How did you solve it for them? And what does life look like on the other side? And ultimately use some polls and some surveys to try to identify the folks that are really interested and prioritize your follow up.
Afterwards and make sure that you send the recording and a link to download the Asset that you promised them and then reach out to them No later than three days after the webinar to start scheduling your appointment. So I know a lot in that tip rich, but I did write a blog post recently and you’ll see that out on our website soon
Rich: Yeah.
No, I mean in fact it’s shameless self promotion, but we’re not only do we have a blog post about Your webinar tips coming up, at channelmaster. com Pretty soon, but we are finalizing an ebook That captures a lot of your experience in the webinars area and that to you’ll see us.
We’ll probably end up talking about it on the show. You’ll see us promoting that on LinkedIn as well. And I’ll just say, Erick has been doing webinars. For many years, and he just gave you the, a little taste of what he’s learned about what works and what doesn’t work, and so watch out for that ebook.
And and part of why I say that, Ericka, is as I listen to you talk about that it just occurs to me, webinars are one of those things. That everybody knows to do, thinks to do, should do. And there is such an immense difference. So everyone is probably going to go ahead and do that at some point.
And there is such an immense difference between doing it right and not doing it right. You could have the same amount of time, you can draw the same audience. If you know how to put the show together properly, how to keep it flowing properly, engage the audience, follow up, et cetera, you’re going to get really great ROI.
And if you don’t know these things, if you just figure, I’m going to turn a camera on and start talking and and it’s going to be about security, who’s not interested in security, you will not get great ROI. And so it’s just, one, one, and it’s true of webinars, it’s true of blogs and podcasts and live events, lunch and learned, et cetera.
There is,
Sam: there are better ways to do these things.
Rich: And in the webinar area there, Erick, you’ve got a lot of a lot of wisdom and experience to share.
Erick: Yeah, let me tag in Rich with some additional thoughts, you serviced. Hey, you could do them wrong. And, I’ll just talk a little bit about, what that looks like.
So you could spend all this time, energy, effort and, break some of the best practices. There’s a lot more that we’ll release in our ebook. Obviously, let’s just say that, everything goes sideways for whatever reason now you have the real threat of, delivering a negative perception in your audience or a lack of trust in your organization or your solution in the worst case scenario, you could actually drive.
Your prospects away to your competitors may even use that experience against you so there are a lot of reasons to get this right and Practice it and then have a very engaging type of conversation with the audience during the webinar. Don’t you know? Overdo it with a bunch of powerpoint the biggest mistake.
I typically see rich are just slide presentations that are just Too much information. Less is more. Don’t take away from the audience’s attention on you as the speaker or your presenter and your panelists who are actually going to describe the experience. So you don’t have to explain it all on a slide, just a couple of bullet points.
You want them focused on you, your presenters, your panelists, and then have a very strong call to action at the end, make sure you have plenty of time to deliver that call to action. What is it that you want? The attendees to do at the end of that webinar. Sometimes the poll that I typically use is how would you like to engage and give them several options that make sense for them and finish strong.
So again, less is more. Keep them focused, thought leadership, interesting subject, abstract that, that describes what they’re going to gain. Because you know who your audience is and can deliver on that promise,
Rich: Sam, I don’t know if you’ve hosted webinars before. I’m sure you’ve attended plenty through the years.
Do you have any thoughts based on your experience about what works and what doesn’t work in
Sam: webinars? So I do not have a lot of experience when it comes to webinars. I have participated in them in the past. I know that there’s a lot more than just sitting down and interviewing like you guys are doing right now.
My experience has been more about standing in front of a room, with that [00:25:00] physical, classroom type setting, if you will. And I think that all of the points that Erick just made, honestly, are very relevant to that kind of environment as well. The call to action piece obviously is a huge thing in any kind of effort and keeping your message short and understandable and allowing for that hook.
To encourage more dialogue, I think is one of the things that I’ve found that has worked well. And certainly a lot of our business has been based on that. That would be my feedback. Awesome. Awesome.
Rich: More to come, folks. Like I said, we’ve got that ebook and the blog post, and I’ll bet it comes up on the the podcast again in our future episodes, more to come on webinars.
But right now we’re going to take a quick break when we come back on the other side, we’re going to be joined by Cam Robertson from Beachhead Solutions, which is sponsoring this episode of MSP chat, and we’re going to get into the business opportunity in compliance for MSP. So stick around, folks. We.
Are going to be right back.
All right, welcome back to part two of this episode of the MSP Chat Podcast sponsored by Beachhead Solutions. And as I promised, we are joined by Cam Robertson, VP of Sales and Marketing at Beachhead, to talk a little bit more about compliance. Cam, I’ve known you for quite a number of years now but not everybody in our audience has.
Before we dive in tell folks a little bit about who you are and a little bit about Beachhead. Thanks
Cam: Rich. Yes, it has been a great number of years. Yeah, so I, I handle sales and marketing for Beachhead Solutions. My, my primary role as I see it is recruiting terrific partners, MSPs, who have a like minded approach to security.
And who might recognize that compliance is coming and it’s not, until breaches stop, I suspect we’ll see even more regulation. And I just did want to say I appreciated the opportunity to listen in while you guys were talking. I always learn something from Sam, and I think the key takeaway that I got from that is that Issues happen in your words, Sam?
Not sure That’s exactly how you would’ve said it if you and I were talking. But issues do in fact happen and very
Rich: true. True precisely because they do compliance is a pretty tremendous opportunity for MSPs. How tremendous what, how big an opportunity is this for somebody who’s trying to decide?
Do I or do I not get a little deeper into compliance?
Cam: I think it’s a terrific opportunity, and good security is good security, and being able to map it into a compliance mandate I think makes all kinds of sense, and one of the biggest problems I think I hear almost daily from our partners is, things like, my client’s not going to pay for this, or I need to compete with the guy down the street or in the next County because they’re undercutting me.
And, it’s a common problem. We get on this thing where the way we differentiate our offering is by having the lowest price. Everybody understands that because. It’s tangible.
Rich: And sadly,
Cam: many clients believe that this is a commodity service. They’re providing security, they’re providing help desk, they’re, they may not understand the depth of what they’re getting offered.
And so it’s in the many clients minds, a commodity business. So how do we distinguish one commodity from the other price? And, and that becomes the distinguishing and differentiating factor in an MSP service. It’s the wrong path to get on, in my humble opinion. And this represents being versant, being able to offer a consultancy, like Sam does.
a differential advantage in distinguishing their practice from the next guy, which I think leads to better client relationships. I think it leads to better and higher MRR, better margins, and a, I’ll get off my soapbox here, but a, a better, more trusted, perhaps, relationship. With your client, they’re going to look at you as not somebody, trying to gouge them, but somebody who can offer advice and as this stuff changes almost daily,
Rich: stay on
Sam: top of it a little bit, somebody that you can trust to steer you down the right
Erick: path.
Cam you’re, you’re singing [00:30:00] from my songbook. I do a lot of work with MSPs and, I tend to find. Some MSPs want to do the best they can for their clients and they’ll add more products to their portfolio and in that attempt to prove value and deliver that to their clients.
And I find two things. One is they’ll add these things because they know it’s the right thing to do to help their clients out, but they don’t. Increase what they’re charging their clients in order to cover those costs. So I think that there’s a little bit of a maturity conversation that we can have there.
And then the other side of the coin or other partners that I speak with they don’t do that because they don’t know how to properly present that price increase conversation. So the ones are. Trying to help their clients and they’ll add, additional services and maybe a little bit more sprawl, but they’re not charging for it.
And then the other half are afraid of clients saying no to an increase in price and then don’t do what’s necessary and are seeing a little bit, I think more, maybe that’s more of a transactional kind of a relationship. What are your thoughts and what would your advice be to both of these two types of MSPs?
And I’m not trying to categorize all MSPs as being this way, I think these are the ones that need the most guidance, especially now that we’re seeing regulatory compliance changing moving forward and things like that. And so the need to stay ahead. And to lead with security and compliance becomes even more important now.
So what would you say to, to partners that have these distinct perspectives on delivering services to their clients?
Cam: Wow.
Rich: That’s a deep
Cam: question. I, I think most MSPs are just plain fearful, as you say,
Rich: in increasing the price. And
Cam: I think justifiably so in some respects.
You can’t just do that without proving additional value. And I think that it’s important. I think a lot of MSPs sell acronyms and they sell certain security tools, many of which overlap. But that means so little to most MSPs. I think what’s important is being able to articulate, what these.
Controls that are part of this software package or this service, how they map to, general security. And if you were to look at, for instance, the NIST cybersecurity framework,
Rich: it’s not, you need this particular
Cam: acronym or whatnot. It discusses it in layman’s terms as to what you’re doing.
And if you give some thought to it, you can map your Software controls and services that you provide into these frameworks that are, I think, digestible by most clients. And it’s the start, in my opinion, to providing compliance services to them, or at least a consultancy. And as I mentioned before, I think it’s a way to differentiate your offering.
And if you can then take it one step further and say, look, we have expertise in, the FTC safeguards rule, or we have expertise with HIPAA. It’s very easy. What I’ve found, because we went through this exercise ourselves, is that there’s not a whole bunch of difference between one and the other compliancy mandate.
And when Klager’s different, the way in which it’s organized may be different, but they’re all asking for the same things. They’re all asking for you to protect either, client information, employee information, customer information, or government information. And they’re all asking you to do mostly the same things.
And again I believe this to be an opportunity to distinguish your practice from the others. If you can take and articulate. What your stack looks like, not in acronym terms, but what it’s satisfying from a security perspective, as is, delineated in CSF or transcript. Choose whatever.
I personally believe that starting with the CSF, I think I heard you say the same thing, Sam is a good place to start. And then should you want to go to a different our specific compliance mandate, you can certainly do that. I don’t know if I answered your question, Erick, did I?
Erick: I think we’re, I think we’re in the ballpark here.
I think one, one thing that I’ve, give me your opinion on this and Sam, jump in here. I think what’s real to that end customer. [00:35:00] Is what is going to influence, or their risk or their fear, cause there’s fear and then there’s benefit, right? So some folks respond to fear, some folks respond to benefit.
I want that shiny object or something like that. And so I know that regulated clients, may understand at some level what they’ve got to do. It’s important for us as MSPs. Sam, to understand and Cam, what those compliance mandates are. And like you said, Cam, help steer the solution help them meet those obligations.
And then, we talked in the earlier segment, Sam, I said what about these, organizations that don’t really feel that they have to comply yet? What they do need to comply with is the requirements of their cyber liability insurance policy. So is that a good place to start having a conversation?
I’m trying to help these MSPs that are trying to figure out how to have that conversation. I speak a lot about. Starting there and understanding what is the minimum, what do your clients need to subscribe to from you as the MSP as a minimum for them to be your clients, there has to be some cyber security.
Services in there and whether they map to specific controls and things like that. I think that’s a conversation that we’re having right now. What makes the most sense? But if I’m an MFP that just says, okay, I need to start having this conversation with my clients. How do I start that conversation if I haven’t done it before?
Go ahead, Sam.
Sam: So I want to tie two concepts together, something that I had said in the earlier segment, something that Cam just mentioned in the earlier segment, we talked about compliancies and I made a comment that like the call, I think that the specific compliancy. Doesn’t necessarily matter, and that’s an oversimplification, and obviously it isn’t entirely true.
But Cam also mentioned that for MSPs, the service is often treated as a commodity where price is the differentiator. One of the things that I try to do, because I don’t try to compute on price because oftentimes there isn’t even anything to compare to. In my industry there’s way more work than there are people to provide the service when it comes to cyber security MSP is a different ballgame, right?
So I’m coming about this from a different tactic, if you will for me, it’s about confidence. When I’m talking about confidence, there’s three, almost every single client I’ve ever worked with ever has three different problem statements that we try to tackle. The first one is what is your real world risk?
Which is a conversation unto itself, right? That’s a big conversation, especially with small businesses that don’t think that they’re a target. Understanding what your real world risk is a big piece of this. But also what it is from an IT or an information security perspective, what is a blocker to revenue?
And so particularly within the markets that I specialize in federal supply chain, federal service chain What is it that the organization isn’t doing that is preventing them from, this additional revenue stream? And then the third one is blockers to compliance. How do they demonstrate that they’re doing the things that they need to be doing?
So if I can answer these three problem statements the compliance itself, whether it’s defars, ITAR, CMMC, HIPAA, PCI DSS, it doesn’t matter. If I can answer these three things, then I can probably answer any questions for any compliancy, regardless. And that’s where that confidence comes in, right?
So instead of using price as a differentiator, I’m using that confidence of, Yeah, you know what? We know we’re protecting our data. We understand what we have. If somebody comes up and says, Oh, by the way, did you know that you fell under this compliance requirement for the Commonwealth of Massachusetts?
The answer is, Hey, that’s really interesting. We’re covered because we’re doing the things that we need to do and being able to provide that kind of confidence, whether it’s coming from me. As a cybersecurity consultancy, whether it’s coming from cam as, a tool set that helps MSPs achieve that level of confidence, whether it’s the MSPs themselves that have asked these questions provided some sort of answer, whether through third party services, such as us or through their own, process, internal process, that confidence is the piece that I have seen a lot of clients respond to not, Hey, who’s the cheapest, but who has. Who’s got it covered? Who’s accepting that risk transference that I mentioned earlier and taking ownership of it and saying, yeah, we’ve got you. That’s where the biggest differentiator is from my perspective.
Now, understand, I’ve already said earlier, it’s anecdotal, right? Like I’m one person out of a lot of people that are out there, but this, it’s a big thing. It’s a big market. There’s [00:40:00] a lot of MSP. Unbelievable number of MSPs out there. How do you differentiate? And in my opinion, price is never going to be the winning factor.
It’s always going to be confidence. Can I make
Cam: a couple of points too? I think that’s extremely valuable information. I think documentation and being able to prove that you’ve got these things also helps to build the confidence that I have these controls in place. They were implemented. They were in place when.
Such and such SAM issue happened, and I can prove it to you, Mr. or Ms. Client. I, also, a second thought I had, I mentioned there’s more similarities between these different compliancy mandates than there are dissimilarities. The other thing that sort of should be an entree into moving in this direction is You’re getting cybersecurity insurance questionnaires.
You’re getting supply chain questionnaires that are generally starting at the top and they’re working down to a sub of a sub. Those two are very similar. They’re not asking for something completely disparate from CMMC, for instance. They’re all, as I mentioned before, good security is good security.
And that’s why they’re those practices and controls and documentations are part of these mandates, but those two are very similar. And I know that my partners are getting clients handing them questionnaires and saying, Hey, fill this out for me and help me prove that, I can stay in the chain and keep that, revenue in place.
Rich: Cam you were saying earlier on, you don’t want to get into a tools conversation, a stack conversation with end users, at least in terms of acronyms and stuff like that. And you do need tools to do compliance. You’ve got to have a stack that has the capabilities that are required.
Sam was talking before about encryption. You were just talking about documentation and reporting. So in, in your experience, where do you tend to see the gaps? In an MSP stack, between what they have and what they need to do compliance properly. That’s a terrific questions. I think I have
Cam: Two answers for that.
I’ll make the statement. I believe that most MSPs, certainly our partners have a terrific stack. They’ve got products, maybe some overlap, as I mentioned before, that are terrific security tools. They’ve not yet taken that step to map them to the controls that are necessary for any of these compliancy mandates.
And I think that’s a gap and that is a lot of. Process and documentation and being able to prove that you’ve got compliance in place so that is a necessary component. And I think you consider that a gap. Sam and I met him a few years back and it was really a kind of a fortuitous conversation.
He wrote to we got on the horn and he said, I’m trying to look for a way to And I, these aren’t Sam’s words, but reduce threat surfaces and I we continue to talk about this and basically look at ways in which we could limit access to data. And we talked about conceptually some things and.
And I think we mutually had somewhat of an epiphany in that the way in which we do encryption, we do a layered approach, is that I don’t have access to the guy sitting in the next office from me, his data, and likewise, and that’s the way it should be, I don’t want somebody who’s not been properly trained or is a in a different department to have access to my financial data as a, for instance, or my HR data, they shouldn’t have access to it because that increases the, let’s say employee threat surfaces that are available.
I don’t know, Sam, if that kind of mirrors what you were thinking, but that was what I had. Oh, terrific.
Sam: We do. Yeah. I’ve got three thoughts on this and I’m going to try to keep it pretty short because I don’t know how much time we have. So I want to be respectful of the time but let me cover the three of them and I can dive in as, as deep as you guys would like.
So the first thought that I have is this concept of best effort and a lot of organizations. And in fact, a lot of managed service providers. are going through an ad hoc or best effort approach of how they handle cybersecurity. I know off the top of my head, everybody should have a backup.
I know off the top of my head, I should be looking at fault tolerance or some sort of redundancy, right? And I’m just going off the top of my head [00:45:00] and I can come up with a lot of information. A lot of people can, right? They can come up with pretty good framework. On their own, but the advantage of using an established framework is that you’re not doing best effort.
It is not ad hoc. It’s a methodical approach to handling cyber security. It’s addressing asking questions regarding management trolls, how to implement technical controls. And I think that is regardless of what the tool set are, regardless of what the acronyms are, I think having that methodical approach is absolutely key to any organization or MSP success as it relates to cybersecurity.
The second thing I wanted to tie into is I’ll share a little bit more about the introduction as far as how Cam and I met. We had an issue. A lot of the clients that I’ve worked with I don’t get introduced to until after something bad happens. And then somebody who knows somebody, ends up calling us up and saying, Hey we’ve had an accident.
In this particular case it was the organization was pretty well protected. They had a lot of protections in place. They were actually managed by a managed services provider. There were a lot of tools. The threat actor was pretty good. They were able to bypass the tools.
They were able to get in and they were able to secure and exfiltrate data. So the company had backups and they were able to recover and it wasn’t until there was a risk of data leakage. So the threat actor said, Hey, we’ve got your financial data. We’re going to publish it on some sort of wiki or whatever.
And and the company ended up paying because they didn’t want that to happen. And that’s super, super common. And as we were working with the threat actors to negotiate the payment and, bring this whole thing to a close. The threat actor made a comment and said, Hey, if you actually cared about your data, you would have encrypted it.
And so the MSP came to me after the fact, and they said, we’re doing data encryption. We’ve got BitLocker, we’ve got FileVault, we’ve, everything is, using a secure transfer protocol. Like we’re doing all of the things and what they weren’t doing was, the computer’s up, it’s operational.
People are logged in. Somebody clicked on a phishing email. That’s how this whole thing started. And the threat actor was able to gain access, enumerate the environment and bypass the endpoint protection. And it doesn’t matter what the endpoint protection is. Cause there’s a way to bypass it. There’s no single answer Oh, this protects you against everything.
And the threat actor was able to gain access to data. It wasn’t a ton of data, but it was important data. And The question was super valid. I’ve got this finance spreadsheet, right? I keep going to that as an example. There’s a reason for that. How do I protect it? If some threat actor gains access to my.
Computer into my data while I’m here online, BitLocker is not doing anything because I’m logged in and BitLocker is no longer enabled, right? BitLocker will protect it from somebody stealing my laptop, but it doesn’t protect against that data that’s currently in use. So I ended up reaching out to Beachhead and a bunch of other companies and I said, Hey, how do you guys manage encryption?
And long story short Beachhead as a platform. Can manage who has access to what data, right? So myself, Sam, as a user on my computer, because I’ve got a different privileged access. I’ve got a different admin account, right? I’m following my own advice. And so Sam as a user has access to my finance spreadsheet.
Sam is an administrator. Or the local administrator or a system level user. None of those users have access to that finance spreadsheet. From a threat actor, TTP perspective tools, techniques, protocols TTP tactics, protocols, whatever it is they’re not accessing. Data as me, they’re not trying to be me as a user.
They’re trying to be an administrator. They’re trying to elevate their privileges so that they can enumerate the environment. They can figure out what’s on the machine. They can see I’ve got this finance spreadsheet looks super interesting. They can, try to grab it. And as an admin or as a system level user, Beachhead manages.
That encryption so that those users don’t have access to that data. I have access to it. Why that’s relevant to MSPs is because I’m asked often by MSPs, Hey, how do we communicate to their clients that we’re not going in and looking at their data and having a platform like Beachhead to manage that encryption and to deny access.
To admin level users or system level users is an excellent. That’s that confidence again, right? MSPs don’t want access to this data. They’re not trying to gain access to the finance spreadsheet. They would rather not have [00:50:00] access to any of it, but their admins, they’re administrating the platform. They’re administrating the workstations.
They don’t have a choice. This is just kind of part of the job. So if there’s an additional level of protection for MSPs and an additional level of protection for their clients That’s an excellent thing. So as a cybersecurity consultancy, we’re product agnostic. I’m not going to sit here and say, Oh, I think that this antivirus program is the best or that managed detection and response platform is the best.
As long as the tool is implemented in a, a well reasoned tool with a good reputation and whatnot. As long as it’s administrated appropriately, it’s going to do a pretty good job. It’s not going to do all of the everything and having that defensive depth, having multiple tools to provide, layers of protection, I think is super, super important.
Every once in a while we run into a product that kind of stands on its own. There’s other encryption management platforms out there. Beachhead is not the only one. But from a centralized management perspective as a managed services provider or a managed security services provider, it’s nice to have that centralized ability to do this level of protection on behalf of the MSPs and the clients.
So that I would have to circle back and try to loop this back to your question, but I wanted to share that story because I think it’s super relevant, right? It’s. How do you talk to MSPs about removing yourself from the tech stack and talking about the capability and that capability that I’m talking about?
Hey, how do you protect the data if you’re actively using it? That’s a valid question. Doesn’t have to, there’s a lot of answers to it, but, anyway, Sam,
Cam: didn’t the threat actor say to you, if only the exfiltrated data that I have access to. We’re encrypted. You’d not have a problem.
Sam: Literally the sentence was, if you cared about your data, you’d be encrypting it and the managed services provider came back and said, but we are. We are right. But not in a way that was functional under that scenario.
Erick: Sam and Cam, I really, that, that story resonate resonates with me.
And as I’m sure it will resonate with our audience, because you touched on something that. The data is true in two different, very specific ways. One way is, overcoming that objection of the business owner that says I’m a small business who wants my data. And I always say to, to my MSP audience my immediate way to overcome that objection is you want your data, don’t you?
And you don’t want it published because now there’s that double. Double indemnity or whatever. It’s not only that they’ll take the data or crypto lock it, but they will release it on the internet now. So beachhead, addresses that the situation, but the other one is very interesting as well is the MSP themselves being, having that barrier from, accessing or manipulating or anything.
that can keep that MSP out of any kind of legal trouble. Should something happen, there’s a demonstrable way for the MSP to say we had, we don’t have access to that data. We don’t deal with that data or some customers that say we don’t want your team looking at our financial data.
We can’t look at the financial data because it’s all encrypted. We can still provide great service. So those are two very interesting. Perspectives that I wish we had more time to dive into, at the end of the day, Cam, we talk about, Hey, there are these controls.
There are these mandates. There’s, NIST 800171. all these different regulatory compliances. Compliances, if that’s a word that business owners need to comply with how has beachhead helped its partners in terms of providing. Tools or our mapping or diagrams or whatever demonstration they need that shows how it maps to those controls.
So that when we sit in front of a prospect and say, Oh, you need them you need to comply to these specific regulations. Here’s how we’re going to help you do that.
Cam: Yeah, thank you. Thanks for that. We have actually, as I mentioned, an exercise that I went through that I.
That was tedious, but we went through and mapped it. I have the results of that. We have a white paper that I think we’re going to give access to from here somehow that I’d be happy to give it. It is, it has expert contributions from others much smarter than I, but we’ve mapped all our. Controls, including the one that Sam just mentioned against CSF and against all the other compliancy mandates as well.
Hint, hint[00:55:00] that will become part of our product because I think, again, to build the confidence and be able to, distinguish your offering, you ought to be able to say, look, we’re. We are providing a lot of the controls necessary for CMMC 2. 0 or whatever the man is. Just a, a glimpse as to what we’re currently working on.
And I think you’re going to see this from other vendors as well. We don’t do everything. As Sam said, there’s a lot of tools. But we handle some of the other things, other, we address other risks better. But I think you’ll see other vendors providing that information because it is going to be a requirement.
It’s coming, there’s going to be more of this stuff and the MSP needs to be able to convey that documentation, that proof. And as Sam says, build their
Rich: confidence. I I cover the the news of this industry and in my blog separately, Channelholic for folks who are listening carefully, you just got to scoop cause Cam just told you what’s coming next from VChat solutions, which I didn’t actually know.
We’re going to keep in touch on that Cam and I’ll make sure I write that up for the the readers of Channelholic. Unfortunately, and I do mean unfortunately, because we talk about compliance on this show and this was a really kind of substantive conversation about it that I found very helpful and interesting, but we are out of time.
Cam, before we move on where can people get in touch with you, learn more about you, get in touch with Beachhead, learn more about Beachhead?
Cam: They can, go to my website. There’s all kinds of links that’ll ultimately get to me. My email address is C. Roberson at apologies for the long stern beach at solutions.
com. C. Roberson at beach at solutions. com. Our phone number is 408 496 1690. Oh my God. I give my cell phone. Mostly they call me and myself nine to five. 895 5726 and our as again I hope we’ll provide a link to your listenership to get that compliance guide, the MSP compliance guide, if you’re
Rich: interested.
Absolutely. Absolutely. We will do that. And I have I have read it. It is well worth reading folks. Thank you so much for making time and joining us here today. Great stuff. Good to see you again. Folks, we’re going to take another break here. When we come back on the other side, Sam will join us to wrap up the show, maybe have a little bit of fun.
So stick around. We. All
And welcome to the final segment of this episode of the MSP chat podcast sponsored by beachhead solutions. Like I said a few moments ago, there was a lot to that interview that I really enjoyed. If I was to boil the whole darn thing down to one word, the one word to take away I think it would be differentiation.
There are, and this is something you were talking about, Sam, there are 86, 000 MSPs on planet Earth right now, about 43, 000 make 40 percent or more of their money from recurring revenue, according to Canals. There are a lot of MSPs out there that you’re competing with, and they’re all pretty much doing the same basic stuff.
So how do you separate yourself from the pack and compliance? Particularly right now, and this is only going to get more true. I think if we move forward is a really good answer to that question and it’s a very important question.
Sam: Absolutely. Yep, I think Confidence as it relates to compliance and being able to answer the question regardless of knowing what that question actually is, I think is something that will really help MSPs moving forward.
Any final thoughts before we move
Cam: on, Erick?
Erick: Yeah,
I think that if I were still running my MSP practice today, I would see, this move toward regulatory compliance as, increasing more and more. I hadn’t thought about it, I sold my MSP practice way back in 2007. So we didn’t have, these kinds of concerns like we do today.
There’s, and they don’t seem to be slowing down at all. So I would see compliance as that unique opportunity to differentiate my practice. As an MSP, I think to myself, okay, what is it going to take for me to have that confidence that we’ve been talking about so much during this episode sponsored by Beachhead solutions.
And it takes confidence in your strategic vendor partnerships and in the additional support that they can provide you so that you can have these conversations with your prospects and your clients and [01:00:00] overcome some of these. I think typical objections that we get. Sam, from your perspective, did you, I’d like to understand a little bit more about how you evolved into doing the business that you’re doing.
Were you migrating your practice from the traditional MSP that we are also familiar with, and then saw the opportunity yourself and started focusing more and more on compliance and then leveraging Beachhead. Support to help you get there. How did you approach this? And what kind of guidance would you give to MSPs that are looking at this and going man that you know I don’t understand how i’m going to get there from here.
It seems like a lot. You know that i’m gonna have to work towards. Can you give them some guidance? Absolutely.
Sam: First point of clarity Kenny Monk Cyber very small organization focus solely on the consultancy aspect of it. We’ve never actually been a managed services provider.
We’ve had the privilege of working with a number of MSPs in the area and actually across the country as our presence has grown and we’ve worked with various clients. We inevitably end up working with their IT providers. As far as advice moving forward it’s overwhelming if, and it, even the most simple cybersecurity framework is almost too much if you look at it, like in its entirety.
I think the key is to understand that, it’s an iterative approach. We all start somewhere and as long as we can demonstrate that we are moving forward I think that’s. You know what every msp needs to keep in mind. It’s not just you know, hey, are we doing these things?
It’s hey, do we have the ability to demonstrate that we’re doing these things and have a plan of action moving forward? That we’re not going to solve 100 and we’re probably never going to get to 100 But how can we continue moving the needle forward? And I think if every msp, you know takes that approach.
It’ll help their own practice and it will help their clients. Really great stuff
Rich: and a great place to close out the compliance conversation with. It leaves us with time for one last thing, folks, though, and I’ll tell you right up front, this is going to resonate a little bit more if you fly Delta regularly, as Erick and I do, but this concerns a a Delta flight.
That was making its way from Amsterdam to Detroit, Michigan, just a few weeks back. Apparently one of the passengers I guess a Dutch passenger on the plane, for reasons not explained in the news coverage I’ve read, had a lot of rotten fish in a carry on bag that they had brought onto the plane with them.
And the rotten fish was covered in, yes, maggots, ladies and gentlemen, and they made their way out of the bag. And all of a sudden there were some people on this plane who were getting maggots rained upon them. Now, you don’t actually have to be a Delta flyer. Anybody understands the indignities of flying.
Raining maggots, that’s a little bit beyond. All of the inconvenience and the discomfort that we’ve gotten used to. But if you’re a Delta flyer and you know that they have changed the rules around their Sky Miles program in ways ticking off the Delta radios this just feels like Delta may be really turning up the volume a little bit too loud.
In terms of wanting to turn some of us away from the airline.
Erick: Yeah. I don’t think that’s a delicacy in any country that I can think of. Rich.
Rich: Yeah, neither the rotten fish, nor the maggots yeah, I don’t know, but glad I wasn’t on that flight. Folks, that is all the time we have this week for this episode of the MSP Chat Podcast, sponsored by Beachhead Solutions.
Thank you so much for joining us. We’re going to be back again in a week with another episode. If you are listening to the audio version of this podcast, there is a video version of this as well. You will find that on YouTube. If you’re watching the YouTube version, But you’re also into audio podcasts, you will find us wherever you get audio podcasts, whether that’s Apple, Google, Spotify, you name it, we’re there, wherever you find us, please subscribe, rate, and review that’s going to help other folks like you find the show and enjoy it just like you do.
This show is produced by the great Russ Johns he can produce a podcast for you too, folks, if you want to learn more about him, check him out. At rustjohns. com and channel mastered is responsible for this podcast. There’s all sorts of great stuff we can do for you. If you are a vendor with an MSP channel to learn more about us, you’re going to want to go to channel mastered.
com. So once again, that is all the time we’ve got this week. We’re going to be back again in one week’s time with another episode for you. Until then, folks, please remember you can’t spell channel without N S
Sam: P.[01:05:00]
