Technology for Business Podcast – How Do I Budget for IT?

Join founder Chris Taylor and Sales Director Ann Mauer as they sit down to discuss the question “How Do I Budget for IT?”. They dive into the why, what, and how of SMB IT budgeting. Have questions you’d like to hear discussed? Send an email to or head over to

Have a question for Chris or Ann? Email

Listen now

Episode Transcription


Technology for Business Podcast

Tara Klocke: [00:00:00] Welcome to today’s C I T tech for business podcast. Today, we are sitting down with Chris and Anne. We’re going to discuss how to budget for it. So we’re gonna kick it off. We’ll have you guys introduce yourselves and throwing in a question for you. Tell us your best vacation destination.

Chris Taylor: Go ahead, Anne.

Ann Mauer: Hi everyone. Ann Mauer, director of sales. I would say my, my favorite vacation destination was just recently when I went to Greece. It’s a beautiful part of our world and the country is amazing and people are very friendly and absolutely, absolutely a stunning, stunning part of the world. How about you, Chris?

Chris Taylor: Well good afternoon, Ryan one. I’m Chris Taylor, one of the founders of CI I T been in the technology business for now 35 years, finding that hard to believe. Huh? Anyway 30 years running CIT as the organization, [00:01:00] another five years, I was in the system builder business. So lots of technology, my background, and my favorite place.

I’m gonna use two places because one’s just not enough. So the Amalfi coast of Italy is probably one of the coolest destinations I’ve been. And then anywhere in the mountains, in the Western part of the United States on snow and skiing in the mountains is another awesome destination.

Tara Klocke: I think all of ’em are wonderful.

It sounds great. When are we booking the trip to go is kind of my next question for you guys. Let’s go. Let’s go.

Ann Mauer: Let’s get it done,

Tara Klocke: but I’ll make sure we get back on track. So I’m gonna kind of lead us off with the question that everybody kind of wanna know is why is it budgeting so important to an organization?

Chris Taylor: Yeah. I mean, I think the, really the, the key thing with budgeting is have a predictable forecastable technology spend, right. Too many organizations go into. And one of the things that we hear from them is it’s, it’s too much roller coaster, right. Spend a lot, you know, there’s no consistency. So by at [00:02:00] least establishing a budget for your technology and, and technology going forward, we have a baseline that we base it off.

It’s not always perfect. It’s a evolution of a budget, but having a budget rather than no budget helps with smoothing out those highs and lows of technology.

Ann Mauer: Yeah, I would agree with that. And it’s imperative to control cost. I mean, at the end of the day and, and accurately forecasting, you know, the spend when it comes to staffing levels, support contracts with external managed service provider, all of those.

Come into play when you’re really looking at your total cost when it comes to it spend and being, I think more, more importantly with the pandemic, we’ve learned a lot about how do you control those costs and how do you accurately make investment in it to help you grow your business. And I think that that’s very important to, to that planning and that strategic budget budget.

Chris Taylor: And I think the other, I mean, [00:03:00] if we look back, it used to be that we would just go to our clients and customers and talk about buying new technology, the latest and greatest, the fastest, you know, it always, always spending, spending, spending on the latest today. Our clients really wanna understand. Why should we spend money on technology?

What is it doing for the core business? Not just buying faster, newer, but you know, how do we lifecycle manage? How do we, how do we do we really need all this horsepower? How do we be more efficient with that technology spend? So it’s much more of a business conversation around that budget than it is just buying new fast, cool technology.

Ann Mauer: well, and I think it’s also too changing the, the impression of technology too, right? We budget for electricity and, and gas and natural gas and those expenses that just become part of running a business. And I think shifting our clients to, to help them understand that if you’re not budgeting for it and you depend so heavily on it, [00:04:00] right.

That planning really needs to be executed correctly. Because it. If you take away the technology, how do we operate as organizations and, and having accurate spend associated to those costs is very important.

Tara Klocke: Great. That actually leads me into my next question. So we’ve kind of established it. Budgeting is super important to that organization, but how is the timing factored in of my budget?

How far do I look? What’s the forecasting look like? Can you guys elaborate on that? Yeah.

Chris Taylor: So most of our clients, we try to, we try to get ’em out to five years, right? So we look at 12 24, 36, 60 months, right. To try to help understand what that looks. It’s very difficult. I think to go out much more than five years, but we try to give them, you know, in the next 12 months, what does it look like?

What does it look like in the next three years? And then what does that really? That out far out five year look like? So we can try to [00:05:00] smooth out that angle budget. We may not spend it all in one calendar year, but it’s a, it’s a longer term budget, right?

Ann Mauer: And I think the timing of that is really associated to when manufacturers make changes, right?

When we have organizations running applications and Microsoft, for example, changes the operating systems. And, and, you know, Sunset some of those OSS it’s, it’s the timing of, of planning in advance of when that’s happening. So you’re, you’re not bleeding edge, but yet you’re still moving forward as the technology changes.

So it’s, it is, it’s a lot about forecasting and, and, and leaning on the manufacturers for when they’re going to, you know, sunset, you know, products as well is really important to that, to that to that.

Tara Klocke: Great. So I wanna know too is how, how do I start? What kind of percentage do I look at of my budget? What all is [00:06:00] considered kind of in that technology piece too, of, you know, do I look at CapEx OPEX? So if you guys can kind of talk a little bit more from a business side and then also from the technology side,

Chris Taylor: Yeah.

So there’s lots of, of budgeting mechanisms out there, right? There’s a, there’s a percentage of, of revenue in the organization that really varies depending on the industry, how much regulations involved, how high tech the organization is, what their use of technology is. There’s historical. We, we can always look back historically that 1, 2, 3, 5 years also to kind of look forward, we can use history, right?

It really depends on industry that you’re in what you have for internal resources, how you leverage external resources. Cause. Both the internal resources and external should be part of that budget. Right? So your employees, your resources, plus your contracted resources in the case of, you know, a partner like CIT.

So we really need to look at it holistically of, of not only [00:07:00] services, but what does that product budget like as well? And those are kind of two different components, right? What does the service component look like on an annual. Basis. And then what does that product spend look like? And that product could be staggered over that five year period, right?

Where it’s not all in one year. So lots of different. And you can, there’s lots of different methods out there, but you know, the big thing is have a budget, establish a budget. You know, it’s not so much concerning to what is the perfect budget it’s cuz every organization industry’s a little different, but establish the budget, try to get some accuracy around it.

And then look forward to that five.

Ann Mauer: Yeah. And, and I would say to just comment on that as well is based off of the industry, you know, the, the more compliance regulated organizations typically have to follow some more stringent guidelines to, to the services and the things that they’re, they’re doing in their environments from a regulatory perspective.

So understanding the [00:08:00] industry, understanding. What those requirements are, can really also help you identify what that spend needs to be. And I think too, it’s important to note the, the. The way that we compute today has changed. Right? And so we have the ability to leverage, you know, cloud as we, as we plan for our customers, right.

We wanna make sure that we’re being strategic and understanding. Does it make sense for certain components of their environment to move to cloud compute you know, that digital transformation into other services. And that really does then change the, how you procure that, that, that budget right. Moves more into an operating expenditure.

So all of those, those thoughts and, and those Kind of those initiatives really need to be planned for. But really understanding what’s available for customers I think is really important as well, you know, and, and sometimes it’s a fit and [00:09:00] sometimes it’s not, but at least evaluating where it makes sense.

And that kind of changes how you, how you budget for that, right? Because it then does move from a capital expenditure into that OPEX spend and making sure that, that, you know, organizations understand. Changes and they can plan accordingly for that.

Chris Taylor: Yeah. And if you look at some of the industry drivers, especially in these last five years and, and really over the last two years with you know, coming through and out of this pandemic the budgeting has become a little bit of a moving target, right?

We, we had a move. We had to move a lot of workload to cloud. We had to move a lot of workload to home offices. So, you know, our budgets changed quite a bit from pandemic, but even prior to pandemic, the, the budgeting around security had become a huge, huge component of that it budget. So if we take and we look at today, you know, security costs are.

The product costs, which typically our [00:10:00] industry can get more product for the same price or the same product for a less cost is now increased. So the price of the product has gone up. The price of labor’s gone up and the price of security has gone up along the way over these last five years. So. These budgets in the last, especially two years have really been taxed because there’s been so much change.

And then obviously the focus around security all costs more money at the end of the day. So we’ve been trying to help our customers just try to look out forward, try to get, you know, increases, especially around things like security are, are rapidly increasing and you have to get those into budget or else they’re hard for a lot of organizations to, to.


Ann Mauer: right. Well, and I think too, there’s the supply chain issues have, have really caused, caused some, some havoc for customers as well, even if they did have budget. Right. You know, the availability of goods is, is even more difficult to come by. So then that even becomes a more strategic planning as to when you’re going to make these projects [00:11:00] move forward based on the availability of the, the products and that you need.

Chris Taylor: That hasn’t helped. So

Tara Klocke: yeah, I think a lot of organizations, how to quickly make that change once COVID hit and kind of figure out what does this look like now? Cuz we gotta make something happen. But a question too is, you know, we’re establishing our budget, but who really owns that it budget? Is it our cross departs?

You know, is it at a sea level? Let’s talk a little bit about that.

Chris Taylor: Well, I, I think it’s across the whole organization, right? I mean, the, the cost of that in most organizations, most, every user has some touch with technology. So I think that budget is across the organization and that’s why you’ll see some of the.

The estimating tools out there based on organizational size revenue, percentage of revenue, number, number of people, things like that to try to spread that cost amongst the organization. You know, I think [00:12:00] it’s, you know, it’s typical that the, the financial person in the organization’s working pretty in tune with either the internal technology or the external provider to lay out that budget.

But yeah, it has to get allocated across the organization because it’s not just a single depart. That’s a cost center, right? It’s it’s a organizational cost.

Ann Mauer: And I think too, Chris, I think putting it into an a support per endpoint. Pricing model right at the end of the day you know, some organizations are, well, is it a total spend?

I mean, how should I be budgeting for this correctly? And you know, some say, if you can identify the number of endpoints in your environment and then allocate a cost associated to that. Full support over a 12 month timeframe. That’s how most organizations I think are trying to get to where, you know, they, if they are in a managed service agreement and they’re getting a lot of services included in that, in that agreement, but what are those additional costs?

[00:13:00] Right. Whether what are the soft costs, whether it’s life cycle replacement of hardware deployment costs new projects, you know, we, we have to replace a server. What does that holistic cost look like? And in breaking that down to a per endpoint you know, per endpoint conversation kind of helps yeah, the organization put it into.

Full budget

Chris Taylor: and, and trying to establish, you know, there there’s resource costs, both internal and external resources. There’s that maintenance cost just to keep really kind of the utility of technology, keep the lights on per se. Right? So you’ve got resources, external internal to that utility cost.

And then you’ve got the projects. How do we, how do we move that technology forward? How do we get new gear? How do we get faster gear we need to, so you have to really kinda look at all those, bring them together. Determine if it’s internal resources or external and try to leverage. The efficiencies of that.

Right? And that’s where really, we talk about leveraging a good [00:14:00] partner along with your internal resources. If you have them to try to get the most bang for the dollar for technology spend, because it doesn’t make sense to hire at all, you know, and in some cases, doesn’t, it doesn’t make sense to contract at all.

So that has to fit into that budget conversation about how do I balance internal technology. Focus people and my external people and how do I pay for it? All right. And what, what’s the balance there? And that is a tricky exercise that we walk through with our clients quite a bit,

Ann Mauer: I think. And I think it’s helpful to have a framework.

Right. I think it’s helpful to have a checklist. I think if you can have a. Data, you know, if you’re, if your it department either internal or externally can report on some of the data that, that your systems are generating can also help you make those decisions. You know, we, when we work with our customers on that basic life cycle refresh, there are certain, you know, critical components of an environment that we say.

A life [00:15:00] expectancy. Right. I think unfortunately manufacturers do build in obsolescence in their products right. Because they wanna sell hardware. So how do you plan for that? Right. And we wanna make sure that our customers are getting the return on their investment over the length of that, that, that solution.

So Chris, would you agree like over, if you looked at a, a traditional environment you know, most customers have a firewall, most customers are running some type of internal server system, desktop laptop computing devices. I mean, those, those do have a life cycle. I think it’s dependent on a. How much you’re pushing on, on that year.

Right. But I, for most of our customers, we’re saying, you know, firewall three to five years. Right. You know, the more that we ask of, you know, cloud compute right. And pushing more to. More to the cloud. We need to have bandwidth. Right. [00:16:00] And so as, as customers grow you know, the firewall component needs to be changed out.

So, you know, three to five years on those systems, typically servers you know, five to six years. A lot of the server replacement costs is associated again to the core applications that they’re running and planning for. When, when Microsoft sunsets, you know, they’re operating systems and, and kind of the dependency on the, those two obviously we wanna make sure that we’re not running.

Old legacy hardware, right? Because that then becomes, we, we potentially have some hardware failure components at some point, and making sure that our customers are running some manufacturer support warranties on that core gear is really important. We wanna be able to have the ability to call those groups to get replacement componentry.

What other things, you know, endpoint devices. Laptops [00:17:00] desktops again, typically a three year life cycle. Most oftentimes we’re telling our customers. Try to replace at least a third of your fleet of your endpoint devices so that you’re not holistically changing those all out at the same time. Cause that gets very expensive.

You know, just making sure that a, if they have data in their environment, that they’re leveraging that data to make better business decisions. And just monitoring those components. So obviously at CIT, we track a lot of those hardware, software components for our customers, so that we can build out what that strategic plan looks like.

And I think that that helps just provide again, a better plan at the end.

Chris Taylor: Yeah. And I think two major technology changes that have. Clients understand budgeting better has been virtualization and the, and the cloud migration, the workload, you know, moving workloads to the cloud, right. It, it hasn’t, it, it is it, you know, everything isn’t more expensive, right?

I think we’ve become better at utilizing [00:18:00] hardware and utilizing it up with virtualization. We’ve found ways to move CapEx cost to operat cost and moving up to cloud workload. So we. Trying to, you know, it’s not all Gloo and doom. We’re, we’re trying to decrease where we can the budget as well. Right. So if you can use hardware more efficiently, faster, bigger, better, rather than just replacing every five years, because the built in hardware obsolescence, it makes that.

Model more efficient, same with, as we move those workloads to the cloud, we decrease our on-premise hardware capacity workload that we need. So it’s shifting cost, but hopefully it does help try to reduce that budget over time as well, because there’s plenty of things adding to the budget. So we’re trying to help, you know, it’s, it’s not all up up up.

We try to help re reduce it with certain technology changes that are happening as.

Ann Mauer: Right. Well, and I think it goes to the framework, right? I mean, with most of our customers, we’re, we’re taking the N framework the national Institute of science [00:19:00] technology and those recommendations from the federal government.

Right. Of how we wanna, we wanna be able to provide the same level of Planning, you know, that meet some of those requirements for our SMB customers that we’re supporting so that they’re, they’re looking forward for the, the next you know, what is the next security software solution that they should be looking forward towards?

And I think, you know, the executive order with the passing of having EDR and running in your environment also is something that. To be part of that planning conversation, right? Because, you know, we’re, we’re all gonna be in a position where our technology spend has to increase as the demand on, on securing our environments is, is necessary at the end, end of the day.

Tara Klocke: Yeah. And I’m really glad that you brought up that point because we’re talking a lot about the budgeting side of, you know, even that old [00:20:00] hardware and end of life on operating systems, that there is a risk for cybersecurity where they can get in cuz you are running old technology and. I did wanna mention if you guys hadn’t caught that before we had a podcast earlier with Kyle and Jake talking about migrating to the cloud, cuz there are still a lot of questions of, is that the right path for me?

Is it secure? So if you haven’t listened to that, I would suggest going out and talking about that and kind of helping you understand a little bit, but I did wanna kind of see on the, is it side and then that budgeting, you know, where do we go? So we’ve got that budget established. How do we look at it forward thinking, can we adjust as we go?

Where, where can I add that in? Because yes, it’s gonna be maybe expensive in the long run, but you gotta start that budget because you’d rather have that slated. Where you don’t have something happen with a cybersecurity [00:21:00] incident coming in because you chose not to upgrade or do something like that. So I just kind of wanted to make that statement and then you guys can have any

Ann Mauer: remarks on that.

Chris Taylor: Yeah, and most of those budgets are, are fluid, right? I mean, they’re gonna move, they’re gonna change. They’re gonna morph. They’re gonna switch the buckets that they’re in because of those changes. Obviously we’re spending a lot of time talking to clients about making sure they’re budgeted for those security pieces of the puzzle.

Right. And, and that’s not just putting in the latest and greatest security that’s as you mentioned, Terry, getting rid of old technology that’s unsupported get rid of, out of date and a live product. That’s unsupported. Along with that looking forward as to what’s coming next and most of our clients.

If, if they weren’t regulated, they weren’t required to kind of keep up with some of that. It was really on, on their, you know, timeframe. Now when, when the industry has come forward, when they try to do their cyber security renewals, they’re being asked the same thing that the regulated clients are doing.

So we really need to spend some time talking about that part of the [00:22:00] budget around security, right? Where are we at? How comfortable. Do you think we can check all the boxes when your, when your insurance carrier comes to the door next time? And if not, let’s start getting, let’s start chipping away at those.

Let’s get ’em in the budget. Let’s get the top priority ones first and let’s start chipping away because we know it’s coming, right. It’s not a matter of, of if it’s a matter of when they’re gonna, you know, come ask for these certain things to be done with your technology. And if we wait too long, it just becomes a, a harder budget to deal.

So we try to get out in front of that as best we can typically at least 12 to 24.

Ann Mauer: Yeah. I mean, ideally if you have a checklist, something that you can look at your current environment, right. Identify the age of the gear. When is the, excuse me, when is it due to sunset? Right. And then planning for those replacement costs.

You know, that’s something that we, we want to be part of with our customers because you know, it’s, it’s better to plan for. Spend [00:23:00] today. And, and granted, there’s a lot of unknowns with where the market’s going today, but we have to be realistic in what that true number is to support the organization.

And be far more strategic, you know, honestly at the end of the day, technology should drive opportunity and business value. And, and when we’re dealing with, you know, legacy hardware and, you know kind of some inefficiencies based off running old gear, there’s soft costs. That’s involved there that if we just allocated correctly for a budget, To replace and move forward.

I think that there, that that soft cost with efficiencies and performance at the user level, that pays dividends, right? If, if you have somebody who’s consistently not having to deal with technology issues that there’s benefit there. And that’s really where we want our customers to get to at the end of.

Tara Klocke: That’s great. So we’re gonna be kinda wrapping up the podcast today. [00:24:00] Chris and Anne, do you have any like final words of wisdom that you wanted to throw out there for our listeners?

Chris Taylor: Yeah, I, I would just not be afraid of the budget. Right? Let, let get something established. It needs to start somewhere if you haven’t already.

And if you do have a budget established, I think it needs to be review reviewed at least annually. If not quarterly, we try to review with our customers on a quarterly basis to make sure you know, where are we at to that budget? Is it way under, is it way over? Where, where do we need to allocate? How do we accrue and get out in front of it?

So it’s, it’s, it’s. It’s not as scary as it sounds. I think it’s fairly easy to get started. We can give you some baselines industry stat type of numbers to use. And then from there we just build on it and make it better, bigger, better, faster,

Ann Mauer: stronger. Yeah. And I would, I would just also, I mean, there’s, again, what we’re seeing right now with supply and demand issues with core computing gear you know, just be patient, right.

It’s [00:25:00] it’s everyone in the industry is, is. Kind of struggling with this right now. And, you know, I think if you have allocated budget, you know, try to get those orders in sooner so that you at least are in the top of the line for when it, when that fulfillment is, is available. So.

Tara Klocke: Great. Well, thanks again, Chris and Ann.

So glad to have you on today. And it was a great discussion, so thanks for it, budgeting all the things and we got it all wrapped up. So I did wanna say let us know of any sort of feedback or additional topics that you would like to hear on our pod. You can visit C I Or you can email

And we look forward to chatting with you

Ann Mauer: guys next week. Thanks for rolling. Thanks.

Technology for Business Podcast – Zero-Trust Part I

This week we chat with Todd, Nate, and Ashley about Zero-Trust and what it is. They’ve got castle moat and decorative hand towel analogies and so much more. Stay tuned for Part II of how to implement coming soon. Have questions you’d like to hear discussed? Send an email to or head over to

Listen now

Technology for Business Podcast – Maturity Model

Myths include: This week Tara sat down with Todd and Scott to chat more about the Maturity Model (and their favorite vinyl).

Listen in to learn more about:

  • How do you define the Maturity Model?
  • Who should consider Maturity Models?
  • Is there more than 1 application for the MM?
  • How does this apply to technology?
  • How can organizations benefit?
  • How do we use it to drive technology/business alignment/Compliance?

Have a question for Todd or Scott? Email

Listen now

Episode Transcription


Tara Klocke: [00:00:00] Welcome today to CIT’s tech for business podcast. Today, we are sitting down with Todd and Scott, and we’re going to discuss the maturity model. I wanna kick it off for both of you guys. First, make a lovely introduction. Secondly, tell me your favorite record that you have on vinyl.

Todd Sorg: Go ahead. Okay. Um, I am Todd Sorg.

I am CIT’s chief operations officer. I am also the chief information security officer, uh, favorite vinyl record. Uh, I’m gonna break the rules and I’m gonna make it two. So, um, I’m gonna start with my, my very first personally owned vinyl was kissed double platinum. Bought that with my own money, just a young kid loved it.

Fantastic. Played the crap out of it. And then, uh, in my teen years, I’d have to say it was probably guns and roses, appetite for destruction.

Scott Patsy: Great choices. I [00:01:00] have both those on vinyl currently. Um, my name is Scott Patsy. I am the manager of strategic engagement here at CIT. Uh, thank you, Tara, for putting this together.

These are really fun. My, um, You can’t ask me about music, cuz we could spend an hour just talking about that. And I can’t really answer this question, um, without saying that my favorites continue to evolve and change all the time. And so right now in this moment I also have two favorites. Um, I just got a five, um, final five LP, uh, grateful dead collection from.

Cornell 1977. Now Cornell 1977 is a sought after a very renowned live show from the dead. You can go very deep down the rabbit hole. That is the grateful dead. And so Cornell 1977 for me. Uh, and then I’m gonna pick on something very new that I really like. And I just bought on vinyl also. Um, [00:02:00] the debut self-titled release spot from a band of sisters called wet leg.

Really great. Um, modern. Rock, uh, I, I highly recommend it.

Tara Klocke: Well, I didn’t know I was going to stump you to and make you make this hard decision, but how about we get to something that I know you two know a lot about, which is the maturity model. So tell me how you guys would, would define this. What does that look like?

Scott Patsy: Yeah, I can, uh, I’ll jump in here, Todd, the, the, um, when I think about the maturity model from, you know, I’ll, I’ll, I’ll, uh, I’ll I’ll disassociate that, um, with, from technology specifically in this moment and just define the maturity model as being a measurement. The ability of an organization for continuous improvement in a particular discipline.

Um, so what the maturity model ultimately does is judge how a company or a [00:03:00] system is at improving itself from a given state allowing leadership to observe the company’s current maturity level based on industry PR industry practice, um, of the current discipline under. Tyler. I don’t know if you had anything to add to.

Todd Sorg: Yeah. I mean, I think that’s pretty spot on, I guess the, the comments that I’d add to it is maturity models are really just that. I mean, at some point you’re trying to measure where you’re at today, where you’re going. And obviously in most cases, if you use the analogy of you can’t eat an elephant in one bite, there are steps that typically go with it.

And that’s essentially the concept of the maturity model is I’m here. I wanna. There as I continue to grow. And, um, how do you do that? And the maturity model is kind of giving you that formal process of putting it together and helping you move forward.

Scott Patsy: Yeah, I, I would, I would even supplement that to add on to the ultimate part of the ultimate goal being, um, not [00:04:00] only to realize for a company to realize its current maturity, this is where we’re at today, based on whatever we’re trying to analyze in the best practice associated with that, um, measured best practice that is we’re not making it up.

Right. Um, But, uh, and, and then ultimately what the next level is to get to what the goal is. But a quality maturity model process should also help you identify or help a company identify two other really important details. And that is, you know, okay, what are the steps to take for us to get to level two or level three, you know?

Um, and then ultimately determining what the financial or human resources it will take to, to make that move.

Tara Klocke: Okay. So I have another question for both of you then, who should really consider applying maturity models into their organization?

Scott Patsy: I would say, um, any [00:05:00] organization that is looking to improve upon itself in any way, it doesn’t have to be technology, right.

Um, any organization can improve how. Choose to hire people, um, you know, how they onboard new employees, um, how they adapt processes, how they adapt policy, you can really apply this to any size business in any place inside of your organization where you’re looking to improve. You know, I, I don’t know that there’s another way to say it it’s, it doesn’t apply just to one, you know, you don’t have to have 50 employees or whatever.

Todd Sorg: Yeah, I’d agree. I mean, uh, essentially what it is is it’s, like I said, it’s kind of a formal process that helps organizations kind of improve. And, um, even organizations, there’s a, there’s a local brewery in town in Minnesota here. That’s got a saying that says they have big ambitions to big, ambitious to stay small.

Um, and while that sounds like, Hey, we’re not really trying to do [00:06:00] a lot. We’re not trying to, to be one of the biggest. Uh, manufacturers of beer and distribution of it. That doesn’t mean that they’re not trying to continue to improve who they are, make better beer, be it more efficient, deliver what their customers are looking for.

And the maturity models will apply to somebody as small as this really, really small micro brewery or somebody as big as a 500 plus organization. Yeah, kind of that’s

Scott Patsy: I really like that. What was that statement again?

Todd Sorg: they have big ambitions, big ambitions to stay

Scott Patsy: small. That’s great. I really like that.

Tara Klocke: Well, and that kind of brings into my next question. So regardless of your size, is there like one way in particular that you go about applying this maturity?

Scott Patsy: There are, um, within the maturity model concept, there are, there are lots of standards over time that have been. Developed. Um, and if you do some research, you know, [00:07:00] Googling , um, there are a number that have, that have, have been, you know, put together already, um, that an organization could attach itself to, to kind of help this process along.

And that’s kind of in part what I would certainly encourage, you know, don’t, don’t make it up. Um, look within the discipline. In which you are trying to improve and see if there’s a maturity model, you know, out there that, um, that you can, that you can utilize. There are, you know, we can get into some very specifics here within the technology, uh, discipline or how they apply it to technology.

But, um, just know that, you know, within, um, lots of different industries and lots of different disciplines, there are, there are already some very well built. Maturity models.

Todd Sorg: Yeah, I was gonna expand on that a little bit too. So there isn’t just a single maturity model that’s out there. So, [00:08:00] um, we’ll dig into a little bit of ’em today, but you know, it’s just kind of giving you high level stuff.

Um, there are many organizations that already implement those. So for example, there are project management, maturity models that are out there. Um, there are technology ones, a lot of people are probably familiar with CMMI, um, they’re cybersecurity maturity models. So you can get into ones that are basic for finance and so forth.

So there’s a lot of ’em. They do apply. And like I said, at the beginning, the intent of this is really trying to find ways to help organizations continue to mature out. Um, so

Scott Patsy: go ahead. No, I would, I didn’t mean to step on, I would even say, you know, something that people are really. Most people are, are, are probably pretty familiar with, or at least I’ve heard of as, as like an ISL standard, you know, within manufacturing, very similar, right?

That’s a very well known, pretty global standard for how a manufacturing organization matures its process. Right? And, and, and the, and the big benefit in that world is if your ISO, you know, [00:09:00] act certified. Um, that means there are certain criteria that you’ve met that ultimately. Your customer is looking for you to have accomplished.

And so that’s one giant benefit in that scenario is if you’ve met the criteria in a particular standard, you can do business with a particular customer or a customer will even come to you specifically, based on the fact that you have met that ISO standard, you meet that criteria. You have matured as an organization to such agree that you’ve been awarded that standardization.

Todd Sorg: Yeah, I’ll expand on that a little bit too. So, so prior to, to joining CIT, as you know, we’re all, we’re all CT CIT and it up here. Um, I used to work for a manufacturer and, and one of the questions that you kind of ask is why do you go through a process like this? And, and I kind of mentioned it’s because you wanna continue to improve as organizations, but there are a lot of other reasons for it too.

Scott just touched on, we can [00:10:00] get more revenue because of it. We can land projects, we can separate ourselves from our competition. But, you know, another one and, and this is where I was kind of focusing very heavily at the front is just trying to make sure that your processes are very repeatable. Um, so there’s a whole slew of good reasons why they do it and when you’re going, Hey, I think if you’re considering this in your organization is I think we’re gonna move forward on something, this like this.

You can then circle back with your stakeholders and say, I wanna move forward because I think it sets us apart. I think it’ll help us drive additional revenue. I think it’ll help make our processes repeatable and, and predictable and so on and so forth. So there’s a lot of really good reason to do that.

And almost everybody inside of every organization wants those things. They want more money, they want more revenue, they wanna make it more efficient and so on and so forth. Yeah, absolutely.

Tara Klocke: Like who, who wouldn’t want that for their organization? And. In case anybody said, no, this is a podcast on technology.

So I do wanna dive into a little bit about how does this apply [00:11:00] to technology? Yeah,

Scott Patsy: that’s a, that’s why we’re ultimately here. Right? Um, so there are a few ways that we can kind of look at that. Um, I think the important one today is to help, um, You know, the listener here understand, um, broadly how the maturity model can apply to technology.

But then more specifically, how does C I T use the maturity model, um, to help our customers ultimately, you know, align their business goals with what technology can do, right. Um, I think a good broad place to, to start maybe, um, Todd, you can help out here is, uh, something that’s kind of on the forefront front of everybody’s mind today being cyber security.

And there are a number [00:12:00] of, of, uh, places where this applies. Um, and, and, and Todd, I would invite you to kind of start and I I’ve kind of got some, some stuff queued up here to, to discuss about it.

Todd Sorg: Sure. Yeah. So thanks for that. But, but cybersecurity is really easy because as Scott mentioned, it’s top of mind right now, it’s easy to talk about.

Um, but the nice piece about it is there is a decent amount of compliance out there that kind of helps build what frameworks look like today. Um, so you look at those highly regulated industries, your healthcare, your finance, et cetera. They’re all trying to do exactly that. As I mentioned early on, you really can.

Do it all in one chunk, there’s a variety of reasons for it. The complexity, the cost, et cetera, cetera. Um, in the compliance industries or the regulated areas, the reasons why they have to do it is because they’re being asked to do a lot. The reasons why there is compliance and regulations is because there’s a lot of risks in those industries, whether that’s because they’re being insured, um, by insurance companies or by the D I C or whatever the case may be.

They’re the ones that [00:13:00] are saying, Hey, there’s a lot at risk here. We wanna see you do it. Essentially, what they say is there’s kind of a foundation that you need to get in place for the maturity model and they call it baseline in the finance industry. And then as you continue to grow and get better, the next stage is called evolving.

So again, you’ve kind of got the basics I can block. I can tackle. Now I’m starting to get it a little bit better. And then once the next stepped up is intermediate. So you’re doing about average. That’s about what most organizations are trying to do if you’re in that industry. And then you get up to advanced and then at the very top of the scale as innovative, and the intent is.

Most organizations aren’t really striving to be innovative when they’re in the SMB market, which is typically where we focus and that’s because they don’t have the revenue, the horsepower, et cetera. But there are leaders in every industry that are going to be innovative, even if they are small, there’s, there’s plenty of people that are really trying to turn their industry on their head.

And they’re trying to be living in that innovative state as well. [00:14:00]

Scott Patsy: Yeah. Yeah. That’s great. Um, I’ve got a, um, uh, kind of what I have queued up as some, an example, really within cybersecurity kind of, you know, how and where that applies. And so, um, I think, uh, if there’s anybody out there listening to this that is, um, kind of tapped into what.

The cybersecurity industry is doing the maturity model that we see relatively, um, consistently is what’s called the cybersecurity maturity model certification, the CMMC, um, which is an assessment framework published by N the national institutes of standard and, and, and technology. And what the CMMC does, is it, um, It’s got a whole list of about 14, what they call domains, um, that, uh, um, are specified for, um, analysis, um, to address the CMMC and, [00:15:00] and those are access control, awareness and training, audit, and accountability, configuration management.

I’m not necessarily gonna list all. 14 of ’em, but you can kind of understand what they’re trying to accomplish their incident response, um, personal security, physical protection. There’s, uh, there’s a whole list of things to, to get through and to mature through, um, within the CMMC and those domains and, and, and an example of that is, um, Kind of the framework that we’ve been hearing about is, um, you start at, you know, a particular level of maturity and as an organization meets those maturity requirements, it would, you know, move on to the next level.

Right. And, and within the CMMC, the first level is access control and the first level and level one. Then within access control is what they call authorized access control. And, and they call that out and they say limit system access to authorized users, [00:16:00] process pro uh, uh, processes acting on behalf of authorized users or devices, including other information system.

And so once an organization has done that limited. Information system access to authorized users. It can kind of check that box and move on to, um, the next aspect of level one. Again, being access control, which is transactional and functional control limit information system, access to the types of transactions and functions that authorize users are permitted to execute.

Um, so you can kind of see how this moves the next, uh, uh, uh, aspect of level one is external connections, verify and control slash limit construction, uh, connections, um, to and use of external information systems. Um, Uh, and so they, once you have kind of done these things, checking the box, you move on to the.

[00:17:00] Piece of that. And AF once you’ve matured through level one, level two, uh, again, within the access control domain. And I know we’re getting in the weeds here, I hope everybody’s following me. Um, level two is then starts with, um, the ion of duties and so separate the duties of individuals to reduce the risk of malevolent activity without conclusion.

And, and, and, and the CMMC is, is, is, there are lots of questions it’s very in. Um, and for cyber security at this level, it really should be, but you can see within the different levels, what they’re doing, they’re ultimately tightening the security restraint so that the right people can get access to the right information, um, or ultimately to limit access.

um, only to a certain set of people internally or externally. Um, and this goes on and on and on, and there are lots of levels and lots of questions, certainly not gonna read ’em [00:18:00] all, but you can kind of get the gist here of, again, the process by which an organization meets a particular criteria within a level in order to check a box and move on to the next.

Tara Klocke: So I definitely heard a lot of compliance compliance, but then how do I take my organization and align that with those models? What do I do? Do I do that myself? Can I reach out to somebody to help? Or how do I check some of those boxes?

Scott Patsy: Yeah. Yeah, that, that that’s that’s thank you, Tara, for reeling us in a little bit.

um, the question there really is. Okay, well, how does CIT help, you know, our customers? How do we use the maturity models to help our customers? Um, because our customer base is one that tends to be, uh, what we refer to as, as SMB. Uh, um, and I’ll clarify a little bit to say C I T S customers that have, um, you know, a pretty broad range of, uh, uh, of user basing.

We’ve got customers. They have five to, to, [00:19:00] to 500 users is, is, is kind of how we categorize that. And today, um, we are using maturity models, um, both within our cyber security and strategic engagement departments to drive. Really help our customer drive that level of maturity within each respective discipline.

Um, and, and I, I really, I firmly believe that that word using that word drive is an important aspect of this. I would say that our customers look to us in these cases to help them mature. Through these processes, and it’s not something that they necessarily are prepared, have the, or have the bandwidth to accomplish on their own.

So they really need us to, to help move them forward. Um, cybersecurity obviously is very focused on maturing the. Um, it, uh, cybersecurity for our clients. Um, well the strategic engagement department takes a [00:20:00] broader approach in maturing overall. It best practice within categories, such as it infrastructure, where we’re analyzing servers, workstation, storage, switching, um, backup and recovery.

It budgeting, um, and big picture items like the organization’s cloud strategy or the ability of it assets to meet, uh, uh, uh, business demand. Um, I will, uh, I’ll take this moment to kind of pick on an easy criteria, um, where, where, uh, um, Strategic engagement focuses. And that is, um, that’s the, that’s the it budget.

So I’m just gonna talk through this briefly. So, um, if we were using the maturity model to analyze a customer’s it budget, um, we, we, uh, we would do that. We kind of have five levels within budgeting, um, and we. Make these statements, we ask the customer, these questions, um, you know, where do you fit today? Um, within this model.

Um, [00:21:00] and so if I think of the it budget, kind of it being one through five, number one being no formal it budget exists. Technology is purchased ad hoc. It budget percentage of revenue is unknown today. Um, or number two, being some it purchases are made based on specific recommendations, but were not planned for in advance.

Most it hardware, software and service expenses are paid for as needed. During a point of pain, it budget, percentage of revenue is still unknown. Um, level three then is, um, you know, you can, you can kind of hear that it continues to get better as you mature. Um, level three is, uh, a list of technology purchase has been documented.

However, no specific annual it budget is followed. Some hardware software service purchase is purchased in advance based on a roadmap. Uh, some are still purchased ad ho. And again, it budget percentage of revenue is, is less than industry average. Uh, number four, [00:22:00] then we would continue to get better. An it roadmap has been documented annual it budget has been created most are all it.

Hardware, software, service expenses, expenditures are made in advance. Um, and then number five is a formal budget exists. The organization, um, and business leadership are aligned on technology solutions that support business goals. And so the question is, well, boy, Scott. Yeah, we are at a number one and we really wanna get to a number two and number three and number four.

And, and, and we need your help getting there. Right. Um, and so that’s where we. Use strategic engagement to help, you know, drive, um, organizational leadership, our customer’s leadership to working through those maturity levels. If no formal budget it budget exists today, then let’s build a cadence together so that we can work with you to.

Identify the items that are attached to the it budget, what [00:23:00] the cycle is for these things and build some predictable repeatable processes around, um, maturing you to the next level so that we can get from no formal it budget exists to you have a roadmap we’ve helped you document that roadmap we’ve identified within, um, you know, quarter by quarter, what the it purchases are that are going to be made.

We’ve identified. Um, when assets will refresh, we’ve identified when new hardware will need to be purchased based on warranty or support expectation, um, expiration, excuse me, we’ve identified when, um, you know, projects need to get accomplished based on that budget. Um, And then to help an organization, um, uh, uh, review that quarterly budget and review budget, percentage of revenue and see where it fits within its industry.

Um, so that’s kind of how we would take something as, um, really as important, [00:24:00] um, and as transformational as the it budget and moving it from, ah, we really don’t have a formal it budget. We kind of just buy stuff when we need, when we identify a pain point to a formal budget exists. Organization business leadership is aligned with, um, uh, not only making it purchases, but, um, helping those purchases, uh, ultimately drive business.

Todd Sorg: So I’m gonna boil that down a little bit. um, I, I think, uh, what Scott said was great. I, I think all of that aligns extremely well. And if you were, I mean, I, I’m not trying to make fun of Scott in any way, but I think if you were kind of going through the process, I kind of highlighted, and I said, you got a baseline and you work your way up to innovative.

Exactly how he laid that out. They followed right into those steps. Right? So you kind of figure out where you’re at and where you’re going. One of the things that I kind of wanted to point out right away is I have worked for a fair number of organizations. Um, prior to this particular role in everywhere I’ve ever been, I’ve found that [00:25:00] the reoccurring theme is senior leadership hates surpris.

Right. And that’s budgeting. That’s break. That’s fix it’s it’s all the unknowns. Right? So when Scott’s pointing out heavily, you wanna get to this area where it’s repeatable, it’s understood. You’ve got budgeting, et cetera, for anybody that’s in charge of it, responsible for it or any. Other area having that predictable model does eliminate a lot of that friction and it removes the surprises.

So you’re less likely to have the president CEO’s laptop die unexpectedly, or your backup system didn’t work. And now I’m looking for a $20,000 investment or whatever the case may be. Those things are being eliminated. Um, now when it comes to cybersecurity, You know, Scott had mentioned this too, is a lot of organizations don’t have the horsepower to be able to kind of do that for them.

So there are partners out there. C I T be one of them having the ability to say we can help translate that. So I wanted to touch on the CMMC [00:26:00] piece real quick too, is, um, as Scott was reading through that, While it’s clearly in English that doesn’t necessarily make it easy to understand. Right? You go through all that and you say, whoa, what does that even mean?

There are organizations, there are people that do know how to make that very actionable and say, here’s where you’re at today. We can get you to the next step easily by doing X, Y, and Z. So there are very clear ways to do it. Um, And I, and I apologize, I didn’t mean to cut Scott off in any shape, manner or form.

I just kind of wanted to point out that the surprising thing is, is really, should hopefully resonate with a lot of people and being able to, to minimize that if not completely eliminated is something that most organizations are after.

Tara Klocke: And no fault to Scott’s, um, own, he is very passionate about this subject.

So it’s so nice and refreshing to be able to have somebody be a part of CI I T that wants to talk about that. And he is in that perfect position, um, to do so. Um, so great job guys. [00:27:00] I appreciate, um, all of that. So I did wanna kind of, um, lead us out to the end and we’ll kind of wrap anything up, but Todd or Scott, do you have any, um, final words that you wanna get in there?

Todd Sorg: Yeah. I wanna know when we’re scheduling the music one. Yeah, right. yeah. When can

Scott Patsy: we let’s have a grateful dead podcast, which is the best version of ahea. awesome.

Todd Sorg: This was great,

Scott Patsy: Tara. Thank you so much.

Tara Klocke: Well, thank you. Uh, Todd and Scott, I very much appreciate your time. And as always, we love to talk and sometimes we tangent, but again, talking about the passion, we love to see that, but for those of you that are listening, we always are looking for, um, you know, feedback on some other suggestions.

So please make sure to do that. Um, you can visit our website, which is CT Or you can email us at info C I. Net dot. [00:28:00] And as always, we look forward to chatting with you guys next week. So, and are.

Technology for Business Podcast – Myths of Managed Services

In this week’s episode, Kyle and Alex sit down to chat about the Myths of the MSP (Managed Service Provider).

Myths include:

  • A MSP is there to replace your IT Staff
  • Once you sign up all your problems will go away
  • Only people without IT staff need MSPs
  • & more!

Have a question for Kyle or Alex? Email

Listen now

Episode Transcription

Kelsey Sarff: [00:00:00] Welcome everybody to today’s tech for business podcast. Today, we’re sitting down with Kyle and Alex and we are talking about myths of the managed services. It’s going to be a fun one. Let’s kick it off with you guys. Introducing yourselves.

Kyle Etter: Hi. Thanks, Kelsey. I’m Kyle I’m the president and CEO at CIT.

Alex Piper: My name is Alex Piper.

I’m the manager of managed service.

Kelsey Sarff: Awesome. And you guys are gonna be here in a little bit more for me today as I put forward our lovely myths.

The first myth is, “Once you sign up all of your problems go away.”

Alex Piper: Yeah, no, it’s gotta be one of my favorite ones. Um, when thinking about this topic of myths about what we do and the magic that we can do behind closed doors, it takes a little bit more than just signing up.

It takes, you know, it takes us a little bit of time to kind of get through your network, get you on board. I bring you in, you know, any MSP who’s going to be coming in and bringing you to their managed service platform is going to, it’s going to take them some time to [00:01:00] get, to learn your environment. And we’re not gonna be able to solve your problems right away.

We’re going to collect your problems. We’re gonna learn what it is and we’re going to grow together. But it’s unfortunately not one of those things. That’s an instant sign on the dotted line. We all get to move on with our lives. Um, and everything’s going to go smoothly. Um, Kyle, anything you want to add?

Kyle Etter: Yeah. Yeah. I, I think it’s even more so I have the understanding that as things are, uh, brought to light that even has, you know, more activity and there may be some, you know, like my RA caused some short-term pain, uh, to get through those sides of it. Cause, uh, typically highlights areas that need to be improved and adjusted to make it even in a more supportable environment.

Usually, that form of the pain may be an additional investment typically, you know, there’s. Older devices, those types of things, just immediate recommendations and that need to be, uh, addressed to improve the supportability of the networks. So, you know, I would plan for typically coming in, if you’re not coming off of a [00:02:00] mature managed service provider, that you’re probably likely going to be requested to make some additional investment, uh, to help improve the supportability, not always immediate, but certainly in the, in the near future, those things will certainly have.

Make the network at the moment, a lot of the problems go away. It’s not just the provider. There’s a combination of the information recommendations that ultimately drives the more supportable network.

Kelsey Sarff: That makes sense. I’m going to ask a follow-up tangent question here. Tangent alert. How long would you say it typically takes a managed services onboarding?

How long would somebody be looking?

Alex Piper: Yeah, probably you’re probably looking at, you know, just from doorstep to doorstep, from signing to, you know, us being, you know, an average MSP being out there probably about 30 days. And then from there probably another 30 to 60 days for us to really start to learn that.

Get all the tools collecting all that data coming with those recommendations [00:03:00] that Kyle talked about a little bit about pain points. Here’s what we’re seeing in your network. That could be potential pain points and starting to build that list, um, of, uh, topless items of what we were going to want to look at.

Kyle Etter: Yeah. I like to set Customer expectations around 180 days, or, you know, really starting to see some of the results sides with it. Um, as, as I like to mention, you could be, you know, ready to receive calls and get the information within 30, um, you know, your other, other areas of. Discovery trend analysis, those another, uh, more in-depth deployments, uh, optimizations of the network and systems, you know, some security or mediations, typically it could take, you know, 90 plus and then to kind of cook, you know, get it all working together is really about 180 days.

So I wouldn’t judge any managed service provider in any shorter period of time with that. If it’s [00:04:00] working or not in any shorter period, it’s just not enough time. For the systems and the processes to really start to take hold. Um, and, and I don’t want to make the idea that after 108 days it’s perfect.

Um, but you should start to see progress after 180 days. I would not judge it any sooner than that.

Kelsey Sarff: Makes perfect sense. All right.

Myth number two is, “Only people without IT staff need MSPs.”

Alex Piper: Yeah. I’m going to say that is not true. Uh, we have, you can have. Environments that definitely like you cater towards the people who don’t have it sass.

Cause that’s what we’re here for. We’re here to give them that, help them with that pain point of not having that staff. Um, but with that being said, a lot of our clients do have it staff and we’re there to help them in any way possible. Um, you know, you [00:05:00] could be anything from just being a contact expert in a certain area, which, you know, your MSP is going to know yours.

Engineers who are certified in a lot of different areas and be able to provide a lot of different knowledge bases where, you know, your local IT or not, anybody onsite won’t have that knowledge. And you can just supplement to that little bit, just, you know, is there to help, you know, S you know, you progress and grow your business and your IT.

Kyle Etter: Yeah, I it’s there’s, there’s so much value in what the processes and systems from the managed service deliverables bring to even customers with existing it staff. Because the, when I used to have conversations with customers about is driving towards. Efficiencies. And a lot of those efficiencies, we have efficiencies of scale and our managed service offering.

I mean, we do it day in, day out. We know how to monitor. We know how to, how to react, you know, how to know if something’s up or [00:06:00] down. We know how to, uh, you know, re-respond to performance, you know how to do, you know, Asset tracking and those other general areas, we know how to keep systems up to date and patched, and we know what’s required for security.

So those general across the industry, it doesn’t really matter. Um, those we’re very efficient at it. We do it day in, day out. We’re very good at it. Where the customer’s it, staff start to then gain the time and effort is to work with where their rubber meets the road there, their data, and how they’re interacting with their support users and then to their customers, with their data and their systems, because when it gets specialized into their particular investment, That’s where we lose efficiency.

So, you know, once customers have a certain size, you know, the many times we recommend they have an IT staff that we can’t fill that need. And, uh, you know, I think Alex, Alex is smiling on that. Cause it’s, you, you, you can’t promise [00:07:00] that as a managed service provider, because you just, again, you just lose the efficiency of scale.

So it’s pretty easy to understand where the, where it comes. I always advocate for customers. When they look at saying, well, we could build, we could have our own monitoring system and we could do our own ticketing system and we could do these things. But again, you’re just adding to your problems because now you’ve got another system to manage.

You got another, you just added to your plate, you didn’t subtract. And you know, we can attest the systems that monitor the customers don’t work as well as the other things. They are not a set it and forget it. Type of product. They are ever-evolving, ever-changing. They have their own set of support. We have dedicated people that handle that, and that’s the efficiencies of scale you want to get.

So I think customers with staff have a hundred percent, uh, benefits, um, looking at utilizing MSP cause it’ll gain better efficiencies with their people and there it is, and it’ll [00:08:00] actually deliver better it technology to their bills.

Alex Piper: The Tufts to that. You just have the hours, I mean, work 24 hours, just for an example.

We’re 24 hours, seven days a week where you’re having, you’re paying somebody 40 hours. Multiple people for 40 hours’ worth of work. I mean, you’re getting that around the clock. Somebody watching your network holidays for here, you know, you’re kind of getting that you want to take PTO and you’re the only IT person that’s where we can come in and just, you know, let you relax for your, you know, for your trips to Florida, for S for a week, you know, that’s where we can kind of come in and help.

Help you out, you know, it doesn’t have to be somebody who doesn’t have any staff. You need help just in just that there, but we can supplement that staffing in those peak times.

Kyle Etter: Yeah, absolutely. Do you mean an IT guy gets to take time off?

Alex Piper: occasionally?

Kyle Etter: Yeah. Yeah. Unfortunately, IT doesn’t sleep. And, and, uh, I think again, as Alex steam going to test the, uh, model of alerts that come in overnight and on [00:09:00] weekends, it doesn’t shut down.

When most people, you know, take off on Friday at five o’clock. Quite to the contrary, we tend to see a lot of systems that, that, that have issues over those overnight hours and over weekends and, and on holidays. And it’s, those are the times you want to make sure you don’t have someone on glass if you would be able to react and get information out sooner, you know, does help because yeah, one or two people just can’t do it alone.

There’s a, it does take, you know, good systems and those things. So having a good partner to back. As well as getting those escalation points, it’s, uh, it’s not realistic to think that one, one or two people in an IT staff at many organizations can know everything about every product they’re required to have some administration support with.

So having an existing partnership to be able to reach in and say, I need help with this firewall or this, the server problem in those areas is, is a [00:10:00] nice way to ensure that you can get things resolved much faster.

Alex Piper: I had a smile. When you said like, you know, after hours is when the most tickets come in, you know, it problems never happened during the eight of five.

They always happen on a Friday at four o’clock when everybody wants to leave for a long weekend, you know? And it, it’s just that extra layer that they give you is you can kick them off, you can get them going, or you have that person where you can go home and take care of what you need to come back. You know, you get that extra layer of knowing that, that person’s there to help you while you’re not there.

Or can’t be.

Tara Klocke: I think that’s also a great point. Cause I think there for a while, it used to be kind of us versus them in the industry that they always felt threatened about an MSP coming in, where that’s really quite shifted in the fact that we’re here to help supplement that and form that great relationship with them because we’re not trying to come in and overtake them, but also offer some great solutions for them at the same time.

Kelsey Sarff: So I love the fact that we had [00:11:00] that discussion point, so lovely. Yeah, that kicks off beautifully. Another myth that I got coming up way to tee it up without even knowing.

“An MSP is there to replace your IT staff” is our next myth of the day

Alex Piper: Yeah, no, we want to work with you. I promise you that, like, there are things that you know about your network.

We won’t, you know, you’re, you know, the employees, you know, the inners and outers, the day-to-day business that we don’t, we’re just here to help with providing new tools, providing new knowledge, providing you after hours, we’re here to provide you other it solutions. Our toolset, Kyle hit it, hit it earlier about just the sheer volume of tools that we can provide or connections with vendors that we have.

You know, you, you know, you think of managed services, you think of just day-to-day support. You know, we, you know, an MSP, a good MSP can provide you solutions in so many different areas. If it’s platforms in development in insecurity [00:12:00] and you know, just growth plans and stuff like that. I mean, you know, it’s, you’re not just.

You know, to replace them, you’re here to help them grow and to take some of their pain points away. Instead of like Kyle said, he hit it on the head earlier where it’s like adding more tools and in your own monitoring tool, adding your own ticketing tool. Yes. It’s nice to have it in-house, but when you can rent those services and utilize somebody else’s tool where they have their own admin team, keeping it up and having that updating and patching and everything like that, taken care of where it takes some of the low hanging fruit off their plate.

That’s where an MSP can really show the value of your company to your IT staff. Is this take that low-hanging fruit off their plate and let them focus on the big day-to-day stuff and let us cover the day-to-day.

Kyle Etter: I think having your, the people that are on staff, being able to support users at a certain size. I think you reach a size over, you know, a hundred plus employees, depending on the technologies using it, [00:13:00] how much you’re using, you know, having, having somebody to be able to directly work and interact with the users in your line of business applications is where we see a lot of synergy on the, on the system side.

You know, smaller organizations, again, it all depends on, you know, the complexities of your technology and how much you have going on. Um, but you know, there’s, there’s such a tremendous augmentation that it provides and helps, and we’ve seen it, you know, proven in many organizations when they release the kind of the day-to-day.

Functions that are again very general. And then they focus on the business needs of the technology that, that, that it really starts to become a differentiator for that organization. And they, they look at it not as a, as a, just an expense area, but it’s going to be a differentiator, but yet you find the synergies to make it work.

Yeah. I just think I’ll make that analogy there. I’m sorry. Alex says, [00:14:00] he told me the analogy that nobody changes your oil at home anymore. Very few people do because you can go to an oil change check. And they can change your oil and 15, 20 minutes or less. And you don’t. And for about the same cost of you going into a store, buying the oil, setting aside an afternoon, and then having to drive someplace and find a place to dispose of the oil and go through those things.

The net result is very little differentiator because they’re very efficient at what they do. Um, they’re not there to change a transmission or, you know, replace your engine. They changed the oil, that’s what they do. Um, and they’re very good at, and they’re very efficient. They can do it. Cost-effectively and it’s, it’s, it’s kinda the same idea.

Um, very efficient at, at certain aspects of network operations, network security, there’s other areas, but once it relieved the more specialized stuff up to the province onsite.

Alex Piper: Yeah. And the good [00:15:00] ones. I mean, I was going to go a different direction, but I think that’s perfect. One, you know, oil change. I get like 20 points.

I mean, that’s also what we’re doing. We’re also looking at other stuff over there, making sure your lights work, you know, making sure everything else is there working. I mean, the oil change is a great example. You take it someplace. Cause you’re getting usually just slightly more than sometimes it’s an oil change, you know, you’re getting your ears, you’re getting your tire, putting your, you know, air put in your tires and stuff like that.

So getting that little extra thing that you know, they’re going, that we’re always looking at we’re in and out of networks all day. Um, so, you know, we see a lot of different environments and, you know, you start to build your know what works, what doesn’t work recommendations. You start to see stuff at a quick glance than somebody who has been staring at the network for the last 20 years.

Kyle Etter: Yup. Yup. How long does it take you to, to find an ISP outage Alex?

Alex Piper: Uh, minutes, if that I have a tab, literally, it’s just me clicking the tab and clicking refresh a couple of times to see if it shows up. [00:16:00] Honestly.

Kyle Etter: So the commonality, you know, I mean, you start to see X number of customers all go offline at the same time in a general region.

You have an indication of an ISP outage immediately. So commonality of that, again, there’s just numerous benefits to get brought to the table, but it doesn’t take away from, um, you know, the value that onsite it can do as well.

Alex Piper: Yeah, it’s funny that you say that, you know how fast, you know, now with customers being all over the place, you know, you can be an MSP that’s down, you have an MSP down in, you know, hurricane area.

We have customers who are down there that we are overnight. Guys will watch. They’ll refer. The hurricane center and just see if there’s anything coming that we need to be aware of to start shutting down gears plans stuff, you know, we’re watching power outages, just silly things like that, that you don’t think about, but that’s what we’re here to do.

You know, let us know your power company and we’ll go, they have the outage maps. Readily available online now that this is little things like this, the peace of mind at two in the morning that we’re [00:17:00] going to know that it’s a power outage, not wake you up in the middle of the night or wake you up and say, there are no outages you might want to head in, um, because your network’s down.

Kyle Etter: Yup. Yup.

Kelsey Sarff: So it’s the whole illusion of being mind readers, right? That you’re like, yes, it can definitely. Fortune tell, tell the future. Um, I know that we’ve talked a lot about right. Networks and tools and you guys are like, we know our tools, we’re the experts, but…

Next myth, “Once somebody signs up for a managed services, suddenly that team’s going to know everything about their network and tools.”

Alex Piper: Yeah. We kind of hit on it a little earlier about, you know, Kyle talking about like the timeline and stuff like that, that it takes us a little while too. Up to that point. I mean, I mean, you could call the same day that that provider shows up depending on what their rules of engagement are. If they want a little cool-down or, or anything like that, but you can start calling, I mean, is it going to be smooth?

I mean, short of it being a very [00:18:00] like, you know, have you tried rebooting, um, and it fixes your problem. It probably is going to take us a little bit, cause we’re not, we’re still collecting data passwords, knowing how your network’s laid out. Um, So it, you know, it like Kyle kind of talks about it, you know, buy from doorstep to doorstep like that 180 days and stuff like that.

I think it’s. You know, point, you know, I was kind of talking about like that, you know, 30 to 60 days after is when we start, you start to begin to see the efficiencies, start to increase all your tools are in there. We’re starting to build some baseline data and we’re not there yet. Um, we’re starting to track the trends and seeing this computer reboots, and it’s not supposed to.

Your server after, after everything happens, like those things, we start to track those what you’re, that’s what you’re hoping for from that MSP during that time period, you don’t want them to, I mean, you want them to jump in immediately and know everything about your network, but you want them to learn your network and not in give it time and grow with [00:19:00] it.

I set up just jumping in. We’re going to know your problems. Cause that’s why you’re coming to us. You’re going to tell us your pain points. We’re going to be readily watching that on day one. It’s just everything else is what’s going to take us.

Kyle Etter: Yeah. I mean, the tools help to gather a lot of information and we have processes to ensure or get the required information.

We’ll know we need to support a properly, but it’s not that much different than if you were to hire somebody and they were to come in. You wouldn’t expect them on day one to be in, you know, a hundred percent efficient. No, it takes time to learn. There’s still a learning period. So there is still a Betty period to collect and understand, start to know the systems, the software, the people.

You know, the key, where the most value is and where those areas are. And that’s just part of the relationship-building process to go through. No network is the same. I mean, none of them are, they all have unique DNA to them, and they all have [00:20:00] unique, uh, systems and processes.

Each business has developed its own way of doing things. Yeah. So we have to learn that process as it goes through, like any MSP. Well, so, you know, yeah, yeah. Just plan for the time I, to go back again to that 180 days is a good thing to put in your mind to say you should expect to see, you know, improvements and trends, you know, and start to see the relationship.

Start to move forward. After about 108.

Kelsey Sarff: That makes perfect sense. Going kind of backtrack. We were talking about distance and supporting people that are maybe across the country, as far as MSP staffing goes.

The myth that we’ve got now is, “MSPs are staffed overseas.”

Alex Piper: Yeah, that’s a good one. Um, in a sense, It’s somewhat true and somewhat not.

It kinda all depends. Um, there’s a lot of MSPs will outsource overnight work, uh, overseas to help with the time difference and everything [00:21:00] like that. Um, so you, you see a lot of that. So I, you know, I can’t straight debunk it and say it, you know, or anything like that. Cause there is the truth behind it. There is um, some that you just do have it for that after our support, um, You know, but when it comes to that, you know, there are things you have to think about if they are doing it, you know, what’s the language barrier you’re going to be like, if you call in the middle night, what’s the time difference?

What’s the compliance, are they compliant? Can they support your environment? Are you somebody who deals with compliance issues? There are a lot of things to kind of put in mind when you do go overseas. So if you’re another MSP thinking about it, you know, those are things that think about if you’re looking for a.

You know, watching this it’s, you know, do they, or won’t they, we don’t, we staffed 24 hours here in the U S we’re not just located right where we are, but we’re all over the US. Um, they help us with, uh, you know, we have people on both coasts to help us from, you know, we chase the sun a little bit. Um, [00:22:00] And that’s what a lot of people will do.

Um, but I can’t the straight say no. Um, but I think there’s a, it’s usually that after-hours is where you find that niche or where they are.

Kyle Etter: Yeah. Yeah. I mean, it is definitely gonna vary from size and pricing structure and the other sides of when it introduces overseas. Um, but if you’re in the market looking the.

So typically it’s, it’s a disclosure, you know, they will disclose that as Alex had mentioned, really for compliance, if you’re doing any government based work or any side of that, you know, they, they, you can engage oversee support if they’re doing any kind of U S government work, um, defense contractors, there are all kinds of, of, um, different regulatory, um, organizations that will prohibit that from them working on it.

Definitely, something to confirm. I would say of our interactions with other MSPs over the country in different, uh, um, different conferences [00:23:00] and those things typically not, um, but not a hundred percent, you know, across the board. So it’s definitely worth asking. It may be engaged or. It can help cost, you know, so, I mean, in, in the effort side of that, you do it as an MSP to, as Alex mentioned, it helps with the time, you know, obviously their daytime is opposite of ours, so it helps for overnight and shift side with it.

Um, and typically there can be a labor cost savings, so can help them provide the service at a lower price to their customers through that side. So there are valid reasons to look at it. Um, but you’d need to make sure that it fits and works for you.

Kelsey Sarff: Yeah, that makes perfect sense. And I’m kind of going to find our next myth, that kind of tangents lovely off that..

“that MSPs are just sitting around, waiting for you to call in.”

So these guys that may or may not be located in the us cross seas, they’re clearly just sitting there waiting for you to call.

Alex Piper: Yep. Um, love [00:24:00] it. I appreciate this one. Um, okay. As much as I’d love to say yes for just sitting there waiting for your call, but the good ones aren’t and you know, and I’m fortunate that we aren’t, we’re being very proactive in your environment.

You know, you’re, if your MSPs are sitting there waiting for your phone call, it’s great. They’re going to answer the phone. They might be able to solve your problem, but what else are they not doing? What are they ignoring? Where, you know, if they’re being proactive, they’re monitoring that network. They’re patching, they’re helping you plan for that growth.

That’s really where, you know, you’re hoping that that managed service, that your MSP is really driving towards. Yes. Do you want your help desk? They’re ready to answer the phone. Of course, but, and they will be, they’ll always answer the phone. It’s just, that you want to make sure they’re doing other than just sitting there waiting for your prompt problem.

They’re not just sitting there twiddling their thumbs, watching, you know, reading something online. They’re actually doing something in your network or somebody else’s network, and they’re being active in there for you.

Kyle Etter: Yeah. I mean, it’s, [00:25:00] it’s part of the cost analysis side of it. I mean, obviously, an MSP can’t supply, you know, all these services and those other things and have a dedicated person waiting for every customer to call it.

That is just not the way it’s going to cost out. And, you know, so you’re, you’re gaining the efficiencies with the systems and software Alex, there’s a proactive side to the event, you know, trying to prevent the users from needing to call in the first place. So that occurs side through there. And then you, you know, typically we publish our service levels.

You know, most MSPs do have the service level side of it, where they quantify and they’re going to categorize the calls. So not all calls are equal. And I think that’s, there’s an educational process that needs to be communicated to staff when engaging a managed service provider and understanding that, you know, you’re, you’re formatting out of your printer, not working right, is different than a customer with their whole network down.

You know, so the [00:26:00] reaction times and expected response is you are going to vary depending on that. And to plan accordingly. I think all MSPs want to serve the customer as fast as possible. And the service levels are always the afar outer range that you measure against to beat. But you do have to understand they’re not all equal.

Um, and you may be faced with, you know, waiting to have 30 minutes or an hour for a call back on certain things. That’s just part of the process that you gain from that. But it does piggyback on that earlier conversation of certain customers of certain sizes having onsite. It maintains those expectations because if you have no complex systems or you have enough staff on those, having your onsite, IT staff feel that will support those systems and those other things, and allow the MSP to do what they do really well can help as well.

You have to do that full analysis to see where it really [00:27:00] fits best.

Alex Piper: Yeah, no, I think those are fantastic points. You know, just about everything, just looking at it, you know, it’s a whole approach. It’s a whole package that you have to look at. It’s, you know, it’s, everything comes with something else.

Like the SLA is all service levels, agreements, you know, like that comes in. Yes. We don’t want to hit them and we want to, we want to beat every single one of, well, we don’t want to hit. Top of it and just scoot by, you know, you want them sitting there, but also you have to understand if it is something, you know, it kind of helps for you to vocalize what you’re experiencing to your best advocate.

Um, when calling in or sending that email in, if it is critical, you have to, you know, letting that provider know helps them give you that level of service in the timely manner that you you’re expecting them to do, but that level set needs to happen as.

Kelsey Sarff: I think we could tangent, I could have a whole other half an hour discussion. Okay. Let’s look at, let’s [00:28:00] talk just about the service level. Um, but as we are getting up to the end of time here, I wanted to thank you. But I thought all of this was amazing. I know that we have more myths. So maybe part two coming in the future, we’ll do a trailer.

Everything will with stranger things themed. It’ll be amazing to dress up like the eighties. I can see it now, but thank you guys so much for sitting down and chatting today. As everybody can tell the love tangent. We want to talk about just about anything underneath the sun. So you can always get ahold of our speakers online.

We’re at backslash podcast. There’s a lovely form. Fill everybody’s favorite out there. Feel free to drop questions or topics. If you want to connect one on one, they’re always willing and able to do that for us, you can send us an email at We look forward to chatting with everyone next week.

Technology for Business Podcast – Healthcare Cybersecurity Act 2022

Todd and Nate sat down to break down the Healthcare Cybersecurity act in this week’s episode. They discuss how this is new legislation and how it won’t be the last, what it is, and what it means.

Listen now

Have a question for Kyle or Rob? Email

Episode Transcription

Tara Klocke: [00:00:00] Welcome to today’s CIT at tech for business podcasts. Today, we’re sitting down with Todd and Nate to discuss the 2022 Healthcare Cybersecurity Act. Let’s kick it off with you guys introducing yourselves today.

Todd Sorg: Sure. Thanks Tara. Good morning. I am Todd. I am Chief Operations Officer. I’m also our CSO and

Nate Schmitt: I’m Nate.

I’m our Director of Cybersecurity.

Todd Sorg: Uh, today, as, as Tara had mentioned, we’re going to talk about, uh, an act that was introduced back in March. Um, and it is referred to as the healthcare cybersecurity act of 22, as Tara mentioned, um, as you may or may not know there’s a lot going on in the world, I’m pretty sure everybody feels it at this point.

The way that they act opens up as it, it says, and I’m going to read this directly, just so you have context for it is in the light of the threat of Russian cyber attacks. We may, we must take proactive steps to enhance the [00:01:00] cybersecurity of our healthcare, public health entities. Um, this was entered by Senator Rosen and as.

It’s no surprise. The increase in cyber attacks has been significant and it’s just been increasing year over year in the context of what we’ve seen over just recently in the last two years is a focus on health care industry specifically. Um, so for example, I think they said last year there was, um, a fairly significant increase about 50 million, uh, PII.

Records were disclosed and they were attributing that directly to the rapid move in the industry to digital. Um, part of that came as part of the pandemic. There’s just been this move to get more and more digitized. Um, one of the statistics that showed up for last year was that IBM came back and said that each data breach for the cost in healthcare specific is roughly around 9.2, $3 million in 21.

[00:02:00] Significantly higher than any other industry. Um, and it’s probably the reason behind that is the data that’s. There is just a lot more valuable than a lot of other industries. There’s a lot more PII that’s available for the bad guys to take. Um, and of course, when there are attacks, it’s also a lot more.

Pervasive and it can have a much larger impact. And I think Nate had a few things that he wanted to add on, on the possible impacts of attacks on healthcare in particular. Yeah.

Nate Schmitt: So as Todd mentioned, the healthcare cost for a data breach has just continued to skyrocket. Um, there is. Studies out there that, you know, will scour the dark web analyzing how much some of this data will actually cost to acquire.

Um, after the data has been exfiltrated or stolen from the network and being sold to other, uh, threat actors or, you know, other nefarious individuals, healthcare is at [00:03:00] least. Um, any on third industry per record, uh, that’s stolen. So this is something that was provided by HHS itself, uh, in their study. Uh, they said that the healthcare per record or a per capita, uh, record is about 400 or technically it’s $408 per record.

The next lowest is financial that’s 206. So. Health records are significantly more valuable to a threat actor. Um, simply just because of the sensitivity, as Todd had mentioned, um, one of the really important things that I did want to highlight here, just because so many studies out there do discuss how much a data breach cause and in the healthcare industry, I really do believe that’s completely missing the mark.

The entire intent of healthcare is to protect [00:04:00] individuals and their livelihood. Um, that’s why every healthcare person is in the industry. They’re there to help serve and protect and support others. So the one thing that I did want to mention is there’s actually over the last couple of years now, Ben, a couple of different cases of individuals, um, who didn’t make it, you know, they passed away.

Directly related to cyber threats. Um, one of the first ones that came out was in June of 2020. Uh, this one was, uh, there’s a kind of a whole lawsuit that’s going on. So there’s, it’s not completely founded in a basis quite yet, but it was an Alabama woman that lost an infant. Um, the umbilical cord got wrapped around the child’s neck and, uh, the whole monitoring and alerting system at that hospital was impacted from the cyber.

So it didn’t support, uh, allegedly didn’t notify the staff in [00:05:00] time to be able to save that child. Uh, so that was one of the first ones. And then in September of 2020, uh, there was a woman in Germany who was, uh, being rushed to a hospital and then due to a cyber incident had to be, will be routed about 30 kilometers in other direction.

Uh, didn’t make it again. So that’s where I think. Really the impact of cybersecurity comes on healthcare. The finances are really, really important, but as a health care facility and, uh, the business leaders and healthcare leaders, we have to take it a step further and going, this actually impacts human lives today.

Todd Sorg: Yeah, I think that’s a great point. It does. I mean, I just, in general cyber security impacts everybody, right? Unfortunately, um, it has a significant and potentially a much more. Impacts and the healthcare industry. And [00:06:00] as you mentioned, I think it’s a absolutely fantastic point is the individuals that work there, they do that for a reason, and there is a lot of intrinsic values and reasons they do that.

And so it can be considerably more dramatic, the impact from these kinds of things. Um, one thing that I kind of wanted to add on here was, uh, this is not necessarily new to healthcare. HIPAA has been around for, I don’t even know. I didn’t look it up because, and I don’t remember. But HIPAA has been around forever.

So the fact that there’s compliance out there, it’s not new. Um, I, I am going to give you just a quick snippet overview of what’s in this particular act and how they’re trying to move the industry forward. But one of the things that I kind of wanted to highlight, particularly in particular is that.

Compliance is here to stay. It’s not going away while we’re today. We’re talking specifically about healthcare. We’re starting to see it everywhere. And I think in a few other podcasts, we’ve alluded to it or even talk to it to some degree it’s coming. There’s a reason for it. Unfortunately, it hasn’t been something that’s been easy to address or [00:07:00] solve on a case-by-case basis.

And therefore that’s where you’re seeing the compliance come in. Um, so really, really briefly on a super high level. What this particular act is trying to do in summary is they’re saying that this particular act is designed to make sure to address as the cybersecurity staffing shortage. I’m going to circle back on this.

So Nate and I are going to talk about this a little bit more, but it’s really, really quick headlines. If you will. Required SISA and HHS to collaborate, including by entering into an agreement to improve cybersecurity in the healthcare and public health sectors, as defined by SISA authorized cybersecurity training to health care and public health sectors and the last, but not least require CSO to conduct a study on specific cyber risks facing the healthcare and public health sector.

Backing up. I wanted to go to that very first piece, which is addressing the cybersecurity staffing shortage. [00:08:00] I pulled some statistics before we got on the podcast today and just running through them really, really briefly. The shortage in cybersecurity is not going away. Um, I want to say two years ago, we were at roughly about 500,000 open racks today, looking at it from a report from Bloomberg.

It was over 600,000 security roles that were open as of March of this year. Uh, Diving a little bit deeper. What does that look like? One of the main certifications that the industry is looking for to prove that security individuals know what they’re doing and all that. They’re what they’re talking about.

Helping move the industry forward as it’s referred to as CISSP. Um, and it is a requirement or a certification that has years of experience as well as knowledge. Of those 600,000 openings over 106 of them are requiring the cer the CISSP certification itself, uh, to kind of give you a little more context of that.

There’s only [00:09:00] 90,000 Cisco certified security professionals today. So there’s more job openings than there are existing certified individuals.

Nate Schmitt: Yeah. The one other thing that, um, And this is even a challenge for CIT. We, we find it every single day is how you also keep security individuals, uh, motivated, engaged, and, um, compensated well enough to be able to, um, ensure the success of your organization, uh, right.

And help protect to the levels that they need to be protected at the. A couple of things. I, for just some basic statistics, cause Todd was mentioning the, um, this has been being in such demand. Um, for those that aren’t familiar with assess it’s the certified information system security professional. Um, it is one of the defacto certs for a security individual.

[00:10:00] Um, and it is also one of the most, um, Highly compensated certifications out there because it is specifically tied to a requirements you need to have so many years of experience in the industry to be able to obtain it and to have authorization for it. Just from a couple of simple numbers, you’re looking at at least a six figure income for an individual that has the test.

Um, so the reason why we bring that up is. There are entry-level roles, but you also still do need those industry leaders to be able to help guide and develop the security program within the organization. Um, what that means is the salaries need to be budgeted for, right. And then additionally cybersecurity, because it’s in such a demand right now, there is a lot of competitiveness on the market.

So you may even be able to, or may be required to have to pay a premium for that individual and for that retention, [00:11:00] um, in terms of additional, uh, retail. Continual training, helping a security professionals fight a mission. Right? So I kind of called this out a little bit earlier about the protecting human lives is saying, please just protect the systems and our finances isn’t enough to retain a security individual.

It may, for many of them, but at the core of many security professionals, They’re fighting for mission. They want to protect something, right? And so you have to align that strategy and vision, uh, directly to their roles. And then the other thing would be adapting rapidly to their growth. So if a security professional is growing rapidly, you have to adapt with them.

Um, for example, many organizations do annual reviews. That may not be enough to retain that individual. Uh, it’s really, really [00:12:00] hard. I’ve seen some people do quarterly reviews. Some people even do monthly reviews and adjustments on salary simply to stay competitive in the market. Right. So, um, just from a straight, a finance perspective, you have to budget have to adapt.

You have to train and you have to provide some type of vision to properly. Uh, Sustain these employees and retain these employees in the area.

Todd Sorg: Yeah, I think you’ve made a lot of really good points there. I mean, there’s a, there’s a lot of stuff that’s going on in that, that summary, which is a, it’s hard to find the individuals as we kind of talked about, right.

It’s also very difficult to train them, retain them, et cetera, et cetera. Uh, with that in mind, there is help to be had. Obviously, this is a little self-serving for me, and I apologize for doing this, but there are organizations like CIT that are doing this already. Right? We’re out there looking for tools.

We’re looking for individuals. We’re trying to find a way to full force multiply. [00:13:00] Because it’s difficult to find them. It’s difficult to pull them away. When the individual finds the right fit, they tend to stick. Uh, Nate touched on that a lot and that’s something that we’re, we’re trying to instill, but what that means to a lot of the people that we work with is in a lot of cases, they don’t have the opening, or they’re not large enough to afford that six figure salary that they’re going to go, Hey, how do I get that expertise?

And there are partners out there for you to find that will help you get in supplement where you need it. Um, the last piece that I wanted to touch on before we move on to the next piece is the intent of this really is finding and growing talent. There are schools and, and there’s been a significant increase in the training of cybersecurity individuals.

There are, uh, internships that are out there, et cetera. So some of that’s already happening, but this is the intent of this particular piece of the legislation is designed to say, It’s a big deal. We really need to address this on a national [00:14:00] scale. So that’s where that’s coming from. Um, what the details look like to be determined, but it’s coming.

It’s great news for the industry and it’s great news for companies and especially for healthcare. Um, the next item that was listed on here was required SISA and HSH to collaborate, including entering into an agreement to improve cybersecurity in the. Um, so one of the questions I was going to ask Nate is what, what do the people that potentially are listening to this podcast or watching on YouTube?

What can they do now, if anything, to, to get going on this particular piece? Or should they even worry about it at the moment?

Nate Schmitt: Yeah, it’s a good question. The, the, one of the main takeaways that. While reading this article, uh, or, you know, a bill was it’s very high level, right? It’s, it’s hard to take that and conceptualize, what does this mean for my day to day activities?

Um, because none of us necessarily work directly with HHS and then none of us [00:15:00] are directly working with Seesaw. So breaking that down a little bit further, um, in terms of. Information security collaboration between the federal government and the public sector and of critical infrastructure for healthcare individual.

Uh, there is the H I SAC, which is the information sharing platform. Uh, Isaac is the information sharing and analysis center. Um, there’s many different ice acts out there. There’s ones for, uh, financial. Uh, public schools, healthcare, right? Um, so the dedicated H Isaak is where these organizations can be connected to other healthcare facilities.

If one health care facility. Has indicators of compromise or some type of other upcoming threat information that may impact other hospitals, they’ll share that information out. [00:16:00] Um, so from a day-to-day perspective, if you’re not already part of the HIV, Zack be connected to it. Um, the other really critical component of that is if you’re not actively monitoring.

That’s an issue. Uh, you have to stay up to date on the latest threats. And then if we’re talking about maturing up like a security model, uh, for that organization, the last component I’d say is if your organization or your healthcare facility is experiencing some type of threats, shared back to the HII sec, protect the other health care facilities.

We’re all in this together. Um, we don’t operate in a vacuum anymore. Uh, we, we have to. Work together to protect the entire industry,

Todd Sorg: right? Yeah. It’s great. One of the things that I wanted to add, I was waiting for you to do we’re all in it together. Cause we are, um, one of the things I wanted to add onto it was the, the ice ax, just in general, they tend to be in [00:17:00] significant amount of information.

There were ways to automate that. Do they exist today? Uh, obviously you and I know the answer, but, but everybody listening may not. Um, but it’s not terribly reasonable for every organization to be able to, to get that kind of information digest it, apply it, et cetera. So what should they do in those particular instance?

Nate Schmitt: Yeah, there’s this was one of the requirements I’m not here to necessarily pitch a product, but one of the requirements of the healthcare industry is you have a SIM, which is a security information and event management tool. It’s essentially, what’s collecting all of the logs in the network. You have to retain the data for like seven years and everything.

With that being said, though, there are ways to ingest the HII SAC data into that SIM tool to parse through it. Identify if there was any threats discovered from your network logs and then raise an alert if something [00:18:00] is discovered. Um, that’s one of the quickest ways to be able to do that. Um, many, many security tools have these integrations, uh, today.

There are still healthcare facilities out there that do not have a SIM in place. It is a requirement. And then the other thing is you can integrate that threat feed into it.

Todd Sorg: Yeah. So, so just to kind of add that on there, I know we talked about it already, but the intent of that integration is that it’s there to automate the process for you.

You’re still using that enriched data to help you make decisions and, and detect things that are threatening to your organization in general. Um, I kind of did this earlier too, but what what’s the good news in this? And the good news is, is the healthcare industry is not on its own. We are getting support from the government, which we do need.

And so that is going to help push this forward. So in my opinion, while this hasn’t been approved and passed into law or anything we are, in my opinion is really going in the correct direction. So. Really excited about [00:19:00] that piece. The next piece that popped on here was authorized cybersecurity training to healthcare and public health sector, asset owners, operators on cybersecurity, risks and ways to mitigate them, looking at statistics again.

And I know I’ve been a little heavy on that in this particular instance, but just to kind of give you that additional context that’s out there is over the last several years, there has been a significant improvement in. Whether that’s tools or the frequency at which they happen. So, uh, looking at stats from 2018, where it was over 55% of organizations had not provided any type of mandatory training, uh, as of last year that has, is down to 44%.

So that’s, that’s great. We’re going in the correct direction. However, 44% is just shy of half of organizations nationwide that don’t have any type of training in place. And so, uh, well, I’ll pause. I’ll let me expand on [00:20:00] that. Why is it a big deal that the training is in place? What if I’ve got all these other security tools in place, whether it’s the feed from HII SAC or having a SIM solution in place?

Why do I need to train as well?

Nate Schmitt: Uh, I really hate this saying, um, is employees are the weakest link, uh, to, uh, security? Um, the reason why I hate that is it just almost tells you that no matter what you do, someone’s going to make a mistake. Right? Uh, that’s why training is so important because I truly do believe that your employees can be the greatest strength as well.

When the technology fails, the people can still alert and notify you of misconfigurations of suspicious activity. Something that if the tool misses it, they’re still there. Right. So empowering them to have a voice. Um, To even jump straight to the executive, there [00:21:00] should be a direct line of communication.

And I know this is a little bit off of the, um, the training component, but it does go to, uh, you know, if the business leaders that are listening to this or watching this right, is in addition to the training, make sure that there is a direct communication all the way to the top of if there’s a security.

Have a voice. And then the reason why I say that is, uh, egress insider. They had a survey, a data breach survey back in 2021. Um, these are some, I would say pretty somber stats for a security individual, and a business is 55% of it. Leaders rely on employees to alert them of cybersecurity incidents. And then.

So that means, you know, whatever tools or whatever were in place fit the employees still we’re 50% of those notifications. Um, here’s where it becomes a little bit more somber, 89% of those lead to some type of repercussion. Um, that is appalling. Uh, that’s [00:22:00] why I said empower the employees to be able to have the trust that if they do report something, even if they’re missing.

There’s not necessarily going to be re repercussions. Um, it only helps protect the long term. And again, taking this a little bit further, it’s not just that one incident, it’s maybe all the patient data behind that or on the extreme human life tied to that. Right. So it all starts with training the employees to identify different threats.

That may it’s suspicious. Pop-ups on their computer. Maybe it’s safe, internet browsing, uh, practices, um, using a password manager, right? Uh, don’t use the same password, uh, that again, we could go many, many different directions on what to train on, but the big thing is people can be the greatest strength.

And as the industry is still trying to adopt the technology you still need do.

Todd Sorg: Yeah, excellent [00:23:00] points. I agree. A hundred percent on the, the, the management style of if something were to go forward and there was a report going back and punishing and, or be impunitive as, is not a productive way of, of helping to continue to get that feedback because the, the workforce is.

Much larger slice than just the it department. They are the ones that you’re going to look to and say, please help us with this. When it comes to training itself, there are great tools out there. Um, there is, you know, we saw a very significant decrease in in-person training over the pandemic for obvious reasons, but you’ve seen a very good uptick in automated trainings that are out there as well, and they do make a difference.

And that includes doing simulated phishing SIM. Attack. So kind of giving you again, statistics, and I, hopefully I’m not boring you today with statistics, but I’ll use CIT as an example is when we first started doing cybersecurity training, our, our failure rate was pretty high. We were over 60% failure rate [00:24:00] and over the years we’ve been improving it and refining it to the point where we do our training and phishing every single week, we are down to less than 1% of people clicking on links.

Um, even less than that, of, of actually catching them in. And so just that sheer volume of training and repetition has a major impact. So if your employees now know what to look for, they can alert us a lot quickly, whether we’re in the security field, the it field, or however your organization is set up.

So it is a big deal. Again, getting the government behind this and pushing it forward, telling you, you need to be doing this. You need to be thinking about this and we’ll help you get the tools in place. Nothing, but great news from my perspective. And then the last item that we came up on here was requires SISA to conduct a study, to specify security risks facing the healthcare in public health sector specifically.

What does that mean to you? Why is it good news? What, where does it go from [00:25:00] here? Uh, it’s really, really vague at the moment. Again, Nate mentioned a while back that there’s not a lot of meat on the bone on this particular item, but it does give a lot of good going forward steps. It, it makes the government say, okay, we’re going to focus on healthcare because it is one of the major issues.

As I mentioned at the beginning, we were talking about 9 million. Breaches or some type of incident that’s significant. And it, it definitely requires the attention of the security industry, but then kicking it up to the government is great too. Um, so I’ll pause there and I’ll let Nate expand on that if he needs to.

Nate Schmitt: Yeah, I don’t, I don’t have much just because it is truly a very vague statement. I do believe a lot of this one is directly tied to more government action. Just like. Do something about it. If that’s the quickest way I could summarize it is there’s an issue. Do something about it. Right. And so, [00:26:00] um, there’s no more turning a blind eye to, Hey, you know, that hospital had ransomware, that hospital had ransomware, that one had it too.

Um, there’s more of a strategy starting to be put into place. Uh, and this really isn’t anything new. Um, if you go take a look at things like, um, you know, the. HIPAA long time ago. I think that was actually in the nineties. And then you had, high-tech kind of roll around with that, with the whole breach notification and, uh, actual penalties tied to that.

So it’s a very slow transition. We’re starting to see that rapid acceleration now. Um, this is where even in the last 10 years, we’ve started to see things like, uh, NIST and SISA and IC three, all these things. Government agencies dedicated to helping with, um, the cybersecurity posture of these organizations start to roll our own.

This is now just saying government, go do additional studies to help [00:27:00] feed the pipeline and making those form decisions. It doesn’t call this out. What this may indicate as you might have some, um, agencies that are going to maybe seek some information from the, the facility, uh, try and say, how are you doing it today?

What challenges are you facing? It, doesn’t call it out. Um, might come down the pipeline. But, uh, the government typically doesn’t like to call or anything. It’s usually larger studies than that.

Todd Sorg: Cool. Thanks, Nate. Yeah. So wrapping this all up, I mean, long story short from. I kind of started the, the conversation out there is legislation out there.

There’s new acts coming. We anticipate it continuing for the most part, we see nothing but good news coming from this. And it is really trying to get to the heart of the matter. And it is starting to get to the point where you, we should see very good guidance. Will there be a little bit of a burden placed on organizations to move?[00:28:00]

Yes, they are. They’re absolutely well, but don’t be intimidated by it. There’s help out there, whether it’s us or somebody else. There’s a lot of really smart people that can help you through the process. It is their job to understand it. It’s our job to make sure that we’re giving you the tools and the guidance you need to move forward.

Tara Klocke: I wanted to say a big, thank you both to. Todd and Nate today for this discussion that I think of as a really great and valuable way to kind of talk about this act that has been out there, but we know that these guys love to talk and they can tangent at times, but it’s always a great discussion. So thanks again.

Um, let us know if you guys have any sort of feedback about these podcasts. You can visit our podcast, or by emailing info@ and we look forward to chatting with you more next week. Thanks so much.

Technology for Business Podcast – Physical Security (Cameras, Sensors, & more!)

Join Kyle and Todd as they chat about physical security for SMBs. This episode covers traditional and new physical security technology available. Plus, how manufacturing, education, and even CIT use this new cloud-based physical technology.

Our speakers discuss Verkada we chat about new technology. If you have questions or would like to see a demo in action email or call 651.255.5780.

Listen now

Have a question for Kyle or Rob? Email

Technology For Business Podcast Season 1 Episode 5: Choosing an Managed Service Provider (MSP)

Kyle and Rob sat down this week to chat about choosing a Managed Service Provider (MSP). They discuss pros and cons, questions you should be asking, and how to know whether or not an MSP might be a good fit for your SMB.

Listen now

Have a question for Kyle or Rob? Email

Episode Transcription

Transcript has been edited for clarity

Kelsey Sarff: [00:00:00] Good morning. Welcome to today’s CIT tech for business podcast. Today, we’re sitting down with Kyle and Rob to discuss what to consider when hiring an MSP. Just a little moment to introduce myself. I know this is our fifth tech for business podcast. I’m Kelsey I’m part of our marketing team, and I’m going to be asking these guys just a couple of questions, help us keep centered from all of our tangents that we love to have.

But I’m at kick it right over to you guys. Why don’t you guys give me, give us your first name, your title, and then we’ll dive right into it.

Kyle Etter: Thanks Kelsey. Um, my name is Kyle Etter. I am the President and CEO at CIT.

Rob Cramer: Hey, good morning. I’m Rob Cramer. I am the Director of Managed Services, a CIT.

Kelsey Sarff: Awesome. Thank you both.

As I kind of let us into in our intro talking about MSPs this morning, managed service providers. What are MSPs?

Rob Cramer: Well, that’s a great question, uh, to different people. Managed Service providers mean different things, but in general, a managed [00:01:00] service provider is an organization that you can call this, going to help answer, uh, computer quote questions for your users, whether that’s, um, you know, how do I install this Microsoft application?

How do I print? I’m having problems printing. Can you fix it for me? Um, sometimes it’s more important to talk about what they’re not, and we can get into that.

Kyle Etter: Yeah, I think just to add to that a little bit. So there’s an agreement typically it’s a monthly reoccurring fee. Uh, usually based on users are devices that you have, um, to support your it infrastructure.

So, as Rob mentioned is obviously there’s typically a help desk there’s technical expertise provided. By the MSP partner that you choose. And then there’s a set of tools, typically automation to help control costs as well as, as, uh, bringing in a management framework for how you manage your IT infrastructure.

So it usually provides us some software for, for management, for things [00:02:00] like patching of Microsoft patching, patching or what we call third-party applications, your web browsers, different components, um, making sure that things are up or down if the servers or firewalls are key components in your it infrastructure to automatically monitor for their status, as well as other things.

How much disc space is in used is the processor running high CPU usage, those types of things. So you have a lot of metrics and, and other things that get gathered by those tools. So very valuable, but it’s a combination of obviously, um, trained and experienced personnel plus software and services, and a monthly agreement is at a high level.

What it is. It definitely varies by the. Our a MSP on how they package it, but it’s, uh, the end of the day, that’s kind of sums up what it is.

Kelsey Sarff: Awesome. That makes [00:03:00] sense. It’s still a lot of things, right, right out of the gate that you’re like, we can do this for you. Congratulations. And some of these are going to have acronyms, just like the name of it.

Um, but you guys briefly mentioned it, right? These are all of the things that MSP can do. Kind of made my brain go – are our MSPs just local companies, or can they be bigger organizations that tend to have more outsourcing? What’s kind of the range of where you can find MSPs and where they’re local.

Rob Cramer: You can find them everywhere.

Um, you got any of those peas that are, that are anything from a, from a one or two-person company that, that support, uh, you know, small groups within their area, uh, to very large national organizations that have, uh, thousands of engineers spread across the world. And the trick is finding the one that’s the right fit for you.

Uh, you know, somebody who’s going to be, uh, well suited to your organization who can really partner with you, learn your, your ins and outs of your, your unique, uh, environment, um, and help support you on that. So, um, [00:04:00] smaller, large, uh, you know, there are advantages in both directions, uh, finding the right fit is really what’s.

Kelsey Sarff: No, that makes perfect sense and launches right into my next question. How do you find one with all of those options out there?

Rob Cramer: That’s a great question. Um, you know, I, I guess I’d start off with, uh, you know, looking at, uh, some of the common options asking friends or colleagues, you know, who they’ve worked with, if they have any recommendations, cause find somebody, uh, you know, that, that somebody else has wanted to recommend usually is a good indicator.

That they’re, they’re a solid company that they’re gonna be. Do a good job supporting your environment, um, you know, going to Google and just typing in a search and just randomly calling somebody, you don’t know what you’re going to get. You could be getting a, you know, a one-person shop out of, uh, out of 10 book to, uh, and they don’t know, you know, your environment, they don’t know, you know, your, your industry.

Um, and when they go on vacation, you still lose your support. So, you know, sometimes you’re looking for that organization is just the right size that they have enough engineers. When somebody is on vacation, you still get to call and you still get to talk. Somebody [00:05:00] still get support. But they’re not so big that you’re just a, you know, a, um, you know, a small fish in a big pond, if you will, that, uh, that they don’t really know anything about you, they don’t learn your environment.

You’re just, you know, it’s just another person calling you. You could just be, as we’ll be calling, uh, you know, a manufacturer someplace and talking to a help desk in India, you don’t, you don’t really know. Right. Finding that right organization, um, asking around, asking, like I said, asking your peers, asking the other organizations in your industry, uh, if they’re using a master spider who they’ve used and who they like, uh, is probably one of your, your really strong indicators of a good place to start.

Kyle Etter: Yeah. That’s what I was going to say too. I think, I think the referral side is always a strong aspect. Um, you know, as as mentioned, there are national ones. You know, being a local provider, can it be slanted towards believing? There’s a lot of value in, in the local, uh, provider, just because. From what we’ve seen over the years, just being remote, um, is not enough.

You know, there is [00:06:00] definitely times, you know, you need to be onsite and you want to be onsite. Do you want to make the connection? It’s, it’s, it’s gonna there’s things you would need to do to keep upgrading on the systems and other components. And it’s just, um, you know, nearly impossible to just, you can’t do it all.

Um, it just, um, if you have onsite support to handle those things and you just need some augmentative, then possibly, you know, a national provider, could it fill the need for you, but, um, in many cases where you’re truly looking for, you know, an it partner that can be more holistic. And usually we find from, for the customers we work with, you know, the intention or the expectation is, is that they’re looking for, you know, Onsite remote, you know, the whole, the whole gamut, you know, the whole end game is to say they want it working, um, and keep the systems, keep their users productive.

And, um, you know, quite often, you know, a local provider I think provides a little more closer relationship, closer [00:07:00] alignment with what the customers are actually expecting.

Kelsey Sarff: Perfect. Oh, sorry,

Rob Cramer: nah, go ahead. Well, I just asked you add a little bit to that. Comics excellent point. And that is, uh, you know, managed service providers, uh, as, as we are, um, we gather a ton of data.

We learn a lot about the customer’s environment. Um, and one of the things that that lends itself to is really looking towards the future. And as we move forward, you know, what’s going to be the best fit for the order for the customer in the future. Do they need to be looking at a specific type of technology or, or something, you know, that’s coming down the line, or do we need to make some changes to their system to optimize it?

Having that holistic coverage, where you actually have engineers who can come onsite and can have that hands-on expertise for you. Um, really kind of fills out that managed service, a service desk environment and allows you to kind of have the other side of it. So if you don’t have that local it presence and you, and you, you need that kind of help, uh, looking for a provider that [00:08:00] has kind of that full packages is going to be variable.

Kelsey Sarff: Yeah, that makes perfect sense. Just really, really quickly that kind of brought up the question, right. That I say I’m the customer. And of course in today’s world I’m hybrid, or a lot of my workers are remote and yes, it’s great to have somebody on site, but how does that work? Let’s say that I have right employees that are all working from their homes, somebody in Hawaii, somebody here would a local MSP still be able to provide the support that.

Rob Cramer: Yeah, actually, uh, very, very effectively. And, um, if you’re the type organization who may have a local network administrator, um, with an organization like. Ours will give you access to the tools. So you can actually use our tools to help support your remote users wherever they have to be. Um, so just like we use it to help promote in and shadow somebody to screen and, and solve a problem.

Uh, look like an IT person could use that same tool to do that work as well. So yeah, it is very effective. Um, having the knowledge of the organization, uh, learning about their unique software and applications and [00:09:00] how their users need to phone. Um, really is, is more critical than where they’re sitting.

Uh, you know, when, when the pandemic hit, we saw this, this mass migration to this hybrid environment, um, and those organizations who had, uh, some pre-planning for that who had some users who traveled in time had some, uh, ability to work remotely, uh, actually were able to make that transition very easy.

And organizations that are fairly static, very in-house. Um, they had to scramble a bit, and they had to lean pretty heavily on people like, uh, like their main service provider to help them figure out how to get their users out to the house and still be able to do what they need to do. And, um, it was a, it was a very interesting time to see how different organizations reacted to that.

Kyle Etter: Yeah. Yeah. Very, very much so. And I also think that you know, the tools themselves give such. Ease of access to get to those devices, but you know, to have a local provider that can prep those devices and has them sent to those remote workers when [00:10:00] they are ready for upgrades, you know, we see a lot of synergies and a lot of value in that as well.

Um, just the consistency of the support provider to understand the nuances that everybody’s, it systems has. Nothing is a one size fits all. It never is. They’re never the same. So. You know, the, the way that they prefer to have their devices set up and what the user’s expectation is of the workstation, when they receive it, you know, needs to be planned out a quarterly.

So when you send it to that remote worker, you don’t want them to be as productive, as fast as possible. Um, and we find a lot of synergy and, you know, the pre prep, pre imaging, um, even with cloud connected desktops and Azure ID and those things, you know, you want to go through. Prep on those devices too, before they go to the users.

And I think a national provider, a very difficult time executing.

Kelsey Sarff: I smell a future podcast coming there about prepping devices, [00:11:00] 30 minute discussion. So yes, we’ll like tuck that one in our pocket for a future one. Um, but let’s say that I am a customer. I have X number of employees. Is there a certain number of employees that when I’m interviewing an MSP?

I should say yes. You’re going to be a good fit or no, I’m either too big for you or you’re too big for me. Do you guys tend to come across that when talking to people.

Rob Cramer: You know, Kyle can speak a little bit to that probably more than I can as he’s in a lot of those pre-meetings. But, uh, if I look at the kind of customers that we have, um, we have a lot of customers from very small, um, you know, five, 10 users, um, all the way up to, you know, to several hundred users.

Um, so, so does that mean that that one size fits all? No, but, but there is a point I think you will find. Um, that you need to know the organization you’re partnering with has the backend infrastructure and capacity to handle, uh, the, the types of issues you’re going to [00:12:00] have. Um, did they have the training and stuff you need?

Um, a lot of the larger organizations will tend to get a little bit more complex. They may very well have, um, a more advanced environment. Uh, and, and if you’re working with an MSP, that’s a. Um, a little on the smaller side, they may not have the breadth of experience and knowledge that you’re looking for.

So, yeah, it is an important question to ask. Um, does that mean that one organization can’t service both? No, uh, as I said, we, we have many customers that kind of span the, the environment size. Would I want to take on a, you know, 10,000 user organization? I don’t think I’d be ready for that. You know, I, I think I’d have questioned whether or not we have the capacity to handle the number of calls and stuff, but, um, that doesn’t mean it’s not possible.

It really depends on the environment, and what their expectations are.

Kyle Etter: Yeah, I think it’s a no again, there is no one size fits all on this side of it. It’s how it’s the role the MSP provides, um, can be adjusted accordingly. Um, the smaller [00:13:00] organizations Rob said once you’re, you know, you’re typically less than, uh, you know, 50 full-time employees, you know, an MSP essentially could be your it department.

You know, they, they handle the onsite. They provide the remote help desk. They manage the systems, they do the upgrades, and they handle everything. As you start to get larger. Um, and definitely, uh, more than a hundred plus users, typically you start to see a need for an onsite. It person, somebody within the organization that is now a full-time employee, but the MSP is augmentative.

They handle projects, they handle, you know, keeping an eye on the systems. 24 7, they provide the management platform. That resource uses, um, as an augmentative side of it, but then that employee is more focused on the users, um, for the customer’s productivity, as well as their data, their systems, their line of business applications.

As you get bigger, those become complex. I know we might [00:14:00] talk a little bit about this. Let’s go through there is where it’s a struggle for an MSP is once you get into that internal line of business systems MSPs, we can’t go that deep into the organization side of it. It’s a more, you know, um, higher level.

It support for the functional. Now, the desktops and the patching and the health of the networks and the security of the systems and those things. But once you get into that data, you know, having somebody onsite who really understands that keeps the users okay. Comes very productive and most larger employees.

That’s where it really starts to, to be a need, but an MSP can provide a tremendous augmented. Consistent support that has, you know, for, for us, we’re 24 by seven. I know there are other MSPs around. So looking for those that you have somebody on glass, you know, around the clock that can, you know, give you a call.

If the system’s reporting offline, they can potentially take to make sure things are patched to give you the management platform to manage it. There’s a tremendous value in that. That [00:15:00] again, having somebody internally to try to build that themselves just takes them away from the core business, um, because the MSPs do a very, very good job of that.

It’s what they’re purpose built for.

Rob Cramer: Kyle’s point there, you know, we’re, we’re not going to know a lot of those line of business applications. However, for some of our customers who were kind of in that in-between category, they don’t have a local it person, but they have kind of a unique application.

Um, we proxy that we will call the vendor on their behalf. We’ll get the tickets set up and we’ll, we’ll work with the user to try and solve that problem. We don’t necessarily have that expertise, but. Broker the connection and help translate for you for the person on the technical side, uh, to the business side.

Uh, so, um, you know, we can act as kind of the intermediary for those calls as well. When we. Good point.

Kelsey Sarff: Perfect. I was going to say two things first. Can you give an example of some of those line of business applications, which ones are easier to practice proxy with? Which ones are maybe a red flag to be [00:16:00] like, Hey, you’re going to have to use their support.

Well, that’s kind of a grab bag, but just if somebody was like, how do I look at my applications and know whether this is going to be a problem child at work it’s…

Kyle Etter: fairly easy.

Um, a lot of those, you know, accounting for any of your counties. And so it kind of falls in the ERP side of it. Do you want it to get into those things? Um, I won’t name anyone by naming the ones. Um, and obviously some things that are custom-built side with it. Um, and even some of it is just the data workflow that some organizations have evolved into how they’re using, you know, your Word and Excel documents, their files share structure.

Companies have evolved over the decades of, of how they’re using just, you know, uh, unstructured data that just sits on a file share within it. Um, in very unique ways, ran into those things and they have very unique processes with all the print and share and execute a [00:17:00] workflow within their business side of it.

So, um, you know, it could be very far-reaching, uh, and for an MSP to walk in the door and just have, you know, Th there’s no magic sauce to just say, boom, we get it. We understand everything. There’s it, it takes, you know, it takes time and certainly to go deeper into those things. Again, we have to rely on the vendors or somebody onsite to champion those products so that we can make sure that the systems are operational and healthy, and available.

Up to the point of, then once it’s in the application, it gets much more complex, but that just requires a lot of collaboration and making sure that you’re talking, which I think circles back. I think the importance of the local, because you need that regular cadence and communication to keep everybody on the same page, just as you would, if they were internal, you need to make sure that the teams are talking, whether they’re external, not, you gotta have.

And [00:18:00] that’s definitely what we’ve seen over the years is just that they need to w when we’ve seen things start to become problematic between our services and the customer increasing the cadence between our managed team and the customers’ teams. Resolve those challenges, whether we go to a weekly call and then make sure things are quieted down because some system upgrade went through, there’s a spike in calls.

Users are upset. The customer comes upset and starts talking more or accuracy things start to get back on track. People are collaborating better, and then you start to move forward. So it’s not that much different than what you do internally between departments things aren’t working. You got to get people meeting.

To resolve things. And that’s, you got to look at your MSP, and that way it kind of extension to say they don’t have a crystal ball. They’re not going to feel walk in and see things under, you know, behind the curtain. So you gotta, you gotta get people talking.[00:19:00]

Rob Cramer: Uh, one of the things that came out of college that came to my mind was, um, uh, you know, we talked about the calls and the Cades and stuff with the customer, um, to be clear, it’s not always an IT person. We’re talking to the customer when, when we’re talking about those applications, that who’s, that point of contact is for the, for the, um, the line of business application.

Sometimes that is the. The accounting person, sometimes that is the office administrator, but they have the knowledge that local application that, that there is interface locally on-site for that support. Uh, when we’re, when we’re troubleshooting.

Kelsey Sarff: No, that all makes perfect sense. And I know it can be, right, a whole deep dark hole of it’s hard within 30 minutes to say, “Hey, here’s all of the things that you can look at.” But in that vein, if you had to really high level say I have a business, I’m looking at MSP. When would an MSP maybe not be the best fit and when should I maybe look to hire somebody internal

Rob Cramer: boy, that’s a tough question.

Um, [00:20:00] There are a lot of different things. I think that play into that. First of all, um, you know, what’s your technology environment like today? Um, is it fairly stable? Is it, um, is it functioning and providing the resources you need to do, your business moving forward? If it’s just kind of hanging on, buy, buy, buy, buy a shred of life.

And it’s kind of about to die. That may not be an indication you want an MSP, but rather just a technology part of it can come in and help you kind of bring some new life into that. Get it up to upgrade it, get it stable. Um, and then to maintain it going forward. You would want to look to an MSP, somebody who can help you, um, as you look to the future to make sure that things are again, patching it, that they’re healthy, that you’ve got, you know, good, uh, security in place.

Um, and then as new things come around and we understand your business, we should be able to work with you during things like quarterly business reviews to say. Here are some things you should be playing for. Did you know that Microsoft server 2012 R two [00:21:00] goes into life and in October of 2023, we should be planning an upgrade?

We should be looking to make sure that we’re staying ahead of this so that we can do it in a controlled manner and not get blindsided all of a sudden and have to scramble because that’s always going to put you in a bad situation. So, um, if you’re, if you’re in a good situation today, and you’re just looking for that, that help, that, that kind of, that, that security and that, that support to keep things.

It’s a great time to start talking to an MSP. Um, if you’ve got to look like an IT person and you go, you know what, this person’s going to be out for a period of time, they’re gonna take some vacation. They want it, they want it. Some, you know, they have a personal life too. They can’t always be available. I need somebody to help them to augment them.

That’s another great reason to look for an MSP. Um, you know, we’re not there to replace that IT person, we’re there to be their partner to be their henchmen, if you will to help them keep that environment working. If coming to an MSP and saying, Hey, my environment’s a complete mess.

I need somebody straight into that. Somebody who’s holistic. Like, like [00:22:00] we are, we can work with you. We can work with your environment. We can get you upgraded and then transition that into our maintenance and support and managed services. So there are a lot of different things that can play into that.

Um, is there one right time for every company now that you kind of gotta look at it and say, what are my needs? Uh, am I, am I growing to the point where I don’t know how to keep this functioning? I don’t know what the future holds. I need some, some advice then it’s probably a good time to talk.

Kyle Etter: Yeah. Yeah.

I think it’s very far-reaching, but I think Rob makes a very good point. What I’ve seen from customers. If, if, if they’re, if you’re looking at the MSP and you’re thinking it’s there, they’re going to go into that managed service contract is going to alleviate all your IP problems and you have a lot of it problems that are not going to be the fixed.

You know, Y you, you may have had somebody else managing the, it, whether it’s another managed service provider, or it was somebody internal or an independent contractor. If the IT budget wasn’t realistic if you were not [00:23:00] investing in the correct IT infrastructure. And that is the reason for the issues, just switching to another provider or bringing an MSP.

And there was not. That by itself, fix it. You’re going to have to, you know, allow for, and have strategic conversations to make sure that you’re investing in the IT infrastructure to make it work right. The customers that we work with. Uh, continuing to invest in drive the most value out of it. Invest in there.

It, it, it, it is not inexpensive. It’s not something that needs to be managed for the least cost possible. That has never been a successful model. I’ve done this for over 30 years. The customers with the least cost is never proven successful. I’ve never seen it. Um, why there can be some costs. Benefits of the MSP side of it.

Again, we mentioned some of those on providing the platform, providing the augmentation, providing those things. That’s just working smarter and using, you know, people in their right [00:24:00] seats to drive the most value out of your IT spend. And, you know, it can definitely be done in those customers that we engage with that do that, you know, there’s tremendous synergy and they really drive their it systems and we see them actually produce better results for their customers in that.

The end goal, you know, and that works. It looks tremendous side of it. So, you know, take a close look. My advice is to make sure you have a realistic budget for this.

Rob Cramer: Technology is a tool it’s a tool to use in your business to help your business, to move forward, and to service your customers. And just like any tool, you gotta take care of it.

If you don’t take care of the tool, it’s going to fail you when you need it. The most.

Kelsey Sarff: No, that makes perfect sense. Right? There are all of these tools, all of these options, and just kind of wrapping it up for today’s discussion, because I feel like we could probably turn this into a whole series of, I could go on so many changes.

It’s about all of these things, but let’s say that I am looking at somebody and I’m looking at their tool set, and I’m looking at all of the in-house services beyond, right. You go to the MSP website and they’re like, we can do printing and we can do [00:25:00] all of this and your brain goes, do I need all of that? And again, I’m sure it’s custom to the customer, but is there something that if you were looking at the checklist and you were being like, okay, what are some of the kind of differentiators between MSPs that are maybe red flags or things that you’re like a pro tip?

That’s a great thing to have.

Rob Cramer: I think in, in this, um, in this current, uh, environment that we all live in, um, uh, any provider that you’ve partnered with, any MSP that you look at, uh, really should have a strong security focus. You want somebody who’s going to be looking out for your environment to make sure that we’re doing the right things, to keep you as secure as possible.

Um, that, so their tools should reflect that. So if they’re not using, um, current tools, things like an in-point detection response, or what’s called EDR. Um, you know, traditional antivirus is fine, but EDR is really, um, you know, uh, an important factor for securing those endpoints. Um, and again, it’s really the recommendation that, that I would expect most MSPs to be making to their customers today.

So [00:26:00] looking for a customer for an MSP company that has a strong focus on keeping your environment secure, as well as being able to support you, um, around the clock when your business needs it. Uh, I think those are some of the key factors that you should be doing.

Kyle Etter: Yeah. I, I think having the managed service provider, having security trained personnel on staff is also, you know, in 2022 and incredibly important.

Um, you know, just because nobody has a good us security incident, free card, it seems there’s a lot of things that come through there and having, you know, experts to go through those things. And. I think it’s an important point. Not all MSPs are equal. I know when you see the proposals that look very static, we all present very similar things in a little different manner, but it can be confusing, you know, ask about how the.

Oh, they secure their systems. Ask how their staff handle these after hours? How do they handle a [00:27:00] security incident? If it were to occur, what would they do? Um, you know, I vet those out. Um, if, if they’re too small for your needs side of it, you’re going to find a pretty large gap there.

And that’s going to be, you know, strenuous on, uh, in a critical situation to make it worse. You know, and ask how they approach the IT budgeting side of it. As another thing, as we just talked about that side of it, do they help with having realistic budgets that are strategic and aligned with the business?

So you have predictive spend as much as possible with this. That brings in the security, uh, and investment sides of those and the operational budget and just the overall support of the systems. How do they account for it? How do they do it? And then how do they secure the systems? Because MSPs, in this side of it, we all know that we’re under, you know, under the scope of the, of the, of the threat actors to come after, because there’s, you know, we have access to system sides of that.

So [00:28:00] if your MSP is not. You know, you’re opening yourself up for an issue there as well. So just stuff that you want to definitely ask to make sure that they have things covered. Um, we’re a SOC two type two. We went through that certification. We invest in a tremendous amount of tools, sides of those.

The EDR Rob mentioned is, you know, definitely one thing we, we rolled in early last year side of that, into the platform side of it, because you need to keep evolving these. It’s well beyond just patching and the ability to remote control and 22 is what you want your MSP to be.

Rob Cramer: That sounds like it routes up really well. I’ve not got a lot more to say on that topic.

Kelsey Sarff: Like, and that’s the cherry on top, and no, as I’ve mentioned on this one, I feel like we could talk with both of you and multiple different series. I’m hoping that this sparks good questions for people where people are like, “what did you mean by that?”

And that we can turn it into a whole other series, but thank you both for [00:29:00] sitting down today, what is an MSP? All for good things, but how do people get in contact with us, if they do have those questions, they can. It’s or they can head on out to our podcast page, which is

There’s a form on there. You can send us an email, or call us. These guys love to talk. If you haven’t caught on by now five episodes. And we’re like, yeah, we can talk all the time. We just keep ourselves on a timer for these. So we’re going to be back next week with another episode, but thank you both so much for joining another tech for business podcast.

Technology For Business Podcast Season 1 Episode 4: Budgeting Migrating to the Cloud

Join Kyle and Jake as they kick off our first budgeting discussion by discussing budgeting migrating to the cloud. They’ll talk at a high level about understanding your current technology environment, designing a future cloud environment, and setting up a migration timeline.

Listen now

Have a question for Kyle or Jake? Email

Technology For Business Podcast Season 1 Episode 3: SEC Compliance

Join Kyle, our president, and CEO, alongside Todd, our COO and CISO, as they discuss SEC compliance including; what it is, the positive outcomes, and takeaways.

Additional resources:

Want to connect with our speakers? Email or call 651.255.5780.

Technology For Business Podcast Season 1 Episode 2: Technology planning for SMBs

Join Todd and Scott as they answer the question “How can the small/medium business better align their business goals with the technology solutions and what is required to support those goals?

Want to connect with our speakers? Email or call 651.255.5780.