April 1, 2026

Turning Compliance into MSP Revenue (EP 985)

IT Business Podcast

I caught up with Jared Casner of Blacksmith InfoSec after MSP IT Expo to unpack what’s really working for MSPs around security, compliance, and client education. We talk about starting small with CIS IG1, mapping your existing stack to NIST CSF, and using QBRs to show progress instead of just ticket counts. If you’re wrestling with pricing, packaging, and monetizing cybersecurity and compliance services, this conversation gives you concrete strategies you can put to work fast.


If you’ve ever stared at NIST, CIS, or SOC 2 requirements and thought, “Where do I even start?”, this episode is for you. Jared Casner from Blacksmith InfoSec joins me to break compliance out of the checkbox trap and show MSPs how to turn security frameworks into real, billable services your clients will actually value. We cover practical steps, real stories, and a simple way to talk about compliance without scaring or confusing your customers.

Chapters

  • 00:00 Welcome, conference recap, and setup
  • 00:48 Running into Jared at MSP IT Expo
  • 03:02 Sessions vs. vendor hall and MSP show strategy
  • 06:11 Talking to non‑MSPs and sharpening the value pitch
  • 09:59 Who is Blacksmith InfoSec and what they do
  • 12:13 Frameworks first: NIST CSF, CIS, and mapping to compliance
  • 17:30 Security as a long‑term investment, not a quick fix
  • 24:26 What MSPs should prioritize now: third‑party and supply chain risk
  • 31:41 Monetizing compliance and packaging MSP services
  • 36:26 Turning compliance into projects, shared responsibility with clients


=== Connect with Uncle Marv

🌐 Website: https://www.itbusinesspodcast.com/
🎙 Host: Marvin Bee
🛒 Uncle Marv’s Amazon Store (gear & tools I recommend): https://amzn.to/3EiyKoZ
☕ Support the show: https://ko-fi.com/itbusinesspodcast

If you found value in this episode, share it with another MSP, IT provider, or tech entrepreneur. Your support helps keep practical, no-nonsense IT business conversations coming every week.

(0:12 - 0:48)
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, a show for IT professionals and managed service providers to help you run your business better, smarter and faster. So, a few weeks ago, I told you all that I was attending a lot of conferences at the first part of the year. One of those was the big MSP IT Expo here in Fort Lauderdale, where I ran into Jared Casner with Blacksmith InfoSec and first I was surprised, but that was all good and stuff.

(0:48 - 0:55)
But then I said, you know, it's been a while, we should do a show together. He said, absolutely. So, here we are, Jared, welcome to the show.

(0:56 - 1:04)
Thanks. Yeah, it was fun running into you. I forgot that Fort Lauderdale is home for you and so, I was surprised to run into you also, but very pleasantly.

(1:04 - 1:42)
So, it was nice to see a friendly face there, so it was good. And you were kind of in one of those weird corners of the vendor hall that I wondered how much traffic did you actually get while you were there? Yeah, you know, it was definitely... We are familiar with being in Siberia and when you're a young vendor and don't have a huge marketing budget, you kind of get shunted up to the side sometimes. But MSP IT Expo, it's an interesting show because they're really trying hard to lean more and more into the MSP side of the IT Expo.

(1:42 - 2:02)
It started off as a VoIP show and it's now transitioning into the MSP space. But they created kind of an MSP village, but the MSP village was in the back and wasn't terribly well marked. And so, we were kind of front and center in the MSP village, but also, the MSP village was not front and center yet.

(2:02 - 2:22)
So, it worked out all right. Off the beaten path, for sure. So, let me ask you this, because I did get some feedback from some of the other vendors and another part of the problem there, and hopefully they'll address it next year, is the convention center has a new building.

(2:23 - 2:48)
And so, a lot of the sessions and breakout rooms were like on the other side of the building. And a lot of people, if they walked out, it was too easy for them to walk out of the sessions and to their cars or from their cars to the new Omni Hotel and stuff. So, what was it like trying to get traffic driven there? Yeah.

(2:48 - 3:01)
So, a couple of things. Yes, you're absolutely right. And we've seen this at a couple of shows where you have sessions in one building or in one, sometimes even in completely separate hotels and the vendor hall in a separate area.

(3:02 - 3:14)
It creates some, I'll call it entertainment to drive traffic to your booth. The good news is both Mike and I had, my co-founder Mike and I had speaking sessions. And so, we were able to use that to sort of drive traffic.

(3:15 - 3:38)
You know, I think one of the things that MSP actually did a really good job of is, again, because they're trying very hard to transition away from sort of the telephony and sort of their roots and be more focused on the MSPs, especially as those VoIP providers try to transition. We saw this with copier vendors or copy repair shops moving towards managed services. We're seeing the same thing with the VoIP shops moving towards managed services.

(3:38 - 3:49)
And so, there was a lot of really good content. There were a lot of sessions I thought were really applicable to MSPs. And so, it was finding ways to drive MSP vendors to be there.

(3:50 - 4:21)
But there's this weird tension where if you're an MSP, if you're a vendor in the channel, it's hard to want to go and pony up the cost of being at a show where there aren't a whole lot of MSPs. And likewise, if you're an MSP, if there's no content for you, if there's no vendors for you, like, why are you going? And so, trying to find this weird balance. And I think the MSP folks are doing a really good job of focusing on the content, trying to make it as easy as possible for an MSP to justify being at that show, which then starts to build up the presence for the vendors and make the vendors want to come back.

(4:21 - 4:32)
And so, I think they were doing some really good things there. But you're absolutely right. That space is not terribly suited towards driving traffic back into the vendor hall.

(4:32 - 5:06)
So, it's this weird tension where... And I talk about this a lot, actually, where I think a lot of the shows try to bring people in the wrong way. Right? If you're a show and your big draw or your big headline is the musical artist at the end of the show, things like that, you're bringing people in for vacation and not for the content. And I think this is where... Yeah, there was some goofiness with having the vendor hall and the sessions in separate buildings across the street from each other.

(5:06 - 5:16)
At the same time, I thought the sessions and the content were really good. And so, it's a good way of driving people there. The after parties were really much more about networking and socialization as opposed to having a big name.

(5:16 - 5:34)
And so, I thought it was trying to drive traffic for MSPs, trying to bring MSPs in in a way that was much more useful to the MSP as opposed to just like, hey, come to Fort Lauderdale and party and hang out for a couple of days. We're going to actually educate you and give you some really good information. Yeah, I agree with that.

(5:34 - 5:47)
I think that the people that were there were more intent on making the full use of their time. Some people were only there for a day. So, they purposely tried to squeeze as much in as possible.

(5:47 - 5:57)
And I do agree with you where the sessions I think are very beneficial. So, I sat on a panel the first day. It was full.

(5:57 - 6:11)
I mean, I don't know how many seats were in there, 100, 150 or whatever, but it was full. And there were both MSPs and regular IT folks in there. And I actually got stopped at the door and answered some questions and stuff.

(6:11 - 6:39)
So, the question I was going to ask now, and this is way off track where we thought we would go, but at your booth, I'm assuming that you also got non-MSPs chatting with you and stuff. So, how did that conversation go for VoIP providers that have added on managed services or telecom that have added on? I'm sure that was a different conversation. How was that? Yeah, totally different conversation.

(6:39 - 6:53)
And it was interesting because we saw a couple of different approaches. The folks next to us, every time somebody walked by, are you an MSP? No, okay, just keep walking. I'm just very carefully pushing people along.

(6:54 - 7:09)
I sort of take the view that any conversation is a good conversation and I like to talk. And you know this about me, right? It's hard to give me a shout out sometimes. So, for me, it was a good way to at least have a conversation.

(7:09 - 7:26)
And I sort of looked at it as almost a challenge, right? If I can't articulate a value proposition to somebody who doesn't understand at all what I'm talking about, how am I possibly going to articulate my value proposition to somebody who has at least some idea of what I'm talking about? And so, I took it as an opportunity. It's shots on goal. It's an opportunity.

(7:26 - 7:30)
I'm not a salesperson. I'm not a marketing person. I'm an engineer.

(7:30 - 7:34)
I'm a developer. I write code. I'm in the weeds.

(7:36 - 7:58)
I joke, right? I was a psychology major for about three weeks in college before I realized I was much better at talking to computers than I was at talking to people. And so, I switched my major from psychology to computer science and really never looked back. And so, for me, getting the shots on goal, getting the opportunity to kind of run the pitch and practice, and even if it wasn't to my target audience, was still a valuable exercise for me.

(8:00 - 8:29)
Okay, I'm sorry. I just got so sidetracked. Yeah, I think when you wanted to zag, what do you want? Because, okay, so how do you get to college thinking you're going to do psychology only to backpedal and then realize you're better with computers? I mean, did you not know before you signed up for college that computers was the thing? Yeah, so I definitely knew before going into college that computers was the thing.

(8:29 - 8:37)
But mom and dad, I taught myself C++ in high school. I got my CCNA in high school. I was deep in the weeds of computers.

(8:37 - 8:42)
And I was like, oh, I don't need that computer science degree. I already know computers. I should do something different.

(8:42 - 9:05)
And so, I did psychology as much as a challenge as anything else. And then I realized, because I was also taking computer science classes at the same time, I was like, I'm having way more fun with these computer science classes. Then I actually am, despite the fact that I know how to code, despite the fact that I've got a CCNA, despite the fact that I'm in the weeds of this stuff and I've already been working professionally in software and in computing.

(9:05 - 9:10)
It's like, this is home. I need to stay in the tech. And so, yeah, I was, I don't know.

(9:12 - 9:30)
I briefly flirted with being a business major also, which, you know, in hindsight, now that I've started my own business, might have been a good idea to get that business degree at the time. I did end up getting an MBA later because, like, why not? So that makes more sense. Now, I did do business administration in school.

(9:31 - 9:43)
Who knows where I was going to go, but at least I had that to fall back on when I ended up in computers. Because I think most of us, well, let me rephrase that. Most of us older people ended up in tech.

(9:43 - 9:58)
Now, today, I think a lot of people are intentionally going into tech. So it is a much different world. We should probably do this, because for people that have been with us now for almost 10 minutes, we have not yet talked about what you do.

(9:59 - 10:17)
Blacksmith InfoSec is a cybersecurity company that builds compliance as a service tools, specifically for MSPs and small businesses. So we should probably tell, because I do have new listeners, by the way. I know not everybody, you know, has, you know, listened to all 900 plus episodes.

(10:17 - 10:25)
So we should probably at least give people a little bit of information about Blacksmith InfoSec. So let's do that real quick. Yeah, sure.

(10:25 - 10:41)
So I think you kind of set it up perfectly. We are a compliance as a service platform, which means we provide the software tools for MSPs to be able to deliver compliance services to their customers. So we're talking about SOC2, ISO, CMMC, FTC safeguards.

(10:43 - 10:55)
So any of those compliance initiatives that your clients need, we have the software tools to help you deliver those services. It's white labeled, it's multi-tenanted. It's an opportunity for you to be able to help your clients along their security journey.

(10:55 - 11:19)
But more importantly, we have that NFR, so you can get your own house in order. So especially for those of you who are servicing medical practices, they need you to sign a business associate agreement, and therefore you need to be HIPAA compliant. We give you the tools to be able to get your house in order and be able to sign that BAA with confidence, right? So it's that full stack security program in a box to make your life easier.

(11:19 - 11:42)
All right, quick question. The types of compliances that we need to do, I'm going to guess that about half the MSPs you talk to don't really have the situations where they need CMMC, SOC2, or anything like that. They fall more into companies like mine, where at one point in time, I did have medical offices.

(11:43 - 11:56)
Both of those have now been absorbed into a larger firm, and so I don't have those anymore. I had one financial client that was really somebody else's client. I came in to help, didn't need to do that.

(11:56 - 12:12)
Most of my clients are law firms, and lawyers feel like they don't have to be compliant. They'll just deal with it in court. So for most people, I think a lot of us are trying to rally around NIST and CSF and that sort of stuff.

(12:13 - 12:33)
Are your tools designed for maybe the MSP that is just a generalist or smaller? Can you guys work with us? Yes, absolutely. And this is one of the things that I talk about a lot. I actually, when we set out to build Blacksmith, compliance is maybe an end goal, but it's not necessarily the primary goal.

(12:33 - 12:52)
And we started off calling ourselves a security program in a box, and nobody knew what the hell we were talking about. And part of that is really because, to your point, this cybersecurity framework is sort of the baseline for everything that we do. There is no compliance for, or attestation, or third-party review, or anything like that associated with NIST CSF.

(12:52 - 13:16)
Same thing is true with CIS, whether you're talking about IG1, IG2, IG3, these are all self-attestation things. But they provide a security framework that allows you to build on that. And all of the other security platforms or security programs out there, like CMMC, like HIPAA, like GLBA and FTC safeguards, those all baseline or map to NIST CSF and or CIS.

(13:17 - 13:42)
So the idea is, if you can treat your security program a little bit more like a 401k, you talked about the folks that fell into computers by accident later in life. Those folks are now starting to think about retirement. And I'm sure those folks are also looking at the saying, well, if I had just started my retirement savings today at 60, 65 years old, I'd be putting every penny I had into my retirement account.

(13:43 - 14:14)
I wish I had started this when I was 20, 22, 25, right? And the same thing is true with the security program. If you start your security program, if you start investing in security early on as a business, you start putting the right security practices in place, you start thinking about how you're gonna manage things and the change management that goes along with it and the cultural change that needs to happen, the total cost of ownership goes way down. And so then what happens is when your state issues a regulation, and so we'll take, we'll pick on New York State for a minute here, right? New York State has a myriad of things.

(14:14 - 14:33)
There's Education Law 2-d that was passed, I think five or six years ago. And Department of Financial Services has some regulations for financial services organizations in New York that were all passed within the last 10 years. When those state level regulations come out, all of a sudden companies are going from, trying to go from zero to compliant.

(14:34 - 14:50)
And they say, oh crap, I don't know how to do this. And so if they've instead been investing in their security program along the way, guess what? That journey becomes a lot easier because it's, oh, hey, look, I'm already 87% of the way there. I don't need to worry, but this is an easy opportunity for me.

(14:50 - 15:03)
When one of your clients comes along and says, hey, Uncle Marv, I really love to do business with your MSP, but your competitor has a SOC 2 attestation and you don't. Oh, hey, no problem. I'm already like I've been built.

(15:03 - 15:15)
I can walk you through what my security program looks like internally. I'm already 93% of the way there. So if you need me to go the rest of the way, this is a big enough deal that I'm willing to make that final step right now.

(15:16 - 15:33)
And I can go get my SOC 2 attestation very quickly and easily because I know where I am along the way. So even if you're not thinking about compliance today, thinking about your security program and thinking about this holistically gives you a big leg up on the competition. And I'm not just talking about MSPs, I'm talking about your end clients, helping them think about this.

(15:34 - 15:47)
Because you're right, you brought up the law firms. There is no regulation for security and compliance for law firms. This is why we get things like the Panama Papers, right? Because law firms don't just duke it out in court.

(15:47 - 15:50)
It's no big deal. Yeah, that's what they do. And it's funny.

(15:50 - 16:04)
So I've been researching. So here in the state of Florida, the Florida Bar actually has put out what they call opinions. And those are just papers that suggest, here's what you might want to think about doing.

(16:05 - 16:14)
And all of my clients, I've asked them about it and they're like, yeah, okay, whatever. We're not doing that. And the only ones that do it are the ones that are forced to do it by their clients.

(16:14 - 16:30)
For instance, insurance companies. So law firms that are insurance defense, they will have to do some things because they can't, you know, Allstate, State Farm, they're the ones dictating the security. So that's helped me a little bit.

(16:32 - 17:01)
I'm not going to ask you if you listen to the show, but I'm going to ask if you've heard about the Delaware Supreme Court ruling where Travelers and Blackbaud, the donor management software company, are being taken to court. And the Delaware Supreme Court said, yeah, you can be sued by the clients. Have you paid any attention to that? I have not seen that one, but it does not surprise me at all.

(17:03 - 17:29)
I'll give you the link to it. But the bottom line is what they're saying is that all of the things that we've been talking about where it comes to, you know, MFA and, you know, protecting data, these were all suggested things in certain verticals where, like you said, no compliance exists. They're basically telling us now, okay, you know what? These are going to be the baselines going forward.

(17:30 - 17:44)
So I assume that something like, you know, Blacksmith InfoSec will be able to help us with that. Even for clients that don't have those compliance needs, they're going to have to be able to prove something. Yeah, that's exactly right.

(17:45 - 18:10)
The idea, and this is why, like I said, we started talking about it as a security program in a box. It's how do I help you? How do I give you a framework where you can start to invest in your security program from day one? This is one of the things that I love, by the way. Even if you're not using a platform like Blacksmith, looking at CIS, you have IG1, IG2, IG3, which is, this is the joys of doing the recording live.

(18:11 - 18:43)
I can't for the life of me remember what IG stands for, but it's basically a set of criteria that tells you or walks you step-by-step through compliance. And so where CIS has been a huge boon for the MSP industry specifically is the ability to give you kind of that step-by-step walkthrough of the things that you need to do. NIST Cybersecurity Framework, I really like personally because it's a very broad umbrella, and it is what NIST 800-171 and CMMC are baselined off of.

(18:43 - 19:11)
And so I personally like NIST CSF, but it doesn't give you the opinionated and structured step one, step two, step three approach that CIS gives. So again, forgetting about whether you're using a platform to do this, using one of those security frameworks to drive your security program and say, here's what we're doing. And then putting in the opinion of, here's what we're going to do first, second, third, right? If you look at these things by themselves, they are 150 different controls that you have to map to and take care of.

(19:11 - 19:41)
And you look at that and you say, holy cow, how am I ever going to be able to do this? Taking a bite-sized approach, and I call it eating the elephant, right? You don't eat an elephant in one bite, you do it one bite at a time. And so I think part of the challenge that as MSPs and as small businesses, we see pretty frequently is when I look at this and I ask for a quote and I get a quote for, let's say $100,000 to go off and become compliant or build a security program, I freak out and I say, forget it. Now, inertia becomes my biggest problem.

(19:42 - 19:56)
An object at rest stays at rest, right? And so what I need to do is find a way to get rid of that inertia and start making progress, even if it's one thing at a time. And so, to your point, let's start with MFA. If that's the only thing I do, I've already made myself more secure.

(19:56 - 20:21)
If I do MFA using passkeys, where it's phish-resistant MFA, I've made it even better and it's lower friction, right? So I can find ways to make those baby steps along the way that will make my life easier. And so whether it's the Blackbaud case and getting sued, again, you don't need a platform like mine. Blacksmith just gives you the tools to be able to do it a little bit more effectively and at scale, but you don't need a platform.

(20:21 - 20:28)
You can do it with a spreadsheet, that's okay. Like starting somewhere is better than starting nowhere. All right, well, way to sell yourself there.

(20:28 - 20:41)
You don't need Blacksmith. That reminds me of your video on your homepage where you guys were trying to describe the company and what to do next and that must've been fun. Yeah, look, we have fun.

(20:41 - 20:50)
I tell everybody, Mike and I are not sales people. We're nerds, right? This is why when we found the channel, we felt like we came home. These are our people, we get along really well.

(20:52 - 21:13)
Look, I want you to buy my software because you need it and you want it, not because some salesperson has twisted your arm into doing it or told you some fear story about why you need to have it. I'm gonna make your life easier, but you gotta be willing to put in the work, right? This is not a free thing where it's gonna do all the work for you. It's something where you and your clients have to be willing to invest.

(21:14 - 21:36)
Otherwise, it just doesn't make sense. So you're not gonna do to me what one of my vendors did where they basically hounded me the last three days of the month and said that, hey, well, discount goes away at the end of the month. I mean, look, we would be foolish not to offer discounts and have at least a carrot of some sort to entice people to sign.

(21:36 - 21:52)
But at the same time, no, we are very much like, when you're ready to work with us, great. We had, I'll tell you a quick anecdote, right? We just had an MSP sign with us last week. They kicked off a free trial with us a year ago.

(21:53 - 22:05)
And then all of a sudden we got an alert that they had logged into their demo tenant for the first time in a year. And we said, hey, what's going on? Oh, yeah, well, we kicked the tires a year ago. It wasn't the right time for us.

(22:06 - 22:19)
Now we have a client that's ready so, okay, great, let's go. It's gotta be when the time is right for you. Otherwise, it does us no good, right? If you come in and then you leave within six months, that doesn't do me any good.

(22:20 - 22:37)
Now we've invested in a relationship. You've invested your time in me and I've invested my time in you. And if it's not the right tool for you and you're gonna leave in six months to go somewhere that does fit your workflow a little better, like that doesn't, you haven't made your life or your client's life any better.

(22:37 - 22:51)
I'd much rather find, make sure that this is the right tool for you and for your clients. And I'll happily steer you to a competitor that is gonna work better for your use case if that's what it takes, right? I want you to be happy and I want you to be successful. All right, fantastic.

(22:52 - 23:02)
I had a note here to go back and to help you out on the IG, which means implementation groups. Thank you. Yes, it's the implementation groups of controls.

(23:02 - 23:11)
Thank you. We all have brain farts sometimes. No, and what I didn't remember is I knew there was one, two, and three, but I didn't know what one, two, and three were.

(23:12 - 23:26)
So for people listening who have time to Google while they're listening, whatever, IG1 is the essential cyber hygiene. IG2 is the intermediate protections and IG3 is the advanced protections. So, yeah.

(23:26 - 23:58)
And just for those of you who are listening at home, if you'd only do IG1, you will cover 74% of your attack surface. So that is, if you can't do any more than the essentials, those essentials are going to give you a really good baseline coverage and it's very actionable and it's a subset of the entire CIS controls. And so again, if you're using a spreadsheet and CIS IG1, you are going to give yourself a significant leg up and your clients a significant leg up just by starting there.

(23:58 - 24:25)
And so again, whether you're using a tool to help manage it and make your life easier or just doing this the old school manual way, either way you can make your life better just by following some simple things. So please pick a security framework, stick to it, roll it out to your clients, help them out. Let me ask you this question because even though we've talked about it, you talked about the client that had it for a year before they did anything.

(24:26 - 25:12)
If you had to narrow something down, what should MSPs be paying the most attention to right now when it comes to security and compliance? The biggest thing is your supply chain, right? Third-party risk management is absolutely the attack vector du jour, right? We saw this just a couple of days ago with the Axios hack. And I don't know if your listeners are paying attention to this because if you are a JavaScript developer, this is your entire world and has been for the last 36 hours, 48 hours since that attack was announced. If you're not, you may have heard of it sort of tangentially, but Axios is a JavaScript library to help make API calls, right? It's just network traffic requests and it's a wrap around that.

(25:13 - 25:43)
And it's one that honestly should be almost obsolete at this point because the functionality is baked into the JavaScript ecosystem and native libraries now. But because it's been around for so long, it's getting 100 million downloads a week, right? So this is a big deal. With this attack, first of all, it was, we're not sure exactly how they got access to the maintainer's NPM account, but they got, the North Korean attackers got access to the package maintainer's account, published a malicious version that was very cleverly disguised.

(25:43 - 26:05)
It was a very sophisticated Trojan attack that was allowing remote access and infecting machines. And so, and then any infected machine now has all their credentials harvested and sent back to a command and control server, right? So very nasty attack. Now, I don't know that there are a whole lot of MSPs out there that are dealing with JavaScript directly, but I guarantee you that their vendors are.

(26:05 - 26:34)
I was gonna ask, I was gonna say, I'm not dealing with that, but I know that you guys are and you guys, all your integrations are built on API. That's exactly right. And so if this is where that third-party risk comes into play, if you're not evaluating your vendors and evaluating not just, Marv, let me ask you, how are you doing third-party risk management, right? When a vendor comes and sells you something and right there, you're gonna have your salesperson calling you saying, there's three days left in the quarter.

(26:34 - 27:10)
I'm sure your phone was ringing off the hook the last couple of days because we're recording this on April 1st. And so the last couple of days at the end of March was, hey, are you gonna sign? Are you gonna sign? Are you gonna sign? Oh yeah, oh yeah. What are you doing for your third-party risk management? How are you evaluating your vendors? Well, I'll be honest and say that I wasn't doing as much before as I plan on doing because I actually am putting together a questionnaire that I am going to make new vendors fill out to answer some of those questions because I am going to start to do that.

(27:12 - 27:36)
And I'm doing it for two reasons, but to stay on track here, I'll be honest. I've asked a couple of questions about where their data is stored, where their servers are, because I know that with part of my protection, I've got to whitelist a lot of IPs and I got geo-blocking. So I'm asking in that perspective, but not anything based on APIs.

(27:37 - 28:39)
Yeah, so I will tell you, so Mike and I have our own podcast because, so I'll plug that real quickly here, but the Get Nisty podcast, and I can send you the link for that one. But our episode next week is going to talk about the Axios compromise, what happened, kind of breaking it down and not talking about it from a developer lens of, which is what most of the articles are focused on, is how as a developer can I avoid this type of thing, but focus more on the MSP lens and how as an MSP, can I think about third-party risk management and keeping myself safe when my vendors are exposed every day to the supply chain risk, right? Because the supply chain hits us all in different ways and at different times. And so we could spend a whole hour talking about SOC 2, how to read a SOC 2 report, third-party risk management, but I will tell you that that is by far, from my perspective, the number one thing that an MSP or small business can be doing is thinking about third-party risk management and what their supply chain looks like and how they are keeping themselves safe.

(28:39 - 29:07)
Because guess what? If your CRM gets compromised and all of a sudden all of your customer data is leaked, if your EMR gets compromised and all of a sudden your patient data gets leaked, right? These are all of our vendors. If we're not paying attention to what our vendors are doing for us and how they're doing it, guess what? That's where we have the most risk as a business. We have our own house to keep in order, but we have to also make sure that our vendors are keeping their house in order.

(29:08 - 29:10)
All right. All right. You plugged goodness.

(29:11 - 29:23)
I actually had meant to ask about that. I saw you guys' shirts the other day and I'm like, oh yeah, these guys made a podcast. That's our driver shirts where we got logos everywhere for the podcast.

(29:23 - 29:42)
Yeah. I tell you what I like. I like the little... I don't know what the tambourine has to do with podcasting, but... Well, so this is a Rick and Morty theme, John, right? So if you're familiar with Rick and Morty, there's one... Is that the cartoon? It's the cartoon.

(29:42 - 29:55)
Yep. And so there's an episode of Rick and Morty where they have to stave off an alien invasion by singing a song and they sing Get Schwifty. And so we did kind of a play on Get Schwifty with Get Nisty and that's sort of how this was born.

(29:55 - 30:09)
And so then we had some AI generated images of us turning us into Rick and Morty. And so every once in a while, you'll see us walking around as Rick and Morty dressed up. But in the meantime, that's our logo also is Rick and Morty from that Get Schwifty episode.

(30:10 - 30:17)
So... All right. Yeah, I don't watch cartoons anymore. So... And I don't think I ever watched that one.

(30:18 - 30:30)
Yeah, this is not your kids cartoon. This is definitely an Adult Swim kind of cartoon. Yeah, I... What was that? What's that other one? So I know that there's one... I mean, not The Simpsons.

(30:30 - 30:46)
I'm talking about... What's the one... The big Adult Swim... Is it Fatherhood or The Dad or what's the... There's King of the Hill. There's American Dad. There's... American Dad.

(30:46 - 30:55)
I think that's the one. American Dad, is that the one you're looking for? Yeah, I started to watch and I'm like, yeah, okay, I'm good. But I guess they're funny.

(30:56 - 31:14)
Yeah, you got to find your audience, right? And Rick and Morty definitely gets the nerd audience. And so I think one of the things that we found is in the channel, you get guys or people between about 35 and 50. And most of them have watched at least a few episodes of Rick and Morty.

(31:17 - 31:23)
And man, do I feel old now. Sorry, I didn't mean to. That's all right.

(31:24 - 31:40)
Had to happen one day. You know, I'll tell you, getting old is awful, but it sure beats the alternative. And so, you know, it's one of those... Certainly take it with what it comes with, right? All right, well, let's switch gears here.

(31:41 - 32:08)
Let me ask one more tech-related question. Of course, the big issue I think we all have is how do we monetize the compliance portion? So I know that I've spent, I'm not going to say how long, but I have redone all of my packaging stuff. So now a lot of these things are their line items so that if I have to do something, the customers know that that's going to cost extra.

(32:08 - 32:35)
I know a lot of us have kind of developed the concept of we're trying to do it as an all-in-one price. I'm not saying all-in-one support, but at least here's your price for everything and the customer doesn't know how much is allocated, you know, to support, to compliance, to cyber or whatever. I just take the advantage or the position of I'm going to tell you, if you want me to do compliance, it's going to be this much.

(32:36 - 32:57)
And they know right off the bat, so there's no fighting over it. They still may say, you know, well, too much or whatever. How do you talk with, you know, companies that are looking to add this? They know they need to add it, but they're struggling with, oh, how do I build that into my price? Yeah.

(32:59 - 33:38)
There's a couple of different things that we talk about and a couple of different strategies that I have found work really well. The first one is a lot of the things that you're already doing are moving your clients towards compliance, whether they know it or not, whether you know it or not, right? So the first thing you can do is start to map the tools that you have to compliance initiatives. And where this really comes into play is in your QBRs or whether it's quarterly or monthly or weekly or however frequently you're talking to your clients about progress that you're making, being able to, instead of talking about here's how many tickets I closed in the last X days, because your clients don't care about that.

(33:38 - 34:43)
They'll care, your clients are going to care about the one ticket that you didn't close within your SLA, not the 900 tickets that you did close within your SLA, right? And so you're sort of setting yourself up for failure when you talk about the statistics of here's how many things, how many tickets I closed. When you instead say, hey, I'm going to talk about our total risk level that we're tracking, some sort of risk score or our progress towards compliance, right? When you instead say, hey, here's our baseline where we're 38% today and by the end of the quarter, we're aiming to be 43% or vice versa, like 90 days ago, we were 38% and now we're 43%, right? So when you can show progress towards compliance and compliance in this case is compliance with even CIS or NIST CSF, right? It doesn't need to be one that they are contractually or regulatorily obliged to do. It can still be a framework that you're helping them with but that helps show value along the way and then the flips, so that's sort of the first piece is aligning the tools and the techniques that you're already doing today to one of those frameworks, right? So you're not having to do anything extra except report.

(34:44 - 35:23)
So that's a very simple way to start. The second piece that you can do is now you start saying, well, these are the value added services, right? So now when you're going into that, again, going to that QBR and you say, hey, Marv, let me ask you, what's on tap for you in the next, what are your, I don't know, are you an EOS guy? I started to, but that's too much for me. All right, so if you're EOS, what are your quarterly rocks? If you're not EOS, like what are your quarterly goals? What are you planning on doing over the next quarter? Oh, you want to increase physical security or put in new credit card readers or whatever at your physical locations, great.

(35:23 - 35:39)
Here's how I can help you from an IT standpoint to get those things into place. So I want to be your strategic partner. And by the way, while we're doing that, we're gonna be doing X, Y, and Z that's also gonna help you improve your security posture overall, all right? So now you're becoming that strategic partner.

(35:39 - 36:26)
And again, you're not really having to do anything extra or differently than you were already doing, but what you're doing is creating this stickiness factor because your client knows that they can trust you to help move them towards their business objectives while also making them more secure along the way, right? So again, you don't necessarily need to do anything extra or different in your packaging. Now, if you have regulated or contractually obligated clients that do have some sort of compliance need, now you can start layering that in and saying, hey, I'm gonna help you with this. And now whatever my base price is per computer or per hour or whatever, like I'm going to include every quarter we're gonna be getting you 5% closer towards compliance or moving the needle by X percent.

(36:26 - 36:36)
And so you can add those on as sort of the standard operating procedure. And your client says, well, but Uncle Marv, I want to go faster. My client needs me to be compliant by the end of the quarter.

(36:36 - 36:44)
Great, I already have a list of all the things that you need to do. I'm gonna turn that into a project. And so now I've already got my monthly recurring revenue.

(36:44 - 36:50)
Now I'm gonna do my non-recurring revenue. I'm gonna get my project-based work and I'm gonna be able to charge you for that. And here's my hourly rate and I'm gonna help you achieve this.

(36:51 - 37:03)
Oh, you want to do some of this yourself? Guess what? You actually have to do some of this yourself. So here's the project plan that you'd have to do and I'll help like poke you every week to make sure you're doing your portion. Here's the stuff I have to do and what I'm gonna charge you for.

(37:03 - 37:21)
And you poke me to make sure I'm doing my portion, right? And together, we're gonna get you there because I can't own your risk for you. I can only help you own your own risk, right? Nice, so is our time up? No, I forgot to mute my computer. So I apologize for the dings.

(37:21 - 37:28)
I don't know if you could hear those dings. I heard them. This is what I get for not turning on Do Not Disturb.

(37:28 - 37:40)
So sorry about that. That's all right. So all of those were great things to do, especially the idea of, you know, if you're gonna roll it out over a period of time and then they say it has to be done faster.

(37:41 - 37:48)
Yeah, that's a project. That's a rush fee. That's whatever you need to call it to bill extra for making it expedient.

(37:48 - 38:10)
So fantastic. So Jared, I want to go ahead. Sorry, the one other thing I'll add here is when you start to layer that in, and so again, I think there are still a lot of MSPs that do like a bronze, silver, gold, or essential, take it the IG1, IG2, IG3, right? It's essential, advanced, extreme, kind of whatever, however you want to package those things.

(38:10 - 38:32)
When you can start packaging in, whether it's two hours a month, four hours a month, whatever it is, some sort of hourly rate into that, it lets you put a little differentiator on your pricing model. So again, forget about whether, because I agree with you, you don't want to be selling your tools, your stack. You want to be able to change your tools and your stack out without your clients.

(38:32 - 39:13)
So selling them those doesn't really help but selling them the value-added services that you're providing allows you to sort of raise that rate and say, instead of, you know, I know we're going from $100 per endpoint to $120 per endpoint, but here are the new things that you're getting out of that. We're gonna help you track your progress towards compliance. Oh, cool, right? So showing the value-add that you're giving to your clients is just a great way of talking about it that will help you increase your rates because, again, it's all well and good to have the services, but if you can't sell it and talk about what the value is to your clients, then why do I want that? I don't need to be compliant with X, Y, or Z, so why are you helping me towards compliance? Well, here's what that does for you by aligning to a security framework.

(39:14 - 39:21)
Oh, the light bulb goes off and they can see the progress, right? Yeah, they do. All right. I put notes down here.

(39:22 - 39:44)
One, that you embarrassed me by not vetting my vendors better, and two, asking me about EOS in a way that I had to answer. No, but I did. I was going to do EOS a couple years ago, and then I'm like, you know what? It's just me and some subs.

(39:44 - 40:00)
Why do I need to go that berserk? But I like EOS, so I don't want people to think that I'm anti-EOS. I love it, as a matter of fact. I just make decisions that work for me and my business, and at the time, that did not.

(40:01 - 40:39)
Yeah, and honestly, if you're setting... The value to me for EOS is giving you structure, and so whether it's EOS or OKRs or KPIs or pick your TLA, your three-letter acronym of choice, some mechanism for setting goals for what you want to do for the next quarter or year, tracking your progress towards those, holding yourself accountable. I don't care what system you're using but having some way of doing that where when you look back at the end of a quarter or end of some time period, you can look back and say, yeah, that was a good quarter or week or month or year or decade or whatever timeframe you want to look at it with. Knowing what success looks like gives you some way of measuring your progress towards it.

(40:40 - 40:46)
Absolutely. You must have a system. I don't care if it's just... Even I, I do have a system.

(40:46 - 41:02)
I don't talk about it. I don't tell anybody about it. It's my system. It works for me. Great. Yeah, that's all you need, right? That's what you need. Yep. Yep. I know in the MSP community, it's EOS and the pumpkin plan, but pick something, stick with it for a little while, adjust along the way.

(41:02 - 41:09)
There's no one right way or wrong way to do this. There's only the way that works for your business, and that's all that matters. The pumpkin plan is a system.

(41:09 - 41:23)
Yep. So, all right, Jared, thank you very much. Ladies and gentlemen, you can, of course, head over to blacksmithinfosec.com. That is the place to go to do your compliance as a service offering.

(41:24 - 41:36)
And you heard him say earlier, and I would just double check to make sure they can get an NFR for their own business, right? Yep. All right. I don't remember if I did one or not.

(41:36 - 41:43)
I should probably log in and check. I think I did. If not, never been a better time to try.

(41:45 - 42:00)
And then anytime you want to, we're happy to walk through the platform for you. So, we're here to help, right? And again, I don't care whether you buy our software or not, we're here to help. That's why we started the podcast, is to just answer questions about security and compliance.

(42:01 - 42:07)
It's why we love having these conversations. So, the education is important. All right.

(42:07 - 42:28)
And they have received the MSP Vendor Excellence Award, the MSP Impact Award, something for a channel program, all of these in 2025, category leader. So, get Nisty with Blacksmith Infosec. Awesome.

(42:30 - 42:34)
We got to go. Your alerts are going. No, I don't need to go.

(42:34 - 42:46)
I am perfectly fine to stick around for as long as you want me to, but I need to remember to turn off this stupid notification. So, I am so sorry. You turn those off, we'll go ahead and end the show.

(42:48 - 42:56)
We'll chat in a few minutes. Ladies and gentlemen, thank you very much. We've been hanging out with Jared Casner with Blacksmith Infosec.

(42:57 - 43:07)
You know what? Go to the front of their webpage and watch his video. That'll give you another laugh if you haven't had enough laughs here already. So, thank you for listening, folks.

(43:09 - 43:25)
I'm sorry. I just totally derailed things today, haven't I? Not as bad as Don Sizer. All the links to Jared, his website, his LinkedIn profile, all of that.

(43:25 - 43:37)
So, if you need help getting set up with the compliance-as-a-service, they are the place to look at. We'll be back soon with another episode, folks. That's it.

(43:37 - 43:39)
I'm out. See you soon. Awesome.

(43:39 - 43:40)
Thanks, Barb.


Cofounder

Jared Casner is the cofounder of Blacksmith InfoSec, where he helps MSPs and SMBs build real security programs without the enterprise price tag. He spent 15+ years leading security and engineering teams in startups across finance, healthcare, and govtech — all the fun, heavily regulated industries. Before that, he held a top secret clearance and built software for the U.S. intelligence community. He’s got a BS in Computer Science from the University of Denver, an MBA from the University of Colorado, and more opinions on compliance than most people care to hear.