February 2, 2024

Episode 11: Understanding Vendor Relations and Security Awareness Training

Erick and Rich discuss some intriguing statistics from IDC’s latest North American Partner Landscape study and the why-to and how-to of offering flexible work arrangements. Then Connor Swalm, CEO of Phin Security, joins them for an expert’s take on maximizing customer benefit and revenue in security awareness training, constructing a great MSP security stack, and giving yourself “permission to suck”. And finally, one last thing: a possible answer to a recent Krispy Kreme mystery in the City of Light.

Rich: [00:00:00] And three, two, one, blast off! Ladies and gentlemen, welcome to another episode of the MSP Chat Podcast, your weekly visit with two talking heads talking with you about the strategies, services, and success tips you need to make it big in managed services. I am Rich Freeman, I’m chief content officer at Channel Master, the organization responsible for this podcast, and I am joined as I am every week by my business partner at Channel Master, our chief content, or excuse me, chief strategy officer and my friend of many years, Erick Simpson.

Erick, how are you?

Erick: I’m doing well, Rich. I’m doing very well. In fact, from a personal and a professional level, just getting stuff done that I’ve had on my aspirational to-do list to get done before the end of the year. And so I’m Christmas shopping done in advance, got to meet with some family from out of town and hosted them, and from a business perspective, just making sure that we’re finishing 2023 strong and have a great strategy for 2024, just like many of our listeners are preparing to do.

Rich: I am envious. I have not, as we record the recording this before the holidays, I have yet to complete my holiday shopping. Most of it’s done, but not all of it. I’m getting nervous cuz big day’s coming up real quick here. So I gotta get a move on, wrap that up.

Erick: You better get online quick, Rich. Yeah.

Rich: Yeah, exactly. I want it there on the day itself, but let’s dive into our story of the week. And this is derived from a post that, as we record this, will be going up shortly on Channel Holic, my blog. You can find that, folks, channelholic.news. And this is inspired by a conversation I had earlier in the week with Steve White. He is an analyst at IDC. He’s also a co-author of a recent study IDC published, their 2023 North America partner landscape story. And it painted an interesting picture. There’s all sorts of interesting data in the study, but there was one set of numbers in there that really jumped out at me.

They surveyed 503 partners in North America, various sizes, various kinds. They asked them to rank their top opportunities. Number two on the list was vendor relations. And then they asked the same 503 partners to rank their challenges, and number two on that list was vendor relations. So the very same people who see a lot of opportunity around working with vendors also are having a lot of challenges around working with vendors.

It’s an interesting and understandable phenomenon. So on the opportunity side of that equation, obviously, there’s something like 200,000 vendors out there right now. That number is growing all the time, per Jay McBain at Canalys, so that there’s just never been more vendors for an MSP to work with.

These are companies with well-oiled sales and marketing machines and online marketplaces, online e-commerce presences. So a ton of great vendor opportunities for MSPs out there, but it’s also very challenging to work with those companies. First of all, MSPs are at least as busy as they’ve ever been, if not more so. Nice problem to have, but it is an issue, you know, that CompTIA just recently came out with their most recent tech unemployment report in tech occupations in the U.S. The unemployment rate is 1.7 percent right now. That’s versus 3.7 for the entire economy, less than half. MSPs are working really hard. They are shorthanded. They are trying to keep up with more vendors than have been out there ever before. Those vendors are continuously rolling out new products and then all sorts of programs and enablement systems and tools and whatnot to help their partners be successful with those products. It’s hard. That’s challenging and interesting. You look at it from the other side, from the vendor point of view. It’s a very similar kind of thing. The vendors, to a greater degree than has been true in recent years, really do understand the importance of having an effective channel. This is something that’s been familiar in the software world for a long time, but in the era of software as a service in particular, in recent years, there have certainly been and still are some vendors out there who figure I can just sell direct. I don’t really need a channel, but that’s really beginning to fade away.

They are understanding that you scale faster, grow faster if you have a channel. But they’ve got a lot of different products and services and changes that they need to communicate to those very busy partners. Those partners are a little bit harder to communicate with because they’re harder to [00:05:00] classify.

So it used to be you knew this partner here is a VAR and that partner over there is an MSP. When IDC went out and asked partners to classify themselves, on average, those partners, a lot of them, spells into 3.2 categories. So they’re all VARs. They’re all MSPs. They’re all system integrators. And a bunch of other different categories makes things difficult for the vendor.

So opportunity and challenge on both sides, how do you fix this? One thing that the vendors can do, and we’ve just very recently seen Barracuda Networks do exactly this, is take a bunch of different partner programs for those different partner types, roll them together into one program. That’s going to be easier for the vendor to manage, easier for the partners to manage as well. And then the other thing that we’re seeing increasingly from vendors is rolling out personalized, centralized portals. So making it easier for partners to get all the information they need in one place, but do that on a customized, personalized kind of basis, sometimes with help from AI.

You’re not just going to one destination to learn what you’ve got to learn. The stuff that kind of surfaces fastest and is easiest to find is going to be tailored to you and your particular needs. And then last but not least, and this was a point that Steve White from IDC emphasized, I’m talking about stuff that the vendors can do to help here, but the partners, the MSPs have a role in this too, and that is to find the client.

It is not easy. I’m not saying it’s easy. But you gotta find some time to invest in these portals and these resources and try to keep up with what your vendors are doing. It’s a relationship. If you really want to take advantage of these vendors, it is a relationship and you’ve got to put some work in on a relationship as well.

Erick: Boy, Rich, there’s challenge and there’s opportunity here. And I think some of the things that I take away from this, being a recovering MSP myself, are the, what we’re talking about is the sprawl that creates some of this additional work that gets in the way of MSPs being able to really take advantage of some of these opportunities.

So there’s work that needs to be done on both sides. Like you mentioned, on the MSP side, what’s important to them is to increase their efficiencies, increase their profitability, make more money, reduce vendor sprawl, reduce the, the multiple panes of glass it takes them to leverage all of these services and solutions in order to grow profitably and effectively.

And sometimes, the vendors, understand that they’re moving in a direction that first, serves their needs. Many of the mature vendors understand that. They have to incorporate the needs of the MSP first, but some don’t. So you and I talk a lot on the channel mastered side of the conversation about, consulting with some of these vendors and asking them questions like is your program MSP friendly, quote unquote.

Imagine what all those things may mean to MSPs. First and foremost is, does it make integration easy into my other platforms? Does it make my billing and invoicing easier? Does it make the life of my staff easier? And ultimately does it make more money for me? So these are the kind of the fundamental table stakes I think that it takes for a vendor to really be attractive to MSPs. And how they deliver that and how they, you know, skate to where the puck is going to be in terms of growing their strategy and growing through an indirect partner channel is the key to getting what the partners need and what they need, as a team together, and sometimes those strategies don’t exactly mesh.

So that’s the challenge. And it’s very telling from IDC that both times MSPs chose vendor relationships as the number two thing that they’d like to see improvement on. So it’s going to take them both to come together and to achieve this, and that’s what it’s going to take.

So investors, hopefully, are listening to their MSP partners as they make these strategy adjustments and these program adjustments to make their programs more MSP friendly and easy for MSPs to do business with them. Not only to help their MSPs grow and build that indirect channel revenue growth, but also to lure potential new partners from their competitors.

So that’s an interesting dynamic and it’s not an easy challenge to solve.

Rich: No, not at all. And I think another way to think about this a little bit is a vendor partner relationship is very much like any other relationship. I suppose you really do need to [00:10:00] understand what the other person in that relationship is experiencing and what their needs are, so that vendors need to understand the MSPs and the MSPs’ challenges and wishes and so on, as you were saying, and conversely, the partners, the MSPs, need to understand what the vendors are looking for, what their priorities and challenges. So the vendors need you to stay up to speed on their latest offerings and get the messaging around those right and invest in learning how to use and sell those products.

That’s your contribution to the relationship. And then, as you’re saying, Erick, their contribution to the relationship is to understand what matters most to the MSP and prioritize that. And operating efficiency, growing the top line, growing the bottom line, very central. Let’s dive into your tip of the week, Erick.

And we were talking about that low tech unemployment rate and factors into your tip of the week here in terms of accommodating how and where your employees work these days.

Erick: Thanks, Rich. And yes, it’s very timely, tip of the week, because it addresses this post pandemic expectation or lack of alignment in expectation of employers and employees in regards to the getting back to work, right?

So we’ve gone from the work from home dynamic full time in many cases to now these employers are requiring folks to be back in the office. And for many MSPs, Rich, that’s where we would like everyone to be, is in a central location, because this is how we learn from each other. We have the service department or the NOC in a central location and this is how we train each other, this cross training and just learning, tapping your colleague on the shoulder saying, Hey, I’ve got this interesting ticket. Have you seen anything like this? And there’s this immediate close interaction and relationship. And nowadays the challenge becomes, in order to bring more folks onto the team, this idea of, we’d like to work sometimes remotely and sometimes we’ll come into the office and things like that.

And I think that’s an adjustment that a lot of businesses as well as MSPs are having to make to continue to grow. And in order to offer these flexible work arrangements, there has to be some framework around managing that balance. What are you missing from that internal, everybody in the office all the time, as opposed to some folks being remote all the time or remote part time? I’m working with a lot of MSPs where they’re hiring folks that are completely remote in other locations or other countries even, right? So we’ve always had some of that outsourced type of opportunity for MSPs, Rich, but for the core team that we’ve come to expect to be in the office all the time, now they’re getting poached by other competitors that are offering some of this flex type of relationship. And it’s important, I think, for MSPs to realize that is a benefit that may allow you to hire more folks or to keep. It may be one of the things that can prevent an MSP’s technical or sales staff from leaving to a competitor, is because they’re offering some of this.

So offering flexible work arrangements can help not only attract new talent, but also retain some of your talent. Investigate these opportunities and offer it in a way that doesn’t denigrate that ability for the team to feel like it’s part of the team, and put in place other measures to help these folks that are remote feel as if they’re an integral part of the team.

And I think that’s something that a lot of MSPs are, struggling with in some cases, some of them have figured it out. But, if you ask me directly, Rich, what my preference would be if I’m building an MSP, if I’m building a NOC and a service desk, my preference would be to have everybody at the location.

But barring that, facing this new reality and these new challenges of, again, attracting and retaining top talent, I would be forced to adjust my perspective on that and to build an opportunity for some flexible work arrangements, just to remain competitive in my industry.

Rich: Yeah, I know, I certainly know, and MSPs who insist that everybody be in the office five days a week. I think that’s harder and harder to do right now in this labor market right now. There are people I know who have pulled that off successfully, but it’s difficult.

[00:15:00] Conversely, we both know MSPs who are 100 percent remote. And they can be very successful with that model too. That poses some interesting challenges around culture and connectedness, and there’s some trade off that you’re making there in terms of that interaction among the techs and the increased efficiency that can result from them sharing ideas and so on and so forth.

I think the sweet spot increasingly is in between, and this is true beyond the tech industry, beyond MSPs. We’re seeing this across the business landscape, that hybrid sort of work arrangement where, and people are debating, is it three days a week, four days a week, but having people in the office part of the week and then allowing them maybe on Mondays and Fridays to work remotely seems to be where it’s at.

Yeah. A majority of people are settling, and the nice thing about that for an MSP is that you do at least have, if you adopt that kind of arrangement, you do at least have those few days a week where people are seeing each other, interacting with each other face to face, you have that opportunity to build and maintain a culture, you don’t have to figure out how to do all that virtually, and by and large, when I look at survey numbers on this, which I do periodically most employees out there, they don’t like it when they’re required to be in the office 100 percent of the time, but that kind of three days a week, a lot of them will put up with.

So you’re probably not missing out on recruitment and retention as much.

Erick: And this wasn’t the thing that it is today before COVID. We, this has been, we’ve seen a lot of change as a result of us all going through, time of COVID, let’s say. And it requires us to think differently about how we manage our teams, how we hold them accountable.

What platforms do we now have to really leverage or put into place to make sure that we maintain that connectivity? Slack channels, Teams, right? How do we manage and maintain that? How do we measure KPIs? How do we measure performance in a more objective manner? Because they’re not in the office as much and, really, managing be a performance.

So I think there’s some benefits to, to, to being forced to adopt some of these new flexible work requirements. Along with some of the challenges,

Rich: so managing a hybrid workforce, managing vendor relationships, big topics that we’re not going to completely resolve on a podcast like this, but important issues for people to be thinking about and sharing strategies about, but it is time for us to move on to our spotlight interview.

We’re going to take a break here. When we come back, we’re going to be joined by Connor Swalm. He is the CEO of Phin Security, a security awareness training company. Interesting guy too, and we’re going to get his take on the security landscape, the managed security landscape in particular. So stick around, we’re going to be right back.

And welcome back to part two of this episode of the MSP Chat Podcast, our spotlight interview segment. We are joined this week by CEO and co-founder of Phin Security. Connor, welcome to the show.

Connor: Thanks for having me, Rich and Erick.

Rich: So for folks in the audience who are new to you personally, just tell folks a little bit about your background and what you do.

Connor: Little bit about my background. I come from the first and the greatest state, Delaware. I’ve lived everywhere in Delaware, pretty much. I studied a bunch of math in college. I was a real estate investor for a little bit, always done, I guess you could say, like entrepreneurial things. And then when I had graduated college, didn’t want to really do real estate investment anymore for a variety of reasons.

And really liked coding, really liked the math, and tried to find a problem to solve for businesses and for people, just because, I don’t know, entrepreneurs are weird like that and a little bit of masochism was probably involved, you know, working all the time and trying to do things that don’t work. And here we are three or four years later and the rest is history, I guess.

Rich: You know, Connor, as we’re recording this, just about two hours or so ago, I happened to come across something that you posted on LinkedIn with some background information about yourself, and among many other very interesting things in there, I learned that you have an older sister and two brothers. And the three, three of you, the three brothers, are triplets.

Connor: We are. We’re all three triplets. We’re not identical, you could tell us apart, but if you saw us, you would know that we are very related. We’re very related.

Rich: And kudos, applause to your mom, that three identical-aged boys, that’s got to be a handful.

Connor: I like to say we were angels, but she would definitely disagree with you, so we just won’t ask her [00:20:00] for now.

Rich: For folks who are new to Phin Security, tell folks a little bit about Phin.

Connor: Sure, so we are, to put it simply, a security awareness training and phishing simulation platform built exclusively for MSPs. This was one of the, one of the problems of cyber security that I was I don’t want to use the word researching, but trying to understand when I was living with my parents, trying to build cool tools and I started looking at Verizon’s DBIR and really getting into how cyber attacks occur, and a lot of it is through people making mistakes not knowing what’s going on, or just being unaware of the dangers that surround them, and in that process of talking with businesses about that issue, I ran across one MSP.

And that MSP was I’ll never forget it they ended an hour or two hour long call that I had with them by making the statement, Don’t even build me a better tool, build me a shittier tool that is easier to use, and I’ll work with you tomorrow. And I was, I’m still very dumb, but I was dumb at the time, but not so dumb that I didn’t quite hear that opportunity.

I was like, wait a second. Bad software is my specialty because, I’m the worst developer at the company. So I was like, all right I guess that’s what we’re going with. And so from that point, that was like three or four years ago, we have built an MSP focused platform where we just make it super easy for you to manage all your client’s activities and not have to babysit the dashboards while you’re doing it.

Erick: We hear a lot, Connor, about end user security awareness training. I know that, from my perspective, a recovering MSP, it’s one of those things where, if, the users are always the cause of the reactive support requests, right? We can do everything possible to manage and secure platforms, devices and services and things like that.

But at the end of the day, we’re dealing with human beings, right? So that opens up this opportunity for bad things to happen. Because we’re all humans and sometimes we don’t know any better. And sometimes businesses don’t take probably the approach that their MSPs and IT providers would want them to take and making sure that their users are trained on what to do and what not to do and how to identify things that look a little bit weird, specifically an email, like phishing attempts and things like that. But when left to our own devices as human beings, like we do what we think is the right thing to do.

And some of these cyber criminals, cyber terrorists are getting really good at phishing and penetrating that last bastion of defense, if you will, which are the human beings in an environment. So what’s the state of end user security awareness training now? It seems like something that most businesses should be aware of. It should be implementing. Are they?

Connor: From my perspective, they are. Not necessarily all of them are instituting awareness training to create more security. They’re more doing it to remain compliant with cyber insurance. That’s probably the biggest driver of adoption today. Starting about six months ago.

I talk with the people at Fifth Wall. I talk with a lot of other cyber insurance organizations. And all of them are saying the exact same thing. Is every underwriter and every broker they work with requires awareness training in the, just to satisfy the policy. At the very least, some of them have carve outs for social engineering related activities.

If you’re not enabling two factor authentication and credentials get abused, maybe that’s a carve out in your policy. I don’t know. I’m not a cyber insurance expert and all of them are different because they’re all written for that organization. So I would say a lot of the adoption is being driven by cyber insurance.

I would also say I don’t believe the awareness training industry is doing as much as it can to actually prevent breaches. So there’s a couple of pieces that play into that. The first is I had an experience studying math in college that is very similar today for average employees at organizations.

Anytime I tried to talk with anyone about math, the conversation was over. It got me up in the morning. I paid hundreds of thousands of dollars to an educational institution to go study it. That’s how much I enjoyed it. Nobody cared. Nobody wanted to talk to me. Not even my parents. Not, no exaggeration.

And when you try to talk with an average individual who just wants to show up to their job and do great work and be safe, When you try to talk with them about security principles, even if it’s something as simple as enabling MFA and why it’s important, the same thing happens, they shut down, the light dims from their eyes, the conversation’s over before it starts, they just want to check out and move on with their day and get back to their activities.

And what we’ve done as an industry, or what I’ve seen the industry do over the last, I’ve only been in it for three or four years, but I’ve looked back into the past decade, and we haven’t really found anything different to do. We’ve just doubled down on just give them more stuff and [00:25:00] make them do it. I say, you know, the industry has, our industry has so many sticks we could start a fire, and yet we don’t have any carrots and nobody’s getting fed. So it’s, we’re all starving to death and yet we’re warm, is the way I phrased it.

And when you look at motivating people and trying to get them to understand the threats that surround them and trying to get them to buy into, they have a place in cyber security regardless of their technical abilities. Nobody really wants to get bought in because of the way they’ve been treated historically.

Or some people would say that the IT industry has this sense of ego around understanding technology and that everyone should just get it by default. And I’ll give you a question that I asked. I did a talk with Wes Spencer who was at Persecurity and then just started Empath.

And we asked the room which was like 80, 100 MSPs. We said, who here had problems opening their email this week? Of course, nobody raises their hand in that way. Then we ask another question. Okay, who here has been playing with technology, servers, whatever you want to say, since they were like eight years old?

Everyone’s hands shot up. It’s great, if you flipped the answers to those questions, you’ve just gotten to understand your client base a little better. So it’s like, how is it that, it’s like, you are all in this room, you are so far, you’re so far removed from having problems understanding technology, that you don’t remember what it’s like, and that has informed the ways you’ve tried to teach those people how to recognize that it’s just not working.

Erick: That’s a great exercise. It’s a very simple way for, this audience that just expects people to do the right thing without having, that awareness of it to think about it a little bit differently. Yeah, thanks for sharing that. We’ve talked a lot about cybersecurity on this program.

We’ve talked a lot about cyber liability insurance. And, I’m a proponent and I’ve shared, on this program and, different sessions where I speak about, the requirement for MSPs and IT service providers to ensure that their clients have some form of cyber liability insurance policy.

And I’ve never heard anyone express the influence or the reason why someone should subscribe to and enforce end user security awareness training because they’re trying to comply with their cyber liability insurance policy’s minimum requirements. So that’s a very strong influence.

And in fact, I go as far as to say, if your clients will not subscribe to a cyber liability insurance policy or a rider on their existing policy and subscribe to your minimum cyber, enhanced cybersecurity portfolio of services, which basically allows you to demonstrate compliance against these minimum requirements of the cyber liability insurance policy, then they cannot be your client.

So what are your thoughts on that?

Connor: I actually just did a series of webinars on this with Ray Orsini and Jason Slagle and Wes and Alex, and then Reg Harnish, the founder of Autotask. And there’s this idea of the cybersecurity poverty line, is what it’s been named now, is, on one hand, you have my business needs to operate and a lot of MSPs need those clients in order to continue surviving.

And on the other hand, they represent an incredible amount of risk, right? If somebody’s not willing to pay for proper security they’re still going to blame you for security incidents. I think that’s what a lot of people aren’t willing to come to terms with is what I’ve seen from all of my MSP friends that are all partners of mine or not, or even if they’re not partners of mine, they’ll all make the same statement.

It’s they didn’t buy the security. They got hacked, or some incident happened, and then they still blamed me. Even though I could go back to my text messages, and my emails, and the meetings we had, and explain to them, Hey, here’s all the things that you wouldn’t want to buy that not necessarily would have prevented this, but would have made this less likely to occur, and you said, no, I can’t afford that.

So I guess my answer is probably not one that it, feels good to hear cause it’s going to be, it depends. Out on one hand, you still have to feed yourselves and your family and you have employees to take care of and all that. And so obviously that comes first a lot of times. On the other hand, you can’t afford to work with clients that aren’t going to be secure.

They’re still going to blame you. And if any of the lawsuits that are currently going on or have just been recently settled against MSPs, by the way, any indicator of what’s going to continue happening, the risk, it’s all going to keep flowing uphill, and then you’re the final thing, you’re at the top, there’s nobody above you at the top of the hill, you’re where the buck stops, and that’s a dangerous place to be.

Erick: Let me ask a follow on question. It is a challenging decision, for an MSP to say, I’m going to plant this flag in the sand and say, look, you have to have a cyber liability insurance policy and you have to allow me to meet the minimum requirements of that policy because the risk to your organization is very great and the risk to my [00:30:00] organization As the MSP and by extension, all of my other customers is great because you’re failing to move in this direction.

So a couple of things to think about, when I, share this Connor is when the client gets breached or hacked, he’s for that remediation number one, right? Because, and you mentioned, Hey, there’s a lot of lawsuits going on against MSPs are getting hacked. We know that, supply chain things and all that.

Their customers are getting hacked as well. I’ve posed this question when I’ve done speaking engagements and I say to the audience, hey, audience of MSPs, MSSPs, I say, if a client gets hacked and they haven’t subscribed to your enhanced cybersecurity portfolio, i.e. they’re not paying you to guard against this, do you let them swing in the wind, or do you rescue them? And the vast majority, if not the overwhelming majority, will say we rescue them. And then I ask, how do you get paid to do that? Because depending upon the size of the breach, and the local laws, and the reporting and all this other stuff, this could become, this could get bad very fast.

So just from that perspective, a client’s never going to be able to submit a claim against their policy if they haven’t demonstrated compliance against these minimum requirements in order to get the remediation paid for. So doesn’t that put everybody in a pickle?

Connor: I think it does, especially if it’s a business that’s not necessarily, I want to say, well entrenched and large enough to weather that storm on their own.

It’s why, if I were to, if somebody put a gun to my head and said, answer, really answer that question, I’d say, of course you should get cyber liability insurance and you shouldn’t ever talk with a client that’s not willing to do that. If not only for their own interests for yours as well, it’s if this has to be a partnership that works for both of us have to believe we are receiving something worth the money, we’re getting paid and paying, and if, I like the when. if mentality that’s going around on the site, it’s like, when you get breached, that’s how you have to approach it, you are unable to pay, it’s I still have employees that need to go do their jobs and still need to make money, and I you can’t force your business to operate at a loss because your client wouldn’t listen to you.

It’s just, it’s a really hard place to, it’s unfortunate for everybody if they’re in that position, and cyber liability insurance is, not a silver bullet. I don’t believe those exist, but it, definitely gives you some, something in the chamber to shoot out.

Rich: To the degree that we certainly hope yeah, most SMBs have cyber liability insurance the insurance requires security awareness training so therefore one assumes MSPs are already offering security awareness training these days, may or may not be true, you can give me your take on that, but I’m just wondering how big a business opportunity, a market opportunity is this a checkbox that an MSP has to check off and their end users have to check off or is this a a business opportunity as well?

Connor: It’s definitely a business opportunity for MSPs. I will say most MSPs we talk with are offering some kind of organized training. It’s not a brand new thing for them. The MSPs that offer a package where this is just a line item, right? They’re not naming Phin or any other awareness training program.

They’re just saying, we do awareness training for you. We like those the best ’cause that doesn’t require you be negotiating your contracts when you switch vendors, or if you’re adding it for the first time after they bought that package. What I would say is, awareness training for compliance has turned from a want into a need.

You need cyber insurance to exist today as a small business. And in order to satisfy your cyber insurance, you need awareness training. So a lot of the decisions that the conversations we have are not around. Do we want this? Do we really want to buy this? It’s we have to buy it. Let’s choose the best one that we have to buy.

I will say, I think there’s going to be a, I don’t want to say like a revolution, but a change in the space, where awareness training clearly is not accomplishing everything it needs to. There’s a reason why Verizon’s DBIR, every year, if you go back since they started it, every year humans have either been the number one cause or, when they were usurped, they jumped right back in the first place.

I, I studied enough math to hate the way a lot of people interpret statistics, but what is very clear, by the way Verizon, the DBIR, interprets it, is, humans are still a very big reason, the mistakes they make, the things they’re unaware of. We’re biologically wired to fall prey to appeals of authority and to be fooled. We’re literally wired, as humans, all of us, and last time I checked, IT people are humans too.

We’re all wired to fall prey to this stuff. And so what I think there’s gonna be is a change in the way normal people, average individuals, the clients of MSPs are exposed to the problems and to the issues that they’re gonna have to be aware of before they turn into real social engineering.

The way I phrase it is we need more scrimmages and less batting cages is a lot of times [00:35:00] today with your security gateway and your web filter and with other various tools, you have agents whatever, a hundred agents you have on your devices, running and collecting data, what threats your employees are likely to face.

You just haven’t collected enough of that data to interpret them. Why aren’t we turning that into test exercises for employees and then don’t make them do more training when they fail, just give them more of the experience. Of of phishing or of social engineering have them get exactly what they need to recognize what’s relevant to their job before it turns into the bank information gets changed on an invoice and you’re out 40 grand.

It’s there are ways that we could prevent that. We can just expose them to more of reality as opposed to trying to cut off more and more access to different tools. Prohibition didn’t work to reduce alcohol consumption in the United States. It just moved it all underground. Why is the IT industry, we’re trying to do the same thing with average people, cutting off access to tools and making, giving them less ability to do their job in the sake, for the sake of safety.

It’s not necessarily going to create any more safety. It’s going to move all the behavior, you know, underground. So now you’re just not aware of it. But it’s still happening.

Rich: The exercise, the test exercise you just described a moment ago might be an example of this. But I’m wondering security awareness training, everybody needs it.

It is a business opportunity for MSPs. Are there things MSPs can do in terms of what they deliver, how they deliver security awareness training to increase the top line and the bottom line impact of that service?

Connor: Yes. Let’s start with the bottom line, like the finance for as an MSP, find a tool that’s automated and make sure you know how much time your employees are really spending managing the tools that you’re purchasing.

That’s the. Everyone will tell you that I would say awareness training, even though it’s a very simple and very well defined product offering. Sometimes it can just be, it can start to sprawl in terms of the activities your employees have to do to manage that. You can also, a lot of our MSPs offer it at near 100 percent margins, if not more.

So it’s not necessarily the biggest revenue generating activity you’ll ever do, but you can make it a positive, a revenue positive event. Again, if it’s automated enough. In terms of the effectiveness for your users, there’s two things that I would highly encourage, honestly, there’s a lot more things that I’m aware of that I could tell you not to do, but I’ll tell you two things you should do deliver it as frequently for as short a time period as you can, right?

And I explained this my mechanic that I use explained oil, the best thing for your car would be the oil would be for the order run out into the top and out the bottom. But that’s not feasible, so you change it every 3,000, every 5,000 miles. It’s the same thing with training. Deliver as small bits of it as you can, as often as you possibly can.

Don’t make them take hours or even 30 minutes to do their training every quarter. Make it five minutes a week, ten minutes a month, whatever it needs to be. And you’ll actually see that people retain way more information when stuff is delivered more consistently like that. The second piece is make it relevant to the individual’s job.

Don’t give the people in accounting health care related, obviously if they’re in a health care facility, you have to do that, but if they have nothing to do with health care, don’t make them take health care related training. That’s, this is a pedantic example, but I see it all the time.

It’s like, why are the people who will never come into contact with payment information in their entire life here at this organization? Why are they getting 30 minutes of PCI training every quarter? Sure, it might be required. Is it? Is it? Do you know the answer to that? A lot of them can’t tell me. So I would say make a job relevant.

Make sure that the people who are getting the training are getting something that’s relevant for them to do their job. A good friend of mine who runs another awareness training company in the space, he said, If people leave their training experience and saying, That wasn’t the worst thing I’ve ever seen.

That is a top tier experience. That’s how low the bar is in terms of getting people to buy into their own training so far.

Erick: Yeah, that’s interesting, Connor. Now, obviously there’s a lot of opportunity to customize training to the individual. That makes a lot of sense. And, your perspective on this is super helpful to the folks that, listen to this program.

But let’s shift for a second and think beyond training. Now, you, we tied together. The elements of, I think, a strong case of the necessity of having cyber liability insurance because hopefully that’ll, guard against, extraordinary expenses if we’re demonstrating compliance against what’s in those minimum, cyber liability policy requirements, right?

And security awareness training, 2FA, password management, whatever those things are. But from where you’re sitting, Connor, what else do you see, outside of just meeting those minimum requirements in those policies, are essential elements of a complete security stack for MSPs to deliver to their clients?

Connor: A complete security [00:40:00] stack. I guess I could go through the five things that most cyber insurance policies require. And then we could talk about things that should be done above and beyond that. It’s EDR, backups, managed AV, MFA, and awareness training. Those are, like, the big five. And if you go talk to cyber insurance companies or you go dive into policies, those are really the big five areas.

I would say doing almost all of the, doing all of those, that should be the poverty line that we talked about earlier. If, reality is, if you choose your tools right, just for those five things, you could build an incredibly economical package for even your most cost sensitive clients to, to use.

And they’ll satisfy cyber insurance requirements so they can get the insurance anyway. So on and so forth. I would say above and beyond that, it depends upon the verticals that your clients exist in. So now that car dealerships are required to report their financial information and have different controls in place now because of all the regulation that just came out.

What should you do? You should probably get a little bit more of additional training. You probably need to secure more gateways. You need some amount of financial software and more process in place to make sure things are getting reported properly. I, I say, outside of tools, I would make the following statement that actually I stole it from Ray Orsini, by the way: most of security is people and process. In order for a breach to occur, regardless of where the human was or was not involved, all of the software you purchased had to fail first.

If that’s the case, most of your security should just be people and process. Actually, look at your client, look at the way they operate, look at their business and how they generate revenue, and build security, not with tools, but with people and process around it. That’s what I would say is probably the most effective thing to do.

Erick: Yeah, that’s that’s great great perspective, Connor. You recently did a podcast about something you called Permission to suck. What is that for our listeners and why did you want to talk about it?

Connor: Permission to suck. Nothing, I’ll make the bold statement of nothing you do in life that’s worth doing you’ll ever do correctly for the first time.

So it’s if you want to do anything that gives you Value that you take a lot of value from that you feel really wakes you up in the morning on a consistent basis, whether that’s hiking with your family or providing security to small businesses in your community and being like a stalwart in your community there, protecting them, whatever that is, you’re going to suck at it.

If when you start, it’s that’s just the reality. It is a platitude that a lot of entrepreneurs will say, if you go look at them, get interviewed that Oh, I’m just better at failing than you. And I would always cringe when I heard that. I’ll still cringe every time I hear it.

And then I look back on all of the stuff that I still suck at, and all the stuff that I sucked at way back then. I’m like, oh, it’s actually that, that kind of rings true. I just didn’t, I was so dumb, whether that’s by hubris, or ignorance, or just lack of intelligence, that I didn’t know that I shouldn’t try something.

I just decided to go do it. That was it. It was the only thought that existed in my head. And what I think’s really needed, and I think what would be best for the world, is everybody approach life from that angle. Is, you have permission to suck at all this. You don’t need to get it done perfectly.

You don’t need to be perfect in order to start doing something you think you might enjoy, or you, or might provide value. You just Go do that. What you really need to be careful of is if you do that, and your ego gets in the way. Because that leads to destruction for everyone involved. You need to have a certain amount of humility involved to know, I’m gonna suck at this, I’m okay with that, and I’m willing to accept the rightly deserved criticism and the rightly deserved feedback when it comes my way.

And that’s what I would say is the permission to suck is you don’t have permission to be egotistical. You do have permission to try things and be willing to accept the feedback that comes.

Erick: Is that similar? Sometimes I say, look, we know it’s not going to be perfect, but what we’re looking for here is progress over perfection, right?

Is that similar?

Connor: Yeah. Yeah. When I was a real estate investor the term that got thrown around was analysis paralysis. So I flipped my first residential property when I was 17. And I remember doing that, screwing up every which way, still made a little bit of money, a tiny bit of pocket change.

And then I went to my local real estate investors association. I talked about it. And I got up at the front and I had a note card. That was all the talking points. There was like 200 people that I was talking to. It’s what the hell does a 17 year old loser know? In reality, I didn’t know, but I just had a note card with a single note on it.

So that’s the only difference between me and all of you in the crowd is I just did it. That was it. It’s not because I’m smarter. I’m not. It’s not because I’m more experienced. I know I’m not. It’s not because I’m better at this. I’m 17, dude. I work in Chick fil A in my spare time. I am not more qualified.

I am arguably less capable of all of this than every single one of you in this room. And whether it’s hubris or whether it’s ignorance, I just decided I could go out and do it, and I did. So that’s, that was what I would that’s what I would tell them. Analysis paralysis. Don’t get caught up in that.

Just do your due diligence. [00:45:00] Know that you’re going to be uncomfortable the entire time. That’s when you know, you should jump. It’s going to be uncomfortable.

Erick: And I especially appreciate, your guidance that says, have some humility, be humble. Don’t let ego get in the way, we’re all students all the time.

I don’t care, how successful you are. Like you said, you’re going to suck at a lot of things too.

Connor: I will tell you where ego gets you from personal experience. So I flipped that first one when I was 17, I ended up flipping 14 more. Borrowed a bunch of money from a bunch of real estate investors.

I tried to buy one more home and all of them said, don’t do it for a variety of reasons. I told them to F off that they didn’t know what they were talking about, that they were just losers on the sideline. And, like the biblical principle, pride cometh before a fall. I lost every penny that I had made over the course of four years, had to move back into my mom’s basement.

And out of, that basement came Phin, eventually. But for a very long time there, it was just me, wallowing in depression, and my own the result of my own hubris. It’s I know exactly where ego gets you, because I know where it got me, and it was nowhere that I want to be ever again. Don’t, just be sure to listen to the people that you bring around you.

Usually they’ll have some really good advice that you should listen to.

Rich: Connor, I can say definitively that you do not suck as a podcast guest. This has been a really interesting conversation. We’d love to have you back on the show at some point in the future. For now though, for anyone in the audience who would like to get in touch with you or learn more about Phin Security, where should they go?

Connor: There’s really two places you should look. Our website, Phinsec, that’s P H I N S E C dot I O (https://www.phinsec.io/). You can also find us, Phin Security, on LinkedIn. And then you can find me on LinkedIn as well. It’s just my name, C O N O R dash S W A L M. LinkedIn, Conor, slash Conorswong. And just connect with me there.

Don’t sell me anything, or I’ll probably block you. But, I’m always willing to have a chat about anything you’d really ever like.

Rich: Alright, fantastic. Again, thank you very much, Connor. Folks, we’re gonna take a break now. When we come back on the other side, Erick and I will chat a little bit about this very interesting conversation with Connor.

Wrap up the show, and maybe have a little fun in the process. Stick around!

Alright, welcome to the final part of this week’s episode of the MSP Chat Podcast. Once again, thank you to Connor Swalm for joining us for that spotlight interview. Very interesting guy. A lot of different angles we could approach in terms of sharing notes on that interview. One of the things that struck me is just it’s important to know your strengths.

And he obviously is a very effective verbal communicator. And so that’s what he does. Basically he’s learned that this is how he works with customers and works with partners and so on. He is at his best in front of a microphone on a zoom call or something like that. And he just really takes advantage of that.

Erick: I think that’s smart. Yeah, I think that he’s obviously very personal, very humble. I like his leadership style, Rich. I like the, and like you said, he understands what it is that he does best for his organization, for his mission, but also what he’s the most comfortable doing. And he’s worked diligently to put himself in that role.

For his organization. And that is something that is very admirable and is very challenging for entrepreneurs sometimes to achieve, to get to that point where they are very focused at working towards getting to a point where they understand exactly what their value is and they are now able. To do that as their primary role in an organization.

Rich: Thank you once again to Connor. We hope to have him back on the show at some point in the future. That leaves us time, Erick, for one last thing. Now, regular listeners of MSP Chat might recall the one last thing we had time for in the previous episode, which concerned the mysterious theft of a van from a town just outside of Sydney, Australia. It was a van with Krispy Kreme donuts in it. Somebody made off with the van and the donuts, and when we spoke the police were still looking for the thief and the donuts.

I think we may have solved the problem, this mystery, because just days after that theft in Australia, Krispy Kreme opened up its first store in France, in Paris specifically. And they know their baked goods in France, you may have known, they got a lot of bakeries, they’re into baked goods, and yet their Krispy Kremes, Erick, have been a giant hit in Paris.

They, that restaurant, that one first Krispy Kreme outlet opened up at 8 a.m. on a Wednesday. There were 400 people in line when the doors opened up, some of whom had gotten in line 10 p.m. the evening before, 10 hours in advance. [00:50:00] Now, some of that, according to the people writing about this, has to do with the fact that the French have been hearing about, seeing Krispy Kremes on American TV shows and movies for years, so intense curiosity.

But also the marketing geniuses at Krispy Kremes said that the first ten people in line would get a year’s supply of free doughnuts. And then, just to seed the habit, just to get people addicted to Krispy Kremes, they were also going out and about in Paris two weeks prior to the opening. They handed out a hundred thousand free doughnuts, which got people interested as well. So I don’t know that I would have guessed a big hit launch for Krispy Kreme in Paris, but we found those missing doughnuts, and they’ve all been consumed.


Erick: That’s incredible, and again, you know, we really don’t know, you know, how, what happened in Australia and where those Krispy Kreme donuts ended up, but it looks like Krispy Kreme is on the march, Rich, and to have such an impact in France of all places that again, you would think as a very, holds a very high regard, as you mentioned, for their baked goods, to have such an impact and a line out the door, like some crazy Black Friday event outside of your local Best Buy, for Krispy Kreme donuts. Boy, it sounds like they got a winner on their hands.

Rich: Yeah. If we didn’t already know, it’s an impressive recipe. We know this for sure now, because it passed the test of the French. Folks, that is all the time we’ve got for you this week on MSP Chat. Thank you so much for joining us.

We’re going to be back again next week with another episode for you. You know, if you are listening to this podcast in audio format and you’re curious to check us out in video, we are available there as well on YouTube. Look for the MSP Chat and the Channel Master channel there to find us.

If you’re watching on video, but you’re also into audio podcasts, wherever it is you get your podcasts and audio, Google, Apple, Spotify, you name it, you’re going to find us there too. Wherever you find us, please subscribe, rate, review. It’ll help other people discover the show and enable them to enjoy it

just like you are. This program is produced by the great Russ Johns. You’ll find information about Russ at russjohns.com. He’s also part of the Channel Master team. If you’d like him to produce a podcast for you, give us a ring ’cause we’re happy to discuss that with you. So once again, we thank you very much for joining us here on channel, on the MSP Chat podcast from Channel Master.

We’re going to be back again next week with another episode. Until then, folks, please remember, you can’t spell channel without M S P.