Title Slide

Navigating the Digital Wilderness: A Managed Cybersecurity Fireside Chat

We are constantly connected to the digital world. From social media to online shopping to SaaS for business, our personal and company information is stored and shared on a daily basis. Every online interaction exposes us to potential cybersecurity threats, making it necessary for us to be aware and vigilant about protecting our data.

This raises concerns about privacy and security, leaving many wondering who they can trust in the vast cyber landscape.

Two Guys Walk Into a Podcast…

In this “Fireside Chat” with Michael Kennedy (Ostra) and Evan Francen (Security Studio), you’ll gain insights into the latest cybersecurity threats and how businesses can better protect themselves and their customers. 

You’ll also learn about the importance of building a strong security culture within your organization, from training employees to implementing proper protocols.

How Safe Is The Platform?

One of the key players in safeguarding our digital information is the company or platform we are interacting with. It’s important to know who we can trust in this digital wilderness and the measures they take to keep our data safe.

When it comes to online privacy policies, most of us simply click “agree” without reading through the fine print. However, as responsible users, we must take the time to understand where our data is going and how it will be used. This allows us to make informed decisions about the platforms we use and holds companies accountable for their actions.

But how can we trust these policies? With an endless stream of data breaches and hacking scandals, it’s easy to feel like no company or platform is truly secure. However, there are steps that responsible companies take to ensure the safety of their users’ data.

Encryption is one such measure. This is the process of converting information into code to prevent unauthorized access. A reputable company will use robust encryption methods to protect sensitive data such as passwords and credit card information.


“Understand what the name of the game is. It’s risk management.”


A Data Breach! Now What?

Another essential aspect to consider is how a company handles its data in case of a breach. One way to do this is through regular backups and secure storage systems. In the event of a breach, this allows for quicker recovery and minimizes the impact on user data.

Additionally, responsible companies have dedicated teams and protocols in place to detect and respond to any potential threats or breaches. This includes regular security audits and updates to their systems to stay ahead of any vulnerabilities.

Do Privacy Policies Mean Anything?

Furthermore, companies that value the safety and privacy of their users will have clear and concise privacy policies in place. These policies outline what data is collected, how it is used, and who has access to it. Users must review these policies before agreeing to share their personal information with a company.

Honesty: The Best Policy

Transparency is another important factor when it comes to safeguarding user data. A responsible company will be open about any data collection practices and provide users with options to control what information is shared.

Stay In School, Kids!

Lastly, responsible companies prioritize educating employees on proper data handling procedures and regularly conduct training sessions on cybersecurity best practices. This ensures that all employees are knowledgeable about protecting user data and can identify potential threats or breaches.

Final Thoughts

In conclusion, choosing to share your personal information with a company is a decision that should not be taken lightly. It’s important to do your research and only trust companies that prioritize the security and privacy of their users. 

Remember, you have the right to control who has access to your information and it’s crucial to exercise this right to protect yourself from potential risks. Remember these tips when navigating the digital landscape and always prioritize your online safety.

The brutal reality is that no one is immune to cyber-attacks. Individuals, businesses, and even governments have fallen victim to hackers seeking confidential information or monetary gain. It’s not a matter of ‘if’ your data will be targeted, but ‘when.’

That’s why taking proactive measures to protect your digital identity is absolutely necessary. This can range from simple actions, such as regularly updating your passwords and using multi-factor authentication, to investing in more advanced security software and services.


Video Transcript

Frank Gurnee (00:00:26):

Good afternoon everybody, and thank you for joining us today for this fantastic fireside chat or Jungle Chat, as we can see in some of those more white background chat <laugh>. So either way, my name is Frank Gurney. I am the channel director at Security Studio. And we have a lot of really fun stuff we’re gonna be doing today. But I do have a couple a couple knuckleheads here with me. So with that, I’d like to introduce them. So, first and foremost, I have Michael Kennedy on the line, also known as Kennedy. And so Michael Kennedy is recognized as a cybersecurity industry. Trailblazer, he’s a founder of Ostra Cybersecurity is a multi-layered, fully managed security service. Austra’s solution combines Fortune 100 caliber tools, tech, and talent to ensure threats are not only detected and hunted, but also fully remediated for business of all sizes. Previously, Kennedy led, built and scaled security platforms for Fortune five companies before setting out on a mission to protect SMBs Kennedy, good to see you. How are you doing today? Yep.

Michael Kennedy (00:01:30):

Thank you. Thank you. Frank.

Frank Gurnee (00:01:32):

Also, on the line, we have Evan Francen. So if you don’t know who Evan Francen is, he is the CEO of Security Studio. He’s the co-founder and CEO of FR Secure as well. He’s an expert level security consulting, which is an expert level security and consulting company. And Evan has over 30 years, 30 years only. Don’t look that old to me, Evan. But a practical experience in information security and is a well-known thought leader and specializes in the industry. He founded Security Studio in 2017, and co-created the software’s key capabilities, including the S two score. Evan is continually working on the mission of fixing a broken information security industry and advising, high profile profile cybersecurity breaches to developing the first ever vcso training program. So, with all that he is also an author of a very cool book called unsecurity. And with that, how are you doing, Evan?

Evan Francen (00:02:29):

Good to see. Good. Yeah, you can just call me security guy. I’m cool

Frank Gurnee (00:02:31):

With that security guy. Very, very cool. So with that, we’re gonna get started here. Mike, do

Evan Francen (00:02:36):

You have a, do you have a pipe right now?

Michael Kennedy (00:02:39):

No, no. It’s my glasses. Oh, okay. Frank wanted me to thought, wanted me

Evan Francen (00:02:43):

Put up a pipe. I’m like, man, I You went all out, brother. Yeah,

Frank Gurnee (00:02:45):

See, I, I, yeah, we did, we did discuss that. We thought the pipe would be a nice touch, you know, next to the fire, but

Michael Kennedy (00:02:52):

Yeah, this fire is gonna get hot, so we better get this going and get it over with because no marketing’s idea around a fireside chat, but it’s already like 75, 80 degrees here, so it’s gonna get hot. Can

Evan Francen (00:03:04):

Imagine how much we were talking about that, about this fireside chat thing. And so I took a lighter and I was like, I could start a fire too, but this is my wife’s garden, so I think that wouldn’t,

Michael Kennedy (00:03:15):

Yeah, that’s smart. No.

Frank Gurnee (00:03:17):

Well, excellent guys. We so we really wanted to create this around being more of a video podcast style, just so you guys know what the format’s like no slides, no you know, no craziness here. We’re just gonna be three dudes talking and really it’s about you guys today. So with that, you know, I wanted to start you guys with kind of a year in review. I mean, I know 2023 is just about at an end here. We’re all kind of getting ready for the holiday season, and there’s been a lot that’s been going on out there as far as security is concerned. You know, there’s been a number of high profile breaches this year. I mean, a few that affected me personally the MGM Breach 23, and me, LastPass, there’s been a ton of ’em. And a lot of these large companies have large budgets. You know, we hear a lot from our MSP and IT partners that their customers think it’s never gonna happen to them. Right. And I’m just wondering what you guys are thinking about one, how do MSPs or IT companies or anybody deal with that mentality of, you know, it’s not gonna happen to me. And, you know, what do you think about all these breaches as well? Let’s start with Kennedy. What do you think?

Michael Kennedy (00:04:37):

So from an, from an MSP standpoint, I, the first thing that comes to my mind always is SolarWinds and how, you know, in that supply chain as an MSP, how do you ensure that you’re being protected? And, and then protecting your customers, you know, ’cause those are, those are the, that’s the end goal is to protect those customers. And are you protecting yourself and providing the right tools to protect those customers. So I really think that’s created a lot of change in the thinking that, you know, people are looking at the supply chain differently. The other side of it too is like, from that customer standpoint, you get a lot of that apathy in, in clients and customers that, oh, we don’t have any data. It’s not gonna happen to me, but you, you see, you know, business email compromise is just crazy right now. And, and we’re seeing more and more of these like, high profile companies being attacked and targeted. But there are probably five times the 10 times that of these small businesses that don’t have to report that are being, having breaches or having to pay and getting ransom.

Michael Kennedy (00:05:59):

I don’t know, I if I, if there’s a, like a right answer of trying to convey that message. Mm-Hmm. <Affirmative>. But it, you know, it comes back to like, what we always talk about is the education. We need to educate ’em. We need to bring ’em into speed into the place. We don’t wanna take ’em all the way to the paranoia, like where I live, but we wanna, you know, bring them up closer to that and that, and that awareness side of things. So and I think, you know, and I think later we’ll move, talk about it too, of like risk assessment and you know, bring it to a customer’s attention and being honest about it and authentic about here’s the products, here’s the solutions you have, this is what you need to implement. Right? And otherwise it’s out of our hand.

Frank Gurnee (00:06:45):

So yeah, having that conversation with the, with the customer in some way, shape or form Mm-Hmm. <Affirmative> and how to start that obviously is, is a big one. But at the same time, I think you made a good point there of like, you know, we see all these news stories, we heard about those big breaches that I just mentioned, including SolarWinds, that, that you said hit the MSP world. But at the same time, you, you don’t hear about the small businesses, right? I mean, that’s the, the thousands that are getting hit every day that are having issues. Those are, those are the ones that even though they’re not hearing about it, it’s a huge issue for them. They just don’t realize it. Right. And so, I, I totally get that. And Evan, any thoughts on this? This subject?

Evan Francen (00:07:24):

Yeah. Well, I mean, sadly, 2023, it’s a lot of, it’s the same old, same old, you know what I mean? It’s for a long people that have been in this industry for a while, it’s you know, that’s just, we’ve made progress. You know, I hate to be negative all the time because I think that’s one of the things that ends up, you know, shooting ourselves in the foot, is we’re trying to help people. Positives, you know, I think it’s, it’s front and center more mm-Hmm. <Affirmative>, we’re starting to see, I think, more of a move towards accountability. We still have a long ways to go. The bad things are, you know, I think pe not enough people still take it seriously. There’s a lot of ignorance still, you know, in our industry, even amongst our own clan. You know, you talk about, you know, basic fundamental things.

Evan Francen (00:08:13):

You talked about the solar winds breach. You know, I, I grew up early in my career, I was a network guy. You know, I was a big Cisco, you know, and I can’t ever imagine putting in a firewall without using it properly, right? I mean, a firewall, it’s not just ingress, right? It’s egress. That’s the reason why we’ve got inbound and outbound rules on firewalls. And so I’ve always, and life was simpler then, right? I mean, it was easier for me to control traffic flows on a network because I didn’t have so many traffic flows. Right? But, you know, so until we get, there’s just, until we get the fundamentals, it doesn’t matter. It, it really doesn’t, you can continue. You almost keep, it’s like you keep pushing the ball further and further away from you, right? The more and more technology you continue to adopt without using it properly.

Evan Francen (00:09:06):

And if you don’t know how to use it properly, that’s fine. We all start there, right? But you need to learn how to use it properly, otherwise people suffer for it. And today, you know, with that lack of accountability, I’m not sure too many people feel the pain. You know, it’s more of a shared pain, right? If I have a breach, I gotta send a letter, but I get so many letters anyway. Nobody really is gonna hold you accountable for it. Yeah. Well, those things will continue to just kind of mass up and there’s going to be a day when we’re all going to have to pay for it. Yeah. Or you’re gonna have to pay for it, you know yourself. So we’re trying to get out ahead of that, but until people slow down a little bit, I think we’re still gonna be chasing.

Frank Gurnee (00:09:46):

Yeah, that’s a good point. Evan. And I, I, you know, one of the other things that that came to mind while you’re, you’re talking about that is that I know you’ve been really close and, and had a lot of information around kind of government compliancies and things that they’re building in the government to help <laugh>, right? Help Mm-Hmm. <Affirmative> you know, this whole cybersecurity threat thing. And have you, are you hearing about things that are gonna drive compliancy or drive specific things that small businesses are gonna have to do? No matter what Is that, is that coming down the pipe?

Evan Francen (00:10:25):

Yeah, I mean, it, it will, I mean, either you choose to do it or you get forced to do it. And one of them is a hell of a lot less painful. Mm-Hmm. <affirmative>. Right? I like to use the analogy of like, and one of them is checking the box, which I doesn’t do it anyway, right? You’ve got the letter of the law and the intent of the law. It was like, you know, I’ve raised five kids and they all lived, I think they’re all still alive. And it was a difference between, it was a difference between me telling them to clean the room and them actually wanting to clean the room.

Frank Gurnee (00:10:56):


Evan Francen (00:10:57):

One was actually clean, the other one wasn’t. Right. You picked up stuff, but, you know, I, I look under your bed or, you know, look in the closet somewhere. So it’s the same kind of just human nature, I think, until people actually want to do this, and they won’t want to do this unless they see an advantage to it or there’s pain associated with it. And right now we’re still kind of in this gray area where I don’t see the advantage.

Frank Gurnee (00:11:23):


Evan Francen (00:11:24):

Or I don’t feel the pain. Yeah.

Frank Gurnee (00:11:25):

And that, you know, I, and I think in the MSP world, and as more MSPs start to go down the cyber road just like, you know, their managed service offerings that they had for so long, they built out their stack of services. That was, it was non-negotiable. It’s part of a managed service agreement is to have these pieces in place. And I think that’s what we’re gonna start to see as well, is like every customer of a, a managed service provider or any other cybersecurity consultant or anyone has to have these pieces in place in order for them to be able to provide service to them. And I think that’s, that’s a way you kind of get a handle on these things, if that makes sense.

Evan Francen (00:12:04):

What, I’d love to see us to sell more. Like, I would be thinking the same thing. If you came to me as an MSP and you wanted to sell me security services, or you wanted to do an assessment of my business, whatever, if I don’t see the advantage in it, if I don’t see what’s in it for me, then I’m not gonna do it. I’ve got other stuff to do. I’ve gotta grow my business. I’ve got, you know, bottom line I’ve gotta deal with. So us as security people, it’d be a lot better to, for us to approach that way. What’s in it for you? Well, what’s in it for you is a more efficient business. What’s in it for you is, you know, all chances are pretty good. We’re going to be able to remove a whole bunch of software that you’re paying for that you’re not actually using that’ll improve your bottom line. So taking that approach as opposed to kind of the fear tactics. ’cause Everybody, you know, they’re, they’re deaf to it. Yeah. That would be too.

Michael Kennedy (00:12:59):

Yeah. Yeah. And they have the insurance, the insurance that they think they have. And Yeah, we right though we have, we have to get it some normalization in it, and we have to do, I mean, and you kind of touched on it too, we have to share the same languages when we talk about this and, and not, not go in with this, the fearmongering and, you know, predatory sales tactics towards people. It’s the education and it’s showing ’em where the ROI and the importance of doing this to, to the business. Like, you always talk about it too, avin about, you know, knowing, understanding their business so that you can talk to them in their business language versus coming in and saying, you need security tool because it’s ’cause you do. Right. So,

Frank Gurnee (00:13:47):

Yeah. And then you know that you speak, you speak well, sorry, Evan to the stand, you know, standardization, I think that was the normalization, right? That you’re

Michael Kennedy (00:13:55):

Talking about. Yeah. Yep.

Frank Gurnee (00:13:56):

Standardizing the practice around the things that are doing. And this just as I was saying, really is the way that managed service providers built their businesses because it was, you had an RM tool, you had a PSA, you had Yeah. A backup and disaster recovery device. You had antivirus tool. You know, you had all these things that you, you had in there and it was a standard way of doing business. So it’s gotta go that route as well. Sorry, go ahead Evan.

Evan Francen (00:14:20):

No, I was just agreeing with you guys. The actually, I forgot what I was gonna say.

Frank Gurnee (00:14:26):

Oh, no worries. What do you guys think that that 2024 is gonna look like? Do you guys think it’s just more of the same, do you think with all this AI stuff that’s gonna be something Skynet, is that coming in <laugh>? I dunno. You know, what do you think? No,

Michael Kennedy (00:14:39):

Not, not, not yet. I don’t think we’re ready for, I think maybe about three years is when we’ll have Skynet. Okay. But I I I think it’s gonna be continuation of the same. Yeah. I think that, I think there’s a huge desire for an easy button and, and, and really just, you know, when you talk about AI really kind of look at the ease and the sophistication of the attacks, they’re, they’re shifting and they can really write a very very telling email or business email <inaudible> phishing or, or phishing with, with like a chat GBTE and, and shoot it out. So I think there’s gonna be, it’s easier to have access for people to, to do those attacks. And, but I think, you know, there, there’s also a lot of businesses and MSPs that we’re kind of talking to, are really looking for more of that kind of that easy, you know, ability to reduce the noise or reduce what they’re kind of looking at.

Michael Kennedy (00:15:47):

You know, we’re, we’re still I don’t, I don’t know. I I, there’s a lot of times too, I think about we’re still trying to find our way after Covid and how we interact with people and how we kind of had that shift and that mentality. And now we’re virtual, we’re not virtual remote users, not remote users. Cloud versus not cloud. And there’s this kind of, we’re in this like this, this, I don’t know, Meyer, what are we, where are we going? Or what are we doing? But I, but what I see a lot of is that it’s, people are looking for something that, that it’s like this easy. And, and I don’t know if that’s part of it. You know, we really some influx in what the, the ease of grocery shopping, the ease, and I want something, I just click a button and then I have it delivered here. Yeah. And I think I, go ahead. Yeah,

Frank Gurnee (00:16:40):

That’s a good point. And and Evan, you know, this is funny because it, it fits right into kind of what we, we talk about a lot, but I feel like in cybersecurity in general, you know, if you’re doing consulting and you’re doing services, there just isn’t an easy button. And even though every vendor out there wants to build that <laugh>, the reality is in risk and in, you know, figuring all this stuff out. You just, you, you can’t throw something on the network and it’s gonna do it. Right? No, I mean, you, you have to, you have to get your feet dirty. And I think one of the things I learned from you, Evan, a while back, is, you know, we sell hard work a lot of times. What are, what are your thoughts around this concept of an easy button around cyber risk and cyber in general?

Evan Francen (00:17:25):

Well, I mean, I think longer term, I think for, for businesses that actually want to be around, you know, long term, you know, you gotta think beyond one year anyway. Mm-Hmm. <affirmative>, I would wanna put my pos my business in a position to have competitive advantage right. In the marketplace. The, when I look at the way I can integrate information security into my business and actually enable my mission, make more money, top line and bottom line ideally you’d see a lot more planning. I, ’cause there’s gonna be a day when the people that didn’t plan for this are the ones that are gonna be not to use scare tactics. Yeah. But it’s, it’s just, it’s logic. Yeah. It’s just logic. And so when the compliance comes, you can’t wait for the government on anything. So waiting for the government to tell you what to do or to provide services for you, good luck with that.

Evan Francen (00:18:19):

I mean, it’s, it’s, again, it’s not gonna provide you the competitive advantage. So in 2024, I think you’re gonna see a lot more of this us trying to find ourselves out thing. And I think there are people in our industry that already know the answers, but you’ve got other powerful people in our industry that kind of don’t want the answers to be known. Right? Right. I mean, if I was going to, you can’t do informa, for instance. I can’t do information security without doing a risk assessment period. Now, the question is, you can do a crappy risk assessment or a good risk assessment. That’s up to you. The right type of risk assessment would be one that would be actionable, that would give me something to do afterwards to improve or manage my risk. It would put risk into perspective. The easiest people to take advantage of from an attacker’s point of view, whether you’re a red teamer or a blue teamer, is to take advantage of ignorance. You know, the people that aren’t paying attention are the easiest targets. Mm-Hmm. <affirmative>, you know, and I think there’ll be a time when the people that are doing it right will get tired of paying for the people that aren’t doing it. Right.

Evan Francen (00:19:26):

You know, why would I, why should I have to pay more in insurance rates? Why should I have to pay more bank fees when I’m a responsible, you know, I’m responsible to the technology I’m using. My, my account didn’t get hacked, so why am I paying for the people that whose accounts did get hacked?

Frank Gurnee (00:19:45):

It’s, it is interesting you brought up insurance too, because I feel like that’s another area where we’re already seeing this, these huge changes, right. In the way that the insurance companies kind of,

Evan Francen (00:19:55):

And that’s the frustrating part. We, we told them this. Yeah. I mean, that’s the frustrating, your nine question questionnaire is not going to be enough to underwr insurance. You’re checking, you’re checking the box. Yeah. And so that, that mentality, and again, people aren’t gonna change unless they see an advantage in it for them, or they feel the pain from it. There’s a great question here from an anonymous attendee. Do we think CISOs facing jail time will have no impact? What about the SEC reporting requirements? And I wanted to address that because the one who’s ultimately responsible for information security in any organization isn’t the ciso. It’s not the ciso, the one who’s ultimately responsible for information security at any organization is who’s ever the top of the list. So the CEO, the board, if there is a board, but it’s not the ciso. So I think what, what what’s gonna happen with the CISO piece is who the hell wants to be a ciso?

Michael Kennedy (00:20:50):


Evan Francen (00:20:51):

I’m not gonna be a CISO be, and if you want me to be ultimately responsible for information security, then gimme the checkbook.

Michael Kennedy (00:20:57):


Evan Francen (00:20:58):

But you won’t gimme the checkbook. So, you know, that’s a catch 22. The SEC thing, it’ll be like any other compliance we had. HIPAA did the same thing. GLBA did the same thing. I mean, on and on. We just keep repeating the same mistake. So what will happen with the SEC is people will do the minimum necessary to get compliant and then call themselves good. But until, you know, until you hold a board, if you hold a board of directors responsible for information security at a public company, you’re gonna see some changes.

Frank Gurnee (00:21:28):

Yeah. The, the problem with, with all of that, that you’re saying though, you know, just meeting compliance is you’re not doing the best security for your company at that point, right?

Michael Kennedy (00:21:36):

No, no. You’re checking a box. And when you, and when something does happen, and what the problem is is you’ve kind of brushed that under the rug already. You’ve not done the security assessment, you’re not aware, you’re not implementing the plans against those things. Yeah. And what I was saying

Evan Francen (00:21:50):

In our industry too, if we had, like, if you don’t do these three things, whatever those three things are, make two, maybe one, if you don’t do this one thing, you’re negligent. And just pick one thing. You know, we don’t have to argue about it in our industry about, well, it should be this, it should be that. Just pick one who caress

Michael Kennedy (00:22:08):

Long as inventory forward asset inventory <laugh>.

Evan Francen (00:22:12):

I could get on board with that one.

Michael Kennedy (00:22:13):


Frank Gurnee (00:22:14):


Michael Kennedy (00:22:16):

What, what I was saying, go ahead. I, yeah, I wanna say, when I was saying easy button, I wasn’t referring to like an easy button. I got security or an easy button. It’s what I think what pe what I feel like is, and you kind of touched on it, is the industry has been sold a specific product and a specific, like this will take care of it. No more worries. And what the, what I think MSPs and, and clients and the industry’s looking at is like that that’s a false narrative that it wasn’t. Now I ha I’m still getting all these alerts that I gotta go address to you. I thought you were taking care of the alerts. I thought you were doing the remediations. I still had a breach, but I have you and I’ve been paying you, you know, tens of thousands of dollars. And so that’s what I think people are looking at for, is they want to reduce stats based what they thought they got. That they’re really, I I would say 24 p that won’t become more of a focus for organizations.

Frank Gurnee (00:23:12):

Yeah. It is interesting that you, you can’t just throw money at something and it’s, and I’m protected. Right. It just doesn’t work. Right.

Evan Francen (00:23:18):

Well, that’s what I was saying about the ignorance, right? Yeah. ’cause It’s not just the, your traditional bad guys that are the ones taking a, that, that take advantage of <crosstalk>. We have people in our industry, lots of them, lots of the biggest names in our industry who are taking advantage of people by selling them products they don’t need that don’t work, that don’t solve a problem.

Michael Kennedy (00:23:38):


Evan Francen (00:23:38):

And they’re making millions, billions of dollars from it. You know, and I’m not gonna mention the na, I would love to mention names. Maybe I’ll do that in a d different podcast. Yeah. But one that comes to mind, their tagline is to end cyber risk. What? You can’t.

Michael Kennedy (00:23:55):


Evan Francen (00:23:56):

That’s impossible. So what I would love to see is I would, you know, the FTC has, you know, laws, oh yeah. We have laws against this, you know, this false advertising truth in advertising is a thing. I would love to see us enforce that. But I think the government itself, I think is ignorant enough outside of a few people to be able to do that. Yeah. But we, I thought that me off probably more than anything is when somebody in our industry who comes off as somebody who you can trust, sells you something that you can’t need. That you don’t need. Yeah.

Michael Kennedy (00:24:31):

You don’t need. Yeah. Frank, we better get moving before he starts calling.

Frank Gurnee (00:24:35):


Michael Kennedy (00:24:35):

So we

Frank Gurnee (00:24:36):

Don’t want was gonna say, great. Great. Isn’t

Evan Francen (00:24:38):

My face turning red now? <Laugh>?

Frank Gurnee (00:24:40):

Well, we just, great venture. Last call.

Michael Kennedy (00:24:42):

We did you pick up the phone and started calling the FTC to yell at us? So yeah, that, yeah, that was,

Frank Gurnee (00:24:47):

That’s part of our last call, wasn’t it? <Laugh>? We live next now. Yeah. Guys, our next, our next subject really we wanted to jump into kind of circles of trust, mental health a little bit. You know, so with that, you know, we know that MSPs have a ton of technical knowledge. You know, a lot wanna be seen as the expert. Cybersecurity’s pretty new for most of them. So what advice would you guys have for them to navigate those feelings of kind of stress or anxiety or inadequacy of not always having all the answers when it comes to cyber because it is new as they enter kind of this new, new bus side of business for, you know, that is all new to a lot of them. Any, any thoughts of how to deal with that?

Evan Francen (00:25:34):

I think there’s three things that make an MSP really successful. And I think any consulting company, it’s trust, credibility, and likability. So I think as an MSP, if you focus on those three things and whatever service you’re gonna provide, so if you don’t know the answer to something information security related, it’s okay to say that you’re not necessarily paid to know all the answers. You’re paid to provide all the answers. So relying on, so, you know, relying on a partner, relying, you know, Mike’s, I’ll give you Mike’s phone number. I’ll put it in the chat. You can call Mike anytime. He’ll help you. I won’t because I don’t want to No, I’m, I’m kidding. But

Frank Gurnee (00:26:14):

Yeah, I was gonna say I know, I know you will actually <laugh> Yeah, I was gonna

Michael Kennedy (00:26:17):

Say <laugh>.

Evan Francen (00:26:18):

<Laugh>. Yeah. But you know, I’m correct

Michael Kennedy (00:26:20):


Frank Gurnee (00:26:21):

Even if your wife doesn’t want you to, you will

Evan Francen (00:26:23):

<Laugh>. The truth is, I’m 30 some odd years in this industry. Yeah. I don’t have all the answers. I still have to go to people and find out what this is and how this works. And, but what I won’t do is, is, and that’s where I think imposter syndrome comes in, is when you try to act like you’re somebody that you’re not. Correct. Authenticity. You should, should, yeah. Should you should feel uncomfortable doing that because you’re probably doing a disservice to your customer. Right? Right. So playing in that gap, you know, I see on a, you know, Lyle asked a question. You know, I think some MSPs are scared to work with InfoSec companies to do proper risk assessments for their clients. The MSP is too focused on the stack that they’re afraid to do what the risk assessment will find.

Michael Kennedy (00:27:06):

Mm-Hmm. <affirmative>.

Evan Francen (00:27:07):

And we’ve run into this, this is nothing new. We’ve run into this, you know, forever be because we treat it like it’s an IT issue. Right? Right. This is not an IT issue. This is a great opportunity for the MSP. Even if you find that there are some tech things that you didn’t install correctly that maybe they didn’t, they didn’t need them, right? You can continue down the path of just ignorance and, or you can actually address it at some point. And this is a great opportunity for you to elevate it to where it actually belongs, which is with the board, which is with the ceo EO. So anything you find that looks bad at the organization, it’s actually a reflection of them. It’s not a reflection of you. Yeah. So I, I wanna point that out because I think a lot of people struggle with that. Well, what if I find that I did crap wrong forever? Well, you learn from it and, you know, let’s adjust.

Michael Kennedy (00:27:59):

I’ll, I’ll admit something here. I used to when I was a, when I had a little MSP shop myself, I used to configure Windows machines, and I would go in and I would disable updates, Microsoft updates for people, because you don’t need that. And then it’ll suck up your bandwidth and cause problems with your computer and then create more phone calls for me. I mean, it was, again, it was 20 years ago I was doing it, but it, you know, now I would go <laugh> if it, if it had been more recent, I would go back to all of those people and talk to them about it. You touched on like the, and then somebody mentioned transparency. And the question too, that authenticity you to, to have authenticity, you have to know yourself. Mm-Hmm. <Affirmative>, you have to be honest with yourself to be able to be honest and be authentic with other people.

Michael Kennedy (00:28:46):

And, and, and that, you know, everything you said around, if you don’t know, it’s okay not to know. It’s okay not to, you know, it, it’s okay to surround yourself with people that are smarter in the industry and, and, and what, and so that, that, and I didn’t think about it. And it’s interesting from the imposter syndrome too. Why we get sucked into that is because we, we are trying to compare our insides to other people’s outsides. Because I look outside and I see something, or someone, or an MSP or a security vendor, and, you know, I’m, I’m looking at what I internally. And so having that authenticity, knowing that we don’t, I don’t know at all. And then having friends and, and people like you guys to, to talk to about it. So that is the number one that makes a

Frank Gurnee (00:29:40):

Ton of sense. Kennedy. And, and you know, the, it it reminds me, Evan, of, of a couple conversations you and I have had where you’ve been out at events or shows, and there’s a bunch of guys who are just full of themselves, <laugh>, right. Who know everything. Right. And, and just being in those situations and feeling like that inadequacy, like maybe you don’t know as much as those guys do, but, but do they really, at the end of the day, they’re just posturing, right? I mean, they’re just, they’re, they’re just trying to show off in front of everybody else. So I don’t think that that’s,

Evan Francen (00:30:13):

We do a lot of posturing. And I think Yeah. And it’s, it’s never a question of intelligence either. I think I’ve been, I’ve had CEO many, you know, CEOs over the years, you know, who say they feel stupid or, you know, I’m asking a stupid question. It’s like, this isn’t an intelligence thing. It’s just a learning thing. Right? Yeah. Right. A lot of the things that I’ve learned over the years have nothing to do with how smart I am. They just happened to be things I was part of. I was there, I got my kicked. It hurt. You know what I mean? Mm-Hmm. <affirmative>. And I wanna save other people from going through that, that same thing. Right? So yeah, the same will happen with MSPs When you’re first starting out anything, it’s gonna feel uncomfortable. It’s gonna feel very mechanical. You’re gonna have to, what I tell a lot of people who start in this industry is where you lack credibility. Borrow somebody else’s.

Frank Gurnee (00:31:08):


Evan Francen (00:31:08):

So an an example that would be like I’ve, maybe I’ve never done an assessment before, or I’ve never, I’ve never been a bcso before. And so I’m gonna take what I learned from somebody who’s been a vcso for many years, and I’m gonna say what they say and do what they say, not trying to be them, but to borrow their credibility. And so then when I get challenged, which is the part I think where a lot of us feel threatened, you know, really uncomfortable. ’cause What happens if a customer asks me, well, why did you ask me that question? Why? Why is this so important? Mm-Hmm. <affirmative>, you can, that’s when you can borrow credibility. Well, ’cause, you know, according to this thing that I read from Mike Kennedy, it said, these reasons are why it’s important. Right? Yeah. So that’s a way you get away with, you know, not having that experience, you know, steal somebody else’s experience.

Frank Gurnee (00:32:01):

Yeah. It’s interesting that we see, like, I see this a ton on the, the kind of partner side of things. Like, you might get an MSP or IT company who’s really interested in doing all this stuff and like going down this path, but then they’re, they don’t have their employee buy-in. And that can be an issue. And you guys are both business owners. So I, you know, this wasn’t on our, our list of things to talk about, but I think it, it’s important because you are both business owners. You both understand this. Like, you guys go to things and you get excited and you find something that you think will really help your business and help you grow in the future. How, how do you guys get that buy-in from your employees? Or, or even make that decision, Hey, you’re gonna go down this path, right? That, is that something you guys wanna Yeah. Talk about a little bit.

Michael Kennedy (00:32:47):

Yeah. Berating ’em until they accept it doesn’t really, doesn’t work. <Laugh>

Frank Gurnee (00:32:50):

Doesn’t work.

Evan Francen (00:32:52):

Physical threats, no

Michael Kennedy (00:32:53):

Physical threats. You know, I think I, you know, for me, I, I, I’m a very collaborative person and, and, and, and I’m a, and I’m an overthinker. I think of butt thinking. And so when I see that type of stuff, or I hear those commentary, then it, for me, it’s coming, bringing it back to the, to the organization and saying, Hey what do you guys think about this? Look at this product. And then challenge when they, and if they don’t, then challenging ’em. Why aren’t they looking at that product and, and validating against, or, or or a, a show to go to, or a marketing exercise or anything along those lines of, you know, how, how do, how do we challenge and work together as an organization to propel us forward? Because, you know, I, I am, you know, there’s a, there’s a, you can’t really see it, but there’s a, a, a framed squirrel picture back there that my aunt gave me. ’cause I, squirrel and shiny objects are horrible for me. And so I’ll have a new shiny object every afternoon. And, and so I, I have to rely on the, the people that I work with to ensure that we validate that and, and we go through it. And getting that buy-in is, is really important. But also

Frank Gurnee (00:34:09):

Helping them to see that vision of where you see the company going next. Right. Because I think sometimes we can throw things at, at, you know, employees and people and, and say, Hey, here, here, we want this done. But without giving them that vision of, look, here’s where we’re taking the business over time, context

Michael Kennedy (00:34:25):

Behind it. Yeah. How

Frank Gurnee (00:34:25):

That’s gonna really make it make it happen might be important. Any thoughts there, Evan?

Evan Francen (00:34:31):

Yeah. I mean, it, it, it, some people are good leaders, some people aren’t. You know, I think it it comes, there’s a couple things I think are really important. You know, one is, you know, do, do your employees trust you? Do they think that you’re credible? Hmm. You’re not an. So it’s the trust, credibility, and likability piece that still, you know, applies

Michael Kennedy (00:34:55):

Authenticity, authentic. Yeah.

Evan Francen (00:34:56):

But at the end of the day, everybody, everywhere is always, whether it’s out, out in front of your mentality or it’s subconscious, everybody’s always wondering what’s in it for me?

Frank Gurnee (00:35:08):


Evan Francen (00:35:09):

So being able to paint the picture of how this decision benefits you, right. It benefits us corporately, but you specifically, this is how it benefits. And I think the more you can prove those things out, the more you kind of add to your credibility bank account. Yeah. Mm-Hmm. <Affirmative> there are times when you do have to spend your political capital where you just need to overrule something for whatever reason. Mm-Hmm. <Affirmative>. But I think always being cognizant of how much political capital I have in my account, and, you know, trying to add to that.

Frank Gurnee (00:35:44):


Evan Francen (00:35:44):

It’s a big deal.

Frank Gurnee (00:35:45):

Well, both you, both of you guys are really huge on education and educating folks. And it shows in austra and security studios, onboarding of new partners. It’s really about taking them through a path of education to get them up to speed and, you know, to a whole nother level, really at the end of the day of, of even becoming the CISOs for our side. And, and you guys take them through a huge education path on the Ostra side. Where does that passion come from for, for you guys? I mean, what’s, what’s the idea or thought or mindset around educating?

Evan Francen (00:36:26):

I’d rather you do the work than me.

Frank Gurnee (00:36:28):


Michael Kennedy (00:36:30):

I was gonna say, I mean, very self I hate saying this, but selfishly from an operational standpoint, then in a process and communication, all of that, it’s, it comes back to the more that we communicate, the more that we educate, the more that with the time that we spend with you going through what we do, what you do, how we develop synergies together, you know, maintains the healthiness of our relationship and operationally long term, it it reduces all that back and forth noise. You know, we’re, so there’s that piece of it. But then also the other side of it is too, that, you know, what we kind of talked a a little bit earlier about, of getting to a place where we have the common language, we share the same values, we share the same messaging around what we’re trying to accomplish in this industry. And if we can align in that during that education process, getting the feedback from those partners to say, you know, that’s not gonna work with my clients. And if you did it this way, it would work. Having that feedback loop is, is critical so that we can adjust as well. But really it’s, it come, it comes back to just such a, a, a synergistic operational side. When, when we’re all happy and headed in the same direction, we’re all super happy. So, yeah.

Evan Francen (00:38:08):

I, I agree. And it’s, it’s a big mission. You know what I mean? My mission isn’t about me. You know, it’s not about how much money I can make. It’s not about, it’s just not about me. Right. The mission is about us. It’s about this industry and everybody who’s affected by it. And I think the more you can teach, the more you can empower, the more you can benefit, you know, personally with a career, you know, maybe a new career. What I don’t want you to, I think part of the education motivation too, is to, to stop you from doing it wrong. Mm-Hmm. <affirmative>. Because this is, you know, and I’ve said it a million times, this is not a product industry. This is a service industry that’s dominated by products. Totally different. Right? So because people are the biggest risk, right? Yeah. They’re the ones who cause most of the issues.

Evan Francen (00:39:03):

What, and it’s not the end user clicking on buttons that I’m talking about. It’s the developers developing crappy code. You know, why do I have to patch all the time? If you didn’t have bugs, you probably wouldn’t have to patch all the time. <Laugh>. You know, I mean, they’re not, you’re not patching for new features. Those are called upgrades. Yeah. Right? And so, you know, it’s, it’s us corporately as people, we have to do better than this. There will, we will pay the price. And so I think, you know, giving it your all try and to empower people, you know, to consult other people. Well, yeah. And then also being open to criticism. ’cause I don’t have all the answers. We already talked about that. And so if I’m teaching this way and you’re like, yeah, but that doesn’t work. Being open to that criticism, you’re not attacking me personally.

Evan Francen (00:39:45):

You’re attacking the way I’m doing something, right? Yeah. And so being open you know, well, you know, you’re, I benefitted tremendously from this industry. I’m live in, I live in Mexico, I live in this. I don’t want any more money. I want other people to benefit, right. By doing good security. So if you can live out a good example that you can do security correctly and to make money, they’re not mutually exclusive. But the thing is, if you focus on the mission, you’ll make money. If you focus on the money, you won’t make the mission. So totally different. So going out there and selling people products that they don’t need, going out there and giving them crappy advice because you were afraid to say that you didn’t know the answer. Things like that, you know, oftentimes that’s putting money or ego ahead of the mission and people suffer for it.

Frank Gurnee (00:40:34):

Yeah, for sure. No, that’s great. And you know, and I think it all goes back to what we were talking about earlier, which is standardizing the way that all of these things are done. ’cause If there’s no standardization around the services that CISOs or MSPs or anybody provides, then you’re just kind of, everybody’s doing something differently, right? Which doesn’t serve anyone at the end of the end of

Evan Francen (00:40:55):

The day. There’s a good question. Another good question. Look at that. Yeah. Marketing thing.

Frank Gurnee (00:41:00):

<Laugh>, we have a good question. Let’s take a look at questions.

Evan Francen (00:41:03):

What does good marketing look like? Pretty pictures,

Frank Gurnee (00:41:07):


Evan Francen (00:41:07):


Frank Gurnee (00:41:09):

Yeah. That makes, I would

Michael Kennedy (00:41:10):

Say if you, if you’re following LinkedIn, I would say not empty Bowes

Evan Francen (00:41:14):

Headphone cases. Oh God.

Frank Gurnee (00:41:16):


Evan Francen (00:41:17):

<Laugh>. Alright guys. But that’s the thing. But that’s the thing. If you, if you had a product that was actually as good as a lot of these people say is they would be rushing down your door to come by from you. Yeah. But the thing is, you don’t have that product. You may say you do, but again, anybody with discernment knows well enough that you don’t. And so I think what good marketing is, is it’s honest, it’s transparent. And in all of that, what’s in it for me as a buyer, right? How would I benefit from this? How would I benefit from your service? How would I benefit from your product? And don’t make up some. Like truly. And I can hold you calm to that. That would be good marketing. ’cause Then I would buy it and I’d be like, oh my God, everything you said, yeah, you did. Right. And I’m, I’m gonna go tell the masses about this. That

Frank Gurnee (00:42:09):

Actually leads us into our, our next conversation point, which is, you know, there’s all these vendors out there that are, that are jumping on the cybersecurity bandwagon. You know, they’re all talking, but it, it feels like there’s a lot of misinformation going on out there. How do MSPs know what to believe? I mean, what would you guys say? How, how do you, how do they know?

Evan Francen (00:42:30):

Well, I love that that first que I think it’s tied to that first question that Jason posed, you know, in the chat. Mm-Hmm. <affirmative>, yeah. Understanding the basics of what information security actually is. Mm-Hmm. <affirmative>. Right? That’s what keeps you safe from buying the crap. You know, because you think, if you think about it, like, what I’d rather mis, I’d rather not spend a dollar on information security than misspend a dollar on information security. Because at least one, I’m not ignorant enough to believe that I’m actually protecting myself. I’m not living in a false sense of security. And I didn’t away that dollar. Right? So when you, what are the fundamentals of information security One, understand what the name of the game is. It’s risk management. Risk management, not risk elimination. Impossible. So anybody who ever tells you that they can end cyber risk, it’s.

Evan Francen (00:43:22):

You can’t, right? So it’s risk management. Well, what would I need to do in order to manage risk? One, I would need to understand it. I would need to diagnose it, right? Like I take a car to a an auto mechanic. They run diagnostics before they start pulling out the wrenches and tearing your car apart. The same thing with information security. So before I’m going to manage something, I have to understand it. So that would require a risk assessment, right? And so risk, we overuse that word a lot. It’s likelihood of something bad happening. And the impact, if it did, it’s not vulnerabilities that’s different. It’s not threats that’s different. It’s when a threat compromises a vulnerability, that’s when you have a risk. So I think understanding those basics. And then if you did a good risk assessment, I think then you build a roadmap. You did. ’cause Part of the management is assessing it, then making decisions. What are we gonna do? Yeah. There are these 10 risks that are unacceptable. They’re just too much for us. Right? Let’s do something about them, and then that will lead to your budget. So it’s all tied in nicely together, but it’s all work, you know, it’s simple and people get confused, but simple must mean easy. No different things.

Michael Kennedy (00:44:39):

Yeah. Right.

Evan Francen (00:44:40):

So that’s, that’s how you do it.

Frank Gurnee (00:44:42):

Well, I know we’re, we’re at the, our 45 minutes here guys. And I, I, do you guys have a, a little extra time? We can, we can spend here if, if you on the call coming

Evan Francen (00:44:52):

Into drone flying time, but whatever,

Frank Gurnee (00:44:53):

Right. If those of you on the call here can, can stay a few, few more. We have a few more questions we can go through. And of course I’d like to get through your questions as well. But all of this subject, you know, that we’re talking about really, you know, speaks to this, this mindset or idea of guarantees. And I’ve heard this from a number of cybersecurity companies out there, vendors touting a hundred percent ransomware protection, or, you know, something of this nature. I mean,

Evan Francen (00:45:21):


Frank Gurnee (00:45:23):

Possible. I mean, I, I can’t see how it would be,

Evan Francen (00:45:28):

Are they watching this

Michael Kennedy (00:45:29):

Cross? No, we can’t. Yeah, a hundred percent of the time. Nobody’s a hundred percent. That’s all you gotta think about. Yeah. Nobody’s a hundred percent. It’s all a bunch of, and that, that goes back to your previous question around, you know, how do you, you know, wade through this noise? Yeah. And, you know, just don’t trust vendors who say like that. I mean, ’cause and, and to Evan’s point about risk assessment of like, there’s no, nobody’s a hundred percent. It’s just not, it’s not possible. I mean, there’s just no way. And well, I, and

Evan Francen (00:46:07):

If, and if that’s what your goal is, if you’re actually driving towards that, yeah. You’re going to fail. Yes. And you’re going to be disappointed. So just, you’re just setting yourself up for failure right out of the gate.

Michael Kennedy (00:46:17):


Evan Francen (00:46:18):

It’s the goal isn’t even to prevent all breaches. Correct. That’s not the goal. You can’t do it. Nobody can do it. It doesn’t matter. No ai, nothing. It’s impossible. We’ve seen it forever. Right? So take it from somebody who’s been in this industry and seen this same crap recycle over and over again. Oh

Michael Kennedy (00:46:35):

Yeah. Yeah.

Evan Francen (00:46:36):

So if I know I can’t prevent all bad things from happening, then I should have something in place to detect it and then respond to it.

Michael Kennedy (00:46:42):


Evan Francen (00:46:43):

This is all very logical business

Michael Kennedy (00:46:46):

Mitigate. Yep.

Evan Francen (00:46:48):

And you know, so, and if you don’t, and if you don’t have expertise in those areas, then find somebody that you can trust who does, has ex does have expertise. Somebody who’s not going. Like if you said to, to me, like I’ve, I’ve heard like invisible processes, you know, I was in a meeting and I was asking them, oh, this is a really cool technology. Can you tell me how it actually works? And they said, well, you know, it went on to something. I’m like, okay, I’m still not getting that. Explain to that more. Well, it’s invisible processes. I’m like, what? There’s no such thing as an invisible process. <Laugh>

Michael Kennedy (00:47:25):

What? Un what about protecting unknown threats?

Evan Francen (00:47:30):

Yeah. I don’t know.

Frank Gurnee (00:47:32):

Yeah. Unknown <laugh>.

Evan Francen (00:47:34):

I don’t know how you do it, but,

Frank Gurnee (00:47:35):

Yeah. Interesting. No, I mean, that all makes sense, guys. And, and you know, it’s just, it’s more of, more of, that’s how you weeded it, weeded out the, you know, those folks and, and you know who you can trust if they’re saying things are creating guarantees. It’s just not correct. Well,

Evan Francen (00:47:53):

And in this, in this industry, as a rule of thumb, I would never buy anything from anybody who told me that I needed to have it. Right? Meaning if it was a salesperson, right? I should already know. Like, it’s the same thing, like at my house, right? So take this. ’cause We used to be two different things, right? Cybersecurity or information security and life, right? They were separate from each other. Like I wasn’t online until I booted up my modem and connected to a OL, right? So they were separate things, but they’re not separate anymore. There’s an intersection between everything I do in daily life and everything I do. Cyber. I mean, they’re just, you can’t separate them anymore. Mm-Hmm. <Affirmative>. So the same risks, the same concepts of risk apply, right? So if you were going to guarantee me that I’m never going to get hacked, can you guarantee me that I will never get in a car accident?

Evan Francen (00:48:42):

Can you guarantee me that I’ll never trip going down the stairs? Can you guarantee me that I’ll never have a heart attack? Can you guarantee me I’ll ever have any of these things? No, you can’t because that’s life, right? So what we do is we do things to manage that, right? Mm-Hmm. <Affirmative>, I manage the risk of me having a heart attack by maybe not smoking, watching my weight getting exercise, if that risk is important enough to me, right? And the same thing with cyber. There’s some risks that maybe just aren’t important enough to you, but what’s not acceptable and it’s not defensible, is to be ignorant to just not know, not care, play my, you know, like, play. You’d have better chances at MGM where they lost your information.

Michael Kennedy (00:49:23):

Mm-Hmm. <Affirmative>. Yep. Exactly. Well,

Frank Gurnee (00:49:25):

That’s great. You know, I wanted to get one more question out before we kind of get to the q and A here. And you know, that’s it. If, if you two were MSPs today, you know, handling networks for small businesses you know, what would you be focused on doing in your business in 2024? Like what, how to help these guys and, and what would be those next steps for you? Any thoughts?

Michael Kennedy (00:49:50):

Security assessment. I would go and, and sit down with it every single one of the clients and walk them through security assessment first and foremost. And then, and then take that back. Because then that, that enables me to understand the gaps that I’m not providing them. And it understands the gap, the gaps of what tools or solutions that I need to look at as an MSP to bring in to, to provide them. But sitting in <laugh> this, I would sit down and do an S two assessment, an assessment with these one of these clients, and then identify like what you just said, Evan, what, where’s the risk? And, and then what, what weight do we put against that risk? And then, and then work, build a plan together, partner with that business, and build a plan together and get the remediation done.

Evan Francen (00:50:39):

Yeah. Yeah. I think absolutely. And I, and not missing out, like and I’m learning all the time, you know, I mean, 30 some odd years, and I’m still like, ’cause I was stuck on this thing. I, I was with a bunch of CIOs at a round table and they kept talking about speaking the language of business, speak the language of business, speak the language of business. And I was on this round table and I was the only security guy there. And they asked me, you know, and I wasn’t saying anything. I was just listening. And then they noticed I didn’t say anything. And they’re like, Evan, what do you think? And I, and I didn’t think before I said, what? I said, none of you speak the language of business.

Evan Francen (00:51:16):

And they’re like, what? And they were just blown away. I’m like, yeah. Because all I hear is like, it’s so hard to keep up with the unrealistic technology demands of the business. It’s, you know, we’ve got all these assets, we don’t have enough staff, we don’t have enough budget. And I’m like, none of that speaks to me like you speak the language of business. No. So then the, this is, this was the learning thing. ’cause Then I thought about us, you know, I thought about information security people, and do I speak the language of business? I mean, I’m not gonna beat these guys up and I’m not doing it. And so I, I did research on what the language of business is and the language of business according to what’s his name? Who’s the guy from Omaha?

Michael Kennedy (00:51:56):

Oh, Warren.

Evan Francen (00:51:57):

Warren Buffet. Yeah, Warren. Because he knows a lot about business, you know what I mean? He said the language of business, and this was a quote is accounting. And I was like, son of a. All right. That makes sense. So as an MSP, if I were starting an MSP today, or I was providing consulting services for a small to midsize business, I would approach it as how can I use, how can I provide value to your business and make you more money,

Michael Kennedy (00:52:27):


Evan Francen (00:52:28):

Either top line. So a competitive advantage in the marketplace depending on what market we’re operating in. You know, some, some places touting security gets you business, right? Or gets you through the third party vetting process faster. Right? Right. Whatever. On the bottom line, if I know complexity is the worst enemy of security, I’m looking for every opportunity possible to simplify this crap. So if I walk into a small to mid-size business and I find I would do an asset inventory, what stuff do we have here? Right? Now that we don’t need, we’re not using anymore legacy hardware software that we’re paying for, that we’re not using. ’cause From a, from a risk management perspective, I just reduced risk quite a bit because those are things I don’t have to configure anymore. I don’t have to secure them anymore. I don’t have to worry about passwords. They’re gone from a business perspective. At the same time, this is the alignment that I’m talking about. At the same time, I just saved my, my small to mid-size business, a couple hundred thousand dollars, which by the way, totally paid for all the risk stuff that we did. So I think always looking for opportunities to show how you provide value to them. I’m gonna get paid either way. If I don’t provide value, I I hope you’d fire me.

Frank Gurnee (00:53:46):

Right. No, those are, we

Michael Kennedy (00:53:48):

Call that, yeah, we call that pro, we call that profit bleed. Reducing profit bleed.

Evan Francen (00:53:53):

Yeah. Yeah. Good. That’s a great, I’ve never heard that term, but I like that.

Frank Gurnee (00:53:57):

Yeah. Yeah. Great points, guys. So I wanna jump in some of the questions here. I know we only have about five minutes till the top of the hour, so we’ll try to go through these quickly. I’m not sure that you guys can recommend any tools or software. Someone asked if if there were any tracking vulnerability tools that you guys would recommend for smaller organizations. Anything that you guys, it’s

Evan Francen (00:54:20):

Not gonna come down to the, it’s not gonna come down to your choice of tool. It’s gonna come down to how you use it.

Frank Gurnee (00:54:25):

Yeah. There’s

Michael Kennedy (00:54:26):

How you, how you, how you

Evan Francen (00:54:28):

Address it. That’s almost a commodity now in our industry. So you’ve got, you know, Nessus, Qualys, rapid seven. I mean, there are a number of players. You

Michael Kennedy (00:54:35):

Open source, you open source ones too that you can set up yourself for free. Yeah.

Evan Francen (00:54:40):

So going down that route, whatever tools you’re researching just learn how to use them. Right.

Frank Gurnee (00:54:47):

Okay. Let’s see here. What do you guys think good cyber marketing looks like? Any messaging that you’ve found that resonated with customers and is honest. So, so marketing for them to their potential customers. Anything that comes to mind that might

Evan Francen (00:55:02):

Resonate? It starts with a beard.

Frank Gurnee (00:55:05):

Good. You need a beard. Everybody needs a beard. We need

Michael Kennedy (00:55:06):

A beard. No, we don’t need a beard. I think it’s, it, it’s the authenticity, right? Yeah. You know, not, we talked about it not having a hundred percent, or not having guarantee the, just the fin the finite we do, you know, we’re, you know, it’s, it’s the, the messaging that comes across is we wanna, we wanna partner, we wanna, how do we help you?

Frank Gurnee (00:55:27):

And I don’t think marketing fear is the way to do it either. That’s just correct.

Michael Kennedy (00:55:31):


Frank Gurnee (00:55:31):

Something that, well,

Evan Francen (00:55:33):

They, they had a saying, they have a saying at FFR Secure, they’ve used for years that if you see Evan panic, it’s time to panic <laugh>. So, I mean, that means that there’s a time for fear, right? There’s a time to be afraid. But, you know, you gotta be really careful. And when you play that card, man, because people are, it, we got taught, that’s a crazy thing about this industry too. We were taught this stuff as like little kids, you know, in nursery rhymes. Remember the boy who cried wolf?

Michael Kennedy (00:56:02):

Mm-Hmm. <affirmative>.

Evan Francen (00:56:04):

I was already taught this. So, you know, are these boys who are crying wolves or men? I guess, I dunno what gender we’re talking, but there would be people that are crying wolf to sell you something and there’s no justification for it. So, you know, continue to ask it, ask the questions.

Frank Gurnee (00:56:22):

No, very good. This is just a statement. So you hit a great point, Evan. Linking the business need to, a personal benefit creates buy-in, we’ve seen this in implementing good cyber practices and linking them to employee’s, personal online shopping, banking activities such as that. So that was a great point from Matt. We had an anonymous attendee. Attendee let us know that Kennedy’s beard routine is, is more intense than his haircare routine. So that’s always good.

Michael Kennedy (00:56:48):

It’s called laziness. Laziness. <laugh>.

Frank Gurnee (00:56:52):

Somebody said the box with lots of exclamation marks. So <laugh>. And then we have from Carrie, absolutely risk management. But what about people management? Get it, people are risk. But any other thoughts on that that you guys can provide?

Evan Francen (00:57:09):

What comes down? I mean, we were taught this in college too. I don’t know if how many people went to college, but psychology 1 0 1, right? They taught you you know, Pavlov, I think it was you know, how to motivate dogs, but people kind of what’s in it for them? What pain do they have if they don’t do it right? So it, it comes down to the same thing. So put it into their language in ways that they can understand. And people are so unique that you can’t, you can’t just generalize, right? Because what works at FR Secure in my company or security studio, my company may not work in your company. I don’t know what motivates, I don’t know what your culture is in your organization. So that’s why can training and awareness program is really limited in its effectiveness. It has to be custom to the people that you’re actually serving so that it resonates with them

Frank Gurnee (00:57:59):

All. Perfect. and I think we hit on this. Lyle’s had just talked about the a hundred percent guarantees and, you know, outside of that, if the market’s flooded with that, how do we educate people on business and risk mitigation? Like if there’s all these guarantees out there going on and people, you know, marketing that way, how do you get guarantee

Evan Francen (00:58:20):

That someday you would die?

Michael Kennedy (00:58:21):

Haven’t watched. Yeah. Have him watched Tommy Boy <inaudible> out parts.

Frank Gurnee (00:58:25):

There you go. <Laugh>

Michael Kennedy (00:58:27):

In a box and slapping hundred percent guarantee on it.

Frank Gurnee (00:58:30):

Yeah. Yeah. Good, good point. I mean, that, that is you know, you’re, you’re just gonna have to combat it with reality, right? Reality. And, and that, that there just is no guarantee. But

Michael Kennedy (00:58:41):

You know, and, and it, and it’s okay. I think the other thing too is we get this like, we ha we have to win the deal. We have to win the deal. We have to win the deal and, and, and, and go through it. It’s okay not to win the deal. It’s okay that we’re not a, like Evan said it a couple of times, it’s okay that we’re not a fit for your business. I dunno how many times I’ve told people that’s it’s okay that, you know, we’re, we’re not gonna work for you. You know, and six months later we get a phone call, it’s like, you, you, we need you. ’cause The path we went didn’t work out for us. And that’s great, but you can’t, we’re not magicians. We’re not, we don’t have, you know, that ability to change people’s minds, right? You can only express and be authentic. And if they, if they don’t onboard, okay, it’s okay.

Evan Francen (00:59:29):

Yeah. There’s plenty of others that do want to get on board. Yeah. I’ve done the same thing with, with executive management that just, you know, they don’t give a and it doesn’t matter. You try all the different angles, try to figure out all the different ways, and they still don’t care. Rather than me continuing to waste my time here and maybe get it over this hump, screw it, I’ll go, I’ll go work for other places where they actually have good management.

Frank Gurnee (00:59:53):

Yeah. Right. So we’re at the top of the hour, guys. There’s, there’s one last question here that I, I’d love to hit and then we’ll we’ll, we’ll get our ending going here. But Jason asked, other than fr secure C-I-S-S-P mentor program, blogs and ostra.net blogs, are there any publications, websites, organizations that are better than others for staying up to date on cybersecurity news and events? Do you guys have any recommendations where these guys can go to check out stuff?

Evan Francen (01:00:20):

I can tell you what I do. I, I I actually don’t go to any news source. I create Google search alerts. So there’s certain things that I’m interested in hearing about on a regular basis. And so with Google you can, you know, set up certain search criteria and then have it email you digest of those things. Mm-Hmm. <Affirmative>. So I get sources like if I’m interested in, you know, counties that have been hacked, you know I’ll do a search with county breach data, whatever, whatever my search criteria are, and then I’ll get updated on those. ’cause Then I can read it without somebody’s interpretation of what it is. Right.

Frank Gurnee (01:01:05):


Michael Kennedy (01:01:06):

Any thoughts? I use, I use an app Flipboard and I configure it the same way that Evan talks about. I have different parameters in there for a secure related industry related just world events type stuff. And then I, I go through and I, and read myself. I mean, there, there are a lot of good organizations and a lot of really good people out there that, that publish podcasts, that talk industry related stuff. That, you know, I just, I read through that stuff as it comes too. But yeah, I customize, I do the same thing. Customize

Evan Francen (01:01:41):

And certainly what my friends are doing, you know what I mean? Mm-Hmm. <affirmative> people that are really respecting this industry. So, you know, and I’m not pitching it. I think it’s good, you know, like Hackle Box, my good friend, you know, Oscar, you know, leads that, and I always want to kinda keep up to date on what he’s up to and what he is doing. So. Mm-Hmm. <Affirmative> That’s a good point. You know, Mike, the those podcasts as you make friends, you know, in this industry, follow your friends, see what they’re up to.

Michael Kennedy (01:02:07):

Mm-Hmm. <affirmative>.

Frank Gurnee (01:02:08):

Awesome. Well, guys you know, this has been super informative. We’re, we’re planning to do, you know, a series of these over time. So I think that’d be great. At the end of this, you guys they’re listening. We’ll have a survey, just like to know what it is. Two questions I think or something. So, so let us know what you thought of it and anything that you wanna see in the future or talked about. So feel free to, to fill that out for us at the end. Any final thoughts? Kennedy, I’ll, I’ll start with you. Any final thoughts?

Michael Kennedy (01:02:39):

I’m not sitting in front of a fireplace next time it’s too hot. Too hot.

Frank Gurnee (01:02:42):

Now you’re sitting here dying <laugh>.

Michael Kennedy (01:02:45):

We gotta do one in Mexico. Sitting around a bonfire together. Yeah.

Evan Francen (01:02:49):

Come out with me, man. Yeah, I think, you know, start with protecting what’s most important to you. Yeah. Start with protecting yourself and your family. You know, we talk about business a lot, but at the end of the day, you know, what are your kids doing? You know, because I can recover from, if you hack my bank accounts, which has happened many, many times ’cause it’s just nature of the beast, I can recover from that. What I can’t recover from is you stealing one of my children’s innocence. Yeah.

Michael Kennedy (01:03:20):


Evan Francen (01:03:22):

I can’t recover from that stuff. So start there. You know, start with personalizing this, get yourself, get your family secure, and you’ll be, you’ll, you’ll be amazed at how much you learn from doing that, that you can then take to your work. So my, my, it’s the same with like, when I tell, when people ask me, you know, how do I get into, you know, pen testing and I’m like, hack yourself,

Michael Kennedy (01:03:43):


Evan Francen (01:03:44):

Yeah. What do you mean? Like, hack your house? Like I, you know, and the normal, you know, American House has like 12, 13, 14 devices connected to the network, right. Hack all that crap. Yeah. You’re not gonna go to jail for that and you’ll learn so much. So the same thing. You know, make this personal, protect your family, protect yourself, and see where good things go from there.

Michael Kennedy (01:04:04):

Yeah. Have I, I make my kids read data privacy policies.

Evan Francen (01:04:08):

It’s torture. They

Michael Kennedy (01:04:09):

Want in, they wanna install Snap Snapchat on their thing. Okay. Read the policy and tell me where, what, where your data’s going, and then you can have it. Right. So, nice. That’s awesome. And they, yep. Yep.

Evan Francen (01:04:20):

That’s borderline torture a little bit. It’s

Michael Kennedy (01:04:23):

Close, but they need to know that they do. I want them to have that thinking process. Right. So yeah. Don’t

Frank Gurnee (01:04:29):

That on everything. Right. Oh, great. Great stuff guys. This has been super informative and awesome. Really appreciate your time from both of you. And, and I think that we’ve, we’ve learned a lot today. We went over a little over, but most people have stayed with us, so that’s fantastic. If you guys wanna learn a little bit more, this was not about, you know, our, our solutions or anything like that, but if you’d like to learn more about ostra ostra.net, feel free to jump over there and check those guys out. Mm-Hmm. If you’d like to learn more about Security studios, just security studio.com, check us out and thanks everyone for joining us today. There’s been a great fireside chat getting Kennedy all warmed up there.

Michael Kennedy (01:05:09):

Okay, thank you. Have a

Evan Francen (01:05:10):

Merry Christmas guys.