Ever wonder how you can turn the complexity of compliance regulations into an opportunity? We've got an episode for you. We've got Cam Roberson from Beachhead Solutions with us, sharing his insights on navigating the convoluted world of compliance regulations for MSPs. Prepare to be enlightened as we discuss the journey of transitioning into the channel, the challenges MSPs often face and how they can assist their clients in adhering to these mandates.
Dive deeper as we discuss the constant evolution of government documentation, and the ensuing improvement in compliance regulations such as HIPAA and HICP. We'll also highlight the important role of understanding which services map to specific requirements and how MSPs can assist with audits. Uncover the hidden opportunities in staying updated on these regulations and using them to differentiate your services. Don't miss out on an in-depth discussion on the potential risks for MSPs who overlook compliance and the recommended resources and tools for effective implementation. So, tune in, and let's steer your MSP business towards a competitive edge.
Cam's LinkedIn Profile
Cam mentioned that they’ve got the compliancy guide available for you and it's available under the following link: https://www.beachheadsolutions.com/lp/2024-msp-compliance-report
As declared by Cam in the episode, you can also reach out to him via email: croberson [at] beachheadsolutions [dot] com
Thank you for tuning in to Channel Voices! If you appreciate this resource please consider supporting us. Thank you!
To stay up to date follow us on LinkedIn and Twitter.
You can of course contact us on our social channels or by visiting our website: www.ChannelVoices.com
Subscribe to Channel Voices Scope, a monthly LinkedIn newsletter where we provide you with additional information accompanying the podcast. We hope you find this newsletter informative and useful for your career and organisation.
We would also like to invite you to join our growing Channel Ecosystems Community on Twitter, a community of channel professionals exchanging ideas, sharing insights and learning from each other. Let’s grow together!
Until next time 👋
address at some level these requirements that are coming down the pipe. The problem, I think, is that they don't know how they're addressing and that's the gap. And you're right the business, the client, needs to do their business. It's one thing to say we want you to manage our IT infrastructure, we want to have help desk, we want to have all these services in place. This is taking it to another level, because not only is the MSP relied upon for that, now they're going to be relied upon for helping them determine their own suitability to these mandates. What of your services map to this particular requirement? Do I need MFA? Do I need asset tracking? Do I need encryption? And how does the stack of services that you provide map to those? Because I need that to answer these questionnaires. I need it if I'm going to be audited.Maciej:
Hello, welcome and thank you for tuning into Channel Voices, the podcast for future channel leaders, where we learn the ins and outs of partner ecosystems through casual conversations with channel professionals from a variety of industries, partner types and geographies. My name is Maciej and I'm your host, Cam Roberson. Welcome to Channel Voices.Cam Roberson:
Hey, nice to be, here.Maciej:
To set the scene. Could you tell us a little bit about yourself and how did you get started in Channel? Maybe a little bit about your journey.Cam Roberson:
Well, I hope that'd be happy to. How much time do we got?Maciej:
We'll make time for you.Cam Roberson:
Yeah, somewhat accidental, machek, I had an ad agency for many years 12, I think where we help with marketing, messaging, building websites, collateral writing, copy, the whole gamut. And this company, Beachhead, was a client of mine and we got to be rather friendly. I think they liked what we did for them. And you know, sort of a couple of circumstances, somebody came and offered me some money to sell my business and I said very good, kind of conveyed that to my friends at Beachhead and they sort of said, hey, why don't you come? You know, run our marketing group. And I said that sounds like a pretty good idea. And I did and everything just sort of happened rather quickly actually and found myself marketing for Beachhead Solutions. I knew a little bit about the company, of course, but you know not so much of you know security services, saas services, but you know, turned out I really enjoyed it. Well, I don't want to go on too long, but Beachhead used to sell direct. We sold direct and we sold our product as a prepaid subscription it wasn't a monthly consumption based model and we sold direct to enterprise and medium sized business and small businesses. And then, you know, through the course of that and I started having more responsibility with respect to selling sales, we had recruited a reseller of our, a company that sold mostly hardware, but they had a particular client that needed our service. And, you know, one after another, they started bringing in clients. Well, and you know, we sold to them. They, you know, went to discount and they marked it up and it was a prepaid, you know, subscription for one or three years or whatnot. And then something happened, they, they started telling me that the purchase order was going to be coming from a finance company. Okay, and you know, come to find out, they were actually financing the product for their, for their, for their customers as if it were a asset. And so, you know, sort of clicked with me. Oh okay, so they're making monthly payments and they're handling accounting a little bit different, and so that was that sort of epiphany. And then we sort of learned about this MSP space and I I can remember it so distinctly and this goes back gosh, I want to say 10 years. Going to a show happened to be an ASCII member show and learning of this entire community of MSPs with relationships selling to small and medium sized business. Holy mackerel, this is, this is perfect for us. And so we, within the course of about six months, transformed our entire product to to be a monthly consumption based model selling to MSPs. That's how I get. That's the long story as to how I got into the channel Perfect.Maciej:
Perfect. Unlike others on the podcast that I have hosted and from you know my own experience and knowing people in the channel, a lot of them ended up in the channel by by just how, how how the life went, how the, how the job offers came about or how their career progression happened Right, typically through sales or marketing, right, and that's how people end up in channel. Yeah, it's not always like that, but, but it comes down to the fact that the so little knowledge still about channel, even though 75% of world trade goes through channel right, yeah, there still seems to be. You know, it's still a little bit of an enigma to people that are not directly involved with partnerships and channel or ecosystems in overall, right, yeah, no, I think that's true.Cam Roberson:
I certainly had no intention of. You know, I'm going to pursue the channel for my career. It just sort of happened and in many respects we sort of built our product to adapt to the channel because we we believe it's such a good fit for our service and for our platform. So, as I said, it certainly was not a plan, but I'm glad it worked out the way it did. For me the channel has been just a wonderful experience.Maciej:
Fantastic, yeah, today's topic and you already mentioned MSPs and adapting the product for the for the MSPs. So, as much as I am aware of MSPs and what they do, today's discussion is more around the compliance regulations that MSPs really need to pay attention to, and that's a topic that I don't have a lot of knowledge of. So I will be asking you quite a, quite a few questions here for me to clarify for me certain things. But you did give me a little bit of literature to read on, and there are. You know, there are some challenges that MSPs commonly face. From what I read, when dealing with regulations, and you know there's been mentioned of CMMC 2.0, nist, ftc, safeguards, hipaa. I mean, these are these are terms that don't mean much to me. I hope that the listeners will already have some knowledge around this and, if not, we'll point them to in the right direction, where to read up on that. But what are the key challenges, I suppose, that MSPs commonly face when dealing with these type of regulations?Cam Roberson:
Yeah, that's a great question. I'll tell you that for me, if you had, if we'd had, this conversation six months ago, I would not have been able to discuss it at great length with you. It's been baptism by fire and you know it's coming hard and fast, and what I've learned is that these regulations are already in place and sort of. You know, I felt a tremendous need to get versant quickly, and I think the same is true with our MSP community. It's just happening so fast and while I don't, you know, while I certainly can appreciate the workload that an MSP has as a business owner, I think this is something they need to be prepared for Because it's coming, it's already here. I'm guessing your listeners have been approached by their clients with getting help with a supply chain questionnaire, if they're doing government work, for instance, yeah. Or maybe a list of checkboxes of things I need to have in place for cybersecurity insurance, both of which are derived largely from some of the mandates that are coming down the pipe Right, some of which have been in place for a long time HIPAA, for instance. Kind of the bell wither, you know, here in the States anyway, but more and more frequently we're seeing the emergence of FTC safeguards and CMMC2 compliance being required. And you know, ftc in particular, which, just you know, finally got in its final implementation in June. Actually, they're being quite aggressive and probably for a very good reason, because there are a lot of people. First of all, it applies to a whole swath of businesses, perhaps millions in the US, but they're also going after some egregious, you know, security or lack of security-minded firms. You may have seen some of the press around car dealerships and we have a lot of our partners who are, you know, scrambling trying to get car dealerships up and running. Some real horror stories, frankly. But HIPAA has morphed into and produced a recent publication that provides a bunch more specificity to the requirements there. They are including all of these more and more discussion about MSPs, realizing that with small and medium-sized businesses, they're reliant a lot of times on the expertise of the MSP, and so they're bringing the discussion to include them, including guidance on how to find an MSP qualified to assist with these mandates. And so this is coming. You know, my hope is that MSPs really embrace this, both because you don't want to be embarrassed when your client comes and says, hey, I need help with being CMMC compliant, but also, you know, we I could go into marketing strategies empathize with our MSP community about how to distinguish, differentiate their offering, but it does represent an opportunity to really be cutting edge in terms of knowledge, documentation, being able to map the services that you provide to those that are required for these various mandates, and so forth. So you know it's coming, it's already here. It's both a, you know, intimidating, but also a tremendous opportunity, I think.Maciej:
And I suppose it's fair to say that you know. There, companies reach out to MSPs for help, not only to manage some of the things that they don't necessarily specialize in, but also rely on them when it comes to their knowledge of these types of regulations. Right, they just want to concentrate on their own product, on their own business and the things that they're not very well versed in. They want somebody else to come in and help with that. So, with that in mind, I suppose what are some of the trends or the insight that you might be able to offer? What do MSPs need to be aware of right now that might elevate them as a company and offer something in addition to, maybe, something that they're not offering today?Cam Roberson:
Yeah, the funny thing is I believe magic that most of them are offering a comprehensive suite of services that address at some level these requirements that are coming down the pipe. The problem, I think, is that they don't know how they're addressing and that's the gap. And you're right the business, the client needs to do their business. It's one thing to say we want you to manage our IT infrastructure, we want to have help desk, we want to have all these services in place. This is taking it to another level, because not only is the MSP relied upon for that, now they're going to be relied upon for helping them determine their own suitability to these mandates. What of your services map to this particular requirement? Why need MF A? Do I need asset tracking? Do I need encryption? And how does the stack of services that you provide map to those? Because I need that to answer these questionnaires. I need it if I'm going to be audited, and so I don't know if I'm answering your question. But it's kind of another thing and, as I mentioned before, I don't take this lightly. I know this is a fair amount of work for the MSP and it's additional work, but again, it's an opportunity and there is some good news. There's some silver lining on this, because I've gone through this exercise myself. There is a whole bunch more similar with these various mandates than there is dissimilar, and so good security is good security and most of them ask for, with slight variations, the same sort of things. And once somebody understands the controls in the language of the compliance mandates and they have a pretty good sense of where they stack up for on FTC safeguards for instance they're going to be in a much better position to adapt and help clients with CMMC and HIPAA and so forth. So there's some rather good news and I think it presents an opportunity. In fact, I've heard from several that say this could be the next big demand driver for our community is compliance and how to get compliance. So I think it represents a good opportunity to get ahead of it for those who are going to spend the work early. The other thing is, we'd certainly not like to see them lose business because if they come to their MSP partner and say, look, I need help with getting FTC compliant and they don't have the answers, I think the possibility of them finding either another MSP luring them away or them looking for somebody that can help them is pretty high.Maciej:
Obviously, security and compliance are such huge topics in today's business world. Right, because, yes, you are going to be audited. I mean, there's no doubt about that. Right, in some point in time you will be audited. You need to have your house in order. Security, it's so important because one piece of bad press, you know, something breached, it, might destroy a company. Right, in today's terms, I mean, that is huge and security is absolutely everywhere. It doesn't matter what type of business you run. It is everywhere, digital is everywhere. That's why security is so important. I was I'm thinking about your answer that you were given just there. You know, you said there's opportunities, there's that silver lining. Do you see MSPs potentially Some of them, right evolving into something else, into being more of the on the compliance side, rather than just providing the services? Right, because that's an interesting topic. Msps are growing as a whole, as a community. It's probably one of the fastest growing type of a partner in the channel today. Yeah, right, yeah. So with all of that in mind, I mean, what opportunities are there for MSPs and are they going to morph into something completely different than what they do today?Cam Roberson:
Yeah, yeah, that's a fantastic question and this was sort of another epiphany I had. Eight months ago. I was at a show and I had a couple of our partners, msp partners, amongst others. This was sort of an eye-opening experience for me. But come to me and say look, we are, we are actually going to be providing compliance services, either have spun off a separate organization or are providing within the framework of their current company. One of them is actually an authorizing agency for, or is in pursuit of being authorizing agency for, cmmc. So there's all kinds of different levels, but it is absolutely a direction and, I think again, a way to distinguish, differentiate your practice or build a new business because it absolutely needs it in the marketplace. I just think there's, you know, we MSPs as a rule understand the technology, certainly, they understand security it's taken a next level and being able to understand how that maps to what is required of these clients. But yeah, there's, you know, and that, at a minimum, needs to be, in my opinion, done. Msp needs to understand how they map to those mandates and, if there's a whole or a gap, to add the products that will fill that gap, either as a standard service or maybe just put in the bullpen for when these requirements come to be. But you know, we, like I said I eight months ago, I know very little of this. We had this epiphany. I didn't know much, but I've taken upon myself. I still don't consider myself an expert. I'll name names, if given the opportunity, of people in our space who know a whole bunch more than I and can be of assistance, I think, to many of your listeners. But I didn't know much and I took it upon myself because they told me that our product checked a lot of the boxes that were required. So I may have mentioned this in our back and forth emails. We built a over the last few months, a compliance guide, an MSP compliance agency guide and again I've learned. But we've had contributions from from John DePero, a visibility MSP, from Paul, who's an expert in FTC compliance. He's taught me so much HIPAA. Paul Redding, with the Compliancy Group. I've known him for years. He used to be a partner, an MSP partner of ours. He is without question the most knowledgeable person about the HIPAA security and privacy rules. What needs to happen Aaron Wyant, with Dispatch Tech down in San Diego I mentioned is pursuing the authorizing agency for CMMC. Those guys contributed to this Compliancy Guide and I'd be happy to provide that to you or to your listeners.Maciej:
Yeah, that'd be great. We can. We have the ability to put on some of those links and the names in the in the show notes so people can read up on this a little bit further. Because you were talking, I started laughing to myself because I recall when I, when we opened up the conversation, I called it HIPAA, but it seems like the standard is to pronounce it a hippo right Apologies to everybody who's listening, and they knew about this and they were laughing anyhow, a bit of humor.Cam Roberson:
Well, on a lot of times we go you know, spell it HIPAA, and it's actually HIPAA.Maciej:
So so you talked about the, the experts that helped you develop that framework let's call it right and when you got to know a little bit about it and were pursuing to grab that knowledge, I wanted to ask you you know, what are the watering holes, apart from the people that you spoke to? I mean, the best thing to learn is to surround yourself with the subject matter experts. Right, and that's how you then, that's how you learn. But if you don't have access to this and you really want to go and learn about this stuff, either as an MSP or a company that is thinking about bringing an MSP on to help them, what questions do they need to ask? Like they need to educate themselves a little bit first, and the second part of the question is so the first one is where do you get that knowledge right? And the second part is how often do these regulations change, do they get, how often do they get updated, and how can MSPs stay on top of that?Cam Roberson:
Yeah, it's a good question I probably end. You know, with FTC for instance, you've got to assign a resource or partial resource to be, you know, sort of full time on on this and to be up on the changes and you know implementation and you know care and feeding of this. There are services available also. You know, in fact, the folks that I just mentioned are providing those services and a lot of times that might be the right answer for a smaller MSP that doesn't have internal resources, a quicker way to get to that, to that point as far as understanding it. I yeah, that's a tough one. You know peer groups certainly leverage those those folks, because peer groups are incredibly important and and have a lot of resources, if not at the, the head of the group, then certainly with their members. Some people are going to be more versant on on these topics than others, the other maybe. Recommendation is, if you were to. You know the government documentation has really improved quite a bit. It used to be cut and dry and almost unreadable and you know like HIPAA, for instance, used to be really loose guidance. You know relied upon the, the reader, to ultimately implement a security plan and defend it and document it and and be sure that it was in place, but a lot of times it was for you to explain why the documentation has become much more readable and understandable and specific. And, like with HIPAA, for instance, they recently developed I think it's HICP publication and that's commonly referred to as hiccup. So so you got HIPAA. Now, okay, the next one's hiccup, and that document is, like you know, almost like a how to manual. There's images and, you know, little cartoons, things and it's like here's what you need to do. And, by the way, as I mentioned before, give this to your MSP and be sure that they understand how to do this and, as well, if you're going to be using an outside service for this, make sure that they qualify and look for these items. So, again, they're recognizing that MSPs are integral to this process, but they're suggesting who's qualified and who's not, and so if you're qualified, you know you'll get that business, if you're not, you may lose it, and so that's why I say it's important, I think, to sort of get ahead of it. Question number two yeah, they change, you know, I think what's? I think they're getting more specific and saying, okay, you know, rather than authentication control, we want multi factor authentication. You know, we're not going to leave it to your interpretation of what authentication control is. We want this thing specifically in place, which, by the way, is kind of one of the things that that's really pissing off the FTC auditors, because people don't like it, people aren't implementing it. I don't see them changing a lot, even from, you know, a few years ago. But as technology changes and the threats landscape changes, yes, you know, we're adding items to it, but, but ultimately, if you say you know asset control or asset access control, those, those functions. While they may, you know, change with the advent of new technologies or with new threats, they're pretty much that. That part of it is consistent. And again, the documentation online, those produced by the agencies, by the government, are really getting better. Not to make it sound like it's nothing there is, you do need to stay on top of it and somebody needs to do it. It's a burden, I hate to say it, but it is also, you know, as mentioned, a terrific opportunity to to get ahead of it and distinguish your offering, which is a challenge for for our MSP community. You know how to differentiate the value that I provide. We don't want it to be based on pricing. Please don't do that. Do it on the basis of providing more value, more expertise, more thought leadership, more knowledge for your clients.Maciej:
Right. So I suppose the risk of an MSP today not concentrating on these regulations, these compliances, it might actually put them at risk in terms with their own clients right, because those demands are going to rise and rise. The clients are going to get smarter about this as well, and we'll be looking for MSPs that offer that service that you know, that additional value apart from the regular services that they would typically provide right.Cam Roberson:
Yeah, I think so. I mean, you know, MSPs are all out there and talking to clients, and maybe your clients do, and you certainly don't want to have somebody approach your clients say yeah, gee, how does your client do with your? You know, regulated by FTC. Is your MSP able to help you with that? Are they able to assist with your cybersecurity insurance Questionnaire, Are they? Oh, they're not. It opens the you know the door for them to take your client away. So you know, at worst case I mean that's kind of a worst case scenario At best case it's a bit embarrassing not to have questions if they come to you and you've got a tremendous relationship with them. The best case scenario is you're a little embarrassed, you have to catch up, get those answers. Worst case scenario is you know, maybe before you even know it they're somewhere else because they need this service and you're not in a position to help them.Maciej:
In terms of resources, additional resources or tools, I suppose for MSPs or maybe even just people who are interested in this topic, is there anything that you would recommend you know so they can understand how to implement you know compliance regulations effectively?Cam Roberson:
Yeah, I, you know I mentioned those guys. They're very helpful. Know a whole bunch more about the. You know the very details of compliance. I can share with you what I did Magic and for us it's been very useful. And in fact the big difference between these things is, I mentioned, there's more similar than there is dissimilar right, the, the, the. There are two big differences if you go from one compliance mandate to the other. One is nomenclature. You know some, some might call it data sanitization, some may say you know expunge or kill outdated or no longer useful data. So the nomenclature changes, the organization changes. You know different ways of promoting it in different orders and if you, if you go to try and satisfy or map your services against one, you're going to do it serially. It's going to be a tremendous amount of work because there are they're different different terms, different all what, what we did.Maciej:
I'm not saying this is perfect.Cam Roberson:
we settled on an organization structure. For us, the most sort of common guidance is the NIST cybersecurity framework, csf. Why people call it? It's organized in you know seven different categories, gosh, I I'd like to remember where they identify, protect, detect, respond and recover. That's sort of the organizational structure. What we did for our product we mapped our controls in that fashion against the NIST cybersecurity framework. We did that before we did anything else. Then we mapped those in a if describing it verbally here it's a little bit difficult, but if you think of a spreadsheet we then mapped those controls into the controls of the specific mandates. We had a column for CMMC one and two. We had a column, and it's easier to do that way. You've got the framework. It's consistent. Now you're mapping it to the, to the specific controls required of the various mandates. I, you know, I think that's for us. It worked well. I would offer to anybody out there that that might be a good starting point for them. If an MSP wants to sort of begin assessing and mapping and documenting their controls, I could provide the raw spreadsheet files, and if they wanted to, you know. And then, if they use beachhead, fantastic, they got a head start. If they don't, though, they can at least use our information to see how we mapped it to that particular thing and then take the rest of their stack and services and do the same thing. Right, and it worked for us. You know, we we used it to build a matrix within that compliance guide that I mentioned, and I think it made good sense for us. I think it would also apply to to MSPs who are interested in in moving in that direction. So you know that might be helpful, be happy to help in any way I can. Those other guys extremely knowledgeable and I know them personally now, especially over the last six months. They're good guys. They'd be happy to help even if it weren't in the pursuit of dollars in business. Right, they're just good guys. They they're really forthright and helpful. They taught me a ton.Maciej:
Right. So instead of you're giving that those documents to me, I believe the best thing to do would be for people to reach out to you. Maybe on LinkedIn, we'll have the link to your LinkedIn profile in the in the show notes. So are people okay to reach out to you directly?Cam Roberson:
Yeah, you know I'm I. I have a presence, obviously, on LinkedIn, I LinkedIn reminds me of work, so I'd be even better and so, as a result, I don't check it all that frequently. I'm happy to have my email shared as well.Maciej:
Okay, perfect, so we'll include that in the in the show notes. Thank you for that. And then, obviously, we did talk a little bit about how you for a lack of a better word fell into the channel. Yeah Right, what's the one thing you wish you knew before you started your channel career?Cam Roberson:
Well, I would have gotten into it sooner. I think, honest to God, this is a. This is a great place to be and I don't know why the people in it are very, very cool and I'm going to buy cool. What do I mean? But, you know, helpful, like guys like I mentioned, like I've never seen a, a place where competitors help each other out and chat and are friendly. You know, we, we have all these shows magic that we go to and everybody's got a smile face, everybody's seemingly enjoying their, their careers. You know, for us, we, we don't have the ability to, you know, approach huge numbers of people, and so we, we leverage MSPs who are smart, ambitious business people who have developed relationships with their end clients. I can easily reach out to those folks or, more easily, and let them, you know, do what's right for their client base. Again, they have those relationships. I hope they'll keep those relationships as they. You know, we go through this process of of compliance.Maciej:
Thank you so much for educating me, and, hopefully, some of some of our listeners, on all of these very, very complex compliance regulations. Obviously, msps are going to evolve further Right, and time will only tell where. Where are they going to end up? What kind of a? What kind of business will they be running? Because, like I said, I think they're possibly one of the fastest growing type of partner in the industry. Yeah, so it'll be really fantastic to see what is it that they're going to develop into in the in the near and the in the far future as well. Yeah, yeah.Cam Roberson:
I yeah, it will be interesting and, and you know, those who who get on board sooner, I think are going to be in a better position to grow their business.Maciej:
Cam, thank you so, so much for joining me on Channel Voices today. We'll obviously keep in touch. As it is, as we're both in the channel, those relationships typically last, so hope to be speaking with you in the future as well.Cam Roberson:
Yeah, absolutely Magic has been my, my pleasure and, yeah, I look forward to continued conversations.Maciej:
And that's a wrap for this episode. I do hope you found it valuable and, if you did, please make sure to subscribe and leave a review. You can also follow Channel Voices podcast on LinkedIn, twitter and Facebook, or just visit channelvoicescom, where you can send me a message or leave a voicemail. All of the links are listed in the show notes and, once again, I appreciate you tuning in today Until next time.