How MSPs Can Harness Shadow IT to Add Value for Clients
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swam, CEO of fin security, and welcome to gone phishing.
Connor Swarm:
Hey, everyone. Welcome back to another episode of Gone Fish. And I'm your host, Connor, the CEO at Fin security. And I am joined once again by the senior product marketing manager of SaaS at Moffitt, one of my great friends, John Harden.
Connor Swarm:
John, how are you doing today? I'm good, Connor.
John Harden:
Appreciate you having me on. It's a good time to come back. I enjoyed our last session. It was a really good show.
Connor Swarm:
So last time we talked on the podcast, we talked about what shadow IT is what shadow SaaS is, why it's important today, why people are even using software and hardware and accounts that their IT team hasn't explicitly given them access today. What I'd love to talk about is what should cybersecurity and IT teams do. In response to that? And a key piece here is I'm. In the MSP industry serving MSP's. You're in the MSP serving at MSP's. Where do MSP's fit into all this? Cause they're managing the shadow it, I guess, on behalf of potentially other it teams at other companies. So where do MSP's fit into all this?
John Harden:
Yes. This is a tough part of the problem right now, right? Because the shadow it management and the SaaS management space for MSP's is really brand new. This is something that they haven't been doing for 1015 years. But you know, what they have been doing an eternity is really software inventory. I always find it funny. I talk to folks all the time. That come to me and go, why should I do SaaS managers? What is your MSP master service agreement. Say with your customer? Does it say you're managing their software on their behalf? And they don't like that question a lot because they realize all of a sudden that they say they're doing this. But the times just really haven't kept up and it's not their fault. That's the key thing it's really not their fault. But what does MSP's have to do.
With software management or SaaS management and shadow it management? Same things they really had to do with software inventory management. Right. It's about managing the inventory of assets that are out there where data is at and building a repository list, making sure things are approved and unapproved, making sure there's not bad services in use. And that there's not data risks inside those bad services. And I say, just like you're watching for cbes on the software that's installed on the desktops, you're watching for bad actions inside of the SaaS tools or people logging in with personal accounts, you know, work account sharing accounts. Has that vendor been part of a supply chain attack or not supply chain attack, but have they been hit by a vendor breach which opens up a supply chain attack internally in the organization?
So fundamentally, I think MSP's have the same responsibility for SAS that they do with their desktop software, which is inventorying it, managing it, working with the customer to ensure that it's part of their conversation that they're having so that it's not just something happening out of the visibility of both the MSP and the end client. There's some tactics I can get into. But I'd be curious what your thoughts are on that Connor.
Connor Swarm:
I think the most important something we touched on briefly in the last part. In the last episode here was what matters most is visibility and yourself said it. It's like most employees who are using. These accounts and these devices and these. Softwares that aren't licensed or aren't given the blessing by the IT team or the department of no, they're doing it.
Out of convenience, not only because it's more convenient for them, because they get their job done better. There's all this pressure from above to create outcomes not only for the IT team, but also for the employees at an organization. So I really like the perspective of Don't view this completely as a bad thing. What's important is not that there is no shadow it in existence. What's important is knowing what shadow it exists, because then you get to decide what to do with it. I was talking with a friend of miine at a conference recently who believe they use office SaaS management, actually, and they made a statement that's like, we had like six productivity tools when we've only bought Monday.com dot. It's like, well, if we bought Monday for the whole team, why isn't everyone using it?
And then they went and they asked like, well, why? What do you like about this? What do you like about this? It's like it opened up the opportunity to have a question about is what software and hardware are buying, not the right move for this organization. And we'd be doing better, which was.
John Harden:
Aw, man, you got me. You hit me right on the nose. Because this is my favorite part of the whole thing here. You know, we've talked last time about shadow IT isn't inherently good or bad, but my goodness, as an MSP, and I can say this because I spent about ten years in the MSP space, what a holy grail of opportunity. We have looked for a very long time to come and be strategic with our customers, and we have strategic conversations in different ways. Like, I'm not saying that not everything is strategic, and it doesn't just have to be exclusively SaaS, but what a holy grail of an opportunity to go to your client where today you might be just sending questionnaires or spreadsheets and asking what sas they use. But to displace that what question and replace it with a why question, like Why are you using this? Why do we have six productivity tools? Why are we putting this in there? Why is it better? And I think what really I've seen a lot of success in is embedding shadow it as a tracker in the quarterly business review. This is something that took us a while to figure out here at SaaS. What do we do with this data?
But once we started coaching, our MSPs on bringing top ten shadow it SaaS down to their customers. It was a eureka moment. We literally had a partner come up to us at the conference at Battlecon. And say word for word, I used. to be fearful of going into my qbrs because I'd have nothing interesting to talk about. But my customers want to know about the shadow it. We want to know about what's going on there. And because SAS is this magical, like half business, half it problem, it's something that the person on the other end of that QBR wants to talk about. Like, it's not just another we secured you from 49,555,000 security events, good for us.
It's not another pat on our back. It's a conversation about it. And in that inherent nature of like shadow it not being good or bad. We coach our partners again to talk about not going, is this approved or not?
Just asking 1 simple question for all ten shadow-it assets, whether you use a tool like on access management to do it or not, approach shadow it like this. What business problem is this solving for you? And then just shut up and let the customer start talking. And you will unlock more about that business and their use of it and their use of SaaS, those QBRs, than you ever have in a spreadsheet.
Connor Swarm:
Or questionnaire. That makes a ton of sense. I go back to a statement that. I've heard a buddy of ours, Alex Farling, say all the time. Because if you show up to QBR and your statements are essentially, look how many backups I backed up, look how many anti spams I anti spammed, and look how many firewalls I firewalled. It's like you're not telling the customer anything new. You're not helping transform their business. You're just saying you're giving them thumbs up. Look it, look, we did our job, essentially. We did it poorly because we're not helping you move forward. We're just telling you what we did.
John Harden:
Which is.
Connor Swarm:
Yeah, that's interesting is, hey, did you know, like a really interesting use case I could see is you as the MSP going to the client and saying what you just said, which was, all right, this is what your people are using. This is the use case. Like the business use case. This is the outcome they're helping you get that you were completely unaware of. It's like this. What's really important is not that it's happening, it's knowing that it's happening.
John Harden:
There's a perfect analogy for this. Every one of us went to grade school, right? And we remember were shooting for the a's. I don't know. I was like a c student. But you got ABCDF. Why we got rid of e, I still haven't a clue. But AbCDF, and it inherently is what I call a cf job. It's not a Charlie Fox trot, which is a good, I mean, it kind of is a Charlie Fox trot, too. But it's a CF job, like going to your customer and saying, I firewalled this many firewalls I backed up this many backups XYZ on this whole track of what you did, that's a c job.
Like, you're going to get average. Nobody's going to be like, way to go, MSP. You did something amazing. You did what you were supposed to do. The only way you don't get a C is by not doing what you just did. But being able to come in and be strategic during your QBR can turn you from a CF type of an MSP to a ac type of an MSP, which means you come in strategically.
And you wow them and you're getting curious and you're learning about their business and you're talking about how it isn't a cost center but a productivity center. How all of a sudden you went from a CF MSP to a CA MSP, where you can wow your customer and actually get an a, and they can come to you and go, actually thank you for doing what you're doing in the it. It's a thankless job in general, but being able to flip that script makes a massive difference. Yeah.
Connor Swarm:
You go from somebody there giving a report to a trusted advisor who's helping them grow their business, which is, that's what's going to keep you in that organization, working with those people or companies. And for MSP's that aren't tracking shadow it. What are some of the risks that they're unknowingly retaining by not having this level of visibility into it?
John Harden:
Yeah, I mean, it goes down to the cybersecurity matrix or maturity curve. Right at the very front of that maturity curve is identify. And so I always challenge businesses that have all these advanced mechanisms of defense. For their customer that have no visibility into SaaS. So what are the risks?
One of the key predominant risks is all this data sprawl, potential data, accidental data exfiltration, all this non continuous data that's running around in their business that they have no visibility on. So the first risk is for the client, which is the data which you're building all these cybersecurity programs to protect, by the way. You just don't see any of this out here. That's your first risk, your second risk, I kind of joked, but really, you are in a bit of a risk if your master service agreement says you're doing software inventory. We all know that as an MSP. Our customers just assume we're doing everything anyway.o you might as well be doing it.
But I think there's a risk here in the sense that should data lead to a third party event or supply chain attack risk coming to your business what's in the risk for you, as the MSP is if something happens and you're liable because you weren't protecting what you said you were in your master service agreement, it's actually real, actual business risk to you. But I don't like playing on FUD I think a real risk for the MSP is the fact that, you know, SaaS management's the table stake.
I refuse to believe that every MSP in three to five years will not be doing SaaS. It's fundamental, like, you have to be doing it. Everything's moving to the cloud. Everything's moving as fast. Like 62% of the time, the employees at work, they're in the browser. It doesn't matter what time, what industry you're in, manufacturing, accounting, law, like, they're all in the browser, so you gotta manage it. It's just a matter of time. But what you're at risk for right. Now versus just not being up there by the time it gets there. Inefficiency.
All the time wasted manually documenting this stuff, which is wrong, by the way, because you're not getting the real data. Inefficiency.
Like, think about employee onboard and off board. Like when you don't even know what they're using. How can you actually properly do this? People spend hours trying to gather these lists together. So if you want something that's going to hurt your business now it's inefficiency. You got something that's going to hurt your business later, it's probably going to be that fact that you're going to be catching up to the majority. If you want to know something that puts you at risk, it's this fact that you could probably say you're doing it and your client will love you doing it so I don't like playing on flood. Let's get you to an AC, because AC MSP instead of that CF MSP.
So you can be on that next stage.
Connor Swarm:
I think the most important part was the story you told of transferring from the CF to the AC is in a world where, let's face it, there's very hard to differentiate yourself from the other MSP's serving your local region and the other folks that you're working with. If you are that AMSP and you are helping them transform their business by coming with things that are above and beyond, look how many backups I backed up for you this quarter. It's like, anyone can do that. I'm pretty sure that maybe a very technical person who wasn't even it at that company could do that without you, could figure out how to run backups properly in today's day and age. And to tie this back to a topic that we've talked about on the podcast before, which is like cyber insurance, and knowing what you are actually responsible for, I could see a world where if you are responsible for it, and when a breach occurs, like we've transitioned from that, it not that if mentality to so when mentality, if you do have that somewhere written in the hundreds of pages of the documentation you've signed with that client that says, yes, we will manage your shadow, your software for you and the applications on your devices.
And you just fundamentally abdicate yourself of all that responsibilities that's going to come back to bite somebody somewhere.
John Harden:
Well, and there's another layer inside that cyber insurance story. There's that box you have to check which says, I'm doing single sign on. And if one of those apps are outside that single sign on threshold, then you're putting yourself and your customer at risk with that cyber insurance. I mean, take the traveler's case where they rejected insurance because that user didn't actually have MFA. Well, what we can do, or what SAS management can do for an MSP is give you that list of main apps that need to be moved into. That SSO threshold so a customer is more protected and is at lower risk, but also is adhering to what they say on their cyber insurance questionnaire. So SSO and MFA are that next leg.
Like, that's an advanced leg of SaaS management that we've helped, but in general, like, getting visibility is probably the most important thing to get started, and then you can mature what you do with it from there.
Connor Swarm:
I hadn't even thought about that. Is once you've identified the software and the hardware and the accounts, you can actually bring that into what you're already managing and you're probably doing really efficiently and effectively. So, hey, employees are logging into these tools. Let's now add that to the allow listed stuff inside of our Microsoft. Inside of Microsoft unless and force SSO to log into those. As opposed to saying, nope, you're not going to do this at all.
It's all right.
John Harden:
Now.
Connor Swarm:
We've made this secure and we'll give it the thumbs up. We're okay with it.
John Harden:
Yeah, yeah. Being able to just see what apps are out there that don't have SSO can be a whole we've got a lot of partners coming in and just building a list and saying, we're going to work on these five apps this quarter, then these five. And they're protecting their customer, and the customer is going to be stickier as a result.
Connor Swarm:
I really like that. I, again, it's just about constantly helping your client and your companies transform. That's what it's all about. If folks, if MSP's or if companies.Anyone that's listening wanted to learn more, either about you or about SAS management. In general, where would you recommend they go?
John Harden:
Yeah, so if you want to meet me or have a conversation, I've spent. Excuse me. I spent years and years studying SAS management, almost obsessively. So if you ever want to chat about it, I'm always here to chat. Catch me on LinkedIn of course, John Harden. And then if you want to learn more about what SAS management can mean for an MSP or for your internal. Business, go to ovik.com and click SAS. Management at the top. Be happy to help you get into the offer. Try 14 days, see if it's good for you.
John Harden:
Awesome.
Connor Swarm:
That is auvik.com. And of course we'll have links to not only John on LinkedIn but Offik as well in the show notes. So you're at all interested in that?
John Harden:
I don't know.
Connor Swarm:
Maybe you've been avoiding figuring out what tools the companies that you work with are using because you know it's happening. I mean, listen, all of us are using software that like rit folks aren't aware of because it's convenient.
John Harden:
It's just convenient. But knowing is the battle even if you don't solve it, you need to know about it.
Connor Swarm:
Yeah, if you don't know you're on an airplane and you're not flying it. The second you do know, you could decide where you'd like to pilot.
John Harden:
It can manage your risk.
Connor Swarm:
Manage your risk.
John Harden
Awesome.
Connor Swarm:
Well, thanks so much for joining, John. I had a blast chatting with you and yeah, it's always great talk with you for everyone listening.
Connor Swarm:
Thanks so much for joining in and we'll see you on the next episode of the podcast. Bye.
John Harden:
Cheers.
Connor Swarm:
Thanks so much for tuning in to gone fishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits.
Then check us out Phinsecurity at Phinsec IO. That's Phin sec IO. Or click all of the wonderful links in our show notes. Thanks for phishing with me today and we'll see you next time.