Transcript:
Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.
Connor Swalm:
Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor Swalm, CEO of Phin Security, and I am joined by a million things I gotta say here. A wonderful friend of mine, a great person in general, CEO and co-founder of OIT and the co-founder of
Ray Orcini:
MSP Media Network.
Connor Swalm:
There we go. I got it.
Ray Orcini:
Which often gets confused for MSP News Network. All the time. Yeah, I get. Yeah.
Connor Swalm:
How are you doing today?
Ray Orcini:
I'm good, dude. I'm good. It's another beautiful day in Miami. As per the rules of Miami summers, my AC is broken. So if you see melting or suddenly getting shorter, you know what happened. But I'm doing great, man. Thanks for having me on. How you doing?
Connor Swalm:
I'm doing amazing. I was going to say, if we see a ghostly arm reach from the side and slightly dab your forehead with a towel, we'll know it's because the AC is not on. Right?
Ray Orcini:
Or that. Or the palm fronds. Just cooling me down.
Connor Swalm:
Yeah, absolutely. So for those of you who don't know, Ray. Ray is one of the first folks that I met in the air quoted MSP industry here. He is an amazing person, knows a lot about MSPs. Started at an MSP and building one. So that's what we're going to be talking about with Ray Orcini. So I got a question for you, Ray. What is the current state of the MSP industry? And that is a broad question because I wanted you to take it anywhere.
Ray Orcini:
I mean, I think it starts with, can I curse?
Connor Swalm:
No, it will get bleeped out, but you can. Absolutely.
Ray Orcini:
We use dolphins. I'm all for it. So, no, I mean, the state of the MSP industry is interesting because we keep hearing cyber insurance all over the place, right? We hear about breaches, we hear about security, we hear about tool fatigue. At the same time, we hear about clients that are refusing to pay via ACH or automated methods of payment. We have all this stuff going on. And sometimes I know for the MSPs, it can feel inundating. Right? Like, overwhelming. Like all this stuff is going on and I got to keep track of it. And CISA keeps notifying me. The CompTIA ISAO keeps notifying me every five minutes of the next great zero day CVSS 10.0, we're all screwed, right? And I look at it and I see this is an amazing opportunity. Regardless of the government regulation, regardless of the cyber insurance policies shifting, regardless of the increased security that's necessary, I see this as an amazing time. Look at Carnegie, look at Ford. People made their billions, well, millions at the time, but they made their millions when struggle was happening, when there were difficulties because they did it better than anybody else. So the MSPs that I've been begging to catch up to enterprise years ago by bringing on an automation person, as of three or four years ago, I was saying most MSPs need to have an automation person on in house, however they call it. Now we're seeing tools that do those automations and there's tons out there, I won't drop names or anything, but there's tons of those tools out there making it easier for MSPs to do these.
And what I'm seeing is we have more access, more education, more community today to be able to solve challenges than we've ever had ever. Right, which is how you and I met, the benefit of community putting us together, right? And so I think you have all the resources that were available to only the Henry Fords or only the Carnegies at the time. You have those resources yourself today. Any MSP is capable of making crazy amounts of money, Scrooge McDuck amounts of money, by just taking these things by the horns and signing up with vendors that will solve challenges like your cyber insurance or like your automation or anything else and make it easy. I think this is a great time to be an MSP.
Connor Swalm:
What was it like when you were starting your MSP? I'll let you decide how many moons ago that was.
Ray Orcini:
So it starts again with, can I curse? No, I'm kidding. So, you know, when I started my MSP, I often say, so you know, I'm a moderator of our MSP, the largest MSP community on the planet. So I'm a moderator of but because I value community so much, but I often say I wish I would have had those resources when I was starting out. When I was starting out, it was whoever I knew locally to me and the way I got into it. My big brother from Big Brothers Big Sisters was an IBM engineer and he would take me out and taught me computers, going out to jobs and it was awesome. But as I gained local networking colleagues in Miami, I was able to build my skills and obviously going to conventions stuff like that. It wasn't like there is today where you have Reddit, you have MSPGeek, you have MRU it pool party, the Facebook groups, Tech Tribe, you have tons of resources today where anything comes up. And you have an almost infinite amount of peer groups. When I was doing it, we had to f around and find out, to be honest. Like you, I had the benefit of previous business experience, so that helped a lot. But truth of the matter is, a lot of it was just see what happens. Whereas today I'm jealous of the MSPs that have all these resources.
Connor Swalm:
So other than MSPs now having access to these online communities, having access to, I don't know, should I throw in ChatGPT so we can make the nice cool little label on the podcast episode?
Ray Orcini:
I assume that's who made the show notes. Yeah, absolutely.
Connor Swalm:
What do you see as folks having access today as anything? In addition to those two things.
Ray Orcini:
See there's stuff like polite post, right? How many emails have you ever had to write where what you wrote down, you know damn well you should not be saying, especially in a business email. I'm notorious for writing out those angry emails, first erasing it, then restarting it. But you have polite posts today where you can write your anger email, get that out of your system, and then it spits back a really nice email and you can send that to your client. You have really cool tools in the space now that will aggregate all the comments from a ticket and only put in the most important and notable comments in the time entry and all of this so you can take, let's be honest, the most expensive resource in an MSP is the employees, right? And you can have them do what I like to call the meaningful touches, logging time entries. Let's be honest, you were with me at MSP Geekcon. I had a whole room of people complaining. Half the room was complaining about time entries. The other half the room was owners. Also complaining about the lack of time entries. And so we can get my $100,000, $150,000 year engineer out of doing time entries and automate it and let it do it for them so they can do the important stuff of figuring out what the hell happened or making whatever better. These are opportunities MSPs didn't have before. They didn't have eight months ago, much less now, or much less ten months ago. So they can take advantage. And it's awesome.
Connor Swalm:
What do you think now is when all of these new things are coming about? Is there new focus in the MSP market? Is there something else driving it, what's going on?
Ray Orcini:
So I'll liken it to. I've always said MSP is about ten years behind enterprise, right? RPA is a perfect example. We've seen Rewst, Pia. Thread has some automation, but RPA, robotic process automation, that stuff is fairly new to the MSP space. Within the last 24 months. This stuff is 15 years old in enterprise land for UiPath, right?
Connor Swalm:
Yeah, exactly.
Ray Orcini:
Even look at like AutoHotkey, right? Like even simple examples that are not as complex as a Rewst or Pia. But they exist. Or look at stuff like SIEM, right? SIEM and SOC. These are standard fare in most enterprises for decades. This is now becoming a point of contention in MSPs because of the breaches and all that. I think the difference is, I'll liken it to my 3D printer I bought a couple of years ago. I love my toys. I bought an Ender 3 V2 because all my research and my deep dive, ADHD-like, hyper-focus research on this stuff told me that the Ender 3 V2 was the best entry level DIY 3D printer. I'm like, awesome bet. Bought everything, got it set up, printed one test print. I printed my little boat. It has a name, but I forget the boat's name. The tugboat. And then every other print was miserable. And then I had to level it again, and I was struggling with leveling, and then I scratched one of the beds and it became a miserable experience that stayed in the box and I stayed in the corner of the room. I never touched it again. Fast forward a few months ago, I bought this one from Bambu, called Bambu Lab X1 Carbon. And that is literally, I pick one of the, well, now nine colors attached to it, nine filament colors, send it over. And if it's multicolors, multicolor and it prints and it's fast as hell, and when it's done, I don't have to worry about it. It auto levels, it does the lidar detection, see warps in the boards and whatever. And all of that is a roundabout way to say things are easier now. Was there ML? Absolutely. We had to sign up for an AWS service or an Azure service and understand how this stuff works. Yeah, machine learning is not good. Were there generative chat model, like large language models available ten years ago? Absolutely. Could you go to chat OpenAI's website, ChatGPT, and log in and use it? No, that didn't exist. That showed up seven months ago. All that to say, I use my 3D printer now. It's printing right now.
It's 24/7 making stupid little alligators. By the way, if you buy a fun toy, don't show your staff because then they want the toys too. Now I'm printing like 20 of these things, but all that to say, it's easier to make use of them now, right? This is the Apple model versus the Android model. And I'm an Android user, but I understand the desire for an Apple product. I get it. And I think, yes, yeah, it's all about the blue. So now politepost.net, you can go to ChatGPT's website if you don't want to use ChatGPT. Bing has Bard.
Connor Swalm:
Google has Bard.
Ray Orcini:
Google has Bard. Bing has the other thing that yells at you. You watch MSP Dispatch for that, but told the user it wasn't lying. But everybody has their thing, so you not only have easy to access tools, but they're plentiful. If you don't like this vendor, go to this vendor. So we have this awesome convergence, all this. And I think that's why we're seeing it so much today, because it's so accessible now.
Connor Swalm:
That makes a lot of sense. This concept of this industry in some ways is about ten years behind the adoption of the enterprise market other than robotic process automation. What do you think is going to be happening?
What adoption are we going to be seeing in this industry over the next two, three years?
Ray Orcini:
Well, I'll use your own company as an example, and I know that's not the point of this, but Phin Security, right? Cybersecurity and awareness training, these things we're still forcing clients to use this stuff a little bit, right? And you're doing the good job of trying to make it easier, trying to apply the Apple model, make it as intuitive and as easy to apply as with that, with enterprise clients. Look at it. You have sexual harassment training, you have EEOC training, you have diversity training, you have mountains and mountains of training and it's not a conversation, it's just part of the job. Well, in enterprise security, awareness training is also part of the job.
It's been that way for enterprise for years. MSPs are just getting into it. So what I see coming is that a lot of these things, I think MSPs are going to feel more comfortable about saying, this isn't a conversation, this is just the base requirements. Just as simple as, I have to offer you services and you have to pay me with money. Right?
That's how this works.
Connor Swalm:
Got it.
Ray Orcini:
But think of how easy that transaction is, how obvious and how much it's built into your DNA. You understand that transaction. I do something for you pay me something that is normal. We need to get, like, the training stuff and the automation stuff and the AI stuff, we need to make that so it's all just part of the DNA as well. So these aren't thoughts. So we can focus on the bigger stuff. Automating and building amazing things that nobody else can offer. Making your true market differentiator.
Connor Swalm:
Yeah, I see a lot of that happening in the different conversations I have. With not only some existing partners, but folks like you that I've known from my start in this industry a while ago, is there's a big change around. Okay security is a huge issue. It's at the forefront of a lot of people's mind. But that baseline that you had mentioned, that those table stakes, so to speak.
Ray Orcini:
Yeah.
Connor Swalm:
Do we even agree on what those table stakes are as an industry? Not really. You ask ten people right now what those table stakes are, and three of them will give you the answer that Fifth Wall will give you, which is whatever your cyber insurance policy says, and the other seven will have a completely different answer.
Ray Orcini:
It's like I heard Reed right in my ear, as you said. No, but it's absolutely true. I mean, if I asked an MSP, do you use AV with your client? They'd laugh. Why are you asking me? Why is no an option? Why is that even part of the conversation? You know what I mean? And we need to make all these other things that are baseline things part of it. And the downside of it is, if we don't, that's where the regulation. That's where the government regulation is coming in and saying, well, we all agree these things should be done. I want us to get there before the government gets there, for the simple reason that if we get there, we can set the terms and we can start focusing on the bigger and better stuff if the government does it, because they don't. I mean, CISA has admittedly said they don't understand our space yet. They're doing a lot to get into the space, but they want to learn more, but they're not there yet, and they're trying. 99% of government is not trying. So if MSPs can get to it first, fantastic. And then make it easy for everybody.
Connor Swalm:
Maybe a part of this conversation is a statement that, I forget who said this to me. Is when you're talking with small to medium sized businesses, which is the predominant client of an MSP, you need to make a statement. You're not small enough to get hacked. You're not small enough to have an incident. You're too small to make the news. And that's why you won't hear about. And because the mindset, especially with somebody like when I talk with Wes Spencer. You're probably too small to get targeted. You're not too small to use a very well known password manager that ends up getting breached and then have your accounts compromised and get swept up into the millions of other people that are going to have their credentials abused.
Ray Orcini:
Well, that goes into vendor audits, due diligence, recurring audits. That's SBOMs, that's a whole other sub processors, that's a whole other can of worms. Probably take another hour talking just about think.
Connor Swalm:
And I've seen this a little bit in some of the requests that I have to deal with in Phin right now is the amount of due diligence, the quote unquote maturity that our partners now expect of us and our security posture. It's definitely gone up since we first started. I think a lot of that is to do with some of it's due to with now we're a bigger company serving bigger partners. But a lot of that has to do with a mindset shift that I've seen in the industry so far. Let's wrap this up on a piece of advice. This wild world navigating security and vendors and all this stuff, what's one piece of advice you'd give to an MSP who's either listening to this and trying to grow or maybe trying to get started?
Ray Orcini:
Be comfortable with being uncomfortable. That's not a unique thought. I didn't come up with it myself. I'm not going to pull an office line here. But the truth of the matter is look at your to do list. Look at the thing that gives you dread and then do that first. If you can do that first, the rest of your day is going to be easy. It's no different than batters on deck. Putting a couple of donuts on the that to get used to the heavier weight and take it off. And it's light as feather when you get to the batter's box. Same thing. So just get comfortable with being uncomfortable.
Connor Swalm:
Well, you heard it here first. If you're looking to get started looking to grow in general as a person as a business, in any area of your life, do the uncomfortable thing and you'll probably end up growing in the process.
Ray Orcini:
Yep. I like to follow what the Navy Seals say. Embrace the suck. Embrace the suck.
Connor Swalm:
Embrace the suck. You heard it here first. Hopefully not. But maybe sweet once again. I am Connor, CEO at Phin, host of the Gone Phishing podcast, here with my wonderful friend Ray Orcini, and you will catch us on our next episode.
See y'all soon.
Ray Orcini:
Bye.
Connor Swalm:
Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out Phin Security at Phinsec.io. That's P-H-I-N-S-E-C IO. Or click all of the wonderful links in our show notes. Thanks for fishing with me today and we'll see you next time.