Ep 248 | North Dakota mandates cyber education; MSP recession planning; CaaS dangers MSPs should avoid
Weaver Outrage Meter: Low
North Dakota Announces Mandatory Cybersecurity Education
North Dakota just announced a new educational mandate for grade school students to learn more about cybersecurity. Such a move is not only a smart one, but it is going to have a positive impact on future generations of cybersecurity professionals.
- Cyber skills gap acknowledged
- Good example of government leadership and action
- Good news for MSPs (and other employers) in the near future
MSP Recession Planning
More talk about a recession here in the United States; it seems inevitable that we are headed into, or may already be in, a recession. What, if anything, can you do to prepare? Credit tightening will impact service providers, but more so on the reactive side. VARs, system integrators, and break/fix companies are the IT business models most vulnerable to tight credit markets, and they will feel the financial pain more acutely than an MSP with steady, predictable recurring revenue and cash flow.
- Historical impact of recessions on MSPs
- Credit markets tightening, who will suffer most?
- Can MSPs thrive during recessionary periods?
CaaS dangers MSPs should avoid
Compliance as a Service is getting more attention in the IT channel. With such attention, MSPs (and non-MSPs) are both jumping onto the CaaS bandwagon. But, just as with most things in life, there are right ways and wrong ways to go about developing a CaaS strategy and offering. Here are some helpful tips to get you pointed in the right direction.
- Beware of reactive CaaS providers
- Scanning is not compliance
- If you’ve never been through an external organizational certification or audit, CaaS is going to be more challenging for you
You’re entering the MSP Zone, a podcast for the managed services community covering news, analysis, and interviews from around the globe. Elevate your MSP game by staying in the MSP Zone. And now your host, Charles Weaver.
Okay, folks, ton of information to cover today, so I’m just going to hop right into it. We’ve taken kind of a new format here, and I’m trying to get more and more diverse material into every episode because I think that that’s actually a little bit better, and I think people seem to like it because we’re definitely getting a lot more visitors, viewers, and listeners across all the multiple platforms that we’re on.
So if you like what you’re hearing, what you’re seeing, give us a like, subscribe. Tell your friends, tell your neighbors. We certainly would love that.
But I’m going to jump right into the first story today, which is kind of a nice story. All right. I read it, and I thought maybe this is going to be bad, but it’s actually a really good thing. And North Dakota, there’s a link into the show notes that you guys can read the story for yourself.
But not that long ago, maybe a week or two ago, the state of North Dakota in the United States here passed a law, or it’s passing, I think it was signed into law, that basically mandates cybersecurity education from kindergarten through 12th grade in state schools in North Dakota.
And there’s not a lot of detail about what the curriculum is going to look like, but basically it sounds like it’s going to be baseline cybersecurity education is going to start to make its way into the classrooms in that state of North Dakota.
Now, I think that that’s a really good thing. I’d be hard pressed to hear anybody say that that’s a bad thing, right. I just can’t come up with a reason why it would be bad.
But we’ve been talking a lot about in past episodes, these ideas that people have been putting forth, like cybersecurity tax ideas, things that I thought are a little bit fringe, a little bit unwieldy, and not really going to fix the problem.
And when I saw this story from North Dakota, I said to myself, this is a really good approach because this is one area where government can actually do a good job and they can start to bring awareness.
And there are kind of three areas that I think that this type of a law in both North Dakota and hopefully many other states and not just in the United States, but I think many other places around the world could start to incorporate mandatory cybersecurity education from a very early age is a really good thing.
And here’s why.
Number one, we know we have a cyber gap, a skills gap. We have it in the professional levels of managed services. We have it in non-managed services environments in just the general corporate world in America and elsewhere, and it needs to be filled. And the only way you fill it is you either take existing adults and upskill them and train them on those things, but that’s only going to solve the problem right now. You still have a problem of what about the future generations who are going to be coming out into the workforce. They need to be conversant in these types of thematic areas.
And I think that – that cybersecurity education mandate is a good thing to pass to help shore up future generation skills gaps that are a definite problem, right? There are national security problems here. There are national security problems in Canada and anywhere you have a civilization, you want young people coming out of their school with a baseline understanding of what matters in cybersecurity and what we in the MSP profession are doing and have been doing for quite a long time.
So I think that’s one good area, and I think that it’s a good example of government leadership to be out encouraging not just the adult education around cybersecurity, which that really seems to for the last three years have gotten most of the attention. And I understand why and I’m not opposed to that. But I think here is one really good, not a change, but a good policy that is aimed at systemically fixing cybersecurity education, at least in that state.
Now, I think every other state in the United States ought to be following some similar type of law. I mean, if you don’t want to mandate it, fine, but at least offer it. At least start to say, look, you know, kids, you are on devices. You’re looking at things that you know are communication devices, but they can also be surveillance platforms on you, right? So there’s privacy issues, there’s data security, information security issues. There’s a lot of stuff that kids probably don’t think of these devices that they’re on so much. They don’t think of them as things that need to be respected and understood. And this type of a law really challenges that premise and aims to correct it.
And again, I think it’s a good template for many other states, many other jurisdictions to follow and to in some way start to encourage from a very early age youngsters to be aware of cybersecurity issues and to understand how important they are. And I think that there’s going to be maybe not that far off, but I think there’s going to be a really good windfall benefit to the managed service provider community because it’s not going to be that long before these kids start to graduate with cybersecurity training. I would say training. But cybersecurity education fundamentals, maybe where at least they can start to be aware of this more and maybe even start to think about, hey, maybe I want to make a career out of cyber. Maybe I want to be in tech. Maybe I want to be more in information technology. Maybe I want to be on the front lines with the MSPs. Right? Wouldn’t that be exciting? I think that those are all good things and the more education the better. So I thought that was a good bit of news. Check out the story, I’ll post it in the notes, let me know what you guys think. But I think it’s a good move for the state of North Dakota and it’s a good move ultimately for all of us, including MSPs.
Moving on to some economic issues. And if you read the news, watch the news, consume it in any way, it’s probably unavoidable that you’re hearing recession talks, right? People are saying either we’re going into a recession or some people are saying we may be already in a recession right now.
Now, you’ve heard me talk for the last couple of months, certainly as early as February when we met last with our Inspire peer group. They didn’t seem to have any indication that things were slowing down, right? Now, granted, these are more mature MSPs, they’ve got maybe a bit more of a refined approach. They’re not seeing anything. Doesn’t mean that some of you aren’t feeling something, but at least as of February, it wasn’t percolating up to that level.
Now we’re going to be meeting with that group in a month or so. So that’s going to be a very interesting meeting where we see really if there’s anything economically that has changed from their standpoint. But from our standpoint right now, I would say that whether or not we are in a recession, whether or not we are going into a recession, there are some things that you can be doing to plan and prepare for this.
Now, the planning preparation might be too late if we’re already in a recession. And the question is, what could I have done to prepare for it? Well, you could have done some things last year to prepare for a recession now, but that doesn’t mean that you can’t start making changes now for any future recessions. This is assuming that we’re already in one and the benefits are going to be too late.
But I’ve got kind of a couple of areas that I think if we’re in a recession, if we’re going into a recession, or when we go into the next recession, because we always will have recessions, the things that you can control that can have a material impact on your personal life and on your business and the business you work for or work with, as an MSP matter.
And one thing that we’re seeing absolutely, especially with all of these Silicon Valley Bank and other bank failures and bank troubles that we’re reading about, are the credit markets, right? I kind of teased this on social media last week, that we’re going to be talking about the credit markets. And when I say credit markets, I mean the general tightening, the fiscal, monetary tightening. It’s not fiscal, it’s monetary tightening that we are seeing now, the shrinking of the supply of money, actual physical money in the market is coming down.
Previous years leading up to this, they had been expanding it, they’d been printing more money, they had been buying more debt. Right? Quantitative easing is the phrase that they would frequently use. Now we’re going into the opposite cycle. They’re trying to remove that excess supply of money from the market and that’s going to create tightening of the credits – credit markets. What does that mean? That means it’s going to be more difficult for you to lend/borrow money. It’s going to be more difficult if you’re a lender, if you’re a bank, but if you’re an MSP, it’s going to be more difficult for you to access capital.
Who is that going to really impact? Is it going to impact MSPs? Yes, yes it will. Is it going to impact break-fix, value-added resellers? In my opinion, more so.
Tightening credit markets have always historically had a larger negative impact on reactive IT providers, break-fix companies, whatever you want to call them, business models where you are moving large, particularly hardware which already has been constrained through supply chain problems and disruption for the last three plus years.
You’ve now got on top of that a credit crunch which is going to make it more difficult either for you as an MSP or more difficult for your customers to be able to access credit, to procure some of those hardware purchases that they need to get.
And so yes, it can have an impact on your MSP business because there are many MSPs out there who move product. We’ve said this before, there are very, very few hundred percent or dominance managed services companies where the majority of their revenue is only managed services and not some sort of product, either hardware or software. So it will have an impact on MSPs.
I don’t think it’s going to be as bad as it would be if you were more break-fix. Meaning if you are a managed service provider but you also are maybe doing some reactive work, you have reactive customers, it’s all going to come down to that mixture, right?
If you’re greater than 50%, if you’re 50, 60, 70% managed proactive managed services, anytime I say managed services, I mean proactive. If you’re greater than 50% in proactive managed services, I would say that the chances are that any type of credit tightening is going to have less of an impact on you.
If you are less than 50% managed services, maybe you’re at 30% managed services, maybe you’re at – the remainder of your revenue is a mixture of professional services, reactive break-fix services and product. I think you’re going to have a big problem. I hope I’m wrong, but I would say that that’s where it’s going to manifest itself.
So when you start to see reports – this is why I’m saying this, guys, to you. When you start to see reports of credit markets impacting MSPs, think about what I just said and make sure that you understand that when those types of reports come out, it’s going to have a different impact depending on where you are in the managed services maturity model. The more mature you are, generally speaking, tight credit markets are going to have less of an impact on you because you are going to have more recurring revenue. I’m speaking just for you financially, right? You’re going to have a base of revenue that it’s going to come in that will be largely unable or less likely to be disrupted by a credit crunch.
Whereas the less mature you are and the more dependent on revenue from things like professional services, like projects that involve selling and deploying and installing large blocks of hardware and software, that type of and especially if you’re selling it on credit. If you’re buying it from a distributor on credit, if you are passing that through and the customer is getting it through credit, that may be disruptive. You may have customers who say, you know what, no one’s lending to me, right? Silicon Valley Banks of the world, they won’t lend to me anymore. At least they’re not lending to us for a quarter or two. That’s happening now. Those are going to have potential impacts. But again, more so on the more reactive side of the channel, not so much on the proactive side. I could be wrong, but historically speaking, that’s what’s happened.
And I think back to my earlier question, “Charles, what do I do now?” Right? What can I do now to prepare? I would say you continue to as rapidly as you can move away from reactive and go towards proactive.
If you are still vulnerable, you still have customers who say, I still get it. 23 years in, I still hear from MSPs who say, yeah, I got this group of customers, I can’t get rid of them. They just won’t budge off of that break-fix model we keep selling them. Think of what damage that type of customer is doing to your business right now, not the least of which is what are they doing to themselves, the customers, by staying on a break-fix model?
You know, I think that there’s a time, and the time is long gone where MSPs can and should start to wean themselves off of companies that just won’t go managed services. And if they don’t want to do it and don’t want to upgrade to managed services, cut them loose, let them go find someone else. And hopefully fewer and fewer and fewer shops will actually be doing break-fix to the point where these companies will have to face reality and have to take responsibility for the infrastructure and the data that they have and that ultimately is moving towards a managed services model. So that would be my recommendation for anyone who wants to avoid future recessionary impact onto their business model.
Finally, this actually came up in a few calls last week and thought that we’d pass this on and some helpful tips on how to avoid this. The ‘compliance as a service’ drum is beating really loudly and it’s global. And I know a lot of MSPs are out there feeling pressure to make some decisions, and I think that I respect that and we’re trying to help as many MSPs as we can.
But it’s becoming really evident to me that there are some, what I will call the same problems we’ve seen in break-fix and reactive IT compared to proactive managed services and proactive IT management. It’s happening in compliance. It’s the same kind of split is happening again in compliance and I suppose shocked that it wouldn’t have happened. But we’re seeing it now.
What do I mean by that? Is there such a thing as reactive compliance? Absolutely. I think we’re seeing some of it now. We’re seeing companies who aren’t managed service providers. We’re seeing them become very involved or want to become very involved in compliance as a service in a way that really has potential danger if this activity isn’t corrected.
What danger am I talking about? I’ll give you a couple of examples starting with one real good example. I’ve started to hear from a lot of providers statements along the lines of, yes, we’re in compliance as a service. And when asked by us, what are you doing? Well, we’re scanning, we’re scanning our customer environments. And I say, you’re scanning? What are you scanning? Well, we have an ongoing, continuous vulnerability scanning service and tool that we use. And we run that scan every week, every month, or every quarter, and we just keep doing it. And that’s our compliance as a service product, our chief product right now.
And I took a moment, pause, and I thought and I said, well, that’s good. That’s good that you have scanning. And in fact, vulnerability scanning is a really, really good idea. In fact, it’s part of the MSP best practices. It’s part of MSP Verify. It’s had that as a requirement for well over a decade. So it’s good. But it’s not good for you to think that scanning is compliance because some of these people actually think that that’s it, that’s all I need to do. All I need to do is just scan or have some sort of monitoring tool that’s monitoring like it’s a technical solution to the compliance question.
And that right there tells me that there is a real big gap of understanding about what compliance is and about what the tools, the individual tools necessary for compliance to be achieved, those are not the same things, not the same things at all.
So, number one, beware of reactive compliance as a service companies, and I’m talking to you MSPs out there, if you start to see your customers get contacted by some of these, what I’ll call reactive CaaS providers, be ready to jump in and set the record straight and start to educate your customers. In fact, I don’t even think you ought to wait for that to happen. You should start educating your customers now on what it means to be compliant in whatever area that they are sensitive to or exposed to. Meaning if they’re banking customers, then banking compliance is what impacts them. If they’re in healthcare, then it’s healthcare. If it’s in insurance, or if it’s in legal, then it’s them. If it’s in federal US DoD, then it’s CMMC. You get my point.
Scanning is not compliance. Scanning is important. Scanning is a MSP necessity today, both internal to the MSP network, but also as a service. That’s not what I’m saying. It’s very, very important, but scanning alone is not compliance. Sorry. Not even close. Not even close.
And this leads me to my next point, which is the real thing. I’ve had enough of these conversations now over the last few years, but they’ve accelerated over the last six months, where we’re starting to hear from even MSPs who are saying, we’ve never been through external organizational certification or audit before, but we want to jump headfirst into compliance as a service. And it’s becoming real clear to me that these MSPs have some fairly big gaps in their knowledge about compliance and the knowledge of what is going to be involved in delivering that downstream to a customer, right? And so that’s why I think that they’re latching onto these kind of easier, more tech driven solutions to act as a compliance as a service proxy. Right. So they’re saying, well, yeah, I’m in compliance as a service. What are you doing? Well, I’m scanning my customer environments, or I’m doing a pen test on an ongoing basis for them every quarter. That’s my compliance as a service. Okay, that’s a good service, but it’s not a compliance as a service. You get the difference. Not the same thing. Good to have, good to deliver, but not CaaS, not compliance as a service. Not even close.
When your customers come to you and say, hey MSP, do you deliver? Can you help me with compliance as a service? What they’re likely asking you right now, today in most of the jurisdictions across the world is they’re asking you, can you help me evidence and demonstrate compliance to somebody else who’s asking me, are you compliant with any given framework? What they’re generally not asking you about is are you getting your network scanned by somebody? Now, that may be an individual question. For example, it might show up in an insurance, a cyber insurance policy questionnaire or pen testing or something like that. Very, very common. But those are point questions, pointed questions. Those are not, are you doing pen testing, are you doing vulnerability period? If you answer those questions, yes, then that’s it, no more questions. That’s not what’s happening. Those are not frameworks. Guys, you see the difference?
There’s more to compliance than just that, more to scanning, more to pen testing. It’s involved, it’s about backup, it’s about data handling, it’s about change management, it’s about onboarding and offboarding. It’s about a ton of things that different frameworks have different areas of focus, but they care about a wide variety of things that they want to see from the organization in question.
And you as MSPs need to be conversant in not only those frameworks, but you have to understand how to help that customer get from point A to point B. And it’s not going to be just with scanning. It’s not just going to be with scanning or pen testing. They will be incorporated, yes, but that’s not going to get the job done. There is more that needs to be done.
And so my biggest concern here is that any MSP, any entity calling themselves an MSP goes to a customer and says, I’m going to deliver you a compliance as a service product. And the entity makes a mistake that causes a real big problem downstream to the customer. And you don’t think that that can happen? Of course it can happen. We haven’t seen it yet. But mark my words folks, it’s going to happen and it’s going to happen. And it’s going to be, I hope not big, but I think it’s probably going to be a big issue.
Someone’s going to make headlines somewhere for having said something that the downstream customer takes as gospel and they’re going to say, yeah, we’re compliant because my MSP said we were because they’re scanning our network. And then someone else is going to say, well that’s not enough. They told you that you were compliant because they scanned your network. You see where I’m going with this. There’s going to be a coming to reality. There’s going to be a true-up at some point.
And so if you are going to get into compliance as a service, and I think you should, right, if you’re listening to everything that I’m saying and thinking, man, Charles really doesn’t want you guys to be into compliance as a service. Not what I’m saying. I want all credible MSPs who are willing to do this because I think there’s a lot of good defensive reasons why MSPs ought to be into compliance as a service, I want you to do it safely. I don’t want you to be at more risk because you’re doing something that you don’t know how to do, number one.
Number two, I think it’s a really valuable service that most customers, most of your customers in managed services are going to want. Number two. Number three, if you don’t do this, someone else is going to. They may be better or worse than you at compliance. I would rather them be worse than you because I think that MSPs are in a really unique position and a good position to deliver fantastic compliance services downstream to customers. I believe that.
But I’m also saying you need to be smart about it, you need to be educated about it. You need to really understand the frameworks that you’re working with. And first and foremost, you need to stop buying into kind of the snake oil compliance by numbers approach of if all I’m doing is delivering pen testing and scanning as a service, then that’s it, that’s got me covered. It’s not nearly enough and we’re going to be doing a lot more on this topic.
We’re doing educational roadshows, we’re doing dinners, we’re going to be in Charlotte, Dallas, I think we’re going to Michigan, I think we’re going to Florida, I think we’re going to Atlanta and a ton of other places. We’re doing webinars.
The point is, we’re putting a lot of effort, a lot of resources into compliance, understanding it. What does it mean, what does it not mean, how to do it intelligently, how to do it well, and most importantly, how to make it something that is ultra, ultra sticky between MSP and customer.
Because in my opinion, compliance as a service is meaningless – It’s just another product to sell. It is meaningless to you unless it strengthens the relationship between you and your customer. And for me, that is everything. And it’s a golden opportunity for MSPs out there to really further strengthen that relationship and that stickiness and that trusted advisor status that all of you have earned very much so over years and years of dedicated service.
I don’t want that to go away. You don’t want that to go away. And I think compliance as a service is a great way to strengthen that and to grow that status.
So be safe out there. Sign up for our webinars. Sign up for some of these dinners. If we’re going to be in your neighborhood, we’d love to see you come out. And if you have any comments or questions, please send them to us, email them, put them in the comments sections. We’d love to talk to you guys and hear from you, hear your thoughts, maybe your experience. If you’re seeing some of the stuff and it rings true, that’s really great feedback and we’d love to hear it.
Until next time! Thanks for listening! If you enjoyed today’s episode, please give us a like, make sure you are subscribed to the podcast so you will get notified when future episodes are released. We will see you next time in the MSP Zone!