Enable your business to thrive in a disruptive world

Digital Trust is a make or break for your business

In today’s digital world where most business is done online and data breaches are becoming more common, digital trust has become a valuable commodity for those companies that earn it. This phenomenon – where trust has become the currency of which businesses differentiate themselves from others – is starting to change the way businesses look at security. A report by CA Technologies, says that 86% surveyed said that security is more important to them than convenience when choosing a product or service online. What does Digital Trust mean? We do business with those whom we trust, but we do more business with those whom we trust more.

Digital trust is under attack

Unfortunately, digital trust is under attack more than ever before:

  • 300% spike in cybercrime during the COVID-19 pandemic
  • 57% of attacks are missed by traditional antivirus solutions
  • 69% of businesses spend more time managing tools than defending against the threats

Only the cyber resilient will survive and thrive. Digital transformation has not only brought new business models and opportunities, but also new vulnerabilities. Advanced threats and attacks push the security of most companies to their limits. More remote workers increase the exposure to security risks, and most organizations lack the expertise to deal with increasingly complex threats. So while businesses are becoming aware of the importance of cybersecurity, most have no idea whether they are sufficiently protected or not.

How protected is your business?

While cybercriminals can destroy your business and all you built, 83% of business owners don’t have a contingency plan for dealing with security threats. As a result, when attacks happen – even small ones – they can be incredibly costly and time-consuming.

When thinking about your cyber protection strategy, there are important questions that need to be asked. Foremost among them: Are the critical assets that power your business safeguarded? Those assets include your data, devices, and, just as important, your reputation.

Why your business should outsource your security strategy

Like most business owners, you want to focus on your core business – your drive and area of expertise likely isn’t cybersecurity.

Outsourcing your cybersecurity strategy makes sense because, if chosen properly, a managed service provider (MSP) can ensure the unique cybersecurity needs of your organization are met, enabling you and your employees to focus on the business. If they truly understand your business’s unique priorities and risk tolerances, the right MSP can keep your cybersecurity effective and as simple as possible – becoming a trusted advisor and an extension of your team. 

So, one of the most important skills of any technology partner is excellent listening skills. A managed service provider should be your trusted advisor and fit into your environment (not the other way around) to become a true partner and part of your team. By focusing on your point of view and aligning with your business goals, an MSP can build a security program specific to your business’s needs. Ensuring your organization’s cyber resilience makes it a safe, thriving environment that welcomes innovation, maximizes productivity, and is able to cultivate the digital trust of your customers.

A sound cybersecurity practice is not just technology: it’s people

Enabling cyber resilience means ensuring your business uses best-in-class technology, but it also is reinforced with people. A trusted technology partner should be an expert in providing cyber leadership. Comprehensive endpoint detection, protection, and response plans enable an MSP to help you monitor and manage all of your business’s data, applications, and systems – regardless of location. Balancing that technology with human intelligence is critical. Security awareness, training, and processes that enable your team as the first line of defense are key to thriving in today’s disruptive world.

Its time to make digital trust a top priority

Over the past year, people around the world have moved online and now conduct most of their lives digitally – whether personal or professional. For most, this shift has required increased trust from all of us. The shift to a digital world impacts your business, its brand, and the trust of your customers. Trust is a big business; loss of consumer trust can wreak havoc on your business’s brand reputation and finances.

Keeping cybersecurity as simple as possible and instilling a relationship with a trusted IT technology partner who understands your unique business requirements are key to a successful outcome in today’s disruptive world.

Technology for Business Podcast – How Do I Budget for IT?

Join founder Chris Taylor and Sales Director Ann Mauer as they sit down to discuss the question “How Do I Budget for IT?”. They dive into the why, what, and how of SMB IT budgeting. Have questions you’d like to hear discussed? Send an email to info@cit-net.com or head over to www.cit-net.com/podcast.

Have a question for Chris or Ann? Email info@cit-net.com.

Listen now

Episode Transcription


Technology for Business Podcast

Tara Klocke: [00:00:00] Welcome to today’s C I T tech for business podcast. Today, we are sitting down with Chris and Anne. We’re going to discuss how to budget for it. So we’re gonna kick it off. We’ll have you guys introduce yourselves and throwing in a question for you. Tell us your best vacation destination.

Chris Taylor: Go ahead, Anne.

Ann Mauer: Hi everyone. Ann Mauer, director of sales. I would say my, my favorite vacation destination was just recently when I went to Greece. It’s a beautiful part of our world and the country is amazing and people are very friendly and absolutely, absolutely a stunning, stunning part of the world. How about you, Chris?

Chris Taylor: Well good afternoon, Ryan one. I’m Chris Taylor, one of the founders of CI I T been in the technology business for now 35 years, finding that hard to believe. Huh? Anyway 30 years running CIT as the organization, [00:01:00] another five years, I was in the system builder business. So lots of technology, my background, and my favorite place.

I’m gonna use two places because one’s just not enough. So the Amalfi coast of Italy is probably one of the coolest destinations I’ve been. And then anywhere in the mountains, in the Western part of the United States on snow and skiing in the mountains is another awesome destination.

Tara Klocke: I think all of ’em are wonderful.

It sounds great. When are we booking the trip to go is kind of my next question for you guys. Let’s go. Let’s go.

Ann Mauer: Let’s get it done,

Tara Klocke: but I’ll make sure we get back on track. So I’m gonna kind of lead us off with the question that everybody kind of wanna know is why is it budgeting so important to an organization?

Chris Taylor: Yeah. I mean, I think the, really the, the key thing with budgeting is have a predictable forecastable technology spend, right. Too many organizations go into. And one of the things that we hear from them is it’s, it’s too much roller coaster, right. Spend a lot, you know, there’s no consistency. So by at [00:02:00] least establishing a budget for your technology and, and technology going forward, we have a baseline that we base it off.

It’s not always perfect. It’s a evolution of a budget, but having a budget rather than no budget helps with smoothing out those highs and lows of technology.

Ann Mauer: Yeah, I would agree with that. And it’s imperative to control cost. I mean, at the end of the day and, and accurately forecasting, you know, the spend when it comes to staffing levels, support contracts with external managed service provider, all of those.

Come into play when you’re really looking at your total cost when it comes to it spend and being, I think more, more importantly with the pandemic, we’ve learned a lot about how do you control those costs and how do you accurately make investment in it to help you grow your business. And I think that that’s very important to, to that planning and that strategic budget budget.

Chris Taylor: And I think the other, I mean, [00:03:00] if we look back, it used to be that we would just go to our clients and customers and talk about buying new technology, the latest and greatest, the fastest, you know, it always, always spending, spending, spending on the latest today. Our clients really wanna understand. Why should we spend money on technology?

What is it doing for the core business? Not just buying faster, newer, but you know, how do we lifecycle manage? How do we, how do we do we really need all this horsepower? How do we be more efficient with that technology spend? So it’s much more of a business conversation around that budget than it is just buying new fast, cool technology.

Ann Mauer: well, and I think it’s also too changing the, the impression of technology too, right? We budget for electricity and, and gas and natural gas and those expenses that just become part of running a business. And I think shifting our clients to, to help them understand that if you’re not budgeting for it and you depend so heavily on it, [00:04:00] right.

That planning really needs to be executed correctly. Because it. If you take away the technology, how do we operate as organizations and, and having accurate spend associated to those costs is very important.

Tara Klocke: Great. That actually leads me into my next question. So we’ve kind of established it. Budgeting is super important to that organization, but how is the timing factored in of my budget?

How far do I look? What’s the forecasting look like? Can you guys elaborate on that? Yeah.

Chris Taylor: So most of our clients, we try to, we try to get ’em out to five years, right? So we look at 12 24, 36, 60 months, right. To try to help understand what that looks. It’s very difficult. I think to go out much more than five years, but we try to give them, you know, in the next 12 months, what does it look like?

What does it look like in the next three years? And then what does that really? That out far out five year look like? So we can try to [00:05:00] smooth out that angle budget. We may not spend it all in one calendar year, but it’s a, it’s a longer term budget, right?

Ann Mauer: And I think the timing of that is really associated to when manufacturers make changes, right?

When we have organizations running applications and Microsoft, for example, changes the operating systems. And, and, you know, Sunset some of those OSS it’s, it’s the timing of, of planning in advance of when that’s happening. So you’re, you’re not bleeding edge, but yet you’re still moving forward as the technology changes.

So it’s, it is, it’s a lot about forecasting and, and, and leaning on the manufacturers for when they’re going to, you know, sunset, you know, products as well is really important to that, to that to that.

Tara Klocke: Great. So I wanna know too is how, how do I start? What kind of percentage do I look at of my budget? What all is [00:06:00] considered kind of in that technology piece too, of, you know, do I look at CapEx OPEX? So if you guys can kind of talk a little bit more from a business side and then also from the technology side,

Chris Taylor: Yeah.

So there’s lots of, of budgeting mechanisms out there, right? There’s a, there’s a percentage of, of revenue in the organization that really varies depending on the industry, how much regulations involved, how high tech the organization is, what their use of technology is. There’s historical. We, we can always look back historically that 1, 2, 3, 5 years also to kind of look forward, we can use history, right?

It really depends on industry that you’re in what you have for internal resources, how you leverage external resources. Cause. Both the internal resources and external should be part of that budget. Right? So your employees, your resources, plus your contracted resources in the case of, you know, a partner like CIT.

So we really need to look at it holistically of, of not only [00:07:00] services, but what does that product budget like as well? And those are kind of two different components, right? What does the service component look like on an annual. Basis. And then what does that product spend look like? And that product could be staggered over that five year period, right?

Where it’s not all in one year. So lots of different. And you can, there’s lots of different methods out there, but you know, the big thing is have a budget, establish a budget. You know, it’s not so much concerning to what is the perfect budget it’s cuz every organization industry’s a little different, but establish the budget, try to get some accuracy around it.

And then look forward to that five.

Ann Mauer: Yeah. And, and I would say to just comment on that as well is based off of the industry, you know, the, the more compliance regulated organizations typically have to follow some more stringent guidelines to, to the services and the things that they’re, they’re doing in their environments from a regulatory perspective.

So understanding the [00:08:00] industry, understanding. What those requirements are, can really also help you identify what that spend needs to be. And I think too, it’s important to note the, the. The way that we compute today has changed. Right? And so we have the ability to leverage, you know, cloud as we, as we plan for our customers, right.

We wanna make sure that we’re being strategic and understanding. Does it make sense for certain components of their environment to move to cloud compute you know, that digital transformation into other services. And that really does then change the, how you procure that, that, that budget right. Moves more into an operating expenditure.

So all of those, those thoughts and, and those Kind of those initiatives really need to be planned for. But really understanding what’s available for customers I think is really important as well, you know, and, and sometimes it’s a fit and [00:09:00] sometimes it’s not, but at least evaluating where it makes sense.

And that kind of changes how you, how you budget for that, right? Because it then does move from a capital expenditure into that OPEX spend and making sure that, that, you know, organizations understand. Changes and they can plan accordingly for that.

Chris Taylor: Yeah. And if you look at some of the industry drivers, especially in these last five years and, and really over the last two years with you know, coming through and out of this pandemic the budgeting has become a little bit of a moving target, right?

We, we had a move. We had to move a lot of workload to cloud. We had to move a lot of workload to home offices. So, you know, our budgets changed quite a bit from pandemic, but even prior to pandemic, the, the budgeting around security had become a huge, huge component of that it budget. So if we take and we look at today, you know, security costs are.

The product costs, which typically our [00:10:00] industry can get more product for the same price or the same product for a less cost is now increased. So the price of the product has gone up. The price of labor’s gone up and the price of security has gone up along the way over these last five years. So. These budgets in the last, especially two years have really been taxed because there’s been so much change.

And then obviously the focus around security all costs more money at the end of the day. So we’ve been trying to help our customers just try to look out forward, try to get, you know, increases, especially around things like security are, are rapidly increasing and you have to get those into budget or else they’re hard for a lot of organizations to, to.


Ann Mauer: right. Well, and I think too, there’s the supply chain issues have, have really caused, caused some, some havoc for customers as well, even if they did have budget. Right. You know, the availability of goods is, is even more difficult to come by. So then that even becomes a more strategic planning as to when you’re going to make these projects [00:11:00] move forward based on the availability of the, the products and that you need.

Chris Taylor: That hasn’t helped. So

Tara Klocke: yeah, I think a lot of organizations, how to quickly make that change once COVID hit and kind of figure out what does this look like now? Cuz we gotta make something happen. But a question too is, you know, we’re establishing our budget, but who really owns that it budget? Is it our cross departs?

You know, is it at a sea level? Let’s talk a little bit about that.

Chris Taylor: Well, I, I think it’s across the whole organization, right? I mean, the, the cost of that in most organizations, most, every user has some touch with technology. So I think that budget is across the organization and that’s why you’ll see some of the.

The estimating tools out there based on organizational size revenue, percentage of revenue, number, number of people, things like that to try to spread that cost amongst the organization. You know, I think [00:12:00] it’s, you know, it’s typical that the, the financial person in the organization’s working pretty in tune with either the internal technology or the external provider to lay out that budget.

But yeah, it has to get allocated across the organization because it’s not just a single depart. That’s a cost center, right? It’s it’s a organizational cost.

Ann Mauer: And I think too, Chris, I think putting it into an a support per endpoint. Pricing model right at the end of the day you know, some organizations are, well, is it a total spend?

I mean, how should I be budgeting for this correctly? And you know, some say, if you can identify the number of endpoints in your environment and then allocate a cost associated to that. Full support over a 12 month timeframe. That’s how most organizations I think are trying to get to where, you know, they, if they are in a managed service agreement and they’re getting a lot of services included in that, in that agreement, but what are those additional costs?

[00:13:00] Right. Whether what are the soft costs, whether it’s life cycle replacement of hardware deployment costs new projects, you know, we, we have to replace a server. What does that holistic cost look like? And in breaking that down to a per endpoint you know, per endpoint conversation kind of helps yeah, the organization put it into.

Full budget

Chris Taylor: and, and trying to establish, you know, there there’s resource costs, both internal and external resources. There’s that maintenance cost just to keep really kind of the utility of technology, keep the lights on per se. Right? So you’ve got resources, external internal to that utility cost.

And then you’ve got the projects. How do we, how do we move that technology forward? How do we get new gear? How do we get faster gear we need to, so you have to really kinda look at all those, bring them together. Determine if it’s internal resources or external and try to leverage. The efficiencies of that.

Right? And that’s where really, we talk about leveraging a good [00:14:00] partner along with your internal resources. If you have them to try to get the most bang for the dollar for technology spend, because it doesn’t make sense to hire at all, you know, and in some cases, doesn’t, it doesn’t make sense to contract at all.

So that has to fit into that budget conversation about how do I balance internal technology. Focus people and my external people and how do I pay for it? All right. And what, what’s the balance there? And that is a tricky exercise that we walk through with our clients quite a bit,

Ann Mauer: I think. And I think it’s helpful to have a framework.

Right. I think it’s helpful to have a checklist. I think if you can have a. Data, you know, if you’re, if your it department either internal or externally can report on some of the data that, that your systems are generating can also help you make those decisions. You know, we, when we work with our customers on that basic life cycle refresh, there are certain, you know, critical components of an environment that we say.

A life [00:15:00] expectancy. Right. I think unfortunately manufacturers do build in obsolescence in their products right. Because they wanna sell hardware. So how do you plan for that? Right. And we wanna make sure that our customers are getting the return on their investment over the length of that, that, that solution.

So Chris, would you agree like over, if you looked at a, a traditional environment you know, most customers have a firewall, most customers are running some type of internal server system, desktop laptop computing devices. I mean, those, those do have a life cycle. I think it’s dependent on a. How much you’re pushing on, on that year.

Right. But I, for most of our customers, we’re saying, you know, firewall three to five years. Right. You know, the more that we ask of, you know, cloud compute right. And pushing more to. More to the cloud. We need to have bandwidth. Right. [00:16:00] And so as, as customers grow you know, the firewall component needs to be changed out.

So, you know, three to five years on those systems, typically servers you know, five to six years. A lot of the server replacement costs is associated again to the core applications that they’re running and planning for. When, when Microsoft sunsets, you know, they’re operating systems and, and kind of the dependency on the, those two obviously we wanna make sure that we’re not running.

Old legacy hardware, right? Because that then becomes, we, we potentially have some hardware failure components at some point, and making sure that our customers are running some manufacturer support warranties on that core gear is really important. We wanna be able to have the ability to call those groups to get replacement componentry.

What other things, you know, endpoint devices. Laptops [00:17:00] desktops again, typically a three year life cycle. Most oftentimes we’re telling our customers. Try to replace at least a third of your fleet of your endpoint devices so that you’re not holistically changing those all out at the same time. Cause that gets very expensive.

You know, just making sure that a, if they have data in their environment, that they’re leveraging that data to make better business decisions. And just monitoring those components. So obviously at CIT, we track a lot of those hardware, software components for our customers, so that we can build out what that strategic plan looks like.

And I think that that helps just provide again, a better plan at the end.

Chris Taylor: Yeah. And I think two major technology changes that have. Clients understand budgeting better has been virtualization and the, and the cloud migration, the workload, you know, moving workloads to the cloud, right. It, it hasn’t, it, it is it, you know, everything isn’t more expensive, right?

I think we’ve become better at utilizing [00:18:00] hardware and utilizing it up with virtualization. We’ve found ways to move CapEx cost to operat cost and moving up to cloud workload. So we. Trying to, you know, it’s not all Gloo and doom. We’re, we’re trying to decrease where we can the budget as well. Right. So if you can use hardware more efficiently, faster, bigger, better, rather than just replacing every five years, because the built in hardware obsolescence, it makes that.

Model more efficient, same with, as we move those workloads to the cloud, we decrease our on-premise hardware capacity workload that we need. So it’s shifting cost, but hopefully it does help try to reduce that budget over time as well, because there’s plenty of things adding to the budget. So we’re trying to help, you know, it’s, it’s not all up up up.

We try to help re reduce it with certain technology changes that are happening as.

Ann Mauer: Right. Well, and I think it goes to the framework, right? I mean, with most of our customers, we’re, we’re taking the N framework the national Institute of science [00:19:00] technology and those recommendations from the federal government.

Right. Of how we wanna, we wanna be able to provide the same level of Planning, you know, that meet some of those requirements for our SMB customers that we’re supporting so that they’re, they’re looking forward for the, the next you know, what is the next security software solution that they should be looking forward towards?

And I think, you know, the executive order with the passing of having EDR and running in your environment also is something that. To be part of that planning conversation, right? Because, you know, we’re, we’re all gonna be in a position where our technology spend has to increase as the demand on, on securing our environments is, is necessary at the end, end of the day.

Tara Klocke: Yeah. And I’m really glad that you brought up that point because we’re talking a lot about the budgeting side of, you know, even that old [00:20:00] hardware and end of life on operating systems, that there is a risk for cybersecurity where they can get in cuz you are running old technology and. I did wanna mention if you guys hadn’t caught that before we had a podcast earlier with Kyle and Jake talking about migrating to the cloud, cuz there are still a lot of questions of, is that the right path for me?

Is it secure? So if you haven’t listened to that, I would suggest going out and talking about that and kind of helping you understand a little bit, but I did wanna kind of see on the, is it side and then that budgeting, you know, where do we go? So we’ve got that budget established. How do we look at it forward thinking, can we adjust as we go?

Where, where can I add that in? Because yes, it’s gonna be maybe expensive in the long run, but you gotta start that budget because you’d rather have that slated. Where you don’t have something happen with a cybersecurity [00:21:00] incident coming in because you chose not to upgrade or do something like that. So I just kind of wanted to make that statement and then you guys can have any

Ann Mauer: remarks on that.

Chris Taylor: Yeah, and most of those budgets are, are fluid, right? I mean, they’re gonna move, they’re gonna change. They’re gonna morph. They’re gonna switch the buckets that they’re in because of those changes. Obviously we’re spending a lot of time talking to clients about making sure they’re budgeted for those security pieces of the puzzle.

Right. And, and that’s not just putting in the latest and greatest security that’s as you mentioned, Terry, getting rid of old technology that’s unsupported get rid of, out of date and a live product. That’s unsupported. Along with that looking forward as to what’s coming next and most of our clients.

If, if they weren’t regulated, they weren’t required to kind of keep up with some of that. It was really on, on their, you know, timeframe. Now when, when the industry has come forward, when they try to do their cyber security renewals, they’re being asked the same thing that the regulated clients are doing.

So we really need to spend some time talking about that part of the [00:22:00] budget around security, right? Where are we at? How comfortable. Do you think we can check all the boxes when your, when your insurance carrier comes to the door next time? And if not, let’s start getting, let’s start chipping away at those.

Let’s get ’em in the budget. Let’s get the top priority ones first and let’s start chipping away because we know it’s coming, right. It’s not a matter of, of if it’s a matter of when they’re gonna, you know, come ask for these certain things to be done with your technology. And if we wait too long, it just becomes a, a harder budget to deal.

So we try to get out in front of that as best we can typically at least 12 to 24.

Ann Mauer: Yeah. I mean, ideally if you have a checklist, something that you can look at your current environment, right. Identify the age of the gear. When is the, excuse me, when is it due to sunset? Right. And then planning for those replacement costs.

You know, that’s something that we, we want to be part of with our customers because you know, it’s, it’s better to plan for. Spend [00:23:00] today. And, and granted, there’s a lot of unknowns with where the market’s going today, but we have to be realistic in what that true number is to support the organization.

And be far more strategic, you know, honestly at the end of the day, technology should drive opportunity and business value. And, and when we’re dealing with, you know, legacy hardware and, you know kind of some inefficiencies based off running old gear, there’s soft costs. That’s involved there that if we just allocated correctly for a budget, To replace and move forward.

I think that there, that that soft cost with efficiencies and performance at the user level, that pays dividends, right? If, if you have somebody who’s consistently not having to deal with technology issues that there’s benefit there. And that’s really where we want our customers to get to at the end of.

Tara Klocke: That’s great. So we’re gonna be kinda wrapping up the podcast today. [00:24:00] Chris and Anne, do you have any like final words of wisdom that you wanted to throw out there for our listeners?

Chris Taylor: Yeah, I, I would just not be afraid of the budget. Right? Let, let get something established. It needs to start somewhere if you haven’t already.

And if you do have a budget established, I think it needs to be review reviewed at least annually. If not quarterly, we try to review with our customers on a quarterly basis to make sure you know, where are we at to that budget? Is it way under, is it way over? Where, where do we need to allocate? How do we accrue and get out in front of it?

So it’s, it’s, it’s. It’s not as scary as it sounds. I think it’s fairly easy to get started. We can give you some baselines industry stat type of numbers to use. And then from there we just build on it and make it better, bigger, better, faster,

Ann Mauer: stronger. Yeah. And I would, I would just also, I mean, there’s, again, what we’re seeing right now with supply and demand issues with core computing gear you know, just be patient, right.

It’s [00:25:00] it’s everyone in the industry is, is. Kind of struggling with this right now. And, you know, I think if you have allocated budget, you know, try to get those orders in sooner so that you at least are in the top of the line for when it, when that fulfillment is, is available. So.

Tara Klocke: Great. Well, thanks again, Chris and Ann.

So glad to have you on today. And it was a great discussion, so thanks for it, budgeting all the things and we got it all wrapped up. So I did wanna say let us know of any sort of feedback or additional topics that you would like to hear on our pod. You can visit C I net.com/podcast. Or you can email us@infocnet.com.

And we look forward to chatting with you

Ann Mauer: guys next week. Thanks for rolling. Thanks.

Technology for Business Podcast – Zero-Trust Part I

This week we chat with Todd, Nate, and Ashley about Zero-Trust and what it is. They’ve got castle moat and decorative hand towel analogies and so much more. Stay tuned for Part II of how to implement coming soon. Have questions you’d like to hear discussed? Send an email to info@cit-net.com or head over to www.cit-net.com/podcast.

Listen now

Technology for Business Podcast – Maturity Model

Myths include: This week Tara sat down with Todd and Scott to chat more about the Maturity Model (and their favorite vinyl).

Listen in to learn more about:

  • How do you define the Maturity Model?
  • Who should consider Maturity Models?
  • Is there more than 1 application for the MM?
  • How does this apply to technology?
  • How can organizations benefit?
  • How do we use it to drive technology/business alignment/Compliance?

Have a question for Todd or Scott? Email info@cit-net.com.

Listen now

Episode Transcription


Tara Klocke: [00:00:00] Welcome today to CIT’s tech for business podcast. Today, we are sitting down with Todd and Scott, and we’re going to discuss the maturity model. I wanna kick it off for both of you guys. First, make a lovely introduction. Secondly, tell me your favorite record that you have on vinyl.

Todd Sorg: Go ahead. Okay. Um, I am Todd Sorg.

I am CIT’s chief operations officer. I am also the chief information security officer, uh, favorite vinyl record. Uh, I’m gonna break the rules and I’m gonna make it two. So, um, I’m gonna start with my, my very first personally owned vinyl was kissed double platinum. Bought that with my own money, just a young kid loved it.

Fantastic. Played the crap out of it. And then, uh, in my teen years, I’d have to say it was probably guns and roses, appetite for destruction.

Scott Patsy: Great choices. I [00:01:00] have both those on vinyl currently. Um, my name is Scott Patsy. I am the manager of strategic engagement here at CIT. Uh, thank you, Tara, for putting this together.

These are really fun. My, um, You can’t ask me about music, cuz we could spend an hour just talking about that. And I can’t really answer this question, um, without saying that my favorites continue to evolve and change all the time. And so right now in this moment I also have two favorites. Um, I just got a five, um, final five LP, uh, grateful dead collection from.

Cornell 1977. Now Cornell 1977 is a sought after a very renowned live show from the dead. You can go very deep down the rabbit hole. That is the grateful dead. And so Cornell 1977 for me. Uh, and then I’m gonna pick on something very new that I really like. And I just bought on vinyl also. Um, [00:02:00] the debut self-titled release spot from a band of sisters called wet leg.

Really great. Um, modern. Rock, uh, I, I highly recommend it.

Tara Klocke: Well, I didn’t know I was going to stump you to and make you make this hard decision, but how about we get to something that I know you two know a lot about, which is the maturity model. So tell me how you guys would, would define this. What does that look like?

Scott Patsy: Yeah, I can, uh, I’ll jump in here, Todd, the, the, um, when I think about the maturity model from, you know, I’ll, I’ll, I’ll, uh, I’ll I’ll disassociate that, um, with, from technology specifically in this moment and just define the maturity model as being a measurement. The ability of an organization for continuous improvement in a particular discipline.

Um, so what the maturity model ultimately does is judge how a company or a [00:03:00] system is at improving itself from a given state allowing leadership to observe the company’s current maturity level based on industry PR industry practice, um, of the current discipline under. Tyler. I don’t know if you had anything to add to.

Todd Sorg: Yeah. I mean, I think that’s pretty spot on, I guess the, the comments that I’d add to it is maturity models are really just that. I mean, at some point you’re trying to measure where you’re at today, where you’re going. And obviously in most cases, if you use the analogy of you can’t eat an elephant in one bite, there are steps that typically go with it.

And that’s essentially the concept of the maturity model is I’m here. I wanna. There as I continue to grow. And, um, how do you do that? And the maturity model is kind of giving you that formal process of putting it together and helping you move forward.

Scott Patsy: Yeah, I, I would, I would even supplement that to add on to the ultimate part of the ultimate goal being, um, not [00:04:00] only to realize for a company to realize its current maturity, this is where we’re at today, based on whatever we’re trying to analyze in the best practice associated with that, um, measured best practice that is we’re not making it up.

Right. Um, But, uh, and, and then ultimately what the next level is to get to what the goal is. But a quality maturity model process should also help you identify or help a company identify two other really important details. And that is, you know, okay, what are the steps to take for us to get to level two or level three, you know?

Um, and then ultimately determining what the financial or human resources it will take to, to make that move.

Tara Klocke: Okay. So I have another question for both of you then, who should really consider applying maturity models into their organization?

Scott Patsy: I would say, um, any [00:05:00] organization that is looking to improve upon itself in any way, it doesn’t have to be technology, right.

Um, any organization can improve how. Choose to hire people, um, you know, how they onboard new employees, um, how they adapt processes, how they adapt policy, you can really apply this to any size business in any place inside of your organization where you’re looking to improve. You know, I, I don’t know that there’s another way to say it it’s, it doesn’t apply just to one, you know, you don’t have to have 50 employees or whatever.

Todd Sorg: Yeah, I’d agree. I mean, uh, essentially what it is is it’s, like I said, it’s kind of a formal process that helps organizations kind of improve. And, um, even organizations, there’s a, there’s a local brewery in town in Minnesota here. That’s got a saying that says they have big ambitions to big, ambitious to stay small.

Um, and while that sounds like, Hey, we’re not really trying to do [00:06:00] a lot. We’re not trying to, to be one of the biggest. Uh, manufacturers of beer and distribution of it. That doesn’t mean that they’re not trying to continue to improve who they are, make better beer, be it more efficient, deliver what their customers are looking for.

And the maturity models will apply to somebody as small as this really, really small micro brewery or somebody as big as a 500 plus organization. Yeah, kind of that’s

Scott Patsy: I really like that. What was that statement again?

Todd Sorg: they have big ambitions, big ambitions to stay

Scott Patsy: small. That’s great. I really like that.

Tara Klocke: Well, and that kind of brings into my next question. So regardless of your size, is there like one way in particular that you go about applying this maturity?

Scott Patsy: There are, um, within the maturity model concept, there are, there are lots of standards over time that have been. Developed. Um, and if you do some research, you know, [00:07:00] Googling , um, there are a number that have, that have, have been, you know, put together already, um, that an organization could attach itself to, to kind of help this process along.

And that’s kind of in part what I would certainly encourage, you know, don’t, don’t make it up. Um, look within the discipline. In which you are trying to improve and see if there’s a maturity model, you know, out there that, um, that you can, that you can utilize. There are, you know, we can get into some very specifics here within the technology, uh, discipline or how they apply it to technology.

But, um, just know that, you know, within, um, lots of different industries and lots of different disciplines, there are, there are already some very well built. Maturity models.

Todd Sorg: Yeah, I was gonna expand on that a little bit too. So there isn’t just a single maturity model that’s out there. So, [00:08:00] um, we’ll dig into a little bit of ’em today, but you know, it’s just kind of giving you high level stuff.

Um, there are many organizations that already implement those. So for example, there are project management, maturity models that are out there. Um, there are technology ones, a lot of people are probably familiar with CMMI, um, they’re cybersecurity maturity models. So you can get into ones that are basic for finance and so forth.

So there’s a lot of ’em. They do apply. And like I said, at the beginning, the intent of this is really trying to find ways to help organizations continue to mature out. Um, so

Scott Patsy: go ahead. No, I would, I didn’t mean to step on, I would even say, you know, something that people are really. Most people are, are, are probably pretty familiar with, or at least I’ve heard of as, as like an ISL standard, you know, within manufacturing, very similar, right?

That’s a very well known, pretty global standard for how a manufacturing organization matures its process. Right? And, and, and the, and the big benefit in that world is if your ISO, you know, [00:09:00] act certified. Um, that means there are certain criteria that you’ve met that ultimately. Your customer is looking for you to have accomplished.

And so that’s one giant benefit in that scenario is if you’ve met the criteria in a particular standard, you can do business with a particular customer or a customer will even come to you specifically, based on the fact that you have met that ISO standard, you meet that criteria. You have matured as an organization to such agree that you’ve been awarded that standardization.

Todd Sorg: Yeah, I’ll expand on that a little bit too. So, so prior to, to joining CIT, as you know, we’re all, we’re all CT CIT and it up here. Um, I used to work for a manufacturer and, and one of the questions that you kind of ask is why do you go through a process like this? And, and I kind of mentioned it’s because you wanna continue to improve as organizations, but there are a lot of other reasons for it too.

Scott just touched on, we can [00:10:00] get more revenue because of it. We can land projects, we can separate ourselves from our competition. But, you know, another one and, and this is where I was kind of focusing very heavily at the front is just trying to make sure that your processes are very repeatable. Um, so there’s a whole slew of good reasons why they do it and when you’re going, Hey, I think if you’re considering this in your organization is I think we’re gonna move forward on something, this like this.

You can then circle back with your stakeholders and say, I wanna move forward because I think it sets us apart. I think it’ll help us drive additional revenue. I think it’ll help make our processes repeatable and, and predictable and so on and so forth. So there’s a lot of really good reason to do that.

And almost everybody inside of every organization wants those things. They want more money, they want more revenue, they wanna make it more efficient and so on and so forth. Yeah, absolutely.

Tara Klocke: Like who, who wouldn’t want that for their organization? And. In case anybody said, no, this is a podcast on technology.

So I do wanna dive into a little bit about how does this apply [00:11:00] to technology? Yeah,

Scott Patsy: that’s a, that’s why we’re ultimately here. Right? Um, so there are a few ways that we can kind of look at that. Um, I think the important one today is to help, um, You know, the listener here understand, um, broadly how the maturity model can apply to technology.

But then more specifically, how does C I T use the maturity model, um, to help our customers ultimately, you know, align their business goals with what technology can do, right. Um, I think a good broad place to, to start maybe, um, Todd, you can help out here is, uh, something that’s kind of on the forefront front of everybody’s mind today being cyber security.

And there are a number [00:12:00] of, of, uh, places where this applies. Um, and, and, and Todd, I would invite you to kind of start and I I’ve kind of got some, some stuff queued up here to, to discuss about it.

Todd Sorg: Sure. Yeah. So thanks for that. But, but cybersecurity is really easy because as Scott mentioned, it’s top of mind right now, it’s easy to talk about.

Um, but the nice piece about it is there is a decent amount of compliance out there that kind of helps build what frameworks look like today. Um, so you look at those highly regulated industries, your healthcare, your finance, et cetera. They’re all trying to do exactly that. As I mentioned early on, you really can.

Do it all in one chunk, there’s a variety of reasons for it. The complexity, the cost, et cetera, cetera. Um, in the compliance industries or the regulated areas, the reasons why they have to do it is because they’re being asked to do a lot. The reasons why there is compliance and regulations is because there’s a lot of risks in those industries, whether that’s because they’re being insured, um, by insurance companies or by the D I C or whatever the case may be.

They’re the ones that [00:13:00] are saying, Hey, there’s a lot at risk here. We wanna see you do it. Essentially, what they say is there’s kind of a foundation that you need to get in place for the maturity model and they call it baseline in the finance industry. And then as you continue to grow and get better, the next stage is called evolving.

So again, you’ve kind of got the basics I can block. I can tackle. Now I’m starting to get it a little bit better. And then once the next stepped up is intermediate. So you’re doing about average. That’s about what most organizations are trying to do if you’re in that industry. And then you get up to advanced and then at the very top of the scale as innovative, and the intent is.

Most organizations aren’t really striving to be innovative when they’re in the SMB market, which is typically where we focus and that’s because they don’t have the revenue, the horsepower, et cetera. But there are leaders in every industry that are going to be innovative, even if they are small, there’s, there’s plenty of people that are really trying to turn their industry on their head.

And they’re trying to be living in that innovative state as well. [00:14:00]

Scott Patsy: Yeah. Yeah. That’s great. Um, I’ve got a, um, uh, kind of what I have queued up as some, an example, really within cybersecurity kind of, you know, how and where that applies. And so, um, I think, uh, if there’s anybody out there listening to this that is, um, kind of tapped into what.

The cybersecurity industry is doing the maturity model that we see relatively, um, consistently is what’s called the cybersecurity maturity model certification, the CMMC, um, which is an assessment framework published by N the national institutes of standard and, and, and technology. And what the CMMC does, is it, um, It’s got a whole list of about 14, what they call domains, um, that, uh, um, are specified for, um, analysis, um, to address the CMMC and, [00:15:00] and those are access control, awareness and training, audit, and accountability, configuration management.

I’m not necessarily gonna list all. 14 of ’em, but you can kind of understand what they’re trying to accomplish their incident response, um, personal security, physical protection. There’s, uh, there’s a whole list of things to, to get through and to mature through, um, within the CMMC and those domains and, and, and an example of that is, um, Kind of the framework that we’ve been hearing about is, um, you start at, you know, a particular level of maturity and as an organization meets those maturity requirements, it would, you know, move on to the next level.

Right. And, and within the CMMC, the first level is access control and the first level and level one. Then within access control is what they call authorized access control. And, and they call that out and they say limit system access to authorized users, [00:16:00] process pro uh, uh, processes acting on behalf of authorized users or devices, including other information system.

And so once an organization has done that limited. Information system access to authorized users. It can kind of check that box and move on to, um, the next aspect of level one. Again, being access control, which is transactional and functional control limit information system, access to the types of transactions and functions that authorize users are permitted to execute.

Um, so you can kind of see how this moves the next, uh, uh, uh, aspect of level one is external connections, verify and control slash limit construction, uh, connections, um, to and use of external information systems. Um, Uh, and so they, once you have kind of done these things, checking the box, you move on to the.

[00:17:00] Piece of that. And AF once you’ve matured through level one, level two, uh, again, within the access control domain. And I know we’re getting in the weeds here, I hope everybody’s following me. Um, level two is then starts with, um, the ion of duties and so separate the duties of individuals to reduce the risk of malevolent activity without conclusion.

And, and, and, and the CMMC is, is, is, there are lots of questions it’s very in. Um, and for cyber security at this level, it really should be, but you can see within the different levels, what they’re doing, they’re ultimately tightening the security restraint so that the right people can get access to the right information, um, or ultimately to limit access.

um, only to a certain set of people internally or externally. Um, and this goes on and on and on, and there are lots of levels and lots of questions, certainly not gonna read ’em [00:18:00] all, but you can kind of get the gist here of, again, the process by which an organization meets a particular criteria within a level in order to check a box and move on to the next.

Tara Klocke: So I definitely heard a lot of compliance compliance, but then how do I take my organization and align that with those models? What do I do? Do I do that myself? Can I reach out to somebody to help? Or how do I check some of those boxes?

Scott Patsy: Yeah. Yeah, that, that that’s that’s thank you, Tara, for reeling us in a little bit.

um, the question there really is. Okay, well, how does CIT help, you know, our customers? How do we use the maturity models to help our customers? Um, because our customer base is one that tends to be, uh, what we refer to as, as SMB. Uh, um, and I’ll clarify a little bit to say C I T S customers that have, um, you know, a pretty broad range of, uh, uh, of user basing.

We’ve got customers. They have five to, to, [00:19:00] to 500 users is, is, is kind of how we categorize that. And today, um, we are using maturity models, um, both within our cyber security and strategic engagement departments to drive. Really help our customer drive that level of maturity within each respective discipline.

Um, and, and I, I really, I firmly believe that that word using that word drive is an important aspect of this. I would say that our customers look to us in these cases to help them mature. Through these processes, and it’s not something that they necessarily are prepared, have the, or have the bandwidth to accomplish on their own.

So they really need us to, to help move them forward. Um, cybersecurity obviously is very focused on maturing the. Um, it, uh, cybersecurity for our clients. Um, well the strategic engagement department takes a [00:20:00] broader approach in maturing overall. It best practice within categories, such as it infrastructure, where we’re analyzing servers, workstation, storage, switching, um, backup and recovery.

It budgeting, um, and big picture items like the organization’s cloud strategy or the ability of it assets to meet, uh, uh, uh, business demand. Um, I will, uh, I’ll take this moment to kind of pick on an easy criteria, um, where, where, uh, um, Strategic engagement focuses. And that is, um, that’s the, that’s the it budget.

So I’m just gonna talk through this briefly. So, um, if we were using the maturity model to analyze a customer’s it budget, um, we, we, uh, we would do that. We kind of have five levels within budgeting, um, and we. Make these statements, we ask the customer, these questions, um, you know, where do you fit today? Um, within this model.

Um, [00:21:00] and so if I think of the it budget, kind of it being one through five, number one being no formal it budget exists. Technology is purchased ad hoc. It budget percentage of revenue is unknown today. Um, or number two, being some it purchases are made based on specific recommendations, but were not planned for in advance.

Most it hardware, software and service expenses are paid for as needed. During a point of pain, it budget, percentage of revenue is still unknown. Um, level three then is, um, you know, you can, you can kind of hear that it continues to get better as you mature. Um, level three is, uh, a list of technology purchase has been documented.

However, no specific annual it budget is followed. Some hardware software service purchase is purchased in advance based on a roadmap. Uh, some are still purchased ad ho. And again, it budget percentage of revenue is, is less than industry average. Uh, number four, [00:22:00] then we would continue to get better. An it roadmap has been documented annual it budget has been created most are all it.

Hardware, software, service expenses, expenditures are made in advance. Um, and then number five is a formal budget exists. The organization, um, and business leadership are aligned on technology solutions that support business goals. And so the question is, well, boy, Scott. Yeah, we are at a number one and we really wanna get to a number two and number three and number four.

And, and, and we need your help getting there. Right. Um, and so that’s where we. Use strategic engagement to help, you know, drive, um, organizational leadership, our customer’s leadership to working through those maturity levels. If no formal budget it budget exists today, then let’s build a cadence together so that we can work with you to.

Identify the items that are attached to the it budget, what [00:23:00] the cycle is for these things and build some predictable repeatable processes around, um, maturing you to the next level so that we can get from no formal it budget exists to you have a roadmap we’ve helped you document that roadmap we’ve identified within, um, you know, quarter by quarter, what the it purchases are that are going to be made.

We’ve identified. Um, when assets will refresh, we’ve identified when new hardware will need to be purchased based on warranty or support expectation, um, expiration, excuse me, we’ve identified when, um, you know, projects need to get accomplished based on that budget. Um, And then to help an organization, um, uh, uh, review that quarterly budget and review budget, percentage of revenue and see where it fits within its industry.

Um, so that’s kind of how we would take something as, um, really as important, [00:24:00] um, and as transformational as the it budget and moving it from, ah, we really don’t have a formal it budget. We kind of just buy stuff when we need, when we identify a pain point to a formal budget exists. Organization business leadership is aligned with, um, uh, not only making it purchases, but, um, helping those purchases, uh, ultimately drive business.

Todd Sorg: So I’m gonna boil that down a little bit. um, I, I think, uh, what Scott said was great. I, I think all of that aligns extremely well. And if you were, I mean, I, I’m not trying to make fun of Scott in any way, but I think if you were kind of going through the process, I kind of highlighted, and I said, you got a baseline and you work your way up to innovative.

Exactly how he laid that out. They followed right into those steps. Right? So you kind of figure out where you’re at and where you’re going. One of the things that I kind of wanted to point out right away is I have worked for a fair number of organizations. Um, prior to this particular role in everywhere I’ve ever been, I’ve found that [00:25:00] the reoccurring theme is senior leadership hates surpris.

Right. And that’s budgeting. That’s break. That’s fix it’s it’s all the unknowns. Right? So when Scott’s pointing out heavily, you wanna get to this area where it’s repeatable, it’s understood. You’ve got budgeting, et cetera, for anybody that’s in charge of it, responsible for it or any. Other area having that predictable model does eliminate a lot of that friction and it removes the surprises.

So you’re less likely to have the president CEO’s laptop die unexpectedly, or your backup system didn’t work. And now I’m looking for a $20,000 investment or whatever the case may be. Those things are being eliminated. Um, now when it comes to cybersecurity, You know, Scott had mentioned this too, is a lot of organizations don’t have the horsepower to be able to kind of do that for them.

So there are partners out there. C I T be one of them having the ability to say we can help translate that. So I wanted to touch on the CMMC [00:26:00] piece real quick too, is, um, as Scott was reading through that, While it’s clearly in English that doesn’t necessarily make it easy to understand. Right? You go through all that and you say, whoa, what does that even mean?

There are organizations, there are people that do know how to make that very actionable and say, here’s where you’re at today. We can get you to the next step easily by doing X, Y, and Z. So there are very clear ways to do it. Um, And I, and I apologize, I didn’t mean to cut Scott off in any shape, manner or form.

I just kind of wanted to point out that the surprising thing is, is really, should hopefully resonate with a lot of people and being able to, to minimize that if not completely eliminated is something that most organizations are after.

Tara Klocke: And no fault to Scott’s, um, own, he is very passionate about this subject.

So it’s so nice and refreshing to be able to have somebody be a part of CI I T that wants to talk about that. And he is in that perfect position, um, to do so. Um, so great job guys. [00:27:00] I appreciate, um, all of that. So I did wanna kind of, um, lead us out to the end and we’ll kind of wrap anything up, but Todd or Scott, do you have any, um, final words that you wanna get in there?

Todd Sorg: Yeah. I wanna know when we’re scheduling the music one. Yeah, right. yeah. When can

Scott Patsy: we let’s have a grateful dead podcast, which is the best version of ahea. awesome.

Todd Sorg: This was great,

Scott Patsy: Tara. Thank you so much.

Tara Klocke: Well, thank you. Uh, Todd and Scott, I very much appreciate your time. And as always, we love to talk and sometimes we tangent, but again, talking about the passion, we love to see that, but for those of you that are listening, we always are looking for, um, you know, feedback on some other suggestions.

So please make sure to do that. Um, you can visit our website, which is CT net.com/podcast. Or you can email us at info C I. Net dot. [00:28:00] And as always, we look forward to chatting with you guys next week. So, and are.

Technology for Business Podcast – Myths of Managed Services

In this week’s episode, Kyle and Alex sit down to chat about the Myths of the MSP (Managed Service Provider).

Myths include:

  • A MSP is there to replace your IT Staff
  • Once you sign up all your problems will go away
  • Only people without IT staff need MSPs
  • & more!

Have a question for Kyle or Alex? Email info@cit-net.com.

Listen now

Episode Transcription

Kelsey Sarff: [00:00:00] Welcome everybody to today’s tech for business podcast. Today, we’re sitting down with Kyle and Alex and we are talking about myths of the managed services. It’s going to be a fun one. Let’s kick it off with you guys. Introducing yourselves.

Kyle Etter: Hi. Thanks, Kelsey. I’m Kyle I’m the president and CEO at CIT.

Alex Piper: My name is Alex Piper.

I’m the manager of managed service.

Kelsey Sarff: Awesome. And you guys are gonna be here in a little bit more for me today as I put forward our lovely myths.

The first myth is, “Once you sign up all of your problems go away.”

Alex Piper: Yeah, no, it’s gotta be one of my favorite ones. Um, when thinking about this topic of myths about what we do and the magic that we can do behind closed doors, it takes a little bit more than just signing up.

It takes, you know, it takes us a little bit of time to kind of get through your network, get you on board. I bring you in, you know, any MSP who’s going to be coming in and bringing you to their managed service platform is going to, it’s going to take them some time to [00:01:00] get, to learn your environment. And we’re not gonna be able to solve your problems right away.

We’re going to collect your problems. We’re gonna learn what it is and we’re going to grow together. But it’s unfortunately not one of those things. That’s an instant sign on the dotted line. We all get to move on with our lives. Um, and everything’s going to go smoothly. Um, Kyle, anything you want to add?

Kyle Etter: Yeah. Yeah. I, I think it’s even more so I have the understanding that as things are, uh, brought to light that even has, you know, more activity and there may be some, you know, like my RA caused some short-term pain, uh, to get through those sides of it. Cause, uh, typically highlights areas that need to be improved and adjusted to make it even in a more supportable environment.

Usually, that form of the pain may be an additional investment typically, you know, there’s. Older devices, those types of things, just immediate recommendations and that need to be, uh, addressed to improve the supportability of the networks. So, you know, I would plan for typically coming in, if you’re not coming off of a [00:02:00] mature managed service provider, that you’re probably likely going to be requested to make some additional investment, uh, to help improve the supportability, not always immediate, but certainly in the, in the near future, those things will certainly have.

Make the network at the moment, a lot of the problems go away. It’s not just the provider. There’s a combination of the information recommendations that ultimately drives the more supportable network.

Kelsey Sarff: That makes sense. I’m going to ask a follow-up tangent question here. Tangent alert. How long would you say it typically takes a managed services onboarding?

How long would somebody be looking?

Alex Piper: Yeah, probably you’re probably looking at, you know, just from doorstep to doorstep, from signing to, you know, us being, you know, an average MSP being out there probably about 30 days. And then from there probably another 30 to 60 days for us to really start to learn that.

Get all the tools collecting all that data coming with those recommendations [00:03:00] that Kyle talked about a little bit about pain points. Here’s what we’re seeing in your network. That could be potential pain points and starting to build that list, um, of, uh, topless items of what we were going to want to look at.

Kyle Etter: Yeah. I like to set Customer expectations around 180 days, or, you know, really starting to see some of the results sides with it. Um, as, as I like to mention, you could be, you know, ready to receive calls and get the information within 30, um, you know, your other, other areas of. Discovery trend analysis, those another, uh, more in-depth deployments, uh, optimizations of the network and systems, you know, some security or mediations, typically it could take, you know, 90 plus and then to kind of cook, you know, get it all working together is really about 180 days.

So I wouldn’t judge any managed service provider in any shorter period of time with that. If it’s [00:04:00] working or not in any shorter period, it’s just not enough time. For the systems and the processes to really start to take hold. Um, and, and I don’t want to make the idea that after 108 days it’s perfect.

Um, but you should start to see progress after 180 days. I would not judge it any sooner than that.

Kelsey Sarff: Makes perfect sense. All right.

Myth number two is, “Only people without IT staff need MSPs.”

Alex Piper: Yeah. I’m going to say that is not true. Uh, we have, you can have. Environments that definitely like you cater towards the people who don’t have it sass.

Cause that’s what we’re here for. We’re here to give them that, help them with that pain point of not having that staff. Um, but with that being said, a lot of our clients do have it staff and we’re there to help them in any way possible. Um, you know, you [00:05:00] could be anything from just being a contact expert in a certain area, which, you know, your MSP is going to know yours.

Engineers who are certified in a lot of different areas and be able to provide a lot of different knowledge bases where, you know, your local IT or not, anybody onsite won’t have that knowledge. And you can just supplement to that little bit, just, you know, is there to help, you know, S you know, you progress and grow your business and your IT.

Kyle Etter: Yeah, I it’s there’s, there’s so much value in what the processes and systems from the managed service deliverables bring to even customers with existing it staff. Because the, when I used to have conversations with customers about is driving towards. Efficiencies. And a lot of those efficiencies, we have efficiencies of scale and our managed service offering.

I mean, we do it day in, day out. We know how to monitor. We know how to, how to react, you know, how to know if something’s up or [00:06:00] down. We know how to, uh, you know, re-respond to performance, you know how to do, you know, Asset tracking and those other general areas, we know how to keep systems up to date and patched, and we know what’s required for security.

So those general across the industry, it doesn’t really matter. Um, those we’re very efficient at it. We do it day in, day out. We’re very good at it. Where the customer’s it, staff start to then gain the time and effort is to work with where their rubber meets the road there, their data, and how they’re interacting with their support users and then to their customers, with their data and their systems, because when it gets specialized into their particular investment, That’s where we lose efficiency.

So, you know, once customers have a certain size, you know, the many times we recommend they have an IT staff that we can’t fill that need. And, uh, you know, I think Alex, Alex is smiling on that. Cause it’s, you, you, you can’t promise [00:07:00] that as a managed service provider, because you just, again, you just lose the efficiency of scale.

So it’s pretty easy to understand where the, where it comes. I always advocate for customers. When they look at saying, well, we could build, we could have our own monitoring system and we could do our own ticketing system and we could do these things. But again, you’re just adding to your problems because now you’ve got another system to manage.

You got another, you just added to your plate, you didn’t subtract. And you know, we can attest the systems that monitor the customers don’t work as well as the other things. They are not a set it and forget it. Type of product. They are ever-evolving, ever-changing. They have their own set of support. We have dedicated people that handle that, and that’s the efficiencies of scale you want to get.

So I think customers with staff have a hundred percent, uh, benefits, um, looking at utilizing MSP cause it’ll gain better efficiencies with their people and there it is, and it’ll [00:08:00] actually deliver better it technology to their bills.

Alex Piper: The Tufts to that. You just have the hours, I mean, work 24 hours, just for an example.

We’re 24 hours, seven days a week where you’re having, you’re paying somebody 40 hours. Multiple people for 40 hours’ worth of work. I mean, you’re getting that around the clock. Somebody watching your network holidays for here, you know, you’re kind of getting that you want to take PTO and you’re the only IT person that’s where we can come in and just, you know, let you relax for your, you know, for your trips to Florida, for S for a week, you know, that’s where we can kind of come in and help.

Help you out, you know, it doesn’t have to be somebody who doesn’t have any staff. You need help just in just that there, but we can supplement that staffing in those peak times.

Kyle Etter: Yeah, absolutely. Do you mean an IT guy gets to take time off?

Alex Piper: occasionally?

Kyle Etter: Yeah. Yeah. Unfortunately, IT doesn’t sleep. And, and, uh, I think again, as Alex steam going to test the, uh, model of alerts that come in overnight and on [00:09:00] weekends, it doesn’t shut down.

When most people, you know, take off on Friday at five o’clock. Quite to the contrary, we tend to see a lot of systems that, that, that have issues over those overnight hours and over weekends and, and on holidays. And it’s, those are the times you want to make sure you don’t have someone on glass if you would be able to react and get information out sooner, you know, does help because yeah, one or two people just can’t do it alone.

There’s a, it does take, you know, good systems and those things. So having a good partner to back. As well as getting those escalation points, it’s, uh, it’s not realistic to think that one, one or two people in an IT staff at many organizations can know everything about every product they’re required to have some administration support with.

So having an existing partnership to be able to reach in and say, I need help with this firewall or this, the server problem in those areas is, is a [00:10:00] nice way to ensure that you can get things resolved much faster.

Alex Piper: I had a smile. When you said like, you know, after hours is when the most tickets come in, you know, it problems never happened during the eight of five.

They always happen on a Friday at four o’clock when everybody wants to leave for a long weekend, you know? And it, it’s just that extra layer that they give you is you can kick them off, you can get them going, or you have that person where you can go home and take care of what you need to come back. You know, you get that extra layer of knowing that, that person’s there to help you while you’re not there.

Or can’t be.

Tara Klocke: I think that’s also a great point. Cause I think there for a while, it used to be kind of us versus them in the industry that they always felt threatened about an MSP coming in, where that’s really quite shifted in the fact that we’re here to help supplement that and form that great relationship with them because we’re not trying to come in and overtake them, but also offer some great solutions for them at the same time.

Kelsey Sarff: So I love the fact that we had [00:11:00] that discussion point, so lovely. Yeah, that kicks off beautifully. Another myth that I got coming up way to tee it up without even knowing.

“An MSP is there to replace your IT staff” is our next myth of the day

Alex Piper: Yeah, no, we want to work with you. I promise you that, like, there are things that you know about your network.

We won’t, you know, you’re, you know, the employees, you know, the inners and outers, the day-to-day business that we don’t, we’re just here to help with providing new tools, providing new knowledge, providing you after hours, we’re here to provide you other it solutions. Our toolset, Kyle hit it, hit it earlier about just the sheer volume of tools that we can provide or connections with vendors that we have.

You know, you, you know, you think of managed services, you think of just day-to-day support. You know, we, you know, an MSP, a good MSP can provide you solutions in so many different areas. If it’s platforms in development in insecurity [00:12:00] and you know, just growth plans and stuff like that. I mean, you know, it’s, you’re not just.

You know, to replace them, you’re here to help them grow and to take some of their pain points away. Instead of like Kyle said, he hit it on the head earlier where it’s like adding more tools and in your own monitoring tool, adding your own ticketing tool. Yes. It’s nice to have it in-house, but when you can rent those services and utilize somebody else’s tool where they have their own admin team, keeping it up and having that updating and patching and everything like that, taken care of where it takes some of the low hanging fruit off their plate.

That’s where an MSP can really show the value of your company to your IT staff. Is this take that low-hanging fruit off their plate and let them focus on the big day-to-day stuff and let us cover the day-to-day.

Kyle Etter: I think having your, the people that are on staff, being able to support users at a certain size. I think you reach a size over, you know, a hundred plus employees, depending on the technologies using it, [00:13:00] how much you’re using, you know, having, having somebody to be able to directly work and interact with the users in your line of business applications is where we see a lot of synergy on the, on the system side.

You know, smaller organizations, again, it all depends on, you know, the complexities of your technology and how much you have going on. Um, but you know, there’s, there’s such a tremendous augmentation that it provides and helps, and we’ve seen it, you know, proven in many organizations when they release the kind of the day-to-day.

Functions that are again very general. And then they focus on the business needs of the technology that, that, that it really starts to become a differentiator for that organization. And they, they look at it not as a, as a, just an expense area, but it’s going to be a differentiator, but yet you find the synergies to make it work.

Yeah. I just think I’ll make that analogy there. I’m sorry. Alex says, [00:14:00] he told me the analogy that nobody changes your oil at home anymore. Very few people do because you can go to an oil change check. And they can change your oil and 15, 20 minutes or less. And you don’t. And for about the same cost of you going into a store, buying the oil, setting aside an afternoon, and then having to drive someplace and find a place to dispose of the oil and go through those things.

The net result is very little differentiator because they’re very efficient at what they do. Um, they’re not there to change a transmission or, you know, replace your engine. They changed the oil, that’s what they do. Um, and they’re very good at, and they’re very efficient. They can do it. Cost-effectively and it’s, it’s, it’s kinda the same idea.

Um, very efficient at, at certain aspects of network operations, network security, there’s other areas, but once it relieved the more specialized stuff up to the province onsite.

Alex Piper: Yeah. And the good [00:15:00] ones. I mean, I was going to go a different direction, but I think that’s perfect. One, you know, oil change. I get like 20 points.

I mean, that’s also what we’re doing. We’re also looking at other stuff over there, making sure your lights work, you know, making sure everything else is there working. I mean, the oil change is a great example. You take it someplace. Cause you’re getting usually just slightly more than sometimes it’s an oil change, you know, you’re getting your ears, you’re getting your tire, putting your, you know, air put in your tires and stuff like that.

So getting that little extra thing that you know, they’re going, that we’re always looking at we’re in and out of networks all day. Um, so, you know, we see a lot of different environments and, you know, you start to build your know what works, what doesn’t work recommendations. You start to see stuff at a quick glance than somebody who has been staring at the network for the last 20 years.

Kyle Etter: Yup. Yup. How long does it take you to, to find an ISP outage Alex?

Alex Piper: Uh, minutes, if that I have a tab, literally, it’s just me clicking the tab and clicking refresh a couple of times to see if it shows up. [00:16:00] Honestly.

Kyle Etter: So the commonality, you know, I mean, you start to see X number of customers all go offline at the same time in a general region.

You have an indication of an ISP outage immediately. So commonality of that, again, there’s just numerous benefits to get brought to the table, but it doesn’t take away from, um, you know, the value that onsite it can do as well.

Alex Piper: Yeah, it’s funny that you say that, you know how fast, you know, now with customers being all over the place, you know, you can be an MSP that’s down, you have an MSP down in, you know, hurricane area.

We have customers who are down there that we are overnight. Guys will watch. They’ll refer. The hurricane center and just see if there’s anything coming that we need to be aware of to start shutting down gears plans stuff, you know, we’re watching power outages, just silly things like that, that you don’t think about, but that’s what we’re here to do.

You know, let us know your power company and we’ll go, they have the outage maps. Readily available online now that this is little things like this, the peace of mind at two in the morning that we’re [00:17:00] going to know that it’s a power outage, not wake you up in the middle of the night or wake you up and say, there are no outages you might want to head in, um, because your network’s down.

Kyle Etter: Yup. Yup.

Kelsey Sarff: So it’s the whole illusion of being mind readers, right? That you’re like, yes, it can definitely. Fortune tell, tell the future. Um, I know that we’ve talked a lot about right. Networks and tools and you guys are like, we know our tools, we’re the experts, but…

Next myth, “Once somebody signs up for a managed services, suddenly that team’s going to know everything about their network and tools.”

Alex Piper: Yeah. We kind of hit on it a little earlier about, you know, Kyle talking about like the timeline and stuff like that, that it takes us a little while too. Up to that point. I mean, I mean, you could call the same day that that provider shows up depending on what their rules of engagement are. If they want a little cool-down or, or anything like that, but you can start calling, I mean, is it going to be smooth?

I mean, short of it being a very [00:18:00] like, you know, have you tried rebooting, um, and it fixes your problem. It probably is going to take us a little bit, cause we’re not, we’re still collecting data passwords, knowing how your network’s laid out. Um, So it, you know, it like Kyle kind of talks about it, you know, buy from doorstep to doorstep like that 180 days and stuff like that.

I think it’s. You know, point, you know, I was kind of talking about like that, you know, 30 to 60 days after is when we start, you start to begin to see the efficiencies, start to increase all your tools are in there. We’re starting to build some baseline data and we’re not there yet. Um, we’re starting to track the trends and seeing this computer reboots, and it’s not supposed to.

Your server after, after everything happens, like those things, we start to track those what you’re, that’s what you’re hoping for from that MSP during that time period, you don’t want them to, I mean, you want them to jump in immediately and know everything about your network, but you want them to learn your network and not in give it time and grow with [00:19:00] it.

I set up just jumping in. We’re going to know your problems. Cause that’s why you’re coming to us. You’re going to tell us your pain points. We’re going to be readily watching that on day one. It’s just everything else is what’s going to take us.

Kyle Etter: Yeah. I mean, the tools help to gather a lot of information and we have processes to ensure or get the required information.

We’ll know we need to support a properly, but it’s not that much different than if you were to hire somebody and they were to come in. You wouldn’t expect them on day one to be in, you know, a hundred percent efficient. No, it takes time to learn. There’s still a learning period. So there is still a Betty period to collect and understand, start to know the systems, the software, the people.

You know, the key, where the most value is and where those areas are. And that’s just part of the relationship-building process to go through. No network is the same. I mean, none of them are, they all have unique DNA to them, and they all have [00:20:00] unique, uh, systems and processes.

Each business has developed its own way of doing things. Yeah. So we have to learn that process as it goes through, like any MSP. Well, so, you know, yeah, yeah. Just plan for the time I, to go back again to that 180 days is a good thing to put in your mind to say you should expect to see, you know, improvements and trends, you know, and start to see the relationship.

Start to move forward. After about 108.

Kelsey Sarff: That makes perfect sense. Going kind of backtrack. We were talking about distance and supporting people that are maybe across the country, as far as MSP staffing goes.

The myth that we’ve got now is, “MSPs are staffed overseas.”

Alex Piper: Yeah, that’s a good one. Um, in a sense, It’s somewhat true and somewhat not.

It kinda all depends. Um, there’s a lot of MSPs will outsource overnight work, uh, overseas to help with the time difference and everything [00:21:00] like that. Um, so you, you see a lot of that. So I, you know, I can’t straight debunk it and say it, you know, or anything like that. Cause there is the truth behind it. There is um, some that you just do have it for that after our support, um, You know, but when it comes to that, you know, there are things you have to think about if they are doing it, you know, what’s the language barrier you’re going to be like, if you call in the middle night, what’s the time difference?

What’s the compliance, are they compliant? Can they support your environment? Are you somebody who deals with compliance issues? There are a lot of things to kind of put in mind when you do go overseas. So if you’re another MSP thinking about it, you know, those are things that think about if you’re looking for a.

You know, watching this it’s, you know, do they, or won’t they, we don’t, we staffed 24 hours here in the U S we’re not just located right where we are, but we’re all over the US. Um, they help us with, uh, you know, we have people on both coasts to help us from, you know, we chase the sun a little bit. Um, [00:22:00] And that’s what a lot of people will do.

Um, but I can’t the straight say no. Um, but I think there’s a, it’s usually that after-hours is where you find that niche or where they are.

Kyle Etter: Yeah. Yeah. I mean, it is definitely gonna vary from size and pricing structure and the other sides of when it introduces overseas. Um, but if you’re in the market looking the.

So typically it’s, it’s a disclosure, you know, they will disclose that as Alex had mentioned, really for compliance, if you’re doing any government based work or any side of that, you know, they, they, you can engage oversee support if they’re doing any kind of U S government work, um, defense contractors, there are all kinds of, of, um, different regulatory, um, organizations that will prohibit that from them working on it.

Definitely, something to confirm. I would say of our interactions with other MSPs over the country in different, uh, um, different conferences [00:23:00] and those things typically not, um, but not a hundred percent, you know, across the board. So it’s definitely worth asking. It may be engaged or. It can help cost, you know, so, I mean, in, in the effort side of that, you do it as an MSP to, as Alex mentioned, it helps with the time, you know, obviously their daytime is opposite of ours, so it helps for overnight and shift side with it.

Um, and typically there can be a labor cost savings, so can help them provide the service at a lower price to their customers through that side. So there are valid reasons to look at it. Um, but you’d need to make sure that it fits and works for you.

Kelsey Sarff: Yeah, that makes perfect sense. And I’m kind of going to find our next myth, that kind of tangents lovely off that..

“that MSPs are just sitting around, waiting for you to call in.”

So these guys that may or may not be located in the us cross seas, they’re clearly just sitting there waiting for you to call.

Alex Piper: Yep. Um, love [00:24:00] it. I appreciate this one. Um, okay. As much as I’d love to say yes for just sitting there waiting for your call, but the good ones aren’t and you know, and I’m fortunate that we aren’t, we’re being very proactive in your environment.

You know, you’re, if your MSPs are sitting there waiting for your phone call, it’s great. They’re going to answer the phone. They might be able to solve your problem, but what else are they not doing? What are they ignoring? Where, you know, if they’re being proactive, they’re monitoring that network. They’re patching, they’re helping you plan for that growth.

That’s really where, you know, you’re hoping that that managed service, that your MSP is really driving towards. Yes. Do you want your help desk? They’re ready to answer the phone. Of course, but, and they will be, they’ll always answer the phone. It’s just, that you want to make sure they’re doing other than just sitting there waiting for your prompt problem.

They’re not just sitting there twiddling their thumbs, watching, you know, reading something online. They’re actually doing something in your network or somebody else’s network, and they’re being active in there for you.

Kyle Etter: Yeah. I mean, it’s, [00:25:00] it’s part of the cost analysis side of it. I mean, obviously, an MSP can’t supply, you know, all these services and those other things and have a dedicated person waiting for every customer to call it.

That is just not the way it’s going to cost out. And, you know, so you’re, you’re gaining the efficiencies with the systems and software Alex, there’s a proactive side to the event, you know, trying to prevent the users from needing to call in the first place. So that occurs side through there. And then you, you know, typically we publish our service levels.

You know, most MSPs do have the service level side of it, where they quantify and they’re going to categorize the calls. So not all calls are equal. And I think that’s, there’s an educational process that needs to be communicated to staff when engaging a managed service provider and understanding that, you know, you’re, you’re formatting out of your printer, not working right, is different than a customer with their whole network down.

You know, so the [00:26:00] reaction times and expected response is you are going to vary depending on that. And to plan accordingly. I think all MSPs want to serve the customer as fast as possible. And the service levels are always the afar outer range that you measure against to beat. But you do have to understand they’re not all equal.

Um, and you may be faced with, you know, waiting to have 30 minutes or an hour for a call back on certain things. That’s just part of the process that you gain from that. But it does piggyback on that earlier conversation of certain customers of certain sizes having onsite. It maintains those expectations because if you have no complex systems or you have enough staff on those, having your onsite, IT staff feel that will support those systems and those other things, and allow the MSP to do what they do really well can help as well.

You have to do that full analysis to see where it really [00:27:00] fits best.

Alex Piper: Yeah, no, I think those are fantastic points. You know, just about everything, just looking at it, you know, it’s a whole approach. It’s a whole package that you have to look at. It’s, you know, it’s, everything comes with something else.

Like the SLA is all service levels, agreements, you know, like that comes in. Yes. We don’t want to hit them and we want to, we want to beat every single one of, well, we don’t want to hit. Top of it and just scoot by, you know, you want them sitting there, but also you have to understand if it is something, you know, it kind of helps for you to vocalize what you’re experiencing to your best advocate.

Um, when calling in or sending that email in, if it is critical, you have to, you know, letting that provider know helps them give you that level of service in the timely manner that you you’re expecting them to do, but that level set needs to happen as.

Kelsey Sarff: I think we could tangent, I could have a whole other half an hour discussion. Okay. Let’s look at, let’s [00:28:00] talk just about the service level. Um, but as we are getting up to the end of time here, I wanted to thank you. But I thought all of this was amazing. I know that we have more myths. So maybe part two coming in the future, we’ll do a trailer.

Everything will with stranger things themed. It’ll be amazing to dress up like the eighties. I can see it now, but thank you guys so much for sitting down and chatting today. As everybody can tell the love tangent. We want to talk about just about anything underneath the sun. So you can always get ahold of our speakers online.

We’re at cit-neck.com backslash podcast. There’s a lovely form. Fill everybody’s favorite out there. Feel free to drop questions or topics. If you want to connect one on one, they’re always willing and able to do that for us, you can send us an email at info@cit-net.com. We look forward to chatting with everyone next week.

Technology for Business Podcast – Physical Security (Cameras, Sensors, & more!)

Join Kyle and Todd as they chat about physical security for SMBs. This episode covers traditional and new physical security technology available. Plus, how manufacturing, education, and even CIT use this new cloud-based physical technology.

Our speakers discuss Verkada we chat about new technology. If you have questions or would like to see a demo in action email info@cit-net.com or call 651.255.5780.

Listen now

Have a question for Kyle or Rob? Email info@cit-net.com.


Technology For Business Podcast Season 1 Episode 5: Choosing an Managed Service Provider (MSP)

Kyle and Rob sat down this week to chat about choosing a Managed Service Provider (MSP). They discuss pros and cons, questions you should be asking, and how to know whether or not an MSP might be a good fit for your SMB.

Listen now

Have a question for Kyle or Rob? Email info@cit-net.com.

Episode Transcription

Transcript has been edited for clarity

Kelsey Sarff: [00:00:00] Good morning. Welcome to today’s CIT tech for business podcast. Today, we’re sitting down with Kyle and Rob to discuss what to consider when hiring an MSP. Just a little moment to introduce myself. I know this is our fifth tech for business podcast. I’m Kelsey I’m part of our marketing team, and I’m going to be asking these guys just a couple of questions, help us keep centered from all of our tangents that we love to have.

But I’m at kick it right over to you guys. Why don’t you guys give me, give us your first name, your title, and then we’ll dive right into it.

Kyle Etter: Thanks Kelsey. Um, my name is Kyle Etter. I am the President and CEO at CIT.

Rob Cramer: Hey, good morning. I’m Rob Cramer. I am the Director of Managed Services, a CIT.

Kelsey Sarff: Awesome. Thank you both.

As I kind of let us into in our intro talking about MSPs this morning, managed service providers. What are MSPs?

Rob Cramer: Well, that’s a great question, uh, to different people. Managed Service providers mean different things, but in general, a managed [00:01:00] service provider is an organization that you can call this, going to help answer, uh, computer quote questions for your users, whether that’s, um, you know, how do I install this Microsoft application?

How do I print? I’m having problems printing. Can you fix it for me? Um, sometimes it’s more important to talk about what they’re not, and we can get into that.

Kyle Etter: Yeah, I think just to add to that a little bit. So there’s an agreement typically it’s a monthly reoccurring fee. Uh, usually based on users are devices that you have, um, to support your it infrastructure.

So, as Rob mentioned is obviously there’s typically a help desk there’s technical expertise provided. By the MSP partner that you choose. And then there’s a set of tools, typically automation to help control costs as well as, as, uh, bringing in a management framework for how you manage your IT infrastructure.

So it usually provides us some software for, for management, for things [00:02:00] like patching of Microsoft patching, patching or what we call third-party applications, your web browsers, different components, um, making sure that things are up or down if the servers or firewalls are key components in your it infrastructure to automatically monitor for their status, as well as other things.

How much disc space is in used is the processor running high CPU usage, those types of things. So you have a lot of metrics and, and other things that get gathered by those tools. So very valuable, but it’s a combination of obviously, um, trained and experienced personnel plus software and services, and a monthly agreement is at a high level.

What it is. It definitely varies by the. Our a MSP on how they package it, but it’s, uh, the end of the day, that’s kind of sums up what it is.

Kelsey Sarff: Awesome. That makes [00:03:00] sense. It’s still a lot of things, right, right out of the gate that you’re like, we can do this for you. Congratulations. And some of these are going to have acronyms, just like the name of it.

Um, but you guys briefly mentioned it, right? These are all of the things that MSP can do. Kind of made my brain go – are our MSPs just local companies, or can they be bigger organizations that tend to have more outsourcing? What’s kind of the range of where you can find MSPs and where they’re local.

Rob Cramer: You can find them everywhere.

Um, you got any of those peas that are, that are anything from a, from a one or two-person company that, that support, uh, you know, small groups within their area, uh, to very large national organizations that have, uh, thousands of engineers spread across the world. And the trick is finding the one that’s the right fit for you.

Uh, you know, somebody who’s going to be, uh, well suited to your organization who can really partner with you, learn your, your ins and outs of your, your unique, uh, environment, um, and help support you on that. So, um, [00:04:00] smaller, large, uh, you know, there are advantages in both directions, uh, finding the right fit is really what’s.

Kelsey Sarff: No, that makes perfect sense and launches right into my next question. How do you find one with all of those options out there?

Rob Cramer: That’s a great question. Um, you know, I, I guess I’d start off with, uh, you know, looking at, uh, some of the common options asking friends or colleagues, you know, who they’ve worked with, if they have any recommendations, cause find somebody, uh, you know, that, that somebody else has wanted to recommend usually is a good indicator.

That they’re, they’re a solid company that they’re gonna be. Do a good job supporting your environment, um, you know, going to Google and just typing in a search and just randomly calling somebody, you don’t know what you’re going to get. You could be getting a, you know, a one-person shop out of, uh, out of 10 book to, uh, and they don’t know, you know, your environment, they don’t know, you know, your, your industry.

Um, and when they go on vacation, you still lose your support. So, you know, sometimes you’re looking for that organization is just the right size that they have enough engineers. When somebody is on vacation, you still get to call and you still get to talk. Somebody [00:05:00] still get support. But they’re not so big that you’re just a, you know, a, um, you know, a small fish in a big pond, if you will, that, uh, that they don’t really know anything about you, they don’t learn your environment.

You’re just, you know, it’s just another person calling you. You could just be, as we’ll be calling, uh, you know, a manufacturer someplace and talking to a help desk in India, you don’t, you don’t really know. Right. Finding that right organization, um, asking around, asking, like I said, asking your peers, asking the other organizations in your industry, uh, if they’re using a master spider who they’ve used and who they like, uh, is probably one of your, your really strong indicators of a good place to start.

Kyle Etter: Yeah. That’s what I was going to say too. I think, I think the referral side is always a strong aspect. Um, you know, as as mentioned, there are national ones. You know, being a local provider, can it be slanted towards believing? There’s a lot of value in, in the local, uh, provider, just because. From what we’ve seen over the years, just being remote, um, is not enough.

You know, there is [00:06:00] definitely times, you know, you need to be onsite and you want to be onsite. Do you want to make the connection? It’s, it’s, it’s gonna there’s things you would need to do to keep upgrading on the systems and other components. And it’s just, um, you know, nearly impossible to just, you can’t do it all.

Um, it just, um, if you have onsite support to handle those things and you just need some augmentative, then possibly, you know, a national provider, could it fill the need for you, but, um, in many cases where you’re truly looking for, you know, an it partner that can be more holistic. And usually we find from, for the customers we work with, you know, the intention or the expectation is, is that they’re looking for, you know, Onsite remote, you know, the whole, the whole gamut, you know, the whole end game is to say they want it working, um, and keep the systems, keep their users productive.

And, um, you know, quite often, you know, a local provider I think provides a little more closer relationship, closer [00:07:00] alignment with what the customers are actually expecting.

Kelsey Sarff: Perfect. Oh, sorry,

Rob Cramer: nah, go ahead. Well, I just asked you add a little bit to that. Comics excellent point. And that is, uh, you know, managed service providers, uh, as, as we are, um, we gather a ton of data.

We learn a lot about the customer’s environment. Um, and one of the things that that lends itself to is really looking towards the future. And as we move forward, you know, what’s going to be the best fit for the order for the customer in the future. Do they need to be looking at a specific type of technology or, or something, you know, that’s coming down the line, or do we need to make some changes to their system to optimize it?

Having that holistic coverage, where you actually have engineers who can come onsite and can have that hands-on expertise for you. Um, really kind of fills out that managed service, a service desk environment and allows you to kind of have the other side of it. So if you don’t have that local it presence and you, and you, you need that kind of help, uh, looking for a provider that [00:08:00] has kind of that full packages is going to be variable.

Kelsey Sarff: Yeah, that makes perfect sense. Just really, really quickly that kind of brought up the question, right. That I say I’m the customer. And of course in today’s world I’m hybrid, or a lot of my workers are remote and yes, it’s great to have somebody on site, but how does that work? Let’s say that I have right employees that are all working from their homes, somebody in Hawaii, somebody here would a local MSP still be able to provide the support that.

Rob Cramer: Yeah, actually, uh, very, very effectively. And, um, if you’re the type organization who may have a local network administrator, um, with an organization like. Ours will give you access to the tools. So you can actually use our tools to help support your remote users wherever they have to be. Um, so just like we use it to help promote in and shadow somebody to screen and, and solve a problem.

Uh, look like an IT person could use that same tool to do that work as well. So yeah, it is very effective. Um, having the knowledge of the organization, uh, learning about their unique software and applications and [00:09:00] how their users need to phone. Um, really is, is more critical than where they’re sitting.

Uh, you know, when, when the pandemic hit, we saw this, this mass migration to this hybrid environment, um, and those organizations who had, uh, some pre-planning for that who had some users who traveled in time had some, uh, ability to work remotely, uh, actually were able to make that transition very easy.

And organizations that are fairly static, very in-house. Um, they had to scramble a bit, and they had to lean pretty heavily on people like, uh, like their main service provider to help them figure out how to get their users out to the house and still be able to do what they need to do. And, um, it was a, it was a very interesting time to see how different organizations reacted to that.

Kyle Etter: Yeah. Yeah. Very, very much so. And I also think that you know, the tools themselves give such. Ease of access to get to those devices, but you know, to have a local provider that can prep those devices and has them sent to those remote workers when [00:10:00] they are ready for upgrades, you know, we see a lot of synergies and a lot of value in that as well.

Um, just the consistency of the support provider to understand the nuances that everybody’s, it systems has. Nothing is a one size fits all. It never is. They’re never the same. So. You know, the, the way that they prefer to have their devices set up and what the user’s expectation is of the workstation, when they receive it, you know, needs to be planned out a quarterly.

So when you send it to that remote worker, you don’t want them to be as productive, as fast as possible. Um, and we find a lot of synergy and, you know, the pre prep, pre imaging, um, even with cloud connected desktops and Azure ID and those things, you know, you want to go through. Prep on those devices too, before they go to the users.

And I think a national provider, a very difficult time executing.

Kelsey Sarff: I smell a future podcast coming there about prepping devices, [00:11:00] 30 minute discussion. So yes, we’ll like tuck that one in our pocket for a future one. Um, but let’s say that I am a customer. I have X number of employees. Is there a certain number of employees that when I’m interviewing an MSP?

I should say yes. You’re going to be a good fit or no, I’m either too big for you or you’re too big for me. Do you guys tend to come across that when talking to people.

Rob Cramer: You know, Kyle can speak a little bit to that probably more than I can as he’s in a lot of those pre-meetings. But, uh, if I look at the kind of customers that we have, um, we have a lot of customers from very small, um, you know, five, 10 users, um, all the way up to, you know, to several hundred users.

Um, so, so does that mean that that one size fits all? No, but, but there is a point I think you will find. Um, that you need to know the organization you’re partnering with has the backend infrastructure and capacity to handle, uh, the, the types of issues you’re going to [00:12:00] have. Um, did they have the training and stuff you need?

Um, a lot of the larger organizations will tend to get a little bit more complex. They may very well have, um, a more advanced environment. Uh, and, and if you’re working with an MSP, that’s a. Um, a little on the smaller side, they may not have the breadth of experience and knowledge that you’re looking for.

So, yeah, it is an important question to ask. Um, does that mean that one organization can’t service both? No, uh, as I said, we, we have many customers that kind of span the, the environment size. Would I want to take on a, you know, 10,000 user organization? I don’t think I’d be ready for that. You know, I, I think I’d have questioned whether or not we have the capacity to handle the number of calls and stuff, but, um, that doesn’t mean it’s not possible.

It really depends on the environment, and what their expectations are.

Kyle Etter: Yeah, I think it’s a no again, there is no one size fits all on this side of it. It’s how it’s the role the MSP provides, um, can be adjusted accordingly. Um, the smaller [00:13:00] organizations Rob said once you’re, you know, you’re typically less than, uh, you know, 50 full-time employees, you know, an MSP essentially could be your it department.

You know, they, they handle the onsite. They provide the remote help desk. They manage the systems, they do the upgrades, and they handle everything. As you start to get larger. Um, and definitely, uh, more than a hundred plus users, typically you start to see a need for an onsite. It person, somebody within the organization that is now a full-time employee, but the MSP is augmentative.

They handle projects, they handle, you know, keeping an eye on the systems. 24 7, they provide the management platform. That resource uses, um, as an augmentative side of it, but then that employee is more focused on the users, um, for the customer’s productivity, as well as their data, their systems, their line of business applications.

As you get bigger, those become complex. I know we might [00:14:00] talk a little bit about this. Let’s go through there is where it’s a struggle for an MSP is once you get into that internal line of business systems MSPs, we can’t go that deep into the organization side of it. It’s a more, you know, um, higher level.

It support for the functional. Now, the desktops and the patching and the health of the networks and the security of the systems and those things. But once you get into that data, you know, having somebody onsite who really understands that keeps the users okay. Comes very productive and most larger employees.

That’s where it really starts to, to be a need, but an MSP can provide a tremendous augmented. Consistent support that has, you know, for, for us, we’re 24 by seven. I know there are other MSPs around. So looking for those that you have somebody on glass, you know, around the clock that can, you know, give you a call.

If the system’s reporting offline, they can potentially take to make sure things are patched to give you the management platform to manage it. There’s a tremendous value in that. That [00:15:00] again, having somebody internally to try to build that themselves just takes them away from the core business, um, because the MSPs do a very, very good job of that.

It’s what they’re purpose built for.

Rob Cramer: Kyle’s point there, you know, we’re, we’re not going to know a lot of those line of business applications. However, for some of our customers who were kind of in that in-between category, they don’t have a local it person, but they have kind of a unique application.

Um, we proxy that we will call the vendor on their behalf. We’ll get the tickets set up and we’ll, we’ll work with the user to try and solve that problem. We don’t necessarily have that expertise, but. Broker the connection and help translate for you for the person on the technical side, uh, to the business side.

Uh, so, um, you know, we can act as kind of the intermediary for those calls as well. When we. Good point.

Kelsey Sarff: Perfect. I was going to say two things first. Can you give an example of some of those line of business applications, which ones are easier to practice proxy with? Which ones are maybe a red flag to be [00:16:00] like, Hey, you’re going to have to use their support.

Well, that’s kind of a grab bag, but just if somebody was like, how do I look at my applications and know whether this is going to be a problem child at work it’s…

Kyle Etter: fairly easy.

Um, a lot of those, you know, accounting for any of your counties. And so it kind of falls in the ERP side of it. Do you want it to get into those things? Um, I won’t name anyone by naming the ones. Um, and obviously some things that are custom-built side with it. Um, and even some of it is just the data workflow that some organizations have evolved into how they’re using, you know, your Word and Excel documents, their files share structure.

Companies have evolved over the decades of, of how they’re using just, you know, uh, unstructured data that just sits on a file share within it. Um, in very unique ways, ran into those things and they have very unique processes with all the print and share and execute a [00:17:00] workflow within their business side of it.

So, um, you know, it could be very far-reaching, uh, and for an MSP to walk in the door and just have, you know, Th there’s no magic sauce to just say, boom, we get it. We understand everything. There’s it, it takes, you know, it takes time and certainly to go deeper into those things. Again, we have to rely on the vendors or somebody onsite to champion those products so that we can make sure that the systems are operational and healthy, and available.

Up to the point of, then once it’s in the application, it gets much more complex, but that just requires a lot of collaboration and making sure that you’re talking, which I think circles back. I think the importance of the local, because you need that regular cadence and communication to keep everybody on the same page, just as you would, if they were internal, you need to make sure that the teams are talking, whether they’re external, not, you gotta have.

And [00:18:00] that’s definitely what we’ve seen over the years is just that they need to w when we’ve seen things start to become problematic between our services and the customer increasing the cadence between our managed team and the customers’ teams. Resolve those challenges, whether we go to a weekly call and then make sure things are quieted down because some system upgrade went through, there’s a spike in calls.

Users are upset. The customer comes upset and starts talking more or accuracy things start to get back on track. People are collaborating better, and then you start to move forward. So it’s not that much different than what you do internally between departments things aren’t working. You got to get people meeting.

To resolve things. And that’s, you got to look at your MSP, and that way it kind of extension to say they don’t have a crystal ball. They’re not going to feel walk in and see things under, you know, behind the curtain. So you gotta, you gotta get people talking.[00:19:00]

Rob Cramer: Uh, one of the things that came out of college that came to my mind was, um, uh, you know, we talked about the calls and the Cades and stuff with the customer, um, to be clear, it’s not always an IT person. We’re talking to the customer when, when we’re talking about those applications, that who’s, that point of contact is for the, for the, um, the line of business application.

Sometimes that is the. The accounting person, sometimes that is the office administrator, but they have the knowledge that local application that, that there is interface locally on-site for that support. Uh, when we’re, when we’re troubleshooting.

Kelsey Sarff: No, that all makes perfect sense. And I know it can be, right, a whole deep dark hole of it’s hard within 30 minutes to say, “Hey, here’s all of the things that you can look at.” But in that vein, if you had to really high level say I have a business, I’m looking at MSP. When would an MSP maybe not be the best fit and when should I maybe look to hire somebody internal

Rob Cramer: boy, that’s a tough question.

Um, [00:20:00] There are a lot of different things. I think that play into that. First of all, um, you know, what’s your technology environment like today? Um, is it fairly stable? Is it, um, is it functioning and providing the resources you need to do, your business moving forward? If it’s just kind of hanging on, buy, buy, buy, buy a shred of life.

And it’s kind of about to die. That may not be an indication you want an MSP, but rather just a technology part of it can come in and help you kind of bring some new life into that. Get it up to upgrade it, get it stable. Um, and then to maintain it going forward. You would want to look to an MSP, somebody who can help you, um, as you look to the future to make sure that things are again, patching it, that they’re healthy, that you’ve got, you know, good, uh, security in place.

Um, and then as new things come around and we understand your business, we should be able to work with you during things like quarterly business reviews to say. Here are some things you should be playing for. Did you know that Microsoft server 2012 R two [00:21:00] goes into life and in October of 2023, we should be planning an upgrade?

We should be looking to make sure that we’re staying ahead of this so that we can do it in a controlled manner and not get blindsided all of a sudden and have to scramble because that’s always going to put you in a bad situation. So, um, if you’re, if you’re in a good situation today, and you’re just looking for that, that help, that, that kind of, that, that security and that, that support to keep things.

It’s a great time to start talking to an MSP. Um, if you’ve got to look like an IT person and you go, you know what, this person’s going to be out for a period of time, they’re gonna take some vacation. They want it, they want it. Some, you know, they have a personal life too. They can’t always be available. I need somebody to help them to augment them.

That’s another great reason to look for an MSP. Um, you know, we’re not there to replace that IT person, we’re there to be their partner to be their henchmen, if you will to help them keep that environment working. If coming to an MSP and saying, Hey, my environment’s a complete mess.

I need somebody straight into that. Somebody who’s holistic. Like, like [00:22:00] we are, we can work with you. We can work with your environment. We can get you upgraded and then transition that into our maintenance and support and managed services. So there are a lot of different things that can play into that.

Um, is there one right time for every company now that you kind of gotta look at it and say, what are my needs? Uh, am I, am I growing to the point where I don’t know how to keep this functioning? I don’t know what the future holds. I need some, some advice then it’s probably a good time to talk.

Kyle Etter: Yeah. Yeah.

I think it’s very far-reaching, but I think Rob makes a very good point. What I’ve seen from customers. If, if, if they’re, if you’re looking at the MSP and you’re thinking it’s there, they’re going to go into that managed service contract is going to alleviate all your IP problems and you have a lot of it problems that are not going to be the fixed.

You know, Y you, you may have had somebody else managing the, it, whether it’s another managed service provider, or it was somebody internal or an independent contractor. If the IT budget wasn’t realistic if you were not [00:23:00] investing in the correct IT infrastructure. And that is the reason for the issues, just switching to another provider or bringing an MSP.

And there was not. That by itself, fix it. You’re going to have to, you know, allow for, and have strategic conversations to make sure that you’re investing in the IT infrastructure to make it work right. The customers that we work with. Uh, continuing to invest in drive the most value out of it. Invest in there.

It, it, it, it is not inexpensive. It’s not something that needs to be managed for the least cost possible. That has never been a successful model. I’ve done this for over 30 years. The customers with the least cost is never proven successful. I’ve never seen it. Um, why there can be some costs. Benefits of the MSP side of it.

Again, we mentioned some of those on providing the platform, providing the augmentation, providing those things. That’s just working smarter and using, you know, people in their right [00:24:00] seats to drive the most value out of your IT spend. And, you know, it can definitely be done in those customers that we engage with that do that, you know, there’s tremendous synergy and they really drive their it systems and we see them actually produce better results for their customers in that.

The end goal, you know, and that works. It looks tremendous side of it. So, you know, take a close look. My advice is to make sure you have a realistic budget for this.

Rob Cramer: Technology is a tool it’s a tool to use in your business to help your business, to move forward, and to service your customers. And just like any tool, you gotta take care of it.

If you don’t take care of the tool, it’s going to fail you when you need it. The most.

Kelsey Sarff: No, that makes perfect sense. Right? There are all of these tools, all of these options, and just kind of wrapping it up for today’s discussion, because I feel like we could probably turn this into a whole series of, I could go on so many changes.

It’s about all of these things, but let’s say that I am looking at somebody and I’m looking at their tool set, and I’m looking at all of the in-house services beyond, right. You go to the MSP website and they’re like, we can do printing and we can do [00:25:00] all of this and your brain goes, do I need all of that? And again, I’m sure it’s custom to the customer, but is there something that if you were looking at the checklist and you were being like, okay, what are some of the kind of differentiators between MSPs that are maybe red flags or things that you’re like a pro tip?

That’s a great thing to have.

Rob Cramer: I think in, in this, um, in this current, uh, environment that we all live in, um, uh, any provider that you’ve partnered with, any MSP that you look at, uh, really should have a strong security focus. You want somebody who’s going to be looking out for your environment to make sure that we’re doing the right things, to keep you as secure as possible.

Um, that, so their tools should reflect that. So if they’re not using, um, current tools, things like an in-point detection response, or what’s called EDR. Um, you know, traditional antivirus is fine, but EDR is really, um, you know, uh, an important factor for securing those endpoints. Um, and again, it’s really the recommendation that, that I would expect most MSPs to be making to their customers today.

So [00:26:00] looking for a customer for an MSP company that has a strong focus on keeping your environment secure, as well as being able to support you, um, around the clock when your business needs it. Uh, I think those are some of the key factors that you should be doing.

Kyle Etter: Yeah. I, I think having the managed service provider, having security trained personnel on staff is also, you know, in 2022 and incredibly important.

Um, you know, just because nobody has a good us security incident, free card, it seems there’s a lot of things that come through there and having, you know, experts to go through those things. And. I think it’s an important point. Not all MSPs are equal. I know when you see the proposals that look very static, we all present very similar things in a little different manner, but it can be confusing, you know, ask about how the.

Oh, they secure their systems. Ask how their staff handle these after hours? How do they handle a [00:27:00] security incident? If it were to occur, what would they do? Um, you know, I vet those out. Um, if, if they’re too small for your needs side of it, you’re going to find a pretty large gap there.

And that’s going to be, you know, strenuous on, uh, in a critical situation to make it worse. You know, and ask how they approach the IT budgeting side of it. As another thing, as we just talked about that side of it, do they help with having realistic budgets that are strategic and aligned with the business?

So you have predictive spend as much as possible with this. That brings in the security, uh, and investment sides of those and the operational budget and just the overall support of the systems. How do they account for it? How do they do it? And then how do they secure the systems? Because MSPs, in this side of it, we all know that we’re under, you know, under the scope of the, of the, of the threat actors to come after, because there’s, you know, we have access to system sides of that.

So [00:28:00] if your MSP is not. You know, you’re opening yourself up for an issue there as well. So just stuff that you want to definitely ask to make sure that they have things covered. Um, we’re a SOC two type two. We went through that certification. We invest in a tremendous amount of tools, sides of those.

The EDR Rob mentioned is, you know, definitely one thing we, we rolled in early last year side of that, into the platform side of it, because you need to keep evolving these. It’s well beyond just patching and the ability to remote control and 22 is what you want your MSP to be.

Rob Cramer: That sounds like it routes up really well. I’ve not got a lot more to say on that topic.

Kelsey Sarff: Like, and that’s the cherry on top, and no, as I’ve mentioned on this one, I feel like we could talk with both of you and multiple different series. I’m hoping that this sparks good questions for people where people are like, “what did you mean by that?”

And that we can turn it into a whole other series, but thank you both for [00:29:00] sitting down today, what is an MSP? All for good things, but how do people get in contact with us, if they do have those questions, they can. It’s info@cit-net.com or they can head on out to our podcast page, which is cit-net.com/podcast.

There’s a form on there. You can send us an email, or call us. These guys love to talk. If you haven’t caught on by now five episodes. And we’re like, yeah, we can talk all the time. We just keep ourselves on a timer for these. So we’re going to be back next week with another episode, but thank you both so much for joining another tech for business podcast.

Technology For Business Podcast Season 1 Episode 4: Budgeting Migrating to the Cloud

Join Kyle and Jake as they kick off our first budgeting discussion by discussing budgeting migrating to the cloud. They’ll talk at a high level about understanding your current technology environment, designing a future cloud environment, and setting up a migration timeline.

Listen now

Have a question for Kyle or Jake? Email info@cit-net.com.

Technology For Business Podcast Season 1 Episode 2: Technology planning for SMBs

Join Todd and Scott as they answer the question “How can the small/medium business better align their business goals with the technology solutions and what is required to support those goals?

Want to connect with our speakers? Email info@cit-net.com or call 651.255.5780.

Technology For Business Podcast Season 1 Episode 1: Multi-Factor Authentication (MFA): The basics and why does my business need it?

Join Todd Sorg (COO and CISO) and Nate Schmitt (Director of Cybersecurity) from CIT as they chat about all things MFA. Whether it’s examples of MFA/2FA or addressing employee concerns when implementing MFA they’ve got advice for your small to medium-sized business.

Want to connect with our speakers? Email info@cit-net.com or call 651.255.5780.

Listen now


00:00:01 Kelsey Welcome to the first CIT tech for business podcasts. Today we’re sitting down with Nate and Todd and we’re going to talk about multi factor authentication, our first acronym, we’re kicking off strong MFA leading in you guys. First off, let us a little bit about you and what is MFA

00:00:18 Todd Thanks, Kelsey, I am Todd. I am Cit’s chief operations officer. I am also our chief Information Security Officer. I’ll let Nate introduce himself and he can kick off the MFA overview as well. 

00:00:31 Nate Yeah, and my name is Nate. I’m our director of cyber security here at CIT. Just help oversee the operational components of our department.

So multi-factor authentication, also known as two factor authentication, is really the core is basically another form of authentication and there’s multiple variants to this, but essentially it’s a mix of something that you have something you know and something that you are and as long as you have two of the three of those to log into a system that’s what multi factor or two factor authentication is. 

00:01:13 Nate 

So what does that look like for something that you know is something likely going to be like a password or something like a PIN code? 

Then there’s something that you are. That’s something that’s going to be like biometrics. So for example, in order to log into some computers, you need to touch your fingerprint or you know you see things on you know some of those crime shows where they’re doing the iris scanning to get into the secure facilities. That’s something that you are. 

Then there’s something that you have, and this is where this is most common in business.  Uhm, due to you know, privacy concerns with the biometrics and everything, but something you have is something that’s going to look like either your cell phone and, you know, in order to do like a push notification to it, it’s going to be something that could be a USB that you have to plug in. 

So I have in front of me. A hardware token that, in order to log in after I put in my password, I plug this into my computer.  I touch it and it just activates and sends off another code, so that’s another form. Then they even have ones, I have another little hardware token in front of me which looks like a little credit card. This is something where it has little battery in it. I click on it, it generates A6 digit code and then from there I enter in that code as well. 

So I put in both my password and a code from something that is in my possession, so that’s what multi-factor is in general. 

00:02:51 Nate 

Where is it used is a whole different discussion, and I’ll let Todd take that over. 

00:02:58 Todd 

But I wanted to back up just to hear before we went too far where we use it. 

It’s been around for for decades.  It’s not a new technology.

People have been using it for banking where you get a text message. Or something along those lines, and that’s typically referred to as 2FA, but the reason why? 

What reason why I interrupted Nate is I just kind of wanted to kind of back up and say why do we use it, right? And the biggest reason that typically comes up and everybody that’s here can kind of expand on it. But what ends up happening is that people typically have issues with passwords. 

Passwords are painful, they’re difficult to remember, so people tend to make them easy to remember, and that’s, you know, your phone number, your childhood best friend, whatever it is your pet and what makes matters worse is that people then use that password everywhere. And if you’re looking at social media or LinkedIn, your work, your work, email and accounts, etc.  More often than not, most people tend to reuse it over and over and over. 

00:03:52 Todd 

Again, inherently what ends up happening is if something ever happens and it could be anything from if you’re in the Twin Cities, there was a Star Tribune hack, there was also a hack that happened on the the meters downtown Minneapolis where they were able to take account names and passwords and post that on through what’s referred to the dark web, and once that’s been out there, if you’ve ever had that information harvested from you, it’s now out in the wild.

So how do you protect it? 

That’s where multi factor comes in. 

So I just wanted to make sure we covered that piece real briefly, so we’ve got that whole picture of what it is, where it came from, why we’re worried about? 

But the answer is, passwords are bad. People hate them, and we could get into that a little bit later on. You know, what can we do about it?  Can we rely more on biometrics at some point in the future? But it’s a little bit off topic of where we’re at at the moment. 

Uhm, where most people will try to implement a multi-factor authentication tool set.  Is anything that’s quote-on-quote “Internet facing” more often than not, one of the larger threats that we’re seeing in our business, and this has been true for for years we’ve we’ve been kind of banging the drum on multi factor for about five years at least. And that’s how I bet that’s the idea. So you could kind of see a correlation there, but email is probably the biggest, so Microsoft has done a really nice job of pushing everybody in the cloud. Google is doing the same. They’re huge providers. 

Once people move their email to the cloud, some of the inherent security that was in having email inside an organization started to be exposed to the Internet. 

And typically most people were signing in with the email address. Which is more often than not, first name, last name, first letter, last name or vice versa, and and then at the company, so that part is super easy to figure out and then you just start going down the list, right? It’s winter, 2022 exclamation point and so on. Then I’m in. 

So in order to protect that that’s where multi factor is coming along. 

00:05:47 Nate 

Yeah, a quick stat that comes to mind. So this was all the way back in 2019, but Microsoft did push out an article, and I’m sure that the numbers have only increased since then, just given the nature that people continue to move to the cloud. But back in 2019 Microsoft put out an article that said their login services for this or their cloud services have attempted logins over 300,000,000 times a day that were fraudulent, and so the article is saying if you implement multi-factor authentication on the accounts it reduces the risk of account compromise by 99.9% right it it’s. 

Everyone, there’s a couple different attacks that people are going to take to try and get to your account fishing. You know, we’ve talked about fishing here at CIT many, many times, but fishing for those that don’t have the full understanding on (phishing) that is an attacker will send you a fraudulent email attempt to elicit your username and password, and then they’ll use that to then log into your account so it’s a fraudulent way of capturing your credential. 

That’s one method, one of the other common methods which for example Todd had mentioned is password reuse. 

If you’re compromising one account, you reuse the same password and it’s leaked out on the dark web you take that and go attempt to log into other services with that and then the last one is just what they call password spraying so you just or password stuffing. You just attempt to push as many passwords as possible for a particular user until one is successful, right, and by having the multi factor, all of those methods are defeated. 

Uhm, there is some considerations to take into play at which we can get into a little bit later too, but, for the majority, if you just implement multi-factor, you reduce about 99.9% of all attempts to log into the system fraudulently. 

00:07:54 Todd 

But you kind of mentioned that already about the statistics. Do you have a rough idea of what number of attacks are coming from email so we can use our own examples of what we’re seeing most of our customers suffer? Does it typically end up being in the the world of cyber security? They refer to it as business email compromise. 

Do you have a sense on how many attacks we see coming in through email specifically? 

00:08:22 Nate 

Even if we take a look at CIT systems, if I pull up any given day, there’s hundreds of them, right? It’s it’s just the simple fact of the password.  Spraying is real, right? Everyone has our email addresses. It’s entered in someone’s database dump, right? Because for example, if we continue to push on things like the Star Tribune or the Minneapolis, the parking that was compromised, right? And they had the email addresses. If you have ever used your work account for that it’s floating out there. t’s on a list. People are just going to attempt it with all the common passwords. There’s some big password lists out there that are known to be highly effective because people tend to just pick bad passwords across the board so, yeah..

…it’s hundreds of times a day for any organization, even if you’re small. 

00:09:18 Todd 

Yeah, yeah, I think that’s great. It’s a great key.

Once Upon a time we were used to talk about organization sites and people used to say hey, I’m way too small to be attacked and and that really isn’t the case anymore. 

Statistically, it’s something along the lines of 5660% of all attacks happen against small businesses, and the reason is because it’s easy, they don’t always have the wherewithal, the technical, technical ability to understand what they should be doing, and so on and so forth so the attacks are real and it does impact everybody. 

I’m sure people see it even happening at home. I get stuff from PayPal and Apple and you name it, I get attacked all the time that I need to click on something or reset something all the time. Uhm, staying on statistics. The reason why I ask Nate about the percent of attacks is I think it’s still somewhere in the high 90s of all attacks that are coming in tend to be fishing and that’s somewhere in the high 90s. 

And as he mentioned, if you can protect correct services and your identity with 99.9%. I mean that’s significant, right? And and the number one tool being MFA. 

There are some statistics we can share this out to, you know, you probably for those that are listening, won’t be able to see this, but we can share it in the channel. And if you’re interested, we can find ways to get you the information as well, but there was the United National Cyber Security chief said that 80 to 90% of all attacks, not just email. All attacks can be circumvented by having multi-factor in. So how we started out? This meeting is what is, but what’s the threat and what are you doing about it? 

Ultimately, that’s why we keep talking about multi-factor authentication. One last statistic, in case you’re wondering, well, sure this has been something we’ve talked about for years. We’ve got it statistically, there was 55% of all organizations have multi-factor enabled only 55% so only half and even in those cases a lot of times people are. Very picky and choosy on how they do it, so they may only do it with their tech team. Or they may only do it with their administrators and so small number of organizations. I shouldn’t say small ’cause half US is a significant number…

…but half (of businesses) still don’t have it, so it’s a major problem and it is still where we see most attacks coming from and can be circumvented by putting multi factor in place. 

00:11:31 Tara

So Todd, maybe I have a question about that – You mentioned that there’s over half organizations that don’t have that. Why do you think that is? What barriers are they looking at (in order) to be like I I don’t have time to do MFA talk a little bit more as to why that’s the case. 

00:11:50 Nate 

I think that right your question answered one of them. They don’t see that they have time to implement it, right is. Often these are slightly lengthier engagements. You know, it doesn’t need to be complicated, but the more time you put into ensuring that it’s a smooth process, the smoother the adoption is going to be.It’s easy to just to go into a system and say everyone has it on. 

That’s where your user friction is going to come into play, and absolutely everyone is going to be upset that day as they are trying to sign into things. 

So user adoption is. One of those items that you need to be pretty cognizant of when you’re implementing it. There’s also some additional strategies that you need to take in order to actually implement it successfully. 

So for example, if the user friction is, “I don’t want to put this code in every single time I’m logging in.”

You can do things to say well, maybe let’s bypass multi-factor from within the office right there is. (There is) some residual risk there that maybe the organization is willing to accept because, for the most part, if someone does have the password and they are attempting to log in, it will likely come from outside of the office. That doesn’t mean that maybe that user’s computer is compromised and there’s a some type of script that calls in from internally, but again, the likelihood is significantly. 

So if your employees are constantly working from the office, you could still bypass multi-factor. 

The larger you put that bypass you know, maybe it’s the the state the the country, right? The bigger the risk becomes, but there are strategies that you can implement without. 

I’d say the other (user friction) one is cost.

there’s a lot of different multi factor solutions out on the market, so if you’re only looking at doing something like email, all of the major email providers now are implementing it or offering it for free, right? You can implement it in Office 365 G suite. There’s no additional cost. 

If you’re looking to use some type of third party service. Then you’re going to start seeing those licensing costs for you know more of a per user cost there. The the other component that I would say is – how far do you want to implement multi-factor across the organization, right? 

You know Todd mentioned that the most common one that’s going to be abused is going to be your email system, so start there. Then you can start looking at other services as well, such as your VPN critical business applications. Once you start wanting to implement multi-factor on those additional systems, that’s where some of the paid services come into play, because they do extend out to additional services and different protocols. User friction cost. 

I think the other big (user friction) one that I’ll let Todd maybe expand on a little bit more is executive buy in. 

Yeah I I would say the two things that I would say by far are the biggest thing that I see as resistance is more often than not when you go through it you are going to put a little bit of friction in between your employees and and them getting work done. 

00:15:21 Todd 

Uhm, the typical pushback that you will get back from that employee is (action description – I’m holding up my phone This is my phone.) The company doesn’t pay for it. I am not putting your business application on my phone. 

The reality is, there are ways to start to build up the the adoption right? So you can be a little forceful with it and you say, OK, great, well we’re just going to give you a token. We’re going to give you a business phone and bear with me when I walk through some of this because I’m not actually encouraging you to go out and buy 100 phones. But when you start to go hey employee, I’m going to give you 2. I’m going to give you a phone and they’ve got their own person. 

They’re going to think, “I don’t want two phones just to avoid putting in the six digit code”, and they’ll usually adopt it. Or you give them a token and they’re like, “This is inconvenient. I have to make sure I have it with me when I’m logging in from home. I gotta go grab my keys ’cause it’s on my keychain.” Whatever the case may be, that’s usually where they’re kind of pushing back and then inevitably what ends up happening is you go OK, well, here’s a solution, here’s a solution, here’s a solution (action descriptionholding up fingers to count all three items).

They’re (the user is) like, “The reality is, it’s it’s so convenient to just have it on my phone that I carry with me everywhere anyway. I’ll just go ahead and do it and the reality is, it’s not really all that complex.”

It’s not a heavyweight thing, it’s not dipping into any of your personal information. It’s just an app and it’s only doing a couple of things. It’s either generating A6 digit code or longer or it’s pushing you with content that says is this you.

When it comes to Executive adoption (the thought is that) it is inconvenient. 

A lot of people don’t want to be bothered. I’ll give a good example. And as I said, multi-factor’s been around for ages. Back many, many years ago in the early 2000s I had joined in organization and the very first thing I did was (our remote connections is really insecure.) (say) “Let’s implement multi-factor”, and I implemented it. It probably lasted about a month before the CEO said, ” I can’t stand it. Turn it off.” uhm now? 

The security threats weren’t nearly what they are today, but I learned a lot during that time too, so one of those strategies, or several of the strategies Nate covered already is you start small

It starts (with) going well, let’s start with a small group that are my power users. Maybe that’s it and then you get a few other people that go OK. It’s working. It really isn’t that bad and you start to expand it or you. Less than some of the security requirements, as Nate said, you can make an area trusted it’s work, work as trusted I’ve got the adoption in. People are getting used to the fact that when I’m at work I don’t get prompted when I’m at home. I do OK. It’s not a big deal and then you go OK, we’re going to ratchet it up a little bit. We’re going to add another location. We’re going to add another application. We’re going to whatever, and so you can continue to build on the security and you can get that buy in just naturally. 

You know, probably many people have heard the term, and I don’t mean this in a derogatory way is, It’s a bit of a boiled frog scenario as as you start to do what they realize you know really isn’t that bad. Not that we’re trying to boil our employees, but you know conceptually is you just do it a little bit at a time and you’re improving your security as you go. 

00:18:23 Nate 

So one last user friction that I I wanted to call out that’s not as common, but it does come up from time to time is Union policies.

So if you want to have an employee start downloading an application on their phone or start carrying around, you know, a phone just for phone calls and stuff. Sometimes Union policies will say, well, you need to start reimbursing the employees for that. There is a cost associated with that, and so that definitely feeds into some of the other considerations.

That’s sometimes where hardware tokens come into play. You know it’s maybe a $20 hardware token, right, or that’s one time cost.  It’s not reoccurring, so you can still implement multi-factor without having to, you know, start reimbursing for cell phones or paying for the phones outright. 

It’s one that I don’t commonly hear, but on more of the the production environments you know, and I I’m not going to get deep into compliance here, but things like CMMC, right? It’s starting to ask for multi factor.  CMMC tends to be a lot of the manufacturing firms where there’s a lot of union employees so. 

00:19:40 Todd 

Yeah, I’ll expand on the compliance piece too. I mean, there’s a lot coming up. If you’re in any compliance industry, health care, finance, you name it. As Nate mentioned, manufacturing, it’s going to be something that you’re probably already experiencing. As I mentioned, you know you’ve been being prompted for an additional code from your bank for days for weeks, months, years, whatever the case may be, it is coming in. 

This is just me expanding a little bit, in my opinion…

…Compliance is coming and it’s going to be expanding over the next five years, so there are going to be reasons why you’re going to have to adopt something like this. 

So if the threat of cyber attacks isn’t enough, there are going to be other things, and you can already see it’s happening. So This is why I’m saying it. 

If you look over the last year, the Biden administration had come out and said the cyber attacks are getting worse and worse. We’re spending tons of money. We’re constantly under attack. What are we going to do about it? They built out an executive order and they specifically say you’ve got to have MFA, if that’s not enough, the insurance companies are doing it too. 

So if you’re looking at cyber security insurance and almost everybody is asking for it at this point. Uhm, they’re going to be looking forward as well. Uh, as I’m going down this compliance thing, I’ll wrap this up briefly and I’ll pass it back to Nate. But as you’re looking at the compliance thing, I was actually working with one of our customers and they were going through the insurance process and they don’t have any of the compliance from CMC Healthcare. Any of that. But the insurance organization had come in and they did what I would consider pretty much a full IT audit where they were looking at data diagrams. They’re looking at security protocols. I mean, it was everything, so I actually went on site and met with the insurance adjuster just to make sure that we covered all of the information. That we needed to cover and it was significant. It took an hour and obviously MFA is included in that. 

It’s kind of the way life insurance used to be where with life insurance you could just sign on the dotted line (and) off you went. You got a whole bunch of coverage and that’s changed over the years to whereas the underwriting is going (to say) now I need blood work and I need to wait. You and I need health background and family history and yadda yadda. 

It’s just gonna get worse, and where I was going with it… and like I said, I was going to wrap that up quickly and I didn’t, so I’ll stop talking and pass it back to Nate. 

00:22:02 Kelsey 

Yeah, can I interrupt for just just a hot second, as we’ve kind of gone down the compliance path and all of these good things. Kind of looking back at if you’re having user friction and you’re having people there, like, “I don’t want to do it. I don’t have this code pushed to my phone. It’s too much work.” Why is it effective at actually preventing? These attacks, what is it doing for me?

I’m like yeah I get it, I get the phone, I put it (the code or push notification) in and congratulations. So we’re saying yeah, it’s 99, or over 99% effective? Why? 

00:22:30 Nate 

Yeah, a good question there. Before I jump into that. While Todd was talking, I decided to go look at our system here just to see how many of that password spraying attempt I saw in our system in the last 24 hours. It was just shy of 200 attempts, right? I can see the logs, so again, we’re not a big company by any means. It happens all the time, so. 

Why is it (MFA) so effective, right?

So if I just called out, there’s nearly 200 attempts in the last 24 hours to password spray our environment there. The reason why it (MFA) is so effective is, even if a password is compromised the threat actor is not going to have the other form of multi-factor, or the the other form the second form, or the third form of multi factor. 

In order to get into the system so password I’ve showed this to people before is, I say here’s a dummy account in, like a Gmail or something, right? Here’s the password. I’ll give you 100 bucks if you can get into that, because I have the multi-factor keys here. It just doesn’t happen. I’ve never paid someone out, because they would have to retrieve that file from me or that hardware token from me in order to get into place.

So, where we typically see multi-factor fail is not the the technology in itself. 

It’s still the user. 

So there are websites that will try and capture the multi-factor token and pass it through to the legitimate site and then redirect the user so they’ll still log in, but it’s the user who has fallen for a fraudulent website, still entered in their password and given up the multi-factor code gave it both of them to the attacker. Then the attacker just goes logs in and you know there is a timing on these tokens where maybe they’re good for five minutes. Maybe they’re good for 15 minutes. It allows for users to have a grace period to access their phones sitting on the desk access the email, access the text message so if you give it up right away, and then you hand it over. Is someone immediately? They’re going to use it first, right? 

I I just worked with another organization where their multi-factor was a phone call, right? 

So this is actually a pretty common attack method at the moment it’s called. MFA bombing.

So what you do is you just bug the user enough until they just say “I can’t take it anymore”, accept the phone call, and that was the phone call that was the MFA prompt and the attacker just logs in, right?  

So in the instance that I was looking at with that other customer, it was attacker tried to log in, was prompted with a 6 digit code. They weren’t able to get that, so then they switched over to the backup which is a phone call. Sent the user a phone call. It failed because the user didn’t accept it. 30 seconds later sent another one. It failed. Sent the next one. The user said “I’m sick of this call” accept, and the attacker logged in, so yeah. 

00:25:47 Todd 

Another one I’ll throw in. We don’t see this as often in the endpoint of this is you still need training when you deploy the tool, but we have seen people that have deployed the push technology so that is when you log in and you get a push to your phone that says was this really you? You know we have had people that have been attacked where someone was like, “yeah, I just logged in” and they’ve allowed the attacker in even though they didn’t personally sign in. So there is kind of a training aspect that goes with it. 

Uhm, one last thing that I kind of wanted to dive into – I know we talked about the threats and the attacks and whatnot, but as we’re wrapping this up I just kind of wanted to kind of re illustrate some of the real concerns and and ultimately I we talked about compliance. We talked about the threats we talked about all of that stuff. The reality is the reason behind that is because of the cost, and the cost is built up from a lot of different things. 

From the ransomware, if you get attacked from ransomware, ransomware more often than not they started nowadays. They started around $1,000,000 and they start to get talked down to something real. It includes downtime, it includes unproductive employees, etc. Statistically, the last time I looked at it we were somewhere on average, so that’s average across all SMB market, not you’re a bigger company. You get bigger ransomware, etc. It’s about $500,000 down time, about two weeks, so that’s fairly significant, and if I can deploy something like MFA and protect 90% to 99.9. It’s something you really gotta start to consider and go, “boy, I can reduce my risk by $500,000 in a given year. 

That’s probably (worth it for) something that’s little bit of friction, a little bit of build up. We can find a way to move forward. It’s a good way to start looking at it and thinking about it and go where do we go from here? 

00:27:33 Nate 

Yeah, and the one thing that I’d add to that is the cost is going to be dependent on the the application or system that the threat actor is obtaining access to, right so? So Todd was mentioning ransomware that could have been multi-factor on a VPN for example, right, someone had a compromised password, attacker gets into the VPN. Most companies don’t have a dedicated demilitarized or DMZ zone for VPN users, they just say once you pass through, you have full access to the network. 

That’s where those ransomware costs are going to come into play. 

It could be something like your email system, right? Someone in there just obtaining data. Maybe it’s a fraudulent wire transfer that they’re trying to set up, whatever that number is it could be 10,000, I’ve dealt with the ones that are $500,000 wire transfers, right? 

It’s just a matter of; What are they accessing? What are the costs? and whatever…

…the ransomware remediation costs are I promise that it’s far more than the cost of implementing multi-factor at the end of the day.

00:28:39 Todd 

Yeah, so so kind of as a last thought from me (and Nate can jump in on this too If he’s got any) but the last thing I have is we did talk about, sometimes there’s friction, sometimes there’s a technical hurdle, if you will, beause there are ways to go about it, there’s paid solutions etc. Obviously if you need help, reach out to your trusted partners. There’s a lot of help out there or there course you can go do your Google searches as well. 

So in the end when you need help, reach out. Reach out to those (technology partners) that you trust and you can get some good support from. 

00:29:07 Nate 

Yeah, I I guess my final closing thought is:

Everyone scared of user friction, but in almost every case, it ends up being more of a concern that doesn’t always come to fruition, right, is that the impact is actually fairly minimal if you implement it correctly. So, a lot of those concerns are unfortunately, just not fully grounded based on facts, right? Just feelings. 

00:29:41 Kelsey 

Awesome, thank you so much Todd and Nate for sitting down and chatting about MFA and all of the things that we could go into it. I’m sure that you guys would love to chat with anybody for an extended period of time about any of this that we could tangent on a lot of things. But that wraps up our first Tech for Business podcast here today. 

If you guys have more questions that you want to ask feel free to reach out to info@cit.net.com or give us a call 651.255.5780 or we’re also online at www.cit.net.com/podcast, but that’s our little marketing spiel on there that. 

We’re here to answer your questions anytime about any cyber security needs or technology for business, and we will chat with you guys next week.