thank you for tuning in to the talk show
i am andra hedden today i am joined by
the one and only david powell thank you
for joining hey great to be here it is
great to have him and i'm so excited for
the conversation that we are going to
tap into today really quick if you do
not know david he is an industry
veteran today we're going to talk about
security and why he is the perfect
person to have in this conversation he's
had 20 plus years in the space he was
with three of the top 25 msps had a
couple of stints also with vendors so he
has a plethora of information to talk
about and some great stories he's a
great storyteller so you'll see a little
bit of that today also so this is going
to be this is going to be great so we're
going to tap into security as i
mentioned and really why the
conversation is so important right now
so start us off so yeah what does that
conversation look like right now around
security msps the vendor space tee us up a
little bit so security's really scary
right is that i think the misperception
a lot of people have is that if in your
neighborhood if somebody's house got
broken into the facebook page would
light up people start texting their
friends the homeowners association would
come out and tell everybody hey there's
a break-in be extra vigilant all this
kind of stuff and no one would have like
any negative thoughts about oh their
house got broken into hahaha right well
in the business world everyone thinks
their business is in like a nice part of
town when it's really in like the worst
part of town right because no one's
talking about businesses getting
breached and having cyber security
problems there's like a stigma related
to that so the business community's been
kind of quiet about it so this is false
sense of security in the business
community that oh well no one wants my
stuff i'm too small when really everyone
is getting breached the news is filled
with story after story or story of
companies being breached but no one's
really kind of connecting those dots
that it's well the people next door to
me and the people down the street from
me it's people like me that are getting
breached so the awareness is
kind of there but it hasn't quite
translated into like action so you've
got a lot of people who know the risk
but it's this kind of ephemeral specter
out there where they can't get their
arms around it it seems big and scary
but they can't like necessarily put
their finger on what is it they don't
know what to do to start it right so
your large companies have security teams
focused on that small to medium
businesses don't they have msps that
they rely on absolutely so now they're
trying to figure out what do we do and
it's up to the msp to come in and say
hey here's what we think you ought to do
to improve your security posture so i
have not heard that type of analogy of
the what neighborhood is your business
but i think the thing i think is really
interesting about that is the whole
thought of oh it could never happen to
me right i think that i think one of the
things you're tapping into just like in
a neighborhood where oh well it's not
gonna happen to me i live in a great
part of town so you don't hold it
against others to not have a security
system or have the most intricate you
know alarms but when it comes to
business the stigma that you're
mentioning it is kind of a hush hush of
okay it's not gonna happen to me and
then we're we're we've got some things
in place we think we're taken care of
and so talk to me a little bit about um
the conversation around it and then two
how you think that msps should start to
have that conversation internally for
themselves and then how they should
start building something something out
to right to market so the conversation i
think most msps are having is wrong yeah
okay a lot of them are going to go what
i call scare and sell so they're going
doing an assessment and then they're
coming in with this binder and saying
andra here's all the stuff you suck at
you know you're like yeah so the way i
kind of use it as an example to try to
get sales people to move away from that
is this idea like you know you've got
two great boys and if you went and
talked to a financial planner and said
hey we're ready to start planning for
college they're gonna say great you
gotta save five thousand dollars a week
and also if you go whoa i mean there's
no way we can make this happen and so
instead you're like oh forget it we'll
just take out a bunch of loans and buy a
big screen tv on the way home so feel
better right instead
hey can y'all just not go to dinner once
a week let's start there and put fifty
dollars away a week and build this
little plan so what happens similarly is
that msps go in and talk to their client
and they give them like here's all the
millions of things you gotta do and
somebody hey here's three things let's
focus on these three things we get those
done i'll give you three more and focus
on those so you got to give them a path
to take this actionable because what
happens is that when you scare and sell
it the bridge seems so it's a bridge too
far so then their like inaction
comes from that not action and you
really just want to get on this journey
right get on this journey so that's
where i think sales people for msps
really kind of struggle with that the
second thing is they're really really
really concerned about how to overcome
this objection that if you're my client
and i'm the msp and i come in and say
hey andra i'm here to talk to you about
cyber security and you're like whoa
aren't you doing that for me already
right and now all of a sudden because
people equate technology and cyber
security as tied together and what does
an msp do well they do about technology
so therefore they must be doing my cyber
security right and it's really a whole
different conversation around risk and
risk mitigation and all this kind of
stuff so you have to go oh wait now we
do some of that for you let me let me
explain what we do do for you patching
an antivirus and stuff like that but
here's all this other security you need
to be considering and have that
conversation that sales people are
scared because they don't want to be on
the receiving end of like whoa wait a
minute i thought you're not you're
already doing that so talk to me about
really quick talk so so take it back to
the msp for a second so so obviously
sales teams we always say you know a
sales person sells what they know best
right a lot of times sales teams are
scared to have that conversation as well
because maybe the msp doesn't really
have their fully baked security strategy
in place so so one do you think that
msps are doing this right for themselves
do you think that they've got a great
security you know are they eating their
own dog food are they actually
practicing what they preach talk to me
about that for a second and then i want
to go deeper into what they can do and
offer you zero chance most msps are not
doing this well at all right and so the
analogy i like to use on that is
you know if i wanted to get into shape
and hired a personal trainer right and
so i get all my new gym clothes i went
to lululemon and got me some stuff you
know some guy stuff and you'll look all
ready to roll down at the gym and then
here comes my personal trainer and he
weighs like 400 pounds he's sweaty he's
shoving a big mac in his face and
washing it down with mountain dew i'd
be like i'm not listening to a word this
guy he has to say right is who takes
advice from a 400 pound personal trainer
who's slobbingly well that is
unfortunately the msp going out talk to
their clients they're the 400 pound
personal trainer as they're going out
and saying hey you need mr client to
improve your cyber security and you need
to get you know improvement in these
areas but they haven't done any of that
themselves right they've taken their
scarce resources their security experts
and they deployed them appropriately
into revenue producing activities
absolutely but they've ignored their own
environment so i feel like it gives the
sales people a lot more credibility that
if you go through that process of
self-assessment first so take your
security guys and do all the things and
be real open and honest with the rest of
the company around what you're doing
then the sales team can see how that
process plays out so then they can go
sit down with a client confidently and
say hey andra let me tell you we just
put ourselves through this and we
thought we had this thing lit and we
found some things we had to improve let
me tell you how that process played out
in our own environment and then how this
would play out in yours and then it's a
little more vulnerable it draws them in
a little more and it walks them through
what the process would look like
that you did yourself and it gives them
comfort knowing that you have done the
things that you're trying to get them to
do and back to the other thing that you
said too about the if if
if you are going in too heavy right if
you're if you're leading and you're
going too strong into that sale and
you're saying hey these are all the
things you need to do this is everything
in your security practice that you
should have they're going to
procrastinate they're going to be scared
they're going to be overwhelmed it's
going to be too much
but with what you're just saying if you
say hey we we just did this it wasn't so
bad and and this is what we found out
and we actually found too even though we
are in this space we found here were some
gaps and this is how we filled them and
so no i love that and then back to the
the sales rep they get more confident
and then they can sell it better as well
so i think those are some great tips so
do a quick internal audit if you haven't
already done this internally and and i
think those are some great tips for how
they can get in place and i think that
take them on the personal trainer right
is it the personal trainer some people
want to run a marathon some people just
want to lose a little weight some people
want to run a 5k right and you tailor
your plan
accordingly and nobody one day goes from
the couch to running 26 miles right so
there's a process in between no one goes
from the couch to run a 5k there's a
process in between so how do you give
them a process that's executable against
this goal depending on their risk
profile and risk tolerance maybe it's a
5k maybe it's a marathon
but you got to give them an actual plan
so how do you come alongside them as a
personal trainer like hey let's go run
them all together
right as opposed to just like here's all
the things you got to do and then
there again inaction results
absolutely no and i think that's such an
easy way to explain that so thank you
and and on on the flip side of that now
okay so if now you're teed up david's
giving you all the little nuggets to
start the internal process so now let's
take it to the flip side so let's if
we've got everything internally set up
we did our internal audit we know where
we stand we filled our own holes our
sales team is ramped up we feel good
talk me through what it looks like to
start to put together a security
offering a secure is an offering yeah
show me tell me and and tell everyone
tuning in
where we should go from here yeah so i
think there's a couple ways to think
about that one is are you are you
creating an offering or a practice right
so an offering would be we need a
multi-factor authentication offering
right so i have my standard core msp
set of offering you know and some people
have precious metals pricing or whatever
and good better best whatever it may be
and then we're going to have
multi-factor authentication with a layer
on top or advanced threat protection or
whatever it may be as an offering so
that's fine and that's a great
intermediate step and that's usually
vendor driven we select a vendor and
that vendor provides this thing for us
that we sell out and then i think most
sophisticated msps really kind of move
into that practice okay where they have
a practice of security where maybe they
can do the assessment beforehand maybe
they have skills in that and they have a
suite of offerings that they can offer
depending on what the client profile
looks like so what is their risk
tolerance what's their compliance
regulatory environment and that's really
in the kind of classic challenger model
that teach tailor take control is i want
to teach you like hey andra here's
what you maybe didn't know that these
regulatory requirements require of you
okay and now i'm going to tailor my
offering is like okay so here's
based on these check boxes you have to
check these 10 things that i'll offer
will check these boxes for you and then
take controls like and we need you to
act you can't sit where you are you need
to move so that idea of kind of coming
in and understanding hey here's what
their whole scope looks like here's what
their profile looks like here's what
their risk tolerance is here's what
their compliance or regulatory
environment looks like and then how do i
build a suite of offerings that's
flexible enough to meet what their
requirements are and you know there's a
whole bunch of different things in there
i mean that can be you know cisco
umbrella that can be multi-factor
authentication that can be perch which
is what we do you know it's a siem we
have a soc that goes with it and so
there's all these different things that
you kind of layer in that stack
um that are applicable to some all most
whatever your client profile looks like
based on who you serve
do you have recommendations as far as
you mentioned a couple if if partners
are sitting there right now going okay
we're getting into this game we want to
be a you know a managed security
provider as well
what other you know vendor names do you
think should be in that stack obviously
perch you know
pieces of cisco anything else well
there's a bunch but i'll say it really
kind of i mean as much as i would love
to give you like a full name it really
depends on who are your clients right
right so if your clients if you focus on
healthcare hipaa has some specific
requirements right and so perch checks
those boxes because
those require log
um log aggregation log reviews stuff
like that financial services has some
cmmc
has some so i think it really kind of
depends on who do you serve should
determine what your suite is exactly
because if you build the stack and then
you go out that may or may not meet the
demands of what your client base looks
like so take your client first and say
okay what do we need to do to serve them
and then build your stack out of line
based on that yeah no i love that that's
a smarter so so so
building a practice yeah is is the
direction that that partners should take
so which i love so you've got the the
offerings are however you decide the
precious metal it and and however your
tiered programs look and then how do you
i want to go back a little bit to that
conversation that the sales rep that's
scared to have the conversation how do
you
think that a successful savvy sales rep
can position that chat with a current
client when you're upsell cross-selling
right you want to start and expand into
the clients that you already have versus
necessarily going out and finding new
that's always wonderful but you can go
deeper with the current ones you have
how do you advise or how would you share
with our partners to to not be afraid of
that conversation and here are some
quick lead-ins to how you can have that
conversation without being worried that
you're going to end up in an awkward
situation because they thought you were
already doing it it's a business it's a
business conversation for business
people okay right is i think that the
problem in lots of companies is they
view
cyber security as a technology thing
when it's a risk thing right and
all of us have to factor risk all the
time i'm in a hurry but i'm also more
likely to be in a car accident if i
drive above the speed limit but am i
going to accept that risk to get there
on time or i could be a little late i
mean people
people plan for address and mitigate
risk all the time right and that's not
usually what the technical contact at
your msp
client is prepared to have that
conversation right they think in ones
and zeros and blinky green lights it's
like that so you've got to go have that
conversation with the business person
and then the education component has to
be
there you have to educate them on okay
here's what this looks like and then i
really feel that you need a story to be
able to tell them of how a breach would
happen so that they can see themselves
inside it because right now there's not
a good way to make it like real
so you know if you went to you know like
a
women's self-defense class right and
they would talk to you about okay you're
walking across the parking lot after
coming out of you know the store and
you're walking this guy comes up behind
you grabs you behind the neck what do you
do and they like teach you you know what
to do you need to think through what
does a cyber security breach look like
here right and so someone has got
compromised credentials they have done
this they've done this they've done this
and all of a sudden being like oh so
that's how it happens you have to take
it from this like big scary thing that's
hard to wrap your head around put it in
the day to day and tell them this is
what this would look like you're going
to come in one day and 250 000 are going
to be out of your account you're going
to wonder why because your accounts
payable clerk wired the money who they
thought was you yeah but it wasn't you
mr ceo it was to some bad actor
somewhere so lots of times i feel like
we don't do a good job of telling the
story that the client can see themselves
in
that makes it real and then they're like
uh i don't think i have a response to
that i don't think i have a plan for
that i don't know how i would address
that what do i do to keep this from
happening to me absolutely i think i
think one of the so
in putting things in that in that real
term and the day in the life of whoever
it is that you're talking to is so
incredibly important and one of the one
of the pieces i'll tag that into the the
the communication lead gen piece as well
because it's it's that constant you know
figuring out how you need to turn that
conversation for them and then dripping
that to them as well having that sales
conversation but dripping communications
so that they can really start to
understand whether it is a particular
area so back to you know sending
communications saying look what happened
at your neighbor business look what
happened over here so that they can
start making it seem like wow it could
happen to us it's not just someone over
in a different state that we never come
for a big business so talk to us a
little bit about the you know
it seems like big businesses have got it
all figured out right you would think
large enterprises they've got these
massive security teams how do the
smaller businesses right or the smaller
msps figure out how to get these
practices up off the ground to be
competitive with security yeah so i
think you know the misperception with a
lot of small businesses is that who
wants my stuff right but if you and i
say we're idiots we decide we want to
rob a bank okay right so
i don't know if you've ever been in like
the downtown bank of america building in
downtown charlotte but it has facial
recognition
it has armed guards are we going to pick
that one or are we going to pick the
smallest bank in the most rural town of
florida cheeto where the closest cop is
an hour and a half away or something
like that you know so when people think
that well i'm too small that's a false
sense of security because if i'm a bad
guy do i want to go after
the the armed bank or the one that
nobody's looking at you're the one that
nobody's looking at so
and if i break into enough of those
banks
then there's a lot of money whereas you
know maybe the bank of america has more
in one but if the effort to break into
50 is pretty low well then maybe i've
gotten a lot more money with a lot less
risk from
that so i think that the getting guys to
realize okay it's not about being small
it's not that your stuff isn't valuable
because you know is 250,000 important to
your business a lot of small businesses
if they had to pay a ransom of 250,000
or someone had been phished and
erroneously wired 25,000 250,000 for a
small business is a lot of money and i
know
i mean i could rattle off countless
companies that have been in the middle
of that i'm aware of a mortgage company
and they had money in escrow and stuff
and the bad guys were sitting in their
email just watching it was time to wire
the money to this law firm and these
guys have gone out and bought the domain
the bad guys have bought the domain that
looked just like the law firm but they
used a capital i instead of an l
and so they even looked and well that
looks like the name of the law firm and
so they wired the money to the wrong
place right but the bad guys that sat
there they had looked at all the
transactions that were coming through
for months
and waited for one day when they found
the right thing and that's 250 grand
right and so that's a pile of money to
your small to medium business that's the
difference you're making payroll and not
making payroll so you just have to think
is you know the scale is different but
the impact is probably greater in the
smaller space you know that's a rounding
error for bank of america definitely no
absolutely and that's and i i love that
tip for anyone tuning in too because
even if you don't have the stories to
tell you can use these examples and and
share different things that that you've
seen happen or heard happen and use that
in your in your pitches in your upfront
conversation so that when you're going
out to find that new business it's it's
it's
really made apparent how lethal this can
be to a small business and it's not just
the targets of the world it's not just
the banks of america that hackers are
going after and
that's story collecting so ask your team
hey what what have you heard about what
have we fixed that stuff and gather
those stories and then socialize them so
that everyone has those and you're not
just kind of making it up on the fly
what about
what about from a standpoint of
other trends that you're seeing that you
think would be important for any partner
watching right now to be taking
advantage of
yeah so uh the big ones are increased
regulatory environments everywhere so a
big one that just came out in january
this year is called cmmc
and cmmc is a standard for dod
contractors
and it basically says it has the
elements of nist 800-171 plus other
stuff okay and
it's interesting is that it used to be
where if you came online and you didn't
meet a certain standard you could put it
on your plan of action and measurements
that's your poa&m and say we don't we don't
do that now but in eight months we'll
have it done now cmmc is a pre-award
certification so you have to prove that
you have it done beforehand and it is a
mad scramble anyone that does work with
the gut with the dod is on it has to
comply with this and it is a crazy
scramble to get assessed and all kind of
stuff so there's i think there's a lot
of opportunity in cmmc there's a lot of
uncertainty in that and it is a kind of
a hot space where people are looking for
help interestingly the dod has had an
initiative in like the last decade
around supplier diversity we don't want
to just want to be raytheon and northrop
grumman we have a lot more vendors and
so they got a bunch of mom and pops
right and now i have these mom and pops
that have to adhere to the same stuff
that raytheon and northrop grumman wow
so it's a big it's a big deal so that
and then i really think that you're
hearing a lot more around um
how do we get the smbs to improve their
cyber security profile and so the
government regulatory bodies have gone
and looked at smbs and like well they
don't have an i.t team so they have to
then come to the msps and so
i wouldn't it would not surprise me at
all if there becomes like standards for
msps that they have to adhere to um so i
think that the more you can get ahead of
that from a security standpoint the
better off you are but i'll also say the
talent is really kind of hard because
it's a different type of nerd you know
yeah
your typical msp nerd is that in the
most loving the nicest way possible i
actually asked our team at a prior i
mean do you prefer nerds or geeks
against nerds
and um but you know your typical msp
nerd might be a scripting guy that he
learned python on the side or something
like that but they're going to be route
and switch and server and
vmware those kind of guys your security
guys are entirely different
kind of dude right um and so where do
you go find them so that talent is
scarce where you may have a guy on your
team that just kind of learned python
and scripting on the side right no one
just learned security on the side right
right so you're going to have to figure
out how can i dedicate headcount to this
and bring some headcount in to bring
that knowledge
um to there or it's just going to be a
really long gap for your internal guys
to kind of get up to speed you know on
that so i think you probably need to go
hire some talent internally
because the winds are definitely blowing
to where the small to medium businesses
are going to have to meet certain
requirements
just because they're they're at risk too
much right now and governments and the
banks and all kinds of stuff we're kind
of tired of dealing with them getting
breached
so i so i love this i hope you do too um
so these are all amazing nuggets and and
i hope that this has been really really
really helpful before we part and i
think we could talk about security for a
really long time um but before we we we
tune off
talk me through some some
quick tips anything else that you want
to share any stories you want to tell
anything that you think is is pertinent
that that partners would need sure
so i think the most important thing is
at msp
i've talked to hundreds and hundreds of
msps over the years and they tend to get
to a certain spot and they kind of stop
okay and i'll always ask them you know
and they'll tell me kind of where they
are and i'm like ah it's the charlie
story so okay uh the charlie story
charlie's for it the charlie story so
charlie was a guy that worked with me at
a place called tech links and charlie
was our best pre-sales engineer he was
our best implementations guy he's our
best tier three support guy he was just
the best charlie surprisingly only
wanted to work 40 to 50 hours a week
right and so we reached this point we
couldn't scale past charlie so we put
him on pre-sales and tier three suffered
we put him on tier three then pre-sales
suffered or implementations and so we
realized that we needed to scale charlie
so the way that we talked about it was i
said okay imagine if charlie opened a
restaurant and his best dish is grouper
and grits right so the first night 20
people come charlie can plate 20 grouper
and grits the second night 40 people
come he's kind of running around crazy
but he can still get it done the third
night he hires david and andra to come
in and help him but the restaurant
people are not coming for david and
andra's grouper and grits they want
charlie's grouper and grits so how
does he create a recipe that if you're
making it or i'm making is exactly the
same that he did and so it's his
conversion from people to process right
is that you've got to stop selling
charlie and our sales team was great at
selling charlie hey andra charlie will
take care of you and you're like oh i
like charlie that's gonna be good
instead they had to grow like pivot
towards the process like here's what's
going to happen once you sign once you
sign you're going to get a call from our
onboarding team we're going to get
assigned an onboarding engineer
and you lay out this process and then
you're looking at going okay i can trust
that process is going to yield the
result i want i don't have to be
dependent on this guy right so most msps
that struggle with scale is because they
can't scale past their charlie whatever
their charlie's name is is that charlie
is the cog and they look at charlie as
an asset they'll talk glowingly about
charlie their charlie but what they
need to do is figure out okay how do we
recipize right what he's doing
so that we can um put that off so if you
said what's about one great piece of msp
advice it was it's how do you have a
process that delivers the results
instead of the people that deliver the
results so that people become plug and
play not that they aren't awesome and
you don't want awesome people but you
got to have an awesome process to plug
awesome people into i think that is
amazing advice so i i really hope that
some of these nuggets resonated with you
so
process over people making sure that
you're actually having
practices not offerings and there's just
there's so many good things that david
just tapped into and i really really
really hope that this challenges you and
inspires you to go and perfect your
security offering and practice and and
putting it into play so if you've got
any additional questions feel free to
reach out we will make sure that they
get answered for you and thank you for
tuning in thanks