Weaver Outrage Meter: Low
Cyber Consultants at it Again
We have been coming across a unique brand of marketing and website design company lately; yes, you guessed it, they also do cybersecurity. It seems difficult not to come across cyber security “experts” these days, even if that claim may be dubious.
- Marketing gets into cybersecurity
- Cyber consultants need understanding of MSPs
- First do no harm!
Managing MSP remote workers (ticket reviews)
Since the pandemic, remote work has exploded. The same is true within the managed services sector. MSPs, however, have some unique methods they can use to ensure their remote technical staff are actually being productive.
- Unproductive remote workers
- Lack of data
- Ticket review benefits
Compliance isn’t Security
With so much noise around compliance, I thought it might be nice to explore some fundamentals around compliance, what it is, and what it is not.
- Security isn’t compliance either
- Being secure is its own goal and reward
- Compliance is about communication and transparency
You’re entering the MSP Zone, a podcast for the managed services community covering news, analysis, and interviews from around the globe. Elevate your MSP game by staying in the MSP Zone.
And now your host, Charles Weaver.
All right, folks, added again tons of material to get through today, so I’m just going to dive right in, and I got to start with a little bit of a clarification of a couple of episodes back.
I made some comments about good MSPs and bad MSPs, and I was listening and watching the episode, and I thought to myself, before anybody takes it the wrong way, I better clarify it and add to it what I was really wanting to say so that there’s absolutely no chance of misinterpretation.
And I think it was two episodes ago I was talking about MSP organizations that have MSP Verify reports and made a comment about good and bad MSPs.
And I wouldn’t want anyone out there to think that because you don’t have an MSP Verify report that you’re a bad MSP.
That is absolutely categorically not the case.
That’s not what I said.
And I don’t want anyone to even think or hint that that’s what I said.
If you go back and listen to it, what I was talking about is the job of the modern customer to identify the MSP and to ask probing questions and to get to a level of comfort with that MSP before they make a purchasing decision, which is very important.
And the job of the MSP is, of course, to communicate as much information upfront to that prospective customer, to let them know all the things that they need to know to make that buying decision.
And no doubt, MSP Verify reports accelerate dramatically that process, makes that process a lot easier.
Does it make the MSP that holds that report perfect? No.
And does it guarantee that that MSP is going to win every deal? No.
It doesn’t even guarantee that that MSP is going to be a perfect fit for that customer. Right?
Because there’s a whole separate episode here of what makes a really good match between MSP and customer.
And having an MSP Verify report is just a communication device.
It’s a compliance device, yes, but it’s a communication device first and foremost, and it tells the customer or a prospect-customer things, important things that they need to know before they make a purchasing decision of who to go with as my managed service provider.
But the contrary, the absence of an MSP Verify report does not mean that the MSP that doesn’t have the report is a bad MSP, if you get what I’m saying.
Now, that MSP may have a much steeper hill to climb when it comes to the effort that they have to put into answering questions that the customer is asking them.
And the customer may end up having a much more, shall we say, maybe a little bit more difficult sales cycle to get to the eventual comfort of pulling the trigger and actually moving forward with that MSP absent something like an MSP Verify report that can communicate that.
So again, I just wanted to make sure that there was no misunderstanding.
Just because you don’t have an MSP Verify report doesn’t make you a bad MSP.
I think you guys get what I’m going at.
Anyway, on to more important things, and we’ve got a lot of important things to talk about today.
The first one, our old friends, the cyber consultants are at it again. And if you’re new to this program, new to the MSP Alliance, you may not be aware that we’ve been around for 23 years, so we’ve seen a lot of stuff. And we keep our finger on the pulse or we try to keep our finger on the pulse of the global MSP community. And we thrive at, or we’re really good at picking up really small details, small, little trends from remote, sometimes corners of the world. And we spot those and we say, okay, is this something that is spreading? Or we connect what might otherwise be disparate, unconnected trends that very few people see out there, and we can connect those and say, okay, well, are these related? If so, why are they related? How are they related? And what does this mean for the larger MSP community? And that’s kind of what we do in part.
And we’re starting to see some other trends now, specifically in the cybersecurity consulting class, if you want to call them that. And we’ve talked about this previously, you guys are probably very familiar with our views on the cyber consultants that are coming out and doing their thing. And here’s what we’ve started to observe recently, and it’s a very recent trend, how should I put this? When a managed service provider presents themselves to us, let’s say just for becoming a basic member, right? Not certification, just they want to apply to be a member. And they fill out the application on the website and they list who they are, their domain, and we go to their website and we check for those that have websites. We’re actually starting to see cyber consultants that don’t have websites. And they’re telling us, no, we don’t ever want to have a website, which is a curious thing in the area of security, why not have a website? But that’s a separate topic. So we go to these websites and we look at them and we figure out, okay, what are they doing? Are they a managed service provider? Are they doing something else? And when you start to commingle what I would call highly advanced cybersecurity managed services consultant style offerings, and you mix that with, in the same sentence, marketing, website development, domain registration, what I would consider fairly low-hanging fruit from a managed service provider’s standpoint, regardless of size, those things are incongruous. They don’t go together. They’re not natural solutions. You get what I’m saying?
You get what I’m saying? And so when you see one company that presents itself like that, from the website language, it looks like they’re doing mostly marketing – digital marketing, website marketing, website design, search engine optimization, SEO, good services, but not services that a lot of MSPs offer. Why don’t they offer that? Because the MSP is way up here. They’re doing things that are far beyond SEO and marketing. They’re more valuable to the MSP and to the customer. Right? If a customer needs marketing services, they generally don’t go to an MSP, they go to a marketing agency. Pretty common sense stuff, right? Why are these marketing agencies claiming that they’re also doing managed services and then also claiming, we do cybersecurity, we do vulnerability assessments, we do vulnerability scanning. Now you got me curious. Now you got me thinking something doesn’t fit here. Something in this equation is not adding up. And folks, I’m right on this one. I’m telling you I’m right. I can tell this because it’s not just one. It’s happening now more and more frequently.
They’re coming out and they’re applying, and they’re getting this message from some place, and I don’t know where it is. Maybe they’re going to conferences. Maybe they’re hearing it from the conference circuit. That could be. Maybe they’re getting recruited by some of the security vendors who are pushing out these scanning tools and just saying, hey, I knight you an MSP. Go and scan and scan all day long, and that’s what makes you an MSP. I don’t know. I don’t know what they’re being told, but what I’m seeing does not make me feel more comfortable about these firms.
And some of you may be saying, Charles, how can you make a snap judgment about these companies? They may be perfectly capable MSPs. Well, that’s true, but again, I do this for a living, folks. If you don’t want to use the term handicap, I can assess an MSP pretty quickly. If not by their website, then certainly by the things that they say and the types of capabilities that they articulate. To me, in writing or talking to them, whatever. I can pretty much come to a quick conclusion of what skill sets they have, what tools they would need to deliver those, and what skill sets of the people behind it to actually deliver that as a service. That’s what we do here. It’s what I’ve been doing for a long time.
And so it just doesn’t add up when someone has a website that is really half focused on marketing, SEO, web design, domain registration, and then they say, oh, also we do this. It would be like someone saying, hey, I sell 1976 Dodge Darts for those of you who are not old enough. Those are really old cars… anyway. And also I sell Lamborghinis. Brand new Lamborghinis, right? You wouldn’t have those two things, those two cars in the same car lot, they’re not the same, right? One doesn’t fit the other. That’s my point. There’s something weird going on here, and they’re getting it from someplace. I don’t know the source of where they’re getting it from, but it’s happening.
And if you’re asking yourself, “Charles, why is this important? Why are you yet again talking about these cyber consultants? What is your deal with them?” Here’s the deal. If you haven’t been paying attention for the last three years, here’s the deal, folks. The deal is these cyber consultants are having a negative impact, a disruptive impact – disruptive not being a good thing in the market, in my phrasing of it – negative disruption. They’re having a negative impact in the market by disrupting the natural existing relationship between MSP and customer.
Now, you might ask a follow-up question and say, “Well, if the MSP is bad, why is that a bad thing?” We’re making a whole lot of assumptions with that. But in that hypothetical, bad MSPs ought to be uprooted and removed from existing customer relationships very quickly. We’ve been well documented for a long time. If you’re an underperforming bad MSP, if you’re not performing actual managed services but you think you are, yeah, I would be the first person to say it. Actually I wouldn’t, I’d be the second person to say it. You know who the first person would be to say it? Every other legitimate MSP out there who doesn’t want bad MSPs or companies claiming to be an MSP but doing it poorly. They don’t want them in the market. They want them yanked out faster than… believe me, I know. I talk to the MSPs. They tell me this all the time. They’ve been telling me this for a long, long time.
What I’m saying now is these cyber consultants who are very, very new onto the scene are embedding themselves in between customer and MSP and causing disruption. They’re not helping the situation. In nine out of ten cases, they’re doing harm. And one of the first things, just like the Hippocratic Oath for physicians, I think the same truth is held in the managed services profession, which is, first, do no harm. That’s what every MSP ought to be doing, is helping their customers, first and foremost. And when you have these third-party consultants wedging themselves in there saying, “Rip out that firewall. Don’t do this. That’s bad MSP. Use a different MSP.” But there’s no basis for their authority. There’s no basis for their experience because they have none. That’s the point. They’re like newly minted cyber consultants. How do I know this? Because no legacy cyber consultant that I’ve ever talked to, ever, says, “Oh, by the way, we also do SEO marketing over here.” They wouldn’t. It’s nickel-and-dime stuff. It wouldn’t even register on their radar for stuff that would be meaningful to them to deliver or meaningful for their customers. It would be so beneath the level of dialogue that that MSP is having with their customers, that it’s not even funny. That’s the point. That’s the point. Something’s fishy going on here, folks, and we’re going to keep an eye on it. And again, what I really like to know, and maybe you guys out there have an inkling of this and if you do, drop us a note. I’d love to hear from you about where you think these consultants are coming from, but they’re getting their marching orders from some place. Vendor – distributor – conference? I don’t know. It’s coming from some place, but we’re going to keep an eye on it. If you have thoughts, drop us a note, drop us a comment, send me an email. Actually, I’d love an email from you guys if you’ve got insight into this. Love to hear your thoughts.
On to the next topic, managing remote workers. And this is based off of a conversation I just had in the last week or so, talking to an MSP business owner who was – and not a small shop either – fairly good sized shop. And this business owner made a comment about having started the process post-pandemic to bring their remote workers back into the office and having a little bit of friction, a little bit of a difficult time doing that. And the reason was this business owner is doubting the productivity of his service desk. So service technicians working on the help desk or service desk, the NOC, doesn’t really know if they are fully being productive. And that’s the point because after asking him some follow-up questions, I got to the point where he doesn’t know, he has suspicions. He thinks that they’re underperforming, he thinks that they’re not really productive, but he has no way to prove it one way or the other. He could have economic proof. He could look at the numbers and say, okay, well, headcount is up, salaries are up, but we’re not actually delivering more services or scaling at the same level that we used to. That could be an economic indicator of scale inefficiency.
So through talking, got back to a tried and true kind of an old standby, best practice standby that is something that I’ve seen used many, many times to great effect and is actually part of the MSP Verify framework. It’s part of that standard. It has been for a very long time, and that is ticket reviews.
And some of you may be saying, well, what does a ticket review have to do with remote worker productivity? I’ll tell you, this is not just for remote workers, by the way. Even if you have an office, even if you still have your people coming into the NOC, it should be for you, it should be for any MSP out there. You should be doing this, period.
What is that? Doing a regular ticket review.
Now there are many reasons why you would want to do a ticket review. It has a lot to do with just general service change management. If you’re a fan and follower of ITIL, the IT Infrastructure Library, this follows that kind of framework and philosophy a lot, but this is an MSP-specific tweak – best practice – whatever you want to call it. Do a regular ticket review meeting.
How does that play out? You ask, for example, if you were to do a weekly or bi-weekly or monthly. I think monthly would probably be the least frequent cycle that you would want to follow. I like weekly because depending on the volume of tickets you have, it’s really good, especially if you’re in a remote work environment. It’s fantastic to get your team together in that capacity, virtually, at least on a weekly basis, if not more regularly. But weekly, I think, is about the most frequent cycle that you would want to follow.
Every week you get your service desk together for 30, 60 minutes, and you randomly pick closed tickets and you go through those closed tickets and again, randomized, so nobody knows whose ticket is going to be called. It’s going to be completely potluck, who gets their ticket yanked that week. And you do it five or six times and you go through and you open up the ticket and you say, how was this ticket processed? You look at it from a documentation standpoint. You look at it from the quality of the guidance delivered. You look at it from a review process.
For example, if your MSP happens to have any type of higher level tier two, tier three type of hierarchy, which many MSPs do, you might look at a ticket from that standpoint if it was like a change request, a user addition, user offboarding that might frequently involve a higher level of tier review of the ticket before it can be closed properly.
And you look at the ticket and say, did it follow proper procedure? Essentially that’s what you’re doing, but you’re doing it in front of your service desk team and so it becomes kind of a really nice learning experience. And yeah, it’s a little bit of pressure. I mean, it’s pressure on everybody to kind of up their game because nobody wants to have their ticket pulled and they wrote a bunch of smiley faces and they weren’t really paying attention and they didn’t really follow protocol. They closed the ticket and nobody wants to be that person. And so it should have a general overall effect of raising the bar of performance with your service team.
And it also is a good educational lesson because everybody gets to benefit from how properly to do things and how to avoid things that are not done properly. Both are on display in that type of formalized ticket review.
And you do it just as a matter of course. That in and of itself can have really powerful positive impact on productivity. It can really – I wouldn’t say force – but it can encourage change in otherwise underperforming – or people that maybe deviate too much from your process, maybe they haven’t been trained properly. Maybe they’re still new on the job. Maybe they just aren’t paying attention. They need to be corrected. Maybe it’s a work-from-home scenario where there are too many distractions and it’s evidencing itself in a ticket that’s not being completed properly. Any one of those things could be happening. And a ticket review – a formal ticket review process can really do wonders in uncovering that type of inefficiency, identifying it and correcting it.
Now, a ticket review has a ton of additional kind of separate security and compliance-related benefits. I don’t want to get into all of those, but I’ll just say if you have any aspirations of going through and getting MSP verified or SOC 2, you’re going to want to have a ticket review process. I’m just telling you right now, it’s a really good thing to have. Even if you have never gone through a certification, but especially if you’re planning on it or you are doing it right now, start doing it immediately. There’s no reason to wait. It’s easy. It shouldn’t cost you anything, and trust me, it will have a ton of benefits.
And I think what you will see, if you’re like this other business owner that we referenced, you should start to have a lot more comfort in the overall quality of your service desk team. And you will start to really identify, depending on the randomized sampling of the tickets, right, how many you’re doing and the frequency and all that and the size of your team, of course you’ll start to get who’s doing it the right way, who’s doing it maybe not the right way. And then you’ll be able to start to apply remediation accordingly, maybe give extra training. Maybe you rearrange some people. Maybe you have certain people have tickets reviewed more regularly because they need additional training. Whatever it is, the point is you have the information. And absent that ticket review process, it’s really hard to just go in there and do it yourself and expect the team to understand why they’re being either reprimanded or why they’re being praised. It kind of puts that out in the open for everyone to see and everyone can benefit and grow and become better as a technician, as a group, and as an MSP organization. So I’m a big fan of it if you are in the situation where you have remote or maybe they’re all back in the office and you’re just not sure about your service desk, maybe that’s not the right way to look at it. Maybe you just want your service desk to be even better. Ticket reviews are the way to go. Trust me.
Okay, last but not least, someone actually made a comment in one of the comments of the videos in the last few weeks about compliance isn’t security. I thought that was a really good comment because everybody’s talking about compliance these days and that comment is right. Compliance isn’t security. What does that mean? If you are jumping onto the compliance bandwagon because you believe that if you can say, I am compliant with this, that is going to mean that you are also secure. That is not the same thing. How could it not be the same thing, you might be asking because don’t most compliance frameworks ask you about security? Yes and no. There are a ton of ISO frameworks that don’t ask really anything about security. There are – ISO 27001 – does. CMMC, NIST… Right? That is security specific. Does it involve everything in an MSP organization that might impact security? Absolutely not. There are huge gaping holes in that framework and in other frameworks relative to how MSPs operate specifically that would be relevant to security. So I wholeheartedly agree with the concept that compliance does not necessarily equal security.
I would also say that security doesn’t equal compliance. Flip it around. If you are a security-sensitive MSP organization and you live and breathe security, it doesn’t necessarily mean that you’re compliant either. Right? There are a lot of really good, highly performing MSPs who have really good security internally baked into their process, who nevertheless have compliance gaps.
How is that, you may ask. Well, you could have really good security, but you could have a lack of documentation. You could have a lack of evidence of something that, despite how good your security is, you can’t communicate that to somebody. Let’s say maybe an auditor, an MSP Verify auditor might ask you for something and you say, “Well, I don’t actually have a ticket or a screenshot or anything for that, but I do this, I’m really secure.” Does that help? No. Right?
Security, compliance, they can influence one another. They can heavily impact one another. But if you have one, it does not mean you have the other. That’s really important for everyone to understand. Compliance is not security. Security is not compliance. You should be secure, period. Even if you’re not compliant, you should be secure as an MSP.
If you are compliant as an MSP, well, that’s good. Demonstrating compliance is a completely separate question. And again, as we’ve just learned, that doesn’t necessarily mean that you’re secure in any other way either. It just means that you think you’re compliant.
Compliance is about communication and transparency of what you do. And hopefully, at least in our scenario, in what we do, in the work that we’ve been doing with MSPs for 23 years, compliance is about communicating, among other things, the security of the MSP. That is a large component of what we do. It’s what we’ve been about for a very, very long time, is not just hiding the good work that MSPs do. It’s about communicating it as effectively as possible to a customer who wants to know all about all those good things you’re doing. Right?
And for a very, very long time, historically speaking, MSPs would keep those kind of trade secrets. I think they would think they were trade secrets, but they were really just internal best practices, security best practices and procedures that they would follow and they would kind of hide them and say, “I don’t want to really share that with you, it’s proprietary, we have special sauce and all that fun stuff, right?” They just don’t want to share it.
And out of that lack of sharing came an even brighter light that is now being shown on the MSP sector, which is, no, we’re asking you to open up yourselves to external review because we demand to see what you’re doing with security because that directly impacts your customers. And that’s a fair question.
And again, I wouldn’t want anyone to think back to that good MSP – bad MSP discussion we had at the beginning of this episode. I wouldn’t want you to think that just because you think you can say you’re compliant with something that you necessarily have security. You could be compliant with a variety of different frameworks and not be as secure as you should or can’t demonstrate that security as well as you should be able to to a customer or regulator or whomever.
And I would say that they’re heavily reliant on one another, and you need to look at security and compliance as part of the same ecosystem. They’re part of the same family, they’re not identical, but they must be articulated and approached in the same way.
Because if you do that, then you look at everything you’re doing in security in your practice, and I mean everything from backups to encryption to MFA, to password management policies, to onboarding and offboarding, to change management, to internal network scans, to SIEM, SOC as a service, XDR style technologies focused inward in your MSP network. Those things are all really good, and those things are all really necessary for security, but they’re also really necessary for evidencing the compliance story that you’re probably trying to tell. And that’s how they really connect and interact together.
So hopefully that helps because I definitely do get a lot of good questions from MSPs who kind of use those two terms interchangeably, and they really are not. They’re not interchangeable terms. They are distinctly very different terms, but they do have connections to one another and they do influence the other, and that is very much true.
So we’re probably going to be doing a lot more education on those types of topics in the future. Hopefully, this helped.
And again, be on the lookout for these cyber consultants and send us a message if you get a line on what the heck is going on there because that’s really baffling and we’ll certainly keep an eye on our side.
And until next time, be safe.
Thanks for listening. If you enjoyed today’s episode, please give us a like. Make sure you are subscribed to the podcast so you will get notified when future episodes are released. We will see you next time in the MSP Zone.