
What Separates Good Vendors from Average Vendors? | EP 028

Transcript:

Connor Swalm:

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing. Hey, everyone.

Welcome back. I am Connor, CEO at Phin, and I am bringing you another episode of Gone Phishing with Tom Lawrence.

Tom Lawrence from Lawrence Systems. Lawrence Systems, business technicalities. That YouTube guy, that YouTube guy who runs an MSP and talks a lot, and fun stuff. I mean, you got a lot of good things to say. Sometimes.

Tom Lawrence:

Sometimes I try. I try to be a little helpful to people. I engage a lot with the community and things like that, which is probably a good starting point for our topic today.

Connor Swalm:
So today we're going to talk about, well, I have some questions for you on a subject that I think you're way more qualified to talk about than I am, just looking at your YouTube channel and having known you for a year or so now. But in the MSP space, what are some things that separate the good vendors from the average vendors? And I'll even throw an extra thing in here, and maybe even the bad vendors, whether it's security or IT tools. What separates them in general, in your mind?

Tom Lawrence:

I think a lot of it. There's a couple of things, and this is a really challenging topic. And the problem is, from the external, we can look at community engagement and things they do. I think that's an incredibly important part. It's how do they work with the community? Are they selling all the time, or are they actually taking the time to engage, put out good information that might be helpful, maybe engaging even further. And Huntress has kind of become, in the MSP community, I got to give them a shout out, because they're almost like a standard, like, hey, just do what Huntress does. And they get some hate from other vendors. One like, they do it too much.

But I'm like, no, there's a very clear strategy, and they're not the only ones doing it, but they've been doing it for a while, so it's easy to kind of point at them. The other side of it is this is the part that's a little bit harder, but also very meaningful. If you take the time to understand the community, figuring out who works there is something that actually matters to me. And when I know that someone works somewhere, and I'll talk about different hacking people or things like that. You look at the backgrounds of some of the employees. I'm friends with some of the people at, like, Blumira. How do I know they're cool? I don't even know the CEO's name, but I know Amanda Berlin's there. And why do I know Amanda Berlin? She speaks at hacking conferences.

I'm like, okay, you hired someone who does really smart things to work on that backend. That's a little bit harder, a long way to figure out if some of the companies are good, but it does matter if you can figure out some of the people that are on their teams. So those are two of the factors I really look at. How do they treat the community? How do they engage? How does their product look? And of course, bad marketing. Are they overselling it? We will solve all problems. You will never have a cybersecurity issue using our magic. And if you ask them, there's been a few companies that I flat out turned down because they've been evasive. Like, hey, what's the transport layer security you're using for your mesh network? This was a pretty common and open question.

I've asked vendors, and the evasiveness of, hey, Tom, would you like to sign an NDA and try your product? I'm like, to talk about what security you're using? I mean, I'm asking cipher questions, not proprietary information. And if you rolled your own crypto, I'm going to run away scared from your product. Please don't tell me you tried to reinvent crypto, because it's not necessary. You can use normal ciphers. Just tell me what cipher you're using, so I have some idea of how you're doing the transport layer. If someone technical engages, engage back with them in community forums. And that's like one of those first times that I'll engage with them that I'm like, no, I got to drop this vendor or draw my do-not-call-back list. One of them was just so evasive.

I was like, I don't think you guys have a good product because you just hide a lot of things here.

Connor Swalm:
I've definitely seen you and Jason Slagel, I'll give him a shout out, get into...

Tom Lawrence:
I don't want to say screaming matches.

Connor Swalm:
I also don't want to say get in trouble, but you've definitely aired some laundry of, like, hey, this doesn't feel right. And then everyone needs to, so that's cool.

Tom Lawrence:
Jason's well known for his LinkedIn posts and throwing rocks at, definitely. That's a phrase he uses, that sometimes he throws rocks at vendors. Matter of fact, one of the vendors that I'm using, one of the things is because I was talking about Slagel's looking at your product. They go, yeah, he asked before about it. We wouldn't let him have it because we knew it wasn't ready. So he said he would have thrown rocks at the first iterations of it. We were working on it. And they're a more mature company for all the features. And so now they welcome also, I actually really like. I think they still have it on their website. Rewst. Yeah, they have a quote from Jason Slagel that says they haven't annoyed me yet. That's their blessing from him, that they've accomplished something.

We have not annoyed while he uses the product, and he hasn't annoyed us. Those are important things. I like that companies that kind of play around with it, they don't just try to wrap everything in corporate marketing speak. They actually want to engage, and they want a Jason Slagel poking at their product or a Tom Lawrence looking at it and asking about it. You kind of get these feelings like this. I want to know that they have a good program where they care about security. They have, especially once you get to a certain size. What's your pen testing program look like for internal? I'll certainly throw them under the bus right now because they've been under the bus for a little while, which is Fortinet. They're very popular in the MSP and IT world.

Last I looked, their market cap is somewhere around $54 billion. They're not a small player in the IT space in general. But I did a video yesterday about their long history of bad coding practices that has been consolidated from security researchers. To me, that is not the proper way to do it, because they've had problems dating back over the last four years. And clearly, when you have four years of continuous problems in a single product, you either need to refactor all that...

Connor Swalm:
...code, or keep getting talks about you.

Tom Lawrence:
At Black Hat, that talk about magic backdoors that you, by their own admission, they accidentally left in through some bad coding, their own write-up. I read from their website. It started with security researchers pointing it out, but they did put a response on there, and I'm glad they're responding. I'm glad to see that they're not just sending cease and desist orders, but those are all these things I think about for any of these vendors. When I say community engagement, I just don't mean do nice things and throw parties at the community, like, hey, cool, you've got a nice write-up. There's been a couple of DNS people I kind of called out for the way they were handling DNS, and that turned into a really good response. They actually embedded my video in their...

Connor Swalm:
...blog and took it apart and were right.

Tom Lawrence:
I actually told them they were correct. They had a couple of things that I misunderstood, and it was a fun back-and-forth engagement. Matter of fact, I ended up making a video with them to understand better how they did filtering. So those are fun moments where I called them out, threw rocks at it, my rock, for hits on some and, well, I missed on others, but I'm also willing to admit when I'm wrong. So it made a fun back-and-forth blog post. And matter of fact, they reached out to me, can you do something on us again? That's our most popular blog post. Like, even a few years later, when people search us, it comes up, but it's a good technical breakdown for how they're doing filtering. And I said, do more of that.

It's not me that drove it; it's that people like the technical details. A lot of technical founders run MSPs, so we are still engaged on how the product actually works.

Connor Swalm:
Maybe they'll start dripping you. Hey, Tom, we think we're doing this incorrectly with our product. Would you care to make a video on it real quick? They'll start seeding the things that are definitely incorrect just so that they can make another one.

Tom Lawrence:
Yeah, but I think those are all kind of factors that go into thinking about it. It doesn't make it easy for the less technical MSPs. The people who are maybe a little less technical, really good business managers, I meet some of those too. They hire some technical people, so they kind of have to rely on some of the more technical crowd to advise them on it. But overall, it's not an easy task. It starts with a good sales rep who doesn't harass you, the slow, easy sales process, and moving on from there.

Connor Swalm:
Yeah, if we're a fit. That's a belief I always had. But it sounds like what you're getting to is the relationship an MSP has with its customers is incredibly, I want to use the word intimate, because quite literally, you're in control of not only their IT, their growth capabilities, their infrastructure, but also are they going to be able to open up their doors tomorrow because you took security seriously. And having your vendors know that, the vendors you're working with take that relationship, because if they're the source of a breach, then you're at risk, and then your clients are at risk. Knowing that they take that relationship just as seriously, and evaluating that in some way, all of this feels like you're trying to get to the bottom of, do they actually care? And are they putting their best foot forward and not just telling us they're doing it? Yeah.

Tom Lawrence:
And when you think about larger companies, one of the cool things is Bitwarden. I've sent this to several of the vendors. I said, how close can you get to this? And what Bitwarden has done. They started as an open source password manager, and still an open source password manager, but the open source, I know a lot of people there because I was promoting it. We started using it long before the LastPass incident. But one of the things they do is they alternate different code audit companies that do it, and then they make all. I don't mean kind of. I mean they make the full code audit report public, which, when you look at things like, oh, cool, we're SOC 2 compliant. No, you got a bunch of carve-outs that you kind of buried.

You gave me this really light, generalized report and things like that. You always ask for these NDAs to sign to see the more detailed ones, and I'm like, why? I mean, come on, just say what they found, because they know it was all fixed. Like, here's what they found. We fixed it, and here's a dumped report. I think as vendors become more transparent like that, you're going to build better confidence with the Tom Lawrences and Jason Slagels of the world who just want to know, oh, cool. You didn't have the way you were implementing this particular feature, but then you fixed it.

Connor Swalm:
Awesome.

Tom Lawrence:
There's a code update for it. So great. Who cares if you had a problem? We care about how you responded to it, how you fixed it, and maybe even go a step further, talk about how you would handle these IR-type incidents, because we're seeing, and have seen, the largest ransomware attack in history is coming up on its two-year anniversary. That was done from a company that clearly was not doing any thorough code auditing. You don't have a fail open if you're code auditing. Sorry. That's just how that works in amateur code. Someone who's amateur reviewing code is going to go, fail open. Found it. Yeah. Cool, man. That's first day on the job stuff, and it was out there hanging out and was exploited at such a scale.

We don't know how these companies, really be clear, like, what are you going to do if this happens again? What are you going to do if you have an insider threat as opposed to just an external problem? How are you going to handle it? Because any of these vendor relationships aren't just a financial transaction. They become tied to me and my insurance policy, because there's an agent I have to load on my system for many of these things, or a tie-in with your Office tenants. And what happens if something does a thing and starts doing something that we didn't expect it to do? A threat actor does it. That all comes down to me to fix it and explain it to the clients and possibly make an insurance claim that I don't want to make.

Connor Swalm:
Nobody likes getting insurance involved.

Tom Lawrence:
Oh, man. You think lawyers are bad?

Connor Swalm:
Yeah. A thought popped in my head that you and Jason should do some kind of Twitch live stream. You know how some people do live code reviews and they just absolutely eviscerate it? You should just do live reviews of an MSP's tool stack. It's like, oh, this vendor's best. These people don't do this.

Tom Lawrence:
This doesn't do this.

Connor Swalm:
Here's a hole in the services you're providing. Are you aware of it? I wonder if that would be popular, or if that would just be weird. I don't know. I don't know. I'm for it.

Tom Lawrence:
Me and him have some fun ideas because we've been working more together. So we have some fun ideas we're going to be rolling out. We have some more content. We already recorded some, but we just haven't had a chance to publish it all yet.

Connor Swalm:
So in the midst of seeing how involved in the community and how seriously a lot of vendors take their relationship, in the midst of people like you and Jason and many others being very outspoken about issues they see, how is it that some MSPs, or some people in general, still struggle to find quality partners to work with, quality security vendors or IT vendors to work with?

Tom Lawrence:
I think our industry is still maybe a little bit somewhat immature, and the problem is double fold for how the tools are sold. It kind of blows my mind that there's not been a, well, I can't say not. There's channel partners who are coming up with something interesting, and what I'm fascinated about them is you have someone actually doing something different than, hey, let's get a booth. And as you know, very directly, these booths are outlandishly expensive. Trade show events aren't like, oh, we go pay $500 to be here. No, you got to add another zero behind that for what it costs to be at a big event. And that does include your even larger enterprise events, like Black Hat and things like that.

You're talking about companies that spend a quarter million dollars for a little booth, hoping to grab you when you walk by the event, shake your hand, a card, scan your badge, and just to get the lead. So, with a lot of that out there, it's hard for a smaller startup who may have the best of intentions. You kind of need some of that capital coming in. You got to be innovative on how to get in front of these people. So I think that's why we have so many vendors, because they're on the money train. And if they're not trying to figure out how to take that huge dollar spend they have at one of these events, they have to be aggressive. They have to be this whole overly aggressive salespeople sometimes. How do you fill that gap?

How do we really capitalize on the fact that, okay, we just spent, plus employees, $50,000, $60,000 to be at this event. How do we turn that into actual sales numbers? That's a real business question. Vendors have to ask that. Drive it. It's not like they just want to call you every day and make a sale, but they have to, or they won't make it to the next event.

Connor Swalm:
Yeah, no, that's absolutely right. I always go back to an experience I had. The first conference I ever went to was a conference called IT Nation Secure in 2021. And the first thing that stood out when I got to the first vendor hall. Well, the first was, wow, people drink a lot. The second was, wow, this is a lot of word vomit. You brought up in a previous episode, you were on XDR, MDR.

I've talked with Wes about, how long can we make this acronym? And will marketing still approve? It's like MXAIDR, Kyle has Spooner DR out there somewhere. It's a holistic approach to something like global inclusivity or something of insane. And I think that ties back to the, hey, if we don't catch your eye, if we don't scan your badge, if these aggressive salespeople aren't able to get a lead or make their quota or whatever, it's like, this was such an expensive spend. We won't be back. We won't be back here.

Tom Lawrence:
I'll go ahead and disclose this. I think what would be a fun idea that a lot of us talked about doing is a Mystery Science Theater thing where we watch vendors pitch and then try and figure out what it is they actually do, because we may or may not have watched that before. And I had a group of us in a chat just watching live vendors do pitches and go, they didn't kill it. I'm still not clear what they did. Boy, they got a lot of buzzwords. Boy, they said AI 17 times. And just kind of to have this fun where me and several other people, including Slagel of course, kind of make fun of it from the background. Maybe someone watched that on Twitch as well.

Connor Swalm:
That's why every time at our booth, I remember one time at our booth, we literally just had our logo and then cardboard cutouts of various celebrities and just had people come take pictures, and they're like, what do you do? It's like, we're a security awareness training platform. There you go. What else do you do? That's it. If you're interested in that, I'll tell you exactly how we do it. But if you're not, just come take a photo with us and hang out. Yeah.

Tom Lawrence:
There's a simplicity that you got to try to come down to convey your message if you are really complicated.

Connor Swalm:
Or you try to be.

Tom Lawrence:
And this is where I see vendors going in a bad direction, in the hyperscaler vendors, where I was at the Acronis event, and they want to be the one agent to rule them all. We are going to do everything with our single agent. It's going to be backup, RMM, et cetera, data loss prevention, everything we can throw at it. And I still haven't seen anyone play that successfully. I mean, do I want a single agent? Yes. The want is there, I just don't know if they can be. And it also becomes difficult because we've dealt with vendors where we felt like, hey, we really like the one thing you do, but by trying to do that thing, I get a barrage of upsell and I get a cluttered dashboard with grayed-out things going, click here to subscribe.

You want to use us for all these other services? I'm like, no, they're not mature enough. They're not a fit for what we do. You don't have the right feature sets for us. We like this one core thing, but now we're so annoyed by your dashboard and your salespeople, I'm fine just blocking your domain at this point and going with another product, because you've tried to be the everything store. Now I get that back end is often, if you're financed by a lot of private equity, they want to see growth over time. Once you've reached a market saturation which you can't growth pivot, what else can you sell them? That's what the PE meetings are about at that point. So it's a dangerous slope to get in, because being the everything store doesn't necessarily mean you're good at it.

Connor Swalm:
I'll quote someone that you know as well, and somebody super involved in our business, and Phin and my life. Reg Harnish, the CTO and the founder of Autotask from a long time ago. He said most MSP vendors exist to just sell more solutions to MSPs. They don't drive outcomes. They just exist to sell more software. Yeah.

Tom Lawrence:
And that's where. What does the extra S stand for? An MSP stuff? Yeah, MSSP. Come on, just tell me what you're selling on the back end and things like that. Those are the ones that kind of drive me nuts. They're bundling companies that reach out to me, and I'm always vague on some of those. They don't make the best vendor fit for me or probably a lot of other people. It sounds cool selling all the pack. We're so-and-so, and we're an MSSP, and we sell everything. But what is the everything in the back end? Oh, you don't have to worry about that. We take care of that magic for you. Well, I kind of want to know what you're using on the back end. It kind of matters if you're new...

Connor Swalm:
...to the MSP space.

Tom Lawrence:
You may think, oh, they're a one-stop shop for all the things, but some of them, and I haven't used them enough. But I've engaged with some of the technical people there to know. Some of them are talking about, and I can't believe they have that extra. I'm like, no, I think that S is for shill. In your particular instance, sir, the S is for shill. You heard it here, and it makes it harder, because you don't want that reputation among the vendors, because there's some really good ones out there. I don't know if they give you that used car dealer vibe, that walk away, step away. I don't know how to describe that in a more technical term.

Connor Swalm:
I don't know either. But for those of you listening, I hope, or watching us right here, seeing our beautiful faces, I hope you got some value on how to actually evaluate vendors. It sounds like there's a combination of ask around for your friends, see who's involved in the community, ask who actually takes the relationship that you have with your client very seriously, and then is transparent. Seems like transparency was a huge piece of this conversation. So, yeah, do your due diligence, ask them questions, and if they don't want to answer, maybe that's a red flag.

Tom Lawrence:
Absolutely. Thanks.

Connor Swalm:
Sweet. Well, everyone, I'm Connor, CEO at Phin, joined by the wonderful Tom Lawrence. Thanks for listening. Thanks for watching, and we will see you next time. Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out. Phin Security at phinsec.io. That's P-H-I-N-S-E-C dot I-O. Or click all of the wonderful links in our show notes. Thanks for fishing with me today, and we'll see you next time.