51 - Zach Sherf - Challenges of building a framework centric Sec Program
Beard Banter - With CyberMattLee | February 14, 2024 | 00:45:12 | 41.4 MB

Join Zachary Sherf and CyberMattLee as they discuss how not to stub your toe like we did when implementing a framework!

[00:00:00] I think we're live. I think there's like 400 clips of me just saying okay, I think we're live because I'm just that nervous that we're not because the application the software

[00:00:07] Okay, we're live. This is episode 51. I'm here with Jack with Zach Sherf

[00:00:12] and

[00:00:13] I'm super excited to talk about this because we're talking about what Zach brought up, which is this the challenge of building a framework centric security program

[00:00:21] Like it's not that simple y'all and I'd love to be the guy that goes this one crazy trick

[00:00:27] This one easy solve and Zach

[00:00:29] I'm sure you would be as well, but why don't you introduce yourself brother and and let's get it going if you're out there

[00:00:35] Please chat. I'll see you from LinkedIn from his LinkedIn. I'll also see it from my YouTube

[00:00:40] So put in comments tell us how how smart Zach is and how dumb Matt is and we'll rock through this conversation in a glorious way

[00:00:48] So introduce yourself Zach what's going on and tell me what the premise of why we wanted to have this conversation

[00:00:53] Yeah, thanks Matt. My name is Zach Sherf. I'm the director of cybersecurity for Interlaced for an MSP

[00:00:59] You know initially based out of Southern California now

[00:01:02] nation and worldwide and

[00:01:05] so

[00:01:07] We does that mean I can call you Mr. Worldwide because I haven't had anybody I've been able to call that or is that

[00:01:13] You know, I legally don't know

[00:01:15] Like is there a certain like yeah, I must cross or certain numbers of longitudes like it must be crossed

[00:01:25] My audience is small enough and your audience is large enough that it might whatever risk

[00:01:30] Okay, well, let's just say we'll call you Zach then. Yeah

[00:01:34] I'm sorry for that side tangent

[00:01:37] and so

[00:01:39] We spent and the reason I'm really excited to be here as we spent a little over the last year

[00:01:45] figuring out how we can best enable our clients to

[00:01:51] Really guide them through implementing the CIS control set even starting with one and

[00:01:57] Candidly, we we tried a lot of different things

[00:02:00] And learned a lot about it

[00:02:02] But in some ways didn't succeed in in the way that we had originally set out to

[00:02:08] And so if we've migrated and move the program and but I think on the tail end of where we are now

[00:02:14] There's just a lot of challenges and learnings that I think would be beneficial to share with the broader community

[00:02:20] Yeah, our pain your game conversation is really what you're trying to bring up is like where do you fail?

[00:02:25] Where does it suck like what are the challenges?

[00:02:27] You know one of the first things I'd love to tackle Zach and I'm putting you on spot because we haven't had this conversation

[00:02:32] Have you implemented these yourself?

[00:02:34] Did you start there or did you start with a client first?

[00:02:37] How did you go about it because I've and I'll let you answer here in a second

[00:02:40] But I've got so many people in this world want to look up as MSPs and say I wish my vendor would do this

[00:02:46] I wish they had their their SOC too. I wish they would follow this. I wish I'd good secure design

[00:02:49] I wish they had all these bug bounty

[00:02:51] I wish they had all these things and they looked down go

[00:02:53] I wish my clients would do this I wish I could get them bought in to do this

[00:02:55] I wish my clients would do that they'll look down. Yep, but it's rare. They look inward

[00:02:59] So yeah start on you hopefully

[00:03:02] So to a degree yes, right and the reason I say to a degree. Thank you for the honesty. Yeah. Yeah

[00:03:08] Yeah, right. So the reason I say to a degree is I think that we went through a number of different approaches to figure out what the best

[00:03:17] approach to cybersecurity for us would be whether we go with a

[00:03:21] purely risk-based approach or a

[00:03:24] You know just kind of framework based approach and if we started with with risk based, right?

[00:03:29] Yeah

[00:03:30] And and what we realized quickly and I think this was one of the learnings that led us to

[00:03:34] Going towards a framework based approach for our clients is that

[00:03:38] With small businesses, which is you know are one of our core markets was called business is it's really difficult

[00:03:46] to do a or to justify the cost of a formal risk assessment

[00:03:52] especially when a lot of the clients are looking to just understand what this best practice was best hygiene how can I put in the

[00:04:00] For lack of a phrase low effort high reward or even high effort high reward type type situation or type solutions

[00:04:07] And a risk assessment

[00:04:09] It just I think for a lot of these organizations felt kind of esoteric and difficult to go through and maybe

[00:04:15] Let's disambiguate this for anybody watching because I think you may have just like fired a shot against most people that go risk-based

[00:04:23] Sin so like just understand that first. You just like threw that out there

[00:04:27] So let's dig into that a little bit because there are risk assessments where people are doing some type of assessment

[00:04:34] That is purely sales that will break out these five or six or seven things that help you move the needle to get in the door

[00:04:40] And there are risk assessments that are a qualitative or quantitative methodology digging deep into the weeds of decisions

[00:04:47] I'm trying to make overarching decisions of your overall cyber security program. There are two in my minds

[00:04:52] Those are two ends of the spectrum. Yeah, which end of that spectrum in your mind

[00:04:56] Were you talking about when you say these risk assessments that are that are more expensive the by-the-book NIST page?

[00:05:01] Okay

[00:05:04] Yes, because the free sales tools is not what you're talking about here

[00:05:08] You're talking about genuine this this then this assessments of current status quo

[00:05:13] So we tried to build those sales tools out and I felt that those were to some degree kind of distant

[00:05:19] Shouldn't keep firing shots

[00:05:28] Two cannons that'll sink your ship

[00:05:35] Anyways

[00:05:38] I felt like we weren't really doing our

[00:05:42] Clients justice in that because those assessments might as well have been framework-based instead of risk-based, right?

[00:05:49] No doubt you're just creating like a hyper local

[00:05:53] Hyper-focused version of of the framework and of risk based only on what you can provide as an organization

[00:06:00] Right, and so it ignores the the broader stay right here like I'm gonna hurt, but I'm gonna stay here a minute you go

[00:06:07] And so what we found with the CIS controls

[00:06:10] And the reason that we went in that direction was because we realized that we were

[00:06:15] Effectively picking from a list with that that type of approach where it's just kind of a hyper localized and we said why don't we?

[00:06:22] refer to the authority that exists in the industry of

[00:06:27] People who like basically spend all this time trying to figure out what the largest risks that face business are

[00:06:34] Especially, you know small business and things like that like these are experts who are working on

[00:06:39] Defending and protecting enterprise, but because it's so fundamentals based it does work at effectively every level of the scale

[00:06:46] so

[00:06:48] So that one I started to choose to choose CIS and and why we ultimately went from the

[00:06:55] Hyper-expensive risk-based like NIST risk-based approach into CIS as we found like we need to make action now

[00:07:02] Let's start on these things and then you know as the maturity increases and there's more of a need and an ROI on

[00:07:09] NIST-based risk assessment we can go back and have so much more visibility and confidence into what we're doing today to answer the right questions

[00:07:17] On you like that dude. I'm literally probably done talking about cybersecurity like Zach's got it solved

[00:07:23] Genuinely, I may literally retire at this point

[00:07:25] I think genuinely when you think about it

[00:07:27] There's a couple things you said that were brilliant there number one would be

[00:07:30] You're shifting the authority outside of your control

[00:07:35] You're now saying and same thing with the NIST risk assessment

[00:07:38] Don't take me for saying that's not in the same vein, but you're now saying okay

[00:07:42] Here's pragmatic stuff. That's the low hanging fruit

[00:07:44] Here's IG ones of something like CIS it applies to NIST

[00:07:48] It applies to NIST CSF and to your point the second brilliant thing you said is I think that you understand that as you're doing this work

[00:07:55] It's not wasted work

[00:07:56] It's the exact opposite of the risk assessment in the sense that you're doing the stuff

[00:08:00] You're gonna find as a no on the checkbox on the risk assessment. Let's just close the holes in the ship

[00:08:04] Let's take care of 20 of these 300 cannon holes right some way

[00:08:08] And I think so that's that's brilliant as well is that you're now creating this reprative piece not just the

[00:08:14] not just this kind of

[00:08:16] Did it get a hole? All right, and then the other piece of this was just being able to break it into

[00:08:23] Small action will today things and understand there's a list and a greater as we go so dude

[00:08:28] That was just a whole ball of awesome. So let's get to the point to go into okay. Where's the failures?

[00:08:33] Let's talk about the failures

[00:08:36] If we did it first I yeah, yeah, we did

[00:08:41] And I think that that created

[00:08:46] Simultaneously a lot of confidence and a little bit of

[00:08:50] Maybe even false confidence around how it would go outside of our organization

[00:08:55] Because you have all the end players you have people

[00:08:59] Focused organization everybody in the org like

[00:09:04] It was it was easy to come in and build a culture around security because everybody's interested in cyber security

[00:09:09] Sure, there's not a knowledge curve to overcome right?

[00:09:14] Educating

[00:09:16] Right so everybody's super committed to it which was is great and something I expected to exist elsewhere

[00:09:23] That was probably

[00:09:28] Probably my first myth misstep and that's you know

[00:09:31] If I were to boil down to three big categories for the missteps the first one be client commitment, right?

[00:09:37] Yeah, I am hearts and minds conversation

[00:09:40] You know we can get commitment through our points of contact we can get commitment through key decision makers

[00:09:45] It doesn't mean you have organizational commitment and I'm stakeholder buy-in. You don't have organizational commitment cold

[00:09:50] Yeah, trying to empower people within that

[00:09:54] Organization to do that because they have the leeway and we're effectively an MSP. We don't have the same

[00:10:02] Same leeway as you don't roll up and sit at the same coffee pot and talk about yesterday's boss meeting and

[00:10:10] Conversation right and so that's our or we deliver great service, but the rapport the personal rapport

[00:10:16] Just takes significantly more time and yeah

[00:10:20] To your point so that's the second category right?

[00:10:23] What's the next one so we've got?

[00:10:26] resourcing

[00:10:27] Which I'll be totally transparent

[00:10:29] We grossly underestimated on and we kept our or your side or on the client side or both both

[00:10:36] Yeah, yeah, how much work it's going to take to get this done as a resource perspective right yep

[00:10:41] And that ties right back into client commitment

[00:10:44] Right because we didn't understand yeah

[00:10:46] Yeah, I need to do another 40 hours of an FTE over the next three weeks just to get this point

[00:10:52] I don't have it Matt. I'm sorry Zach. I don't have it. I can't give you that resource

[00:10:56] He's already she's already right that the statement and back to I thought this was gonna be easy

[00:11:00] I thought this was gonna be you know

[00:11:02] Right and then if you look at that Zach and just go ahead continue you said in then and the third one is training

[00:11:08] But we can go back to the other thing, but it ultimately was

[00:11:12] And these are training and then training internally of

[00:11:16] How to scale this out through all the different?

[00:11:20] You know parties within our organization who we would need to scale it out to to do that work and to inform and to instill

[00:11:27] confidence that requires a

[00:11:29] commitment and a

[00:11:31] significant commitment to internal training

[00:11:33] To everybody in the org not just around a security culture

[00:11:37] But on how to

[00:11:38] Understand and literally deliver to the intent behind these CIS controls. Yeah

[00:11:44] Yeah, and what you're you know just to make sure I understand so the first one as we talk about it is really

[00:11:48] Not expecting that the clients wouldn't have this buy-in

[00:11:51] I think all of them seem to have a thematic aspect too

[00:11:54] Right as we go through this right the first one being not it's not having the client buy-in while expecting it was one of the first

[00:12:01] Dumbles like do I understand that correctly Zach? Yeah, yeah

[00:12:04] So so when you think that out there's there's components of the second one that come into that

[00:12:09] Right not knowing how many hours and how much resource it was going to take how many like think about things that are like five

[00:12:15] Dot two that says use unique passwords, right? We think immediately towards using a password manager slam dunk done, right?

[00:12:21] Yeah, I'll tell a story my wife's watching so she may come in here and slap me

[00:12:25] We'll see what happens, but I play with fire all the time

[00:12:27] But my wife and I bought a password manager like three or four years ago

[00:12:31] And at that time I said hey get all your password your personal passwords in a password manager

[00:12:35] And I'm gonna do the same we're gonna move forward and that way we can help meet five times

[00:12:40] I did the same thing

[00:12:42] Yeah, yeah, we'll see if your outcome was better

[00:12:44] You may have been a better educator than me because I come to use my wife's password one time and she's done

[00:12:48] She's got them all in. I'm like yes. This is so awesome

[00:12:51] I start looking at them because I'm using her thing to sign in something with her and they're all exactly the same

[00:12:56] They're the exact same password story. She's stored every password

[00:12:59] But it's changed none that has not had met the intent of this aspect, right?

[00:13:03] And that's a failure on me which goes to your third point which is training

[00:13:06] And the third point of like this implementation takes training and buy-in and education anyways

[00:13:11] Yeah, continue you had yours you said

[00:13:14] Well, what was gonna say on the password manager friend. I think we're getting

[00:13:19] To close to the point with privileged access management and API controls and things like that

[00:13:25] That we should be able to get to the point where we can go into our password managers and tell it to

[00:13:31] To reset or to go password or configure it to make it so that it's known or to set up reporting capabilities

[00:13:38] And yeah, we've seen that comes with cost right because think about things like

[00:13:43] LastPass I'm doing a webinar with them here in a couple weeks. It's gonna be great

[00:13:46] But some of their failure points were things like they wanted to be able to report

[00:13:49] Which meant they had to keep pieces unencrypted about where you were going in sites those natures

[00:13:53] But they didn't filter it right and there was other challenges

[00:13:55] I won't get into the the the breaking down the body there, but ultimately I think to your point

[00:14:01] The training part the resource part the other pieces are underestimated because people don't get into the how

[00:14:08] One of the things that I teach with Chris Johnson at CompTIA is that we always focus on the tool

[00:14:13] But we really need to look at the safeguards from a how perspective

[00:14:16] Have you had any challenges with like the nomenclature of what's really being asked?

[00:14:21] What's the real scope of this? How do I scope this in that lens anything?

[00:14:25] on there a hundred percent right and I think that starts with control one

[00:14:31] Yeah, one dot one even

[00:14:34] Building it maintain establish and maintain detailed enterprise asset inventory right what does that actually mean and three

[00:14:42] hundred words longer under it of what type should be included including IoT and internet and assets that are devices on the network that are

[00:14:50] non net computing devices and all

[00:14:53] Assets with the potential to store process data. Do you know how?

[00:14:58] Broad that is and yeah, it's a good

[00:15:01] It's great as a first control because I think it simultaneously

[00:15:06] Every other control yeah, but it highlights just the gap between

[00:15:12] What we think you know about your organization and what is actually out there right?

[00:15:17] Yeah, and if you get to kind of overzealous with it then you start moving as you're doing it

[00:15:22] You're thinking yourself. You're like I have to you know enable

[00:15:26] Security controls on this asset not and you see my face turned on here

[00:15:30] You skip you know control force thrown

[00:15:33] You know some and so forth and so but but we're talking to

[00:15:39] You know heads of staff and yeah, oh you nailed it in a broad

[00:15:45] Yeah, I'm technical role within the organization pause for a sec because

[00:15:50] Another thing you talked about first

[00:15:51] You said that people aren't bought in like we are like to your point the security culture and that's a real big problem

[00:15:57] Yeah, but additionally in your organization you actually know what's in your organization even though you suck at it

[00:16:03] You know and how do I know when we were doing this at Iconic me and Matt Topper and Jason?

[00:16:08] Farmer and some of the others we literally just kept finding applications and finding applications and finding applications

[00:16:15] When you think about 2.1 and we came up with like

[00:16:18] 67 we still needed to keep

[00:16:20] 67 that we still needed to keep the rest of them

[00:16:23] We still got rid of the other 50 60 70 80 moved them to jump boxes did things like that that we needed to do

[00:16:28] But you know when you dig into it

[00:16:30] I think we get the blessed ability to do that because we have those resources and we can command it as MSPs

[00:16:36] When you think about doing that with your client think about all that in that lens all those things you might need to do to be successful

[00:16:43] Well, it's even simple the simplest ways

[00:16:45] And so this was I think a little win that we had is we had to figure out creative ways to communicate the intent behind these

[00:16:51] Controls and to get the result that we want

[00:16:55] one of the ways that we did that is by

[00:16:58] Finding systems that we had access to that would maybe collect data about asset inventory that clients

[00:17:05] Might not know about right so that would be going into by the way you're describing passive asset discovery

[00:17:11] Just so you know in its very nature. So anybody confused in the 1x with passive asset discovery. Yeah, that's how

[00:17:19] Exactly

[00:17:21] 100% SaaS are doing some level of passive asset discovery is still a policy or procedure around it

[00:17:26] Right and so they don't know what is actually being collected in those things

[00:17:31] And so we haven't thought creatively enough to know right

[00:17:35] I always like to say something my grandfather said my father said which is don't jump me in a rock pile

[00:17:39] I'll sure as shit throw a rock, right? And it's this understanding of you need to know what's around you

[00:17:45] What what can you extract information about you? You're dude

[00:17:48] You're it's like we're separated at birth and I got the beard and you got the looks in the hair

[00:17:52] but like

[00:17:53] You know genuinely being able to pull passively

[00:17:57] Information about things we see SaaS whether there's through DNS queries, whether it's through, you know

[00:18:02] The SaaS tools they're using whether it's through asset inventories

[00:18:05] We're collecting and then get a handle on it so you can present that I would imagine that

[00:18:09] To them to make decisions on and being able or an empower and

[00:18:15] Give us all your stuff so that we can put more work back on you

[00:18:19] Right, right and I think that was an approach we started with there's we said

[00:18:23] Can you get your finance team to go through every credit card invoice and see what is what we did internally?

[00:18:30] Right, that's how I did it with my finance team. We said pull the invoices you with software

[00:18:34] No, I'm saying I need to know what people are charging

[00:18:37] I need to know like where are we spending money on software and that breaks down by and doesn't it?

[00:18:43] And so you have to empower them to overcome that and in their minds. Why here's why Zach

[00:18:48] Well, you told me you'd be an all-you-can-eat service provider for MSP for this much ahead per user

[00:18:54] This 250 or 300 a head your charge in these include that and you have to then educate and

[00:19:00] Maybe some of it does right to your point of going and doing the research with the tools at hand

[00:19:04] Yeah, coming with the data. Okay continue sorry, but we you know to that point

[00:19:09] It was well-intentioned

[00:19:11] Within that because more of our clients were asking us around it's fair

[00:19:15] You know around what what is the line between cybersecurity and you know managed services?

[00:19:23] How do we we

[00:19:25] Benefit and provide value to our clients

[00:19:28] Because that changes year-over-year what what clients used to value

[00:19:33] Oh my gosh, it's different now. They're looking at us for different things

[00:19:36] So how do we meet that need without overly without being kind of ascending without effectively saying like this isn't us

[00:19:44] Right, we need to find a way that it could be us and this is well, which we thought would work and

[00:19:50] Ultimately, it was like it's not to say that it didn't work

[00:19:53] It's to say that that we needed to find a more creative way to make it work for everybody involved to understand how they could give value

[00:20:02] And ROI without over committing ourselves and without over committing labor from our clients, right?

[00:20:08] Both sides where possible, right? That's the beauty of trying to figure this out at scale

[00:20:13] You know you said something that like totally triggers me because I'd like wrote a book about this with Juan Fernandez

[00:20:19] and and and Marnie Stockman and and Wes Spencer and

[00:20:23] Anyways, the the the concept is this I genuinely believe you tell me if you think I'm wrong that

[00:20:29] What we have done as MSPs over the last 10 years is becoming

[00:20:34] commoditized and and and what I mean is like think about our days as exchange server admins

[00:20:39] We needed a C volume that was on regular spinning discs

[00:20:43] Maybe RAID 10 I needed to have a

[00:20:46] D volume or a second volume that had the exchange logs on it

[00:20:49] and then I needed to have a volume that had the database that was on at least 10k storage in a RAID 10 format or

[00:20:56] SSD and in VMs that went potentially I

[00:20:59] Needed to have those dedicated volume so I can make sure the performance

[00:21:01] But I got all these things I had to do to make sure exchange perform well, which most people didn't do

[00:21:05] They probably just slapped that some gun on a VMs at Vine

[00:21:07] but even then when you dig through that process the work and the things we had to do was so much more to keep that running

[00:21:14] Compared to I pay 20 bucks and I have Microsoft Office 365. I pay five bucks and I have Google Workspace whatever it is

[00:21:20] There's no right like that commoditization

[00:21:23] Continues out and if you think back if anybody's old enough we used to put IRQ jumpers on our cards

[00:21:29] So I could say this is COM 7

[00:21:31] Right, this is IRQ 3 or whatever maybe don't butcher me if I'm wrong on those IRQ configurations

[00:21:35] But and then plug that in right in the in the card and in our PCI or ISA slot back in the days

[00:21:41] Right and so when you think about that that doesn't happen anymore

[00:21:44] I buy a laptop at Best Buy I sign in and so that commoditization is playing out in our world

[00:21:48] And if you start a company tomorrow, it's identity centric and SaaS centric and so

[00:21:52] Um, I think my my wrapping that up statement that I want you to take a thought on Zach is

[00:21:57] Does some of this work?

[00:21:59] Continue to add the value where the others have been commoditized away as table stakes

[00:22:04] Is that part of that change you talk about every year in your mind? Um, I won't

[00:22:10] overly brag about Interlaced positioning, but

[00:22:14] Uh, we have a single we haven't have had for a while a single digit percentage of our clients with on-prem infrastructure

[00:22:22] We're talking with all my heart right now. Zach. We were obviously we're talking

[00:22:26] Yeah, and any of that right and and I'm not counting

[00:22:29] Like basic networks that just do Wi-Fi access. No, no, no I follow that should have that has to be there

[00:22:34] You gotta have the the polling

[00:22:36] Organizations it's just not right like when yeah when they're all at home or completely not. Yeah, yeah 100% so

[00:22:43] um

[00:22:44] That does a number of different things one it gives us or gave us at some level a competitive advantage

[00:22:52] That if I should do the pandemic. Yeah, especially

[00:22:55] MSPs who weren't us were making money hand over fist

[00:22:59] On pro-services

[00:23:01] Yeah, you're setting up the ends like building out some of the concentrators doing like all moving people into the cloud and we were like

[00:23:09] Our clients were prepared and our clients were thrilled to be

[00:23:13] Prepared for it. What yeah, yeah day like is us doing our job

[00:23:17] Um, but but to your point now any new client who joins us that's table stakes, right? They're a SaaS organization

[00:23:25] They want a hybrid

[00:23:28] They want to be able to use their iOS their iPadOS their macOS their in a safe way. Hopefully

[00:23:33] In a safe way. Yeah

[00:23:35] They want to be able to work from home or a coffee shop or like anywhere in the world

[00:23:39] And our clients at the leadership level are asking how can we do this and balance security?

[00:23:44] Right in a meaningful way and like if we are the people who have the answer to that

[00:23:50] Without it, you know without taking a scorched-earth nuclear

[00:23:55] Yeah, yeah, which I I'm a I'm a scorcher is some friends

[00:23:58] Then that's the value that we can provide right like understanding the the business value proposition to like making people

[00:24:05] happy

[00:24:06] And secure at the same time and it's nailed it and it like tremendously challenging

[00:24:11] I'm not sure that we have nailed it. Maybe I nailed the concept

[00:24:13] I don't think you ever nail it

[00:24:15] You know one of the things that one of my CEOs said once Chris who's brilliant brilliant brilliant human and just good human in general

[00:24:21] Is I was telling him I had a work life balance established

[00:24:24] Right and he kind of laughed at me a little bit. He says Matt go stand on a basketball

[00:24:29] Are you ever in balance?

[00:24:31] Well, no no i'm balancing at all times. He goes great. You're never in work life balance either

[00:24:35] It's always a challenge

[00:24:36] And I think I extract that to also go towards this point

[00:24:39] Right as well and that it's always going to be a challenge of balancing

[00:24:42] Giving people the ability to magically create craft they care about that's it

[00:24:46] That's the end of the day whether that's caring for their clients

[00:24:49] Whether that's making the Mona Lisa whatever it may be give people the ability to magically create

[00:24:55] And if you can do that in a way that creates security

[00:24:58] Then you are winning and what's interesting about the world that you and I live in think about and describe

[00:25:04] Is that when you do apply those safeguards?

[00:25:06] You almost can apply

[00:25:08] I'd probably put 50 or 60 of the technical controls apply unilaterally for all of those consumers

[00:25:14] You can do the same things now. It's just educating. Why am I turning on?

[00:25:18] You know strong authentication. Why am I turning on and enabling these things?

[00:25:21] And so it does give you one place to script it which means you can script the experience too

[00:25:26] Um, what are some of the other failures you've run into like in this implementing safeguards?

[00:25:31] Because that's what people love. I'm giving the people what they want is our failure

[00:25:34] Blood and tears so I have a couple specific examples, right the legwork

[00:25:38] We talked about the legwork behind software assets

[00:25:41] um at building the asset inventory like all of that that just

[00:25:44] Requires a lot of of commitment and I think where we failed on that was

[00:25:49] Properly communicating to our clients how much work it would take on there and to do it and getting their buy-in

[00:25:55] Because I think we got their what was that kind of work

[00:25:57] What was the stuff they're having to do help me understand that just so people get it kinesthetically

[00:26:01] Yeah, so I mean like the we talked about the billing thing right like pull all your credit card

[00:26:07] Take a guy that's that's just trying to get numbers out the door and pull them for four hours to do this for me

[00:26:12] Right. Yeah, right like that. That's a huge one talking to

[00:26:16] departmental managers about

[00:26:18] What workflows they have that are so core to their department and what led them to using the software stack that they're using

[00:26:25] That does differ from the the organization. I can't tell you how many times

[00:26:29] Um, and I'm sure you've seen it as well

[00:26:32] Where you're talking to uh, let's say a CFO, uh, right and they understand they're like we use 365

[00:26:40] We use Google Meet we use, um, you know, or we use Teams

[00:26:45] And you're like

[00:26:47] And I'm like well, why are you spending a thousand dollars a month on Zoom and it's like okay. Well the sales team uses Zoom

[00:26:53] I'm like, okay, but right exists in how many different departments and if you're

[00:27:00] If you tell me

[00:27:02] We use x y and z stack

[00:27:05] And then you know all the time like just you're using r f and t over here, right as well

[00:27:11] Different tools that enable them

[00:27:13] Why are one why are they using those different tools not from a

[00:27:18] Who didn't stop them? But from uh, what is missing? Is there a need? Is there a missing piece?

[00:27:23] What a hold?

[00:27:25] Yeah, yeah, we can do this in a way that, like, balances that security properly

[00:27:29] Are they using free tools that don't do the data protection things, and how can we enable them to use

[00:27:36] Tools that do balance what they actually need to do and the data protection

[00:27:39] So having those conversations without the individual departmental managers feeling threatened

[00:27:44] And being willing to, like, give up that information, because us, IT, come to them and you're like

[00:27:50] They, I think

[00:27:52] Want to feel defensive. Immediately it feels like an interrogation, not an insider asking a question, right?

[00:27:57] Even if you do it as an insider, it's an interrogation in some cases, right? Like, people just want to create

[00:28:03] um, there was a

[00:28:05] Interesting tangent in my head that I had around this, and think about it this way

[00:28:11] We ignore things in the software world that we would never tolerate

[00:28:15] In the physical world. Like, let's say a department manager goes, no bro

[00:28:19] I understand we're Massey Ferguson, but I am not Massey Ferguson

[00:28:22] I'm gonna be buying John Deere for my needs and y'all can go to heck on it. That's not gonna happen

[00:28:28] You would see it. It would be visual. But yet we'll use Slack for this team and Teams for that team

[00:28:33] And not have a real argument of the delineation other than really cool icons. Yeah, and I think, um

[00:28:40] Anyways, I think this is the interesting part about our world, where we have to work through and unearth the digital

[00:28:46] In ways that you never have to in physical

[00:28:47] I would see you're using a laser cutter when I'm trying to use additive manufacturing

[00:28:51] Right, you'd just be instantly known

[00:28:54] Um, and yet we have to play that educator and fight through the challenges you're talking about, and we're undoing

[00:29:00] and fighting against

[00:29:02] Years of stigma around it. I feel within our organization, it's like we almost kind of cringe at the

[00:29:09] Uh, the stereotypes that exist around... You mean the beard and bald head for hackers? Or

[00:29:15] I was like that she does and who they are and that they're like

[00:29:19] They many times are like, uh

[00:29:21] Concerned to be, like, unapproachable, mean, totalitarian, might be like... or, yeah

[00:29:27] Yeah, our security team is the "no" team, the "no" department, right? Yeah, I think it's a "no" team, right? And

[00:29:32] Trying to figure out, one, as an external department

[00:29:37] two, um, you know, as an MSP, just

[00:29:42] individually, and then kind of three

[00:29:46] um, just as, like, individual contributors

[00:29:49] uh, how to have conversations

[00:29:52] that are non-confrontational and, like, really collaborative, to truly find the root cause of

[00:30:00] What enables people to do this work?

[00:30:02] Um, has been our key to success

[00:30:06] I think at every level, and it's still really challenging, because, like I said

[00:30:09] Is that focusing on the positive? Like, let me just scenario this out and ask if this is similar. Like

[00:30:15] Instead of saying, I want to know what software you're using, what software the company's allowed, instead of focusing on

[00:30:20] We're trying to help the company to the efficient ability to bring everybody together in one place and make sure we're all rowing

[00:30:25] And getting the things we need. Like, is it more focusing on those positive outcomes than the negative and loss outcomes?

[00:30:30] Is that part of that equation? I think it's simpler than that. I think it is the difference between

[00:30:37] At, like I said, at every level, seeking to

[00:30:41] Uh, respond versus seeking to understand, right? Like when you're having conversations, like, in general, right?

[00:30:49] Like, I think a lot of times security or IT

[00:30:53] Like, you get, myself included, I get so laser focused on this threat I'm trying to prevent, this risk

[00:30:58] I'm trying to mitigate that I go into a conversation and and naturally think like an engineer

[00:31:03] I'm like, how do I fix this problem? How can I pull the band-aid off and kill this software as the real?

[00:31:08] Yeah, yeah

[00:31:13] And that is I think absolutely the wrong approach

[00:31:16] The right approach is to just sit down with that person and be like, how do you work today?

[00:31:20] Yeah, what do you need this for why are you using this?

[00:31:23] Yeah, exactly

[00:31:24] Like, show me a little bit, because a lot of times they will not even know

[00:31:27] That there is, like, a happier compromise, a better solution, like

[00:31:32] Something out, or they may have landed on the right one. I mean, the other aspect of this too, truly, is

[00:31:37] We want to find the wins. Now, to your point

[00:31:40] If I've got something that's rife with vulnerabilities, or I've been asked not to use contractually, or things of that nature

[00:31:46] And that trumps that, right?

[00:31:48] But so, back to the original point of that amount of work that it requires to get good at it

[00:31:54] And I think part of this is that I really believe there's a Dunning-Kruger challenge with cyber security

[00:31:59] Right, and I know there's some recent discussion that that statement has been debunked a bit

[00:32:04] Scientifically, but the point being that as you learn something that you think you really know

[00:32:08] You get to this like plane where you understand

[00:32:11] There's so much more and you fall into this pit of despair of understanding that you have so much more to understand

[00:32:15] That you just can't I think um

[00:32:18] Cyber security is somewhat that way, because if you look at it simplistically, you think

[00:32:23] All I have to do is deploy these tools and get the clients to buy these tools and I'm done

[00:32:26] Yeah, but if you think about it at that precipice of despair there, you start going

[00:32:30] Oh my god. I have to know what they use. I have to know how they use it

[00:32:33] I have to see how they're connected. I have to know the data flows. I have to understand how it's classified

[00:32:36] I have to, like, think about what Copilot brings up in that scenario of what data you have access to and

[00:32:42] You know what its risk might be to you

[00:32:43] Yeah, and you have to know how it's, you know, ultimately just going to

[00:32:47] Benefit the business. And so when I talked about how training was

[00:32:51] One of the most difficult things, everything that I just told you from an approach perspective

[00:32:57] We have to bake into our training, like, as MSPs, is like

[00:33:01] How do you make people first?

[00:33:03] And then level yeah, yeah, all of them

[00:33:05] Right. Yeah, all okay

[00:33:08] The great super ambitious

[00:33:10] service desk guy who wants to come in here and, like, find a problem and fix it, to understand that fixing that problem might actually...

[00:33:19] You might fix the technical problem

[00:33:21] But you create this perception that then we'll have to fight against in the future, that we're being, you know

[00:33:27] overzealous or, again, totalitarian in our approach

[00:33:30] Um, and I think it's, you know, it's one thing that

[00:33:34] Apple has done really well, just in their Genius Bars and things like that, is like

[00:33:39] For the most part, when you go in there, like, the idea is about repairing the relationship between you and the technology

[00:33:45] And so if we can, uh, take the same approach of

[00:33:49] Trying to figure out why a person is frustrated, either

[00:33:53] Frustrated enough to pick their own new solution, or frustrated in how the existing solution's configured, or frustrated because they don't know

[00:34:01] How to use the technology to make their life easier, and approach it that way, as opposed to trying to just

[00:34:07] Fixing the symptom of that ticket, of why they called in, of whatever it is

[00:34:12] We'll then build the rapport that, when we need to deliver

[00:34:16] um, you know, uh, some unilateral changes in the name of security

[00:34:21] It's informed by an understanding of how these clients work, and also we've gotten the buy-in and the trust

[00:34:27] From them over that series of interactions

[00:34:29] So it really is, like, as an MSP, a whole organizational challenge of, like, effectively saying

[00:34:36] How do we

[00:34:37] Train our people to understand tech, understand security, insofar as

[00:34:43] It is a method of

[00:34:45] understanding workflows

[00:34:47] And then how do we leverage that to build trust, so that when we need to take

[00:34:51] Some money out of the bank, not physical money, but, like, trust

[00:34:55] Right. Yeah, personal capital, to implement

[00:34:58] A sweeping change, that capital is there

[00:35:01] Yeah, 100%, you get it. And I think if anybody hasn't listened to this show before

[00:35:06] I think Zach probably just said

[00:35:09] One of the first statements that I think is 100 points worthy, which, by the way, for anybody listening

[00:35:13] These are worthless points. They have no monetary value at all, but

[00:35:18] You've been laying them out today, man. Um, 100%, I think it's that challenge of understanding that we don't get seen as part of the business

[00:35:26] Or in the business

[00:35:27] We aren't seen, and we don't put ourselves in the position of understanding how they use their technology

[00:35:32] I'll call myself out for it. I sucked at it, right? I got better

[00:35:35] But over time you start understanding that security is non-delineable from that

[00:35:39] Right, security isn't separable from the technology choices we make. It's unfortunately the way it is, no more than driving a car

[00:35:45] And car safety would be separate. Like, hey, listen, I'm gonna teach you to drive a car

[00:35:48] I'm not going to teach you anything about them concrete bunkers or things you hit

[00:35:51] Like, I guess I'm not going to teach you anything about the other cars and how they might...

[00:35:54] No, no, that's all safety and security. We're going to separate that off to a separate class

[00:35:58] It's not about driving a car

[00:36:00] No, they're inseparable. And I think one of the things I want to bring it back home on was Eric Woodard and

[00:36:07] And, you know, Phyllis Lee and senile you and all them did a pre-day at, um, at Beyond, at Pax8 Beyond last year

[00:36:14] And you had a quote that kind of said there was three hours

[00:36:17] Per employee, or per user, that was what it would take to implement IG1, or Implementation Group 1, the 53

[00:36:24] Safeguards. Um, do you think that's still true, based on what you just said and all the time and the expectations?

[00:36:29] Is that number accurate?

[00:36:31] I think that

[00:36:33] That is a sliding scale

[00:36:36] Okay, and based on the size of the organization, readiness, all the time

[00:36:39] No, I would say based on how much goodwill you have built up. Like, it's kind of a multiplier

[00:36:44] So, like, if you have all this trust built out already

[00:36:48] Then the amount of time it will take to implement decreases. Like I said, it's a multiplier, right?

[00:36:54] And so if you've got, uh

[00:36:56] Just from buy-in alone

[00:36:58] Yeah, just from personal capital as a balance in the buy-in department

[00:37:02] Then you're going to be talking about a 2x multiplier to get anything done, especially related to security. And so that might be

[00:37:09] Six hours, right, just to implement IG1. You might double it. Yeah. Yeah, because you would have positional command to say, Sally

[00:37:17] Bill, I need you to go meet with Zach's team and really put some effort into this. This is a deliverable this quarter

[00:37:21] We need this done. I need you... That's a big difference, then

[00:37:24] Yeah, man, be like, humor Zach and, like, get him the stuff he needs

[00:37:27] We need... Like, those are very different statements in time of effort. 100%, that's so smart, Zach

[00:37:31] Yeah, so I don't want to begrudgingly get people on the security train. Nobody, you know

[00:37:39] The Dale Carnegie is, uh, uh, you know, a man convinced

[00:37:43] Against his will is of the same opinion still, right? So if you're convinced of something

[00:37:50] and you don't

[00:37:51] want to

[00:37:54] If you lose an argument

[00:37:56] Right. Yeah, you're not going to walk away from that argument

[00:38:01] Wanting to believe that the other person is right even if they are sure right? Yeah

[00:38:06] And so if you lose a battle in terms of

[00:38:09] risk, of saying

[00:38:10] This tool is too big of a risk, and you come at it from saying you're wrong for this, that and the other reason

[00:38:16] The person's going to try to find any possible way they can

[00:38:20] To keep using that thing. Yeah, totally. Instead of understanding your perspective and your point of view, and the other side exists as well

[00:38:27] right

[00:38:28] And it ties to that kind of Chris Voss type mentality of, right, Never Split the Difference

[00:38:33] But really this understanding of, if you're ever sitting on the other side of the table, and I'm bastardizing his book

[00:38:37] So, like, he's kind of terrifying because he's, like, a hostage negotiator

[00:38:41] So it'd be very, very unfortunate if he wasn't at me on this. But it is this understanding of, we want to sit on the same side of the table

[00:38:46] And that's the way I always approach things like when I was working with certain big vendors as a practitioner

[00:38:51] My argument was like I don't want to change your legal agreement to the point that it's redlined my way versus your way

[00:38:56] I want to make sure we're both in the same boat

[00:38:59] Where we share certain risks and responsibilities and we have certain understandings of sitting on the same side of the table

[00:39:04] And I think, to your point of, you know, you can't make it adversarial

[00:39:07] You have to make this a pitch to drive people to a common goal, which is business profit

[00:39:13] Which is success, and paying employees, and driving this brand new business venture you want to succeed, or, right?

[00:39:20] That's what we have to commonly come together on, and then security has to be a byproduct of that

[00:39:24] I know I get the benefit of being a theorist now

[00:39:28] Which makes it fine and easy to say, but do you find that's a common element that lands

[00:39:32] Um, with being successful? And the things that you have found successful, those align with that?

[00:39:37] um

[00:39:39] Yes, but it's difficult, right? Like, that goes back to, like, really understanding what the business does and

[00:39:46] And how they operate. I would say

[00:39:50] Probably the most important thing is, by, again, making yourself, like, an invaluable resource, as a trusted advisor

[00:39:59] Pardon, one example of this that I'll give, because everybody says that, every MSP wants to be the trusted advisor

[00:40:05] Like, that's the key. No, you hear it all the time

[00:40:08] But, like, a real world example of that is, let's say I have a graphic design client, right?

[00:40:14] And, um, I think a lot of MSPs would look at that and effectively say, if we're building a cyber security program

[00:40:20] We're going to target fintech first. We're going to target healthcare first

[00:40:24] And not our graphic design clients. And I would say the opposite is probably true, because the graphic design client

[00:40:32] might be working with

[00:40:34] large corporations with built out

[00:40:37] GRC programs and they are completely and totally lost on how to answer those questionnaires

[00:40:43] But the business is so critical and it's so hyper competitive

[00:40:47] That if they have the competitive advantage of having a mature

[00:40:51] security program

[00:40:53] Put together and they can really confidently answer those GRC questionnaires from the mega corporations

[00:41:00] They have the competitive edge to win the business

[00:41:03] I've seen businesses lose over the maturity of their program, and more

[00:41:07] I've seen businesses who put just a little bit of effort in

[00:41:11] Something like CIS IG1, where they can just really confidently answer the questions. Here's what I've done, and this is where I stopped

[00:41:18] Great, there's a baseline, but ultimately they want to see, like, intent to improve

[00:41:25] Right, having a program, like, well, things like that, and just, like

[00:41:29] Going forth and saying, we've thought about this

[00:41:33] Gives you such an edge in the marketplace. True story. That's why it's worth investing in, you know, to speak to those

[00:41:39] This goes to a corollary. So one of my early clients, a guy named David

[00:41:43] He was, um, I wouldn't say a small shop, but they were, like

[00:41:47] I think seven or eight five-axis machines, right, a few lathes

[00:41:51] It wasn't a huge shop

[00:41:52] But they were making parts, and they were doing parts for Boeing and Spirit and Northrop Grumman and

[00:41:57] You know, Lockheed Martin and others that would have some thoughts there

[00:42:01] And this was in the early days of 800-171. Like, think back to 2016, 2017

[00:42:05] And when nobody gave a crap, Zach. Nobody cared. Still they don't really care, like, if I'm honest

[00:42:10] A lot of people don't. But you know what was interesting was when David started putting all this work in and the tides changed

[00:42:15] We hadn't even had the SPRS, the interim rule, right, that they'd asked for the SPRS scores

[00:42:19] None of that happened. It was still all self-attestation

[00:42:22] And many people were just lying, and he had put in MFA

[00:42:24] He had put in all the things to do, and started meeting some of these data sovereignty requirements, things of where he was

[00:42:29] Managing CUI, FCI, all the things

[00:42:33] And everybody told him he's stupid

[00:42:35] Because they said, you know, nobody cares right now. You're wasting money

[00:42:38] You're making your art. Right. What's funny is, even though they hadn't yet checked, to your point

[00:42:44] He started getting rate readiness reviews from the Northrop Grummans and the Spirits

[00:42:48] And he was standing up on a pulpit talking about a cyber program

[00:42:52] Who do you think, when those rate readiness teams went around, when their objective is to be more secure

[00:42:57] Who do you think, if the prices were normalized, they chose?

[00:43:00] And he grew and he grew and he grew and he grew, and he made it to...

[00:43:04] Not normalized, it's now becoming such a risk that it's worth

[00:43:10] It gives you ROI, it's just hard to calculate

[00:43:14] It's hard to prove, hard to calculate how to tie it in. That goes back to that having something in the bucket and trust in the client

[00:43:21] And that comes with listening, and I'm going to wrap it up with that, Zach, because, brother

[00:43:25] You just gave me too many nuggets to even try to distill this down

[00:43:28] Ultimately, I think for people watching, this is one to catch

[00:43:31] And I don't actually say that often. You can go back and look at the last 50 episodes

[00:43:34] But I think this is so important, because the mindsets and the fundamentals are things that I wish I knew

[00:43:40] Going into a security program and trying to implement a framework

[00:43:43] When I teach my class, Zach, for implementing CIS

[00:43:46] I had to eventually make peace with people hating me after the class

[00:43:50] And the reason is they walk out and go, Matt

[00:43:52] I thought I was going to walk in here, your security class, and you were going to solve security for me

[00:43:57] In fact, you've given me 10 to 20 to 30 times more to think about than I ever imagined

[00:44:02] Right and I just had to make peace with that because that's where we are today

[00:44:05] And that ties, but the good thing about a conversation like that

[00:44:10] And it is, we talked about client commitment. We talked about training. We talked about resourcing

[00:44:15] Training and resourcing both lever up into client commitment, which is, at the end of the day, the most important thing. True

[00:44:21] But I think, you know, if there was a misstep, if there's one big misstep around this

[00:44:26] It was oversimplifying how easy something like this would be, without talking about the value

[00:44:32] And at the end of the day, approaching it now, we say it's going to take this level of commitment

[00:44:38] But if you trust us and we do this right, it will pay dividends in the long term

[00:44:44] That's epic, brother. Well, I want to say thank you. It goes by quick, doesn't it? But

[00:44:48] If you guys haven't connected with Zach, please connect with Zach on LinkedIn

[00:44:52] We'll get his comments down below. He's also doing this on his LinkedIn

[00:44:55] And then, you know, if you want to be on the show, reach out to me

[00:44:58] I've got a form to fill out and we can go down this path. I've got quite a bit of a guess

[00:45:02] But yeah, Zach. Love you, brother

[00:45:05] You and I share very much a lot of the same visions on

[00:45:09] These challenges and where we're going, and I appreciate you being out there, man. Keep