Making Compliance Simple for MSPs (EP 879)

Dive into my chat with Jared Casner, co-founder of Blacksmith InfoSec, as we unravel how his team is shaking up compliance as a service for MSPs and SMBs. Discover new tools, strategies, and why compliance doesn't have to be a headache!
Are you tired of customers dreading compliance and security talk? In this episode, I chat with Jared Casner of Blacksmith InfoSec, who’s making compliance accessible for every MSP and SMB. Discover their “paint-by-numbers” approach to policy management, seamless ConnectWise integrations, and how their flexible platform creates new revenue streams for tech pros.
Holistic security isn’t just a buzzword—it’s a philosophy, and Blacksmith InfoSec is putting it into action. Hear the backstory of how two founders shifted from startup IT challenges to channel-first solutions built just for MSPs. We dig deep into white-label options, risk management frameworks, and the value of real community feedback. You’ll leave with new strategies, and maybe even a pen recommendation, too.
Why Listen:
- Learn about “compliance as a service” for MSPs
- Discover practical MSP-friendly integrations (like ConnectWise)
- See how holistic security benefits client businesses
- Hear candid industry lessons, mistakes, and wins
- Find out the financial perks for early MSP adopters
- Get tips to co-manage compliance with clients
- Understand why feedback-driven development matters
Guest: Jared Casner
Co-founder and compliance innovator at Blacksmith InfoSec, with 15 years in Silicon Valley and a passion for making cybersecurity accessible for businesses of every size.
- Website: https://www.blacksmithinfosec.com
- LinkedIn: https://www.linkedin.com/in/jaredcasner/
=== Show Information
- Website: https://www.itbusinesspodcast.com/
- Host: Marvin Bee
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals and managed service providers, where we hope to help you run your business better, smarter and faster. We are in the midst of summer. We are moving on with our vendor profiles for the IT Nation PitchIT program.
We're getting close, folks. I think all of the contestants have passed the midway point of their 16 week boot camp, and they are all looking to be on the final stage at IT Nation Connect in November and hopefully get that $70,000 grand prize. So we're continuing on.
I am interviewing all of the contenders. And today we are interviewing Blacksmith InfoSec. I have Jared Casner with me.
He is one of the co-founders. Blacksmith InfoSec is a cybersecurity company specializing in compliance as a service. And it is tailored for small and medium sized businesses.
And of course, us as managed service providers. Well, Jared, welcome to the show. Well, thanks, Uncle Marv.
Appreciate you having me on. All right. So let me just ask a nice, easy question to start.
How's boot camp going? Boot camp is great. We've had some just incredible speakers coming in and talking to us, folks that are other vendors in the space that have been there, done that before us, some MSPs involved, folks outside teaching us about sales and marketing. It's just been a wonderful experience all the way through.
All right. Now, your company is one of the youngest. I think you guys started in 2023, right? That's correct.
Yeah, we're not quite two years old yet. All right. But not new to the MSP space.
Actually, we are. We are sort of new to the MSP space, but also not new to the MSP space. So my co-founder and I both have used MSPs in the past in our past lives.
In my case, I've been out in Silicon Valley for the last 15 years and outsourcing our IT to managed service providers. I will say that the managed service providers that I've used have been more of the trunk slammer variety, which is, you know, I'll just say down to some very frugal CFOs that I've worked with in the past that have been not very optimized on or forward thinking when it comes to IT services and like, oh, we'll just leave engineering to sort that out. My co-founder has had a chance to work with some truly excellent MSPs along the way in his past as a BSO, where he was working hand in hand with some MSPs.
And those are some of the first partners that we joined up with when we started the business. All right. I just made a note here.
I want to hear about trunk slammer MSPs, but that will be another podcast. Let's talk about Blacksmith InfoSec. So I'll be honest, compliance as a service.
It's been very popular over the years, and I'm going to ask you, you know, what makes you guys so much better than the others? Yeah, so honestly, I think part of what makes us at least different, I don't know about better, but certainly different from the others is our backgrounds. We don't come from the MSP space directly. We're coming at this from, in my case, the Silicon Valley startup mindset.
My co-founder stands the actual practitioner as a BSO and delivering compliance services into businesses. So for me personally, it was partnership opportunities with MasterCard that led me down the, I need to figure out how to be SOC 2 compliant and actually putting that security program in place. Working at health tech companies and dealing with HIPAA compliance and SOC 2 compliance and putting all those security programs in place, putting the building blocks in place, and doing that on a shoestring budget.
My co-founder's stance, it was really over hundreds of companies that he worked with as a BSO. Again, how do I get a small business to compliance from the ground up when they're on a shoestring budget, when they don't really know what they're doing, why they're doing it? In fact, I can tell you how many of your customers, Marv, are asking for compliance and saying I really want to do this. Asking for it? Come on now.
Yeah, I'll bet the answer is zero. Nobody wants to be compliant. They're doing it because they have to, right? They're doing it because they have to.
And a lot of these companies are being dragged into it, kicking and screaming. And so what we've tried to do is really democratize the whole system, which is, as Silicon Valley speak, we're making it easy and accessible for the non-technical end-users of the compliance platform to understand what they're doing, why they're doing it, and start baking that into their DNA as an organization. So maybe they don't want to do it, but at least they understand why they're doing it, and they understand the value that it has along the way.
Yeah. So just to clarify my answer, yeah, nobody's asking for it, although I did have one customer who just said, look, we know it's coming, so we're going to get ahead of the curve. So that's the closest I've gotten to that.
Let me ask in terms of your key features and offerings, of course, because most of the things we think about have to be around our NIST requirements, our incident response plans, security awareness training. What other things are you guys offering? Yeah, so all of that, we do the policy generation for you, and we've templatized the whole thing. We call it bowling with the bumpers up or paint-by-numbers approach, so giving you the templates in a way that you can't mess them up.
They're already there, and we have taken a very different approach to a lot of our competitors in this space also with the policy creation, where it's, I'm not giving you the WYSIWYG editor that lets you change anything you want to because I've seen too many times where small businesses or MSPs have just totally botched the implementation of those policies and the creation of those by being able to go in and edit them manually. And so it's a much more streamlined approach. We give you the compliance roadmap.
We have integrations into ConnectWise so that you can actually mirror that into a ConnectWise project and be able to build directly through ConnectWise and generate your project plans directly in ConnectWise and that two-way integration. So as your techs are checking things off, it's checking things off of the compliance roadmap and bringing your clients closer to compliance and then reflecting that in the reporting that you're giving to them. The risk register, right? Because at the end of the day, all of these compliance frameworks, they're really better thought of as risk management frameworks.
It's how do I help reduce the risk of an incident? And when there is an incident, reduce the impact of that incident, right? It's all about risk management. The user audits, right? It's the entire security program. It's all the things that you need to do across the entire board for the security program to bring that, to help your clients become more secure, but also achieve compliance along the way.
All right. Now, when it comes to your platform, I know that you guys offer white labeling so that we can make it look like us to our clients, but how much interaction do clients have inside the portal versus what we provide for them? So you cannot own the risk for your clients, right? Period. Your clients have to own their own risk.
So it's a co-managed opportunity. Everything that your client sees in the portal, you see in the portal, but it's your portal that they're logging into, but it's their policies. It's their compliance roadmap.
It's their tasks. It's their risk register. It's everything that you can see, they can see, and vice versa, with a little bit of a caveat that when it comes to your ConnectWise integration and other integrations that we have in the platform, that's for you to manage and automate the tasks that you have as an MSP, but really everything that's in there is their system.
And then you guys can talk to your clients about, hey, what's on this roadmap? You can do yourself if you want to, or we're happy to do that for you. And so you get both the monthly recurring revenue of the compliance offering, but also the non-recurring revenue or the NRR for the project work that you're going to do on their behalf when they say, yeah, I went ahead and turned on MFA in my Microsoft tenant myself, so I don't need you to do that, but I don't know how to configure my firewall. Great.
I got you. Here's the project. Let me go off and do that for you, right? So it's how do I co-manage that risk and work together to help your clients? And so when you get the more frugal ones that know they need to do it, they can invest themselves.
And when they want you to move faster or help them move faster, you can get in there and work together on that every step of the way. All right. I saw a term on your website called holistic security.
Yeah. Can you explain that a little bit more for me? I mean, it's just like it sounds, right? At the end of the day, if you're not thinking about security for the entire company, and I'm not just talking about cybersecurity, right? We're not just talking about vulnerability management. We're not just talking about MFA.
We're talking about risk management across the entire organization. And so helping your clients start to think about what are some of the financial risks, right? Look at SOX compliance. SOX compliance is a great example of putting in the right financial controls.
And yes, you're using IT controls to do that, but putting in those controls so that there's a double trigger on a wire transfer, especially over a certain amount so you don't have somebody, when you get that text message from the CEO saying, I need you to go out and buy $500 worth of gift cards, where's the accountability and the double trigger on that to make sure that there's actually some accountability there, right? It's looking at risk across the entire organization and helping you as the MSP be that trusted partner who's not just coming in your TBRs and talking about, hey, here's how many tickets we closed in the last quarter. Instead, you're coming into that TBR saying, hey, what are your business objectives for the next quarter? What are your rocks for the next quarter? Let me help you achieve those. And here are the ways that IT can help support your business going forward and make you more efficient and effective and also increase your security posture along the way.
All right. And then underneath that, where I saw that, there was a thing for competitive pricing. It seems as though the platform is geared towards MSPs, but then you also say on the website that there are reseller discounts available.
Does that mean that we can just simply resell the portal to clients that need it and let them do their thing? Yes. So we are a sell-through, not a sell-to, meaning I'm not selling you the MSP. I'm selling through you as the MSP into your client base.
And more importantly, and actually, I don't even want to sell through you. I want you to be selling your compliance offering to your customers. And how you choose to do that is a little bit of a choose-your-own-adventure, right? If you want to just offer the platform and say, go forth and conquer, by all means, go ahead and do that.
I would strongly encourage you to wrap that in some services of your own, even if it's just providing some expert services and some project management work along the way for that MRR. So it's not just the platform. It's a little bit of your time as well to help drive some of that.
But at the end of the day, we talk about compliance a little bit like your GPS in your car, right? There's not really a start and an end. So the analogy kind of breaks down a little bit. But at the end of the day, if you're telling your client, we're going to help you get to or achieve compliance in X, Y, or Z frameworks, you can have them tell you, all right, I want to walk there.
I want to take a bike. I want to take a car. I want to take a plane, right? So the speed and the cost to get to compliance is going to change.
And I say get to compliance very loosely here because, again, compliance is an ongoing journey. But the speed and the cost to get there is variable. It's up to what the client wants to do.
But you can work with them and use our platform to help manage and navigate that and let them, again, choose their own adventure in a lot of ways of what they want to be doing, when they want to be doing it, how much they want to spend today versus tomorrow, and make that investment slowly over time to achieve a level of compliance and security and risk management, most importantly, that is really second to none. All right. I want to go back and ask a question I didn't think I would ask.
But when it comes to dealing with MSPs, you come from the mindset that you had some, I don't know how we want to call those experiences, but the Trunk Slammer MSP. And now you're turning around and working with MSPs. What made that transition or was it all your partner that said, yeah, MSPs are good, you can work with them? No, honestly, it was, so we built the platform initially to go straight to small businesses.
And we sold it into a bunch of our past employers, small businesses and startups. And every one of them would start working through their compliance roadmap and get to a point of, oh, I'm in over my head on a technical level here. I don't know how to configure a firewall.
I don't know how to do X. I don't know how to do Y. And so they'd bring in their MSPs. And the MSPs started looking at this and saying, oh, this is really cool. How do I do this for the rest of my clients? We said, oh, this is an interesting point.
Ding, ding, ding. Yeah. Ding, ding, ding.
And so that was a little over a year ago. March of 2024, we pivoted and went almost exclusive. At the time, we went almost exclusively channel.
We have since gone exclusively channel. But it built in multi-tenancy and white labeling and made this an MSP first approach. We spent the next six months on kind of a listening tour, talking to MSPs, going to ASCII events and IT Nation Secure and Channel Pro events, right? We went out and were meeting people and asking questions and learning the MSP community because, candidly, we were new to it, right? We had worked with some really excellent MSPs in the past and some less excellent MSPs in the past.
We had worked as a not great, being perfectly candid, I was not a great customer of an MSP. There were probably MSPs that wish they could have fired me because I didn't really understand the MSP model and how to make it work. And so getting in, understanding the community, getting and becoming embedded, just asking questions for six months made us realize this is home, man.
Why did we do anything other than go straight through MSPs? This is where we needed to be in the first place. So by IT Nation Connect last year, we had our first booth and really have been, since I want to say October of 24, exclusively MSP and just going through the channel. All right.
Has there been anything that has stood out to you in terms of that feedback that you've gotten from MSPs besides the fact that we need to do this? No, I mean, I think the biggest thing is just the nature of the community in the MSP space, right? And I'm not just talking about the MSPs, but also the vendors. Both sides of the equation have really opened their arms to a bunch of new guys in the space. And we just couldn't be happier.
We get real feedback. I tell everybody, Marv, I've got a lot of really good friends that tell me how amazing I am, which is great for the old ego and I feel good about myself when I talk to those folks. What I love about the MSP community, both the MSPs and the vendors, is I've made some really great friends that won't just tell me how great I am but will also tell me when I've got spinach in my teeth and will say, you said a thing that I didn't like or your product doesn't, I needed to do X and it's almost there.
And getting that real feedback and being able to adapt and learn and grow along the way has been just such a rewarding experience for me. I just wouldn't trade anything. All right.
Well, let me give you some feedback because I, listen, this was not planned, but I have on my desk, I have on my desk all the pens that I kind of go through when it comes to swag that I've gotten from conferences. And there's your pen in the midst of this pile that I was considering as a best swag item. I like the little thingy at the bottom to, you know, to grip the pen and all of that and it writes real smooth and stuff.
So there's some great feedback for you. Awesome. Yeah, I will.
I will take that back to my marketing team. I will tell you that at ChannelCon last year, we were voted or named the fifth best pen of the conference by a 12-year-old girl who was walking through the showroom floor. So I take that as high praise that we got some good pens.
We got to talk about that because if she's evaluating pens to that level, that's pretty, that's more than I do. So. Oh, it was, she had not only evaluated them, but she had written out sentences with each pen as part of her evaluation and the smoothness of the writing.
And it was, it was pretty impressive the way she, the level of detail she went to. Okay. All right.
I don't feel so bad with my analysis of swag. A 12-year-old girl is doing that. All right.
Well, Jared, before we get too distracted here, let me do what I've been trying to do with everybody and give you two to three minutes here to hopefully this is your first go at the pitch. And I'm going to stand back and let you tell the listeners why Black Info, whoops. Was I even, yeah, Blacksmith InfoSec.
Go. Wow. This is my first opportunity to do this pitch.
So bear with me here. But Blacksmith InfoSec was created specifically with small businesses in mind. We wanted to make compliance affordable, accessible, and easy to do for any level of technical ability.
We have been very successful at making it affordable and accessible. Figuring out the, of any technical ability was a little bit harder. And that's where the MSP community really stepped in and became that trusted partner for us as we're going forward.
We've given the MSPs the tools to be able to build a security program for a small business that is a co-managed opportunity that increases trust for the MSP, increases revenue for the MSP, increases security and compliance for their end clients, and does this all in a way that starts to bake in that security and compliance mindset in the business every step of the way. It makes the change management very smooth and simple. It makes the compliance journey understandable.
And it's really truly holistic in the sense that we're covering the entire gamut of the security program. We're not going to give you the entire security stack, but we're going to give you the entire security program so you know exactly what needs to be done and when it needs to be done and can manage that security program alongside your clients to deliver compliance in a way that is truly unparalleled. All right.
Thank you very much. Jared Casner with Blacksmith InfoSec. The compliance as a service platform specifically designed for MSPs to deliver scalable, affordable, and multi-tenanted security and compliance solutions to their clients.
Not so bad, Jared. Thanks a lot. Well, thank you.
I clearly need some practice on that one. I'm going to be going back to the drawing board, but this has been a lot of fun. All right.
Well, I wish you luck going through the rest of your boot camp and look forward to seeing you in Orlando at IT Nation and I guess hopefully seeing you as one of the final three on stage. I'm looking forward to it. I will definitely see you in Orlando hopefully from the stage, but we'll be there.
We just confirmed our booth or kiosk for IT Nation, so looking forward to it. All right. Very nice.
Well, folks, there you have it there. Again, Jared Casner, Blacksmith InfoSec. Check them out.
Vote for them. Do whatever you need to do to get to see them in Orlando at IT Nation Connect. That is going to do it for this episode.
We'll be back with a few more of the vendor profiles for the 2025 IT Nation PitchIT program. We'll see you soon. Holla!

Jared Casner
Cofounder
Jared Casner is the cofounder of Blacksmith InfoSec, where he helps MSPs and SMBs build real security programs without the enterprise price tag. He spent 15+ years leading security and engineering teams in startups across finance, healthcare, and govtech — all the fun, heavily regulated industries. Before that, he held a top secret clearance and built software for the U.S. intelligence community. He’s got a BS in Computer Science from the University of Denver, an MBA from the University of Colorado, and more opinions on compliance than most people care to hear.