Ep 251 | AI Ethics in Managed Services, Compliance Reporting, and Making Peace with Cyber Consultants
Weaver Outrage Meter: Low
AI Ethics in Managed Services
You heard correctly. Ethics in artificial intelligence. This is going to be a big issue moving forward and MSPs had better familiarize themselves with what is happening because before too long, MSPs will be dealing directly with AI devices and scenarios.
- Google CEO says he doesn’t ‘fully understand’ how new AI program Bard works
- AI teaching itself
- AI creating malware
Compliance Reporting
All the discussion around compliance lately is missing one crucial element: reporting. Without reporting, no compliance exercise you undertake will be of use to anyone outside your organization.
- Compliance reporting
- Balancing transparency with security
- Lessons learned from FFIEC
Making Peace with Cyber Consultants
The old adage is “if you can’t beat ’em, join ’em.” Well, that’s not exactly the issue here but it’s close. Maybe a better way to put it is “if they can’t beat you, they should join you.” Cyber consultants are likely here to stay, which is not to say that we can’t (or shouldn’t) attempt to forge a pathway that is, if not together, at least on parallel tracks.
- Cyber workers are like anyone else…they all start from the beginning
- Cyber workers need to understand their own career path
- Cyber workers need to understand MSPs and be respectful of the role they have
You’re entering the MSP Zone, a podcast for the managed services community covering news, analysis, and interviews from around the globe. Elevate your MSP game by staying in the MSP Zone. And now your host, Charles Weaver.
Hello, folks. Just wanted to start off the program by saying I had a fantastic time. I joined another podcast this morning, and the team over at MSP Unplugged, Paco and Rick, were gracious enough to invite me on to their program to just have a quick chat about the industry and a little bit about MSP Alliance. But it was nice to be on another network, another platform, and talk to those guys. And I think it comes out next week, and we’ll certainly be posting a link to that if you guys want to go see it. But in the meantime, if you guys want to go check out MSP Unplugged, I definitely encourage you to go give them a listen. Great guys and really had a lot of fun.
Okay, lots of stuff to cover today. AI ethics, you think, what in the heck does that mean? Why would artificial intelligence and ethics be uttered in the same sentence? Well, it’s a ‘Brave New World’ we’re living in today. And there’s a lot of stuff that’s coming out almost on a daily basis regarding AI. And believe it or not, it does impact the managed services profession. And I’ll explain why and how it does. But I’m going to go quickly through a couple of relevant news stories. Again, these are relevant, like in the last days, weeks, I think a month or two is the oldest one, but these are really new stories and some of it’s ChatGPT, some of it’s Bard, the Google platform, but it all implicates artificial intelligence at large and it all has a potential impact that the MSP community needs to be aware of. And I’ll close this segment with what MSP Alliance is doing on the front of dealing with AI and how we view AI in the larger context of not only Cyber Verify but how we view the context of AI as both an enabler for MSPs and a threat. And it is both. And we’ll explain more of that later.
First off, there’s a handful of stories. The first story deals with, I think, just how little we understand. And if you are a follower of Elon Musk and you see what he’s been saying and you see what the Google CEO recently said, they’re not that dissimilar. They’re really not.
Now, Google’s CEO just came out and said that he doesn’t “fully understand” how their new Google AI program works. And I would say that’s a pretty interesting statement. And it’s scary. It’s scary as hell to hear a CEO of a company as big as Google say, “I don’t understand how this thing that we are working on, that we have developed works.”
And I think back, there’s a movie that’s – I think it’s about to come out this year about the life of Robert Oppenheimer, who is the person who created the first atomic bomb in the 40s during World War II. And there’s a lot of similarities between nuclear weapons and AI, if you think about it, right? Just in terms of the lack of knowledge that we have today about AI is not that dissimilar from the lack of knowledge that people back then in the 40s had regarding nuclear bombs. Right?
They didn’t know what the nuclear devices they were working on would do. There are some really famous quotes of the scientists talking about – this is before they ever detonated the first test devices, and so all this was very academic. All this was mathematical. They were literally writing out math formulas on a chalkboard and saying, if we get this type of a yield, this could – could it explode and ignite the atmosphere? Could the whole planet be destroyed if we detonate this device? Scary stuff.
Well, I’m pretty sure that AI falls into a similar category. Maybe it’s not as destructive as an atomic bomb, but I got to tell you, its potential to be destructive and to be used for bad, not just good, is definitely there. It’s right there for anyone to see if you care to look at it.
And starting with the Google CEO saying, “We don’t know how this stuff works.” I don’t know if this is an accurate story. I’ve seen some mixed reviews on this, but there was a story about the Google AI system teaching itself a new language. I don’t know if that report is accurate or not. There seems to be some contention, but it again goes back to what we don’t know, confusion, inconsistency about what AI is actually doing.
What we do know, and this is a story, and we’ll post all these stories in the show notes so you guys can see it. We do know that ChatGPT, I believe, created a malware program, a program that could be used as a malware delivery device. This is not good in terms of its capability to be used for bad, and hence the question of ethics.
And I think that we’re going to start to see, and we are going to act maybe first. I don’t know. I don’t know if there’s other AI legislation that has already happened, but we are certainly going to act, I think, first in terms of our standard and the Cyber Verify platform that we’ve created, to really look at how MSP organizations leverage AI and how they look at those devices that have AI capabilities, and certainly to look at it from a privacy standpoint. Right?
What do we know about AI and data privacy?
Most of these platforms certainly have the capacity to ingest a lot of data without regard to copyright ownership, without regard to data privacy, without regard to if you look at everything that we’ve been talking about and seeing in Europe, with GDPR, right?
Go back years and years of MSP Zone and go back to articles we’ve written, talk about MSP world conferences where we’ve talked about GDPR and what they’re trying to do in Europe – right or wrong – I’m not taking a stand here.
They believe that they want to take a closer, harder look at data privacy and make it more difficult, not easier, to get European citizen data and spread it around, right? They want to keep that data private.
Well, guess what, folks? AI. Is going to do the opposite. It’s going to go in the direct opposite direction of where GDPR and other privacy frameworks are headed. There’s going to have to be a reconciliation at some point about that. There’s going to have to be some sort of discussion about what is AI doing and how is it doing it. And I think data privacy is a very good starting point, right?
I’d be really curious if anyone knows if this has happened. Has there been a request by someone in the EU to delete data that is inside an AI network or system, and has that been completed and has it been evidenced? Can you prove it? Right? I mean, that’s what GDPR has been about. That’s what they’ve been asking MSPs to help them with. Well, AI seems like it has the ability to undo that work overnight.
And again, I’m not a naysayer about AI. I think it has incredible potential. But Elon Musk, right, he founded or funded or I don’t know what his involvement was, but he spent some money on the OpenAI Initiative, which I believe is the group that funded or helped fund ChatGPT. And if he’s saying right now, if you’ve seen some of his recent interviews, he’s saying, look, we need to have contingencies in place for cutting the power to AI systems globally. And he says that there are certain networks or locations, density locations, where AI systems are located, where we would need to be able to cut the power to those areas in order to stop AI from doing something potentially damaging. If he’s saying it and he is in the AI investment business, maybe that’s worth paying attention to.
That’s in addition to the data privacy issue, in addition to the security and the malware issue and the lack of control that we seem to have with AI.
We’re going to keep a close eye on this, folks. Again, I think that AI has potential, but I think AI is going to come down to how it’s used and if the potential to misuse AI is greater than its potential to use it for good.
Don’t be surprised if someone in legislative power says, “We’re going to regulate this.” It’s a weird world we live in. But I wanted to let you guys know that we are certainly keeping an eye on it. And if you start to hear things related to AI, don’t just tune it out, please keep an eye on it. Send us information. Send us your thoughts on this. Very curious to hear your thoughts on AI, but it’s something that MSPs are going to have to deal with at some point. I recommend dealing with it sooner rather than later, but on to the next item, compliance reporting.
And we’ve been talking, as you know, quite a bit about compliance over the last weeks, months and last year or two. And compliance, we talked about compliance versus security, how compliance isn’t security and security isn’t compliance. Right? Those are kind of similar concepts, but they’re not directly correlated always.
The issue of reporting or communication and compliance are also two issues that are linked, but not necessarily causally linked. What I mean is, if you have one, then you don’t necessarily have the other. That’s what I mean.
And with all the discussion that is taking place right now about compliance and people saying, “Well, compliance is a service, this is the wave of the future for MSPs, this is where we want to go.” Going to conferences, and I know conferences are talking about compliance, compliance is a service, I get it, I get the pressure is real. But think about this, just take a minute and think about what I’m about to say.
If you are in or want to be in the compliance business and you are an MSP, and so you’re either talking about compliance for your MSP organization or you’re talking about compliance for your customers, at some point you’re going to have to cross the bridge and deal with the issue of reporting. How do you communicate that compliance to anybody else?
If you’re an MSP, you could do all the great compliance work you want to do. And if you don’t know how to communicate it, if you can’t report it, what good is it? What good is all that work that you’ve done if people can’t see it, if people don’t know about it? Same is true with your customers. If you’re going to be in the compliance as a service business and you are doing all that great, great work for your customers, but they have no idea how to communicate that great work to anybody else that needs to know about it, what’s the point?
And so reporting comes down to a couple of issues.
A lot of you know, right, that the history of the MSP Verify certification goes back about 20 years now, and we spent a great deal of time after we constructed the standard and the framework, we spent a great deal of time struggling with how are we going to communicate and how are we going to report on this framework?
And it was debated vigorously early on. Do we have a certificate? Do we have just a sheet of paper saying, this MSP has completed this certification, they are now certified. Is that enough? There’s some frameworks out there that do that, right? ISO is very famous. CMMC looks like it’s headed down that path as well. We decided that wasn’t enough for us. We decided again 20 years ago thereabouts that we wanted the MSP Verify to have both the structure of the framework, but we also wanted it to have the reporting value so that an MSP could take the good, hard work that they’ve done and show somebody else outside their organization.
“Look, look at all this stuff that we’ve done in our organization. Read our report. It’s good for you to understand how we do things. The steps were taken for security, for data, privacy, all that good stuff.”
And we spent a lot of time figuring out what data, what details do we want in there? And at some point, we had to wrestle with the issue of are we giving out too much data? And we thought, well, we had some models like SAS 70, which soon became SSAE 16, which now morphed into SOC 2. And we had those templates, and we said, well, we were looking at MSP Verify reports and looking at those other audit reports and saying, well, “How could we make ours better? Right? Even though it’s signed by a CPA firm, how could we make that better?”
And so we made some tweaks. And one of the best modifications that we made in the reporting element came from the federal government, the US federal government. I’ll keep the story short. We were asked to go to Washington DC, to the FDIC complex. The Federal Deposit Insurance Corporation, the folks that insure US banks, US bank depositors, and they have a division called the FFIEC, Federal Financial Investigation Examination, whatever. I’ll look it up. FFIEC. They are the examiners who go out to the US banks and they make sure that, among other things, US banks are handling their IT properly. And if they are using an MSP, that they are evaluating those MSPs properly as vendors in the supply chain.
And this is over ten years ago, we were invited to go out there and to brief those examiners on MSP Verify and how we looked at the MSP community as they interfaced with US banks. And out of that meeting came a fantastic request by multiple examiners who said, “Could you make MSP Verify a public use report?” And we thought about it for a second. We said, “Well, what do you mean?” They said, “Well, we’ve got all these auditor reports out there, these SSAE 16 and SAS 70,” I don’t think SOC 2 had come around yet, and they said, “Those are restricted-use reports. They’re good data, there’s a lot of data in those, but we can’t use it because it’s restricted. Could you make us an unrestricted public use report?” And so we said sure.
Now that made us look at the data going into those reports and really pay attention to balancing the privacy and security of the MSP and the right or the legitimacy of the examiners to inspect an MSP and say, “I need to know as much as I can about your MSP so I can judge whether or not they are going to continue to have access to bank infrastructure.” And that’s what their equation was all about.
But as they were going through that and asking us for input, we quickly realized, well, this doesn’t just apply to banks, this applies to every MSP customer and every MSP compliance request downstream that occurs. The MSP has to first and foremost be safe. The compliance work that the MSP has done in terms of documenting their policies, putting in writing things that they do, how they do it, evidencing how they do it, is all valuable for looking at and undertaking a compliance project.
But then the real tough job was how do you report it, how do you document it and do it in a way that is communicating the good things about the MSP, accurate good things about the MSP, right, but also not doing it in a way that puts the MSP and their larger customers at risk. And that was a very big thing for us. And I just want to keep you guys thinking about that, which is, don’t ever think about compliance only as, “Hey, I just downloaded a bunch of CMMC controls and I think we do all, yeah, we do all of them,” and think to yourself, “I’m compliant.” You thinking you’re compliant isn’t the same thing as someone else either testing you and/or issuing a report on that. That is a true test of compliance and it’s a true communication of your compliance benefits and compliance journey and compliance success. And so you can’t have one without the other. You can’t have compliance without some communication delivery mechanism. And that is really what we have been about. And I wanted you guys to be aware of that and just understand that they are very different things, but they’re closely aligned. And just because you’re compliant doesn’t mean that you’re also communicating or able to communicate that compliance if necessary, if required, to someone outside your organization who needs to know.
And let’s face it, there’s a growing, growing list of entities outside the MSP community who have a great deal of interest in seeing what the MSPs are doing. And these compliance reports are one of the best ways they can get that information from the MSP. One such example, and it comes with a huge benefit to the MSP. Can you guess what it is? Cyber insurance, right? The MSPs that have MSP Verify reports, who are taking those reports to their cyber insurance agents, they’re getting discounts, they’re getting cyber premiums lowered. It’s not because they’re compliant, it’s because they could prove it through reporting. I’ll leave you with that.
What I think we need is what the guilds had 500 years ago, and I don’t think we have that today, at least in the individual certification models that we have. And that is this.
We don’t yet have a firm enough structure to help guide these newly minted cybersecurity graduates who are coming out of these online certificate courses, two year, four year, what have you. They’re being produced in larger and larger numbers, and that’s good, but there’s no real sense of order after they come out of these curricula, to assess what their skill level is, what their experience level is, and really to say, okay, “You just came out of a cybersecurity certificate program. We think you ought to work for three years here at this level, under supervision with someone who does know cybersecurity before you can escalate your skills and craft to this.” Maybe it’s a level two or level three, whatever. We don’t have that construct. And because we don’t have that construct, we’re having these problems that I’ve been talking about for the past months and years, which are these cybersecurity folks coming out of these factories, these cybersecurity factories. And a lot of them are saying, because I’ve gone through that experience, I know a lot. And I think they think, “I know a lot more than everybody else, including the MSP.” That’s where the problem is. That’s where the friction is coming from. It’s not that they’re coming out and wanting to be in the cybersecurity industry. That’s not the issue. The issue is they have no sense of their place in the community and they have no sense of what the MSPs are doing, how long they’ve been in existence, the current role that the MSPs play; they don’t even understand their own individual knowledge and experience set compared to all the other cyber and just general security talent that has existed for decades before them. That’s a problem, right?
If I said today, “I’m going to go into the electrical business, I know a little bit about alternating and direct current.” That’s about it. I’ve seen some movies. I know not to be standing in water if I touch a live wire, stuff like that, basics. But I wouldn’t know where to begin. If I wanted to start working in the electrical field, I’d have to go and work my way up and start at the very beginning and say, “Look, I’m going to be an apprentice to somebody for a number of years before I can be of any value to somebody at a higher wage, at a higher bill rate, and where I could be safe in that field.” The same is true in cybersecurity. If you’re coming at this field from another field, everybody starts from the beginning, everybody starts at the same place. Where you end up is all up to you, but everybody starts at the same place, which is you start with zero knowledge and then you inform yourself through experience and education.
We need to cultivate a sense of community amongst the cybersecurity class. I’m talking about non-MSP affiliated cyber professionals who are out there, who are coming out into the workforce. Some of them are coming into the MSP sector and are actually getting very, very close to that apprenticeship style of experience because the MSPs are getting a hold of them and saying, all right, I recognize that you just got a certificate, you just graduated from this course, this school. You don’t know a lot, but I’m going to teach you. I’m going to teach you not only about the MSPs in general and how we work, but I’m going to teach you about our specific MSP organization and how we work specifically. And you’re going to get some good experience and I’m going to train you on our tools, on our methodology, on our process. That’s a great example of on-the-job apprenticeship style training.
Outside of the MSP sector, I don’t know that they’re getting anything close to that type of experience. I could be wrong, folks. I could be really wrong, but I could be right. I’m telling you, I don’t know. I don’t see it. It doesn’t mean that it’s not existing, it doesn’t mean it’s not happening. But I just don’t see, in a non-managed services environment, these cybersecurity professionals going through any type of real significant apprenticeship-style training. Now, maybe there are a ton of vulnerability assessment, pen-testing firms that are hiring these professionals by the basketful. I don’t think that’s true, but I think that that’s possible. But even if that were so, there are, in an order of magnitude, 20 times the number of MSPs as there are pen-testing firms out there. That’s probably accurate.
The point is that outside of a managed services environment, I just don’t think the cybersecurity professionals are getting the opportunities to educate themselves, advance their careers, advance their own personal knowledge and understanding of cyber, of security, of managed services. And we need to fix that. And that’s kind of why I titled this segment as ‘Making Peace with the Cybersecurity Consultants’. It’s not to run them down or make you guys think that there’s anything bad with them. I think that they’re legitimately people who want to learn a new trade or are interested in this sector for some reason. And I think we ought to be very encouraging of that.
But, and I’m speaking more to the cybersecurity professionals out there, if this applies to you, you also have to be respectful of the larger community that you’re entering and acknowledge that you can do harm if you are not under the supervision of somebody or some organization that can help mentor and evolve and progress your training, your personal knowledge, skill set, and capacity to be better at what you do. That’s all. That’s all I’m saying. And I think if we can get to that point as quickly as possible, the better off we’ll all be.
Now, I personally think that the MSPs that I’ve talked to are completely willing to bring on these cyber professionals. But again, there’s got to be an expectation that you’re not coming from a less than one-year cybersecurity certificate course and then suddenly becoming a CISO for a Fortune 500 company. I think that there are a lot of those cyber factories out there producing that type of literature, like get rich quick. I think that if you’re doing this to get rich, go find something else to do. It’s just my personal opinion. If you want to make a difference in the world, if you want to do something that has some meaning and has some personally rewarding benefits to it, cybersecurity is awesome. And MSPs can certainly use the help and they can teach you a ton in a very short period of time.
So I hope that this helps and it’s not going to be the end of our discussion of this topic, but I wanted to kind of tie a bow around this topic for a period and let you guys know my thoughts on the issue. It’s a complicated one. I’m sure it’s going to change and evolve over time. But I do think that there’s a definite place and a role for the cybersecurity professional in modern-day society. I think there are some accepted and some non-accepted ways to go about incorporating them into the community. But again, if you have some thoughts, if you’ve got some experience, maybe you’ve hired some cyber professionals from these places and you’ve got some feedback, we’d love to hear it. Send us an email, drop us a line, we’d love to hear about it.
But yeah, it’s an interesting topic, all of this: AI, cyber professionals. It’s an interesting world we live in and it’s only going to get more interesting as we go on. So until next time, stay safe. Thanks for listening. If you enjoyed today’s episode, please give us a like, make sure you are subscribed to the podcast so you will get notified when future episodes are released. We will see you next time in the MSP Zone.