
Webinar
* Recorded on Wednesday, March 27, 2024. Please note since this recording, Covalence has been renamed Field Effect MDR.
What were the key cybersecurity trends, topics, and lessons we took away from Right of Boom 2024? Even more importantly, how can MSPs put these business ideas into practice to work more efficiently and stay competitive in an ever-evolving industry?
We sat down with the founders of two leading MSPs to discuss key highlights from Right of Boom and:
Before we get into some of the topics we have for today, I want to quickly reflect on Right of Boom. From my point of view as a vendor, the recurring theme was around community and education—an event MSPs can attend to gain knowledge about the current risks and threats to their business and their customer base, and to take some things back home to apply to their business.
Especially this year, they had a different cadence than in previous years. There were both technical sessions and business-oriented sessions, and the structure was really designed to bring awareness to both groups—the business leaders and the more technical people. That sort of cross-pollination of awareness between different areas was really valuable.
I really liked the format this year, where it alternated between technical and business sessions. Some people there are on the technical side of the house and got to really see under the hood of some of these attacks. Others are on the business side and really appreciated the business side of the conversations.
The MSP community itself is very collaborative and supportive. Many attendees regularly see each other at different events, bouncing ideas off each other, sharing wins, sharing vendors, and things like that. A number of the presenters actively operate MSPs or MSSPs and were happy to share content that would normally be behind closed doors. They were putting it out there as resources for all the attendees to use. I think that’s why we’re seeing Right of Boom scale the way it has. It’s grown tremendously over the past few years, and we’ll continue to see that.
You brought up a good point about business, which is a perfect segue into our first topic—business challenges that MSPs are currently facing.
From what I see inside my business, and what I hear from my colleagues, staffing is the biggest challenge. Finding local, qualified, available staff who want to work, join a team, and either be back in the office or part of the virtual side of the business is difficult. That challenge is forcing many of us to look overseas for good-quality staffing as well. Even then, if you have an immediate need, it could take six to nine weeks before you find the right person to bring onto your team and integrate them with your clients. It’s getting much more difficult on the staffing side.
From a business standpoint, another major challenge is selling at the right price so we’re covering the new expenses we face. There are so many new tools, vendors, and aspects of security that have to be covered. I sometimes joke during discovery calls with new prospects that security isn’t just installing Norton Antivirus and calling it good, like we might have done 15 or 20 years ago. Now, there are upwards of 30 different areas that have to be protected within a full security program. To execute on that and help clients with compliance, you have to make sure you’re going in at the right price and showing the value behind it.
Cybersecurity—or security in general—is not a tool you buy, it’s a practice you instill. It’s important to bring that concept home to both existing and prospective clients so they understand it’s not just about installing a piece of software or doing one thing. You have to take a much more holistic view. There are so many different aspects of cybersecurity to cover, and if you want to provide true defense in depth, the amount of correlation needed between tools and platforms to see where risk lies is a real challenge.
Being able to bring everything under one roof, or at least one platform, is key. Simplification is critical—simplify as much as you possibly can.
First off, there’s no silver bullet. If you’re looking for that, stop your search because it doesn’t exist. That said, there are certainly tools and vendors that do some things better than others.
The one thing I really pulled away from that as well, which came from the Verizon Data Breach Investigations Report, is that small and mid-size businesses are now facing the same challenges and attacks that large enterprises are facing. We’re all having to protect our organizations from the same types of threats coming down the pipe. If you look at the common elements, it’s phishing, credential breaches, and vulnerabilities being exploited. That’s where we have to focus our energy these days.
There are more people in our space, and every month more vendors are coming in. Some of those vendors were in enterprise for a long time and are coming down into the MSP space, re-tooling their offerings to match the MSP business model. That has pros and cons. The biggest con is more vendors, more tools, more expense. The biggest pro for it is these vendors can do things for smaller MSPs that we couldn’t staff ourselves. I couldn’t staff a full 24/7 SOC right now, but through vendor selections I’m able to do that. Now I can go to market with solutions that help small, medium, and large businesses.
One of the key areas for me was speaking the right language to your client or prospect. What that means: if I’m working with a medical facility and I hear terms like clinics and patients, I’m not going to refer to their organization as a company or a firm; I’ll call it a clinic. CPAs are different—they refer to their organization as a firm. If we clue in on these small language differences, the prospect starts to feel like we understand their business better, and it builds trust between myself, my company, and the prospect more quickly.
Adding to that, take complex IT speak—acronyms and technical talk—and break it down into language the prospect and customer understand. I’ve found better success when I don’t go in talking tech. I address the compliance or security need. I explain that there are roughly 30—and growing—areas under cybersecurity that must be addressed, and that our solution covers all or some of those areas depending on what the client wants to invest in and their risk tolerance.
If we use too much tech jargon and too many acronyms, we create uncertainty and doubt, and it becomes polarizing in the conversation. We don’t want that. We’re trying to create trust and demonstrate that we know what we’re doing, and that we’re going to help the organization. We’re going to come in and help your organization. We’re going to protect it, secure it, and keep your people working.
So, basically, ensure that you’re showing your customer or prospect that you truly understand and know their business. It’s easy to say, but show that you care—care to understand and explain things to them. In that process, you’re learning about the client, their business risks, and what keeps them up at night. By doing that and speaking their language, you start to relate with them and they relate with you.
With prospects and existing customers, when we talk about improving cyber posture, it’s really about business results and risk—tying the technology to actual business workflows and processes. If there’s risk at a technical level, there’s potential risk at the business level too, and we need to talk about the impact.
Steer clear of the TLAs—the three-letter acronyms—and avoid fear, uncertainty, and doubt. A lot of vendors show up trying to be the boogeyman and create unease for a prospect. What a prospect cares about is running their business. They know technology helps, and they know there’s risk; they just don’t understand what that risk means. It’s on us to highlight what the risk is, what it means to the business, and what results they need from technology to support the business.
FUD—fear, uncertainty, and doubt—and TLA. As far as technical acronyms, I don’t recall picking up anything new. From a business-speak standpoint, the ones already mentioned are what stick out.
Not so much on acronyms for me either. There were some new vendors with innovative approaches to the problems they’re trying to solve. At a high level, those problems are real. Whether those vendors have the right solution is yet to be seen; many were quite young and coming in from the enterprise space. We’re seeing a number of organizations that operated in enterprise trying to move down into the MSP/MSSP space serving small and mid-size businesses.
There are two camps of organizations we deal with: those that realize they have these compliance needs and are looking for a partner or a way to solve them, and those investigating only because it’s being pushed down from a customer or an organization they’re a member of. From the Canadian perspective, we don’t have an identical framework to some of what’s required elsewhere, but we are seeing more interest in it. It’s something people are being brought to do a bit more begrudgingly, at least in the small and mid-size business space.
We definitely have more top-down regulations in the United States versus Canada. We have clients and prospects who come to us because requirements are being pushed down from insurance carriers. If you want a cyber insurance policy, do you meet these 15, 20, 30-plus items you need to check off? When they know they don’t, they come to a company like ours, and we help them navigate that. If they’re an existing client, we can show them which areas are covered and which areas need to be addressed according to the document.
Another thing that’s newer since last year is the FTC Safeguards that came down from the Federal Trade Commission for entities that hold personal information, like CPA tax firms or auto dealerships. That regulation states, across nine bullet points, that you must have an overarching security program. My education to prospects and clients is: they don’t mean software; they mean an institutional program that covers everything from the technical side to the administrative side, to training, to reporting. And it’s a journey, not a destination—it’s continuous.
In 10–20 user environments that are mostly or entirely cloud-based, they may perceive a lower IT support need, but they know they have a security need and a compliance need. That’s opened the door to sell managed security and managed compliance without the traditional IT support. We have several clients like that: all virtual, distributed employees, everything cloud-based, and we’re still getting good rates to deliver managed security and managed compliance.
For example, CPA firms starting this year, when they renew their license with the IRS—when they file for that number—they have to file their incident response plan. If they don’t have one and don’t know how to create one, they come to companies like ours. These are some of the doors being opened in our industry to help with protection and create additional sales.
If I get pushback in this context, it’s: “We’re all virtual. Everything we use is in the cloud. We’ve got younger staff. We don’t need IT support.” But they know they need managed security and compliance.
Some prospects push back on everything, and those are the ones you politely walk away from because they’re not a good fit. There’s another IT guy out there who will serve them to the capacity they’re willing to invest in their own business. But most MSPs focus on prospects and clients that understand the need to invest in proper support, security, and compliance inside their organizations.
What can I say about Field Effect and our experience? It’s been great.
In terms of the challenges it’s solving, it’s about bringing together a number of different aspects of security under one roof and one pane of glass. The structure of Actions, Recommendations, and Observations (AROs) has made it easy for our team—some are technologists but not seasoned security analysts—to look at an ARO, get context, understand next steps if they’re unsure, and have a path to get help by escalating to the Field Effect team. It’s more visibility, one pane of glass. It’s been the “easy button” compared to taking a bunch of tools, trying to bring them together, monitoring them cohesively, and then having support.
Field Effect MDR has also uncovered various things inside our client base that we weren’t aware of because other tools weren’t alerting on them, or due to misconfiguration. We found a misconfiguration in our RMM tool because of an ARO, which is an alert that tells you an action needs to happen, a recommendation, or an observation.
We discovered a misconfiguration where Windows updates and patching were working, but the big version upgrade wasn’t applying. We got AROs on that and dug in. It’s helping us find vulnerabilities through ongoing vulnerability scanning that we were unaware of. It’s also allowed us to expand third-party patching, because scanning helps us find applications in the client base that were missed on the third-party side.
It makes us feel like we’re not just waiting for a compromise. We’re much more proactive and able to reinforce environments before there is a compromise.
With Field Effect in place, it’s reassuring to have an arm’s-length tool or platform doing crosschecks to make sure patches are happening and vulnerabilities are addressed.
One of the biggest fears in the MSP space is: it says you’re patching, but did the patches actually apply? Did you miss anything? I won’t name any RMMs, but they’ve all had issues over time—even with operating system patching—where an RMM would say you’re patched because the patch was deployed, but did it apply successfully? You might see 100% patching, and then after the reboots, anyone who didn’t get the patch appropriately would drop the number. I’d rather know that at a much earlier stage.
The same goes for third-party software. If you find software in an environment that shouldn’t be there and it has a vulnerability, as much as you want standardization, depending on the organization and their maturity in their tech stack and operations, you’ll find shadow IT. Again, that crosscheck is really handy.
Where the easy button helps is at the service desk—or the security side of the service desk—because the way Field Effect presents it to my staff is in plain English: here’s the problem, this is what it means, and here’s the recommendation to fix it. If you need help, here’s a button to get support. That has made a huge difference for our team.
