From the CompTIA MSP Community to the IT community at large. Dawn Sizer of 3rd Element Consulting and Henry Timm of Phantom Technology Solutions are great CompTIA community members who volunteer their time not just for CompTIA but for other great communities that make us all better together. This is a great conversation about what is available to you, from networking and education to tools and resources that can help you get involved and improve your cybersecurity posture.
[00:00:06] Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone.
[00:00:21] Welcome everybody to another episode of MSP 1337. It is that time, it is cybersecurity month, it's October and I have Dawn Sizer of 3rd Element Consulting and Henry Timm of Phantom Technology Solutions.
[00:00:40] Dawn, Henry, welcome to the show. Thanks for having us.
[00:00:44] Hey, so it's cybersecurity month and one of the things that was put on my radar is that maybe as part of this conversation we would talk a little bit about CompTIA community and both of you being involved heavily involved in what we do on the CompTIA membership side.
[00:01:04] And then some of the other things I think we should talk about is to sort of expand that into what I think has been an interesting 2024 where there's lots of big events.
[00:01:16] And in fact, there's events that aren't big that keep popping up and blink and there's another event happening on a Tuesday or Thursday that you've never heard of before.
[00:01:25] And I think that's a lot of things that are largely in the IT services space focused on more of the technical or cybersecurity side of things.
[00:01:32] But I think it's important to recognize and I think this is a great opportunity to talk about it is community driven events are now emerging unlike anything we've ever seen before.
[00:01:44] And the experiences that we that I've heard and I know I think you've heard as well is that those experiences are saying this is what we need.
[00:01:53] This is what I'm confident in sending my employees to.
[00:01:56] I know the type of experience that they're going to have is beneficial to my company and they're not coming back with vouchers on all of the shiny things that we can buy.
[00:02:05] So I just want to start a little bit.
[00:02:08] We'll start on the CompTIA community because I think that's an easy baseline.
[00:02:13] We came off of Channel Con here.
[00:02:15] What?
[00:02:16] Not even a month and a half ago, two months ago.
[00:02:20] I'd love to hear what your experience was like there and what you see as far as the community for CompTIA goes.
[00:02:27] And then we'll expand that out into talking about some of the other community experiences.
[00:02:31] And obviously, Henry and I were just at one last week and Dawn, you're at one this week.
[00:02:36] So let's go in.
[00:02:37] Let's go in order.
[00:02:38] We'll do the oldest first and then we'll go to Henry for last week's and then Dawn, with you literally in Vegas for the Tech Tribe event.
[00:02:47] So this is exciting.
[00:02:49] So Channel Con member event.
[00:02:52] What was that experience like for you?
[00:02:54] I think and this is me as an employee of CompTIA putting this out there.
[00:02:58] It was different than previous events that we've done.
[00:03:02] I think it had a different feel to it.
[00:03:04] And I'm just curious what your thoughts were on that.
[00:03:07] Yeah, I think the content this year was a lot better in the sense of more member driven type of content and more member driven interest.
[00:03:19] So some of the things that stuck out to me were some of the panel discussions, some of the discussion around CMMC and compliance and having CISA present there was really, really cool this year.
[00:03:36] Yeah.
[00:03:37] CISA is actually one of my favorites.
[00:03:40] A lot of people don't know that, you know, we often say government involvement is no, no, don't want the government involved.
[00:03:48] And I think this is one area that people need to give it, really give it a chance.
[00:03:52] The content and resources that they've produced have even found their way into supporting and facilitating success with satisfying safeguards in the Cybersecurity Trustmark.
[00:04:03] And we're seeing that the engagement with CISA and taking what we're doing as a community is getting arms and legs and moving upstream even at the government level of saying, hey, this is an industry that we have to support.
[00:04:19] We need to do more supporting than dictating to because they fundamentally have the ability to transform from a cybersecurity standpoint and a maturity standpoint that which we can't do on our own.
[00:04:32] So I've been, since I've been at CompTIA, seeing that CISA engagement starting to happen has been super exciting for me.
[00:04:39] So, Dawn, what about you?
[00:04:41] I wasn't able to attend ChannelCon this year, which is sad, but I have seen CISA at a number of other events.
[00:04:47] And I can 100% reiterate that they do have some great resources and tools and all kinds of different things.
[00:04:54] And it is interesting seeing them out at different events.
[00:04:57] Yeah, unfortunately, my kiddo is in his last year of hanging out at home.
[00:05:01] And it was his birthday right over ChannelCon this year.
[00:05:03] That's fair.
[00:05:04] In fact, I would argue that that's probably more important, significantly more important than, yeah.
[00:05:11] I can attest to that.
[00:05:13] I have one left in the hanging out at home.
[00:05:15] And even that is like, so you were gone this week?
[00:05:18] I didn't even know you were gone.
[00:05:20] So, yes, you hid in the basement.
[00:05:23] One of the interesting things that you can kind of see shifting in the industry right now is it's starting to turn into more of that conversation piece between some of these larger entities like CISA and even vendors like Microsoft are starting to open the dialogue with MSPs as opposed to just dictating things down to us, which I think is an awesome and welcome thing coming from our community.
[00:05:48] Well, in teaching, Microsoft specifically will come out to an event and teach how to use the tool, which I think has been interesting.
[00:05:55] I've seen them do Lighthouse.
[00:05:57] I've seen them do a number of different things and just conversations around that, which I think is fantastic.
[00:06:02] And that is, I feel like we're in uncharted territory.
[00:06:06] Yeah.
[00:06:06] Some of that, because I haven't seen that previously and we've been doing this for 20 years.
[00:06:10] So it's nice to see.
[00:06:14] I saw that too.
[00:06:15] The first Pax8 event I went to was a Pax8 Momentum where it literally was just workshops and breakout sessions that were either talking about success within your business, not about products that Pax8 has available to buy.
[00:06:31] And then on the security breakout sessions, it was really talking about leveraging what you get from your vendors or leveraging the resources that you have at your disposal.
[00:06:44] And I think that's an interesting conversation, regardless of what kind of an event it is, is that I think it's easy.
[00:06:50] And to your point, Henry, I love the shiny objects, but where's the training?
[00:06:55] I don't mean like a video series.
[00:06:57] I mean like actual hands-on training, whether it's virtual or not, to actually walk you through, you know, this is how we would envision you being successful with our product.
[00:07:07] Not here's a one sheet.
[00:07:08] And if you follow these four steps, you'll be successful.
[00:07:11] And you're like, well, step one had like 30 pages of things I have to do.
[00:07:15] You just told me to go do step one.
[00:07:17] So I think that's a really good observation that we're seeing that even with our own vendors is that they're taking note that if they want us to be successful, they can't just sell us the product or say, hey, you can be totally hands-off.
[00:07:31] We got this for you.
[00:07:32] And it's like, yeah, but you don't understand my client.
[00:07:34] What does that look like for you to say, I've got this?
[00:07:36] And I think there's been a lot of like crash and burn even in that world.
[00:07:41] Yeah, I think that some of that is coming from, you know, obviously MSPs are starting to request or require that out of their vendors, but you're also seeing community efforts.
[00:07:53] I know that like Matt Lee just did that CIS mapping that is starting to push vendors to start to realize that, hey, can't just be selling off of marketing terms.
[00:08:03] They actually need to look at how we fulfill some of these controls and things like CompTIA Trustmark.
[00:08:10] Like that's definitely shaking some heads awake on the vendor side as far as, okay, I need to pay attention and this now matters.
[00:08:20] And crazy, vendors are asking for it now too.
[00:08:22] They're like, when do we get a version of this?
[00:08:24] And I'm like, slow down, pump the brakes.
[00:08:26] Well, I don't want to just say, oh yeah, here's the 177 safeguards that you, Mr. Vendor, need to satisfy.
[00:08:32] And then they're like, no.
[00:08:35] It's been interesting too from the MSP side of things.
[00:08:38] It's when you're able to go back to a vendor and say, hey, look, I'm looking to align to Trustmark or I'm looking to align to CIS.
[00:08:45] What can you give me attestation wise to show me how your product actually aligns?
[00:08:51] And there are vendors that will do that and have done it very well.
[00:08:54] I've worked with a couple of them to get those out.
[00:08:57] And that's been actually very, very helpful.
[00:09:01] So when you're looking at the products that you're using, you have a direct comment from the vendor to say, this is how we fulfill this particular control if you're using it in this particular way.
[00:09:11] So I think that's helpful as well.
[00:09:14] Yeah.
[00:09:16] So shifting gears a little bit, I think we covered CompTIA.
[00:09:19] Well, at least the CompTIA event that's community driven.
[00:09:25] Henry and I last week were at Community Minds.
[00:09:28] This is the second Community Minds event for this year.
[00:09:32] Having been at both, I felt like it was probably one of the most encouraging for MSPs, giving them real things that they could take away and take back home.
[00:09:47] But there's a lot of networking that happens, right?
[00:09:49] When you're in that size of intimate environment of less than 100 people, you visually recognize all the faces by day two.
[00:09:58] And so sitting down and talking to any table is a whole lot easier than when every day is thousands of people that you didn't see on any of the previous days.
[00:10:08] So what was your experience?
[00:10:11] I mean, you've been to this before than just April, right?
[00:10:14] Like this has been something you've been involved in for a while.
[00:10:17] Yeah.
[00:10:17] So this is my third time doing this event with them.
[00:10:23] And really, you know, the community discussions, the hallway conversations that happen are huge.
[00:10:30] Just talking about larger industry issues and general awareness of what resources and things exist out there that for one reason or another, we're not just there's such a scattering of things across the industry that you may not be aware of.
[00:10:48] So kind of pulling on that larger knowledge base in the room and that brain trust to try and identify things that may be able to take back and benefit your organization.
[00:11:00] So for me, going to those types of events and taking part in their panels and so forth, a large part of it is just what is that additional tool or knowledge piece or process that I can take back to my team?
[00:11:15] Yeah, I would have said it's an opportunity to vendor bash, but I thought it was, I mean, obviously you always have those opportunities.
[00:11:22] But what I thought was really interesting about it is with some vendors that we all are excited about as they, you know, come out of like round two funding or are suddenly becoming a hot topic at the different events we go to because MSPs are starting to leverage the products.
[00:11:38] To be able to have a gut check on, you know, does it do the things?
[00:11:42] Yes, it does, but does it do it at the level that I think it does?
[00:11:46] What are my, you know, setting realistic expectations for engaging with a new vendor?
[00:11:50] I thought there was some really interesting, you know, we go to a lot of events that have lots of vendors at them, right?
[00:11:55] And ironically, what was there a dozen vendors that were represented at Community Minds and three of the vendors there?
[00:12:03] If I was an MSP today, I would have probably signed up with them.
[00:12:08] And it's not because of Shiny Object, but because of the reality of the challenges that they address, particularly for smaller MSPs who don't have the deep bench strength or the ability to do this in-house.
[00:12:20] They're having to outsource and like, you know, where do I go?
[00:12:23] And I think when you go to an event like Community Minds or Tech Tribe or SMBIT, because it's community focused, when vendors are talked about or you engage with a vendor, they have a lot more riding on the line than they would at a more commercialized vendor-driven event.
[00:12:42] Because they care more about, in a lot of those scenarios, about you buying it.
[00:12:46] They're still going to be there next year, right?
[00:12:48] They have the relationship with the host vendor at a place like Community Minds or Tech Tribe or any of the community-driven events.
[00:12:55] If you're not delivering, you're probably not getting asked to sponsor and come back next year.
[00:13:02] Well, I think another part that's really refreshing is that a community-driven event like this really cuts through the sales and marketing BS.
[00:13:11] So you don't get content that is a thinly veiled sales pitch.
[00:13:17] You get someone that's trying to truly educate and add value.
[00:13:20] As a good example, I guess, is some of the sessions around automation or finance that a lot of these community events are putting together.
[00:13:34] Dawn, I think you're doing a session this week on account management.
[00:13:39] Yeah, account management.
[00:13:40] So yeah, my spiel this year has been mostly on the automation side of things.
[00:13:45] So it's actually nice to take a step back and get out of the tech side and do more business operation piece.
[00:13:52] I think it's one of the pieces that often gets left untouched.
[00:13:57] Like I think about smaller MSPs that are concerned or are challenged with what they believe to be turnover as a result of the industry is often because their account management strategies are often like,
[00:14:08] well, they're not calling because we're running things really, really well.
[00:14:12] And then they find somebody else who calls them because they're doing really, really well.
[00:14:18] Yeah.
[00:14:18] I mean, it's about the tool.
[00:14:20] Right.
[00:14:22] Sometimes it is, right?
[00:14:23] Sometimes.
[00:14:23] Sometimes, I mean, I have seen scenarios where, you know, an MSP gets fired because of a failure to really give the experience after tool failure or being able to articulate that, you know,
[00:14:34] they're not doing the blame game of, well, we bought this yesterday at fill in the blank show.
[00:14:39] We implemented it and it didn't go very well.
[00:14:41] It's like, yeah, who's trained on it?
[00:14:43] That is not the question that you should be asking because we're an MSP and by default, we already know how to install it.
[00:14:50] Yeah, for sure.
[00:14:52] So, Dawn, it's a good segue.
[00:14:54] You're at the Tech Tribe event in Vegas.
[00:14:58] Talk to us a little bit about what you're, I mean, you started down the path on your session, but talk to us about what you're expecting to get out of what largely for the audience listening,
[00:15:09] this is probably not something they've ever heard of before.
[00:15:12] They may be familiar with Tech Tribe, but a Tech Tribe event in the U.S., that's a big deal.
[00:15:18] It is.
[00:15:19] And what they did, they teamed up with another group called MSP Camp, which is really kind of funny because Tahir, who runs MSP Camp,
[00:15:27] was a marketing person for an MSP out of Florida and built up this really neat little niche market group and sold to other MSPs.
[00:15:39] And now they have their own community.
[00:15:41] Tech Tribe has their own community.
[00:15:42] The two of them came together to put together ScaleCon in Vegas.
[00:15:47] So here I am at ScaleCon for the very first time because obviously it's an inaugural event.
[00:15:53] And what I found out so far, obviously the event hasn't started yet, but there aren't paid speaking spots the way that most places have, which I think is really interesting.
[00:16:02] So what you're getting is true content, and a lot of it is member-driven content.
[00:16:07] I mean, you still have keynotes and some other things, but it's very focused on business operations, marketing, how to run that side of the house, which we don't get, which is fantastic.
[00:16:19] Because yes, we get the tools, we get the other pieces, the technology piece of it, the things that we all understand intrinsically, but we don't get the business side.
[00:16:29] So I'm super excited for this.
[00:16:32] Business and soft skills, right?
[00:16:33] The squishy stuff does not, in our industry, I think we collectively prefer not to talk about those things because that's not our comfort zone.
[00:16:44] We didn't start MSPs because our best part of what we did was to onboard new clients.
[00:16:50] The best part of what we did was deliver good service or deliver better service than the place we were at that we were not happy with, so we started our own.
[00:17:00] Sometimes that grass was what we thought greener on the other side, only to discover we were looking at our own lawn in the mirror.
[00:17:07] And so I sometimes wonder about that, looking back at my MSP before we started it, sitting there going, we can do this better than the current employer that we have.
[00:17:19] And we literally had all of the benefits that we wanted.
[00:17:23] We just didn't really recognize it.
[00:17:26] We were a little immature when we started, I think.
[00:17:28] But yeah, I think that's...
[00:17:30] So looking at the events that are coming up this month, and I don't know all of them.
[00:17:34] I know a couple.
[00:17:35] So this week, I leave tomorrow, or sorry, Thursday is CornCon.
[00:17:41] I know sounds...
[00:17:42] I mean, if Matt Lee said it, you guys would be like, oh yeah, CornCon, that makes perfect sense.
[00:17:47] Or HackerFest, or GrrCON, or all the other names that were like, no idea what those are.
[00:17:52] CornCon is in the Quad Cities, hence Corn.
[00:17:54] It's in Iowa.
[00:17:57] And it is largely focused on the CISO space community.
[00:18:01] And so day one or the pre-day is driven by the individuals or the team behind the Verizon breach report.
[00:18:10] So we get to sit in a room and do tabletop exercises around or related to the Verizon breach report.
[00:18:17] And then we go into Friday, Saturday event, which those are rare.
[00:18:21] You don't normally see events that take place over the weekend or overlap into the weekend.
[00:18:25] And it is largely family kid-friendly.
[00:18:29] So they have all kinds of robotics type stuff for kids to say, hey, we want to be a family event.
[00:18:35] So that whether it's your mom or your dad going off...
[00:18:38] And they cater largely to the middle school, high school kid groups.
[00:18:42] So if your kid is hanging out at home for the last time, this would be one of those events where it's like, bring the family.
[00:18:49] And so on Saturday night, they throw this big party, video games and all that, just to kind of bring the community part of this together and say, this is bigger than any one individual.
[00:19:01] So I'm doing a session on AI, of course.
[00:19:05] Mine is AI is killing my company, what to do about it.
[00:19:09] Zach from Centian is doing a session on hardening your assets, of course, would make sense since he's with Centian.
[00:19:19] But what's exciting about it is along the same lines, Dawn, and all the events we've talked about this far around community, is there is no pitching.
[00:19:26] In fact, the only room that has tech vendors is really just a room you can go in and check them out.
[00:19:32] And that's it.
[00:19:33] Like, there's no, like, called out tech pavilion time.
[00:19:36] It's just, we have vendors that are sponsoring this event.
[00:19:39] If you'd like to go show some appreciation, go check it out.
[00:19:42] And what's funny about it is not all of the vendors that are there have anything to do with the industry.
[00:19:47] So, like, one of the tables I always go to is, like, they focus on, like, fantasy literature and Dungeons & Dragons.
[00:19:54] That's their table.
[00:19:56] So they sponsor.
[00:19:57] And it's so cool.
[00:19:58] You're like, what does this have to do with tech event?
[00:20:00] Oh, wait, we're all nerds.
[00:20:01] That's why.
[00:20:04] So.
[00:20:05] Circling back, I guess I didn't call out.
[00:20:09] Do you have any, either of you have any other community events coming up between now and the end of the year?
[00:20:15] I can't make it to it this year, but I do want to call out B-Sides.
[00:20:20] Peoria has their chapter event coming up this month.
[00:20:25] Last year, fantastic, fantastic event.
[00:20:28] Cody Kreischinger runs that particular event.
[00:20:33] But, yeah, if you can hit any of the B-Sides, those are always fantastic.
[00:20:39] Would you explain that for the listeners?
[00:20:40] I think this is actually a somewhat obscure B-Sides, and they happen regionally all over the country.
[00:20:46] If you'd explain a little bit for those listening why B-Sides is actually so valuable.
[00:20:51] Sure.
[00:20:52] So I'll probably get this wrong, but the idea behind B-Sides is that it's all of the speaking sessions that didn't make the first cut for a lot of these other events.
[00:21:08] And they turned it into a secondary event, thus B-Sides.
[00:21:12] And it's a community-driven, community content event with no real vendor-driven content in it.
[00:21:23] And it's typically kind of a lot of workshop-related stuff and showing off practical knowledge and use cases.
[00:21:32] So, for example, last year there were exploiting lighting controllers at this particular B-Sides that I went to for some of the city smart lights.
[00:21:43] And, you know, going through responsible disclosure of such things.
[00:21:48] And they were showing off some of the local college things that I wished existed when I was in school where they essentially have a semester for these students to go through and red team with a local business.
[00:22:03] So showcasing some of those things that are just awesome, awesome things to be going on.
[00:22:08] And clarity for B-Sides is this is going back to the 80s and 90s when we had cassettes and records.
[00:22:18] Well, you didn't flip CDs, but it was the same idea that you might have a second disc show up in your CD case.
[00:22:25] And oftentimes B-Sides would be the songs that were intentionally, as it matured, they were songs that were intentionally never made it to the radio because the artist said,
[00:22:35] Nope, this is only going to be available on the release.
[00:22:38] It's the gem on the B-Side.
[00:22:40] And it's the song when you flip that cassette over that you heard for the first time.
[00:22:44] You're like, oh, man, that's the that's the stuff that, you know, that's the gem that essentially B-Sides is representing.
[00:22:50] Right. These are sessions that for whatever reason didn't make the cut too late on submission, didn't follow the theme.
[00:22:59] Maybe they presented too many times in the past in any number of reasons.
[00:23:03] But, yeah, I have I have I can agree to that.
[00:23:06] I went to Blue Team Con last year and they had B-Sides represented there in Chicago.
[00:23:11] And so there were some sessions at the beginning or the pre day that were along those same lines.
[00:23:15] They had one on operational technology that was made my head hurt because, you know,
[00:23:20] why would you connect a device that's been, you know, around for 50 years hasn't changed?
[00:23:24] And we're going to put it on the web so that, you know, not sure what green button does, but let's push it.
[00:23:30] It worked out well for Delta with the latest.
[00:23:37] Yes, I digress or we digress if we go down this rabbit hole.
[00:23:42] We also have a MeaCon in London that's happening.
[00:23:46] I think it's the 21st and 22nd or 22nd, 23rd.
[00:23:51] Obviously, another community driven event.
[00:23:54] Let's talk a little bit about some of the things that you guys are doing at CompTIA.
[00:23:58] Some of the things that you're involved with.
[00:23:59] We've got the Global Cybersecurity Task Force.
[00:24:01] I don't know if both of you are involved in that, but I know you're at least familiar with it.
[00:24:07] Yeah, I'm I'm on it currently and I'm going to drag Dawn into it kicking and screaming if I have to.
[00:24:15] That's what community is about.
[00:24:16] Healthy dragging, kicking and screaming.
[00:24:18] I mean, yeah.
[00:24:21] So the Cybersecurity Global Task Force has kind of gone through a couple iterations and kind of revitalized itself here recently and kind of semi relaunching.
[00:24:34] Sure.
[00:24:36] So they are meeting monthly.
[00:24:39] But the idea is that they're going to be kind of supporting the larger cybersecurity community globally and kind of being that add on because cybersecurity is involved in pretty much every asset and piece of CompTIA in some way or form.
[00:24:55] So it will be kind of that glue in between a lot of the different councils and working groups and things like the ISAO at CompTIA and really kind of helping share that knowledge and education and collaboration in between the different councils.
[00:25:15] So, yeah, and globally, you know, as we kind of globetrot and we're going to be in Berlin in two weeks for Pax8 Berlin or Pax8 EMEA, I think it's actually called.
[00:25:27] I think it's a really big challenge to talk cybersecurity as a global task force.
[00:25:35] You know, obviously, this is growing and the majority is based here in the U.S.
[00:25:39] But as I was in Australia and we're going to be in Berlin and London, there's an interesting gap that's existing.
[00:25:48] You know, the U.S. largely is leading it from maybe some of the maturity elements, but we're not regulated like these other countries are.
[00:25:56] And because they haven't really had a lot of carrot stick incentives around the regulations that they do have, there's a lot of struggle around getting, particularly in our space, solution providers to adopt because they're generally smaller.
[00:26:10] They don't have the resources and they don't have the guidance to get this done.
[00:26:13] And I think I'm excited to see where this goes with the global task force, because I think that's the group that can help influence the changes needed for those government entities to see success without the regulation being, you know, the hammer on the MSPs who, who quite honestly, if you break them, then who's providing the support services?
[00:26:34] It's not like we grow on trees.
[00:26:37] Well, I guess maybe saying that you're an MSP is something you can pull off of a tree.
[00:26:42] But to be a successful MSP, I think it's a little bit more complicated than that.
[00:26:46] And then the last one that I wanted to talk about now that, you know, Dawn's being dragged into the global task force, she might have some things to say.
[00:26:53] I'll circle back on that in a second, is that if you haven't read it, CompTIA just released the Cybersecurity State of the Industry Outlook for 2025.
[00:27:04] I just started going through it myself.
[00:27:06] There's some really interesting topics in there that it covers.
[00:27:10] One of them that jumped out at me because I like using the term AI in a sentence.
[00:27:16] It was an interesting statement, though, because it talked about the prevalence of AI that we all are familiar with.
[00:27:23] But it says, you know, what are you doing to manage it in your organization?
[00:27:27] And I think that's not the one that we want to hear.
[00:27:29] It's not we all want to hear that.
[00:27:31] How are you using AI in your organization?
[00:27:33] Not how are you managing the use of AI?
[00:27:36] So I thought that was good.
[00:27:37] And Dawn, any comments on the, you know, getting sucked into the global task force, kicking and screaming, because that's what community is all about?
[00:27:46] No, it's actually a really good thing.
[00:27:49] Just from the standpoint, some of the comments that you've made so far.
[00:27:52] I mean, I talk to vendors from all over the world all the time.
[00:27:55] And we compare and contrast how business works from one country to another and things along those lines.
[00:28:01] And I really, truly believe that having that thinking going forward will only help the MSP community in this country.
[00:28:11] Because quite frankly, we don't have to adhere to a lot of the things that are out there.
[00:28:15] So I think it's that forward thinking piece of where do we need to be and how do we get there?
[00:28:21] And what are the easiest steps to get us going in the right direction, right?
[00:28:25] So that's what I'm looking forward to.
[00:28:29] Awesome.
[00:28:30] So while there might be a little bit of feet dragging, it's not the kicking and screaming that maybe you guys were anticipating.
[00:28:36] It's just more along the lines of like, you know, how can I be of help and where do I plug in?
[00:28:43] So that kind of brings me to the last item on the list, which was, excuse me, the CompTIA Trustmark Working Group is our advisory group to help build out what the Trustmark is to the community for those getting ready to be assessed, wanting to show their maturity.
[00:28:59] And I think one of the testaments to community at large is some of the things that we're seeing happen in the industry.
[00:29:06] So, Dawn, I know that with Tech Degenerates, you guys are hosting a Thursday open office hours, I think it's called.
[00:29:12] I actually haven't been there.
[00:29:13] My boss, Wayne, has been a few times.
[00:29:16] I think I now have it on my calendar.
[00:29:17] So when I'm available, I'm going to try and make that work as well.
[00:29:21] Talk to me a little bit about how that's been going.
[00:29:24] Obviously, we have one for the community that I host, or sorry, that Lisa Person now hosts.
[00:29:30] We do about four of those a month.
[00:29:33] Our problem with the four that we do is that because we're doing them geography-based,
[00:29:37] we sometimes have one or two people show up, depending on the region of the world that we're catering to.
[00:29:43] And other times we have 30 or 40 people show up.
[00:29:45] So it just depends.
[00:29:47] I like it when it's the three or four because then we get real questions that they don't feel concerned that because it sounds like a stupid question,
[00:29:55] you know, everybody's going to judge them.
[00:29:56] And they know I'll judge them anyway, so they'll still ask the question.
[00:30:00] What are you seeing on your Thursday calls?
[00:30:02] And obviously, this is broader than to the Trustmark.
[00:30:04] I think anybody asking questions about how to address a safeguard in any framework is a big deal to have that level of community engagement to ask those questions.
[00:30:14] A hundred percent.
[00:30:14] And I think that's what the drop-in group is about, right?
[00:30:17] Because it is not everybody that comes is doing Trustmark, but they are involved in compliance in some way, shape, or form.
[00:30:24] And I think that's where the community aspect really starts to shine, right?
[00:30:30] You can say, oh, I know this person is working on that particular thing.
[00:30:34] Let me point you in that direction.
[00:30:36] They can probably answer that better than I can.
[00:30:38] Or I know we have talked about the Trustmark and some of the issues that I've had with it,
[00:30:44] just in some of the pieces that it's pulled in from ISAO and some other places.
[00:30:48] And, you know, having that conversation of, hey, I actually talked to CJ.
[00:30:52] Here's what this actually means, what they're looking for.
[00:30:56] They're like, oh, well, that's easy.
[00:30:58] I can just either scope that in or out then.
[00:31:00] Like, yep.
[00:31:03] Or legacy.
[00:31:04] Legacy safeguards are mind-blowing to younger MSPs.
[00:31:07] And I don't mean younger people, but their MSP is newer.
[00:31:10] They built it all in the cloud.
[00:31:11] And it's like, it doesn't mean you don't have to answer the safeguard.
[00:31:14] It just means that you don't have to apply it.
[00:31:16] Correct.
[00:31:17] Correct.
[00:31:18] So there's pieces along those lines.
[00:31:20] I think that that's where a lot of the conversation is happening.
[00:31:23] And/or what is this Trustmark thing?
[00:31:26] How do I get involved?
[00:31:28] Right.
[00:31:28] So there was a lot of conversation that revolved around that.
[00:31:32] And now we're just down to, all right, what are you working on?
[00:31:35] Anybody have any questions?
[00:31:36] What does that look like?
[00:31:37] You know, and what is really funny.
[00:31:40] And I've done, again, sessions on this particular thing.
[00:31:43] 'Cause AI keeps, you know, cropping back up.
[00:31:45] Right.
[00:31:45] You can ask the guy how I'm using these products.
[00:31:49] How do I solve for, for this?
[00:31:51] You know, and it'll tell you.
[00:31:53] And then like, okay, what would an auditor want to see?
[00:31:55] And then it would give you a nice list of documentation.
[00:31:57] So it's not the end-all, be-all.
[00:31:59] You still have to think through it.
[00:32:00] You still have to apply your brain, but it does give you that step in the right direction.
[00:32:06] And perfect policies come right out of ChatGPT.
[00:32:10] I've seen them.
[00:32:10] They're absolutely phenomenal.
[00:32:12] I know zero MSPs that could follow what was in the policy, but I've had that come up a few times.
[00:32:19] I'm going to flip that real quick.
[00:32:21] That CJ, I'm going to put that in my documentation for the auditor.
[00:32:27] These were all generated out of ChatGPT.
[00:32:31] If you find any flaws with them, take it up with ChatGPT.
[00:32:34] I think a big thing too, with a lot of these community working groups and Trustmark working
[00:32:46] group and so forth is that people are kind of coming together.
[00:32:51] So like the Trustmark in specific really encompasses a lot more than just what one particular framework
[00:32:58] is that a lot of us are accustomed to.
[00:33:00] So if we're accustomed to CIS, there's more to bite off there than what we're used to.
[00:33:07] So having someone you can bounce those questions and ideas off of is really beneficial.
[00:33:12] Because like Dawn, I've run into some things that are coming from the ISO side of things.
[00:33:19] I'm like, oh, that's what that's about.
[00:33:22] Yeah.
[00:33:24] It's funny you say that.
[00:33:25] So last week we did the breakout sessions.
[00:33:28] I did more on building your security stack the right way.
[00:33:31] Not that there's necessarily, well, there's plenty of wrong ways to do it, but not that
[00:33:35] there's only one right way to do it.
[00:33:36] But it follows the CIS top 18, not specifically the Trustmark.
[00:33:41] There's 123 of the 153 safeguards from CIS in the Trustmarks.
[00:33:46] I mean, I guess there's quite a bit of overlap.
[00:33:49] But when I was, I helped with peer groups.
[00:33:52] We see this too.
[00:33:53] So PAC State's got the peer groups that they're doing.
[00:33:56] MSP Ignite has their Secure Outcomes Program, which is MSPs that participate in smaller groups
[00:34:02] of eight to nine companies.
[00:34:04] It's almost like a peer group within a peer group.
[00:34:06] But accountability around just aligning your organization with a set of standards that's
[00:34:11] industry recognized versus trying to say, oh, well, we're PAC State or MSP Ignite or ASCII
[00:34:18] and we've got our own set of standards.
[00:34:19] I don't think that works very well because that creates more of an exclusivity around
[00:34:25] our way and our standards versus what has already been established as industry recognized
[00:34:32] standards that we can all align with.
[00:34:34] And I think the larger the community gets, the harder it is to have the falsehoods or the
[00:34:41] half-truths ever emerge because the amount of gut check and true on accountability just
[00:34:49] continues to grow with it because we're all using the same standards.
[00:34:52] So I think that's something I'm hoping to see continue to grow.
[00:34:55] So I mentioned a few.
[00:34:57] There's a lot of peer groups out there doing this.
[00:34:59] The ones that I'm familiar with were PAC State, ASCII and MSP Ignite.
[00:35:04] But I know Taylor Business Group and some of the others that are out there, TAG, they're
[00:35:08] doing this as well where they're saying this is starting to become one of the pillars within
[00:35:14] peer group.
[00:35:15] It's no longer just about your financials and operations and account management.
[00:35:20] It's now including cybersecurity has to be a part of this.
[00:35:24] And the one challenge I keep hearing over and over again, and as we wrap this up, maybe
[00:35:27] you guys have some insights on this, is cybersecurity as part of the conversation in a peer group
[00:35:32] session can dominate you ever being able to talk about anything else in peer group.
[00:35:38] 100%.
[00:35:40] Go ahead, Dawn.
[00:35:41] It's an easy rabbit hole to go down.
[00:35:43] And there are so many nuances to everything, right?
[00:35:48] Because if you're talking about one specific thing, you can talk about 30 different tools
[00:35:53] that people are using to solve for that particular thing.
[00:35:56] And then all the conversations around those.
[00:35:58] And it just keeps going and going and going.
[00:36:00] There's no good way to do it that is a standard because everybody has things a little bit different.
[00:36:09] And that's okay.
[00:36:10] But the conversations then are infinite.
[00:36:13] Yeah, the conversation around PAM tools alone can cause people's heads to spin forever because
[00:36:20] you're not just arguing about who has the better PAM tool.
[00:36:23] It's like, oh, I don't need that feature.
[00:36:25] What do you mean you don't need that feature?
[00:36:26] And the squirrel happens all over again.
[00:36:30] What about you, Henry?
[00:36:32] Yeah, I think a large part of it has to do around with the defensibility discussion with your peers
[00:36:37] is, okay, you've made these decisions.
[00:36:42] Defend that.
[00:36:43] The tool can only carry it so far.
[00:36:45] You need the policy and people around it to kind of bring it home and solidify that defensibility.
[00:36:53] But that's a huge part of that discussion that's happening in those peer groups.
[00:36:56] And that's actually, you bring up a really interesting point with talking about what is
[00:37:01] exactly that it does that's clear and understandable across those you're talking to with Matt Lee's
[00:37:06] definitions of does it facilitate, validate, partially meet, or fully meet a safeguard changes
[00:37:13] the conversation real quick within that group when you say, oh, we have this and it covers
[00:37:16] that.
[00:37:17] And you're like, well, does it?
[00:37:19] Because then you can have a non-rabbit hole conversation because you've got metrics that show
[00:37:25] against each one of those things, like where does it actually fit?
[00:37:29] And the other one is, and you guys are, you know, you hit on this.
[00:37:33] We talked about tools.
[00:37:34] If you're talking about CIS top 18, IG1, they've published, you shouldn't have to spend any money
[00:37:40] on any tools to satisfy group one.
[00:37:44] So possibly two and three, but I digress when you start saying open source and a more sophisticated
[00:37:50] tool does not mean that there isn't substantial cost to go with it.
[00:37:55] Any last thoughts before we send people on their way?
[00:38:01] All right.
[00:38:01] My only thought beyond all the rest of this is, you know, if you're using tools, test them.
[00:38:07] Like just because you bought a thing doesn't mean it does what it says it does.
[00:38:10] So find a way to test it, to make sure that you understand what it's really doing, especially
[00:38:16] on the cyber side.
[00:38:17] And bring it to your community or your peer group as a, as a, you know, fact checker,
[00:38:22] if you will.
[00:38:24] Yep.
[00:38:25] Yeah.
[00:38:25] I would say get involved in, in as many communities and peer groups as you can just
[00:38:31] does that force multiplier for your capabilities and knowledge.
[00:38:36] And, uh, obviously CompTIA has a, a lot of resources there around, uh, Trustmark, uh,
[00:38:42] the global cybersecurity task force.
[00:38:44] You have the ISL, uh, the MSP communities, uh, and so forth.
[00:38:49] So, uh, lots of resources out there.
[00:38:51] I'm glad you said the ISL is like about ready to write stuff down.
[00:38:55] I'm like, if I miss this, I may get a pink slip for that one.
[00:38:58] But so for those of you listening, this has been an episode of MSP 1337.
[00:39:03] Thanks everyone.
[00:39:04] Have a great week.
[00:39:06] Bye.

