How Is Security Different From Managed IT?
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security. And welcome to Gone Phishing.
Hey, everyone. Welcome back. It is Connor, CEO at Phin, with another episode of Gone Phishing. And we have a wonderful friend of mine, a great guest. He's been on the podcast before: Wesley Spencer is with us today.
Shucks, thanks. And you even called me Wesley. Only you and my mom call me that.
I'll call you whatever you want. You want Wes? You want Wesley?
I prefer Wesley for you.
Wesley. Wesley Spencer in the flesh. And Wes, you got a new gig. Tell us about it.
Yeah, I'm actually not even in my home studio today. I joined up with Cyberfox. Been really excited about that. If you know Adam Slutzkin, he's one of the greater coaches and mentors in the industry, and I had an opportunity to come over there as their vice president of security strategy. So just a few weeks in, so I'm brand new, and there's nothing but fire hoses I'm sucking from constantly.
But it's a lot of fun. I'm in the Cyberfox HQ today, actually.
That's awesome. Well, I can't wait to see you crush it in yet another role. Being the wonderful smiling face with all the great words you normally say and all the really wise advice. So looking forward to a ton more.
So today we're going to be talking about how security is different from managed IT. Now, I think you actually chose this title, so I'll let you dive into it first, but then I'm sure I'll have a few questions for you.
So a couple of things to think about, right? If you look at the journey of MSPs, and I'm going to give an example of this, I was talking to an MSP at DattoCon last year, and, you know, he goes, I feel like MSPs have got the great bait and switch. He said in the old days, I was just doing nothing but slinging hardware and fixing printers.
That was great.
That's why I started my business, when hardware was heavy in the industry. And then all of a sudden, managed service comes down. He's like, I'm okay with that. I had to learn a lot more about IT operations and ITIL and IT leadership, but I was okay with that. He goes, but then all of a sudden, cybersecurity came down market in 2018 and onward, and he's like, I'm not ready for this. And it's pushed me into a world that I was not ready for, that I never saw coming. And it's totally different than a lot of things. And you see this, right? There's a lot of what I would call residue, Connor, of managed service that exists inside of trying to get into security. For example, we are still in a very break-fix era in the sense that a lot of MSPs will give to their clients: here's all the things we can do in security.
Does that sound good?
No, I'm not paying for that.
Oh, okay. Well, how about we do this and this and this instead?
Well, that still sounds too expensive. I've never paid for that before.
Well, how about we just start with this one thing, and then we'll figure out how to grow from there?
Okay, that sounds good.
And it's broken, right? That's not working for us in security. It's not right for the client, and it's not right for the MSP. And that's where I think a lot of us are at right now in the industry, if that makes sense.
Yeah, I've talked to a ton of MSPs. Some of them are still in that. I guess the way they kind of phrase it is, we make cookie cutter solutions for our partners, or for our clients, whatever they'd like to refer to them as. The difference that I see is whether your client is dictating what that is versus you dictating what that is. That's really important, specifically because you're the one that's supposed to have all the skills and all the expertise and be able to provide the protection. Your client's coming to you because they can't do it on their own.
Yeah, exactly. So here's a way to think of it. If your security services are being sold like a restaurant, right, I go in and I order what sounds good to me. I think I'd like this today. I'm the ultimate decision maker at a restaurant because it's about me and about what I want to eat. Versus when we're talking about security, it's a whole lot less about what you think you need and what sounds good to you, and a whole bunch more about your organization and your risk profile and your revenue and your industry, and what could happen to you from a regulatory perspective, a legal perspective, if something happens to your organization. And so there's a whole lot less of the...
There should be a whole lot less of the client trying to figure out what it is they think they want, what it is they think they need. And it needs to be a lot more of us guiding them into what we know that they need based upon those things: their revenue, their industry, their risk profiles and thresholds. And you don't do that unless you start asking those questions to really understand their business and understand where they're at. And even helping them understand what would be the impacts if they don't make these investments. Right. It's a different shift for sure in security than I think we're used to, if we haven't gone down that road before.
Yeah. A good friend of ours, Reg Harnish, he calls us cybersecurity shamans. We've all heard security Sherpas. He's like, I don't know. I've always loved this picture of somebody throwing some dust into a fire, and then all of a sudden this mythical creature comes out. That's basically how we should be for all of what we need: to be the spiritual leader of security services, so to speak. I hope that doesn't get turned into a quote here. There should be spiritual leaders of security.
Cybershaman. There's going to be a new title somewhere. Chief security shaman officer or something like that.
I love it. But, yeah, no, I think there's a lot of truth to that. And so maybe just to get practical for a minute on how to start doing that. Right.
If you're an MSP and what you're doing is running, like, a Network Detective scan and chucking it on the desk (you enable the security option, right, so you can show them a couple of things), that's not going to really move the needle for the client. It's not going to give them the things that they need. What I think it really comes down to is you've got to figure out how to build risk assessment into your day-to-day work with your clients. So in the managed service world, one of the things MSPs have been taught for the better part of two decades is to begin managed IT service with, like, an IT assessment. Well, in the world of security, you should begin your work with the client with a risk assessment.
Right? So I think there's familiarity there. But the difference is, in the IT world, you were told, just buy this software, run the scan and give them the output. That doesn't work in security. It's got to be a conversation about: how do you make money? What are the inputs to that?
What does your supply chain look like? What are your cyber insurance requirements? What are your specific industry regulations and compliance requirements? And then what would all that look like in the cost of a data breach? And you educate them on that.
Right. That takes some sit-down, one-on-one conversation. That might take more than even one meeting in particular. And so I want to get practical on this podcast for a minute so MSPs understand, okay, so that's how I get there. Now, it's challenging, Connor, because I think you've seen the same thing. That's not a natural conversation for a lot of MSPs, and maybe it is for the owner, but not a whole bunch of the folks that are actually client facing. They don't come out of security roles. They don't have that natural understanding, and so they feel like they're an imposter.
And they don't tiptoe into it. And the client comes back and says, I don't need it. I don't want it. I've never needed it before. We pull away because we're not sure how to handle those objections. And so I think that's where it begins. How do you make money? What are the things in your business that, if they were to go down, would be significant in your disruption? How can we design a security program that's going to protect your ability to keep those systems running and allow you to grow and scale?
Right, and here's a plan for this. Here's maybe three steps based on best practice that we want to work on this month that are really important for us. Right. You see, all of a sudden, that changes into a conversation that a client should listen to and engage in, because you're talking about protecting their business and helping them scale into the future.
I think a lot of partners that I work with and a lot of people that I talk to lose sight of this: your job is to make sure that technology and infrastructure is never the reason your client isn't successful. And it goes back to the old dilemmas like, well, what are my IT people doing for me anyway? It's like, well, have you had to call us in six months? No, of course not. There it is. Things have been working. You're welcome. And it's usually a thankless job as a result.
Yeah, it is. And so we do need to learn how to get beyond the red tape discussion. Right? You're nothing but a cost to me. I didn't hear from you. So what is it that you're doing for me? Right. And so I think there can be some ways that we can do that. Right?
We can build some KPIs, some key performance indicators, some metrics into what we're doing on a day-to-day, or really, I should say a month-to-month basis. So you've got to figure out what that looks like from that perspective. Right. You can't say your firewalls had 400,000 alerts and all of them were blocked.
That doesn't mean anything to a client. Right. But what you can do is you can say some things like, hey, here is the average cost of what a data breach would look like. Here's the number of records that your organization has in place that we're defending against. According to really good data from Ponemon, a nonprofit, that shows $181 per record cost of a breach, your kind of exposure would be this much money. This is what we're defending against. Right.
Then you can start from there and then begin to show some things like compliance. Let's say you're using CIS and you've educated the client why the CIS journey is important, and you can walk them through: hey, we're now 48% through your CIS journey. We've started with the most important things. Look how important this is. And you can start to build some of these things into a client that says, okay, I understand that. I understand how that makes a lot of sense. I understand why that's valuable to my organization, because, again, you're helping me grow and scale, and you're helping me make sure I can achieve my objectives and the results and the revenue we're trying to generate, all these kinds of things. So, yeah, I think it's a shift. We've got to learn how to speak better, and if we do it, I think we'll find more success.
I definitely think so, as well. You had mentioned something earlier. You said this is kind of a place of uncomfortability for a lot of partners, for a lot of MSPs to chat about. How do they begin going about getting the security expertise? What would you recommend to those that are listening?
I'll steal a page from my good friend ZB from DKB Innovative, a really good MSP out in, you know. He always talks about eating your own tacos, right? It's much better than eating your own dog food. Right? Those Texans always correct us on that. So I do think there's a little bit of: you don't get into it until you start doing it. Like, hey, look, if I want to go run a marathon, I don't go from couch potato to marathon. There's some effort that goes into that, and you feel awkward the first time you hit the running circle, right, and you hit your knees a lot and are out of breath. But what you notice is the more you start to do it, the better you get. And so what are those mechanics that get you there into, like, the cyber marathon, so to speak? Well, I think one of those is knowing that you can speak with confidence by following a best practice.
And so I see this all the time. There's a direct correlation between your MSP's commitment to complying with a security framework and your cybersecurity revenue success. There's a direct correlation there. So I'll give you an example of this. Take the CIS Controls, which I'm a huge fan of. And by the way, I do a podcast on that. It's thecybercast.com. Just google it. We go through every single control in the CIS Controls.
And when you start doing that, it builds for you muscle memory and confidence to know that you're not just speaking from the hip; you're really following a best practice framework. It's just one example. If I'm sick and I go into a doctor and that doctor says, well, I don't really know, I'm just going to try this thing and try this thing, I'm going to be pretty unhappy with that clinical experience. Versus if they say, well, I'm well trained as a doctor and these are the things that we're going to do as part of your diagnostic process. We're going to send you here and here. These are based on your symptoms. This is what we do. We're going to take the results from that and we're going to use that to input our diagnosis decision and hopefully arrive at a treatment plan. That treatment plan is designed specifically for the symptoms you present and the symptoms we've tested for.
That's what I want to hear. That's the confidence that says this doctor knows what I need to ultimately get to health and success. That's what you do in cyber, right? It is a combination of tools, it is a combination of knowledge, it's a combination of conversations and question asking, and then presentation of all of that into a treatment plan that's unique to the client. Now, here's the thing. I don't think that treatment plan has to be 100% unique for every single client. I'll give you another example. To paint an example, let's say you're like a clothing shop, like a really nice bespoke clothing shop. And David Powell, a good friend of mine, uses this analogy, and he says on the front end, I go in, and I feel so good because they're measuring me up, my shoulders and all this stuff. But in the back, they're actually just going to the Jos. A. Bank, closed door, they're grabbing any suit off the rack, and they're making a couple of fine adjustments to it. But then they give it to me and they say, this is a custom suit, and I feel like it is a custom suit because it kind of is. But it wasn't all. It wasn't like they were actually creating the suit from scratch.
And that's what I'm talking about for you. As an MSP, 90% of what you can do can be rinse-and-repeated. You've just got to get to the 10% uniqueness for that client and then make sure it's presented to them in that way, based on their maturity, where they're at, their budget, their needs, all the things we talked about before.
So these CIS Controls, of which I'm a huge fan as well, and I believe you and I have been on several, I don't know, webinars, podcasts, presentations, hundreds of things on them. Are they flexible enough for MSPs, for partners, for security providers to use on a regular basis in the way you've just described?
Well, they're not perfect, but one of the things I love about them is that the CIS Controls are themselves sort of an open living document. And when I talk to Phyllis Lee, the director of the controls, she's very open and receptive to conversations on where that needs to grow. And maybe something that's in IG3, the advanced implementation, they say, oh, Phyllis, I wonder if we should pull this back into IG1, the basic level. And she's very open to those conversations.
And so I think it's really good, because it's a very practical implementation. It's very, do this, do this. And we MSPs love that approach. We love the tell me what to do and how to do it. If you give me that, I can follow it. I'm not hating on the NIST CSF. But the CSF from NIST itself is very descriptive. And you still wonder, scratching your head, like, well, how do I do that? And what's the most important thing to start on? And I'll give you a little hint on this, if you're curious: like, NIST knows this and CISA knows this. And so one of the things that CISA just came out with is what's called the Cybersecurity Performance Goals, the CPGs. You can go download them from CISA themselves; it's free. They created those because they realized we've created this huge overarching document back in 2013, so a decade ago, and we've heard from a lot of people that struggle with what's most important. So the CPGs are a way to address that. So I just say that to reverse and say, you can start with the CPGs from CISA or you can start with the CIS Controls. I'm agnostic. Choose what you wish. But I think most MSPs find the most value from the CIS Controls.
I always make a big statement that in the same way that the law is an approximation of morality, compliance frameworks are an approximation for security. It's a great place to start, but like you said, you need somebody running to Jos. A. Bank at the end of the day to stitch things together on their own, to make it the security package for that client.
Yep. Yep, you can do it. And I think for MSPs, it feels intimidating. But again, it's muscle memory. The more you start doing it, you will build the confidence, you will build the knowledge, you will build the best practice, and you will find success in doing it. And also, I think you'll find a lot of industries that you tend to work well inside of, and you can grow out of that capability.
Yeah, well, you heard it here first.
If you want to get good at security, just start doing. Guess maybe I should put a disclaimer on that somewhere, but start learning. At least I'll put it there. But anyway, thanks so much for joining us today, Wes. This has been a blast.
You're welcome, my friend.
I'm Connor, CEO at Phin, host of the Gone Phishing podcast, joined by Wesley Spencer today from Cyberfox. And we will see you next time.
Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out: Phin Security at phinsec.io. That's P-H-I-N-S-E-C dot I-O. Or click all of the wonderful links in our show notes. Thanks for phishing with me today, and we'll see you next time.