Modern Cyber with Jeremy Snyder - Episode
45

Dave Sobel of MSP Radio

In this episode of Modern Cyber, Jeremy sits down with Dave Sobel, host of The Business of Tech podcast and an expert in the MSP space. They explore how managed service providers (MSPs) approach cybersecurity, the evolving landscape of small business security needs, and the intersection of AI and IT service management.

Watch Now
Dave Sobel of MSP Radio

Podcast Transcript

Alright. Welcome back to another episode of Modern Cyber. We've got a topic that a lot of us and I think a lot of our audience who tends to live in enterprise land are gonna learn a lot about in today's conversation because we're talking to somebody who kind of comes not not so much from the other end of the market, but from a side of the market that has a very different set of requirements, a very different set of needs, and very often different tech stacks. So we're going to learn a lot about what that looks like, what that customer looks like, what that organization looks like, and what those needs are from today's guest. Today's guest is Dave Sobel.

Dave is the host of the Business of Tech podcast and owner of MSP Radio, recognized as a leading expert in delivering technology services. He operated an award winning MSP for over a decade, including being a finalist for Microsoft's worldwide partner of the year. Wow. That's actually for people who are know the Microsoft ecosystem, just knowing that you were in the run as finalists, that's actually a big achievement here. Think you underplay that a little bit in your bio here, Dave.

But but he did all of that before transitioning to roles at vendors like level platforms, GFI, LogicNow, and SolarWinds. Dave has authored a book on virtualization, cohost the killing it podcast, and has earned accolades like CRN channel chief and Microsoft MVP for virtualization. Dave lives near the Washington DC area, enjoys travel, food, craft beer, retro video games, and cheering for the nationals and capitals with his wife and 2 cats. Dave is also, by the way, somebody that I've known for a number of years and I've learned a ton from over the years. So, Dave, thank you so much for taking the time to join us on Modern Cyber.

Jeremy, thanks for having me. I didn't underplay it. See, I just spent time on the things that are important. You know, the Nats, the cats, beer, my family, like, you know, the stuff that's important. I noticed you say Nats and cats, but Wizards is surprisingly off the list.

Is that just because they're terrible or just because you're not a basketball fan? Not a huge basketball fan. It's it's you know, like, it's so I I always laugh. I'm a baseball, hockey guy, like, flip between the 2 sports. That's my that's my rhythm.

I'll I love live sports just in general. Fair enough. Fair enough. Well, Dave, like I said in the intro, I think you bring a unique perspective on the MSP side of things because you've spent so long in that space, and you've done so much work in that space and continue to do work in that space through your podcasts and your publications and things like that. So I guess just to start things off before we dive into kind of the state of cybersecurity for the MSP world, how do you define an MSP today in 2025 as we start recording?

Yeah. It's an overloaded term that's become an absolute mess for those of us that think about it. Right? So I start with the customer. Most businesses are small businesses, and we often over overlook that.

And they have technology needs, and they are often do delivered by another organization. By the way, that can be as informal as the nephew's cousin's brother who comes in and fix the computers on the weekend, all the way up to a formal organization that does that. 87% of this space does less than $10,000,000 in revenue. So I define managed services provider as the technology company that engages with a customer on a recurring contractual basis to deliver technology services. That's the broad based version of it.

That is a subset of IT service providers, which is any of the ones that help solve technology needs for businesses. We we can then just subdivide that into a million classifications, MSP being the lead one there. Okay. So a couple of things I wanna dig in just to kind of make sure I have a good understanding of this ecosystem and of the MSPs and of the end customer. So you said kind of starting with the end customer as the place to start looking at this group of organizations and trying to understand it.

What does the typical end customer look like? I know I've heard things over the years. Oh, it's the typical doctor's office, the lawyer's office, the things like that. Is that accurate or is that kind of a, you know, the older view of things and things have changed over time? Or what what would you say there?

No. It's it's still pretty accurate. Anybody when if you ever want to 3 weeks, every business you encounter in your life, ask them how they address their technology. Because then you can never unsee the world. You'll go to the dentist.

Somebody helps them with their technology. You'll go to the doctor. Somebody helps them with their tech you'll talk to your accountant. Somebody helps them with their technology. You'll go to, the, you know, the fast food chain or a restaurant.

Somebody helps them with their point of sale so you can never unsee it once you start asking who's there. Okay. Like likes like. So small companies tend to work with smaller providers. Midsize companies tend to work with medium sized providers.

And large customers tend to work with large places. So so, like, the big players. You know? Like, if we think government contracting, right, you're gonna get into your GDITs and your Booz Allen Hamilton. So, like, these quick they're delivering managed services for large government organizations and Fortune 5 100s all the way down to, you know, Joe's Computer Shack, probably serves Joe's Crab Shack or Jane's Crab Shack.

Yeah. Got it. Got it. And so you talked about how, you know, 87% I think of businesses are small businesses and the vast majority of MSPs are those under 10,000,000, but when you go through that, you're also implying that there are MSPs that are serving the higher end, the larger organizations, not the higher end, but the larger end of the market when it comes to organizational size or when it comes to the size of the MSP. So presumably, there are also MSPs that are doing 100 of 1,000,000 of year, year end revenue.

There are. And in and in particular, what's interesting is is that as this space has matured, we're also seeing a flood of private equity money. Unsurprising to anybody that's watching this space. So there are private equity backed managed services providers that are getting much more, like, national reach. And I would equate this to, like, you know, think about, like, your H and R Block or something along those lines, where in accounting services, you have that kind of reach.

It can look like that. It can also look like, you know, a conglomerate where they've got one larger corporate investor in each individual location is kind of independently owned and operated loosely. And I'm putting those in, like, big air quotes. Where, like, they operate as a collective, but they also have local leadership over, let's say, a local brand. That's another way of doing this.

So we're seeing maturity in the way these companies have assembled themselves and how they're Yeah. Yeah. So I want to kind of understand across all of those to the extent possible, and I know that, you know, the answers are gonna be slightly different for different sizes of organizations, But across all of those, how do these companies think about themselves as cybersecurity vendors, partners, providers? What's the right way to think about that? Yeah.

Yes. Yes. Yes. So so it's interesting. This is one of those interesting where cybersecurity becomes a difficult to classify bit the smaller the customer range gets.

Right? So in particular, we think of anybody who's delivering technology services has to be delivering some level of cybersecurity. Just hands down. Because the customer has an expectation of that. And Okay.

We get into I I wanna observe that for all of us listening, a lot of this is really an we'll get into academic definitions. Sure. Because if if I put my customer hat on, will they just include security in their umbrella of solve my technical problems? Yeah. Make the computers work.

Right? That's awful, like in a way you wanna think of it as, like, the business owner who runs, you know, say, you know, let's let's take a law firm. Law firm is a great one to tell you. So so 5 or 6 partners, bunch of paralegals, they've got, say, 30 or 40 people in the organization, and they go, just make all this tech work. Right?

We need to be able to go to and they include implied in that is all of the problems that I might might face. And the moment we connect anything to the Internet, one of the problems we face is cybersecurity. Right? Is that Absolutely. So so the customer is is implying in their ask, just solve this.

Now note I said implied because that's important because they don't necessarily understand all of the threats or all of the bits that they need to deal with. Now the technology provider has to address that. Now how how they choose to address that, that's where they get into individual strategies and how much they embrace it and how deep they're gonna go into into cybersecurity. But just for, amusement's sake, and I'll reference some study that I just dug into, there was a recent MSSP benchmark. So managed security service provider benchmark that compared MSSPs to MSPs.

And one of the things that fascinated me was that all the m s MSSPs said we don't do backup and disaster recovery. And I would think any cybersecurity plan has to include backup and disaster recovery. Yeah. That's considered an MSP job. Yeah.

So that frames the thinking, right, as it gets really fuzzy, particularly the smaller the organization is that has to bring it all together. If you're again, my hypothetical law law office or my other favorite is, like, HVAC and heating firms. Right? Like, we've got a Yep. Here, we we both live in the DC metro area.

This is where I'm saying Michael and Son, they're really big. Right? They're across, like, the whole state. They have they're super advanced. All those guys come out with iPads and a whole networking.

I know there's a technology provider behind that, and that cut you know, provider is solving the whole thing. So long answer to say, yeah. It gets really fuzzy when you get down into this. They have to be cybersecurity providers. Oftentimes, that's thinking about it very tactically.

Like, what is the stuff I have to do in order to keep this business running? So I'm really curious about a couple things in there, and there's two points in particular that jumped to my mind, and I wanna get your take on both of them. Number 1 is that, there is a book that I'm reading right now from one of our, a guy on our advisory board. It's called If It's Smart, It's Vulnerable, and it's a book about how actually connected devices, they ship with vulnerabilities, and they're notoriously difficult to service in the field because actually updating them is like a bios update or a rom flash or something like that. And most home users aren't really comfortable with that.

And frankly, the scale of any device that has some scale to it. So if you're talking about, let's say, like, tens of 1,000 of, quote, unquote, smart fridges out in the wild, getting people to go update their fridge across these 10,000 is, like, is a pretty big challenge. You've got different networks. You might have different configurations. You don't necessarily test the updated bios for every combination.

It's a mess. But in that book, one of the things that that comes out is that, you know, the the fastest growing risk to most organizations over the last 5 ish years has been the rise of the kind of ransomware as a service type of organization and the criminal gangs behind them. And, you know, one of the top defense strategies, and this is a cyber defense strategy, is improve your backups. You know, 3 to 1. 3 backups, 2 different media types, one of which is disconnected or offline and is, you know, no longer can't be overwritten, can't be encrypted, accessed, etcetera, and instead sorry, outside of, like, a break glass emergency scenarios.

And, you know, from my days working IT, by the way, when I started IT and cyber were the same thing. There weren't separate IT and cyber departments. It was just all a little bit like you described. The customer assumes that the IT is taking care of the cyber, needs of the organization. Right?

But, you know, we used to burn CDs or DVDs, as data volumes grew and drop them in a safety deposit box at the at the bank, you know, go into the vault and with a key and open them up and take them in, and after x number of months, the old ones would get shredded. We we actually had a shredder in several companies that I worked at that you could just pass the DVD through. And so, you know, first of all, I definitely think of backup as a security strategy, but the other part of it is that, like, I do wonder for those MSSPs who say, hey. We don't do backup or disaster recovery. Is there, like, a perception issue around it where if you are an MSSP, you can expect a higher valuation from things like a private equity acquirer who's looking at the space and says, well, you know, MSSPs, we value at, I don't know, 3 times revenue, but MSSPs, we value at, like, 5 times revenue.

And so there's, like, a positioning and a branding kind of, or image perception type of, problem around that. Or how how what do you think? Yeah. I mean, I I think that there's a lot everybody likes to invest in cybersecurity right now. Right?

Because they call it a big big need. My pushback always on this is is, like, that old approach really wanders you too far from the customer for my liking. Like, you know, what what you're like because it it's the the security service has become about growing the security service, not about solving the customer's need. And, you know, and and and I think when when we get it when we start doing it, I don't live over in that portion of it for the exact reason that it for my taste, it's too far from the customer. Again, so if if I'm a if I put my business outcomes hat on, right, which is the starting place for the way customers invest in technology, I struggle to find a return on investment on security the same way that I can tell you a return on investment on, say, improved workflow or Yeah.

You know, or or productivity gains or making, you know, we can have the whole AI debate. Right? That's a Yep. Yep. Fun to air we won't, but it's fun to explore because we could look at it from the business outcomes perspective.

Right? I can tell a customer, hey, spend a dollar, you get a buck 25 back. A cybersecurity is a risk management conversation for any of us that are smart about it, right? And I like to tease the cyber guys and go, I can give you infinite money. All the money.

Big giant McScrooge McDuck bags of it. Yep. And you won't actually solve my problem. You will risk manage it to the to the to the world, but you'll still have all kinds of outcomes. And by the way, Janus in accounting can still screw it all up.

Right? And and it's it's like, well, but I gave you all the money, like, all of it, and I still don't get a business outcome based on it. And I think that's that's a struggle. Right? And I'm realistic about this conversation.

I just wanna frame that for security people, like, you kinda have to put get back to the customer of what they're trying to accomplish. Yeah. Yeah. And their their outcome is I want good outcomes with my technology. I want it to enable my business.

I wanna be productive. I wanna lock the doors against cyber criminals. I could get all that stuff, but you have to understand that there's a discussion there. And when we get into, like, the whole valuation stuff, it's like, ah, it's wandered too far from the customer for my liking. Yeah.

It's funny. I mean, we've had this conversation on this podcast many times with several different guests about how, you know, one of them brought up the analogy, the most secure computer in the world is the one that's turned off encased in cement and at the bottom of the ocean. And even then, you can't be sure. Maybe there are radio wave signals that you could bounce off that they right. You know, you can concoct all kinds of outlandish scenarios, but some of which may have technical validity and who knows.

Right? And and I totally take your point around the cybersecurity being an infinite a potential infinite well of investment with an uncertain outcome. By the way, the same is true of almost any business initiative. Almost every business is, you know, has some inherent risk in the organization that could be anything from, you know, from, let's say, like, a salmonella outbreak on a supplier to lettuce in a fast food chain. Right?

You know, there's there's always risk management in any level of business, and cybersecurity is just one of those other risks. It happens to be a risk area that, in my opinion, is the risks are ramping up faster than the risk mitigation strategies are. And that's the thing that I think about as being, let's say, the key thesis around why you would invest in cybersecurity right now in 2025. And there is, by the way, an AI discussion that we will have a little bit later in today's conversation. But I I I just want to kind of understand from your perspective.

Right? On this risk management calculation in particular, is it something that is more painful for the end customers of the MSPs, the the general MSPs of the world, because dollars are tighter and because budgets are a little bit, you know, more stripped at that level? 100%. So it's a 100%. There's actually 2 parts to that.

So the first is we're just not talking about the same raw dollars. Right? Like, you you get that, like so we'll we'll talk about my theoretical law firm. Right? So so they're probably doing, what, 3, 4, $5,000,000 a year in revenue?

Like, really that's a really good law firm. Right? They gotta pay all their people. They gotta pay taxes. They gotta pay for the building.

They've gotta pay all the licenses. Yeah. Like, we get down to IT technology. The technology infrastructure is probably 5 to 7% of overall operations. Yeah.

5 to 7% of 3 to $5,000,000. That's your total spend, everybody. Total spend. Yeah. Total spend.

I gotta give them productivity software. I've gotta be them hardware. Just the basics. Right? Like email document management, storage, etcetera.

Yeah. All the I gotta give them all of those things, by the way. And help desk service, I've gotta, like, you know, fix the printer. I gotta do all of those things. Oh, and now on top of that, I have to layer on all of those other bits.

The second part of that is is, by the way, is I love the the risk, framework here, and I understand that. The customer takes security risk. The provider takes security risk. The vendor does not take security risk. Yeah.

And I I I wanna highlight that, you know, love them all. Love all the security vendors. God, everybody's coming at it from the perspective that they want to do right. I do not believe that anybody's in security because they're, like, trying to take advantage of the customer. But I will admit that I've seen 1 or 2, but let's let's keep going.

For the premise here, let's assume good intention. Let's assume that the industry is trying to do right by the customer. But they're not assuming any of the risk. Right? All of the if if their product fail your salmonella problem.

Right? If the manufacturer introduces disease into the system, there's real risk for them, like, of going to jail. Yeah. Yeah. But if a cybersecurity product fails, well, not really any actual legal risk.

They're probably gonna get tied up in court. So I get all that. But anybody find a case where the vendors actually been found guilty? Like, no. Not really.

Like, it's not really. But just a handful across thousands of cases. And and by the way, to your point, there's a couple of vendors that I know that do actually provide an insurance policy along with their license, but there are few and far between. You know, there are the outliers. And there are and pretty and pretty restrictive.

Right? So it's not it's not a shared model. I don't know the details, but I assume there is going to be some disclaimers and, you know, kind of limitations of liability. And I'm gonna I'm gonna pick on I'm not gonna name them because this would be mean. But, like, one of my my my interface annoyances so I use a popular EDR platform on mine and its interface tells me every day, you are safe.

Big green letters. And I look at it and I just wanna give it the middle finger because it's like, okay, you just made that claim, but if anything happens, you are on your own is the also the answer. Right? Because the software doesn't actually provide any guarantee to its effectiveness. See all see Dave's earlier statements about risk mitigation.

This is important to think about in the stack. The reason I talk about this so much is the customer has a lot of issue. The service provider is being asked to assume an awful lot of risk, but they don't get to tell the customer, well, we aren't liable if things go wrong. Because they will get called into court, and it's happening right now, you know, where providers are being called into court, and their vendors are not standing by them and saying, we got your back. There's a lot of good luck, right?

So I look at this and say, like, again, if we're in a risk management business, it's a big risk for this provider community that I'm talking about Yeah. Who does not have infinite resources to work with. Well, so let's talk about that. So with the resources that they do have, what are the types of risks that they are able to manage today? Well and this is this is where, like, I will push back on my own on the providers and say a lot of them are not even doing the basics very well.

Okay. We have a lot we have a lot of pushback. You know, we talk about backup and disaster recovery. Whoo, Bonelli. That's a problem area still.

The number of customers that still do not do a really good job systematically of managing their backups and recoveries plans is not small. It is a significant it is still a significant bit. Basic stuff. Multifactor authentication. Right?

We're all proper security people. We will all quickly not. Oh, you gotta totally have that. Right? Yep.

Yep. Yep. Yeah. Not so much. Let's let me point out that it's not mandatory.

It's only now It's only now becoming mandatory from the major cloud providers to be rolled out from that and not necessarily mandatory for all customers all the way through. You know, you you can have a Google Workspace account, a Microsoft 365 account without enforcing multifactor authentication from the vendor Okay. Much less the service provider being able to enforce it. We know password management is just a disaster. Right?

We we know this is a thing. Yes. Yes. Anybody ever done troubleshooting for your parents, trying to manage their passwords? Yeah.

That's what SMBs are like. Fair enough. Imagine that space, that lawyer who can't manage their passwords very well. Yeah. That's still a real thing.

Like, we still have a lot of basic cyber hygiene stuff that has to be done just culturally to make this, an actual impact on the difference. Okay. So so there's some of the basics that some of these MSPs aren't doing very well. But let's say, like, if you kind of zoom out and you try to take a macro view on the m s MSP space right now, 2 questions come to mind. Number 1 is, what is kind of the the mode, if you will?

What is the most typical kind of security service offering that MSPs are out there offering? And then I guess the second part of the question is, like, how do you think that shapes up over the next 3 years? Because one of the things that it sounds to me like kind of implied from something you said at the very beginning, Customers are assuming that the MSP is taking care of these cyber needs. And so my question is 3 years from now, if you're an MSP that's not covering the at least the basics, ideally, you know, coming up to kind of the mode average level and then maybe trying to do a little bit better. Are you still relevant to as an MSP, or are you, you know, gonna be consigned to the dustbin of history?

So I think you're being very generous to even say they have 3 years. I think they're now if they're not doing a good job of that. But I will observe that so so when I look at this this space, right, there there's lots of, research that gives us insight into the financial viability of these businesses. Okay. But 20% of this market is killing it.

Right? They're making really good money. It's a really good services business. They can grow it. They're dropping real profit to the bottom line.

That's why the private equity money is flowing in. But I will also observe that roughly 30% of this space every quarter is either breakeven or losing money. Okay. Right? So That's pretty that's a pretty large number for a whole you know, outside of, let's say, the venture backed startup community where, like, you know, roughly 90 plus percent of companies are losing money.

That's a that's a high number. Yeah. 100%. Now remember, really big space. Tens of thousands of players in this space.

Right? Like, all and I'm just and I'm when I'm throwing out the tens of 1,000 numbers, I'm just thinking about the US. If I go into if I do a global analysis of that, that number gets way bigger real fast. Sure. Probably 100 of 1,000.

And note I said each quarter, it's not the same ones because they're churning in and out. Right? They're they are they will go out of business if they are not making enough money for a period of time. They will churn out of the industry. New ones get created.

It's not hard to start an IT services provider. You pretty much just put up a website and declare you are 1, because the guy who cuts my hair has more licensing than somebody who delivers IT services. Yeah. Yeah. And I, you know, and I am a listener to your podcast and I've heard some of the conversation around this around I've I've weirdly feel like it was the state of Louisiana was one of the first to enact some state level legislation around Yeah.

Registering and having some minimum certifications and qualifications. But that was just to service public sector contracts in that state environment. Right? A 100%. And by the way, not even certifications, literally just registration.

Okay. And the reason they put that in place is so Louisiana had a whole bunch of ransomware issues, you know, about 5 or 6 years ago, super headlines, shut a good portion of it down. The Secretary of State literally did not know who all of the IT firms serving the state were because they didn't have a list of them. Gotcha. It was that simple.

His his problem was not the I need to wade in. It was literally we're going down. We're dealing with a ransomware problem, and I don't have a list of all the providers that are engaged with the state. So I don't know who to communicate with to manage the crisis. And Katie was literally that fundamental and he just said, I just need to register these guys so that when we're trying to coordinate responses, I know who to talk about.

Again, if you think about a small town, right? Who's out, who's, you know, their city government, for example, is working with a provider. That's a couple of small businesses working together. Yep, yep. And I'll always smile and go double thumbs up, right?

That's the American dream, right? Is businesses doing that kind of stuff, building business together. But it's really small business. And so it's hard when you're trying to do a larger coordination effort to understand who's all there. So you're right, the initiatives were initially around just trying to understand who's out there, we are a long way from any kind of actual certification.

Yeah. Well, by the way, I mean, this is very reminiscent of most new security offerings in new technology spaces. It always starts with visibility and hygiene. If you just don't know that that stuff is out there, we've lived through wave after wave of new tech innovation, and it always starts with that problem is you just don't know what you have. Right.

So very reminiscent of that. I want to come back. What was it from the first part of my question? What do you think is the mode offering relative to security for MSPs right now? Like, what are most of them doing?

Is it password manager help you implement multifactor? Is it patching? Is it vulnerability? What is it right now? Basic cyber hygiene.

Right? They're coming in. They're gonna make sure that we're gonna have and part of that, by the way, is modernization of the infrastructure itself. We're gonna make sure you're running, you know, current versions of software. We're gonna manage do patch management.

We're gonna do backup and disaster recovery planning. We're gonna do the elements of password management, multifactor authentication enforcement. We're gonna put in put in place basics, firewalls, EDR, you know, like, you know, we don't talk about antivirus in the same way, but we talk about endpoint management, whatever makes makes sense for that particular customer. Note there's a little bit in what I just said of pick the one that makes sense. Right?

Because I don't need to come in there with giant SIM solutions for a small office, right? I have to make sure that this all comes and is appropriate. So we're gonna do those kinds of services and know that we have to do that on a budget. And then we're gonna layer on top of that some level of compliance services, right, making sure that they are actually doing the kinds of stuff to be compliant with the laws and the data management that they are under. We always talk about HIPAA when it comes to health care.

We talk about PCI when it talks to financials. Like, it's the same kind of thematic stuff. But the one thing that those good providers are doing is they're systemizing that, right, so that they can do it, and they can do it in a very systematic way and replicate that over time. One of the secret sauces of a good managed services provider is that they look at their entire customer base like one big enterprise with just lots of remote locations, like, philosophically. Yeah.

And if I move that units or teams or whatever, however they would think about it. But yeah. And if I that way, if I can do patch management at scale, I get efficiency. If I do help desk at scale, I get efficiency. If I'm doing, you know, all of those components at scale and I treat all my customers like a big organization, yet I still have to do a really good job of keeping all their data separate and keeping their own like, they can't ever have any across the streams kind of problem.

But as long as I do that, I can get some efficiency that a large organization would get. Well, talking about patch management and doing things at scale, one of the questions that comes to my mind is, if you've got x number of customers, call it a few 100 to a few 1000, how heterogeneous are those environments? And then, you know, kind of follow-up question to that is if we're thinking about organizations that are often living on a budget, to me that suggests that they're often going with kind of some of the lowest price offerings on the market when it comes to, let's say, like basic computing requirements and things like that. So I'm thinking of the $200 Windows low end notebook. Is that is that a correct or an accurate perception?

And if so, like, that comes with a lot of risk on it itself. I mean, Windows in particular is, in my opinion, the least secure operating system kind of commercially available on the market right now and and is, by the way, also the most targeted. So it has its own inherent security vulnerabilities, but then it has a targeting problem where, you know, it's getting 80% of the attention from the criminal gangs. But some of the best management tools and ability to do management, we get into we're getting a little bit close to the tech stack stuff here. Yeah.

The technical stack to manage Windows machines at scale in a multi tier differentiator way is much more mature over on the Windows side. Okay. Okay. So in answer to your question, really good MSPs tend to work with technology leaning customers who will not settle for the low for the lowest common denominator. So they're not buying $300 laptops coming out of, you know, Costco and cobbling us all together.

The the higher performing organizations. They're gonna invest money in technology and they might be even delivering it, you know, via leasing, hardware as a service. Like, there's like, they might go to clever solutions in the cloud with virtual, desktop infrastructure. Like, you can do some really clever investment here to make that process better. The tools are far more mature when I think about the Windows ecosystem.

So a lot of this is very Windows centric because of that. Now I have a I know there are some some great vendors over on the Mac side. I want to recognize them and say that there's some good solutions. But in terms of starting to think about this from a heterogeneous perspective, because you're right, I've got Windows machines, I probably got a couple of you know, I've got some Macs in there too, I've got all of the other soft all of the other platforms that I have to manage, their networking hardware, their printers, all of the other devices, The heterogeneous management stacks are much more mature over on the Windows side. Okay.

Okay. So you're not seeing you mentioned virtual desktops and and virtualization there. I mean, one of the things that obvious is this kind of an obvious candidate for me is, hey, let's just, like, replace all those Windows machines with Chromebooks, virtual desktop. We reduce our actual spend. We reduce a lot of our footprint.

We certainly reduce the management overhead quite a lot. Is that a trend, or is that, you know, kind of here and there? It's a it's a it's a trend, but I wouldn't say it's any level of dominant. Right? Okay.

It you know, again, it's also good in very specific scenarios. Kiosk based machines do really well with this. Knowledge workers, a little less so. Right? And particularly because then we always get into the wrinkle of some odd line of business application.

Yep. This is a little less of the case, particularly as we move towards software based on SaaS delivery. But a lot of industries still have really weird line of business applications with very specific implementation requirements. Yeah. I mentioned HVAC is another one that that I was looking.

So, like, not all those solutions have moved into the fully into the cloud. Right? And so you end up you end up with an endpoint management's problem where you still have to put those into into place. And by the way, the really good solution providers are also standardizing what their tech their customers buy. Most customers, particularly in this space, don't really care what they buy.

Like, they really take the recommendation of the MSP because, hey, they know it. They know they're gonna get support. They know they can call up the provider. Exactly. And the provider is not gonna be, oh, I what is this thing?

I've never seen it. I don't know how to manage it. And they're and they're gonna put their stamp of approval and I say, we will promise that that's going to have the correct level of uptime. We're gonna manage that. We're gonna take on the the problem with that.

We've got a fleet management system that goes along with that. You've got a problem. We've got a new we're gonna deploy a new one. They've got we've standardized the deployment scripts. They have thought about this Yeah.

Very much the way enterprise IT has. They're just happening to do it off cross businesses that will never actually cross paths. Yeah. You you mentioned something there that I wanna dive into with maybe what the last two topics that we've got time for today. And so one of those is is on the SaaS side because I tend to think of these organizations outside of that kind of, you know, edge case line of business specific application as being primarily a set of users who have needs that are generally fulfilled by SaaS providers.

Most of the time, take your HVAC, take to your law firm, take whatever. I'm gonna need some document management. I need some accounting software. I need, I don't know, ticket management, you know, whatever the case may be. But these are things that exist in the world, and, frankly, most of these organizations are probably better served by adopting a third party SaaS solution that's going to get updates and it's going to have, you know, some level of vendor provided security oversight updates, blah blah blah, then they would be hosting those things on prem or in house.

Is that kind of accurate of the state of the industry? Yeah. I mean, it it is. And we're leaning heavily to there's still a lot of room to go there. Right?

And and a lot of those, you know, if we think about it particularly for the again, it's small businesses selling to small businesses. Right? So we have we have the problem of these vertical stuff. You know, I like to to always remind everybody, like, a Salesforce implementation, really hard. Like, really, really hard.

Yeah. Yeah. Imagine trying to do that if you're a small that that law firm that we just talked about. Right? Like, you're you're not gonna be able to really do that.

You need stuff at the box. But the problem out of the box then is you immediately bump into all of the requirements problems of that business, and there are 5 other things that they need to be able to do. Right? So the the answer is yes. Thematically, that is exactly the way that we're seeing it.

It's not nearly as smooth as we would like it to be because of the dynamics of these businesses. Right? Yeah. So we end up with that with that problem of, yeah, you're trying to solve it for the greatest, you know, common denominator here, but when we get into these smaller businesses, it's not exactly that easy to do. Then remember, the other element of this is all of the training and implementation services that have to be effective, which you have to deliver at the right level at scale, but in a very small per unit cell.

You know, I I always talk and remind all the SaaS people, god, they love it when they're selling thousands of licenses. What happens when you sell a 5 pack? Yep. Yep. Right?

Your your effort to onboard is still the same in terms of time and effort. You're just not getting the economy of scale of doing it for a1000. You have to do the same level of work for 5. Yeah. Yeah.

It's a great point. And it's something that I think a lot of tools don't really accommodate both sides of that well. I've seen tools that are great for user groups of 5. Honestly, a lot of security tools are actually kind of designed for that because a lot of companies have a smaller cyber org than they do the the organization as a whole. So it's, you know, if I'm selling to 5 people who work in the SOC or they're, you know, ingesting data into their SIM, pretty easy to cover those 5.

Very different from selling document management to all 1,000 employees of that organization. So, yeah, I take that point pretty well. And that's the thing to think about is just to remember that that is that is a real problem. It's the and it's the effectiveness problem. Like, I'll laugh and, like, one of the biggest things that I remind, you know, providers when they ask me is is, like, go back and make sure you've done a really good job of implementing Microsoft 365.

Most of them, you know, they buy email and they get the basics and then they just start working. They didn't actually set up workflows and permission. Yeah. Or I go through setting, you know, kind of the the 365 equivalent to his name. I can't remember of, like, group policy objects around, let's say, like, document sharing or or account configurations or what have you.

Yeah. I totally get what you're saying. Yeah. And that and it's that bit. Right?

That's the actual value. Like, customers are gonna really love that that you do that. But by the way, it's hard. Like, it's it's not easy to do that, and you have to do that in a very personalized way. Walk them through the project.

You've gotta find a way to do that at an economics that makes sense at that size. Yeah. Makes sense. Well, I wanna close out today's conversation talking about the thing that I know is on everybody's mind as we as we kind of pod here in early 2025, and that is AI. So I'm curious, a, what is the state of AI adoption across the MSPs and then across their end customers?

And then I'm I'll have some follow-up questions. Yeah. So the thing to remember about this space is is they I like to to remind everybody that while they are builders of technology solutions, they're much more like assemblers. Right? Okay.

And they they because, you know, it it's a little less the artisan craftsmanship of building a house and more like us taking standard components and putting them together to make them work. If I think about the the typical way so so a lot of AI right now is very much in the, you need to build. I write code to make things happen. That's not how technology is being implemented in most of these size businesses. They're taking off the shelf software, customizing it, making it fit within the demands of the customer business, and then then training them and bringing up the speed.

In AI, this is super messy. Right? Because a lot of the AI, when we talk about it, it's very broad. That means a lot of things. We're not necessarily implementing algorithms.

What we are doing though is is, for example, let's pick on them because it's easy, chat gpt. Right? So a lot of people have have put a lot of business owners have started playing with ChatGPT. And then, by the way, so have their employees. And maybe not even telling their their bosses that they're doing it.

So there because a lot of this is all just stuff you can just go get, right? You can buy AI software or AI enabled software. Putting aside that a lot of the marketing means this is meaningless. And you then in your business have to figure out what that means. Now, what I've been telling a lot of the MSPs to do is the real opportunity right now is helping those organizations come up with their policies and procedures on what's allowed and what's not.

Answering the question of when are appropriate times to use AI driven technologies, in particular, if we're thinking about this in the context of generative AI, you know, disclosure is important. Right? It's much more important to tell employees, hey, we're not against generative AI. We just need to know where it's being used so that we understand it. And it can be used in these scenarios, and it shouldn't be used in these scenarios.

And here, we're gonna give you playgrounds to to test things out so that we can have a conversation about it. We don't want this to happen at a level that is hidden from all of us. But what I really wanna what particularly if if you're coming at this from, like, a developer type mindset, remember that we're not talking about people writing code or even using ChatGPT to create code. What we're doing is we're using end users that are looking for these new features to do something for them. AI is something that they will use that is embedded in a product, not something that they will create on their own.

Got it. Got it. And so for the MSPs themselves, are they kind of the bridge to enable that assemblage, if you will, or are they typically doing some of that assembly on behalf of the customers so that the customers can, to your point, just use it? The really sophisticated ones are doing both. It's an and, not an or.

Right? Is is that you're looking for opportunities to again, if we'd step back to the basic premise, we're we're these IT service providers, MSPs, are looking for ways for technology to help the business outcomes of their customers. I think we can all agree that there are elements of AI that are gonna be really impactful on customer outcomes, and they are helping their customers navigate that. Now I do not have an expectation that most of them say, for example, are impacting directly to the models. I don't think they're Yeah.

Yep. I don't think they're creating their own models. I think, at best, they're doing, you know, they're they're doing some level of prompt engineering. Like, they're building prompt. Yep.

They're interacting with that way. I don't even know for sure that they're doing a good job of all the data management and all of the stuff required to be effective. I'm not sure most of these organizations have their data in a way that is ready for AI. Now, that's an opportunity. Again, I've been telling my listeners the I think data management and data preparation is a whole space.

I think you can lean into that. And even if we're wrong on AI, there's a lot of value that you can get out of bringing your data house into order. So, cool, there's work we can do right now. But I wanna frame it in those sentences. And again, I use this analogy of, like, Janice in accounting.

Right? Janice in accounting may be using ChatGPT, and you don't know what she's putting into it and how she's using it. That's the worst outcome is that we don't know what's happening in in this shadow IT, shadow AI outcome. Yeah. Yeah.

So we come back to visibility. But just to make it concrete for for your HVAC example, if we think about Michael and Sons, if I'm hearing you right, what we're hearing is, you know, this type of organization, they're not going to be using predictive analytics and AI to predict when Dave's heater is going to go out. They're going to be using more some AI across their customer database to understand, hey, what's the this time of year, what's the right offer to put out there that's going to generate the most business for us? Yeah. I think that's great.

I'll tell you the the one example that I use all the time that I think is, like, interesting to me as most is I talk about solving the reporting problem. Yeah. The report the reporting problem is one that let and particularly galling in small businesses because Yeah. You have all this data about your business. You'd like to make good informed decisions about your business.

Yeah. It all lives in these systems. And you end up with 1 of 2 solutions. Either the vendor gives you a bunch of pre canned reports that I then pull data out and it's probably 80% of what I'm looking for, but it's missing a little bit and I have to do some Excel wizardry, right? Yeah.

Yeah. Yeah. Or the other half of it is they give me a report builder, and I have to build my own reports, and I probably have to employ someone who has to be an expert in report building. And why most of these organizations will build 2 reports that they that they live on forever and try and both of them are bad solutions. Yeah.

But generative AI does give us the ability to talk to the data. Yep. You can then say, like, I want to ask my data about a bunch of stuff and it comes back in all of the creative ways and presents that to me. That's summarization, which we know generative AI is quite good at. It is a user interface that is easy, that is flexible, that allows us to be very natural.

We don't need as much training. It solves the reporting problem. So when I think about the best case for AI and particularly generative AI right now, it's allowing smaller customers to do more interesting things with their data. Yeah. Yeah.

I think that's a great note to leave today's conversation on a really inspiring thought. Dave said, well, thank you so much for taking the time to join us on modern cyber. For people who are looking to learn more about the space and get informed, I can heartily recommend the Business of Tech podcast. Please tell our audience where to find that and where to find more about some of the work that you do. Jeremy, thank you for the kind words.

Everything is on my website at business of dot tech. There's a big blue button where you can find all of the resources, both the podcast and the YouTube channel, depending on how you like to get that. I do a daily digest of all my news stories comes out in email. Whatever works for you, easiest to do at business of dot tech. There you have it, business of dot tech.

To our audience on Modern Cyber, thank you so much for listening. We are a little bit backed up on guests right now. I know in the last couple of episodes, I've been asking for people for suggestions. You responded overwhelmingly, so now we have the opposite problem. So stay tuned.

In a couple months, we'll be looking again. Until the next time, thank you again for joining us on Modern Cyber. Bye bye.

Protect your AI Innovation

See how FireTail can help you to discover AI & shadow AI use, analyze what data is being sent out and check for data leaks & compliance. Request a demo today.
Request Demo

This site uses cookies

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Got it!