38. Compliance First - Protecting Your Empire with Tim Golden of Compliance Scorecard
Welcome everybody to episode 38 of Unhacked. Guys, like I say, every week Unhacked is a deliberate misnomer. Truth is 97% of these breaches, roughly speaking, are preventable using basic security measures, and we're gonna talk about that today. But once you've been hit, you can never truly get unhacked. So week after week, we sit here and we break it down.
Justin:We talk about, what overwhelmed busy business owners should be doing to outsmart the Russian hackers. We give them the basics, the best practices, the frameworks as we're gonna talk about today with Tim. Thank you for being here, Tim, by the way. We're we're gonna we give everybody the 97%. This is the formula that you should be following.
Justin:And then at the end of the show, we're gonna close that 3% gap. Gap. So let's get started. I am Justin Shelley, CEO of Phoenix IT Advisors. I work with businesses in the Dallas Metro and more recently out here in, Northern Nevada, rural middle of nowhere.
Justin:Also went to Elko. Oh, sorry. That's that's where I'm at now. In Salt Lake and, possibly Idaho if you if you talk nice to me. And I am here with my regular cohost, Brian and Mario.
Justin:Brian, tell everybody who you are, what you do, and who you do it for.
Bryan:Excellent. My name is Brian Lashbow with b four Networks, based out of the Niagara Falls, Ontario area, and we provide support to businesses throughout the area. And I like to say that we primarily help business owners who are frustrated with technology remove that frustration that comes with dealing with technology, and that could involve everything from cybersecurity all the way to compliance.
Justin:Alright. Mario, you're up next.
Mario:Hello. Mario Zaki, CEO of Mastech IT. We are in, North Jersey, right right outside of, Manhattan. Been in business for, over twenty years now, servicing, you know, people with computers, businesses with computers, helping them pretty much, do everything IT. And after today, maybe compliance.
Bryan:Sorry. I love
Justin:it. In today's episode, guys, we are going to be talking with Tim Golden of Compliance Scorecard. Tim, thank you so much for being here. I know you've got, plenty of things to do, so really appreciate you joining us.
Tim:Justin, I'm I'm so glad to to be here. Thank you so much. Justin, I think I heard Idaho. Is that correct? And Mario, I might have heard Yep.
Tim:New Jersey. And, Brian, I think I heard Canada. Right? Am I correct?
Bryan:Right.
Tim:Yep. Yep. So so, Justin
Justin:Yes, sir.
Tim:What did Delaware, Idaho, could have been in New Jersey, can we find her a right shirt? But I'm I always gotta start off with a shit. I always gotta start off with a good show. I set the pieces here, and I've been waiting for that. Like, so what did Delaware?
Tim:Idaho. Could have been in New Jersey.
Justin:I can't. Ask her.
Bryan:I love it.
Justin:I got my own Utah, Idaho joke. How come all the trees in Idaho lean south?
Tim:I don't know.
Justin:Because Utah sucks. Anyway That's awesome.
Tim:So let me take a second to introduce myself. Tim Golden, founder and CEO of Compliance Scorecard, where we help MSPs just like you have that risk conversation with your customers by delivering our scorecards to them.
Justin:I love it. And, Tim, there's a couple things that caught my attention. The reason I really wanted you on in itself ish. Usually, when I bring people on here, it is pure selfishness. Perfect.
Justin:I have Unhacked, this has been a journey for me. Podcasting itself has been a journey. I learn more by doing this show than anything else I've ever done in my life, I think. So, over the course of 2024, one of the things that evolved in my brain was to shift my business focus to a compliance first mindset.
Tim:Now I love that. Why are you not a partner?
Justin:Well
Tim:Get it. We need
Justin:to talk about that, actually. So, we are so you said and I'm gonna pop quiz you a little bit. Sure. You have a passion for empowering MSPs to achieve operational excellence. Tell me a little bit more about that because that's something that caught my attention.
Tim:Yeah. So, you know, operational excellence, what does that even mean? It sounds like big marketing fluffy words, and, yeah, it kinda is. But the idea behind it is, you know, the more you can document a thing, have a repeatable process, have everybody along the chain understand why you're doing that thing, not just to have the thing, but getting the buy in all the way up and down the chain. You can really start to gain to that excellence because everybody knows why and the operational efficiency because you have a documented repeatable process, Something that you can scale.
Tim:Something that you can then have a baseline and a standard to work towards, grow, and evolve through. And by understanding the why, building out the how, and bringing the people along the way, you will gain that excellence along the way.
Justin:Absolutely love that. I am a fan of EOS. Are you familiar with them?
Tim:Yes. Yeah. Actually, so it was really interesting. When we first founded Compliance Scorecard. It was literally just myself and my chief Wrangler my chief operate my my wife, chief Wrangler officer.
Tim:It's great. Operating officers. Literally just the two of us. And I'm like, you know, EOS, something I believe in, traction, you know, the right people, the right seat, the right time. But it was really hard with just two people.
Tim:So we kinda, like, made our own version of it. But now that we're, you know, well over, well, you know, I think 20 some odd, 25, I don't can't even count FTE. We have a bunch of people now. So EOS, traction, you know, it's taken us a well, not a lot of time, but a lot of time to find the right person for the right seat in the right role. We've kinda knew what those roles were, but, obviously, we needed to grow into all of those roles appropriately, hire accordingly, which, you know, hiring is not fun.
Tim:Unfortunately, I have other people beside me now in hiring decisions. So, yeah, EOS and Traction is great.
Justin:And it it sounds like maybe you, you at least align with their documenting core processes because that's what I heard you say. You know, have those processes, roll them out, get buy in. That that really is a key component of EOS. I absolutely love it. I actually completely ripped off their oh, what are they they've got like a one pager accountability plan.
Justin:Yeah. What do they call it though? They have a different name for it. But
Bryan:I I know you called it the same page accountability plan, and I ripped it off you.
Justin:Right. That's right. So it's you start with, you know, he does, in the book, he comes in, he does that free evaluation two hour thing, and then you get into a deeper planning session, and then you get into your quarterly rotations. That's that's how I, approach my business and really how I work compliance into it. So
Tim:Well, one of our one of our, you know, very first advisers so we have an adviser council. Right? People that advise us. Right? Just, again, back to the roots.
Tim:It was just the two of us. Like and one of our advisers, Kyle, good friend of ours, now over at Empath, Tal Christiansen, was or is was, EOS, Pinnacle, Implementer, certified like, he was all the things. That was his core business for a long time. And so it's it's really helpful to kinda work alongside a coach in that kind of stuff. And it's Absolutely.
Tim:Something because a lot of, like, my twenty plus years in the compliance space, a lot of what I was doing there kinda mimicked EOS and traction.
Justin:So I was kinda doing this already.
Tim:I just didn't realize there was a name to it until somebody said, hey, go buy this book. And I'm like, oh my god. I'd like, I do like 80% of this, but in the wrong order and the total wrong way, but yeah.
Justin:Yeah. Yep. That's good stuff. Alright. We're gonna pivot, and I wanna talk about I wanna really, I wanna get into the nuts and bolts of this thing.
Justin:And I'll I'll just be honest. I'm gonna tell myself a little bit. There I'm gonna read a quote that I got off of Reddit, and I'm probably gonna beat this guy up for the rest of my life because partly because what he said was, like, the most asinine thing I've ever heard.
Bryan:But But also rings true.
Tim:A little bit. Yeah.
Justin:It kinda tweaked me just a little bit. So Yep. Okay. Here we go. Word for word.
Justin:Overnight, I received an odd request from a prospect. The prospect asked for a list of the best practices he puts in quotes that I would be applying. This got me laughing and then thinking, where do I get my best practices from? What are they? This has been bothering me as a start as I start with my coffee.
Justin:Thirty plus years of experience in the industry, and I doubt my list and your list are the same. Though they should have overlap if they are truly best practices. Right? Time to discuss this one and look at the policies in my RMM for my own comfort. It's been a while since I compared these.
Justin:Tim, you're familiar with what an RMM is. Correct? Is is that Yeah. Is that where you get your policies that you throw into compliance scorecard? Oh,
Tim:my goodness. RMM Well,
Mario:if you use the RMM to log in to somebody's computer and get their policies, I guess I guess that works. Right?
Justin:I don't know. I'd I mean, it's like thirty years, guys. Thirty years.
Tim:Thirty years, and my RMM manages my documentation, my attestation, my change management, my RMM and auto audit log, all my like, okay. Perfect. I'm done here. Like, everybody just go buy, you know, Kaseya or ConnectWise or Ninja or yeah. We're done here.
Justin:Game over. Game over. No value add here.
Tim:Because your RMM can do it. Okay.
Justin:Oh, so, yeah, I mean, this this is really the core of what I would call the problem in in the world of technology or at least the world of MSPs is we are not regulated as an industry.
Tim:We're not.
Justin:Now, and we're gonna talk about the why it's so important that other industries are, and I I just still don't understand why we're not. But we're not. But other other groups are. So we're gonna get let's let's define compliance because that can mean a million things. Tim, this is the world you live and die in.
Justin:What is compliance? If you're talking to somebody who listen. His job is to run a business. He's got a million hats, a million things he needs to know and understand. He probably doesn't give a damn, what we're talking about.
Justin:What we're talking
Tim:There's a couple of questions. He doesn't give a damn. That's another component of this. Right?
Bryan:Yep. But
Tim:if if we think of compliance, right, and and we could relate this to multiple different analogies. Like Joe's Baker, for example. Joe's Baker doesn't give a crap about compliance, but Joe's Baker does care about the recipe for making the cake. Correct. Right?
Tim:Or or, you know, Johnny's Lugnut factory that does work for the Department of Defense and now, fall into this CMM eight hundred one hundred and seventy CMMC thing. Like, they should care because compliance, we like to reference that as the referee for cybersecurity. Right. Right? I like to put my hat on because we are scorecards, kind of play a little bit into the, you know, sport theme with compliance is the referee for cybersecurity.
Tim:It has the playbooks. It has the rules. It has the regulations. It knows how to play the game. It throws the flags up.
Tim:It throws the flags up when something is a foul. It the players now know what rules to follow. They know what guidelines to deal with. In our opinion, it's almost like having a referee during your favorite sports game, where that's the person, that's the key, that's the source of truth for things that you're doing along cybersecurity, along FTC, along, you know, any one of the mouthful of acronym frameworks. Compliance in its simplest form is having a rule book or a playbook in guardrails to follow.
Justin:Let me let me play devil's advocate a little bit for this guy who I just slaughtered from Reddit. Why do we need so many damn versions of compliance? You threw out several acronyms, and you just scratched the surface.
Bryan:Yeah.
Justin:That's the problem. There's there's dozens of frameworks. Why do we need so many
Tim:into that with well, they're getting into the politicalness of why things exist. Right? Good call. Whether it's the FTC regulating certain industries or or it's, the Department of Defense regulating their industry. There's, you know, some politicalness behind that on the lobbying bodies, the laws, the regulations, at least here in The US.
Tim:There's, you know, political components behind some of that. We don't we don't even need to get into. But at the core of many frameworks, at least for us, as we start to look at things, NIST, so the National Institute of Standards and Technology, and CISA, the Center for Internet Security and CIS Controls, which is slightly derived out of NIST. There are many paths back to NIST 800-53, which is a giant control list, you know, 1,029 controls, that if you look at a bunch of the different industries, can somewhat correlate back to, not maybe not word for word, maybe not intent, back to something in a NIST control, at least in my opinion. Now cross mapping, a whole another can of worms.
Tim:We could probably spend a whole another episode talking about cross mapping. Yeah. I'm not gonna poke it.
Bryan:That sounds so exciting. Why don't we do that?
Tim:Yeah. Well, actually, you know, there's a lot of marketing jargon out there, and it it's bad around cross marketing, whatever. So to answer your specific question, why do we have so many frameworks? I don't know. Why do we have so many laws that govern different things?
Tim:And why do we not have laws that govern things that should be governed in in effect? Like, I don't know, HIPAA, health care data. You know, we have PCI for a reason to protect credit card data and financial information. How much
Justin:difference so you're
Mario:you made
Justin:a good point. Sorry. I'm over I'm stepping on you there. Go ahead.
Tim:No. I just say we have different different laws because of different verticals and different industries and different interest groups pushing their agendas.
Justin:Okay. And and if, like you said, let's if we took politics out of it for a second, there there are some,
Mario:I
Justin:I guess, some nuances or some specialty areas with each of these frameworks, but you did point out they all kinda tie back to one master set of standards.
Tim:Is that fair? In my opinion Okay. You can now again, cross mapping aside because I don't believe in that at the moment. You can correlate as long as scope is the same, intention is the same. Like, there's other components of a compliance program that are the same because I'll just pick on one control, password policy.
Tim:Everybody knows like, hey, we should have good passwords. Best practices, have a good password. Right? Back to your Reddit post. Have a good have a good password.
Tim:Well, you know, some frameworks might say, have an eight or 10 character password and multifactor. Another framework might say, only administrative accounts need to have a 47,000 character password that changes randomly every five seconds. They're both talking about passwords, but the requirements in the intent is different. Right.
Justin:And here's another pop quiz. I heard, I haven't verified this, that they, whoever the powers are, that decide, what password should be, recently removed the recommendation to change your password every ninety days. What can you tell us about that?
Tim:NIST actually came out and updated the core, and it it and it actually moved away just from password as a control to, identity management. Right? And and understanding that as a human or as a device, a laptop, a whatever, there's identity tied to that and having strong identity authentication. So, you know, how many people log in to their phone with their face? I know I do.
Tim:I know I have been for a long time. And if it wasn't my face, it was my finger. Yep. Right? So there's a there's an identity aspect of that.
Tim:Now granted, I there's characters and I can type them in and get into it that way. But conceptually, the days of make sure you have eight characters and they're changed every 90 days and you go into your global, your GPOs and change them so that the policy object went and everybody ends up using the same eight characters across everything.
Bryan:That never happens. What are you talking about?
Tim:Can Can I anecdote a little story here for
Justin:a minute? Absolutely.
Tim:So my mother-in-law, she's very sharp for an 80 year old. And she's great. And, you know, we were talking about, like, they're they're older, you know, maybe we got twenty years left with them. I don't know, whatever. But, you know, she's very concerned about protecting her assets.
Tim:And so we got her a password manager for for their, you know, for my mother and father-in-law. I sat down with them, started teaching them how to use 1Password, you know, appropriately sharing that with my wife so that there was a backup person, you know, like we should be doing. And you know when you get the little score that shows you how many reused or weak passwords there were? There were a few that I was like, oh my god. Let's change that right now.
Tim:Not that they were, you know, not that they were, you know, they were obviously conscious of being secure and wanting to do the right thing. That's why they asked. That's why, you know, I sat with them and got a password manager in place, but I'm like, yeah. These five were literally changing right now. Like, I'm just not waiting.
Mario:Password one.
Bryan:You would be absolutely shocked as to what we find out there in the wild. I have a prospect that I won't mention names. Every one of their Office 365 passwords are the same across the entire company because the one guy wants to manage it all and so they're all the same password. Wow. Including the admin?
Justin:Does that include his admin password?
Tim:And let me and let me guess. He just filled out one of those Facebook questionnaires about, you know, give me your give me your manufacturer name and your street name, and and we'll give you back your stripper name or something like that.
Bryan:Right. What's your favorite
Justin:color, Tim?
Tim:Yeah. Yeah. Go golden, of course.
Justin:Yeah. Oh, good times. Good times. So alright. I'm a I'm a CEO of a whatever.
Justin:Congratulations. Random organization.
Bryan:Thank you.
Justin:Thank you. Thank you. I've I've worked my ass off for this. I I you know, back to the original question. Not only do I care about regulatory frameworks, none of them apply to me.
Justin:Because I'm not in a regulated industry. You might be surprised. True true, but what would you? What would you tell me, Tim? Like how how would you?
Justin:You know Do I
Tim:know anything about you, Justin? You're a random CEO at a random company. What kind of company?
Mario:Construction. Let's say construction.
Justin:Let's do construction. That's a good
Tim:Awesome. So I love the construction analogy. Hey, have you ever heard of that thing called OSHA? I heard. And do you know what that is about?
Tim:Know, probably keeping probably keeping your people from falling off ladders and, you know, bad staging and, you know, pouring tar over, I don't know, Justin's head as the CEO because you don't wanna listen to him anymore.
Mario:But as long as you wear a hard hat, you're fine. Right?
Tim:Yes. Well,
Justin:see, you wear something that doesn't tell
Tim:you to wear a hard hat. Right? You needed to have a rule book or a playbook be like, wear a hard hat or reinforce the staging. There might have been some kind of compliance that, you know, something happened somewhere in the past, and now there's a playbook, a compliance thing that you now need to follow. So specifically with a construction company, OSHA.
Tim:Like, oh my god. Not that I deal with OSHA, but it's certainly something that you could relate to. Now if you're thinking about cybersecurity and compliance around that, Justin, as the CEO of the construction company, do you care about your insurance?
Justin:I mean, only if I have I hate paying that goddamn check every month. But
Tim:I know. I know. But what happens when Mario falls off the ladder and lands on Brian with a bucket of tar, and you're, you know, running with the feathers.
Bryan:Wait. This is being recorded.
Mario:Right? We could finally shave his head.
Bryan:I was gonna say, they've been trying to do that for ages now.
Tim:Right? So when that incident happens, you're gonna run right over to your insurance company and be like, listen, I didn't pay them. Right?
Justin:Right. Right.
Tim:Otherwise Right. You know, you're paying the medical bills and the things and the things and the things. Right? So you're gonna run to that insurance carrier and say, hey. Nope.
Tim:No problem. I'm covered. I've been paying you a hundred bucks a month to do a million dollars a second. Except now that cyber insurance, when that incident happens, because you have, Brian out in the field with an iPad, and he fell off the ladder and it you know, the iPad's not logged in because he doesn't have a strong password, right, from previous conversation. And Tim walks by and picks up the iPad, and now I have access to all your customer data because it wasn't protected.
Tim:Right? You know, Mario knocks Brian off the ladder, Tim snags the iPad, and Justin, I have all your data. Cyber insurance, probably not gonna pay if you're not following some kind of cyber insurance framework, for example.
Justin:Oh, what do you call that cliff?
Tim:I do call that cliff.
Justin:Cyber liability insurance framework. Don't fall off the cliff. No.
Tim:Our friends at our friends at fifth wall, you know, we we like to banter a lot. And I was chatting with Will Will Brooks. I don't know how long ago it was. We make memes all the time. He makes bet way better memes than I do.
Tim:And I was like, oh my god. We just invented a new framework. Cyber Liability Insurance Framework. CLIF, keep your customers from falling off the cyber cliff.
Justin:I love that.
Tim:And it's six things. It's very easy. Even you, Justin, as an MSP can do that with compliance.
Justin:What are they? What what are your six things?
Tim:Well, so cyber liability entry, if we're gonna go down this route. So, not all of them, but a vast majority of them have now started to determine there are certain things that you should probably have in place like security awareness training, you know, phishing, security awareness training, incident response documentation, I. E. Compliance, courtroom, Vulnerability scanning. Right?
Tim:Find the stuff and fix it. Backups. Because, you know, when the crap hits the fan and Mario's pouring, you know, concrete all over Brian, you wanna be able to recover Brian to some state. So backups. You know?
Tim:What did I say? I said training, vulnerability, backup, incident response, planning, documentation. You're putting me on the spot here. I'm trying to remember the others off the top of my head.
Bryan:That's alright.
Justin:I and I was curious
Tim:about platform that walked you through all of those things accordingly. You know? There might be one that could help with that. Just Wait. It looked like there
Justin:was something on your shirt there.
Tim:Yeah. You know, it's just this little, you know, check mark thing on A little level. Me on my hat, you know, brand everywhere, product placement. So here here's
Mario:Sorry. We we said security training, incident response plan, pen test, backup documentation. I'm missing one.
Tim:Yeah. Pen test is kinda define pen test. Like, is this a pen? Scanning.
Bryan:Just screeching
Mario:the pen and
Bryan:just test to see if it works.
Tim:Yeah. Yeah. Vulnerability scanning, documentation, backup, vulnerability management, security awareness training.
Justin:So on this subject, Tim, when you and I talked before we a couple weeks back, one of the things you mentioned is that insurance is the way in. And I know that you're talking to because your your target audience is us. Right? We're this show we're talking to our end users, which also filters down. You know, they are forced into compliance sometimes because of their customers.
Justin:But when you're talking to MSPs, you say insurance is the way in. What what's that about? Can you tell us? Say that again? What is why do you tell us that insurance is the way in when we're talking about compliance to our clients?
Justin:Like, if I'm gonna go and tell my client, hey, you we we need to get, let's get CIS 8.0, I mean 8.1, in place. Yeah. Why where does insurance play into that? So,
Tim:again, back to relatability. Construction company doesn't care about cyber, but, you know, when Brian drops the iPad, there's a cyber incident. And so who covers that cyber incident but the insurance companies? And as you said, Justin, I'm writing that insurance check every month, like, that's a problem. And if I am trying to prove the defensibility, there's a new word for you, not new, but if I'm trying to be and defending our actions as the construction company, I wanna be able to say to my insurance company, I'm doing the things.
Tim:I'm not 100% compliant today, but I'm doing the things. I have backup today. I'm trying to get everybody on two factor that's, you know, taking a minute, but I'm building that defensibility. And so as an insurance carrier, I'm gonna look at some of my requirements. And if say, nine out of the seven things you don't have, I'm probably not going to insure you.
Tim:Right. Or maybe I have, you know, 14 out of the three requirements. Oh, like, my risk as an insurance carrier is, like, way reduced because they're building their defensibility. And so why do we suggest insurance as the way in? Because they are the people writing the check when the stuff hits the fan.
Tim:And we know the stuff will hit the fan, just not matter of when.
Justin:Absolutely. Yeah.
Tim:They're the ones paying out. And so if you can explain and have the conversation with your customer, let's bring in Dustin. Right? Our good friend, Dustin Bolender from Belltex Insurance. Let's bring in Dustin.
Tim:I can't talk about insurance legally. I can talk about, as your MSP, the things that we can do to build that defensibility. But Justin's here to answer all your legal questions around insurance and why they can or cannot insure you and what happens during those incidents.
Bryan:One of the neat things that I've I've seen well, not neat. It's actually horrifying, is that insurance companies will make you fill in a form Yes. And say, like, hey. Do you have this? Do you have this?
Bryan:Do you have that? And people will answer the form, and then they they just insure you blindly. Right? Got it. Got it.
Bryan:Happen is you'll you'll end up putting a claim in down the road saying, I think I'm covered. And meanwhile, you didn't do the things that Tim was talking about. And so the insurance carrier turns around and says, well, you said you were doing the things on your form and you're not. So even though you've been paying us for all this time, we're not gonna cover you. Yeah.
Bryan:And now you're stuck with nothing.
Tim:So funny that you mentioned that because literally on my fourth monitor over there is my insurance form for our good friend, Dustin, at Beltex that I'm literally sitting here like, okay. Sometimes I'm gonna fill that out because our renewal is up. Yeah. But, yes, as a vendor, I too have an insurance form I need
Justin:to fill
Tim:out and provide. And by
Bryan:the
Tim:way, we can do a lot of that with integrations through our platform. I know I keep plugging my platform.
Justin:But No. Plug it. We're gonna we're gonna we're gonna kinda wrap up with your platform, so no problem there.
Tim:Yeah. Yeah. But that's the thing. You know? If you no.
Tim:Not if because it does. When you lie on these security attestations
Bryan:Knowingly or not.
Tim:Right? Then they're gonna go right back to that and say, Wait a minute, you checked the box at 2FA everywhere, except Brian exposed the fact that every account is the same password with no 2FA. Yeah, we're probably not gonna give you the payout. So, yeah, you know, your construction company probably doesn't exist anymore.
Bryan:That's like saying you're a nonsmoker and you are. Hey. Whoops. I
Tim:resemble that remark.
Justin:Well, it's bad enough because I I hate these insurance payments so much. It's bad enough that I have to pay it, and now it didn't do me any good at all.
Tim:Right? Right? Right. It didn't do nothing.
Justin:Yeah. Another thing about compliance that kind of, it it sells it to me. So, again, back to the unregulated industry that is technology, at least technology providers like us. Let's you've got we've got our clients who are writing a check just like they're writing a check to the insurance company. They're writing a check to us and they expect us to be protecting them.
Justin:How do they know if if there's no form of standards? You know, going back to our our poor Redditor who, is thirty years in the industry and doesn't know what the hell he's doing to protect his clients. Guys, companies are writing checks to that provider all the time. So I if back to my, CEO hat here, I want my IT company following some framework and holding themselves accountable to it because otherwise, how do we really know that we're getting what we pay for from our IT company? So that's
Bryan:You made a really
Tim:you made a really good point in the beginning. Like, we're not a regulated industry yet. Right. Yep. And there hasn't been a good path for that yet.
Tim:And I keep using the word yet because I think it's coming. In fact, I
Bryan:I do too. Yeah.
Tim:I mean, I know it's coming. But I
Justin:well, you
Tim:know what? I'll just say, I know it's coming. Right. Whether it's the, you know, Global Technology Industry Association, formerly known as CompTIA or PRINCE, however you'd like to go by. Whether it's the Trustmark program that they have, or it's some other entity or organization, you know, it is coming.
Tim:But here's the thing. I can't even get my haircut unless I go to a licensed, you know, barber. Right. I call them hair person, whatever. I have a stylist who I've used in our office.
Tim:What do you
Mario:Justin, what are you saying right for? When was the last time you you went me and you went to a barber?
Justin:Dude, I polished this thing this morning.
Mario:What are
Justin:you talking about?
Bryan:I was there this morning. We
Tim:we MSPs literally hold the keys to Fort Knox. Yeah. Justin, your construction company is your Fort Knox.
Bryan:Mhmm.
Tim:And Brian has the one username and password across the entire organization. Yeah. But that's okay. We Brian, we have no standards for you because, you know, you're the only guy here besides me with hair. So maybe we fall into the standard with hair and they don't.
Bryan:But Yeah. Entirely possible.
Justin:It's a crazy world. So, Tim, I think it's I think it's time for us to just like you've been kinda teasing us a little bit. You've been even showing your logo off on accident here and there pointing to your hat. Tell us a little bit about Compliance
Mario:Scorecard.
Bryan:Yeah. Alright.
Justin:You got the coffee mug. Is it a Yeti though? Is it is it a brand name?
Tim:Only a Yeti. I am such a Yeti snob. Oh, let's see. There's checkers here. I am such a Yeti snob.
Justin:Yeah.
Tim:Yeti or nothing?
Justin:Exactly. I love it. All right. We're on the same page there.
Tim:Oh, I have one of those too.
Justin:I have a
Tim:Yeti. But mine is from Pax8, Mario. I have one just like that same color, but it's Pax8.
Mario:Robin, baby.
Tim:Robin, baby. Robin. Yep.
Justin:I I've had a couple of those, but I lost them somehow. I don't know. Yeah. Anyways, Tim, tell us a little bit. Give us your elevator pitch because you are and, you know, listen, this podcast is directed at business owners.
Justin:We're all business owners, and we actually have a fair number of, technical people, MSPs that watch at least parts of this podcast. So talking to us, what is it that your product does? How does it make our lives better so that we can make our clients' lives better?
Tim:Sure. So like I said in the very beginning, it's, you know, as an MSP, you wanna be able to have the risk conversation with your customers. And since your customers are listening to this, as a customer of an MSP, you want to know, are they doing a thing? Do they have the playbook? Are they following a guideline?
Tim:Are they aligning my business, my construction company to something? Right? That's the first part of this, this whole alignment component. And it's kind of something like, maybe I should patent, but it's this four part process that we bring to the MSPs who eventually bring that down to Justin's construction company. Right?
Tim:Alignment, authorization, adoption, and assessment. Very quickly. Alignment. Are you following a thing? Do you have a playbook?
Tim:Is a thing aligned to a thing? Right? Pretty easy straightforward to understand. Here's a set of controls, whether it's insurance or mouthful acronyms. Here's a set of things that we're gonna follow.
Tim:Here's the playbook. As the MSP, the authorization component, it ain't my stuff. It's the customers. It's Justin Construction Company. It is their stuff.
Tim:They need to authorize that. You need to work with your MSP as an end customer of an MSP and ask them, align me to something and then allow me to take ownership of that, to authorize that. Nothing different than, let's say, an employee handbook. Right? Same concept.
Tim:You have your staff sign an employee handbook or sexual harassment or an equal opportunity or an or or HR kind of thing. We're just kind of applying that to the cybersecurity and technology components. Align it, allow the business to authorize it and have ownership with it. Now, you as the MSP facilitating the work, right, charging for that work, by the way, and facilitating that work, you're in the best position because you know what they're doing tech wise. It would be like hiring an outsourced HR to manage HR while they're hiring an MSP to manage tech.
Tim:Right? As that customer then, what good is the employee handbook or the password policy or the acceptable use policy if end users don't adopt it? That's the third a, that adoption component. Remember how we started in the very beginning on the why conversation? Why are we doing this?
Tim:That's the adoption component, allowing the end users to know why do we do this? Why is it bad to have the same password everywhere? And then lastly, assessment cadence. You know, I spoke I was invited to a conversation with one of our MSPs and one of their largest customers. We had CEO, CFO, HRO, all the people on there.
Tim:And I, you know, and I asked the HR, person, I was like, when was the last time you updated your employee handbook? Had to think for a minute and was like, I don't know, like, I don't know. Probably when we built the company, like, fourteen years ago. And this is in the height of COVID. And I said I said, well, that's interesting.
Tim:It's COVID now. Is everybody working from home? Well, yeah. Oh, okay. And then, you know, do you have any, like, you know, time off policy?
Tim:Or and she said, well, yeah. And I was like, so the entire way you run your business has completely changed, but you have not done anything in your documentation that you had all your employees agree to. So your employees can pretty much do what they want because there's nothing telling them they can't.
Justin:Oh, and
Tim:why is that? Because we haven't updated the handbook. That's right. Because you had no assessment cadence in place to remind you to do that thing. Yeah.
Tim:So break it down, bring it all back. Alignment, are you aligning to a thing? Authorization as the business, you wanna own them. Adoption, end users need to know why. And assessment, don't let it become vaporware or shelfware and be forgotten.
Justin:Which is where most policies live. But it's not just the policies.
Tim:Right? It's that is one major component of our platform. Yes. Policy tracking, policy management, but also assessments. Right?
Tim:You pick that framework and you look at these are the gaps. Alright. Here's a great thing. Anybody know what risk register is? Brian, Mario, Justin.
Tim:You know what a risk register is?
Bryan:No. Beaches.
Tim:As a business owner, right, and this can apply whether an MSP or not, you probably need to understand where your risks are. For for for Justin, it's making sure Mario isn't tripping over the ladder. Correct.
Justin:Mario, I'm down.
Tim:So you do an assessment. You realize Mario's got big feet, and Brian always puts the ladder in the way. So we've been able to do a deal with that.
Bryan:Bad combination.
Mario:He does it on purpose.
Tim:Fine. So you identified a gap. You know, big feet, bad ladder, whatever. You identified a gap. Now, Justin, as as the business owner, you probably need to decide, do we wanna fix that, i.e., mitigate the risk?
Tim:Do we wanna defer that? I don't know. Pretend it didn't happen. Do we wanna transfer that and Mario gets smaller feet and Brian move the ladder? Like, what do we wanna do with those gaps?
Tim:So a risk register gives you Amazon shopping cart of findings that you then you can apply a risk treatment to mitigate, accept, transfer, avoid, defer, the five various treatments of risk that you can apply. And as an MSP, you don't make those decisions. Your customer does. So for for the customers that are listening to this, ask your MSP, hey. Do you even know what a risk register is?
Tim:Because I listened to this fancy podcast, and they told me I should ask you about a risk register. Because you know what? I wanna make sure I do something about the ladder in the wrong spot. K. I'm
Justin:I'm taking notes feverishly, but I'm gonna have to go back and relisten to some of that. That was,
Tim:Sorry. I rant. I love this stuff. It's
Justin:No. I love it. I I'm gonna throw a question at you, Tim, that this is, again, pure selfishness on my part because, you know what what we're here to do is break this down for business owners. You you give them frameworks, you give them best practices. As we've said before, none of us really know what that is, but we throw all this stuff at them and then we let them decide, right?
Justin:On that, as your clients, MSPs, run these assessments, compare against frameworks. Yep. Can you tell us, like, the top handful of deficiencies that they find? If your company
Tim:actually pull in because because
Bryan:we
Tim:have some statistics and auto logging and tracking in the background.
Bryan:I'm not playing
Tim:one of another window if that's
Justin:I can even give you time. Like, we can sit here and and shoot the shit while you're working on that if you need to.
Tim:So I can actually tell you because we do have some statistics, not that we track. So first and foremost, as a compliance company, we take our MSPs, customers, and their customers' data very seriously. Yeah. We don't have the capacity to log in to your stuff and see your stuff and do your stuff.
Justin:Okay.
Tim:However, we built a new feature out a couple months ago called leaderboard.
Justin:Nice. That's what I'm looking for.
Tim:Well, because, you know, compliance gets such a bad rap, and it's scary, and it's an ugly word, and I'm afraid. Well, we flipped that out on the head by providing a leaderboard and positively reinforcing good behavior. I love that. Yay. Inside my MSP, these are my customers.
Tim:Brian's got nine policies. Justin's done a risk asset. Like, inside the my instance as my MSP, I can see how well my clients are doing, and I can reward that good behavior. Globally, not every name, but we have a general sense of what frameworks people are doing, what gaps they have in those frameworks, how they're doing with like minded businesses. So we have a bunch of those stats.
Tim:And I can tell you if I log in over here, is this messing up my bandwidth at all before Yeah. Clicking around in the other screen? I'm not gonna share the screen because this is an internal tool for us.
Justin:Sure. Mhmm.
Tim:So we can understand how well our MSPs are doing.
Justin:It's okay, Tim. I've already hacked into your computer, and I'm watching everything you're doing. So don't worry about it. But I'm screenshotting this.
Tim:I'm just rambling on and on buying time while I'm waiting for my second factor of of authentic
Justin:Oh, it's a lot ahead of my own 2FA. I hate that stuff. I've said before, if if security isn't a complete pain in your ass, you're doing it wrong. Alright.
Bryan:Alright. It's loading.
Tim:So I can tell you what frameworks, how many policies, how many and, actually, I haven't looked in a while, so it's probably a good idea because I tend to look once or twice a month and be like, oh my gosh. Just giving it a second to load on the back end. Alrighty. So let's see. The the top frameworks are CMMC and HIPAA and our own business risk assessment that we define as a business risk assessment that most every MSPs use, and then the policy and procedure assessment.
Tim:Somewhere in the neighborhood of, I can tell you how many entries, like so out of I don't know. Let's pick a number. I don't wanna give away specifics because this is a blog this is a blog post news article we're about to put out. Oh. So let's just talk roundish numbers.
Tim:Yep. So let's just say out of, I don't know, 400 assessments, give or take, we have identified, we being the MSPs, have identified around and now remember, an assessment could have a hundred questions or it could have five questions. So if we say 400 assessments, and then I say we have 2,000 findings. Okay. It's not a one to one correlation, obviously.
Tim:And out of that 2,000 findings, risk register. Again, round numbers. I'm kind of bumping these up by a few hundred. About 1,800 of those have some form of risk treatment. Mitigate, accept, defer, blah, blah, blah, blah, blah.
Tim:Is that the kind of thing you were asking, Justin? Yeah. I can say, oh, this is a great number. I'll give you this number. Over 2,100 policies deployed.
Justin:Oh, wow. Across
Tim:over 400 end customers.
Justin:Okay. So we're looking at four or five four or five each? Yes. Okay. Math on the spot isn't my strong point.
Tim:I mean, we have some some MSPs. I I could pull one here right now. They have 89 policies deployed. We have others that have on average, I would say the average number of policies per MSP is probably quick. Well, let me just pull up Excel.
Tim:Hold on. If I just kinda copy paste, click on the little average button, average. On average, there's 12 policies per MSP
Justin:per company. That sounds about right.
Bryan:Not bad.
Justin:Which is one of the strong points of your platform. Right? That because writing these platforms is a giant pain in the neck. And and then each client has to customize them for their organization. And one of the things, correct me if I'm wrong, that your platform does is helps the MSP create that base standard document, Let's say an acceptable use policy that they can push out to their clients and just make a couple of tweaks.
Justin:What is a five or 10% of the the work falls on the client? Everything else is done for them. Right?
Tim:I'll just do that. I like that.
Justin:Oh, there we go.
Tim:Hide the super admin component. But, yes, first and foremost, we have an extensive policy library that bring our twenty plus years of writing policy documentation as a baseline template for you as a jumping off point. Now everybody says templates, blah blah blah. They're a good jumping off point, and you should use them as the jumping off point. But our template is vastly different than what you're gonna see across the interweb because not only does it come with our twenty years of writing, FedRAMP moderate documentation, whole nother framework, we actually break them up into what's considered OSCAL, very structured machine readable language, right?
Tim:Not only do we provide the base documentation, but we even take it a step further with what goes in this box? How do I write this section? How do I write so TLDR section by section by section. Right?
Justin:I love that. I saw the TLDR. I'm like, damn it. I need this tool right now.
Tim:Right? Because we get it. Like, you're not versed in policy. We are. We give you some jumping off points, but we're like, Hey, keep in mind, you wanna do this and we wanna do this.
Tim:And like different frameworks will have different requirements and additional TLDR. How do I write this? So that comes with our years and years and years of experience. And here's the cool thing, right? You build out your library right at once, one click deploy to any customer.
Tim:You can custom tailor that further if you choose to, but it is literally one click deploy to your end customer on all the different policy frameworks and all the different regulatory frameworks. So, to answer your question, write once, deploy many. Right. Use our knowledge for the last twenty years as a jumping off point and align them to the business practices you're doing. Remember that first a.
Tim:You need to align them. We're gonna give you something to start with, but you need to make sure that and the and this is where everybody freaks out.
Mario:You know Does your platform allow us to upload, like, the proof that this is done? Or
Tim:So Like,
Mario:for audits to do it?
Tim:Tracking all that tracking directly in the platform. Okay.
Mario:I
Tim:didn't go through that. We have a live demo every week. People can go to compliancescorecard.com, click live demo, see all of this stuff in action. But yes, that is the core functionality. Remember the authorization and adoption and assessment?
Tim:All done on the platform. Mario, you write your template once, you know, your 10 base documents. You know, maybe there's ten hours worth of work. And by the way, now you have your own house in order.
Justin:Yeah. Exactly.
Tim:One click deploy to your customer. Your customer can then, whoever the authorizing official logs in and says, Yes, I agree or reject with feedback. Feedback loop. Once that's been aligned and authorized, then it's a click of a button to push out to an adoption campaign to all the end users with, here's the policy. Here's why we do a thing.
Tim:Here's what it is. Sign off. Kind of like you do with security awareness training. All that tracking, all that audit logging, all that change management, and then there's a knowledge base that you can share and embed and use that as a central repository for all your documents, even those HR documents. This is why HR people love this because, oh my god, I don't have to mail something out and try to keep a check with no.
Tim:All that can stay right in the black.
Justin:Yeah. Alright, guys. We're, we're getting towards the end here. So we're gonna start wrapping up. What I'd like to do is just kind of do rapid fire questions for Tim.
Justin:Brian and Mario, what have you guys as we've gone through this, what are some of the things that you'd like to know before we, close out here this week?
Bryan:Oh, putting us on the spot. Yeah. Okay. Why my question would be this. If there were I mean, I always like to treat cybersecurity as a journey, because not everybody can do everything all at once.
Bryan:It's just not possible. So they have to start somewhere, and they have to start implementing the first thing. In your opinion, Tim, what would be the first two or three things that a good business owner should have in place ASAP before they get anything else done when it comes to either compliance or cybersecurity?
Tim:Multifactor everywhere, period. Force it down there, throw. We're gonna keep saying, I can't believe it's 2025. We're still talking about this. Multifactor everywhere.
Tim:Not every like, everywhere, period. Your ADP, your, you know, your Facebook, your Twitter, like, everywhere. Every one of your Facebook page. Oops. Every
Justin:multifactor. K. Alright. Mario, you got something?
Mario:Yeah. So with with the with a a lot of these frameworks, some of them are, you know, like, I know, like, SOC 2, it's, like, always ongoing. You're always taking, you know, proof and providing and stuff like that. Are there other frameworks that are kind of less tedious throughout the year?
Tim:Yeah. FTC safeguards is the probably a or is is one that will affect a lot of businesses listening to this podcast whether you believe it or not. And what I've been seeing happening with the FTC is going after starting with the big organizations, but, you know, stuff rolls downhill. It's a very I don't wanna use the word easy, but it is it is a framework that you and your MSP can work together to get you a good standard beyond just the seven or eight things in cybersecurity in in cyber insurance. Yep.
Tim:Alright.
Justin:Well, I think, you know, we're we're coming up at almost an hour here. So we're gonna start to wrap this thing up. Tim, one thing I wanted to dive more into that we're we're not going to, it's something that I talk about all the time, but, I'm just gonna mention it because it caught my attention. I think it was a a LinkedIn post where you talked about culture. Instead of punishment, let's focus on rewarding good compliance behavior and fostering a positive culture.
Justin:I would argue that in in, you know, you talked about adoption, that kind of piqued my interest. That's been a place where I've seen a lot of challenges, a lot of struggles as as MSPs where we're trying to take these overwhelmed, busy, not just, CEOs, business owners, but also their staff. You know, all of us have plenty of things to do without getting another stack of things we have to do, another stack of documents we have to read and sign off on, you know, 2FA. Jesus Christ, I hate 2FA, but we have to have it. Right?
Justin:Like but everything is just one more thing to do. And if we don't wrap a culture around this, I don't think we'll ever win the war of compliance or cybersecurity, period. And, yes, you can do this with a stick, but I loved that your way of doing that was with the carrot, the proverbial carrot. So, is that maybe as kind of a sign off, can you just run through how it is that you help MSPs instill that culture into their client base? One word.
Justin:Okay.
Tim:Why?
Justin:Okay. I love that. Yep. You you've already said that.
Tim:Start with why. Right? So Simon Sinek has a great book, Start with Why. It's about building a company, but it also applies to the same cultural aspects. And it is the hardest lesson I had to learn as an IT professional that just wanted to click buttons and lock stuff down.
Tim:Years ago, when we got that first thing, all I did was click buttons, lock stuff down, and pissed everybody off along the way. Mhmm.
Mario:And
Tim:it wasn't until I shifted the conversation with the staff and all the end users and bringing them on board and explaining to them, why are we doing this? Did you know that we are a government contractor? Well, yeah. Did you know that those government contracts require this stuff? Why?
Tim:Who cares? Did you know that we will lose $5,000,000 worth of annual income and you will not have a job if I do not put two factor authentication in place. Yeah.
Justin:There's the why that matters to them. Right. Personal. Yep. Right.
Justin:Perfect.
Tim:And then and until and what did Tim just do? Tim went into m to M365, or Tim went into a thing and just enforced two factor on everybody's account. At which point the CEO's knocking on my door, my phone's ringing, everybody's pissed off. And I had to go, Woah. Big bad Tim came in with a hammer as opposed to friendly, rewardful Tim came in with the why and help them understand that this is why we do this.
Justin:Yeah. Love that. I mean, I I love that. That's my takeaway. That's what I'm gonna wrap up with.
Justin:Guys, unless you have any final thoughts, final questions, Brian, Mario, no? Okay. Then we're gonna go ahead and close this one out. Tim, again, thank you. Thank you.
Justin:Thank you for joining us today. This is becoming a way of life for me, and, honestly, I think this is something that we are all going to either go kicking and screaming or willingly into the dark night of compliance. So, again, thank you for being here. Thank you for your perspective. Guys, if, I've got other MSPs on here listening, go to compliancescorecard.com.
Justin:Join the, the demo. Is it a is that what you Weekly. Product demo. Right? Weekly demo.
Justin:And those are live, not prerecorded?
Tim:Live every week.
Justin:We got q and a.
Tim:My team keeps telling me we need to ship that, but I still I still love doing the live videos myself. Yeah. So will they?
Justin:Yeah. I could tell you you're not, shy on camera, so that's good. Let's, yeah. I'll be on there. I've got a platform.
Justin:I'm not gonna lie. I I hadn't heard of you guys until more recently, so I definitely wanna do a comparison. I love what you're talking about here, and I'll definitely take a look. Awesome, Tim.
Mario:Thank you.
Tim:That's cool. And I'll just end it with, I heard you say I got a platform, which is great. You know, we work with a lot of other partners and integrations as who and what we are, but we are an MSP first. We are dedicated to MSPs first. When you look at the GRC space and the tools that are available in that, I'd like to say we are the only one that came from an MSP built by an MSP for MSPs, and we get you.
Tim:And not only do we get you, but we also know you need to sell it so we're affordable for you as well.
Justin:Beautiful. That those are magic words right there. Because what we do is expensive and everything's one more subscription we get to pay for. It's good times. So final words to our our audience.
Justin:Again, we've been talking a little bit technical today, a little bit in the weeds. Our our audience business owners, I like to I've I've got my own little framework that I invented, Tim, and I don't know if you're gonna love it or hate it, but, and just finding a really simple way for business owners to hold us accountable. This is what I tell people. And and use safeguards, use, frameworks, use compliance tools, however you do it. But look at these three areas in particular.
Justin:Look at your technology and make sure it's protected. Look at your data, make sure it's protected, know where it lives, know how it's being used, know how it's being backed up, and could it be restored. And then your people. Know your people, protect your people, their identity, policies, procedures, and all that. That's the 97% that I'm talking about week after week.
Justin:And frameworks just make it easy for us to make sure we're doing our job, and it makes it easy for you, mister and missus business owner to, get some transparency and and to know that we're doing what you're writing us a check for. Wrap that up with an insurance policy that covers that 3% gap. Make sure you have good cybersecurity insurance and that they will pay in the event of a breach. Right back to frameworks, guys. So there we are, guys.
Justin:Unhack.live. If you have any questions, if you'd like to reach out to any of us individually, Brian, myself, Mario, Tim, all of our information will be on unhack.live. Brian and Mario, as always, thank you for joining us. And, Tim, again, great stuff, and we will be in touch. Thank you, guys.
Justin:We'll see you next week. Thank you.
Mario:Thanks, Tim. Speak.