Are MSPs Growing Their Tech Stacks Too Large? | EP 51
Connor Swalm
Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.
Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, the CEO at Phin, and I am joined once again by Nick Wolf from Evo Security. Nick, how are you doing today?
Nick Wolf
I'm doing fantastic. Thanks for having me on again.
Connor Swalm
Oh, anytime. Thank you for educating folks. If you're listening, today we talked about MFA in a previous episode. We talked about privileged access management or PAM. Not the Pam from Step Brothers, but the PAM from cybersecurity.
Nick Wolf
I think I named the Pam situation.
Connor Swalm
Yeah, you did. You definitely helped me understand it. You know, it'd be really confusing if somebody added an end. So it's privileged access management and, like, networking or think. I don't think the jokes would ever stop flowing about that, but hopefully nobody does that. It's not in their best interest. So, a topic I talk about a lot, a topic I see discussed on Reddit, on Discord, on Slack, and all of MSP communities on LinkedIn all the time are MSPs and their tech stacks. In your opinion, are MSPs growing their tech stacks too large?
Nick Wolf
I do. I see it a lot. And that definitely puts a strain on their technicians as well as their new technicians that they have to hire. So I would always highly encourage vendors to MSPs to consolidate their vendors as well as their product lines as much as they can, for sure.
Connor Swalm
So what would an example of consolidating your product line be?
Nick Wolf
So instead of having three or four EDR tools, pick one, stick with that one. You'll probably get a better price from that vendor because your license count will go up. You'll be able to train your staff. So they're going to be subject matter experts on that one product inside and out. So whether it ends for EDR, for example, whether you're picking SentinelOne or Bitdefender or Cylance or Malwarebytes, just pick one, stick with it, and try to be subject matter experts, know the ins and outs of that specific EDR platform.
Connor Swalm
Why would anyone have more than one EDR tool that they give to their partners?
Nick Wolf
So some MSPs I speak to, they like to be vendor agnostic, which is good and bad. There is a valid argument there, like, hey, whichever EDR tool that the customer brings to me, we're going to manage. If they like Webroot, if they like Bitdefender, if they like SentinelOne, we're going to manage it for them. But they really shouldn't be, in my opinion. They really need to be the cybersecurity subject matter experts and say, hey, this is my stack. This is why we vetted and picked this stack. And this is why all of our customers at my MSP are utilizing this stack.
Connor Swalm
Yeah, I would have thought that if I were working with an MSP or if I had an MSP that was letting the client bring the tools to the relationship, that feels backwards. Yeah, that feels absolutely backwards at the end of the day. A statement we made in a previous podcast with you was you are the security expert in the minds of these small and medium sized businesses. They don't have the resources, they don't have the money, they don't have the time to learn. They don't have the energy, and a lot of them don't have the desire. They don't want to go out and educate themselves with cybersecurity to the extent that they could hire an individual. They just kind of want to write a check and say, hey, thank you for solving all of these problems. I no longer have to think about them.
Nick Wolf
Yep, and it becomes more sticky for the MSP. If you're recommending a cybersecurity stack, hey Mr. Customer, you're going to use me as an MSP. You're getting my EDR tool. You're getting my email security tool. You're getting my backup tool, my MFA tool. Those are four or five different tools that the end user customer doesn't have to worry about shopping around. You don't want to deal with a tire kicker end user that's like, well, I want to use Norton antivirus instead of SentinelOne. I want to use Mimecast instead of Proofpoint for email security. Go and lead with your tech stack that you and your technicians personally vet. That makes best sense for you and your specific MSP.
Connor Swalm
That makes a lot of sense. I will read so a person we've had on the podcast before, Reg Harnish from OrbitalFire. He made this post the other day. He said, dear MSPs, are you feeling overwhelmed by everyone's expectations? Are you frustrated with your finances? Are you annoyed with vendors who compete with you? Are you tired of being the scapegoat for security incidents? Are you worried about finding talent? Are you suffering from tool overload? And are you stressed or burnt out? If this describes you, you're not alone. Most MSPs are experiencing these, and there's an elephant in the room that is the root of all of this, and it's basically kind of something you had just mentioned. The MSP industry wants to keep making money off of you by encouraging you to sell more cybersecurity solutions, even if they don't make sense and even if you already sell that existing solution. What are your thoughts on that? That was a lot to digest, but what are your thoughts on that?
Nick Wolf
Yeah, with cybersecurity vendors, sometimes there's just way too many cooks in the kitchen, right? A lot of things are important. SASE is important, SIEM's important, and SOC's important. But at the end of the day, what's the most important? If you could only sell your clients three things, what are they going to be? It's probably going to be your EDR, it's probably going to be MFA, it's probably going to be email security. And those are things that are hard to determine. If you can only pick three, what happens if you can only pick two or pick one? But yeah, vendor overload is definitely that we're seeing more and more, and I think some of the bigger players are trying to solve that problem. I mean, look at the two gorillas in the room. You got ConnectWise, you got Kaseya. Feels like every day they're buying another tool for their stack. Some tools get integrated better than others. Some don't get integrated too well. But yeah, that's why we see these billion dollar companies really trying to purchase as many tools as possible. That way, they could give MSPs in those ecosystems vendor consolidation. Hey, by being a ConnectWise partner, you now have access to these product lines to check these boxes. We'll send you one bill. By being a partner, same thing. And I'm sure there's plenty of other big vendor names out there that do it as well. Again, some better than others.
Connor Swalm
That makes a lot of sense. Do you think that this tool fatigue, this growing use of vendors, even in what you had mentioned, like using multiple vendors in the exact same product category, what is it a sign of? Is it a sign of changing times? Is it a sign of lack of education? What are your thoughts?
Nick Wolf
I just think it's a couple of things. Time is money, right? Time is definitely money. So if I can invest my time using one MFA app for all my clients, instead of two or three MFA apps, I'm going to pick the one MFA app. And the same thing is going to know with your backup tool. I was at Datto for nine years. And really, one of the things that made Datto shine and grow so fast was that we were one single vendor for everything, backup and disaster recovery related. We gave MSPs the backup hardware, the backup software, and the offsite backup cloud all bundled together into one single platform, which was a huge value proposition for Datto at the time, because again, rewind around nine years ago, MSPs are spread out. They had their backup software, they had their backup hardware appliance, and then they had their offsite backup cloud somewhere. So being able to consolidate that into one single tool was really popular for MSPs. And I think MSPs really like that, whether it's backup or EDR or whatever tool that they're going to be using nowadays.
Connor Swalm
That makes sense. Yeah, vendor consolidation can definitely be powerful. But a point you had mentioned in one of the previous episodes as well is it also represents a single point of failure that for the exact same reason you'd recommend, hey, probably don't use Microsoft for everything, and also MFA like the authentication piece. I could definitely see an argument for working with incredibly large vendors as well across a large swath of your tool base.
Nick Wolf
Yes, and it's definitely important to vet your vendors, find out what's important with you. Do you want a vendor that is 100% channel only and only sells through MSPs, or do you want a vendor that might be larger, that has a small MSP offering, but they also sell direct, so there could be some channel or sales conflict? Run cybersecurity analysis against your vendors. Make sure that are they US based? How is their support team? Are they SOC certified? Try to ask those questions beyond just asking for the pricing sheet and seeing who's the cheapest.
Connor Swalm
Yeah, I've always advocated for asking. And if your vendor is not transparent with their own security posture, you should run for the hills. If they're not willing to help you understand how they are secure, how the heck are you going to help your client understand how using them is going to make you more secure? We talked about the prevalence of PAM in the last episode and how it's increasing in popularity. I'm seeing the exact same thing in third-party risk. And there's almost certainly one of the reasons, is there's just an incredible lack of transparency between partners and vendors at this.
Nick Wolf
Yeah, absolutely. Ask those tough questions. Hey, if your product fails, who's liable? Am I liable as the MSP? Are you liable as the vendor?
Connor Swalm
Figure that out.
Nick Wolf
Definitely. Do your due diligence with the vendor that you select and see how long that vendor has been around. I feel like every day I run into a new vendor that will help me with cybersecurity and AI, because AI is the big buzzword nowadays. So, like, all right, is this a pop-up vendor or are they actually truly committed? Do they already have hundreds of clients using them?
Connor Swalm
AI is definitely a buzzword, and somehow it finds its way into other acronyms that continue to impress me every day, how marketing can come up with it.
Nick Wolf
I'm used to the original AI. AIM.
Connor Swalm
AIM. Oh, I thought you were going to say, like Allen Iverson, I'm a big Philadelphia guy.
Nick Wolf
Before the days of Slack and Discord, we had AIM.
Connor Swalm
Remember that? Yeah. And all was right in the world and we all loved it and nobody was unhappy. Yes, there's this vendor bloat. There's people using multiple vendors to finish or work with the same set of tools to accomplish the same set of outcomes. But there's also something I'm seeing is there's something you had touched on is MSPs that have their clients choose their stack largely. And there's MSPs who. No, this is the set of solutions we sell. This is how they're implemented. And you have two options here. You could take it or leave it. Are you seeing the same thing and what are your thoughts about that?
Nick Wolf
Absolutely. I see it more and more being the take it or leave it for sure. Because you want customers that listen to you. Because, again, you're trying to be their subject matter expert for all things cybersecurity. If you're dealing with customers that are giving you a lot of pushback, that's a customer that is probably going to call into your support line, tie up your engineers, nickel and dime you to death. Where, hey, thanks, but no thanks. As much as I would love you as a customer, we're not a fit.
Connor Swalm
So for these MSPs that do à la carte, and the recommendation would be: Hey, you have to be this security expert, so you should probably sell a stack. Where's the line in between for pragmatism? Because at the end of the day the biggest thing that every MSP cares about has to be their bottom line, right? If they're not profitable, if they're not a functioning business, they won't exist to provide more security. So how should they go about thinking about drawing the line? Or what would you say is some good recommendations for them?
Nick Wolf
I would say, again, ask other MSPs what they're doing next time you're at a trade show. Hey, what are you using for your EDR? Oh, you're using SentinelOne. I'm using Bitdefender. And swap your notes. Why did you pick SentinelOne? Why did you pick Bitdefender? Same thing for MFA. At the end of the day, there's always going to be that one person in the room that loves Coke, and no matter what, he's always going to drink Coke. And there's going to be the guy at the other end of the room that loves Pepsi. No matter what you do, he's always going to drink Pepsi.
Connor Swalm
And then there's going to be the other weirder guy in the room who prefers whatever the dollar store brand of cola is.
Nick Wolf
Yes.
Connor Swalm
I don't even know what it's called.
Nick Wolf
But at the end of the day, most users, they don't care if they're drinking Coke or Pepsi. They care that they have soda at lunch. They care that they have EDR. Most users aren't going to care if SentinelOne's installed on their laptop or Bitdefender or if you're using Duo for MFA or Evo for MFA. They care that, hey, I have this product. Does the product do what it needs to do, and is it serviceable by my MSP?
Connor Swalm
You bring up a really good point, is that most MSP founders, most MSP owners, most leadership at MSPs are incredibly technical, capable, intelligent people. However, your clients care very little for your technical prowess, if at all. The only thing they care about is the outcome. It's like, can you create more security? Can you make sure my IT and my infrastructure actually stays up and running? Can I continue to exist as a business because I used you as a partner, and they don't care if you did that through carrier pigeons and smoke signals, or if you use the latest and the greatest MAIXDR, throw in several more acronyms.
Nick Wolf
Yeah. And in the long run, if you standardize on your stack and consolidate some of those vendors, I think it's going to be easier for MSPs to really help their clients qualify for cybersecurity insurance. Because if they have five different customers coming up with them with five different cybersecurity insurance policies, the MSP should know that all right, you're my customer. All right? You're using Datto for backup, like all my other customers do. So we're checking off that box. You're using Evo for MFA, so we're checking off that box. They're able to check off those boxes a little bit easier if all customers have the same cybersecurity tool stack and are rolled out the same. What you don't want to do is run into scenarios where you're onboarding a customer, where it's a little bit different because the customer is trying to save a buck and it's like, okay, they're using EDR, but they only wanted to buy EDR for their servers, so workstations are unprotected or same thing for backup. We're only backing up two out of the five servers. Like backup everything, protect everything, protect all users.
Connor Swalm
That makes a lot of sense. For those folks that are listening, they're just thinking about this for the first time, or they'd like to learn a little bit more about tool consolidation, vendor consolidation, how they should go about thinking about this. Of course, they should be reaching out to their peers and their peer groups. But what are some other places you'd recommend they go to?
Nick Wolf
Yeah, yeah. So I'm always on the, you know, that's like sort of the yelp.com of MSP vendors.
Connor Swalm
It is.
Nick Wolf
Who's using this vendor? Are they awesome or do they suck? I don't want to invest a half hour getting slideshowed to death by some sales rep at this vendor. So the MSP subreddit is very popular. I know we're on it. A bunch, a bunch of vendors are on there. A bunch of MSPs are on there. There's a bunch of Facebook groups as well. And when in doubt again, just do your due diligence. Check out the latest Gartner report of top EDR vendors, top backup vendors. And once you find those top vendors and you know that those vendors are good, take a look into their channel program, you know. Am I dealing with a vendor that is channel-only or more direct? Am I dealing with an awesome vendor, you know, like Huntress? They do a great job speaking MSP. Or am I dealing with a vendor, you know, like McAfee antivirus? Like when was the last time they did anything for the MSP space? Yet it's installed on basically everybody's laptop, you know, because it's included for free in most laptops nowadays. Just because it's free doesn't mean it's good.
Connor Swalm
You get what you pay for.
Nick Wolf
Yes, absolutely.
Connor Swalm
Get what you pay for sure. Awesome. Well, Nick, if folks wanted to reach out to you, how would you suggest they do that?
Nick Wolf
Yeah. So evosecurity.com, if you wanted to learn more about MFA, SSO, privileged access management, that's what we do here at Evo, or identity and access management for MSPs. So reach out to us at evosecurity.com or feel free to add me on LinkedIn.
Connor Swalm
We will. Folks of you that are listening, you want to reach out, we'll put links to those in the show notes so you can reach out to Nick, you can take a look at Evo's website, maybe take a look at any of the resources they have. But thank you again for, I know you've been on several of these episodes, so thank you so much for joining me. Thank you.
Nick Wolf
Wonderful having, thanks Connor. Always a pleasure.
Connor Swalm
Always a pleasure having you. Thank you. Bye.
Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out, Phin Security at phinsec.io, that's phinsec.io, or click all of the wonderful links in our show notes. Thanks for fishing with me today and we'll see you next time.