Episode 71: Don’t Buy Voldemort
Erick and Rich discuss why AI might be the spur MSPs need to take SaaS app management as seriously as they do device management, as well as why and how to avoid the dangers that come with letting too few clients account for too much revenue. Then they’re joined by Matt Lee, Pax8’s senior director of security and compliance, for a thought-provoking conversation about everything from the impact of agentic AI to why SMBs will soon have even better security than large businesses. And finally, one last thing: why children in the Japanese village of Kawara are collecting middle-aged man trading cards.
Discussed in this episode:
Will Shadow AI Make SaaS Management Mainstream?
Middle-Aged Man Trading Cards Go Viral in Rural Japan Town
Transcript:
Rich: [00:00:00] And 3, 2, 1. Bo Westoff, ladies and gentlemen, welcome to another episode of the MSP Chat podcast, your weekly visit with two talking heads, talking with you about the services, strategies, and success tips you need to make it big in managed services. My name is Rich Freeman. I’m chief analyst at Channel Mastered, the organization responsible for the show.
I’m joined as I am every week by your other cohost, our chief strategist at Channel Mastered, Erick Simpson. Erick, as we record this, you just had a little bit of a shake, rattle and roll. Did you not?
Erick: Certainly did, Rich. Here in Southern California, epicenter a few miles from San Diego, we experienced a 6.7 earthquake.
It was what we call a roller, [00:01:00] Rich. So it wasn’t like a hard shock or anything like that. Like nothing fell over. One of my sons lives near San Diego, and he said, yeah, it was just a roller, just waves. Lasted about 30, 40 seconds. And enough to remind you that California is one of the top states for natural disasters, fires, earthquakes, you name it.
Yeah. But all good. Here you are in a fault zone for sure there. And I at least have not had a chance to look up any news accounts about this. So I certainly hope, as we’re talking about this, that it was just kind of a roller and everybody got through it the way your son did, and that there are no injuries and no damage.
Rich: I guess we’ll see a little bit later on, but yeah, I grew up partly in Southern California and this is just a fact of life. For people who don’t live in that part of the world, it’s holy cow, an earthquake. But if you live down there, it’s just something that happens periodically.
Erick: Yeah. And you typically feel a few aftershocks afterwards, like things still settling and things like that. I have not felt [00:02:00] any. And six point, I’m sorry, was it six point? That seems really high. I gotta double check that figure. But that was something my son texted me about.
Maybe it was 5.7, maybe I misspoke, because 6.7 would be like disastrous, right? But anyway, a good one. Yeah. All good. All good here. Another day in SoCal, Rich.
Rich: And with that, let us dive into our story of the week, which comes to us from my newsletter, Channelholic. This is part of the most recent post there.
You’ll find this article in its full glory at my website, www.channelholic.news. Interesting story. Now, I recently read a research report published by N-able, their annual Horizons report. Fantastic report, by the way, filled with data assembled and prepared for the folks over at N-able by Canalys.
We know those folks really well. Good data. At one point in that study, they referred to SaaS management as basically table stakes for [00:03:00] MSPs. Now, I think just anecdotally, you, me, most of the people we know would agree you gotta be doing that for your clients. Now, how you would define SaaS management might vary a little bit, but one would assume most MSPs are doing this in one way, shape, or form for their customers, and therefore that they’re using SaaS management software of some kind.
I recently had an opportunity to speak with an executive at Auvik, John Harden. Auvik is best known maybe for its network management software, but they also have a SaaS management platform that they sell. And John’s take, basically, was there are plenty of MSPs who are using a SaaS management platform of some kind, but it isn’t nearly as ubiquitous as you would think it is.
And he shared some data with me. This was exclusively shared with Channelholic so far, but it was based on data that Auvik has been collecting. So through their SaaS management platform they’re getting a [00:04:00] lot of data on SaaS application usage in a lot of end user environments. And he was able to pull some reporting together for me that aggregated and anonymized that data.
So there was nothing private being shared. And the larger point that he was trying to make to me is that shadow IT has been a perennial issue. It’s been an issue in the IT world for many years. SaaS and bring your own hardware and people doing work on their phones and tablets and so on has made shadow IT an even bigger issue, because it’s so easy for people to go out there and provision or just use some SaaS application without permission or without IT’s knowledge. AI has made that an even bigger issue. Basically, and for folks who are watching on YouTube, I’m going to share my screen right now, share some data that came to us from Auvik.
I will describe it for the folks who are listening to us right now. And there we [00:05:00] go. So this is data that was collected by the folks at Auvik.
Erick: Hey, Rich. Rich, I don’t see it, so I’m gonna remove and re-add it real quick. Hold on. Sure. There it is. Okay, cool. Go right ahead. Sorry. And you know what, while I’m doing that, I might comment that I imagine shadow IT grew by leaps and bounds when everybody was doing work from home during COVID and things like that.
So I’m curious to your feedback on that.
Rich: Yeah. We can come back to that. Yeah, absolutely, is the short answer. But for folks on video, what you’re looking at right now is data that Auvik collected between January 23rd and April 7th of this year. And remember, the world didn’t know about DeepSeek, China’s large language model, until late in January this year, and you can see that reflected in the data: almost no usage in most of January 2025. Then on January 29th, this was the day that the world caught onto the existence of DeepSeek and the [00:06:00] radical disruptive pricing and the infrastructure model underneath it and the implications of that for OpenAI and all the infrastructure providers.
So everybody became really interested in this technology. There was a massive sell off of AI related stocks on the stock market, which obviously created a lot of interest as well, and very disruptive.
Erick: Yeah. And Rich, for those folks that aren’t viewing us on YouTube and just listening, can you describe the graph here and the key points for us?
Rich: Yeah, that’s where I’m going. Basically, if you are looking at the chart that I’m sharing here right now, you will see like true hockey stick growth on January 29th. You’re gonna see this giant spike of usage. And basically what this graph is showing you is users going to DeepSeek to check it out on January 29th.
Hockey stick growth from zero to something like 175,000 requests. It goes up and up over the course of the next week until it [00:07:00] peaks out on February 6th, somewhere between 400,000 and 500,000. Drops back down after that, once people have digested it, and then you can see it pick up, drop, pick up, drop.
A lot of usage continues for DeepSeek going forward from that huge initial spike. And look, a lot of that usage as you go on through that period from early February into early April could be authorized usage. Could be. But we know that that giant spike in usage that happened early on in the history of DeepSeek was not authorized, because nobody even knew this technology existed at the time.
Yeah. And this is just a sign, basically, of many that they’re collecting at Auvik right now. But there’s a ton of shadow AI usage going on inside businesses right now, and that has real implications for end users in terms of data leakage and potentially compliance [00:08:00] violations.
So if you are an MSP providing SaaS management, you really need to have a handle on AI usage in your end user accounts. That’s gonna be very difficult to do without a SaaS management platform. And John’s hope, and of course this is a guy from a vendor that sells SaaS management software, so you can understand why he’s hopeful this will happen, but he hopes that this is the spur.
This is the thing that finally gets MSPs who are not really doing SaaS monitoring and management, SaaS inventory, SaaS license optimization, the folks who are on the sidelines with that set of services and are really just provisioning Microsoft 365, say. This maybe could be, it really ought to be, the thing that gets them to go out and find themselves a platform that fits well with what they’re doing, that is specialized in SaaS management, and add that to their stack.
And by the way, charging accordingly. This data that [00:09:00] we were just talking about here shows a lot of shadow AI usage. There’s a lot of risk associated with that. If you are exposing that and reducing that for your clients, you deserve to be compensated for that.
So this is a recurring revenue opportunity as well.
Erick: Yeah. Holy cow. That graph you showed was like a heartbeat, just up and down. So obviously there are things going on that not a lot of folks are aware of. And the point you made, Rich, about this was happening before people became aware of it.
It’s scary for an MSP to think that they don’t really know what’s happening behind the scenes because they’re not thinking about monitoring for that specifically. So like you said, anything that we bundle into our services that adds value and protects our clients, we should be compensated for as MSPs, and we should not have to have a very difficult conversation with clients about that.
If we do, that just means that [00:10:00] we’re not working with the strategic clients that we need to be working with, that trust our guidance and see us as strategic business partners rather than just the technology vendor. Yeah.
Rich: Lest you think DeepSeek is the only issue you need to be concerned about.
I got a sort of stack ranked list of the SaaS applications most in use by end users supported by Auvik partners. Just within the last couple of months ChatGPT has gone from 28th place on that list to 13th, and it’s obviously continuing to rise. That puts it ahead of things like Atlassian and Amazon Web Services.
So a ton of ChatGPT use going on out there. And it’s the same issue as with DeepSeek. There might be some national security concerns about leaking data to China that are a little bit different than with OpenAI. But you really don’t, your clients don’t necessarily want their data getting sucked up and included in the training model for ChatGPT going [00:11:00] forward.
It’s something to be really thinking about and investigating right now. If you don’t have SaaS management software, this is a great reason to be looking into adding that to what you do, the software to manage that and the service to your end user.
Erick: I’ll say this, Rich. Obviously there are bad actors out there that are probably figuring it out.
Figuring out how to look for that data wherever it is to build compromises against organizations. Just think, if we can figure out where all this data is stored, whether it’s here on public servers or elsewhere in the world, in China, and these bad actors have figured out how they can crawl that data and identify vulnerabilities, then those can be used as exploits against target organizations.
Rich: Absolutely. Absolutely. Erick, let’s move on to your tip of the week. Now, the issue that you’re gonna be addressing this week is a long standing one in the world of managed services. [00:12:00] I would argue it’s become maybe even a little bit more relevant. One of the other things that came up in my most recent Channelholic post was just that, as we all know, we are in a time of economic uncertainty here.
Nobody knows if we’re in or headed towards a recession. But if we are, then over reliance on a small set of customers could be an even bigger issue than usual. Bigger risk than usual for MSPs, Erick.
Erick: Yeah, it’s a great way to frame that up, Rich. And yes, obviously we’re talking about the risks of having a high percentage of your revenues represented by a small number of clients. So high client concentration risk. And there’s a couple of challenges that poses, and most recently, yes, this economic uncertainty, Rich. If we are servicing, let’s say, a vertical that is impacted by changes in [00:13:00] policy, by things that are outside of the control of that business or that MSP, that can impact that organization’s ability to function.
Let’s say you’re working with a bunch of nonprofits and all of a sudden grants no longer exist and things like that. That is going to put you at a very high level of risk. So there’s revenue vulnerability, where losing a client or two, or a whole vertical of clients, can severely impact your ability to continue operating.
There’s also the risk, Rich, of having a negotiation imbalance, where you’ve got a very large client that represents a high percentage of your revenue that may exert pressure on you for favorable terms, for supporting legacy things, for doing things that you don’t do for any other clients at a price that you certainly would never charge a new client to do, right?
So they represent this kind of negotiating power. It can [00:14:00] operationally strain your organization if you are allocating a large number of your technicians to a smaller number of clients, right? Impacting your ability to scale more broadly at potentially higher margins.
And finally, Rich, the one that is really relevant these days is the impact to a company’s valuation. So investors often view high client concentration as a red flag. And typically they want to see no less than 10% of your gross revenue be represented by one client. I’ve seen that kind of move around a little bit, doing a lot of M&A work for MSPs and some vendor clients as well.
But typically, 10%, 20% at best, is really a red flag, because it creates risk for all the reasons I just mentioned.
Rich: Yeah. And let’s face it, those potential acquirers have a point. There is [00:15:00] risk attached to having more than 10 or 20% of your revenue coming in from one account.
It’s one of those tricky things, especially for newer, younger MSPs out there, because you land a big account and it’s something to celebrate. You’ve got this big account and it is something to celebrate. It’s great for the business, but if that one account all of a sudden is responsible for 40 or 50% of your revenue, you’re also in an exposed and vulnerable kind of position.
Erick, do you have any, so for the person who is listening or watching right now and is nodding their head, yeah, I’m getting most of my money from a relatively small number of accounts, but they’re keeping me very busy. How do I grow, diversify? Any advice on what to do next?
Basically to reduce that risk and exposure?
Erick: Yeah, Rich, it’s a tough situation when you’ve built your business based on a couple of these cornerstone key clients. Early on it happened to [00:16:00] me in our MSP as well, and there’s no easy answer to it, other than the basic, common sense things like look at your clients and make sure that if you do have a large percentage of your revenue represented by a single account or a couple of accounts, make sure that you’re meeting your margin targets. Really evaluate what your cost of service is, making sure that you’re billing correctly and you’re receiving that revenue. Because one of the things that we found, Rich, when we started doing this A, B, C segmentation of our client list and determining which clients we should exit, the primary reason was that they were not meeting our margin requirements.
We were charging them a lot less than we would a new client that we would sign up tomorrow. And they were consuming a lot of our resources. So at the end of the day, the equation worked out [00:17:00] so that once we exited a bunch of these C, D and F customers that we had, we were actually more profitable than we were before, because we were now able to deliver more projects and services to our existing A and B clients, or the ones that were left.
We were able to expand a lot broader and deeper with them, and we were able to bring on more of those A and B type clients without having to hire more resources. So it’s not a light switch that you turn on and off, Rich. It’s just a slow, consistent strategy to bring on more clients and evaluate your existing clients to make sure that they’re meeting your profit margin targets.
And it reminds me of that scene in the first Raiders of the Lost Ark. You’ll remember, Rich, where Indy in the very opening scene is trying to steal this idol, right? And he’s got this bag of sand and he is trying to flip the idol and put the bag of sand in its place. It’s one of those things where you have to gradually transition [00:18:00] over to distributing that risk among more clients, but more profitable clients that allow you to become more efficient or more strategic for those clients.
Rich: And the first step, basically, is admitting you have a problem, as the saying goes. So it’s gonna be a process. It’s not gonna be something you can fix easily, overnight, but you do need to acknowledge it. Look, check the revenue percentages, check the margins. If you’re getting more than 20% or even more than 10% of your revenue from one, two, three clients, you’ve got an issue.
And so you need to put together an action plan for rectifying that, understanding, as you’ve been saying, Erick, that it’ll take a little time to do, but therefore the time to get started is in fact right now.
Erick: Progress over perfection. Yeah, it’s a steady eat the elephant, one bite at a time.
Start at the tail, you know you’re gonna end at the trunk.
Rich: All right, folks. We are gonna take a quick break. When we come back in just a few moments, we are going to be joined [00:19:00] by Matt Lee. He is the senior director of security and compliance at Pax8. He is one of the foremost experts on security in the world of managed services.
Someone I always enjoy speaking with for a number of different reasons, and I’m glad to have him on the show with us. We’re gonna be talking a little bit about the security landscape, but also get some advice from him about things in the security realm, security services offered, security best practices adopted, that he would like to see MSPs do more of than they’re doing right now.
So we’re gonna get into that with Matt Lee in just a few moments. Stick around. We’ll be right back.
And welcome back to part two of this episode of the MSP Chat podcast, where it is Friday morning Pacific time as we record this right now. And we are joined by the senior director of security and compliance at Pax8. His name is Matt Lee. He knows at [00:20:00] least as much about security and managed services as anyone in the channel right now, and as a pre-end treat to ourselves, Erick and I are going to pick his substantial brain for the next few minutes about those two topics.
Matt, welcome to the show, man. Glad to be here, boys.
Matt: It’s I feel like I’m in with a little bit of royalty in this one yeah. Thanks for having me.
Rich: You know what, Matt? I travel quite a bit out there, but you travel quite a bit more. My guess is most of the folks in our audience know who you are, but for the folks out there who don’t, just tell them a little bit about who you are and what you do at Pax8.
Matt: Yeah, so I’m a recovering MSP, I guess is the way you might start. I do go to the 12 step program an nineties. I spent about 12 years as a managed service provider in almost every seat. We grew that from just under seven of us and under a million in revenue to, at the time I left, 170 people reported that were in the technical org.
We were just over 40 million in revenue. And I was the director of security when we lost about 3 million in total economic impact [00:21:00] as an organization by buying a company I call Voldemort, ’cause I’ll never say their name again. And so that really gave me the fire and drive to try to change as an organization.
And in my time there, as we built that organization, it also exposed me to just how bad it was from the vendor side. How little they were doing the things I needed them to be doing to meet my CIS safeguards and other controls. So I started serving on advisory boards about 26, 27 of them at the time total at one point.
And anybody we had a million dollars or more in revenue with, I wanted to have a seat at the table and be able to help steer where they go and drive and decide whether I stayed with them. After that, I left and made a belief that marketing, traditional marketing, is broken. We can’t keep just saying things to people without educating, a lot of what you’re doing here, the education aspect. And I proposed that I could come over and start driving some of the thought leadership around cybersecurity at Pax8, and I’ve been there now for four years, I think just at four years, doing just that. Yeah, way too many words if you’re charging me by the word on that one.
Rich: First lesson for the audience here, don’t buy Voldemort. [00:22:00] Yeah. Don’t buy Voldemort. It’s gonna be a t-shirt. For the second one, let’s go to compliance, because I believe the last time you and I spoke it was about that topic and I was asking all these questions about should MSPs get into compliance, how should they go about doing that?
And you came back emphatically with the message that, guess what? They are already in compliance, every last one of them. Yeah. Tell us a little bit more about what you mean when you say that.
Matt: I think there’s a couple of questions surfacing right now, right? One is, should I start selling compliance management services for people where I put boxes and check boxes?
But then there’s the other component of, at some point, you’ve sold stuff for the last 10 years that had to meet some form of a compliance that could bite you, that you may not have addressed. For example, if you’re saying I’m deploying anti-malware on every device, and let’s say a small medical client has a compromise that is an incident that’s recorded and later is reviewed and they say, listen, [00:23:00] can you prove to me that you had EDR on each of those devices?
This is a talk I take from Mike Sim, but can you prove there was EDR on each of those devices at that time? Have you ever told your clients to store the reports? Do you give them the reports? Do you even store the reports? Do you have something to prove it? And what I mean by this, as a story to say, is MSPs have not traditionally been great at proving their work.
They’ve been great at saying to their employees, hey, if it’s not in the ticket notes, it didn’t happen. But that’s only really in respect to proving they did what they said from a ticket, or meeting the SLAs, or the things that they’re doing. Not really focused on, if you can’t prove that you’ve been doing this to meet someone’s compliance, then you are going to be the death of them from that compliance, which then will either introduce litigiousness, subrogation, other things, depending on what plays out, or just loss of reputation.
So there’s this challenge of saying, whether you know it or not, the world is growing towards, prove what you said. And I can say we’ve seen that, right? NIST CSF 2.0, as that came out almost a year and a half ago, had the word govern added to it, [00:24:00] right? CIS 8.1, which came out last August, added in the word govern.
Why? ’Cause we haven’t been measuring what we expect. We haven’t been actually inspecting to prove the stuff we’re doing. It’s very rare that we are doing that. So when I say you’re already in compliance, at the very least, as this world continues to shift, you’re gonna be under more and more scrutiny to be able to give the proof statement.
How many of you out there listening, when you buy a tool, already go, okay, now how am I gonna document and prove this happened, if I had to require evidence of this and show it on some regular basis? Nope. Not part of the consideration. So I’ll yield the floor on that. But ultimately, it’s this understanding that the world is growing more and more understanding of risk. Cyber risk is a problem. We have to measure it better. We can’t just say, you’re gonna secure me. I need your help. And governance is, what is governance? And I’d love to turn that around. What does govern mean to you?
Erick: Matt, you talk about basic compliance as a given.
You talk a little bit about governance, but for MSPs out there that are, like you and I [00:25:00] would say, we’re former MSPs. I didn’t have the Voldemort experience, he who shall not be named, like you did, knock on wood. But for the typical MSPs out there that are just trying to figure out how they can deliver much more value to their business clients today, and having to move into much more of a strategic role with cybersecurity, what beyond basic compliance monitoring should these MSPs be doing, in your opinion, and how do they grow into that new persona that says, I am now much more valuable to you because I am defending you from these attacks, instead of this commodity type, I can close tickets for you, discussion?
Matt: Sure. Yeah. And it is becoming commoditized, Erick. Like the reality is, Angry Birds works pretty well. For me, I don’t need a lot of help with Angry Birding, right? It just works. And so more and more SaaS and more and more reliability of applications makes that commoditization start to play out, among many other things.
The [00:26:00] question is, how can you pivot? Don’t be the expert in the room would be the first thing I’d say. Don’t be the smartest person in the room, I think is the point. There are so many frameworks out there, right? There’s even an XKCD comic saying, hey, we now need to add another framework, ’cause these frameworks don’t meet it. It’s delicious. But the point is, go follow a framework. Make it to where you are just trying to apply standards. It is the basics that kill you, right? And so when you’re going down that path, as you’re starting to say, hey, when you do these things, following a framework and using the framework as the methodology is defensible, meaning it’ll help you reduce your risk. It meets the reasonable person rule to that extent, as long as it’s implemented well.
And a lot of hold harmless is tied to that. But following your framework also makes you not have to know everything. When someone says, hey, why are we doing 5.2 and using separate passwords everywhere? I don’t necessarily have to know. I can just reference, there’s a standard, I’m implementing it, right?
That’s the benefit of that. It doesn’t mean you have to be the expert at all times, but using a standard helps make the deliverability more valuable, helps show that [00:27:00] you know enough to at least follow standards and do things the way that are valuable and well recognized. I think the other piece, though, is, to your point, you mentioned strategy and needing to be more strategic.
We asked to be vCIOs, and now I guess the conjecture is vCISO, right? But even as vCIOs we sometimes did little more than go, ah, we need to buy 35 more PCs over the next five months, let’s plan those out. That’s not a vCIO, that’s purchasing acquisition help, right? Like, how do we get into their business?
How do we know more about their business? How do we know about what their data is? One of the chief problems with AI right now is you’ve been putting stuff in an S drive or in SharePoint and one big team share forever, and nobody knows what data is what, what it’s worth, what it’s classified as, what stuff’s in there.
So you ask the question of how can small MSPs or small partners start to help serve that SMB better and add that value back. It would be learning how to be more and more efficient and get good at applying standards across known sets of systems, right? Oh, RA, ID, I know how to apply the standards to that.
Oh, I know how to manage these things and reduce your risk and make your [00:28:00] job easier, make it easier to work with people, but it has to be about the business, which means it forces you to know more about how they make money, where they make money, where their contractual risk is, where their regulatory risk could be.
You’re gonna have to get deeper in the business, in my opinion.
Rich: Matt, you just mentioned AI, and everybody understands AI is a tool, actually and potentially, both for attackers and defenders. And in recent months I’ve been asking a lot of people, who’s getting more mileage out of AI right now, the attackers or the defenders?
I’ve gotten a whole spectrum of opinions about that. Give me your take on that now, in terms of where we are now and what you think it’s gonna look like two years from now, say.
Matt: Yeah. You just saw in the CrowdStrike report for the last year that I think it was something like 80% was malwareless, right?
80% of attacks started becoming social engineering, started becoming all these things. Why do I bring that up? If you’re trying to weigh the balance of who’s getting [00:29:00] more out of AI, I think you have so many awesome arguments of what is happening on the non threat actor side, right?
Of all the things that are coming, amazing new tools, amazing new apps, all of those. But for the threat actors, I think the biggest benefit of LLMs in specific, of the AI category, has been the ability to make more and more meaningful social engineering attacks. The ability to do better research for OSINT and finding things that are great for spear phishing, right?
Where I’m targeting you and I need to know a lot about you really quickly, those are great tasks for that, right? To make conjecture off of posts, it’s been fantastic for that aspect. So I think there’s not a winner in that. I think probably if we weren’t stupid and didn’t leave things out that make that easy for the threat actors, then we wouldn’t have the same order of magnitude return on investment for the AI.
But in the current right now, I believe that LLMs for the threat actors probably help the speed and efficacy and automation of their spear phishing and being better at what they’re doing from a social engineering perspective. Therefore, they get a tick. [00:30:00] And the same benefits are somewhat gained, but not as perfect, on the other side, because most of the applications I’ve seen of AI and LLMs around the defense side have been around, like, I’ll make it easier for you to make a query to look for this threat, or I’ll make our tool better at looking for threats, and it’s good at that and it’s a scale factor. But I just don’t think it’s as much of a win as having the ability to really quickly know how to send Erick Simpson something to attack him and probably be successful.
That’s probably the other side of what that does for the threat actor today. Fast forwarding, however. I really believe that the ag agentic approach of LLMs combining RPA robotic process automation capabilities with smart objects, smart, dedicated, vertical and horizontal LLMs could make it to where this normalization.
In fact, I have a fairly salacious statement that I’ve been making lately and I think I can back it up. I believe that small to mid-size business security posture will exceed the security posture of enterprise in the next five to 10 years. [00:31:00] And the reason for that is these very factors. If we have normalization, meaning instead of me having server 2008, eight R 2 12, 12 R 2, 16, 19, 20, instead of having, server force function oh 8 0 8 R two 12, instead of having hypervisor, none of that, I now have graph API.
When you start thinking about it in that way, we start getting into very simple and very normalized ways we can apply something. And if we can take LLMs to be agents to do things for that, look for any machines that are out of compliance, manage for these things, then we can actually spread the capabilities of the SMB beyond that cybersecurity poverty line as it sits today, right?
Where the six to 7% of top line revenue that small businesses spend on tech isn’t as much of a limiting factor when we can start scaling a lot of those normalized functions and automations and through the use of LLMs ’cause of that normalization and the function they can have. So I think that, got off on a topic there, but I think AI long-term probably shifts the balance back inside of the good, just because most of the things we fail at are the basics, in my opinion, boys. And if we can [00:32:00] get good at scaling the basics being well done, then the threat actors blast radius reduction means that it becomes a normalized thing.
And there’s a chart I like to talk about called The Death per Billion Miles Traveled. And if you ever go look it up, it shows automobiles from about 1890s or so until today, and it’s a chart and you think it’s death per billion miles. That normalizes it, right? Because there were less miles driven, but more death by proportion.
And so if you start in, in the turn of the century, it was way up here. And then it started to fall off in the sixties, seventies and eighties after the National Motor Vehicle Safety Act and Ralph Nader. And then in the eighties and through two thousands, it leveled off. Did it ever get to zero? No.
’cause we have an acceptable level of death that we’re okay with, otherwise we’d drive 30. And so we get to that point. We haven’t done that in technology yet. And so we’re starting to head towards that. And I do believe that’s where we’ll head and AI probably does make the scale capability for SMBs make that happen faster.
Erick: And those are some pretty bold predictions, Matt. I wanna [00:33:00] touch on a couple of things that you mentioned there talking about AI and its ability to improve a hacker's success rate at getting past the human element of this, right? That social engineering component. I read an article in Forbes recently that said AI is now better than human hackers at creating these phishing attempts.
You also talked about social engineering, so it makes me think, I recently had a demo from a vendor that's just emerging. They're building, and we're talking about agentic AI and things like that, and they're building an agentic AI to replace somebody like at a front desk scheduling appointments for whatever the company is.
And they said, look, just dial the number. Tell me what you think. And Matt, I dialed the number, without giving too many details about this because it's still a skunkworks project. And other than the, I can tell it wasn't a human being, but just, it was [00:34:00] so close, but I was trying to throw every weird question at it that I could, and it answered every one.
If it had been a human being answering those questions, I would've thought that I was speaking to a human being. And so my whole, my bold statement is, I think in 18 months, we're not going to be able to tell agentic AI from a person. It's gonna be very, it's gonna fool 95%. Hearing we get good. So if you agree with that, what hope do we have?
Like what can we as folks that try to elevate the conversation for MSPs and help them out, what can we offer them besides like, give your clients end user security awareness training? Is now like social engineering end user security awareness training a thing now, or, I'm just like, this is, it is, it's past the Turing test. So crazy.
Matt: Same training, bigger scale, I think more understanding that it’s [00:35:00] gonna come in that way, that the LLMs will be programmed to understand you better, that they’ll be able to respond and influence you better. I think to your point, the vishing and Smishing and all of those get way more effective, right?
Because of the communication, and you're already seeing it, like not to be that guy, but if you look at these extortion cases that these kids are dealing with, they're now getting AI bots that are chatting with them to groom them through that process and never even having to waste any human time, right?
And they’re doing that through bots and LLMs to, to your point. But I think the other side of this is, it’s also goes back to part of our job as security practitioners is to make it harder for users to do the wrong thing and easier to do the right. A lot of the times when we talk about this, it really comes down to training, but it also comes down to making sure that you’ve made the system conducive for them to be successful, right?
And making it harder for them to fail. There's a great tactical example. If I could get people convinced to use push phishing-resistant methodologies or FIDO, right? Push notification number matching, things in [00:36:00] that nature, and using FIDO, I could kill off all AiTMs, all adversary-in-the-middle attacks, like all token theft that happens in over-the-wire situations. Done, just done.
They don't have a password. Done. But we don't do those things, right? And so we make it to where the user has to go, oh, I'll put in my PIN and type in my password. No problem. I'll just take it away from their ability to do that. Why not just win the battle? And I think that's the piece. We still take the convenience over security in that regard.
And I think as those start to transition, you'll start seeing clear winners that, yeah, they might get social engineered, but they can't do as much, or the blast radius is limited, or the methodology or modality are killed. And then we don't have that problem. And so the hardening, it's harder to train everybody to do everything right than it is to systemically stop them from failing.
And I think that’s some of the big misses right now that would help solve that long term. And again, that just goes back to the basics.
Rich: Matt, Erick and I are long, long time [00:37:00] veterans of the managed services scene, which is really sorry way of saying we’re old.
Erick: You’re aging us now, rich, come on.
And Matt, I’m including you in that conversation.
Matt: I’m in it, I’m in it, boys. I got you brother. Yeah, brother.
Rich: Too, you go way back. You go back 20 years now, and MSPs were mostly new to the field, smaller companies gaining maturity, everyone was figuring everything out as they went along.
We're at a point in time now where there is a much wider spectrum. You've still got smaller companies, newcomers to the field, but you've got some really big, very mature MSPs out there with deep pockets and a lot of money. Is there anything those bigger, wealthier, more mature MSPs are doing in security that the smaller, newer companies can, should be doing as well? Is there anything for the bulk of the folks in our audience here to learn from some of these [00:38:00] giants out there right now?
Matt: Yeah, I, one specific that I just had come up, actually, you’re in luck boys. It wouldn’t have been on my mind otherwise. ’cause a lot of times the problem is it doesn’t translate you, you have an economy of scale problem.
You have a Pareto principle playing out, right? But this one does one of the things that’s the biggest challenge. How many of you have sold a backup appliance, whether it be a Datto or Veeam, whatever it might be, and said, your restore time objective is four hours. I can bring you back to a restore point objective of at least half a business day in this four hours.
Okay cool great until they have an incident and now you’re waiting on insurance and now you’re waiting on forensics. Now you’re waiting on the team to come and deal with it. Now you’re waiting on the right and the client’s going, why are you not restoring me? Why have you not brought me back up?
At least hopefully you’re waiting, right? For those things. If they have a major incident. And so the point is that you’ve sold something you can’t meet now because you haven’t set the conditions to them to help them understand, hey, guess what? If you’re ever in a big cyber incident, everything I’ve just told you might not be true.
We might be waiting on attorneys, we might be waiting on DFIR [00:39:00] teams or digital forensics and incident response teams. We might not be able to do that. If you could just go back and have that one conversation with them, that would be beneficial. So that's where you could start. The bigger companies though, are starting to take it and go into pro mode, and that is they are reaching out, and one of them I just met with, I won't name the name, but they are reaching out to third party incident responders and asking them what are the chain of custody rules that I need to follow if I want to gather this evidence myself so that I can make it faster, charge them for it and bring it back up and not have destroyed their evidentiary requirements potentially, and chain of custody requirements potentially for that data when it happens.
And so they’re now saying, Hey, I can have a package ready with the right tools, the right stuff I have to do, the way the tickets are managed, the way the chain of custody is managed, the way I hash the images. All that could be something we could build ourselves. So I told you it’s easier just to go and at least have the conversation of you might be waiting, but if you really wanna tackle this and get them back up faster, you can offer, Hey, we, we have a rapid response package for $200 a [00:40:00] user.
Now that you’re in this situation and telling them about it beforehand, why? Because it might save them three weeks on getting up. It might save them until the insurance is ready to deal with that. So that’d be the argument that I’d give, is that they can at least go have the conversation of, Hey, are you aware that if you have a cybersecurity incident, you may be waiting, especially if you have insurance, and they’re gonna bring in legal counsel and they’re gonna have those things that they need to do to protect the insurer and the insured’s best interest.
So I don’t know if that’s something that meets that requirement for you, but I would say it’s one thing that I’ve seen larger MSPs are starting to do a couple of them in different paths.
Erick: Matt, there’s, given that. We’re seeing more and more SMBs and other organizations move more and more of their workloads to the cloud and SaaS applications.
Why does it feel like there's fewer vendors really working towards securing those cloud apps? And [00:41:00] what should MSPs be doing in their security strategy to help secure some of these cloud workloads? Because I think without good solutions, it just becomes a very whack-a-mole type of an engagement.
What are your thoughts?
Matt: The whole category is being born in our space, right? To, to your point, the SaaS management, SaaS compliance, SaaS, configuration. You’ve got players, I won’t name names ’cause I don’t like to do that, but I’m invested in a couple of different platforms that are trying to solve that as well.
But what I will say is that robotic process automation is probably your answer today, right? What I mean is what you’re looking for is a GUI that does all these things that’s been built by somebody. You could do all those things with common tools, right? There are several RPA platforms, I won’t name them out there, that would allow you to take and say, Hey, you know what?
Every Microsoft tenant that comes in, I wanna do this to it. I wanna make sure this happens, right? So in the absence, you can still at least code your way through that or manage your way through it. There’s [00:42:00] plenty of built crates and things out there that help you do those things. And platforms that are specific to some like Microsoft, right?
You have a couple of ’em out there that are very specific to Microsoft and how they manage those settings. You’re also starting to see more and more baselines be developed by characters like CIS, the Center for Internet Security, building their benchmarks for a lot of different software. What are benchmarks?
Hey, go in this one software and check these two boxes and help you reduce this type of attack. That's benchmarks. So you're starting to see the ability to have an application programming interface, right? An automatic way to apply things, a robotic process automation platform that could do that at scale for more and more normalized, as I talked about earlier, people, meaning everybody's on Entra, and if I need to write a thing on Graph, it's just gonna be a GUID and a token.
And as long as I continue to do that for each client with a different GUID and token, then I'm able to do the same script across all of them, right? So this argument is, in the absence of more and more how cloud should be managed and configured, I would be building those things in robotic process automation form.
In that piece. [00:43:00] Additional to that, if you believe Satya’s. Future facing and my future facing belief that ageism will probably change the nature of SaaS. Gone, might be the days that I as a SaaS vendor have to program one UI to rule them all. One UX that everybody will love. That doesn’t even work in the grocery line, right?
So how’s that gonna happen? So instead, now I might have an API that I build an agent that interacts with that API, I don’t need a visual layer in the same way. And so you start seeing a world where the SaaS players down the future. Ageism will scale and replace a lot of robotic process automation, traditional function, and do the same functions as if I could just manually pull an API key outta my head and ask for something as a human, which I can’t.
So agents can, they can do that all day, every day. And so I would imagine that the normalization I talked about earlier and the other functions that we’re seeing along with ageism and AI start to make this a service offering that MSPs offer to do that. I’ve seen several MSPs that are building AI agents that do very specific functions very well, [00:44:00] and that’s when you get into vertical.
LLMs, right? Not horizontal LLMs. These are very specifically made to do that function, to train this one thing, and then maybe a horizontal LLM that helps manage those groups of vertical LLMs, right? You got to experience a vertical LLM, that chat bot that you talk to, right? And there might be a manager that’s more ver more horizontal and understands more of the components that manages those verticals.
So there's just all kinds of interesting things that change a lot of what we expect and live in today. Even if you were to unpack that, it means that the SaaS vendor gets to take a third of their budget and get rid of it and do it on making their product better, 'cause now they're not worried about a UI/UX design on the front end.
They’re worried on API and functionality and outcome expectation. So anyways, you probably won’t want me to go on and on, but those are some of the initial thoughts.
Rich: The funny thing is we invited you on the show ’cause we love it when you go on and on. Fair. I’m gonna, this is one last question here you are extremely visible, extremely active in the community.
I think it’s fair to say you’re a believer in the [00:45:00] power of community when it comes to the channel. How would you advise the folks in our audience to learn from and leverage the channel community with respect to security?
Matt: I think what is community is part of that challenge of definition, right?
Because community in at the very beginning is there’s a dude sitting by this like sparkly, fiery thing and there’s some good smelling stuff. I wonder if I walk over and ask for food, will they kill me, right? That might’ve been a few thousand years ago. But the point is, like community in our case is we’re all in this forced condition.
What is that condition? The SMB, at least based on the research we’ve done, spends six to 7% of their top line revenue on all tech. And we have chosen for some reason, to be the people that decide to take the lowest dregs and try to help the hardest to help community of the SMB. I think that forms you into a comradery.
Comradery forms you into a solved common mission. And a common mission forms you into a community in that regard, right? That’s my opinion on it and in that way. But that said, how can you get the most [00:46:00] out of it? Don’t be a shitty community member. Like it’s pretty much that. Ask questions, but listen to the answers, feedback on the things you know.
Don’t poison the other people in the community, right? It’s just to be a good citizen type thing. But what makes up a good community is the fact that I would genuinely give you any knowledge I can to help you build and win, because it’s not gonna take away from me. It’s an unlimited ocean we all have to deal with and it’s really hard to be an MSP.
And so I think, at least in my experience, community has been, I’m willing to share, you’re willing to share, let’s be good friends. If you go in unwilling to share and you’re just asking to pull, it will immediately smell and feel like that and you will not get the value out of it. The other thing I think is there is some discernment in community.
I think there are a lot of places, communities spring up and it doesn’t make them all good. And I think you have to figure out, what am I getting out of this? What kind of things can this community offer? Is it a more technical community? Is it more of an education community? You’re in your own right.
Creating a community, right? And so I think when you think about it, it is, what am I [00:47:00] trying to get out? And being purposeful and mindful will help you be effective at using and being involved in those communities. And then if nothing else, you’ll meet expectations of what you would expected to get out of your value proposition of being involved.
Does that make sense? At least a little bit.
Rich: It absolutely does. And you know what, Matt I said at the beginning of the conversation that this was gonna be a pre weekend treat for Erick and me. It was, this was super interesting and a lot of fun. Thank you so much for joining us here. For anyone in the audience who wants to learn more about you, get in touch with you learn more about PAX eight where should they go?
Matt: Yeah, obviously follow me on LinkedIn front slash cyber Matt Lee, YouTube Cyber Matt Lee. Also I would love it if I could give a shout out to both my employer, PAX eight, who is awesome and sponsors my breakfast lunches and dinners, as you see right back here. And you can reach [email protected].
And then lastly, I am a board member and president of Cyber Inc., which is a charity. We're a 501(c)(3), and we have programs such as the Emergency Response Team [00:48:00] that is the msp911.org. If you're ever in your worst case scenario as an MSP, please reach out to us. We will at least give you coaching and guidance and help and things that you might need in your worst time.
As well as the framework mapping where we have a bunch of nerds being nerds and breaking apart frameworks like CIS, into their taxonomical elements so they can be used to sort tools for vendors as well as another program that’s to be launched here soon. Shout out to Cyber Rise dot org and also to PAX eight.
Thank y’all for letting me do that. I appreciate it.
Rich: As soon as Erick and I are done recording this episode of the show, I’m gonna make a donation to Cyber Eyes. I’m also gonna include their URL in the show notes, and I encourage everybody listening or watching to check it out and donate to.
Thank you Matt Lee from PAX eight. Thank you again for joining us on the show. Erick and I are gonna take a quick break right now. When we come back to the other side, we’ll share a few thoughts about this very interesting conversation. We’re just concluding here now. Have a little fun wrap up the show.
Stick around folks. We will be right back[00:49:00]
and welcome back to part three of this episode of the MSP Chat podcast. It, it is always such a delight to. Talk with Matt for many reasons. So first of all, people tease me for being a fast talker. Matt out does me, 10 x and yet it is all, the, he’s talking fast.
’cause there is so much going on in his brain that the words are trying to spill out before they they disappear on him. And you think about his response to almost every question that we threw at him, and there was something surprising or different about it each time. And a small example would just be that last little bit about community.
There, there are a lot of I. Easier, predictable answers you can imagine there in terms of how to leverage community and learn from your peers and stuff like that. And I, he does that. He believes in all that. But he had a much more nuanced take on it. It’s like there are different kinds of communities and [00:50:00] some of them are a better fit for you than others, and some of them are gonna be more valuable to you than others.
So understand what you’re trying to achieve. Do your homework, find the right community to get involved in, and. Ano among many others. One of the other really interesting insights there was what he called the salacious idea that a few years down the road, SMBs might be in a better security posture than large business.
And it was really interesting thought that if you go there with them, makes a lot of sense. Basically we’re gonna see AI in particular make it possible for smaller businesses to have the same kind of protection, essentially the same and on an automated basis as larger businesses. But, they’re gonna, they’re smaller organizations.
Their their challenges the attack surface that they’re protecting, it’s all gonna be smaller. And so you wind up with. The best tools in an easier environment to secure and a better security environment. I have not heard anyone else make that prediction, [00:51:00] but it does make a lot of sense.
Erick: Yeah, he definitely made a few bold statements there and it just fascinating to experience how Matt’s mind works and takes you into another level that, because he lives and breathes and thinks about this stuff nonstop. I can imagine his neurons are just firing a thousand times faster than everybody else’s.
But it was interesting, the two points you mentioned, and I think, if you think about it, what he said about the SMBs getting better protection in the enterprise and all that, immediately I connect the dots to who’s going to deliver that for them? And it is the MSPs, right? It is the MSPs.
It is us who are going to bring that to them because. Maybe you think that these enterprises are so gigantic and monolithic and, internal it, I worked in internal it, I know how slow moving molasses things can be there. And it is, the speed of business, the smaller and more nimble businesses that have really great guidance from their MSP and MSSP providers are going to [00:52:00] get there faster.
I also thought it was really interesting, his response to the, hey, the agentic AI, vishing or that kind of an attack. And it wasn't, it was just, we just have to do it more and differently. So that's what I'm kinda worried about, Rich. As you and I keep covering more stories about cybersecurity as it intersects AI and everything that the bad guys are doing with AI, I really believe.
That, I feel for the retirement community who are usually the target of a bunch of these scams and things like that. Can you imagine when, AI is just not calling, someone’s grandmother and impersonating their daughter that needs help. We’ve seen these stories in the news.
So not to, end this segment on kind of a downer note, but that is what we’re up against. So I think it, it goes much further beyond just educating SMBs and mid and enterprise markets. I think [00:53:00] the, everyone on the planet as a human being should be learning about and having access to these things because of the threat that it that it presents not only to business, but individuals and consumers as well.
Rich: Yeah, and you’re reminding me of something. I think it was two weeks ago, I was a guest on our mutual friend Dave Bels fantastic Business of Tech podcast. And so I was a guest. There was a an MSP who was also a guest on the show. And we were talking about a agentic AI and managed services.
And the MSP wasn't terribly bullish on where that's going because he said ultimately people are gonna want to talk to other people when they're having a technical problem. And I actually think that's getting less and less true over time for reasons I won't go into here. But the other thing I was thinking of myself at the time was just two years from now or 18 months, as you just said during that interview there, you're not gonna know if you're talking, even if you know you are somebody who really does like [00:54:00] to talk to someone.
When you've got a technical pro, you're not gonna know if you are talking to, even if you're on Zoom, even if you're talking to somebody you've met in the flesh before, the giveaway will be you called in at 3:00 AM on a Sunday, and boy, Rich looks freshly showered. I'm guessing that's not, I, it's gonna be the same experience basically talking to a human tech, talking to an agentic tech.
Erick: Rich, you and I have talked about platforms on this program that I. We’ll take your audio, like snippets of you recording. Can you imagine everything that we’re producing on this podcast is out there in the public. If somebody wanted to PO us somehow, or po somebody that we know, they could feed our audio into a program.
And I’ve experimented with experiments as have you can I create a complete webinar or can can we create a podcast that sounds like us with avatars or soon, I think with DeepFakes, [00:55:00] right? So that technology is moving at Lightspeed right now. So if we can, without video, if it’s just a phone call, we can, the technology’s getting to the point where they’ll be able to write a script and use our voices to emulate that conversation.
And like I said, I tried to stump this, this other platform from another vendor that I was demoing. And it, although I could tell it was not a human being because we’re not there yet quite with the audio, but I could not stump it. I was asking questions and it had a response that a normal person would think that’s a reasonable response.
It was crazy.
Rich: I, I should say what you just described is is what Dave Sobel, who I mentioned before is something Dave Sobel has already done. So he found one of these AI platforms we’re experimenting with. He trained it on his appearance and his voice and his set, the whole thing.
And then he just fed it a [00:56:00] script for one of his shows. And it, it. He showed me a real he went did it on ai, then he did it for real. And then he showed me both versions of that to see if I could tell the difference. And the only reason I could was because he was challenging me to do that.
And I was looking very carefully. And I know there were little hints that the thing that will change. Today you can feed a script to AI and it’s gonna sound and look exactly like you, what’ll change down the road is that ability to interact very naturally, and you’ve already experienced some of that.
Yeah, it’s probably sooner than 18 months or two years. I was gonna say, I may have to revise my timeline for this. Yeah. But it’s a very, it’s a very interesting opportunity, but it’s also a huge risk opportunity as bad guys start to really leverage it.
Alright folks, that leaves us with time for just one last thing and we, Erick and I were talking about how we [00:57:00] are elders, let’s say in the community of managed service providers.
Here's a story just for folks like us here, and it comes to us from Kawara in Japan. Now, folks in the audience here are familiar with like baseball trading cards, maybe Pokemon trading cards. In Kawara there is a new set of trading cards in circulation right now celebrating middle aged men and specifically middle aged men from the community.
There are 47 cards in the collection right now. They feature the firewall card, not the kind of firewall we're familiar with. The firewall card has Mr. Honda on it. Mr. Honda is 74 years old. He used to be the fire brigade chief in the community. There is another card dedicated to Mr.
Takita, who is a local soba master soba noodles. Wonderful stuff. This was all created by somebody in the community who said, there are all these wonderful, amazing people here who [00:58:00] kids in, in the village don’t know enough about, don’t appreciate sufficiently, let’s find a way they can relate to to celebrate and make them aware of their neighbors.
And I love it. And we’ll obviously link to this story in the show notes. Take a look at the cards. They’re they’re very nicely done.
Erick: We, sometimes I feel like, man I need some of those cards. You have to spread to my extended family. People, can and the other thought I had is what is the calendar next, right?
Are we gonna see the old elders calendar for the year? That would be funny.
Rich: And the other thought that just popped into my head, and this is a business opportunity for us, Erick, is to create managed services trading cards, collect them all. You, me and Matt could be the first three cards, but yeah you could go nuts from there, but
Erick: no I know an AI platform that will do just that scary stuff.
Rich yo strep. Let's see if we can do that for a hoot and see what happens. Maybe we will, maybe we'll introduce it on an episode of an upcoming MSP Chat podcast.
Rich: Fantastic idea, folks. Coming your [00:59:00] way soon, AI generated managed services trading cards and that is all the time we have for you this week on this episode of the MSP Chat podcast.
We thank you for joining us. We’re gonna be back in a week’s time with another episode for you. Until then, I will remind you this is both. A video and an audio program, which means if you are listening to us, but you’d like to check us out on video, go to YouTube, look up MSP chat. If you’re watching us on YouTube, but you’re into audio podcasts, go to Spotify or Google or Apple, wherever it is to get your podcast.
You’re gonna find us there, and wherever you do find us, please subscribe, rate, review. It’s gonna help other people find and enjoy the program just like you do. This show is produced by the great Rus Johns. It is edited by the great Riley Simpson. They’re part of the team with us here at Channel Mastered.
They are out there and ready to go if you wanna create a podcast of your own. And folks, podcasts really are just a tiny little bit of what we do at Channel Mastered. If you wanna learn more about the company and the full sweep of services we provide, go to [01:00:00] www.channelmastered.com. Channel Mastered has a sister organization called MSP Mastered. That's Erick working one-on-one with MSPs to help them grow and optimize their business. You can learn more about that venture at www.mspmaster.com. So once again, we thank you very much for joining us, folks, we'll see you in a week. Until then, please remember, as always, you can't spell channel without MSP.