Supply Chain Security: How Moving Accountability Upstream Helps & Hurts MSSPs - Dave Sobel - CFH #29
Cyber For Hire (Audio) | July 31, 2023 | 01:01:46 | 141.34 MB

One of the most significant takeaways of the White House's recently unveiled National Cybersecurity Strategy is the assertion that software developers, OEMs, and technology service providers -- rather than end-users -- must bear the brunt of the responsibility for keeping cyber environments secure. With the looming prospect of further legislation and regulations that could impose greater liabilities on software products and services, MSSPs and other cyber services providers must understand where they fit into the overall scheme of things. Are MSSPs an extension of the end-user, or are they one of the upstream providers who will be held accountable when cyberattacks occur? In what ways will the burdens on MSSPs be reduced or shifted due to federal efforts around coordinated vulnerability disclosure, SBOM use and other supply chain security strategies? This segment will explore these key issues. There's a lot that goes into the creation of a managed services contract before the client ever puts their John Hancock on the dotted line. As an MSSP, you want to make sure that expectations for both sides of the relationship are spelled out clearly and cogently. The language within must address key terms and stipulations related to payments, roles and responsibilities, scope and scale of services, liability, and plenty more. In this segment, we'll discuss some of the most important clauses to include in your MSSP contracts, and how to avoid unfortunate omissions or vagueness that can result in confusion or disputes down the line.

Show Notes: https://securityweekly.com/cfh-29

[00:00:00] Supply Chain Security, how moving accountability upstream helps and hurts MSSPs

[00:00:07] and sign language, how to write effective security services contracts, then latest news

[00:00:14] and trends in the managed security space coming right up on Cyber For Hire.

[00:00:22] Building bridges between managed security providers and their clients, it's the podcast

[00:00:27] where MSSPs, vCISOs and end users take a united stand against Cyber Crime.

[00:00:33] This is Cyber For Hire.

[00:00:37] Struggling to monitor the growing threat landscape, pressure to reduce costs,

[00:00:41] security skill gaps, facing compliance issues, these issues can translate to operational,

[00:00:47] financial, regulatory, and reputational risks to your business.

[00:00:52] Check Point can help.

[00:00:53] Check Point combines an MSSP Enablement Program, cloud delivered multi-tenant management,

[00:01:00] SOC platform and superior threat intelligence capabilities to give MSSPs the confidence

[00:01:06] to grow profitably out of reduced risk.

[00:01:09] Check Point is 100% channel driven.

[00:01:12] We partner to deliver the best security everywhere.

[00:01:15] Visit MSSPAlert.com/checkpoint.

[00:01:22] All right, welcome friends to episode number 29 of Cyber For Hire.

[00:01:26] How's everybody doing today?

[00:01:27] I'm Bradley Barth with SC Media in New York and joining me today just an hour and a half

[00:01:32] drive away on I-95 is my guest co-host for the day Joshua Marpet.

[00:01:37] CEO of MGM Growth and co-host of the Paul's Security Weekly podcast.

[00:01:42] Josh, thanks for filling in this week really appreciate it.

[00:01:45] Now this will be our last show before the early August trifecta of Black Hat,

[00:01:53] Defcon and BSides Vegas.

[00:01:56] Josh, I know you are a BSides global council member.

[00:01:59] So is there anything in particular you're looking forward to at Vegas this year?

[00:02:03] Also along with that we all know that Defcon has this particular reputation of being a place where

[00:02:09] certain hackers like to cause a little mischief and trouble whether it's hacking hotel rooms

[00:02:14] or hacking ATMs or all those great epic stories.

[00:02:17] So what's the most paranoid thing you do when you go to a show like that in Vegas?

[00:02:23] Lots of things.

[00:02:24] You know the Defcon saying is it's the most hostile network in the world when you're there

[00:02:30] and it's not untrue.

[00:02:32] However, the Defcon people, the labs people go through an amazing amount of work

[00:02:36] to provide secure wireless for people.

[00:02:39] Cell phone not so much.

[00:02:40] There was one year I was there, we measured an extra 45 cell towers I think that weren't there

[00:02:45] the week before Defcon during Defcon.

[00:02:48] So it's awkward but typically when I go I just turn off Bluetooth on everything I own

[00:02:54] whether it take either not and I turn off Wi-Fi and I use either cell exclusive on a burner or

[00:03:04] honestly a lot of times I just turn everything off.

[00:03:07] The only thing I do is maybe bring a device with Signal on it.

[00:03:10] In years past it would be Twitter but this year with X I'm not sure what will happen.

[00:03:15] Now I'm not going to be in Vegas this year so I shouldn't even really talk about it.

[00:03:18] I have a one year old and since she's a little too young to be vaccinated

[00:03:22] and we've got a reservation at the beach we're going to the beach and frankly it's a much

[00:03:27] more pleasant batch of sand than Vegas if you know what I mean.

[00:03:29] Yeah absolutely all right well no I mean you can't turn down an opportunity to go to the beach

[00:03:33] especially with the major heat wave that we've been having lately so that sounds like

[00:03:37] pretty nice alternate plans. I remember the year that I went to Defcon I was a super paranoid

[00:03:42] I just felt like I was you know just eyeing everybody giving everybody the side eye and then

[00:03:46] I remember like having everything set up and having the whole routine of how I was going to stay

[00:03:50] secure and then the second I opened up my laptop for the first time it started almost automatically

[00:03:56] connecting to the local network and I was like oh no no no no disconnect disconnect and I was like

[00:04:01] miss that and then I you know how to take quick action there but yeah I mean those are always

[00:04:06] the ones where you just feel like you're almost justified in wearing that tin foil hat.

[00:04:10] So if you're worried go to the information desk one of the SOC goons will help you set up your

[00:04:15] devices properly they're really really nice they're really helpful they're lovely people okay

[00:04:20] yeah honestly it depends on what you want to do if you want a party go to Defcon if you want to

[00:04:24] learn some really cool stuff go to BSides Vegas if you want to meet very high prestige

[00:04:29] speakers go to Defcon talks the villages are insane yeah and frankly Black Hat is where you're

[00:04:36] going to be a business person it's a networking event that's what it's yeah yeah no there's definitely

[00:04:40] a little something for everyone across the three events so should be interesting see what happens

[00:04:46] this year all right more banter later but first a quick heads up to our listeners Cyber For

[00:04:52] Hire will be going on hiatus for the month of August so this will be our last episode for a

[00:04:58] little while but we will return with new shows and new guests of this fall all right so we've got

[00:05:05] a jam pack show for you as always but some news just can't wait which is why we want to begin

[00:05:09] by sharing what's top of mind today so here's your headline just days ago a trio of MSSP

[00:05:17] MSP and professional services firms announced the launch of the managed service providers for the

[00:05:24] protection of critical infrastructure a nonprofit organization whose objective in their words

[00:05:30] is to keep government bodies the defense industrial base and members of the critical infrastructure

[00:05:35] sector informed of how external MSSPs and MSPs can help keep their operations secure functional

[00:05:44] and resilient according to the organizations press release the alliance aims to define the

[00:05:50] requirements for external service providers handling or processing controlled unclassified

[00:05:55] information and it also intends to openly share best practices industry insights and collaboration

[00:06:02] opportunities Josh why is this top of mind for you well first off they're talking about CMMC

[00:06:09] they're talking about the cybersecurity maturity like the whole thing that the DOD wrote

[00:06:14] I actually helped write it worked with SCI and DOD as a member of the working groups argued a lot

[00:06:20] with DOD and SCI and it was a long and involved process it's it's it's a fascinating standard I

[00:06:28] actually like CMMC a lot but I like it because it's based on 800-53 and 800-171 respectively this

[00:06:35] this coalition this group it's either a nonprofit designed to help people or a nonprofit designed to

[00:06:41] profit off of them oh but it's a nonprofit that doesn't matter okay the members of a nonprofit can

[00:06:46] help because they can set the standard and they can be the only ones to meet the standard so

[00:06:51] and I'm not accusing them of that I'm just stating that as has has happened in the past Dave

[00:06:55] I'm sure you've seen similar things like that before yeah so we'll see look their actions are

[00:06:59] going to be louder than their words in the long run okay but let's be honest can they help smaller MSPs

[00:07:06] absolutely even if they're there for their own betterment can they help them yes absolutely

[00:07:11] because some of the things the open source things that they're going to have to share those best

[00:07:15] practices those tools those products those those ideas and processes they can help okay so I'm not

[00:07:21] like it's not overpowering like this is bad but I'm cautious I want to make sure that it's actually

[00:07:27] a nonprofit that's actually going to benefit the entire industry not just themselves

[00:07:33] yeah absolutely and just a quick shout out to the three founding members that were part of

[00:07:38] the press release that would be Summit 7 Neo Systems and Q-Zara if I got the pronunciation right

[00:07:44] on that last one apologies if I didn't all right well that's our top of mind headline for the

[00:07:50] day but now it's time to move on to our infosec topic of the week presenting our big idea

[00:07:57] in security supply chain security how moving accountability upstream helps and hurts MSSPs

[00:08:06] one of the most significant takeaways of the White House's recently unveiled national

[00:08:11] cybersecurity strategy is the assertion that software developers OEMs and technology service providers

[00:08:17] must bear the brunt of the responsibility rather than end users for keeping cyber environments secure

[00:08:24] with the looming prospect of further legislation and regulations that could impose greater

[00:08:28] liabilities on software products and services MSSPs and other cyber services providers must

[00:08:34] understand where they fit into the overall scheme of things are MSSPs an extension of the end

[00:08:39] user or are they one of the upstream providers who will be held accountable when cyber attacks occur

[00:08:45] in what ways will the burdens on MSSPs be reduced or shifted due to federal efforts around

[00:08:50] coordinated vulnerability disclosure SBOM use and other supply chain security strategies

[00:08:56] this segment will explore these key issues our guest for this segment is Dave Sobel now that's the

[00:09:02] Dave that Josh was just alluding to before during top of mind Dave is host of the business of

[00:09:09] tech podcast and YouTube show Dave is regarded as a leading expert in the delivery of technology

[00:09:14] services he owned and operated Evolve Technologies an IT solution provider and MSP for over a decade

[00:09:21] both acquiring organizations and eventually being acquired after his MSP experience he worked

[00:09:26] for multiple vendors at such companies as Level Platforms GFI LogicNow and SolarWinds

[00:09:32] leading community event marketing and product strategies as well as several M&A activities.

[00:09:37] Dave has also served on the executive council for managed services and emerging technologies

[00:09:42] the vendor advisory council as founding chair for the mobility community for CompTIA.

[00:09:47] Dave so very glad that you could be joining us today yep thanks for being here and as always

[00:09:53] we're going to jump right into things I alluded to that recently announced White House cyber

[00:09:59] security strategy plan from an MSSP perspective should we be optimistic are there some lingering

[00:10:08] concerns what are your initial reactions since that announcement came down well thanks for having

[00:10:14] me guys super excited to get in to get in all this so I'm one of those people who's who's

[00:10:19] excited for for more regulation and I sort of laugh because this isn't working on our own everybody

[00:10:27] like I just sort of start from that perspective and I'm ready to mix it up a little bit and say

[00:10:32] I'd like some adults in the room to start actually worrying about making sure that the

[00:10:37] financial incentives align better and what I mean by this is is that like look I this ultimately

[00:10:43] private markets are about financial incentives right and once I we get why criminals are there

[00:10:48] they get it we get it and but on the other side we have a you know we have defenders in many

[00:10:55] cases are making money off of defense and then in the way it's and since we have customers and

[00:11:01] generic technologists getting squeezed in the middle so I'm kind of okay with somebody getting

[00:11:08] involved with the rules of the road here of how this this market's going to work yeah but but

[00:11:13] Dave I mean we've got so many people getting involved did you see that yesterday was yesterday yeah

[00:11:19] today's Thursday right okay don't like it's one of those days for me sorry but yesterday the

[00:11:24] SEC had their open forum where you could comment on their new cybersecurity rules and regulations

[00:11:29] the White House turns them out on a regular basis now you've got the DOD doing it with CMMC

[00:11:35] like there's a lot of this going on there's so many rules and groups that are trying to put out

[00:11:40] regulatory frameworks rules etc is it overkill yeah sucks to be an adult doesn't

[00:11:46] yeah I mean look well and I say this because by the way there's a lot of rules in I don't know

[00:11:52] being a doctor there's a lot of rules in being a lawyer there's a lot of rules in being an accountant

[00:11:57] I was under the impression that technologists wanted to be respected at the table at the

[00:12:01] sea level and with that comes some rules like some behavior some professionalism some like

[00:12:09] stuff you got to do I would like to be an adult I want to be treated like one and by the way I

[00:12:14] want to make the money of that prestige and complexity is how is some of that and that's the

[00:12:20] cost of it but it's also the opportunity I like complicated spaces because you're going to make

[00:12:27] money there okay let's let's go to the next step how about licensure so I'm pro licensure

[00:12:33] I like really I I am 100% on board with it because I mean last I checked the guy that cuts my hair

[00:12:41] is more licensed than the people that manage data for multi-million dollar organizations

[00:12:47] billion billion let's be clear but I plan but I even play an SMB right so I play a lot of

[00:12:53] SMB in mid-market like any Joe Crab Shack can hang out his sign and customers can't tell the

[00:13:00] difference between anybody but I can definitely get a sense of I don't know just my daughter my

[00:13:07] doctor my lawyer the guy who works on my car the guy who cuts my hair the guy who sells me a car

[00:13:12] like it's called me a car there's guys sells me house all of those people have some but we're a

[00:13:17] special flower in technology absolutely not I'm 100% on board with that and again because adding

[00:13:25] this adds professionalism adds value to what I'm delivering and chitching makes me money

[00:13:35] alright well now Dave you said that you're all in favor of some more rules but the question

[00:13:40] becomes what rules are going to apply for MSSP or MSSP type businesses because that goes back to

[00:13:47] one of the initial questions I pose in my introduction which is you know where do

[00:13:53] managed security service providers fall in that supply chain between you know most upstream

[00:13:58] and most downstream are is there going to be more liability on them or they considered an

[00:14:03] extension of the end user are they considered more of a technology services provider

[00:14:11] that they could actually find themselves dealing with with more accountability I think the

[00:14:15] definition right now of where they fit in the supply chain is maybe a little murky so how do we

[00:14:19] assess that out I don't know bottom of the pile of s like I mean so let's look at this from an actual

[00:14:25] liability perspective you ask can it can are they going to take on more could they take on more

[00:14:31] they've got it all right now so you I think of it like the Star Wars trash compactor right on one side

[00:14:37] you have customers that have all the have all of the liability ultimately but are trying to

[00:14:43] transfer that to service providers because that literally is the definition of dividing services

[00:14:48] you are assuming some level of risk it could be it's non zero and you're going to determine that

[00:14:53] but on the other side of this you have all of the the vendor community and the rest of the

[00:14:58] supply chain upstream who absolutely take none of it right right now maybe you have you sign an

[00:15:03] end user license agreement recently it's so multi level of their ability to push back and push it

[00:15:11] all onto the provider but they're just being squeezed you know in that trash compactor at the

[00:15:18] service provider level so from my perspective if I'm putting on my service provider hat I'm saying

[00:15:23] well can I take more no I can't take anymore I would rather some of that get moved to the vendor

[00:15:29] as is appropriate for the things they do and by the way if we look at every other market you think

[00:15:35] about car manufacturing right faults in cars they have liability for if it's in during a process

[00:15:43] for that but in software so well you know whatever like that that isn't viable long term for the

[00:15:50] service providers being squeezed in the middle yeah and that's actually it's a really good point you've

[00:15:54] got you know with cloud we got the shared responsibility model I'm responsible for this you're

[00:15:58] responsible for that but with service providers adding another layer cloud service providers like

[00:16:03] ooh give it to them give it to them let them be responsible for everything and the customers like

[00:16:07] look I'm not a tech person I'm making widgets you're you're you're responsible for my tech

[00:16:11] and if anything goes wrong you're responsible for it as well but then there's the third problem

[00:16:15] which is out a lot of service providers MSPs and MSSPs do indemnification clauses which limit

[00:16:20] their liability to one month of service two months of service something like that realistically at

[00:16:25] the end of the day everybody's playing hot potato in the end is the potatoes out in the pond somewhere

[00:16:30] okay we're actually not leaving liability anywhere this is called I've been an expert witness in

[00:16:35] some of those cases and this is causing significant problems when it comes to medical information

[00:16:40] and I was involved in a case when medical information was lost and what do we do okay you know

[00:16:45] who's responsible for that for those HIPAA claims and for that liability and everything else

[00:16:50] it went to the state supreme court that's how bad it was okay so you're you're you're talking about

[00:16:56] and then with CMMC they actually list liability to the named subcontractors in the contract

[00:17:02] okay but what if I use another another layer of subcontractors they're not named in the contract

[00:17:06] can I put the liability on them and then they don't have to be CMMC certified it like like this

[00:17:11] gets complex and wait wait but there's more cyber insurance it goes up 300% year over year

[00:17:18] and it sucks and there's gonna start testing you to see whether you meet their standard it's

[00:17:22] not gonna be just a one-question questionnaire anymore it's gonna be an actual pen test

[00:17:27] or some semblance of a pen test to see if you meet it we're like like this is a very complex

[00:17:33] question and I apologize I didn't come on here to say I have an answer I'm just saying it's

[00:17:36] crazy complex Dave but you have an answer right please have an answer please please by the way

[00:17:42] by my answer is is like I like complicated problems because that's where there are services

[00:17:47] opportunities right so I have to have to balance that but I always put because I come at this as a

[00:17:51] general technologist you know I'm not I don't position as a security guy because I am a guy who is in the

[00:17:58] business of helping companies with their technology needs of which security is a component right

[00:18:05] of course of course that that is a component but by the way it's the bit I hate the the most like

[00:18:09] if I could because because what I want to do with my customers is I want to them to give me a dollar

[00:18:14] and I make a dollar 25 for them with technology that's what I want it that's by ultimate

[00:18:20] ideal use of technology is make their business better right that's the that's the point

[00:18:26] and that's the problem with the security better yeah cost line item to all of that it does

[00:18:30] not accelerate things it actually is it's at best maintaining and it worst in impediment

[00:18:37] to that ability to to generate the 25 cent profit now we can have a whole argument over that

[00:18:42] yes we can and by the way savvy smart but the customer doesn't care right the customer does

[00:18:50] just wants the buck 25 for the dollar of technology and I've got as and particularly the smaller

[00:18:57] the customer gets the much more difficult it is to have the right amount of money for all of this

[00:19:03] stuff and it gets squeezed really fast right so if you're just looking at it from a proportion

[00:19:08] perspective like it can become just untenable just to even do some of the basics when your budget

[00:19:15] isn't is just gets that much smaller and that's where I look at it and say like I want

[00:19:21] better rules of the road so that it is proportional you know in the right places you know we

[00:19:26] talk about it cloud provider like I want to work with good cloud providers because they have

[00:19:31] the big budget for all of the security components of that that the typical you know 100 person

[00:19:39] 50 person law firm doesn't have and by the way can't get because that's just not in their wheelhouse

[00:19:47] right and I want to make sure that not that the proportions are right yeah you've got a economy of

[00:19:52] scale with the big cloud providers and they've got they've got such it's not slop but it's

[00:19:56] it's a little bit extra here a little bit extra there a little bit extra there means that they can buy

[00:20:00] huge products and you know apply them to all of their customers they've got so much extra you know

[00:20:06] would account for oh that gets lost on the noise of that line item with that budget item

[00:20:10] for 100 person law firm is you know sorry for a 10,000 person cloud provider sort of repertoire

[00:20:19] stable is is the entire budget of 100 person law firm okay not just take care budget it's the entire

[00:20:25] budget so I get your point and it makes sense it's great to work with the big companies that can

[00:20:29] offer these things it reduces prices lost leaders things you can make a profit off of and providing

[00:20:34] credible value to your customers is what you're saying if I hear you correctly well I mean it's

[00:20:38] ultimately that I mean by the way that's the point right that if I if I'm if I may get you know

[00:20:43] not because I come at this from from the I am trying to provide good technology to small and

[00:20:49] mid-market companies and so I'm working within that bound and that's the bid and I know I'm like

[00:20:53] you know I'm not crazy I know I have to invest in security to be clear your crazy is totally

[00:21:00] separate from this issue also also fair but but what I'm getting at is is that my crazy does not say

[00:21:07] I'm not going to spend money there but that and that's my point right is is that I'm not

[00:21:12] I'm not one of those people that's saying like oh I'm not gonna spend any money on security it's the

[00:21:16] that's not the bid that is that is it makes my job of making the extra 25% return like it's

[00:21:24] nothing the bit that drives that necessarily and it's definitely not the easy bit to drive that

[00:21:30] bit it doesn't drive new membership doesn't drive new revenue it doesn't drive new you know e-comic

[00:21:35] acquisition like whatever that is and I get all you security guys that always oh maybe maybe maybe

[00:21:40] like no it's tougher it is it is but my my maybe maybe was not from that my I actually

[00:21:47] work pretty significantly with a lot of MSPs and MSSPs I'm I'm very active on the Reddit forums

[00:21:53] I'm very active in in a lot of other four channel features and everything else I remember back when

[00:21:58] it was MSP mentor okay remember that and I worked out I'm not on two get the grades

[00:22:04] I'm very active with a lot of them I find that they're they're really our canary in the coal mine

[00:22:08] for a lot of things going on okay and and I love them I love them dearly because they do so much good

[00:22:13] work so many of them are so dedicated to doing good work and I love it but you know a lot of them

[00:22:18] these days are using security as their sales advantage so they are seeing the benefit for

[00:22:23] themselves as well as for their customers so I'm gonna argue with you just to just a little bit

[00:22:28] in that security and compliance are really the new differentiators for MSPs and MSSPs at least

[00:22:33] that's what I see from talking to them about it okay okay okay and that's a different topic it's not

[00:22:38] really on topic you know you're not wrong but actually what I'll push back on and say is the top

[00:22:45] performers in the space are not leading with that they're actually having business value

[00:22:50] conversation about exactly what I talked about at the buck of spend buck 25 back

[00:22:56] that's the action like that's the top performers on that so it's because it's and that's where

[00:23:02] I because I'm looking for like one of the the maximum roads to drive that revenue through their

[00:23:08] profit and loss of this provider and it's by tying yourself back to customer revenue can I

[00:23:14] clarify something I heard you say top performer and I agree with you I just want to point out

[00:23:20] that that doesn't necessarily mean the biggest okay oh the 100% you want to some pateco there

[00:23:27] totally top performer I'm looking for profitability when I run business machine not biggest

[00:23:34] yeah and because a lot of people mistake that and conflate that I just I didn't say you did I just

[00:23:38] wanted to be very clear on that to people to our listeners it's a very fair clarification yeah

[00:23:42] because a lot of the biggest MSPs and MSSPs are are doing this on a formulaic basis they're

[00:23:48] they're they're turning and burning and that's fine that's their thing but realistically I have

[00:23:53] found and this is a personal anecdote please don't take it as gospel that the top performing

[00:23:58] MSPs and MSSPs are the ones that have a bit of formulaic a bit of customization and a lot of customer

[00:24:06] service so that they can understand your business and how they can make you more productive and better

[00:24:10] in the long run and that's again that's my anecdote that's my my experience Dave you may have

[00:24:15] different I I actually would agree because by the way that translates into the business value bed

[00:24:20] you're much more about working with customers the customization I mean it I always

[00:24:27] face it's old school consulting when you're good consultants in the and in the productivity layer

[00:24:33] right where you're actually working in their business process what is driving their end outcomes

[00:24:40] that's the best bits those are the best performing ones and by the way those oftentimes the

[00:24:44] bulk of the market may fall back on well will help you with secure because by the way everybody

[00:24:50] does need that again not not crazy I know that you need you know you you have to do the right

[00:24:56] level of bits I always they're the lock analogies always great right because everyone likes to talk

[00:25:01] about you got to sell locks you know the difference between physical in this space is I don't have

[00:25:07] criminals banging on my door every four milliseconds testing the the door it a completely

[00:25:13] automated process as opposed to the physical burglar who has to wander the neighborhood right

[00:25:18] so of course I'm not crazy put a lock on that door because the automated attack is so persistent

[00:25:24] yeah Dave you know we had a guest on our show just last week who specialized in

[00:25:32] managed cyber threat intelligence and one of the points that he made to us with is that

[00:25:37] he's spending an increased amount of time lately on threat intelligence around everything supply chain

[00:25:45] and it's become so much more importantly to get a sense and visibility of your clients

[00:25:51] expanded ecosystem more than ever before because there's so much third party risk

[00:25:56] that it's become a major challenge and a major priority to now understand better the threats

[00:26:01] surrounding not just directly your client but indirectly through all of these various third

[00:26:08] parties within the supply chain so I'm wondering you know if we would have closed our eyes right now

[00:26:14] and imagine a utopian cyber society where the government has stepped in now and through these

[00:26:24] increased efforts of introducing more accountability at the upstream in the supply chain

[00:26:30] let's say they're successful in some of those efforts where would you like to most see

[00:26:36] the burden relieved from MSSPs as it's currently situated today where do they need

[00:26:44] the most help where you would like to shift the responsibility what would we get the top of your list there

[00:26:49] You know, ultimately, and I'll try, again, not a security guy trying to use security

[00:26:54] parlance, which is dangerous, you know, but I would sort of say, like, you're looking for more

[00:26:59] root cause analysis, right? I want to actually get to preventing attacks and preventing the avenues

[00:27:06] much more than we do. I use a very simple example, right, we kind of all have agreed both spam and

[00:27:12] phishing are bad, right, that we're not in that business, but we're all running email on a 40-plus

[00:27:18] year old technology called SMTP. Last I checked, you know, we could just fix that, you know, if Microsoft

[00:27:25] and Google decided that they were going to get rid of it, we would solve the vast majority of

[00:27:32] that problem. Right, now we wipe out an entire space of mail protection security products, but we

[00:27:38] actually get to root cause analysis and solve the problem. But we get, heaven forbid, it's so hard

[00:27:44] to do, we can't possibly change the underlying technology, and I'll have to go, I don't know, last

[00:27:49] I checked we moved from SD to HD television because there was money to be made in it, we moved, you

[00:27:54] know, from AM to FM to internet radio because there's reasons for it, like we've moved from

[00:28:01] print to digital for mutton, like we could do this, we just aren't, and so there's a certain degree of,

[00:28:08] like, in your utopia I want to get more to a root cause analysis of, like, let's actually work

[00:28:17] to solve the problems versus keep slapping band-aids on this that get pushed down where, you know,

[00:28:25] we're just sort of continually addressing with more tools. That would be my version of this.

[00:28:31] I mean, I'm gonna push back a little bit, you know, yeah, but look, 3D television never took off

[00:28:36] because nobody bought the damn things, okay, and they didn't produce the content, and, you know,

[00:28:41] DNSSEC came out and it was a beautiful, beautiful solution for DNS, that's a mission, but, you know,

[00:28:46] Dan Kaminsky pushed pretty hard on that, even had a company, I forget the name,

[00:28:52] I think I still have the lighter he gave out, where he pre-built DNS servers and just grab them

[00:28:58] and go, and nobody really picked it up significantly. There's some pick-up of it but, significantly,

[00:29:03] because nobody picked it up, nobody else picked it up. There has to be, you have to build up

[00:29:07] enough critical mass of people doing something, and so you're right, if Google and Microsoft decided hey, we're

[00:29:12] not gonna use SMTP anymore, we're gonna build a whole new mail subsystem and it's gonna be all brand new

[00:29:17] and it's all perfect and it's encrypted from end to end and nobody can touch it, nobody can break it,

[00:29:22] and then you'll have Google and Microsoft doing it, and they are enough of a tipping point to do it on

[00:29:27] their own. Do we want that? That's another question, because that's just, what, a bloody monopoly.

[00:29:33] It's been a full-time emoji right now, I will pay for that right now. Yeah, but it's not realistic,

[00:29:41] do we want antitrust involved there? Or offer me the option, right, like that's about, like,

[00:29:47] like, and so, but my point is, like, offer me the option, right, you wanted to

[00:29:53] go to market, yeah, I'll give all those providers $10 a month for a second version of email

[00:29:58] that tells me these are actually all authenticated. Because, I mean, a lot of MSPs and MSSPs, especially

[00:30:03] MSPs, are getting really pissed off because Microsoft is taking away a lot of their dollars, M365 has

[00:30:08] been their mainstay for how many years now, and the like, and so we're a whole other topic on

[00:30:13] margins and how you actually build businesses on top of that. Yes, for every one of that

[00:30:18] whining I can show you providers that are killing it, okay, doing technology

[00:30:24] implementations, assessments, working in the productivity layer and killing it on top of that.

[00:30:28] Dave, what about letting me on your show, because I want to have the discussion with you, okay?

[00:30:33] I cast two. All right, so fair enough, that's where we'll continue this conversation, Josh will meet

[00:30:39] on your show and you continue this fine debate, but for now we're just about out of time for

[00:30:47] this segment, but we've left just enough time to do one of our favorite recurring bits on the show,

[00:30:54] which we call We Speak Geek. So this is a show-and-tell game where we embrace the geek culture that

[00:31:01] people typically associate with the cyber nerd community, because, you know, at the end of the day

[00:31:07] everybody's a little geeky about something, and so, Dave, I ask you, how do you speak geek?

[00:31:15] I am a huge retro video game nerd in terms of collecting and keeping operating some of these old

[00:31:24] systems. In fact you can see a little bit of it in my set just here, I've got an old Apple

[00:31:29] IIGS, my original childhood Commodore 64 monitor, I had to replace the breadbox but that's my original,

[00:31:36] I got a Virtual Boy, I got a Power Glove, and the one I got to rotate for, the old-school

[00:31:42] Coleco Telstar Arcade, it is a triangular unit with a set of controllers, a racing car control and a

[00:31:53] gun all in a triangular bit with removable cartridges, dates to the late 70s. I've got a pile of this

[00:32:01] stuff and my wife requires me to keep it all at my office, so it does not take over the house,

[00:32:07] but as I am, I am way into keeping those systems running, even to the point of, like, we at least

[00:32:14] periodically I get my friends together who bring their kids over and we show off all of these old

[00:32:20] gaming systems that we grew up with just so they get a taste of what an old-school Nintendo was like,

[00:32:26] what the original Xbox was like, that kind of stuff. Yeah, you know, it's funny because I just played

[00:32:32] for the first time in I don't know how many decades Duck Hunt using the old Nintendo,

[00:32:40] I don't know what they called it, it was just like the gun, the light. Yeah, yes, I've got a, yeah,

[00:32:45] I've got a working Zapper and an old-school professional CRT to keep it all alive right here.

[00:32:53] Yeah, the really obscure one that I have like a vague memory of, because you mentioned the Power Glove

[00:32:57] too, which I feel like that was like one of those that like didn't really take off, like it didn't really

[00:33:02] end up, because it didn't work well. Yeah. But I also remember there used to be this one, I don't know

[00:33:07] if you know what I'm talking about, where there was almost like a robot accessory and it would spin

[00:33:12] these gyroscopes, and then we sure didn't get it. Okay, you know what I'm talking about? I do own the

[00:33:18] Power Pad, which was like a pad that you roll out on the floor and it had, it was a 4 by 4 set of

[00:33:26] squares, kind of like Twister, and you could run it into different daily occasions and stuff like that. Never

[00:33:31] invested in a R.O.B. just because, there again, there's only like two games that work with it, right?

[00:33:37] Have I did a couple of times, I mean that would be a real, like, blast from the past, that's

[00:33:44] all right. Favorite old nostalgic everyday game of all time, hard to pick one, but what would it be? You know,

[00:33:50] I'm gonna go a little deep cut to see if listeners know it, I am a ridiculous fan of Blazing

[00:33:57] Lazers on the TurboGrafx-16, right, I'm going deep, and if anybody knows it, it is a

[00:34:04] great, that must be 30 years old, is what, that played 30 years ago? Like, oh, easily, yeah.

[00:34:11] Yeah, that's an old, it's old school because it's a TurboGrafx, it's not just the same time,

[00:34:16] is it a scroller, top-down scroller? It's a vertical shooter, a shmup, yeah, as they call it, so

[00:34:21] it, and it's just got this catchy, you know, great music to it, like it's just easy for me to pick

[00:34:28] up when I just want, like, a quick experience, like that's sort of my obscure go-to. I own an original

[00:34:36] TurboGrafx and the card so that when I emulate it I feel very validated that I'm not pirating anything.

[00:34:44] Well, tell you what, here's the deal then, Josh can come on your show, all I want to do is I just

[00:34:49] want to come over to your house one day and just go play video games and I'll be happy.

[00:34:55] It is good fun. All right, well that's gonna do it for the first half of the show, but thanks once again,

[00:35:01] Dave, for being here, really appreciated a fun conversation with the video games and a super informative

[00:35:07] and helpful conversation with the supply chain security discussion, so doubly glad you could be here.

[00:35:14] As I said, that's gonna wrap up the first half of our show, but please everybody return for the

[00:35:18] second half of our episode featuring our Big Idea in Business, Sign Language: How to Write Effective

[00:35:24] Security Services Contracts, that and more coming right up, so we will see you in a moment on the other side.

[00:35:37] All right, welcome back to Cyber for Hire, the managed security podcast. Once again I'm Bradley Barth with

[00:35:42] SC Media. In the first half of our show we talked with Dave Sobel about supply chain security

[00:35:48] from an MSSP perspective, but right now I'd like to welcome back my co-host for the day, Josh

[00:35:54] Marpet, because it's time for us to examine our MSSP industry strategy topic of the week, presenting our Big Idea

[00:36:03] in Business, Sign Language: How to Write Effective Security Services Contracts. There's a lot that

[00:36:10] goes into the creation of managed services contracts before the client ever puts their John Hancock on

[00:36:16] the dotted line. As an MSSP you want to make sure that expectations for both sides of the relationship

[00:36:23] are spelled out clearly and cogently. The language within must address key terms and stipulations

[00:36:29] related to payments, roles and responsibilities, scope and scale of services, liability and plenty more.

[00:36:35] In this segment we'll discuss some of the most important clauses to include in your MSSP contracts

[00:36:41] and how to avoid unfortunate omissions or vagueness that can result in confusion or disputes

[00:36:46] down the line. Josh, glad you're back for the second half, and as always we're going to jump right into

[00:36:51] things, so I think a good place to start is contracts. From an MSSP perspective, working with a

[00:36:58] bunch of different clients, is the best approach to try to go as boilerplate as possible and keep it

[00:37:05] as consistent and really stick to your terms as much as possible, or is the reality that you're

[00:37:11] going to have to make these pretty customizable? The idea is to make them modular, so the boilerplate

[00:37:17] has to be there, you've got to have terms and conditions, you've got to have payment terms, you've

[00:37:21] got to have all the different things that are sort of housekeeping or administrative of a contract,

[00:37:25] but when it comes to the services and the acceptance criteria of those services we should be modular.

[00:37:30] You're going to have a client that wants, you know, two from Column A and three from Column B,

[00:37:35] you're going to have a client that wants all of Column A and nothing from Column B, and that's fine,

[00:37:38] okay, but each of those services, each of those products, each of those things has terms and

[00:37:43] conditions that go along with it and expectations that go along with it and acceptances that go along

[00:37:48] with it. If I'm buying your hardware, well, I tell you right up front I'm putting a 10% margin on it,

[00:37:53] okay, because that's my time or my money to set it up for you, to get it prepped for you, to

[00:37:57] RMA it if there's a problem, for you, whatever, and if you want to get it for yourself that's fine,

[00:38:02] go ahead and get it for yourself, I'll tell you where to go, I'll tell you what to get, but then if

[00:38:05] there's an RMA problem you're dealing with it, okay, and if you want me to deal with it that's fine,

[00:38:09] it's on an hourly basis and here's my hourly rate. Oh, I don't want to pay an hourly rate? Well

[00:38:14] then give me my 10% markup and guess what, it's included in everything you do. And that's just

[00:38:18] for hardware, then for every single service that you offer there are expectations and

[00:38:23] acceptances that are implicit in all of those things, so you write on each of those pieces and

[00:38:29] they can say take this out, take this out, take this out, each module, but they can't take out a piece of

[00:38:33] a module, okay. They have to be able to say I don't want this, that's fine, then you take on the

[00:38:39] responsibilities and the consequences that are implicit in them. Does that make sense? That makes

[00:38:44] perfect sense, yes, so boilerplate but modular sounds like the approach to go, makes a lot of sense.

[00:38:49] Now, what in your mind is the biggest mistake or omission that MSSPs are guilty of sometimes

[00:39:00] when presenting a contract to a client? They are guilty of not providing proper expectation setting,

[00:39:08] they are guilty of saying we're going to do everything you need, it'll be perfect and wonderful

[00:39:13] and roses and flowers and daisies, and yeah, no, okay, there's always problems, there's always

[00:39:18] going to be a Log4j, there's always going to be a Heartbleed, there's always going to be somebody

[00:39:22] that smacks somebody for a phishing click or whatever, it happens, okay, so you have to

[00:39:28] set up the expectations for when things go well, when things go not so well, and when things go

[00:39:32] disastrously wrong. If you surprise a client, that's a bad thing, so whatever happens

[00:39:40] should be part of a process, and by the way, that includes offboarding the client. If the

[00:39:44] client says we're going to leave, well, here's the process for that, and that was in your contract

[00:39:49] from day one. Yeah, kind of a cousin to the last question I asked, are there certain areas

[00:39:56] in a contract where sometimes you have to watch out for fuzzy contractual language that ends up

[00:40:03] resulting later on in confusion or uncertainty? You know, we actually mentioned it in the last segment,

[00:40:10] but indemnification is always interesting, because who is responsible, who has the liability?

[00:40:15] I provide services to a medical community or medical corporation, am I liable if their medical

[00:40:21] images get deleted? Well, who owns the medical images, where are they stored, who owns that storage

[00:40:27] media, is it a Drobo in the office, is it a cloud storage provider, using Dropbox or an S3 bucket,

[00:40:34] what if that S3 bucket isn't encrypted? There's so many questions there that you have to

[00:40:39] have, again, it's, I know I'm harping on it and saying the same thing over again, but it's a process,

[00:40:45] everything is a process, and everything, the responsibility, the shared responsibility model

[00:40:50] has to be understood for everything you do. Yeah, for sure. We've talked about some

[00:40:57] omissions or unclear passages, let's kind of look at it from the flip side point of view, what in

[00:41:03] your mind are some of the most important elements that have to be included and touched on in a

[00:41:12] contract, what's right at the top of your list in terms of, you know, make sure this is a must

[00:41:17] have in your contract, to make sure that you include in there, what would go on that list?

[00:41:22] From the client side, from the client side I'd want to know what's going to make my price change,

[00:41:27] what am I responsible for, what are you responsible for, service provider, if we decide to change,

[00:41:35] what's my notice period, if we decide to change, what do you own and what do I not own? I know

[00:41:41] clients whose domains were owned by their service provider, and that gets awkward really fast.

[00:41:49] If I get three more people, is my monthly price going to change, by how much,

[00:41:56] if I get a hundred more people, can you scale fast enough to help me, okay, how fast is my

[00:42:03] service level agreement, how fast is my response period, and what does response mean? I knew one company,

[00:42:09] this was hilarious, they had a major incident, it was a Sev 1, like things were down, things were

[00:42:15] broken, things weren't working, they were sort of flapping in the wind, if you know what I mean,

[00:42:19] and they called up their service provider, service provider says okay, a ticket's been assigned, here

[00:42:25] you go, and like great, that's fantastic, what's the next step? Oh, in the morning when people get in we'll

[00:42:30] work on it. Well, our service level agreement says four hours. Yeah, your service level agreement says four

[00:42:35] hours to a response, resolution isn't defined. Yeah, the header was found, stay the ticket, yeah.

[00:42:43] You talked about from a client point of view, from a provider point of view I would think one of the

[00:42:48] most important high priority things that you would want to have specifically spelled out in the contract

[00:42:54] is scope of work, I mean that's especially true for situations like, if you have, let's say, you know,

[00:42:59] offensive security pen testers, and making sure that you're not, you know, testing something that

[00:43:06] the client actually would say, I don't know, that's out of bounds, you

[00:43:09] weren't supposed to mess with that, or if it's incident response, you know, what

[00:43:14] actions are we allowed to take, or, you know, where ultimately do we have to, you know,

[00:43:20] make sure to escalate to you before we take any action. Scope of work, I imagine, has to be really crucial.

[00:43:25] Well, it's hilariously funny sometimes, I mean a friend of mine, Jayson Street, you know,

[00:43:32] has a famous story about oops, I pen tested the wrong bank, you know, but it's really

[00:43:41] the scope of work, like what am I doing, who am I doing it for, who's the owner of this business,

[00:43:47] who am I responsible to, what am I getting paid to do, what am I not getting paid to do, what is my

[00:43:53] service level agreement, so what time frame am I responsible for, and where, so you've got

[00:43:59] things like, and I know I harp on this, but the shared responsibility model, RACI charts, these all

[00:44:05] can literally be part of the contract. You can have a shared responsibility model and RACI charts

[00:44:10] in the contract, and I've seen that done, it's not a stupid thing, because if this happens, who do I

[00:44:15] inform, who do I check with to see what the next step is, who's responsible, who's accountable,

[00:44:20] oh my god, you got a RACI chart, put that in the contract, why not, okay. These people just put words

[00:44:26] in there, you don't have to, you could put RACI charts, you could put diagrams

[00:44:29] of shared responsibility models, data flow diagrams, because remember, I am responsible for you as you are

[00:44:35] now, I'm pricing it for now, if you change how you do business significantly we may need to reprice,

[00:44:41] but if you can't show me that you had it this way, oh look, now you have it this way, I can't say well,

[00:44:47] it's time to reprice, we've got to talk, guys. So if you look, provider point of view, be as detailed and

[00:44:52] illustrative, illustrative, I think that's the right word, as possible is absolutely a great idea.

[00:44:58] Yeah, and you know, what happens when you are in the contract negotiation phase and you

[00:45:06] are getting a bunch of pushback from a prospective client where they do have, they are

[00:45:13] disputing certain terms and trying to make things more favorable for them, do

[00:45:18] you in certain circumstances give them some leeway there, you know, how do you manage a

[00:45:26] potentially prickly situation like that? You know, I think there's a few ways to do it. If they're

[00:45:32] going look, we want you to be responsible for X, we don't want to be responsible for that, that's fine, raise the

[00:45:36] price, you know, price the risk, price the responsibility, okay, that's fine, that's a legitimate discussion.

[00:45:43] If they're, I read a recent discussion where an MSP was being asked to provide equipment on credit,

[00:45:48] they'd never had any relationship with this company before, they'd never had anything to do with them,

[00:45:52] they didn't know them at all, they just literally got called out of the blue and said hey, we need

[00:45:55] you to buy us 100 computers, we're gonna put it on, you know, 90-day terms, and no big deal, right,

[00:46:00] you're like whoa, wait a minute here, that has red flags screaming all over the place, okay, so it depends,

[00:46:08] some things it's gonna be like nope, I'm done, bye, and fire them as a client, you can't deal with

[00:46:12] that, that's a risk you can't afford to take, you know, 100 $2,000 laptops, you're out $200,000

[00:46:18] if they walk away or ghost you or it's a scam. But in a situation where they're going no, you're

[00:46:24] responsible for all of our liability, well, okay, but you're gonna pay for that risk, you're gonna pay

[00:46:30] for that liability, I will not take on unremunerated liability, or if they are not willing to do that,

[00:46:36] bye bye, I'm not willing to take on or put my insurance, there are a few million dollars with

[00:46:41] the liability, because you want to have a crankfest, you know, sorry, doesn't work that way. Yeah,

[00:46:46] what about a scenario where, we talked about at times certain language maybe being a little

[00:46:54] fuzzy or maybe there being an important omission, what happens when you do get into that

[00:47:00] gray area where something did happen, some kind of incident or unforeseen event that really wasn't

[00:47:08] spelled out particularly well or even at all in the contract, and now it becomes a matter of

[00:47:13] interpreting, you know, who's accountable, who's liable, who's responsible, you know, who does what

[00:47:20] there amongst the shared responsibilities, how do you manage a situation like that so that hopefully

[00:47:26] it doesn't become, you know, some kind of a protracted legal issue? Well, okay, so this is a multi-faceted

[00:47:32] answer. Answer one is you look at it and you evaluate, if this is gonna, if I screwed up

[00:47:38] and it's gonna cost me 50 bucks worth of time, just deal with it, okay, not worth your time, but

[00:47:43] the next time the contract re-ups there's gonna be a contract codicil

[00:47:47] that's gonna clear up that exact issue. Anytime there's a fuzziness, anytime there's a confusion,

[00:47:53] the next time the contract re-ups there is an addition to the contract, and all contracts,

[00:47:57] every contract with every client, that very clearly states how that works. I make a joke, and

[00:48:04] it's not a joke, when I started in this business my SOWs, my statements of work,

[00:48:07] were like a paragraph long, they're now anywhere from two to five pages long, because every time

[00:48:12] I get screwed I add a paragraph, okay, and they get longer and longer as time goes on. So if

[00:48:19] it's not worth, if the juice isn't worth the squeeze, if you look at it and you're like wait, I can

[00:48:23] see how they're saying that but it's not what I meant, that's not what they meant, we discussed this, I

[00:48:27] have notes on that, mm-hmm, the people who interpret things like that are known as lawyers, okay,

[00:48:33] yeah, so you get into a legal battle, fine, you get into a legal battle, it happens, it's gonna

[00:48:37] happen in the long run. If you haven't been sued you haven't been in this business for long,

[00:48:42] okay, yeah, it happens to everybody, I can tell you I've been sued two or three times

[00:48:48] at least, and I'm one of the easiest going guys around there is, but I've been sued, it happens,

[00:48:54] life goes on, you deal with it, okay, that's why we have insurance. So as an MSP or an MSSP

[00:49:01] or even an individual practitioner you have general liability insurance, you have probably

[00:49:07] umbrella if you have a brick-and-mortar shop or an office, even if it's a home office, you have

[00:49:12] errors and omissions insurance, hell, if you're an MSP you may even have directors and officers

[00:49:16] insurance, okay, hint hint, you should have these things. Yeah, absolutely. Well, before we

[00:49:24] wrap up and move on to our next segment, just any final key takeaways, just sum up your overall

[00:49:33] take or perspective on this contract issue for our listeners today, what's maybe just the most

[00:49:41] important best practice in terms of contract writing for managed security services

[00:49:47] that they could maybe take away from this conversation today? The best example I ever got of a

[00:49:52] contract and how, when you've done it correctly, is that whenever everybody walks away slightly grumbly

[00:49:57] it's a perfect contract, okay. Contracts are there for understanding, they're not there for punitiveness,

[00:50:02] they're not there for nastiness, they're not there to dig the other guy, they're there so we can be

[00:50:07] very clear on what's yours and what's mine and how we handle all of those things. That's simple.

[00:50:13] That's simple. All right, well, very good, very helpful, Josh, really appreciate the insights and

[00:50:19] perspective there. That's gonna do it for our Big Idea in Business. Next up is a segment that we

[00:50:25] like to call Dear Cyber for Hire. Now this is an advice column segment where we get to play

[00:50:30] marriage counselor between MSSPs and their clients to help mend fences when the relationship goes

[00:50:38] The following letter's been dramatized and anonymized to protect the innocent, but the conflict

[00:50:43] represented here is a very real problem that companies face, and so, Josh, it's time to immerse ourselves

[00:50:51] now in some juicy MSSP melodrama, and this complaint comes from the provider side of the relationship,

[00:50:58] so fellas, cue the music. Dear Cyber for Hire, what started as a promising beginning to a blissful,

[00:51:08] productive relationship has quickly fallen into dysfunction, and it has nothing to do with my brand

[00:51:15] new partner, we're still smitten there. The problem is their ex, their former flame is the ex from hell

[00:51:23] and they're trying to do anything in their power to sabotage us. Of course in this case I'm talking

[00:51:29] about my client's former MSSP who got unceremoniously dumped once my managed services firm entered

[00:51:38] the picture. Clearly they haven't taken the rejection too well, they refused to hand over the

[00:51:43] client's passwords or any other data, information or reports that would be helpful to smooth over

[00:51:49] the transition. Shouldn't the client's well-being and security posture trump the pettiness of

[00:51:55] a terminated relationship? Please let me know if there's anything I can do to make this situation

[00:52:01] less awkward. Sincerely, Vexed and Hexed by Ex in Texas. Josh, it's nice to see for once that the

[00:52:11] client isn't the problem from the point of view of the provider, but this is still a problem

[00:52:17] nonetheless, so what can the MSSP, if anything, do in this situation? And I mentioned offboarding earlier,

[00:52:24] and it's a big problem, we've seen this all the time, we see an MSP or an MSSP say well, the domain is mine,

[00:52:31] the O365 account is in my master account, I'm not turning it over to you, I don't know why

[00:52:39] they dumped us but we're not going to be nice to you at all, okay, and it's horrible, like it's a

[00:52:46] horrible, horrible, horrible thing, because the idea is we should be professionals. If they didn't

[00:52:51] get value out of us, that's fine, then they're not going to want to pay us, and people that don't

[00:52:55] want to pay us I don't want to do business with anyway, okay, so if they didn't get value out of us,

[00:53:00] move on, hey, next provider, here's everything you need, here's all of our notes, here's, I don't even

[00:53:05] care, dump all the tickets, give them all the time, I don't care, it's fine, because is it going

[00:53:08] to give me any value? No. And honestly at the end of the day if I take the time to be petty, do you know

[00:53:14] what I'm not doing? Selling to new clients, servicing my existing clients, so why

[00:53:21] be petty for petty's sake, oh what a stupid idea, okay. But if you're the MSSP or the MSP

[00:53:28] that's taking over and you have to deal with one of these petty idiots, and yeah, I'm sorry, I'm

[00:53:31] going to call them that, they're petty idiots, it's not worth the damn time to do this stuff, but if you have

[00:53:35] to deal with one of these petty idiots, just escalate, all right. If it's an M365 account or an O365

[00:53:41] account that's in somebody else's master account, call up Pax8, call up Microsoft, get it transferred

[00:53:45] right away. If you can't get into the firewall, fine, what rules did you have in the firewall? We don't

[00:53:52] know. Okay, what do you do? Build a new rule set, reset that firewall, just don't waste time, treat them as a

[00:53:58] totally destroyed and damaged client, rebuild them from scratch if you need to, okay, but get it up

[00:54:04] and running. Most of the clients that aren't sophisticated enough to build into their

[00:54:09] contract that they own their own stuff, they own their own data, they own their own whatever, they're

[00:54:13] going to be tiny anyway, they're not going to have like 14,000 firewall rules, they're not going to have

[00:54:17] a domain controller with 20,000 groups in it, it's going to be, you know, hey look, there's Jimmy

[00:54:21] in accounting, there's Sally over there in sales, and there's, you know, John over here in marketing, that's

[00:54:27] our groups, big deal, I can build that in ten minutes in Active Directory. Just charge them an onboarding

[00:54:33] fee, do a decent onboarding, show them how professional you are by onboarding them properly, quickly,

[00:54:40] efficiently and nicely, and honestly you want to do almost all that anyway, because you want to make sure

[00:54:44] that they don't leave any bombs behind, logic bombs, time bombs, stupid bombs, whatever, okay, build it right,

[00:54:51] do it from scratch, do the right thing. The only real concern is their data, now if it's

[00:54:56] their data and it's probably in OneDrive, SharePoint or 365 or Dropbox, call them up,

[00:55:01] call Dropbox up, call Microsoft up, call those companies up, prove to them that you are what

[00:55:07] you say you are, doing what you say you're doing, and then have them transport the data back. That's

[00:55:12] the one big concern. All right, yeah, no, absolutely, and in many ways, as you just said, the

[00:55:18] former provider is almost justifying the decision that the client let them go in the first place

[00:55:24] and by you staying professional as the new provider you're you're also justifying their decision

[00:55:30] to move on and you put yourself in a much better light so that that definitely sounds like

[00:55:36] very sound advice their Josh so appreciate the the thoughts on that another relationship save

[00:55:44] congratulations hopefully our listeners have learned from this and don't make the same mistake

[00:55:49] and remember if you've been struggling with your managed security services relationship whether

[00:55:53] you're the user or the provider we want to hear from you so please write to us it's cyber for

[00:55:58] hire at cyberriscaliance.com and we might use your letter in a future episode all right well it's

[00:56:05] all that's time to wrap things up but before we go we want to get a little random as we share with

[00:56:11] you all drum roll please our irrelevant news of the week now this is a real news pitch that I've

[00:56:18] received in my inbox for reasons that are really entirely inexplicable for me so Josh are you ready

[00:56:24] to get random it'll be painless I promise so as we know basically starting just about a week ago

[00:56:38] from when we're recording this the phenomenon known as Barbenheimer basically caused a big

[00:56:46] craze throughout the the movie going world everybody's going to see Barbie and Oppenheimer in

[00:56:53] fact I tried to and got very much sold out so I'm still trying to get in to see those films but

[00:57:02] I've been getting some pitches actually around Barbie for example I got a pitch saying that

[00:57:10] visaros swimwear again I'm gonna assume I got that pronunciation correct will unveil Barbie themed

[00:57:15] looks as its models slay the runway at the most anticipated swimwear event of the year New

[00:57:21] York Swim Week 2023 you know very exciting but not really particularly in the domain of

[00:57:29] cybersecurity there Josh but what I did decide to do was I decided to go to one of the generative

[00:57:37] AI engines and ask them what a hacker a computer hacker Barbie doll might look like

[00:57:47] and I had them generate that that image for us using the the NightCafe generative AI engine

[00:57:55] and I'm gonna want to show you now and for our audience who might be listening you can go to

[00:58:03] our website and check this out too for an image but this is what I sent you an image of Josh this

[00:58:09] is what a computer hacker Barbie looks like totally wrong there's no hoodie there's no ski mask

[00:58:17] there's no gloves that's what I was waiting for I was waiting for like to even looking Barbie

[00:58:22] in the very stereotypical hoodie you know coding something and I just broke it yeah nothing like that

[00:58:30] but in a way when I I was disappointed at first when I saw that it was a very ordinary image of

[00:58:35] Barbie sitting at the computer and then I was like well maybe in a way this is apt because really

[00:58:40] right like we always talk about how the the hacker in the hoodie is such the the stereotype and not

[00:58:46] really reflective of what the the good and the malicious hacker community look like you have a lot

[00:58:52] of hoodies I don't know I like that you do have a lot of hoodies okay well I'm just saying not everybody

[00:58:56] is the is the Bill Belichick of of of hoodie wearers in the in the hacking world some people

[00:59:04] do wear other things so in a way I was like you know what maybe this is actually more accurate

[00:59:08] this way it's Barbie portrayed as just an average ordinary looking person on a computer because

[00:59:14] you really never know actually I'll be honest it looks like corporate Barbie that's what I thought

[00:59:18] it was like corporate fair enough it does kind of look a little bit and I try to because like before

[00:59:23] I went with this I did try a couple of other iterations too like I did try like a one point that I

[00:59:28] went like something like evil computer hacker Barbie you know I was I was trying things to see if

[00:59:34] I could get something you know a little bit more suspicious looking and nefarious looking and

[00:59:39] it just it just wasn't coming up so I was like all right so so be it this is what we ended up with so

[00:59:45] it's it's a cute picture it really looks like corporate Barbie not not hacker Barbie but I mean

[00:59:50] realistically even even the hacker cultures have been infected by the tropes that that are around

[00:59:57] the word hacker you know like I said the ski mask the hoodie that whatever yeah

[01:00:00] Pros V Joes which is one of my favorite cyber ranges and CTFs they're their image their

[01:00:06] their logo is is just a hoodie with an empty empty face you know and and like that's that's their

[01:00:11] logo because hackers wear hoodies right I mean they're just comfortable but that's that's the trope

[01:00:19] so we've been infected by the same tropes that the general public has so I honestly

[01:00:24] agree with you I'm kind of surprised she's not wearing a hoodie yep absolutely yeah I

[01:00:27] final thought on that too is I also tried CISO Barbie and it was just you know basically her in a very

[01:00:34] professional looking get up so again there was really nothing about it that screamed CISO

[01:00:40] versus CEO or CFO or anything else so I don't know that maybe maybe just we aren't quite

[01:00:46] there yet with generative AI as much as we thought actually Josh it just it didn't seem to be

[01:00:51] doing the trick for us today but anyway just thought there was a fun little exercise

[01:00:57] to do for our our last episode of the summer until we come back so with that we're out of time

[01:01:04] as a reminder we are going on hiatus like I just said in August but fret not we will be back again

[01:01:10] later this year with episode 30 I would like to thank Josh Marpet one sorry Josh Marpet

[01:01:16] one last time for joining us today filling in as host meanwhile feel free to check out

[01:01:21] even more cybersecurity podcast content on the SC Media MSSP Alert and ChannelE2E websites

[01:01:28] until next time I'm Bradley Barth please reach out to us via our show page with your comments questions

[01:01:34] and insights about the business of cybersecurity we'll keep the conversation going on the next

[01:01:39] episode of Cyber for Hire your insight source for cyber outsourcing podcast