Risk Management - People, Process, Technology

As we wrap up Cybersecurity Month, I had a chance to sit down with Wayne Selk, VP of CompTIA Cybersecurity Programs and Executive Director of CompTIA ISAO, to discuss Risk Management and its role in cybersecurity—flashback to the late 90s and the changes we have seen that bring us to today.

[00:00:06] Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone.

[00:00:21] Welcome everybody to another episode of MSP 1337. It is Cybersecurity Awareness Month and we are wrapping up October with none other than Wayne Selk of Cybersecurity Programs and President of the ISAO. Wayne, welcome to the show.

[00:00:38] President, holy crap I've gotten a promotion yet again.

[00:00:42] Aren't you the President of the ISAO?

[00:00:44] Executive Director. But yes, I appreciate the vote of confidence there. Chris?

[00:00:51] Well, I think voting is coming up here real soon. Maybe some things will change.

[00:00:57] Well, early voting's already started.

[00:00:59] I'm going today actually.

[00:01:01] Yes.

[00:01:02] Shop the vote. There we go.

[00:01:04] So, we have kind of been on a roller coaster in October at CompTIA just with events and in moving through this Cybersecurity Awareness Month.

[00:01:14] And obviously, as we say in cyber programs, it shouldn't just be October.

[00:01:18] But I think one of the values that we have with October is that it's a harder push to get it in front of mind, not that it ever implies that we shouldn't do it outside of October.

[00:01:31] One of the things that you and I have been doing a lot of over the last few months, this whole year, has been largely around risk management.

[00:01:40] And I think the narrative that involves risk management is a big shift in the MSP space from what they're used to having conversations on.

[00:01:49] In fact, yesterday, I had a conversation with about 18 or so MSPs and they kept hitting on things like, well, we just protect everything.

[00:01:57] We just do security for everything.

[00:01:58] I go, well, okay, but how is that financially sustainable or even not a double-edged sword when someone says, yeah, our policy around, say, data retention is we don't delete anything ever.

[00:02:13] And I said, well, that seems kind of unrealistic because if that's your policy, then what do you do when someone does delete something and they're not supposed to?

[00:02:22] Because I think it's far more difficult to solve for that one than it is to the, this is our retention policy and things will get deleted.

[00:02:31] That is exceeding.

[00:02:32] Anyways, I digress a little bit, but it was really revolving around.

[00:02:36] And you had an article get published in Channel Pro Network, I think it was second week of October, around why MSPs must rethink risk landscape to stay ahead of threats.

[00:02:48] And I think that was not so much the beginning as it was a high things up in a nice little bow from what we've seen and what we've been engaged in for the last year, really.

[00:02:57] And I mean, since I came to cyber programs, this is what I've witnessed.

[00:03:01] So two years now, walk me through what you're seeing and how I'm just going to say the last few weeks has kind of impacted your journey on, on tour, if you will, giving presentations around risk management.

[00:03:14] Yeah.

[00:03:15] You know, it's, it's really the same old, same old.

[00:03:20] I mean, I've, I've been talking about risk for a while since the 1990s as it relates to cybersecurity, as it relates to businesses.

[00:03:32] I distinctly remember a conversation I had with one of my very good friends, who's also now on a, he's a co-host on a podcast now; he was invited to do different podcasts than MSSP 1337.

[00:03:47] But, but we would actually have conversations around data and the risk associated with the data.

[00:03:57] Yeah.

[00:03:58] Now, let me take the audience back a little bit, right?

[00:04:02] Because in the, in the late nineties, cybersecurity wasn't really as mature as it is today.

[00:04:13] Sure.

[00:04:13] There, there were some things, and I think a lot of folks would, would kind of remember, absolutely everybody had a firewall.

[00:04:21] Absolutely everybody started to deploy antivirus.

[00:04:24] That was it.

[00:04:25] We did have, there were intrusion detection systems back then, but there were not intrusion prevention systems back then.

[00:04:32] Just, just so we can all call out Wayne's age.

[00:04:36] Uh, and browsers were largely the wild west.

[00:04:40] Right, right.

[00:04:41] And that, right.

[00:04:42] Uh, so, uh, Check Point used to be the Check Point and Cisco PIX firewalls used to be the two primo.

[00:04:52] That was it.

[00:04:53] There really wasn't anything else in corporate America.

[00:04:57] Uh, besides one of those two firewalls.

[00:05:00] Uh, do you remember the physical firewall that you could actually install in a PCI slot of your desktop?

[00:05:06] Like it, it ran its own operating system and it went in and had your ethernet ports.

[00:05:10] And that, that was, uh, that, that was a little later in the game.

[00:05:16] Yeah, that was maybe 2001.

[00:05:17] Right.

[00:05:19] So the, the Cisco PIX, uh, I think the minimum footprint for that was about 4U.

[00:05:26] Uh, so, right.

[00:05:29] So if you're familiar with rack space design, 4U, uh, four units, um, it would take up one of those. Same thing with the Check Point, right?

[00:05:38] I mean, they were not tiny like they are today.

[00:05:41] Uh, they certainly couldn't, you know, they're, I mean, today they're, they're just one new devices.

[00:05:47] Um, depending upon how many ports they, anyway, I'm going to.

[00:05:50] Yeah.

[00:05:50] So, uh, that's a multiplier of 1.75.

[00:05:53] So it was roughly seven inches tall.

[00:05:55] Correct.

[00:05:56] Yep.

[00:05:56] Uh, which was, which was unheard of.

[00:05:58] I mean, cause the cards were the.

[00:05:59] Well, on the weight of that thing against your rails, if you didn't have bracing for it anyways.

[00:06:06] Hey, but the, the challenge with those early firewalls, which most folks don't even realize today was that they were, you had to configure both the inbound and outbound.

[00:06:18] You couldn't, you just didn't have you cause there was no stateful at the time.

[00:06:24] Right.

[00:06:24] So if you created an outbound, it automatically creates the inbound today for you.

[00:06:29] Uh, in, in some cases, uh, if you have the stateful inspection.

[00:06:34] Cause you want to make sure that you're checking both what's coming in and what's going out.

[00:06:38] Um, but the firewall rules were outrageous and you had to be certified.

[00:06:44] Right.

[00:06:46] Right.

[00:06:46] So here we are.

[00:06:48] We're talking about data and we're talking about risk late nineties and managing to how you're mitigating risk to that data at the perimeter.

[00:06:59] And I know this is a long convoluted story.

[00:07:02] The point is it was very complicated.

[00:07:04] You make one mistake.

[00:07:06] You were better off starting all over from scratch rather than trying to find that mistake.

[00:07:11] Sure.

[00:07:12] Right.

[00:07:13] And so let's bring that to today.

[00:07:16] Right.

[00:07:17] So when we talk about risk inside of our organizations, we're all about everybody on that's listening is all about trying to find the easy button.

[00:07:27] By the way, it doesn't exist.

[00:07:29] Can we get close easy button?

[00:07:31] Yes, we can.

[00:07:32] That's because we do that by creating operational efficiencies inside of our organization.

[00:07:40] Now, in order to do that, we have to figure out the impact to our business.

[00:07:47] Right.

[00:07:48] Well, right.

[00:07:49] Be curious to know how many of your listeners have actually have.

[00:07:55] They've documented what their business objectives are for the next year, three year, five year, maybe even 10 year.

[00:08:04] I would, I would reckon to guess probably not many have taken it out that far.

[00:08:09] And even if they have done it when they started their business, three, five, seven years ago, is there still an alignment today with who they started out to be from an objective standpoint?

[00:08:21] Right.

[00:08:21] Because we know that the landscape of the ecosystem that is MSPs has flipped all of that upside down.

[00:08:28] Right.

[00:08:29] And, and so that leads to my next point, right?

[00:08:33] Which is what are the risks that are prohibiting you from achieving those business objectives?

[00:08:38] Well, first of all, if you haven't identified what those objectives are, then you're just place of love.

[00:08:44] Right.

[00:08:44] CJ place of love.

[00:08:46] Um, you're just shooting from the hip while, while, while.

[00:08:49] Right.

[00:08:50] And you're, you're using what we call MSP math.

[00:08:54] Right.

[00:08:54] So like labor overhead, cost of tools, profitability and Senate, right?

[00:09:00] Like it's, it's magic mass.

[00:09:02] Magic math.

[00:09:03] Am I making money at the end of the day?

[00:09:05] That's, that's really all anybody's asking themselves, but is it the right money?

[00:09:10] Is it the right amount of money in order to continue to sustain my business or to grow or to add new people or to add new tools?

[00:09:17] Right.

[00:09:18] In, into the mix.

[00:09:19] Can I take.

[00:09:19] Is there profitability without me?

[00:09:21] Right.

[00:09:22] So I would almost liken it to everybody still, I think to some degree has that break fix mentality while they're trying to also do manage services.

[00:09:35] Right.

[00:09:35] Uh, and because you're.

[00:09:37] And they should in some respects Wayne, because the reality is we, we created our businesses to solve problems that often involved putting chewing gum or string back on there to make it.

[00:09:48] Um, slightly less than it did before.

[00:09:51] Right.

[00:09:52] But if you understand the risks for your business.

[00:09:57] With standardized documentation policies that align to and mitigate most of the business risk processes that are standardized to make your team more efficient, more effective.

[00:10:10] You actually create a better bottom line revenue target that you can measure year over year, month over month, quarter over quarter.

[00:10:20] Right.

[00:10:20] As opposed to the wild, wild west, where you don't know what the heck is going to happen.

[00:10:25] You don't know how many hours are going to get spent.

[00:10:28] How much time is being taken up and you never seem to get ahead of anything.

[00:10:33] So right.

[00:10:34] That world in that wild, wild west world.

[00:10:36] How much are you actually protecting?

[00:10:39] How much are you actually protecting?

[00:10:40] Because I would argue you're probably not protecting a lot.

[00:10:43] You may think you're protecting a lot, but if you don't understand or have some idea of whether or not your existing security controls are being effective.

[00:10:57] Forget about your people for just a second.

[00:10:59] Right.

[00:10:59] But if you're also not being effective.

[00:11:01] Now I'm talking about your technology stack.

[00:11:04] Then how do you know?

[00:11:06] Right.

[00:11:07] Well, and don't forget that there's a, there's a misconception, I think, or a myth that says because we've evolved away from the on-prem and that legacy infrastructure of "it's behind a firewall" concept, that all I'm doing is protecting, quote, the endpoint; things that live outside of this endpoint ecosystem are no longer my responsibility.

[00:11:29] And we're seeing that really every day like, yeah, no, no, no, no, 365 handles that.

[00:11:34] AWS cloud handles that as opposed to I have a significant responsibility of ensuring levels of protection in each one of those locations.

[00:11:44] Well, and I love the fact that you brought up Microsoft 365, right?

[00:11:49] Because I would also be curious how many of your listeners are actually running the security report against their own Microsoft 365 environment, right?

[00:11:59] I know every time someone does run it and they bring it up, they're like, I had no idea. Fill in the blank.

[00:12:07] I didn't know that feature existed.

[00:12:09] I know.

[00:12:09] It was one that had to manage it.

[00:12:11] The toggle switched back off again.

[00:12:13] How did that happen?

[00:12:15] I digress.

[00:12:16] Yes, we all can poke the bear that is Microsoft, but at the end of the day, we all know that if it goes away, we have a bigger problem on our hands.

[00:12:24] Oh, for sure. Right. For sure.

[00:12:27] And I guess that's my point behind risk.

[00:12:31] Risk is always there for us.

[00:12:33] It's something we don't like paying attention to, but we have to pay attention to it in order for us to ensure we're doing the right things for our business. Right?

[00:12:44] So I'm not just talking to the business owners right now.

[00:12:47] No.

[00:12:48] This is, it's everybody's responsibility, because if you as a technician are seeing something that is not properly aligned to policy or to process, you better be saying something.

[00:13:00] Sure. The age old see something, say something.

[00:13:04] Exactly. Because if, if, if, if you don't have the proper things in place, or even if you do, if, if something's not aligned correctly to the way the business is supposed to be operating, there could be a bigger problem going on inside of your organization.

[00:13:23] And you may end up having a terrible, horrible, bad day as a result of it.

[00:13:27] Yeah. And I think you were, you were quoted in talking about some of this, like reviewing, you know, on an annual basis and talking about the, I think it was the quote was, you, I dodged that bullet.

[00:13:38] And, you know, with regards to like vendor and technology.

[00:13:41] And I think what's really interesting about that is we often don't, don't prioritize after a significant change inside our organization, new tech, new vendor swap to tech, you know, tool out for a different tool that does similar things.

[00:13:54] We don't, we don't re, we don't re-evaluate at that point in time, the policies process procedures because, oh, well, we do that annually.

[00:14:04] And it gets misaligned with the changes that are happening in the organization.

[00:14:08] And when that annual event does occur, it's no longer a, you know, update.

[00:14:14] It's a, over the course of this next year, we will be reworking what would have only taken perhaps a day, a couple hours, maybe a week, but has turned into this mountain of a nightmare because it wasn't addressed at the moment in time that we made the change.

[00:14:30] Right. You know, and look, we can, a perfect example of what you're talking about is, I don't care.

[00:14:40] There's two of them in recent history, one of which would have been LastPass and another one, more recent, would have been the CrowdStrike Falcon update issue.

[00:14:50] Right. That just hit the news again, because Delta did file the lawsuit.

[00:14:55] Delta Airlines filed the lawsuit.

[00:14:59] But, and I brought this up during one of the workshops.

[00:15:04] I think it was at ChannelCon, right?

[00:15:08] I asked the audience, how many of you were impacted by Falcon?

[00:15:12] Very few.

[00:15:13] I think only two people raised their hands.

[00:15:16] But then I asked another question of everybody else.

[00:15:19] Everybody else running a similar endpoint detection and response capability.

[00:15:23] And just about all the hands went up.

[00:15:26] Yep.

[00:15:27] I asked them, I said, did any of you use the Falcon as an opportunity to go back and look at your process procedures and ask your vendor what happens if that happens to you?

[00:15:44] Right.

[00:15:45] Because we, that was the whole dodge the bullet comment, right?

[00:15:49] I don't have Falcon.

[00:15:50] I didn't have to worry about it.

[00:15:51] No, no, no, no, no.

[00:15:53] That's not true at all.

[00:15:55] You absolutely still need to worry about it, just not to the level that they were dealing with.

[00:16:01] Or maybe they do.

[00:16:02] Because I asked a similar question.

[00:16:04] I said, if one of your vendor products involved in your current delivery of services required you to go sit in front of every endpoint you have under management, could you do that tomorrow?

[00:16:17] And if you can't, what's your game plan?

[00:16:18] Because this is bound to happen again.

[00:16:21] It was like crickets in the room.

[00:16:23] Like, no one spoke.

[00:16:24] And then the panel moderator goes, thanks for adding color to CrowdStrike.

[00:16:30] Well, we often get lost in the fact that I don't have that technology in my environment.

[00:16:37] This is my point.

[00:16:38] Right.

[00:16:38] You can use that as an opportunity to learn and grow inside of your business and mitigate risk you didn't even see coming.

[00:16:46] Since the opportunity to find risk.

[00:16:50] Correct.

[00:16:51] The opportunity to really look at the changes in the threat landscape aren't necessarily from threat actors.

[00:17:00] And that's where I think a lot of folks also miss the mark when it comes to cybersecurity.

[00:17:09] All it takes is someone inside of your organization to make a mistake, not tell anybody, and that mistake continues.

[00:17:16] Right?

[00:17:16] Yeah.

[00:17:16] And you see that with tabletop exercises where, you know, the first thing they jump to is a ransomware situation.

[00:17:22] Like, well, what about if, you know, you have a flood in the basement and you no longer are operational?

[00:17:27] Like, can you solve that problem?

[00:17:28] Because I think if you can learn to go through the motions well with your team, then it doesn't really matter what the event occurring is because the team's prepared to work together in a moment of stress and conflict.

[00:17:44] Right?

[00:17:44] Like, we don't know what's going to happen.

[00:17:47] Right?

[00:17:47] Like, you don't know.

[00:17:48] It may be this is the first time this has ever happened to any organization ever.

[00:17:52] And you were prepared not for that event, but you were prepared to address the event without panic, without the knee-jerk reaction, and to operate in a methodical way to not put you at more risk than is already there.

[00:18:06] Right.

[00:18:07] And one of the things I always talk about, and I know you do too, is it creates muscle memory.

[00:18:14] Right?

[00:18:15] So when, you know, when you do repetition of exercises or you practice, practice, practice, you already know the moves that you need to do because you know what's coming at you.

[00:18:26] Well, when something, an event, again, doesn't have to be cyber related, but an event happens, you want folks to be on their game knowing what to do, what the initial steps are right off the bat.

[00:18:40] You don't even want them to think about it.

[00:18:42] You just want them to do it.

[00:18:43] Right?

[00:18:44] Right.

[00:18:44] And that's what we mean by muscle memory.

[00:18:47] We want them to just think and do and know that it's the right way regardless of what's coming at us.

[00:18:55] Because it's going to take shit.

[00:18:57] It's going to take jaunts, side paths.

[00:19:02] And, but as long as the stock remains the same, we can take those paths.

[00:19:09] And we can do it more so with a clear head of thinking, not that emotional knee jerk that you kind of brought up.

[00:19:16] Right, right.

[00:19:17] Right.

[00:19:18] So shifting gears a little bit.

[00:19:22] The DattoCon event is taking place in Miami right now.

[00:19:25] And there was a big announcement this morning that they have acquired SaaS alerts.

[00:19:30] And I thought that was an interesting play.

[00:19:35] I don't mean that as in like you should or shouldn't acquire SaaS alerts, but SaaS alerts is one of maybe a handful of vendors in the space that specialize in detecting anomalies and weird things happening in cloud applications.

[00:19:51] From a technology standpoint and easy button, I think this is really interesting because from a risk management standpoint, there's real value in having tools like that.

[00:20:02] And one of the things that comes up a lot, and I'd love your thoughts on this, is, you know, having a tool that does X.

[00:20:10] Like I had someone say this the other day, can my RMM tool be my inventory?

[00:20:14] And I said, well, I think your RMM tool can help facilitate or help aggregate information about your inventory.

[00:20:22] But to say that it's your authority on your inventory is, I think, extremely dangerous just because it's only as good as what you tell it to go and look at.

[00:20:30] Right.

[00:20:31] And I think this is a similar scenario, right, where this is a really valuable tool that's being added into, you know, the K365 ecosystem as part of their offering, where you now have yet another thing to help go and, you know, send off an alarm bell because, you know, MFA is not turned on on a series of accounts.

[00:20:53] But what I'm curious about is, are we also getting into a state of technology overload for the MSPs as it pertains to overshadowing in a risk management process the people?

[00:21:08] In risk management, not process.

[00:21:10] In risk management, the process, the procedures, the people are becoming overshadowed with this idea around because we've batted this to the ecosystem, we're making it easier and easier.

[00:21:20] When in fact, there's no real evidence of that yet in the context of managing risk.

[00:21:28] It's another console to manage, right?

[00:21:31] And how many, I mean, how many consoles can any one individual stare at?

[00:21:35] Let's just be honest and truthful.

[00:21:37] One.

[00:21:39] I know, right?

[00:21:41] That's called staring.

[00:21:42] Look, and this goes for any organization, right?

[00:21:46] Any vendor organization that's doing mergers and acquisitions to help improve because that's ultimately what they're trying to do is help solve for problems smaller organizations have.

[00:21:59] To your point about the people side, right?

[00:22:03] I always ask myself this question, and you already know how we set this up from a risk perspective.

[00:22:13] It's people, process, and technology, and they go in that order for a reason, right?

[00:22:20] Yeah.

[00:22:21] Because contrary to popular opinion from a vendor community perspective, they want you to buy a license.

[00:22:31] Well, what if you can solve for your risk without having to buy a license, right?

[00:22:37] Now, I'm not saying you're going to solve for all your risk.

[00:22:39] That's not what Wayne's saying.

[00:22:40] But if you can start with your people and start mitigating risk at your people level, maybe you just need to swap two individuals in your organization and you can eliminate 50%, whatever the case may be.

[00:22:54] Then align to your process.

[00:22:57] Process aligned to people aligned to your business risk.

[00:22:59] Sure.

[00:23:00] To help you with your objectives, right?

[00:23:02] This is no different than what we talk about.

[00:23:04] I think the technology, when we jump to technology and we miss those two, we're not doing ourselves any service here.

[00:23:13] We're actually handicapping the organization.

[00:23:16] One, you're spending too much money.

[00:23:18] Two, you may not have the right people.

[00:23:21] Right.

[00:23:21] And three, now you've got to catch your processes up, right?

[00:23:24] On how you're going to integrate that tech into your business instead of doing it in the right order and sequence and using technology to fill a gap.

[00:23:33] But here's what I'll say about this particular instance.

[00:23:37] And this goes for any technology, by the way, that you're looking to solve that gap for.

[00:23:43] As long as your people know how to operate without that technology and it can still fun, you know, you still have that safeguard without the technology, then you're okay.

[00:23:56] Right?

[00:23:56] Right.

[00:23:58] You know what I'm saying?

[00:23:59] Because your people have to fill in when that technology is not available.

[00:24:03] Well, and I think it's important to point out, I don't remember who I heard say this.

[00:24:07] They were talking about technology obviously being important in your ability to mitigate at some level risks to the organization.

[00:24:14] But it kind of went down this path that said, at the end of the day, you're only going to get to reducing it down to 50%.

[00:24:24] So no matter how many tools you throw at this, the pile them on top of each other, no matter how many you use, you're still only going to get it down to 50%, which means there's still a 50% probability that it is going to happen.

[00:24:36] And most of us are looking at more of how do we prevent and how do we minimize what's going to happen inevitably.

[00:24:46] And the better equipped your people and processes are is going to supersede the ability for a technology to minimize your, quote, blast radius than what people in process can do to minimize blast radius.

[00:25:00] Right.

[00:25:00] And so let's just define what that blast radius is, right?

[00:25:04] Like that blast radius is the impact on the organization.

[00:25:08] Right.

[00:25:09] And it's not a, it's not a positive impact by the way.

[00:25:12] Right.

[00:25:13] So you want to keep the, you want to keep that blast as contained as possible, as small as possible.

[00:25:21] I would, I would liken it to a grenade as opposed to a mortar shell.

[00:25:29] Sure.

[00:25:30] Right.

[00:25:30] Or even a nuke coming in.

[00:25:33] Right.

[00:25:33] You don't, you don't want to get to, you don't want to expose yourself to the point of not being able to protect yourself.

[00:25:39] Right.

[00:25:40] You, you, you want that, you want that lob coming over to be a grenade that someone can fall on.

[00:25:45] And, you know, it's a little, right.

[00:25:47] If you watch the movie, you do not want it to be anything bigger.

[00:25:54] And you don't want to find out that you weren't protect, you were protecting for the grenade and not the nuclear scenario.

[00:26:02] Right.

[00:26:02] Like you don't want it to suddenly be that, oh yeah, we didn't think about that.

[00:26:06] Like, and again, there's no perfect.

[00:26:09] No way to do this, but.

[00:26:11] Well, risk is very subjective.

[00:26:13] Risk is subjective between you and me.

[00:26:16] And it's also subjective between the organizations themselves.

[00:26:20] Right.

[00:26:20] And I think that's where things like the Trustmark come in because those are not subjective.

[00:26:25] They are objective.

[00:26:26] And the approach to, I hate saying this, security does matter in your risk management process.

[00:26:34] Right.

[00:26:34] But if you're doing security correctly, you're, you're focusing on the objective things that you can do that are clearly defined from a prescriptive nature that can be improved over time to be saved best practice as opposed to a minimum baseline.

[00:26:49] And I think maybe for the few minutes, four or five minutes we have left, you know, there's two things that we don't see in really any framework that's out there that make the CompTIA Cybersecurity Trustmark stand out.

[00:27:00] And that is, and you mentioned this in the article, you were talking about a cybersecurity culture first approach, like cybersecurity needs to be, and you know, every conversation should have some level of conversation that contains cybersecurity in it.

[00:27:15] And I think that's one of the areas where I believe the Trustmark helps governance and leadership, which in my humble opinion is largely not about cybersecurity.

[00:27:25] It's about the ability to craft appropriate policies.

[00:27:29] It's about the ability to get your organization to say, hey, when leadership says we need to do something because it's best for us and our clients, that unless we have a reason to articulate why it's not.

[00:27:41] We should more or less keep our mouth shut unless we're finding a way to improve upon that process or procedure.

[00:27:48] You don't see that in most frameworks where there's this energy around leadership embracing this approach to getting everybody engaged and involved in it being a thing we do together, as opposed to being just told to do it.

[00:28:05] Right. And that's absolutely true, right?

[00:28:07] Which is why we tackle this from a risk-based perspective and not a technology-focused perspective, right?

[00:28:13] Because if we, and this is universal across even the clients, you talk to them about a business challenge that you're trying to help them with, not trying to solve for something they don't necessarily need from a technology perspective.

[00:28:27] They're going to listen to the business side.

[00:28:30] Yep.

[00:28:31] So when we talk about risk, we're talking about the business side of things now.

[00:28:35] And for some of your listeners, that might be a little bit more foreign because they probably don't have a lot of that experience today, which is where we can actually help them in the process of gaining that experience around business acumen to better understand business risk and how it really relates to your business first or the business as a whole.

[00:28:56] And then you can, you start working on this inside of your own organization.

[00:29:01] You're a lot more comfortable having those conversations downstream with your clients.

[00:29:05] And I would argue even your vendors, right?

[00:29:08] Because now you're like, hey, hey, you sold me this.

[00:29:13] You told me it would do X, Y, and Z.

[00:29:14] It's not.

[00:29:15] So what is the plan for us to accomplish and get rid of some of this risk that it's bringing into my organization?

[00:29:22] Wickedly different conversations, right?

[00:29:24] Absolutely.

[00:29:25] And I think at the end of the day, this is where, and we've all been there.

[00:29:30] CrowdStrike was brought up.

[00:29:31] We talked about SolarWinds.

[00:29:32] We've talked about a lot of different vendors having bad moments in history, right?

[00:29:36] And the future obviously is going to have some of those same bad moments for different vendors or even the same.

[00:29:42] But you hear this time and time again.

[00:29:44] I'm leaving vendor X because of whatever happened.

[00:29:46] And they're doing it in a knee-jerk fashion, which says, are you setting yourself up for a far worse scenario by the jump in your own organization today, regardless of what happens to those vendors?

[00:29:59] Because you don't have the proper setup with your people process and the ability to deliver on those things.

[00:30:07] But I saw one the other day that was really interesting.

[00:30:11] They jumped ship from an RMM vendor to go to another one.

[00:30:14] And the biggest hurdle that they are currently going through is the features that they had don't exist in the new vendor product.

[00:30:23] But they spent years developing.

[00:30:25] Right.

[00:30:26] And so you have to look at the overall risk to the organization.

[00:30:31] Does this make sense?

[00:30:33] You have to pull emotion completely out of it.

[00:30:35] Quit listening to the barracks lawyers.

[00:30:37] For those of you that are former military, you know what I'm talking about.

[00:30:40] And assess to your own organization, right?

[00:30:45] Yeah.

[00:30:45] You need to look at the risk.

[00:30:47] And not just the risk that's in front of you from that vendor.

[00:30:50] You need to look at your people, your process, your other technology from a time, talent, and treasure perspective.

[00:30:59] And that's where the business conversation comes in, right?

[00:31:03] Understanding your business to the point where you know my time, my talent, my treasure are all going to be impacted more if I change than if I just stick with the devil I know versus the devil I don't.

[00:31:16] Because nothing's stopping that new vendor from having the exact same challenge tomorrow.

[00:31:22] Right.

[00:31:23] Well, I think that's a good stopping point, Wayne.

[00:31:26] I think that pretty much covers, in a nutshell, risk management.

[00:31:31] I think you actually just captured the five modules of the risk management workshop in an under five-minute delivery.

[00:31:39] So, we're going to have to rework that workshop because it shouldn't be summarized.

[00:31:44] No, I'm just kidding.

[00:31:45] For those of you listening, this has been an episode of MSP 1337.

[00:31:48] Thanks and have a great week.