INCH360 Panel: Working with MSPs or Outside Cyber Services

Welcome to the Cyber Traps podcast.

Today we have a very
special episode for you.

I am your host, Jethro Jones.

We will be talking about the
Inch 360 conference that took

place in Spokane, Washington.

This conference is a must attend
event for cybersecurity folks here in

Spokane, Washington, and it was a great
opportunity for me to connect with

cybersecurity folks here in Spokane and
learn about a lot of things that are

going on in the world of cybersecurity.

Right now, this episode is one of
the sessions from the conference.

I hope you enjoy it.

This session is titled: Working with
MSPs or Outside Cyber Services.

Alright, we're gonna
get started everybody.

So, I'm Nolan Garrett, I'm the CEO
and founder of Torchlight and you may

have also heard of us as Intrinium.

It's a company that does managed
security, managed IT and cyber

security consulting nationally.

Um, based here in Spokane actually.

Um, I want to start with, you
know, just thanking Heather and

Drip7 and all of the sponsors.

Thank you so much for
putting this together.

Uh, really appreciate it.

Uh, I've heard a lot of great
things from the various people

I've spoken to about how great
this event has been, so thank you.

And also, just a note, I didn't think
very clearly, um, don't heckle the

primary coordinator during their
talk if you have to go after them.

So, please be nice to me, Heather, don't
heckle me too much if, if you could.

Alright, um, we're going to jump
in, um, I'll have you each kind of

introduce yourself, and then we'll just
go through some questions, uh, we'll

open questions up to the audience, and
um, probably wrap up, because we've

got about 30, 40 minutes to do it.

So, uh, if you'd like to
start, John, go ahead.

Well, I'm right in line,
so that, that makes sense.

Uh, my name's John, uh,
John Hansman with Truett.

We're also a managed service
provider, cybersecurity consulting.

Uh, one of the things that differentiates
us, uh, is we are, what we, what I call

a full stack only managed IT provider.

So we really do everything based
on risk assessments, what we find

there, and then create a plan, so.

Oh yeah, you have your own mic.

I am Sahan Fernando.

I am the Chief Information Security
Officer for Rady Children's

Hospital and Health Center.

Uh, we are the largest pediatric
health system in California.

Uh, not sure outside of there.

And uh, U.S. News and World Report
Top Ten, uh, for peds overall.

Uh, prior to joining Rady, uh, I
worked locally actually with, uh,

Nolan and a few others in this room,
uh, doing everything from working

in the security operations center to
incident response and engineering,

uh, architecture, uh, janitor duties
and, um, a few other things probably.

Uh, I also, uh, serve on the
board for the health ISAC.

And do a few other things here and there.

Uh, I also coach at
Gonzaga for men's rowing.

And a couple, you know,
extra things to Sahan.

I approached him over the weekend
when, uh, somebody wasn't able to

make it and asked him if he could,
you know, pop in and do this.

So thank you for changing your schedule
last minute to make it happen for us.

Bryce?

Um, I'm Bryce Lemming.

I'm the Public Safety Systems Manager
for, uh, Spokane Regional Emergency

Communications which is our 911, um,
phone system and dispatch center.

Um, I've been in IT for about 20 years.

I started my career in the military, and
then moved to, uh, the private sector.

I worked for a wireless internet service
provider for a couple years, and then

after that I moved into public safety.

And, uh, I've been working with
SREC for, uh, that's what,

that's the acronym for it anyway.

Awesome.

SREC.

SREC.

Yeah.

Awesome.

Um, for 13 years.

Awesome.

All right.

Let's uh, let's hop into some of
the questions here and then we'll

open some up to the audience.

So, um, question number one, in the
current digital landscape, are cyber

security add ons like training, password
management, uh, email filtering, are

those things essentials for businesses
that have more than five employees?

What's your perspective?

I think, I think we should ask the
crowd after we had all these sessions

because I think if you've been
attention, the answer is yes, like it's

a resounding yes, you have to have all
those things if you're in business today.

Yeah, absolutely.

Any other feedback, comments?

Yeah, sure, yes, um, yes, of course,
especially if it's a small, small

organization, like, we're pretty small.

We have, we have, um, four people in
our IT department, including myself.

So, um, there's a lot of gaps there.

So we have to fill those gaps and, and
a lot of expertise that's, you know,

that's directed towards specific systems.

So, um, it's good to have an
outside, you know, look at things.

So I think that's very
important, for sure.

Yeah, absolutely.

I know one of the questions, uh, in
the previous panels, you know, was

talking about how do, like, SMBs,
small businesses or startups, you

know, figure out how to implement
security, you know, from the ground up.

And, you know, one of the things that,
that I've definitely identified is, you

know, the small businesses tend very
much to really focus on trying to get the

business off the ground or be profitable.

And in some ways, they almost
get the short end of the stick.

I've heard this terminology on LinkedIn
and Twitter about, or I guess it's

not Twitter now, Um, you know, about
being at the short end of the security

poverty line if you're in the SMB, right?

Like, all of the enterprises
have the money to spend.

And if you're in the SMB world, you
have very limited resources, and I

think that your service providers are
going to be a very big piece of who's

going to bring that to the table for
you and bring an enterprise level of

quality, um, to something you probably
couldn't do on your own, for sure.

Um, you know, going on from there,
you know, some vendors, they kind of

downplay the need for comprehensive
cyber security, uh, to remain

competitive in pricing, because SMBs.

How does this approach contrast with
the evolving nature of cyber threats?

I mean,

information security is, is, is a
science of risk management, I would say.

And so, if you're saying that
that's not part of your competitive

advantage, I think that really
discounts the idea of availability

of whatever it is you're offering.

Uh, right?

I mean, for those who aren't familiar with
the CIA triad, that's confidentiality,

integrity, and availability.

And those components,
balancing all of that, right?

If we're not balancing the risk
that includes the administrative

and technical controls and the
appropriate investments commensurate

with the risk we're talking about.

Uh, I, I think that's really, you're,
you're assuming more risk than you're

probably comfortable doing so and doing
it in an unknowing way is even worse.

Well, I guess the question becomes,
are you making your decisions

based on risk or on finances?

Sometimes you walk into, and of course I
talk with small business owners all the

time, and you run across some who say,
I'm going to make this based on what's

best risk level for my business, because
I'm collecting information, because I

don't want to get hacked, because I don't
want to lose my business to this stuff.

And then you have people who say, I
just don't want to spend the money.

And, and so the, the question
is, is like, if you're talking

about, Cybersecurity and Risk.

We've just said, we saw, like
Whitworth, I was impressed.

They had a lot of stuff in place, and
they still had a really big incident.

So, what if you have nothing
in place, and you get hacked?

Is insurance going to cover it?

There's those kind of questions.

I think you have to, like, be real about
what's happening in the world and ask.

Ask yourself, is getting
the best deal worth it?

Yeah, absolutely.

You know, I'm going to jump to a different
question because you mentioned it.

What do you think businesses can
do to effectively bridge the gap

between cyber security insurance and
security operations center services?

And how do you feel MSPs play a
role in that, and at what level?

Yeah, I think that was my question.

So, um, we went through that.

We just recently acquired our SOC.

Um, and we, we have managed
services through another vendor

that's separate from our SOC.

Um, we, we really wanted to make
sure that, um, our insurance

plan and our SOC communicated.

And that there was, that there was,
um, that when we needed to activate,

um, our IRP, that, um, and there was
an incident, that, uh, that they, That

they worked well with each other, right?

So that we can get all the resources
that we needed, and that we were

going to be covered correctly.

And then our SOC, and, uh, they were
also helping us understand where our

shortcomings were with our insurance plan.

So this was, it was really helpful that
they were actually partners before.

Um, we go through, I know we don't
like name dropping, but we go through

EIG as for our insurance company.

And, and their, um, the SOC that
we chose, they're, they're well-versed

in, in that company and they have
connections with them already.

Yeah.

So that was, I felt, I felt that
was really important to, to get

that going so that we can, um, um,
really mitigate the amount of time

or, or, you know, the increase or
make things quicker in our response.

Right.

And, and, uh, and that there wasn't
anything that we missed and that we

weren't hanging out with liability.

That makes sense.

I mean, we talk about
tabletop testing, right?

The whole point being to have practice
before you got there and making sure

your vendors are integrated into
practice together is critical as well.

Well, I think you said the key word.

You said partnership.

And I think a really good MSP
provider is providing a partnership.

Understanding that you having
good cyber security insurance.

That is going to pay out if you have or
when you have an incident is really key

and that's where the MSP comes in, right?

Because we're putting things in place to
ensure, we're, we're effectively checking

the boxes on that insurance form, that
really long insurance form you have to

fill out and ensuring not that you just
check the boxes but those, those things

actually exist so that when you have
an incident and the insurance company

asks you, Did you have 24 hour SOC?

Are you encrypting data?

All those questions that they ask
that you can actually say yes.

So they go, Okay, looks like
you did everything you should.

And so there's no reason why we
shouldn't help you with this incident.

Absolutely.

If I might add some perspective
there, not necessarily disagreeing.

In my experience, it is rare to find
someone that is that comprehensive at the

right price point, at least at the more
SMB level, and at the enterprise level,

they tend to insource it, but, uh, dealing
with the insurance companies is, uh, day

to day for me, and underwriting has become
incredibly complex, uh, and while there

are a lot of discovery questionnaires,
it is worth noting, especially for the

audience, it is, uh, when you activate
that retainer, they're actually in charge

of the investigation and there is that,
that balance there of if you're hoping

that they flip the bill, you're also
ceding control of the narrative, the

investigation, your recovery, uh, when
you can actually restore services, uh,

you're ceding all of that control to them.

They pick who they're going to bring
in for incident response, um, and like

you kind of mentioned, if they might
say, well, you didn't pick someone off

of this obscure clause, you didn't pick
a provider that we sanctioned, so, you

know, this entire claim is null and void.

Um, so there are a lot of things because
they are also very good at risk management

to, to be aware of and cognizant of and,
and make kind of that informed decision.

Uh, you know, and there have been
incidents where, you know, we say,

we go to the insurance company and
say, hey, we think there might be a

thing, we're putting you on notice.

And they immediately want to come in and
wrap everything under legal privilege and,

and try and control the investigation.

Uh, and then similarly.

You know, right up the road from us
recently, another healthcare system

was, uh, was hit with ransomware and
they weren't allowed to share any

information, which is very atypical
because generally, especially within

healthcare, you want to provide some heads
up to other partners, not just on the

tech side, but also operationally, you
know, you're doing ambulance diversions.

We kind of need some
context on what's going on.

So I'm sorry.

Well, I was going to say,
I think you're right.

And, and I think part of it is, you've
got to be careful because there's

insurance regulation but there should
be a level of partnership with you the

client and helping you ask the right
questions to your insurance vendor so

that they then know that you have the
right incident response vendor and

you've got all those things in place.

There's nothing wrong with asking
those questions ahead of time just

to make sure that everything you're
getting from your managed provider.

Is going to be covered and they have the
right tools that match what your provider,

what your insurance company is asking for.

I think it's also a good idea to audit
your, your insurance plan every year too

because I'm noticing that it's changing
every year and the pricing changes and

then their service level changes, right?

So having a partner like that to help
you understand where your gaps are

at would be, would be really helpful.

I think it's where risk
assessment on a regular basis is

also really important as well.

I'm kind of curious, it sounds
like you just recently went

through the underwriting
process, not to divert too much.

Go ahead and moderate, it's all you, man.

Did you find that, you know, the
market's become increasingly, I

mean, almost less competitive?

Because our experience is that there
are less people that are willing to

even offer these sorts of policies.

So I guess it really depends on how
many incidents they've had, right?

So, um.

We haven't had anything.

We're a relatively new organization,
and um, it was kind of like a writer

on top of our regular insurance plan.

And then that was kind of concerning
to me because I don't, they

didn't understand, they didn't
understand the IT security part.

I would, I was thinking, right?

So, because it was just an
overarching insurance policy.

So, um, I, I noticed that some of
the service level changed, like

they wouldn't cover, their coverages
were changing each year, even

though our pricing was going up.

So, actually understanding what they do
cover, and how, and when, and what the

whole, and what it actually looks like
when you have an incident is important.

And we, and I, our partners
actually help us understand what

that, what that looked like.

Well, and again, I'm going to disclaim
again, I'm not an insurance person, so.

Just saying that, but there is a
difference between insurance add ons

and actual cyber security insurance,
and that's something you should talk to

your agent about, just so you understand
the difference, because what you're

saying is accurate from what I've seen.

There are less and less policies available
for cyber security insurance or less

providers willing to jump into the space.

And in some cases it depends on the
market or the business that you're in.

So, I just renewed my cyber security
insurance and it was like, last year there

was five, this year there were three.

So that, that's, that's a real legitimate
thing, and it really depends on the

industry that you're in, and how
much risk they've seen, and whether

they're willing to take that on.

Yeah, I agree with that.

That's um, I think it's very important
that they understand your business.

They understand your flows,
they understand your critical

infrastructure, all of that.

I think that that's huge, even with,
and especially with our managed

services too, they need, that's Well,
I don't know why I didn't say this in

my introduction, but I just wrote a
chapter in a, in a cyber security book.

And My particular thing that I wrote
it on was the cost of an incident.

And what you'll find is add ons
don't generally cover enough to

cover a real cyber security incident.

So, and I did a lot of research, way more
than I expected to do on the topic, and it

was astonishing just the amount of money
that can be spent for a cyber security

incident, and then you look at just
regular premiums and they don't cover it.

I've seen quite a few policies, especially
offered to SMBs that cover 50,000

worth of incident response, which
sounds like a lot of money, but that's

like a day worth of effort, you know,
when you're in the middle of it, and

then you're on the hook for the rest.

They won't cover it.

Yeah, if you're a million dollar
company, you're talking about a 200,000
to 300,000 incident potentially.

Exactly.

Alright, let's take some questions
from the audience if we have some.

The question was, you know, if you're
evaluating an MSP, how much due diligence

are you doing and what does your risk
assessment or vendor management process

look like for selecting that vendor
and making sure that that vendor is

appropriately covered when they're
managing your business operations?

I'll say it this way.

If you ask me that question directly as
a business owner, I wouldn't be offended.

Like, if you ask me questions like, Hey,
do you have errors and omissions insurance?

What kind of training are you doing?

I'm not going to be offended by that
because I'm proud of what I have.

And so, I think that you shouldn't
be afraid to ask what might seem like

maybe offensive or hard questions to a
managed service provider because that's

important to your business to know that.

I think you should ask the question.

I think that's a great point.

Great question.

Yeah, and I wouldn't be afraid to
get legal involved too when it comes

to, comes to that if you have a legal
department or if you have a, you know,

somebody on retainer or whatever.

But, um, I think that
that's, that's what we did.

We, we, we have a, we had a consultant
help with that to help understand, um,

what, what the, um, MSP was providing and
then what our insurance company, um, what

they would cover and then to make sure
that every, all the bases were covered.

Fortunately, E&O is pretty
standard, like, a requirement.

You know, like, you should
have it in our industry.

There was a portion in that question
that, no offense, wasn't restated.

I want to just answer very quickly,
which is, at least at our level, we

don't have someone else fill it out.

So that's not necessarily
a concern for us.

I would imagine if you are having
assistance, then yeah, you would

want, want that sort of coverage.

Um, and if you weren't aware of it,
then hopefully you're here and you found

out, um, as far as the due diligence
process in a more total sense, uh, you

know, in my role, there's a good amount
of time, especially this time of year,

uh, spent on assessing that risk, both
from an operational capacity, from a

legal capacity, uh, you know, we're
fortunate to have legal counsel on staff.

Um, you know, General Counsel
and other staff attorneys.

Uh, and so we, we do a lot of
contract review, um, myself included.

We're looking at different
clauses in there.

We do assessments on, based
off of the, uh, you know, the

nature of the relationship.

You know, it's going to favor, you
know, again, going back to CIA.

Depending on what they're doing
for us, we might look a lot deeper

into certain parts of that triad.

Um, you know, so if they're
directly patient supporting

availability's gonna be huge.

If it's something related to our
emergency department flow versus maybe

a less critical application, but still
dealing with a significant amount of,

uh, PHI or PII, uh, we're gonna do a
little bit more on the integrity and

confidentiality side and we take, we take
a look at their shop as well, especially.

As the amount of records involved scales,
as the amount of money at stake scales,

we start to look a little bit deeper.

Um, I'm not a snob.

I don't demand a SOC 2
and things like that.

Some of my peers do.

Uh, but I think we take it with a bit
of nuance that that's just a report

and not everyone needs to have it.

But it's great if you do
and we'll look through it.

Um, but we've got questionnaires
and we have conversations.

Um, you know, we've got
riders that guarantee certain controls,
both administratively, as well as,
uh, from a technology standpoint.

And we try and balance the risk,
uh, for new vendors, as well as

existing vendors through kind
of all of those, those facets.

Awesome.

Um, I think I saw a few other hands
go up when I asked for questions.

I have other questions out here?

So, so the question was how, you know,
you're all running, you know, these

various portions of the cybersecurity,
you know, portion of your business or

an MSP or what have you, how are you
keeping yourselves educated and up to

date and making sure your skills and
competencies remain relevant while you're

focused on a broader array of things that
might not just include cybersecurity.

So two things we do as an MSP, and this
is just my company, for some of the

cyber security safeguards, we actually
outsource, like I have my partner here

who was on one of the last panelists,
so we outsource some of the things to

others that are more on the comprehensive
level, so like if it's directly looking

at incident response, at looking at
log ingestion, all of those things, Um,

it's, it's better for me as an MSP to
hire a team and outsource that, uh, as

far as like my individual employees.

Uh, we're smaller, we're actually a
four, we don't, it doesn't look like

it, but we're a four person shop.

So, it's just my wife and I and two techs.

Uh, from the very beginning, we just
said, hey, we're going to invest time

and pay our guys to take trainings
and pay for the trainings themselves.

That's just some of the things
that, that we've done on our own.

Um, and that's what I recommend.

We have, we invest heavily in
just training and then also having an
outside person come in and help our team,

uh, grow in that, in that technical area.

So.

I've got longer, so you go ahead.

Yeah, mine's pretty short.

So.

So actually, we, we rely quite a bit, our
IT department, on our managed services to

understand what's, what's important now.

And, and our SOC in particular, um,
we have weekly meetings with them

and, uh, we go over all the, you know,
the current threats and vectors that

are, you know, that are happening.

And, um, and then I, that kind
of pointed me towards Drip7, and

Heather, she's been, she's going to
be helping us create our training

program for our IT department, but not
just them, but also the whole agency.

So, um, um, we, I guess we just, we
rely on, on our partners to help,

to help us understand where, um,
what direction we need to, we need

to, um, focus our trainings on.

So, uh, for me personally, uh, there's
a few things and it, part of it, I

think you kind of touched on it, uh,
pretty heavily in your, your answer.

The culture for my team, um, I
didn't necessarily say this earlier,

but, uh, so we're, we're hybrid.

We do have a partner that helps us with 24
by 7 coverage and augmenting our detection

and response pipeline, um, and activities.

Uh, but we're fortunate to have
the resources to have a good

amount insourced as well, so
we're not fully reliant on them.

Uh, and so, from the managed service,
you know, provider, really the MSSP

side, they do help us quite a bit in
outsourcing those responsibilities.

Uh, you know, having the resources to
focus exclusively on the detection and

response pipeline, making sure that we
understand the telemetry that's going in.

Um, we're constantly working on the right
artifacts that are kind of a part of

that pipeline because cost is a factor
and we can't just send them everything.

And also, um, there are things
that we aren't in scope that

we need to handle internally.

Uh, and so that what goes into
kind of staying up to date.

I mean, conferences are huge.

Uh, I was all last week and leaving
tomorrow again for, um, various

continuing education conferences.

Uh, some networking
groups, uh, go a long way.

I read a lot.

I have some newsletters that
really go a long way.

When I have the rare time
to listen to podcasts, sure,

uh, podcasts go a long way.

It's, it's about finding those sources
that are, uh, the right use of your time,

I would say, and just keeping up on where
are, where is the industry going, uh,

again, understanding the risks and then
also just how does the technology work.

Um, I think one of the things that is
relevant to the answer for the, your

question, uh, specialization is really
great, especially at the enterprise.

But for me, I feel it's still so
important to have a broad base

of just what the heck's going on.

And I, I was very fortunate to have
those opportunities early in my career.

Uh, admittedly, maybe
working slightly too much.

You don't want to look at old time
cards, but, uh, regardless, right?

Just trying to understand a little bit
more about how everything works because

it's harder for us to be effective
in information security if we're just

speaking from kind of the bastion of
"well, security said do the thing" and we

don't actually understand the impact,
we don't understand the magnitude, we

don't even really understand how the
app works, we just see the output of a

vuln scanner and just say go, go fix it.

Well, and I would say too, one of
the big pivots for our business is

we really moved towards MSSP in the
last year and a half of our business.

Uh, it's peer groups for us,
so I'm a part of a really large

cyber security focused peer group.

And just like you, I'm going to
conferences four or five times a

year and listening to podcasts.

I listen to them more
because I drive a lot.

So I, I just listen to a lot in the car.

And then we, we put that information
out to our staff and our staff meetings

and through like teams, news articles
and things that we're learning.

So I think peer groups for
any industry are phenomenal.

Like they just help
you gather information.

And then you, with us,
we're seeing nationally.

300 minute managed service providers
who are experiencing all the same stuff

and they openly post incidents that are
happening and how they're responding

to them and things like that too.

Do you have any recommendations
for the crowd on kind of

general ones to get started in?

Some podcasts, uh.

Or peer, or peer groups.

Yeah, well if you're, well
if you're an MSP, uh, come

talk to me and I'll tell you.

Uh, but there's, there's one.

Uh, I don't know how many MSPs we
actually have in the room, but I,

I, I'm part of the Chris Weiser's
group, if you know who that is.

Uh, the seven figure MSP.

They've been phenomenal.

Uh, and then as far as podcasts
go, uh, I have to look at my

list, because now they're on auto.

I can look at my podcast list, but
there's some really good ones out there

that do both news, so like I get a five
minute and a 30 minute brief every day.

And then I had, then usually on Fridays
they have a actual topic where they

tear down something that happened
and go through the details of it.

So, if you're, if you're wanting
to just have some basic knowledge,

there's some good resources out there,
podcast wise, or, uh, or what not,

just to be able to at least understand
the threat level that's happening.

And I would, oh, just real quick, I would
also add there are local information

security groups, um, I don't know if
there's still 2600 around, but, there's

DEF CON 509 and some other ways to engage.

I guess I was just going to ask you, I
mean, we, our industry is pretty unique.

And so we have our peer groups, we
kind of, or our partners actually,

we're starting to come together.

Um, we have a network, we
have networks that touch each

other in our, where we're at.

And, uh, so we're working
with those people too.

You know, like we've invited, um, our
other agencies to our tabletop, um,

exercises, um, and, um, so I, I think
that's, I think that's another method too.

I mean, just within your own industry,
I think you were kind of talking

about that with your, with yours, but,
um, that's, that's what we do too.

We, we, we, um, leverage
our, uh, our partners and, and, and
try to open up lanes of communication.

Most likely your peer groups within your
own industry are talking about this now

because it's such a big issue, a big hot
topic, so you can utilize that as well.

Yeah.

Yep, I agree.

So, you know, we covered a little bit.

I want to move on to this question.

Um, you both talked about, you know,
having a hybrid relationship with the

SOC and managing that and, you know,
weekly meetings with the SOC that

you have and how you coordinate that.

How, how do you manage the performance
of these vendors, you know, understand

and evaluate whether they're kind of
meeting the requirements for you in an

ongoing way once you've selected them?

How do you make sure
they're doing a good job?

What's your process and approach for that?

Thank you.

Uh, I feel like I have
a long winded answer.

I think my viewpoint is slightly biased
since I used to work for an MSSP,

but I will say that I still somewhat
believe there's only so much you can

do to have the accountability there
because, you know, proving a false

negative, you know, the absence of
anything wrong is obviously impossible.

So, uh, you know, at a certain
point it's, what are the established

criteria for success with them?

I mean, sure, you have
penetration tests come through.

How much do they catch?

Uh, you know, you can
have those conversations.

Talk about the artifacts
that did or did not show up.

Um, you know, the, the old school
mentality of just like, well, time

to response, mean time to detection.

A lot of those things, I think, they sound
really great on paper, but mean time to

detection, again, how do you, how do you
consistently keep that metric up to date,
scale it very well, right?

Because you're assuming that you're
going to have the artifacts to begin with

to show here was initial infection to
time to detection and you know, those,

those are just tough things to pull off.

Um, the other things that from an
accountability standpoint we do, I mean,

they're, they provide us with various
materials, they help augment our, um,

our CTI program, uh, which is counter
threat intelligence, um, they're, they're

a part of that, uh, and so I think
there's a little bit of accountability

of, are you also letting us know, it's
anecdotal, but are you letting us

know the things that we know are out
there that, you know, we found through

another source that you probably should
also let us know, um, given your role?

Well, I'd say, too, like, I'm on
the flip side, right, because I'm,

I'm the guy you're auditing, so.

Um, one of the automatic things that
we've built in is, like, business reviews.

So you're meeting with your team
weekly, which is I don't, I honestly

don't meet with my people, my customers
weekly unless there's a problem.

But, uh, usually it's quarterly for us.

So we usually do a quarterly
business review with them.

And we, we cover, like, did you have any
incidents in the last, this last 90 days.

Uh, we did some, we do
regular phishing tests.

You know, uh, did we have
anybody who, who fell for those?

Uh, here's where you're at in education.

Is everybody caught up?

Here are new things, new
trends that are changing.

So we actually go through those
things quarterly with every one of

our clients just to make sure that
they're up to date on that stuff.

I think that, while I take some
responsibility for my clients' cyber

security, they also need, as a CEO, to
know what's happening in their own

business, and I think, to be a really
good partner, we have a responsibility

to help give them that information so
they know what's happening.

Yeah, absolutely.

So ask for it.

So, out of curiosity, we talked
about performance management.

Looks like I've got time for
one question, maybe two.

Performance management; let's
talk about selection real fast.

Are there any key critical criteria
that you think are important to

prioritize when selecting an MSP or MSSP?

What are those and why do you believe
that those are the ones to be prioritized?

Yeah, I can start.

It was really important for me for our
managed service providers to understand

our business, understand our workflows,
and then understand our partners too,

because we're all gonna come to the
table when an incident happens. So that

was really important, and they needed to
demonstrate that; they needed to show that

they had relationships with these
other organizations already.

So that was the most important part for
us, to make sure that they understood,

because our business was, is unique, and
we can't go down ever. We can never

stop taking 911 calls, and we can't
stop communicating with our officers

and medical professionals too.

So it was really important
that they understood our business.

Yeah.

So industry alignment, or at least
that business alignment, is critical.

Yeah.

I mean, that's usually normal, right?

But it was exceptionally important to us.

Yeah.

Absolutely.

Absolutely.

Yeah, I would fully concur with that.

Enough contextual awareness
of how to be effective.

And we don't use too many managed
service providers as an organization,

especially from a technology standpoint.

But regardless of whether it's MSP or MSSP,
I think there's a little bit of just

the BS factor of: do you actually
know what you're talking about?

Because a lot of people have a very
good story to sell, and capability to

execute is a completely different conversation.

And that was one of the first things
when I joined: actually, finally, having

the organizational buy-in to bring in
support for a Security Operations Center,

because when I got there we were really
just limping off of who we had at the

time internally. We were trying
to get it to the next level.

My predecessor did a great job with
the resources that they had.

Obviously the world's evolved, and so
capability to execute is huge.

I think, again, just coming from a
fairly technical background, I also have

my own opinions on, let's say,
character references.

Understanding a little bit more intimately
the folks who work at these companies,

and do I buy into the work that they do,
the research I see, the outputs of what they do.

That was a big factor for me in my
selection of who. Who do I think is

really going to help augment the gaps
that we have? And especially in that

highly specialized area, detection and
response, things that we can't do as

well internally.

Financial stability is also a bit of a thing.

See, I told you, Heather was right,
it was worth waiting until the end.

I mean, the other dirty secret is
some people have less tolerance

for VC funding than others.

And so if they're very heavily VC funded,
that can be a part of the equation,

because that kind of changes incentives
for them as your provider, versus if

they're a little bit more self-sufficient,
their incentives are much different

from my perspective.

Yeah, I think, if you're talking about,
like, maybe you're smaller, I think when

you first walk into that first conversation
with a potential MSP, they should be

asking you important questions about
cybersecurity and what you're doing.

If they walk in and they just count up
workstations and give you a price,

they're probably not a cybersecurity
focused company.

I think that they have to be doing
some level of understanding your

business, understanding your risk level,
asking really good questions, and

doing a longer, the sales process is
not a day, it's more like a month in

reality with a good MSSP.

And so it's really a relationship that
starts and takes a while to build up,

to make sure you have the right
fit for your organization.

I worked in a 24-hour monitoring
center for home security for 20 years.

And understanding that, versus what
it's like when you do go down.

I don't know if it's ever happened,
but I remember a couple of times where

we had a full-on phone outage.

And to have a company that understands
that pain point and what that's like,

and to be ready to help you put
redundancies in, I think is super

important, and you have to make sure
that they understand that and they're

willing to partner with you on that,
especially if you're unique.

Guest: INCH360, a regional industry group focused on connecting cybersecurity and compliance professionals of all levels. The group will promote education, collaboration, and communication about resources, regional companies, and jobs.