
February 11, 2025 60 mins

Tim Golden of Compliance Scorecard joins us to discuss the meaning and importance of measuring against an official security framework


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Justin (00:15):
Welcome everybody to episode 38 of unhacked. Guys, like I say, every week unhacked is a deliberate misnomer. Truth is 97% of these breaches, roughly speaking, are preventable using basic security measures, and we're gonna talk about that today. But once you've been hit, you can never truly get unhacked. So week after week, we sit here and we break it down. We talk about, what overwhelmed busy business owners should be

(00:39):
doing to outsmart the Russian hackers. We give them the basics, the best practices, the frameworks as we're gonna talk about today with Tim. Thank you for being here, Tim, by the way. We're we're gonna we give everybody the 97%. This is the formula that you should be following. And then at the end of the show, we're gonna close that 3% gap. Gap. So let's get started. I am Justin Shelley, CEO of Phoenix

(01:01):
IT Advisors. I work with businesses in the Dallas Metro and more recently out here in, Northern Nevada, rural middle of nowhere. Also went to Elko. Oh, sorry. That's that's where I'm at now. In Salt Lake and, possibly Idaho if you if you talk nice to me. And I am here with my regular cohost, Brian and Mario.

(01:21):
Brian, tell everybody who you are, what you do, and who you do it for.

Bryan (01:25):
Excellent. My name is Brian Lashbow with b four Networks, based out of the Niagara Falls, Ontario area, and we provide support to businesses throughout the area. And I like to say that we primarily help business owners who are frustrated with technology remove that frustration that comes with dealing with technology, and that could involve everything from cybersecurity all the way to

(01:46):
compliance.

Justin (01:48):
Alright. Mario, you're up next.

Mario (01:50):
Hello. Mario Zaki, CEO of Mastech IT. We are in, North Jersey, right right outside of, Manhattan. Been in business for, over twenty years now, servicing, you know, people with computers, businesses with computers, helping them pretty much, do everything IT. And after today, maybe compliance.

Bryan (02:14):
Sorry. I love

Justin (02:16):
it. In today's episode, guys, we are going to be talking with Tim Golden of Compliance Scorecard. Tim, thank you so much for being here. I know you've got, plenty of things to do, so really appreciate you joining us.

Tim (02:26):
Justin, I'm I'm so glad to to be here. Thank you so much. Justin, I think I heard Idaho. Is that correct? And Mario, I might have heard Yep. New Jersey. And, Brian, I think I heard Canada. Right? Am I correct?

Bryan (02:38):
Right.

Tim (02:38):
Yep. Yep. So so, Justin

Justin (02:41):
Yes, sir.

Tim (02:42):
What did Delaware, Idaho, could have been in New Jersey, can we find her a right shirt? But I'm I always gotta start off with a shit. I always gotta start off with a good show. I set the pieces here, and I've been waiting for that. Like, so

(03:02):
what did Delaware? Idaho. Could have been in New Jersey.

Justin (03:07):
I can't. Ask her.

Bryan (03:10):
I love it.

Justin (03:10):
I got my own Utah, Idaho joke. How come all the trees in Idaho lean south?

Tim (03:16):
I don't know.

Justin (03:16):
Because Utah sucks. Anyway That's awesome.

Tim (03:21):
So let me take a second to introduce myself. Tim Golden, founder and CEO of Compliance Scorecard, where we help MSPs just like you have that risk conversation with your customers by delivering our scorecards to them.

Justin (03:38):
I love it. And, Tim, there's a couple things that caught my attention. The reason I really wanted you on in itself ish. Usually, when I bring people on here, it is pure selfishness. Perfect. I have on Hack, this has been a journey for me. Podcasting itself has been a journey. I learn more by doing this show than anything else I've ever done in my life, I think. So,

(03:59):
over the course of 2024, one of the things that evolved in my brain was to shift my business focus to a compliance first mindset.

Tim (04:08):
Now I love that. Why are you not a partner?

Justin (04:11):
Well

Tim (04:12):
Get it. We need

Justin (04:13):
to talk about that, actually. So, we are so you said and I'm gonna pop quiz you a little bit. Sure. You have a passion for empowering MSPs to achieve operational excellence. Tell me a little bit more about that because that's something that caught my attention.

Tim (04:32):
Yeah. So, you know, operational excellence, what does that even mean? It sounds like big marketing fluffy words, and, yeah, it kinda is. But the idea behind it is, you know, the more you can document a thing, have a repeatable process, have everybody along the chain understand why you're doing that

(04:52):
thing, not just to have the thing, but getting the buy in all the way up and down the chain. You can really start to gain to that excellence because everybody knows why and the operational efficiency because you have a documented repeatable process, Something that you can scale. Something that you can then have a baseline and a standard to

(05:13):
work towards, grow, and evolve through. And by understanding the why, building out the how, and bringing the people along the way, you will gain that excellence along the way.

Justin (05:27):
Absolutely love that. I am a fan of EOS. Are you familiar with them?

Tim (05:31):
Yes. Yeah. Actually, so it was really interesting. When we first founded Compliance Scorecard. It was literally just myself and my chief Wrangler my chief operate my my wife, chief Wrangler officer. It's great. Operating officers. Literally just the two of us. And I'm like, you know, EOS, something I believe in, traction, you know, the right people, the right seat, the

(05:53):
right time. But it was really hard with just two people. So we kinda, like, made our own version of it. But now that we're, you know, well over, well, you know, I think 20 some odd, 25, I don't can't even count FTE. We have a bunch of people now. So EOS, traction, you know, it's taken us a well,

(06:14):
not a lot of time, but a lot of time to find the right person for the right seat in the right role. We've kinda knew what those roles were, but, obviously, we needed to grow into all of those roles appropriately, hire accordingly, which, you know, hiring is not fun. Unfortunately, I have other people beside me now in hiring

(06:35):
decisions. So, yeah, US interaction is great.

Justin (06:40):
And it it sounds like maybe you, you at least align with their documenting core processes because that's what I heard you say. You know, have those processes, roll them out, get buy in. That that really is a key component of EOS. I absolutely love it. I actually completely ripped off their oh, what are they they've got like a one pager accountability plan.

(07:01):
Yeah. What do they call it though? They have a different name for it. But

Bryan (07:05):
I I know you called it the same page accountability plan, and I ripped it off you.

Justin (07:08):
Right. That's right. So it's you start with, you know, he does, in the book, he comes in, he does that free evaluation two hour thing, and then you get into a deeper planning session, and then you get into your quarterly rotations. That's that's how I, approach my business and really how I work compliance into it. So

Tim (07:27):
Well, one of our one of our, you know, very first advisers so we have an adviser council. Right? People that advise us. Right? Just, again, back to the roots. It was just the two of us. Like and one of our advisers, Kyle, good friend of ours, now over at Empath, Tal Christiansen, was or is was, EOS, Pinnacle, Implementer, certified like, he

(07:49):
was all the things. That was his core business for a long time. And so it's it's really helpful to kinda work alongside a coach in that kind of stuff. And it's Absolutely. Something because a lot of, like, my twenty plus years in the compliance space, a lot of what I was doing there kinda mimicked EOS and traction.

Justin (08:11):
So I was kinda doing this already.

Tim (08:13):
I just didn't realize there was a name to it until somebody said, hey, go buy this book. And I'm like, oh my god. I'd like, I do like 80% of this, but in the wrong order and the total wrong way, but yeah.

Justin (08:25):
Yeah. Yep. That's good stuff. Alright. We're gonna pivot, and I wanna talk about I wanna really, I wanna get into the nuts and bolts of this thing. And I'll I'll just be honest. I'm gonna tell myself a little bit. There I'm gonna read a quote that I got off of Reddit, and I'm probably gonna beat this guy up for the rest of my life

(08:47):
because partly because what he said was, like, the most asinine thing I've ever heard.

Bryan (08:52):
But But also rings true.

Tim (08:54):
A little bit. Yeah.

Justin (08:55):
It kinda tweaked me just a little bit. So Yep. Okay. Here we go. Word for word. Overnight, I received an odd request from a prospect. The prospect asked for a list of the best practices he puts in quotes that I would be applying. This got me laughing and then thinking, where do I get my best practices from? What are they? This has been bothering me as a start as I start with my coffee.

(09:18):
Thirty plus years of experience in the industry, and I doubt my list and your list are the same. Though they should have overlap if they are truly best practices. Right? Time to discuss this one and look at the policies in my RMM for my own comfort. It's been a while since I compared these. Tim, you're familiar with what an RMM is. Correct? Is is that

(09:39):
Yeah. Is that where you get your policies that you throw into compliance scorecard? Oh,

Tim (09:46):
my goodness. RMM Well,

Mario (09:48):
if you use the RMM to log in to somebody's computer and get their policies, I guess I guess that works. Right?

Justin (09:55):
I don't know. I'd I mean, it's like thirty years, guys. Thirty years.

Tim (09:59):
Thirty years, and my RMM manages my documentation, my attestation, my change management, my RMM and auto audit log, all my like, okay. Perfect. I'm done here. Like, everybody just go buy, you know, Kaseya or ConnectWise or Ninja or yeah. We're done here.

Justin (10:16):
Game over. Game over. No value add here.

Tim (10:18):
Because your RMM can do it. Okay.

Justin (10:22):
Oh, so, yeah, I mean, this this is really the core of what I would call the problem in in the world of technology or at least the world of MSPs is we are not regulated as an industry.

Tim (10:34):
We're not.

Justin (10:35):
Now, and we're gonna talk about the why it's so important that other industries are, and I I just still don't understand why we're not. But we're not. But other other groups are. So we're gonna get let's let's define compliance because that can mean a million things. Tim, this is the world you live and die in. What is compliance? If you're talking to somebody who listen.

(10:55):
His job is to run a business. He's got a million hats, a million things he needs to know and understand. He probably doesn't give a damn, what we're talking about. What we're talking

Tim (11:04):
There's a couple of questions. He doesn't give a damn. That's another component of this. Right?

Bryan (11:08):
Yep. But

Tim (11:09):
if if we think of compliance, right, and and we could relate this to multiple different analogies. Like Joe's Baker, for example. Joe's Baker doesn't give a crap about compliance, but Joe's Baker does care about the recipe for making the cake. Correct. Right? Or or, you know, Johnny's Lugnut factory that does work for the

(11:33):
Department of Defense and now, fall into this CMM eight hundred one hundred and seventy CMMC thing. Like, they should care because compliance, we like to reference that as the referee for cybersecurity. Right. Right? I like to put my hat on because we are scorecards, kind of play a little bit into the, you know,

(11:56):
sport theme with compliance is the referee for cybersecurity. It has the playbooks. It has the rules. It has the regulations. It knows how to play the game. It throws the flags up. It throws the flags up when something is a foul. It the players now know what rules to follow. They know what

(12:16):
guidelines to deal with. In our opinion, it's almost like having a referee during your favorite sports game, where that's the person, that's the key, that's the source of truth for things that you're doing along cybersecurity, along FTC, along, you know, any one of the mouthful of acronym frameworks.

(12:36):
Compliance in its simplest form is having a rule book or a playbook in guardrails to follow.

Justin (12:47):
Let me let me play devil's advocate a little bit for this guy who I just slaughtered from Reddit. Why do we need so many damn versions of compliance? You threw out several acronyms, and you just scratched the surface.

Bryan (13:00):
Yeah.

Justin (13:00):
That's the problem. There's there's dozens of frameworks. Why do we need so many

Tim (13:06):
into that with well, they're getting into the politicalness of why things exist. Right? Good call. Whether it's the FTC regulating certain industries or or it's, the Department of Defense regulating their industry. There's, you know, some politicalness behind that on the lobbying bodies, the

(13:29):
laws, the regulations, at least here in The US. There's, you know, political components behind some of that. We don't we don't even need to get into. But at the core of many frameworks, at least for us, as we start to look at things, NIST, so the National Institute of Standards and Technology, and CISA, the Center for Internet Security and CIS

(13:53):
Controls, which is slightly derived out of NIST. There are many paths back to NIST eight hundred fifty three, which is a giant control list, you know, ten twenty nine controls, that if you look at a bunch of the different industries, can somewhat correlate back to, not maybe not word for word, maybe

(14:17):
not intent, back to something in a NIST control, at least in my opinion. Now cross mapping, a whole another can of worms. We could probably spend a whole another episode talking about cross mapping. Yeah. I'm not gonna poke it.

Bryan (14:32):
That sounds so exciting. Why don't we do that?

Tim (14:35):
Yeah. Well, actually, you know, there's a lot of marketing jargon out there, and it it's bad around cross marketing, whatever. So to answer your specific question, why do we have so many frameworks? I don't know. Why do we have so many laws that govern different things? And why do we not have laws that govern things that should be

(14:56):
governed in in effect? Like, I don't know, HIPAA, health care data. You know, we have PCI for a reason to protect credit card data and financial information. How much

Justin (15:08):
difference so you're

Mario (15:09):
you made

Justin (15:10):
a good point. Sorry. I'm over I'm stepping on you there. Go ahead.

Tim (15:13):
No. I just say we have different different laws because of different verticals and different industries and different interest groups pushing their agendas.

Justin (15:23):
Okay. And and if, like you said, let's if we took politics out of it for a second, there there are some,

Mario (15:33):
I

Justin (15:33):
I guess, some nuances or some specialty areas with each of these frameworks, but you did point out they all kinda tie back to one master set of standards.

Tim (15:41):
Is that fair? In my opinion Okay. You can now again, cross mapping aside because I don't believe in that at the moment. You can correlate as long as scope is the same, intention is the same. Like, there's other components of a compliance program that are the same because I'll just pick on one

(16:05):
control, password policy. Everybody knows like, hey, we should have good passwords. Best practices, have a good password. Right? Back to your Reddit post. Have a good have a good password. Well, you know, some frameworks might say, have an eight or 10 character password and multifactor. Another framework

(16:25):
might say, only administrative accounts need to have a 47,000 character password that changes randomly every five seconds. They're both talking about passwords, but the requirements in the intent is different. Right.

Justin (16:42):
And here's another pop quiz. I heard, I haven't verified this, that they, whoever the powers are, that decide, what password should be, recently removed the recommendation to change your password every ninety days. What can you tell us about that?

Tim (16:59):
NIST actually came out and updated the core, and it it and it actually moved away just from password as a control to, identity management. Right? And and understanding that as a human or as a device, a laptop, a whatever, there's identity tied to that and having strong identity authentication. So, you

(17:28):
know, how many people log in to their phone with their face? I know I do. I know I have been for a long time. And if it wasn't my face, it was my finger. Yep. Right? So there's a there's an identity aspect of that. Now granted, I there's characters and I can type them in and get into it that way. But conceptually, the days of make

(17:48):
sure you have eight characters and they're changed every 90 days and you go into your global, your GPOs and change them so that the policy object went and everybody ends up using the same eight characters across everything.

Bryan (18:06):
That never happens. What are you talking about?

Tim (18:08):
Can Can I anecdote a little story here for

Justin (18:11):
a minute? Absolutely.

Tim (18:12):
So my mother-in-law, she's very sharp for an 80 year old. And she's great. And, you know, we were talking about, like, they're they're older, you know, maybe we got twenty years left with them. I don't know, whatever. But, you know, she's very concerned about protecting her assets. And so we got her a password manager for for their, you know,

(18:35):
for my mother and father-in-law. I sat down with them, started she teaching them how to use one password, you know, appropriately sharing that with my wife so that there was a backup person, you know, like we should be doing. And you know when you get the little score that shows you how many reused or weak passwords there were? There were a few that I was

(18:58):
like, oh my god. Let's change that right now. Not that they were, you know, not that they were, you know, they were obviously conscious of being secure and wanting to do the right thing. That's why they asked. That's why, you know, I sat with them and got a password manager in place, but I'm like, yeah. These five were literally changing right now. Like, I'm

(19:19):
just not waiting.

Mario (19:21):
Password one.

Bryan (19:22):
You would be absolutely shocked as to what we find out there in the wild. I have a prospect that I won't mention names. Every one of their Office three sixty five passwords are the same across the entire company because the one guy wants to manage it all and so they're all the same password. Wow. Including the admin?

Justin (19:41):
Does that include his admin password?

Tim (19:43):
And let me and let me guess. He just filled out one of those Facebook questionnaires about, you know, give me your give me your manufacturer name and your street name, and and we'll give you back your stripper name or something like that.

Bryan (19:56):
Right. What's your favorite

Justin (19:57):
color, Tim?

Tim (19:58):
Yeah. Yeah. Go golden, of course.

Justin (20:03):
Yeah. Oh, good times. Good times. So alright. I'm a I'm a CEO of a whatever. Congratulations. Random organization.

Bryan (20:14):
Thank you.

Justin (20:15):
Thank you. Thank you. I've I've worked my ass off for this. I I you know, back to the original question. Not only do I care about regulatory frameworks, none of them apply to me. Because I'm not in a regulated industry. You might be surprised. True true, but what would you? What would you tell

(20:35):
me, Tim? Like how how would you? You know Do I

Tim (20:39):
know anything about you, Justin? You're a random CEO at a random company. What kind of company?

Mario (20:45):
Construction. Let's say construction.

Justin (20:47):
Let's do construction. That's a good

Tim (20:49):
Awesome. So I love the construction analogy. Hey, have you ever heard of that thing called OSHA? I heard. And do you know what that is about? Know, probably keeping probably keeping your people from falling off ladders and, you know, bad staging and, you know, pouring tar over, I don't know, Justin's head as the CEO because you

(21:13):
don't wanna listen to him anymore.

Mario (21:15):
But as long as you wear a hard hat, you're fine. Right?

Tim (21:17):
Yes. Well,

Justin (21:18):
see, you wear something that doesn't tell

Tim (21:19):
you to wear a hard hat. Right? You needed to have a rule book or a playbook be like, wear a hard hat or reinforce the staging. There might have been some kind of compliance that, you know, something happened somewhere in the past, and now there's a playbook, a compliance thing that you now need to follow. So specifically with a construction company, OSHA.

(21:43):
Like, oh my god. Not that I deal with OSHA, but it's certainly something that you could relate to. Now if you're thinking about cybersecurity and compliance around that, Justin, as the CEO of the construction company, do you care about your insurance?

Justin (22:01):
I mean, only if I have I hate paying that goddamn check every month. But

Tim (22:05):
I know. I know. But what happens when Mario falls off the ladder and lands on Brian with a bucket of tar, and you're, you know, running with the feathers.

Bryan (22:14):
Wait. This is being recorded.

Mario (22:15):
Right? We could finally shave his head.

Bryan (22:18):
I was gonna say, they've been trying to do that for ages
now.

Tim (22:21):
Right? So when that incident happens, you're gonna run right over to your insurance company and be like, listen, I didn't pay them. Right?

Justin (22:30):
Right. Right.

Tim (22:30):
Otherwise Right. You know, you're paying the medical bills and the things and the things and the things. Right? So you're gonna run to that insurance carrier and say, hey. Nope. No problem. I'm covered. I've been paying you a hundred bucks a month to do a million dollars a second. Except now that cyber insurance, when that incident happens, because you have, Brian

(22:51):
out in the field with an iPad, and he fell off the ladder and it you know, the iPad's not logged in because he doesn't have a strong password, right, from previous conversation. And Tim walks by and picks up the iPad, and now I have access to all your customer data because it wasn't protected. Right? You know, Mario knocks Brian off the ladder, Tim snags the iPad, and Justin, I have all your data. Cyber insurance,

(23:16):
probably not gonna pay if you're not following some kind of cyber insurance framework, for example.

Justin (23:22):
Oh, what do you call that cliff?

Tim (23:24):
I do call that cliff.

Justin (23:27):
Cyber liability insurance framework. Don't fall off the cliff. No.

Tim (23:31):
Our friends at our friends at fifth wall, you know, we we like to banter a lot. And I was chatting with Will Will Brooks. I don't know how long ago it was. We make memes all the time. He makes bet way better memes than I do. And I was like, oh my god. We just invented a new framework. Cyber Liability Insurance Framework. CLIF, keep your

(23:52):
customers from falling off the cyber cliff.

Justin (23:55):
I love that.

Tim (23:57):
And it's six things. It's very easy. Even you, Justin, as an MSP can do that with compliance.

Justin (24:02):
What are they? What what are your six things?

Tim (24:06):
Well, so cyber liability entry, if we're gonna go down this route. So, not all of them, but a vast majority of them have now started to determine there are certain things that you should probably have in place like security awareness training, you know, phishing, security awareness training, incident response documentation, I. E. Compliance, courtroom,

(24:28):
Vulnerability scanning. Right? Find the stuff and fix it. Backups. Because, you know, when the crap hits the fan and Mario's pouring, you know, concrete all over Brian, you wanna be able to recover Brian to some state. So backups. You know? What did I say? I said training, vulnerability, backup, incident

(24:49):
response, planning, documentation. You're putting me on the spot here. I'm trying to remember the others off the top of my head.

Bryan (24:58):
That's alright.

Justin (24:59):
I and I was curious

Tim (25:00):
about platform that walked you through all of those things accordingly. You know? There might be one that could help with that. Just Wait. It looked like there

Justin (25:09):
was something on your shirt there.

Tim (25:11):
Yeah. You know, it's just this little, you know, check mark thing on A little level. Me on my hat, you know, brand everywhere, product placement. So here here's

Mario (25:23):
Sorry. We we said security training, incident response plan, pen test, backup documentation. I'm missing one.

Tim (25:29):
Yeah. Pen test is kinda define pen test. Like, is this a
pen? Scanning.

Bryan (25:35):
Just screeching

Mario (25:36):
the pen and

Bryan (25:37):
just test to see if it works.

Tim (25:39):
Yeah. Yeah. Vulnerability scanning, documentation, backup, vulnerability management, security awareness training.

Justin (25:51):
So on this subject, Tim, when you and I talked before we a couple weeks back, one of the things you mentioned is that insurance is the way in. And I know that you're talking to because your your target audience is us. Right? We're this show we're talking to our end users, which also filters down. You know, they are forced into compliance sometimes because of their customers.

(26:11):
But when you're talking to MSPs, you say insurance is the way in. What what's that about? Can you tell us? Say that again? What is why do you tell us that insurance is the way in when we're talking about compliance to our clients? Like, if I'm gonna go and tell my client, hey, you we we need to get, let's get CIS eight point, zero. I mean, one in place. Yeah. Why where does insurance play into that? So,

Tim (26:37):
again, back to relatability. Construction company doesn't care about cyber, but, you know, when Brian drops the iPad, there's a cyber incident. And so who covers that cyber incident but the insurance companies? And as you said, Justin, I'm writing that insurance check every month, like, that's a problem. And if I am trying to prove the

(27:02):
defensibility, there's a new word for you, not new, but if I'm trying to be and defending our actions as the construction company, I wanna be able to say to my insurance company, I'm doing the things. I'm not 100% compliant today, but I'm doing the things. I have backup today. I'm trying to get everybody on two factor that's,

(27:25):
you know, taking a minute, but I'm building that defensibility. And so as an insurance carrier, I'm gonna look at some of my requirements. And if say, nine out of the seven things you don't have, I'm probably not going to insure you. Right. Or maybe I have, you know, 14 out of the three

(27:46):
requirements. Oh, like, my risk as an insurance carrier is, like, way reduced because they're building their defensibility. And so why do we suggest insurance as the way in? Because they are the people writing the check when the stuff hits the fan. And we know the stuff will hit the fan, just not matter of when.

Justin (28:05):
Absolutely. Yeah.

Tim (28:06):
They're the ones paying out. And so if you can explain and have the conversation with your customer, let's bring in Dustin. Right? Our good friend, Dustin Bolender from Beltex Insurance. Let's bring in Dustin. I can't talk about insurance legally. I can talk about, as your MSP, the things that we can do to build that defensibility.

(28:26):
But Justin's here to answer all your legal questions around insurance and why they can or cannot insure you and what happens during those incidents.

Bryan (28:39):
One of the neat things that I've I've seen well, not neat. It's actually horrifying, is that insurance companies will make you fill in a form Yes. And say, like, hey. Do you have this? Do you have this? Do you have that? And people will answer the form, and then they they just insure you blindly. Right? Got it. Got it. Happen is you'll you'll end up putting a claim in down the road saying, I think I'm covered. And meanwhile, you didn't do the

(29:02):
things that Tim was talking about. And so the insurance carrier turns around and says, well, you said you were doing the things on your form and you're not. So even though you've been paying us for all this time, we're not gonna cover you. Yeah. And now you're stuck with nothing.

Tim (29:15):
So funny that you mentioned that because literally on my fourth monitor over there is my insurance form for our good friend, Dustin, at Beltex that I'm literally sitting here like, okay. Sometimes I'm gonna fill that out because our renewal is up. Yeah. But, yes, as a vendor, I too have an insurance form I need

Justin (29:34):
to fill

Tim (29:34):
out and provide. And by

Bryan (29:35):
the

Tim (29:36):
way, we can do a lot of that with integrations through our platform. I know I keep plugging my platform.

Justin (29:42):
But No. Plug it. We're gonna we're gonna we're gonna kinda wrap up with your platform, so no problem there.

Tim (29:46):
Yeah. Yeah. But that's the thing. You know? If you no. Not if because it does. When you lie on these security attestations

Bryan (29:56):
Knowingly or not.

Tim (29:58):
Right? Then they're gonna go right back to that and say, Wait a minute, you check the box at 2FA everywhere, except Brian exposed the fact that every account is the same password with no 2FA. Yeah, we're probably not gonna give you the ping out. So, yeah, you know, your construction company probably doesn't exist anymore.

Bryan (30:19):
That's like saying you're a nonsmoker and you are. Hey.
Whoops. I

Tim (30:24):
resemble that remark.

Justin (30:27):
Well, it's bad enough because I I hate these insurance payments so much. It's bad enough that I have to pay it, and now it didn't do me any good at all.

Tim (30:34):
Right? Right? Right. It didn't do nothing.

Justin (30:38):
Yeah. Another thing about compliance that kind of, it it sells it to me. So, again, back to the unregulated industry that is technology, at least technology providers like us. Let's you've got we've got our clients who are writing a check just like they're writing a check to the insurance company. They're writing a check to us and they expect us to be

(31:00):
protecting them. How do they know if if there's no form of standards? You know, going back to our our poor Redditor who, is thirty years in the industry and doesn't know what the hell he's doing to protect his clients. Guys, companies are writing checks to that provider all the time. So I if back to my, CEO hat here, I

(31:24):
want my IT company following some framework and holding themselves accountable to it because otherwise, how do we really know that we're getting what we pay for from our IT company? So that's

Bryan (31:34):
You made a really

Tim (31:34):
you made a really good point in the beginning. Like, we're not a regulated industry yet. Right. Yep. And there hasn't been a good path for that yet. And I keep using the word yet because I think it's coming. In fact, I

Bryan (31:47):
I do too. Yeah.

Tim (31:48):
I mean, I know it's coming. But I

Justin (31:50):
well, you

Tim (31:50):
know what? I'll just say, I know it's coming. Right. Whether
it's the, you know, GlobalTechnology Industry Association,
formerly known as CompTIA orPRINCE, however you'd like to go
by. Whether it's the Trustmarkprogram that they have, or it's
some other entity ororganization, you know, it is
coming.
But here's the thing. I can'teven get my haircut unless I go

(32:12):
to a licensed, you know, barber. Right. I call them hair person,
whatever. I have a stylist who I've used in our office.
What do you

Mario (32:21):
Justin, what are you saying right for? When was the
last time you you went me and you went to a barber?

Justin (32:26):
Dude, I polished this thing this morning.

Mario (32:28):
What are

Justin (32:28):
you talking about?

Bryan (32:29):
I was there this morning. We

Tim (32:32):
we MSPs literally hold the keys to Fort Knox. Yeah. Justin,
your construction company is your Fort Knox.

Bryan (32:41):
Mhmm.

Tim (32:42):
And Brian has the one username and password across the
entire organization. Yeah. But that's okay. We Brian, we have
no standards for you because, you know, you're the only guy
here besides me with hair. So maybe we fall into the standard
with hair and they don't.

Bryan (33:00):
But Yeah. Entirely possible.

Justin (33:02):
It's a crazy world. So, Tim, I think it's I think it's
time for us to just like you've been kinda teasing us a little
bit. You've been even showing your logo off on accident here
and there pointing to your hat. Tell us a little bit about
Compliance.

Mario (33:17):
The call card.

Bryan (33:18):
Yeah. Alright.

Justin (33:19):
You got the coffee mug. Is it a Yeti though? Is it is it
a brand name?

Tim (33:24):
Only a Yeti. I am such a Yeti snuff Oh, let's see.
There's checkers here. I am such a Yeti snake.

Justin (33:33):
Yeah.

Tim (33:33):
Yeti or nothing?

Justin (33:34):
Exactly. I love it. All right. We're on the same page
there.

Tim (33:37):
Oh, I have one of those too.

Justin (33:38):
I have a

Tim (33:39):
Yeti. But mine is from Pax8, Mario. I have one just
like that same color, but it's Pax8.

Mario (33:44):
Robin, baby.

Tim (33:45):
Robin, baby. Robin. Yep.

Justin (33:46):
I I've had a couple of those, but I lost them somehow.
I don't know. Yeah. Anyways, Tim, tell us a little bit. Give
us your elevator pitch because you are and, you know, listen,
this podcast is directed at business owners.
We're all business owners, and we actually have a fair number
of, technical people, MSPs that watch at least parts of this
podcast. So talking to us, what is it that your product does?

(34:08):
How does it make our lives better so that we can make our
clients' lives better?

Tim (34:11):
Sure. So like I said in the very beginning, it's, you know,
as an MSP, you wanna be able to have the risk conversation with
your customers. And since your customers are listening to this,
as a customer of an MSP, you want to know, are they doing a
thing? Do they have the playbook? Are they following a

(34:31):
guideline?
Are they aligning my business,my construction company to
something? Right? That's thefirst part of this, this whole
alignment component. And it'skind of something like, maybe I
should patent, but it's thisfour part process that we bring
to the MSPs who eventually bringthat down to Justin's

(34:52):
construction company. Right?
Alignment, authorization, adoption, and assessment. Very
quickly. Alignment. Are you following a thing? Do you have a
playbook?
Is a thing aligned to a thing? Right? Pretty easy
straightforward to understand. Here's a set of controls,
whether it's insurance or mouthful acronyms. Here's a set
of things that we're gonna follow.

(35:12):
Here's the playbook. As the MSP, the authorization component, it
ain't my stuff. It's the customers'. It's Justin
Construction Company. It is their stuff.
They need to authorize that. You need to work with your MSP as an
end customer of an MSP and ask them, align me to something and

(35:33):
then allow me to take ownership of that, to authorize that.
Nothing different than, let's say, an employee handbook.
Right? Same concept.
You have your staff sign an employee handbook or sexual
harassment or an equal opportunity or an or or HR kind

(35:54):
of thing. We're just kind of applying that to the
cybersecurity and technology components. Align it, allow the
business to authorize it and have ownership with it. Now, you
as the MSP facilitating the work, right, charging for that
work, by the way, and facilitating that work, you're
in the best position because you know what they're doing tech

(36:16):
wise. It would be like hiring an outsourced HR to manage HR while
they're hiring an MSP to manage tech.
Right? As that customer then, what good is the employee
handbook or the password policy or the acceptable use policy if
end users don't adopt it? That's the third a, that adoption

(36:39):
component. Remember how we started in the very beginning on
the why conversation? Why are we doing this?
That's the adoption component, allowing the end users to know
why do we do this? Why is it bad to have the same password
everywhere? And then lastly, assessment cadence. You know, I
spoke I was invited to a conversation with one of our

(37:02):
MSPs and one of their largest customers. We had CEO, CFO, HRO,
all the people on there.
And I, you know, and I asked the HR, person, I was like, when was
the last time you updated your employee handbook? Had to think
for a minute and was like, I don't know, like, I don't know.
Probably when we built the company, like, fourteen years

(37:24):
ago. And this is in the height of COVID. And I said I said,
well, that's interesting.
It's COVID now. Is everybody working from home? Well, yeah.
Oh, okay. And then, you know, do you have any, like, you know,
time off policy?
Or and she said, well, yeah. And I was like, so the entire way

(37:45):
you run your business has completely changed, but you have
not done anything in your documentation that you had all
your employees agree to. So your employees can pretty much do
what they want because there's nothing telling them they can't.

Justin (37:59):
Oh, and

Tim (37:59):
why is that? Because we haven't updated the handbook.
That's right. Because you had no assessment cadence in place to
remind you to do that thing. Yeah.
So break it down, bring it all back. Alignment, are you
aligning to a thing? Authorization as the business,
you wanna own them. Adoption, end users need to know why. An

(38:21):
assessment, don't let it become vaporware or shelfware and be
forgotten.

Justin (38:26):
Which is where most policies live. But it's not just
the policies.

Tim (38:31):
Right? It's that is one major component of our platform.
Yes. Policy tracking, policy management, but also
assessments. Right?
You pick that framework and you look at these are the gaps.
Alright. Here's a great thing. Anybody know what risk register
is? Brian, Mario, Justin.
You know what a risk register is?

Bryan (38:51):
No. Beaches.

Tim (38:54):
As a business owner, right, and this can apply whether an
MSP or not, you probably need to understand where your risks are.
For for for Justin, it's making sure Mario isn't tripping over
the ladder. Correct.

Justin (39:10):
Mario, I'm down.

Tim (39:11):
So you do an assessment. You realize Mario's got big
feet, and Brian always puts the ladder in the way. So we've been
able to do a deal with that.

Bryan (39:18):
Bad combination.

Mario (39:19):
He does it on purpose.

Tim (39:20):
Fine. So you identified a gap. You know, big feet, bad
ladder, whatever. You identified a gap. Now, Justin, as as the
business owner, you probably need to decide, do we wanna fix
that, i.e., mitigate the risk?
Do we wanna defer that? I don't know. Pretend it didn't happen.

(39:41):
Do we wanna transfer that and Mario gets smaller feet and
Brian move the ladder? Like, what do we wanna do with those
gaps?
So a risk register gives you Amazon shopping cart of findings
that you then you can apply a risk treatment to mitigate,
accept, transfer, avoid, defer, the five various treatments of

(40:03):
risk that you can apply. And as an MSP, you don't make those
decisions. Your customer does. So for for the customers that
are listening to this, ask your MSP, hey. Do you even know what
a risk register is?
Because I listened to this fancy podcast, and they told me I
should ask you about a risk register. Because you know what?

(40:24):
I wanna make sure I do something about the ladder in the wrong
spot. K. I'm

Justin (40:33):
I'm taking notes feverishly, but I'm gonna have
to go back and relisten to some of that. That was,

Tim (40:37):
Sorry. I rant. I love this stuff. It's

Justin (40:39):
No. I love it. I I'm gonna throw a question at you,
Tim, that this is, again, pure selfishness on my part because,
you know what what we're here to do is break this down for
business owners. You you give them frameworks, you give them
best practices. As we've said before, none of us really know
what that is, but we throw all this stuff at them and then we
let them decide, right?

(41:02):
On that, as your clients, MSPs, run these assessments, compare
against frameworks. Yep. Can you tell us, like, the top handful
of deficiencies that they find? If your company

Tim (41:16):
actually pull in because because

Bryan (41:19):
we

Tim (41:19):
have some statistics and auto logging and tracking in the
background.

Bryan (41:24):
I'm not playing

Tim (41:25):
one of another window if that's

Justin (41:26):
I can even give you time. Like, we can sit here and
and shoot the shit while you're working on that if you need to.

Tim (41:31):
So I can actually tell you because we do have some
statistics, not that we track. So first and foremost, as a
compliance company, we take our MSPs, customers, and their
customers' data very seriously. Yeah. We don't have the capacity
to log in to your stuff and see your stuff and do your stuff.

Justin (41:50):
Okay.

Tim (41:52):
However, we built a new feature out a couple months ago
called leaderboard.

Justin (41:57):
Nice. That's what I'm looking for.

Tim (41:59):
Well, because, you know, compliance gets such a bad rap,
and it's scary, and it's an ugly word, and I'm afraid. Well, we
flipped that out on the head by providing a leaderboard and
positively reinforcing good behavior. I love that. Yay.
Inside my MSP, these are my customers.

(42:20):
Brian's got nine policies. Justin's done a risk asset.
Like, inside the my instance as my MSP, I can see how well my
clients are doing, and I can reward that good behavior.
Globally, not every name, but we have a general sense of what
frameworks people are doing, what gaps they have in those

(42:41):
frameworks, how they're doing with like minded businesses. So
we have a bunch of those stats.
And I can tell you if I log in over here, is this messing up my
bandwidth at all before Yeah. Clicking around in the other
screen? I'm not gonna share the screen because this is an
internal tool for us.

Justin (42:59):
Sure. Mhmm.

Tim (43:00):
So we can understand how well our MSPs are doing.

Justin (43:04):
It's okay, Tim. I've already hacked into your
computer, and I'm watching everything you're doing. So
don't worry about it. But I'm screenshotting this.

Tim (43:10):
I'm just rambling on and on buying time while I'm waiting
for my second factor of of authentic

Justin (43:17):
Oh, it's a lot ahead of my own 2FA. I hate that
stuff. I've said before, if if security isn't a complete pain
in your ass, you're doing it wrong. Alright.

Bryan (43:26):
Alright. It's loading.

Tim (43:27):
So I can tell you what frameworks, how many policies,
how many and, actually, I haven't looked in a while, so
it's probably a good idea because I tend to look once or
twice a month and be like, oh my gosh. Just giving it a second to
load on the back end. Alrighty. So let's see. The the top
frameworks are CMMC and HIPAA and our own business risk

(43:55):
assessment that we define as a business risk assessment that
most every MSPs use, and then the policy and procedure
assessment.
Somewhere in the neighborhood of, I can tell you how many
entries, like so out of I don't know. Let's pick a number. I

(44:18):
don't wanna give away specifics because this is a blog this is a
blog post news article we're about to put out. Oh. So let's
just talk roundish numbers.
Yep. So let's just say out of, I don't know, 400 assessments,
give or take, we have identified, we being the MSPs,

(44:41):
have identified around and now remember, an assessment could
have a hundred questions or it could have five questions. So if
we say 400 assessments, and then I say we have 2,000 findings.

(45:02):
Okay. It's not a one to one correlation, obviously.
And out of that 2,000 findings, risk register. Again, round
numbers. I'm kind of bumping these up by a few hundred. About
1,800 of those have some form of risk treatment. Mitigate,

(45:27):
accept, defer, blah, blah, blah, blah, blah.
Is that the kind of thing you were asking, Justin? Yeah. I can
say, oh, this is a great number. I'll give you this number. Over
2,100 policies deployed.

Justin (45:40):
Oh, wow. Across

Tim (45:46):
over 400 end customers.

Justin (45:51):
Okay. So we're looking at four or five four or five
each? Yes. Okay. Math on the spot isn't my strong point.

Tim (46:01):
I mean, we have some some MSPs. I I could pull one here
right now. They have 89 policies deployed. We have others that
have on average, I would say the average number of policies per
MSP is probably quick. Well, let me just pull up Excel.
Hold on. If I just kinda copy paste, click on the little

(46:24):
average button, average. On average, there's 12 policies per
MSP

Justin (46:30):
per company. That sounds about right.

Bryan (46:33):
Not bad.

Justin (46:34):
Which is one of the strong points of your platform.
Right? That because writing these platforms is a giant pain
in the neck. And and then each client has to customize them for
their organization. And one of the things, correct me if I'm
wrong, that your platform does is helps the MSP create that
base standard document, Let's say an acceptable use policy

(46:56):
that they can push out to their clients and just make a couple
of tweaks.
What is a five or 10% of the the work falls on the client?
Everything else is done for them. Right?

Tim (47:06):
I'll just do that. I like that.

Justin (47:08):
Oh, there we go.

Tim (47:11):
Hide the super admin component. But, yes, first and
foremost, we have an extensive policy library that bring our
twenty plus years of writing policy documentation as a
baseline template for you as a jumping off point. Now everybody
says templates, blah blah blah. They're a good jumping off
point, and you should use them as the jumping off point. But

(47:33):
our template is vastly different than what you're gonna see
across the interweb because not only does it come with our
twenty years of writing, FedRAMP moderate documentation, whole
nother framework, we actually break them up into what's
considered OSCAL, very structured machine readable
language, right?
Not only do we provide the base documentation, but we even take

(47:55):
it a step further with what goes in this box? How do I write this
section? How do I write so TLDR section by section by section.
Right?

Justin (48:07):
I love that. I saw the TLDR. I'm like, damn it. I need
this tool right now.

Tim (48:12):
Right? Because we get it. Like, you're not versed in
policy. We are. We give you some jumping off points, but we're
like, Hey, keep in mind, you wanna do this and we wanna do
this.
And like different frameworks will have different requirements
and additional TLDR. How do I write this? So that comes with
our years and years and years of experience. And here's the cool

(48:36):
thing, right? You build out your library right at once, one click
deploy to any customer.
You can custom tailor that further if you choose to, but it
is literally one click deploy to your end customer on all the
different policy frameworks and all the different regulatory

(48:58):
frameworks. So, to answer your question, write once, deploy
many. Right. Use our knowledge for the last twenty years as a
jumping off point and align them to the business practices you're
doing. Remember that first a.
You need to align them. We're gonna give you something to
start with, but you need to make sure that and the and this is

(49:20):
where everybody freaks out.

Mario (49:22):
You know Does your platform allow us to upload,
like, the proof that this is done? Or

Tim (49:29):
So Like,

Mario (49:29):
for audits to do it?

Tim (49:31):
Tracking all that tracking directly in the platform. Okay.

Mario (49:35):
I

Tim (49:35):
didn't go through that. We have a live demo every week.
People can go to compliancescorecard.com, click
live demo, see all of this stuff in action. But yes, that is the
core functionality. Remember the authorization and adoption and
assessment?
All done on the platform. Mario, you write your template once,
you know, your 10 base documents. You know, maybe

(49:56):
there's ten hours worth of work. And by the way, now you have
your own house in order.

Justin (50:01):
Yeah. Exactly.

Tim (50:02):
One click deploy to your customer. Your customer can
then, whoever the authorizing official logs in and says, Yes,
I agree or reject with feedback. Feedback loop. Once that's been
aligned and authorized, then it's a click of a button to push
out to an adoption campaign to all the end users with, here's

(50:22):
the policy. Here's why we do a thing.
Here's what it is. Sign off. Kind of like you do with
security awareness training. All that tracking, all that audit
logging, all that change management, and then there's a
knowledge base that you can share and embed and use that as
a central repository for all your documents, even those HR

(50:45):
documents. This is why HR people love this because, oh my god, I
don't have to mail something out and try to keep a check with no.
All that can stay right in the black.

Justin (50:55):
Yeah. Alright, guys. We're, we're getting towards the
end here. So we're gonna start wrapping up. What I'd like to do
is just kind of do rapid fire questions for Tim.
Brian and Mario, what have you guys as we've gone through this,
what are some of the things that you'd like to know before we,
close out here this week?

Bryan (51:13):
Oh, putting us on the spot. Yeah. Okay. Why my
question would be this. If there were I mean, I always like to
treat cybersecurity as a journey, because not everybody
can do everything all at once.
It's just not possible. So they have to start somewhere, and
they have to start implementing the first thing. In your
opinion, Tim, what would be the first two or three things that a

(51:37):
good business owner should have in place ASAP before they get
anything else done when it comes to either compliance or
cybersecurity?

Tim (51:45):
Multifactor everywhere, period. Force it down there,
throw. We're gonna keep saying, I can't believe it's 2025. We're
still talking about this. Multifactor everywhere.
Not every like, everywhere, period. Your ADP, your, you
know, your Facebook, your Twitter, like, everywhere. Every
one of your Facebook page. Oops. Every

Justin (52:08):
multifactor. K. Alright. Mario, you got something?

Mario (52:15):
Yeah. So with with the with a a lot of these
frameworks, some of them are, you know, like, I know, like,
SOC two, it's, like, always ongoing. You're always taking,
you know, proof and providing and stuff like that. Are there
other frameworks that are kind of less tedious throughout the
year?

Tim (52:36):
Yeah. FTC safeguards is the probably a or is is one that
will affect a lot of businesses listening to this podcast
whether you believe it or not. And what I've been seeing
happening with the FTC is going after starting with the big
organizations, but, you know, stuff rolls downhill. It's a
very I don't wanna use the word easy, but it is it is a

(53:00):
framework that you and your MSP can work together to get you a
good standard beyond just the seven or eight things in
cybersecurity in in cyber insurance. Yep.
Alright.

Justin (53:17):
Well, I think, you know, we're we're coming up at almost
an hour here. So we're gonna start to wrap this thing up.
Tim, one thing I wanted to dive more into that we're we're not
going to, it's something that I talk about all the time, but,
I'm just gonna mention it because it caught my attention.
I think it was a a LinkedIn post where you talked about culture.

(53:37):
Instead of punishment, let's focus on rewarding good
compliance behavior and fostering a positive culture.
I would argue that in in, you know, you talked about adoption,
that kind of piqued my interest. That's been a place where I've
seen a lot of challenges, a lot of struggles as as MSPs where
we're trying to take these overwhelmed, busy, not just,

(53:58):
CEOs, business owners, but also their staff. You know, all of us
have plenty of things to do without getting another stack of
things we have to do, another stack of documents we have to
read and sign off on, you know, 2FA. Jesus Christ, I hate
2FA, but we have to have it. Right?
Like but everything is just one more thing to do. And if we
don't wrap a culture around this, I don't think we'll ever

(54:21):
win the war of compliance or cybersecurity, period. And, yes,
you can do this with a stick, but I loved that your way of
doing that was with the carrot, the proverbial carrot. So, is
that maybe as kind of a sign off, can you just run through
how it is that you help MSPs instill that culture into their

(54:41):
client base? One word.
Okay.

Tim (54:46):
Why?

Justin (54:47):
Okay. I love that. Yep. You you've already said that.

Tim (54:49):
Start with why. Right? So Simon Sinek has a great book,
Start with Why. It's about building a company, but it also
applies to the same cultural aspects. And it is the hardest
lesson I had to learn as an IT professional that just wanted to
click buttons and lock stuff down.
Years ago, when we got that first thing, all I did was click
buttons, lock stuff down, and pissed everybody off along the
way. Mhmm.

Mario (55:10):
And

Tim (55:10):
it wasn't until I shifted the conversation with the staff
and all the end users and bringing them on board and
explaining to them, why are we doing this? Did you know that we
are a government contractor? Well, yeah. Did you know that
those government contracts require this stuff? Why?

(55:30):
Who cares? Did you know that we will lose $5,000,000 worth of
annual income and you will not have a job if I do not put two
factor authentication in place. Yeah.

Justin (55:42):
There's the why that matters to them. Right.
Personal. Yep. Right.
Perfect.

Tim (55:48):
And then and until and what did Tim just do? Tim went into m
to M365, or Tim went into a thing and just enforced two
factor on everybody's account. At which point the CEO's
knocking on my door, my phone's ringing, everybody's pissed off.
And I had to go, Woah. Big bad Tim came in with a hammer as

(56:08):
opposed to friendly, rewardful Tim came in with the why and
help them understand that this is why we do this.

Justin (56:17):
Yeah. Love that. I mean, I I love that. That's my
takeaway. That's what I'm gonna wrap up with.
Guys, unless you have any final thoughts, final questions,
Brian, Mario, no? Okay. Then we're gonna go ahead and close
this one out. Tim, again, thank you. Thank you.
Thank you for joining us today. This is becoming a way of life

(56:38):
for me, and, honestly, I think this is something that we are
all going to either go kicking and screaming or willingly into
the dark night of compliance. So, again, thank you for being
here. Thank you for your perspective. Guys, if, I've got
other MSPs on here listening, go to compliancescorecard.com.
Join the, the demo. Is it a is that what you Weekly. Product

(56:59):
demo. Right? Weekly demo.
And those are live, not prerecorded?

Tim (57:03):
Live every week.

Justin (57:04):
We got q and a.

Tim (57:05):
My team keeps telling me we need to ship that, but I still I
still love doing the live videos myself. Yeah. So will they?

Justin (57:11):
Yeah. I could tell you you're not, shy on camera, so
that's good. Let's, yeah. I'll be on there. I've got a
platform.
I'm not gonna lie. I I hadn't heard of you guys until more
recently, so I definitely wanna do a comparison. I love what
you're talking about here, and I'll definitely take a look.
Awesome, Tim.

Mario (57:29):
Thank you.

Tim (57:29):
That's cool. And I'll just end it with, I heard you say I
got a platform, which is great. You know, we work with a lot of
other partners and integrations as who and what we are, but we
are an MSP first. We are dedicated to MSPs first. When
you look at the GRC space and the tools that are available in
that, I'd like to say we are the only one that came from an MSP

(57:52):
built by an MSP for MSPs, and we get you.
And not only do we get you, but we also know you need to sell it
so we're affordable for you as well.

Justin (58:05):
Beautiful. That those are magic words right there.
Because what we do is expensive and everything's one more
subscription we get to pay for. It's good times. So final words
to our our audience.
Again, we've been talking a little bit technical today, a
little bit in the weeds. Our our audience business owners, I like

(58:25):
to I've I've got my own little framework that I invented, Tim,
and I don't know if you're gonna love it or hate it, but, and
just finding a really simple way for business owners to hold us
accountable. This is what I tell people. And and use safeguards,
use, frameworks, use compliance tools, however you do it. But
look at these three areas in particular.

(58:46):
Look at your technology and make sure it's protected. Look at
your data, make sure it's protected, know where it lives,
know how it's being used, know how it's being backed up, and
could it be restored. And then your people. Know your people,
protect your people, their identity, policies, procedures,
and all that. That's the 97% that I'm talking about week
after week.

(59:07):
And frameworks just make it easy for us to make sure we're doing
our job, and it makes it easy for you, mister and missus
business owner to, get some transparency and and to know
that we're doing what you're writing us a check for. Wrap
that up with an insurance policy that covers that 3% gap. Make
sure you have good cybersecurity insurance and that they will pay

(59:27):
in the event of a breach. Right back to frameworks, guys. So
there we are, guys.
Unhack.live. If you have any questions, if you'd like to
reach out to any of us individually, Brian, myself,
Mario, Tim, all of our information will be on
unhack.live. Brian and Mario, as always, thank you for joining
us. And, Tim, again, great stuff, and we will be in touch.

(59:48):
Thank you, guys.
We'll see you next week. Thank you.

Mario (59:51):
Thanks, Tim. Speak.