April 13, 2021


Gone are the days when every company had their own internal IT department.

We’re well into the era of Managed Service Providers.

But how do you find the right one for your business?

In this episode, host John Verry speaks with Charles Weaver, Co-Founder of MSPAlliance, and covers everything you need to know about MSPs — and what to know if you are one.

They discuss:

  • The importance of validating your MSP
  • MSPs vs. MSSPs, and how each fits into a world with competing security standards
  • What MSPs need to know about the future


Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.

Narrator (00:00:00):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:00:25):

Hey, there. And welcome to another episode of the Virtual CISO Podcast. I’m your host, John Verry. And with me is Andrea VanSeveren. Good morning, Andrea.

Andrea VanSeveren (00:00:35):

Good morning. Hi John. Hi everyone. Great to be here today.

John Verry (00:00:39):

So what’d you think of my conversation with Charles Weaver?

Andrea VanSeveren (00:00:43):

I thought it was really good stuff. How you guys covered the MSPAlliance and the benefits and access it gives folks around cloud services and managed services, especially now that MSPs are going to need to be able to show compliance with GDPR, CCPA, CMMC and other compliance standards.

John Verry (00:01:04):

So I think you’re right, there’s been a market shift, because MSPs have started to become targets. And because of that, there’s a greater recognition in the supply chain, that folks that have access to sensitive data need to be held to a very high standard. So I agree with you. You see that now with let’s say the Polaris contract coming out of GSA where they’re going to be asking MSPs to become CMMC level pre-certified potentially. Which is a high bar and most MSPs are not yet at that level of security. So it’s going to be interesting. So from an MSP perspective, I think this is a great episode.

Andrea VanSeveren (00:01:39):

Me too.

John Verry (00:01:40):

I think Charles is probably the most knowledgeable person in the world on MSPs. I know that sounds like a crazy bit of hyperbole, but literally, this guy founded the MSPAlliance over 20 years ago and has spent the last 20 years fully dedicated to helping MSPs service the industry, navigate the challenges and become security conscious. So I think he’s got a ton of great insights. So with no further ado, let’s get to the show.

John Verry (00:02:12):

Mr. Weaver, how are you today, sir?

Charles Weaver (00:02:15):

Fantastic, John. Good to talk to you.

John Verry (00:02:17):

Good to catch up as well. So always like to start super simple. Tell us a little bit about who you are and what is it that you do every day?

Charles Weaver (00:02:25):

Yeah. Charles Weaver. I’m one of the co-founders of the MSPAlliance. We are an association of around 30,000 managed service providers throughout the world, have been doing this for about 21 years now. And basically, we advance the cause of managed services wherever we can. That’s the short form answer. To accomplish that we do a lot, but that’s our main mission is to really promote managed services and managed service providers.

John Verry (00:02:54):

Yes. And I’ve actually been, as you know, I’ve been to a couple of your events and actually spoke on a couple, and I would say that MSPAlliance runs a really tight event and is a really good organization. So we’re excited to have you on today. Thank you. Before we get down to business, I always ask, it’s my tradition, and you can tell what mine is. Wait, wait, wait. There it is. There’s the camera. What’s your drink of choice?

Charles Weaver (00:03:17):

Well, I see your bourbon over your, I guess your left shoulder. So yeah, bourbon would be mine typically for a situation like this. Maybe a Blanton’s with a single cube or a ball of ice.

John Verry (00:03:31):

Single cube. Happens to be a Basil Hayden’s. I hadn’t had it in a while and someone who was in the office also has some bottles on his shelf. And as I was getting my eyes, I’m like, I’m like, “Oh, I haven’t had that in a while.” So he probably just found out, he listens to this podcast, so he probably just found out that I broke into his bourbon stash. So maybe we’ll cut that from the episode.

Charles Weaver (00:03:52):

Yeah [inaudible 00:03:53].

John Verry (00:03:53):

Now, you are in, remind me where you’re located?

Charles Weaver (00:03:56):

Chapel Hill, North Carolina.

John Verry (00:03:57):

Chapel Hill, North Carolina. We’re seeing a lot of great bourbons come from non-traditional, non-Kentucky areas. Anything great down in the North Carolina area that I should be looking for?

Charles Weaver (00:04:07):

They are producing a lot of, interestingly enough, wine and other spirits. Actually we’re getting a lot of bourbons, I would say, from unique places like Virginia and Tennessee and New York, actually. I don’t want to get into the politics of whether or not you can actually produce a bourbon outside of Kentucky.

John Verry (00:04:26):

You can.

Charles Weaver (00:04:27):

I don’t want to offend our members over there, but yeah.

John Verry (00:04:29):

You can. You mentioned New York, I mean, would that be, you’re talking about one of the Baby Hudson’s, or you’re talking about Widow Jane?

Charles Weaver (00:04:38):

Yep. Both actually. I’ve seen those frequently on our street where there’s a bourbon club in our street, and there’s a lot of people who like those New York ones. I’m kind of a purist. I go more towards the Kentucky variant of bourbon. Or if I got to go to scotch, then go to scotch.

John Verry (00:04:54):

Yeah, I don’t go to scotch, but yeah, out of Virginia, Bowman, have you ever had the, I think it’s John J. Bowman?

Charles Weaver (00:05:01):

[crosstalk 00:05:01].

John Verry (00:05:02):

That’s a good one out of that particular area. So that’s talking about bourbon, something I could do all day, but it’s not something that you’re here to talk about. So let’s talk about why you’re here. So from my perspective, I think you started the MSPAlliance at an awesome time, because I think over that 20-year period, they’ve taken on an increasingly important role in organizations being able to conduct business operations. So can you talk a little bit from your perspective about that history? Because I know I look at it as, it started as specific outsourcing, it’s become more extensive outsourcing of entire departments. And I think now you’re seeing a similar path, and you may or may not agree, relating to security components of managed services.

Charles Weaver (00:05:47):

Definitely yes on the security. It’s funny. I’ve been hearing for 21 years this phrase or some variant of it, which is, “Wow, boy, managed services is really hot right now.” And it’s like, okay, yeah. Over 21 years, it’s like we’ve gone from the kids that nobody wanted. Everyone thought managed services was going to be a dot-com flash in the pan, it was going to go away. It wasn’t going to be around very long, and it proved them all wrong. And then we’ve gone through several of those inflection points, I feel. And they’re more like plateaus where you just kind of get to a higher point and then people say, okay, well, is it done? Is it done? No, it’s not done. We’ve just been escalating. I agree with you completely. Security right now is the main thing. I would disagree that we have not been paying attention to security for 21 years.

Charles Weaver (00:06:46):

I reject that wholeheartedly because we had MSPs since the very beginning. I mean, a lot of those dot-com MSPs around were purely firewall managed service provider entities and business models. But I think that there’s always something to be said about raising the stakes, as it were, about security awareness. I think the MSPs are in a challenging spot right now, chiefly because they have not only their own house to maintain, but they also have to contend with customers who are not doing what they should be doing from a security standpoint and trying to tell the rest of the world, “Hey, look, I’m not responsible for them if that client doesn’t want to do what we need them to do.” And I feel that that’s kind of a PR battle that we’re going to have to wage here soon.

John Verry (00:07:33):

Yeah. So I was not saying or suggesting in any way, shape or form that MSPs haven’t always had a security component to what they do. I mean, the fundamental implementation of a password is security. And access control fundamentally is security. So I think there’s always been a security component to what they’ve done. When I say that, I feel like it’s following that same arc. When we started with the MSPs, we started as, oh, let’s just outsource Exchange. And then, oh, that’s working out pretty well. Let’s outsource Exchange and server maintenance. And fast forward 10 years and suddenly you no longer had any IT people inside of your organization. We still had security people or people who owned security within the organizations. And now I think we’re starting to see the same kind of a change, that increasingly more of that security direction, more of the strategic roles, more of the actual testing and things of that nature are beginning that same migration, much the same way that we saw that same migration, and potentially to fully outsourced security departments that are run by MSSPs.

Charles Weaver (00:08:38):

I completely agree with you, John. I think that you’re going to see, as we always have, different layers. You’ve seen this outsourcing security starting at the enterprise level. And then it always seems to go enterprise, mid-market, and then finally filters down to the SMB. But you’re essentially correct. I mean, here’s what we know. IT unemployment, even through the pandemic, has been relatively good for our sector. Security is even tighter, and when it comes to the labor market for cybersecurity professionals, it’s incredibly challenging to find good talent. So all of those things bode well for the MSP who says, I either have a good stable of MSP technicians with technical security capabilities and/or I also have solutions and vendors in my supply chain and technologies that can do things with AI, machine learning and the new stuff that we’re starting to see here with the kind of automated machine learning SIEMs. These are going to be force multipliers for the MSP that really they’ve never had before. So I think we’ve got a probably five, 10-year period coming up that’s going to be really exciting for security.

John Verry (00:09:51):

So one more time, you’re going to have that period of, “Wow, MSPs are really hot again.” This is the latest iteration.

Charles Weaver (00:09:59):

10 more times. Yeah, exactly. Absolutely.

John Verry (00:10:02):

So question for you, and this is a question that I struggle with, and it’s certainly, it’s one that I struggle with and I have a horse in the game. I absolutely understand that my perspective can be influenced by who we are and what we do as an organization. So we’ve talked about this idea of, we went from, oh, a guy doing break-fix and working on certain servers, to the IT department being outsourced, to the MSP taking on that CIO/CTO role effectively, whether or not they label it that way or not. Many organizations have no IT people. So someone fills that seat. It’s the MSP.

John Verry (00:10:41):

So if we look at the same concept with the MSSP, this idea of the MSSP being responsible, and/or MSP, especially if they’re blended, being responsible for setting the security direction, executing the security direction, and validating that the security direction has been executed well, feels a little fox-in-the-henhouse, a little bit dangerous. How do MSPs walk that line? Do you see that as the same concern? How would they walk that line? What would be your suggestions to both the MSP and/or the people that are engaging in this piece?

Charles Weaver (00:11:12):

Yeah, it’s an excellent question. I actually feel the MSSP has a better business model argument to say to the MSP, you need us. And here’s why, and now this is making a couple of assumptions. You remember the old master MSP business model in the early 2000s, where you had, chiefly at the behest of the software, the RMM software vendors, who were wanting these master MSPs to kind of offload their onboarding of new resellers. And they were really largely just outsourcing a NOC and a help desk to new fledgling MSPs. That kind of flashed out. It doesn’t really happen that much anymore. It still does, but not to the sense that it did 15 years ago. The MSSPs are saying we can provide a security operations center. And really, and I’m not talking just about a help desk.

Charles Weaver (00:12:06):

I’m talking they can actually do log analysis. They can take all the stuff that you would think of as a SIEM. SIEM as a service, where they’re really doing threat intelligence, they’re doing some really detailed stuff behind the scenes that no reasonable average-sized MSP, let’s call it, would have the capabilities to do. I mean, it’s really next-gen type of stuff. And I don’t think any MSP could reasonably invest and create that in time to come to market. I think they have to partner. And I think that that’s going to be, following your question or line of questioning here, I think that that is going to be something in the 10 years coming up that will be really exciting to watch, because the stuff that I’m seeing is pretty revolutionary and it’s very needed in the market.

John Verry (00:12:58):

Got you. So when you think about, so are you seeing, because you work with, you said 20 or 30,000. So one of the problems that we’ve had over the years is that, because I’ve run SOCs and we’ve written SOC software, and been very involved in incident response. One of the biggest challenges that we’ve always had is that there’s often a separation between the IT operations and the security operations. And we’d be sitting and saying, hey, we have this alert that looks really serious, but you need to actually have somebody who’s got admin credentials log in to this box and do X.

John Verry (00:13:33):

So there’s always been this hesitancy to have the outsourced entity have that level of privilege. And now you’ve got RF, I’ve got the MSP, they have that, but in a perfect world that MSSP, in terms of purely incident response stuff, the MSSP being your MSP would kind of close that loop. It would be the last mile, if you will. Are you seeing MSPs that are doing the MSP component as well? So you’re basically outsourcing both your IT ops and security ops to a single vendor.

Charles Weaver (00:14:04):

Meaning are we seeing customers doing that?

John Verry (00:14:06):

No, are we seeing the rise of MSPs that are not just strictly security? They’re crossing that line. They’re blending those two roles.

Charles Weaver (00:14:17):

I can’t say because it’s under embargo, so I’d be violating an embargo. But there’s going to be some big acquisition news coming up in our sector over the next couple of weeks with a software company, and I can’t say any more about it. But I think you are seeing a consolidation at a certain level of these companies, that we saw Datto go public last year. They’re amassing a massive gravitational force of pulling all technology related to managed services, including security, towards those types of companies. So should we think of that as something that’s going to continue? Absolutely. Are we seeing the MSPs do what you suggest and kind of consolidate both the security and the general IT?

Charles Weaver (00:15:07):

In some companies, yeah. I mean, yeah, there’s a lot of MSPs and we’ll say a lot, it’s more than just an anomaly. There’s a number of legacy MSPs who have developed security practices that are fairly robust and do both security and IT, and then there are some that are saying I’m going to be very disciplined and I’m just going to stick to my wheelhouse and my focus and I need security, but I’m going to partner that out. So I think you see both.

John Verry (00:15:35):

Got you. And from your perspective, your role in the world, your job isn’t to opine on that, your job isn’t to encourage one model or the other. Your job is just to make sure that these organizations that are in either role are being well-represented in terms of the industry and that they’ve got the right credentials, validation, and upstream support. So you really don’t have a horse in that case.

Charles Weaver (00:15:58):

No, I don’t. I don’t care one way or the other. What I do care is, and this is ultimately where the pressure is on our head is, when we get asked questions from legislators or regulators, I like to have a good answer. I like to have an answer that says, “Hey, we’ve got the stuff under control, everything is fine.” And I honestly think that, we had 24 months of so-called MSPs being hit by ransomware. There’s no way around it. You can go do a Google search and you can see this stuff. And the insurance industry got involved and said, “Hey, we think MSPs are high risk.” Okay, fine. So we had that to deal with, and you’ve got Louisiana passing the first MSP regulation law effort.

John Verry (00:16:46):

Really?

Charles Weaver (00:16:47):

Yeah. Yeah.

John Verry (00:16:48):

I didn’t realize that.

Charles Weaver (00:16:51):

Yeah. We thought California and New York would be the first people to move, but Louisiana-

John Verry (00:16:56):

It’s always California. Louisiana is not where I thought it would come from.

Charles Weaver (00:17:01):

Yeah, me neither. But they actually came up with something that’s plausible and actually pro outsourcing managed services. It’s a registration law that went into effect actually February 1st of this year. But back to the point is that we’ve got a good message to tell. The issue is, I think, the controls, security controls. You know what I’m talking about when I say security controls have not filtered down, now below the enterprise level, I’m talking, have not filtered out to the end user yet. And you still have a pretty big disparity of what some organizations are still doing, even though they’ve outsourced to an MSP. And I think in their minds, they say, if I’ve outsourced, then this is taken care of. I don’t have any more risk. And that’s a real big… that’s an understanding gap we have to cross.

John Verry (00:17:58):

A huge gap. And look, I mean, I know you’re an MSP guy and there are some great MSPs, and just the same way there are good doctors and bad doctors and good lawyers and bad lawyers, there are some bad MSPs out there. I know because we’ve done testing or gone into an environment and said, like, what the heck is going on here. So to that end, and maybe that’s a good logical extension. Don’t let me forget. I do want to bounce back to the clouded question, but let’s follow this thread for a second.

John Verry (00:18:26):

So you just brought up a really significant issue. There are some great MSPs, there are some perhaps not so good MSPs, there are organizations that trust their MSP so implicitly that that might actually not be the right way to do it. So what advice do you have for someone looking to select an MSP? So how do I know whether my MSP is going to be one of these ones that gets hit by ransomware? Or how do I know my MSP is competent? How do I know they’re going to treat my data securely? How do I know they’re going to set me up for success?

Charles Weaver (00:18:57):

All fantastic questions. I get asked this a lot. That’s like asking me what kind of clothes should I wear today? Or what’s my favorite meal? I don’t know. What is your favorite meal? What do you like to eat? These are personal taste questions. What MSP should I be using? Can you recommend an MSP? And my first question is, what do you do? What do you need help with? Where are you? I mean, there’s like a litany of questions that I ask them. And then they finally realize, it’s not as [crosstalk 00:19:34].

John Verry (00:19:33):

It’s not a one-size-fits-all.

Charles Weaver (00:19:35):

Yeah. But back to the premise of your question, as I see it is, this is the fundamental challenge that we’ve faced as a profession, which is there is no, and we advocate against this, we don’t want licensure in our profession. We don’t think that it’s the best method for achieving optimal managed services market performance. But there’s no authority that says you are an MSP. You don’t have that with a doctor because I can go to a website and say, okay, do you have an MD degree? Are you licensed by the state? There’s a licensing body out there for physicians, for accountants, for attorneys, et cetera. We don’t have that for MSPs. And so we have a little bit of a more difficult job in picking the good ones and the bad ones. And there are bad ones. And there are people who call themselves MSPs, who are not MSPs, who should never be called an MSP. And I would never paint them with the brush of an MSP. But how do we get the customers out there to understand that?

Charles Weaver (00:20:42):

Well, it’s about transparency, first of all. And I think if the MSP is not transparent, be cautious. If you’re asking your MSP questions, legitimate questions, how they do things and a lot of security questions. Probably stuff that you would ask an MSP if you were evaluating them. And if you sense hesitancy, or if they’re not sure about what the question means. Those are red flags, red flares of maybe I shouldn’t be talking to you about taking over IT management.

John Verry (00:21:15):

So let me ask a question. So getting more specific though. So as an example, how important are something like industry certifications, like for the individuals, or for the companies themselves?

Charles Weaver (00:21:26):

Yeah. I mean, they’re hugely important at an individual level, or if the MSP needs to have competent people who understand the technology. Are the vendor certs useful or not? I think Cisco and VMware and some of the other vendors do actually a pretty decent job of training their channel on the technology that they have. And I think that those are largely good. There are a handful of decent standards out there that are relevant in part to MSPs. Nothing was purpose-built for MSPs until a committee of our members got together in 2004 and solved that problem with MSP Verify. But I think that largely you’re talking about a very, we’re not a very open community, when I say that 15 years ago, I mean, I don’t know if you remember this at MSPWorld.

John Verry (00:22:19):

That time, that 2004 was around the time that I was speaking at your events because you were dancing with what is the right way to verify, build a program for the MSPAlliance to validate their own internal MSP members? And we talked about SOC 2, we were talking about ISO 27001. And I’ve got a fair degree of expertise at 27001. So that was why I was there to talk about 27001. And you and I had some conversations, and I think you guys went in a slightly different direction, a good direction by the way. But I think you went in a slightly different direction than 27001 at that point in time. Correct?

Charles Weaver (00:22:54):

We did.

John Verry (00:22:55):

You went more towards SOC 2, didn’t you? If I recall correctly?

Charles Weaver (00:22:58):

Well, at that time, it wasn’t even SOC, it was still SAS 70.

John Verry (00:23:02):

Oh my God. I forgot it’s that long ago.

Charles Weaver (00:23:06):

This is like ancient managed services history. So we took bits of ITIL, ISO and Six Sigma, COBIT and a handful of other frameworks, and a lot of our own just ingenuity. Stuff at that time, call it maybe eight to 10 years into managed services, where we had some decent operational understanding of how MSPs operated. Remember, 2004, 2005 was fairly, nobody was talking about this stuff, except for us that I’m aware of. But we settled on a standard we own and control and maintain, even to today. But what we did is we went to the accounting profession. So basically the SAS 70 and SOC 2 community and said, “Well, we want you to come in and be the independent validating body of our standard.” We actually looked at ISO, we looked at ISACA, we looked at a handful of other groups. We just felt that the accounting profession [crosstalk 00:24:09].

John Verry (00:24:09):

Well, so we can agree or disagree about whether accounting people are good to assess IT controls or whatever. The nice thing about choosing the accounting profession is they can do an [inaudible 00:24:20]. They can do agreed-upon procedures. So the nice thing is you want to have your own specific set of controls. Once you get to that point, unless you build a whole certification scheme with accreditation bodies, you can’t do that. So really your only choice was to go to them and say, “Hey, do a set of agreed-upon procedures using our standard. And then issue [inaudible 00:24:39] style report.” So I mean, I think you went the only direction that you could go. And I think it was also a good direction as well, to be blunt. I mean, I thought what you guys did was very nice.

John Verry (00:24:48):

So your MSP Verify program, again, I’m trying to get back to trying to be helpful to people, because we get asked this question a crap load, like, “My MSP, we just had a problem. I’m looking to replace them. Who do you recommend?” So if somebody is looking at somebody and they’re part of your MSP Verify program, is that something that I would look for to verify their technical capabilities, their business viability, their knowledge? Explain to me how that program works, and should people be looking for that when they’re looking for an MSP?

Charles Weaver (00:25:22):

Yeah. So the short, not to make a commercial, but just to inform-

John Verry (00:25:27):

No, make a little bit of a commercial, because I think that’s really what you guys bring to the market is, some validation of these organizations that could be helpful to people.

Charles Weaver (00:25:37):

So we ask the MSP, in essence, what do you do and how do you do it? We document their answer. And then we test it, or more importantly, the auditor, the CPA, tests it, and then signs with their license at risk, I guess. They sign the opinion letter saying, yeah, this is actually correct. Or no, there’s actually, we found some areas. We call them exceptions in the industry. So that produces an MSP Verify report. You’re actually spot on. [inaudible 00:26:05] may have changed recently, but basically [inaudible 00:26:08] is the same standard that produces SOC 2. It’s the same thing that MSP Verify is under. And what it does is it gives a customer who’s saying, I’ve had four or five kind of not so great relationships with MSPs, who are you and why should I trust you? Reading that MSP Verify, it’s not a guarantee that you’re going to win that project. All it is, is a factual statement of what the MSP is doing with some reasonable amount of assurance behind it that it’s actually being done.

John Verry (00:26:45):

It’s a data point. It’s a data point. Which is all we want. You make good decisions with good data and you’re giving them good data.

Charles Weaver (00:26:53):

So a great example. So if I’m a customer and I want to know, does this MSP back up their own internal data? Because I’m concerned about the headlines about MSPs being hit by ransomware. So I go to objective eight of our standard and I say, okay, right. The MSP backs up their stuff, their internal stuff, not backup as a service. The MSP is backing up their internal data every day. It’s encrypted, it’s in multiple places, or they air gap it, even better. I’m concerned about ransomware getting infected downstream into their backup areas. So if that’s interesting to me and a concern to me, I go and I have an answer. Does the MSP use multi-factor authentication internally? I can find the answer there. So there’s a lot of business security, change management, corporate risk. Do they carry cyber security insurance? We cover that. There’s a lot of [crosstalk 00:27:52].

John Verry (00:27:54):

So you’re doing a lot there that, honestly, I wasn’t aware you were doing. So in a weird way, you would help a lot for organizations that are trying to do their vendor due diligence. Because if you think about it, those are the questionnaires we’re sending out. Those are the data that we’re trying to gather. If you’re saying that they’re going to be able to produce a SOC 2 analog, if you will, that has all that information in it, that’s been third-party tested, that’s a pretty significant value prop to somebody who’s looking for an MSP.

Charles Weaver (00:28:26):

We think so. And it certainly, because keep in mind, this is getting more into the global politics of standards, is that SOC 2 is pretty dominant in North America. Mostly U.S. and a little bit in Canada. The Europeans have not gone the route of SOC 2. They’re following you. GDPR is now being rolled out with the threat of ISO behind it. ISO 27001. So we know, and MSP Verify, I might add. So we know that it’s not a one size fits all and MSP Verify is not right for a non-MSP. I mean, it has some limitation obviously for companies out there, but if you’re an MSP, it has global acceptance, it can be issued anywhere. And most importantly, the controls kind of transcend geopolitical boundaries and really apply to a global base.

John Verry (00:29:25):

So look, I’m an ISO 27001 certified leader. I love the standard. I think it’s a great standard. That being said, I mean, we do third-party risk management all the time on behalf of our clients. If somebody has got a SOC 2, yeah, SOC 2 is a great standard. I’m sure what you’re doing with MSPAlliance, if that was what was sent back during vendor due diligence for an MSP, I would look at that and go, this is great. Any of them gives you information or gives some level of assurance. And it’s still the responsibility of the entity receiving the report to validate that it works on their behalf, right?

Charles Weaver (00:30:00):

Yes. It’s not a panacea. It doesn’t excuse the customer from asking probing questions and saying, “What is it that I really need?” And there is a certain amount of that answer that has to be there. They have to have that information before they should be reasonably outsourcing, because otherwise it’s just going to be kind of a shot in the dark.

John Verry (00:30:23):

Question for you. So I know that you talked about, and I’m going to paraphrase things here, but I know that you talked about, you’re going to give me as the person looking at the report, some assurance of the internal controls that they’ve got operating. You’re going to give me some assurance about the viability of their organization as a business?

Charles Weaver (00:30:41):

Yeah.

John Verry (00:30:41):

Good. All right. And do you give me some assurance of their viability, their competency?

Charles Weaver (00:30:52):

So we don’t test them individually. So we’re not testing the help desk and, like, the level one NOC people, just giving them quizzes. We assume that they have that. What we will do, however, is we will test the larger system or process that the individuals serve. For example, we will test the backup system, the backup process. We will test the change management process. If they don’t have competent people in there, chances are that process is going to break. [crosstalk 00:31:21].

John Verry (00:31:22):

All right. So you’re giving me, minimally, an indirect competency and probably some additional level beyond that. The competencies I think are a little bit easier for people to get, because like you said, they can look at individual certifications. I’m not going to let you come in and touch my Oracle database unless you’re an Oracle certified professional. I’m not going to let you administer system X without appropriate levels of certification. So I think you answer a lot of the questions that somebody is reasonably going to ask. That’s a lot of value. And the other thing I guess that happens is, to some extent, I can measure how serious someone is about their business based on the fact that they’re willing to go through this process with you. I mean, someone who’s writing a check and somebody who is willing to ascribe to a set of standards and live to that set of standards is somebody who is serious about their craft. So I think that’s another piece of the value proposition that you get out of it.

Charles Weaver (00:32:16):

Well, I agree with you. We still have a lot of work to do, and I’ll give you a good example. I could be wrong, but I think I’m pretty accurate. MSPs globally, who have MSP Verify and/or a SOC 2 or a functional equivalent of that, and I’ll even include an ISO 27001 certification. MSPs that have any one of those three, it’s probably less than 5% of practicing MSPs on the planet.

John Verry (00:32:48):

Wow.

Charles Weaver (00:32:51):

That’s not good.

John Verry (00:32:52):

So realistically, that’s not a bad thing. That’s not a bad, just general rule of thumb. Like if somebody says, how do I know I’m getting a good MSP? Look for one of those 5% and your odds are a hell of a lot better than just going to the phone book or asking your buddy.

Charles Weaver (00:33:09):

You’re being generous, John, because I-

John Verry (00:33:11):

No, I’m not being generous because I believe in what we do as a craft. I mean, I’m an ISO certified lead auditor. We’re an ISO 27001 certified organization. We’re a CREST certified organization. Why? Because we’re committed to our craft, because we’re trying to do things the right way. This costs us money. This costs us effective business efficiency operations. So I know if somebody else is willing to do the same thing, they’re committed to the craft. They’re trying to do the right thing.

Charles Weaver (00:33:36):

I guess what I’m saying is I think that number is way too low. We’re at a point now, the industry has been around since probably seriously, the mid 1990s. And being 25 years into this, we need to have much better adoption and better consistency across the global profession. Because that to me is, we’re never going to win that battle. I mean, it’s kind of a trajectory thing, but we need to be doing better.

John Verry (00:34:09):

Cool. So let me ask you another crazy question. This isn’t one that I asked you, or that we talked about, maybe me asking you. So I’m just curious, do you also advise MSPs on how to select good customers?

Charles Weaver (00:34:25):

All the time.

John Verry (00:34:26):

I’d be curious, because we have a lot of MSPs that listen to the podcast. Do you want to just touch on that briefly because I’m just trying to think of your value prop, because you sit in such a unique spot in the industry. So I mean, we’ve been talking about your value prop in one direction. You’ve got a huge value prop in the other direction as well.

Charles Weaver (00:34:42):

Yeah. I feel very strongly about the right customers for the right MSPs. And I think that the customers can select the bad MSP. There’s plenty of that. We know that. The good news is, when we hear MSP customers coming to us, they say something fairly similar, which is, “This is my fourth or fifth or sixth MSP.” Well, that tells me one thing, which is they’re still doing it. They still find it valuable. It’s not like they said, hey, after the first one or two, we gave up and we hired a whole full-fledged IT, NOC and help desk ourselves. No, they still believe in outsourcing, which is good. Now, I think where we’re headed is, I lost my train of thought with my segment there.

John Verry (00:35:36):

We were talking about how you might recommend to an MSP-

Charles Weaver (00:35:41):

The customers.

John Verry (00:35:42):

… Alliance member, their customers. Because there’s a statistic, and I’m going to screw up this statistic, but I’m close, that most organizations, most businesses, especially services businesses, generate 130% of their profit from 80% of their customers, which basically means those last 20% lose you 30%. I know that we’ve got a lot of good MSP partners that listen to this podcast. So how does an MSP select a good customer?

Charles Weaver (00:36:16):

So getting back to my original thought, the fact that the customers by and large, I think, are dedicated to the concept of outsourcing their IT management rather than building it internally. That being said, the MSP needs to be quite diligent in getting the right customers. Because if you get the wrong customer, they do present, just like a bad vendor, a bad supply chain vendor could be risky to you. I firmly believe that a weak-link customer could be just as damaging to you as a company for a variety of reasons.

Charles Weaver (00:36:53):

And I believe that that’s absolutely true with the ransomware epidemic we had the last 24 months. It’s kind of died down now. I mean, you don’t hear about those attacks that much anymore. I think that barrier kind of ran its course. But I think that getting back to what I said earlier about controls and controls filtering down to the customer level, that’s important work that we need to do. And if the MSP doesn’t get a good handle on that, they’re dealing with a kind of a maverick wildcard customer that could really end a lot of stuff for them. And that’s dangerous.

John Verry (00:37:31):

So is it that they’ll end up with a customer that doesn’t listen? I mean, is that what you’re saying? Is it that the customers that are not going to actually do what you say are the ones that are going to cause problems? And if so, what are those problems? And then the second question is, I don’t know how you would select those customers or not select those customers.

Charles Weaver (00:37:51):

They would probably be the customer that says, “John, do I really have to use multi-factor authentication? It’s kind of tedious. It really is disruptive when I want to get on and do my day trading and play my games online. Can we just avoid that? Can you turn that off, please? And, oh, by the way, I’ve got three or four consultants over here. They really need admin access to the servers that you’re managing. Would you mind turning that on for them? Do me a favor.”

John Verry (00:38:21):

So this is no different than what we do. I would say then what you’re saying is the primary test is tone at the top. Get to the manager, get to the owner, get to the person who’s making the decisions. And if that person’s going to run fast and loose, you probably don’t want to work with them.

Charles Weaver (00:38:38):

Yeah. So I think where we’re getting at now is you have different styles, different sizes of customers and MSPs, but I think where we need to be right now is, if the MSP is dealing with a customer, the customer doesn’t have to outsource everything to the MSP. But if the customer says, look, you’re not handling backup, but we back it up or we have another vendor backing it up. You’re not getting the multi-factor authentication business, but we already do that, or we had it done by somebody else. The point is that it has to be done. And the MSP has to ask those questions. They kind of know what they’re dealing with because they’re directly involving themselves in that customer’s business. And it can really blow back on them if something bad happens, ransomware being obvious.

John Verry (00:39:26):

And again, one of the things that I’ve talked to MSPs about is that when a client doesn’t follow your guidance, and then you’ve got ransomware, you’ve got some type of a security breach, the amount of time, energy, and effort that you spend cleaning up that breach, you probably are not being compensated for it. I mean, that’s where that 130% goes, that 80, 130, where we lose 30% on 20% of our clients. That’s where we actually capture it. So yeah, I think that’s really interesting.

Charles Weaver (00:39:53):

I mean, the story everybody’s heard, I think. I’d like to know who it was. I forgot the company’s name, but it was an MSP out of New Orleans during Katrina. And the famous story was the customer thought that they were, said that they were, backing everything up, saying that they were replacing the tape drives (those of you who aren’t familiar with that, look up what a tape drive is). The customer said that they were doing it and the storm hit and the MSP said, all right, let’s go get those tape drives. And the office manager said, you know what? I know I was responsible for it, but I haven’t done it in three weeks. And so the MSP is expected, although it was completely not their fault, to replicate all that three weeks of data to get them up and running. Those are very common stories, and MSPs by and large do that work without grumbling. But I think that those days need to end fast.

John Verry (00:40:49):

They take a bath on situations like that, which is a problem. One last question that I didn’t ask, and I apologize, I’m going to circle back a little bit on selecting an MSP as a small business. One of the questions that I get asked all the time is, I really like the sound of this MSP, but they’re not geographically proximate to me. How important do you perceive geography being to selecting an MSP?

Charles Weaver (00:41:13):

None at all. And I’ll tell you why. I’ll tell you why. I think that the days, and I used to hear this a lot, the MSP stays very focused on their geographic area, largely because that’s as far as their truck rolls would take them. A three- or four-hour circle around their headquarters would be their work zone. And the MSPs that were really successful never had that problem, because they never made geography a limiting factor or a barrier to scale or a barrier to expansion of their business and getting good clients. And so I think most of it’s just a break-fix, reactive VAR holdover mentality that we just haven’t shed yet, but the more progressive, more scalable-minded MSPs, I don’t think they really look at geography as anything.

John Verry (00:42:10):

So just out of curiosity, and this ties into this, as we move to the cloud, it probably matters less and less. Because you no longer need someone on-site to deal with a server issue or something of that nature. So when you’re saying that they might not need to be on-site, is that because logically, if I still do have a data center and I still have servers in it, I’m probably better off having a contract with Dell or whoever’s servers I’m using for break-fix stuff. And the high-value work that the MSP is doing can be done anywhere there’s connectivity. If they can SSH or VPN to an entity to get to a server, who cares where they are? Is that kind of the thought process?

Charles Weaver (00:42:50):

Yeah, absolutely. A great example is that there was an MSP in the middle of the country. They’re not around anymore. They got acquired, but they were really specialists in Microsoft and they had clients all over the world and they did infrastructure. I asked them one time, how do you handle this stuff where you’re managing servers, but obviously you can’t go and send people all across the world. They said, “No, we have the stuff shipped to us. We configure it in our lab. We send it out to them.” They said, “Well, what happens if there’s a problem?” Well, they people, or we can go get on-site people.

Charles Weaver (00:43:25):

I mean, that wasn’t the challenge to them. It was the configuration, initial setup. And then the real work began when the ongoing monitoring happened. If there’s a flare out of the disk drive, or if the motherboard goes out or something needs to be replaced, they would fix it. That’s not the role of an MSP. I mean, anybody can do that within reason. But yeah, I mean, that MSP had a very different kind of priority of where they stood in the supply chain stack. And again, didn’t allow geography to limit their presence and role with the customers.

John Verry (00:44:03):

So just for the record, I like your answer because that’s the answer I’ve been giving people. And I wasn’t a thousand percent sure I was right. But now I can say, I’ve got it on good authority, Charles Weaver verified that answer.

Charles Weaver (00:44:15):

Well, I’ll tell you what, it’s also the person that says the opposite, the person that says, “But my clients like to see me,” that’s a problem. That’s the guy that doesn’t want to be stuck in a NOC. He wants to be out there with his Superman cape on, and he wants to show up at the office and everybody buys him a donut and the coffee and says, “Wow, this guy is our savior again, he saved us yet again.” That’s a holdover from a bygone era that I don’t think exists anymore.

John Verry (00:44:50):

And look, I mean, the MSP is self-limiting at that point. Because if it’s relationship-based, where I’ve got to go out and have lunch with Charles Weaver every Wednesday, I can only have five lunches in a week. I’m going to limit the growth of my MSP. If it works for the company that’s receiving the services from the MSP, great. If that’s what you want, that’s great. So I think you’re thinking of it from the MSP’s perspective, not the end user’s perspective, which is interesting. So let’s talk about that. So one of the things you said, which I thought was really interesting, is you mentioned the cloud, or how as we go to the cloud it becomes less important. The speed at which we are moving workloads to the cloud, to me, is staggering.

John Verry (00:45:31):

My head spins on a daily basis, trying to keep up with the new language, the new services and things of that nature. What is the MSP’s role? It seems to me the MSP is going to take on perhaps an even greater role as I go to the cloud. But now am I going to have multiple MSPs, where one deals with on-prem, one deals with cloud one and cloud two? How is the MSP’s role going to evolve? How has it evolved to this point? And where do you think it’s going to go to deal with this migration to the cloud, which is a nutty situation?

Charles Weaver (00:46:07):

That’s a four-finger answer.

John Verry (00:46:10):

I’ve had four fingers. You’re behind.

Charles Weaver (00:46:13):

I was going to say, you better fill up if you want me to answer that one. I’ll keep it short. You’re correct. The movement to the cloud has accelerated. The first inflection point or battle was 2009, 2010, when the global financial crisis created this kind of knee-jerk reaction of, I don’t care what we’re doing, but get all that gear out of the closet, out of that data center, everything’s going to the cloud. And that caused two solid years of disruption in the market, because the MSPs were saying, what are you doing? You want all this stuff to change, do you have any… A, first of all, you think that this is going to save you money. It’s not. And that was the first rude awakening that customers had, when we thought everything going into the cloud was going to save us a boatload of money.

John Verry (00:47:00):

It’s like your cable bill. I literally just read, it’s so funny you’re talking about it. I read an article this morning and the guy basically said, there’s a new FinOps. Have you heard this term?

Charles Weaver (00:47:10):

No.

John Verry (00:47:10):

FinOps is a new discipline, financial ops, like DevOps, and FinOps is trying to control the cost of cloud services, because the guy writing the article kind of called it the cable bill of cloud: you get in at this great price and you’re convinced that you’re going to save all this money. And then just every month it goes up and nobody can figure out what the bills are for. And nobody has the time to look at it, and we’ve seen it here. Our cloud bill has, like, tripled this last year. And we’re like, “What the heck is going on?” And no one can figure it out.

Charles Weaver (00:47:44):

Right. So yeah, maybe they’re going to head the same way as the telcos, but the cost thing was a very big unexpected effect of going to the cloud. And there were also a lot of security, privacy, and just general management issues at that time, and still to some degree today: hey, we have all these legacy applications. Did anyone bother to test all that stuff in Azure or in AWS? We had some real big migratory issues. Your statement is a true one and one that I agree with. The MSPs are going to have a greater role. It’s going to shift dramatically. The MSPs are gone that are just sitting around managing a small business Exchange server for their small offices. Those are gone. They’re onto Microsoft 365 now, Google Apps or G Suite or whatever they’re calling Google Workplace, but they’re there now evolving-

John Verry (00:48:36):

Google One, isn’t it? I saw Google One the other day. I got an email, Google One, I’m like, what the hell is Google? They change names more than anybody does.

Charles Weaver (00:48:46):

Oh yeah, no. Yeah.

John Verry (00:48:47):

Sorry. I didn’t mean to disrupt you. I literally got something the other day, I’m like, I have no idea what Google One is. I got to go look it up.

Charles Weaver (00:48:54):

I’ll wait for Google Two.

John Verry (00:48:57):

Sequel.

Charles Weaver (00:48:58):

The MSPs are in a good position now because it plays into, in my opinion, a user security role that the MSPs were born for, meaning instead of managing that small business Exchange server, they now have the ability to manage users, manage data, manage privacy, manage security, manage the massive proliferation, including work from home, that we saw from the pandemic. They have a lot more responsibility than just that one 1U rack server that used to be in almost every small business office throughout the world. So I think that the stakes have increased. Security is definitely at the top of that IT needs stack that they have to provide. And now they’re dealing with, I mean, think of the complexity, John, just all those different cloud environments. It’s not just, are they all in Azure? They’re not.

John Verry (00:49:53):

It’s staggering.

Charles Weaver (00:49:53):

They’re using Salesforce, QuickBooks Online. They’re using everything in the cloud.

John Verry (00:49:59):

Sage, Microsoft Dynamics CRM, Microsoft, I mean, yeah, it’s staggering. I don’t know how people are going to keep… That’s why I was wondering, like even a little company like us, when you look at all of the different components of what we’re doing, it would be hard to have a single MSP that would be well versed across all of them. I mean, they’d have to be pretty large to have enough people to be able to cover everything we cover.

Charles Weaver (00:50:25):

Yeah. That certainly is getting more complicated. I think that that was always the bane of every MSP, the change of technology and the rate at which it changes, because that means that in order for them to be compelling and cutting edge, they have to stay sharp. They have to be well-trained and read in on all the latest changes. But I think that this is a really good sign: the pandemic did a lot of damage economically, but the MSPs that were sitting on recurring revenue, they proved one thing, the managed services profession was in demand, stayed very much high in demand all throughout, whether we’re still in the pandemic or coming out of it, I hope. MSPs were very dominant. They were very much relied upon by the global business community to get through that very tough period. So I think that the next evolution is going to be, now that we’ve figured out work from home, someone damn well better figure out how to secure it. And I think that the MSPs are going to be a major contributor to that story.

John Verry (00:51:31):

Yeah. I couldn’t agree more. I mean, I think the problem you run into is that it’s incredibly challenging to keep people up to speed. I mean, somebody’s got to pay for that training, that awareness, that knowledge, and just somebody who pays attention to what AWS is doing. I mean, how many services they launch, like every week there’s something new. And I hear a phrase that I’ve never heard and I’ve got to go to their website and figure out what’s Lambda. What’s this? What’s that? I mean, it’s this new stuff. So I agree with you. I think from an MSP perspective, I think this is going to be a golden era. One more time where you’re going to get that same comment, right? This is the golden era of MSPs for a different reason. I’m going to go one more reason.

John Verry (00:52:11):

I’m going to blow your mind, Charles. So the last thing we want to talk about is, I think there’s another reason why this is going to be a really interesting year for your MSPAlliance and the MSPs that you support. So we all know about the Cybersecurity Maturity Model Certification, CMMC, and I think any MSP that’s dealing with the DIB, the Defense Industrial Base, has got to be just all over this. A huge opportunity, whether or not they’re working with somebody like us at the upper advisory level. And we’re going to say, “Hey, guys, you’ve got to migrate to GCC High. You’ve got to migrate to FTP Now or Prevail, or one of these other services. You’re going to have to update your encryption. You’re going to have to move to a SIEM solution. So you’re going to have to work with an MSP or an MSSP.” So do you view that for your folks as both an opportunity and a threat? What’s the guidance that the MSPAlliance has given folks with regards to the CMMC in the DIB, at least to start with?

Charles Weaver (00:53:11):

Yeah. So the folks in Washington actually reached out to us two years ago when they were coming out with, it was pre-CMMC, but they were still pushing this and they were trying to come out with a cybersecurity framework for MSPs. I don’t know if you remember that, but-

John Verry (00:53:27):

No, I wasn’t even aware of that.

Charles Weaver (00:53:30):

Yeah. So it’s published. People can Google it and check that out. So I think that it’s always good for people to do more, have more discussion about MSP security. I think at some point there’s going to be, because you may remember FedRAMP?

John Verry (00:53:49):

Oh, we do a lot of work in FedRAMP. And now it’s StateRAMP, by the way. I don’t know if you’ve seen that?

Charles Weaver (00:53:54):

No. Well, okay. So that brings me to my point, which is you’ve got the feds acting, the U.S. federal government acting. You certainly have the Canadian federal government acting. You’ve got the European community at a federal level acting as one under GDPR with ISO. So you’ve got a patchwork quilt around the globe of different standards, different frameworks. And even in the United States, you’ve got CMMC underpinned by NIST, and pushing down through the federal/DOD community. But you’ve got a completely separate community in the federal government at the FFIEC or FDIC level, which are promoting, not NIST, but promoting SOC through the FFIEC examinations of the U.S. banks and their subsequent outsourcing to MSPs. So you’ve got some interesting political convergence that’s going to be like fireworks, I think, to watch. I’m not making predictions.

Charles Weaver (00:54:58):

I think all of these standards are good, but I think that having maybe some flexibility and give in the system is going to be a good thing for the next five years, because the last thing that MSPs want to say is, all right, I’m servicing banks. The bank examiner’s telling me to get a SOC 2. And then I’ve got a federal contractor as a client and they want me to get CMMC. There’s got to be some reasonableness, is all I’m saying.

John Verry (00:55:25):

Yeah, I agree completely. So I think we both can agree that there’s a huge opportunity for MSPs in the defense supply chain right now.

Charles Weaver (00:55:32):

Yes.

John Verry (00:55:33):

May get out there, get in front of it, talk to people about this, lean into those conversations. There’s a learning curve, right?

Charles Weaver (00:55:40):

Yeah.

John Verry (00:55:41):

But lean into it. Now, to your point, and I agree with you completely. And I’m reading tea leaves a little bit here as well, but you’ve seen the Polaris contract, right?

Charles Weaver (00:55:51):

I’ve about.

John Verry (00:55:51):

Okay. And the GSA STARS II. And the Polaris contract definitely impacts MSPs. Because it’s an IT service provider contract to the government. And it says, if you are a provider to the government and you’re doing this, you should be aware of CMMC because we’re going to be asking for it. So thoughts, and by the way, I think the FFIEC, just so you know, like DHS has already kind of aligned behind CMMC. GSA is aligned behind it. I’ve heard communication that the FFIEC is getting behind it. So I suspect that we’re going to see the government kind of rally behind it because all of the… CMMC was designed for something called CUI, Controlled Unclassified Information. The DIB processes, if you’re a defense supply chain person, you’re touching CUI, but by the way, if you are a university you’re touching CUI because student information is CUI. Financial information is covered under CUI, under the NARA National Association, National Archives and Records Association. So you can go and look up the CUI registry.

John Verry (00:56:56):

So I do think we’re going to see, if I was Batman, and I am, that we’re going to see a consolidation around CMMC around the government. So I think that SOC 2 request from the FFIEC guy is going to be migrating to a CMMC level three request.

Charles Weaver (00:57:14):

It could, and we will be closely watching that because we have a lot of members in the MSP Verified program who work with U.S. banks and deal very closely with the FFIEC community. I think my education and experience with FedRAMP was that that was an administrative issue, not necessarily a substantive issue. And so I will leave it to most bureaucracies to get in their own way and figure out exactly how to stop progress. And just remember, the original FedRAMP thing caused a lot of service providers to kind of back away and say, you want to put me through this, then I’ll just back out. And there could be the opposite effect, which is if they don’t make it something that is scalable, meaning that normal MSPs can handle. And I’m talking like, beyond just Azure, Rackspace, AWS, and those kinds of global giants, because there’s a lot of downstream MSPs in the supply chain that provide really valuable stuff. I’m talking about very point solutions that you probably know very well. They’re database experts or they’re firewall experts or they help, they’re in a particular ERP application that the government uses, whatever.

John Verry (00:58:33):

Folks have set critical to the manufacturing processes, that the DIB is completely reliant upon.

Charles Weaver (00:58:38):

And more to the point, stuff that the larger enterprise providers won’t touch, because there’s no money in it for them. So it’s not like this is an easy grab for those larger enterprise MSPs, not true. They have to really make sure that they don’t force out the ability of the customer, even a federal customer, to select an MSP, because that is exactly what happened at the FDIC level when they realized we’ve got a ton of MSPs handling U.S. bank infrastructure. If we come down really hard, we might have the satisfaction of knowing that we’re applying a consistent principle, but we could also lose half of the MSPs handling infrastructure for U.S. banks, leaving them with what? Nobody? That would be disastrous. And the DOD, I don’t think, wants to end up in that situation. So those are public policy things that keep me up at night.

John Verry (00:59:35):

I think your thought process is excellent. And I think that we’re seeing the same kind of questions with regards to, because as you go down the CMMC food chain, if you go down the supply chain, the new interim rules basically say that an organization needs to ensure that the same standard is being pushed down the food chain. So now we have a situation where, yeah, I’m a 300-person manufacturer. I have no choice but to comply with this, but now I have an MSP. Am I going to ask them to comply? Or am I going to build out a methodology by which they can provide the service without having to comply themselves? So it’s going to be a fun few years trying to figure that out.

Charles Weaver (01:00:09):

Last comment is, don’t rule out the AICPA. They are already embedded in Washington. You want to believe they’ve got lobbyists all over the place, lobbying for tax rules. Don’t rule them out as being kind of a last-ditch participant in saying, “Hey, maybe the AICPA community should be involved in CMMC.” I wouldn’t be surprised if they made a move.

John Verry (01:00:35):

So it’s so funny. I just literally was on a podcast and we were kind of spitballing where this might all go. And my comment was that the AICPA, I thought, might be the odd man out. And that would be because the CPAs themselves are jumping. They don’t really care. Like if you’re a CPA firm, you can become an ISO 27001 registrar. And many of them are. You can obviously deliver SOC 2 Type 2 service reports because you’re a CPA firm. They’re PCI DSS. Now they’re becoming CMMC C3PAOs. So in a weird way, the actual CPA firms don’t really care as much as the AICPA does.

Charles Weaver (01:01:15):

Yeah. You could be right. I mean, it was more of a point to say, if the AICPA community, the accounting profession, does decide to get into the CMMC business, that could radically change things for the better, in terms of that adoption that you think, correctly, is coming.

John Verry (01:01:34):

Or for the worst.

Charles Weaver (01:01:34):

Or for the worst. We’ll see.

John Verry (01:01:37):

Because, look, I think all of us that are in this space would appreciate a little bit of clarity, but I think we all know that there are a lot of, as you referred to them, political entities and factions that are trying to protect their fiefdoms.

Charles Weaver (01:01:53):

Take a look at Louisiana. Louisiana is, I think, doing a yeoman’s job of actually stepping in and regulating MSPs in a pro-MSP way that is designed to help Louisiana state agencies outsource more to MSPs, not less.

John Verry (01:02:08):

Do me a favor, send me a link to that after this. We’ll include it in the show notes because I think that’s a really interesting data point. So we talked about evolution at the start. That’s how we started this. We talked about the evolution of the MSP. Care to read any tea leaves and kind of think about what’s next for MSPs? Or do you think we’ve already done that?

Charles Weaver (01:02:24):

Well, if you asked me what MSPs need to do in order to stay relevant, I do feel like we’re at a point where they do have a lot to gain and they’ve got a lot to lose, right? I think 10, 15 years ago, for the MSPs largely it was just, unless you become an MSP, you’re just going to phase out or you’ll have kind of a not-that-great business model, being a VAR and all the legacy problems that we know get associated with that. I think this year it’s: MSPs, you need to become weapons grade. You need to become very professional right now. The training wheels have come off. And I think that that’s where we’re at in 2021. And whether the MSPs call themselves MSPs or not, it doesn’t matter.

Charles Weaver (01:03:16):

But if you are out there delivering a consistent remote access, remote management kind of hook into a customer’s system. I hate this: “I don’t host anyone’s data, so I don’t need to be certified. You don’t need to audit me.” I love that. That’s like, really? So what does your RMM software do every single day, 365 days a year? It just sits there benignly, not doing anything? Come on. They really do need to start paying attention to their internal process, their internal security. And they need to do that very fast because the game has changed, really. I think the days of taking kind of the on-ramp to managed services have been long enough. We need to now have people who are doing it and everybody else.

John Verry (01:04:04):

Yeah. That was well said. I hope you prepared for this question. I gave you this question in advance. So we’re going to see if you did your homework, Charles.

Charles Weaver (01:04:13):

All right.

John Verry (01:04:13):

So give me a fictional character or a real person that you think would make an amazing or horrible CSO, or head of MSP if you want, and why?

Charles Weaver (01:04:22):

I think Lee Iacocca would make a great.

John Verry (01:04:24):

Oh my God, for making a Chrysler reference, well done. Well done. We’ll go K-car, Charles, do you drive a K-car?

Charles Weaver (01:04:35):

I do not.

John Verry (01:04:35):

I’m like, we’ve lost like 90% of the audience. I just want you to know, my grandparents told me about the K-car. I have no idea. No first person experience.

Charles Weaver (01:04:43):

No, no, I drive a LeBaron, but that’s beside the point, another story.

John Verry (01:04:46):

That’s a K-car. Well done.

Charles Weaver (01:04:51):

I think the good MSP, so we’re talking to the MSP or just a general?

John Verry (01:04:57):

Have fun.

Charles Weaver (01:05:01):

MSPs don’t really have CISOs. Do they? They don’t really.

John Verry (01:05:07):

I would argue that they should. And that’s probably why they got hit with ransomware. So let’s assume that they should, it seems like you probably wouldn’t have the ransomware as you, Charles.

Charles Weaver (01:05:16):

You would want someone like Lee Iacocca who knows how to solve a business problem. And I think that the MSPs have always had, they’d been technical people from the start and very competent technical people. And they’ve been a little light on the business and the other aspects of running a managed services business. And that’s where I think Lee Iacocca type of personality would do an amazing work within an average everyday MSP business.

John Verry (01:05:44):

No, and it’s so funny because at one point Lee Iacocca was a household name. And I remember he had the book. I mean, he became so famous for saving Chrysler that was a bestseller. And it’s kind of funny, I haven’t heard Lee Iacocca’s name in a bit, so this was a smile. Thank you.

Charles Weaver (01:05:59):

I was referencing, so you know, the Lee Iacocca of Chrysler, not his Ford days, because he used to work with Ford before he went to-

John Verry (01:06:06):

And do you know why Iacocca was famous for being at Ford?

Charles Weaver (01:06:12):

If I’m not mistaken, he was involved in the race car and the Shelby.

John Verry (01:06:18):

Mustang.

Charles Weaver (01:06:18):

Mustang, yeah, yeah.

John Verry (01:06:20):

The Shelby Mustang, that’s exactly right. Lee Iacocca was actually a… one of the reasons I think Lee Iacocca was actually a great automotive executive, and I do think he was, was because he was a gear head. He was a motor head. I mean, the guy liked fast cars and he was involved in cars not because it was a job. It was because it was a passion.

Charles Weaver (01:06:39):

Notice, I didn’t say John DeLorean would make a great [inaudible 01:06:42] because no.

John Verry (01:06:46):

Michael J. Fox might disagree with you. I’m just going to say, just kind of go there. All right, well, listen, Charles, if an MSP or I’m assuming most of the time that someone would contact, it would be an MSP where somebody wants to be part of the MSPAlliance. Do people who are looking for an MSP contact you, and is that a way you should be contacted or not?

Charles Weaver (01:07:05):

We’re happy to talk to people, especially if it’s more of like a legislative or larger entities representing their own constituents. We deal with those types of questions. If you’re just an average customer, reach out to your MSP and start asking them due diligence questions, maybe, I mean, not to get too self-serving, ask them for an MSP Verify report.

John Verry (01:07:27):

No, that’s not self-serving. That’s what you should be doing.

Charles Weaver (01:07:30):

Read it for yourself and make your own decision if you want to work with them.

John Verry (01:07:33):

I would agree. So just for the record, just so you know, my next personally asked me, I’m going to ask is ask them if they have an MSP Verify report. Excellent. Well, thank you so much for being on. If somebody wants to get in touch with you, what’s the best way to do that?

Charles Weaver (01:07:47):

Our website, www.mspalliance.com, is a good place. I won’t give up my, this is a security podcast, so I shouldn’t give out my personal email.

John Verry (01:07:58):

I mean, I can tell you that most people do, and most people are more security oriented. I mean, we’re talking about the most security oriented people. I don’t think an email is a big deal.

Charles Weaver (01:08:07):

[email protected].

John Verry (01:08:09):

All right. Well, listen, I will tell you that Charles is very good about returning emails. Charles, thank you, sir. Genuinely appreciate you coming on and had a lot of fun. I thought this was a really good conversation. I thought we served two masters. I thought the MSPs that might listen are going to get something out of this. And I also think that end users that are trying to understand how to engage an MSP successfully, you gave them a lot of good guidance. So thank you.

Charles Weaver (01:08:30):

Appreciate it, John. Always a pleasure.

Narrator (01:08:33):

You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful.