Build MSP Security Like a Pro with Roddy Bergeron (960)
Roddy Bergeron, Sherweb's Cybersecurity Technical Fellow, joins Uncle Marv to flip MSP security from tool-focused to a people-first operating system. They dive into Sherweb's new Cyber MSP Community, vendor onboarding strategies, and real-talk on cyber insurance and outages. MSPs get practical playbooks for CIS controls and client conversations that drive outcomes.
Tired of stacking security tools without results? Roddy Bergeron, Sherweb's go-to cybersecurity fellow, shows MSPs how to build a real security OS—starting with people and processes. This raw chat from the Right of Boom conference unpacks vendor truths, community gold, and client-winning talks.
Why Listen:
- Shift security from tools to outcomes that clients actually care about.
- Join Sherweb's free Cyber MSP Community for threat intel and playbooks.
- Master CIS controls implementation roadmap (coming soon).
- Navigate cyber insurance gaps, subrogation risks, and outage responses.
- Hold vendors accountable beyond steak dinners and swag.
- Revamp QBRs to build intrinsic value and raise prices confidently.
Mentioned on the Show:
- Sherweb: https://www.sherweb.com
- Cyber MSP Community: https://info.sherweb.com/cybermsp-community
- Huntress: https://www.huntress.com
- SentinelOne: https://www.sentinelone.com
- Palisade: https://www.sherweb.com/security/palisade
- CIS Controls: https://www.cisecurity.org/controls
- Keeper: https://www.keepersecurity.com
- CIPP: https://cipp.app
- Right of Boom: https://rightofboom.com/
- Pax8: https://www.pax8.com
- Matt Lee: https://www.linkedin.com/in/cybermattlee/
- Dustin Bolander: https://www.linkedin.com/in/dbolander/
- Ash Cooper: https://www.linkedin.com/in/ash-cooper-cipp/
- John Hammond: https://www.linkedin.com/in/johnhammond010/
- Michael Slater: https://www.linkedin.com/in/slatermichael/
SHOW INFORMATION:
- Website: https://www.itbusinesspodcast.com/
- Host: Marvin Bee
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals and MSPs to help us run our businesses better, smarter, and faster. We are here today with a, it's not really a newscast, it's not really a vendor profile, but we're here talking with Sherweb Cybersecurity Technical Fellow about turning security from a tool list into an actual operating system for your MSP. I'm talking about the man you know and see all around the place, Roddy Bergeron.
Roddy, welcome to the show.
Marv, pleasure to be here, and I like the fact that you like, people think that I'm popular. I like that.
You are, man.
I always think of myself, I'm just a guy trying to do what's best in the space and in my little slice of heaven, right? And you know, if I get name recognition for it, that's great, but like my whole job, right, or like what I found passion in on the MSP side is like, how do I make things better, right? From security to risk management to everything else. And I was, and like, I found that passion and like, I'm lucky. I'm one of the few people who have the role of like cyber security evangelist in the space with a company that actually supports that vision and idea that I brought to the table, right? So that's what I do, right? Like that's my whole thing is helping MSPs look at their cyber security programs and profiles and do a little bit, how can we make it a little bit better, right? I don't sell anything. I'm not a salesperson. I have no quota. I don't, I don't generate any revenue.
No, but you're known as the person that can take a complex security thing and turn it into a simple practical playbook for us. And so for that reason, whenever, I mean, I'm in peer groups and I'm having discussions and I hear all the time, Oh, you should talk to Roddy.
So that's what happens when I'm being talked about positive. The other, the other half of my life, you know, it's like I'm a, I'm an elected official, right? Like I'm on the school board over in Lafayette so like you don't get the praise being an elected official over a, over education system. Right.
So it's always good to be in a space where like people see you, appreciate you and see the good that you're doing. Right. And that's, that's one of my loves for the space is like people see you and they, you know, they, they, they see the passion you have for what you do.
And that's what I, that's why, that's why I'm still here right after 15 years in the MSP space. That's why I'm still a part of it.
All right. So we should let listeners know if, if the audio sounds a little funky, it's because Roddy is joining us from Right of Boom. He is there, I believe in the hotel room and doing the best we can with the Wi-Fi there.
Yeah. Wi-Fi is a little choppy, right? It's a, it's Vegas, right? You never know what's going to happen in Vegas.
Yeah. They don't want you on the Wi-Fi. They want you in the casinos.
They're trying hard today. I'll tell you that.
All right. So Roddy, let's do a quick little thing. I normally try not to do this, but I think a lot of people who may not know the title you have cybersecurity technical fellow.
It's not one of those, you know, channel chiefs. It's not vice president of ecosystems channel, whatever those things are. Explain your title and what it is that you actually do there at Sherweb.
Yeah. Yeah. So originally I'd asked that Sherweb call me the chief smile officer, but that got passed really quickly.
So we decided on cybersecurity technical fellow, and it's just a mystery of a title. Like we still like me, my running joke when I start a presentation, like, you know, cybersecurity technical fellow over at Sherweb. I don't know what a cybersecurity technical fellow does, but like I'm in here.
But the whole, the whole purpose of the job, right. Was Sherweb saw a need to have some more speak to the space about where we need to be cybersecurity wise. And I was already doing that, right.
Like I was working with other vendors and I was on the MSP side, right. When I was helping run a business, I was helping other MSPs build their security program. I was in all the peer groups.
I was on stage with vendors and I was doing all that in my spare time. And, you know, Sherweb saw what I was doing. They saw a need.
And they brought me on board just to say, to do a couple of things. Hey, right. Like they need someone who can, can speak and build out the security program.
Right. So like right now I'm working on a, like we always talk about 10 MSPs about, all right, you should adopt the framework. CIS controls is fantastic.
Right. But we never really tell them like, what's the first step? What's the third step? What's the ninth step? What's the, you know, what does the, what does the pathway look like to implementing CIS controls? Like I'm building a guide right now. It should be available in a few months.
Just basically saying like, what is step one? What is step two? What do I look at? How do I reevaluate what I'm currently doing, et cetera. Like that was the whole point of me coming to Sherweb is like taking the space instead of turning everything into a pitch into here's where you need another product. I kind of flipped it upside down and started talking about how like the last thing we need to talk about is product because there's people process and policies that need to go in place first.
Right. Like people we can't have the right policies. We have the right policies.
We can have the right processes. Once we figure out our processes, then we can put tools in place to help us with those processes. Right.
And we had it backwards a little bit in the space where like everybody who got up and talk and the language that we use as vendors right now, I'll throw myself into the vendor bucket because I'm a vendor now, was like, buy these tools. Here's why you need them. Here's the problems.
Here's the potential for bad things to happen. And then what the MSPs were absorbing from that is like, that works for me. I'm a technical person.
I'm going to turn around and tell that to my clients. Well, most non-technical people don't care. Right.
They don't care about the technical piece. They care about their business. So like my whole point was like, we need to speak to a way, we need to change the way we speak so that when MSPs absorb it right through the education process, that they turn around and talk the way that matters to their clients.
So that's what I was brought on. So I do that. Like I do the education piece.
I also help with our vendor onboardings. So I work with our vendors like Huntress and SentinelOne and Palisades and all the other security vendors just with like, how do I help them with the education piece? Like how do I help them have a conversation around what truly matters? I tell them like the 95-5 approach, 95% education, 5% talk about your business. I work with our vendor management team and our product team on finding new vendors to bring onto the line sometimes in non-conventional spaces.
And that's pretty much it, right? Like I just work on security initiatives at Sherweb and that's pretty much what a fellow does. And we're still redefining what an actual fellow does, right? Like I'm the MC at the Sherweb kickoff every year. So apparently I'm presentable, you know.
So like my role keeps changing a little bit, but it's always focused around what's best for not just our partners, but the MSP space and the security space as a whole. All right. So you said a couple of things there.
And before we get into the things we thought we would talk about, I want to ask you this question because you made a comment about tools. And I've been having this discussion off record with a bunch of people that we're starting to bring on record. And you know, most MSPs have a decent stack.
And we were kind of figuring out that the problem isn't tools, even though a lot of vendors, and I'm not going to say that Sherweb's one of them, you know, always talk about get our tool and solve this problem. You said something that makes me think that it's a little bit more about, you know, how do you see MSP with strong tools, but weak operations or something else? Have you figured out what that whole thing is? Is there something else?
Yeah. So again, I go back to, like, I tell a story as part of this conversation, right? So when I was on the MSP side, a major vertical was legal.
Not a lot of people like to touch legal because it's attorneys, right? They're sticklers for detail and everything else. And they live by their contract language. But I was having a conversation with one of my good attorney friends who's also one of our clients.
And he just kind of like, shakes his head. He's like, man, not to be offending to you, but he looked at me and he said, I've been knowing you for a while now. And he's like, this stuff doesn't matter to me because we were talking about uptime and we were talking about a number of tickets closed.
And we're talking about, like, we're going to roll out this new cool security tool, right? Like I say, it's an MDR. So at 2 a.m., it's going to handle security problems. I don't care.
He's like, I just want to make sure I can get my work done. And when he told me that at first, I was offended because, like, attorneys sometimes they speak in very strong language and they speak very direct when they need to. And I was just like, I was kind of offended.
I was like, who's this guy to tell me, like, how do I, like, about the tech stuff and, like, how he doesn't care and everything. I left that meeting and I sat in my office and I was like, you know, he's kind of right. He's kind of right that, like, the conversations we were having and the way we were having those conversations was about what I wanted to see the business have, right? I wanted to see them protected.
But we weren't talking about outcomes and we weren't talking about business processes and we weren't talking about, you know, two to three years down the line, how can this security program or visa, so just insert whatever line of business the MSP has, how does this affect their business? And we started revamping our QBR process and we started talking more about them, right? So we spent five minutes out of every hour of our QBR talking about ourselves, what our MSP was doing, what we did, and we turned the table around and said, like, all right, what do you want? Like, what is it that's going on? How's, what's, what's, what's life like in ABC law firm? And let's talk about the outcomes that we want to have together. And I think that's where we missed the boat a lot on our conversations. Because, again, the conversation from the vendors has all been, like, here's a problem, here's ransomware, here's data leakage, here's whatever new AI problem is out there.
And then the next words out of our mouth is, here's how our tool can fix it. And, like, that does not translate to how you talk to a partner. A partner doesn't care about the technology, they care about the outcomes.
And the conversation has to change around that. And the conversation has to change around, how do we talk about the people inside the organization and how they become a part of the security program, right? Whether or not they're end users, or they're data handlers, or whatever you want to call them. How do we put policies in place? We have governance now, we have guardrails of, like, the business can do X, Y, and you start to have them think in terms of operational maturity and how their business can benefit from it.
And for too long in the space, I'm not going to say it's a problem that no one's trying to solve. We just kept talking about technology. And, like, no one cares what kind of firewall you have in the closet, right? As long as it keeps the internet going and it keeps the bad guys out, right? That's the main point of it.
But, like, when you talk about, like, the new FortiGate that you're putting in, that's, it's got, you can do 100 gigabits, you know, speed, and it has all these fancy features, it does not resonate with most small business owners, right? So, the way that we educate as vendors has to change. The way we talk to MSPs has changed, because, like, they absorb that language and it resonates with them, but it doesn't resonate with their partners or their clients who are actually the ones consuming the product. Because we've been focusing too much on just, like, pushing this onto the MSPs, pushing whatever tool we have, we need, you know, net new MRR this month, and we haven't really focused on, like, how do we get them to, and I hate to use the word enablement, I think that gets thrown around a lot, but, like, it's true, like, how do we get them to have conversations with their partners that matter to them? So, I mean, how do they have conversations with their clients that matter to their clients instead of what matters to, how do vendors talk to MSPs, right? And that's the whole other, like, when we talk about intrinsic value with MSPs, like, you know, why do, how can I, how do these people charge $300, $400 a month and no one bats an eye, right? And we saw that in our own MSP, where, like, we were slowly raising prices, and the ones who didn't look at us as, like, just another line on a financial sheet, but, like, felt the intrinsic value of what we brought to the table and how we aligned with their business and how we helped them with business outcomes, like, that mattered, I want to say just as much or even more than the actual amount that we were, that they were spending on it, right? 
And, like, that comes, I mean, I'm rambling a little bit on, but I think that conversations, especially around, like, just focusing a security program around tools has to change, because there's conversations that has to happen, there's outcomes that need to be mapped, there is, roadmaps need to happen around security programs, around control frameworks, around methodology, that has to come first before we install that first tool, right? And it's just, I don't find that's happening or it's resonating across a whole lot of the space right now.
Yeah, so I let you go because you were saying some good stuff, so don't worry about it, I'll cut you off if you're really rambling, I'll cut you off. I felt like I was, I felt like I was, I was, like, getting around the point and then, like, trying to slice it through, but yeah. Yeah, but, I mean, those are the conversations we need to have, because, like you said, I mean, I just had a conversation, well, I didn't just, so for the last two days, or three days, I've had a conversation with one particular client, they are a law firm, they are my number one vertical, so I understand exactly what you're talking about, and this one had a change in leadership, the managing partner that has been there from the beginning, retired, there is a original managing partner there, who's not really technical, he's not really operational, and so there are younger attorneys that are stepping in and trying to help determine the path of the firm, and they are the ones looking at all of the bills now, and they're like, well, what are we paying for, and one attorney in particular, in his mind, he's thinking, well, I can, I can hire a company that'll do IT and marketing for, for half of what Marvin charges, and the office manager said, uh, I don't think so, here's what he does, and she, she, on my behalf, went down the list and talked about everything, and it wasn't based on the tools or the stacks or anything, I mean, she basically was like, look, when you call, he answers, and he gets things fixed, and we almost had a hack a couple of months ago, Marvin took care of that, you know, she just went down the line and stuff, so yeah, those, the way we talk to clients does need to change, and you're right, all they care about is outcome.
Yeah, like I, the word, the quote I always use is like, people won't remember what you did, but they will remember the way you made them feel, right, and like, think about the human conversations that you have, when someone talks about Uncle Marv, right, they don't say, man, Uncle Marv went on, fix my tire, right, or Uncle Marv, he, he bought me a drink at the bar one night, no, they say like, oh, Uncle Marv, he's a great guy, like, they talk about you, and how, the first thing they say is how they feel about you, and then if you press them, they will tell you exactly the things that made them feel the way they do about you, right, good or bad, right, Uncle Marv's a great guy, Uncle Marv's not a great guy, like, whatever the words are, the first thing they talk about is how they feel about you, because that is the first thing you think about when you think of a person, right, we think about how they made us feel, and that's the same thing that we have to work on, because we are such technical nuts and bolts engineer type people, and I, guilty, guilty, I was a technical person, I was an auditor for a CPA firm, you can't get more technical and more nitpicky about things, more geeky than that, right, yeah, like, you're, you just sit there, and you're scrolling through permissions in a, like, ORBAC, in a, in a, in a financial system looking for discrepancies, and looking for people over permission, it's a very, it was a very technical job, and I had to learn this skill, right, like, I'm not the public speaker I was 10 years ago, you probably wouldn't have saw me on stage talking too much, right, I didn't do it, but I had to learn to open up, I had to learn how to communicate, I had to learn how to talk to people, and just make people feel heard and seen, right, that's the biggest thing, but, like, we're such technical people, that, like, we live in that room, that's what we're comfortable with, we're comfortable talking with the tech, we're comfortable talking about 
endpoint protection, and, and, you know, time on ticket, and stuff like that, because, like, those are, those are things that are technical that we know, and we feel, but at the same point, like, the soft side of things has to happen with the business, right, and when I mean soft, I don't mean, like, just, like, buying them donuts, or, like, you know, getting them, getting them, like, snacks on Friday morning, or something like that to the office, like, that is part of it, but, like, how do we align with the business part of this, right, so you have to have the technical skills to run an MSP, you have to have the business skills, but then the other part of that is, like, where's the soft skills at, right, around how we operate a business, because it still partially matters to small businesses, right, when you start getting enterprise space, it's all, it's a lot of numbers, and it's a lot of metrics, and things like that, but in the small business space, like, you still, and I'm going to, I'm going to kick myself for saying this, we're still handshake and, and type deal, right, like, it still happens, even though I'm frowning upon those types of deals, but, like, that's still the type of deals that still go on, right, like, we want to make sure that we're aligning with the business, and that we're talking in a way that makes that business grow.
Even a digital handshake is still a handshake, you know, people want to feel good about the decision they made, and that plays a part, you know, whether we see them in person or not, so I like that.
And I've been on that soapbox for a while, so I'll tell you, started at Sherweb, it'd be almost, it's about two years ago, almost two years to the date, right, that I had my first presentation at Sherweb, so I got onboarded, and, like, the first thing my supervisor told me was, like, hey, VIP event happening in, like, three weeks, we all have our big partners, we want you to give a security talk, right, and I was like, okay, cool, I can whip something up, so I wrote something up, and it was on, how do we do better with QBRs, and then how do we hold our vendors accountable, right, so, like, first talk I ever do at Sherweb, and I can't remember the exact thing that I said, but we're in a room full of our big partners, and I was like, you know, the days of a vendor buying you a steak dinner, and that's all it takes for you to sign a contract is over, right, there's so much risk involved, there's so much liability, and, like, not even touching on, like, insurance subrogation and things like that, right, where, like, you can get in a lot of legal trouble just by not doing what you're supposed to be doing as a key provider, or even putting into a contract and not doing it, I think you have to hold your vendors accountable and make sure they're doing the right thing, and then, like, I wrap up, and, like, we look at the agenda for the afternoon, and then that night, we're, like, taking partners to a steakhouse, and, like, the next guy that came up was Michael Slater, who's our director of security and Microsoft sales, right, and he goes, like, hey, guys, just because we're taking you to a steak dinner doesn't mean we're trying to, like, you know, hassle you or anything like that.
I felt a little bad, because, like, you know, that was my first foray, right, into Sherweb, like, just talking about what I was passionate about, and that kind of put us on blast, but, you know, we laugh about it now, but it was kind of, like, hey, you know, you're calling us out on that, and I'm, like, well, good, we should probably do better, right, like, I don't mind taking partners out to dinner, but, like, the thing is we also need to make sure we have a conversation with them about why we're the right choice, right, here's what we do to help protect our partners and our systems, and here's what we do to make sure our vendors that we bring up to the line are doing better and helping you guys out, and, like, that's what matters to me. That's what makes us, like, a great vendor or a great partner is, like, we want to make sure that you succeed and that we don't just, you know, we don't just wow you with everything under the sun, right, like a Sherweb jacket and, like, a drone that you win at the conference booth, right, and then that's why you sign a contract, like, we want to win your business because you feel comfortable with us and that we're giving you all the right things, right, right margins, right, you know, right attention, good support, etc., like, that's what matters. Well, I'll tell you what also matters is swag and that shirt with the pocket that you have right there, I almost, that almost made it to the finals of the swag competition for last year, so.
Yeah, and, like, they're seasonal, so I have, like, so every show we change the pocket out. Oh. So I have, like, I have my, I have my, this is our latest one, our sports, my semi-sports one, but I have the football-themed one, I have the beach-themed one, I have the Sherweb regular one.
There was a time where we did white instead of black and blue shirts, so we stuck with dark colors, but there was one data con where they had white Sherweb shirts, and I've been trying to find one that's somewhere in storage and they cannot, they will, I'll tell you, if you find a white Sherweb pocket shirt, you have struck gold, that thing is, that thing's worth potentially tens of thousands of dollars. I'm looking up in my rafters and I've got another hundred shirts or so in the box, I'll have to open them up and see if I have one, but now I'm going to have to pay attention to my tour to see if I get the different shirts, because I got two with the, with the pocket, one's red and I forget what the other one is, so we'll keep track of that, but let's do this, let's transition into some of the stuff we want to talk about, some of the announcements you guys have done, so following what you just said about the way we talk to each other and stuff, on January 12th you guys announced Cyber MSP Community, and it sounds like it's just exactly what you're talking about, it's a place for collaboration, it's open to all MSPs, regardless of distributor, marketplace, and it's basically a place where everybody can chat and figure stuff out, right? 
Yeah, yeah, so that was one of the things I first brought to Sherweb when I started, was like, I want a space, and it could be whatever, it could be an informal peer group, it could be meetups, whatever, but I just want a place where anybody who wants to share information, share problems, just learn, right, because that's a big part of it, we need a space for that, and I really didn't know what it would look like, and we worked on it on and off, while we worked on other things over the years, and then finally we got to a point where we're like, I feel like this is right, so what we came up with was this community is an open space, it doesn't matter if you're an MSP, or you're, you know, a freshman in college who wants to get into the security space, or you just want to listen, or feel better about yourself, because you're not having the problems that someone else is having, right, like whatever you're at, wherever your needs are, we built a space for it, and part of that is, when I'm open discussions, we want to build community resources, so, you know, hardening guides for Office 365, or like, here's some free security tools that we come across, right, GitHub repositories, scripts, you know, good things for like CIPP, because CIPP is, our CIP is a good partner with us, like here's some, some scripting, and some configuration for that, all the way down to like, what's going on in the news today, so there's a channel for like, here's news that we find that we think is relevant to IT practitioners, and here's threat intelligence, so like, I built an AI agent that does threat intelligence research, like I was using it for my own, and then I was like, hey, it'd be great if this thing could actually, you know, if we could actually put into a format where like, it was a little bit more legible for semi-technical people, not fully technical people, so I rewrote it, so it produces the output of like, let's pick one, Notepad++, right, like that just happened with 
their incident, like, how does that attack work, break it down into like, here's the things you need to look for, here's what's happening, I think it's like, Chrysalis is the name of the dropper or whatever, right, like here's what it looks like, here's what it does, here's how it obfuscates itself, so like, kind of getting into the technical weeds on it, but like, giving people just some insight of like, here's what's going on, you post alerts when there's like, zero days, so like, whenever there's another, I'm not going to pick a firewall in there, because they're all guilty of SSL VPN problems, but here's what's going on over here, here's another zero day, you know, they had an incident last week with like, ScreenConnect, like, ScreenConnect instance was being abused to drop, you know, to maliciously being used, like, here's what you need to look out for, here's what you need to do to help prevent these things, so like, just an open resource, right, that Sherweb's putting in, they're like, again, we don't do any sales pitches in it, there's no, in fact, we have a blanket, like, I don't want any sales people from Sherweb in the community, right, like, trust me, that was not an easy conversation to have with the sales people, because they were like, wait, you're inviting our, you know, our partners in, and you don't want us to be a part of it, like, no, because like, I don't want you, I don't want to turn to a pitch session, I don't want to turn to like, it's hard to turn off, like, I see a problem, and I see how I can help, and kind of going into pitch mode a little bit, you know, so like, we've had vendors come on, so like, Keeper came on, and like, we had a conversation with them, going into it, of like, I want this to be educational, like, I want people to walk away, and go like, okay, but what does Keeper do, because like, I don't want to be about Keeper, I want to be about a certain topic, so like, we did one on identity, and identity management, and like, 
what threats are they seeing from their side against identity, right, so very educational, very informal, like, in fact, Friday, I'm filming from Right of Boom, Ash Cooper from CI, from CIPP, right, she's going to come on, and she's going to talk about, like, how do we build our own communities inside of our business, like, what is a community, what does it do, what does it not do, what do we want out of a community, and she's going to talk about, from her perspective, of like, how do we build these communities inside of our organization, so like, we can have these types of relationships that a community should have, right, so like, we're blending a little bit of the technical side with a little bit of the human side, too, because it goes back to my overarching philosophy of like, people come first, like, when we talk about a security incident, we got to think about the impact on people, when we talk about, like, how do we build a security program, the first step is like, well, what people are a part of that security program, like, we have to bring back the human side a little bit, and balance it with the technical know-how, so that's what we're, that's what we're working on, right, like, we're trying to give people a balanced approach, and give them a space where they can have discussions, and, and, and absorb information as well, and wherever they're at, right, like, they can just be starting off, or they could be a seasoned security people who just want to have a space to, to post information, or post what their findings are, right, it's, it's a blend, and it's open, like you said, it's open to anybody, regardless of where they're at, who they are, who they're with, they don't have to be a partner, they could be just, just anybody starting off, like, we've got, we've got some very big names in there, big MSPs, and we've got people who are just one-man shops.
All right, so is this marketplace, I mean, not marketplace, like, so the cyber MSP community, you mentioned no Sherweb salespeople, what about others from the marketplace, are they all, are they also banned from being in there?
Right now, they are.
There's another conversation we had, it's like, hey, but you do have some technical resources at some of our vendors, right, like you talked before, God, I'd love John Hammond from Huntress to pop in and give some insight, right, but we're trying to limit that right now, because we don't want to turn it to just a bunch of vendors talking about stuff, like, we want to be meaningful to the, to the individuals that come into it, and we want it to be their own space, right, so, like, right now, we're doing a lot of the heavy lifting on making sure there's content in there, and, like, bringing content to the table, but eventually, we want this, we want the community to run itself, and Sherweb be hands-off, right, like, we still want to support it, like, both from a, from a, from a resource perspective and a financial perspective, like, support the community however we can, but we want it to be its own, and, like, to the point where, like, the long-term plan for it is, like, I don't want to be a part of it, I don't want to run it anymore, I need to hand it off to somebody who's a part of the community who's not Sherweb, that is the long-term, the long-term plan, a long-term insight is that this isn't a community for Sherweb, it's a community for other people, and, like, eventually, the, the baby bird has to, you know, fly out of the nest and become its own, and that's what we want it to, that's what we want it to become, like, long-term vision wise.
Right, so, you heard me slip with the name marketplace, and we talked about it, so, most people know Sherweb as the cloud distributor, mainly with 365, hosted exchange, blah, blah, blah, you guys have done some additional integrations, you mentioned Huntress, Checkpoint is in there, you guys just did an AI-powered DMARC email authentication partnership with Palisade, or you launched Palisade?
Yeah.
And I guess that is, that is going to be positioned as an AI-driven DMARC solution?
Yeah, so, Palisade's, Sam and them over there, right, like, first off, Canadian-based, so, like, they got, they're, they're, they're super special to us at a, at a Sherweb for their, for their, their Canadian partnership that we have with them, but, like, they're, yeah, they're great, like, so, DMARC solution, right, so, so that's been a, been a growing need in the space for email security is, is managing DMARC, which, if you've never, if you've ever had to do it manually, it's a pain in the butt, it's a lot of time and effort, and the DMARC providers like Palisade help with that, right, great, great, fantastic partnership, great support, great people there, I've met most of the team at Palisade, like, as part of our vendor, you know, our vendor due diligence, our vendor, our vendor management, like, we talk with a lot of the, a lot of the people that, that are at the, the company, so, this is a wonderful solution, it's part of our growing, I guess, portfolio, so, whenever I got there, this is another, this is another Roddy sticks his foot in his mouth moment at Sherweb, and I'm going to just be, I'm going to be real, they asked me, like, what's some of the problems you see at Sherweb from someone who's on the MSP space, and I was like, you want me to be candid, you want me to be, like, real, and they were like, yeah, I was like, our line card, security line card sucks, like, that's what I told our VP, our VPs at upper management, and they were like, that's kind of bold of you, that's what they told me, and I said, well, it's true, right, and I was like, I was like, let's map our security tools to CIS controls and look at the gaps in it, and I was like, this is, this is a real, this is a real assessment, and so I started working on that, and, like, I presented it to them, I was like, here's where we're missing a whole lot of A, either categories that are important, vendors that are important, or just completely missing the mark, mapping our products to CIS
controls, and that's when we started with, okay, so what do we need, and then we started building a list of vendors, reaching out to vendors, and, like, it's been a roller coaster of onboardings the last year, year and a half, right, like, when I got on, we just finished onboarding, I think SentinelOne, or SentinelOne was about to be onboarded, and, like, since then, I can't tell you all the security products that we've onboarded, Huntress, got Palisade, I'm going to, I'm going to draw a blank, and then I'm going to start naming all the vendors that we've onboarded since then, but a good, a good bit of security vendors, and then the list is still massive and ongoing, and there's still negotiations and contract stuff going on with other vendors that are going to come, but just trying to provide, again, a cure, like, I know a lot of people call this a marketplace, my plea to the vendor team, right, at Sherweb was, like, I don't want every single vendor, right, like, I want to have good community relations with everybody, that's fine, but I want, like, a, I don't want to have to, and it goes back to, like, how do we support the tools that we put in that marketplace, and, like, if we have 15 DMARC solutions, supporting that becomes hard on our side, right, I'd rather have three or four really good DMARC providers and support those three or four in-house, like, have good solid support, where if a partner calls, they have a problem, we have a team that can address it, and they don't have to widen their base of knowledge to try and understand 15 different DMARC solutions, I could never do it, so I know I can't, if I can't do it, I don't want to give someone else that same task, right, and that's been part of the challenge, too, it's like, who do we bring on, when do we bring them on, who's down, who's down the line for that we need to bump up, because we don't have this solution in place, so you can see, right, you can see coming up in the next few months, a lot of
products coming, because we've been working with that, a lot of vendors that don't have distribution deals that will be coming onto the marketplace, Huntress was the first one, we were their first disty, right, that they had to work with, and that was a long time of going back and forth and understanding the relationship and how it would work, so that's what we want to do, right, we want good relationships with our vendors, we want a curated list of vendors that hit the high marks, and we want to make sure that, you know, as part of being a good marketplace, that we support all the products, or at least provide good support for the products that we have in place, right.
So I will agree with you, from my perspective, I think there are enough marketplaces, so I think it's fair to say, look, we don't have to have everybody be a part of our marketplace, there's enough marketplaces, everybody is everywhere, there's tons of vendors, and it does make it difficult if I go to somebody, if I'm partnering with Sherweb, and I want to do an integration, I don't want to have to sift through an endless line card, and does this work, does this work, you know, I want it all to be, you know, procured for me. Yeah, and that's part of it, right, like if you come to us, and we're just like, all right, we got to have battle cards for 15 different products, right, that you didn't have to go sort through, or we have to help you sort through, because a little bit of a logistical nightmare for us to try and figure out, like, who's better than the next, like, depending on what you're looking for, we want to have a solution for it, we want to help you check your boxes, or meet your risk management, or your control check boxes, whatever it is, but at the same time, like, again, we understand that we don't need everyone under the sun on the line for it, right, and it's a hard conversation to have with some vendors, of like, we've told some vendors, like, we don't think you're ready yet to be on the line card, which is fine, right, there's some things that need to change, their API might be immature, or underdeveloped, or whatever, but like, we want to make sure we have a good quality experience, onboarding experiences, integration experience, billing experiences, right, like, we have, we have to, I'm telling you, our platform people, if we had 10 times as many vendors on our line card, like, just trying to get the billing integrations correct would be, like, that's all they would do, right, so, like, we understand the challenges of having a marketplace, but not having, like, but having a curated marketplace, right, and I think that's the term I keep going back 
to, where, like, it hits the high notes, it meets everyone's needs, again, we can provide support, we can provide documentation and educational opportunities around it, and we're not creating, like, we're not over-complicating the selling process, either, we're pitting all these vendors against one another, right, when it comes down to a single sale, right, like, that's part of the, part of it, right, now, will we, do we have gaps still in the marketplace? Of course, right, like, there's things that I want, I could tell you, like, going up to, like, your, your Black Hat, right, and seeing all the vendors there that don't even touch the MSP space that I see opportunities for, it's amazing, right, like, I've talked to a handful of vendors that want to get into the MSP space, they don't know how, they don't understand the space, and I'm, like, this is where we need to be at, this is where we need to pull these vendors in, who have good products, they, I feel like they align with the, with what MSPs want, they're just in a different space right now than us, and, like, we need to pull those people in as part of the maturity process, right, because I'm going to go on a rant for a second and say, when you get outside of the MSP space, we are not talked about really great, right, we are, we are tech jockeys, we are computer janitors, I mean, you, you, you name the derogatory term that people would have for an MSP, and that's what they think about us, but I can tell you, from being in those spaces where you have, like, big internal IT shops, they don't necessarily do a better job than an MSP, because they get so siloed, and they get so nose-blown to their own problems that they don't see it, so, like, because there's a, there's a problem there, right, when, in, with, with people and vendors who don't operate in the MSP space, like, they're still thinking MSP from 10 years ago, where, like, we've gone through a lot of maturity over the years to get where we're at today. 
Yeah, I, I had a conversation about a week ago with somebody that works for one of those large consulting, you know, we're talking, you know, I don't know, 2,000 people company, and their idea, you know, of managed service providers, it's basically, you know, oh, you guys are the trunk-slammers of the IT space, it's like, wait a minute, not all MSPs can, can be that bad, but you're right, that, that perception is there.
Yeah, and that's, look, that's, it's kind of, kind of our own problem, right, so, I, I've said this a lot, and I know my other security advances have said this, like, what, what qualifications are you forced to have to become an MSP, right, like, there's none, like, tomorrow, anybody can go get an LLC and be like, all right, we're, we're Bajoran brother MSP, and they start doing tech work, right, you can't do that, well, let me not say you can't do that, I'm going to speak in, I'm going to speak in generality, if you're an attorney, you have to pass the bar, if you're a CPA, you have to pass the CPA exams, right, if you're a doctor, you gotta go through residency and go through the whole thing, like, but we're entrusted with tons of sensitive information and sensitive systems, and, like, I can just be a technology provider or a security consultant tomorrow without having to go through any proper training or credentialing, and, like, that's a part of the success of the MSP is a low barrier to entry, right, like, anybody can do it, at the same point, it's a part of the detriment, because who differentiates one MSP from the other, there's no, there's no, there's no qualifications, there's no certified MSP program that, like, that, like, globally, people recognize, right, like, there's no, like, what's the, how do I want to phrase this so I don't sound bad? Well, let me, let me, let me do this for you, so we are still in a lower stage of the auto mechanic industry, where anybody can open up a shop, but, you know, in order to be a certified shop, you have to pass the qualifications of whatever dealership you're working with, or they have a recognized ASE program, where they can say, yes, we have passed all of the, you know, tests and standards, and, you know, they can hang that shingle on their wall, and everybody knows it. 
You're right, we don't have that, we did have certifications, A+, Network+, MCSE, that sort of stuff, but we haven't quite figured out a way to, to standardize that plaque on the wall that everybody recognizes and respects. Yeah, that's a good, that's a good way of putting it, you know, we don't have a, like, we don't have, I don't say globally recognized, but we don't have an industry recognized certification, right? Like, you talked about the, the CompTIA A+, and Network+, and things like that, but like, outside of the tech space or the HR space, like, if you're a, I don't know, if you're a, you're a dentist, you have a dentist practice, do you know what A+, and Network+, means? Like, probably not, right? But I know what the, I know what, it's a, I know what a certified CPA or an attorney who's passed the bar, like, generally I know what that means, it means they've gone through some kind of process and passed some kind of test that's recognized nationally in the U.S. or recognized globally, depending on where you're at, right? We don't have that, and the ones that we do have don't have good name recognition, or good, or people who don't know about it, outside of the space.
Well, it's, it's got to be publicized, just like, you know, if anybody wants to check up on a lawyer, you know, there's a bar number, they can go to the state bar site and search, and find, you know, whether that attorney is licensed, or disbarred, or on suspension, or anything like that. So there's all of that. Let me do, let me do this real quick.
I don't want to stop you from talking, but I do want to ask one question, because I wanted to get your perspective. Sure. Of course, we had the MS-365 outage, and luckily, Microsoft was, you know, kind enough to put out their advisories, letting us know that it was their issue.
But of course, clients were calling me, and I would say, nope, it's a Microsoft thing, and their question was, well, can you do anything? Is there anything we can do? And I'm like, no, it's Microsoft. But I have to imagine, I know that, so I'm, I'm a partner with AppRiver, and I know that I talked to somebody there, they were getting hammered. I imagine Sherweb is getting handled, you know, hammered and stuff.
What was your thought on how to deal with a situation like that? So, look, what I always tell people is that conversation comes way before that incident happened. And I used to, the analogy I used to give is from my own problems of life. We had a backup solution in place, right? One of our legal firms, their server completely died, and the conversation we had to have was like, hey, because of the nature of the backups and the data, like, you're going to lose about three days worth of data.
Now, their response to us is, we never talked about this. We don't, well, like, we don't have a process in place. Like, we don't even know what we did the last three days to be able to recreate it, put it back into the system.
We thought, term being thought, because it wasn't declared, but we thought you guys were backing up every hour, right? Every hour? Yeah, there was no conversation going on. Like, we had nightly backups, right? It's just the way that, the way it fell or something like that, I forgot the whole problem. But that conversation around what do we do, and what are the terms or process around that comes before the conversation happens.
It's part of our QBR process. It's part of our business continuity planning. It's part of our tabletop exercises or whatever, is to talk to a client about, like, how long can you survive without email or Teams, or if you have some Azure instances, like, what happens when those Azure instances go down, right? And how long can they be down for before we have to actually do something, right? That's a tough one, because it depends on the business and their nature, right? Like, if I got enough, if I have a local cache on my email, and I have all my projects in a project management system that's not Microsoft related, and I can continue, let's say I'm a manufacturing company, and my machines are still running, right? Maybe I can get through a few days before, you know, my email starts working again, I can start processing new orders, things like that.
Maybe I'm an eCommerce shop, and if I'm down for an hour on Black Friday, like, I lose a million dollars, right? Like, that conversation about how do we pivot from it is, and what do we do, right? If it's down for an hour, what do we do? Is it down for a day? Is it down for a week? We used to have these conversations all the time with partners, because, you know, we had a lot of legal clients in New Orleans, and, like, what happens if a hurricane comes, and, like, you don't have a business to operate for six weeks, right? Well, before you can even walk into the business because of flooding, et cetera, et cetera. Each client is going to have a different response, and you're going to have to have a different game plan for them. What I can tell you this is that when it comes to any cloud application, right, it's a tough one, because normally the services don't have any kind, there's no kind of, how do we recover the service, unless it's an Azure issue where you can spin up a server in a different cloud or a different region or something like that, but when it's a software, when it's SaaS, when it's email, when it's a line of business application, what do you do, right? Like, what is the plan around that? I can tell you for email, what we used to do is, like, and I know a lot of people now, they don't use the MX records for their email provider, but if that goes down, right, you're hosed, but we used to use MX records, our spam provider had an emergency inbox we could access, right, so is that a feature that we could have? How do we look at the queue that's going on to see what emails are in place, et cetera, et cetera, and then what's our backup plan for it?
That's a hard one to do with any kind of line of business application that's in the cloud, but you do have to have a way of mitigating that, like, we had a client, medical client, everything was done, it was all EMR, electronic medical records, right, we were like, what happens if you go down, if the EMR system goes down for two, three days, they're like, oh, we can do paper charting, right, and so that was an option, right, like, if it's an extended outage, we can do paper charting.
The problem we found out was, like, all the medical records were electronic, and they didn't have a backup phone, so you didn't know whose medication, who had to get which medication at when, so we had to put a process in place, we found out through the provider, they had a backup tool, through that backup tool, we could download just the medical records of MARs, right, so we could download those, that way, if there was an outage, we at least knew what the person's medication was the day before, and hopefully that didn't change, or if we had a change from a doctor, we knew about it, so it's, so the roundabout way is, like, talk to the client, because they're going to know their business process better than you, so no assumptions, you can't just be in there, be like, this is going to fix your business outcome, no, I need to understand the business process, we need to walk through what happens when this breaks, it can be done through a tabletop exercise, et cetera, but, like, what happens when this goes down, what's more important in the event of an outage, is payroll important, is getting client orders out important, et cetera, like, get a list of priorities, get a list of business processes where, like, if this is down for a day, it permanently damages the business, if this is down for a week, it permanently damages the business, if this is down for a month, it permanently damages the business, and then you prioritize that, the one that can only go down for a day before there's permanent damage to the business, that needs to be prioritized, and we need to have a backup plan of how we either limp along, or how do we restore that service somewhere else, if we can, and then that's the cost benefit of SaaS, right, like, it's easier, we don't have to buy the infrastructure, the hardware, manage the hardware, hopefully never have to worry about a RAID, a RAID dying at 2 a.m., right, and having to be woken up at 7 a.m.
to go try and figure that out and do restores, right, because that's all should be handled in the cloud side, trade-off of that, though, is, like, we're at the mercy of downtime from the SaaS provider, but I have no solid answer, like, how do you fix this, you know, like, things are going to come up, Cloudflare is going to have an outage, AWS is going to have an outage, what do you do, right, like, how do you, how does the business limp along until that service comes up, that's a conversation to have with your clients, and we go back to the conversation we had at the beginning of the hour, how do we show value, how do we do intrinsic value, how do we get ingrained into the business process, like, that's part of the conversation, is sitting down and saying, you rely on us for, you rely on technology to run your business, but what happens when technology hurts your business or does something bad, right, and how do we pivot, how do we, how do we, how do we show resiliency when there is a problem? That was a couple of discussions I had, we, we have had the conversation, and customers did want their 365 backed up, but they declined to do any sort of continuity, and, you know, that discussion was, look, we gave you these options ahead of time, and you said no, I think the thing, though, is to be able to remind them of, that they said no, and they're like, I don't remember that. Yeah, you gotta let the, you gotta let the issue cool down a little bit before you have that conversation, because I've gotten, and this is, this is old, old me, I got into some shouting matches with some attorneys where I was just like, I told you, you shouldn't have done, and like, yeah, you can't tell an attorney, you shouldn't have done that, because that's a, you know, attorneys love a good argument, and then, you know, I've never met an attorney that's lost an argument, I'm just, I'm just going to say that. Even if they were ruled against by the judge, they didn't lose the argument.
The judge was crooked, the judge was crooked, he didn't understand why, and I guess that's me, or the judge was out golfing with the, with the opposing counsel. Yeah. No, but like, that's part of it, it's like, you gotta have a time and place for the conversation, and well, I tell some really nasty stories about incident response, right, where like, man, the time and, at the time and place, like, you are dealing a lot more with people's emotions and humans' issues than you are dealing with technical issues at the start of an incident, because like, emotions are high, so you pick and choose when you have that conversation, but it should be done, not saying it shouldn't be done, but like, it should be done timely, but not immediately, because like, emotions are high, and like, we gotta make sure the business is okay.
Once the business is fine, or we figure the business is fine, we have a conversation about what happens, what happens when this happens again, here's the options, we brought this option up before, and you declined it, as things changed, you know, like, that's part of the conversation, because yeah, I've gotten to some, some pretty angry shouting matches with attorneys about what they should have done better in the past, and what they declined, and like, it's not a good, it's not a good, not a good place to be. And have a copy of that, you know, so that you can, whether it's an email or a document to say, here's the email where you said, no, don't worry about it, so I didn't. Yeah, we had gotten into doing declination letters for a little bit, and like, there's legal opinions all over the place about declination letters of like, you know, hey, you declined this, so we have it as part of the sign, a sign off, or like you said, an email, or whatever, a paper trail.
I always tell people, it doesn't, I've been, you know, I've been, my MSP has been sued before, right, like, I'm not afraid to say it, but like, that amount of, you always carry liability, like, you start a business, you start a business, you know, you're going to have some form of liability, you have some form of risk. Explaining to a client, or a partner, whatever you want to call them, and then having their denial of whatever documented doesn't eliminate your liability, but it does lower it to potentially an acceptable level for you. I always tell people, there's a difference between having, in a civil lawsuit, owing $100,000 and owing $10,000.
Our MSP could absorb a $10,000 settlement, or whatever, or suit $100,000, and that's a little bit, it's a little bit more than I'm willing to allow to let go. So, that reminds me, I have a situation that I will legally be allowed to talk about in about 11 days, so. That'll be a good one.
I love a good, I love a good gag order. Yeah. So, that'll be fun.
Yeah, there's something I can't talk about, and I'm just speaking generalities about it, but yeah, there's a lot of fun stuff out there. That's what got me really interested in subrogation, like insurance subrogation, of like, who owns what liability in the event insurance gets involved? Like, there's a lot of, there's a whole discussion we have just around that. So, I was not going to bring that up because of our time, but because you did, let me go ahead and ask the question, because there's a whole discussion I think I've heard, or I've seen you talk about where, you know, security is not about stopping the bad guys, it's about contracts, insurers keeping the business alive.
But in terms of cyber insurance, you've actually tried to talk about what is it, what is the difference between what the insurers are asking for and what we're providing? Am I right on that track with what I was thinking? Yeah. So, we select the second vertical that we worked with our MSP, excuse me. Sorry.
So, our MSP had a few major verticals, legal being like half the business. Second one was insurance, and we used to work with insurance providers on those pesky questionnaires. I hated questionnaires because I don't think they captured the true picture of security at a partner or a client's office.
So, like, asking if we had endpoint protection is one thing. Knowing if it's installed across all the endpoints and configured correctly is a different thing, right? So, same thing with firewalls. Do you have a firewall in place, and is it up-to-date, supported? Yes.
But I also have RDP open to the outside world, right? Like, that's a major issue that I don't think is always addressed from an insurance risk perspective. It's probably changed. I haven't done a questionnaire in about a year, year and a half.
But a lot of insurers are moving more towards integrations with certain vendors. So, like, I want to make sure your Office 365 checks all the boxes. As part of your insurance requirements, we're going to have an integration or a third-party app that monitors your Office 365 and makes sure, like, the conditional access policies are in place, nothing bad's going on, etc.
I think we're going to see, or we're starting to see the same thing, too, with, like, endpoint protection, etc., where they integrate with certain vendors. Not all insurance providers are doing this, but I think that's the route that they're going to start going. The other route is that insurance is starting to offer their own EDR, MDR monitoring services, etc., which I don't agree with.
I think that's a conflict of interest, because the question I pose to an insurance provider who does that is, who holds the bag whenever there's a bad update to the EDR, MDR? I hate to point out CrowdStrike. It happens to so many endpoint vendors out there, but, like, CrowdStrike, right? Like, if you're using CrowdStrike and you're telling me I have to have CrowdStrike on every single machine as an insurance provider, and then CrowdStrike has a problem, who's responsible? Is CrowdStrike responsible, or are you as the insurance provider responsible? Does my insurance policy kick in, or do I subrogate back to the insurance provider, like, to pay out? Like, how does that work? And it's very complex, but I also have the other hat on that says, like, who understands risk better than insurance people? And that's the other side of things. Like, they do understand risk.
They live in risk. They live in financial, they live like, the financial version of risk, right? Where, like, an issue can have actual dollars and cents consequences. So I always go back to that, too.
Like, they have something, but the feeling I get and the conversation I have with insurance providers is that their actuary data is so new all the time, because, like, the IT world changes. It's not like automobiles where we have, like, decades of automobile accidents, and then we improve safety measures around them. Like, we're still kind of wild west on the IT side where, like, there's frameworks.
We don't always follow the frameworks the same way. You know, there's regulatory issues. There's, like, HIPAA and CMMC and NIS2 in Europe and, like, you know, all these other ones, but they're not all uniform.
Not everybody follows them, especially in the U.S. So, like, as an insurance provider, they're kind of struggling on historical data, because, again, attacks change, IT world changes frequently, so they can't rely on decades of actuary data. So, like, that's the other challenge that I think of around insurance is, like, I follow actuary data, but is that actuary data actually reflecting real-life situations in real world configurations in real world small business, you know, the world of the small business? And, like, I think that's the challenge, is, like, we're at a crossroads where, like, we're asking somebody to step up and make a singular IT framework regulation that's universally followed, and I would like to see the IT world set that and have, like, a bar association where, like, we're self-regulated. But insurance has kind of beaten it to the punch, and, like, I don't want providers writing that regulation, but no one's doing it, so it could become problematic.
Yeah, I can see that. And so, listen, you live in what I call hurricane zone number two, so I'm in hurricane zone one, and we have that issue with home insurance, where a lot of providers, you know, are bailing the state of Florida because of all the damage, and they're, like, you know what, the risk is too great, we're not even going to consider it. I see cyber insurance in that same sort of boat, where in the beginning, they were writing policies, just writing policies, thinking it was, hey, free money.
Then they had to start paying out on claims, and now they're, like, oh, wait a minute, we need to put some stuff in place. They talked to somebody who said, yeah, just do these things, but yet those things don't necessarily mesh with what we're doing, and you're right about who's responsible, because if you're telling me to put something on, okay, that's not my responsibility, because I didn't really agree to that. And I think that's where the rub is, is when something happens, who's going to fix it? And most insurance companies don't fix something.
They'll pay to have it fixed, and sometimes they'll have their preferred vendors on the list that'll fix it, and then, you know, people will be like, well, I don't want that company to fix it, I want my company to fix it. So that's where we're going to be. Now, and then, like, if you've ever had to deal with insurance, especially in an incident, the turnaround times to get, like, a forensic person or to get systems can sometimes be a week or two wait before they actually start doing the work.
So, like, you're down during that time, too. So, like, that's the other flip side of insurance is, and it used to be the conversations I would have as part of incident response is, like, we'd sit down in a room with, like, me, like, as soon as we figured out, like, this is an uppercase I bad incident, right, because I never declare something a breach, that is, attorneys can only say that word, but I would get the attorney, CPA, the insurance person, the owner, and myself on a call or in the same room, and I'd be like, all right, here's what's going on. How do we fix it? And, you know, and I tell the owner, if you want the insurance to handle it, you're going to be down for a considerable period of time, right? Like, you're not going to be up and running tomorrow or the day after, potentially.
You may be down for a month or two months while they do forensics and they do their engagement and they clone machines and they figure out what happened and, like, but insurance's whole purpose is to try to make you whole again, and they will do the best they can. Now, during that discovery process, they may find some things that, like, you aren't doing right, like, you signed off on if you weren't doing right, and they may limit your claim, right? Like, that's the, that's the ups and downs of cyber insurance, right, is, like, they, they are, they, I mean, their whole, their whole point is, like, they need to be profitable on the, on the, the insurance, on their own, they need to be, they need to make profit in their business, let me put it that way, and, like, they will look for reasons not to pay out the full amount, right, or pay out the, you know, a million dollars for, for these claims, like, they are going to look for ways to limit their amount based on misconfigurations or one-offs or, you know, something that you didn't account for, didn't know for, right? So, it's a, it's a strange place to be right now with regards to, like, insurance and everything, like, I feel like it's still, we're still figuring it out. I, I'm a huge fan, like, if I'm going to make a plug, Dustin Bolander is a real good friend of mine, he does insurance, all his balance insurance stuff off of him, I love talking to him, because, like, he runs an MSP and he sells cyber insurance, so I'm just like, dude, you get the full spectrum of both sides of the issue, and he has a lot of good things to talk about.
All right, I'm going to cut you off there and try to land this plane, because we have gone way past our, our destination, but it's, I, I told you, if, if the conversation is good, I'm going to let it go, and I appreciate you taking the time, sharing the stories, being open, and I guess, in some cases, vulnerable, and that. I'll take my licks, right, for saying things that are controversial or maybe make it look like, you know, maybe, maybe don't benefit Sherweb 100%, but, like, it's the right thing to say or do in the long run, like, that's what I want, and, like, like, I want to, I want to make sure that, like, we were talking about this, it was Matt Lee and I, and I was like, I just want to have, like, and I love Matt, like, look, Matt and I are the same guy at two competing Disneys, but, like, we're, we, we love each other, and we talk about just the work that we do together, and, like, I said, I just want to leave, like, a lasting mark or a legacy or whatever you want to call it, right, like, of you did something, you didn't revolutionize things, they're not going to write a history book about Roddy's changing of the security in the MSP space, like, I'm not going to be in a history book, I don't want to be in a history book, but, like, I want to have a lasting impact, and that goes beyond the work I do at Sherweb or the work I do, it's part of my community and my vision and my passion and my ethics and my morals to just do what needs to be done right and not worry about blowback from, you know, my employee, my employer or whatever, they won't, and I'm not trying to put Sherweb in a bad light or anything, they support the work I'm doing, but, like, I will say what needs to be said and done what needs to be done and not worry about, like, does this benefit financially the company that I work for, like, it's not what I'm here for. All right, so that's probably an interesting situation.
My guess is, or my question is, who separates you two to say it's time to get home for dinner? Because I can see you guys just talking away. We've had some really deep conversations about what we, like, the position that we're in, the work that we can do, and the amount of just vendors and people that we interact with, right, where, like, there's a lot of shared common goals and values that Matt and I share, and, like, I knew Matt before he went to PAX, and Matt knew me, and, like, we work together on various projects and roadshows and security boot camps and stuff together, and, like, we, like, we put all the, you know, the business stuff aside to make sure that the visions that we have work, and we bounce things one on another, and we're having a tough time, like, Matt's there for me and whatever, and, like, it's funny, because, like, people are like, oh, man, you guys work for competing distributors, and I'm like, yeah, there's plenty of room for us. In the end, it's the same goal, right? Yeah, it is the same goal.
It's the same shared values, except Matt has a way better and nicer beard than I do, I have to say, like, it's a majestic looking thing, like, I've never been up close and personal to it. You have time to catch up. I was there whenever he shaved it all the beard at IT Nation a few years back, maybe in a beard shaving charity event, and I was like, Matt, and I think, like, three weeks later, he had a full-grown wizard beard back, and I was like, how did you do this? Yeah, he's got some secret product that we don't know about, so I'm going to have to... It's something, man.
Yeah, we're going to have to do a secret mission to find out what that is. So, well, Roddy, let's go ahead and try to end this here. I want to say thank you again, Roddy Bergeron, folks, Cybersecurity Technical Fellow at Sherweb, and a big proponent of MSP strategy, education, and content.
So, of course, Sherweb.com is where you can go to find out information on them, the marketplace, but there's a separate link for the cyber MSP community. I'm going to put that in the show notes. It's got a weird little thing like info.Sherweb.com slash cyber MSP dash community.
So, there's a lot going on in that URL. Yeah, so I'll put that there if you want to have some more discussions, get some playbooks, some war stories, all of that in the cyber MSP community, that'll be great. And, of course, when you're out and about on the road, Roddy's at all your usual places, I think, right? Yeah, yeah, everywhere.
All right, Roddy, well, we will catch up again. We'll talk more, but for now, let's go ahead and end off and say again, thank you. Enjoy your time out at Right of Boom, not Vegas.
Let's put it that way, if that makes sense. And we look forward to hearing about everything that's happening out there when you get back. For now, that's going to do it, folks.
I know this is a long episode, but you know when the conversation is good, I let it go. So, thank you for staying with us to the end, and we'll be back with more from the IT Business Podcast. And until then, Holla!
Cybersecurity Technical Fellow at Sherweb
Roddy Bergeron is the Cybersecurity Technical Fellow at Sherweb, the technology and service provider that equips nearly 8,000 MSPs with everything they need to run and scale their offerings. Bergeron's career has taken various paths including government auditing, nonprofit work, public/private partnerships with the State of Louisiana and helping to build an MSP by building their managed service, managed security, vCISO and compliance programs. He also led the creation of Sherweb's CyberMSP Community, a free online space designed to help MSPs connect with peers to share cybersecurity knowledge and stay ahead of evolving threats.