MSP 1337
By Chris Johnson
Our goal is Secure Outcomes and together we can make a difference.
Jan 23, 2024
MSP Perspective on Recruiters
Cybersecurity should be front and center in every organization, and who you hire impacts how well you can implement it. In this episode, we discuss having the right staff and aligning with company expectations and goals. While not necessarily a cybersecurity focus, we highlight how cybersecurity plays a role in who you hire and what you might look for in your hiring process. Join me as I hear from Charles Love about his journey using a recruiter.
Cybersecurity Perspective on Social Media
Social media is somehow a part of our everyday lives, and we see different platforms that cater to varying types of communication and content. With that said, when we misuse the platforms or share too much, we potentially risk all that we care to protect. Join me as I discuss the ins and outs of the appropriate use of Social Media and some world observations on what we can do better.
MSPs Need Recruiters Too
Cybersecurity is not the primary focus for hiring new employees but is vital to ensuring you hire the right candidate. I sit down with Ted White with Vertical Talent Solutions to discuss a strategy that lines up suitable candidates with MSPs so that the effort spent to get the right candidate isn't a pleasant and perhaps even enjoyable opportunity.
Where MSP and an MSSP Intersect
Ever wonder if you should be offering cybersecurity services? Are you taking on liability that isn't worth it? I sit down with Scott McCrady, CEO of SolCyber, to discuss the opportunities and benefits of partnering with an MSSP.
Fireside Chat Control 13 Network Monitoring & Defense
It is the Third Tuesday of the month, and we bring you to Control 13. This is an exciting Control (they all are) because it is often confused with being legacy, it is also potentially cost-prohibitive, and we believe it will likely only be doable when partnering with third-party resources. Matt Lee brings it home as he always does!
Collecting Evidence
MSPs spend a lot of time and energy trying to align with standards from one of the many frameworks that are out there to improve their cybersecurity posture. Whether you do it to meet regulatory requirements, or are just looking to improve your business operations, how do you know when you are failing or succeeding? I sit down with Jim Harryman of Kinetic Technology Group to discuss how evidence comes into play. Policy, Process, and People are key to collecting that appropriate evidence, and Jim and I are going to talk through how to make it part of your cultural habits.
Getting Started With Tabletop Exercises
Tabletop exercises or simulations can be daunting and scary. Join me as I sit down with Sarah O'Kelley from Choice Cyber Solutions as we discuss some tips and tricks to success with your first Tabletop.
Security Awareness and Skills Training
If you are familiar with CIS v8 Top 18 then you might be comfortable talking about Security Awareness and Skills Training. I sit down with Jim Harryman of Kinetic Technology Group to talk about the Why and the Proof that every solution provider should be considering in their own training.
Fireside Chat CIS Control 12
We are on Control 12 in our Fireside chat with Matt Lee and are digging into a control with only one IG1 safeguard and only one IG3 safeguard. Network Infrastructure comes with some rabbit holes and tangents, but I think you will find that this control is essential to most MSPs.
Parting ways with a client or prospect
As an MSP, many decisions go into taking on a new client or getting rid of an existing one. I sit down with Charles Love of Showtech Solutions to discuss when the decisions are tied to cybersecurity and where one should consider drawing a line in the sand.
Vendor and Product Evaluation
What does it look like to have an employee request approval for a specific tool? Do you have an evaluation process? What types of risks are introduced that you need to consider when evaluating a new vendor, product, or service? All of these questions and more are discussed with Chad Holstead of BKS Group.
Is Cyber Insurance Enough?
When a vendor fills a gap in cyber, they deserve to be heard. I sat down with Nick Wolf of Cork to discuss the cyber insurance industry and the space they fill. I'd say Cork is to cyber insurance like Aflac is to Medical insurance. Join Nick and me as we navigate the challenges with questionnaires, insurance questionnaires, and all the crazy around insurance and coverage.
Fireside Chat: Control 11 Data Recovery
Storage costs are relatively cheap compared to the cost of storage, but one might say that data recovery is where most MSPs have been very successful. Years back, we were challenged with costs around storage and destination fees costs, so we had to be selective about what we backed up. In today's world, the cost of storage is relatively cheap in comparison, but so many new variables complicate this process. Listen to Matt Lee of Pax8 as we dive deep into CIS Control 11 Data Recovery and explore all five safeguards.
Data Protection
Data protection is tough when you don't know where your data is or who might have access to it. Join me as I sit down with Prandar Das, cofounder of Sotero, as we discuss the challenges and the opportunities that AI and LLM bring as we continue to look at better ways to protect data. Stick around for the four tips to follow on your own journey to protect your data.
Risk of Risky AI...
How many buzzwords do we have in the MSP world? MSP, MSSP, Web 2.0, AI? At any rate, we now have AI as a buzzword to deal with. Kidding, AI is a lot more than a buzzword. Join me as I discuss AI and the risks of AI with Jim Harryman of Kinetic Technology Group.
ToDo or not ToDo
How we manage our time for a work-life balance plays a role in how we work in both our strategic and tactical workflow. I sit down with Jason Slagle of CNRW to discuss how keeping track of what we do in a planner, in our PSA, or in other tools is critical when things happen. Evidence is hard to come by after the fact.
Selling Cybersecurity Services
I have heard MSPs say, "we just eat the cost for some services." Whether they are services you have implemented internally or not, it doesn't mean you shouldn't sell those services. Listen to Bill Mulcahey of M6 Technology share his challenges and opportunities. Remember, forward progress is good progress!
Fireside Chat - Control 9 Email & Web Browser Protections
We have made it halfway through the CIS Top 18 and Matt Lee of Pax8 delivers again with a compelling argument for Control 9's demanding our undivided attention.
Hiring Security Resources
Hiring cybersecurity resources and the costs associated with it. What does the job description look like, and what are the responsibilities? Mike Stewart of Anchor Networks and I discuss the challenges and opportunities of hiring staff to help with cybersecurity.
Data Backup and Air gapped?
I have had multiple conversations around backup vendors and the shift to solutions that are direct to cloud and other feature requirements that we didn't even consider 6-10 years ago. Remember the world before the data actors started doing data exfiltration. Join me with Matt Horning of Blue Tree Technology as we explore everything from the 3, 2, 1 and other backup models as well as airgapping.
2024 Outlook in Cyber
As 2023 comes to a close, I thought, in traditional fashion, we share with you our outlook for 2024. Joshua Smith of Reliaquest and I have a few optimistic observations that might have been shadowed by some Sky Net references, but I think 2024 has a lot of potential. Enjoy the holidays and we will see you soon in 2024.
Fireside Chat - CIS Control 8 - Audit Logs
CJ and Matt Lee of Pax8 discuss control 8, which pertains to audit logs. Some of the safeguards are easy to satisfy... just turn the logging function on and set to 90 days. Others will require more effort but all are reasonable for MSPs to pull off.
2023 Look back in Cyber
From tools and breaches to LLM, IoT and OT we talk about it all. Where we have been and how far we have come with Charles Love of ShowTech Solutions, and Joshua Smith of Reliaquest.
My Cell Phone's Been Cloned
We all know the dangers of connecting to Airport Wifi... Join Sarah Goffman and me as we discuss the dangers of connecting even your cellphone to public wifi.
Ideals vs Reality
What does future growth and sustainability look like in the MSP space? Acquisitions abound, SMBs and micro-SMBs bounce from one MSP to another... What is the future yield especially when we start discussing cybersecurity challenges and adopting even good cyber hygiene? I sit down with Eric Hanson of Inland Productivity to get his take on the future of client growth and where those net new clients might be. Whether with existing or new clients, they must recognize the need to improve their cybersecurity posture!
Fireside Chat - Control 07 Continuous Vulnerability Mgmt.
Deep dive into control 7 with some influences of other controls. We know that OS patch management, change management, Third Party App management and third party app patching aren't always prioritized the way they should be considering today's threat landscape. Matt Lee is on a pedestal on this control so stay tuned through the end as we run a bit long on this one.
ITN Connect Recap 2023
I sat down with Matt Fisch of Fortmesa to discuss observations and highlights from ITN Connect. From new vendors in the pavilion tackling niche cybersecurity challenges to conversations with Solution providers that show our industry is maturing.
Business Email Compromise
Maybe we have talked about this before? At any rate, business email compromise is a constant threat. We do phishing simulations and other security awareness training to help our staff and clients make good choices, but we aren't always perfect. I sit down with Dan Gilligan with Integra MSP to hear his journey in dealing with this issue and the tools and training that have changed over the years to keep up with this evolving threat.
Insider Threats
What are insider threats? Tim Schnurr and I discuss the importance of cybersecurity in protecting digital assets and preventing insider threats in organizations. There is an overwhelming need for employee education, the use of data classification tools, and the implementation of monitoring tools to track data flow. This is a great way to have open conversations with your employees and your clients as to why it is so important to think before you click on a link, hit send in an email, or download/upload files to file sharing sites etc.
Industry Conference Overload
Thinking back ten-plus years on the industry conferences we have attended in person and online. With vendor mergers and acquisitions it is hard to determine which shows you should still attend and every day it seems there is a new road show, quarterly show or another membership conference. How do you make decisions to attend what is relevant?
Fireside Chat - CIS Control 10 - Malware Defense
As we go through the CIS controls we try to stay in sequence but as a result of some discussions at recent events, we decided to jump to Malware Defenses. Hopefully, Matt Lee's insights and my humor will be enough for you to endure 30 minutes on what you should do in your journey to address Malware Defenses.
Getting an Assessment...
We talk about frameworks, compliance, cybersecurity, and many things in between but we haven't discussed getting assessed against a framework or even the new CompTIA Cybersecurity Trustmark. I sat down with Omer Kasim Aslim of Lake Ridge to discuss assessments. How the different frameworks, whether prescriptive or not, are often looking for compliance to protect a specific type of data and not an organization's overall security. We go through several scenarios and Omer offers many tips and best practices. Enjoy!
Should I Sell Compliance Services?
In recent years we have seen Solution Providers begin offering services that are showing a shift in our industry around our client and client prospect needs. Five years ago very few solution providers would be comfortable talking about risk registers, GRC tools, PoAMs, and take a leadership role with our clients. Join me as I sit down with Chad Holstead of BKS Group to talk about challenges, risks, and opportunities for positioning compliance as a service.
CompTIA Cybersecurity Trustmark Progress
From the trenches... I sit down with Jim Harryman of Kinetic Technology Group to discuss their progress through the new CompTIA Cybersecurity Trustmark. What are the significant challenges and what are the easy wins? A glimpse into the journey that got Kinetic Technology Group to where they are today and preparing for their assessment at the end of the year.
Fireside Chat - CIS Control 6 Access Management
Fireside chat with Matt Lee brings us control 6. Access Management goes hand in hand with Account Management but if you have been following along we covered control 5 last month. Join Matt Lee and me as we deep dive into each safeguard and discuss what you should be doing and then mapping it to the safeguards we cover.
Do I know my assets (IoT, IIoT, and OT)?
Each day we are bombarded by cybersecurity threats and this episode adds another vector you should be looking at as you address your asset inventory. Are you looking at the asset that controls your thermostat? How about the IP cameras you use to secure your office? These are just some of the many questions as I sit down with Huxley Barbee of Run Zero. It isn't all doom and gloom but the outlook is definitely scary if we don't start taking action to secure the devices that often are ignored or the responsibility and burden is assumed to be already handled.
Committing Fraud Through CMMC.
There is no question that CMMC is here to stay. It is a much-needed maturity model for measuring companies that cater to the Defense space and are doing what is needed to protect Confidential Unclassified Information (CUI). I sit down with Adam Duman of Vanta to discuss frameworks, contracts, cybersecurity challenges, and how all of these things impact a company looking to keep or add contracts within the defense space.
Preparing For A Storm.
In Cyber we often focus only on the events that come from the ether, the dark web, and we forget that disasters can come from all sorts of events. With a hurricane less than 24 hours from making landfall, I sit down with Charles Love of ShowTech Solutions to discuss their prep.
Was I a victim?
I am a big fan of Scott Augenbaum's book, "The Secret to Cybersecurity." Specifically, the 4 truths that we talk about with Tye Male, Senior Pastor of Wellspring church. Suspicious email, inconvenient timing, stress-inducing, and when it is all said and done... it has the potential to damage your reputation. Listen in to hear what Tye learned as it pertains to being vigilant and communicating the cyber dangers with friends and loved ones.
Fireside Chat - CIS Control 5 Hurdles
We are 1/3 of the way through the CIS Top 18 and I think Control 5 might be my favorite. Matt Lee joins me as we dive into all six safeguards and how important they are in the journey toward cyber resilience.
Cybersecurity for Big and Small MSPs
I remember the days when Joshua Smith and I decided we should build our own MSP. It was simpler times and Cybersecurity was defined largely by firewalls and antivirus. Today starting an MSP or even being a small MSP trying to get arms around cybersecurity is a daunting task. I sit down with Dor Eisner to talk about why he decided to build Guardz. Why the desire to focus on a solution for the smaller MSP and his overall look at the threat landscape. Together we can make it more difficult for the threat actors.
MSPs Need Compliance
There are lots of frameworks to choose from and some are more complicated than others. What is important is that you use some set of controls/safeguards or standards that are measurable and can be aligned with. I sit down with Alex Spigel to talk about her approach to compliance and how things like responsibility matrixes can help. We are at channelcon23 and I hope to see many of you in person.
Showing Evidence
Over the past few months we have spent time on policies, how to tackle controls and safeguards in CIS Top 18, and we have even pointed out cybersecurity areas that might be overlooked. In this episode, as we all look at maturing our cybersecurity practice we look at how one might show evidence to support all of the efforts in creating policies, processes, and procedures. Thanks to Chase Griffin for highlighting that sometimes you do need some tools.
Fireside Chat - CIS Control 4 Hurdles
It is the 3rd Tuesday of the month and it is time for Control 4 with Matt Lee. This is a shorter episode but we get it done and got great insights on how to go about addressing CIS Control 4.
Policy Creation Involves Everyone!
Policies are the one thing no company wants to create but everyone has to have. We see them show up in employee handbooks, Written Information Security Plans (WISP), and System Security Plans (SSP), and there is no shortage coming from HR. In this episode, Charles Love of ShowTech Solutions, and I explore why policies should involve all staff. Either everyone gets it and acknowledges the need to follow them or they tend to not get followed at all.
Do You Know Who Your Users Are?
I don't often have vendors as guests on the show and so when there is an exception made it is because they are bringing something to the table that is exceptional. Discussing Single Sign-on with Nick Wolf of Evo Security is a topic that we have touched on before but never in the context of how it might help you address CIS controls or other challenges within your internal management of users or users client-facing.
Fireside Chat - CIS Control 3 Hurdles
A little Chutes and Ladders, a little Yellow Brick Road. In this episode, I think you will find that Data Protection is a rather complex beast but through the guidance of Matt Lee of Pax8 you will have the tools you need to better protect what is important to you and your clients.
Counterintelligence and TikTok
This week we put a thought towards adding counterintelligence as something that should be part of your Business Continuity, Disaster Recovery, and Incident Response. It makes sense when you hear what Darren Mott has to say. As a former FBI agent, his insights both from his time in the field and even now in his new role, are not to be missed. Why is TikTok bad? What are the personal risks that I am taking on by the decisions I make to use technologies like TikTok? What are the potential ramifications for me and my friends...? Not just today... what about 10 years from now?
Check Vendor's Security Posture
After we did "A Doozy of a Story," I was presented with this gem. It almost feels like a perfect storm but in fact it is a legitimate business and as I discuss the details with Eric Hanson, I want you to think about CIS Control Service Provider Management and Software Management. It is easy to forget that our vendors don't always take a security-first approach.
Cyber Insurance Industry Maturation
When cybersecurity insurance first came on the scene it was a new frontier. Everyone seemed to be selling it and everyone seemed to qualify for it. That was then... Sitting down with Reid Wellock of FifthWall was an enlightening discussion of where the industry is at and hope for the future. There are several pointers in this episode and even a book recommendation.