¶ 171 Working with MSPs or Outside Cyber Services
Welcome to the Cyber Traps podcast. Today we have a very special episode for you. I am your host, Jethro Jones. We will be talking about the Inch 360 conference that took place in Spokane, Washington. This conference is a must attend event for cybersecurity folks here in Spokane, Washington, and it was a great opportunity for me to connect with cybersecurity folks here in Spokane and learn about a lot of things that are going on in the world of cybersecurity.
Right now, this episode is one of the sessions from the conference. I hope you enjoy it. This session is titled: Working with MSPs or Outside Cyber Services. Alright, we're gonna get started everybody. So, I'm Nolan Garrett, I'm the CEO and founder of Torchlight and you may have also heard of us as Intrinium. It's a company that does managed security, managed IT and cyber security consulting nationally. Um, based here in Spokane actually.
Um, I want to start with, you know, just thanking Heather and Drip7 and all of the sponsors. Thank you so much for putting this together. Uh, really appreciate it. Uh, I've heard a lot of great things from the various people I've spoken to about how great this event has been, so thank you. And also, just a note, I didn't think very clearly, um, don't heckle the primary coordinator during their talk if you have to go after them.
So, please be nice to me, Heather, don't heckle me too much if, if you could. Alright, um, we're going to jump in, um, I'll have you each kind of introduce yourself, and then we'll just go through some questions, uh, we'll open questions up to the audience, and um, probably wrap up, because we've got about 30, 40 minutes to do it. So, uh, if you'd like to start, John, go ahead. Well, I'm right in line, so that, that makes sense. Uh, my name's John, uh, John Hansman with Truett.
We're also a managed service provider, cybersecurity consulting. Uh, one of the things that differentiates us, uh, is we are what we, what I call a full stack only managed IT provider. So we really do everything based on risk assessments, what we find there, and then create a plan, so. Oh yeah, you have your own mic. I am Sahan Fernando. I am the Chief Information Security Officer for Rady Children's Hospital and Health Center. Uh, we are the largest pediatric health system in California.
Uh, not sure outside of there. And, uh, U.S. News and World Report Top Ten, uh, for PEDS overall. Uh, prior to joining Rady, uh, I worked locally actually with, uh, Nolan and a few others in this room, uh, doing everything from working in the security operations center to incident response and engineering, uh, architecture, uh, janitor duties and, um, a few other things probably. Uh, I also, uh, serve on the board for the health ISAC. And do a few other things here and there.
Uh, I also coach at Gonzaga for men's rowing. And a couple, you know, extra things to Sahan. I approached him over the weekend when, uh, somebody wasn't able to make it and asked him if he could, you know, pop in and do this. So thank you for changing your schedule last minute to make it happen for us. Bryce? Um, I'm Bryce Lemming. I'm the Public Safety Systems Manager for, uh, Spokane Regional Emergency Communications which is our 911, um, phone system and dispatch center.
Um, I've been in IT for about 20 years. I started my career in the military, and then moved to, uh, the private sector. I worked for a wireless internet service provider for a couple years, and then after that I moved into public safety. And, uh, I've been working with Shrek for, uh, That's what, that's the acronym for it anyway. Awesome. Shrek. Shrek. Yeah. Awesome. Um, for 13 years. Awesome. All right.
Let's uh, let's hop into some of the questions here and then we'll open some up to the audience. So, um, question number one, in the current digital landscape, are cyber security add ons like training, password management, uh, email filtering, are those things essentials for businesses that have more than five employees? What's your perspective?
I think, I think we should ask the crowd after we had all these sessions because I think if you've been paying attention, the answer is yes, like it's a resounding yes, you have to have all those things if you're in business today. Yeah, absolutely. Any other feedback, comments? Yeah, sure, yes, um, yes, of course, especially if it's a small, small organization, like, we're pretty small. We have, we have, um, four people in our IT department, including myself.
So, um, there's a lot of gaps there. So we have to fill those gaps and, and a lot of expertise that's, you know,
¶ In the current digital landscape, are cyber security add ons like training, password management, email filtering, are those essential for businesses with more than 5 employees?
that's directed towards specific systems. So, um, it's good to have an outside, you know, look at things. So I think that's very important, for sure. Yeah, absolutely. I know one of the questions, uh, in the previous panels, you know, was talking about how do, like, SMBs, small businesses or startups, you know, figure out how to implement security, you know, from the ground up.
And, you know, one of the things that, that I've definitely identified is, you know, the small businesses tend very much to really focus on trying to get the business off the ground or be profitable. And in some ways, they almost get the short end of the stick. I've heard this terminology on LinkedIn and Twitter about, or I guess it's not Twitter now, um, you know, about being at the short end of the security poverty line if you're in the SMB, right?
Like, all of the enterprises have the money to spend. And if you're in the SMB world, you have very limited resources, and I think that your service providers are going to be a very big piece of who's going to bring that to the table for you and bring an enterprise level of quality, um, to something you probably couldn't do on your own, for sure.
Um, you know, going on from there, you know, some vendors, they kind of downplay the need for comprehensive cyber security, uh, to remain competitive in pricing, because SMBs. How does this approach contrast with the evolving nature of cyber threats? I mean, information security is, is, is a science of risk management, I would say. And so, if you're saying that that's not part of your competitive advantage, I think that really discounts the idea of availability of whatever it is you're offering.
Uh, right? I mean, for those who aren't familiar with the CIA triad, that's confidentiality, integrity, and availability. And those components, balancing all of that, right? If we're not balancing the risk that includes the administrative and technical controls and the appropriate investments commensurate with the risk we're talking about. Uh, I, I think that's really, you're, you're assuming more risk than you're probably comfortable doing so and doing it in an unknowing way is even worse.
Well, I guess the question becomes, are you making your decisions based on risk or on finances? Sometimes you walk into, and of course I talk with small business owners all the time, and you run across some who say, I'm going to make this based on what's best risk level for my business, because I'm collecting information, because I don't want to get hacked, because I don't want to lose my business to this stuff. And then you have people who say, I just don't want to spend the money.
And, and so the, the question is, is like, if you're talking about cybersecurity and risk. We've just said, we saw, like Whitworth, I was impressed. They had a lot of stuff in place, and they still had a really big incident. So, what if you have nothing in place, and you get hacked? Is insurance going to cover it? There's those kind of questions. I think you have to, like, be real about what's happening in the world and ask. Ask yourself, is getting the best deal worth it? Yeah, absolutely.
You know, I'm going to jump to a different question because you mentioned it. What do you think businesses can do to effectively bridge the gap between cyber security insurance and security operations center services? And how do you feel MSPs play a role in that, and at what level? Yeah, I think that was my question. So, um, we went through that. We just recently acquired our SOC. Um, and we, we have managed services through another vendor that's separate from our SOC.
Um, we, we really wanted to make sure that, um, our insurance plan and our SOC communicated. And that there was, that there was, um, that when we needed to activate, um, our IRP, that, um, and there was an incident, that, uh, that they, that
¶ What do you think businesses can do to effectively bridge the gap between cyber security insurance and security operations center services? And how do you feel MSPs play a role in that, and at what level?
they worked well with each other, right? So that we can get all the resources that we needed, and that we were going to be covered correctly. And then our SOC, and, uh, they were also helping us understand where our shortcomings were with our insurance plan. So this was, it was really helpful that they were actually partners before. Um, we go through, I know we don't like name dropping, but we go through EIG as for our insurance company.
And, and their, um, the SOC that we chose, they're, they're well-versed in, in that company and they have connections with them already. Yeah. So that was, I felt, I felt that was really important to, to get that going so that we can, um, um, really mitigate the amount of time or, or, you know, the increase or make things quicker in our response. Right. And, and, uh, and that there wasn't anything that we missed and that we weren't hanging out with liability. That makes sense.
I mean, we talk about tabletop testing, right? The whole point being to have practice before you got there and making sure your vendors are integrated into practice together is critical as well. Well, I think you said the key word. You said partnership. And I think a really good MSP provider is providing a partnership. Understanding that you having good cyber security insurance
that is going to pay out if you have or when you have an incident is really key and that's where the MSP comes in, right? Because we're putting things in place to ensure, we're, we're effectively checking the boxes on that insurance form, that really long insurance form you have to fill out and ensuring not that you just check the boxes but those, those things actually exist so that when you have an incident and the insurance company asks you, Did you have 24 hour SOC? Are you encrypting data?
All those questions that they ask that you can actually say yes. So they go, Okay, looks like you did everything you should. And so there's no reason why we shouldn't help you with this incident. Absolutely. If I might add some perspective there, not necessarily disagreeing.
In my experience, it is rare to find someone that is that comprehensive at the right price point, at least at the more SMB level, and at the enterprise level, they tend to insource it, but, uh, dealing with the insurance companies is, uh, day to day for me, and underwriting has become incredibly complex, uh, and while there are a lot of discovery questionnaires, it is worth noting, especially for the audience, it is, uh, when you activate that retainer, they're actually in charge
of the investigation and there is that, that balance there of if you're hoping that they foot the bill, you're also ceding control of the narrative, the investigation, your recovery, uh, when you can actually restore services, uh, you're ceding all of that control to them.
They pick who they're going to bring in for incident response, um, and like you kind of mentioned, if they might say, well, you didn't pick someone off of this obscure clause, you didn't pick a provider that we sanctioned, so, you know, this entire claim is null and void. Um, so there are a lot of things because they are also very good at risk management to, to be aware of and cognizant of and, and make kind of that informed decision.
Uh, you know, and there have been incidents where, you know, we say, we go to the insurance company and say, hey, we think there might be a thing, we're putting you on notice. And they immediately want to come in and wrap everything under legal privilege and, and try and control the investigation. Uh, and then similarly,
you know, right up the road from us recently, another healthcare system was, uh, was hit with ransomware and they weren't allowed to share any information, which is very atypical because generally, especially within healthcare, you want to provide some heads up to other partners, not just on the tech side, but also operationally, you know, you're doing ambulance diversions. We kind of need some context on what's going on. So I'm sorry. Well, I was going to say, I think you're right.
And, and I think part of it is, you've got to be careful because there's insurance regulation but there should be a level of partnership with you the client and helping you ask the right questions to your insurance vendor so that they then know that you have the right incident response vendor and you've got all those things in place. There's nothing wrong with asking those questions ahead of time just to make sure that everything you're getting from your managed provider
is going to be covered and they have the right tools that match what your provider, what your insurance company is asking for. I think it's also a good idea to audit your, your insurance plan every year too because I'm noticing that it's changing every year and the pricing changes and then their service level changes, right? So having a partner like that to help you understand where your gaps are at would be, would be really helpful.
I think it's where risk assessment on a regular basis is also really important as well. I'm kind of curious, it sounds like you just recently went through the underwriting process, not to divert too much. Go ahead and moderate, it's all you, man. Did you find that, you know, the market's become increasingly, I mean, almost less competitive? Because our experience is that there are less people that are willing to even offer these sorts of policies.
So I guess it really depends on how many incidents they've had, right? So, um, we haven't had anything. We're a relatively new organization, and um, it was kind of like a rider on top of our regular insurance plan. And then that was kind of concerning to me because I don't, they didn't understand, they didn't understand the IT security part. I would, I was thinking, right? So, because it was just an overarching insurance policy.
So, um, I, I noticed that some of the service level changed, like they wouldn't cover, their coverages were changing each year, even though our pricing was going up. So, actually understanding what they do cover, and how, and when, and what the whole, and what it actually looks like when you have an incident is important. And we, and I, our partners actually help us understand what that, what that looked like. Well, and again, I'm going to disclaim again, I'm not an insurance person, so.
Just saying that, but there is a difference between insurance add ons and actual cyber security insurance, and that's something you should talk to your agent about, just so you understand the difference, because what you're saying is accurate from what I've seen. There are less and less policies available for cyber security insurance or less providers willing to jump into the space. And in some cases it depends on the market or the business that you're in.
So, I just renewed my cyber security insurance and it was like, last year there was five, this year there were three. So that, that's, that's a real legitimate thing, and it really depends on the industry that you're in, and how much risk they've seen, and whether they're willing to take that on. Yeah, I agree with that. That's um, I think it's very important that they understand your business. They understand your flows, they understand your critical infrastructure, all of that.
I think that that's huge, even with, and especially with our managed services too, they need, that's... Well, I don't know why I didn't say this in my introduction, but I just wrote a chapter in a, in a cyber security book. And my particular thing that I wrote it on was the cost of an incident. And what you'll find is add ons don't generally cover enough to cover a real cyber security incident.
So, and I did a lot of research, way more than I expected to do on the topic, and it was astonishing just the amount of money that can be spent for a cyber security incident, and then you look at just regular premiums and they don't cover it.
I've seen quite a few policies, especially offered to SMBs that cover 50,000 worth of incident response, which sounds like a lot of money, but that's like a day worth of effort, you know, when you're in the middle of it, and then you're on the hook for the rest. They won't cover it. Yeah, if you're a million dollar company, you're talking about a 200,000 to 300,000 incident potentially. Exactly.
Alright, let's take some questions from the audience if we have some. The question was, you know, if you're evaluating an MSP, how much due diligence are you doing and what does your risk assessment or vendor management process look like for selecting that vendor and making sure that that vendor is appropriately covered when they're managing your business operations? I'll say it this way. If you ask me that question directly as a business owner, I wouldn't be offended.
Like, if you ask me questions like, Hey, do you have errors and omissions insurance? What kind of training are you doing? I'm not going to be offended by that because I'm proud of what I have. And so, I think that you shouldn't be afraid to ask what might seem like maybe offensive or hard questions to a managed service provider because that's important to your business to know that. I think you should ask the question.
¶ If you're evaluating an MSP, how much due diligence are you doing and what does your risk assessment or vendor management process look like for selecting that vendor and making sure that that vendor is appropriately covered when they're managing your business operations?
I think that's a great point. Great question. Yeah, and I wouldn't be afraid to get legal involved too when it comes to, comes to that if you have a legal department or if you have a, you know, somebody on retainer or whatever. But, um, I think that that's, that's what we did.
We, we, we have a, we had a consultant help with that to help understand, um, what, what the, um, MSP was providing and then what our insurance company, um, what they would cover and then to make sure that every, all the bases were covered. Fortunately, E&O is pretty standard, like, requirement. You know, like, you should have it in our industry. There was a portion in that question that, no offense, wasn't restated.
I want to just answer very quickly, which is, at least at our level, we don't have someone else fill it out. So that's not necessarily a concern for us. I would imagine if you are having assistance, then yeah, you would want, want that sort of coverage.
Um, and if you weren't aware of it, then hopefully you're here and you found out, um, as far as the due diligence process in a more total sense, uh, you know, in my role, there's a good amount of time, especially this time of year, uh, spent on assessing that risk, both from an operational capacity, from a legal capacity, uh, you know, we're fortunate to have legal counsel on staff. Um, you know, General Counsel and other staff attorneys.
Uh, and so we, we do a lot of contract review, um, myself included. We're looking at different clauses in there. We do assessments on, based off of the, uh, you know, the nature of the relationship. You know, it's going to favor, you know, again, going back to CIA. Depending on what they're doing for us, we might look a lot deeper into certain parts of that triad. Um, you know, so if they're directly patient supporting availability's gonna be huge.
If it's something related to our emergency department flow versus maybe a less critical application, but still dealing with a significant amount of, uh, PHI or PII, uh, we're gonna do a little bit more on the integrity and confidentiality side and we take, we take a look at their shop as well, especially as the amount of records involved scales, as the amount of money at stake scales, we start to look a little bit deeper. Um, I'm not a snob. I don't demand a SOC 2 and things like that.
Some of my peers do. Uh, but I think we take it with a bit of nuance that that's just a report and not everyone needs to have it. But it's great if you do and we'll look through it. Um, but we've got questionnaires and we have conversations. Um, you know, we've got riders that guarantee certain controls both administratively, as well as, uh, from a technology standpoint. And we try and balance the risk, uh, for new vendors, as well as existing vendors through kind of all of those, those facets.
Awesome. Um, I think I saw a few other hands go up when I asked for questions. I have other questions out here? So, so the question was how, you know, you're all running, you know, these various portions of the cybersecurity, you know, portion of your business or an MSP or what have you, how are you keeping yourselves educated and up to date and making sure your skills and competencies remain relevant while you're focused on a broader array of things that might not just include cybersecurity.
So two things we do as an MSP, and this is just my company, for some of the cyber security safeguards, we actually outsource, like I have my partner here who was on one of the last panelists, so we outsource some of the things to others that are more on the comprehensive level, so like if it's directly looking at incident response, at looking at log ingestion, all of those things, um,
it's, it's better for me as an MSP to hire a team and outsource that, uh, as far as like my individual employees. Uh, we're smaller, we're actually a four, we don't, it doesn't look like it, but we're a four person shop. So, it's just my wife and I and two techs. Uh, from the very beginning, we just said, hey, we're going to invest time and pay our guys to take trainings and pay for the trainings themselves. That's just some of the things that, that we've done on our own.
Um, and that's what I recommend. We have, we invest heavily in just training and then also having an outside person come in and help our team, uh, grow in that, in that technical area. So. I've got longer, so you go ahead. Yeah, mine's pretty short. So. So actually, we, we rely quite a bit, our IT department, on our managed services to understand what's, what's important now.
And, and our SOC in particular, um, we have weekly meetings with them and, uh, we go over all the, you know, the current threats and vectors that are, you know, that are happening. And, um, and then I, that kind of pointed me towards Drip7, and Heather, she's been, she's going to be helping us create our training program for our IT department, but not just them, but also the whole agency.
So, um, um, we, I guess we just, we rely on, on our partners to help, to help us understand where, um, what direction we need to, we need to, um, focus our trainings on. So, uh, for me personally, uh, there's a few things and it, part of it, I think you kind of touched on it, uh, pretty heavily in your, your answer. The culture for my team, um, I didn't necessarily say this earlier, but, uh, so we're, we're hybrid.
We do have a partner that helps us with 24 by 7 coverage and augmenting our detection and response pipeline, um, and activities. Uh, but we're fortunate to have the resources to have a good amount insourced as well, so we're not fully reliant on them. Uh, and so, from the managed service, you know, provider, really the MSSP side, they do help us quite a bit in outsourcing those responsibilities.
Uh, you know, having the resources to focus exclusively on the detection and response pipeline, making sure that we understand the telemetry that's going in. Um, we're constantly working on the right artifacts that are kind of a part of that pipeline because cost is a factor and we can't just send them everything. And also, um, there are things that we aren't in scope that we need to handle internally. Uh, and so that what goes into kind of staying up to date. I mean, conferences are huge.
Uh, I was all last week and leaving tomorrow again for, um, various continuing education conferences. Uh, some networking groups, uh, go a long way. I read a lot. I have some newsletters that really go a long way. When I have the rare time to listen to podcasts, sure, uh, podcasts go a long way.
It's, it's about finding those sources that are, uh, the right use of your time, I would say, and just keeping up on where are, where is the industry going, uh, again, understanding the risks and then also just how does the technology work. Um, I think one of the things that is relevant to the answer for the, your question, uh, specialization is really great, especially at the enterprise. But for me, I feel it's still so important to have a broad base of just what the heck's going on.
And I, I was very fortunate to have those opportunities early in my career. Uh, admittedly, maybe working slightly too much. You don't want to look at old time cards, but, uh, regardless, right?
Just trying to understand a little bit more about how everything works because it's harder for us to be effective in information security if we're just speaking from kind of the bastion of, well, security said do the thing and we don't actually understand the impact, we don't understand the magnitude, we don't even really understand how the app works, we just see the output of a vuln scanner and just say go, go fix it.
Well, and I would say too, one of the big pivots for our business is we really moved towards MSSP in the last year and a half of our business. Uh, it's peer groups for us, so I'm a part of a really large cyber security focused peer group. And just like you, I'm going to conferences four or five times a year and listening to podcasts. I listen to them more because I drive a lot. So I, I just listen to a lot in the car.
And then we, we put that information out to our staff and our staff meetings and through like teams, news articles and things that we're learning. So I think peer groups for any industry are phenomenal. Like they just help you gather information. And then you, with us, we're seeing nationally. 300 minute managed service providers who are experiencing all the same stuff and they openly post incidents that are happening and how they're responding to them and things like that too.
Do you have any recommendations for the crowd on kind of general ones to get started in? Some podcasts, uh. Or peer, or peer groups. Yeah, well if you're, well if you're an MSP, uh, come talk to me and I'll tell you. Uh, but there's, there's one. Uh, I don't know how many MSPs we actually have in the room, but I, I, I'm part of the Chris Weiser's group, if you know who that is. Uh, the seven figure MSP. They've been phenomenal.
Uh, and then as far as podcasts go, uh, I have to look at my list, because now they're on auto. I can look at my podcast list, but there's some really good ones out there that do both news, so like I get a five minute and a 30 minute brief every day. And then I had, then usually on Fridays they have an actual topic where they tear down something that happened and go through the details of it.
So, if you're, if you're wanting to just have some basic knowledge, there's some good resources out there, podcast wise, or, uh, or what not, just to be able to at least understand the threat level that's happening. And I would, oh, just real quick, I would also add there are local information security groups, um, I don't know if there's still 2600 around, but there's DEF CON 509 and some other ways to engage. I guess I was just going to ask you, I mean, we, our industry is pretty unique.
And so we have our peer groups, we kind of, or our partners actually, we're starting to come together. Um, we have a network, we have networks that touch each other in our, where we're at. And, uh, so we're working with those people too. You know, like we've invited, um, our other agencies to our tabletop, um, exercises, um, and, um, so I, I think that's, I think that's another method too.
I mean, just within your own industry, I think you were kind of talking about that with your, with yours, but, um, that's, that's what we do too. We, we, we, um, leverage our, uh, our partners and, and, and try to open up lanes of communication. Most likely your peer groups within your own industry are talking about this now because it's such a big issue, a big hot topic, so you can utilize that as well. Yeah. Yep, I agree. So, you know, we covered a little bit.
I want to move on to this question. Um, you both talked about, you know, having a hybrid relationship with the SOC and managing that and, you know, weekly meetings with the SOC that you have and how you coordinate that. How, how do you manage the performance of these vendors, you know, understand and evaluate whether they're kind of meeting the requirements for you in an ongoing way once you've selected them? How do you make sure they're doing a good job?
What's your process and approach for that? Thank you. Uh, I feel like I have a long winded answer. I think my viewpoint is slightly biased since I used to work for an MSSP, but I will say that I still somewhat believe there's only so much you can do to have the accountability there because, you know, proving a false negative, you know, the absence of anything wrong is obviously impossible. So, uh, you know, at a certain point it's, what are the established criteria for success with them?
I mean, sure, you have penetration tests come through. How much do they catch? Uh, you know, you can have those conversations. Talk about the artifacts that did or did not show up. Um, you know, the, the old school mentality of just like, well, time to response, mean time to detection. A lot of those things, I think, they sound really great on paper, but mean time to detection, again, how do you, how do you consistently keep that metric up to date, scale it very well, right?
Because you're assuming that you're going to have the artifacts to begin with to show here was initial infection to time to detection and you know, those, those are just tough things to pull off.
Um, the other things that from an accountability standpoint we do, I mean, they're, they provide us with various materials, they help augment our, um, our CTI program, uh, which is counter threat intelligence, um, they're, they're a part of that, uh, and so I think there's a little bit of accountability of, are you also letting us know, it's anecdotal, but are you letting us know the things that we know are out there that, you know, we found through
another source that you probably should also let us know, um, given your role? Well, I'd say, too, like, I'm on the flip side, right, because I'm, I'm the guy you're auditing, so. Um, one of the automatic things that we've built in is, like, business reviews. So you're meeting with your team weekly, which is I don't, I honestly don't meet with my people, my customers weekly unless there's a problem. But, uh, usually it's quarterly for us. So we usually do a quarterly business review with them.
And we, we cover, like, did you have any incidents in the last, this last 90 days. Uh, we did some, we do regular phishing tests. You know, uh, did we have anybody who, who fell for those? Uh, here's where you're at in education. Is everybody caught up? Here are new things, new trends that are changing. So we actually go through those things quarterly with every one of our clients just to make sure that they're up to date on that stuff.
I think that it's, while I take some responsibility for my client's cyber security, it's also, they need, as a CEO, they need to know what's happening in their own business, and I think, uh, to be a really good partner, we have a responsibility to help give them that information so they know what's happening. Yeah, absolutely. So ask for it. So, you know, out of curiosity, so, you know, we talked about performance management. Looks like I've got time for one question maybe, maybe two.
Um, performance management, let's talk about selection real fast. Are there any key critical criteria that you think are important to prioritize when selecting an MSP or MSSP? What are those and why do you believe that those are the ones to be prioritized? Yeah, I can start.
It was really important for me for our managed service providers to understand our business, understand our workflows, um, and then understand our partners too, um, and, cause we're all gonna come to the table when an incident happens, so that was really important, and they needed to demonstrate that, they needed to show that they had relationships with these, these other organizations already, and, um.
So that was, that was, that was the most important part for us is to make sure that they under, because our business was, is unique and, um, we can't go down ever, um, we can't, we can never stop taking 911 calls and we can't stop communicating with our officers and, and medical professionals too. So, I mean, it's, it was really important that they understood our business. Yeah. So industry alignment, you know, or, or at least that business alignment critical.
Yeah. I mean, that's, that's usually normal, right? I mean, but it was, it was exceptionally important to us. Yeah. Absolutely. Absolutely. Yeah, I mean, I would fully, fully concur with that. Um, enough, enough contextual awareness of how to be effective. And we don't use too many managed service providers as an organization, um, especially from a technology standpoint.
Um, but regardless if it's MSP or MSSP, I think there's, uh, a little bit of just the BS factor of like, do you actually know what you're talking about? Because there's just, uh, a lot of, uh, a lot of people have a very good story to sell and capability to execute is a completely different conversation.
Um, and, you know, that was one of the first things when I joined was actually finally having the organizational buy-in to bring in, uh, support for Security Operations Center because we were just, when I got there we were really just limping off of who we had at the time, uh, internally. It just really, we were trying to get it to the next level. My predecessor did a great job with, uh, the resources that they had.
Uh, you know, obviously the, the world's evolved, and so capability to execute is huge. Um, I think, again, just coming from a fairly technical background, I also have my own opinions on, let's say character references. Um, you know, understanding a little bit more intimately the folks who work at these companies and do I buy into the work that they do, the research I see, um, the outputs of kind of what they do. That's a, that was a big factor for me in my selection of kind of who, who do I think is really going to help augment the gaps that we have? And especially that highly specialized area, um, again, and kind of the detection response, you know, things that we can't do as well internally. Um, financial stability is also a bit of a thing. Um, see I told you, it was, it was, Heather was right, it was worth waiting until the end. I mean the dirty other secret is some people have less tolerance for VC funding than others.
Uh, and so if they're very heavily, heavily VC funded, that can be a part of the equation because that kind of changes incentives for them as your provider versus, um, if they're a little bit more self-sufficient, you know, their, their incentives are much, much different from my perspective, so.
Yeah, I think, uh, if you're talking about, like, maybe you're smaller, I think when you first walk into that first conversation with your, with a potential MSP, uh, I think they should be asking you important questions about cybersecurity and what you're doing. If they walk in and they just count up workstations and give you a price, they're probably not a managed, or they're probably not a cyber security focused company.
I, I think that they, they have to be doing some level of understanding your business, understanding your risk level, asking really good questions, and doing a longer, the sales process is not a day, it's more like a month in reality with a good MSSP. And so it's really a relationship that starts and takes a while to build up, uh, to make sure you have the right fit for your organization. I worked in a 24 hour monitoring center for home security for 20 years.
And understanding that versus like the, the, what it's like when you do go down. I don't know if it's ever happened, but I remember a couple times where we like had a full on phone outage.
And to under, to have a company that understands that pain point and what that's like, and to just be ready to put, help you put redundancies in, I think it's super, super, super important, and you have to just make sure that you, they understand that, and they're willing to partner with, on that, because, especially if you're unique.