Ever wonder how you can turn the complexity of compliance regulations into an opportunity? We've got an episode for you. We've got Cam Roberson from Beachhead Solutions with us, sharing his insights on navigating the convoluted world of compliance regulations for MSPs. Prepare to be enlightened as we discuss the journey of transitioning into the channel, the challenges MSPs often face and how they can assist their clients in adhering to these mandates.
Dive deeper as we discuss the constant evolution of government documentation, and the ensuing improvement in compliance regulations such as HIPAA and HICP. We'll also highlight the important role of understanding which services map to specific requirements and how MSPs can assist with audits. Uncover the hidden opportunities in staying updated on these regulations and using them to differentiate your services. Don't miss out on an in-depth discussion on the potential risks for MSPs who overlook compliance and the recommended resources and tools for effective implementation. So, tune in, and let's steer your MSP business towards a competitive edge.
Cam's LinkedIn Profile
Cam mentioned that they’ve got the compliancy guide available for you and it's available under the following link: https://www.beachheadsolutions.com/lp/2024-msp-compliance-report
As declared by Cam in the episode, you can also reach out to him via email: croberson [at] beachheadsolutions [dot] com
Thank you for tuning in to Channel Voices! If you appreciate this resource please consider supporting us. Thank you!
To stay up to date follow us on LinkedIn and Twitter.
You can of course contact us on our social channels or by visiting our website: www.ChannelVoices.com
Subscribe to Channel Voices Scope, a monthly LinkedIn newsletter where we provide you with additional information accompanying the podcast. We hope you find this newsletter informative and useful for your career and organisation.
We would also like to invite you to join our growing Channel Ecosystems Community on Twitter, a community of channel professionals exchanging ideas, sharing insights and learning from each other. Let’s grow together!
Until next time 👋
1
00:00:00
Cam Roberson: address at some level these requirements that
00:00:02
are coming down the pipe.
00:00:03
The problem, I think, is that they don't know how they're
00:00:08
addressing and that's the gap.
00:00:09
And you're right the business, the client, needs to do their
00:00:13
business.
00:00:14
It's one thing to say we want you to manage our IT
00:00:18
infrastructure, we want to have help desk, we want to have all
00:00:21
these services in place.
00:00:22
This is taking it to another level, because not only is the
00:00:28
MSP relied upon for that, now they're going to be relied upon
00:00:33
for helping them determine their own suitability to these
00:00:39
mandates.
00:00:40
What of your services map to this particular requirement?
00:00:44
Do I need MFA?
00:00:47
Do I need asset tracking?
00:00:48
Do I need encryption?
00:00:49
And how does the stack of services that you provide map to
00:00:55
those?
00:00:55
Because I need that to answer these questionnaires.
00:00:58
I need it if I'm going to be audited.
00:01:05
Maciej: Hello, welcome and thank you for tuning into Channel
00:01:09
Voices, the podcast for future channel leaders, where we learn
00:01:13
the ins and outs of partner ecosystems through casual
00:01:16
conversations with channel professionals from a variety of
00:01:20
industries, partner types and geographies.
00:01:23
My name is Maciej and I'm your host, Cam Roberson.
00:01:29
Welcome to Channel Voices.
00:01:31
Cam Roberson: Hey, nice to be, here.
00:01:33
Maciej: To set the scene.
00:01:34
Could you tell us a little bit about yourself and how did you
00:01:38
get started in Channel?
00:01:39
Maybe a little bit about your journey.
00:01:42
Cam Roberson: Well, I hope that'd be happy to.
00:01:43
How much time do we got?
00:01:46
Maciej: We'll make time for you.
00:01:47
Cam Roberson: Yeah, somewhat accidental, machek, I had an ad
00:01:53
agency for many years 12, I think where we help with
00:02:00
marketing, messaging, building websites, collateral writing,
00:02:05
copy, the whole gamut.
00:02:07
And this company, Beachhead, was a client of mine and we got
00:02:16
to be rather friendly.
00:02:16
I think they liked what we did for them.
00:02:20
And you know, sort of a couple of circumstances, somebody came
00:02:25
and offered me some money to sell my business and I said very
00:02:29
good, kind of conveyed that to my friends at Beachhead and they
00:02:34
sort of said, hey, why don't you come?
00:02:36
You know, run our marketing group.
00:02:37
And I said that sounds like a pretty good idea.
00:02:40
And I did and everything just sort of happened rather quickly
00:02:45
actually and found myself marketing for Beachhead
00:02:51
Solutions.
00:02:51
I knew a little bit about the company, of course, but you know
00:02:56
not so much of you know security services, saas services
00:03:00
, but you know, turned out I really enjoyed it.
00:03:04
Well, I don't want to go on too long, but Beachhead used to sell
00:03:07
direct.
00:03:08
We sold direct and we sold our product as a prepaid
00:03:14
subscription it wasn't a monthly consumption based model and we
00:03:19
sold direct to enterprise and medium sized business and small
00:03:22
businesses.
00:03:23
And then, you know, through the course of that and I started
00:03:28
having more responsibility with respect to selling sales, we had
00:03:33
recruited a reseller of our, a company that sold mostly
00:03:39
hardware, but they had a particular client that needed
00:03:42
our service.
00:03:43
And, you know, one after another, they started bringing
00:03:47
in clients.
00:03:48
Well, and you know, we sold to them.
00:03:51
They, you know, went to discount and they marked it up
00:03:54
and it was a prepaid, you know, subscription for one or three
00:03:58
years or whatnot.
00:03:59
And then something happened, they, they started telling me
00:04:03
that the purchase order was going to be coming from a
00:04:06
finance company.
00:04:07
Okay, and you know, come to find out, they were actually
00:04:13
financing the product for their, for their, for their customers
00:04:16
as if it were a asset.
00:04:18
And so, you know, sort of clicked with me.
00:04:20
Oh okay, so they're making monthly payments and they're
00:04:24
handling accounting a little bit different, and so that was that
00:04:28
sort of epiphany.
00:04:29
And then we sort of learned about this MSP space and I I can
00:04:35
remember it so distinctly and this goes back gosh, I want to
00:04:39
say 10 years.
00:04:40
Going to a show happened to be an ASCII member show and
00:04:45
learning of this entire community of MSPs with
00:04:51
relationships selling to small and medium sized business.
00:04:56
Holy mackerel, this is, this is perfect for us.
00:05:00
And so we, within the course of about six months, transformed
00:05:07
our entire product to to be a monthly consumption based model
00:05:12
selling to MSPs.
00:05:13
That's how I get.
00:05:16
That's the long story as to how I got into the channel Perfect.
00:05:21
Maciej: Perfect.
00:05:21
Unlike others on the podcast that I have hosted and from you
00:05:28
know my own experience and knowing people in the channel, a
00:05:33
lot of them ended up in the channel by by just how, how how
00:05:38
the life went, how the, how the job offers came about or how
00:05:42
their career progression happened Right, typically
00:05:46
through sales or marketing, right, and that's how people end
00:05:50
up in channel.
00:05:51
Yeah, it's not always like that , but, but it comes down to the
00:05:57
fact that the so little knowledge still about channel,
00:06:01
even though 75% of world trade goes through channel right, yeah
00:06:05
, there still seems to be.
00:06:07
You know, it's still a little bit of an enigma to people that
00:06:13
are not directly involved with partnerships and channel or
00:06:18
ecosystems in overall, right, yeah, no, I think that's true.
00:06:23
Cam Roberson: I certainly had no intention of.
00:06:25
You know, I'm going to pursue the channel for my career.
00:06:29
It just sort of happened and in many respects we sort of built
00:06:34
our product to adapt to the channel because we we believe
00:06:38
it's such a good fit for our service and for our platform.
00:06:41
So, as I said, it certainly was not a plan, but I'm glad it
00:06:46
worked out the way it did.
00:06:47
For me the channel has been just a wonderful experience.
00:06:52
Maciej: Fantastic, yeah, today's topic and you already mentioned
00:06:56
MSPs and adapting the product for the for the MSPs.
00:07:01
So, as much as I am aware of MSPs and what they do, today's
00:07:08
discussion is more around the compliance regulations that MSPs
00:07:13
really need to pay attention to , and that's a topic that I
00:07:18
don't have a lot of knowledge of .
00:07:20
So I will be asking you quite a , quite a few questions here for
00:07:25
me to clarify for me certain things.
00:07:28
But you did give me a little bit of literature to read on,
00:07:34
and there are.
00:07:35
You know, there are some challenges that MSPs commonly
00:07:38
face.
00:07:39
From what I read, when dealing with regulations, and you know
00:07:43
there's been mentioned of CMMC 2.0, nist, ftc, safeguards,
00:07:50
hipaa.
00:07:52
I mean, these are these are terms that don't mean much to me
00:07:55
.
00:07:55
I hope that the listeners will already have some knowledge
00:07:59
around this and, if not, we'll point them to in the right
00:08:03
direction, where to read up on that.
00:08:05
But what are the key challenges , I suppose, that MSPs commonly
00:08:11
face when dealing with these type of regulations?
00:08:15
Cam Roberson: Yeah, that's a great question.
00:08:16
I'll tell you that for me, if you had, if we'd had, this
00:08:19
conversation six months ago, I would not have been able to
00:08:23
discuss it at great length with you.
00:08:25
It's been baptism by fire and you know it's coming hard and
00:08:32
fast, and what I've learned is that these regulations are
00:08:36
already in place and sort of.
00:08:39
You know, I felt a tremendous need to get versant quickly, and
00:08:45
I think the same is true with our MSP community.
00:08:51
It's just happening so fast and while I don't, you know, while
00:08:58
I certainly can appreciate the workload that an MSP has as a
00:09:03
business owner, I think this is something they need to be
00:09:07
prepared for Because it's coming , it's already here.
00:09:11
I'm guessing your listeners have been approached by their
00:09:16
clients with getting help with a supply chain questionnaire, if
00:09:21
they're doing government work, for instance, yeah.
00:09:24
Or maybe a list of checkboxes of things I need to have in
00:09:29
place for cybersecurity insurance, both of which are
00:09:33
derived largely from some of the mandates that are coming down
00:09:36
the pipe Right, some of which have been in place for a long
00:09:39
time HIPAA, for instance.
00:09:40
Kind of the bell wither, you know, here in the States anyway,
00:09:44
but more and more frequently we're seeing the emergence of
00:09:51
FTC safeguards and CMMC2 compliance being required.
00:09:55
And you know, ftc in particular , which, just you know, finally
00:10:01
got in its final implementation in June.
00:10:06
Actually, they're being quite aggressive and probably for a
00:10:11
very good reason, because there are a lot of people.
00:10:13
First of all, it applies to a whole swath of businesses,
00:10:17
perhaps millions in the US, but they're also going after some
00:10:24
egregious, you know, security or lack of security-minded firms.
00:10:29
You may have seen some of the press around car dealerships and
00:10:34
we have a lot of our partners who are, you know, scrambling
00:10:39
trying to get car dealerships up and running.
00:10:42
Some real horror stories, frankly.
00:10:45
But HIPAA has morphed into and produced a recent publication
00:10:51
that provides a bunch more specificity to the requirements
00:10:55
there.
00:10:55
They are including all of these more and more discussion about
00:11:00
MSPs, realizing that with small and medium-sized businesses,
00:11:05
they're reliant a lot of times on the expertise of the MSP, and
00:11:08
so they're bringing the discussion to include them,
00:11:12
including guidance on how to find an MSP qualified to assist
00:11:16
with these mandates.
00:11:19
And so this is coming.
00:11:22
You know, my hope is that MSPs really embrace this, both
00:11:29
because you don't want to be embarrassed when your client
00:11:31
comes and says, hey, I need help with being CMMC compliant, but
00:11:36
also, you know, we I could go into marketing strategies
00:11:41
empathize with our MSP community about how to distinguish,
00:11:45
differentiate their offering, but it does represent an
00:11:48
opportunity to really be cutting edge in terms of knowledge,
00:11:54
documentation, being able to map the services that you provide
00:11:58
to those that are required for these various mandates, and so
00:12:01
forth.
00:12:01
So you know it's coming, it's already here.
00:12:05
It's both a, you know, intimidating, but also a
00:12:12
tremendous opportunity, I think.
00:12:14
Maciej: And I suppose it's fair to say that you know.
00:12:17
There, companies reach out to MSPs for help, not only to
00:12:26
manage some of the things that they don't necessarily
00:12:30
specialize in, but also rely on them when it comes to their
00:12:34
knowledge of these types of regulations.
00:12:36
Right, they just want to concentrate on their own product
00:12:39
, on their own business and the things that they're not very
00:12:43
well versed in.
00:12:44
They want somebody else to come in and help with that.
00:12:47
So, with that in mind, I suppose what are some of the
00:12:55
trends or the insight that you might be able to offer?
00:12:58
What do MSPs need to be aware of right now that might elevate
00:13:04
them as a company and offer something in addition to, maybe,
00:13:10
something that they're not offering today?
00:13:14
Cam Roberson: Yeah, the funny thing is I believe magic that
00:13:16
most of them are offering a comprehensive suite of services
00:13:21
that address at some level these requirements that are coming
00:13:25
down the pipe.
00:13:25
The problem, I think, is that they don't know how they're
00:13:30
addressing and that's the gap.
00:13:32
And you're right the business, the client needs to do their
00:13:35
business.
00:13:38
It's one thing to say we want you to manage our IT
00:13:40
infrastructure, we want to have help desk, we want to have all
00:13:43
these services in place.
00:13:45
This is taking it to another level, because not only is the
00:13:50
MSP relied upon for that, now they're going to be relied upon
00:13:55
for helping them determine their own suitability to these
00:14:01
mandates.
00:14:03
What of your services map to this particular requirement?
00:14:07
Why need MF A?
00:14:09
Do I need asset tracking?
00:14:10
Do I need encryption?
00:14:12
And how does the stack of services that you provide map to
00:14:17
those?
00:14:18
Because I need that to answer these questionnaires.
00:14:20
I need it if I'm going to be audited, and so I don't know if
00:14:25
I'm answering your question.
00:14:26
But it's kind of another thing and, as I mentioned before, I
00:14:32
don't take this lightly.
00:14:34
I know this is a fair amount of work for the MSP and it's
00:14:39
additional work, but again, it's an opportunity and there is
00:14:43
some good news.
00:14:43
There's some silver lining on this, because I've gone through
00:14:46
this exercise myself.
00:14:48
There is a whole bunch more similar with these various
00:14:53
mandates than there is dissimilar, and so good security
00:14:59
is good security and most of them ask for, with slight
00:15:04
variations, the same sort of things.
00:15:06
And once somebody understands the controls in the language of
00:15:12
the compliance mandates and they have a pretty good sense of
00:15:17
where they stack up for on FTC safeguards for instance they're
00:15:22
going to be in a much better position to adapt and help
00:15:25
clients with CMMC and HIPAA and so forth.
00:15:27
So there's some rather good news and I think it presents an
00:15:34
opportunity.
00:15:35
In fact, I've heard from several that say this could be
00:15:38
the next big demand driver for our community is compliance and
00:15:43
how to get compliance.
00:15:45
So I think it represents a good opportunity to get ahead of it
00:15:49
for those who are going to spend the work early.
00:15:53
The other thing is, we'd certainly not like to see them
00:15:57
lose business because if they come to their MSP partner and
00:16:01
say, look, I need help with getting FTC compliant and they
00:16:05
don't have the answers, I think the possibility of them finding
00:16:10
either another MSP luring them away or them looking for
00:16:14
somebody that can help them is pretty high.
00:16:18
Maciej: Obviously, security and compliance are such huge topics
00:16:23
in today's business world.
00:16:25
Right, because, yes, you are going to be audited.
00:16:28
I mean, there's no doubt about that.
00:16:30
Right, in some point in time you will be audited.
00:16:32
You need to have your house in order.
00:16:34
Security, it's so important because one piece of bad press,
00:16:40
you know, something breached, it , might destroy a company.
00:16:43
Right, in today's terms, I mean , that is huge and security is
00:16:49
absolutely everywhere.
00:16:50
It doesn't matter what type of business you run.
00:16:53
It is everywhere, digital is everywhere.
00:16:56
That's why security is so important.
00:17:00
I was I'm thinking about your answer that you were given just
00:17:03
there.
00:17:04
You know, you said there's opportunities, there's that
00:17:08
silver lining.
00:17:08
Do you see MSPs potentially Some of them, right evolving
00:17:14
into something else, into being more of the on the compliance
00:17:18
side, rather than just providing the services?
00:17:20
Right, because that's an interesting topic.
00:17:22
Msps are growing as a whole, as a community.
00:17:26
It's probably one of the fastest growing type of a
00:17:30
partner in the channel today.
00:17:32
Yeah, right, yeah.
00:17:34
So with all of that in mind, I mean, what opportunities are
00:17:37
there for MSPs and are they going to morph into something
00:17:41
completely different than what they do today?
00:17:43
Cam Roberson: Yeah, yeah, that's a fantastic question and this
00:17:46
was sort of another epiphany I had.
00:17:48
Eight months ago.
00:17:50
I was at a show and I had a couple of our partners, msp
00:17:53
partners, amongst others.
00:17:56
This was sort of an eye-opening experience for me.
00:17:58
But come to me and say look, we are, we are actually going to
00:18:03
be providing compliance services , either have spun off a
00:18:08
separate organization or are providing within the framework
00:18:13
of their current company.
00:18:15
One of them is actually an authorizing agency for, or is in
00:18:20
pursuit of being authorizing agency for, cmmc.
00:18:24
So there's all kinds of different levels, but it is
00:18:27
absolutely a direction and, I think again, a way to
00:18:32
distinguish, differentiate your practice or build a new business
00:18:36
because it absolutely needs it in the marketplace.
00:18:39
I just think there's, you know, we MSPs as a rule understand
00:18:46
the technology, certainly, they understand security it's taken a
00:18:50
next level and being able to understand how that maps to what
00:18:54
is required of these clients.
00:18:55
But yeah, there's, you know, and that, at a minimum, needs to
00:19:00
be, in my opinion, done.
00:19:02
Msp needs to understand how they map to those mandates and,
00:19:08
if there's a whole or a gap, to add the products that will fill
00:19:12
that gap, either as a standard service or maybe just put in the
00:19:17
bullpen for when these requirements come to be.
00:19:20
But you know, we, like I said I eight months ago, I know very
00:19:26
little of this.
00:19:27
We had this epiphany.
00:19:28
I didn't know much, but I've taken upon myself.
00:19:33
I still don't consider myself an expert.
00:19:35
I'll name names, if given the opportunity, of people in our
00:19:38
space who know a whole bunch more than I and can be of
00:19:43
assistance, I think, to many of your listeners.
00:19:46
But I didn't know much and I took it upon myself because they
00:19:52
told me that our product checked a lot of the boxes that
00:19:56
were required.
00:19:56
So I may have mentioned this in our back and forth emails.
00:20:03
We built a over the last few months, a compliance guide, an
00:20:08
MSP compliance agency guide and again I've learned.
00:20:12
But we've had contributions from from John DePero, a
00:20:16
visibility MSP, from Paul, who's an expert in FTC compliance.
00:20:22
He's taught me so much HIPAA.
00:20:25
Paul Redding, with the Compliancy Group.
00:20:27
I've known him for years.
00:20:28
He used to be a partner, an MSP partner of ours.
00:20:30
He is without question the most knowledgeable person about the
00:20:35
HIPAA security and privacy rules .
00:20:37
What needs to happen Aaron Wyant, with Dispatch Tech down
00:20:43
in San Diego I mentioned is pursuing the authorizing agency
00:20:48
for CMMC.
00:20:49
Those guys contributed to this Compliancy Guide and I'd be
00:20:54
happy to provide that to you or to your listeners.
00:20:59
Maciej: Yeah, that'd be great.
00:21:00
We can.
00:21:00
We have the ability to put on some of those links and the
00:21:03
names in the in the show notes so people can read up on this a
00:21:08
little bit further.
00:21:09
Because you were talking, I started laughing to myself
00:21:12
because I recall when I, when we opened up the conversation, I
00:21:17
called it HIPAA, but it seems like the standard is to
00:21:21
pronounce it a hippo right Apologies to everybody who's
00:21:25
listening, and they knew about this and they were laughing
00:21:29
anyhow, a bit of humor.
00:21:30
Cam Roberson: Well, on a lot of times we go you know, spell it
00:21:34
HIPAA, and it's actually HIPAA.
00:21:41
Maciej: So so you talked about the, the experts that helped you
00:21:46
develop that framework let's call it right and when you got
00:21:52
to know a little bit about it and were pursuing to grab that
00:21:58
knowledge, I wanted to ask you you know, what are the watering
00:22:04
holes, apart from the people that you spoke to?
00:22:06
I mean, the best thing to learn is to surround yourself with
00:22:09
the subject matter experts.
00:22:11
Right, and that's how you then, that's how you learn.
00:22:13
But if you don't have access to this and you really want to go
00:22:18
and learn about this stuff, either as an MSP or a company
00:22:22
that is thinking about bringing an MSP on to help them, what
00:22:28
questions do they need to ask?
00:22:29
Like they need to educate themselves a little bit first,
00:22:33
and the second part of the question is so the first one is
00:22:37
where do you get that knowledge right?
00:22:39
And the second part is how often do these regulations
00:22:44
change, do they get, how often do they get updated, and how can
00:22:48
MSPs stay on top of that?
00:22:51
Cam Roberson: Yeah, it's a good question I probably end.
00:22:54
You know, with FTC for instance , you've got to assign a
00:22:58
resource or partial resource to be, you know, sort of full time
00:23:01
on on this and to be up on the changes and you know
00:23:05
implementation and you know care and feeding of this.
00:23:08
There are services available also.
00:23:11
You know, in fact, the folks that I just mentioned are
00:23:15
providing those services and a lot of times that might be the
00:23:18
right answer for a smaller MSP that doesn't have internal
00:23:21
resources, a quicker way to get to that, to that point as far as
00:23:28
understanding it.
00:23:29
I yeah, that's a tough one.
00:23:31
You know peer groups certainly leverage those those folks,
00:23:35
because peer groups are incredibly important and and
00:23:39
have a lot of resources, if not at the, the head of the group,
00:23:45
then certainly with their members.
00:23:46
Some people are going to be more versant on on these topics
00:23:50
than others, the other maybe.
00:23:53
Recommendation is, if you were to.
00:23:56
You know the government documentation has really
00:24:00
improved quite a bit.
00:24:01
It used to be cut and dry and almost unreadable and you know
00:24:07
like HIPAA, for instance, used to be really loose guidance.
00:24:11
You know relied upon the, the reader, to ultimately implement
00:24:17
a security plan and defend it and document it and and be sure
00:24:21
that it was in place, but a lot of times it was for you to
00:24:25
explain why the documentation has become much more readable
00:24:30
and understandable and specific.
00:24:32
And, like with HIPAA, for instance, they recently
00:24:37
developed I think it's HICP publication and that's commonly
00:24:43
referred to as hiccup.
00:24:44
So so you got HIPAA.
00:24:46
Now, okay, the next one's hiccup, and that document is,
00:24:50
like you know, almost like a how to manual.
00:24:53
There's images and, you know, little cartoons, things and it's
00:24:58
like here's what you need to do .
00:25:01
And, by the way, as I mentioned before, give this to your MSP
00:25:05
and be sure that they understand how to do this and, as well, if
00:25:10
you're going to be using an outside service for this, make
00:25:14
sure that they qualify and look for these items.
00:25:17
So, again, they're recognizing that MSPs are integral to this
00:25:23
process, but they're suggesting who's qualified and who's not,
00:25:28
and so if you're qualified, you know you'll get that business,
00:25:32
if you're not, you may lose it, and so that's why I say it's
00:25:36
important, I think, to sort of get ahead of it.
00:25:38
Question number two yeah, they change, you know, I think what's
00:25:44
?
00:25:44
I think they're getting more specific and saying, okay, you
00:25:49
know, rather than authentication control, we want multi factor
00:25:52
authentication.
00:25:52
You know, we're not going to leave it to your interpretation
00:25:56
of what authentication control is.
00:25:58
We want this thing specifically in place, which, by the way, is
00:26:04
kind of one of the things that that's really pissing off the
00:26:09
FTC auditors, because people don't like it, people aren't
00:26:12
implementing it.
00:26:15
I don't see them changing a lot , even from, you know, a few
00:26:21
years ago.
00:26:22
But as technology changes and the threats landscape changes,
00:26:26
yes, you know, we're adding items to it, but, but ultimately
00:26:30
, if you say you know asset control or asset access control,
00:26:35
those, those functions.
00:26:37
While they may, you know, change with the advent of new
00:26:41
technologies or with new threats , they're pretty much that.
00:26:46
That part of it is consistent.
00:26:47
And again, the documentation online, those produced by the
00:26:54
agencies, by the government, are really getting better.
00:26:58
Not to make it sound like it's nothing there is, you do need to
00:27:04
stay on top of it and somebody needs to do it.
00:27:07
It's a burden, I hate to say it , but it is also, you know, as
00:27:11
mentioned, a terrific opportunity to to get ahead of
00:27:16
it and distinguish your offering , which is a challenge for for
00:27:20
our MSP community.
00:27:21
You know how to differentiate the value that I provide.
00:27:24
We don't want it to be based on pricing.
00:27:28
Please don't do that.
00:27:29
Do it on the basis of providing more value, more expertise,
00:27:34
more thought leadership, more knowledge for your clients.
00:27:39
Maciej: Right.
00:27:39
So I suppose the risk of an MSP today not concentrating on
00:27:48
these regulations, these compliances, it might actually
00:27:54
put them at risk in terms with their own clients right, because
00:27:58
those demands are going to rise and rise.
00:28:00
The clients are going to get smarter about this as well, and
00:28:04
we'll be looking for MSPs that offer that service that you know
00:28:08
, that additional value apart from the regular services that
00:28:12
they would typically provide right.
00:28:13
Cam Roberson: Yeah, I think so.
00:28:14
I mean, you know, MSPs are all out there and talking to clients
00:28:19
, and maybe your clients do, and you certainly don't want to
00:28:23
have somebody approach your clients say yeah, gee, how does
00:28:29
your client do with your?
00:28:31
You know, regulated by FTC.
00:28:32
Is your MSP able to help you with that?
00:28:36
Are they able to assist with your cybersecurity insurance
00:28:43
Questionnaire, Are they?
00:28:44
Oh, they're not.
00:28:48
It opens the you know the door for them to take your client
00:28:53
away.
00:28:54
So you know, at worst case I mean that's kind of a worst case
00:28:58
scenario At best case it's a bit embarrassing not to have
00:29:02
questions if they come to you and you've got a tremendous
00:29:05
relationship with them.
00:29:06
The best case scenario is you're a little embarrassed, you
00:29:09
have to catch up, get those answers.
00:29:11
Worst case scenario is you know , maybe before you even know it
00:29:17
they're somewhere else because they need this service and
00:29:21
you're not in a position to help them.
00:29:24
Maciej: In terms of resources, additional resources or tools, I
00:29:28
suppose for MSPs or maybe even just people who are interested
00:29:32
in this topic, is there anything that you would recommend you
00:29:37
know so they can understand how to implement you know compliance
00:29:42
regulations effectively?
00:29:43
Cam Roberson: Yeah, I, you know I mentioned those guys.
00:29:46
They're very helpful.
00:29:48
Know a whole bunch more about the.
00:29:50
You know the very details of compliance.
00:29:56
I can share with you what I did Magic and for us it's been very
00:30:03
useful.
00:30:03
And in fact the big difference between these things is, I
00:30:07
mentioned, there's more similar than there is dissimilar right,
00:30:11
the, the, the.
00:30:12
There are two big differences if you go from one compliance
00:30:15
mandate to the other.
00:30:16
One is nomenclature.
00:30:18
You know some, some might call it data sanitization, some may
00:30:24
say you know expunge or kill outdated or no longer useful
00:30:29
data.
00:30:29
So the nomenclature changes, the organization changes.
00:30:35
You know different ways of promoting it in different orders
00:30:41
and if you, if you go to try and satisfy or map your services
00:30:47
against one, you're going to do it serially.
00:30:50
It's going to be a tremendous amount of work because there are
00:30:53
they're different different terms, different all what, what
00:30:57
we did.
00:30:58
Maciej: I'm not saying this is perfect.
00:31:00
Cam Roberson: we settled on an organization structure.
00:31:02
For us, the most sort of common guidance is the NIST
00:31:08
cybersecurity framework, csf.
00:31:10
Why people call it?
00:31:11
It's organized in you know seven different categories, gosh
00:31:16
, I I'd like to remember where they identify, protect, detect,
00:31:21
respond and recover.
00:31:22
That's sort of the organizational structure.
00:31:26
What we did for our product we mapped our controls in that
00:31:32
fashion against the NIST cybersecurity framework.
00:31:35
We did that before we did anything else.
00:31:38
Then we mapped those in a if describing it verbally here it's
00:31:45
a little bit difficult, but if you think of a spreadsheet we
00:31:49
then mapped those controls into the controls of the specific
00:31:54
mandates.
00:31:54
We had a column for CMMC one and two.
00:31:57
We had a column, and it's easier to do that way.
00:32:02
You've got the framework.
00:32:03
It's consistent.
00:32:03
Now you're mapping it to the, to the specific controls
00:32:08
required of the various mandates .
00:32:12
I, you know, I think that's for us.
00:32:15
It worked well.
00:32:16
I would offer to anybody out there that that might be a good
00:32:21
starting point for them.
00:32:22
If an MSP wants to sort of begin assessing and mapping and
00:32:28
documenting their controls, I could provide the raw
00:32:32
spreadsheet files, and if they wanted to, you know.
00:32:36
And then, if they use beachhead , fantastic, they got a head
00:32:40
start.
00:32:40
If they don't, though, they can at least use our information to
00:32:43
see how we mapped it to that particular thing and then take
00:32:48
the rest of their stack and services and do the same thing.
00:32:53
Right, and it worked for us.
00:32:56
You know, we we used it to build a matrix within that
00:33:01
compliance guide that I mentioned, and I think it made
00:33:04
good sense for us.
00:33:05
I think it would also apply to to MSPs who are interested in in
00:33:11
moving in that direction.
00:33:13
So you know that might be helpful, be happy to help in any
00:33:17
way I can.
00:33:18
Those other guys extremely knowledgeable and I know them
00:33:23
personally now, especially over the last six months.
00:33:26
They're good guys.
00:33:28
They'd be happy to help even if it weren't in the pursuit of
00:33:33
dollars in business.
00:33:34
Right, they're just good guys.
00:33:35
They they're really forthright and helpful.
00:33:39
They taught me a ton.
00:33:43
Maciej: Right.
00:33:43
So instead of you're giving that those documents to me, I
00:33:50
believe the best thing to do would be for people to reach out
00:33:54
to you.
00:33:54
Maybe on LinkedIn, we'll have the link to your LinkedIn
00:33:57
profile in the in the show notes .
00:33:59
So are people okay to reach out to you directly?
00:34:02
Cam Roberson: Yeah, you know I'm I.
00:34:04
I have a presence, obviously, on LinkedIn, I LinkedIn reminds
00:34:09
me of work, so I'd be even better and so, as a result, I
00:34:13
don't check it all that frequently.
00:34:15
I'm happy to have my email shared as well.
00:34:20
Maciej: Okay, perfect, so we'll include that in the in the show
00:34:23
notes.
00:34:23
Thank you for that.
00:34:25
And then, obviously, we did talk a little bit about how you
00:34:30
for a lack of a better word fell into the channel.
00:34:32
Yeah Right, what's the one thing you wish you knew before
00:34:36
you started your channel career?
00:34:38
Cam Roberson: Well, I would have gotten into it sooner.
00:34:40
I think, honest to God, this is a.
00:34:43
This is a great place to be and I don't know why the people in
00:34:50
it are very, very cool and I'm going to buy cool.
00:34:53
What do I mean?
00:34:54
But, you know, helpful, like guys like I mentioned, like I've
00:34:59
never seen a, a place where competitors help each other out
00:35:06
and chat and are friendly.
00:35:07
You know, we, we have all these shows magic that we go to and
00:35:12
everybody's got a smile face, everybody's seemingly enjoying
00:35:16
their, their careers.
00:35:17
You know, for us, we, we don't have the ability to, you know,
00:35:24
approach huge numbers of people, and so we, we leverage MSPs who
00:35:31
are smart, ambitious business people who have developed
00:35:37
relationships with their end clients.
00:35:39
I can easily reach out to those folks or, more easily, and let
00:35:45
them, you know, do what's right for their client base.
00:35:49
Again, they have those relationships.
00:35:52
I hope they'll keep those relationships as they.
00:35:55
You know, we go through this process of of compliance.
00:35:59
Maciej: Thank you so much for educating me, and, hopefully,
00:36:02
some of some of our listeners, on all of these very, very
00:36:07
complex compliance regulations.
00:36:09
Obviously, msps are going to evolve further Right, and time
00:36:15
will only tell where.
00:36:17
Where are they going to end up?
00:36:17
What kind of a?
00:36:18
What kind of business will they be running?
00:36:21
Because, like I said, I think they're possibly one of the
00:36:26
fastest growing type of partner in the industry.
00:36:29
Yeah, so it'll be really fantastic to see what is it that
00:36:34
they're going to develop into in the in the near and the in
00:36:37
the far future as well.
00:36:38
Yeah, yeah.
00:36:39
Cam Roberson: I yeah, it will be interesting and, and you know,
00:36:44
those who who get on board sooner, I think are going to be
00:36:46
in a better position to grow their business.
00:36:51
Maciej: Cam, thank you so, so much for joining me on Channel
00:36:54
Voices today.
00:36:54
We'll obviously keep in touch.
00:36:58
As it is, as we're both in the channel, those relationships
00:37:00
typically last, so hope to be speaking with you in the future
00:37:05
as well.
00:37:05
Cam Roberson: Yeah, absolutely Magic has been my, my pleasure
00:37:10
and, yeah, I look forward to continued conversations.
00:37:15
Maciej: And that's a wrap for this episode.
00:37:16
I do hope you found it valuable and, if you did, please make
00:37:22
sure to subscribe and leave a review.
00:37:23
You can also follow Channel Voices podcast on LinkedIn,
00:37:27
twitter and Facebook, or just visit channelvoicescom, where
00:37:31
you can send me a message or leave a voicemail.
00:37:33
All of the links are listed in the show notes and, once again,
00:37:36
I appreciate you tuning in today Until next time.
Cam Roberson: address at some level these requirements that
00:00:02
are coming down the pipe.
00:00:03
The problem, I think, is that they don't know how they're
00:00:08
addressing and that's the gap.
00:00:09
And you're right the business, the client, needs to do their
00:00:13
business.
00:00:14
It's one thing to say we want you to manage our IT
00:00:18
infrastructure, we want to have help desk, we want to have all
00:00:21
these services in place.
00:00:22
This is taking it to another level, because not only is the
00:00:28
MSP relied upon for that, now they're going to be relied upon
00:00:33
for helping them determine their own suitability to these
00:00:39
mandates.
00:00:40
What of your services map to this particular requirement?
00:00:44
Do I need MFA?
00:00:47
Do I need asset tracking?
00:00:48
Do I need encryption?
00:00:49
And how does the stack of services that you provide map to
00:00:55
those?
00:00:55
Because I need that to answer these questionnaires.
00:00:58
I need it if I'm going to be audited.
00:01:05
Maciej: Hello, welcome and thank you for tuning into Channel
00:01:09
Voices, the podcast for future channel leaders, where we learn
00:01:13
the ins and outs of partner ecosystems through casual
00:01:16
conversations with channel professionals from a variety of
00:01:20
industries, partner types and geographies.
00:01:23
My name is Maciej and I'm your host, Cam Roberson.
00:01:29
Welcome to Channel Voices.
00:01:31
Cam Roberson: Hey, nice to be, here.
00:01:33
Maciej: To set the scene.
00:01:34
Could you tell us a little bit about yourself and how did you
00:01:38
get started in Channel?
00:01:39
Maybe a little bit about your journey.
00:01:42
Cam Roberson: Well, I hope that'd be happy to.
00:01:43
How much time do we got?
00:01:46
Maciej: We'll make time for you.
00:01:47
Cam Roberson: Yeah, somewhat accidental, machek, I had an ad
00:01:53
agency for many years 12, I think where we help with
00:02:00
marketing, messaging, building websites, collateral writing,
00:02:05
copy, the whole gamut.
00:02:07
And this company, Beachhead, was a client of mine and we got
00:02:16
to be rather friendly.
00:02:16
I think they liked what we did for them.
00:02:20
And you know, sort of a couple of circumstances, somebody came
00:02:25
and offered me some money to sell my business and I said very
00:02:29
good, kind of conveyed that to my friends at Beachhead and they
00:02:34
sort of said, hey, why don't you come?
00:02:36
You know, run our marketing group.
00:02:37
And I said that sounds like a pretty good idea.
00:02:40
And I did and everything just sort of happened rather quickly
00:02:45
actually and found myself marketing for Beachhead
00:02:51
Solutions.
00:02:51
I knew a little bit about the company, of course, but you know
00:02:56
not so much of you know security services, saas services
00:03:00
, but you know, turned out I really enjoyed it.
00:03:04
Well, I don't want to go on too long, but Beachhead used to sell
00:03:07
direct.
00:03:08
We sold direct and we sold our product as a prepaid
00:03:14
subscription it wasn't a monthly consumption based model and we
00:03:19
sold direct to enterprise and medium sized business and small
00:03:22
businesses.
00:03:23
And then, you know, through the course of that and I started
00:03:28
having more responsibility with respect to selling sales, we had
00:03:33
recruited a reseller of our, a company that sold mostly
00:03:39
hardware, but they had a particular client that needed
00:03:42
our service.
00:03:43
And, you know, one after another, they started bringing
00:03:47
in clients.
00:03:48
Well, and you know, we sold to them.
00:03:51
They, you know, went to discount and they marked it up
00:03:54
and it was a prepaid, you know, subscription for one or three
00:03:58
years or whatnot.
00:03:59
And then something happened, they, they started telling me
00:04:03
that the purchase order was going to be coming from a
00:04:06
finance company.
00:04:07
Okay, and you know, come to find out, they were actually
00:04:13
financing the product for their, for their, for their customers
00:04:16
as if it were a asset.
00:04:18
And so, you know, sort of clicked with me.
00:04:20
Oh okay, so they're making monthly payments and they're
00:04:24
handling accounting a little bit different, and so that was that
00:04:28
sort of epiphany.
00:04:29
And then we sort of learned about this MSP space and I I can
00:04:35
remember it so distinctly and this goes back gosh, I want to
00:04:39
say 10 years.
00:04:40
Going to a show happened to be an ASCII member show and
00:04:45
learning of this entire community of MSPs with
00:04:51
relationships selling to small and medium sized business.
00:04:56
Holy mackerel, this is, this is perfect for us.
00:05:00
And so we, within the course of about six months, transformed
00:05:07
our entire product to to be a monthly consumption based model
00:05:12
selling to MSPs.
00:05:13
That's how I get.
00:05:16
That's the long story as to how I got into the channel Perfect.
00:05:21
Maciej: Perfect.
00:05:21
Unlike others on the podcast that I have hosted and from you
00:05:28
know my own experience and knowing people in the channel, a
00:05:33
lot of them ended up in the channel by by just how, how how
00:05:38
the life went, how the, how the job offers came about or how
00:05:42
their career progression happened Right, typically
00:05:46
through sales or marketing, right, and that's how people end
00:05:50
up in channel.
00:05:51
Yeah, it's not always like that , but, but it comes down to the
00:05:57
fact that the so little knowledge still about channel,
00:06:01
even though 75% of world trade goes through channel right, yeah
00:06:05
, there still seems to be.
00:06:07
You know, it's still a little bit of an enigma to people that
00:06:13
are not directly involved with partnerships and channel or
00:06:18
ecosystems in overall, right, yeah, no, I think that's true.
00:06:23
Cam Roberson: I certainly had no intention of.
00:06:25
You know, I'm going to pursue the channel for my career.
00:06:29
It just sort of happened and in many respects we sort of built
00:06:34
our product to adapt to the channel because we we believe
00:06:38
it's such a good fit for our service and for our platform.
00:06:41
So, as I said, it certainly was not a plan, but I'm glad it
00:06:46
worked out the way it did.
00:06:47
For me the channel has been just a wonderful experience.
00:06:52
Maciej: Fantastic, yeah, today's topic and you already mentioned
00:06:56
MSPs and adapting the product for the for the MSPs.
00:07:01
So, as much as I am aware of MSPs and what they do, today's
00:07:08
discussion is more around the compliance regulations that MSPs
00:07:13
really need to pay attention to , and that's a topic that I
00:07:18
don't have a lot of knowledge of .
00:07:20
So I will be asking you quite a , quite a few questions here for
00:07:25
me to clarify for me certain things.
00:07:28
But you did give me a little bit of literature to read on,
00:07:34
and there are.
00:07:35
You know, there are some challenges that MSPs commonly
00:07:38
face.
00:07:39
From what I read, when dealing with regulations, and you know
00:07:43
there's been mentioned of CMMC 2.0, nist, ftc, safeguards,
00:07:50
hipaa.
00:07:52
I mean, these are these are terms that don't mean much to me
00:07:55
.
00:07:55
I hope that the listeners will already have some knowledge
00:07:59
around this and, if not, we'll point them to in the right
00:08:03
direction, where to read up on that.
00:08:05
But what are the key challenges , I suppose, that MSPs commonly
00:08:11
face when dealing with these type of regulations?
00:08:15
Cam Roberson: Yeah, that's a great question.
00:08:16
I'll tell you that for me, if you had, if we'd had, this
00:08:19
conversation six months ago, I would not have been able to
00:08:23
discuss it at great length with you.
00:08:25
It's been baptism by fire and you know it's coming hard and
00:08:32
fast, and what I've learned is that these regulations are
00:08:36
already in place and sort of.
00:08:39
You know, I felt a tremendous need to get versant quickly, and
00:08:45
I think the same is true with our MSP community.
00:08:51
It's just happening so fast and while I don't, you know, while
00:08:58
I certainly can appreciate the workload that an MSP has as a
00:09:03
business owner, I think this is something they need to be
00:09:07
prepared for Because it's coming , it's already here.
00:09:11
I'm guessing your listeners have been approached by their
00:09:16
clients with getting help with a supply chain questionnaire, if
00:09:21
they're doing government work, for instance, yeah.
00:09:24
Or maybe a list of checkboxes of things I need to have in
00:09:29
place for cybersecurity insurance, both of which are
00:09:33
derived largely from some of the mandates that are coming down
00:09:36
the pipe Right, some of which have been in place for a long
00:09:39
time HIPAA, for instance.
00:09:40
Kind of the bell wither, you know, here in the States anyway,
00:09:44
but more and more frequently we're seeing the emergence of
00:09:51
FTC safeguards and CMMC2 compliance being required.
00:09:55
And you know, ftc in particular , which, just you know, finally
00:10:01
got in its final implementation in June.
00:10:06
Actually, they're being quite aggressive and probably for a
00:10:11
very good reason, because there are a lot of people.
00:10:13
First of all, it applies to a whole swath of businesses,
00:10:17
perhaps millions in the US, but they're also going after some
00:10:24
egregious, you know, security or lack of security-minded firms.
00:10:29
You may have seen some of the press around car dealerships and
00:10:34
we have a lot of our partners who are, you know, scrambling
00:10:39
trying to get car dealerships up and running.
00:10:42
Some real horror stories, frankly.
00:10:45
But HIPAA has morphed into and produced a recent publication
00:10:51
that provides a bunch more specificity to the requirements
00:10:55
there.
00:10:55
They are including all of these more and more discussion about
00:11:00
MSPs, realizing that with small and medium-sized businesses,
00:11:05
they're reliant a lot of times on the expertise of the MSP, and
00:11:08
so they're bringing the discussion to include them,
00:11:12
including guidance on how to find an MSP qualified to assist
00:11:16
with these mandates.
00:11:19
And so this is coming.
00:11:22
You know, my hope is that MSPs really embrace this, both
00:11:29
because you don't want to be embarrassed when your client
00:11:31
comes and says, hey, I need help with being CMMC compliant, but
00:11:36
also, you know, we I could go into marketing strategies
00:11:41
empathize with our MSP community about how to distinguish,
00:11:45
differentiate their offering, but it does represent an
00:11:48
opportunity to really be cutting edge in terms of knowledge,
00:11:54
documentation, being able to map the services that you provide
00:11:58
to those that are required for these various mandates, and so
00:12:01
forth.
00:12:01
So you know it's coming, it's already here.
00:12:05
It's both a, you know, intimidating, but also a
00:12:12
tremendous opportunity, I think.
00:12:14
Maciej: And I suppose it's fair to say that you know.
00:12:17
There, companies reach out to MSPs for help, not only to
00:12:26
manage some of the things that they don't necessarily
00:12:30
specialize in, but also rely on them when it comes to their
00:12:34
knowledge of these types of regulations.
00:12:36
Right, they just want to concentrate on their own product
00:12:39
, on their own business and the things that they're not very
00:12:43
well versed in.
00:12:44
They want somebody else to come in and help with that.
00:12:47
So, with that in mind, I suppose what are some of the
00:12:55
trends or the insight that you might be able to offer?
00:12:58
What do MSPs need to be aware of right now that might elevate
00:13:04
them as a company and offer something in addition to, maybe,
00:13:10
something that they're not offering today?
00:13:14
Cam Roberson: Yeah, the funny thing is I believe magic that
00:13:16
most of them are offering a comprehensive suite of services
00:13:21
that address at some level these requirements that are coming
00:13:25
down the pipe.
00:13:25
The problem, I think, is that they don't know how they're
00:13:30
addressing and that's the gap.
00:13:32
And you're right the business, the client needs to do their
00:13:35
business.
00:13:38
It's one thing to say we want you to manage our IT
00:13:40
infrastructure, we want to have help desk, we want to have all
00:13:43
these services in place.
00:13:45
This is taking it to another level, because not only is the
00:13:50
MSP relied upon for that, now they're going to be relied upon
00:13:55
for helping them determine their own suitability to these
00:14:01
mandates.
00:14:03
What of your services map to this particular requirement?
00:14:07
Why need MF A?
00:14:09
Do I need asset tracking?
00:14:10
Do I need encryption?
00:14:12
And how does the stack of services that you provide map to
00:14:17
those?
00:14:18
Because I need that to answer these questionnaires.
00:14:20
I need it if I'm going to be audited, and so I don't know if
00:14:25
I'm answering your question.
00:14:26
But it's kind of another thing and, as I mentioned before, I
00:14:32
don't take this lightly.
00:14:34
I know this is a fair amount of work for the MSP and it's
00:14:39
additional work, but again, it's an opportunity and there is
00:14:43
some good news.
00:14:43
There's some silver lining on this, because I've gone through
00:14:46
this exercise myself.
00:14:48
There is a whole bunch more similar with these various
00:14:53
mandates than there is dissimilar, and so good security
00:14:59
is good security and most of them ask for, with slight
00:15:04
variations, the same sort of things.
00:15:06
And once somebody understands the controls in the language of
00:15:12
the compliance mandates and they have a pretty good sense of
00:15:17
where they stack up for on FTC safeguards for instance they're
00:15:22
going to be in a much better position to adapt and help
00:15:25
clients with CMMC and HIPAA and so forth.
00:15:27
So there's some rather good news and I think it presents an
00:15:34
opportunity.
00:15:35
In fact, I've heard from several that say this could be
00:15:38
the next big demand driver for our community is compliance and
00:15:43
how to get compliance.
00:15:45
So I think it represents a good opportunity to get ahead of it
00:15:49
for those who are going to spend the work early.
00:15:53
The other thing is, we'd certainly not like to see them
00:15:57
lose business because if they come to their MSP partner and
00:16:01
say, look, I need help with getting FTC compliant and they
00:16:05
don't have the answers, I think the possibility of them finding
00:16:10
either another MSP luring them away or them looking for
00:16:14
somebody that can help them is pretty high.
00:16:18
Maciej: Obviously, security and compliance are such huge topics
00:16:23
in today's business world.
00:16:25
Right, because, yes, you are going to be audited.
00:16:28
I mean, there's no doubt about that.
00:16:30
Right, in some point in time you will be audited.
00:16:32
You need to have your house in order.
00:16:34
Security, it's so important because one piece of bad press,
00:16:40
you know, something breached, it , might destroy a company.
00:16:43
Right, in today's terms, I mean , that is huge and security is
00:16:49
absolutely everywhere.
00:16:50
It doesn't matter what type of business you run.
00:16:53
It is everywhere, digital is everywhere.
00:16:56
That's why security is so important.
00:17:00
I was I'm thinking about your answer that you were given just
00:17:03
there.
00:17:04
You know, you said there's opportunities, there's that
00:17:08
silver lining.
00:17:08
Do you see MSPs potentially Some of them, right evolving
00:17:14
into something else, into being more of the on the compliance
00:17:18
side, rather than just providing the services?
00:17:20
Right, because that's an interesting topic.
00:17:22
Msps are growing as a whole, as a community.
00:17:26
It's probably one of the fastest growing type of a
00:17:30
partner in the channel today.
00:17:32
Yeah, right, yeah.
00:17:34
So with all of that in mind, I mean, what opportunities are
00:17:37
there for MSPs and are they going to morph into something
00:17:41
completely different than what they do today?
00:17:43
Cam Roberson: Yeah, yeah, that's a fantastic question and this
00:17:46
was sort of another epiphany I had.
00:17:48
Eight months ago.
00:17:50
I was at a show and I had a couple of our partners, msp
00:17:53
partners, amongst others.
00:17:56
This was sort of an eye-opening experience for me.
00:17:58
But come to me and say look, we are, we are actually going to
00:18:03
be providing compliance services , either have spun off a
00:18:08
separate organization or are providing within the framework
00:18:13
of their current company.
00:18:15
One of them is actually an authorizing agency for, or is in
00:18:20
pursuit of being authorizing agency for, cmmc.
00:18:24
So there's all kinds of different levels, but it is
00:18:27
absolutely a direction and, I think again, a way to
00:18:32
distinguish, differentiate your practice or build a new business
00:18:36
because it absolutely needs it in the marketplace.
00:18:39
I just think there's, you know, we MSPs as a rule understand
00:18:46
the technology, certainly, they understand security it's taken a
00:18:50
next level and being able to understand how that maps to what
00:18:54
is required of these clients.
00:18:55
But yeah, there's, you know, and that, at a minimum, needs to
00:19:00
be, in my opinion, done.
00:19:02
Msp needs to understand how they map to those mandates and,
00:19:08
if there's a whole or a gap, to add the products that will fill
00:19:12
that gap, either as a standard service or maybe just put in the
00:19:17
bullpen for when these requirements come to be.
00:19:20
But you know, we, like I said I eight months ago, I know very
00:19:26
little of this.
00:19:27
We had this epiphany.
00:19:28
I didn't know much, but I've taken upon myself.
00:19:33
I still don't consider myself an expert.
00:19:35
I'll name names, if given the opportunity, of people in our
00:19:38
space who know a whole bunch more than I and can be of
00:19:43
assistance, I think, to many of your listeners.
00:19:46
But I didn't know much and I took it upon myself because they
00:19:52
told me that our product checked a lot of the boxes that
00:19:56
were required.
00:19:56
So I may have mentioned this in our back and forth emails.
00:20:03
We built a over the last few months, a compliance guide, an
00:20:08
MSP compliance agency guide and again I've learned.
00:20:12
But we've had contributions from from John DePero, a
00:20:16
visibility MSP, from Paul, who's an expert in FTC compliance.
00:20:22
He's taught me so much HIPAA.
00:20:25
Paul Redding, with the Compliancy Group.
00:20:27
I've known him for years.
00:20:28
He used to be a partner, an MSP partner of ours.
00:20:30
He is without question the most knowledgeable person about the
00:20:35
HIPAA security and privacy rules .
00:20:37
What needs to happen Aaron Wyant, with Dispatch Tech down
00:20:43
in San Diego I mentioned is pursuing the authorizing agency
00:20:48
for CMMC.
00:20:49
Those guys contributed to this Compliancy Guide and I'd be
00:20:54
happy to provide that to you or to your listeners.
00:20:59
Maciej: Yeah, that'd be great.
00:21:00
We can.
00:21:00
We have the ability to put on some of those links and the
00:21:03
names in the in the show notes so people can read up on this a
00:21:08
little bit further.
00:21:09
Because you were talking, I started laughing to myself
00:21:12
because I recall when I, when we opened up the conversation, I
00:21:17
called it HIPAA, but it seems like the standard is to
00:21:21
pronounce it a hippo right Apologies to everybody who's
00:21:25
listening, and they knew about this and they were laughing
00:21:29
anyhow, a bit of humor.
00:21:30
Cam Roberson: Well, on a lot of times we go you know, spell it
00:21:34
HIPAA, and it's actually HIPAA.
00:21:41
Maciej: So so you talked about the, the experts that helped you
00:21:46
develop that framework let's call it right and when you got
00:21:52
to know a little bit about it and were pursuing to grab that
00:21:58
knowledge, I wanted to ask you you know, what are the watering
00:22:04
holes, apart from the people that you spoke to?
00:22:06
I mean, the best thing to learn is to surround yourself with
00:22:09
the subject matter experts.
00:22:11
Right, and that's how you then, that's how you learn.
00:22:13
But if you don't have access to this and you really want to go
00:22:18
and learn about this stuff, either as an MSP or a company
00:22:22
that is thinking about bringing an MSP on to help them, what
00:22:28
questions do they need to ask?
00:22:29
Like they need to educate themselves a little bit first,
00:22:33
and the second part of the question is so the first one is
00:22:37
where do you get that knowledge right?
00:22:39
And the second part is how often do these regulations
00:22:44
change, do they get, how often do they get updated, and how can
00:22:48
MSPs stay on top of that?
00:22:51
Cam Roberson: Yeah, it's a good question I probably end.
00:22:54
You know, with FTC for instance , you've got to assign a
00:22:58
resource or partial resource to be, you know, sort of full time
00:23:01
on on this and to be up on the changes and you know
00:23:05
implementation and you know care and feeding of this.
00:23:08
There are services available also.
00:23:11
You know, in fact, the folks that I just mentioned are
00:23:15
providing those services and a lot of times that might be the
00:23:18
right answer for a smaller MSP that doesn't have internal
00:23:21
resources, a quicker way to get to that, to that point as far as
00:23:28
understanding it.
00:23:29
I yeah, that's a tough one.
00:23:31
You know peer groups certainly leverage those those folks,
00:23:35
because peer groups are incredibly important and and
00:23:39
have a lot of resources, if not at the, the head of the group,
00:23:45
then certainly with their members.
00:23:46
Some people are going to be more versant on on these topics
00:23:50
than others, the other maybe.
00:23:53
Recommendation is, if you were to.
00:23:56
You know the government documentation has really
00:24:00
improved quite a bit.
00:24:01
It used to be cut and dry and almost unreadable and you know
00:24:07
like HIPAA, for instance, used to be really loose guidance.
00:24:11
You know relied upon the, the reader, to ultimately implement
00:24:17
a security plan and defend it and document it and and be sure
00:24:21
that it was in place, but a lot of times it was for you to
00:24:25
explain why the documentation has become much more readable
00:24:30
and understandable and specific.
00:24:32
And, like with HIPAA, for instance, they recently
00:24:37
developed I think it's HICP publication and that's commonly
00:24:43
referred to as hiccup.
00:24:44
So so you got HIPAA.
00:24:46
Now, okay, the next one's hiccup, and that document is,
00:24:50
like you know, almost like a how to manual.
00:24:53
There's images and, you know, little cartoons, things and it's
00:24:58
like here's what you need to do .
00:25:01
And, by the way, as I mentioned before, give this to your MSP
00:25:05
and be sure that they understand how to do this and, as well, if
00:25:10
you're going to be using an outside service for this, make
00:25:14
sure that they qualify and look for these items.
00:25:17
So, again, they're recognizing that MSPs are integral to this
00:25:23
process, but they're suggesting who's qualified and who's not,
00:25:28
and so if you're qualified, you know you'll get that business,
00:25:32
if you're not, you may lose it, and so that's why I say it's
00:25:36
important, I think, to sort of get ahead of it.
00:25:38
Question number two yeah, they change, you know, I think what's
00:25:44
?
00:25:44
I think they're getting more specific and saying, okay, you
00:25:49
know, rather than authentication control, we want multi factor
00:25:52
authentication.
00:25:52
You know, we're not going to leave it to your interpretation
00:25:56
of what authentication control is.
00:25:58
We want this thing specifically in place, which, by the way, is
00:26:04
kind of one of the things that that's really pissing off the
00:26:09
FTC auditors, because people don't like it, people aren't
00:26:12
implementing it.
00:26:15
I don't see them changing a lot , even from, you know, a few
00:26:21
years ago.
00:26:22
But as technology changes and the threats landscape changes,
00:26:26
yes, you know, we're adding items to it, but, but ultimately
00:26:30
, if you say you know asset control or asset access control,
00:26:35
those, those functions.
00:26:37
While they may, you know, change with the advent of new
00:26:41
technologies or with new threats , they're pretty much that.
00:26:46
That part of it is consistent.
00:26:47
And again, the documentation online, those produced by the
00:26:54
agencies, by the government, are really getting better.
00:26:58
Not to make it sound like it's nothing there is, you do need to
00:27:04
stay on top of it and somebody needs to do it.
00:27:07
It's a burden, I hate to say it , but it is also, you know, as
00:27:11
mentioned, a terrific opportunity to to get ahead of
00:27:16
it and distinguish your offering , which is a challenge for for
00:27:20
our MSP community.
00:27:21
You know how to differentiate the value that I provide.
00:27:24
We don't want it to be based on pricing.
00:27:28
Please don't do that.
00:27:29
Do it on the basis of providing more value, more expertise,
00:27:34
more thought leadership, more knowledge for your clients.
00:27:39
Maciej: Right.
00:27:39
So I suppose the risk of an MSP today not concentrating on
00:27:48
these regulations, these compliances, it might actually
00:27:54
put them at risk in terms with their own clients right, because
00:27:58
those demands are going to rise and rise.
00:28:00
The clients are going to get smarter about this as well, and
00:28:04
we'll be looking for MSPs that offer that service that you know
00:28:08
, that additional value apart from the regular services that
00:28:12
they would typically provide right.
00:28:13
Cam Roberson: Yeah, I think so.
00:28:14
I mean, you know, MSPs are all out there and talking to clients
00:28:19
, and maybe your clients do, and you certainly don't want to
00:28:23
have somebody approach your clients say yeah, gee, how does
00:28:29
your client do with your?
00:28:31
You know, regulated by FTC.
00:28:32
Is your MSP able to help you with that?
00:28:36
Are they able to assist with your cybersecurity insurance
00:28:43
Questionnaire, Are they?
00:28:44
Oh, they're not.
00:28:48
It opens the you know the door for them to take your client
00:28:53
away.
00:28:54
So you know, at worst case I mean that's kind of a worst case
00:28:58
scenario At best case it's a bit embarrassing not to have
00:29:02
questions if they come to you and you've got a tremendous
00:29:05
relationship with them.
00:29:06
The best case scenario is you're a little embarrassed, you
00:29:09
have to catch up, get those answers.
00:29:11
Worst case scenario is you know , maybe before you even know it
00:29:17
they're somewhere else because they need this service and
00:29:21
you're not in a position to help them.
00:29:24
Maciej: In terms of resources, additional resources or tools, I
00:29:28
suppose for MSPs or maybe even just people who are interested
00:29:32
in this topic, is there anything that you would recommend you
00:29:37
know so they can understand how to implement you know compliance
00:29:42
regulations effectively?
00:29:43
Cam Roberson: Yeah, I, you know I mentioned those guys.
00:29:46
They're very helpful.
00:29:48
Know a whole bunch more about the.
00:29:50
You know the very details of compliance.
00:29:56
I can share with you what I did Magic and for us it's been very
00:30:03
useful.
00:30:03
And in fact the big difference between these things is, I
00:30:07
mentioned, there's more similar than there is dissimilar right,
00:30:11
the, the, the.
00:30:12
There are two big differences if you go from one compliance
00:30:15
mandate to the other.
00:30:16
One is nomenclature.
00:30:18
You know some, some might call it data sanitization, some may
00:30:24
say you know expunge or kill outdated or no longer useful
00:30:29
data.
00:30:29
So the nomenclature changes, the organization changes.
00:30:35
You know different ways of promoting it in different orders
00:30:41
and if you, if you go to try and satisfy or map your services
00:30:47
against one, you're going to do it serially.
00:30:50
It's going to be a tremendous amount of work because there are
00:30:53
they're different different terms, different all what, what
00:30:57
we did.
00:30:58
Maciej: I'm not saying this is perfect.
00:31:00
Cam Roberson: we settled on an organization structure.
00:31:02
For us, the most sort of common guidance is the NIST
00:31:08
cybersecurity framework, csf.
00:31:10
Why people call it?
00:31:11
It's organized in you know seven different categories, gosh
00:31:16
, I I'd like to remember where they identify, protect, detect,
00:31:21
respond and recover.
00:31:22
That's sort of the organizational structure.
00:31:26
What we did for our product we mapped our controls in that
00:31:32
fashion against the NIST cybersecurity framework.
00:31:35
We did that before we did anything else.
00:31:38
Then we mapped those in a if describing it verbally here it's
00:31:45
a little bit difficult, but if you think of a spreadsheet we
00:31:49
then mapped those controls into the controls of the specific
00:31:54
mandates.
00:31:54
We had a column for CMMC one and two.
00:31:57
We had a column, and it's easier to do that way.
00:32:02
You've got the framework.
00:32:03
It's consistent.
00:32:03
Now you're mapping it to the, to the specific controls
00:32:08
required of the various mandates .
00:32:12
I, you know, I think that's for us.
00:32:15
It worked well.
00:32:16
I would offer to anybody out there that that might be a good
00:32:21
starting point for them.
00:32:22
If an MSP wants to sort of begin assessing and mapping and
00:32:28
documenting their controls, I could provide the raw
00:32:32
spreadsheet files, and if they wanted to, you know.
00:32:36
And then, if they use beachhead , fantastic, they got a head
00:32:40
start.
00:32:40
If they don't, though, they can at least use our information to
00:32:43
see how we mapped it to that particular thing and then take
00:32:48
the rest of their stack and services and do the same thing.
00:32:53
Right, and it worked for us.
00:32:56
You know, we we used it to build a matrix within that
00:33:01
compliance guide that I mentioned, and I think it made
00:33:04
good sense for us.
00:33:05
I think it would also apply to to MSPs who are interested in in
00:33:11
moving in that direction.
00:33:13
So you know that might be helpful, be happy to help in any
00:33:17
way I can.
00:33:18
Those other guys extremely knowledgeable and I know them
00:33:23
personally now, especially over the last six months.
00:33:26
They're good guys.
00:33:28
They'd be happy to help even if it weren't in the pursuit of
00:33:33
dollars in business.
00:33:34
Right, they're just good guys.
00:33:35
They they're really forthright and helpful.
00:33:39
They taught me a ton.
00:33:43
Maciej: Right.
00:33:43
So instead of you're giving that those documents to me, I
00:33:50
believe the best thing to do would be for people to reach out
00:33:54
to you.
00:33:54
Maybe on LinkedIn, we'll have the link to your LinkedIn
00:33:57
profile in the in the show notes .
00:33:59
So are people okay to reach out to you directly?
00:34:02
Cam Roberson: Yeah, you know I'm I.
00:34:04
I have a presence, obviously, on LinkedIn, I LinkedIn reminds
00:34:09
me of work, so I'd be even better and so, as a result, I
00:34:13
don't check it all that frequently.
00:34:15
I'm happy to have my email shared as well.
00:34:20
Maciej: Okay, perfect, so we'll include that in the in the show
00:34:23
notes.
00:34:23
Thank you for that.
00:34:25
And then, obviously, we did talk a little bit about how you
00:34:30
for a lack of a better word fell into the channel.
00:34:32
Yeah Right, what's the one thing you wish you knew before
00:34:36
you started your channel career?
00:34:38
Cam Roberson: Well, I would have gotten into it sooner.
00:34:40
I think, honest to God, this is a.
00:34:43
This is a great place to be and I don't know why the people in
00:34:50
it are very, very cool and I'm going to buy cool.
00:34:53
What do I mean?
00:34:54
But, you know, helpful, like guys like I mentioned, like I've
00:34:59
never seen a, a place where competitors help each other out
00:35:06
and chat and are friendly.
00:35:07
You know, we, we have all these shows magic that we go to and
00:35:12
everybody's got a smile face, everybody's seemingly enjoying
00:35:16
their, their careers.
00:35:17
You know, for us, we, we don't have the ability to, you know,
00:35:24
approach huge numbers of people, and so we, we leverage MSPs who
00:35:31
are smart, ambitious business people who have developed
00:35:37
relationships with their end clients.
00:35:39
I can easily reach out to those folks or, more easily, and let
00:35:45
them, you know, do what's right for their client base.
00:35:49
Again, they have those relationships.
00:35:52
I hope they'll keep those relationships as they.
00:35:55
You know, we go through this process of of compliance.
00:35:59
Maciej: Thank you so much for educating me, and, hopefully,
00:36:02
some of some of our listeners, on all of these very, very
00:36:07
complex compliance regulations.
00:36:09
Obviously, msps are going to evolve further Right, and time
00:36:15
will only tell where.
00:36:17
Where are they going to end up?
00:36:17
What kind of a?
00:36:18
What kind of business will they be running?
00:36:21
Because, like I said, I think they're possibly one of the
00:36:26
fastest growing type of partner in the industry.
00:36:29
Yeah, so it'll be really fantastic to see what is it that
00:36:34
they're going to develop into in the in the near and the in
00:36:37
the far future as well.
00:36:38
Yeah, yeah.
00:36:39
Cam Roberson: I yeah, it will be interesting and, and you know,
00:36:44
those who who get on board sooner, I think are going to be
00:36:46
in a better position to grow their business.
00:36:51
Maciej: Cam, thank you so, so much for joining me on Channel
00:36:54
Voices today.
00:36:54
We'll obviously keep in touch.
00:36:58
As it is, as we're both in the channel, those relationships
00:37:00
typically last, so hope to be speaking with you in the future
00:37:05
as well.
00:37:05
Cam Roberson: Yeah, absolutely Magic has been my, my pleasure
00:37:10
and, yeah, I look forward to continued conversations.
00:37:15
Maciej: And that's a wrap for this episode.
00:37:16
I do hope you found it valuable and, if you did, please make
00:37:22
sure to subscribe and leave a review.
00:37:23
You can also follow Channel Voices podcast on LinkedIn,
00:37:27
twitter and Facebook, or just visit channelvoicescom, where
00:37:31
you can send me a message or leave a voicemail.
00:37:33
All of the links are listed in the show notes and, once again,
00:37:36
I appreciate you tuning in today Until next time.