Cybersecurity: Amplified And Intensified

Episode 21 - Tides of change with Dave Sobel.

July 19, 2021 Shiva Maharaj/Eric Taylor/Brian Weiss/Dave Sobel
Cybersecurity: Amplified And Intensified
Episode 21 - Tides of change with Dave Sobel.
Show Notes Transcript

Dave is the host of the Business of Tech podcast, and owner of MSP Radio. Dave is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT Solution Provider and MSP for over a decade, both acquiring other organizations and eventually being acquired. This firm was a winner of multiple awards, including being a finalist for Microsoft’s Worldwide Partner of the Year in the Small Business Specialist category. After his MSP experience, he has worked for multiple vendors at such companies as Level Platforms, GFI, LogicNow, and SolarWinds, leading community, event, marketing, and product strategies, as well as several M&A activities.

Dave Sobel | LinkedIn
Home - MSP Radio: The Voice of the Solution Providers

Eric Taylor | LinkedIn
Twitter: barricadecyber
www.barricadecyber.com

Shiva Maharaj | LinkedIn
Twitter: kontinuummsp
www.kontinuum.com   

Brian J. Weiss | LinkedIn
Twitter: bweiss805
www.itech-solutions.com 

BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!

Shiva Maharaj:

This is the cybersecurity amplified and intensified podcast. Today we have with us Dave Sobel update.

Dave Sobel:

You know, it's like there's nothing going on in the security world right now. So, you know, it's just quiet out there.

Shiva Maharaj:

It's all overblown man. What are you talking about?

Dave Sobel:

Exactly nothing to talk about it all. Clearly, we can go to lunch now. Great. Exactly. Well done. Well done. gent. So I wanted to kick it off. You want to introduce yourself? But anyone you know? Yeah, sure. Anybody who hasn't heard my blathering before? So I'm David Sobel, I am currently head of MSP radio and the host of the business of tech podcast, I spent about a decade as an MSP, you know, did a small regional MSP love doing it was super community involved, help grow peer groups and wrote a book and I'm Microsoft MVP, I did all that stuff. Then I sold that business. And I spent eight years on the vendor side and I worked for RMM vendors, I was a level platforms for two years I was with gfsi, we became logic now. And then of course, we got bought by this company no one has ever heard of called solar winds. And I was with solar wind, three years post acquisition, which is also a year post the IPO because I wanted to go through that process and learn how that all works. And I left in October 2019, well timed for those that are tracking that timeline. And now I am an independent analyst. And I looked at the media landscape. And I said, You know what, there isn't a guy who's an analyst who looks at it from the MSP perspective, there's a lot of guys that are looking at it from an m&a they a lot of guys that advocate for vendors are so vendor programs are all that stuff. But there's not somebody that says I want to I want to fight for the MSP. And I said I'm going to do that. And that's been the podcast and what I've been doing since then, and and obviously weigh in on things that are important so that I can offer another perspective. Now,

Eric Taylor:

before we get to really the crap show of the month, um, what would you say from your 30,000 foot view? What do you feel the state of the MSP or MSSP is currently compared to say, a year ago, two years ago? Well,

Dave Sobel:

so that's it's a really interesting question, because I was sort of smile and go, yeah, it hasn't changed much. And actually, that's some of the problem is that that actually, things haven't changed a whole lot in a while. But I think the landscape around msps has changed. And I think that's the bit that concerns me more than anything else is it's new pressures that we're not used to talking about, I talked about the pressure on my show of of the what's happening with private equity and the investment of money, how the financial incentives of the game have changed, the market itself has changed. But we did a great job of moving everybody to work from home. But now the world of work is very different. And the kinds of technologies we should be looking at, and the risks that are very different. But when I talk to msps, I'm hearing the same sort of stuff that I've been hearing for, you know, a decade. And it's the same answers. And I have to leave and go like guys that I think the markets changed. I mean, you know, call me crazy, but I spent all my time watching it. And I think the markets really different. But the answers are the same. And I point to I did a piece on e commerce earlier this year, that got everybody all riled up that I was pushing e commerce as much as I am. And I'm just like, watching the trends, guys. That's how people buy now. And I go to MSP websites, and nobody, nobody even offers me the opportunity to like book an appointment everything. And I'm like, I'm just pushing you towards I don't know what we were talking about five years ago, e commerce wise, much less right now. So to your question, I think things are too much the same. And I think that's anytime you look at that that's a market ripe for disruption. And so I'm I'm looking saying I don't want I don't like little small sub $5 million msps to get totally disrupted by something they don't seek

Eric Taylor:

out. Yeah, to the back, you know, I went through and I don't go through a lot of marketing platforms are stuff but like our website is very, very simple and very, very generic to degree. We don't even have a phone number posted up posted up on there. It's literally here's a calendar link, schedule an appointment, we found that there's been so much more quicker adoption for communication than than picking up the phone trying to get in touch with the right person, send in an email, like, oh, here's my calendar, schedule something it just worked. You know,

Dave Sobel:

I like and I practice what I preach. I mean, if you go to the business of tech is the podcast site, you know, stories, they're the links MSSP radio is the business right? Like that's the big word. I don't mind telling people I sell ads like that kind of stuff. Like if people want to if a vendor wanted to work with me, they literally know my website, they can put what they want in their cart, they can check out they can schedule a booking appointment with me it's all ecommerce. That doesn't mean I won't happily talk to them customize a deal like do all of the the high touch relationship selling but if they know what they want, why wouldn't I sell and I think msps want to think that way more because that's where the modern buyer is, before we

Eric Taylor:

get into some of the conspiracy. theories that we've got a little bit about cuz they're Yeah, I want to have a question that leads up to it the How do you think the financials stabilization of the MSP market, as you see still am, I still see, at least on my IR side, the incident response side, I'm seeing a greater divide of people who are flourishing and making a ton of epic money, and more and more msps think, oh, man, that are really, really frickin struggling?

Dave Sobel:

Yep. So if so the Let's be specific with the question because I try to be a good analyst on that stuff. So you're asking specifically about the performance of managed services providers, IP services providers in the current market. And I would agree 100%, I think the divide between the haves and the have nots is getting larger. Now the last stat I looked at, it was still 93% of all solution, providers are doing less than $5 million in revenue, right. But there's a, but there is a growing bit between those that are performing, you know, one to four or $5 million, versus those guys that are still at the lower end. But more importantly, at least going into the pandemic 25% of the market was breakeven or losing money, if we've not got true updated numbers kind of post yet. But I'm not expecting that to get worse, right? I think that so you've got a whole bunch of guys at the bottom that are not making any money. But you've got a bunch of guys at the top that are outperforming. I'm watching that that split and I you know, and I look and say like there needs to be from my perspective to keep this healthy. I want to see more guys jump from the ones that are struggling into moderately successful and then eventually successful business.

Shiva Maharaj:

How do you feel about the typical managed services versus a VAR type of setup more time and material? Because I am seeing a lot of clients getting burnt out on bad experiences with an MSP?

Dave Sobel:

Did we lose? Am I the only one we lost? David, can you hear me? We can hear? Okay, I didn't hear the whole question. That's why I wanted to and I've got him all locked up.

Shiva Maharaj:

So we've got I've been seeing a great divide between customers wanting typical time and material of our type relationship, you sell them the services or the software, and then they'll buy some block time from you versus going traditional managed services, not that there's a definition for managed services in any way, shape, or form. And that, to me, has been driven by bad or poor experiences that those customers have had with msps, in general. And my second part of that question is based on a video you recently put out that I saw last night, I think the RMM needs to die. But I'll let you get into that later.

Dave Sobel:

Two big questions. Let's do the first and then we can then we can talk about the RMM itself. So I always start this discussion with my core idea of what I think it services is, because I think this value statement has never changed. There is a incredible value in a company helping another small business midsize business with their technology needs and to be successful technology, I think that core value is 100% strong. And by the way, stronger than ever, because the technology is I mean, work from home, dispersion of work. All of these factors are all technology driven. So I think that space is incredibly important. What I also think is is that many providers have over rotated on these basic concepts that are pushed by the software vendors have, well you should sell them patching, you should sell them antivirus, you should sell them backup, you should sell them this long list of just kind of basic technologies. And as things have progressed into the cloud into the the new way of working, those core bits are not nearly as important. And a lot of customers are kind of wising up to but I actually want help with my technology. And they've been burned by somebody who will say, Well, I'm going to take care of all your technology problems, right? And, and we're going to wait and then a slide across there gold, silver, platinum paper, courts bullshit, you know, plans, and some customer signs on and it doesn't actually do what it said on the tin. And so they're looking going, I don't want another of those. I still want the core value. And an easy way to just check the core value of your customers say, Well, I'm just gonna pay you for your time. Like, they can make sure that I'm paying for the time on the help that I want. It's a simple measurement for them to understand something they don't understand. Right? And so then it makes it really easy for them. It's just really if you help me I will pay you. And if you don't, I won't because they've over promised these things they don't deliver. So that's my take to that is I still think there are there are guys that are doing what I might call a managed services contract meaning they are delivering a set amount of services for a set price each month and I have customers that love them for it right? Like, but everything I just talked about is not all the garbage that often we providers, and are encouraged by the vendors to latch on to. Right. And what we're seeing right now and in a way, it leads to your next question like the death of the RMM is we've kind of, we've got this push by well funded private equity backed companies that are looking to make money off this space, that are selling a dream, right? You buy this tool, you are instantly a managed services provider. And here we are a decade later where the myth is caught on and everyone thinks I must own this tool to be a managed services provider and be profitable. And everything I talked about a minute ago from the value statement does not include any of those tools. They might be useful, right? They could solve the problem, you could build your practice that way, or you could not. And where you get into my last bit, and I'll leave the more questions is like, when I project out to the forward way, I think about the future, right? And clot true cloud services, clue true dispersed work, where this stuff is all I just sort of looking at like the RMM is a is a relic of the past. It's solving a problem from 20 years ago with code from 20 years ago, that that doesn't include any of the stuff that I need in the future. Here's my basic statement of find me an RMM. That includes the concept of people like users as the center of the universe, not devices. Intune. Well, yeah, and by the way, I did a whole video going, I think into might be the future guys. Like I'm really looking at this into thing, and I think they've architecturally gotten the idea. I think there's something to Microsoft's approach. And by the way, though, I put that out, and everyone was like, Oh, my God, I'll never give up my RMM. I'm like, I don't know, guys, I think this isn't gonna work. You know? So anyway, that's it. So I'm with you. I think the RMS I think the RMM had a great run. I'm, like, I made money on mine, when it was part of my added services product. But you know, past performance is not an indicator of future results to Dave.

Brian J. Weiss:

But I want to I'd like to get more into the RMM in a bit. But before we dive into that hole, you brought up something an opening statement, I thought was interesting on how msps aren't changing to keep up with the times, right, there hasn't really been a change that you've noticed. And is there who can we blame for that? Right? Do we feel like with the vendors or the MSP community, because we are a pretty tight knit community where we share a lot of ideas, right?

Dave Sobel:

Right. But that that can reserve that can result in groupthink? Right? Yeah, if ever, and the same thing over and over. So look, I ultimately believe and i and i believe we've got to own this stuff. MSP owners are smart guys that can deliver what they want. And they have to own their own destiny, they have to own their own business strategy. But what I also want to observe is that the market has changed in 20 years, right, let's, let's look at the vendors. Many of the vendors that supported us there, the Big Four, right, I like to talk about the big four in this space, because they're very influential thing for providers, you know, datto Connect wise, because seya and enable, right? 20 years ago, we ended DeLorean and we're hanging out with the founders of all those businesses who don't work there anymore. Right? Like, who were small entrepreneurs, right? I have total like Arnie billini, you've got you got awesome a core, you know, in a really innovative interesting guys that are building solutions for their customers. And it's this, you know, dynamic entrepreneurial environment. And, and they grew and they grew successfully and I can do a whole I have a whole video for investors on how the business model is like really good on the vendor side, and they make a ton of money and they grow really well like in spline tools is a really good thing. So they got bought, right, like they got a bunch of money from private equity guys. But private equity has a is a different engagement style and business model that a founder driven growth model.

Shiva Maharaj:

I think a founder driven growth model is really about getting that buyout from the PE guys. But that aside, what I want to ask you because I think you came from the MSP side and you also came from the vendor side who drives the MSP market was in control of it right now or has been in control of it for the last 20 years.

Dave Sobel:

So okay, this is this is a great this is a really great question because I'm going to say the MSP msps are always in charge, unless they see their control. And right now they have ceded their control because they are because they are not, they are not willing to take risks or are voting with their dollars in a way that matters. And by the way, and I say Because I, I have been part of the machine, right? They are very, they have a large number of people on the vendor side who are paid very well to keep that the way that it is right to to build communities to invest in conferences to run around the country and by everybody be or question for you. Sorry to cut

Shiva Maharaj:

you author. Yeah. Because something you just said, You're a businessman, correct? Yeah. Oh, yeah. Capital will get along swimmingly. When you call someone, your partner. There's an equity split. Usually they're right. At Risk assumption, yes. And shared risk to the degree. Yes, you what irks me about this industry is all these vendors calling us their partners. And we have zero equity, zero stake in anything. And by

Dave Sobel:

the way, I did a whole video on risk assumption. Because by the way, let me tell you here, this is my point of, and you let them you let them call you partner, every single time you let them do it, right. Because and because you're the customer, they have a direct relationship with you, the customer, they love calling you partner, it's a brilliant move these, these, the underside of this is very smart. Right? It is driven by a lot of people that are very smart. And by the way, that's the name of the game. I'm a true capitalist at heart, everybody is to build their to their financial incentives of the way that they're going to grow their business. I do not blame these vendors at all their

Shiva Maharaj:

partner, they love me, because say a cares was built to save me partners so that I can continue paying the Kaseya bills and make it all the way through COVID. So they can keep paying those bills. Is that something you'd agree with? Yeah, I'm totally altruistic.

Dave Sobel:

It none of this is altruistic, everybody. Everybody's building these machines that are called businesses to generate profit, right? That's the point. And that's okay. I'm totally comfortable with that. Right. What I'm telling the MSP community is is MSP, I really want you to start asking the question of how are they making money? What risks do they have in their eye? Look, I don't disagree that cyber security, for example, is a problem. But what I'm also going to point out is, is there's a whole bunch of vendors selling us solutions with no risk assumption, no risk.

Shiva Maharaj:

I want to push back on that for a second, because contracts are great, but you could sue anybody, I could sue you for wanting your Power Glove behind you. And I wanted to spend the money. Good, right. But let's talk about risk here. Let's talk about Kaseya. Specifically, they had five or six vulnerabilities disclosed in April, by the Dutch firm. Yep. And that number can be off. So please don't quote me on that. Right. They put a web application firewall in front of their SAS platform, right has seemingly mitigated the reavell attack on Kaseya, hosted VSI. Okay, all right, they left their on premise partners out the dry by not informing them of a vulnerability or saying, hey, let's close up some ports. Let's maybe shut these down while we roll out a patch to me that is gross negligence. Okay, how would you rate that risk that is now borne by the MSP and their customers in spite of any contracts that may have been? So

Dave Sobel:

like, I'm gonna, I'm gonna push on this and sort of say like, Yeah, but but I think running your own on prem server is like just is, I think it's frickin crazy.

Shiva Maharaj:

I agree. But let's take that out of the equation, because there are people running their on prem server. So I'm more interested in focusing on the fact that you have however many hundreds or 1000s of partners running on prem servers, we're not given the heads up by the publisher of this product, that there's remote code execution or whatever the vectors of attack were.

Dave Sobel:

Okay, so but but I don't want to quite let go without a complete statement on the look, if you're running an on premise server in the in 2021, you are just assuming so much risk that I just can't, I will, I will I will answer this, but I would just need to reinforce you are just assuming so much risk. I've been thinking about it that in this scenario recently, where I'm the kind of guy that we get called is like an expert witness, right like that. But that's kind of my role in the universe, I guess. is is that you take an analyst like me, and if somebody called up and said, Dave, we're hiring you as an expert on managed services. I go thank you for the contract. And then I'd say and say what are your jobs is to we're we're a, you know, we're the end customer and we're suing our MSP thought about that scenario. And they said in the end, and they end customers suing the MSP saying we think it is not best practices to run an on prem server. Dave, you're an expert. What do you think? I think I'd have to say, yeah, I think you're right. I think that the MSP is negligent. Okay, so let's move up the chain right now. Do I think that an organization like like Kaseya should disclose that stuff? I think morally they should. I think disclosure law allows them to do what they want right now.

Shiva Maharaj:

I mean, forget law, because law I think can be interpreted, right. I think let's talk about doing the right thing, the right thing would have been, Hey, guys, shut down your VSI platforms. We can't tell you why. When they, you know, do their scans and they see because we all know the licensing. These things give good a lot of telemetry. Yeah. They did that, though. Like to they're like, I'm talking. I'm talking pre incident. I'm talking. This vulnerability was disclosed, I think, the fourth of April, right. Let's say you needed a week or two to vet that out. proof of concept that say, shit, this is bad. Sure, right. Right. By the beginning of May, on premise partners should have been told or whenever they put their wealth in place. Yep, they should have said, Hey, we need to shut this down. And they should have put on the afterburner and developing these patches, it took solar winds two days to issue in a Ryan patch, or a far more elegant Supply Chain Bridge. It's okay. It took us 10 days or nine days to issue a patch or patches, despite the fact that they've supposedly been working on those patterns since April.

Dave Sobel:

Okay, I think I think you can be 100% right. And I can be 100% right? At the same time.

Shiva Maharaj:

I'm always sometimes

Dave Sobel:

well, but but but this is where it gets this is where it gets sticky, right? I think everything you've just said I would I would not agree to and I'm not gonna like I'm not gonna argue what I'm, this is my statements of you have to understand the financial incentive of the vendor on the other side,

Shiva Maharaj:

like, essentially pre IPO. I get it, right. I'm talking about you know, people, all these vendors, they want to say, we are partner centric, we are partner first. Yeah. Right. None of them are and I think this is our time as well to call them out and say hey, you're not our partner, we are your customers. You need to treat us better but

Dave Sobel:

look, I always start with the businesses don't have emotions, like businesses are not businesses are not living things. They are entity they're legal entities that are structured to create a a thing sell it and make money right like that. That's what they do. That's right. I agree. So we're trying to apply morals right to a nonliving thing and like i i think the humans that work at these organizations are good human beings right? Like I don't I don't sit here and think that these are bad people. I mean, I work there right I like that. I work with these people I don't think they are like sitting there like Dr. Evil stroking the cat like plotting to take out like to have you seen Fred mikolas video,

Shiva Maharaj:

I kind of think he might have a cat or a dog that he's passed away.

Dave Sobel:

Not only have I seen the video I've commented on on my own right, like I broke out, I broke out some of the statements, but I don't think he's a bad like, I don't I literally just look at that I don't I don't judge him as a bad human being he is executing the business plan that he is incentivized to do which is around customer growth, customer retention. It is not he is unless I'm I mean, I've not directly asked him this question. And I keep telling msps to ask them this. Ask the executives how they are incentivized around protecting their customers from these issues, how they are incentivized let me point out my favorite thing to quote on this is you're right all the guys that solar winds like moved at a certain speed right, they also received their bonuses for 2020. Those executives cost the US taxpayer millions of dollars, but their board of directors and their incentive structure said Great job guys. Here's your here's your bonus. So what did they learn? Keep doing what you're doing. right because you are rewarded on what we've mote what we've incentivized you on well hold on there

Shiva Maharaj:

you know what solar winds it's an interesting thing that you just brought up I wouldn't just blame the board of directors I blame the government they halted trading on their stock Monday morning

Dave Sobel:

I'm looking at anything disclosure, I am a solar wind shareholder right like I got I as I was part of my compensation when I saw I have not sold all my shares. So

Shiva Maharaj:

I still want you want your split that you are sorry, you want your enable shares in a couple weeks or a couple months, because today's the last day

Dave Sobel:

I like always quip I am not a stupid man. Right. But with disclosure I like that like everyone to know I always talk about how I get compensated so people can understand what my motivations are. Right? And that's that's to the point is, I completely agree but by the way, this is why I cover on my show, I talk about regulation so much, right? Because that is the structure that governments put forth to set the guardrails of playing the game. And what's interesting to me is is every time I have the ring conversation I got a bunch of msps ago, I don't want the government involved in my business. And I'm just like, Guys, this is how the game is played, you set the government sets the guardrails, and we as good capitalists go at each other inside the playing field. That's the way that it works. And because my example on this always is is chemical companies, right, the cheapest way to dispose of waste, a very chemical company is dump it in the water, just like dump it down, the river will flow away, most of us like clean drinking water, right? Generally, I don't want like toxic green, three eyed fish kind of kind of environment from the Simpsons. So the way we manage that is regulation, we can have a totally smart debate over what that regulation should be. That's called politics. Right? Right. But you got to have some guardrails? And that's what we do. So anybody that says, Well, I don't want the government involved at all. It's like you're missing the game. The game is we set up the rules, we fight it out within there, there should be we are always debating the rules. I'm a baseball guy we're discussing, we're moving the mound, right? Because, like, that's the way this works. So I back to where's the responsibility, we as solution providers, and I'm including myself, because I get paid by solution providers need to focus on addressing this and own our own responsibility.

Eric Taylor:

Okay, so we're going to take that one full on here. And I've been waiting to get this one in so cool. All right, we're gonna take this thing back, and you know, me, I'm an asshole, but you know, I do. I endure, every group needs one is welcome. I am here. Um, so I mean, I come from the old school, you know, I don't look like I'm really old fart. But you know, I come from the old school stuff. You know, I was in Marine Corps with Oh, and I and I work for black box. And, you know, just doing all this stuff. I'm used to having walking over and seeing all my servers flippy flashy and doing all this other stuff. Yep. But I do agree with you to a degree, having an on premise solution to a degree is suicidal. But okay, for the people that we do a lot of incident response for there are regulations in place that you cannot have things in the cloud. Now, give me a moment because I know you're going to jump in there. I know how you are. The lawyers are definitely want to keep their server their Exchange servers on premise primarily, because they know when a subpoena comes down the line, you know, so make a subpoena Microsoft 365, and they don't ever have to be notified of it. But if you have an on premise exchange, you got that. Also, with the talking about the MSP space, almost none of the fucking RMM or the PSA is will give you true damn logging, like I have even in full disclosure, I do a lot of pentesting. I do. And this is the one thing I beat them up on all the time is simple fact of, I can go to your PSA or your RMM and I can start brute forcing the hell out of it. When does your RMM your PSA start saying, hey, you've got a frickin problem here. Somebody that you and I both know. You know, Steve Taylor was rockin MSP, he was on one of these things. And I was bruteforcing his freakin accounts the whole time driving him nuts. Why? Because I could and you know, they're looking at like, Oh, where's How do I stop this? They're like, we don't you don't know, you know, at least with an on premise solution. You have ways of doing mitigation. If you can't do it in house, definitely do get with some sort of external partners, you know, a black cube and Black Point and maybe purge. God forbid, I'm stalking them. But you know, at least you're you're looking to somebody to help secure your stack because I get it. You know, you don't know somebody's trying to breach your door

Shiva Maharaj:

is rocket cyber protected everybody?

Dave Sobel:

Eric, what I want to break. By the way, this is I love these kinds of bits. Because I always I always make this statement. I keep saying it because I want people to hear me on this is I do not have to be right. Okay, like I don't go into these discussions to win or to prove I go in to make sure we're having intelligent conversations and people make their own calls about the risk. If you're informed, you're good to go. In my mind, you've kind of lumped three things together. And I want to break them out a little bit. And the first is, you talked about like lawyers and customers laws are behind right laws are behind we can help fix that we the it providers space are the people that understand the application of technology and how it can be done. And we should be part of the discussion about helping lawmakers make those laws make sense for the modern world. Right that we I love to I love to cite an example recently about the negotiations over Brexit and encryption technologies because this is an example of how this all happened. They they were doing the negotiations with the EU, British Government, European government, they knew they needed to include encryption right? They knew that looks like well, we should include some encryption stamp. So what do they do? They went to the last law that they wrote in 2008. The last time they did a treaty, and they cut and paste the encryption section into the new Brexit negotiations, which is why like Netscape Navigator is included in the treaty that signed between the two governments.

Eric Taylor:

And the next point, I just want to interject there, I see what you're saying. But when we look at our own internal government with CMMC, you know, this is supposed to be the shining poster child of new secure cybersecurity. Yep. But the head of CMMC CMMC is now indicted. And there's been now the C three, PA, RCA three, whatever the hell it is, the auditor is now being charged with bribery, you know, we are looking for people to actually lead the way and they're corrupt as shit.

Dave Sobel:

I, again, we are, what my point is what we own the bit that we can control? Where are the msps, the IT service providers in this space that are getting involved? I can't even figure out what trade association is the one that we deal with come to doesn't do lobbying for us anymore. So like, I'm looking around going, I really would like to help I think I talked about this stuff, who would I partner with? And until we own this problem ourselves and get involved, it's left to others don't disagree with it, I'm just pointing out that I think we should be more involved in regulation than we are because most of the most of this space is just not understand.

Shiva Maharaj:

I got a question for Dave. Yeah, from the vendor side. Yeah. And this centers on zero knowledge. And then there's data mining us and our clients and selling that data, what do you think it would take to get the RMM and PSA vendors to adopt a zero knowledge architecture? on the platform? Is this motivation to do so? Would that not work? Okay, what would that be?

Eric Taylor:

Like, for example,

Dave Sobel:

a group of msps that simply will not purchase from them if it's not included? I mean, it's, I mean, I sort of smile and go Kaseya, the customers

Shiva Maharaj:

like you, we have no loyalty to each other. We are the first person to tear each other down and say that MSP shit come on board with

Dave Sobel:

this, but this is what trade associations are for, right? This is why you get involved with an organization that advocates on your behalf as a group on the things that you agree on together. Like, should

Shiva Maharaj:

we should do this to PAX eight, or do we go there, but there are other men? Yes. I'm just being facetious. I think it has to be by us for us.

Dave Sobel:

100% agree, I'm 100% with you, by the way, I'm screaming from the rafters it has to be you guys. Like it has to me, it literally can't even be guys like me, right? Like the guys are ant like, it literally has to be you guys doing it, the people that are actually operationally MSSP. Here's part of the problem. And y'all want to circle back a little bit, to kind of segue into this still staying in compliancy before we go down some other rabbit holes.

Eric Taylor:

Because I just don't want the whole thing just keep going. And we got a lot here is a liar. There's a lot here and we can go on for a while. But um, you know, like I was saying, you know, the CMMC was supposed to be our poster child. But you know, what do you think? I mean, we've already shown what kind of a dumpster fire that Joe Biden is doing with this whole executive order that is for the federal government and even states it in the US for the federal government. In his executive order, though, we are starting to see and I'm not seeing a lot of news and I even went through some of your stuff because I've been so busy. I haven't been keeping up with even some of your podcasts. But we've seen Texas come out with their own pretty rigorous freakin cybersecurity policy. Cut was in a Colorado just came out with there's just a couple of weeks ago, but there is the final details are being coming out. Do you think that it's going to be more like California and things that nature in Texas where each state is going to mandate its own cybersecurity policy that everybody has to apply to you? For now?

Dave Sobel:

Yeah, for now. So like, if your eyes My prediction, yes, for the extended period of time, I'm saying 1218 months, certainly through the midterms, probably through the 2024 election. I don't I'm not predicting federal move on this. Let's take a quick moment. And just the I'll dive in because you asked and I'm a nerd. You know, like the eo iOS are designed to use the power of the government spending to influence policy, right? Because it's not a law. It's guidelines. If you think about the president as CEO of the government, which is a really big business. He can say these are the rules of the way we buy stuff. That's his job, right? He can say this is what we buy. That's what we don't buy like that, like he can do those kinds of things. That's what an EEO does, is that it enforces saying, I'm telling my department and by essentially my HR department or my buying department, these are the rules I want you to use. And we're going to use the power of our spending to make that happen. So that if you're buying from us, you've got to comply with this way of doing business. You're right it doesn't affect the larger business. Because it's not a law. That's not like iOS do. That's where unless it's going to come out of Congress, you know, the House of Representatives in the senate working together to pass something. It's not a law. But I think it is way more likely that it will happen at the state level, because states can move on these kinds of things. You ask, you know, California, New York? Well, they're really big, big, there's a really big states, California has a lot of power, because of the number of businesses that are there, and the size of their economy, the UK kinda end up having to conform with California if there isn't a federal standard, but I think there's going to end up being a bunch of different versions of this to different states, I tend to like it coming from the federal level, because I think it's easier for us as business owners to manage that. I have a bias, of course, to my own region. I'm in Northern Virginia, when I ran my MSP, I had to be compliant in three localities at all times, I had to do DC, Maryland, and Virginia on everything, because I had customers in all three. So I like federal laws, because I've just practically lived through the complexity of 311. States. That sucks. So you're thinking like, do I think it's gonna happen? federally, no, I they can't get together to agree on dinner. So much less thinking that they're going to actually get to get through because, again, that gets into politics. And I won't dive too much down that way. But unless we incentivize them to solve those problems, they're not going to Alright, so you, so we were talking, that's the regulation. But let me do my middle bit, then. Because I said there were three issues the middle bit was is, look, I want the reason I'm delivering my message around on premises the way they are, is, you're coming with a very reasoned, smart, subtle argument around the choice of technology in that right. And I will completely agree with you. And other here's smart enough to do that stuff. You're making really good intelligent decisions. And when I look across the landscape, and I say, with a bit of a smile, going, a quarter of guys are losing money at this, right? If I give guidance that says, Well, you know, if you're smart enough, and you're able to put it together, and you can do on prem, there's going to be too much of this community that goes well, the expert says it's okay. Right. And what I'm also pushing back is, is there's a lot of vendors with who are doing what they are paid to do, which is sell software, which will encourage people to buy any way they can sell them, right? They won't, they will not tell a small provider who should not be running their own on premise or server, well, I won't sell to you, because I don't think you're you're going to be able to take this weapon of mass destruction and not use it correctly. Of course, they're going to sell it to them, everybody would do that. Right? Like every, of course, they're going to sell it to them. So I feel it's important for me to send very direct guidance of, I think it's insane. I just think it's insane. And if you've got a reason to tell me the analyst, that I'm smarter than you, Dave, and I can figure this out, go forth, man, kick ass, take names, but if I'm giving general guidance to the market, that's my take, that's a bad idea. It is far riskier than doing than nothing like then like a cloud solution. Right? So my guidance is intended to be bold, to give market direction, right. And

Eric Taylor:

again, you're speaking to the masses and I just want to take it that Dave's almost that I'm smart.

Dave Sobel:

Okay, then we get into the third bit, right, and then we get into kind of the, the vendor bit of this, right, I just I can I'm going to I am going to put the responsibility on the solution provider market and say you're buying these tools, you're letting them you're letting yourself you're taking the compromises that they are giving and you're saying I am willing to take the risk by giving you my money in exchange for that piece of software. Right you are you've got your requirement in your head you've got you know what you want right you know, the way you should do it but you take make the risk analysis that says Well, I can't get what I want but I want these other things. So I will give that software vendor my money for a piece of software that does not meet all of my requirements. And I have now assumed the risk of that and what my my my my video The reason I put the video out the way that I did I really hope everyone takes this to heart is I am not blaming Kaseya for anything on this what I will

Shiva Maharaj:

do well because

Dave Sobel:

but my my challenge is to be MSSP market Own your decisions and your decisions here. You want to change it if you cancel your contract with these software vendors and figure out another solution because you're smart as hell As all of you are, you're smart, you understand this, you're a technologist, you can come up with solutions to this problem, and you make them irrelevant. They're either gonna adapt or die. And right now we're in this portion where I think the market has gotten complacent in my this year, I sort of smile and go, guys, I make these predictions. That's what the videos are. For my December prediction video, I said that I thought the RMM market was going to get disrupted this year. Look what happened. Is, but but my statement was this is I think the market, I recognize that the market was compliant, because the vendors were not investing in anything new. I did an analysis of all their press releases, and they did more announcements about hiring new execs, or changes their partner programs, more versus creating new things, right? Our buying company, those The other thing they would do is they buy stuff. And the moment they buy stuff, we all snicker about it, right? They buy stuff. That's it, that thing is no longer getting developed. about it like that. Come on, I didn't even name a vendor, because you could listener, you could plug in all kinds of acquisitions to that statement. And my statement is true. The moment it gets bought development ends, because that is the playbook r&d is expensive. And if you're trimming for cost, and you're optimizing for profit, the easiest thing to do is not build more stuff. Just go buy it cross sell up your revenue at the top, you do really well.

Shiva Maharaj:

You need the article out of Bloomberg, that our buddy here, Brian Weiss was quoted in about the same incident.

Dave Sobel:

I think I did. But Brian, if you'd like to throw in there, I'd love to I'd love for you to weigh in part of

Shiva Maharaj:

part of that article. And then Brian, let you hop in on that, because I know that's your jam, because he has seemingly offloaded programming and r&d to Minsk, Belarus and Ukraine, which are inherently sympathetic, err on the side of Russia. How do you feel about that? If it's true, and the fact that federal agencies and the US Air Force uses VSI?

Dave Sobel:

If it is true, right, they would not be alone, I would, I would point point to reporting from the same organization about a large publicly traded organization that was involved in a breach earlier this year. That was one there have

Shiva Maharaj:

been so many,

Dave Sobel:

there have been so many. Perhaps the US government was very interested in that particular one. Tyler technologies or some other ones, you have named two companies, one of which is correct. So so but but my point is, is that there's this element of of like, Am I surprised no financial motivation is to find low cost development, organizations find the lowest cost way to deliver the solution. They have executed the business plan that they are motivated to do. So if you like, this is this is all finances. This is all running the PE playbook. I'm not surprised by this stuff. And by the way, neither is the market, as I highlighted in my video, like we've been taught like pro publica, and CIA, NSA all highlighted this risk back in 2018. Yeah, the

Eric Taylor:

FBI came out with massive, massive campaigns about it. I mean, it's been all over the place. I mean, yeah, I'm sorry, I'm not the trumple. Over Brian's been very good. You do your thing about Kaseya. Real quick before I go on a couple of different tangent.

Brian J. Weiss:

Yeah, I mean, I don't know, I spent three years, you know, telling my story to the industry trying to tell other msps you know, things I've learned, so they don't have to learn the hard way. But I've always kept kind of the vendor name out of it. This is the first kind of public story I mentioned. Okay. It was Kaseya. That happened, right? And I even had some peer group members reach out to me that know me very well. They're like, wow, I never even knew that was Kaseya. But one of the reasons I did it, regardless of the potential vendor blowback I might get, because there is politics involved in the vendor space. Right? I my personal feeling is I feel like these vendors, you know, and maybe I also feel like you've been given them a little too much slack. But in this particular call, I feel like they need to start taking ownership over the fact that they're enabling our industry to be complacent about security by being complacent themselves. And, you know, we should have something like what Microsoft has, where you log in, and there's a security center, and it's telling you all the things you have configured wrong, or what you need, you know, I mean, I mean, there's best practices with any product or software, to hardening for security and msps. You know, we came from doing things in house where we had like a firewall and an antivirus and a backup and we felt like we could protect things to Okay, we're gonna move out to the cloud to gain these efficiencies and gain extra security. Right, right. Because it's now security. We're depending on these cloud vendors to handle for us that we normally handled in house, right. And, but yet, we're handing it out. Off to this these benders that are complacent with security in their own actions. Therefore, it trickles down to us as the MSP. And we're having to find out about it the hard way. And then now react because of it right and yeah, jerk react and in some cases,

Dave Sobel:

right. And so I want to want to say like, you're not wrong in the way that I'm delivering the message is it actually is really intentional like, because, because I don't want to spend a bunch of time shaking my fist at vendors, what I want to do is actually make changes in people's businesses that make them able to independent without these guys, I always sort of quip, I don't spend my time worrying about CEO x and how much money he's made. I worry about the like, like the guys like you guys on the call, right? And if I spent all my time worrying about what the vendor should do, well, I mean, I can advise them right but i'm not i'm actually know the way that they're compensated. And I look at the flow of money, and I'm just some guy in my basement right making podcasts, right, like, I just thought, I say that with a with a bit though, like they're not going to change and making bank like that. If we if we believe our statement of we're hardcore capitalists, we're here to make money, we're playing the game, like the plan the game, right? And so but the people that can change are like the three of you and all of the listeners right like is we can change our behavior, and not reward that not shake our fists at them. But change. What we do. My video is about the idea of shaming, you sort of threw that out is like I think the RMM is dead. I think clinging to it is like this old thing. And I think this is an opportunity to take a moment and look at the way you deliver your services and deliver the way you go to market and decide what risks you want to take and work with with partners that are interested in taking the job and vendors right, but who are actually willing to make changes to their business, I in my video on risk, I am not endorsing, I am simply offering a different way of doing business. I like what rent what several one is doing with an actual warranty. Right? They put some skin in the game, I got a million dollar million dollar warranty on breaches, I am not making a technical analysis, I tell everyone to go out. And what I'm saying is there's an example of a way of a product and service you can engage with, with a vendor has some skin in the game, maybe maybe it could be as simple as demanding of these vendors as of like, Look, how are you putting money up to handle breaches? How is the executive team you know, dinged? If these if security isn't if you're not compliant with these things, or these kinds of things happen? What's your insurance policy that covers me make them hat make them have skin in the game? And if they won't, don't assume the risk on their behalf? Right? Like Yep, and that's exactly

Eric Taylor:

what we kind of dive into. So the, you know, Brian has seen me do it extensively. shivah has as well, you know, where we'll be on a call with a vendor, you know, and I'll ask him flat out, you know, the EUR USD farmer, if somebody like me goes poke around your networks are finding stuff, are you gonna sue me because I frickin disclose stuff to you. You know, and these are, I think that's kind of the point of this podcast. You know, even though we are and especially me, I am the one that will call the ship, the ship, this bay, the space, whatever you want to call it, you know, I don't care. You know, bring comes to whatever on air. You know, if you're, if you're garbage, you're garbage, I think you know what, Brian, but and I'm going to expand on that. I think more and more companies in and out of the MSP space, you know, if you're a software vendor, and you supply products, you should be able to look just like Microsoft does, you know, here's, our solution is insecure shit right? Here, go over here. And here's all the crap you need to do to secure it. There's nobody out there. I mean, again, seriously, thinking outside of MSP You mean break in Salesforce doesn't do it Appspot doesn't do it. You know, all these other guys. None of them are doing it like Microsoft and my I think Microsoft's leading the way. I agree. We need to educate the msps like these are the fucking questions you need to start asking your vendors yes or not

Dave Sobel:

I'm and by the way I'm right there with you and I want to stand side by side and one of the you know and push for is these are the we need to be asking very different questions. I rail constantly and I lurk in all groups right like I'm I'm trying to keep an eye on. I mean, the Reddit groups on slack groups and discord groups, I'm listening, the number of times people are debating Well, does it do this feature does it do that feature and I'm looking and going you're wasting so much valuable time it should be used on By the way, these are all just fine tools, they all suck about the same, right? They're fine, some more than others.

Shiva Maharaj:

But they also you can say I'm looking at you automate. But

Dave Sobel:

but but actually the question that they all suck. So let's actually have some conversations around these important things, rather than the debate over you know, the other debates right? And let's, let's have these these discussions and focus here. And by the way, vote with your wallet, don't know why these things, and my even voting with your wallet,

Shiva Maharaj:

right, you came from the vendor space? Yep. We know that. msps are too childish and petulant, in general, to play well with each other. Yep. That's a given. I mean, except when

Unknown:

they do. But yeah,

Shiva Maharaj:

you don't have that critical mass that you were talking about. Right. So I want to talk about getting to that critical mass. Okay. To me, the end of the road is a self governing organization. Yep. That we control? Yep. We write the rules. And if you want to do business with us as a vendor, meaning our organization and our members, just like the medical boards and everything else, yep, you have to be approved by us to sell into us. Yep. And if your product, it's like, just like what the government does, you have one our money this is what you need to check off now, is a logical step to getting to a self governing organization is to perhaps put together regional co Ops, or buying groups. So you get that, how do I put this, you're looking for that cooperation amongst the msps. So here's,

Dave Sobel:

here's what I think the strategy should be. Okay. And my standard statements guys have I'm not 100%, right, I'm offering perspective, try and jumpstart the idea. This is the play, I think works, I think what you're actually doing is you're focusing on the creation of some kind of code of ethics, as well as some baseline standards that you want from an operational perspective, I will plug in for a moment, my good friend, Carl polishchuk, has a draft set of legislation that he's floating about what he thinks that you can happen at the State House about some just some basics around the way that a state might look at keeping an eye on this. And the reason I think you build the around the code of ethics and the standards, and you partner with insurance companies to make these the standards of the way providers can get cyber insurance, right, so that you can actually start having a business relationship where it's about that shared risk, insurance companies would love to figure out some standards so that they're not paying out the ass and still sell you cybersecurity, right, because they want to make money on some insurance policies, they've got to get that risk under control, the expertise would make a ton of sense. And I think that partnership brings on enough providers together and aligns those financial incentives. And then the vendors have to be compliant to the standards that you've set in order for that group to use their software.

Shiva Maharaj:

I think you I think that's Eric and I, and I think Brian were part of another group that discuss this, we get together with the insurance companies, we show them a rating system, which is why CMMC was chosen the five levels, you get your risk based on whatever level you are, I think that's a great idea. However, being as old as I am, the experiences I have, I would much rather build our organization first get some legitimacy in there of how our standards do work. Yeah. Then you go to an insurance company, I don't want to build anything with them, because they're getting ripped off 10 ways till Sunday, every day.

Dave Sobel:

Sure. I'm, I'm sort of giving an end target. I think you're right to break it down in terms of the steps we get there. But

Shiva Maharaj:

one thing is what I want to go back to is what do you think about the co op idea, because I think that's the simplest way to just get people together. And I know msps are driven by saving 25 cents on a $3 agent. And I know you give them two pennies, they'll sell their mother. I know, let's do it that way. Get them together.

Dave Sobel:

Yeah, it's a it's a great way to jumpstart it. The other the other way to do this is and and and by the way, you know, like I the one of the reasons I interviewed and I would encourage everybody to listen to it is go listen to my interview last year with the Louisiana Secretary of State, the guy this is the guy who got the law passed. What really resonated to me about the interview was he's a pro business Republicans who literally is just saying, I just do not understand even who's out there. The reason I want registration and disclosure is literally I just don't even know who to talk to. There's all these people out there serving my local cities, my local governments, I don't even know who they are. So when I'm dealing upstream with the FBI cseh like doing those bits at a state level, he just I literally don't even have all the contact information or know who the relevant players are. I they these we can get started with very simple moves by owning and I think it however you get there, right? Co ops is one great way to help save money just could be as little as a list of registration and some basic ethics and iterate over time. By the way that's technology right?

Eric Taylor:

We're good at that.

Dave Sobel:

We're good at iterate improve the process. This should be all of this Gil's managed services providers are really good at. So however we get there, it's not going to be perfect. It's never going to be perfect. iterate, keep improving, and start working on it. And you're right, stop wasting time on the two cents. We're trying to debate over that antivirus versus this other antivirus. Who cares? web is trash. Like, I love I love it. I but but you'll notice I just don't buy it anymore. I just don't care.

Shiva Maharaj:

Like Like they're all you're not wrong. You know? It's it's a cesspool of a industry. Not that we're any different from any of the other guys, right? I just think

Dave Sobel:

what I love what I love, but let me let me be only because I can be debbie downer. But let me also be a little bit of like, I love this industry. And let me tell you why. The money there. Now it's this this is like this is the group of people that actually make communities work. Like really like, like, if I mean, I one of the I saw this morning, there was a story of a local animal shelter, literally who's dealing with the fallout on the ransomware. They're like, emailing around asking for all of their clients and patients to send in their pets records. And it's just like, I read that and it just breaks my heart because it's like, that's those are like, that's people's lives, right? Why does

Shiva Maharaj:

it break your heart? I really get into this, because that pisses me off?

Dave Sobel:

Well, because because it's our job. Our job is to help with technology. And I think people want that. And we want to, we want to leverage technology to grow business. And it's proven to make businesses better, and they grow better, and they engage better. And I want us to be part of the solution. Because I know that the providers that are dealing with all this are the guys that work 70 8090 hours a week for their clients and bend over backwards and like just kick ass to make a difference.

Shiva Maharaj:

I really don't that's romanticizing bullshit, because I am willing to bet if you go through the emails between that veterinary clinic and their provider, there are many proposals that were sent over. No, no, we're not going to spend money on those No, no, we're not going to that's too expensive. No, no. And then you have the service provider on the other end saying, Okay, fine. What kind of money can I get out from you? I'll just do the bare minimum to get paid.

Dave Sobel:

We can both be right at the same time. And that's actually time. Well, but but I because because I think this is it is actually also really true is you're right, right. But we as the good at certain levels, the good providers also need to help hold up the this is the teleconference. So by the way, we get the DeLorean and we go back to the 18 hundred's. you're describing doctors, right? Like like on the Wild West, there are a bunch of guys that were like hacks. And there are other ones that really cared about their customers. And you could not tell the difference. And how did they fix that argue Medical Association? How did lawyers fix it American Bar Association of

Shiva Maharaj:

those professions still haven't fixed it from a technology standpoint, they look at us as a cost center. Sure. And they're still rolling with Yahoo and Gmail.

Dave Sobel:

Totally, totally agree. Except for the ones that I find that don't right, and like, and then they're ones that are doing really great things with technology. And so it can be true, that of both statements can be true at the same time. And the reason I The reason I focus on the optimistic side is not because I want to be like, you know, ignoring the problems is I want to focus on the things that I can make a difference, right, like, and so like the areas where I can make things a little bit better, and get us a little bit closer. And that's it. I enjoy doing that bit. Right. And I can You're right, because you're right, it's it's bad. But there's also bits where it's good. And I know if we're working there too.

Eric Taylor:

I will say later we if I can interject real quick here, because this is a question that's been burning inside of me that I just want to scream from the mountaintops? When are we going to get to the point when we are literally slapping the crap out of msps, who do not walk away from these cheap, inefficient clients that refuse to spend money and putting themselves online? And I'll advocate this, because take this whole Kaseya thing or take any of the connectwise brap or whatever, I'm an incident response. Do I deal with crap all the time there? I'm dealing with the companies that have been compromised because and this is one of my latest ones, and fucking blows my mind that even as of today, there is a client or a prospect that we have that we are in negotiations that literally have 72 workstations in their medical facility that every last device is running a BMS Pico because the MSP one to save $1 because they just whenever I'm like when are we going to start saying you as a technologist, as an MSP as a network administrator, either used are standing up and say, Look, this is the minimum of whatever and give them the proverbial FAQ. If they are not going to stand up, stop going racing to the bottom of the fucking barrel, because that doesn't help any of us.

Shiva Maharaj:

I think that's really why we need to build that self governing organization time with the insurance companies to rate that risk. But that's tenure program. That's not going to happen overnight. And

Eric Taylor:

we, we keep talking about this. And we're at least five years into it. And dick it's been done, at least would be halfway there by now. What's stopping us from doing it today?

Shiva Maharaj:

banging this drum the loudest are the ones that enable the bullshit and sell the pizza.

Dave Sobel:

Yeah. And by the way, that's those are my statements of it's all follow the money, all financial incentives right there, there are there are groups making money off of this current situation that and that, that is me Look, cybersecurity products, right, make tons of money by having this

Shiva Maharaj:

be chaos when look at compliance. I mean, that's driving more cybersecurity spend than anything else. And compliance is not doing anything to drive security,

Dave Sobel:

I get yelled at when I go and go guys, this is what regulation is. This is why this is what it creates a floor. And I go back to my analogy, you don't like chemicals dumped in the water. I don't like customers being able to do whatever you can, you gotta have some rules of the road. Those come from a floor that is set by regulation that helps get the get the get the market going. And how should that creep done. Because by the way, worse in one way than the no regulation is bad regulation, right. And bad regulation, that is just a bunch of hoops to jump through, that doesn't make a difference. And so that's where my continued point is going to be is as msps IT service providers, the right have to come to gather have to put aside the garbage and start working on this problem. And it's a long road. But I'm also convinced that those that do it and leave here are the ones that are going to reap the benefits over time. So we need to create a trade associations what I'm hearing is my thinking, yeah, I or, or make one change, right. And by the way, make one change, meaning financially motivate them. That's their, what their memberships are demand is demanding and make it happen. Or create one you can either build or buy right.

Eric Taylor:

Outside of outside at least for will say US based associations or groups. Sure. Is there anybody really outside of ASCII? I mean, I know tech tribe has got a huge massive following, but he's in Australia, you know, he's awesome, dude, you know, respect to what he does. But in the States, is there anybody else except for ASCII?

Dave Sobel:

I mean, if the answer is is I mean, you, theoretically come to you, right? is a membership organization, you'd have to that you'd have, they remember their major business certification. Right. So that's, that's a piece of it all. So this come to you, they're a potential player asked, he's another player, you know, theoretically, the MSP alliance is is a is an organization that does is that looks at this space. You know, you could look at, you know, some of the media organizations theoretically Have some of this, you know, channel pro and so have pieces of this. You know, you can look at it from like organizations like, you know, MSP geek, you could talk to tech tribe as an external piece, but could have a, you know, could have a subgroup working on this. I feel like, there's lots of pieces out there that are probably going to need to be combined. I feel like

Shiva Maharaj:

you have to create the organization and then go out to those gentlemen or those groups you just announced today, Hey, brother membership in or can we post this to your group? And you know, yeah,

Dave Sobel:

I mean, I just had I think pieces of this, there's, there's no, this is not a slam dunk, right? There's not a one answer ready for us off the shelf. There's pieces, we're gonna have to build stuff. I'm exhausted, you guys, guys. No, no,

Eric Taylor:

no, I'm trying to be. So let's take one thing, we've all circled around that. Okay. So we've all just about everybody in this room, I, they agree that Microsoft is the de facto potential replacement for RMS, granted, you cannot, you know, push out, you know, scripts in real time and do some of the monitor, you know, into, it's got some work it's got to do is, you know, we've talked even as three and you know, some other circles and stuff like that, you know, into is will probably be 100% RMM replacement within three to five years, if not less, if not less, I think they may they may be a lot closer than we think and I think really highly of what Microsoft is doing. So I'm,

Dave Sobel:

I'm definitely and I particularly when I look at the big companies from the strategic you know, strategic sense, I'm looking at big tech right to understand who we could align to because my thinking there is okay, I got to look at the cloud providers I got to understand who's gonna play that makes sense for us in this space. Right? Amazon doesn't make their their partner DNA isn't quite that I use partner

Shiva Maharaj:

I know a nothing burger because they don't have an OS that we're all using in mass like Windows wide honestly.

Dave Sobel:

Yeah. But I guess I'm so because I'm, by the way, I'm a Mac guy like so I'm a little less focused. I don't care so much for the endpoint. I actually think about the workspace as the as the OS that matters. All right. So I'm thinking that the layer that the business layer where the company operates is the layer I think matters. I don't think operating system matters anymore. I think you're thinking you're debating the reason I dismiss Amazon is that they don't have like a Google workspace. They don't have an O 365. And 365. Like, they just don't have a play in workspace that matters. And by the way, I didn't even cite this on business tech, but I was watching because there's a rumor going around that they're going to partner with Dropbox and slack to come together to create kind of a workspace that might make them a player. But But I think that's the space we worry about. It's why I kind of like Google because you have Google workspace. I definitely like Microsoft, because they're the obvious piece your operating system that I care about is the business level one right the place that my data lives where your business process goes like that kind of stuff. I'm I would what I would be a bad analyst. If I didn't cite Well, there is Alibaba right. There's there's stuff going. But I don't think we're looking at the ones coming out of China for a US market. I don't

Shiva Maharaj:

I coming out of Minsk in Belarus for Kaseya, might as well just bring the Chinese into

Dave Sobel:

bed, we could write, it's a play. I think I you know, I would be IBM, Oracle, their clouds probably aren't big enough to really matter in here. And then you then you circle back around. And he's like, I love what Microsoft's doing, right? Like, I love I just love what Microsoft's doing. And all of the companies they're mature enough because they're on the other side of antitrust. Right? They're the only ones not getting in trouble, right?

Shiva Maharaj:

through it, they know how to structure things to stay away. Exactly. That's real. And

Dave Sobel:

we beat up on that we beat up on the partner term, right? But but they actually have through channel built into their DNA, right? Like they they get the idea of ministry for us all to have a job and exactly has done that. Right. And so so for me, Microsoft is kind of just the obvious, like, they just make sense. And why would I Why would I fight them for something, you know, fight to go find some better solution when they're like, so close to that. So that's, I love them from from a Bumble workspace. But despite back I hate teams, but like, you know, but I get them from a workspace perspective, I think you can totally build a business there. I think that's the bit that matters. I think I like what they're doing with Intune. I'm super intrigued with that. I mean, we're recording, as inspire is about to happen. And I'm super intrigued with what might happen with cloud PC, you know, in terms of them, and they may just take over all the management, right? And you're just running your business environment and cloud PC and run it on. Like, if I get I'm projecting way out to where the tech may go.

Shiva Maharaj:

for you based on that. Yeah. And this goes back to RMM. What do you really what those any MSSP you really need an RMM for these days? That's the question I'm asking. But guys, that legitimately is the question I'm saying, other than hopping into someone's user experience,

Dave Sobel:

right? Like, what do you need him for? And it's funny, because the moment I asked that, by the way, the religion comes in, and everyone says patching,

Shiva Maharaj:

but that fucking fanboys. They need they need something to rally around because they can't stand on their own. So my

Dave Sobel:

my answer to that, by the way, my answer to that is, is the technical director for the UK, his neighbour National Cybersecurity Center at their conference, just like three months ago, stood on stage, he said, I think everyone should turn on automatic patching. Like, I just think automatic patching should be the thing. I

Shiva Maharaj:

saw this last night with someone asking you this. And yeah, one of the slides, and I

Dave Sobel:

just I look at it Oh, like it because everyone gets all mad at me, right? Well, there's so many problems, and I'm looking going like, Okay, again, right? Like,

Shiva Maharaj:

don't get it, I think, and I'll tell you why. I'm just getting more facetious here. Okay. So it's not an attack, but you didn't ask them the question. How many of you msps are actually testing your patches, as opposed to leaving them for a seven day delay to read all the websites to say, Hey, this is blue screening of death?

Eric Taylor:

And how many because I could tell you, there's more than not, they just turn on patching and walk away just like a fucking backup system. They don't test and be like, Oh, damn, I got 60 film patches.

Shiva Maharaj:

And no reboots in a year.

Brian J. Weiss:

I mean, so jumping in real quick on RMM. I think the patching is dead horse, by the way.

Dave Sobel:

Okay. Good. I'm glad you guys feel that way. Because that's the bit when I say this stuff. It's the bit that I get attacked on so much. So that's why I start there, because I actually think it's like not that important.

Brian J. Weiss:

For me, for me, RMM is all the devices I managing, although it doesn't do mobile devices. So I rely on Intune for that. So then I'm wondering, okay, well, what device management things can I do in Intune? Well, right now, they don't really have support for network devices. So that's the major hole that I see right now that we rely on it RMM heavily for is anything that's not an iOS, you know Mac Android Write iOS or Windows.

Dave Sobel:

So this is where I get into the philosophy of this, right? And I'm gonna put my academic hat on guys. And I'm freely admitting like, this is me being an analyst. This is me being an academic on this kind of stuff. But I want to point out that philosophically, the way I think management is moving is baseline configuration to access data. And what I mean by that is, is you look at like the way the way Intune works, right, where it's much more around policy enforcement, that unless you hit a certain policy, you can't perform actions. And in a way, it sort of pushes away the responsibility, I just assume that the world is like this cesspool of endpoints, and they all suck, right? And like, they're all just horrible, virus ridden places that I don't really want to go, as long as the access to my data is so pinhole that they can only get to the right thing the way they want. And they're restricted out. That's zero trustful, zero trust security. I know it's hard to get to. And I know it's philosophically different. But for me, it's the idea of embracing that and stop worrying so much about enforcement against the endpoints, and worrying much more against protection against the court assets, and making sure that the exposure is so limited, that we're only allowing things through when they meet certain conditions and thinking that way. It's very different approach. But if we think that way, it flips this whole script, right, in terms of what we have to worry about. I have a question

Shiva Maharaj:

here. We all agree that the RMM either needs to die or be redone? What if msps or it providers started reusing real enterprise grade network gear that had an API to feed into a PSA to give that discovery data that asset management information and you use Intune, to pull the device data that you know of, and call it a day and then you you know, you use a managed SOC, that's not rocket cyber with a network tap, that can go out and map your network for you. To me, that's as simple as you can get me all encompassing.

Dave Sobel:

So by the way, this is where this is where I get to the point where I say, look, I love it, right? It's an idea. I love. And what I'm saying is, is I just what I'm hoping comes out of all of this, my stance in the market, the reason I'm making the videos on is I want everyone reexamining this. And I think that is that is one of several possible solutions to this right, there's probably going to be a couple of different ones. And I will take a look at my the three of you and go, you're way smarter at this than I am at this point, right? I'm I'm not, I'm not day to day operational on this stuff. I expect, though, that you're smart enough to figure out new ways what I'm focused on the reason I'm talking the way that it is, is I want people to question the assumption, right? Because there's this assumption of, well, I need the RMM. I need the PSA.

Shiva Maharaj:

Hey, the kool aid is real. It is

Dave Sobel:

I sold it. Like, look, i and i and i and i can say because of the times when I sold it, it was true, right? Like, and I look at that, and I because but but what was true in the past is not necessarily true now. And the market changes. Why like it be boring, it was the same all the time. And I'm just the one saying like, look, I think the markets changed. I think the things that I used that I approach that I advocated is no longer true, because new data has been presented to me. And I'm presenting my new data and my new perspective for other people to say, Go forth and make some money with this new idea.

Eric Taylor:

I got a question for the group, man just because it's my own ignorance. I don't know, you know, we look we, all of us here are 365 shops, no big deal, whatever, you know, all action back or whatever. Yep. Last time I looked earlier this year, there's nothing in the GC workplace that matches in tune to any degree unless you're doing the Chrome OS, you're doing Chrome OS. So So what would what would a Google shop do short of changing a Microsoft, I know I have customers in my IR right now that you know, if they could change everything in the Chrome OS, they would just to get away from Microsoft, because they just hate them. I think they have Burt's guards flattie or bats flying over, you know, radio with 5g radiation or something. But

Shiva Maharaj:

well, in that case, Google has taken the approach of Dave here and they want to create that business workspace, which is their cloud, Microsoft has said we want to own and operate the business workspace. And we want to own and operate the device or the OS, you reach that workspace from

Dave Sobel:

Yeah, and it's just slightly different philosophies. And by the way, remember, like in a Google world, you know, you could use you can still use like sort of policy enforcement around some of this stuff in terms of access. I'll sort of smile I'm small enough my little businesses is on Google. Just just, you know, I also happen to like zoom. So like there's other reasons to do. And, you know, I don't I don't have to build out a large infrastructure because it's just me, but I can have policy enforcement there. Around access to the data must be to fa, like, must be audited, like that kind of stuff. And then additionally, you're also there's the the implied blind spot there of Mac OS, right, which can also do policy enforcement on an enterprise level on Apple stuff, which is kind of oftentimes connected with the Google world. Right? So you could you could take that is, and again, this is where, by the way, we could brainstorm all of this, I trust that there are smart technical minds in this community, that once they get challenged to think differently, we'll come up with innovative ways of this. And by the way, I also know, there are some smart vendors that have also identified this flaw, and are starting to figure this out.

Eric Taylor:

Yeah, I know, if there was anything being put together already, you know, for those non Microsoft shop, though,

Brian J. Weiss:

the G Suite, I look at it as they stopped with the browser, right, the Chrome browser. And that's essentially why these Chromebooks are able to be managed is because all they are is a browser.

Dave Sobel:

Yeah. And by the way, you can enforce policy against groups against chrome too. So like, you can just like you can just access that and, and this is my statement of like, you can kind of not care about the endpoint so much, as long as the portal into the workspace is secure. Like, you can just sort of not worry about the endpoint so much, and it becomes a lot less important. And particularly because I mean, I think people d value, the other endpoint, like the mobile device like that, like people always like to dismiss about the phone, but you look at so many people, their actual way in to do so much stuff is that little slab of glass in their pocket.

Shiva Maharaj:

And that's where Microsoft is gonna win, because they folded MDN into and whatever you want to call it into that Azure AD.

Dave Sobel:

Well, they get they they clearly see the future of all of this,

Shiva Maharaj:

making the future, I think,

Dave Sobel:

yeah, and then they're, they're marching towards it. It's just, I mean, I think they're, they're always slower than we like. And by the way, there is always opportunity right ahead of Microsoft, right? Like, like those vendors, those software vendors that are in that space that are ahead of Microsoft always do. I mean, I made I made this point, when it was announced that I thought it was a huge deal when now enable did an integration with Microsoft and around Intune. And their solution was, well, we're just seeding all of that space into like, they integrated it. And you did all that work in Intune. And I smiled and goes, that's their strategy. They just came up all that space that like, clearly validates that we're going that way, they recognize that we need to have that stuff, but they're not going to build anything. Wow. Like, I think that's a big deal. So

Brian J. Weiss:

the I mean, datto deprecated, their mobile device management and their RMM. And I'm pushing like crazy to get them to do an integration with Intune. Trying to be a part of how that gets developed. So it doesn't fall short. But yeah, I mean, why reinvent the wheel, especially with something like mobile devices, where you've got all these different manufacturers, all these different OS versions, you've got certificates that need to be in place, there's, there's a lot more to an MDM product than an RMM product, for sure.

Dave Sobel:

And by the way, this meet, this is the conversation I want the community to be having, right? This is the conversation I want us to get into, around what's the future drive the requirements, ask vendors to support us in that, and it may not be legacy ones to policies by asking for that

Shiva Maharaj:

the msps are too comfortable saying our value is testing that patch that we read on a Reddit

Dave Sobel:

subreddit, this is where I'm gonna get very tactical, and I go, yeah, and guys, the group on here, the providers, go kick their butt, go kick their ass, go make the money, go be better. Like, like, this is where I get enthusiastic again and goes like, I don't need to, I want to change the industry. I love having that conversation. But at the same time, if I give tactical advice to really to smart msps they go forth, I'm gonna go wipe the floor with the complacent guys,

Eric Taylor:

I love it.

Shiva Maharaj:

Go for it. If you've been around, you've been around this business for a long time. Oh, god, I'm old. older than me, I would assume. On which side of 45 are you on? Oh, I'm, I'm right on it. All right. There you go. What are your thoughts on all of the thought leaders in the MSP channel, all of the experts in the guys like me have a little bit of pedigree and by a little bit, I mean, a lot. You know, you came from the MSP, you did a lot of things. But thank you, thank you for saying that. I appreciate that. There are a lot of companies now that are selling products to msps because they once ran a successful MSSP and their products are dogshit

Dave Sobel:

I can speak I can speak to my own personal philosophy on this. Okay, so when I sold my MSP and it was the end of 2011 going into 2012 I had a lot of people ask me, why are you gonna go be a consultant and my statement was, I ran away MSSP like, I don't be wrong, I do peer groups, I wrote a book, I do all this volunteering. I ran one MSP. I don't believe that running one. MSP makes me an expert on all things. And the reason I went to work for a vendor was I wanted to learn a lot more. I wanted to learn about how that side of the business works. And there's a reason why now I don't do consulting like this. I do. I, I do a news and commentary podcast, because I think I think I solve two problems. The first is I don't think MSP spend enough time focused on the actual important news. Right, like, like, we're spending way too much time worrying about booth Partner Program has changed a lot and who's bought who in the marketplace and what channel chief works, who cares? None of that makes it makes any of you money on a day to day basis, as I talked about the future of work and regulate all that stuff, right? I think there isn't a space TALKING ABOUT IT services there. And the second thing is, is I offer my perspective, as a guy who's done some of this work, I do not presented as the one solution to all things. And so what i what i The reason I my statement on that is that is my governing philosophy is I do not think I have all the answers. I think I asked good questions. And so I offer that to the world. If somebody thinks they're one way, is the way I just think they're always wrong. And it's and it's an absolute, that can actually be true. There isn't one way, because there's so many smart people in so many different kinds of businesses and so many different ways to go at it. And I just don't, don't buy into it. Now, I will always, always also see a system is always better than no system, right? And it's why this space does really well is that to somebody who doesn't understand marketing, or sales or technical delivery, if you don't have anything, buying something is always better. And that's why this space flourishes. And that's why people deliver some value and I won't, I won't be completely dismissive of the value of helping someone who has nothing. Now have some is that that fair on my philosophy of the cursor, that space? That's a really good non answer, but I'll take it. Well, it's because there's there's value to be had in everybody's business, if it's the right one to the right,

Shiva Maharaj:

I guess, you know, my thing is just there's a proliferation of too many experts, which is leading to too many cooks in the kitchen. And that's, that's really my issue

Dave Sobel:

that I'll 100% agree to, right, I guess is but by the way, it's also the sign of a healthy opportunity. When there's a lot of aftermarket players like after aftermarket consultants and add ons and all that stuff. It actually tells me that this is a pretty healthy market, and there's a lot of opportunity and money to be had. Because those people are there. You

Shiva Maharaj:

say that and I just hear there are a lot of suckers. Yeah. six to one half dozen, the other. Both true statements.

Dave Sobel:

Right. Like, both statements can be true at the same time.

Shiva Maharaj:

So Alright, guys, I have to jump off soon. So I guess anything anyone else would like to add?

Eric Taylor:

Now? Yeah, sorry. I've been kind of Mia. I've got a couple things hit me over here, though solely

Shiva Maharaj:

as an incident right now.

Eric Taylor:

Yeah, that's what I'm getting pinged about this new zero day flaw the thunder attack. That's not Part A sudden burst or anything like that, though. The gift of solar winds that keeps on giving. So I'm sure solar wind solar runs are enabled thorens solar wind solar winds, Orion?

Dave Sobel:

Well, I said it's on, there will always be a new one, you know, until we change.

Shiva Maharaj:

Here's a closing thought for me today's the last day to buy shares to get your enable. Hmm. Is this meant to drive down the share price?

Eric Taylor:

I think so. Timing wise, at least it makes sense. But hey, what do I know? We're watching this bear? See, there's

Dave Sobel:

I the simplest answer is always that always the true one. Right is generally a or not only. But generally, if it falls in that line. I do think that our opposition in the cyber war is very smart. We do not give them nearly enough credit for being as smart as they are. Right? If there is an impact that they can make. They're going to do it opportunistically to make money. They are a business. They are an incredibly worthy adversary. And we should we should understand that. And I don't mean to honor but we should respect that adversary and not take them to light because

Shiva Maharaj:

why I call the solar wind sack originally arrived. One beautiful and elegant.

Dave Sobel:

It is so be I'm 100% so beautiful. So well done. So well executed. It's It's amazing. And in the Kaseya one in a way you can actually see they made mistakes, right like those guys. They made some mistakes in there. And I think

Shiva Maharaj:

that was a statement, I think to say was a statement. I don't think they meant I don't think they cared to get data exfiltrate I think it was just I think they were more successful than they intended to be. I think it was just to say hey, Look at what we can do when we don't even try.

Dave Sobel:

And that should be the message we all take away and why I hope everyone is reexamining their choices. Because if that's that statement is true, and I am with you, I believe that if they can do more, we should be totally taking that seriously.

Eric Taylor:

All right. So awesome. Gentlemen. Dave, how does those who don't know about you again, how do they get in touch with you?

Shiva Maharaj:

Well, I don't know about you.

Dave Sobel:

Well, I never assume everyone knows that I'm I always really, I mean, this, I really appreciate everyone's trust and listening take my opinion is worth listening to. If you're interested in what I do, please subscribe to the podcast. It's a business of tech, there is a big blue button. I'm on all of the podcasts or platforms. That is my core business is producing that content for providers to give them some insight into that you can also follow me on youtube@youtube.com slash MSP radio. They podcast comm as a weekly video show as well as the long form editorials are there as well. If you really like what I do, you can support me on Patreon. It's patreon.com slash MSP radio because I am here to serve this community I've built a business that makes money when you guys are successful. So that's what I'm doing. You know, I

Shiva Maharaj:

heard only fans is a very thriving opportunity as well you know, nobody wants to see that content you want to put on there I'm just saying you can put this content on there and you don't need to take the blazer off

Eric Taylor:

that is that is totally dry. Yeah. I have heard if you reverse it, you can have people pay you not to send images of certain items other people

Dave Sobel:

next business idea. I do listen, I do listen to my Patreon

Eric Taylor:

reverse engineering.

Dave Sobel:

Guys, thanks for really appreciate you having me for the conversation and asking really smart questions. I like I love I love the conversation. I'm here to help on anything anybody needs. Thank

Shiva Maharaj:

you for your time. Thanks again for joining us for the cybersecurity amplified and intensified podcast.