Whether you are aligning your cybersecurity program to the CIS Top 18, the Cybersecurity Trustmark, or any of the many other frameworks, you are bound to get stuck in the attempt to achieve perfection. I sit down with Charles Love of Showtech Solutions to tackle the challenge of making progress in the face of paralysis. Stay to the end to get the Ten Commandments of Framework Implementation.
[00:00:01] Welcome everybody to another episode of MSP 1337. For those of you that were with us last week, you may have heard my voice pitch shift. Maybe I sound a little bit like Mickey Mouse. To be fair, I was in Orlando. It was IT Nation. So Disney and my voice probably go hand in hand.
[00:00:19] And this week is kind of on the tail end of IT Nation wrapping up and some conversations that were had at IT Nation. And then this morning on an MSP Ignite Secure Outcomes Integrator call.
[00:00:33] Well, we, I, it's not an epiphany, but it was a, this probably needs to have some attention attached to it. And I've asked Charles Love, who is part of that integrator group, to help navigate what we're calling control paralysis.
[00:00:49] When an MSP tells me that they've been working on, you know, software inventory and they're hoping to get it done in the next few months, red flags go up. When someone says they're working on vendor management and they're going to need another two to three weeks to finish it up.
[00:01:04] I've come to this one conclusion and Charles can help me here.
[00:01:10] What is the enemy of good?
[00:01:13] Do nothing or, or the enemy of good, I think is perfection, right?
[00:01:17] Like I think if you strive for perfection and you can't stop until you have this epitome of perfect, well, then you just keep going.
[00:01:26] So Charles, welcome to the show. I appreciate you being on as always.
[00:01:31] Let's kick it off with the analogy that you gave that maybe will help our audience take a different look.
[00:01:39] Whether they're going through the Trustmark or they're just going through CIS or fill in the blank framework.
[00:01:45] The way you described it, I think makes it a whole lot easier to, to navigate.
[00:01:50] Yeah. So let's kind of, kind of recap that little conversation. I'm happy to be here as always, by the way.
[00:01:56] Thank you.
[00:01:57] Thank you.
[00:01:57] So when we're in peer group, you know, we talk to people who say, oh my God, I'm stuck on this one thing and I've been on this one thing for six months or six weeks or six days.
[00:02:07] Sure.
[00:02:07] It doesn't really matter.
[00:02:08] And I'm like, well, damn, I spent like a couple hours on that one. Why are you stuck on that for so long?
[00:02:15] And it comes, you're really deep into it and you deep, sorry, you, you dig deep into it and find out they're going through analysis paralysis.
[00:02:25] Right.
[00:02:26] That's a word that you and I used at Untangled like a, like a lot.
[00:02:30] Yeah.
[00:02:31] Um, where you want it to be perfect before you launch it.
[00:02:36] Right.
[00:02:37] Right.
[00:02:37] Where, you know, you know, name your auto manufacturer, whatever, when they make a car, it's darn good.
[00:02:44] It ain't perfect.
[00:02:45] And they ship it.
[00:02:47] Yeah.
[00:02:48] Right.
[00:02:49] Windows, Windows get shipped.
[00:02:51] iPhone, iOS, the newest one gets shipped.
[00:02:53] And then what do they do?
[00:02:55] They fix it.
[00:02:56] They, they little increment fixes to address little increment things.
[00:03:00] If Apple wanted to make an iPhone that was perfect, damn thing would never be launched.
[00:03:06] Right.
[00:03:07] We, we wouldn't be launching rockets and catching them midair.
[00:03:13] Right.
[00:03:13] Right.
[00:03:13] We're going to, we're going to blow up a few rockets along the way.
[00:03:16] Looking down on the launch pad as the rocket is rising.
[00:03:20] Yeah.
[00:03:20] Yeah.
[00:03:21] So, so one of the things that we run into a lot of peer group with a lot of these, I don't care if you're doing Trustmark or CIS or whatever, is everyone wants everything.
[00:03:29] Yeah.
[00:03:38] Yeah.
[00:03:39] Yeah.
[00:03:46] Yeah.
[00:03:58] So there's a hundred and something odd controls you got to work through.
[00:03:59] Oh, is this the right font?
[00:04:01] I haven't put my letterhead in here.
[00:04:03] And it's like, oh, awesome.
[00:04:04] It also doesn't support anything that you're doing.
[00:04:07] Yeah.
[00:04:08] So like I, I came across this.
[00:04:10] So I've gone through CIS controls two and a half times now.
[00:04:14] We're almost done with the third time.
[00:04:16] And I found myself when I was doing the second time around, I like, I found a new format.
[00:04:21] I like, I was like, oh, this format looks so much better.
[00:04:25] And then what do I do?
[00:04:26] I go back to one and I update that format and I go back to two.
[00:04:30] And then six hours later, I'm like, why am I doing this?
[00:04:34] Right.
[00:04:35] The, the auditor doesn't care if I'm in Times Roman, just as long as it's not Comic Sans,
[00:04:40] I guess.
[00:04:40] Right.
[00:04:41] Like Wingdings, Wingdings is not good.
[00:04:43] Well, and truth be told, the pretty thing I'm writing into like a word document or whatever,
[00:04:48] I'm just going to copy and paste the contents into my GRC.
[00:04:52] Right.
[00:04:53] Right.
[00:04:53] So then you get, you get people stuck in the GRC going, well, do I use GRC A, B, C?
[00:05:00] Well, this vendor gives it to me for free.
[00:05:02] Yeah.
[00:05:02] So it is 12 other ones.
[00:05:03] Right.
[00:05:04] So everyone.
[00:05:05] No way.
[00:05:05] I have Excel.
[00:05:06] I have Excel.
[00:05:07] Why can't I use Excel?
[00:05:08] Yeah.
[00:05:09] Like, like everyone gets stuck.
[00:05:11] So just, just go.
[00:05:13] Right.
[00:05:13] It could be ugly that the ship can, can go sideways or Windows.
[00:05:18] Windows can blue screen.
[00:05:19] Exactly.
[00:05:20] So, so the analogy I kind of came up with is in, in, in my experience in 25 plus years
[00:05:29] of being in IT, as long as I know what the end goal is supposed to be.
[00:05:36] Yeah.
[00:05:37] I can get there.
[00:05:39] Right.
[00:05:39] So if, if the server needs to be 2022 and I know what 2022 looks like and I'm running
[00:05:46] 2008, God forbid, I know how to get it.
[00:05:50] I know how to step it from 2008 to 2012.
[00:05:53] Right.
[00:05:54] I know how to get it there because I know the end goal of it.
[00:05:57] Right.
[00:05:57] So let's, let's kind of dumb this down.
[00:06:00] The result is a cookie.
[00:06:03] Okay.
[00:06:04] Now notice I said a cookie.
[00:06:06] I didn't say a chocolate chip.
[00:06:07] I didn't say snickerdoodle.
[00:06:08] I didn't even say an Oreo.
[00:06:10] Right.
[00:06:10] Right.
[00:06:11] Whoa, whoa, whoa, whoa.
[00:06:12] That, that, that just don't, don't go with Oreos is dangerous.
[00:06:16] That's almost like two cookies in one.
[00:06:19] Three or yeah.
[00:06:20] It's like a sandwich or whatever you want to call it.
[00:06:21] But it's kind of like the hot dog.
[00:06:24] The hot dog is a whatever.
[00:06:26] It's a whole other conversation.
[00:06:28] Like steak.
[00:06:28] Um, yeah, but, but the end goal here with, with just call it any compliance guide you're
[00:06:36] working on any control, whatever.
[00:06:39] What I see a lot of my peers struggle with is they don't realize, or they've never seen
[00:06:44] the end result, which is a cookie.
[00:06:47] So they're trying to engineer their version of a cookie.
[00:06:51] Right.
[00:06:52] Where if I go, Hey, here's what it's supposed to look like.
[00:06:57] Well, I can, I can figure out how to get there.
[00:06:59] Right.
[00:07:00] So everyone is, is, is arguing or not really arguing, but everyone is stuck on how much
[00:07:06] sugar am I supposed to do?
[00:07:08] Right.
[00:07:09] Is it gluten free cookie?
[00:07:10] Or is it, you know, just all these crazy things that are skimmy cookies about their cookie
[00:07:14] looking like the cookie that they saw in the magazine or how you make cookies versus how
[00:07:19] they're going to make cookies.
[00:07:20] And then we have no problem arguing over, well, we're only a 5% MSP.
[00:07:24] We're not a 12% MSP.
[00:07:25] And now you're going to a completely different cookie strategy because, well, my oven is
[00:07:30] smaller than your oven.
[00:07:32] Well, so, so here's the thing.
[00:07:34] I didn't say it's an edible cookie.
[00:07:37] I just said it's a cookie.
[00:07:38] Right.
[00:07:39] Right.
[00:07:39] So what, what people do is they, they get, they get stuck on, I want to make this thing
[00:07:43] the best so I never have to go back to it again.
[00:07:45] You want the Martha Stewart version of the cookie.
[00:07:49] Yeah.
[00:07:49] But you haven't had somebody judge your cookie yet.
[00:07:51] Right.
[00:07:52] Right.
[00:07:53] And so like when it comes to Trustmark, which we're in the process of going through, I'm
[00:07:59] not going to say our policies are perfect.
[00:08:02] They're, they're okay, but I can't worry about what a team of auditors are going to read and
[00:08:09] interpret from the data I'm putting in.
[00:08:11] And so I'm going to do what I feel is the best.
[00:08:15] So with, with various platforms, we're given all of the ingredients, right?
[00:08:21] Kind of like if, if I were to give somebody, if I were to give my 19 year old a bunch of
[00:08:25] ingredients and say, make something.
[00:08:28] He's like, I'm going to make a mess.
[00:08:31] Right.
[00:08:31] Cause he, he's not going to know, like, what do you want me to make?
[00:08:34] Am I making a cookie?
[00:08:36] Am I making a cake?
[00:08:37] Am I making a brick?
[00:08:37] Like what's, what's happening here?
[00:08:40] So like, this is where peer groups are so important.
[00:08:43] I absolutely have called Mike Stewart and said, Hey, I'm totally stuck.
[00:08:48] Can I copy your homework?
[00:08:50] Right.
[00:08:51] Where I not so much, let me get a copy of your thing and I'm just going to check, you know,
[00:08:56] find, replace.
[00:08:58] Yeah.
[00:08:59] There's things that you do that they don't do.
[00:09:00] And so all of a sudden, you know, Hey, how come you have this column in your spreadsheet?
[00:09:04] And you're like, well, because we have these vendors, you know, well, we don't have
[00:09:06] those vendors.
[00:09:07] For sure.
[00:09:08] But, but that is me seeing the cookie.
[00:09:11] Right.
[00:09:12] Right.
[00:09:12] So when I, when I call Mike and I go, Hey, show me, show me how you're handling this.
[00:09:18] It's the aha moment.
[00:09:20] Right.
[00:09:21] Or I'm like, I've been so focused on bullet points versus number thing.
[00:09:26] You just said, we do this thing.
[00:09:28] Here's the information.
[00:09:30] And I'm like, you probably spent 20 minutes on it.
[00:09:32] He goes, yeah.
[00:09:33] And I've been spending two days off.
[00:09:35] Right.
[00:09:35] So I think we can add to the cookie analogy that I think might help this.
[00:09:40] Cause I think right now we're talking about all these things that still turn out to be
[00:09:43] a nasty cookie.
[00:09:44] We ever have, everybody's had, you know, as Christmas is right around the corner, everybody's
[00:09:49] had sugar cookies.
[00:09:50] Right.
[00:09:50] And there's lots of traditions where people get together, decorate sugar cookies, go to
[00:09:55] a store, go to a Starbucks.
[00:09:56] They've got this beautifully decorated sugar cookie.
[00:09:59] The reality is when you get together with kids to make sugar cookies, it looks like Frankenstein
[00:10:05] threw up on a sugar cookie.
[00:10:06] Right.
[00:10:07] But the reality is they all still taste the same.
[00:10:10] They all taste like sugar cookies.
[00:10:12] And all you want to make sure that you get is one that has plenty of frosting on it and
[00:10:17] who cares what it looks like.
[00:10:18] Right.
[00:10:19] And I think that's part of the problem right now.
[00:10:21] We're more worried about what we look like than what we're doing.
[00:10:26] Yeah.
[00:10:26] It goes back to analysis paralysis.
[00:10:29] Right.
[00:10:30] I have a hundred controls to write.
[00:10:35] Like, I can't even get through my emails in one day.
[00:10:38] You want me to write a hundred controls?
[00:10:40] Sure.
[00:10:40] So what I've been doing is I've been working with the guy who's helping Showtech on this.
[00:10:47] And I say, here are three things I want you to focus on this week.
[00:10:51] Just three.
[00:10:53] Right.
[00:10:53] And this way, it's not a hundred something.
[00:10:57] It's just a three.
[00:10:58] And you know what?
[00:10:59] If I give them three to five small little things, I want you to do whatever.
[00:11:03] It's accomplishment.
[00:11:04] It's not trying to boil the ocean.
[00:11:07] It's taking a cup out of the ocean and boiling said cup.
[00:11:10] And I think the other way that I would also put some challenges to those going through
[00:11:15] this is give yourself a time cap to be done and move on.
[00:11:22] Not to, I'm going to come back to this again later.
[00:11:24] Just say, Hey, I'm going to work on control one for an hour.
[00:11:29] I'm going to do my asset inventory.
[00:11:30] And if I get one or two of the safeguards and they're actually done great, but I'm going
[00:11:34] to move on after this.
[00:11:36] I am going to go look at control two and then control three, but I'm not going to spend
[00:11:41] more than 30 minutes to an hour on each of these so that I can at least wrap my head around
[00:11:46] what is it that we are doing or are not doing versus until I have satisfied every single
[00:11:54] thing inside this control to a level of perfection that my mom and dad would be proud of.
[00:11:59] I'm going to still be on this control.
[00:12:01] And it's a normal problem to have, right?
[00:12:04] We see this across the board.
[00:12:05] Nobody wants unhappy clients.
[00:12:07] You don't want your kids turning in, not their best effort when it comes to homework.
[00:12:11] But the reality is this isn't homework.
[00:12:14] This isn't about you getting graded on your work.
[00:12:17] This is about you recognizing that you have to start with something.
[00:12:22] And as it matures over time, as you master the content, you will start producing masterpieces.
[00:12:28] It's another analogy would be like being in a band and saying, I'm going to play the trumpet.
[00:12:32] If you've never played the trumpet before, nobody in that band wants you in the band with
[00:12:35] them.
[00:12:35] Or heard it.
[00:12:36] But as you continue to learn.
[00:12:38] Yes.
[00:12:39] Yeah.
[00:12:39] Or heard it.
[00:12:40] Like, no, but that's what it is, right?
[00:12:41] Like, here's an instrument.
[00:12:42] And they take the trumpet and they're yelling into the open part, right?
[00:12:46] Like, no, no, no.
[00:12:47] That's not how it goes, sport.
[00:12:48] Right.
[00:12:49] Flip it around.
[00:12:49] Oh!
[00:12:50] Binoculars.
[00:12:51] Don't look through the wrong end of binoculars.
[00:12:53] You'll never get anything done.
[00:12:55] Yeah.
[00:12:56] But that's just something that so many people are so focused on is absolute perfection.
[00:13:05] And I'm not saying it needs to be junky.
[00:13:07] But chances are, 90% of the controls you're already doing, it's just not documented.
[00:13:14] Right?
[00:13:14] Right.
[00:13:15] So, Showtech had a bit of a stall for six months.
[00:13:18] Yeah.
[00:13:19] Because I was giving process questions to the techs.
[00:13:27] Right.
[00:13:27] Right?
[00:13:28] And it took me a while to realize they don't know how the magic is done.
[00:13:32] They just get to benefit from the magic.
[00:13:34] They don't know vendor management.
[00:13:35] They don't know, you know, all that kind of fun stuff.
[00:13:38] They use the vendor.
[00:13:39] Yeah.
[00:13:39] They just, they log in.
[00:13:41] They do their thing.
[00:13:42] Sure.
[00:13:42] They close their ticket, right?
[00:13:44] So, when it comes to, like, my position with the whole ecosystem with the techs,
[00:13:49] doing this, I'm here for guidance.
[00:13:51] I'm here to dictate the, or to help articulate, not really dictate, the magic of the things
[00:13:58] that we do.
[00:13:59] I absolutely look at vendors yearly, things like that.
[00:14:03] You and I, we've talked about this on the podcast many times.
[00:14:06] The techs at the office have no unearthly idea that I renew contracts every year.
[00:14:12] Right.
[00:14:13] And to be honest, up until we've done this, I didn't even have it documented.
[00:14:19] So, now it's documented.
[00:14:21] And then we go forward.
[00:14:22] So, let's go back in time.
[00:14:23] So, I actually was just talking about this internally.
[00:14:27] We were talking about, you know, sort of the readiness path that someone needs to be on
[00:14:32] when it comes to CIS Top 18 or the Trustmark.
[00:14:35] And you can look at it through two lenses.
[00:14:36] You can look at it to where you say, I'm adopting this framework, which will help you
[00:14:41] look at what you have that's chaotic or not mature enough.
[00:14:46] And you need to go back and fix it.
[00:14:47] Or there's the flip side of it is instead of pursuing the framework, as you look at it,
[00:14:51] you're like, oh, I got a lot of things to get in order in my house.
[00:14:55] What I think is really interesting is that for the most part, the hangups are tied to
[00:15:02] do we have leadership in place?
[00:15:04] Is governance intact?
[00:15:05] And is it as an MSP, like you mentioned peer groups, like peer groups are the things that
[00:15:10] you've ironed out like, oh, that's how I should have my chart of account structure.
[00:15:14] Oh, I need to hire when I hit that certain threshold.
[00:15:17] And those components that if they're not properly structured and mature, then tackling things
[00:15:23] like cybersecurity as a way in which to bolster your own cyber hygiene and be able to successfully
[00:15:30] deliver cybersecurity services to your clients is just going to be you're selling a product
[00:15:35] or a service and you're still stacked like a house of cards because you're as a business,
[00:15:39] as an operation, you're not ready for it.
[00:15:43] And I'm not saying don't go do those things, but I think as you look at your own business
[00:15:50] and that's why I wanted to ask you, like you talked about, you know, the six month stall,
[00:15:54] you talked about, you know, a signing process or that you didn't have documented.
[00:15:58] Like if you look back over the years, I mean, we've been doing the MSP space for a very long
[00:16:03] time.
[00:16:04] Even when you came into Untangled, what do you think was the number one thing that kept us
[00:16:09] from being successful with cybersecurity initiatives?
[00:16:14] Process and procedure.
[00:16:15] Huh.
[00:16:16] Right.
[00:16:17] And people recognizing that they were responsible for making those things come true.
[00:16:23] Yeah, for sure.
[00:16:25] But everything is only as good as the information you have at your hand.
[00:16:29] Right.
[00:16:30] So today.
[00:16:32] Right.
[00:16:32] And this is this is this is why people stall.
[00:16:35] Microsoft just dropped a major bombshell today.
[00:16:38] Um, they're like, hey.
[00:16:42] As of April 1st.
[00:16:44] Monthly NCE agreements now will have a five percent increase or you can prepay for the year.
[00:16:52] Right.
[00:16:53] And a change like that is not something you could have prepared for.
[00:16:58] No.
[00:16:58] Right.
[00:16:59] So that small little change that, hey, prices are going up by five percent less the customer
[00:17:04] prepays.
[00:17:05] Nobody's going to prepay, in my opinion.
[00:17:09] But that's something where.
[00:17:11] That's a big that's a big check.
[00:17:13] Or much.
[00:17:14] Yeah.
[00:17:14] Like, well, if somebody to save five percent of somebody's paying a thousand dollars a year,
[00:17:18] they got to cut me a twelve thousand dollar check just to save five percent, that ain't
[00:17:23] going to happen.
[00:17:24] Right.
[00:17:24] So their bill is just going to go up by five percent.
[00:17:27] But the reason I bring that up is things change.
[00:17:32] Right.
[00:17:32] You got to be fluid.
[00:17:34] You know, we we're in the middle of renewing all of our MSP contracts right now.
[00:17:37] And then all of a sudden this drops.
[00:17:39] We're like, oh, my God.
[00:17:39] Right.
[00:17:40] And the team is panicking.
[00:17:43] I'm like, well, funny story.
[00:17:44] This is why we didn't renew the Microsoft side, because I had a feeling that was
[00:17:48] coming.
[00:17:49] We're only renewing the MSP side.
[00:17:50] But this all goes back into the process.
[00:17:53] So just like we have with our with our compliance, things like that, as new things come up, I
[00:18:01] don't have to redo the entire process.
[00:18:05] I just have to update it.
[00:18:07] Well, I think about the licensing thing.
[00:18:09] I mean, this seems like it's something that you don't even have to necessarily redo
[00:18:12] contracts.
[00:18:12] It's really more of a notice of or a disclaimer or an FYI.
[00:18:17] Hey, unless you want to switch to annual billing on your 365 licenses as of April, May, whatever
[00:18:24] it is, it's going up by 5 percent.
[00:18:27] You don't have to do any more than that.
[00:18:29] This isn't a contract to change.
[00:18:30] This is a vendor has made.
[00:18:33] Here's the new deliverables.
[00:18:34] As long as your T's and C's are dialed in, as Brad Gross would say a certain way, you're
[00:18:40] just fine.
[00:18:41] Your job is to to let them know and not wait for them to tell you what they want.
[00:18:46] But take this back to the compliance conversation, right?
[00:18:49] To one of the controls.
[00:18:51] Yeah.
[00:18:51] When a variable changes, a lot of times somebody is just going to go, all right, a variable
[00:18:56] has changed.
[00:18:57] I need to go back to start and do it over again.
[00:19:00] I'm saying, no, no, no.
[00:19:01] Just just move forward.
[00:19:04] Update and move forward.
[00:19:05] Right.
[00:19:06] We're not we're not trying to catch the SpaceX rocket ship on the first go.
[00:19:11] Right.
[00:19:12] Using that as an analogy.
[00:19:13] He blew up a couple of ships.
[00:19:15] Right.
[00:19:15] Some dumped in the water.
[00:19:17] Yeah.
[00:19:17] Some blew up.
[00:19:18] Things like that.
[00:19:19] It wasn't perfection from the get go.
[00:19:22] And MSPs to get to that cookie.
[00:19:25] Right.
[00:19:26] They need to send out some nasty taste of cookies.
[00:19:29] Right.
[00:19:29] And and, you know, add a little bit more salt.
[00:19:33] Add a little bit more.
[00:19:34] Whatever.
[00:19:34] I don't know.
[00:19:34] I don't know what goes into a cookie, but more sugar, not salt.
[00:19:38] But it's it just can't be perfect all the time.
[00:19:42] I know it's hard hearing for me because I usually am.
[00:19:45] I'm joking.
[00:19:47] But you just you just got to move forward and cycle through.
[00:19:51] Like I said in the beginning of the call, I'm on my almost third pass of CIS.
[00:19:56] And each time the iteration of our controls are getting far better and better.
[00:20:01] And I'm more excited every time we do it.
[00:20:04] But I get to the end like a game and I start over.
[00:20:09] And now I know what to do better because like certain controls.
[00:20:13] Oh, my Lord.
[00:20:14] The first time we tried it, it took days.
[00:20:16] Right.
[00:20:16] Now the revisions are like, I don't know, 30 minutes.
[00:20:19] Right.
[00:20:19] Yeah.
[00:20:21] It my physical building hasn't changed.
[00:20:24] Right.
[00:20:24] My inventory hasn't physically changed.
[00:20:26] How I collect that data may have changed.
[00:20:28] We just got to tweak it a little bit.
[00:20:30] Well, I think that's a really good a good way to put this.
[00:20:32] I think I think, you know, we've got about 10 minutes left.
[00:20:35] I think I would like to propose let's share that the 10 commandments, if you will, of what
[00:20:40] it means to go through a framework.
[00:20:43] And I think the first one is don't allow, you know, the enemy of great be the enemy of
[00:20:49] good.
[00:20:49] Right.
[00:20:49] Like the the just the paralysis that everybody's running into of saying, well, I got to get
[00:20:53] it to this level.
[00:20:54] That's not the point of this.
[00:20:56] And when we talk about the iterations of, you know, IG1, IG2, IG3, you have to put into
[00:21:02] context for those that maybe aren't familiar with how this came about, that the implementation
[00:21:07] groups were not because you're too small to do it all at once, because they actually
[00:21:12] put these in place because the Fortune 100, the Fortune 500, they were not able to do
[00:21:17] it without breaking it into smaller pieces.
[00:21:20] It's a capability model.
[00:21:21] And your capability has nothing to do with how many employees you have.
[00:21:25] Obviously, that can factor into how quickly you can do something.
[00:21:29] But your capability is defined by your understanding of what it is that you have to do and how to
[00:21:35] get it done.
[00:21:36] So just because you have five employees doesn't mean you can't do certain things.
[00:21:39] It just means that you're probably not going to do it with your own internal resources.
[00:21:43] And I think that's where a lot of people get stuck.
[00:21:45] They're like, well, until I can afford to hire 25 people to run my NOC or my SOC, I'm
[00:21:51] just going to skip this one.
[00:21:52] It's like, well, no, no one's proposing that you become an MSSP and have all of these things
[00:21:58] in place.
[00:21:58] But if you're evaluating a product or a service, are you prepared for the FTE that comes with
[00:22:05] managing that?
[00:22:06] Or does it take your FTE and reduce it?
[00:22:09] Like, those are all things you've got to take into consideration before adding a tool or
[00:22:13] adding a new process procedure.
[00:22:15] Like, if it's more work than it's worth, reevaluate.
[00:22:19] And I don't know.
[00:22:20] I think for me, the second commandment would be if you're waiting until you have perfect,
[00:22:28] then you're not ready to pursue the Trustmark or the CIS framework.
[00:22:32] Because you're never going...
[00:22:33] It's not a perfect...
[00:22:34] It's not a thing that has perfect baked into it.
[00:22:37] Because like we were talking about with the analogy, your cookie is going to constantly
[00:22:41] change.
[00:22:43] It's not always going to look the certain way.
[00:22:45] And at some point, you're just going to go, hey, we have a cookie that actually tastes
[00:22:49] good.
[00:22:50] Does it look good?
[00:22:51] No, it does not look good.
[00:22:52] But you know what?
[00:22:53] We had a cookie that looked really good, but it tasted terrible.
[00:22:57] And you just kind of keep moving through that iteration.
[00:23:00] Well, so here's kind of another, just using the cookie analogy, right?
[00:23:04] Man, you're making me so hungry right now.
[00:23:06] I know.
[00:23:07] Well, think about it.
[00:23:08] When you make a cookie, you don't taste test it all throughout the process.
[00:23:13] You don't sit there and spoon a cup full of eggs and put it in and be like, this is
[00:23:20] great, right?
[00:23:21] You wait until the end.
[00:23:23] Right.
[00:23:23] And then you taste the cookie.
[00:23:25] Or at least until all the ingredients have been mixed together so you can get salmonella.
[00:23:28] Maybe.
[00:23:29] But if you, if you like, I may or may not have been known to down a tube of cookie dough
[00:23:36] stuff, right?
[00:23:37] Yeah.
[00:23:37] But, but, but still the cookie dough tube isn't what the end cookie tastes like.
[00:23:44] No.
[00:23:44] Right.
[00:23:44] So put that into a control.
[00:23:47] Wait until you made the darn cookie before you taste it.
[00:23:50] Right.
[00:23:51] Stop tasting it midway going, this, this tastes terrible.
[00:23:54] Yes.
[00:23:55] Because it's raw egg.
[00:23:56] Well, and it's funny because when you look at CIS.
[00:23:58] Most of the control domains, the first safeguard is actually identifying like, Hey, maybe you
[00:24:04] should write down the recipe for your cookie.
[00:24:07] And then it gives you steps of how to go about doing that.
[00:24:10] Okay.
[00:24:11] This is when you mix it.
[00:24:12] This is when you add the dry stuff to the wet stuff.
[00:24:14] Like it's all right there.
[00:24:15] And yet we're hung up on all of them being done at the same time.
[00:24:19] So we don't do any of them at all.
[00:24:22] Yeah.
[00:24:23] And that's a problem.
[00:24:24] I see a lot of our peers making.
[00:24:26] Well, so that's two commandments that we just made up on the spot.
[00:24:29] So the third one, I think you just identified is like, you know, stop tasting it throughout
[00:24:33] the process.
[00:24:35] Right.
[00:24:35] Like get to a cookie, then reevaluate.
[00:24:40] Because if you don't, you're going to get stuck in that.
[00:24:42] Oh, I need to add more vanilla.
[00:24:44] I need to add more, whatever.
[00:24:45] Like you're just going to not get what you, it will never be what you want.
[00:24:49] And even when you get the cookie to taste like what you want it to taste like, what are the
[00:24:52] rest of the employees thinking your organization about the cookie?
[00:24:56] Yeah.
[00:24:57] And, you know, I think about like a peer review.
[00:25:02] So like, you know, you watch the Chicago Med or something like that.
[00:25:06] And something doesn't go right.
[00:25:09] And they hold a review room full of people and then they walk through the case.
[00:25:13] Right.
[00:25:14] So another thing I see a lot of MSP struggles with where the person who's making the
[00:25:21] policy or whatever is dictating.
[00:25:24] And not collaborate.
[00:25:26] So another one would be collaborate, don't dictate.
[00:25:30] Right.
[00:25:31] So number four, collaborate, don't dictate.
[00:25:33] Yeah.
[00:25:34] Because what I think the process may be, sitting in my supposed ivory tower, is very different
[00:25:41] than what is actually happening.
[00:25:43] I say that as a joke.
[00:25:44] Right.
[00:25:45] But like, if I think the process goes a certain way, well, let's talk to the team.
[00:25:52] Because if we get collaborative answers, I'm like, well, you know, I never thought of it
[00:25:56] that way.
[00:25:57] And now we're going to come out with a really good recipe for a really good cookie when I
[00:26:02] have everybody involved.
[00:26:03] And it's funny because I was actually going to say the exact same thing verbatim that you
[00:26:08] just said for number four as well.
[00:26:10] So I would say for number five then, which is kind of, I'm not sure if this is a bullet
[00:26:15] point with a number or a bullet point with a bullet point.
[00:26:18] I think it can stand on its own.
[00:26:20] I would argue that if everyone in the organization isn't involved in your goals with surrounding
[00:26:28] a framework, then you're wasting the entire organization's time with the framework.
[00:26:35] It is all inclusive or you're not inclusive.
[00:26:38] And the reality is this goes back to the whole culture thing.
[00:26:42] And your employees will choose to follow things that they understand when you give them the
[00:26:46] answers to their why.
[00:26:48] If you do not, either you're going to be trying to cycle employees because out of the organization
[00:26:54] and new ones in, which we know is not a reality that any of us want to pursue, or you are
[00:27:01] recognizing that maybe what you've put together, if you can't solve for the why, needs to be
[00:27:06] rewritten.
[00:27:08] For sure.
[00:27:09] All right.
[00:27:10] You need to come up with a number six because this is getting harder than I thought.
[00:27:13] Yeah.
[00:27:14] Should have said five.
[00:27:17] You know, get buy-in, right?
[00:27:22] It's kind of like when you buy a piece of software and you go, hey, team, here's the
[00:27:27] software I want you to deal with.
[00:27:29] They'll never respect me.
[00:27:30] No.
[00:27:30] Right?
[00:27:32] But if you go, hey, here's three pieces of software I want you to evaluate.
[00:27:35] Let's figure out which one we like best, pros and cons, all that fun stuff.
[00:27:38] Not just because they took me to dinner.
[00:27:41] Yeah.
[00:27:41] At, you know, IT Nation.
[00:27:43] Yeah.
[00:27:44] You know, because the techs will just never.
[00:27:46] It does.
[00:27:47] But the techs will never.
[00:27:49] If they don't have the buy-in, they won't move forward.
[00:27:53] It'll just be like, ah, that's Charles's wacky software because he got a free dinner.
[00:27:57] Yeah.
[00:27:57] That kind of stuff.
[00:27:58] Yeah.
[00:27:59] So then I'll say that number seven is if you're doing this alone, you're failing because the
[00:28:07] reality is it goes back to what you said before.
[00:28:11] If you've never made a cookie before, then you don't know what a cookie looks like.
[00:28:15] So unless you have something to model this after, you are basically just swimming in the
[00:28:19] water and you don't know which way is up or how deep the water is.
[00:28:23] So get involved in a peer group.
[00:28:25] Get involved in, you know, talk to your vendors.
[00:28:29] Talk to the communities.
[00:28:30] Like the reality is there's a lot of stuff out there that can at least help you understand
[00:28:34] what cookies are supposed to look like.
[00:28:36] If that's the only thing you get out of those communities or peer groups, I would consider
[00:28:41] that a success.
[00:28:42] So that's my number seven.
[00:28:43] You go with number eight.
[00:28:44] Good luck.
[00:28:46] So number eight is going to be know where your products fit.
[00:28:52] And there's a couple of vendors who I've been helping where like it's going to start coming
[00:28:59] more and more prevalent.
[00:29:00] I think we saw at Pax8 Beyond where people were putting little signs on their table like
[00:29:05] the ones I don't like.
[00:29:06] We solve for.
[00:29:07] I don't like the word solve, but we assist with control for.
[00:29:12] Yeah.
[00:29:12] Right.
[00:29:12] We, we, we assist or we map to because just because they quote unquote solve for something
[00:29:19] doesn't mean you're going to use it that way that they're intending.
[00:29:22] Right.
[00:29:22] But they can help.
[00:29:24] We stop bad things from happening.
[00:29:25] It's pick us.
[00:29:26] Right.
[00:29:27] Yeah.
[00:29:28] But just, just know where all of your vendors fit on whatever framework you're working on.
[00:29:35] Right.
[00:29:35] So this one, this one might come before that.
[00:29:38] So, so, so, so this one might come before your eight.
[00:29:41] So instead of saying this is a nine, it could be, let's push eight down and nine goes above
[00:29:44] it.
[00:29:45] And I think this is the, don't go looking for tools and third-party products and services
[00:29:50] until you have an understanding of the people process.
[00:29:56] And maybe then technology, like you've got to understand the what and the why before you
[00:30:01] start evaluating whether or not there's a vendor that can help you solve this, because there's
[00:30:06] two categories that this can fall into.
[00:30:08] Well, three.
[00:30:09] So you can find a product or service that helps validate or verify that the tool is
[00:30:15] being satisfied.
[00:30:16] We see this in a lot of automation products that help look at the current technology posture
[00:30:21] within an organization, right?
[00:30:23] It's not actually solving a safeguard, but it's giving you evidence to support safeguard
[00:30:26] being addressed.
[00:30:27] The other one that I think comes to mind is maybe it facilitates.
[00:30:30] Like this is the spreadsheet that houses your inventory.
[00:30:33] It's not actually being used to get your inventory.
[00:30:36] Right.
[00:30:36] Um, and then you have things that, um, to your point, they partially or fully meet a
[00:30:42] safeguard.
[00:30:43] But again, if you're just out there Googling, you know, vendor products that meet safeguard
[00:30:48] four dot three, you're taking a really big risk because it's based on a certain way it's
[00:30:54] implemented.
[00:30:54] And if you haven't wrapped your head around that process and what that looks like and how
[00:30:59] it impacts your staff.
[00:31:01] Plus what's the risk change?
[00:31:02] Like, is it, does it put you in a place where like, Hey, we want to be the number one or
[00:31:07] number two in this domain.
[00:31:09] And by satisfying that security control perfectly, you eliminate yourself from being able to
[00:31:15] even be in that category.
[00:31:16] I mean, just think if you decided tomorrow to go after exclusively the DOD space and all
[00:31:22] the tools you use do not meet the requirements for say FedRAMP or some of the things that go into
[00:31:27] that.
[00:31:27] You're kind of working yourself out of your own opportunity because you don't have the
[00:31:32] right things in place.
[00:31:35] So I'm not sure necessarily that eight or nine has to go in a certain order.
[00:31:38] So that leaves us with 10.
[00:31:40] So we got, that's the last one.
[00:31:41] It's on you.
[00:31:42] I got a good one.
[00:31:44] Kiss it.
[00:31:45] Right.
[00:31:46] Keep it simple, stupid.
[00:31:47] That's it.
[00:31:48] Right.
[00:31:48] Like we don't, the policies do not need to be thou shalt not, not have factor name,
[00:31:57] like just have two factor turn.
[00:32:00] Right.
[00:32:00] Like we, we don't, we don't have to be a lawyer that writes out a 32 page dissertation on factors
[00:32:08] and things like that.
[00:32:09] Just, just, just say where possible enable two factor.
[00:32:13] They're not legally binding documents.
[00:32:15] They're meant to be a rule book that gives those that ask a picture of how you follow
[00:32:22] rules as an organization.
[00:32:25] Yeah.
[00:32:25] I mean, ask Clippy, right?
[00:32:27] Ask Clippy or Copilot.
[00:32:29] You know what I mean?
[00:32:30] Uh, hey, help me with this.
[00:32:32] Yeah.
[00:32:33] And it'll, it'll spit out something and you can just kind of dumb it down.
[00:32:36] Right.
[00:32:36] Keep it simple.
[00:32:37] The policy doesn't need to be 400 pages because remember your team has to follow.
[00:32:42] So if your policy is 400 pages, they ain't reading it.
[00:32:45] I ain't reading it.
[00:32:46] And your auditor ain't reading it.
[00:32:48] I'd say two pages is a lot for a policy.
[00:32:51] Yeah, for sure.
[00:32:53] Because usually you get the, the creep of the process and procedures are starting to
[00:32:57] ooze into the policy.
[00:32:59] And there actually are frameworks out there and we don't need to go down the rabbit hole
[00:33:03] of that, that actually look for that.
[00:33:05] They want that in there.
[00:33:06] But again, that's for an auditor, right?
[00:33:09] Like auditors want to see and not have to ask any questions.
[00:33:13] What we're talking about is the policies that you use to have your organization be successful
[00:33:19] in your maturing of cyber hygiene.
[00:33:22] Yeah.
[00:33:23] And, and I will tell you on the sales side of things, customers are now starting to ask,
[00:33:28] Hey, what framework?
[00:33:30] I had one the other day.
[00:34:32] I couldn't have been happier.
[00:33:32] Like, are you guys NIST certified?
[00:33:35] I'm like, well, it's not really a thing, but we, we, we follow.
[00:33:39] And I was able to go through the whole trust mark CIS thing.
[00:33:42] Right.
[00:33:43] Just because, just because I pay for certain software doesn't mean I have NIST certification.
[00:33:47] Right.
[00:33:47] But I'm like, you know, I, we do CIS.
[00:33:49] It's based upon a lot of the same things.
[00:33:53] So that's, that's a far better conversation to have than no.
[00:33:58] Right.
[00:33:58] And just say no.
[00:34:00] And there is a framework coming out at the end of the year that will be an internationally
[00:34:04] recognized standard called SMB 1001.
[00:34:07] They may change the name of it, but essentially if you're an MSP, this is the type of framework
[00:34:13] that your clients would likely be following.
[00:34:16] And there's some things in there that are really interesting.
[00:34:19] And one of them is, you know, do you have, you know, the, the cyber professional or the
[00:34:23] IT professional.
[00:34:24] Then the second one is like, you know, engaging in MSP.
[00:34:26] But when you start to walk through some of the safeguards that are in that framework, they're
[00:34:32] going to ask legitimate questions to you, the MSP, like, Hey, are you doing these things
[00:34:38] too?
[00:34:39] How do you envision helping us achieve these goals?
[00:34:42] Because we know that it's important.
[00:34:44] We're going to see more of that.
[00:34:46] And the funny part is as much as we talk about how we may someday be regulated, I think insurance
[00:34:51] and our clients will determine what we do as an organization.
[00:34:55] And I think that's pretty impressive to know that the SMB world, especially is starting
[00:35:00] to recognize that bad things can happen to them even when they're sleeping.
[00:35:04] Like the bad guys did not take time off between 5 PM and 7 AM or whatever it is.
[00:35:10] Right.
[00:35:12] Oh, holidays always weird me out.
[00:35:14] Right.
[00:35:14] Like, cause that's when they get really active.
[00:35:16] And every day is Black Friday.
[00:35:17] Now, come on, who are we kidding?
[00:35:18] Like it starts in June with Amazon.
[00:35:20] So like, yeah.
[00:35:21] Uh, Charles, any last things to say to our audience?
[00:35:26] No, just the last thing.
[00:35:27] If, if you don't have like a brain trust, right.
[00:35:30] Through a peer group, something like that.
[00:35:31] People you trust.
[00:35:32] You need to find that.
[00:35:33] I'm, I'm a big advocate of, of peer groups because you get to ask really stupid questions
[00:35:38] all the time, but in a very safe place.
[00:35:42] And you and I both know this, uh, for those of you listening, uh, Charles, what's your
[00:35:46] LinkedIn?
[00:35:48] I think it's just Charles J. Love on LinkedIn.
[00:35:50] Got it.
[00:35:51] Um, I couldn't tell you off the top of my head what mine is right now.
[00:35:54] I just drew a blank, but I will tell you if you find us on LinkedIn, if we're not connected,
[00:35:58] connect with us, we're happy to answer questions because we understand that sometimes you have
[00:36:03] to get some of the initial questions out of the way and we get it.
[00:36:06] We know that most MSPs at some point in time, no, they have a question that sounds really
[00:36:11] stupid.
[00:36:12] I kid you not.
[00:36:13] There are no stupid questions in this space.
[00:36:15] I promise you, but I get it.
[00:36:17] It's getting a few of those questions out of the way to realize you're not the first one
[00:36:22] to have that question.
[00:36:23] And sometimes when you are the first person, even if it seems trivial, there's somebody
[00:36:30] else in the same room that was like, I had that question too.
[00:36:34] And I was afraid to ask it.
[00:36:36] Absolutely.
[00:36:37] So I'll leave you with a quote and it was from my freshman English class in high school.
[00:36:42] He had it on the wall.
[00:36:43] He said, he who asks, asks a foolish question is a fool for five minutes.
[00:36:48] He who does not ask any questions or a question at all is a fool forever.
[00:36:54] So there you go.
[00:36:56] I'd rather feel dumb for five minutes.
[00:36:58] If I can get the answer that I'm looking for, then to continue down this path of paralysis
[00:37:02] analysis.
[00:37:02] So for those of you who've been listening, this has been an episode of MSP 1337.
[00:37:07] Thanks and have a great week.