Risk isn't a static measurement. Threats like malware campaigns, vulnerabilities, human error and unreliable third-party partners can fluctuate in their severity depending on ever-changing circumstances. That's why knowing which risk is of highest priority at any given time can allow MSSPs to dynamically adjust their prevention and mitigation efforts, for both themselves and their clients. But which sources of risk do you measure, and what factors go into such a calculation? How frequently do you remeasure? And upon learning the latest risk scores, what are sound tactics for prioritization, response and mitigation? This session will explore the big questions surrounding risk quantification and optimization for managed security providers. Managed services providers know that investments in talent, tools and infrastructure can take a heavy financial toll. But as MSSPs continue to grow and take on more clients, they can hopefully achieve certain economies of scale such that their previous infusions of funds eventually pay for themselves. This session will look at the key investment areas where security providers can get the most bang for their buck as they expand their business and expand their customer base.
Show Notes: https://securityweekly.com/cfh-25
[00:00:00] Risk quantification and optimization, reducing the randomness of risk response, and generating economies of scale with your MSSP business model. That and the latest news and trends in the managed security space, coming right up on Cyber For Hire. Building bridges between managed security providers and their clients,
[00:00:23] it's the podcast where MSSPs, vCISOs and end users take a united stand against cybercrime. This is Cyber For Hire. Struggling to monitor the growing threat landscape, pressure to reduce costs, security skill gaps, facing compliance issues: these issues can translate to operational, financial, regulatory
[00:00:46] and reputational risks to your business. Check Point can help. Check Point combines an MSSP enablement program, cloud-delivered multi-tenant management, a SOC platform and superior threat intelligence capabilities to give MSSPs the confidence to grow profitably at reduced risk. Check Point is 100% channel driven.
[00:01:09] We partner to deliver the best security everywhere. Visit MSSPAlert.com/checkpoint. All right, welcome, friends, to episode number 25 of Cyber For Hire. How's everybody doing today? I'm Bradley Barth with SC Media in New York.
[00:01:27] Joining me today, just a three-hour drive away on I-95, is my guest co-host for the day, Jason Albuquerque, chief operating officer at Envision Technology Advisors and co-host of the Business Security Weekly podcast. Jason, glad you could join us. You know,
[00:01:44] earlier this month, I took a little road trip to Pittsburgh, Pennsylvania, which you might know is a pretty major hub in the robotics industry. Obviously robots and AI, very hot topic right now due to security concerns around connected
[00:02:00] devices and machine learning. So you might be interested to hear that when I went to Pittsburgh's Carnegie Science Center, I actually met a couple of robots. So yeah, so I sent you an email and
[00:02:14] will insert the image into the show later. Tell me if any of these guys seem familiar to you. What are they? What are those robots? Okay, so you don't recognize any of them. So the first one with the red blinking
[00:02:30] light, that's HAL 9000 from 2001: A Space Odyssey. Oh, there we go. Yeah, yep. Yep. I mean he kept calling it. Yeah, yeah. So yeah, he had little messages coming up on
[00:02:43] the screen. He kept calling me Dave for some reason. But like HAL really is the perfect retort, right? Anyone who says, hey, yeah, what can go wrong, right? Yeah, right. I mean,
[00:02:57] you know, he basically, you know, he was basically the one of the first, you know, killer robots basically or artificial intelligence. The other two guys or robots that are both in the same
[00:03:11] picture there, one of them is the robot from Lost in Space, the "Danger, Will Robinson" one. And then of course you have Gort from The Day the Earth Stood Still. So real like oldie
[00:03:25] classic there. Very good. Do you have a favorite movie robot? Do I have a favorite one? I don't. Honestly, I'm not super into robot movies. Okay, more of a Marvel guy. So the closest
[00:03:40] thing to a robot would be Iron Man. Okay, fair enough, or Vision. Yeah. All right. Well, more discussion coming up later. But first, some news just can't wait, which is why we want to share what's top of mind today. So here's your headline, Jason, courtesy of MSSP Alert.
[00:03:57] A newly released report from Mandiant warns that a suspected Chinese cyber espionage campaign has been emailing malicious file attachments to organizations in order to exploit a zero-day vulnerability in Barracuda Networks' Email Security Gateway. Mandiant's chief technology officer
[00:04:14] called it the broadest cyber espionage campaign conducted by a China-nexus threat actor since the Microsoft Exchange compromise of 2021, which affected tens of thousands of machines. This latest campaign has been going on since October 2022. And among the hundreds of victims
[00:04:29] are various governments and foreign ministries. Barracuda users are encouraged to investigate and hunt for compromises. Jason, why is this top of mind for you? Well, breaking news. So I filled in on Paul's Security Weekly last night. And this was a topic that we covered.
[00:04:45] Now they're coming out saying, you know, Barracuda is saying, clients need to replace all of their hardware appliances. It's unfixable. They tried to address it via multiple patch cycles. The malicious actors still persisted. And now they're actually coming out saying,
[00:04:59] replace all of your ESG hardware appliances. And the ramifications are huge. I mean, you know, it started off with a TAR file attachment that allowed the malicious actors to execute a reverse shell payload. You know, from there, they went in and had a Trojanized module for the
[00:05:17] SMTP daemon, and created some backdoor functionality there that allowed them to execute commands, upload and download files. They also had a persistence backdoor that allowed them to communicate to command and control. So, so very, very high risks to organizations. Some of the latest data:
[00:05:36] a third of the victims have been public sector, with government entities. And at this point, you know, as an MSP, if you're supporting, you know, Barracuda, it's replace the gear as quickly as you can replace the gear. That's the mantra at this point: replace. Now I don't know,
[00:05:52] and we talked about it last night whether or not Barracuda is offering any type of financial reimbursement for this or any type of incentive for this. I haven't seen any news yet, but I would recommend
[00:06:05] if you're a Barracuda partner, talk to your partner, you know, your account executive and your partner representative, and figure out how you can replace the gear as quickly as possible. Yeah, good advice there, because it would certainly be interesting to see if there would be
[00:06:18] any kind of compensation they would offer there. Obviously, the response now more drastic than perhaps we initially thought it would be. So thanks for that analysis, Jason, and that's going to be
[00:06:28] our top of mind hot take for the day, but now it's time to move on to our InfoSec news and trends topic of the week, presenting our big idea in security: risk quantification and optimization, reducing the randomness of risk response. Risk isn't a static measurement. Threats like malware
[00:06:48] campaigns, vulnerabilities, human error, and unreliable third party partners can fluctuate in their severity depending on ever changing circumstances. That's why knowing which risk is of higher priority at any given time can allow MSSPs to dynamically adjust their prevention and
[00:07:03] mitigation efforts for both themselves and their clients. But which sources of risk do you measure, and what factors go into such a calculation? How frequently do you re-measure, and upon learning the latest risk scores, what are sound tactics for prioritization and response? The session is going
[00:07:19] to explore some of these big questions surrounding risk quantification and optimization. To discuss this further, we have an excellent guest who is always a pleasure to talk to. He is an author, speaker and consultant, Ira Winkler, Ira is director of the Human Security Engineering Consortium.
[00:07:37] He is the current VP and field CISO at CYE, and he was the founder and president of security awareness services firm Secure Mentem. Though in his appearance today he'll be representing himself, not any of his professional affiliations. He was also formerly the Chief Security
[00:07:56] Architect at Walmart. You may have read his books, You CAN Stop Stupid, Security Awareness For Dummies and Advanced Persistent Security. Ira, thanks so much for joining us as always. Thanks so much. I appreciate it. Yeah, so again, you did use to work at Walmart. I'm not going
[00:08:16] to ask you to comment directly on what went on there. I did recently visit their headquarters earlier this year and I spoke to one of their senior directors who explained how Walmart's risk and compliance department leverages threat intelligence data and proprietary algorithms to assign
[00:08:33] quantitative scores to potential sources of fraud and cyber criminal risk in order to optimize their response. Everything from malware to third party partners employee risk. The pie in the sky scenario, he said would be if every executive came into Walmart and they could refer to
[00:08:49] this real-time stock ticker that tells you where your risk is in any given moment. Obviously, that's a bit of daydreaming, but how frequently should you as an organization be refreshing and recalculating your organizational risk? There are different layers of organizational
[00:09:07] risk that you really got to look at. At a high level, organization risk should not be something that changes drastically from moment to moment. That's one potential issue. At the same time, we're talking organizational risk versus cyber risk which is a distinction I'm going to assume
[00:09:26] that most people listening to this webcast are going to be primarily concerned with cyber risk. For sure. So if we're talking about cyber risk, one of the issues is in general cyber risk
[00:09:37] should be kind of relatively stable where you have a program in place that understands what the quantification is, that understands what the exposures are, what probability of something being exploited and so on. That should give you some element of your risk. Now, at the same time,
[00:09:58] where a lot of these quantification programs fail is they're not dynamic enough for example to take into account what is the exposure. So you were just talking about for example a new attack against
[00:10:10] barracuda equipment. If you have that barracuda equipment in place, you all of a sudden out of nowhere have a very serious threat. So in some cases with cyber risk, you're really talking about looking at threat intelligence and incorporating that into your program. For example, I heard this before
[00:10:34] I joined Walmart so I will give you this example and it's something throughout the industry. It's not just for Walmart but Walmart does have a very good cyber threat intelligence program.
[00:10:44] And if there is a credential dump put to the dark web, for example, let's say a bank is compromised, not Walmart, just some random bank, and the credentials are dumped. All of
[00:10:58] a sudden Walmart knows, wait a second, we might have a bigger threat. And why would some bank credential dump all of a sudden impact Walmart? Because we know users are going to essentially
[00:11:11] reuse user IDs and passwords. So there is a distinct threat, not just through Walmart, but throughout the entire retail sector, the banking sector and anybody who does internet e-commerce. All of a sudden you know that the criminals are smart enough to do,
[00:11:30] God, I'm on air and I forget the term, but you know, essentially replaying all the credentials against every major retailer and every major bank. And so that's an
[00:11:43] example where you need threat intelligence because your threat does go up. And likewise, when you have a new vulnerability that's all of a sudden out there if you have a new threat actor like for
[00:11:55] example, if you happen to be in the energy sector and there's a new threat actor that's effectively targeting the energy sector. You want to go ahead and that increases your cyber risk, it increases
[00:12:09] your cyber risk exposure and it increases how you will change as how you do cyber risk optimization. Because all of a sudden a very low priority threat or low priority vulnerability might become
[00:12:23] your top concern because of what's going on in real time. But in general though, as long as you have a good program in place, your cyber risk should be relatively static unless there's major changes to
[00:12:36] your organization. So, so I know as cybersecurity professionals we've always had challenges with quantifying the risk to the business. Folks haven't done a really good job of proving out risk. What are some suggestions? Because, you know, I know professionals have gone out and tried
[00:12:58] to get investment, and then there's different priorities in the business that outweigh this cybersecurity investment. What are ways that professionals can do a better job of articulating risk to the business so that way they can get the investment, articulate that they're reducing risk
[00:13:14] in a monetary perspective? Because that's what the CFO is going to look at. That's what the CEO is going to work with. Right, so I've said since I wrote my first book in 1997, Corporate
[00:13:24] Espionage, you can look this up, had a whole chapter and essentially the book was on risk as a whole applied to cybersecurity, which wasn't even a term back then, which I'm really dating myself now.
[00:13:37] But anyway, to that extent I said the major problem with cybersecurity programs is that CISOs get the budgets they deserve, not the budgets they need, and they need to learn to deserve more.
[00:13:50] You know, one of my friends, and I'm going to use him as an example, Dan Meacham, I'm going to use him as an example in a good way. I would never use a friend in a bad way unless I really, they were
[00:13:58] not a friend. But generally Dan one day he pulls me over, like, you know, 2008, 2009, at some event, and is like, Ira, let me show you my new iPad. I go, I know what an iPad looks like. He's like, no, it's
[00:14:11] not that, it's not the iPad, it's an app I developed, or I had one of my guys develop, and he's like whenever I walk into a budget meeting I bring this iPad with me, and he goes ahead and he's like, I need,
[00:14:23] you know, I'm just making this up, 50 million dollars for my budget, and they come back and say okay, we can only give you 45, and he's like okay, I understand, and he goes ahead, he opens up his app and he
[00:14:34] clicks, okay, you know, 50, you know, now 45, reduction of $5 million, and he's like okay, according to my calculations, and so for a saving of $5 million on the security budget you upped our risk by
[00:14:50] $238.7 million. I just need you to sign here. And then he had a signature block on his iPad for them to sign to accept this $238 million risk. He got his budget. And to this day I'm pretty sure
[00:15:09] that that was just a random number generator, honestly. It might be more, but the guy's smart. Now he's CISO of Legendary Entertainment, one of the smartest guys I know in cybersecurity, and
[00:15:21] you know, that's how he went ahead and did it. Now with the cyber risk quantification tools, I must admit I have a problem with most of them, and you know, I do work with CYE Security so there's a
[00:15:34] potential competition, so I just want to lay that out there. But generally cyber risk quantification tools can be helpful in how they do it. Some cyber risk quantification tools provide you not with financial data but they provide you with some magical index score. You know, maybe it's
[00:15:53] helpful for your concerns. I personally think it's going to be of limited value; that's up to whoever chooses to buy it for their circumstances. So other companies are out there and they have
[00:16:04] actuarial data, and actuarial data is good because there's some legitimacy to it, where you can go ahead and take this actuarial data and say okay, we have X amount of cyber risk. And some of these tools
[00:16:20] then say, well gee, you know, in a company of your size in your industry we recommend you should have a higher security awareness budget. I wrote Security Awareness For Dummies. That's the stupidest
[00:16:34] thing I ever heard, and I'm just using that as one example. And why am I using that as an example? Because you don't know the effectiveness. Just saying that other companies spend this amount so that's a
[00:16:46] good amount for you to spend is not a good reason. And like the old saying goes, if everybody jumped off a cliff, would you do it too? And the thing is it doesn't have a measure of effectiveness, it doesn't
[00:16:59] have all these other characteristics. And cyber risk quantification tools, they're the latest buzzword. I'm sure Gartner will come out with a quadrant, I think Forrester came out with a wave for it, or whatever that situation is, and those are useful tools for providing pretty pictures
[00:17:15] to management in the absence of anything else. And I like to take the next leap, which is what I call optimization, because part of the issue, and again the FAIR model is another thing commonly
[00:17:28] used throughout industry, and the FAIR model is good, but the problem that I see with it is you have to estimate what is your actual probability of loss. And to ask somebody what's your probability of
[00:17:43] loss? If they knew that, we would never have an incident. So you know, I like to take the other tools out there that can go ahead, look at, for example, combining your attack surface, looking at how
[00:18:01] threats get to assets and then figure out what's the likelihood of them getting there. And there are different tools like Monte Carlo simulations and things like that, and this requires
[00:18:13] a lot of mathematics. I'm not, you know, this is what I've been focusing on for pretty much a year plus now. Again, I started writing about it in 1996. Sure. And we need to go ahead and say okay, risk
[00:18:28] quantification is important, because here's one of the problems I see with cybersecurity as a whole, going back to CISOs getting the budgets they need, because how, what's the budget cycle? And
[00:18:40] I've been lecturing, or not lecturing, I like to say speaking, I don't like lecturing, it means I'm pontificating, but when I speak at events I say okay, the way cyber budgets are created
[00:18:54] is that you look at what your budget was last year, you then think okay, did I get a budget cut, can I go ahead and get some more, what do I want to do, and then I go in and I beg for money
[00:19:04] at the next budget meeting, and then they go ahead and play this game like oh, well, we don't give you 50, we'll give you 45, blah blah blah. Maybe they make this arbitrary sanity check:
[00:19:16] what is the percentage of the IT budget that IT security is, and use that as a sanity check, which again is one of the dumbest things out there. And everybody is sitting there like okay, that
[00:19:29] makes sense, but that makes no sense at all, because what you're doing is you're basing your cybersecurity budget on a random number from the previous year, which was based on the random
[00:19:40] number from that previous year, which is based on the random number, and so on and so on. And then the sanity check is what percentage of IT is the IT security budget. It really shouldn't matter,
[00:19:53] because look at banks, the large banks, especially the large banks, are really, really smart. They don't go ahead and say what is my IT budget and let me give that to IT security, because you're not protecting information technology, you're protecting the services and value
[00:20:12] provided by the information technology. And a large bank like a Capital One, not trying to point fingers at anybody, but they know that they're not protecting the computers, because if the computers magically
[00:20:24] go down, they have all the computers, they have all the hardware, all the software, all the people, they have all the buildings, but they're losing millions of dollars a second maybe, or you know,
[00:20:37] at least a minute, and they know that they need to keep these things up and running. And they don't base it on that, they base it on okay, what should be the budget to protect the information and
[00:20:49] services provided by this bank, and then they architect it from there. So anyway, sorry, did that answer your question? No, it's okay, you were on a roll, you were on a roll, we couldn't, we couldn't
[00:21:04] let, break your momentum there. You know, regardless of what tool or tactic or approach you ultimately take for risk quantification and optimization, if you're an MSSP there's really almost two angles to
[00:21:23] this. One, you want to really have your own house in order and recognize risk to your own internal organization, but then of course you have your clients. So how easy is it for a managed services provider
[00:21:35] to leverage what it's already doing for itself in this area of risk quantification and turn it around and apply the same principles and approach to their client base? So theoretically it should be relatively simple. Reality, probably not, because managed services providers, they take, you know,
[00:21:57] especially managed security service providers, they essentially take their clients, they add them in, they don't understand too much about their business, they just know that they're managing the business, they know they're managing the storage. You know, they probably in many cases don't know what's in
[00:22:15] their storage as much as a company would. They don't know what the critical assets are. You know, for example, if you go to, you know, let's just say Microsoft OneDrive, I'm using the mega, mega example,
[00:22:27] does Microsoft have any clue what the clients have? Frankly, I don't want them to know what I put on their systems, as a CISO at, you know, just as an example. That being said, if you want to help your
[00:22:40] clients you need to provide the tools and resources to help them do it for themselves. You know, as an MSP, you know, for example, where are the risks? You know, for example, you have your data
[00:22:54] servers, you know where your value comes from, you know where your vulnerabilities theoretically are, so you know how to contain that. What an organization does, like a client of an MSP, they have essentially
[00:23:08] outsourced their cyber risk to another party, and should they know what that risk is? The answer is probably they should. They should know what is the value of risk that they've cut down, because you know,
[00:23:23] a lot of companies, like, it's no secret that most cybersecurity firms, top-notch cybersecurity firms, are using MSPs for their own services. You know, they're using Microsoft, Google or whatever for their internal architectures, and that's great because these companies have good postures.
[00:23:42] Other MSPs likewise, assuming they have good programs, can do better than all these other vendors because it could be much more tailored and responsive to people. However, um, well, I guess
[00:23:55] I should go beyond that, because you're not just going ahead and doing the storage, you're also doing the management of systems as well, so I shouldn't leave that out. But you need to go ahead and
[00:24:07] probably figure out how are you doing cyber risk optimization, and hopefully you're doing optimization, not just quantification, and bringing it to your clients and potentially offering that as a service, because you never see a more ungrateful client than one who experiences an incident after you've
[00:24:27] warned them about what could go wrong if they don't take additional services or do additional measures. So, so what are some of the most important things to get out of the gate that an MSP can do? You know, it's
[00:24:46] a lot of times we don't have full visibility into the client and we don't have all of the asset classifications that we should have. Right? So for me, for an MSP, it's know your clients' assets,
[00:24:59] know how they're classified, know the risk that those assets bring to the business, start to learn your clients' business, and then from there you can start giving them good advice on risk and start having the conversation around risk management. But I think a lot of the
[00:25:15] basics aren't happening. Well, I think a lot of the basics don't happen, and in many ways because I was a CISO of an organization that was an MSP, and you know, frankly, we tried to help our clients, which were
[00:25:30] at the time mostly government agencies and things to that effect, and they had their own people in place that did what they did, and they outsourced the risk to us. But there's a limitation to what
[00:25:43] you know, because I wish every MSP would offer the services to help their clients do a better job understanding the risk. But to a large extent an MSP is, you know, I hate to say, much like a gas station,
[00:25:59] and the way I describe it is as a gas, I love analogies, if you don't know me, you know I'm an analogy person. And the reason I say a gas station is because when you go into a gas station you're
[00:26:10] putting gas in a car. And for example, if you go ahead and somebody puts diesel gas or regular gas into a diesel engine, you know, the nozzle is not the same size, so there's one protection mechanism
[00:26:26] against it, but if somebody drives into a gas station and puts the wrong gas in their car they potentially have a problem. Then you have other people who put in premium gas and their car doesn't need
[00:26:39] premium gas, it's optimized for regular gas, and they still, but they buy premium gas because they think it works so much better. And they have some people who need premium gas that use regular gas
[00:26:51] because they have a hundred thousand dollar car and they're cheap bastards. And this is kind of in many ways the description of an MSP client, where you have people who want premium services they
[00:27:06] don't need, and frankly, good for them, especially with cybersecurity, because every so often if you're going to waste money, waste it on extra security in my opinion, because it's usually not that much of
[00:27:18] a waste. Then you have some people who you really recommend, you need the premium package, and they're like no, no, no, we're not, we're not going to bother with that, you know, we don't need all that extra EDR stuff.
[00:27:31] Then something goes wrong, the car breaks down or the car putters or something, or something goes wrong, they get hacked, and then now, like, how come you didn't detect my people downloading ransomware?
[00:27:47] It's like, because you refused the EDR package, you know, and this is the same thing. And so when you're an MSP we have to focus, I mean, because here's the problem: do I want an MSP to really funnel
[00:28:03] their clients with proper cybersecurity as a whole? The answer is yes. Is that the primary function of an MSP? Unfortunately not. You know, a lot of MSPs, if they're smart, they offer extra services to
[00:28:21] provide, you know, almost like a doctor taking care of the whole wellness, not just taking care of the cough they come in with, and that's what a good MSP should do. But a lot of clients don't
[00:28:32] want to hear you need to exercise more and lose weight and eat less, for, you know, lack of a better term. They're like, well, you know, well, manage your systems. And, but, we really should add this cyber
[00:28:45] security package to you, we really should add EDR proactively. They're like, well, no, I don't really want to put the cost into it. This is where you kind of got to go ahead and have a more consultative sales
[00:28:58] approach and perhaps identify where their industry has previously failed, and, for example, they had companies that were shut down because they didn't go ahead and have EDR in place, as an
[00:29:13] example, you know, where they didn't have hot spares and hot backups as part of their services as well, and how they could be if they have an incident like ransomware, which is unfortunately not uncommon. If you look at the data breach report I think it's like 80% of companies
[00:29:33] had some form of ransomware. I don't think that's the right number, but either way it's not insignificant, and we need to highlight to people, because doing cyber risk quantification fundamentally, unless you have a truly consultative approach, you're not going to have the data to be able
[00:29:51] to do cyber risk quantification and optimization properly. But you have to work around that. You have to again take, like, what a good cyber risk quantification optimization tool would do and bring in actuarial data, bring in case studies that show where an organization can fail, and be able
[00:30:13] to present it to make the business case, because you're probably not going to be able to take a generic MSP client and get the data you need for a good providing of a dollar value. Right,
[00:30:26] you, I hate to say, you have to kind of scare them, and I don't really think it's selling fear, I think it's frankly selling reality. And too many of us have this whole thing like fear,
[00:30:38] uncertainty and doubt, security theater and all that crap. The fact is things go wrong. It's not fear, uncertainty and doubt, it's frankly certainty for me that without proper security, all the statistics say you will be screwed. We're selling facts. And now, some vendors are horrible,
[00:31:02] but in reality the situation is, it's like, look, you can listen to me, but the reality is one in every, 50% of your industry suffers a ransomware incident once a year if they don't
[00:31:16] have EDR in place, and frankly many suffer it with EDR in place, but it helps to minimize the exposure that they have and minimize the risk and keeps them from, and basically stops their whole organization from going down, keeps it to a little piece going down.
[00:31:37] Yeah, so you're, sorry, that's, yeah, go ahead. Yeah, no, no, it's quite all right, quite all right. So we're a little long on time. Ira, this might be a tough assignment. I'm going to ask you maybe
[00:31:49] if in 90 seconds, I have one last question for you on this, or you'll keep it to 90 seconds, which is, you know, we talked before about measuring risk across a number of different categories, you know, malware, third-party partners, your own internal employees, exploited vulnerabilities. Sometimes that
[00:32:06] can feel a little bit like comparing apples to oranges. Is there a way to aggregate all of that different risk data and basically calculate it all together, or do you really have to quantify the risks of
[00:32:18] each of those categories separately? If you're going to do it accurately, you need to do it separately. If you want to come up with a good value you really do need to go ahead and figure out okay,
[00:32:32] what is my risk exposure from, you know, ransomware in general, all these sorts of things. On the other hand, if you're able to get actuarial data and look at the probabilities and figure out okay,
[00:32:45] from a statistical, historical perspective, what have been traditional risks, which is what a lot of data looks like from insurance companies, you're going to be able to go ahead and get aggregate data.
[00:32:59] you know otherwise you really have to if you're not gonna use these tools I have my preferences obviously but if you're not gonna use some of the tools that are available you're gonna have to generate
[00:33:11] your own numbers and if you're gonna broadly generate your own numbers you're basically gonna say okay what is the value of my entire organization because pretty much the value of your entire organization these days in just about any organization is gonna be protected by your
[00:33:30] cyber program you know maybe except you could take out all like let's say you have a company that has trucks take out the value of the trucks because the trucks will still be there take out the
[00:33:40] hardware but if you have information and services got to figure out okay that's the maximum value you have and then look at things like the Verizon data breach report and then figure out what's
[00:33:51] the probability of an incident happening and then multiply that by you know the total value you think you have to lose again I recommend the tools because this is an easy thing that's why these
[00:34:05] tools are now existing it used to just be kind of somebody making up numbers now we have a lot of vendors making up numbers with software that looks a little more legitimate but anyway people can
[00:34:18] contact me if they want more legitimate stuff but that's a separate thing absolutely what's their best way to contact you I would say LinkedIn Ira at IraWinkler on LinkedIn.com I think I'm one of two IraWinklers on LinkedIn.com so it makes it easy and then my website
[00:34:37] IraWinkler.com has a contact me number or you can just email me Ira at IraWinkler.com perfect alright before we go Ira let's just get to know each other a little bit more when the segment that we
[00:34:50] like to call we speak geek this is a show in tell-type game where we embrace the geek culture that people typically associate with these cyber nerd community because at the end of the day
[00:35:02] everybody's a little geeky about something right so I will we're definitely short on time we're going to kind of do this as a little bit of a lightning round but I would love to know how do you speak geek
[00:35:15] I speak geek frankly you can't just I just do it naturally I wish it was if you're not a true if you're a true geek it just comes out of your mouth randomly you know it's like all of a sudden
[00:35:27] sitting there talking about okay what do you like to do it's like well oh my god there's a charizard at the put check point or something like that you know I play Pokemon Go I admit it you
[00:35:38] know things it's it's just a natural thing because I just can't shut it off so Pokemon Go for you is the thing that you're particularly geeky about if that's if that's that's top of mind for you
[00:35:50] unfortunately yeah I love traveling I love seeing the world but unfortunately you see a lot easier to play Pokemon Go than to hop on a plane to Thailand alright so I will tell you real quick
[00:36:03] that a few years ago when I was working in the the old offices in New York City and I had a colleague at the time and he ended up as I best can remember this story I believe he kind of showed
[00:36:15] up a little bit like late and out of breath to work one day and he was like oh man this was like what a crazy day it worked like I was on the bus but then I saw a charizard on my Pokemon Go
[00:36:30] outside the bus I had to hop off the bus and chase after the charizard then I had to walk the rest of the way to the office so that's a dedicated Pokemon Go player right there.
[00:36:41] I unfortunately feel his pain true story now we can go but I was once traveling to Vienna Austria speaking at an event and I decided I wanted to see downtown and I was just sitting on the bus for like
[00:36:54] a half hour train ride or bus ride because we were there and all of a sudden like Pokemon Go has different Pokemon and different regions frequently and all of a sudden a new one popped up on my
[00:37:07] nearby screen and I like just jumped off the bus at the next stop and then it was at and then I like followed where the Pokemon Go stop was and it was in the middle of a United Nations compound
[00:37:23] and they wouldn't let me on the compound and I was trying to negotiate with the guard to get on there and telling them that like the the the white whale of Pokemon's that you needed to capture was
[00:37:37] not convincing enough to let the to let you in so I go I'm just trying to get into the park you have here look on the map he's like I don't know about this map you know like hilarious so this is a
[00:37:47] common occurrence people just like jumping off of public transportation to hunt down Pokemon unfortunately there are people falling off cliffs to hunt Pokemon I'm not that bad okay and we're glad that hasn't happened to you all right thank you so much for joining us always a pleasure to
[00:38:04] speak to you that's gonna wrap up the first half of our show but please everyone return for the second half of our episode featuring our big idea in business that and more coming right up so we will see you
[00:38:15] in a moment on the other side all right welcome back to Cyber For Hire the managed security podcast once again I'm Bradley Barth with SC media and the first half of our show we spoke with security
[00:38:33] thought leader Ira Winkler about risk quantification and optimization but right now I'd like to welcome back in my fill-in co-host Jason Albuquerque because it's time for us to examine our MSSP industry strategy topic of the week presenting our big idea in business generating economies of scale
[00:38:56] with your MSSP business model managed services providers know that investments in talent tools and infrastructure can take a heavy financial toll but as MSSP's continue to grow and take on more clients they can hopefully achieve certain economies of scale such that their previous infusions of funds
[00:39:17] eventually pay for themselves the session will look at the key investment areas where security providers can get the most bang for their buck as they expand their business and grow their customer base
[00:39:30] Jason welcome back we're gonna jump right into things as we always do explain why the notion of economies of scale is so important in the MSSP industry and when you've reached an economy of
[00:39:44] scale as an MSSP when that threshold is hit what kind of efficiency ratio are we talking about here in terms of revenue over expenses so so importance I mean economies of scale and process improvement is really our competitive advantage over our competition I mean ultimately it creates efficiencies
[00:40:07] quality it eliminates non-value add from your organization and it allows you to have that competitive advantage so you're driving margin and driving profit as you're realizing economies of scale because you can do more with less within your organization provide those quality services efficiently
[00:40:25] effectively with less overhead so that's the goal there is to really constantly focus on the efficiencies and the economies of scale that you can drive throughout the business so quite a while back
[00:40:37] early in my career in my first leadership role you know I had I had a mentor and for me I always have my own personal board of directors this is something that I have for myself where I have these
[00:40:49] folks that I can lean on for advice over the course of my career and you know the advice that I got was technology and pointy lights on top of a ruined process creates no efficiency, no effectiveness
[00:41:03] and can undermine your business so taking that I really dove in to lean process improvement methodologies and I integrated that into my leadership skills for an organization which ultimately got me
[00:41:18] to where I am in my career today I mean I went from a director to a CSO to a CIO and CSO of a half a billion dollar IT services and MSP organization to now chief operating officer of a consulting company
[00:41:35] right managing that effectiveness managing that process improvement those economies of scale and how we can build a better competitive advantage every single day so you had mentioned also that once you hit that threshold my belief is there is no threshold we can always find to we can
[00:41:54] always improve we can always look at the business and figure out how we can get better process improvement more economies of scale and really eke out profit as much as we possibly can time
[00:42:05] over time all right well put well put although I don't know why you want to take away our fun by taking away the Blinky lights the Blinky lights are always fun to look they're part of the
[00:42:15] puzzle they're part of the not the whole fair enough fair enough are there any managed services in particular that you feel like scale up well as your company base grows and conversely which ones might be more challenging to scale up and require more resources or introduce more
[00:42:35] complexity yeah I mean it's it's it's the scenario of migrating more toward the consultative professional services aspects of the business versus supporting legacy things like hardware and iron all right so easy to scale as consulting services one of the things that our organization is doing
[00:42:55] really really well right now as we call it CXO services and you put the X where you need it right so whether it's CISO services CTO services CIO services we have a seat at the table with the
[00:43:07] leadership of the organization helping them design strategies around their program whether it's their IT program their cybersecurity program their risk management program you know we're helping them with those strategies and in turn that's something that allows us to get deeper and wider
[00:43:25] into the customer base in order to sell additional services so when you're having those conversations at that CXO level we're making recommendations for services and by the way it's in our portfolio
[00:43:36] so if you want to take advantage of it you know let's dig into our portfolio you can learn about that and then we can bring those services to the table to help that company grow. We were just talking a
[00:43:48] little bit about services that are that you already have that you can then scale and grow bigger there might also be a temptation though as as you grow as an organization to also add more services
[00:44:04] now we did an episode a little while ago talking about you know go broad or stay specialized with your services but how does the the scale question and the ambition to scale affect this decision in
[00:44:19] terms of whether or not you should also add more to your repertoire. I think it's it's a diligence exercise right so so we have and this is something that I've done over the course of you know the
[00:44:33] last few organizations that I've worked for on the MSP slash consulting side is have a product operations process that exists within your organization so when an idea comes about anywhere in the organization about a potential new service you have to run it through a diligence process number one
[00:44:50] have an executive summary on what this this offering would bring to the table how would benefit a client and what would it take to support it whether it's software people hardware whatever type of
[00:45:02] investment you need you're bringing those expenditures to the table that goes to a group of folks who can vet that turn around and say is there a market for this can we drive revenue and does it meet
[00:45:13] the margins that we expect out of the services that we offer in our portfolio and does it complement our portfolio and if the answer to that is yes then you go through an operationalization of this right
[00:45:26] so you figure out how would we actually build this offering how do we enable our marketing team enable our sales team our implementation team you build out the technical implementation planning
[00:45:39] and then from there you go to market with it so it is a diligence process but upfront is the vetting side that determines whether or not it's an offering that you should even put in your
[00:45:49] portfolio in general yeah Jason I'm actually going over this next question I'm going to hit the rewind button for a second and skip back to my previous question because I know that when I asked you
[00:46:03] about what services scale up well you would mention things like consulting services you know CEO type services or the types of things they can scale up well I did also want to know which ones might
[00:46:15] be a little bit more challenging in terms of being a burden on your resource or introduce more complexity into your organization and I don't know if we really ended up discussing that too much so I want to re-emphasize that and ask you what particular management services might
[00:46:30] are a little bit more difficult to scale up and why yeah it's a lot of the legacy services right so so managing the iron that's on-prem in organizations if you're doing end-point management or traditional MSP support services you know specific clients can can present a lot of
[00:46:53] influx of incidents and tickets and in need so that's always a challenge right because it's really keeping an eye on utilization of your team and positive utilization meaning you know billable work time for for the client and making sure that you're pricing these contracts accordingly
[00:47:12] you know because you're going to have customers who have high need who are probably higher risk to your organization so being able to classify your clients based on those type of engagements you know the the need the acumen you know their technical talent
[00:47:27] and really how much oversight from your team they're going to need pricing those out of accordingly is very important because you can start losing money right based on based on what
[00:47:36] those clients bring to the table so I see a lot of those heavy hitters as the end-point management and really managing the the iron the assets that physical assets are cost-to-missions all right so Jason
[00:47:49] let's talk best practice is a little bit I'm sure some of our listeners would be very interested in hearing what would be some of your top recommendations for how to scale up successfully
[00:48:01] yeah so I mean out of the gate understand the business right start embedding yourself in your business knowing your client base I highly recommend to organizations having a client advisory board highly highly recommended that's where you're going to get feedback from the organizations that
[00:48:20] that's where you're going to get connections into the leadership of those organizations because it's usually going to be your highest level stakeholder who's part of that advisory board and really start grooming that information and using it to your benefit that feedback loop is so
[00:48:33] important you know you don't want to get the feedback only in a net promoter score or a survey that you're sending to the customer you want to be able to get that genuine feedback and an advisory
[00:48:44] capacity that you can take that information back and make strategic changes within your organization you're going to hear about potential product offerings that you can add to the mix based on the client need that's validated by your existing client and know that you could
[00:48:58] actually sell it into your market so having that advisory board I think is one of the most important things you can do to keep your business effective efficient support the needs of your clients
[00:49:10] and be able to get that innovative insight as to what net new offers could come on board later on what about the the human resources and talent side of things because I would imagine that's
[00:49:22] going to be one of the most difficult areas when it comes to scaling there's of course just a continual competition for available talent and that extends certainly to any kind of an
[00:49:34] MSSP type service and if you want to scale and grow and have more customers that you have to interact with then you're going to need more people skilled up and trained up of course
[00:49:46] maybe you can also apply some automation to relieve some of that burden so what's your take on all of that yeah I mean I think automation and orchestration is very helpful to get those economies
[00:49:59] of scale but it's never going to eliminate the humans from the need especially when you're driving toward a consultative level organization right when you're putting that those consultative services forward so we talk about this all the time on business security weekly about the skills gap
[00:50:17] the talent shortage and at the end of the day I don't think there's a lack of talent out there I think it's a lack of the skills that we need within our industry to be able to provide the
[00:50:28] services and the quality of services that we that we want to provide and one of the mantras that I have is I do not want to be a unicorn hunter I can go out there and sit in a tree
[00:50:39] and try to hunt a unicorn all day long I will never find one what I want to be is a unicorn farmer I want to bring that talent in house that I groom that I build so having things like apprenticeship
[00:50:50] programs internship programs really looking at your organization and the roles within your organization figuring out how you shift that talent left and start hiring at the entry level and be able to start shifting that talent upstream and really grooming that talent so that way you're
[00:51:10] filling entry level positions and grooming that excellent talent upstream farm the unicorns do not go try and hunt them they will be very expensive or you will never find them one more question
[00:51:23] about best practices for you Jason which is I'd love to ask you you know with your vendor partners where they come into play with all of this and do you have any tips or recommendations in terms
[00:51:36] of ensuring that all of your various vendor and solution partners are also going to be able to concurrently scale with you give you the the resources you need from their from their end as as you grow
[00:51:53] yeah I mean evaluation of partner is is always something that's on the table and a cadence it's not during the initial vetting process it's always re-evaluated and it's evaluated for many things
[00:52:06] quality the ability to support our customers and their ability to scale with us and there are times where you outgrow partners and you have to start looking at new partnerships to be able to scale
[00:52:17] with you as a business and I think that evaluation from a diligence perspective and a vendor risk perspective is something that you should be doing annually as an organization looking at those partners
[00:52:28] evaluate them annually do they still fit the partnership that we expect can they scale with us in our plan are we satisfied with what they're what they're bringing to the table for us very important and then
[00:52:40] on the other side we are also a vendor partner to others we provide services to MSPs that don't have the services and our portfolio so we have to be on the other side of that as well making sure
[00:52:53] we're constantly driving quality or constantly getting feedback constantly being able to scale with our partners to be able to support them so I can see it from both sides of the aisle but it's extremely important to have that cadence where you're constantly evaluating all right excellent well
[00:53:11] that was great really interesting stuff I appreciate your insights Jason that's going to be our big idea in business next up is a segment that we like to call dear cyber for hire this is an advice
[00:53:23] column segment where we get to play marriage counselor between MSSPs and the clients to help mend fences when the relationship goes awry and so the following letter has been dramatized and anonymized to protect the innocent but the conflict represented here is a very real problem
[00:53:44] that companies face and so Jason it's time to immerse ourselves in some juicy MSSP melodrama this complaint comes from the provider side of the relationship so fellas queue the music dear cyber for hire do you ever stare at your partner and come to realize that you don't even
[00:54:07] recognize them anymore that somewhere along the road they became a completely different person I never thought such a cruel fate would befall me and yet here we are my client has suffered a personality transplant as their former director of IT has now been replaced by a total stranger
[00:54:29] and I fear this newcomer will be questioning scrutinizing our MSSP relationship I'm going to have to prove myself all over again justify our costs all over again ensure continuity isn't lost as the new regime arrives frankly wouldn't shock me if the new guy
[00:54:47] recommends random changes to the CEO just to differentiate themselves from their predecessor I never thought I'd have to start over from scratch where do I begin? sincerely reluctant to restart reboot and renew relationship in Reno
[00:55:06] Jason earlier this year we had a letter where the client feared that an acquisition of their MSSP would change the dynamics of their relationship here this is almost the opposite scenario a change
[00:55:16] in leadership at the client so whether it's a new IT director or security director or a new CEO or CFO the change can certainly alter the previously established relationship so what's the best way for the
[00:55:27] MSSP to hopefully make this uncertain transition go smoother and make a good first impression yeah and unfortunately this happens often right I mean kid you know business is always moving new leadership is always coming into play and at the end of the day it's about forming strong
[00:55:45] relationship so you know there's going to be a new incoming regime you want to make sure that you get out there in front of any narrative you're able to build that relationship out of the gate
[00:55:54] and then I would say if you're looking at this and you realize that all of the eggs are in one basket you're only strategic relationship in the organization was with that IT director
[00:56:06] and now a new IT director is coming in that means all your eggs are in one basket you need to build relationships across the business right so for more perspective we're business partners first right
[00:56:17] you know yes we provide managed services yes we provide professional services but we are business partners so we are having conversations with not only IT leaders security leaders but with CFOs CEOs we're having relationships at our VP level with VP's and those organizations at director level
[00:56:36] with directors and those organizations and we're building strong relationships across the entirety of the business so that way you're not pigeonholed by one relationship if you're providing great service you're providing quality service you will have a group of evangelists within your client
[00:56:56] who can stick up for you when a new executive comes into play that's the strategic move here quick follow up on you on that Jason so first sit down meeting you know in person or virtually
[00:57:11] with the new director of IT you're the MSSP how do you want that meeting to go like what what what should be on the table what's part of the discussion there not number one you know learning
[00:57:24] the the personality and the drivers of that new IT director right get to know that person what motivates them what their strategy when they come in what their 90 day plan is 120 day plan is for the
[00:57:36] organization coming in and show how you can help enable that how you can get them to their goal because ultimately as a managed service provider you're there to make that stakeholder look great
[00:57:49] to bring quality service to the table so that stakeholder looks incredible in front of the CEO or whoever they report to we are there to serve we are service providers so keep that in mind
[00:57:59] understand their motivation understand how they need to align to the ultimate business goals that the CEO has brought down on them and what's their mission for the next 120 days so you can help support it right because that's ultimately as a new executive coming in you're gonna have
[00:58:14] 120 day 90 day maybe report out of your findings that's typically what happens when you're in a new executive role because that leader's gonna you know that that executive leader manager is going to want to know what they found and how they're going to change right and how they're
[00:58:28] going to make positive change for the organization so how can you help make positive impacts for that stakeholder makes perfect sense and it's very sound advice for anyone that finds themselves in this situation another relationship saved hopefully our listeners have learned from this
[00:58:46] and don't make the same mistake and remember if you've been struggling with your managed security services relationship whether you're the user or the provider we want to hear from you so
[00:58:56] please write to us at cyber for hire at cyberriskalliance.com and we might use your letter in a future episode all right well it's almost time to wrap things up but before we go we want to get a little random now
[00:59:11] as we share with you drum roll please our relevant news of the week now this is a real news pitch that I've received in my inbox for reasons that are quite frankly entirely inexplicable to
[00:59:24] me are you ready Jason for some randomness let's do it all right new research from online gaming platform heart sland has revealed the most popular characters that fans cosplay according to an analysis of Instagram hashtags and so you know Jason you just said you're pretty big on comic
[00:59:48] books so would you care to guess who is number one right now I could give you a hint if you'd like oh god spider man that is an excellent yes spider man is not number one spider man is actually
[01:00:02] number two oh yes all right cool with the 710,000 approximately combined hashtags number one is a female villain character does that help? Harley Quinn that's right Mr. Jay as she would as she would
[01:00:22] say it is it is Harley Quinn so and then I believe number three was was Batman and then followed by the Joker and and so I want to ask you Jason have you outside of Halloween of course
[01:00:42] have you ever a cosplay I have not ever no no nothing ever really outside of a Halloween but if you were going to let's say you were going to the big Comic-Con in San Diego and you wanted
[01:00:57] to go all out you had to pick someone who's it gonna be oh that's a tough one well like I said earlier I mean you know obviously my favorite character is Iron Man from Marvel so I'd probably do
[01:01:10] something like that um well I gotta add some of those blinky lights though if you're gonna be Iron Man yeah I'm trying to think of who else I would be who's the guy from God of War um oh you're asking
[01:01:30] the wrong guy there yeah yeah it probably it probably like one of the God of War characters or something like that from the video okay fair enough fair enough yeah I was trying to think
[01:01:41] who would be on my end and it's like the same thing for me like I like all sorts of stuff and all sorts of pop culture and I'm I'm super into Marvel and you know I enjoy video games but
[01:01:52] I don't know if I feel like a real super close and it's to like any one particular character that I would just be like I have to be this person yeah you know like I was thinking about a little bit
[01:02:04] before the show and I was like I don't know if I like I love Futurama you know I joke with our like producers for the show all the time about Dr. Zoidberg because I do a little bit of like a
[01:02:14] Dr. Zoidberg impression too and so yeah so I was like so my Dr. Zoidberg would be like a pretty fun one to like dress up as like you know a giant like you know lobster crab you know mutant guy and then
[01:02:25] just and then be like nice your music's but then you should feel but this me Dr. Zoidberg so anyway so I don't know like maybe you like tender tender smokes cigars. That's right Laund that just
[01:02:40] brought us right back to robots again and now we've just gone full circle for the entire episode there is one robot I like it's that's right that's right all right well it's been fun talking
[01:02:51] about costumes and dress up but there's no way to disguise the fact that we're out of time for today's episode but fret not we will be back again next week with episode number 26 I want to give one
[01:03:03] last thank you to my co host for the day Jason Albuquerque thank you so much for filling in you were great we hope to have you again sometime meanwhile feel free to check out even more cybersecurity
[01:03:15] podcast content on the SC media MSSP alert and ChannelE2E websites until next time I'm Bradley Barth please reach out to us via our show page with your comments questions and insights about the business
[01:03:30] of cybersecurity we'll keep the conversation going on the next episode of Cyber For Hire your inside source for cyber outsource.