Guest Post

Regulation to address enduring MSP cybersecurity problem

Cybersecurity regulations and trends in the managed services market push for more formal MSP accountabilities to deliver and secure clients' technology.

Dave Sobel is host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.

In this video, Sobel discusses cybersecurity regulations and MSP responsibilities with Jason Beal, senior vice president of global channels and partner ecosystems at AvePoint, a software vendor based in Jersey City, N.J. They discuss the balance MSPs must strike between cybersecurity and end-user productivity when building an IT service, and the future of technology management. Beal highlights the opportunity MSPs have in 2022 to reduce the number of vulnerabilities on their platforms.

Transcript follows below. Minor edits have been made for brevity and clarity.

Dave Sobel: A conversation with Jason Beal: we talk about regulation and the direction of management technologies into the future. This is a bonus episode of The Business of Tech.

We've known one another a long time. I think back to my MSP days and you, two or three business roles back. But for those that may not know, what are you up to now?

Jason Beal: I'm still based in Southern California. I've been back in the United States for three years after spending about eight years in Europe. And I'm the senior vice president of global channels and partner ecosystems for AvePoint. I've been here about a year now helping the company rearchitect its go-to market and pivoting hard toward indirect and partner co-selling.

Sobel: I want to wander through two areas that I think you've been thinking about and get your take on these. The first is that I want to give you an opportunity to weigh in on some of the things that we're seeing in regulation. There's a bunch of stuff moving through Congress right now. There's a bunch of different bills. They have things around disclosure, or they've got things around the way vulnerability remediation should work and definitions of managed services -- all of these things. What's your take on some of these bills that are moving through, or the bills as a general trend?

Beal: The leadership from the federal government is critical; it's helpful. A lot of this addresses problems that the industry itself has been trying to solve for decades and the arguments that we've been making to businesses, universities and governments for a long time. The leadership from the federal government, with the five different cybersecurity bills passed through the House in July, provides tremendous support and provides a lot of funding.

For instance, there's the State and Local Cybersecurity Improvement Act. It's a $500 million grant for state and local businesses to help erect their digital barriers to cyber attacks. A lot of this is leadership around critical infrastructure and the Department of Energy; leadership putting us at the forefront and putting attention on it is always helpful. I also think back to a couple months ago in June when the Biden administration put out a memo. And these are things that you and I and all of our friends in the industry have been working on for a long time. They gave these five best practices around backing up your data offline, patching systems properly, doing penetration testing, having incident response systems and segmenting networks. We've all been doing those and advocating those things, but again, leadership from the federal government, documentation and communication is only going to help compel businesses, universities and the government itself to pay more attention and to spend more.

Sobel: We've been serving regulated industries, but are we moving toward being a regulated industry ourselves formally? Is that where you think this is going? And what does that mean for us?

Beal: There will be more formal accountabilities for the IT providers, be they an ISV like AvePoint and the quality of our software and of our code. We can think, without naming names, back to just a few recent examples where the ISVs themselves have had vulnerabilities exposed and then, unfortunately, impacted their partners and their clients. Service providers and cloud service providers will have more formal accountabilities on the delivery of their technology down to the end customer.

We manage service providers through their contractual agreements with their end customers, whether it's their responsibilities for things like cyber insurance or it's their responsibilities under GDPR to provide "state-of-the-art technology" and to make "best efforts" to protect customer data and privacy. I think more and more of the industry itself will have more formal accountabilities.

Sobel: And you're exactly right: I don't think it's necessary to name names because it's almost interchangeable. Given that several have high profiles in the IT community, the name is a little less relevant because I could swap that out. They were the ones that got hit. That's not the important detail. The important detail is the risk of those channels.

As an ISV, how much do you think about where the responsibility for risk management is -- like what is your portion of that supply chain risk versus what the provider does? Because it's not 100% on either side. It's not all them. It's not all you. What's the bit that you think the ISV needs to own and be world-class at doing?

Beal: Probably two parts to answer that question. One is just this: you've heard the term, the "shared security responsibility model," whether it's the public cloud shared security responsibility model or it's the shared security responsibility that Microsoft itself has for its platform and its products. An ISV like AvePoint is the same. We're going to be responsible for the quality of the application, some of the plumbing, some of the hosting of it, the SaaS environments, the redundancy and the data center. And then our downstream constituents, be they the partners or the end users, will also have certain responsibilities for the application, how they're using it, the governance, backing it up, policies, permissions and data loss. There will certainly be a shared responsibility.

Secondly, because we're in the industry we even have more of a responsibility to protect our reputations so that we're not breached. You're a cybersecurity company, boy, you better not be hacked. If we're a company that's doing data management and backup, boy, we better not lose the data or make it unmanageable. In both respects, we have to pay attention.

Sobel: Let me offer you a premise then, and let's do this a little bit more forward-thinking in terms of the way that the market might be going. I think technology management of the future is around policy compliance when accessing cloud resources. That's the way the model is going, away from the idea of much more endpoint-focused management to this idea of making sure that the business sets what's allowed, particularly access to data, and the IT systems enforce that rather than a 'try and control everything' approach. What's your take on that premise?

Beal: You're right. As organizations we're struggling to find this balance between cybersecurity, cyber resilience and then end-user productivity and agility and access to all that information and data in this digital world. How do you strike that balance? How do you empower and at the same time protect? I always have these two mental images I like to describe when we talk around cyber resilience. If we look at the classic GRC, governance, risk and compliance side of the house, then you conjure up mental mnemonics of people with clipboards and big filing cabinets, that old kind of records management and paper, heavy on the audit side of the house, that really was never driven out of IT and certainly never a historical part of the managed security service provider or MSP business model. But GRC was critical. But again, think paper and records and audit.

On the other side, you had a lot of MSPs that grew up in that universe you talked about -- desktop management, server management, network, some applications and eventually SaaS applications.

Today we are seeing this convergence of those two sides of the house. You're seeing GRC be much more of an application, an IT driven challenge. And you're seeing MSPs now take on more and more of this opportunity, this responsibility around governance.

If you would've asked an MSP 10 years ago or asked a hundred MSPs, 'how many of you do governance and user policy and permissions and compliance and risk management?' maybe there would've been less than 10%. They've been pulled into this world because it's now a key part of an overall cyber resilience or cybersecurity strategy. The coming together of these two worlds is putting more of an onus on the managed service provider to do that, to do governance, to do compliance and help their customers in that way.

Sobel: You're talking to a lot of partners and you're thinking a lot about this IT cloud management control and protection space. What is the list of requirements you've identified that are the important bits for IT providers in this cloud management and control space?

Beal: When you're helping a business, look at your upstream and your downstream constituents and what access they may need to your systems and data, and make sure that you can provide the right level of access for external constituents in order to help service and expand your market. At the same time, we have to look at what is your specific industry or vertical market, because there are a myriad of different compliance and regulatory requirements for individual industries. Thereto, managed service providers work with their customers to understand what those requirements are and then to address those. The third vector would be around geography, the individual country or region requirements, where they are in the world or which governments they're governed by. There also will be a new host of challenges and requirements that the IT providers and the MSPs will need to address. Those three vectors are critical when trying to help an end customer with their cloud management, cloud access and cybersecurity strategies.

Sobel: I'm going to ask you to play investor for a second. You've been asked by an investment group to go build an IT services company. And as a guy who spent a lot of time thinking about this, what would you build? What would it look like?

Beal: I still firmly value and believe in that role of the local trusted advisor. As much as we've talked about that term in the last few decades, and as sophisticated as technology is -- being able to do remote delivery and having data centers all around the world -- I still believe in that local trusted advisor working with the business, understanding what they need to do, providing a technology roadmap and providing consultancy services implementation. I would start from there. Businesses, schools, governments still have needs. They still are not going to be the experts. Technology is incredibly complex, and you need to be incredibly specialized and have incredibly competent human resources to help your customers solve IT challenges. So, I would start there.

The second is that, more and more, when I talk to partners, there is this business model that's created around this, what they call this total ecosystem economic opportunity. More so than the resale of the technology, either hardware or software. In fact, I talk to many partners now who will say, 'We're nontransactional.' I'll say, 'What does that mean?' 'We're nontransactional. We don't want to resell even a software license let alone a piece of hardware. But our business model is around the technology. How do we co-create IP? How do we provide managed services, professional services, consulting services? How do we drive integration?' That business model -- where you're not dependent on any particular vendor's partner program, or what the discount is that they're offering, or what the list price of something is, but I'm going to create a lot of value around the technology -- is something that I would have in mind if I was going to be pitching an MSP or pitching an investor to start up an MSP business.

Sobel: I love that answer by the way, because your thinking and mine are a lot alike. I'm going to ask something a little bit more specific: does that look a lot like a consulting business? Because it sounds like the main thing you're pitching is that the advice is the product, right? The guidance is the product. Is that a consulting business that you're proposing?

Beal: It's a part of consulting. You need to earn the trust, the respect, the loyalty of an end customer through the consultancy, your expertise, again, that human capital. But as we know, consultancy businesses, a lot of professional service businesses, just aren't scalable. Your ability to scale is directly tied in many cases to labor hours. If I start a business, I'm always looking at destination planning. Where do we want to take the business and how do you increase a multiple? You're not going to get the highest multiple from consulting, from one-time services revenue. For a while, the Holy Grail was to try to get the entire business toward monthly recurring. I think in practicality -- certainly we've seen this with partners at AvePoint, we talked to many of my peers -- there's this hybrid model where a large portion, 40% to 60%, can be monthly recurring, but you don't want to walk away from opportunities.

In our case, migration is a one-time service and you want to help customers through migration, make sure they're doing all the proper planning and due diligence. Take the one-time project and have great monthly recurring. If you're going to have vendors that are going to help give you influencer fees and referral fees, take them. Nowadays partners need to be agile and create monthly recurring revenue but find other ways to monetize what you do well. Ultimately, that can drive the right multiple.

Sobel: That makes a ton of sense. Last question then. We're thinking about next year. As you look to 2022, what are you on the lookout for? What's the big thing that you think is a prediction or a direction for next year?

Beal: Managed service providers have an opportunity, but there's an immediate need for them to work with their customers on not just backing up but buttoning up these digital collaboration environments. I talk about our digital collaboration platform, but feedback that we're getting from partner conversations, from survey data, is that in this rush to move employees, students and government workers onto these collaboration applications during COVID to get the employees and students productive again, we jumped. We missed some of that proper due diligence, planning, user training and user guides, and they're on and they're vulnerable. We keep hearing that we went back into our end customer environments and there's vulnerability.

We need to button these things up. I think that's an opportunity in 2022. We've gotten through the storm here. Businesses are back up and running. Students are either online or in person again. Now let's go back and do that proper amount of governance work, user policies, admins, records management and data classifications. Let's do all that stuff again now to make sure that we are reducing the number of vulnerabilities and protecting against ransomware and other cyber attacks.

About the author

Dave Sobel is host of the podcast The Business of Tech, co-host of the podcast Killing IT and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade and has worked for vendors such as Level Platforms, GFI, LOGICnow and SolarWinds, leading community, event, marketing and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.