Dec. 3, 2025

From Checklists to True Compliance-as-a-Service (EP 947)


Uncle Marv sits down with Compliance Scorecard’s founder Tim Golden and channel veteran Shanna Utgard to unpack how MSPs can turn compliance from a painful checkbox exercise into a profitable, defensible service offering. They dive into risk conversations, cyber insurance, frameworks like CMMC and HIPAA, and why documenting client decisions is now essential for avoiding lawsuits.

MSPs are being dragged into compliance whether they’re ready or not, and this episode gives you a practical roadmap from people who’ve already done it. Tim and Shanna break down how to launch compliance-as-a-service, reduce your legal exposure, and finally get paid for work you’re already doing for free.

Why Listen:

  • Learn how Compliance Scorecard evolved from a simple checklist into a multi-module GRC platform built by an MSP for MSPs.
  • Hear real stories about CMMC, HIPAA, New York DFS, SOC 2 and cyber insurance requirements driving new revenue and risk.
  • Understand how to document client decisions so “we told you no” is provable when lawyers and insurers get involved.
  • Discover how to reposition your QBRs/TBRs from “ticket counts” to executive-level risk and business impact conversations.
  • See why assigning a dedicated compliance champion inside your MSP is the crucial first step before tools.
  • Get a preview of Compliance Scorecard’s AI-driven policy experience that explains policies “like I’m five” and tests user understanding.

*** Cast your vote for the 2025 Podcast Awards: https://www.itbusinesspodcast.com/p/2025-podcast-awards/


Hello friends, Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals and managed service providers, where we help you run your business better, smarter, and faster. For those of you joining us here for the first time, this is the weekly live show, where I come on here every Wednesday night, 8 p.m. Eastern, and we chat with some friends, some MSPs, vendors in the channel, and we have a nice little live discussion. You are welcome to join us in the chat with any questions, comments.

We just ask that you don't criticize our attire, that is off-limits. My guests tonight, Tim Golden and Shanna Utgard from Compliance Scorecard, they will be visiting with us and hanging out. But I do want to say, we are coming down to the wire, folks.

It is December, the last month of the year. We have a very, very limited number of shows left. As a matter of fact, there are only going to be four live shows that are happening.

This is one of them. Next week, we will have one, and that will probably be my last solo show of the year, because the week after that is going to be holiday week. And normally, I end out the year with a holiday podcast that turns out to be a party.

We have some podcast awards. We will be doing that. But before that, the Tuesday before the holiday show, we are going to be having a non-IT business-like podcast.

It is going to be Techies and Trekkies. I'm only going to give you that much as a teaser, because we are working on some very interesting guests for that show. That is going to be Tuesday, the 16th at 4 p.m. Eastern.

That will be a live show. And then we are going to end up on December 17th, Wednesday night at 8 p.m. as our last show of the year. That is going to be our holiday podcast.

It is going to be a very special 90-minute edition. We are going to have guests from the previous year. We're going to have vendors.

We're going to have videos. We're going to have pictures. We're going to have laughs.

We're actually going to have adult drinks as well. So it is going to be a very lively show. Now, I want to draw your attention to the website.

And in case you all don't know where it is, the itbusinesspodcast.com website is where you're going to want to go, because it is live already. Up at the top right-hand corner, you'll see it there. The 2025 Podcast Awards.

The voting is open, so you will be able to go there. Of course, I'm going to ask for your name, email, and some demographic stuff. But we have gone above and beyond this year, and we have selected all of the trendy, all of the popular, all of the social media-enriched content.

I have AI-generated the favorites for all of the Podcast Awards this year. Best Guest, Best Episode, Best Vendor Swag. Those are the three categories that you have been voting on for the last year.

Actually, the last five years that we've done this. We are adding a fourth category this year, and it is going to be a very special selection committee only. And it is going to be one for Best Booth Etiquette.

So there will be a fourth mug given out this year. But I encourage you that while you're, I don't know, if you've got two screens up and you want to do it now, yes, you can go over there, but please stay with the show. It's going to be fantastic.

Or after the show, you have until 11:59 p.m. on Tuesday the 16th to vote. And again, you'll be voting for all of those categories. And of course, I'll ask you for a couple of things about the show, things you liked, things you didn't like.

Tell me all the good, the bad, the ugly, all of that stuff. But voting is open for the 2025 Podcast Awards. So be looking forward to that.

I want to say thank you to everybody. It looks like we have a plethora of people watching on all of the social media platforms. Again, we are streaming live on YouTube, LinkedIn, and the Facebook.

I see some familiar faces in there. Bill Campbell got a nice little holla shout out there. Tim, thank you for saying hello there.

Let's see here. Oh, Mr. Stoic. No, AI did not create that website for me.

I slaved on that website myself. I just couldn't figure out how to get my logo and stuff up there, but it is what it is. That is that.

So let's go ahead and get started with tonight's show. I have folks with me from Compliance Scorecard. And I think I have something in my ear here.

Nope, that is nothing I have to pay attention to. So tonight, and I don't have my glasses, so we're going to struggle with the read. Compliance Scorecard is a SaaS governance and compliance platform founded by former MSP leader Tim Golden to help managed service providers operationalize compliance as a service at scale.

The platform focuses on policy management, risk and gap assessments, evidence tracking, and reporting so MSPs can standardize how they deliver compliance outcomes to clients while generating recurring revenue and reducing manual effort. So let me first bring to the stage, Mr. Tim Golden. Tim, how are you? Hello, Uncle Marvin.

Oh, my gosh. Do you want a job? Because the way that you just presented our is amazing. Thank you so much for that warm welcome.

So excited to be back here and so excited to have good friends sharing with us. Yes. Yeah.

And so thank you so much for that warm welcome. I think you said it far better than I could. Well, I had a little... That I did have AI help with.

So that's what I came back with. Yes. I see you're in the holiday spirit.

You got your little... Is that your version of a Yule log sitting off to the side there? It is. It's actually a pair of Bluetooth speakers that are supposed to go on a tiki torch. Oh.

Outside. It's a tiki torch. But I was like, you know what? It's a little festive for my Yule log.

And you know, Checkers over there getting warm by the fire. Yes. It is December, right? It is December.

Yep. All right. And I'm just checking the chat here because it looks like we have somebody being a Yahoo.

I don't know if he's just being funny or if we need to boot him, but we'll see. Somebody being not fun? I don't know. I mean, who's going to come here and ask me about my favorite NBA team and then ask, what the heck is this? Well, you know, those are YouTube folks.

I guess you get that. It's not the... What is it? The MSP sports guys? Is that the Facebook group that Scully created? Oh, yeah. I know.

Yeah, that's fun. But welcome to the wonderful world of live streaming. And I think you had your disclaimer in the beginning.

So whatever. Here we are. Yeah, it's the disclaimer.

This is my show. Opinions expressed here are my own and the guests are their own and live with it. Wait, Marvin, you're supposed to tell me what my opinion is supposed to be.

So that's going to be on my... That's on my MSP political show that'll be coming out in 2026. We'll vote on that episode, too. Yeah.

By the way, for those listening, I did drop the link in chat for you to go vote on the... I don't even know who is in there. But hey, head on over to Marvin's website. He did an amazing job building that all by himself with no AI, Brian, right? Mr. Stoic.

And head on over there. Cast a vote. Subscribe.

Do the things. Hmm. Oh, and guess what is not here? My video that I had made very special for this occasion.

That's a shame. Nope, I have it. Nope, nope.

I have it. And Tim, listen, you're a regular on the show. And I know that you will probably not take offense to this publicly.

But privately, you might. But I've just got to roll a little video clip here to introduce this person. Who is Shanna Utgard? And Shanna is currently the senior cybersecurity... Nope, that was before.

Her first guest appearance was all the way back in 2021. She was the first person to ever be here in studio in Fort Lauderdale, Florida. She has been a fantastic guest.

Shanna Utgard is joining us. Shanna, welcome back to the channel. How you doing? If I was any better, there'd be two of me.

Yeah, where'd you steal that from? I have been saying that for years and years. I laugh, oh my gosh, when my first in-studio appearance with you, that conference was the worst conference I had ever been to. I was chasing my case down with UPS.

Like, I still have that little, like, you know, iridescent bomber jacket in my closet just as a souvenir for all the headaches. But it was fantastic having you here. The first person ever to do an in-studio podcast with me back when there actually wasn't a studio.

It was just a desk in the corner. And I'm jealous. I don't even have one of those.

Yes, there it is. Look at that. I think I remember that episode, to be honest with you.

I think I might've actually participated. Like, I mean, I try to join most of yours, but I can't believe I'm- That was a way back. That was episode 381.

Is that one they can all vote on this year for best of show? No, that's too far back. Too far back. And the title of that show, do you remember the title, Shanna? Well, the first one was, I wired $2.1 million to a cyber attacker.

I don't remember what the second one was. Yeah, that was the $2 million Cybersecurity Education Show, is what that one was. And then the first, when it was just titled first, because you were here in studio, that was March 4th, 2022.

And then you joined me for the Star Trek Picard show, episode 699, last year in August. So yeah, you've been on here quite a bit. So let's start with the question.

Let me just ask it this way. And let the listeners know, you were in the channel. You worked with a company that I did some stuff with.

I'm still working with them, by the way. Then you left, went off and did some stuff. Now you're back.

Let's ask what happened. Yeah, so worked for the cybersecurity vendor. They were awesome.

I ended up going and working with my biggest and best MSP partner. Fun story, and it kind of ties everything together. They wanted to build out a compliance as a service offering and have somebody that had experience in compliance, experience rolling out new product offerings at MSPs, experience in compliance.

And I just happened to meet all of those requirements. So I was the vCIO of compliance, set up the entire offering, rolled it out to all of the clients, sold and supported the first umpteen CaaS clients at the MSP, and then ended up leaving there. Took 10 months off.

I had a step kid who had a bone marrow transplant, and that kind of was a little bit of a wrench in your life. And then spent the last couple months doing some other type of sales and stuff that had the kind of flexibility to be able to accommodate doctor's appointments and all of that kind of stuff that I'm still going through. But you can take the girl out of the channel, but you can't take the channel out of the girl.

So now the opportunity with Compliance Scorecard was just kind of a perfect mashup of all of my previous experience. I've worked for a vendor that was specific in the MSP channel at first, and then I worked for an MSP doing compliance. And this is kind of like a, you know, see one, do one, teach one like the doctors.

So I've done it myself. I rolled it out at an MSP. I know exactly what it takes to do it.

When you don't have a platform like Compliance Scorecard, I know how to package it. I know how to price it. I know how to sell it.

I've done it all. All right. So which side, which side contacted the other first? Well, you, yeah, Marv, you had actually made the recommendation to me.

You're like, uh, my buddy, Tim, and he lives up by you. So I had applied for a role a while ago. It was like, I don't know, February or something of this year.

But the just timing wasn't right. It didn't quite work out at that point. And then we just kind of had been circling and circling and circling.

And then everything just kind of happened. I know you've just been stalking us. Since then is what you told me.

It's true. It's true. And I was kind of secretly stalking you too.

Like, you know, it's always interesting to find, you know, people that are like-minded, especially in the compliance or risk. But finding those people that are like 20 minutes away from you is like, what? That was pretty, that was pretty like, I mean, when we, you know, brought you on, we went and had lunch. Like, you know, most SaaS companies, they're spread out all over the globe.

And I'm like, you know, our other team members in Florida, which is fine. It's great. It works.

I'm like, I could go and have lunch. I could actually like shake hands and buy you breakfast or something. Like, it was just, that was super cool.

Yeah. We didn't have to ship my laptop to me. No, I saved like $12 on shipping.

I mean, I spent $7,000 on breakfast, but yeah. Well, very nice. Glad you guys could hook up and make the connection and you're welcome.

Thank you. We're super excited to have her here and, you know, just be part of the team. You know, Marvin, you and I have talked over the last couple of years, trying to find the right people in the right roles and the right things.

And, you know, as a business leader, those are all hard challenges, you know, and, you know, and we've had a lot of changes over the last, even the last six months or so. And I think we're just starting now, getting in our groove, right. And kind of figuring this stuff out because, you know, I'm not a salesperson, but I'm, we're figuring it out.

Well, let's, let's talk to that just a little bit, because I would say in the last, what, 18 months, it has been almost exponential what you guys have been doing since we chatted with you in the Pitch It accelerator program. And you had a stroke of luck and had some stuff happen that moved some things along pretty quickly there. So from where you were then to where you are now, I mean, how big has the explosion gotten? 26 months.

Let's just start there. Okay. October, October, 26 months.

So November, it's December. So 25.3 days. So 26 months since, you know, the, what I call our first official, like when we became the thing, right.

The January to October, I mean, yeah, that beginning part, I use the October date because that's when Arnie invested in us. And that's where like my starting line. So from there, you know, exponential growth, you know, lots of team members.

We've gone from version 0.0 to, or about to launch version 10 in January. Version 10 is very, very exciting. You can talk about that a little later.

You know, you know, we've had ups and downs. We purchased a company that, you know, went down that whole pro services route and decided we're a SaaS company first. And so, you know, that whole like learning through that, bringing staff members on, seeing others move on to other positions and good for them.

Like we have always talked about the right person in the right role. And, you know, maybe sometimes we kept people a little too long, but that's okay. Like the lessons that we've learned, you know, as, and I see a lot of MSPs kind of mirror this.

We're really great at some of the technical stuff. We love clicky buttons and blinky lights. But, you know, the business operations side, that's where things tend to get tricky, you know, and for me personally, like sales kind of not my thing, but I've had to learn a lot in 22 months or less.

I've had to learn a lot in the last five months, bringing in a sales coach to help me. So yeah, we've had a lot of growth, a lot of change, a lot of challenges, and a lot of overcoming that we've been able to overcome along the way. So tell me this.

So when you first came out with the company, it was a different name, and people saw it pretty much as a checklist. You know, just help me help my clients be, you know, compliant. Give me all the things I need to check off that they need to check off and, you know, make it quick and easy.

You guys have actually done much more than that. You're now multi-module. Am I correct that you guys have added security awareness training, evidence collection, compliance control assessment, all of that stuff? All that stuff.

I would, the security awareness training, I want to make a little pin in that. We integrate with six different SAT platforms. Okay.

However, the policy component is first in the industry. What we just released, and, you know, we'll talk about AI, maybe. I've always been on the mindset of do what's right, not what's popular.

So we just didn't slap, you know, a chat bot and yay, we're AI now. We actually took 20 of our MSPs, work with them over a couple of months, and now launched it full platform wide. Marvin, you've had to work at corporate companies, right? You've had to sign the employee handbook or password, like those kinds of things, right? Just checkbox, like you said.

Oh, I read it. Did you actually read the handbook? No. Did you actually understand the handbook? Probably not.

And that's the problem with policies and procedures. Here's a document, check a box, move on. But what we built is twofold.

One, here's the document in the legal term, the words, we rewrite it with our private AI and explain it to me like I'm five in plain language. So you have the original version, you have the tell it to me like I'm five, and how does it affect me in my daily life? And then we actually are building test questions on that exact document. So it is tailored for that document in that company.

That's the training part that we're doing is not only just moving through a checkbox, but you're actually building corporate culture around understanding the documents in which run the company. Nice. Nobody's doing that.

So anyways, Shanna, let me just bring Shanna in real quick because I want to go back. So when we had that conversation and I made the reference, oh yeah, Compliance Scorecard, take a look at them. How much of what Tim has been talking about really made you think, yeah, that's where I want to go? Well, when I was at my MSP role, like when I worked for an MSP and was brought in to build out a compliance as a service offering, I looked at like, I looked at 21 tools.

I tried 17 of them out. Like I used all the ones that, you know, you can think of that come to mind, whether they're MSP focused or even, you know, the big boys that you listen to any, you know, tech podcasts and they're big sponsors of, or, you know, the ones that cost $20,000 a tenant, you know, for one framework. I looked at them all.

I used several of them. There wasn't anything that really existed that truly met the mark for MSPs. The two that I used that were, you know, designed for MSPs and owned by, you know, the big, large MSP companies just didn't do what they wanted to do.

And one of the big things that I've noticed too, that kind of touches on what Tim talked about with the policy side of things, something that really sticks out to me is in the compliance scorecard messaging. It's not just about compliance because let's face it, compliance isn't sexy. A lot of the times what this really is, is it's having the risk conversations with your clients.

And it's no different than like, I kind of look at it as a parallel track of how I entered the cybersecurity arena. It was like right before that wave really crested and everybody went, oh, my clients are asking about this. I need this.

We were like a little bit kind of ahead of that. So it was pulling teeth to get them to figure out how to sell it, how to package it, how to position it to their clients, how to get them interested and getting out of that. Like, well, you're my tech guy.

You do it for me into, well, what do you mean I need this? And why do I need this? And why is this important? And a lot of the times having that risk conversation with their clients, it ends up or cybersecurity conversation or whatever it is. It's kind of that like, like technical back and forth. The client pushes back.

They don't see the impact. They don't see the need. But the funny thing is like both of those situations, it's kind of rarely a tech issue.

The clients don't really like feel the risk or understand why it's so important. And then nothing changes. The MSP stays stuck in that like, you know, IT fix it team instead of being viewed as the strategic partner to their clients.

And then like platform, like what cybersecurity kind of became for a lot of MSPs, compliance or having a structured conversation is starting to flip that dynamic. And it gives the clients a really simple way to not only like see their risk and understand their risk, but also to own it. That risk should stay on the clients.

And I talked to so many MSPs and like I just had a call the other day where this guy said, I'm trying to make my business more bulletproof. So that conversation has to finally shift from why do I need this to how fast can I address this? And having them behind the wheel of making those kinds of decisions and documenting it. I also have law in my background.

So I look at this kind of stuff. I think we've even talked about this before. That kind of like, you know, liability side of things.

I hear it from MSPs all the time is they're just kind of looking for a little bit of that like CYA factor. Compliance Scorecard gives this like documented, structured, scalable, repeatable format to be able to have those risk conversations, document your client's decisions. So if they say, oh, I'm not worried about that, or I don't want to spend the money for that.

You have a record of it. So if anything ever goes sideways, you have an ability to go back to them and say, oh yeah, we talked about this and you made it. We talked about the risks.

We went through, you know, this was required under this framework, or it's just a general best practice, or your cyber insurance needs it, whatever, whatever's driving it behind the scenes. You decided that it wasn't important or you were going to, you know, push it off until, you know, Thursday of next year, or you don't want to spend the money on it. And you've got that documentation to also further protect yourself because at the end of the day, it's your client's risk.

It's not your mistake. So listening to both of you, great comments, great discussion. I want to ask this question and either of you can answer, but we have been talking about cybersecurity for what, 10 years now, well before COVID, well before AI, you know, became the pretty child on the block and stuff.

MSPs are still struggling with compliance. And we haven't really been able to figure out where the real failure point is. Because here's the thing.

MSPs don't want to tell clients, this is your problem. Because the client's going to be like, no, that's why we hired you. And yes, Compliance Scorecard seems to make it easier to do that.

But, but how do we, you know, what is the real struggle that we're going through in this, in this era? So I'll let Shanna chime in after me, because I really want to hear what she has to say. But I'll, I'll, I'll, I'll, I'll say this. When we started doing this, you know, I started this crap in 2006.

I've been doing it forever. It's second nature. It's like brushing my teeth.

So I'm like, what are you talking about? However, I also recognize, and this is why we started the company, where they are headed. Okay. We talk about CMMC, November 10th.

It's in effect. We talk about the new HIPAA rule that's coming out any minute now. So the things are happening.

Now, from an MSP perspective, it's been really exciting to watch the market shift. Over the last, even the last six to nine months, seeing the market shift. It has been really, so two years ago, I'm like, don't use the word compliance.

It'll freak them out. Right. And now that's why we say have the risk conversation.

So it's been really fun. Scary. I thought the market would be faster because MSPs are fast, but again, it's not as fast as we'd like to watch the market shift over the last 22 months, which excites me about the next 12 to 18 to 24 months.

Let's face it. I didn't go in anywhere. It's here.

We used to say compliance is coming. Now we say it's here. And so I've just been excited to watch that market trend and hockey stick on.

Like people are coming to us. Customers asking for CMMC. I had one MSP I talked to today.

He's got four CMMC customers and one FedRAMP customer. A seven, eight, nine months ago, you'd barely get an MSP considering CMMC. One today that's just a new customer today.

I have five regulated that I have to deal with. Help me. Shanna, I want to hear what you have to say.

For me, it's been the market trend over the last couple of months. I think that compliance is kind of cybersecurity's younger sister at this point because from my vantage point, it's been going through almost the exact same like go to market hurricane path is kind of really what it's been for MSPs. Compliance was like, oh, well, we don't do that.

We don't do cybersecurity stuff. We don't. Well, yeah, you do.

You have a firewall that you manage for them. You install antivirus on their computers. So we rewind all the way back then.

Yeah, you were already doing cybersecurity stuff for them. You just weren't charging for it. You let it be optional.

You were still doing all of that stuff. You just weren't making any money off of it. It wasn't standardized.

Compliance is kind of at that same like wave beginning to crest. You're already doing all of these things for your clients. The problem is you're doing it in a reactive format where you're not doing anything.

You're not doing anything. And then all of a sudden, the client comes to you, spreadsheet, document, assessment, audit, whatever it might be in hand. And they go, help.

Whether it's something as simple as filling out their cyber insurance application. Do we do these things? Or they've just got someone in the back office like pencil whipping it. Or they come to you and they say, help me fill this out.

You're already doing this stuff for them. You're already answering the questionnaires. You're already taking them through like these kind of assessments.

You're already pulling evidence when whoever that third party. Because really, when you boil compliance down, all it is doing the things that some third party is asking of you and proving that you're doing them. No matter who that third party is, no matter what acronym is behind their name, whether it's cyber insurance or some like, you know, CMMC or a privacy regulation or whatever it might be.

Are you doing the things that you're supposed to do and can you prove it? So you're already gathering evidence when the clients are in that frantic scramble and saying, I need documentation that I have this, this. So you're already doing it. You're just not doing it in a structured way.

You're not doing it in a repeatable or scalable way. And you're not making money off of it. Even if it's just as simple as, you know, a compliance platform to manage, you know, their information for their cyber insurance application.

Because what I've seen out in the wild, real exact situation was a client had a business email compromise. Their cyber insurance provider was asking them for documentation and proof that multi-factor authentication was enabled on the email account when the threat actor gained the initial access, which was eight months ago. So the cyber insurance provider wanted proof that multi-factor was enabled eight months ago.

So if you have even just like a baby, you know, cheap and cheerful compliance offering where you're collecting documentation and evidence, you're making sure that whatever they're saying they're doing is defensible and provable. That alone is a huge value add to your relationship. You shift from that, if it breaks, I call you to that strategic advisor that helps them understand the risks of their business and decide what to do about those risks.

Sometimes the decision is, well, we accept that risk. There's not really much we're going to do about it right now. It's not as much of a priority, but being able to take a look at all of them and say, okay, this gets some priority.

This we're not worried about, you know, this is handled because we've got some protection with our cyber insurance, whatever those, you know, risk strategies they want to deploy are, you've got that all documented as well. Yeah. Marv, are you hearing some synergies here? Yeah, I am.

And she's only been with us, well, last week was short, so a week and a half, two weeks. Yeah, but we've been grooming this process for months now, right? What are we, 10 months that we had that conversation? And I said, look over here, talk to these guys. So yeah, I know what I was talking about.

So I want to take what you guys just said, turn that into another perspective from the MSP side. But before we do that, I want to make sure that I say thank you to the sponsors, especially coming up to the end of the year. I did not show my mug at the beginning of the show.

We are presented by ThreatLocker, and they have been a fantastic sponsor. Zero trust, total control. But let me go ahead and bring up the screen here.

And ThreatLocker puts you in the driver's seat with deny by default protection, only trusted software runs while ransomware and unknown threats are blocked instantly. Fast allow listing, builds your inventory automatically, streamlined security for IT teams with fewer alerts and absolutely no guesswork. Be sure to head over to the website, itbusinesspodcast.com/sponsors and check out all of the other people that have been supporting us.

And thank you to the patrons that are giving individual contributions. Thank you very, very much. So with what you guys both said, we've talked about, you know, risk.

And one of the things that I've been doing with my customers is coming at it from the standpoint of, I'm going to protect myself before the opportunity arises for you to test me. Because that's what a lot of customers will do, where they'll assume you're doing stuff, but you guys never sit down and talk about, are you doing this? Yes, I'm doing this. We're doing this. 

Oh, are we paying for that? Well, no, because you're not paying for this. All of that stuff. That's one of the things we need to get to where we've taken compliance as a necessary evil and tried to figure out how to turn it into a profitable service line for us.

But we've seen over the last year and a half, where clients are now starting to sue their IT providers because of those discussions. We did have an episode on that not too long ago. Yeah, we did. 

And I've actually got two more locked and loaded that I'm trying to get a bunch of research on because there's more out there where the arguments are being made on both sides. Well, we presented that to us and you told us no. And then the client's like- What if you had a tool where for each one of those, even something simple as like CIS IG1, right? Just some cybersecurity, basic hygiene, right? Risk, basic hygiene, taking them through those controls. 

And if there was a little section where you could go through and identify who's responsible for that, is that a client responsibility? Is that an MSP responsibility? Is it a shared responsibility? Is it something that's handled by a tool? If you could very clearly go through that with a client and identify exactly who is responsible for that and have documentation of that, wouldn't that make standing up to that in some kind of trial a lot more clear and convenient? That's what we've got to do. We already did it. You're ready to go, Tim? She's got this? All right. 

Well, we've got some stuff to talk about anyway that doesn't involve you, so you can go whenever you want. I'm kidding. I'm kidding.

No, but that's what we need to start with. I mean, in the fact of MSPs now need to come at IT support. And we've made jokes about this over the years. 

Well, you touched it, so if it breaks, you're responsible. And then we're kind of like, no. But having all these conversations, we try to talk about it in our MSA agreements. 

We try to cover all this stuff, but then the customer's like, I don't want to pay for that. Like you said, we don't have that much to protect, so I don't want to spend that extra money. But yet when something happens, they're willing to sue you because the insurance company isn't going to give them their insurance money that they thought was protecting them as well. 

These are the things that we need to look at here. The word that comes to mind, it's not my word, a bunch of us keep saying it, is defensibility. That's it. 

Defensibility. How are you helping? But even at a much higher level, you know, you asked about, oh, Henry. Hey, Henry. 

Great. So at an even much higher level, back to what you asked about earlier, Marv, which is we've been talking cybersecurity for 10 years. What about this compliance? Here's the thing. 

There's sort of two sides of the house. There's IT operations. Fix my broken printer, or in my case, throw the fricking printer out. 

IT operations, install Microsoft, do clicky buttons. But then there's business operations, and then there's cyber operations that, you know, we used to say the CIA triad, that's not this, but we're really good at IT operations. The industry as a whole hasn't figured out how to communicate business operations and cyber operations separately. 

We and the consumers at large have commoditized pieces of the industry and don't understand there are different segments. Just like in healthcare, you have specialty doctors, and that, and like you have brain surgeons, foot surgeons, whatever. It's similar in technology. 

You know, I go to every conference and I ask this question to everybody. Uncle Marv, can you define cybersecurity for me? No. Nobody can. 

That's the problem. Even us professionals 20 years in. Yeah, everybody has their own definition and their stuff. 

But let me ask this question, because I think one of the issues that we have is that businesses, companies don't look at IT as somebody that can sit across the table from them. You know, we are considered the same as the HVAC vendor, the plumber. You know, why are you trying to help me with business operations? We make the money, we tell you to fix our stuff. 

We're trying to figure out how to get a seat at the table, you know, where we're trying to do VCIO stuff, and we're trying to help them guide their business operations. You want us to protect you with business continuity. We need to sit on the other side of that. 

What is this business that we're trying to help you protect? Let's sit through and have that entire discussion. Am I right? Whose fault is that, do you think? I don't know that it's anybody's specific fault, except that these are things that I think have been holdovers from the way we used to do business back in the 70s, in the 80s, in the 90s. IT was that, I said it earlier, that necessary evil.

There are a lot of MSPs that have successfully gotten to that kind of fork in the road and been able to position themselves as those trusted advisors and have that seat, at the executive level. The big difference, I mean, just even look at how you structure your regular meetings with your clients. What kind of stuff are you going through in your QBRs, your TBRs, whatever you want to call it. 

Those interactions that you're having with the leadership at the client organization. Are you running through things like, this is what you're paying for. This is how many tickets I've closed for you. 

These are the projects that we've done. Are you running through a bulleted list of what you're paying me for? Or are you coming into that conversation with information that helps you earn that seat as a trusted advisor? Or are you justifying your existence as a vendor like the HVAC guy does? Are you giving them an invoice? Or are you giving them an actionable report at the end of the day, showing them the risks to their business and why you're giving them valuable information where you deserve that seat at that table? Well, the HVAC companies have gotten smart because not only do they give you an invoice, they give you those reports that will say, hey, look, if you were to schedule regular service twice a year, you will save money and not have to replace that unit for an extra five years and save money over this. I think that's where we've got to come in and be like, you know, keeping your operations running is going to make you more efficient, make you more money, save you money here if you let us help you with all those subscriptions, all those things that your employees are doing on the internet that you don't know about.

I just talked to a client yesterday where they didn't realize that they were paying for a bunch of Dropbox subscriptions. And the reason we found out is because one of the computers all of a sudden got full because somebody had just downloaded all this stuff. And I'm like, this is why I always ask you to let me come in and look at your whole environment. 

And they're like, we're going to let you do that from now on. And one of the most valuable exercises that I did when I was at my MSP as a VCIO was to do like threat assessments, tabletop exercises, because in the prep work for that, we would have conversations about, you know, basically uncovering like what are the crown jewels of your organization? Like what if you couldn't access it, if it stopped working, like what would make you absolutely dead in the water? Like what do you have that makes your business run? And if something bad happened to that, you know, we'd be in big trouble. Getting all of that information, I would turn around and pass that over to, you know, the account managers who are working with these clients on a regular basis, because like you need to have that deep understanding of exactly how they operate, what technology supports that in order to go into those like deeper conversations. 

That was one of the most valuable things because we're not generally like, you know, we're going through and we know the basics, we know generally what they do, what kind of technology supports that, but we're not having like those really deep, like, you know, deeper level conversations with them about that. All right, I'm going to play devil's advocate here for a second, you know, and I hear this a lot. Shanna, you were talking about, you know, what keeps them up, you know, the things that concern them. 

I actually like to shift the conversation instead of what keeps you up, what scares you from falling asleep, to why do you get out of bed in the morning? Why do you make the widget you make? Why do you do the thing you love? See, it flips it to a positive conversation. So instead of asking what scares you, what drives you to do the thing you do and make the widget you make? And then our job as the IT professional is to protect that. Oh, I get up and I make donuts in the morning because my grandfather ate donuts with me growing up. 

That's amazing. How are you monitoring the temperature in your cooler to make sure your milk doesn't spoil? Oh, I bought this thing off of, you know, Chinabay.com. What? I, you know, I bought the thermostat that was hacked at the MGM and now they're going to hack me. But that's how we can shift it to a positive conversation and then use that to have the risk conversation. 

Oh my God, you love making donuts. We should probably protect your milk and eggs. Or whether expanding into, um, I had a client that we were charging $7,500 a month for a compliance as a service program because they, they started off as a very, very niche, uh, nonprofit organization in one market, like one metropolitan market.

And their big, you know, their BHAG, their giant goal that they had was to move into other like major metropolitan areas. And even just talking about what kind of compliance requirements, because the service that they provided ingested some healthcare information. So they were very worried about HIPAA, obviously. 

Um, but they were even looking to go down the road for something like HITRUST instead. So taking these, you know, basic requirements that since 1996, we have known that we have HIPAA compliance, um, and a little small organization saying, if we want to grow to this point, then we're going to need to have something that is scalable. And by understanding like where they wanted their business to go, we were able to get them, you know, $7,500 a month.

You can do the math on what that brings in every year, um, just on setting up and deploying and helping them manage. 'Cause we weren't managing it for them. 'Cause again, at the end of the day, it's their risk. 

So we were guiding them as that advisor through how to get to that, that big, hairy, audacious goal at the end. Yeah, there was a, there was a Reddit post on slash compliance, which is one of the ones that we manage. And the title was, I lost a $95,000 deal because I didn't have a SOC 2. Now the poster goes on to say, you know, I met with them, good qualifying, blah, blah, blah. 

We're about ready to sign the CEO. Everybody's on board. And then those IT guys said, do you have a SOC 2? No. 

And they lost the deal because of it. The point in all of that is your customers, customers. So you, the MSP, your customer, their customers are going to start asking your customers for these things. 

And that's where your customer will blindly sign stuff probably without reading through it or lose deals because they're not doing basic cyber hygiene. So I literally, I'm seeing this every single day. Yeah. 

Let me ask, let me ask this question because I want to make sure we don't run out of time. I want to ask the question from the standpoint of this, when an MSC or an MSP wants to launch compliance as a service, a lot of us start from a point of ignorance. We've, we've heard all the things we're supposed to do. 

We've never paid attention, but when it comes time to start that, what are the first two to three internal changes that we need to make before we even touch a tool? I'm going to let Shanna actually answer that, even though I really tried to say, you raised your hand, dude. No, I'm going to let her, I'm going to kickstart and we'll let Tim explain what that is. No, no product pitch. 

No. I, do you have something before I chime in? I mean, eat the food you cook. Get your own house in order. 

Here is, well, yeah, get your house in order. What are the first two or three things that you as an MSP, as an IT service provider, as an IT guy need to do? Number one, dedicate a human. Have a body. 

Have the person accountable, responsible, and empowered to do the work. Have a body. That's the very first thing, but take that person and as leadership, empower them to take ownership. 

Have a championship, a championship, have a champion and don't let them get bogged down by tickets or like give them a day a week. Pay them a day a week to do the work or 20 days a week, whatever. Have a human. 

Empower the human to take ownership and responsibility and don't give them crap for doing the work. Even if it takes them way longer, that's the first thing. The second mistake that we see most MSPs make, and I've been doing this for 26 months now, is they look at a control framework and they go 1.1 and they inventory and they run over to their RMM and they run over here and they run over there and they run down a rabbit hole of trying to fix the thing first. 

Now, there are two roles in a compliance as a service offering. Implementer, go click buttons, go install stuff, do blinky lights, highly important to do work, but the one that's most beneficial to you and your customer is that trusted advisor. Can I use that word? To say we are your trusted advisor. 

We are the facilitator. Our job is to help find stuff and help you make informed decisions. Anything you want to fix? Implementer, project work. 

That's the two components. Number one, have a human and allow that human to be the trusted advisor, not clicking buttons. Clicking buttons is project work and charge for that stuff. 

That's it. Sorry. Shanna, I know you've only been there a little while, but doing this at that MSP before you came aboard, do you see a difference now or do you have a concrete example of how documentation, or should I say policy documentation and evidence tracking has saved either that MSP that you worked for or any other MSP scenario? Excuse me. 

We worked, so one of the organizations that we worked with had New York DFS regulations that they didn't even know about because there was like part of their overall organization did consulting and guidance for people who were trying to like get home loans or financing or that kind of stuff. So they ended up like by a long way around falling under the New York DFS regulations and they didn't realize it until they got a letter from the Secretary of State saying, hey, we didn't get anything for your annual filing. You're out of compliance. 

Like this needs to happen immediately, right now. So that was one of those like kind of scramble type moments, but they had a lot on the line, a lot of fines that was like risks to them, obviously. Situations where like it was already in place and it was helpful, those were kind of a little bit more of like baby compliance type stuff where we were collecting and gathering evidence and requirements for cyber insurance. 

That way, when they had claims and they had incidents, all the documentation and everything was already available and we could just go in and be able to pull that. I'm trying to think of other examples. Sure, some of them might come to me. 

Well, while you're doing that, Tim, isn't one of the problems we have is that we don't know where to keep all that documentation, all that logging. I mean, who keeps MFA authentication records for a year like they're supposed to? Compliance scorecard, those. I'm sorry, that's a famous plug. 

No, but that's the reality, right? You talked earlier defensibility, you talked earlier about insurance and getting sued and the things. If you start a program, you don't have to be compliant on day one. In fact, you won't be in compliance on day one, regardless. 

But you can iterate over time. You can start to build out some of these things over time. Marvin, you've heard me talk about this in the past. 

We got our FedRAMP thing back in 2006. It freaked me out. I had no idea. 

Come to find out, we were actually doing a lot of the things that we were supposed to be doing. We just didn't have it written down. And we didn't have those things written down and change managed and approved and logged and dealt with. 

So we had the written... I'm just looking at the comment that just came in on LinkedIn. Yes. So sure. 

Now, without talking too much about us, before we existed, I was doing that work in SharePoint. Actually, I was doing that work on the file server in the building. Spreadsheets, Word docs, the whole thing.

It got to a point where I couldn't do it at scale for a company with nine offices and 150 staff, one company. I'm an MSP and I'm trying to replicate that across 20 clients. So I wrote code to help me to do that work. 

Fast forward, oh, 20 years ago, GRC was a thing. Okay. But that's it. 

You can do this in... You can do it on frigging floppy disk or USB for all I care. No, not on floppy disk, Tim. Don't be ridiculous.

All right. You can do it on your file server or SharePoint, but you won't be able to do it at scale and you won't be able to do it efficiently. I know because I've lived that life as an MSP.

All right. We are coming up to the top of the hour. We didn't hit a lot of stuff that we wanted to get to. 

Let's go ahead and end with this. I'm going to do a question each. Tim, I'm going to start with you. 

Tell us the top new product feature service that people should know about Compliance Scorecard. Oh, our AI, our true AI, not some marketing baloney. What we're about to launch here come January, tying in all these little components with... Yeah. 

I just... I don't want to give too much away, but what we're building in the large language model, the machine learning and the AI components is going to blow your doors off. All right. And Shanana, who did your hair? I did my hair.

No, serious question. Now that you're back on this side of the channel, I'm sure you and Tim have sat and talked about where you see yourself, where you see things going. What do you see that is bright in the future for both you, Compliance Scorecard and Compliance as a whole? I think we touched on it a lot earlier, is that positioning as a strategic advisor and being able to gain a seat at the table, have those risk conversations with your clients, justify the investments that you're asking them to make, cover your tookuses. 

There's so much opportunity for this as another, as more and more of the MSP business is commoditized to a certain extent, being able to add that kind of value that nobody's going to be able to take away. Have those conversations. A lot of the MSPs that I talk to, they really love their clients. 

They want to help them make smart, well-informed decisions. They bang their head up against the wall having those kinds of conversations because they're like, I tell them they need these things, but they don't care. They don't see why it's important. 

They don't want to do it. They don't want to spend the money on it. Helping that conversation be easier. 

I think everybody wins. All right. Tim, you're shaking your head. 

Are you agreeing with everything she just said? My work is done here. I'm super excited to have another member of our team. I'm really excited to see where like two years ago, I was like, is this even going to work? Now, 25 months in, I'm like, yeah, it's getting there. 

It's working. The little engine that could. That's who we are.

All right. Well, Tim, Shanna. I always appreciate you having us. 

Thank you so much. Thank you for coming on. Thank you guys for hooking up so that we could do this. 

I would just say, Shanna, I've got your Yoda doll hanging right there. Thank you for that. Compliance Scorecard, folks, positions itself as the built by an MSP for MSPs with workflows aligned to how you sell, document, and support services across multiple regulatory frameworks.

Be sure to check them out. Talk to my buddy, Tim. Talk to my friend, Shanna.

Get yourselves on board. Defensible is the word that should make it a staple word for 2026. That is going to do it for this episode. 

Reminder, just a few more episodes left. December 17th is the Holiday Podcast Party and Award Show. I am putting into the chat right now the link for you to go and vote for your podcast awards, Best Show, Best Guest, and Best Swag, and then come join us on the 16th for Techies and Trekkies, and then again on the 17th for that last party. 

It is a blowout. I was going to say a different word, but it's a party. It's a podcast party, folks.

It's your show. You can say what you want. Yeah, I know.

I'm kidding. Thank you all for hanging out. I want to thank those of you that participate in the chat. 

Henry, Tim, thank you for joining us. I think it was Billy Campbell earlier, Tom, a few others there. Thank you for hanging out. 

Be sure to go over to the podcast page. Find your favorite pod catcher. Follow us. 

We're going to be doing some great things in 2026. Let me just tell you this, 10 years of podcasting, we will be celebrating for all of 2026. That's how good it's been. 

Thank you all for tonight. Tim, Shanna, look forward to the next one after stuff launches in January. Thank you so much for having us, and Merry Christmas to you and your family.

All right, folks, we're going to say good night here. Until next time, holla.

Shanna Utgard

Account Executive

Shanna Utgard is an Account Executive at Compliance Scorecard, where she helps MSPs move beyond the “IT fix-it team” label by giving clients a clear, simple way to see and feel their risk.

An award-winning channel professional and seasoned cybersecurity advocate, Shanna empowers MSPs to elevate the conversation, demonstrate strategic value, and build scalable security and compliance programs that drive real action.

Email her at shanna@compliancescorecard.com

Tim Golden

CEO/Founder

Tim Golden, Founder, Compliance Scorecard

For over two decades, I’ve dedicated myself to helping Managed Service Providers (MSPs) turn compliance from a daunting challenge into a powerful strategic advantage. As the founder of Compliance Scorecard, my mission is to empower businesses with the tools and knowledge they need to operate securely, manage risks effectively, and grow with confidence.

In 2024, I was honored to receive the CompTIA Cybersecurity Leadership Award—a testament to my unwavering commitment to safeguarding businesses in today’s complex digital landscape. My journey as an award-winning speaker has taken me to conferences, webinars, and executive roundtables across the industry, where I share actionable insights on governance, risk management, and cybersecurity.

As a dedicated advocate for MSPs and cybersecurity and an industry speaker, I’m passionate about demystifying complex topics and delivering practical, actionable advice. My approach to speaking on compliance, risk management, and cybersecurity is down-to-earth and accessible, ensuring that every audience member—whether an experienced MSP or someone new to the field—leaves with clear steps to enhance their business and security posture.