Cybersecurity: Amplified And Intensified

14. Operating effectively with Todd Kane.

June 02, 2021 Shiva Maharaj/Eric Taylor/Todd Kane

Todd Kane has spent over a decade creating a management framework that has resulted in massive value for the companies he has worked with. Millions in higher margin projects/operations, millions in saved cash reducing employee turnover, and massive increases in team morale.

Todd has led groups for several of the largest and highest-growth companies in western Canada, with experience at major businesses like EnCana, Canadian Natural Resources Ltd, WestJet, Bell Canada, Long View Systems, and Fully Managed.

His work has been recognized with numerous awards, both technical and business.

Microsoft, Small Business BC, Globe and Mail, Venture Magazine

Podcast #14 - Operating effectively with Todd Kane - YouTube

Todd Kane | LinkedIn
Evolved (evolvedmgmt.com)
Evolved Radio Podcast (evolvedmgmt.com)
MSP Productivity Accelerator (evolvedmgmt.com)
Service Manager Boot Camp (evolvedmgmt.com)

Eric Taylor | LinkedIn
Twitter: barricadecyber
barricade cyber solutions - YouTube
www.barricadecyber.com

Shiva Maharaj | LinkedIn
Twitter: kontinuummsp
www.kontinuum.com   


BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
Because you're entitled to IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!

Shiva Maharaj:

This is the Cybersecurity Amplified and Intensified podcast. Today we're here with Todd Kane of Evolved Management. Hey, Todd, how's it going? I guess good to be here. So tell us a little bit about yourself.

Todd Kane:

So I've been in the MSP industry for, I guess, a couple of decades now. Originally, I was a VP of operations for a large, recognizable Canadian MSSP, kind of took them from the post-merger hangover, doubled in headcount, doubled in revenue, increased gross margin and slashed turnover. I kind of recognized that the tools I was using in the industry were pretty universal. There was no sort of secret sauce to the individual companies that I was working in and making improvements in. So I decided to go back to my consulting roots. And now I'm a consultant to MSPs and IT service providers, to increase margin, provide more profit and less stress for the owners and operators of MSPs.

Shiva Maharaj:

So what are you seeing out in the market these days with your clients? How are they handling not just the growth, or the construction of business because of recent events, but the cybersecurity aspect of things?

Todd Kane:

Yeah, the growth has been interesting, because on one hand, there is a lot of business that is starting to turn around. No, it kept the lights on through the coronavirus pandemic. But it also created a lot of sort of stress events, increase in demand. You know, people saw kind of a 30 to 40% rise in workloads and support requests through the beginning of the pandemic, and then it sort of tailed off and got even from there. But there was a sort of surprising increase in business. I know one group that was adding seven clients a month and at one point added 15 clients in a three-week period. So there's sort of a haves and have-nots type situation going on. And the operators that are able to sort of stay on top of it, and are able to onboard and are still able to market in some capacity, have really done well, which is, I guess, been a bit surprising. There's also been some challenges, though. You know, I think what we're going to start to see going forward is a real strong competition for talent. Because what the pandemic has proven is what I've always suggested: that people can work remotely if you manage them correctly. And I think that was sort of the missing piece of this. Like, I have this expression that visibility does not equal productivity, because bad operators always had this thing in their head where, like, I need to be able to see my staff to make sure that they're busy, which is the furthest thing from the truth. Like, it makes no difference. What people found is that the productivity actually went up when people were at home. And the quality of life felt better for a lot of other people, after things sort of got a little quieter and settled down.
But now what we're finding is, you know, if you live in, say, rural Nebraska or northern Montana, you can work for an MSP in Texas or California or anything. The boundaries of where you hire people from, I think, are going to get a lot more blurred and are starting to become a bit more blurred. So retention and competition for talent, I think, is gonna get really, really hot in the next year or two.

Eric Taylor:

These companies are growing so fast. And some of them that we talked to are really, really struggling just to keep the ones that they got. And, you know, I'm a part of a group that you may know, called ASCII, and some of them are talking about where a lot of their contracts are actually coming back to say, hey, these are still kind of tight, can we switch over to the T&M, block hour type of stuff? So what would you say maybe is the top one or two things that somebody, MSPs who are rapidly growing, are doing really, really well?

Todd Kane:

I think being visible. The one that I noted that added a ton of clients in that three-week period is vertical specific, which is a strategy; it's not necessarily one that I think you want to jump on unnecessarily. A lot of people will tell you that you should focus on a single vertical and just be really good at that. But it creates concentration. And then, you know, in adverse events, you have a lot more risk on the downside. So, you know, I'm not one of those people that says you should hyper-specialize. If you can, if you have an area of expertise, then great. And I think being visible and continuing to market and making sure that you're adding to the funnel, even if it feels like either you're busy or you're slow. Otherwise people end up in the sales rollercoaster where everything sells at the same time, because, you know, there's those panic events where the owner and the salespeople kind of start pounding the pavement because it feels like times are getting dicey. And it's the infrequency of those types of events that causes sort of the onslaught of sales. And I think if people were a bit more consistent with their sales and marketing, being a bit more visible wherever they can, and that will become easier as the markets open as well. And, you know, I'm sure you guys are aware the cybersecurity angle is one that is ever present, right, and becoming, you know, over the last year or two, I think it became much more in sort of the forethought of most average business operators. Before, a lot of people would think, well, you know, I want to protect myself from ransomware, and I want to make sure that I have backups. And now the threat is so much more pervasive. And it's really difficult for the average person to wrap their head around what needs to be done in order to protect themselves.
So I think that the cybersecurity angle will increasingly be a bit of a differentiator for a lot of the MSP businesses out there as the sophistication and the understanding of the client base becomes higher. And that just becomes simply a demand and an expectation of the product, the MSP provider.

Eric Taylor:

As we're transitioning, I still have a company called IT Simplified, but for many years we were private, too. We were micro-focused, we were doing veterinary clinics. That's all we did. Like, our whole branding was just about an area, and it got really good because, you know, a lot of clinics were able to start coming to us, we were able to start growing really, really well in that space, but any time we tried to branch out of it, it's like, oh, well, you're really doing this, how are you going to help my county, my legal firm, things of that nature. So there is something that MSPs need to realize when they go that micro-focus: it can have backlash. You kind of hinted on it, I just want to kind of touch on it, but the other use case that I really want to talk about for a minute is a lot of MSPs are going out there and wanting to be an MSSP. Yeah, they want to throw that extra S on there, you know, because they're super, but I can't tell you how many times I've got to be like, yo guys, slow your roll, calm the F down and talk this thing through. There was a company out there, they're probably still doing it, a pre secure now, that is allowing MSPs to resell insurance policies for cybersecurity. I'm not sure how it is up there in BC, but in a lot of states down here you have to be a licensed insurance broker to resell a policy through an underwriter. I mean, here in South Carolina it's that way, a couple of people that I know in Michigan and Florida, it's the same way. So they'll just go, oh yeah, you can go and do it, you go and do it, no worries, no worries, just go ahead and do it, and if something ever happens, good Lord, I hate to see the frickin' legal issues it's going to, the ramifications. What would you, I mean, I know what my two cents on the matter is, but any MSSP that's wanting to throw in that super special S onto their title, what would you tell them from a 30,000-foot view?

Todd Kane:

I have this conversation pretty regularly, because there feels like a bit of a cash grab moment. And, hey, I can add a ton of services, and this stuff is good margin. It seems like it's fairly easy to just add some SKUs, add some software to the stack, and now I'm an MSSP. And I agree with you, it's the furthest thing from the truth. Quite frankly, security is a much different type of skill set than it is for traditional IT infrastructure. One, the risks are higher, but it's a lot more like governance than it is like troubleshooting or architecture. And I think that's what people miss, is that you can't just add three different pieces of software and all of a sudden you're an MSSP. There's a lot more that goes into it. And if you take the time and send someone for the relevant certifications, you know, you start stalking someone towards a CISSP, or some similar industry equivalent, and they actually have the relevant skill set, and you have the staff with the skill set to be able to develop that section of the business, then great. But that's not most MSPs. So what I tend to advise people is just partner with somebody, right? Like, don't try to be everything to everyone, and look for great partners that are MSSPs. They'll do the governance and you do the IT infrastructure. And there's a lot of great partnerships that are working that way. So you don't have to build it on your own. And you certainly can't build it just by adding SKUs and adding pieces of software. And that's what I see as sort of the missing component that people don't qualify or really understand. As for, you know, whether or not you're going to get into risk management and insurance, I think that's a terrible idea. Like, again, just kind of leave that to the experts. And if you can get a cut of the margin on the resale, great, but don't be the person holding the paper on that policy. It just seems completely unnecessary.

Shiva Maharaj:

I don't know, man, I think you're gonna have a lot of vendors going against you on that one because they just want to sell more product.

Todd Kane:

I 100% agree. And I think that's where it comes from, is the vendors quite rightly are trying to sell solutions. And I don't blame the vendors for this; these are decent solutions. But they're a component of the puzzle. And I think that's the distinction: without the governance and the understanding of how to build and secure security infrastructure, you just wrap it with software called secure, like that, and it just leaves an element of risk that is unqualified from a governance standpoint, right?

Shiva Maharaj:

Absolutely. But you know, there are vendors out there who will sell you a compliance framework. And they will say, okay, now you can own that risk for your client by giving them this framework or implementing this framework we're selling you. When you look at the contract that you as a provider sign with your vendor, they assume zero risk. So if you're taking that marketing speak from your vendors to your clients, and you're pitching them that, yeah, I'm going to be in charge of your systems, I am like your in-house IT guys, that causes a transference of risk that most providers don't want. So I guess my question to you is, how do you help your guys, your employees, deal with things like that? Because you and I first came on each other's radar when I was looking for a CEO, and that's part of what you do with your consulting. How do you manage the risk profile with the internal staff? How do you get your clients to understand that just because they are buying a product from a vendor doesn't mean the risk isn't theirs, based on how they sell it to their customer? Perfect example: Kaseya has their compliance platform, and back in December they were selling a CMMC audit plan. CMMC hadn't been finalized up until that point. There were MSPs going through their clients saying, hey, we can get you CMMC certified. I'm not saying Kaseya did it that way. But a lot of the MSPs thought that by using Compliance Manager, they would be able to make anyone compliant.

Todd Kane:

I think that highlights where the risk of this is. You know, how I typically sort of frame this for people is, you want to go out and implement a NIST framework with your clients, or, you know, certainly start with yourself, like, secure your own house first, for God's sake. But if you're going to roll out a NIST framework, how do you do that? Right. And I get this question a lot, like, how do I build a security framework? First, you know, I have a podcast on Evolved Radio, this guy Gabriel Gump, and he talks about don't build your own, right. But then the difficulty is, as you go and look at these frameworks, they're not prescriptive. They talk about sort of the 10,000-foot view of the things that you should be securing. Now, if you get into like CIS Controls and things like that, there are some better tool sets for helping you implement this stuff. But one, they're extremely rigorous if you actually implement them properly. But broadly, it's just sort of a list of recommendations and things that you should and shouldn't do, which is a good place to start. But that's not being an MSSP. And that's sort of the thing that I try to communicate to people, is that there are definitely some things that you should be doing from a security management and a risk standpoint. But unless you're going to go out and get some type of relevant industry certification, you don't know what you don't know. And I think that is the risk, is if you don't know sort of the proper ways to secure the infrastructure that you're building, the infrastructure that you're absorbing, and then you're just relying on these tool sets to sort of fill in the gaps, that, to me, is extremely risky. So, you know, again, what I'm communicating to people is that someone has to own this internally, or you leverage a partner, so that they understand what the implementation of these frameworks actually looks like.
So that you're not sort of doing this in a sort of patchwork capacity that creates a bunch of systemic risk, because you think you've done it well, but no one really knows if you've done it well or not, because there's either no internal knowledge or no third-party verification of that, right. Like, a great example is people that start loading up all kinds of workloads into Azure, or on AWS. And the general assumption for kind of low-maturity operators, from a security standpoint, is the cloud is secure, Microsoft is taking care of this for me, and that's 100% not the case, right? Like, you can load up all kinds of workloads into Azure and make it incredibly insecure if you don't know what you're doing. That again just comes back to the idea of, if you just try to wing it and do this stuff off the side of someone's desk, you're gonna end up with a serious headache, or something that is actually a business risk. So just don't do it until you have a partner or someone internally that can own this and really understands the security frameworks in detail, not just sort of following a list or some toolset.

Eric Taylor:

From a pentesting standpoint, that we handle. We have classes every quarter about breaching cloud infrastructure. There are books written about breaching cloud infrastructure. Just because you are in the cloud, just like you said, does not mean you're secure. The other thing that I want to make note of is when companies are going through a compliance, or whatever it is, CMMC, NIST, whatever the case is, each control needs to be thought out clearly. Like, take one of them that we went through recently: are you logging all of your data? Okay, that's a pretty broad frickin' statement. I just sit back and think about it. It's like, okay, what exactly are they meaning? And then to me, it's like, okay, they're talking about my firewall. Where's that log data, again, aggregated at? Where's my workstation? And my servers? Where's my switches? Where's my cloud infrastructure? Is my RMM and PSA, are those being logged? Or where are those aggregated? If I'm using other third parties, you know, like times s that's integrated, is there any logging with that? If you're using a UniFi controller, or Meraki, you need to list out your entire stack for each and every control, and say, is it applicable? Is there log data? Is there something that you could be able to parse and go through? We beat up another vendor who was actually using a streaming service, and I loaded up Burp Suite just to mess with it a little bit, just kept sending them to phase two, phase two, phase two, phase two. They couldn't figure out where it was coming from. Like, I'm over here, guys, you know, just messing around with your API. But the vast things are security, I mean, everybody really needs to start listing out their entire stack of everything that they use, and apply it to each and every control. That's the only way you're going to get there. And until you start realizing, wow, this set of software or this solution or this service is really janky, they're not going to change.

Shiva Maharaj:

Todd, as an operational guy, where do you sit with vendor selection and product selection with your clients?

Todd Kane:

I tend to have my favorites, I guess, like anyone would. I tend to be kind of cautious. And I tend to leverage partnerships from a security standpoint, especially. But, you know, I tend to suggest people stick close to their ecosystem. I suppose it tends to make more sense from an integration standpoint. Always look at, you know, who has the best APIs, because I'm a big data nerd, and being able to aggregate data into some type of BI tool is particularly important. So from a security standpoint, you know, I'm not necessarily a security guy, I know enough to be dangerous. So from a security selection standpoint, I tend to leverage a lot of trusted partners that I act as, MDR services, from that aspect. And then I kind of have my favorites from a PSA or RMM selection, and then just sort of other tool sets. I'm also not prescriptive. Like, I'll sort of suggest to people, here's my favorites, and here's why. And if you guys feel differently, and this is your selection, that's totally up to you. You know, I don't think that we're in a situation where any of the solutions out there are necessarily bad. Because if that were the case, then, you know, there would be some level of industry awareness or evidence towards that, or sort of fit and fashion. It's much more about how you leverage it, how you use it, how you position it, and whether or not it fits the rest of the ecosystem and what you're leveraging towards in your business, I suppose.

Shiva Maharaj:

How do you feel about vendors who don't give you any insight into what they're doing in your tenants? That's the biggest issue I have in the MSP space. We have all the auditing for what we're doing with our data, with what we're doing with our client data. And some of these, you know, managed SOC systems or MTR, MDR products, we can't see how their analysts are interacting with the data that we're putting in there. And we don't even know who they are. And if they're offshored, you know, there are security concerns, not necessarily compliance concerns, depending on what your or your client's vertical is. But how do you feel on the lack of insight and knowledge into what they're doing with our data?

Todd Kane:

Honestly, I haven't dug enough into it. Whenever people are asking about who to use for a security service or an MDR, sort of my first comment is that on their face, they're kind of indistinguishable, right? So like you really need,

Shiva Maharaj:

I didn't mean MDR specifically, and any vendor, like whether it's your PSA, your RMM, QuickBooks, anyone, because especially as we go to the SaaS-based lifestyle, which I think if we're not there, we're gonna be there tomorrow, the vendors have the ability to go into our tenants and see everything. There's very little that they cannot do with our data. And most of, not most, a lot of them strip it down to a degree and they sell it, which they claim keeps the price down that they charge us or our clients or, you know, down the chain.

Todd Kane:

Yeah, I think there is an inherent risk to having the keys to the kingdom, right. This is why RMM vendors get a slap on the hand in some cases, where the access vector, like a Control or TeamViewer, those types of systems, have had problems in the past where they've been used as a vector to get into multiple clients, which is risky. There were some vendors that I've seen that are leveraging an ad-based model to either reduce cost or make things free, which I've told them I think is a really sort of risky strategy when you're dealing with the privacy and security concerns that MSPs are subject to. Leveraging ad-based models seems a little risky. You know, more broadly, it's sort of one of the things that always sort of surprises me about the tech industry. I always ask people, in certain circumstances, when they're choosing tools and their tech stack, whether or not they're an Apple or an Android person. Because, to me, it sort of tells me whether or not they're going to like certain vendors or another. But the people that are Android-based and security minded, maybe I don't know enough, but my suspicions around sort of Android's business model is the leveraging of the data that exists there. But a lot of people still feel like, you know, it's somehow better than Apple's privacy policies in that framework. So I don't know. It's a struggle. You know, there's only so much that you can possibly understand in tracking all of these things. And I think that there's a high degree of relevancy around what data access those vendors have and how it's leveraged. And I think they should absolutely expose that, especially if there's any type of resale model.

Eric Taylor:

now that we lost all the Fisher Price fanboys about Apple, let's carry on.

Todd Kane:

Yes, I'm an Apple fanboy. I run all Apple, and part of it, honestly, is privacy concerns, right? Like, I'm not paranoid about it. But, you know, for example, I bought a new TV, and it's an Android TV, and it was like, fine, okay, whatever. But, you know, people talk about certain software that's pre-installed, and it's difficult to remove, and it actively watches what you watch and reports back for ad data, right. And there was a recent software update, and now the top bar is advertising a bunch of content from channels that I don't even have, right. Like, Disney Plus stuff is coming up. It's like, come on, I don't need these ads, I paid for this TV. I get it that, you know, I get some improvements in the software, and that's where a lot of this comes from. But, you know, it speaks to the point of what are the trade-offs of, you know, the cost of this versus what I'm trading in turn as a product as well, right?

Eric Taylor:

Come on, you know, you want to build a snowman.

Shiva Maharaj:

So from a productivity standpoint, what do you recommend to your clients when you go in? Because I'm sure there's a minimum baseline that you'd like to see. I just didn't know how people are managing their internal productivity for staff. If I were to bring you into my company and say, hey, Todd, you know, you're my CEO, get my people into shape, what are your go-to points that you typically do off the bat?

Todd Kane:

So I have a productivity course, an MSP productivity course, that is well liked by the people that have taken it. It's a mixture of sort of a GTD-lite, Getting Things Done, methodology around how to manage your time and your energy. And then there's the second component around making it easier to track your time in the PSA, because, you know, this is sort of the wart on any type of professional services industry: no one likes entering time. And that's a reasonable pushback. But it's also a necessity in our industry, where, even on fixed-based contracts, our costs are still based on time and people. So understanding your costs on a contract and a client basis is incredibly important, even rolling up more broadly to the costs of the company. But if you make it really difficult for people, and, you know, you're making them track bathroom breaks and all kinds of crazy stuff in the system, it's reasonable that people push back on this. So sort of the stepping stone, I think, is explaining to people why, right. Like, a lot of people just simply tell them that they need to do these things. And that's not untrue. But at least explain to people why you need the data, and that I'm not just trying to be a tyrant, but I actually want to understand how your time is leveraged and whether or not I can make life better for you by repositioning something or eliminating meetings that are unnecessary and gobble up a bunch of your time. So the why is particularly important. And then some level of training and education to make things easier, I think, is really, really helpful. Because the higher the friction point in managing your time and your energy, the more reasonable the type of pushback that you're going to get from your staff. And then after that, it just becomes coaching and management, right. Like, a lot of people will unreasonably tolerate the misbehavior and the nonconformity around the expectations of the role, right.
Like, we're all professionals working in a professional industry. And my expectation is that you can track your time as a fundamental administrative component of your job. And a lot of companies just don't enforce that. And then they're frustrated by the fact that they don't have good data. Yet, you know, they're letting people kind of get away with this. And one of my favorite descriptions about a company culture is, your culture is defined by what you tolerate, right? It's not what you try to enforce on people or tell them what things are. It's the lowest common denominator. If you let people get away with this stuff and just sort of let the tail wag the dog on time entry and things like that, then of course you're not going to get compliance around it, because humans naturally follow the path of least resistance. They have no incentive to enter time, and they have all the incentive not to if there's no downside for not doing so. That, I think, is a huge component to this. And then just using metrics and understanding what your benchmarks are, and looking for areas of improvement. I'm a huge data nerd. So dashboarding and reporting, and then helping people to improve their lives and coaching them on how to do better so that everyone can perform better together. Because ultimately, people want to be a part of a high-performance and successful team. Like, no one wants to be on the losing team, and people will look around and see, you know, what is the level of effort from everyone else around me. And, you know, you'll occasionally have some high fliers in some organizations, but, you know, if 50% of the staff is just not doing the things that are expected, then, you know, what can you expect from the rest of the people? Right?

Eric Taylor:

So wait, when you start talking about tracking time and everything like that, what percentage of their day do you say needs to be logged? When I was working with a couple of other companies that will remain nameless for security reasons, they would always say anywhere between 80 and 85% of your daily activities need to be logged in the ticketing platform. That way you get away from, you know, you had a quick chat down the hall with the production guy, you're using the restroom, whatever the case is, but 80 or 85% of your time is actively logged. And part B of that question: I know, at least in the cybersecurity space, we're having a massive issue getting good talent. When I was in the MSP space, we knew that there were a bunch of pizza techs, trunk slammers, whose idea of security is that a pfSense router performs the same as a DoD-grade, you know, Palo Alto or Fortinet. Which I just want to go at people with a wiffle bat over, because it's not. How much do you think the lack of talent, and getting good talent, is allowing owners to look the other way when trying to get these types of metrics?

Todd Kane:

The first part, around kind of expectations: 70 to 75% utilization is achievable. Anything past 80% is the law of diminishing returns, where you're risking burnout. But reasonably, five and a half hours, six hours of the day should be logged against utilized time, which is basically time that creates value for the client or for the internal company. And then the rest of it is just generally waste, right? Like, I don't go down the rabbit hole of tracking every 15 minutes of time and trying to figure out where that stuff goes, unless you're trying to split this admin bucket into smaller buckets and figure out where that time is going. There's a reporting exercise that can be done, but it shouldn't be the default. It should be: if we're trying to figure out why a person is 50% utilized, where does the other 50% of the time go? Is it simply waste, where they enter admin time, wrote and answered emails, and were on the phone or talked to other people? Like, that's just a waste bucket, and that's generally fine, as long as it's within the standards of what you expect for the role. So yes, it's a reasonable expectation, and that 70 to 75% is totally achievable. As far as whether or not you should let that slide in order to have a better quality of life for the staff, there's maybe a small argument to be made there. But honestly, everyone's replaceable. There's a huge open sea of potential labor that is available, and quite frankly, no one is irreplaceable from a knowledge standpoint or a skillset standpoint. Every MSP that you go into that has not had a focused effort on the management policies of the organization has at least one person, usually one of the more senior who's been around forever, that is just not subject to any of the policies that everyone else is subject to, and they manage to get away with it.
And this comes back to that idea of being careful about what you tolerate in the business. And sure, you may feel like, well, I can't get rid of this person, because they're really good at what they do, and maybe I wouldn't be able to find somebody else. I think there's some truth to that, but it's not nearly as true as people think, right? If you've got someone who is even 60% as qualified, you spent six months trying to train them up to be as good as the other person, and they got up to 70 to 75% of the capabilities of that other person, and they had a better attitude and were more compliant with the administrative policies, everyone would be better off. So I think it's about taking an intentional approach to this. And what I find, almost categorically, when I go into other organizations to support them with the implementation of a management framework, there's a simple rule: 50% of the people, after you tell them to do something, they'll be like, okay, sounds good, I'll go do that. There's about 20 to 30% of the people that kick and scream a little bit, but you have some conversations with them, you convince them, you sort of sway them around on this idea, and they're like, okay, I don't love it, but sure, I get it. Okay, yeah, let's do this. And then there's that 15 to 20% of the staff that just dig their heels in and piss and moan and refuse to get on board. Those people can either choose to find another job or they're going to get fired. And it's odd that this is such a consistent thing: in most organizations where you've never taken a focused effort on the development and the management of your staff, you're going to find that it sort of works out this way. The other thing that I tend to find is that that person that gets away with this stuff, the old-timer that's been around forever, and no one can figure out what he does, and he's magical about some things: when he eventually leaves or gets fired, the rest of the staff kind of breathes a sigh of relief, like, man, that should have happened a long time ago. And maybe it's rough for a month or two, but everyone finds that they're better off as a result of that change.

Eric Taylor:

Yeah, that last part describes most of my jobs, where I'm just a rambunctious freakin' a-hole. I think that's why I'm a good pen tester now, 'cause I just like to go around breaking stuff down.

Shiva Maharaj:

How often, if ever, have you gone in to your clients' clients to help them operationally? Because I'm willing to bet the problems I have as an IT service provider business owner are not that different from those of my clients or anyone else down the client chain.

Todd Kane:

Yeah, you're 100% right, for sure. Honestly, I started my business to help owners and operators of businesses be better managers, because the stat is that people work an average of 12 years before they get any type of management training, which is crazy. Like, I joke that we would require someone to have some level of certification to be a bookkeeping manager. Like, shouldn't you have a CPA or an accounting degree or something before you're managing someone's books of any significant size? But you'll give them a $2 million business unit's worth of labor and just say, I'm sure you'll do fine, let me know if you have any questions. And that's madness to me. The truth is that management sucks in most businesses. That's just a universal truth, right? The MSP focus, and my focus on MSPs, comes largely from the fact that it's an industry that I love. It's an industry that I'm recognized in and have some experience in. But the policy and the management framework that I ascribe to has almost nothing to do with it being the IT industry. The benchmarking and the dashboarding, sure, you've got to understand what good looks like in your industry, so those parts might be different. But how you actually coach and manage people and develop a great internal high-performance culture? That is pretty universal. So, to your question, I've never really gone into clients of my clients, but I have, in some circumstances, gotten referrals from the MSPs that I work with to other companies that are either clients of those MSPs or just friends of those MSPs, and helped out some other companies that are outside of the IT space, for sure.

Shiva Maharaj:

The reason I ask is because I think your productivity course can be helpful across the board. But again, I don't know if it's tailored towards the MSP. There are many companies out there that, if we could get them squared away operationally, it would make our jobs as IT providers so much easier, because now they have a playbook of who is in charge of what, and when it comes time to make incident response plans or what have you, we know where to go as a provider, and we're not running around like a chicken without its head.

Todd Kane:

Yeah, I've certainly considered it, and kind of making some of the courses that I'm building applicable to a broader base. Right now they're built in a way that the language I use and what I talk about in the courses is very IT-industry specific. I've considered whether or not to rework them and make them more broadly applicable. The difficulty, and why I don't pursue that right now, is that the management consulting industry, like the MSP industry, is highly competitive, and there are a million people out there doing what I do, and in a lot of cases it's easier to specialize and have a niche than to compete more broadly. Right. But I agree with you. There's a lesson there as well, Shiva, about the role that the MSP should be playing in consulting with the business owners, and we talk a lot about the TBR and QBR cycle, and the term that everyone loves to hate, the trusted advisor.

Shiva Maharaj:

There's a lot of... I hate that term. I hate that term. Don't mind me. Go ahead. What's a better term for trusted advisor? Anyone have a preference? I'm willing... I'm an idiot, quite honestly. Like, I'm the IT idiot to my clients. But I mean, God, don't mind me.

Todd Kane:

Yeah. So I think the important point is that the MSP channel has gotten a lot more sophisticated over the last five years and is kind of getting keen to the idea of business management and high-performance teams and those things, which is awesome. That's one of the cool things about the MSP channel in general: they're very supportive, and there's a high level of community where people are willing to share, and they're not territorial and keeping secrets from each other, which is awesome. I think there's a lot that we know and have spent time on that is of value to the organizations that we do it for. And the easiest entry point that I can advise people on is simply business efficiency in leveraging technology better. Like, how do you use Teams? How do you use SharePoint or other file-sharing technologies? There are simple entry points. How do you think about the labor efficiency of your business? What are the software tools or BI tools, business intelligence tools, that you're using in your business that could be applicable? Simple upgrades to accounting software, maybe switching to Dynamics CRM. Those types of opportunities are pretty prolific in a lot of industries. And that's what we've seen from the pandemic: a forced acceleration of digital transformation. That's a big term that tends to get thrown around by CIOs and enterprise and stuff like that, but I think there's a high applicability to the MSP industry and our channel around digital transformation and the opportunities that it creates for consultative relationships with the clients.

Shiva Maharaj:

You know, I know part of what you do also is helping service managers, MSPs and IT providers be more effective in what they do. Is there a point where you're leading them more down to at least being aware of the cybersecurity incidents that are going on, where they can help identify what they're seeing on the front lines of the service desk and kick it up, whether that MSP has a CISO or they're outsourcing their security?

Todd Kane:

Yes. So cybersecurity awareness, interestingly, the courses are often built for the end users on the client side, around what does a phishing attempt look like and all of those things. There's some internal knowledge that's applicable there. But I actually have, sort of in the background, been building a small course, just a quick course, around how MSSP techs should think about security. It's a bit about what the industry threat looks like, why MSPs are such a high-risk vector for phishing and things like that, why the risk is so much higher than it ever has been, and just generally some things that you should think about, like 2FA all the things, right? Simple stuff, all the way up to what are some things you should think about when you're building technical infrastructure, and what are some of the base security pieces around this. This is not meant to compete with the industry security training, because what I found is you can go get Security+ and CISSP courses, which are really, really detailed and exhaustive training, which is incredibly useful. But if you're just talking about a level one or level two tech in an MSP, that's not the type of security training that they need. They just need the basic fundamentals of how should I think about security, and exactly that, like, what do I identify? One of the questions that I have in there is: if a senior tech tells you to leave a system logged in with an administrative user because there's a line-of-business software that requires it, what do you do? You call Eric and...

Shiva Maharaj:

...say, come on in.

Todd Kane:

And that's the point. There are a couple of responses to this, the sort of multiple-choice question, and one of them is just like, tell them to get bent and log the machine out, because that's what you should do. Technically, that's the right answer, but it's also the wrong approach, because then you've now broken the line-of-business software for the company. So it's tricky. You've got to basically take it up to management and say, this is not a good way to run this piece of software, we need to advise the client that this is a terrible idea, and we should figure out some way to fix this, right? So that's the seed that you want to plant: just general security awareness, and not necessarily actioning it, but just being able to call things out when you see them, right?

Eric Taylor:

So I mean, this is the conversation that we're having with a lot of folks, where security must meet your operational functionality, right? You can't lock it down so much that you can't operate your freakin' business. But you can't let a bunch of freakin' line-of-business apps dictate the security posture of your business either. We have a wide gamut of different clients in manufacturing and accounting and all this other stuff. But you have to start like, okay, you guys are going to use this line-of-business app, and we all know this one is the biggest piece of crap, it's full of vulnerabilities, it's got these problems. You guys are now off in your own little bucket, in your own little VLAN, and y'all can just play Kumbaya over there, and you're going to stay out of the rest of this freakin' network. The one thing I want to ask you is, when you're starting to advise MSPs around cybersecurity, are you getting to the point where you're going to start advising them on some questions for when they come up to a yahoo like me? How to handle me? What questions should they be asking a cybersecurity firm? Do they really know what the fuck a pen test really means? Or are they looking for a vulnerability scan? I can't tell you how many times, even this week, I've had three calls: we want a penetration test. And what exactly do you want? Oh, we just want to see what's open. No, that's not a penetration test. But what is a penetration test? You're asking me to steal your crap and show it to you. One of the biggest things I harp on is that there are plenty of people in your space that are advising on cybersecurity, but they're not advising properly. It's one of my biggest soapboxes that I get on. Are you advising them how to deal with a cybersecurity firm?

Todd Kane:

Not directly. This is where I'm relying on the experts, right? Like I said, I have some industry partners that I trust more broadly in this space. What I tell people is: do you want to build this internally? And like we said at the top, that does not mean just going out and buying some software and washing your hands and you're done. This means spending years building up the training and the sophistication of someone or multiple people within the company to really, really understand this and become a security expert, so that they can better understand the different components of a security policy and security approach. And if you're not willing to do that, then you need to rely on third parties that can give you better direction on that. So as I said, I'm deferring to the experts in the space. But I have seen enough of what you're talking about, where, for example, I occasionally have industry people that are not in IT come to me and say, I'd like to get a security scan. And then you dig a little deeper, and they're building, say, a web app, and they need someone to actually do some compliance testing and some actual penetration testing. And again, all of these terms get very confused, quite rightly, by people that are not in this channel. So don't rely on someone who knows enough to be dangerous, like me. You need to rely on someone who has some level of sophistication, hopefully some credential around this, and can carry some level of expertise, right?

Eric Taylor:

I want to push back on you just a little bit and kind of circle back around to the topic here. So, everybody knows Robin Robins. We're not about to slam her, so don't nobody start emailing her, please. I'm not sure if she still does it or not, but for a long time her claim to fame with a lot of MSPs was the seven or eight things every business owner should be asking an IT firm. What I'm asking you is, are you creating a list, something like that, of what every MSP should be asking a cybersecurity firm?

Todd Kane:

No, I'm not, because as I said, I don't know enough about this industry. Because I don't know enough. Like, if someone wanted to help me build it, sure. But you know, it's...

Shiva Maharaj:

...one of the most honest answers I've ever heard about cybersecurity in my life. I don't see you for that one, man. Well...

Todd Kane:

Like I said at the top, this is an area of the biggest risks, or the unknown unknowns. There's a lot I don't know about cybersecurity. There's enough that I know about it; like I said, I'm building basic security training for level one and level two, which is: enable 2FA, don't use shitty passwords, here's what a good password looks like, these are the things that you should think about in building security. Those are all fundamentals, and largely based on infrastructure. But if we get into, what does NIST mean? What are the important parts of the CIS policy? What is the difference between MDR and other types of security response? Is it active versus passive MDR? Those are some of the simple ones. A lot of people think that, I hire an MDR firm, and that means I have somebody who's going to jump on top of any security issue that pops up and they'll take care of it for me. We don't, we don't... somebody...

Eric Taylor:

...like that.

Todd Kane:

And in most cases, all they do is say, hey, this looks bad, somebody should take a look at this. Right? Like, that's the extent of their involvement. So it's a crazy industry that is rightly confusing, because I've been in the IT industry all my life. Like, I had my first consulting company before I graduated high school, and I'm quite comfortable to say I don't know enough about security to be able to advise people directly about security, right? Like, I'm going to give you some things to think about around how you approach this, but then absolutely defer to the experts.

Shiva Maharaj:

How do you feel about legacy systems for your clients, and your clients letting their clients run legacy systems? Now, to define what a legacy system is, to me, that is a system you're too goddamn cheap to upgrade, so you keep running it way beyond its life.

Todd Kane:

Yeah, I would say there's one other circumstance. You see this a lot in shipping companies. If they do logistics or freight of some kind, there's often an XP machine that is sectioned off on the floor because it has to print labels or something, and the vendor literally does not support an upgrade.

Shiva Maharaj:

I don't buy that, though. I mean, that's what the vendor is saying. Oh, shit...

Todd Kane:

But you know, I see where this comes from, because I spent a lot of my early IT career in oil and gas and insurance, which are two industries that are absolutely rife with legacy systems and money. I mean, they will... Yeah, but look at the Colonial Pipeline ransom event, right? Like the SCADA systems, the security event monitoring systems for pipe flow and pressure controls and things like that, they were on a completely segregated network managed by a different IT group altogether. We were not allowed to touch them. Right. And it's because they're highly specialized. If there are alarms, or if they shut down a pipe for some reason, it costs literally hundreds of thousands of dollars an hour. A lot of those systems run on legacy equipment, because the vendors are old and antiquated, and in a lot of cases don't exist anymore. Like, we did a consolidation project when we were doing a merger between two oil and gas companies. We found 20,000 individual pieces of software installed between both companies. We were able to rationalize it down to 1,200 through a one-and-a-half-year project, and we still had systems that were built literally by a guy in his garage who had gone out of business five years ago, but it was a critical system that was required for the business to operate. Right. And those are giant companies that absolutely have enough money to spend on this, but maybe it's either a lack of options or a lack of imagination; they don't have any options to get away from some of that stuff. I think in most cases you're right. It's just like, no, it works, I don't want to touch it, just leave it alone, is typical. But honestly, there are some situations where it's just a shit industry and there are no alternatives, unfortunately.

Shiva Maharaj:

Granted, that's true for oil and gas. I mean, their scale is out of the area of operation for an MSP. A typical MSP is not even coming close to something half that size, or a quarter that size. The average MSP is dealing with, you know, five users to maybe 1,000, right? And when you're getting into CNC machines that use line-of-business applications, it's just because someone in that end business has a sunk-cost fallacy and they think they can't do better. If they were to upgrade, they'd probably save money on the power it takes to run the machine and on support costs, and it'd be more secure, especially with insurers running for the hills these days. Although I don't think the insurers are going to say that publicly after what happened to AXA the day after they announced no more cybersecurity coverage.

Todd Kane:

Yeah, I think you're right to highlight this as well. There's a lot of the insurance industry that is just saying, this is so hot we can't even touch it. Getting cybersecurity policies has become problematic for a lot of organizations that haven't had an existing policy, and when coming to renewal time, they're like, what do you mean my policy rate has gone up like 1,500%? Right, because another week, another ransomware event, and they're getting a lot more sophisticated and a lot more expensive. The risk around this stuff is insane, for sure.

Shiva Maharaj:

I think a lot of the cyber insurance industry is going to come back in and make it a self-attestation model. They're going to give you a list of, whether it's 10 or 100, questions. They're going to ask you to answer it; they're not going to ask you for the proof. And then if you come to file a claim, that's when they're going to go back to your application and say, okay, show us this, this, this and this. Oh, you don't have it? You didn't have it in place? Yeah, you're denied.

Todd Kane:

And denied claims, a huge, huge increase in that, for sure.

Shiva Maharaj:

And that's how the insurance companies really make their money, right? They look for ways to not pay out on the claims.

Todd Kane:

Yeah, I was asked this recently, and I'm sort of curious about where this is going to go, because of the output around the Colonial issue. I saw an article, I haven't dug into it yet, maybe you guys have seen this, where DHS is actually suggesting that there is compliance that has to be in place for a lot of these systems now. This is sort of the thin edge of regulation coming into the industry. I've been on record as saying I don't think regulation of MSPs is practical, because it's such a huge industry, and how do you actually validate this with any reasonable assurance? Right. So I don't think that regulation is practical, but I think there's going to be some type of policy and compliance leading towards regulation, and maybe over a 10- or 20-year period this becomes more concrete. Are you guys like...

Shiva Maharaj:

I think in terms of regulation, and using DHS and the pipeline, they are going to regulate industries, and especially industries that are critical national infrastructure. Eric and I spoke about this, I think last week, that I think in the case of Colonial the government should have stepped in and privatized that. I know that's a bad thought; no one wants to hear that. But if you can declare a state of emergency in 17 states because of the Colonial issue, then the government could step in, take over the pipeline, bring everything up to scratch technology-wise and cybersecurity-wise, and then go back and send the bill to the operators. So to answer your question, I think yes, they can regulate, but they can't regulate us. I think what they can do is regulate the end industry, like oil and gas: if you're producing, if you're a national supplier, put the regulations there, because there are too many different types of IT providers out there. It's almost like doctors: you have radiologists, rheumatologists, general practitioners. You have to leave that to us, because we know the insurance companies can't do it, with how CNA got popped, actually got popped, and many insurance brokers continue to get popped on a daily basis, as I'm sure Eric can attest. Circling back to what you asked, it's going to be industry-specific.

Eric Taylor:

But can we please, God, make it actually enforceable?

Shiva Maharaj:

Not a self-attestation?

Eric Taylor:

Well, even HIPAA is not self-attestation. But...

Shiva Maharaj:

Yes, it is. Yes, it is. Everything in HIPAA is: are you doing this? Yes. It's not: are you doing this? Send the proof. And that's the same thing for most of the compliance sets out there. I will go out on a limb and say most compliance is just the illusion of control, so that someone can say we did this. But what they're not doing... Todd, how many of your clients, when you first meet them, won't spend the money to really secure their house, but after you get through to them and you show them the story of what could happen, are probably like, yeah, we're going to spend that money now?

Todd Kane:

The sophistication and the maturity of their approach varies pretty wildly, for sure.

Shiva Maharaj:

Todd, do you want to tell everyone how they can reach out and get to you?

Todd Kane:

I have a weekly email and a fairly regular podcast. You can find me on LinkedIn and Twitter. What's my Twitter? HOD a cane k any. LinkedIn is where more of the professional stuff is, mostly professional; Twitter is not so much. And my website, the easiest URL to find, is it is a business.com. You can go there, and then you can see a list of services and links to the blog and podcast and my email list, as well as the courses, if you're interested in the productivity course or the service manager course.

Shiva Maharaj:

And how often is your podcast releasing episodes?

Todd Kane:

It's irregular. Sometimes it's a couple of months, and sometimes it's one a month. It's just a labor of love, and I do it whenever I'm keen to have a guest on, essentially. A closing question for America.

Eric Taylor:

Now, I appreciate the time today, Todd. It's been pretty informative. A little bit of banter going back and forth on this one, and I look forward to talking to you further in future episodes.

Shiva Maharaj:

Awesome. Appreciate it, guys. Thank you guys. Thanks again for joining us for the Cybersecurity: Amplified and Intensified podcast.