Technology for Business Podcast – Maturity Model

Myths include: This week Tara sat down with Todd and Scott to chat more about the Maturity Model (and their favorite vinyl).

Listen in to learn more about:

  • How do you define the Maturity Model?
  • Who should consider Maturity Models?
  • Is there more than 1 application for the MM?
  • How does this apply to technology?
  • How can organizations benefit?
  • How do we use it to drive technology/business alignment/Compliance?

Have a question for Todd or Scott? Email

Listen now

Episode Transcription


Tara Klocke: [00:00:00] Welcome today to CIT’s tech for business podcast. Today, we are sitting down with Todd and Scott, and we’re going to discuss the maturity model. I wanna kick it off for both of you guys. First, make a lovely introduction. Secondly, tell me your favorite record that you have on vinyl.

Todd Sorg: Go ahead. Okay. Um, I am Todd Sorg.

I am CIT’s chief operations officer. I am also the chief information security officer, uh, favorite vinyl record. Uh, I’m gonna break the rules and I’m gonna make it two. So, um, I’m gonna start with my, my very first personally owned vinyl was kissed double platinum. Bought that with my own money, just a young kid loved it.

Fantastic. Played the crap out of it. And then, uh, in my teen years, I’d have to say it was probably guns and roses, appetite for destruction.

Scott Patsy: Great choices. I [00:01:00] have both those on vinyl currently. Um, my name is Scott Patsy. I am the manager of strategic engagement here at CIT. Uh, thank you, Tara, for putting this together.

These are really fun. My, um, You can’t ask me about music, cuz we could spend an hour just talking about that. And I can’t really answer this question, um, without saying that my favorites continue to evolve and change all the time. And so right now in this moment I also have two favorites. Um, I just got a five, um, final five LP, uh, grateful dead collection from.

Cornell 1977. Now Cornell 1977 is a sought after a very renowned live show from the dead. You can go very deep down the rabbit hole. That is the grateful dead. And so Cornell 1977 for me. Uh, and then I’m gonna pick on something very new that I really like. And I just bought on vinyl also. Um, [00:02:00] the debut self-titled release spot from a band of sisters called wet leg.

Really great. Um, modern. Rock, uh, I, I highly recommend it.

Tara Klocke: Well, I didn’t know I was going to stump you to and make you make this hard decision, but how about we get to something that I know you two know a lot about, which is the maturity model. So tell me how you guys would, would define this. What does that look like?

Scott Patsy: Yeah, I can, uh, I’ll jump in here, Todd, the, the, um, when I think about the maturity model from, you know, I’ll, I’ll, I’ll, uh, I’ll I’ll disassociate that, um, with, from technology specifically in this moment and just define the maturity model as being a measurement. The ability of an organization for continuous improvement in a particular discipline.

Um, so what the maturity model ultimately does is judge how a company or a [00:03:00] system is at improving itself from a given state allowing leadership to observe the company’s current maturity level based on industry PR industry practice, um, of the current discipline under. Tyler. I don’t know if you had anything to add to.

Todd Sorg: Yeah. I mean, I think that’s pretty spot on, I guess the, the comments that I’d add to it is maturity models are really just that. I mean, at some point you’re trying to measure where you’re at today, where you’re going. And obviously in most cases, if you use the analogy of you can’t eat an elephant in one bite, there are steps that typically go with it.

And that’s essentially the concept of the maturity model is I’m here. I wanna. There as I continue to grow. And, um, how do you do that? And the maturity model is kind of giving you that formal process of putting it together and helping you move forward.

Scott Patsy: Yeah, I, I would, I would even supplement that to add on to the ultimate part of the ultimate goal being, um, not [00:04:00] only to realize for a company to realize its current maturity, this is where we’re at today, based on whatever we’re trying to analyze in the best practice associated with that, um, measured best practice that is we’re not making it up.

Right. Um, But, uh, and, and then ultimately what the next level is to get to what the goal is. But a quality maturity model process should also help you identify or help a company identify two other really important details. And that is, you know, okay, what are the steps to take for us to get to level two or level three, you know?

Um, and then ultimately determining what the financial or human resources it will take to, to make that move.

Tara Klocke: Okay. So I have another question for both of you then, who should really consider applying maturity models into their organization?

Scott Patsy: I would say, um, any [00:05:00] organization that is looking to improve upon itself in any way, it doesn’t have to be technology, right.

Um, any organization can improve how. Choose to hire people, um, you know, how they onboard new employees, um, how they adapt processes, how they adapt policy, you can really apply this to any size business in any place inside of your organization where you’re looking to improve. You know, I, I don’t know that there’s another way to say it it’s, it doesn’t apply just to one, you know, you don’t have to have 50 employees or whatever.

Todd Sorg: Yeah, I’d agree. I mean, uh, essentially what it is is it’s, like I said, it’s kind of a formal process that helps organizations kind of improve. And, um, even organizations, there’s a, there’s a local brewery in town in Minnesota here. That’s got a saying that says they have big ambitions to big, ambitious to stay small.

Um, and while that sounds like, Hey, we’re not really trying to do [00:06:00] a lot. We’re not trying to, to be one of the biggest. Uh, manufacturers of beer and distribution of it. That doesn’t mean that they’re not trying to continue to improve who they are, make better beer, be it more efficient, deliver what their customers are looking for.

And the maturity models will apply to somebody as small as this really, really small micro brewery or somebody as big as a 500 plus organization. Yeah, kind of that’s

Scott Patsy: I really like that. What was that statement again?

Todd Sorg: they have big ambitions, big ambitions to stay

Scott Patsy: small. That’s great. I really like that.

Tara Klocke: Well, and that kind of brings into my next question. So regardless of your size, is there like one way in particular that you go about applying this maturity?

Scott Patsy: There are, um, within the maturity model concept, there are, there are lots of standards over time that have been. Developed. Um, and if you do some research, you know, [00:07:00] Googling , um, there are a number that have, that have, have been, you know, put together already, um, that an organization could attach itself to, to kind of help this process along.

And that’s kind of in part what I would certainly encourage, you know, don’t, don’t make it up. Um, look within the discipline. In which you are trying to improve and see if there’s a maturity model, you know, out there that, um, that you can, that you can utilize. There are, you know, we can get into some very specifics here within the technology, uh, discipline or how they apply it to technology.

But, um, just know that, you know, within, um, lots of different industries and lots of different disciplines, there are, there are already some very well built. Maturity models.

Todd Sorg: Yeah, I was gonna expand on that a little bit too. So there isn’t just a single maturity model that’s out there. So, [00:08:00] um, we’ll dig into a little bit of ’em today, but you know, it’s just kind of giving you high level stuff.

Um, there are many organizations that already implement those. So for example, there are project management, maturity models that are out there. Um, there are technology ones, a lot of people are probably familiar with CMMI, um, they’re cybersecurity maturity models. So you can get into ones that are basic for finance and so forth.

So there’s a lot of ’em. They do apply. And like I said, at the beginning, the intent of this is really trying to find ways to help organizations continue to mature out. Um, so

Scott Patsy: go ahead. No, I would, I didn’t mean to step on, I would even say, you know, something that people are really. Most people are, are, are probably pretty familiar with, or at least I’ve heard of as, as like an ISL standard, you know, within manufacturing, very similar, right?

That’s a very well known, pretty global standard for how a manufacturing organization matures its process. Right? And, and, and the, and the big benefit in that world is if your ISO, you know, [00:09:00] act certified. Um, that means there are certain criteria that you’ve met that ultimately. Your customer is looking for you to have accomplished.

And so that’s one giant benefit in that scenario is if you’ve met the criteria in a particular standard, you can do business with a particular customer or a customer will even come to you specifically, based on the fact that you have met that ISO standard, you meet that criteria. You have matured as an organization to such agree that you’ve been awarded that standardization.

Todd Sorg: Yeah, I’ll expand on that a little bit too. So, so prior to, to joining CIT, as you know, we’re all, we’re all CT CIT and it up here. Um, I used to work for a manufacturer and, and one of the questions that you kind of ask is why do you go through a process like this? And, and I kind of mentioned it’s because you wanna continue to improve as organizations, but there are a lot of other reasons for it too.

Scott just touched on, we can [00:10:00] get more revenue because of it. We can land projects, we can separate ourselves from our competition. But, you know, another one and, and this is where I was kind of focusing very heavily at the front is just trying to make sure that your processes are very repeatable. Um, so there’s a whole slew of good reasons why they do it and when you’re going, Hey, I think if you’re considering this in your organization is I think we’re gonna move forward on something, this like this.

You can then circle back with your stakeholders and say, I wanna move forward because I think it sets us apart. I think it’ll help us drive additional revenue. I think it’ll help make our processes repeatable and, and predictable and so on and so forth. So there’s a lot of really good reason to do that.

And almost everybody inside of every organization wants those things. They want more money, they want more revenue, they wanna make it more efficient and so on and so forth. Yeah, absolutely.

Tara Klocke: Like who, who wouldn’t want that for their organization? And. In case anybody said, no, this is a podcast on technology.

So I do wanna dive into a little bit about how does this apply [00:11:00] to technology? Yeah,

Scott Patsy: that’s a, that’s why we’re ultimately here. Right? Um, so there are a few ways that we can kind of look at that. Um, I think the important one today is to help, um, You know, the listener here understand, um, broadly how the maturity model can apply to technology.

But then more specifically, how does C I T use the maturity model, um, to help our customers ultimately, you know, align their business goals with what technology can do, right. Um, I think a good broad place to, to start maybe, um, Todd, you can help out here is, uh, something that’s kind of on the forefront front of everybody’s mind today being cyber security.

And there are a number [00:12:00] of, of, uh, places where this applies. Um, and, and, and Todd, I would invite you to kind of start and I I’ve kind of got some, some stuff queued up here to, to discuss about it.

Todd Sorg: Sure. Yeah. So thanks for that. But, but cybersecurity is really easy because as Scott mentioned, it’s top of mind right now, it’s easy to talk about.

Um, but the nice piece about it is there is a decent amount of compliance out there that kind of helps build what frameworks look like today. Um, so you look at those highly regulated industries, your healthcare, your finance, et cetera. They’re all trying to do exactly that. As I mentioned early on, you really can.

Do it all in one chunk, there’s a variety of reasons for it. The complexity, the cost, et cetera, cetera. Um, in the compliance industries or the regulated areas, the reasons why they have to do it is because they’re being asked to do a lot. The reasons why there is compliance and regulations is because there’s a lot of risks in those industries, whether that’s because they’re being insured, um, by insurance companies or by the D I C or whatever the case may be.

They’re the ones that [00:13:00] are saying, Hey, there’s a lot at risk here. We wanna see you do it. Essentially, what they say is there’s kind of a foundation that you need to get in place for the maturity model and they call it baseline in the finance industry. And then as you continue to grow and get better, the next stage is called evolving.

So again, you’ve kind of got the basics I can block. I can tackle. Now I’m starting to get it a little bit better. And then once the next stepped up is intermediate. So you’re doing about average. That’s about what most organizations are trying to do if you’re in that industry. And then you get up to advanced and then at the very top of the scale as innovative, and the intent is.

Most organizations aren’t really striving to be innovative when they’re in the SMB market, which is typically where we focus and that’s because they don’t have the revenue, the horsepower, et cetera. But there are leaders in every industry that are going to be innovative, even if they are small, there’s, there’s plenty of people that are really trying to turn their industry on their head.

And they’re trying to be living in that innovative state as well. [00:14:00]

Scott Patsy: Yeah. Yeah. That’s great. Um, I’ve got a, um, uh, kind of what I have queued up as some, an example, really within cybersecurity kind of, you know, how and where that applies. And so, um, I think, uh, if there’s anybody out there listening to this that is, um, kind of tapped into what.

The cybersecurity industry is doing the maturity model that we see relatively, um, consistently is what’s called the cybersecurity maturity model certification, the CMMC, um, which is an assessment framework published by N the national institutes of standard and, and, and technology. And what the CMMC does, is it, um, It’s got a whole list of about 14, what they call domains, um, that, uh, um, are specified for, um, analysis, um, to address the CMMC and, [00:15:00] and those are access control, awareness and training, audit, and accountability, configuration management.

I’m not necessarily gonna list all. 14 of ’em, but you can kind of understand what they’re trying to accomplish their incident response, um, personal security, physical protection. There’s, uh, there’s a whole list of things to, to get through and to mature through, um, within the CMMC and those domains and, and, and an example of that is, um, Kind of the framework that we’ve been hearing about is, um, you start at, you know, a particular level of maturity and as an organization meets those maturity requirements, it would, you know, move on to the next level.

Right. And, and within the CMMC, the first level is access control and the first level and level one. Then within access control is what they call authorized access control. And, and they call that out and they say limit system access to authorized users, [00:16:00] process pro uh, uh, processes acting on behalf of authorized users or devices, including other information system.

And so once an organization has done that limited. Information system access to authorized users. It can kind of check that box and move on to, um, the next aspect of level one. Again, being access control, which is transactional and functional control limit information system, access to the types of transactions and functions that authorize users are permitted to execute.

Um, so you can kind of see how this moves the next, uh, uh, uh, aspect of level one is external connections, verify and control slash limit construction, uh, connections, um, to and use of external information systems. Um, Uh, and so they, once you have kind of done these things, checking the box, you move on to the.

[00:17:00] Piece of that. And AF once you’ve matured through level one, level two, uh, again, within the access control domain. And I know we’re getting in the weeds here, I hope everybody’s following me. Um, level two is then starts with, um, the ion of duties and so separate the duties of individuals to reduce the risk of malevolent activity without conclusion.

And, and, and, and the CMMC is, is, is, there are lots of questions it’s very in. Um, and for cyber security at this level, it really should be, but you can see within the different levels, what they’re doing, they’re ultimately tightening the security restraint so that the right people can get access to the right information, um, or ultimately to limit access.

um, only to a certain set of people internally or externally. Um, and this goes on and on and on, and there are lots of levels and lots of questions, certainly not gonna read ’em [00:18:00] all, but you can kind of get the gist here of, again, the process by which an organization meets a particular criteria within a level in order to check a box and move on to the next.

Tara Klocke: So I definitely heard a lot of compliance compliance, but then how do I take my organization and align that with those models? What do I do? Do I do that myself? Can I reach out to somebody to help? Or how do I check some of those boxes?

Scott Patsy: Yeah. Yeah, that, that that’s that’s thank you, Tara, for reeling us in a little bit.

um, the question there really is. Okay, well, how does CIT help, you know, our customers? How do we use the maturity models to help our customers? Um, because our customer base is one that tends to be, uh, what we refer to as, as SMB. Uh, um, and I’ll clarify a little bit to say C I T S customers that have, um, you know, a pretty broad range of, uh, uh, of user basing.

We’ve got customers. They have five to, to, [00:19:00] to 500 users is, is, is kind of how we categorize that. And today, um, we are using maturity models, um, both within our cyber security and strategic engagement departments to drive. Really help our customer drive that level of maturity within each respective discipline.

Um, and, and I, I really, I firmly believe that that word using that word drive is an important aspect of this. I would say that our customers look to us in these cases to help them mature. Through these processes, and it’s not something that they necessarily are prepared, have the, or have the bandwidth to accomplish on their own.

So they really need us to, to help move them forward. Um, cybersecurity obviously is very focused on maturing the. Um, it, uh, cybersecurity for our clients. Um, well the strategic engagement department takes a [00:20:00] broader approach in maturing overall. It best practice within categories, such as it infrastructure, where we’re analyzing servers, workstation, storage, switching, um, backup and recovery.

It budgeting, um, and big picture items like the organization’s cloud strategy or the ability of it assets to meet, uh, uh, uh, business demand. Um, I will, uh, I’ll take this moment to kind of pick on an easy criteria, um, where, where, uh, um, Strategic engagement focuses. And that is, um, that’s the, that’s the it budget.

So I’m just gonna talk through this briefly. So, um, if we were using the maturity model to analyze a customer’s it budget, um, we, we, uh, we would do that. We kind of have five levels within budgeting, um, and we. Make these statements, we ask the customer, these questions, um, you know, where do you fit today? Um, within this model.

Um, [00:21:00] and so if I think of the it budget, kind of it being one through five, number one being no formal it budget exists. Technology is purchased ad hoc. It budget percentage of revenue is unknown today. Um, or number two, being some it purchases are made based on specific recommendations, but were not planned for in advance.

Most it hardware, software and service expenses are paid for as needed. During a point of pain, it budget, percentage of revenue is still unknown. Um, level three then is, um, you know, you can, you can kind of hear that it continues to get better as you mature. Um, level three is, uh, a list of technology purchase has been documented.

However, no specific annual it budget is followed. Some hardware software service purchase is purchased in advance based on a roadmap. Uh, some are still purchased ad ho. And again, it budget percentage of revenue is, is less than industry average. Uh, number four, [00:22:00] then we would continue to get better. An it roadmap has been documented annual it budget has been created most are all it.

Hardware, software, service expenses, expenditures are made in advance. Um, and then number five is a formal budget exists. The organization, um, and business leadership are aligned on technology solutions that support business goals. And so the question is, well, boy, Scott. Yeah, we are at a number one and we really wanna get to a number two and number three and number four.

And, and, and we need your help getting there. Right. Um, and so that’s where we. Use strategic engagement to help, you know, drive, um, organizational leadership, our customer’s leadership to working through those maturity levels. If no formal budget it budget exists today, then let’s build a cadence together so that we can work with you to.

Identify the items that are attached to the it budget, what [00:23:00] the cycle is for these things and build some predictable repeatable processes around, um, maturing you to the next level so that we can get from no formal it budget exists to you have a roadmap we’ve helped you document that roadmap we’ve identified within, um, you know, quarter by quarter, what the it purchases are that are going to be made.

We’ve identified. Um, when assets will refresh, we’ve identified when new hardware will need to be purchased based on warranty or support expectation, um, expiration, excuse me, we’ve identified when, um, you know, projects need to get accomplished based on that budget. Um, And then to help an organization, um, uh, uh, review that quarterly budget and review budget, percentage of revenue and see where it fits within its industry.

Um, so that’s kind of how we would take something as, um, really as important, [00:24:00] um, and as transformational as the it budget and moving it from, ah, we really don’t have a formal it budget. We kind of just buy stuff when we need, when we identify a pain point to a formal budget exists. Organization business leadership is aligned with, um, uh, not only making it purchases, but, um, helping those purchases, uh, ultimately drive business.

Todd Sorg: So I’m gonna boil that down a little bit. um, I, I think, uh, what Scott said was great. I, I think all of that aligns extremely well. And if you were, I mean, I, I’m not trying to make fun of Scott in any way, but I think if you were kind of going through the process, I kind of highlighted, and I said, you got a baseline and you work your way up to innovative.

Exactly how he laid that out. They followed right into those steps. Right? So you kind of figure out where you’re at and where you’re going. One of the things that I kind of wanted to point out right away is I have worked for a fair number of organizations. Um, prior to this particular role in everywhere I’ve ever been, I’ve found that [00:25:00] the reoccurring theme is senior leadership hates surpris.

Right. And that’s budgeting. That’s break. That’s fix it’s it’s all the unknowns. Right? So when Scott’s pointing out heavily, you wanna get to this area where it’s repeatable, it’s understood. You’ve got budgeting, et cetera, for anybody that’s in charge of it, responsible for it or any. Other area having that predictable model does eliminate a lot of that friction and it removes the surprises.

So you’re less likely to have the president CEO’s laptop die unexpectedly, or your backup system didn’t work. And now I’m looking for a $20,000 investment or whatever the case may be. Those things are being eliminated. Um, now when it comes to cybersecurity, You know, Scott had mentioned this too, is a lot of organizations don’t have the horsepower to be able to kind of do that for them.

So there are partners out there. C I T be one of them having the ability to say we can help translate that. So I wanted to touch on the CMMC [00:26:00] piece real quick too, is, um, as Scott was reading through that, While it’s clearly in English that doesn’t necessarily make it easy to understand. Right? You go through all that and you say, whoa, what does that even mean?

There are organizations, there are people that do know how to make that very actionable and say, here’s where you’re at today. We can get you to the next step easily by doing X, Y, and Z. So there are very clear ways to do it. Um, And I, and I apologize, I didn’t mean to cut Scott off in any shape, manner or form.

I just kind of wanted to point out that the surprising thing is, is really, should hopefully resonate with a lot of people and being able to, to minimize that if not completely eliminated is something that most organizations are after.

Tara Klocke: And no fault to Scott’s, um, own, he is very passionate about this subject.

So it’s so nice and refreshing to be able to have somebody be a part of CI I T that wants to talk about that. And he is in that perfect position, um, to do so. Um, so great job guys. [00:27:00] I appreciate, um, all of that. So I did wanna kind of, um, lead us out to the end and we’ll kind of wrap anything up, but Todd or Scott, do you have any, um, final words that you wanna get in there?

Todd Sorg: Yeah. I wanna know when we’re scheduling the music one. Yeah, right. yeah. When can

Scott Patsy: we let’s have a grateful dead podcast, which is the best version of ahea. awesome.

Todd Sorg: This was great,

Scott Patsy: Tara. Thank you so much.

Tara Klocke: Well, thank you. Uh, Todd and Scott, I very much appreciate your time. And as always, we love to talk and sometimes we tangent, but again, talking about the passion, we love to see that, but for those of you that are listening, we always are looking for, um, you know, feedback on some other suggestions.

So please make sure to do that. Um, you can visit our website, which is CT Or you can email us at info C I. Net dot. [00:28:00] And as always, we look forward to chatting with you guys next week. So, and are.

Technology for Business Podcast – Myths of Managed Services

In this week’s episode, Kyle and Alex sit down to chat about the Myths of the MSP (Managed Service Provider).

Myths include:

  • A MSP is there to replace your IT Staff
  • Once you sign up all your problems will go away
  • Only people without IT staff need MSPs
  • & more!

Have a question for Kyle or Alex? Email

Listen now

Episode Transcription

Kelsey Sarff: [00:00:00] Welcome everybody to today’s tech for business podcast. Today, we’re sitting down with Kyle and Alex and we are talking about myths of the managed services. It’s going to be a fun one. Let’s kick it off with you guys. Introducing yourselves.

Kyle Etter: Hi. Thanks, Kelsey. I’m Kyle I’m the president and CEO at CIT.

Alex Piper: My name is Alex Piper.

I’m the manager of managed service.

Kelsey Sarff: Awesome. And you guys are gonna be here in a little bit more for me today as I put forward our lovely myths.

The first myth is, “Once you sign up all of your problems go away.”

Alex Piper: Yeah, no, it’s gotta be one of my favorite ones. Um, when thinking about this topic of myths about what we do and the magic that we can do behind closed doors, it takes a little bit more than just signing up.

It takes, you know, it takes us a little bit of time to kind of get through your network, get you on board. I bring you in, you know, any MSP who’s going to be coming in and bringing you to their managed service platform is going to, it’s going to take them some time to [00:01:00] get, to learn your environment. And we’re not gonna be able to solve your problems right away.

We’re going to collect your problems. We’re gonna learn what it is and we’re going to grow together. But it’s unfortunately not one of those things. That’s an instant sign on the dotted line. We all get to move on with our lives. Um, and everything’s going to go smoothly. Um, Kyle, anything you want to add?

Kyle Etter: Yeah. Yeah. I, I think it’s even more so I have the understanding that as things are, uh, brought to light that even has, you know, more activity and there may be some, you know, like my RA caused some short-term pain, uh, to get through those sides of it. Cause, uh, typically highlights areas that need to be improved and adjusted to make it even in a more supportable environment.

Usually, that form of the pain may be an additional investment typically, you know, there’s. Older devices, those types of things, just immediate recommendations and that need to be, uh, addressed to improve the supportability of the networks. So, you know, I would plan for typically coming in, if you’re not coming off of a [00:02:00] mature managed service provider, that you’re probably likely going to be requested to make some additional investment, uh, to help improve the supportability, not always immediate, but certainly in the, in the near future, those things will certainly have.

Make the network at the moment, a lot of the problems go away. It’s not just the provider. There’s a combination of the information recommendations that ultimately drives the more supportable network.

Kelsey Sarff: That makes sense. I’m going to ask a follow-up tangent question here. Tangent alert. How long would you say it typically takes a managed services onboarding?

How long would somebody be looking?

Alex Piper: Yeah, probably you’re probably looking at, you know, just from doorstep to doorstep, from signing to, you know, us being, you know, an average MSP being out there probably about 30 days. And then from there probably another 30 to 60 days for us to really start to learn that.

Get all the tools collecting all that data coming with those recommendations [00:03:00] that Kyle talked about a little bit about pain points. Here’s what we’re seeing in your network. That could be potential pain points and starting to build that list, um, of, uh, topless items of what we were going to want to look at.

Kyle Etter: Yeah. I like to set Customer expectations around 180 days, or, you know, really starting to see some of the results sides with it. Um, as, as I like to mention, you could be, you know, ready to receive calls and get the information within 30, um, you know, your other, other areas of. Discovery trend analysis, those another, uh, more in-depth deployments, uh, optimizations of the network and systems, you know, some security or mediations, typically it could take, you know, 90 plus and then to kind of cook, you know, get it all working together is really about 180 days.

So I wouldn’t judge any managed service provider in any shorter period of time with that. If it’s [00:04:00] working or not in any shorter period, it’s just not enough time. For the systems and the processes to really start to take hold. Um, and, and I don’t want to make the idea that after 108 days it’s perfect.

Um, but you should start to see progress after 180 days. I would not judge it any sooner than that.

Kelsey Sarff: Makes perfect sense. All right.

Myth number two is, “Only people without IT staff need MSPs.”

Alex Piper: Yeah. I’m going to say that is not true. Uh, we have, you can have. Environments that definitely like you cater towards the people who don’t have it sass.

Cause that’s what we’re here for. We’re here to give them that, help them with that pain point of not having that staff. Um, but with that being said, a lot of our clients do have it staff and we’re there to help them in any way possible. Um, you know, you [00:05:00] could be anything from just being a contact expert in a certain area, which, you know, your MSP is going to know yours.

Engineers who are certified in a lot of different areas and be able to provide a lot of different knowledge bases where, you know, your local IT or not, anybody onsite won’t have that knowledge. And you can just supplement to that little bit, just, you know, is there to help, you know, S you know, you progress and grow your business and your IT.

Kyle Etter: Yeah, I it’s there’s, there’s so much value in what the processes and systems from the managed service deliverables bring to even customers with existing it staff. Because the, when I used to have conversations with customers about is driving towards. Efficiencies. And a lot of those efficiencies, we have efficiencies of scale and our managed service offering.

I mean, we do it day in, day out. We know how to monitor. We know how to, how to react, you know, how to know if something’s up or [00:06:00] down. We know how to, uh, you know, re-respond to performance, you know how to do, you know, Asset tracking and those other general areas, we know how to keep systems up to date and patched, and we know what’s required for security.

So those general across the industry, it doesn’t really matter. Um, those we’re very efficient at it. We do it day in, day out. We’re very good at it. Where the customer’s it, staff start to then gain the time and effort is to work with where their rubber meets the road there, their data, and how they’re interacting with their support users and then to their customers, with their data and their systems, because when it gets specialized into their particular investment, That’s where we lose efficiency.

So, you know, once customers have a certain size, you know, the many times we recommend they have an IT staff that we can’t fill that need. And, uh, you know, I think Alex, Alex is smiling on that. Cause it’s, you, you, you can’t promise [00:07:00] that as a managed service provider, because you just, again, you just lose the efficiency of scale.

So it’s pretty easy to understand where the, where it comes. I always advocate for customers. When they look at saying, well, we could build, we could have our own monitoring system and we could do our own ticketing system and we could do these things. But again, you’re just adding to your problems because now you’ve got another system to manage.

You got another, you just added to your plate, you didn’t subtract. And you know, we can attest the systems that monitor the customers don’t work as well as the other things. They are not a set it and forget it. Type of product. They are ever-evolving, ever-changing. They have their own set of support. We have dedicated people that handle that, and that’s the efficiencies of scale you want to get.

So I think customers with staff have a hundred percent, uh, benefits, um, looking at utilizing MSP cause it’ll gain better efficiencies with their people and there it is, and it’ll [00:08:00] actually deliver better it technology to their bills.

Alex Piper: The Tufts to that. You just have the hours, I mean, work 24 hours, just for an example.

We’re 24 hours, seven days a week where you’re having, you’re paying somebody 40 hours. Multiple people for 40 hours’ worth of work. I mean, you’re getting that around the clock. Somebody watching your network holidays for here, you know, you’re kind of getting that you want to take PTO and you’re the only IT person that’s where we can come in and just, you know, let you relax for your, you know, for your trips to Florida, for S for a week, you know, that’s where we can kind of come in and help.

Help you out, you know, it doesn’t have to be somebody who doesn’t have any staff. You need help just in just that there, but we can supplement that staffing in those peak times.

Kyle Etter: Yeah, absolutely. Do you mean an IT guy gets to take time off?

Alex Piper: occasionally?

Kyle Etter: Yeah. Yeah. Unfortunately, IT doesn’t sleep. And, and, uh, I think again, as Alex steam going to test the, uh, model of alerts that come in overnight and on [00:09:00] weekends, it doesn’t shut down.

When most people, you know, take off on Friday at five o’clock. Quite to the contrary, we tend to see a lot of systems that, that, that have issues over those overnight hours and over weekends and, and on holidays. And it’s, those are the times you want to make sure you don’t have someone on glass if you would be able to react and get information out sooner, you know, does help because yeah, one or two people just can’t do it alone.

There’s a, it does take, you know, good systems and those things. So having a good partner to back. As well as getting those escalation points, it’s, uh, it’s not realistic to think that one, one or two people in an IT staff at many organizations can know everything about every product they’re required to have some administration support with.

So having an existing partnership to be able to reach in and say, I need help with this firewall or this, the server problem in those areas is, is a [00:10:00] nice way to ensure that you can get things resolved much faster.

Alex Piper: I had a smile. When you said like, you know, after hours is when the most tickets come in, you know, it problems never happened during the eight of five.

They always happen on a Friday at four o’clock when everybody wants to leave for a long weekend, you know? And it, it’s just that extra layer that they give you is you can kick them off, you can get them going, or you have that person where you can go home and take care of what you need to come back. You know, you get that extra layer of knowing that, that person’s there to help you while you’re not there.

Or can’t be.

Tara Klocke: I think that’s also a great point. Cause I think there for a while, it used to be kind of us versus them in the industry that they always felt threatened about an MSP coming in, where that’s really quite shifted in the fact that we’re here to help supplement that and form that great relationship with them because we’re not trying to come in and overtake them, but also offer some great solutions for them at the same time.

Kelsey Sarff: So I love the fact that we had [00:11:00] that discussion point, so lovely. Yeah, that kicks off beautifully. Another myth that I got coming up way to tee it up without even knowing.

“An MSP is there to replace your IT staff” is our next myth of the day

Alex Piper: Yeah, no, we want to work with you. I promise you that, like, there are things that you know about your network.

We won’t, you know, you’re, you know, the employees, you know, the inners and outers, the day-to-day business that we don’t, we’re just here to help with providing new tools, providing new knowledge, providing you after hours, we’re here to provide you other it solutions. Our toolset, Kyle hit it, hit it earlier about just the sheer volume of tools that we can provide or connections with vendors that we have.

You know, you, you know, you think of managed services, you think of just day-to-day support. You know, we, you know, an MSP, a good MSP can provide you solutions in so many different areas. If it’s platforms in development in insecurity [00:12:00] and you know, just growth plans and stuff like that. I mean, you know, it’s, you’re not just.

You know, to replace them, you’re here to help them grow and to take some of their pain points away. Instead of like Kyle said, he hit it on the head earlier where it’s like adding more tools and in your own monitoring tool, adding your own ticketing tool. Yes. It’s nice to have it in-house, but when you can rent those services and utilize somebody else’s tool where they have their own admin team, keeping it up and having that updating and patching and everything like that, taken care of where it takes some of the low hanging fruit off their plate.

That’s where an MSP can really show the value of your company to your IT staff. Is this take that low-hanging fruit off their plate and let them focus on the big day-to-day stuff and let us cover the day-to-day.

Kyle Etter: I think having your, the people that are on staff, being able to support users at a certain size. I think you reach a size over, you know, a hundred plus employees, depending on the technologies using it, [00:13:00] how much you’re using, you know, having, having somebody to be able to directly work and interact with the users in your line of business applications is where we see a lot of synergy on the, on the system side.

You know, smaller organizations, again, it all depends on, you know, the complexities of your technology and how much you have going on. Um, but you know, there’s, there’s such a tremendous augmentation that it provides and helps, and we’ve seen it, you know, proven in many organizations when they release the kind of the day-to-day.

Functions that are again very general. And then they focus on the business needs of the technology that, that, that it really starts to become a differentiator for that organization. And they, they look at it not as a, as a, just an expense area, but it’s going to be a differentiator, but yet you find the synergies to make it work.

Yeah. I just think I’ll make that analogy there. I’m sorry. Alex says, [00:14:00] he told me the analogy that nobody changes your oil at home anymore. Very few people do because you can go to an oil change check. And they can change your oil and 15, 20 minutes or less. And you don’t. And for about the same cost of you going into a store, buying the oil, setting aside an afternoon, and then having to drive someplace and find a place to dispose of the oil and go through those things.

The net result is very little differentiator because they’re very efficient at what they do. Um, they’re not there to change a transmission or, you know, replace your engine. They changed the oil, that’s what they do. Um, and they’re very good at, and they’re very efficient. They can do it. Cost-effectively and it’s, it’s, it’s kinda the same idea.

Um, very efficient at, at certain aspects of network operations, network security, there’s other areas, but once it relieved the more specialized stuff up to the province onsite.

Alex Piper: Yeah. And the good [00:15:00] ones. I mean, I was going to go a different direction, but I think that’s perfect. One, you know, oil change. I get like 20 points.

I mean, that’s also what we’re doing. We’re also looking at other stuff over there, making sure your lights work, you know, making sure everything else is there working. I mean, the oil change is a great example. You take it someplace. Cause you’re getting usually just slightly more than sometimes it’s an oil change, you know, you’re getting your ears, you’re getting your tire, putting your, you know, air put in your tires and stuff like that.

So getting that little extra thing that you know, they’re going, that we’re always looking at we’re in and out of networks all day. Um, so, you know, we see a lot of different environments and, you know, you start to build your know what works, what doesn’t work recommendations. You start to see stuff at a quick glance than somebody who has been staring at the network for the last 20 years.

Kyle Etter: Yup. Yup. How long does it take you to, to find an ISP outage Alex?

Alex Piper: Uh, minutes, if that I have a tab, literally, it’s just me clicking the tab and clicking refresh a couple of times to see if it shows up. [00:16:00] Honestly.

Kyle Etter: So the commonality, you know, I mean, you start to see X number of customers all go offline at the same time in a general region.

You have an indication of an ISP outage immediately. So commonality of that, again, there’s just numerous benefits to get brought to the table, but it doesn’t take away from, um, you know, the value that onsite it can do as well.

Alex Piper: Yeah, it’s funny that you say that, you know how fast, you know, now with customers being all over the place, you know, you can be an MSP that’s down, you have an MSP down in, you know, hurricane area.

We have customers who are down there that we are overnight. Guys will watch. They’ll refer. The hurricane center and just see if there’s anything coming that we need to be aware of to start shutting down gears plans stuff, you know, we’re watching power outages, just silly things like that, that you don’t think about, but that’s what we’re here to do.

You know, let us know your power company and we’ll go, they have the outage maps. Readily available online now that this is little things like this, the peace of mind at two in the morning that we’re [00:17:00] going to know that it’s a power outage, not wake you up in the middle of the night or wake you up and say, there are no outages you might want to head in, um, because your network’s down.

Kyle Etter: Yup. Yup.

Kelsey Sarff: So it’s the whole illusion of being mind readers, right? That you’re like, yes, it can definitely. Fortune tell, tell the future. Um, I know that we’ve talked a lot about right. Networks and tools and you guys are like, we know our tools, we’re the experts, but…

Next myth, “Once somebody signs up for a managed services, suddenly that team’s going to know everything about their network and tools.”

Alex Piper: Yeah. We kind of hit on it a little earlier about, you know, Kyle talking about like the timeline and stuff like that, that it takes us a little while too. Up to that point. I mean, I mean, you could call the same day that that provider shows up depending on what their rules of engagement are. If they want a little cool-down or, or anything like that, but you can start calling, I mean, is it going to be smooth?

I mean, short of it being a very [00:18:00] like, you know, have you tried rebooting, um, and it fixes your problem. It probably is going to take us a little bit, cause we’re not, we’re still collecting data passwords, knowing how your network’s laid out. Um, So it, you know, it like Kyle kind of talks about it, you know, buy from doorstep to doorstep like that 180 days and stuff like that.

I think it’s. You know, point, you know, I was kind of talking about like that, you know, 30 to 60 days after is when we start, you start to begin to see the efficiencies, start to increase all your tools are in there. We’re starting to build some baseline data and we’re not there yet. Um, we’re starting to track the trends and seeing this computer reboots, and it’s not supposed to.

Your server after, after everything happens, like those things, we start to track those what you’re, that’s what you’re hoping for from that MSP during that time period, you don’t want them to, I mean, you want them to jump in immediately and know everything about your network, but you want them to learn your network and not in give it time and grow with [00:19:00] it.

I set up just jumping in. We’re going to know your problems. Cause that’s why you’re coming to us. You’re going to tell us your pain points. We’re going to be readily watching that on day one. It’s just everything else is what’s going to take us.

Kyle Etter: Yeah. I mean, the tools help to gather a lot of information and we have processes to ensure or get the required information.

We’ll know we need to support a properly, but it’s not that much different than if you were to hire somebody and they were to come in. You wouldn’t expect them on day one to be in, you know, a hundred percent efficient. No, it takes time to learn. There’s still a learning period. So there is still a Betty period to collect and understand, start to know the systems, the software, the people.

You know, the key, where the most value is and where those areas are. And that’s just part of the relationship-building process to go through. No network is the same. I mean, none of them are, they all have unique DNA to them, and they all have [00:20:00] unique, uh, systems and processes.

Each business has developed its own way of doing things. Yeah. So we have to learn that process as it goes through, like any MSP. Well, so, you know, yeah, yeah. Just plan for the time I, to go back again to that 180 days is a good thing to put in your mind to say you should expect to see, you know, improvements and trends, you know, and start to see the relationship.

Start to move forward. After about 108.

Kelsey Sarff: That makes perfect sense. Going kind of backtrack. We were talking about distance and supporting people that are maybe across the country, as far as MSP staffing goes.

The myth that we’ve got now is, “MSPs are staffed overseas.”

Alex Piper: Yeah, that’s a good one. Um, in a sense, It’s somewhat true and somewhat not.

It kinda all depends. Um, there’s a lot of MSPs will outsource overnight work, uh, overseas to help with the time difference and everything [00:21:00] like that. Um, so you, you see a lot of that. So I, you know, I can’t straight debunk it and say it, you know, or anything like that. Cause there is the truth behind it. There is um, some that you just do have it for that after our support, um, You know, but when it comes to that, you know, there are things you have to think about if they are doing it, you know, what’s the language barrier you’re going to be like, if you call in the middle night, what’s the time difference?

What’s the compliance, are they compliant? Can they support your environment? Are you somebody who deals with compliance issues? There are a lot of things to kind of put in mind when you do go overseas. So if you’re another MSP thinking about it, you know, those are things that think about if you’re looking for a.

You know, watching this it’s, you know, do they, or won’t they, we don’t, we staffed 24 hours here in the U S we’re not just located right where we are, but we’re all over the US. Um, they help us with, uh, you know, we have people on both coasts to help us from, you know, we chase the sun a little bit. Um, [00:22:00] And that’s what a lot of people will do.

Um, but I can’t the straight say no. Um, but I think there’s a, it’s usually that after-hours is where you find that niche or where they are.

Kyle Etter: Yeah. Yeah. I mean, it is definitely gonna vary from size and pricing structure and the other sides of when it introduces overseas. Um, but if you’re in the market looking the.

So typically it’s, it’s a disclosure, you know, they will disclose that as Alex had mentioned, really for compliance, if you’re doing any government based work or any side of that, you know, they, they, you can engage oversee support if they’re doing any kind of U S government work, um, defense contractors, there are all kinds of, of, um, different regulatory, um, organizations that will prohibit that from them working on it.

Definitely, something to confirm. I would say of our interactions with other MSPs over the country in different, uh, um, different conferences [00:23:00] and those things typically not, um, but not a hundred percent, you know, across the board. So it’s definitely worth asking. It may be engaged or. It can help cost, you know, so, I mean, in, in the effort side of that, you do it as an MSP to, as Alex mentioned, it helps with the time, you know, obviously their daytime is opposite of ours, so it helps for overnight and shift side with it.

Um, and typically there can be a labor cost savings, so can help them provide the service at a lower price to their customers through that side. So there are valid reasons to look at it. Um, but you’d need to make sure that it fits and works for you.

Kelsey Sarff: Yeah, that makes perfect sense. And I’m kind of going to find our next myth, that kind of tangents lovely off that..

“that MSPs are just sitting around, waiting for you to call in.”

So these guys that may or may not be located in the us cross seas, they’re clearly just sitting there waiting for you to call.

Alex Piper: Yep. Um, love [00:24:00] it. I appreciate this one. Um, okay. As much as I’d love to say yes for just sitting there waiting for your call, but the good ones aren’t and you know, and I’m fortunate that we aren’t, we’re being very proactive in your environment.

You know, you’re, if your MSPs are sitting there waiting for your phone call, it’s great. They’re going to answer the phone. They might be able to solve your problem, but what else are they not doing? What are they ignoring? Where, you know, if they’re being proactive, they’re monitoring that network. They’re patching, they’re helping you plan for that growth.

That’s really where, you know, you’re hoping that that managed service, that your MSP is really driving towards. Yes. Do you want your help desk? They’re ready to answer the phone. Of course, but, and they will be, they’ll always answer the phone. It’s just, that you want to make sure they’re doing other than just sitting there waiting for your prompt problem.

They’re not just sitting there twiddling their thumbs, watching, you know, reading something online. They’re actually doing something in your network or somebody else’s network, and they’re being active in there for you.

Kyle Etter: Yeah. I mean, it’s, [00:25:00] it’s part of the cost analysis side of it. I mean, obviously, an MSP can’t supply, you know, all these services and those other things and have a dedicated person waiting for every customer to call it.

That is just not the way it’s going to cost out. And, you know, so you’re, you’re gaining the efficiencies with the systems and software Alex, there’s a proactive side to the event, you know, trying to prevent the users from needing to call in the first place. So that occurs side through there. And then you, you know, typically we publish our service levels.

You know, most MSPs do have the service level side of it, where they quantify and they’re going to categorize the calls. So not all calls are equal. And I think that’s, there’s an educational process that needs to be communicated to staff when engaging a managed service provider and understanding that, you know, you’re, you’re formatting out of your printer, not working right, is different than a customer with their whole network down.

You know, so the [00:26:00] reaction times and expected response is you are going to vary depending on that. And to plan accordingly. I think all MSPs want to serve the customer as fast as possible. And the service levels are always the afar outer range that you measure against to beat. But you do have to understand they’re not all equal.

Um, and you may be faced with, you know, waiting to have 30 minutes or an hour for a call back on certain things. That’s just part of the process that you gain from that. But it does piggyback on that earlier conversation of certain customers of certain sizes having onsite. It maintains those expectations because if you have no complex systems or you have enough staff on those, having your onsite, IT staff feel that will support those systems and those other things, and allow the MSP to do what they do really well can help as well.

You have to do that full analysis to see where it really [00:27:00] fits best.

Alex Piper: Yeah, no, I think those are fantastic points. You know, just about everything, just looking at it, you know, it’s a whole approach. It’s a whole package that you have to look at. It’s, you know, it’s, everything comes with something else.

Like the SLA is all service levels, agreements, you know, like that comes in. Yes. We don’t want to hit them and we want to, we want to beat every single one of, well, we don’t want to hit. Top of it and just scoot by, you know, you want them sitting there, but also you have to understand if it is something, you know, it kind of helps for you to vocalize what you’re experiencing to your best advocate.

Um, when calling in or sending that email in, if it is critical, you have to, you know, letting that provider know helps them give you that level of service in the timely manner that you you’re expecting them to do, but that level set needs to happen as.

Kelsey Sarff: I think we could tangent, I could have a whole other half an hour discussion. Okay. Let’s look at, let’s [00:28:00] talk just about the service level. Um, but as we are getting up to the end of time here, I wanted to thank you. But I thought all of this was amazing. I know that we have more myths. So maybe part two coming in the future, we’ll do a trailer.

Everything will with stranger things themed. It’ll be amazing to dress up like the eighties. I can see it now, but thank you guys so much for sitting down and chatting today. As everybody can tell the love tangent. We want to talk about just about anything underneath the sun. So you can always get ahold of our speakers online.

We’re at backslash podcast. There’s a lovely form. Fill everybody’s favorite out there. Feel free to drop questions or topics. If you want to connect one on one, they’re always willing and able to do that for us, you can send us an email at We look forward to chatting with everyone next week.

Technology for Business Podcast – Physical Security (Cameras, Sensors, & more!)

Join Kyle and Todd as they chat about physical security for SMBs. This episode covers traditional and new physical security technology available. Plus, how manufacturing, education, and even CIT use this new cloud-based physical technology.

Our speakers discuss Verkada we chat about new technology. If you have questions or would like to see a demo in action email or call 651.255.5780.

Listen now

Have a question for Kyle or Rob? Email

Technology For Business Podcast Season 1 Episode 5: Choosing an Managed Service Provider (MSP)

Kyle and Rob sat down this week to chat about choosing a Managed Service Provider (MSP). They discuss pros and cons, questions you should be asking, and how to know whether or not an MSP might be a good fit for your SMB.

Listen now

Have a question for Kyle or Rob? Email

Episode Transcription

Transcript has been edited for clarity

Kelsey Sarff: [00:00:00] Good morning. Welcome to today’s CIT tech for business podcast. Today, we’re sitting down with Kyle and Rob to discuss what to consider when hiring an MSP. Just a little moment to introduce myself. I know this is our fifth tech for business podcast. I’m Kelsey I’m part of our marketing team, and I’m going to be asking these guys just a couple of questions, help us keep centered from all of our tangents that we love to have.

But I’m at kick it right over to you guys. Why don’t you guys give me, give us your first name, your title, and then we’ll dive right into it.

Kyle Etter: Thanks Kelsey. Um, my name is Kyle Etter. I am the President and CEO at CIT.

Rob Cramer: Hey, good morning. I’m Rob Cramer. I am the Director of Managed Services, a CIT.

Kelsey Sarff: Awesome. Thank you both.

As I kind of let us into in our intro talking about MSPs this morning, managed service providers. What are MSPs?

Rob Cramer: Well, that’s a great question, uh, to different people. Managed Service providers mean different things, but in general, a managed [00:01:00] service provider is an organization that you can call this, going to help answer, uh, computer quote questions for your users, whether that’s, um, you know, how do I install this Microsoft application?

How do I print? I’m having problems printing. Can you fix it for me? Um, sometimes it’s more important to talk about what they’re not, and we can get into that.

Kyle Etter: Yeah, I think just to add to that a little bit. So there’s an agreement typically it’s a monthly reoccurring fee. Uh, usually based on users are devices that you have, um, to support your it infrastructure.

So, as Rob mentioned is obviously there’s typically a help desk there’s technical expertise provided. By the MSP partner that you choose. And then there’s a set of tools, typically automation to help control costs as well as, as, uh, bringing in a management framework for how you manage your IT infrastructure.

So it usually provides us some software for, for management, for things [00:02:00] like patching of Microsoft patching, patching or what we call third-party applications, your web browsers, different components, um, making sure that things are up or down if the servers or firewalls are key components in your it infrastructure to automatically monitor for their status, as well as other things.

How much disc space is in used is the processor running high CPU usage, those types of things. So you have a lot of metrics and, and other things that get gathered by those tools. So very valuable, but it’s a combination of obviously, um, trained and experienced personnel plus software and services, and a monthly agreement is at a high level.

What it is. It definitely varies by the. Our a MSP on how they package it, but it’s, uh, the end of the day, that’s kind of sums up what it is.

Kelsey Sarff: Awesome. That makes [00:03:00] sense. It’s still a lot of things, right, right out of the gate that you’re like, we can do this for you. Congratulations. And some of these are going to have acronyms, just like the name of it.

Um, but you guys briefly mentioned it, right? These are all of the things that MSP can do. Kind of made my brain go – are our MSPs just local companies, or can they be bigger organizations that tend to have more outsourcing? What’s kind of the range of where you can find MSPs and where they’re local.

Rob Cramer: You can find them everywhere.

Um, you got any of those peas that are, that are anything from a, from a one or two-person company that, that support, uh, you know, small groups within their area, uh, to very large national organizations that have, uh, thousands of engineers spread across the world. And the trick is finding the one that’s the right fit for you.

Uh, you know, somebody who’s going to be, uh, well suited to your organization who can really partner with you, learn your, your ins and outs of your, your unique, uh, environment, um, and help support you on that. So, um, [00:04:00] smaller, large, uh, you know, there are advantages in both directions, uh, finding the right fit is really what’s.

Kelsey Sarff: No, that makes perfect sense and launches right into my next question. How do you find one with all of those options out there?

Rob Cramer: That’s a great question. Um, you know, I, I guess I’d start off with, uh, you know, looking at, uh, some of the common options asking friends or colleagues, you know, who they’ve worked with, if they have any recommendations, cause find somebody, uh, you know, that, that somebody else has wanted to recommend usually is a good indicator.

That they’re, they’re a solid company that they’re gonna be. Do a good job supporting your environment, um, you know, going to Google and just typing in a search and just randomly calling somebody, you don’t know what you’re going to get. You could be getting a, you know, a one-person shop out of, uh, out of 10 book to, uh, and they don’t know, you know, your environment, they don’t know, you know, your, your industry.

Um, and when they go on vacation, you still lose your support. So, you know, sometimes you’re looking for that organization is just the right size that they have enough engineers. When somebody is on vacation, you still get to call and you still get to talk. Somebody [00:05:00] still get support. But they’re not so big that you’re just a, you know, a, um, you know, a small fish in a big pond, if you will, that, uh, that they don’t really know anything about you, they don’t learn your environment.

You’re just, you know, it’s just another person calling you. You could just be, as we’ll be calling, uh, you know, a manufacturer someplace and talking to a help desk in India, you don’t, you don’t really know. Right. Finding that right organization, um, asking around, asking, like I said, asking your peers, asking the other organizations in your industry, uh, if they’re using a master spider who they’ve used and who they like, uh, is probably one of your, your really strong indicators of a good place to start.

Kyle Etter: Yeah. That’s what I was going to say too. I think, I think the referral side is always a strong aspect. Um, you know, as as mentioned, there are national ones. You know, being a local provider, can it be slanted towards believing? There’s a lot of value in, in the local, uh, provider, just because. From what we’ve seen over the years, just being remote, um, is not enough.

You know, there is [00:06:00] definitely times, you know, you need to be onsite and you want to be onsite. Do you want to make the connection? It’s, it’s, it’s gonna there’s things you would need to do to keep upgrading on the systems and other components. And it’s just, um, you know, nearly impossible to just, you can’t do it all.

Um, it just, um, if you have onsite support to handle those things and you just need some augmentative, then possibly, you know, a national provider, could it fill the need for you, but, um, in many cases where you’re truly looking for, you know, an it partner that can be more holistic. And usually we find from, for the customers we work with, you know, the intention or the expectation is, is that they’re looking for, you know, Onsite remote, you know, the whole, the whole gamut, you know, the whole end game is to say they want it working, um, and keep the systems, keep their users productive.

And, um, you know, quite often, you know, a local provider I think provides a little more closer relationship, closer [00:07:00] alignment with what the customers are actually expecting.

Kelsey Sarff: Perfect. Oh, sorry,

Rob Cramer: nah, go ahead. Well, I just asked you add a little bit to that. Comics excellent point. And that is, uh, you know, managed service providers, uh, as, as we are, um, we gather a ton of data.

We learn a lot about the customer’s environment. Um, and one of the things that that lends itself to is really looking towards the future. And as we move forward, you know, what’s going to be the best fit for the order for the customer in the future. Do they need to be looking at a specific type of technology or, or something, you know, that’s coming down the line, or do we need to make some changes to their system to optimize it?

Having that holistic coverage, where you actually have engineers who can come onsite and can have that hands-on expertise for you. Um, really kind of fills out that managed service, a service desk environment and allows you to kind of have the other side of it. So if you don’t have that local it presence and you, and you, you need that kind of help, uh, looking for a provider that [00:08:00] has kind of that full packages is going to be variable.

Kelsey Sarff: Yeah, that makes perfect sense. Just really, really quickly that kind of brought up the question, right. That I say I’m the customer. And of course in today’s world I’m hybrid, or a lot of my workers are remote and yes, it’s great to have somebody on site, but how does that work? Let’s say that I have right employees that are all working from their homes, somebody in Hawaii, somebody here would a local MSP still be able to provide the support that.

Rob Cramer: Yeah, actually, uh, very, very effectively. And, um, if you’re the type organization who may have a local network administrator, um, with an organization like. Ours will give you access to the tools. So you can actually use our tools to help support your remote users wherever they have to be. Um, so just like we use it to help promote in and shadow somebody to screen and, and solve a problem.

Uh, look like an IT person could use that same tool to do that work as well. So yeah, it is very effective. Um, having the knowledge of the organization, uh, learning about their unique software and applications and [00:09:00] how their users need to phone. Um, really is, is more critical than where they’re sitting.

Uh, you know, when, when the pandemic hit, we saw this, this mass migration to this hybrid environment, um, and those organizations who had, uh, some pre-planning for that who had some users who traveled in time had some, uh, ability to work remotely, uh, actually were able to make that transition very easy.

And organizations that are fairly static, very in-house. Um, they had to scramble a bit, and they had to lean pretty heavily on people like, uh, like their main service provider to help them figure out how to get their users out to the house and still be able to do what they need to do. And, um, it was a, it was a very interesting time to see how different organizations reacted to that.

Kyle Etter: Yeah. Yeah. Very, very much so. And I also think that you know, the tools themselves give such. Ease of access to get to those devices, but you know, to have a local provider that can prep those devices and has them sent to those remote workers when [00:10:00] they are ready for upgrades, you know, we see a lot of synergies and a lot of value in that as well.

Um, just the consistency of the support provider to understand the nuances that everybody’s, it systems has. Nothing is a one size fits all. It never is. They’re never the same. So. You know, the, the way that they prefer to have their devices set up and what the user’s expectation is of the workstation, when they receive it, you know, needs to be planned out a quarterly.

So when you send it to that remote worker, you don’t want them to be as productive, as fast as possible. Um, and we find a lot of synergy and, you know, the pre prep, pre imaging, um, even with cloud connected desktops and Azure ID and those things, you know, you want to go through. Prep on those devices too, before they go to the users.

And I think a national provider, a very difficult time executing.

Kelsey Sarff: I smell a future podcast coming there about prepping devices, [00:11:00] 30 minute discussion. So yes, we’ll like tuck that one in our pocket for a future one. Um, but let’s say that I am a customer. I have X number of employees. Is there a certain number of employees that when I’m interviewing an MSP?

I should say yes. You’re going to be a good fit or no, I’m either too big for you or you’re too big for me. Do you guys tend to come across that when talking to people.

Rob Cramer: You know, Kyle can speak a little bit to that probably more than I can as he’s in a lot of those pre-meetings. But, uh, if I look at the kind of customers that we have, um, we have a lot of customers from very small, um, you know, five, 10 users, um, all the way up to, you know, to several hundred users.

Um, so, so does that mean that that one size fits all? No, but, but there is a point I think you will find. Um, that you need to know the organization you’re partnering with has the backend infrastructure and capacity to handle, uh, the, the types of issues you’re going to [00:12:00] have. Um, did they have the training and stuff you need?

Um, a lot of the larger organizations will tend to get a little bit more complex. They may very well have, um, a more advanced environment. Uh, and, and if you’re working with an MSP, that’s a. Um, a little on the smaller side, they may not have the breadth of experience and knowledge that you’re looking for.

So, yeah, it is an important question to ask. Um, does that mean that one organization can’t service both? No, uh, as I said, we, we have many customers that kind of span the, the environment size. Would I want to take on a, you know, 10,000 user organization? I don’t think I’d be ready for that. You know, I, I think I’d have questioned whether or not we have the capacity to handle the number of calls and stuff, but, um, that doesn’t mean it’s not possible.

It really depends on the environment, and what their expectations are.

Kyle Etter: Yeah, I think it’s a no again, there is no one size fits all on this side of it. It’s how it’s the role the MSP provides, um, can be adjusted accordingly. Um, the smaller [00:13:00] organizations Rob said once you’re, you know, you’re typically less than, uh, you know, 50 full-time employees, you know, an MSP essentially could be your it department.

You know, they, they handle the onsite. They provide the remote help desk. They manage the systems, they do the upgrades, and they handle everything. As you start to get larger. Um, and definitely, uh, more than a hundred plus users, typically you start to see a need for an onsite. It person, somebody within the organization that is now a full-time employee, but the MSP is augmentative.

They handle projects, they handle, you know, keeping an eye on the systems. 24 7, they provide the management platform. That resource uses, um, as an augmentative side of it, but then that employee is more focused on the users, um, for the customer’s productivity, as well as their data, their systems, their line of business applications.

As you get bigger, those become complex. I know we might [00:14:00] talk a little bit about this. Let’s go through there is where it’s a struggle for an MSP is once you get into that internal line of business systems MSPs, we can’t go that deep into the organization side of it. It’s a more, you know, um, higher level.

It support for the functional. Now, the desktops and the patching and the health of the networks and the security of the systems and those things. But once you get into that data, you know, having somebody onsite who really understands that keeps the users okay. Comes very productive and most larger employees.

That’s where it really starts to, to be a need, but an MSP can provide a tremendous augmented. Consistent support that has, you know, for, for us, we’re 24 by seven. I know there are other MSPs around. So looking for those that you have somebody on glass, you know, around the clock that can, you know, give you a call.

If the system’s reporting offline, they can potentially take to make sure things are patched to give you the management platform to manage it. There’s a tremendous value in that. That [00:15:00] again, having somebody internally to try to build that themselves just takes them away from the core business, um, because the MSPs do a very, very good job of that.

It’s what they’re purpose built for.

Rob Cramer: Kyle’s point there, you know, we’re, we’re not going to know a lot of those line of business applications. However, for some of our customers who were kind of in that in-between category, they don’t have a local it person, but they have kind of a unique application.

Um, we proxy that we will call the vendor on their behalf. We’ll get the tickets set up and we’ll, we’ll work with the user to try and solve that problem. We don’t necessarily have that expertise, but. Broker the connection and help translate for you for the person on the technical side, uh, to the business side.

Uh, so, um, you know, we can act as kind of the intermediary for those calls as well. When we. Good point.

Kelsey Sarff: Perfect. I was going to say two things first. Can you give an example of some of those line of business applications, which ones are easier to practice proxy with? Which ones are maybe a red flag to be [00:16:00] like, Hey, you’re going to have to use their support.

Well, that’s kind of a grab bag, but just if somebody was like, how do I look at my applications and know whether this is going to be a problem child at work it’s…

Kyle Etter: fairly easy.

Um, a lot of those, you know, accounting for any of your counties. And so it kind of falls in the ERP side of it. Do you want it to get into those things? Um, I won’t name anyone by naming the ones. Um, and obviously some things that are custom-built side with it. Um, and even some of it is just the data workflow that some organizations have evolved into how they’re using, you know, your Word and Excel documents, their files share structure.

Companies have evolved over the decades of, of how they’re using just, you know, uh, unstructured data that just sits on a file share within it. Um, in very unique ways, ran into those things and they have very unique processes with all the print and share and execute a [00:17:00] workflow within their business side of it.

So, um, you know, it could be very far-reaching, uh, and for an MSP to walk in the door and just have, you know, Th there’s no magic sauce to just say, boom, we get it. We understand everything. There’s it, it takes, you know, it takes time and certainly to go deeper into those things. Again, we have to rely on the vendors or somebody onsite to champion those products so that we can make sure that the systems are operational and healthy, and available.

Up to the point of, then once it’s in the application, it gets much more complex, but that just requires a lot of collaboration and making sure that you’re talking, which I think circles back. I think the importance of the local, because you need that regular cadence and communication to keep everybody on the same page, just as you would, if they were internal, you need to make sure that the teams are talking, whether they’re external, not, you gotta have.

And [00:18:00] that’s definitely what we’ve seen over the years is just that they need to w when we’ve seen things start to become problematic between our services and the customer increasing the cadence between our managed team and the customers’ teams. Resolve those challenges, whether we go to a weekly call and then make sure things are quieted down because some system upgrade went through, there’s a spike in calls.

Users are upset. The customer comes upset and starts talking more or accuracy things start to get back on track. People are collaborating better, and then you start to move forward. So it’s not that much different than what you do internally between departments things aren’t working. You got to get people meeting.

To resolve things. And that’s, you got to look at your MSP, and that way it kind of extension to say they don’t have a crystal ball. They’re not going to feel walk in and see things under, you know, behind the curtain. So you gotta, you gotta get people talking.[00:19:00]

Rob Cramer: Uh, one of the things that came out of college that came to my mind was, um, uh, you know, we talked about the calls and the Cades and stuff with the customer, um, to be clear, it’s not always an IT person. We’re talking to the customer when, when we’re talking about those applications, that who’s, that point of contact is for the, for the, um, the line of business application.

Sometimes that is the. The accounting person, sometimes that is the office administrator, but they have the knowledge that local application that, that there is interface locally on-site for that support. Uh, when we’re, when we’re troubleshooting.

Kelsey Sarff: No, that all makes perfect sense. And I know it can be, right, a whole deep dark hole of it’s hard within 30 minutes to say, “Hey, here’s all of the things that you can look at.” But in that vein, if you had to really high level say I have a business, I’m looking at MSP. When would an MSP maybe not be the best fit and when should I maybe look to hire somebody internal

Rob Cramer: boy, that’s a tough question.

Um, [00:20:00] There are a lot of different things. I think that play into that. First of all, um, you know, what’s your technology environment like today? Um, is it fairly stable? Is it, um, is it functioning and providing the resources you need to do, your business moving forward? If it’s just kind of hanging on, buy, buy, buy, buy a shred of life.

And it’s kind of about to die. That may not be an indication you want an MSP, but rather just a technology part of it can come in and help you kind of bring some new life into that. Get it up to upgrade it, get it stable. Um, and then to maintain it going forward. You would want to look to an MSP, somebody who can help you, um, as you look to the future to make sure that things are again, patching it, that they’re healthy, that you’ve got, you know, good, uh, security in place.

Um, and then as new things come around and we understand your business, we should be able to work with you during things like quarterly business reviews to say. Here are some things you should be playing for. Did you know that Microsoft server 2012 R two [00:21:00] goes into life and in October of 2023, we should be planning an upgrade?

We should be looking to make sure that we’re staying ahead of this so that we can do it in a controlled manner and not get blindsided all of a sudden and have to scramble because that’s always going to put you in a bad situation. So, um, if you’re, if you’re in a good situation today, and you’re just looking for that, that help, that, that kind of, that, that security and that, that support to keep things.

It’s a great time to start talking to an MSP. Um, if you’ve got to look like an IT person and you go, you know what, this person’s going to be out for a period of time, they’re gonna take some vacation. They want it, they want it. Some, you know, they have a personal life too. They can’t always be available. I need somebody to help them to augment them.

That’s another great reason to look for an MSP. Um, you know, we’re not there to replace that IT person, we’re there to be their partner to be their henchmen, if you will to help them keep that environment working. If coming to an MSP and saying, Hey, my environment’s a complete mess.

I need somebody straight into that. Somebody who’s holistic. Like, like [00:22:00] we are, we can work with you. We can work with your environment. We can get you upgraded and then transition that into our maintenance and support and managed services. So there are a lot of different things that can play into that.

Um, is there one right time for every company now that you kind of gotta look at it and say, what are my needs? Uh, am I, am I growing to the point where I don’t know how to keep this functioning? I don’t know what the future holds. I need some, some advice then it’s probably a good time to talk.

Kyle Etter: Yeah. Yeah.

I think it’s very far-reaching, but I think Rob makes a very good point. What I’ve seen from customers. If, if, if they’re, if you’re looking at the MSP and you’re thinking it’s there, they’re going to go into that managed service contract is going to alleviate all your IP problems and you have a lot of it problems that are not going to be the fixed.

You know, Y you, you may have had somebody else managing the, it, whether it’s another managed service provider, or it was somebody internal or an independent contractor. If the IT budget wasn’t realistic if you were not [00:23:00] investing in the correct IT infrastructure. And that is the reason for the issues, just switching to another provider or bringing an MSP.

And there was not. That by itself, fix it. You’re going to have to, you know, allow for, and have strategic conversations to make sure that you’re investing in the IT infrastructure to make it work right. The customers that we work with. Uh, continuing to invest in drive the most value out of it. Invest in there.

It, it, it, it is not inexpensive. It’s not something that needs to be managed for the least cost possible. That has never been a successful model. I’ve done this for over 30 years. The customers with the least cost is never proven successful. I’ve never seen it. Um, why there can be some costs. Benefits of the MSP side of it.

Again, we mentioned some of those on providing the platform, providing the augmentation, providing those things. That’s just working smarter and using, you know, people in their right [00:24:00] seats to drive the most value out of your IT spend. And, you know, it can definitely be done in those customers that we engage with that do that, you know, there’s tremendous synergy and they really drive their it systems and we see them actually produce better results for their customers in that.

The end goal, you know, and that works. It looks tremendous side of it. So, you know, take a close look. My advice is to make sure you have a realistic budget for this.

Rob Cramer: Technology is a tool it’s a tool to use in your business to help your business, to move forward, and to service your customers. And just like any tool, you gotta take care of it.

If you don’t take care of the tool, it’s going to fail you when you need it. The most.

Kelsey Sarff: No, that makes perfect sense. Right? There are all of these tools, all of these options, and just kind of wrapping it up for today’s discussion, because I feel like we could probably turn this into a whole series of, I could go on so many changes.

It’s about all of these things, but let’s say that I am looking at somebody and I’m looking at their tool set, and I’m looking at all of the in-house services beyond, right. You go to the MSP website and they’re like, we can do printing and we can do [00:25:00] all of this and your brain goes, do I need all of that? And again, I’m sure it’s custom to the customer, but is there something that if you were looking at the checklist and you were being like, okay, what are some of the kind of differentiators between MSPs that are maybe red flags or things that you’re like a pro tip?

That’s a great thing to have.

Rob Cramer: I think in, in this, um, in this current, uh, environment that we all live in, um, uh, any provider that you’ve partnered with, any MSP that you look at, uh, really should have a strong security focus. You want somebody who’s going to be looking out for your environment to make sure that we’re doing the right things, to keep you as secure as possible.

Um, that, so their tools should reflect that. So if they’re not using, um, current tools, things like an in-point detection response, or what’s called EDR. Um, you know, traditional antivirus is fine, but EDR is really, um, you know, uh, an important factor for securing those endpoints. Um, and again, it’s really the recommendation that, that I would expect most MSPs to be making to their customers today.

So [00:26:00] looking for a customer for an MSP company that has a strong focus on keeping your environment secure, as well as being able to support you, um, around the clock when your business needs it. Uh, I think those are some of the key factors that you should be doing.

Kyle Etter: Yeah. I, I think having the managed service provider, having security trained personnel on staff is also, you know, in 2022 and incredibly important.

Um, you know, just because nobody has a good us security incident, free card, it seems there’s a lot of things that come through there and having, you know, experts to go through those things. And. I think it’s an important point. Not all MSPs are equal. I know when you see the proposals that look very static, we all present very similar things in a little different manner, but it can be confusing, you know, ask about how the.

Oh, they secure their systems. Ask how their staff handle these after hours? How do they handle a [00:27:00] security incident? If it were to occur, what would they do? Um, you know, I vet those out. Um, if, if they’re too small for your needs side of it, you’re going to find a pretty large gap there.

And that’s going to be, you know, strenuous on, uh, in a critical situation to make it worse. You know, and ask how they approach the IT budgeting side of it. As another thing, as we just talked about that side of it, do they help with having realistic budgets that are strategic and aligned with the business?

So you have predictive spend as much as possible with this. That brings in the security, uh, and investment sides of those and the operational budget and just the overall support of the systems. How do they account for it? How do they do it? And then how do they secure the systems? Because MSPs, in this side of it, we all know that we’re under, you know, under the scope of the, of the, of the threat actors to come after, because there’s, you know, we have access to system sides of that.

So [00:28:00] if your MSP is not. You know, you’re opening yourself up for an issue there as well. So just stuff that you want to definitely ask to make sure that they have things covered. Um, we’re a SOC two type two. We went through that certification. We invest in a tremendous amount of tools, sides of those.

The EDR Rob mentioned is, you know, definitely one thing we, we rolled in early last year side of that, into the platform side of it, because you need to keep evolving these. It’s well beyond just patching and the ability to remote control and 22 is what you want your MSP to be.

Rob Cramer: That sounds like it routes up really well. I’ve not got a lot more to say on that topic.

Kelsey Sarff: Like, and that’s the cherry on top, and no, as I’ve mentioned on this one, I feel like we could talk with both of you and multiple different series. I’m hoping that this sparks good questions for people where people are like, “what did you mean by that?”

And that we can turn it into a whole other series, but thank you both for [00:29:00] sitting down today, what is an MSP? All for good things, but how do people get in contact with us, if they do have those questions, they can. It’s or they can head on out to our podcast page, which is

There’s a form on there. You can send us an email, or call us. These guys love to talk. If you haven’t caught on by now five episodes. And we’re like, yeah, we can talk all the time. We just keep ourselves on a timer for these. So we’re going to be back next week with another episode, but thank you both so much for joining another tech for business podcast.

Technology For Business Podcast Season 1 Episode 4: Budgeting Migrating to the Cloud

Join Kyle and Jake as they kick off our first budgeting discussion by discussing budgeting migrating to the cloud. They’ll talk at a high level about understanding your current technology environment, designing a future cloud environment, and setting up a migration timeline.

Listen now

Have a question for Kyle or Jake? Email

Technology For Business Podcast Season 1 Episode 2: Technology planning for SMBs

Join Todd and Scott as they answer the question “How can the small/medium business better align their business goals with the technology solutions and what is required to support those goals?

Want to connect with our speakers? Email or call 651.255.5780.

Technology For Business Podcast Season 1 Episode 1: Multi-Factor Authentication (MFA): The basics and why does my business need it?

Join Todd Sorg (COO and CISO) and Nate Schmitt (Director of Cybersecurity) from CIT as they chat about all things MFA. Whether it’s examples of MFA/2FA or addressing employee concerns when implementing MFA they’ve got advice for your small to medium-sized business.

Want to connect with our speakers? Email or call 651.255.5780.

Listen now


00:00:01 Kelsey Welcome to the first CIT tech for business podcasts. Today we’re sitting down with Nate and Todd and we’re going to talk about multi factor authentication, our first acronym, we’re kicking off strong MFA leading in you guys. First off, let us a little bit about you and what is MFA

00:00:18 Todd Thanks, Kelsey, I am Todd. I am Cit’s chief operations officer. I am also our chief Information Security Officer. I’ll let Nate introduce himself and he can kick off the MFA overview as well. 

00:00:31 Nate Yeah, and my name is Nate. I’m our director of cyber security here at CIT. Just help oversee the operational components of our department.

So multi-factor authentication, also known as two factor authentication, is really the core is basically another form of authentication and there’s multiple variants to this, but essentially it’s a mix of something that you have something you know and something that you are and as long as you have two of the three of those to log into a system that’s what multi factor or two factor authentication is. 

00:01:13 Nate 

So what does that look like for something that you know is something likely going to be like a password or something like a PIN code? 

Then there’s something that you are. That’s something that’s going to be like biometrics. So for example, in order to log into some computers, you need to touch your fingerprint or you know you see things on you know some of those crime shows where they’re doing the iris scanning to get into the secure facilities. That’s something that you are. 

Then there’s something that you have, and this is where this is most common in business.  Uhm, due to you know, privacy concerns with the biometrics and everything, but something you have is something that’s going to look like either your cell phone and, you know, in order to do like a push notification to it, it’s going to be something that could be a USB that you have to plug in. 

So I have in front of me. A hardware token that, in order to log in after I put in my password, I plug this into my computer.  I touch it and it just activates and sends off another code, so that’s another form. Then they even have ones, I have another little hardware token in front of me which looks like a little credit card. This is something where it has little battery in it. I click on it, it generates A6 digit code and then from there I enter in that code as well. 

So I put in both my password and a code from something that is in my possession, so that’s what multi-factor is in general. 

00:02:51 Nate 

Where is it used is a whole different discussion, and I’ll let Todd take that over. 

00:02:58 Todd 

But I wanted to back up just to hear before we went too far where we use it. 

It’s been around for for decades.  It’s not a new technology.

People have been using it for banking where you get a text message. Or something along those lines, and that’s typically referred to as 2FA, but the reason why? 

What reason why I interrupted Nate is I just kind of wanted to kind of back up and say why do we use it, right? And the biggest reason that typically comes up and everybody that’s here can kind of expand on it. But what ends up happening is that people typically have issues with passwords. 

Passwords are painful, they’re difficult to remember, so people tend to make them easy to remember, and that’s, you know, your phone number, your childhood best friend, whatever it is your pet and what makes matters worse is that people then use that password everywhere. And if you’re looking at social media or LinkedIn, your work, your work, email and accounts, etc.  More often than not, most people tend to reuse it over and over and over. 

00:03:52 Todd 

Again, inherently what ends up happening is if something ever happens and it could be anything from if you’re in the Twin Cities, there was a Star Tribune hack, there was also a hack that happened on the the meters downtown Minneapolis where they were able to take account names and passwords and post that on through what’s referred to the dark web, and once that’s been out there, if you’ve ever had that information harvested from you, it’s now out in the wild.

So how do you protect it? 

That’s where multi factor comes in. 

So I just wanted to make sure we covered that piece real briefly, so we’ve got that whole picture of what it is, where it came from, why we’re worried about? 

But the answer is, passwords are bad. People hate them, and we could get into that a little bit later on. You know, what can we do about it?  Can we rely more on biometrics at some point in the future? But it’s a little bit off topic of where we’re at at the moment. 

Uhm, where most people will try to implement a multi-factor authentication tool set.  Is anything that’s quote-on-quote “Internet facing” more often than not, one of the larger threats that we’re seeing in our business, and this has been true for for years we’ve we’ve been kind of banging the drum on multi factor for about five years at least. And that’s how I bet that’s the idea. So you could kind of see a correlation there, but email is probably the biggest, so Microsoft has done a really nice job of pushing everybody in the cloud. Google is doing the same. They’re huge providers. 

Once people move their email to the cloud, some of the inherent security that was in having email inside an organization started to be exposed to the Internet. 

And typically most people were signing in with the email address. Which is more often than not, first name, last name, first letter, last name or vice versa, and and then at the company, so that part is super easy to figure out and then you just start going down the list, right? It’s winter, 2022 exclamation point and so on. Then I’m in. 

So in order to protect that that’s where multi factor is coming along. 

00:05:47 Nate 

Yeah, a quick stat that comes to mind. So this was all the way back in 2019, but Microsoft did push out an article, and I’m sure that the numbers have only increased since then, just given the nature that people continue to move to the cloud. But back in 2019 Microsoft put out an article that said their login services for this or their cloud services have attempted logins over 300,000,000 times a day that were fraudulent, and so the article is saying if you implement multi-factor authentication on the accounts it reduces the risk of account compromise by 99.9% right it it’s. 

Everyone, there’s a couple different attacks that people are going to take to try and get to your account fishing. You know, we’ve talked about fishing here at CIT many, many times, but fishing for those that don’t have the full understanding on (phishing) that is an attacker will send you a fraudulent email attempt to elicit your username and password, and then they’ll use that to then log into your account so it’s a fraudulent way of capturing your credential. 

That’s one method, one of the other common methods which for example Todd had mentioned is password reuse. 

If you’re compromising one account, you reuse the same password and it’s leaked out on the dark web you take that and go attempt to log into other services with that and then the last one is just what they call password spraying so you just or password stuffing. You just attempt to push as many passwords as possible for a particular user until one is successful, right, and by having the multi factor, all of those methods are defeated. 

Uhm, there is some considerations to take into play at which we can get into a little bit later too, but, for the majority, if you just implement multi-factor, you reduce about 99.9% of all attempts to log into the system fraudulently. 

00:07:54 Todd 

But you kind of mentioned that already about the statistics. Do you have a rough idea of what number of attacks are coming from email so we can use our own examples of what we’re seeing most of our customers suffer? Does it typically end up being in the the world of cyber security? They refer to it as business email compromise. 

Do you have a sense on how many attacks we see coming in through email specifically? 

00:08:22 Nate 

Even if we take a look at CIT systems, if I pull up any given day, there’s hundreds of them, right? It’s it’s just the simple fact of the password.  Spraying is real, right? Everyone has our email addresses. It’s entered in someone’s database dump, right? Because for example, if we continue to push on things like the Star Tribune or the Minneapolis, the parking that was compromised, right? And they had the email addresses. If you have ever used your work account for that it’s floating out there. t’s on a list. People are just going to attempt it with all the common passwords. There’s some big password lists out there that are known to be highly effective because people tend to just pick bad passwords across the board so, yeah..

…it’s hundreds of times a day for any organization, even if you’re small. 

00:09:18 Todd 

Yeah, yeah, I think that’s great. It’s a great key.

Once Upon a time we were used to talk about organization sites and people used to say hey, I’m way too small to be attacked and and that really isn’t the case anymore. 

Statistically, it’s something along the lines of 5660% of all attacks happen against small businesses, and the reason is because it’s easy, they don’t always have the wherewithal, the technical, technical ability to understand what they should be doing, and so on and so forth so the attacks are real and it does impact everybody. 

I’m sure people see it even happening at home. I get stuff from PayPal and Apple and you name it, I get attacked all the time that I need to click on something or reset something all the time. Uhm, staying on statistics. The reason why I ask Nate about the percent of attacks is I think it’s still somewhere in the high 90s of all attacks that are coming in tend to be fishing and that’s somewhere in the high 90s. 

And as he mentioned, if you can protect correct services and your identity with 99.9%. I mean that’s significant, right? And and the number one tool being MFA. 

There are some statistics we can share this out to, you know, you probably for those that are listening, won’t be able to see this, but we can share it in the channel. And if you’re interested, we can find ways to get you the information as well, but there was the United National Cyber Security chief said that 80 to 90% of all attacks, not just email. All attacks can be circumvented by having multi-factor in. So how we started out? This meeting is what is, but what’s the threat and what are you doing about it? 

Ultimately, that’s why we keep talking about multi-factor authentication. One last statistic, in case you’re wondering, well, sure this has been something we’ve talked about for years. We’ve got it statistically, there was 55% of all organizations have multi-factor enabled only 55% so only half and even in those cases a lot of times people are. Very picky and choosy on how they do it, so they may only do it with their tech team. Or they may only do it with their administrators and so small number of organizations. I shouldn’t say small ’cause half US is a significant number…

…but half (of businesses) still don’t have it, so it’s a major problem and it is still where we see most attacks coming from and can be circumvented by putting multi factor in place. 

00:11:31 Tara

So Todd, maybe I have a question about that – You mentioned that there’s over half organizations that don’t have that. Why do you think that is? What barriers are they looking at (in order) to be like I I don’t have time to do MFA talk a little bit more as to why that’s the case. 

00:11:50 Nate 

I think that right your question answered one of them. They don’t see that they have time to implement it, right is. Often these are slightly lengthier engagements. You know, it doesn’t need to be complicated, but the more time you put into ensuring that it’s a smooth process, the smoother the adoption is going to be.It’s easy to just to go into a system and say everyone has it on. 

That’s where your user friction is going to come into play, and absolutely everyone is going to be upset that day as they are trying to sign into things. 

So user adoption is. One of those items that you need to be pretty cognizant of when you’re implementing it. There’s also some additional strategies that you need to take in order to actually implement it successfully. 

So for example, if the user friction is, “I don’t want to put this code in every single time I’m logging in.”

You can do things to say well, maybe let’s bypass multi-factor from within the office right there is. (There is) some residual risk there that maybe the organization is willing to accept because, for the most part, if someone does have the password and they are attempting to log in, it will likely come from outside of the office. That doesn’t mean that maybe that user’s computer is compromised and there’s a some type of script that calls in from internally, but again, the likelihood is significantly. 

So if your employees are constantly working from the office, you could still bypass multi-factor. 

The larger you put that bypass you know, maybe it’s the the state the the country, right? The bigger the risk becomes, but there are strategies that you can implement without. 

I’d say the other (user friction) one is cost.

there’s a lot of different multi factor solutions out on the market, so if you’re only looking at doing something like email, all of the major email providers now are implementing it or offering it for free, right? You can implement it in Office 365 G suite. There’s no additional cost. 

If you’re looking to use some type of third party service. Then you’re going to start seeing those licensing costs for you know more of a per user cost there. The the other component that I would say is – how far do you want to implement multi-factor across the organization, right? 

You know Todd mentioned that the most common one that’s going to be abused is going to be your email system, so start there. Then you can start looking at other services as well, such as your VPN critical business applications. Once you start wanting to implement multi-factor on those additional systems, that’s where some of the paid services come into play, because they do extend out to additional services and different protocols. User friction cost. 

I think the other big (user friction) one that I’ll let Todd maybe expand on a little bit more is executive buy in. 

Yeah I I would say the two things that I would say by far are the biggest thing that I see as resistance is more often than not when you go through it you are going to put a little bit of friction in between your employees and and them getting work done. 

00:15:21 Todd 

Uhm, the typical pushback that you will get back from that employee is (action description – I’m holding up my phone This is my phone.) The company doesn’t pay for it. I am not putting your business application on my phone. 

The reality is, there are ways to start to build up the the adoption right? So you can be a little forceful with it and you say, OK, great, well we’re just going to give you a token. We’re going to give you a business phone and bear with me when I walk through some of this because I’m not actually encouraging you to go out and buy 100 phones. But when you start to go hey employee, I’m going to give you 2. I’m going to give you a phone and they’ve got their own person. 

They’re going to think, “I don’t want two phones just to avoid putting in the six digit code”, and they’ll usually adopt it. Or you give them a token and they’re like, “This is inconvenient. I have to make sure I have it with me when I’m logging in from home. I gotta go grab my keys ’cause it’s on my keychain.” Whatever the case may be, that’s usually where they’re kind of pushing back and then inevitably what ends up happening is you go OK, well, here’s a solution, here’s a solution, here’s a solution (action descriptionholding up fingers to count all three items).

They’re (the user is) like, “The reality is, it’s it’s so convenient to just have it on my phone that I carry with me everywhere anyway. I’ll just go ahead and do it and the reality is, it’s not really all that complex.”

It’s not a heavyweight thing, it’s not dipping into any of your personal information. It’s just an app and it’s only doing a couple of things. It’s either generating A6 digit code or longer or it’s pushing you with content that says is this you.

When it comes to Executive adoption (the thought is that) it is inconvenient. 

A lot of people don’t want to be bothered. I’ll give a good example. And as I said, multi-factor’s been around for ages. Back many, many years ago in the early 2000s I had joined in organization and the very first thing I did was (our remote connections is really insecure.) (say) “Let’s implement multi-factor”, and I implemented it. It probably lasted about a month before the CEO said, ” I can’t stand it. Turn it off.” uhm now? 

The security threats weren’t nearly what they are today, but I learned a lot during that time too, so one of those strategies, or several of the strategies Nate covered already is you start small

It starts (with) going well, let’s start with a small group that are my power users. Maybe that’s it and then you get a few other people that go OK. It’s working. It really isn’t that bad and you start to expand it or you. Less than some of the security requirements, as Nate said, you can make an area trusted it’s work, work as trusted I’ve got the adoption in. People are getting used to the fact that when I’m at work I don’t get prompted when I’m at home. I do OK. It’s not a big deal and then you go OK, we’re going to ratchet it up a little bit. We’re going to add another location. We’re going to add another application. We’re going to whatever, and so you can continue to build on the security and you can get that buy in just naturally. 

You know, probably many people have heard the term, and I don’t mean this in a derogatory way is, It’s a bit of a boiled frog scenario as as you start to do what they realize you know really isn’t that bad. Not that we’re trying to boil our employees, but you know conceptually is you just do it a little bit at a time and you’re improving your security as you go. 

00:18:23 Nate 

So one last user friction that I I wanted to call out that’s not as common, but it does come up from time to time is Union policies.

So if you want to have an employee start downloading an application on their phone or start carrying around, you know, a phone just for phone calls and stuff. Sometimes Union policies will say, well, you need to start reimbursing the employees for that. There is a cost associated with that, and so that definitely feeds into some of the other considerations.

That’s sometimes where hardware tokens come into play. You know it’s maybe a $20 hardware token, right, or that’s one time cost.  It’s not reoccurring, so you can still implement multi-factor without having to, you know, start reimbursing for cell phones or paying for the phones outright. 

It’s one that I don’t commonly hear, but on more of the the production environments you know, and I I’m not going to get deep into compliance here, but things like CMMC, right? It’s starting to ask for multi factor.  CMMC tends to be a lot of the manufacturing firms where there’s a lot of union employees so. 

00:19:40 Todd 

Yeah, I’ll expand on the compliance piece too. I mean, there’s a lot coming up. If you’re in any compliance industry, health care, finance, you name it. As Nate mentioned, manufacturing, it’s going to be something that you’re probably already experiencing. As I mentioned, you know you’ve been being prompted for an additional code from your bank for days for weeks, months, years, whatever the case may be, it is coming in. 

This is just me expanding a little bit, in my opinion…

…Compliance is coming and it’s going to be expanding over the next five years, so there are going to be reasons why you’re going to have to adopt something like this. 

So if the threat of cyber attacks isn’t enough, there are going to be other things, and you can already see it’s happening. So This is why I’m saying it. 

If you look over the last year, the Biden administration had come out and said the cyber attacks are getting worse and worse. We’re spending tons of money. We’re constantly under attack. What are we going to do about it? They built out an executive order and they specifically say you’ve got to have MFA, if that’s not enough, the insurance companies are doing it too. 

So if you’re looking at cyber security insurance and almost everybody is asking for it at this point. Uhm, they’re going to be looking forward as well. Uh, as I’m going down this compliance thing, I’ll wrap this up briefly and I’ll pass it back to Nate. But as you’re looking at the compliance thing, I was actually working with one of our customers and they were going through the insurance process and they don’t have any of the compliance from CMC Healthcare. Any of that. But the insurance organization had come in and they did what I would consider pretty much a full IT audit where they were looking at data diagrams. They’re looking at security protocols. I mean, it was everything, so I actually went on site and met with the insurance adjuster just to make sure that we covered all of the information. That we needed to cover and it was significant. It took an hour and obviously MFA is included in that. 

It’s kind of the way life insurance used to be where with life insurance you could just sign on the dotted line (and) off you went. You got a whole bunch of coverage and that’s changed over the years to whereas the underwriting is going (to say) now I need blood work and I need to wait. You and I need health background and family history and yadda yadda. 

It’s just gonna get worse, and where I was going with it… and like I said, I was going to wrap that up quickly and I didn’t, so I’ll stop talking and pass it back to Nate. 

00:22:02 Kelsey 

Yeah, can I interrupt for just just a hot second, as we’ve kind of gone down the compliance path and all of these good things. Kind of looking back at if you’re having user friction and you’re having people there, like, “I don’t want to do it. I don’t have this code pushed to my phone. It’s too much work.” Why is it effective at actually preventing? These attacks, what is it doing for me?

I’m like yeah I get it, I get the phone, I put it (the code or push notification) in and congratulations. So we’re saying yeah, it’s 99, or over 99% effective? Why? 

00:22:30 Nate 

Yeah, a good question there. Before I jump into that. While Todd was talking, I decided to go look at our system here just to see how many of that password spraying attempt I saw in our system in the last 24 hours. It was just shy of 200 attempts, right? I can see the logs, so again, we’re not a big company by any means. It happens all the time, so. 

Why is it (MFA) so effective, right?

So if I just called out, there’s nearly 200 attempts in the last 24 hours to password spray our environment there. The reason why it (MFA) is so effective is, even if a password is compromised the threat actor is not going to have the other form of multi-factor, or the the other form the second form, or the third form of multi factor. 

In order to get into the system so password I’ve showed this to people before is, I say here’s a dummy account in, like a Gmail or something, right? Here’s the password. I’ll give you 100 bucks if you can get into that, because I have the multi-factor keys here. It just doesn’t happen. I’ve never paid someone out, because they would have to retrieve that file from me or that hardware token from me in order to get into place.

So, where we typically see multi-factor fail is not the the technology in itself. 

It’s still the user. 

So there are websites that will try and capture the multi-factor token and pass it through to the legitimate site and then redirect the user so they’ll still log in, but it’s the user who has fallen for a fraudulent website, still entered in their password and given up the multi-factor code gave it both of them to the attacker. Then the attacker just goes logs in and you know there is a timing on these tokens where maybe they’re good for five minutes. Maybe they’re good for 15 minutes. It allows for users to have a grace period to access their phones sitting on the desk access the email, access the text message so if you give it up right away, and then you hand it over. Is someone immediately? They’re going to use it first, right? 

I I just worked with another organization where their multi-factor was a phone call, right? 

So this is actually a pretty common attack method at the moment it’s called. MFA bombing.

So what you do is you just bug the user enough until they just say “I can’t take it anymore”, accept the phone call, and that was the phone call that was the MFA prompt and the attacker just logs in, right?  

So in the instance that I was looking at with that other customer, it was attacker tried to log in, was prompted with a 6 digit code. They weren’t able to get that, so then they switched over to the backup which is a phone call. Sent the user a phone call. It failed because the user didn’t accept it. 30 seconds later sent another one. It failed. Sent the next one. The user said “I’m sick of this call” accept, and the attacker logged in, so yeah. 

00:25:47 Todd 

Another one I’ll throw in. We don’t see this as often in the endpoint of this is you still need training when you deploy the tool, but we have seen people that have deployed the push technology so that is when you log in and you get a push to your phone that says was this really you? You know we have had people that have been attacked where someone was like, “yeah, I just logged in” and they’ve allowed the attacker in even though they didn’t personally sign in. So there is kind of a training aspect that goes with it. 

Uhm, one last thing that I kind of wanted to dive into – I know we talked about the threats and the attacks and whatnot, but as we’re wrapping this up I just kind of wanted to kind of re illustrate some of the real concerns and and ultimately I we talked about compliance. We talked about the threats we talked about all of that stuff. The reality is the reason behind that is because of the cost, and the cost is built up from a lot of different things. 

From the ransomware, if you get attacked from ransomware, ransomware more often than not they started nowadays. They started around $1,000,000 and they start to get talked down to something real. It includes downtime, it includes unproductive employees, etc. Statistically, the last time I looked at it we were somewhere on average, so that’s average across all SMB market, not you’re a bigger company. You get bigger ransomware, etc. It’s about $500,000 down time, about two weeks, so that’s fairly significant, and if I can deploy something like MFA and protect 90% to 99.9. It’s something you really gotta start to consider and go, “boy, I can reduce my risk by $500,000 in a given year. 

That’s probably (worth it for) something that’s little bit of friction, a little bit of build up. We can find a way to move forward. It’s a good way to start looking at it and thinking about it and go where do we go from here? 

00:27:33 Nate 

Yeah, and the one thing that I’d add to that is the cost is going to be dependent on the the application or system that the threat actor is obtaining access to, right so? So Todd was mentioning ransomware that could have been multi-factor on a VPN for example, right, someone had a compromised password, attacker gets into the VPN. Most companies don’t have a dedicated demilitarized or DMZ zone for VPN users, they just say once you pass through, you have full access to the network. 

That’s where those ransomware costs are going to come into play. 

It could be something like your email system, right? Someone in there just obtaining data. Maybe it’s a fraudulent wire transfer that they’re trying to set up, whatever that number is it could be 10,000, I’ve dealt with the ones that are $500,000 wire transfers, right? 

It’s just a matter of; What are they accessing? What are the costs? and whatever…

…the ransomware remediation costs are I promise that it’s far more than the cost of implementing multi-factor at the end of the day.

00:28:39 Todd 

Yeah, so so kind of as a last thought from me (and Nate can jump in on this too If he’s got any) but the last thing I have is we did talk about, sometimes there’s friction, sometimes there’s a technical hurdle, if you will, beause there are ways to go about it, there’s paid solutions etc. Obviously if you need help, reach out to your trusted partners. There’s a lot of help out there or there course you can go do your Google searches as well. 

So in the end when you need help, reach out. Reach out to those (technology partners) that you trust and you can get some good support from. 

00:29:07 Nate 

Yeah, I I guess my final closing thought is:

Everyone scared of user friction, but in almost every case, it ends up being more of a concern that doesn’t always come to fruition, right, is that the impact is actually fairly minimal if you implement it correctly. So, a lot of those concerns are unfortunately, just not fully grounded based on facts, right? Just feelings. 

00:29:41 Kelsey 

Awesome, thank you so much Todd and Nate for sitting down and chatting about MFA and all of the things that we could go into it. I’m sure that you guys would love to chat with anybody for an extended period of time about any of this that we could tangent on a lot of things. But that wraps up our first Tech for Business podcast here today. 

If you guys have more questions that you want to ask feel free to reach out to or give us a call 651.255.5780 or we’re also online at, but that’s our little marketing spiel on there that. 

We’re here to answer your questions anytime about any cyber security needs or technology for business, and we will chat with you guys next week. 

Is Your Company Ready for a Cyberattack?

Is Your Company Ready for a Cyberattack?

Can you ever be ready for a cyberattack—yes, you can!

Asking if you are ready for a cyberattack is like asking if you are ready for an accident. When an accident occurs, you can have insurance and the coverage you need to take care of the problem—with a cyberattack, if you have a cybersecurity partner on your side, you can do the same.

If you are not already prepared for a cyberattack, it is imperative you understand the serious and imminent dangers of an attack.

With global cybercrime damages predicted to cost up to $10.5 trillion annually by 2025, having a quality cybersecurity service is no longer an option, it’s a requirement. Hackers are coming at your company from all angles, intent on stealing (or holding hostage) your most valuable assets, and you need to be ready.

It’s no longer a matter of, “you should probably do something about that,” it’s a, “you NEED to make the necessary adjustments as soon as possible,” and here’s why.

Cybercrime costs organizations $2.9 million every minute, and major businesses lose $25 per minute as a result of data breaches. It takes 280 days to find and contain the average cyberattack, while the average attack costs $3.86 million. Companies in the United States have the highest average total cost at $8.64 million per breach, and it is estimated that half of all data breaches globally will occur in the United States by 2023. If you haven’t already, take a minute and look at one of the many cyber threat maps to see how many attacks are detected every second—there are hundreds of thousands every day!

That’s why you need to understand what kinds of threats you are up against and how your defenses will fare.

A cybersecurity partner can help ensure the safety of your company’s most critical assets. The reason to rely on a cybersecurity partner is because teams like ours are full of cybersecurity experts who have the extensive education and experience needed to combat various types of cyberattacks. If you have some kind of cybersecurity product installed to your network of devices, you are going to be able to prevent a good number of attacks, but without an expert who constantly reads reports and anticipates the different attacks, you are at risk. Experts don’t need to turn to an incident response manual every time there appears to be a threat. You need a team to be on constant lookout for things such as zero-day attacks and other unseen threats that may appear.

Attacks can come from your cloud, servers, firewalls, SDS systems, personal devices, and more.

With a threat detection solution—such as Security Information and Event Management (SIEM) continuously monitoring your environment—you’ll not only get preventative software, but real-time notifications on serious threats, not false positives. In addition, if an attack is detected, our team of experts will start working with you to find a solution within minutes of an attack.

Analysis finds that 80% of data breaches can be prevented with basic actions, such as vulnerability assessments, patching, and proper configurations.

Although the reality of cybersecurity threats and malicious attacks is challenging, CIT is here to help you realize your cybersecurity capabilities and risks and provide recommendations for improving your overall defense in-depth for the best possible cybersecurity outcomes.

Let’s discuss!

Not All MFA is Created Equal: Advantages and Disadvantages of Common Forms of MFA

Not All MFA is Created Equal: Advantages and Disadvantages of Common Forms of MFA

If you’ve spoken to anyone in the cybersecurity industry in the past few years, you’ve probably heard at least once “multi-factor authentication (MFA) is one of the best things you can do to protect yourself and your organization.” But what, you may be asking, does that specifically entail? MFA comes in all different shapes and sizes and like anything else in the cybersecurity and technical worlds, there is a fair amount of nuance in the available technologies. There are many things to consider when attempting to determine what type of MFA is best for you and your organization, including security, ease of implementation, ease of use, cost, etc. Let the below information serve as a high-level overview of those considerations for the four most common forms of MFA: SMS OTP, software TOTP, hardware TOTP, and push OTP.

SMS One-Time Password (OTP) 

  • Description: a random, numerical password, usually six digits, sent via SMS message to a designated mobile device. The password can only be used once.
  • Advantages: easy to implement and better than no MFA at all. It can also be free or inexpensive to set up (disregarding the cost of the mobile phone).  
  • Disadvantages: requires the user to own a mobile phone that can receive SMS text messages. One of the least secure forms of MFA (see Vulnerabilities).
  • Vulnerabilities: susceptible to SMS intercept attacks, wherein the text message is “intercepted” by a cyber attacker who receives the text message instead. SMS intercept attacks can be accomplished in a variety of ways, including SIM-swap scams, mobile number port-out scams, and SMS-stealing malware. Several high-profile security breaches have occurred over the past few years that were the result of SMS intercept attacks, including the 2018 data breach at Reddit and the 2019 compromise of Twitter CEO Jack Dorsey’s Twitter account.
  • Other info: SMS OTP was deprecated by the National Institute of Standards and Technology (NIST) in 2016.

Software Time-based One-Time Password (TOTP)

  • Description: a random, numerical password, usually six digits, generated via an authenticator app installed on the associated mobile device. The code regenerates at regular intervals, usually every 30 seconds, and each code may only be used once. There are a variety of authenticator apps available, including Google Authenticator, Duo Mobile, Authy, etc.
  • Advantages: more secure than SMS OTP and fairly easy to deploy, though not as easy as SMS OTP. It is can also be free or inexpensive to set up (disregarding the cost of the smartphone).
  • Disadvantages: requires the user to own a smartphone and install a mobile app. The security of software TOTP is heavily dependent on the authenticator app being used, as well as the parameters specified by the authenticating server. TOTP relies on a shared secret key that is portable, often shared via a QR code, which makes it susceptible to cloning.

Hardware Time-based One-Time Password (TOTP)

  • Description: a random, numerical password, usually six digits, generated via a hardware token, like a key fob or smart card, with a digital display. The code regenerates at regular intervals, usually every 30 seconds, and each code may only be used once.
  • Advantages: very secure, as most hardware tokens are difficult to compromise remotely. The use of hardware tokens does not require users to own a mobile device or smartphone or install an authenticator app.
  • Disadvantages: can be very expensive (~$15+ per token). Hardware tokens can be difficult to deploy, as they are set up using NFC, which can be temperamental to use. The hardware tokens, which can be quite small, can be easily lost. Additionally, some hardware tokens, such as Yubikeys, require a physical connection to the device attempting the authentication and are thus not compatible with devices that do not have the token’s connection type (i.e., USB-A, USB-C, Lightning, etc.). Hardware tokens with more than one connection type are available, but they tend to be more expensive.

Other info: Push One-Time Password (OTP)

  • Description: a push notification is sent to the user’s device via an installed mobile app, giving the user the option to approve or deny the authentication request. The push notification usually includes the context of the authentication request, such as the IP address and corresponding location from which the login request originated.
  • Advantages: very secure, as the authentication communication is out-of-band and encrypted. Unlike TOTP, push OTP links a single device to the user’s identity, so it is not susceptible to cloning. It is easy to deploy and extremely easy to use, requiring only the click of a button to approve the request. It can be free or inexpensive (disregarding the cost of the smartphone).
  • Disadvantages: possible for users to accidentally approve fraudulent requests. It requires the user to own a smartphone and download a mobile app. Push OTP requires that the smartphone have an internet connection and it is a relatively new technology that is still not widely supported.
  • Other info: often used as a replacement for passwords. The push notification does not usually carry the OTP, but upon approval by the user, a unique OTP is generated internally on the device and sent back to the authenticating server to verify it.

Why should an organization consider using a security framework?

NIST framework

Why should an organization consider using a security framework?

Historically, organizations have invested significant amounts of time and budgets into their current security posture.  Up until recently, that posture was largely designed to protect the traditional office space.  With more people working remotely than ever, that security posture and program may not fit with the new requirements of protecting employees that may be working anywhere at any time. 

A security framework is designed to help organizations:

  • Understand their current cybersecurity posture
  • Define or update a cybersecurity program
  • Help communicate requirements and future state with stakeholders
  • Identify opportunities or needs for new or revised standards
  • Assists in prioritizing potential projects to help reduce risk to the company
  • Enables investment decisions to address gaps

What is NIST?

The National Institute of Standards and Technology developed its cybersecurity framework to strengthen the security of United States critical infrastructure.  Like most security frameworks, NIST can be applied to any sized organization in any industry.  The NIST framework includes five cores. 

Those are:  Identify, Protect, Detect, Response, and Recover.


Naturally, most security programs begin with the Identify stage.

  • Identify can include the review Inventory of assets, data, Users, Systems, and the boundaries of where all those items can be located.  After which, most will complete assessments, which may include gap analyses, a self-assessment or questionnaire, a review of the technical infrastructure, as well as potentially reviewing those of their supply chain vendors and partners. 
  • Assessments are performed to help define risks allowing the organization or that of its partners, to develop the appropriate security controls to address those risks.
  • Identify also includes the traditional governance process of building or revising security policies and procedures, change management processes, vendor management processes, and so on.


Once the identify process has been completed building a security program begins with defining and applying security controls to help mitigate the risks as well as help build processes to protect the organizations’ assets and people.

  • The Protect core focuses on building administrative and technical controls to protect data, identifiable information, and all company assets.
  • Some tools that assist with this function include building out Identity Management, applying a least privileged access model to limit users’ access to only what they need to complete their daily tasks.  Applying multifactor authentication (MFA) on external-facing systems, limiting access to management interfaces, continuously reviewing and remediating vulnerabilities.
  • Building out a cybersecurity training program that should include training of current threats and should include frequent phishing simulations.
  • An example of administrative controls can include ensuring no one user can approve a wire transfer without a second person’s confirmation.
  • Physical controls can include physical access management through locked doors, badging as well as the use of security cameras.

Detect Icon


As organizations continue to mature Detection and response capabilities become a priority.  The detection core is designed to help build a formal detection process for the various threats organizations face every day. 

  • Advanced Detection tools help gather information from disparate systems across the network, from Cloud environments, 3rd party threat intelligence, and system vulnerabilities.  Correlate that information providing event alerts and insights on a variety of threats.  Such as external attacks on systems, anomalous user behavior as well as helping with Data Loss Prevention.  Common detection tools include SIEM solutions, Endpoint Detection, and Response tools.

Respond Icon


As organizations mature their detection capabilities the next step would be to respond to detected threats.

  • Building out response processes and procedures is also a core capability of NIST. Cybersecurity Incident Response plan is a common 1st step in building out and formalizing response capabilities.  Understanding that over 94% of organizations had a security event in 2020, building a plan to respond is crucial to help the organization better understand their capabilities and outline how communications flow.
  • Once an Incident Response Plan has been developed working through a variety of tabletop exercises will help organizations validate and test their plan and capabilities.
  • Tools such as Endpoint Detection and Response are absolutely critical tools that need to be budgeted and deployed for every organization regardless of industry or size. 
  • EDR tools have the capability of detecting, shutting down malicious processes, quarantining, ability to remove the malicious file as well as potentially providing valuable logging capabilities for forensic investigation in some cases.

Recover Icon


Developing and implementation of a Disaster Plan is the final pillar of the NIST Framework.

  • In the event that all of the other tools and processes don’t stop an event from happening, having a well-documented and tested disaster plan is also needed for every organization.
  • Deployment of backup solutions that validate backups, replicates to the cloud, are configured properly, and tested is a requirement for every organization that has any sort of business-critical data, even if that data is stored in the cloud.

Regardless of whether or not compliance is a requirement for your organization, a security framework such as NIST can help provide a solid foundation, through the general guidance, for maturing your security posture.