It's been a big year for the passwordless movement, with tech giants Apple, Google and Microsoft supporting the FIDO Alliance's efforts to replace conventional credentials with passkey technology. Still, passwords have long been ingrained into people's daily routines, so users may need some convincing to change their behaviors. And likewise, managed security services providers may need to persuade their own corporate clients that passwordless is the future. This segment will examine some of the key breakthroughs and remaining challenges surrounding passwordless technologies from an MSSP perspective. You're a big fish in a pretty big pond. But there are vast oceans to explore. Do you test the waters or not? For MSSPs who have prospered regionally, there's a lot to be considered before expanding into new geographical territories, especially international markets. Such as: business culture differences, market preferences, regulatory factors, language barriers, and differences in cyber threat risk factors. This segment will examine these factors as well as the client's point of view. After all, you need to figure out how to sell to them as a newcomer in a particular market.
Show Notes: https://securityweekly.com/cfh-24
[00:00:00] Going Passwordless: Preparing Your Clients for a Credentials-Free Future. And defining your geographic market: stay regional or go global. That and the latest news and trends in the managed security space, coming right up on Cyber For Hire. Building bridges between managed security providers and their clients,
[00:00:22] it's the podcast where MSPs, VCs, and end users take a united stand against cybercrime. This is Cyber For Hire. Alright, welcome friends to episode number 24 of Cyber For Hire. How's everybody doing today?
[00:00:38] I'm Bradley Barth with SC Media in New York and joining me today on the other side of the Continental Divide is my co-host and partner in Cyber Crime, Ryan Morris, Principal Consultant with Morris Management Partners.
[00:00:51] Ryan and I returned not too long ago from the Identiverse Conference in Las Vegas. Now, Ryan, I know we like to play video games a lot. Well, over the last couple of days I was there, I moved over to the Luxor Hotel where they have their own esports arena.
[00:01:07] And inside the big pyramid, yeah, they were hosting a Street Fighter tournament, just one of the rare times you can say, I really enjoyed watching people brutally, savagely murder each other over and over again, not to sound like a completely depraved human being.
[00:01:23] I mean, it's like digital gladiators, but you know, it's funny. I know there are a lot of people out there, especially kids like my 10-year-old nephew, who truly enjoy, are like genuinely entertained by, watching other people play video games.
[00:01:40] And I remember even one time being over at my friend's house with his kids and they were loving a sterico watching YouTube videos of people playing Mario or whatever.
[00:01:49] I think when I was a kid, I would find that a form of torture, and maybe it still does. Like, give me the controller, I want to play.
[00:01:58] So I'm curious where you stand on this, Ryan. Could you sit there for hours watching other people play video games knowing that you never get a turn? You know what, that was, I swear, that was the question of the day when Twitch came out.
[00:02:11] When that service first came out, I was like, are you kidding me? All that's going to do is make me more uncomfortable and feeling more like I am missing out.
[00:02:22] But honestly it's grown on me and I will say it happened because with teenage sons at home who play games that are radically beyond my particular dexterity.
[00:02:33] And you know, I don't have enough time to become good at them. Watching them with modern graphics and advanced cards and all of the engines that drive this stuff
[00:02:44] is just a hair short of the entertainment of watching a movie. So honestly, I would say it's grown on me in a way I literally never thought I could imagine. Oh, how about that? That's interesting.
[00:02:57] All right, well, more on the Identiverse conference in a moment, but first, some news just can't wait, which is why we want to share what's top of mind today.
[00:03:05] So here's your headline, courtesy of multiple news sources. The Clop ransomware gang has been exploiting a SQL injection vulnerability in the managed file transfer software MOVEit in order to steal sensitive information from the database environments of corporate users,
[00:03:22] apparently for the purpose of extortion. Victims have already reportedly included Aer Lingus, British Airways, the BBC, the government of Nova Scotia, HR solutions vendor Zellis and some of its customers, and more.
[00:03:36] MOVEit's developer, Progress Software, has issued a patch for both its on-premises and cloud-based solutions. Ryan, why is this top of mind for you?
[00:03:46] Well, it jumps to the very top of the stack because of the scale and the scope of the vulnerability that has been exploited and the impact on individual companies.
[00:03:57] Right, this, A, these are not small companies, and B, it's not just one or two of them. So obviously it becomes a big conversation when we get into something that's this big.
[00:04:08] But it stays top of mind because it is not a radically sophisticated exploit, nor is it a system that anybody would call, you know, the most complex or the most, you know,
[00:04:22] vital information resource that they have in their stack. This is blocking and tackling, right? These are the fundamentals that we always talk about.
[00:04:31] File sync and share applications are one of the very earliest things that we as MSPs were able to rationalize to our customers, right? You've got a great big file, you do not want to just, you know, mail a drive to somebody.
[00:04:47] Digital transfer, you don't want to have to suck up your bandwidth. Is it possible to do this outside of the normal controls and limitations on file size in your corporate email system?
[00:04:58] That was a very straightforward and simple value proposition, and I would say, I can't think of, you know, obviously there are many brands that do this, and so without getting into all of that, I would say I don't know anyone in my working universe who does not have at least one, if not more,
[00:05:16] If not more than one of these services deployed they're very convenient they're incredibly deeply integrated into the way we do our digital jobs these days.
[00:05:27] And they are vulnerable, and they also contain, I don't know, the crown jewels of corporate data in many cases. I'll say I felt an extra twinge for top of mind because literally the day that this exploit was announced,
[00:05:45] that very day, I sat my butt in a chair on a British Airways flight, and I had that sensation as I sat down in the chair of, great, now I'm going to have to get another new credit card.
[00:05:59] It's just one of those things that we deal with out there in the moving world of digital stuff. I'm not sure that there's a fast way to solve it, but I know for a fact that every MSSP knows technologically how to solve this problem. We just didn't. So back to the fundamentals, let's pay attention here.
[00:06:20] Absolutely, and this type of tool, like MOVEit, is a solution or a service that you're obviously going to see in use between a lot of company partners that do business together, like a
[00:06:33] service provider and a client, for instance. So, a very commonly used tool, so something to really be aware of, and be sure to take action on. Apply those patches.
[00:06:44] All right, well, that's top of mind for the day, but it is now time to move on to our InfoSec news and trends topic of the week, presenting our big idea
[00:06:54] in security: Going Passwordless, Preparing Your Clients for a Credentials-Free Future. Now for this segment I actually had the opportunity to interview this week's guest in person at the Identiverse conference, so Ryan wasn't around for this particular one.
[00:07:11] In a moment we're going to throw things over to that pre-recorded interview, which will take us to the end of act one, but then Ryan and I will be right back for the second half of the show. So, fellas, roll the tape.
[00:07:24] Well, it's been a big year for the passwordless movement, with tech giants Apple, Google and Microsoft supporting the FIDO Alliance's efforts to replace conventional credentials with passkey technology.
[00:07:38] Still, passwords have long been ingrained into people's daily routines, so users may need some convincing to change their behaviors, and likewise managed security services providers may need to persuade their own corporate clients that passwordless is the future.
[00:07:53] This segment will examine some of the key breakthroughs and remaining challenges surrounding passwordless technologies from an MSSP perspective.
[00:08:02] And it's a rare treat for me to be able to announce that for the first time ever I will be speaking to a Cyber For Hire guest in person, in the flesh. She is Christine Owen, director at the consultancy and managed services provider Guidehouse.
[00:08:19] Christine is a recovering attorney, in her words, who found solace as the zero trust lead at Guidehouse. She's interested in securing people, things, applications, devices and the cloud, taking an identity-centric approach.
[00:08:34] Christine oversees and manages client engagements to provide enterprise IAM and zero trust solutions. She learned IAM principles while consulting for an IAM program that encompassed the entire federal government,
[00:08:46] and she then moved into a sandbox teaching first responders how to secure their systems. Christine, thanks so much for being here today. I can actually reach out and shake your hand. It's amazing, something not virtual for once. Yeah.
[00:09:01] So for starters, you had a panel session here at Identiverse. I have one today. I actually want to steal your intro and use it for my panel session, it was so good. And it's sweet.
[00:09:14] Yeah, so it's "A Year with Passkeys," featuring some of the major players in this movement over the last year. What would you identify as some of the most significant takeaways that you'll hope come out of this particular session?
[00:09:31] So one of the biggest things that's happened in the past year that's like really exciting is that Apple and Google have started really doing passkeys, right? So I actually,
[00:09:41] and so I'm so happy that you can say that, Christiaan Brand, on my birthday, decided to give me a big birthday present because I got to install passkeys on my phone, and so now I have passkeys.
[00:09:51] But the problem is that I don't have anywhere to use them very much, right? I can use them on the Google products, but I can't use others, not a lot of relying parties that are using them.
[00:10:01] So what I'm really looking forward to in the next year is relying party adoption, and I think that's what we're going to talk about. That's why we have a relying party on the panel.
[00:10:11] And then we also have the FIDO perspective on helping teach consumers to adopt, and then we have two major platforms, so it'll be really exciting.
[00:10:21] All right, great. Well, there was also a session yesterday all about passkeys, and forgive my little cheat sheet that I'm giving myself on my phone here, because there's a lot of information.
[00:10:30] There's a lot of information here to go off of, but this session featured the nonprofit standards organization FIDO Alliance, and they announced some new initiatives around passkeys, and they also sought to address some of the lingering concerns around them. So some of the concerns that were mentioned were,
[00:10:48] you know, how safe is it to sync private keys via the cloud in an enterprise setting?
[00:10:53] Another one was, you know, are we going to be able to change users' long-term behavior after decades of implementing passwords? So with managed services providers, I almost imagine it's like a double duty, because you now have to convince your clients that
[00:11:12] this is the right way to go, and that they will be able to in turn convince their customers that it's the right way to go. So how is that process going for VCs, organizations, MSSPs, consultants, in terms of
[00:11:27] establishing a little bit more of a trust with your clients to believe in this technology? Yes, so that's something that I have developed over the years with my clients, right? So one of the things that we have been talking to my clients about for years now is
[00:11:42] these passwords, they have to go. And every time we have some sort of incident, it's almost always password-based, right? There's always something that happened, there's either phishing attempts that got through because there was a weak password, or because
[00:11:59] the OTP was really easy to hack through, right? So these things don't work anymore, and we have to go to some sort of
[00:12:07] passwordless solution that's also strong authentication. So luckily FIDO created something. You also have PKI technology, obviously, that's still really good and really strong.
[00:12:19] And so with a lot of my clients we talk about figuring out what their use cases are and how strong that credential needs to be if they go passwordless. So,
[00:12:30] and we really use NIST standards, quite frankly, to figure that out, to do a risk-based approach. So if you, for example, have
[00:12:40] a privileged user who's doing some really high-value work, maybe we secure them with some sort of PKI token, whereas if you have a consumer who's just trying to look up their account,
[00:12:54] then in that case a passkey is a perfect place, and guess what, you don't have to pay a lot of money when they forget their password, which I do all the time. I hate passwords, so
[00:13:03] I never can remember my passwords. And then there's this in-between, which is the general internal user. Sometimes they're kind of low-level and maybe a passkey would work for that. I think we need to see how the consumer side goes first, and that's what I advise my clients.
[00:13:23] Let's use passkeys on the consumer side, and then we can start talking about how we can bring passkeys into your general internal users, because the cool thing about technology today is you could use a passkey but then you could use a lot of other device-level signals to strengthen that credential that would make the
[00:13:44] that organization feel more secure. But right now I think let's get more adoption on the consumer side, because as consumers understand how to use them,
[00:13:55] then general users and companies are going to say, hey, why can't I use the same technology to get into my work laptop, right? So it's a lot of fun. So right now there's also,
[00:14:10] there's different flavors of passkeys, right? And so you could use a, I'm not supposed to use this word, they'll get upset, but you could use a token. I come from a federal background, tokens are the words we use. You could use a token as a passkey, or you could use a multi-device passkey.
[00:14:30] Yeah, let's talk about this a little bit more in terms of some of the difficulties around establishing trust in the technology. Do you help craft the message for your clients when trying to establish buy-in amongst either the clients' customers or the clients' internal workforce?
[00:14:54] Yes, the answer is absolutely yes. So I think because I have this attorney background, I'm really good at crafting arguments, right? And so that's what, literally, I feel like that's what I do. I'm basically a lobbyist for either a technology type, or I'm a lobbyist for
[00:15:11] my client to go sell this technology to different areas of their organizations, or I'm a lobbyist to sell it to the general population. So it's something that I really enjoy. I like to call myself an evangelist.
[00:15:27] I can't say it right, evangelical I guess, or I really enjoy going out and speaking about stuff like this, because I think, number one,
[00:15:39] passkeys are like, going passwordless is super important, and so passkeys is one of many ways to go passwordless, and it's a very important thing to do. I can't really emphasize this enough, how much I hate passwords. Like,
[00:15:52] I, and you know, it's just so much easier, but the problem is that we have this lingering technology. We're going to have passwords for many years to come, so there's other ways that we can securely
[00:16:04] use passwords, and one of those is using, for example, a password manager and then going passwordless to authenticate into that password manager, right? Or using a PAM solution and going
[00:16:19] passwordless to get into that PAM solution. Of course, both of those products generate passwords on the back end, but they generate really long passwords that no one actually knows what they are, and they become slightly more secure until we hit quantum, but I don't want to go there yet.
[00:16:34] That's a whole other can that we can save for another day. You know, something that's going to probably go into the messaging
[00:16:42] to either the client directly or to the client's, again, customers or workforce, is just what some of the key benefits are of going passwordless, whether it's passkeys or
[00:16:53] a technology somewhere in that vein, and just the idea of things like, you're not going to have to memorize a million passwords anymore.
[00:17:02] You're not going to be susceptible to phishing, where even something like using MFA, that's not foolproof, that can still be victimized by a clever phishing scheme.
[00:17:15] So talk about, you know, what's on the highlight list of the key benefits that you want to include in your selling points on the technology.
[00:17:24] So one of the really important groups within an organization that you need to get on board is the service desk or the help desk, because you have to completely retrain them on how to interact with end users and how to troubleshoot them.
[00:17:39] So a lot of the times it's very slow to adoption because of that service desk, and there we have to teach them how and why we're doing this. So that's, you know, it's more secure, it'll make your life easier, we swear.
[00:17:53] And then we know that there's going to be a spike in users calling during the early days of the adoption, so what we tend to do with my clients is we tend to also do a spike in our service.
[00:18:09] So we help the help desk, so whenever they're getting calls, if they get an overload of calls, our team can come in and help with that too.
[00:18:18] So we make sure that the help desk is covered during the first couple weeks of a migration into a passwordless technology, or a new technology that's utilizing passwordless in a slightly different way.
[00:18:30] And then after that, what we found is there's a huge drop-off in service desk calls, and the service desk can work on other things that are way more important
[00:18:39] than dealing with silly, like, users calling and going, I can't get in because I forgot my password, you know. So it's a much easier solution for them as well.
[00:18:48] So we found that there's a long-term cost savings on the general user, like on the, you know, average Joe general user side. I found that actually
[00:18:59] normal people, they want to go passwordless. So yesterday I was at the pool and I was talking to the server, and so we had this big group, maybe it was all the people on my panel later today.
[00:19:12] And we were talking and they were asking, what do you guys do? And so I was explaining in very simple terms, I said, you know, when you go to an app on your phone and you use your fingerprint to authenticate, that's like the basic technology that we use, and we're actually doing this other thing.
[00:19:28] And she actually, what it was, she understood what Apple Keychain is because Apple did a really good push to their users.
[00:19:35] Her friend had a Google, she understood that there were Google passkeys because she had been offered Google passkeys, and she said, oh, you're getting rid of passwords? This is amazing, I don't like passwords.
[00:19:48] So I think the average user hates passwords, it's just getting them trained on how to use the new technology. I think amongst all of the passwordless technologies that get discussed right now, the hot one is the notion of the passkeys that
[00:20:04] Google and Apple and Microsoft have been supporting alongside the FIDO Alliance. It's certainly not the only direction one can go. There are other passwordless solutions out there as well,
[00:20:17] whether it involves things like an actual physical key, or it could be something that's very heavily biometric-based. The passkeys themselves can use biometrics as one way of locking in, but I'm also talking about other things, like where you might do something like, for an e-commerce transaction,
[00:20:38] you know, palm scanning technology, for example. So among some of those technologies outside of the passkey area that everyone's talking about,
[00:20:49] what are some of the interesting ones to watch right now? Which ones are showing the most promise? Which ones are still a little bit of an iffy question mark?
[00:20:58] So actually the one that I think comes to mind is both most promise and iffy question mark, because again we need adoption. But they're verifiable credentials. So using, for example, mobile driver's licenses, that's starting to become adopted throughout the US.
[00:21:14] Using those as a credential to be able to say, hey, I am old enough to go buy that alcoholic drink, or hey, I am old enough to be able to rent this car without extra insurance attached to it.
[00:21:28] And then also using that as a credential where it can go back to the DMV and say, hey, you know, this person says that
[00:21:41] they have a verifiable credential from you, is this true? And then they can say, oh yeah, I got you, you're good. So I think that, honestly, I mean, it doesn't necessarily have to be an mDL.
[00:21:54] But I do think the verifiable credentials are starting to become something that we're talking about, which is good.
[00:22:00] We've been talking about passkeys for a year, and we're going to start to see more adoption this next year because we now have the framework set out, so it's very exciting.
[00:22:09] But I think we're going to get there with verifiable credentials as well, and I think that's a really good use case for citizens to get government services, because in that case they have a government organization.
[00:22:25] And I think that's a really really fun thing that's coming and it's something that I keep talking a lot of people about so.
[00:22:35] Excited about it partially because I grew up in the federal space, so I have federal and commercial clients, but federal is probably a little deeper in my heart.
[00:22:44] And I think that that's a really really fun thing that's coming and it's something that I keep talking a lot of people about so. And it's a really interesting, interesting.
[00:22:54] You know, zero trust goes very much hand in hand with identity and access management, and that's your other big area of expertise and specialization. So,
[00:23:05] you know, tie in the notion of zero trust to passwordless for those, again, clients who might be, you know, interested in a zero trust architecture.
[00:23:19] And it's something that has become a much more popularized notion lately. How does passwordless help you get there, maybe in a way that is more ideal and more secure than a password-heavy environment?
[00:23:38] Yeah, so generally speaking, passwordless technology is in my way in most cases, and it also tends to be stronger credentials, right? So right off the bat you already have stronger credentials that you give to users to be able to get into your systems.
[00:24:01] So number one, I think that zero trust is pretty much the same security posture that we have right now. I know that it's a very controversial thing to say.
[00:24:12] So we have a lot of movement today in many systems, and we're trying to get rid of that. The first thing we do is we break up the network, we create micro-segmentation, right?
[00:24:23] And then the second thing that we need to do to be able to really, like, make sure that the micro-segmentation works is we need to understand who the user is every time they attempt to get into an application or a part of your organization's network.
[00:24:38] And for that we need identity and access management, right? So the fact that you would have a stronger credential means that you can trust that credential more, that it's tied to that user.
[00:24:48] You probably would want to bring in device-level signals, especially for internal users, and in that case you can have a more robust viewpoint of that user, because that user likely has habitually logged in, for example, on their work laptop, so there's probably a watermark and you'll be able to see that.
[00:25:07] If they're logging in not on their work laptop and somewhere in the middle of the US, but they, like, live in, let's say, Costa Rica, that would be weird and there's probably something wrong, right?
[00:25:19] So that's a red flag. So these are, like, zero trust really, in my opinion, does three things. One, we get back to that identity-centric posture that we need to do, because you need to know who is on your network and why.
[00:25:33] And then the second thing is that it creates that micro-segmentation, so we get rid of lateral movement. And then the third thing is that with the technology today,
[00:25:41] we can have a greater visibility using analytics and other tools to be able to crunch the numbers quickly, either through the technology, or if it needs to get pulled out and put into a SOC, humans can look at it for other reasons.
[00:25:59] I'm actually really excited about all that. I love it. I get so excited about it. But everything else, all the other security posture pieces of zero trust, it's all the same things that we need today: firewalls, encryption, you know, making sure you have
[00:26:15] the concept of least privilege within your system. Those are all things that we should be doing, so it's just adding a couple other layers, maybe modernizing your systems.
[00:26:24] All right, great. Well, other than a few stragglers passing by here in the corridors of the Aria Convention Center here at Identiverse, we've been pretty lucky that we haven't had a wall of people just come charging through and making all sorts of noise.
[00:26:39] So let's not press our luck. I think you've actually managed to get through this pretty unscathed, so I'm going to move on from this interview, even though I'm sure we could talk about this all day.
[00:26:50] Absolutely, and I'm going to transition us to a segment that we like to call We Speak Geek. Now, We Speak Geek is our way of celebrating the geek culture that is so often associated with the cybersecurity community. Pretty much we all have something that we nerd out about.
[00:27:10] And you know, we like to get to know a different side of you a little bit by knowing, you know, what it is that you're especially passionate about. And so Christine, I ask you, how do you speak geek?
[00:27:22] So I am a big follower of feng shui. So feng shui is the concept that it's kind of like acupuncture for your home. So it's the concept of, there's nine guas. The center was your health, and then there's eight guas around there that support your health.
[00:27:40] And if all of those gwas are in alignment, then your house is happy and it supports you in whatever areas of life you have.
[00:27:49] I really strongly believe this, because from the moment that I feng shui'd my house in 2019 until today, I have been really successful in my career. I have really amazing friends, mostly, actually a lot of them are at this conference, so it's very exciting, a lot of them.
[00:28:08] I was like, don't talk to me right now, but it's been a really fun ride, just in general, right? To the point that I am at the point in my life and in my career that I was able to buy a second vacation home that I'm going to rent out.
[00:28:27] And so I had to go and get a feng shui report for that home.
[00:28:31] So I actually really have to show you the pictures too, but anyway, so what we have is we have the home type. What we learned in this is that it's bad for people and bad for money, so that's not good. Actually, my primary home is too.
[00:28:44] So what do you have to do? It says add a mountain outside to the facing of the house. Well, it's a condo, that's not an option.
[00:28:51] So what I will have to do is I'll have to take a big picture of a mountain, of a gorgeous mountain, probably Everest or something, turn it
[00:29:00] so that it's facing the wall, and then put a really nice picture on the other side, so that creates this idea of a mountain facing on the other side. Actually, where the mountains are, that's where the water is supposed to go, so there's supposed to be something like 300 liters of constantly running water.
[00:29:21] That's not going to work. So I'm going to have to take a big picture of a big waterfall, maybe like Niagara Falls, also put that facing the wall and then put a nice picture over it, so then you'll never know. Throughout my house, and in this house too, I have,
[00:29:39] I'm going to have metal all over the house, but it's tastefully done. You can never see it unless I tell you, oh, that's there and that's there.
[00:29:48] So it's a lot of fun. Part of it is every year I get to redecorate my house because the guas change. So red is fire in feng shui, and sometimes you need extra fire in your guas, sometimes you don't.
[00:30:03] I go around and I take all of my pictures and I look around and I say, okay, well, this area needs more fire, so I'll take all my red pictures.
[00:30:12] I'll figure out where I'll put them on the wall. So first off, it's just fun to redecorate your house every year, but then secondly, your house becomes very supportive for your career and other things. So
[00:30:23] I love it. I think it's the best thing ever. I tell everyone, go get your house feng shui'd. Whenever they have issues, I'm like, oh, you have a leaky faucet? Oh, you need feng shui. Everyone needs feng shui.
[00:30:35] All right real real quick with like the 45 seconds or so that we have left here. A client calls you up and says not only do I want you to help me with manage to identity and access management but I want you to.
[00:30:51] I want you to help me with my security operations center. What's like the what step one?
[00:30:59] So step one is walking in and feeling the energy so I'm really big on energy I know it's like super geeky so I walk in you feel the energy and you say oh this is like.
[00:31:10] There's too much energy in here so that means so you'll probably have to tone it down you'd likely tone it down with some water that's moving to that that of source energy or you.
[00:31:20] You might need to tone it down with with balls of metal which will absorb the energy if you come in and it just feels it key it's stale it's not exciting.
[00:31:30] It probably the energy needs to start circulating more also in a sock like you don't have windows coming in it is probably the state of energy so you likely would need some red pieces you would need maybe some earth and some.
[00:31:48] I'm like it some wood elements to be able to create the energy in there and and it would be strategically placed throughout that center depending on the glass that needed.
[00:31:58] All right well great well Christine thank you for bringing just the right amount of energy and fire to our show today much appreciated that's going to do it for the first half of our show but.
[00:32:11] Stick around because the show's not over. In segment two we're going to look at our big idea in business, which will focus on the strategy of whether you should stay regional with your managed services approach.
[00:32:23] We're considering expanding globally and go international all that a lot more to come so we'll see you in a moment on the other side.
[00:32:31] Struggling to monitor the growing threat landscape, pressure to reduce costs, security skill gaps, facing compliance issues? These issues can translate to operational, financial, regulatory and reputation risks to your business. Check Point can help. Check Point combines an MSSP enablement program, cloud delivered multi tenant management,
[00:33:02] SOC platform and superior threat intelligence capabilities to give MSSPs the confidence to grow profitably at reduced risk. Check Point is 100% channel driven. We partner to deliver the best security everywhere. Visit mssp alert dot com slash checkpoint.
[00:33:21] All right, welcome back to Cyber For Hire, the managed security podcast, once again. I'm Bradley Barth with SC Media. In the first half of our show we talked with Christine Owen at Guidehouse about going passwordless.
[00:33:36] But right now I'd like to welcome back my co host Ryan Morris from Morris management partners because it's time for us to examine our MSSP industry strategy topic of the week presenting our big idea. In business defining your geographic market stay regional or go global.
[00:33:55] You're a big fish in a pretty big pond, but there are vast oceans to explore. Do you test the waters or not? For MSSPs who have prospered regionally,
[00:34:06] There's a lot to be considered before expanding into new geographical territories especially international markets such as business culture differences market preferences regulatory factors. Language barriers and differences in cyber threat risk factors.
[00:34:22] This segment will examine these factors as well as the clients point of view after all you need to know how to how to sell to them as a newcomer in a particular market.
[00:34:34] So Ryan as always we're going to jump right into things what are the pros and cons of supporting customers in different geographic regions and why are some MSSP's better prepared to expand across borders than others.
[00:34:48] You know I think that the natural assumption that we have about any business we would like to grow grow and that means we need more customers to target in those.
[00:35:00] Let's put it this way from a statistical point of view in the managed services market place it is surprising to me how very local we continue to be as service providers as security providers.
[00:35:13] According to the latest research that I have been participating in, fewer than 5% of MSSPs claim to have or get noticeable and consistent revenue from clients across the entire country, right? So that's just one country. When you go from that into international considerations,
[00:35:34] It is a microscopic portion of the population that is large enough sophisticated enough to do that right the old way that we used to describe geographic market reach for MSPs for solution providers before the remote capabilities.
[00:35:50] To say you know the channel is basically as big as they can drive in a single day that would kind of define their geographic scope around their office and again more than 95% of solution providers still fall into that category.
[00:36:08] What's weird about that is that we do our job by definition almost entirely remote from the physical facilities that our customers maintain.
[00:36:18] We don't do monitoring and incident management and training and all of the services that we provide as a cybersecurity partner in person right and in fact we we asked that question coming back out of the pandemic. As there's been a lot of conversation about in office remote, etc.
[00:36:37] While a majority of MSSP's indicate that they themselves and their own employees are moving back into their office for physical work.
[00:36:46] Fewer than 10% of them indicate that they do regular work in person at the customer's location so it's still a statistical anomaly what it says to me is it's not that there's not a market out there it's not that this isn't lucrative it's that it's complicated and we haven't figured out how to do that yet.
[00:37:06] All right, so Ryan this next set of questions is all going to look at you know understanding when is the right time to expand and some of those first steps you might want to take to so when is the right time what boxes need to be checked first before you really even think of pushing out the boundaries of your territory.
[00:37:31] How do you define what your ideal target customer looks like and once that's all established. Do you initially concentrate on the markets that are most alike to what you're already serving a place where you might already have some built in infrastructure.
[00:37:46] What's the playbook for your initial geographical this expansion? Okay, so lots of details to cover off on here.
[00:37:55] I believe that it's not a question of technological reach or even of local market dynamics because cybersecurity seems to be both universal and random at the same time and what I mean by that is that it's very rare that you will see any exploits that come in in the United States that are fundamentally different than the technological profile of an exploit that's happening in
[00:38:20] Canada in Mexico in Europe, etc.
[00:38:23] Right, obviously there's going to be language barriers obviously they're going to be you know some regulatory questions about what is a violation of privacy versus what is not and a couple of other considerations but the technology is fundamentally universal it's just that we happen to get very micro targeted by the bad guys these days with things that sound like they are exclusively about us right that whole spear.
[00:38:49] Right, that whole spear phishing concept is designed around not who you are, not where you are, but the information that they can use to convince them that they are directly connected to you.
[00:39:01] So I tend to think of it logically speaking as there is no there is no fundamental technological reason why we cannot service customers beyond a local or a regional or a national boundary.
[00:39:14] I think the very fundamental question is do you have the ability to engage on the front end with the customer onboarding process and to support customers with the occasional in person resources that are needed to convince them that they are being.
[00:39:30] Carefully managed that they are being personally watched out for in the business relationship. That might be monthly that might be quarterly it depends on the size and the scope of the services that we provide.
[00:39:43] But the vast majority of what we do for client relations post sales can be done in this kind of a remote meeting based format right there's very little reason for the technological side to say we must go there in person.
[00:39:59] Usually what we're going to be dealing with is just a relationship management side of things the first thing that I would consider when I'm looking at a market expansion is.
[00:40:09] Where do you possess expertise and where can you find another segment of customers that looks very much like the people who have the problem that you are presently an expert in solving. I prefer that being a geographic let me say a different.
[00:40:27] I prefer that to be a non geographic but vertical market specialization when we're defining our outreach to customers right if I can say with credibility that I can service people in the medical field in the financial services field in the legal vertical.
[00:40:45] You know what lawyers in New York lawyers in Los Angeles they have very different personalities but they have exactly the same technological setup. So we ought to be able to service them and those that cross even further international boundaries.
[00:41:00] They care more about whether we understand their industry and the regulations that they deal with then whether or not we are right down the road.
[00:41:09] I think about it this way the logical boundary was when I will allow you to provide me with an essential service in my technology environment that is performed anywhere beyond the four walls of my organization.
[00:41:25] As soon as you're outside those four walls wherever your four walls happen to be is irrelevant to me so long as you don't get caught by those regulatory boundaries right.
[00:41:38] All read the headlines last week of a couple of vendors that are getting in trouble and paying some substantial fines for capturing and retaining and then transmitting data about their customers across international boundaries.
[00:41:53] That's a big problem, something we definitely need to be aware of, but as long as you can understand European data to stay in Europe and Asian data to stay in Asia, etc.
[00:42:05] Once you figure out those kinds of things and you can design systems very easily to manage that kind of data residency. The best of it is operational discipline and repeatability.
[00:42:17] If you are an expert in a market segment and you have defined repeatable scalable processes to engage to manage and to respond to the alerts for those kinds of customers then we should not allow ourselves to be bounded by driving distance or by the cost of an airplane ticket.
[00:42:38] Let's go where we can be taken seriously as experts and engage customers on what their priorities are instead of on what our geographic limitations might be.
[00:42:49] You'll notice a couple of caveats there: pre-sales sales function and pre-sales and relationship management on the back end. That before and after window is where we're going to benefit from having the opportunity to have real in person support.
[00:43:07] My definition then is we begin to expand as soon as we can realistically provide a human in territory to be able to go and meet with the customers and convince them not just a virtual avatar over here in a window.
[00:43:24] We are real, we are substantial and we can service your needs.
[00:43:29] Here's how we deal with that from a data center perspective, right? So I think that there's a lot of details.
[00:43:36] But the one thing that I will say is expanding your reach does not require you to have a physical second facility or a second operating entity as a business.
[00:43:49] I think one of the hardest things small solution providers will ever learn to do is to open a second office in another geography and whether that's, you know, two hour drive away or a two day airplane journey.
[00:44:02] In any case, opening that second office and replicating the processes, the cultural impact, the leadership oversight, the actual accountability and control mechanisms. That's incredibly difficult to maintain the consistency between multiple offices.
[00:44:22] People have struggled with that for generations and it's still very difficult but you'll notice that doesn't have anything to do with technology.
[00:44:30] That's the human dynamics of managing an organization. We can provide exactly the same alert monitoring and management and systems administration and patching and incident management services in a cybersecurity world. Right down the street or all the way around the world, no technological barriers.
[00:44:53] Ryan, in the course of answering my previous question you also gave a little bit of a preview of what I wanted to ask about for my next question which was some of the factors that you do want to consider as your expanding geographically to put yourself in a better position.
[00:45:12] And as you were mentioning some of them, you did talk about how in terms of looking at threat landscape.
[00:45:20] It's pretty similar everywhere globally so that really shouldn't be too much of an impediment. I think that's largely true but would you not agree that there might be some exceptions to that rule like for example if you're doing something like managed threat intelligence.
[00:45:37] The particular types of feeds or information that you might want to give to a client that's let's say maybe in the Baltics bordering Russia might be different than a client that might be in Latin America.
[00:45:56] You know, for the Russian targets you're going to want to focus a little bit on the TTPs that are associated with the Russian groups like Cozy Bear.
[00:46:08] Latin America, you might focus a little bit more on okay is my client potentially going to try to be somebody going to try to impersonate them in some kind of a banking Trojan scams and that's kind of a bit more of a problem in that particular region.
[00:46:25] So for certain things or maybe like pen testers who are looking for the most common ways that bad guys are going to try to get into your particular organization you do need to be a little bit more aware of geographically what you might be at higher risk for it.
[00:46:40] Do you not agree with that?
[00:46:41] Yeah, you know what's a terrific point. I think that there are layers there. I don't think that the geography of of the client makes them any more or less likely to be targeted by say you know a group from Russia we deal with that here in the US every day right something obviously that they can land and launch you know they can launch it from wherever they are and land it anywhere that the customer happens to be but there's going to be cultural currency right there's going to be
[00:47:03] the prevailing conversation what are we paying attention to in the news what's affecting us in our real non technical lives. What is it that we are most likely to encounter? That's how you would be segmenting right think of it as cultural themes based on client location more than geography.
[00:47:30] That's definitely going to be an issue but you touched on the one that I think deserves the super important master is which is pen testing because of a very important segment of that field is in person is social engineering it may be physical access to to your facilities. It may be actually touching machines right there and ways that that is going to be a problem above and beyond what you can do over a network.
[00:47:58] That's the one neighborhood of service provision that I would say that's going to be very very local right if you think about just kind of the checklist the fundamentals that need to be true here regulation is going to come first because there are some serious consequences to not maintaining data residency.
[00:48:17] The second thing is going to be language because nobody wants to have to do business with somebody in a different language unless there's literally no other options. So localization in languages going to be very important and then beyond that the vertical market segmentation that would indicate what they are more likely to be exposed to according to their cultural content.
[00:48:44] I think that well you're going to have some things that are you know it's a little hotter for those Russian adversaries to be attacking in eastern Europe.
[00:48:55] Statistically not a lot right like they're they're not limiting themselves to attacks that are only in the adjacent geographies their expanding wherever they can and it's actually kind of a good thing now that we think about it.
[00:49:10] We can recognize some of those language barriers, right? One of the key things we're always paying attention to in the phishing business is does that sound like a native speaker, does their grammar match what we would expect in business or in conversational settings, and that might be a limitation for them. So that gives us maybe a tiny little bit of a barrier, but in an AI enabled world where everything can be instantly translated into any language,
[00:49:38] We can't rely on that anymore. All right, so you talked about some of the key challenges and factors that you want to be aware of like culture and language barriers. Regulatory considerations things like that. So for this final question I'm going to split it into two parts here.
[00:49:58] This question is going to look at things from the client point of view both current already existing clients and then future clients that you are going to be going after in other geographic markets.
[00:50:14] So how do you what are your recommendations Ryan for A ensuring that you are not diluting your core services by further expanding your reach and be?
[00:50:26] How do you convince prospective new customers in these new markets that a newcomer like you is going to be the better option than the field of the contenders that they're already familiar with within their market?
[00:50:45] So number one I would say the principal question about diluting your capabilities or your human bandwidth for service provision is going to be 24 hours in a day and your ability to follow the clock in target customer destinations.
[00:51:01] If you are supporting people within the continental US and you've only got three time zones to cover, I mean to cover, we know what I can staff from seven a.m. to seven p.m. That's not that hard, right?
[00:51:13] But when I'm looking at the other side of the clock for the other side of the ocean that becomes an operational question that we have to decide is that something we can and want to staff and manage across our facilities.
[00:51:28] So that's going to be a go no go kind of a conversation beyond that I think operationally. It's just a question of effective client onboarding demonstrating to them establish processes for how we interact, how we communicate, how we share reports and information right?
[00:51:47] That can be standardized and it shouldn't create any more of an outsized burden on our customer relations than anything that you know client who's just down the street.
[00:51:58] What we're talking about is the question about marketing, though, is that I think that's a critical thing that we all need to start thinking about.
[00:52:11] It's equally true that if you are based in Phoenix and you are trying to acquire customers in Las Vegas, as close as those two marketplaces are, customers are going to begin by thinking, hey, you're not from around here, why should we trust you?
[00:52:26] That's equally true if you are from Phoenix and Vegas versus Phoenix and Kuala Lumpur, right? They're going to have exactly the same questions of can you sustain the relationship, can you meet me on my time zone, can you actually communicate in my language, can you actually support my industrial and vertical segment requirements. People make a kind of a mistake when they think, you know, expanding internationally,
[00:52:53] That's going to be much more challenging to communicate to customers than it is regional that's simply not true right if you're not here.
[00:53:02] Then you have exactly the same challenge and the solution to that frankly I believe is what we will call the sense of marketing right they are local we're not limited by there by by their very limited perspective they are a long time participants in this local marketplace well we are experts across marketplaces we have customers in many geographies who deal with many kinds of operational challenges and we.
[00:53:31] And how to solve those problems which means that we can be relevant to you we can customize our approach to match your requirements because that's literally what we do for a living there's there's a historical assumption that local.
[00:53:47] And it makes the difference when it comes to business services and I will tell you that as soon as those services are handled in a digital environment.
[00:53:56] The only thing the customer will ever interact with is the salesperson that they talk to the account manager who is responsible for shepherding them through the onboarding process and then that account manager customer success facility on the back end who make sure that they are.
[00:54:13] And the right care and feeding across this relationship structure some of us like to think that our customers want to come and take a tour of our data center and that that might somehow create a competitive position look at me I have actual physical facilities in the geography.
[00:54:31] I will lose every single day to people whose data centers are located somewhere in the cloud and we don't think twice about the location of those facilities it's a question of whether you can have a human relationship.
[00:54:46] And we can scale up with a minor investment in local human capabilities that takes advantage of or leverages the mass capability that we have back in our data center and our SOCs.
[00:55:02] This is a big topic and something that we think you guys are you given us the indication this is something on your mind especially as we're dealing with the interesting challenges in the economy right now.
[00:55:13] So what are you guys thinking about we'd love to hear some feedback from you on this topic what works what hurts what is your experience in the question of expansion across geographic boundaries.
[00:55:25] Have you done it? Did it work and would you give us some advice on how we can do this a little bit more effectively you can reach us at our email address cyber for hire at cyberrisca lions.com
[00:55:37] And we'd love to keep that conversation going right now though want to shift into our next segment which we like to call dear cyber for hire.
[00:55:45] This is an advice column segment where we get the opportunity to manage the relationships be a little bit of a marriage counselor between MSSPs and the clients who pay for their services.
[00:55:57] Now the following letter that we're going to share has been anonymized to protect the innocent, but this is definitely a real challenge that we see in the field. So Bradley, let me hand it over to you. What do we need to know in the relationship world today?
[00:56:12] Alright thanks Ryan yes indeed we are back with even more juicy MSSP melodrama and this one comes from the client side of the relationship so fellas cue the music.
[00:56:25] Dear cyber for hire just call me client number two four six so one because that's what I am to my partner a number not a name.
[00:56:36] Just another faceless cog in the machine and to think when my MSSP was still courting me they made me feel so special like one an a million.
[00:56:47] But I sure wasn't treated like that once the ink was dried on our contract nope suddenly I was just another in a long line of clients you see it turns out.
[00:56:57] My MSSP prefers everything standardized across its customer base same philosophical approach same procedures and processes same default solution set minimal customization. No realization that each one of us has our own unique needs maybe standardization helps simplify things for them but it's not what's in my best interest.
[00:57:22] Speaking of standards, maybe mine are too low and I should be looking for a new MSSP who's willing to treat me like the special unicorn I am. Sincerely, even if I gave you my name I might still be anonymous to my MSSP in Chicago.
[00:57:41] Ryan, an MSSP certainly should aim to cater to the individual needs of its clients. Still, you do need to have some uniform standards, right? I mean you're not going to partner up with a million different network security vendor partners, one for each client, because this vendor's tool set matches best with this client, et cetera, et cetera.
[00:58:01] But you know if you are doing again something like pen testing or threat intelligence services, maybe that is an area where you can be a little bit more flexible in the manner in which you conduct your offsec operations or how you deliver your threat feed.
[00:58:14] So I don't know what's your take on this situation.
[00:58:18] You know I think this is probably this the one most universal predictable response that you're going to get when you deal with customers in any new environment right whether it's a new service provider across as we've been discussing across a geographic boundary into a new vertical segment.
[00:58:36] Whatever worked for you before that's fine and good but it's different here and I don't think you understand now I'm paraphrasing just barely slightly because I've personally just returned from over a month traveling internationally to meet with clients in nine different countries and across many many geographical boundaries.
[00:58:57] I'm 100% of those meetings in spite of the credibility that we have in spite of past communications in spite of everything we do to build credibility.
[00:59:07] First reaction that we get from 100% of those people is you know it's all fine and good that you know what you're doing over there but it's different over here.
[00:59:17] That's universal, but that flies directly in the face of our quest for standardization in service provision the this might be what I might be the most passionate almost religious server type conversation across the industry standardization versus customer engagement.
[00:59:37] Standardization is the product of the it's the platform for repeatability and consistency that leads to machine grade effectiveness. I completely understand that customization is a platform for mistakes for human error for driven up cost of service and support there are many downsides to customization.
[01:00:01] But we have to admit that these are still humans these are still independent businesses and no matter how much easier it would be for us to provide completely standardized offerings.
[01:00:14] dictating that to a client is the opposite of attractive in a new business development function there are many very smart people around this industry who will tell you if they don't run the technology that you have standardized on if they won't convert to match your stack and profile then you need to tell them go away and find a different MSP.
[01:00:37] I completely understand that philosophy from an operational point of view, but I just have to remind people that customers really dislike that philosophy we have to be careful we have to be limited we have to be very systematic about where we allow variation you know.
[01:00:57] variation within boundaries is kind of the philosophy that I would advocate we have to be very careful about where we allow that but it has to appear to the customer that we understand them not just the boxes that reside in their network not just the systems that they operate.
[01:01:16] them as humans as an organization as an industry as an entity of many people who have very hard beliefs about their situation being completely unique.
[01:01:28] are they unique? no, no. they're almost never right there are there are a finite number of business models across industries there are a finite number of operating dynamics that we will encounter there are patterns.
[01:01:42] there are profiles and there are very repeatable personas that we can apply across different business disciplines but that's not something you say out loud to a customer because that just sounds.
[01:01:55] really generic and it sounds like you said good for you not good for me as the customer so you have to be very careful. you'll recall the advice that I gave in the previous segment about expanding geographically.
[01:02:09] on the front end, you need to talk to a human on in the onboarding process it needs to feel incredibly personalized in the account management side.
[01:02:19] I need to talk to a human who knows me not just somebody who's reading standard reports not just somebody who says this is how we do it here.
[01:02:27] I need to talk to a human who can personalize what is otherwise a standard application of platform services it's in the human dynamics that's how we manage these relationships.
[01:02:41] all right Ryan very well put and another relationship saved hopefully our listeners have learned from this and don't make the same mistake.
[01:02:49] I remember if you have been struggling with your managed security services relationship whether you're the user or provider we want to hear from you so please write to us at cyber for hire at cyberriscalions.com and we might use your letter in a future episode.
[01:03:06] all right well it's almost time to wrap things up before we go. We want to get a little random as we share with you jrummeral please our relevant news of the week.
[01:03:18] This is a real news pitch that Ryan or I have received and are in boxes for reasons that are entirely inexplicable to us are you ready Ryan ready for the random. Okay well you know we started today with video games we're gonna end today with video games.
[01:03:36] A study by kribbit john line analyzed a database of completion times of over 60,000 games across PCs and all consoles in order to determine which took the longest to not just complete the main campaign but also gather all of the achievements the unlocks the secrets the collectables resulting in a 100% completion.
[01:03:57] So top tops on the list is ancient domains of mystery which is a rogue like game for the PC that takes around 2,000 hours or 83 days to 100% complete.
[01:04:12] Meanwhile there was a separate pitch that I or a separate data point that came from CSGO luck or CSGO luck which analyzed more than 50 video games ran out for their short play time. They found that the game with the quickest campaign is deer s-thr.
[01:04:33] A first person game that can be completed in one hour and 20 minutes but let's go back to the 83 days.
[01:04:41] Who has that kind of time on their hands Ryan I mean when you play video games are you the obsessive type who needs to complete all the side quests and get all the upgrades.
[01:04:54] You know my nature is but my practical reality has cured me of that you just you can't afford to disappear from life for 83 consecutive days. You might need to sleep and eat and do that in between might also need to have a job, you know.
[01:05:09] So reality dictates to us you have to do it in bite size chunks and they can be continuous I will come back to the same thing right I have an attention span that allows me to complete those 2,000 hours over.
[01:05:23] And extended period of time you know maybe across the course of a year that's actually something that I find fascinating to inhabit a world for an extended period of time.
[01:05:33] But you know I've just come back from doing all these consulting engagements where we were focused on building and improving the performance of professional services organizations and managed service organizations staffing and service definitions and packaging and and repeatable processes and all the like.
[01:05:52] It's burned into my brain that the total number of hours in a professional work week from you know 40 hour perspective that's 280 a year.
[01:06:01] So if you were doing this as just as long as you do a full time job that that game is an entire calendar year with just two weeks off or it's for a vacation. That that game is your second job that games are second job.
[01:06:19] Yeah, that's interesting you say that, Ryan. I mean, I will say I do get also very OCD about trying to complete a full game, and sometimes I am pretty successful at doing it and go through all the challenges. And then there have been other games where I ended up essentially giving up on the game because there were just so many side quests that I just felt like, you know, it just detoured me.
[01:06:45] It detoured me too much from the main game, to the point at which I just kind of gave up on it all. So that is in my nature, to want to complete everything.
[01:06:54] I think the funny one is that I've recently gone back and tried to play all of the Batman Arkham games on the Xbox, and one thing that I noticed that tended to happen is I'd be in the middle of the main campaign.
[01:07:10] I'm going to stop the Joker or whatever, and then as I'm going around, you know, the city of Gotham, trying to complete my next mission,
[01:07:17] you know, suddenly you'd hear in the background some poor guy in an alley getting beat up by a thug, going like, "Oh my god, please, won't somebody please help me?" And I'm just like, you're really wasting my time here. I'm trying to save the entire city, dude. But it bothers me, it bothers me that this, you know, fictional character is going to get beat up
[01:07:39] forever if I don't go over to this alley and stop this crime from happening. So I'm like, oh, fine.
[01:07:46] Imagine how the superheroes feel in the real world, right? Yeah, if you were actually Batman you would have a nervous breakdown for exactly that same reason. We want to help everybody, we could help anybody, there's just not enough time in the day.
[01:08:03] That's true, and I think probably a lot of our cyber professionals and managed services providers feel the same way.
[01:08:12] Well, anyway, hopefully for those listening today it didn't feel like it took 83 days to complete this episode of ours, which is now reaching its final moments. But fret not, we will be back again next week with episode number 25.
[01:08:28] Meanwhile, feel free to check out even more cybersecurity podcast content on the SC Media, MSSP Alert and ChannelE2E websites. Until next time, I'm Bradley Barth.
[01:08:39] And I am Ryan Morris. Please reach out to us and let's keep this conversation going, because this topic and many others that we deal with in the industry, we know there's an answer out there, we just kind of have to figure out who has those answers. So we would love to keep this conversation going on our website, on our show page, via our email
[01:08:57] address at CyberRisk Alliance, cyberforhire@cyberriskalliance.com. Reach out, let us know how things are going out there and what other topics we can address for you. In the meantime, we will keep this conversation going on the next episode of Cyber For Hire, your inside source for cyber outsourcing.

