Episode 23

Security is Not Optional

With the threat landscape continuously shifting, keeping security top of mind when implementing managed services is more important than ever. Jason and Matt sit down with Michael Grande, CEO and President of TBNG Inc., to discuss why oversight can cause issues for any type of business, no matter its size or the type of data it holds, and why being proactive is key. In the age of ransomware attacks, security is not optional.


Episode Transcript

[00:00:01.210] – Voiceover

This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl and Steven Maresca.

[00:00:12.010] – Jason Pufahl

Welcome to CyberSound. I’m your host, Jason Pufahl. And today, I’m joined by Matt Fusaro, Senior Security Engineer of Vancord. Hi, Matt.

[00:00:19.510] – Matt Fusaro

Hi. Nice to be back.


[00:00:20.770] – Jason Pufahl

And Michael Grande, the CEO and President of TBNG, Inc. Hey, Mike.

[00:00:25.690] – Michael Grande

Hey, Jason. Hi, Matt. Thanks for having me.

[00:00:28.090] – Jason Pufahl

Yeah, I’m looking forward to it. So today, we’re joining from both of our offices. You’re out in Milford; we’re in Glastonbury. So we’ll see how it goes today.

[00:00:36.730] – Michael Grande

Absolutely.

[00:00:38.350] – Jason Pufahl

So we wanted to focus a little bit today on the idea that security is now really a requirement for MSPs. I think you’ve been in this space for, well, you can correct me if I’m wrong, I think about 15 years, running an MSP. I’m interested in your thoughts around how security has become more integrated, more ingrained in that whole MSP process. And I have to imagine there’s been a pretty significant evolution over the last 15 years that you’ve seen.


[00:01:10.330] – Michael Grande

Yeah, absolutely. And we’re lucky to have Matt with us, who spanned the spectrum of both IT consultant and MSP, and now security. So it’s a really unique perspective that he could bring to this. But I start with the thesis that demand has driven differentiation. From our perspective…TBNG began originally as an IT consultancy, mostly centered around project implementations and design and things like that. And over time, as clients began to expect and need more, really grew more into a managed service practice. Through the latter years, I would say, probably over the last 10 years, there’s been a blurring of lines of what once were called systems integrators, and consultants, and maybe even VARs (Value-Added Resellers).

[00:02:09.910] – Michael Grande

Now they have this expectation of providing certain products and security types of services to their clients. So, demand from a client perspective has pushed the industry over, certainly more now than ever, towards security. And there’s so many other factors that are pushing on that. But, that client-demand really is where everything started, really moving over from systems, over to how to secure those systems and networks, and things like that. So we’ve seen it ourselves over the last 10 years, for sure, this major speeding up that’s taking place and brought us more over towards the security space. And we’re seeing it from an industry perspective as well.

[00:02:56.170] – Matt Fusaro

Yeah. I’d echo what Mike said there. I’ve worked with Mike for, well, goodness…13 years now or so, worked in the MSP side for a good decade. And I’d say it started out as… We always had security on our minds. We would design things securely as we could, but it was always a goal, not ‘let’s bake it in right from the start and make sure that it’s a primary piece of how we deploy infrastructure, how we structure projects, how we take care of our monthly customers.’ Yeah, it’s really evolved, and it needs to be from the start or you’re doing it wrong.

[00:03:34.690] – Jason Pufahl

How much of an expectation do you find it is for clients now? Has there been a major change from, “Hey, can you implement this so that my network works?” versus “Can you implement it? And by the way, when I’m done, I want to make sure that we are secure.” The security is a component. How much of a priority is it for people?


[00:03:54.550] – Michael Grande

So, I feel that it ranges based on the complexity of the client–and that’s not to diminish the importance of a small client or a large client. And I think it just really comes down to that understanding and expectation of what the end-result is and then the steps to get there. Matt made a great point before, which is baking in security or having it top-of-mind when implementing a solution. For many years, having it top-of-mind when implementing a solution was quite enough.

[00:04:29.110] – Michael Grande

The threat landscape has changed so much over the last several years. There’s so many news articles, there’s so much. There’s a proliferation of ransomware that’s happening. That there’s an expectation by clients now. Even calling, perhaps, an unsophisticated technology client–someone who really just wants to focus on their business and not really be concerned about what their technology is or what it’s doing, but views technology, support MSP, whatever the role might be, as a business enablement tool. Having that conversation, there’s an expectation that there’s a security element built into everything, whether it’s a migration to cloud services or moving their email over from one on-prem to cloud.

[00:05:19.570] – Michael Grande

There’s so many different variations but this expectation exists now, and it’s important for MSPs. We see it, for sure, on a daily basis, that you need to be upfront with conversations with clients and very clear about what you are able to deliver and what would be a different type of service. So, I would agree with those thoughts that that change has been…a best effort isn’t quite good enough anymore. It used to be enough to at least set up a good foundation. Now, it’s really got to be top-of-mind.

[00:05:56.170] – Matt Fusaro

Yeah. A lot of those things are a lot more accessible now. So 10 years ago, if you were thinking about putting in a system such as a SIEM or an EDR product (endpoint detection and response), you’re talking about large amounts of money to get that done. And then who’s going to manage it? Who’s going to look at it? Again, 10 years ago, people wanted their stuff to just work so that they could maybe automate the business process, have email…you know, the basics. But now, all their data is there. They need to make sure that they’re not getting things like ransomware.

[00:06:30.910] – Matt Fusaro

The scary stories that they’ve heard for years are now becoming realities for them, and they’re paying attention now. So, yeah, it’s nice that this stuff is a little bit more accessible. There’s people that understand how to manage it. There are services out there. So yeah, it’s definitely changed from the defender end as well.

[00:06:49.030] – Jason Pufahl

And there’s a real perspective shift now, too. I think both you and Mike have mentioned ransomware. We have conversations all the time where customers will say, “Well, my business is too small,” or “The data that I have isn’t of interest to attackers.” And I think ransomware has changed that. And now I think people really are concerned that they can have a significant business interruption through oversight of some really basic or fundamental things. And we’re seeing that shift. And there’s an expectation that everything that you do has a security–at least some security thinking to it–to try and reduce risk. And it’s all about risk reduction ultimately.

[00:07:27.670] – Matt Fusaro

Yeah. Ransomware has really changed all of that for everyone. As bad as ransomware is, it’s put security on the mind of a lot of people, right?

[00:07:38.030] – Michael Grande

I was reading an article recently, and I won’t proclaim or even lead a conversation on Web 3.0. But what’s very interesting is I think that there’s been a paradigm shift that exists not only in the business community, but I think just in society in general, that people have an assumption that their information, for the most part, is already publicly available and that there’s just not a lot of privacy anymore. They’ve opted into as many things as they want from a social media perspective and various other e-commerce perspectives.

[00:08:20.810] – Michael Grande

So, I think that the change with ransomware more being a bit of a hostage-taking situation where, “Well, there’s aspects of this data that I need and I don’t want to lose,” rather than, “Oh, there’s an exposure of data.” I won’t say that I can quantify or qualify which is more important to an individual, but I would say that with that expectation, it’s leveled the playing field from multinational large enterprise and mom-and-pop small business, whereas everyone essentially could be a victim.

[00:09:00.710] – Michael Grande

One of the other points just to touch on, and there’s a few areas here, but maybe we can go through it. The speed with which security has become an emphasis or an important item for MSPs to consider, and ultimately, organizations that either rely on some IT management firm or internal team…what we’ve seen is it’s been sped up, if you will, by the difficulty of finding qualified and skilled security experts.


[00:09:33.230] – Michael Grande

The amount of products and applications that general IT support staff or an MSP is responsible for managing has just grown so much. And, as we talked about the evolving attack surface and all these different areas where there’s vulnerabilities that may at one point not have been vulnerable, and with technology advancements now, are at risk. And then layer on top of all of that, and in some degree, it sort of pervades.

[00:10:03.050] – Michael Grande

Everything is regulation, and regulatory pressures, and laws that are put into effect in different industries. It’s not just a niche financial services industry that has old, archaic banking regulations that they need to comply with now. Now, almost every industry–and as we’re seeing in Connecticut with new laws that are being passed–there’s an expectation at some point that almost any type of registered entity will have an expectation of delivering some level of security to their client base. And that’s going to drive even faster this shift over towards security as an emphasis.

[00:10:43.070] – Matt Fusaro

Yeah, I think that’s one of the reasons why you’re finding in the job market right now, security professionals are getting very expensive and hard to find. The paradigm that you have to work in is so large. Michael was just talking about it. Now we have to be very aware of compliances, even for smaller clients. So that makes the job very difficult. I think that’s why more and more companies are going out to MSPs that are housing these types of centers of expertise, right?

[00:11:13.310] – Jason Pufahl

Yeah. And I think the decision making in this space is a lot harder now than it used to be. If you go back, I don’t know, I’ll say 10 years, security really was, “Do you have a firewall? Did you do something to your network to try and keep bad actors from the outside from getting inside?” And it’s way more complicated than that now. It really is regulatory compliance. It’s understanding privacy. It’s potentially being involved in some legal review if you do actually have an incident. There’s dozens of security controls that you can implement, all with varying quality.


[00:11:52.110] – Jason Pufahl

But it’s a really challenging landscape to be in. And I think what we see a lot is discussing with customers and them saying, “Well, you provide support. I must be secure, right? There must be no way that I’m going to get compromised now, because you’ve done some things for me.” And they don’t really know what those things are. And it’s really complicated to articulate to somebody that, “Yes, we’re patching; yes, we’re doing some vulnerability management, but there’s a lot of places where you should probably put some effort to building a more robust security program.” And simply by having an MSP doesn’t make you secure, right?

[00:12:29.550] – Jason Pufahl

It doesn’t make you immune to attack, right? You just need to do those really smart, fundamental things to at least reduce the likelihood of a problem happening.

[00:12:39.750] – Jason Pufahl

Mike, I’m curious. I know we’ve talked about that very idea a bunch–how to educate clients and make them understand where some of their risks are. And TBNG Consulting has spent a lot of time on onboarding processes for customers, to really engage in that educative process. Can you describe that a little bit?

[00:13:02.250] – Michael Grande

Sure. One of the most important aspects of any client becoming a client, really, is what we refer to internally and externally as our onboarding. It’s so important that it’s a mandatory engagement that takes place at the beginning of any managed service contract that we enter into with any client. And we’ve defined a variety of deliverables that the client should expect, and whether or not it’s something that they stay with us for three or five or 10 years. Or it’s something where it’s a brief, smaller engagement, or we’re doing some work on behalf of a different client. But, there should be a set of deliverables that the client knows is their proprietary information and they carry that with them.

[00:13:54.990] – Michael Grande

And that’s one of the results of our onboarding–to really ensure that it’s a more successful relationship moving forward outside of that. And that could encompass what a lot of firms call it, “network discovery.” And some of the things that you get into a client, you realize that maybe they don’t even realize that they have had living on their network for a long time, or could be potential exposures or problem areas, or who’s working remotely with secure VPN or not. So there’s a variety of different things that go into that.


[00:14:25.890] – Michael Grande

And then secondly, it’s analyzing where those security gaps could take place and what those risks are. And ensuring that there’s a conversation that takes place with the point of contact and the stakeholders at the organization, because really, it doesn’t need to be a business. It could be a non-profit or a school or a government entity that could be working with an MSP. And ensuring that that’s a very clear and open dialogue so that those expectations are set very early on.

[00:14:56.550] – Michael Grande

And, hey, we’ve discovered X, Y and Z. A best practice would be to do “this” and move into this type of engagement. And it doesn’t need to be opportunistic. It really needs to be more consultative and providing a roadmap to a client, so they understand, “Okay, we are aware of these things now. And where do we want to be? And then how can we work together with a trusted advisor to build a roadmap and a budget that makes sense for our business and our risk?”

[00:15:28.590] – Michael Grande

Ultimately, if that conversation happens sooner, it’s a much better outcome than when something terrible happens, and it’s more of a finger-pointing issue. “Well, you never told me,” or “I didn’t know,” or “This happened.” And truly, one of the successes of TBNG Consulting over 15, 16 years now, is that very transparent, very upfront approach of, “We’ve learned this. We see this. This is an action that can be taken. This is how we can work with you.” And we’ve designed a lot of specialty approaches for clients, creative financing solutions for clients who didn’t have an expectation that they would need to invest in some type of infrastructure or cloud service. And truly, I think that’s part of the thing that’s made us successful.

[00:16:17.190] – Michael Grande

But that upfront conversation, just so important.

[00:16:20.550] – Jason Pufahl

I think that’s that partnership piece, right? So I think what you really described there is, you’re getting to know a client, helping position to them a future direction. And that might take 12, 24, 36 months to maybe achieve, but you’re setting the expectations of, “For the business you’re in, here’s a reasonable security level to attain, and let’s work together to get you there.” And I think, generating that level of understanding at the beginning is just so important, and it really does give something for everybody to strive towards.


[00:16:54.990] – Matt Fusaro

Yeah, I think because it’s a partnership, it has to go both ways. And I think that’s something that, when I worked with TBNG Consulting, we focused very heavily on, making sure that the client understood the types of things that we were doing to protect their information too. For you guys out there listening: If you’re ever looking for an MSP, make sure you’re asking those types of questions. There’s going to be a lot of data that you share back and forth, and finding out how do you protect it, how are you managing it, what types of controls do you have in place. That’s a really important part that I think a lot of clients, quite honestly, always missed when they talked with us.

[00:17:31.950] – Matt Fusaro

We tried to be very proactive about it, but the questions never really came a lot. But yeah, it’s something you should definitely consider when you’re looking for one.

[00:17:42.150] – Jason Pufahl

Is there anything, Mike, that jumps out to you? If people are vetting or validating an MSP, what are those key qualities, do you think?

[00:17:51.150] – Michael Grande

Well, I really look at it two-fold. One, if you’re looking at an MSP, or really, any type of consultant that’s going to touch technology, and there’s an expectation of a secure relationship that needs to be involved with data, with information, or whatever…make sure that they integrate security into what they’re doing, and that it’s essentially part of their DNA and their fabric.

[00:18:19.590] – Michael Grande

Internally for themselves, what steps do you take as an MSP to make sure that your own data is safe, and that your employees don’t create a risk event for a client in those types of situations that can occur? And that’s a really key element of what we’ve done over many years, is really invest heavily, internally on a lot of those steps to ensure that our fabric is matching the evolution of what’s happening in technology as best we can. There’s limits on what every organization can do, but that’s a really key component.


[00:18:57.330] – Michael Grande

And secondly, security really needs to be viewed as a critical business investment for any organization. Not only should you engage with experts with integrity and that are keeping your business top-of-mind, but you should also take the right steps to protect yourself and mitigate risk from insurance perspectives. Make sure that any organization that you’re working with has appropriate errors and omissions insurance, correct cyber-liability policy. Those types of steps can really ensure that someone has a positive track record. And do that internal vetting to make sure that your trusted IT partner is really…can be trusted.

[00:19:44.850] – Jason Pufahl

Yeah, I mean, that’s all good advice. And what’s interesting about it is we’re spending a lot of time talking about how an MSP can provide services, but the reality is: If you’re going to provide your own IT operations and security, the same basic principles apply. You want to make sure that you’ve got your insurance in place to protect yourself, and that you’re doing the due diligence to understand what the threat landscape is, and you’re patching. All the things that we’re doing for clients, they’re all the same things you need to do if you own a business and you’re providing your own IT services.

[00:20:17.430] – Jason Pufahl

So I think 15 or 20 minutes always goes fast, especially when there’s three of us in here chatting. Mike, I appreciate you joining. I always like to talk with you, and talk around a little bit here about how the industry has changed, and how we’ve evolved, and where things are going. So I appreciate you joining today and sharing your insight here on the MSP side.

[00:20:42.090] – Michael Grande

Thanks for having me. There’s…We probably only scratched the surface of all the things that could be discussed when it comes to the relationships here between MSPs and security firms, and the integration of the two, and maybe where the future is going. So it’s very exciting and I appreciate you having me on.

[00:21:01.050] – Jason Pufahl

And Matt, thanks for joining and just sharing how you had experience on both sides, which is unique.

[00:21:06.810] – Matt Fusaro

Oh, yeah. I’ve enjoyed this security journey, if you will, that started out with Mike, and here I am today, so great.


[00:21:15.510] – Jason Pufahl

And on that, if people are interested in talking about how to choose an MSP or looking for one, feel free to reach out to us at Vancord on LinkedIn, ping us in Vancord Security on Twitter. We’re happy to have a conversation, even if it’s purely in the space of, “What’s the best direction for me to go?” We’re happy to have a conversation there. So as always, thanks for listening to CyberSound. Mike and Matt, thanks for joining. And everybody have a good afternoon.

[00:21:44.670] – Voiceover

Stay vigilant. Stay resilient. This has been CyberSound.

Episode Details

Guests: Michael Grande