Ensuring Compliance with Security Bill Format for Human Resources

Security bill format for Human Resources

[Music] all right welcome back to cyber for hire the managed security podcast once again I'm Bradley Barth with SC media in the first half of our show we talked with Merica KO at Double Shot security about removing the BS from the third party risk assessment process but right now I'd like to welcome back my co-host Ryan Morris from Morris management partners because it's time for us to examine our mssp industry and Market strategy topic of the week presenting our big idea in business pricing practices that fit the bill a great many mssp Security Professionals are truly passionate about making the digital world a safer place for businesses and their users but at the end of the day it is still a business and good cyber security isn't free and therein lies the strategy around pricing what pricing models work best for your organization and appeal most to your customer base and how do you ensure that your pricing policies are fair and transparent this session will examine the key considerations and best practices around pricing and billing so Ryan is always going to jump right into it there are a number of models for pricing and I would love to start by uh maybe giving a little bit of compare and contrast on some of these in your opinion you can go per device you can go per user you can go with a flat fee you can go with a per function scheme where you charge for each essentially a corporate Department uh using uh your your services uh what what are some of the Plus and minuses for all of those different uh pricing approaches that you can take you know it's a great question because this is surprisingly quite an emotional topic around the industry there are very many managed service providers who are convinced that in order to be a managed service provider everything we do must be included in a flat fee all inclusive everything you can eat one price pricing model now I understand the fundamental concept of predictability and consistency and pricing but I don't think that it's fair to impose the concept of one size fits all for every engagement every customer every scenario that we might encounter now as you mentioned there are a number of different schemes for pricing that that are prevalent across the industry there's the question of per device which in the beginning of the managed Services space and the early days of managed cyber security uh that was probably the most clean most defendable most explainable version of pricing you have this many servers you have this many switches you have this many workstations and laptops Etc this is the price per device these are the number of devices a times b equals your monthly fee now that started to get strained when we got into the world of multiple end user devices and multiple use cases for in-office and mobile workers and other kinds of remote Technologies it started to get so complicated with so many iterations that it it lost that luxury of being very explainable to the customer and it especially fell apart when we started to incorporate any device beyond the classic windtel infrastructure and end user stack right when we started to look at operational Technologies especially iot sensor based devices the quantities can go to the stratosphere pretty quickly and trying to figure out a scheme that would allow you to identify and charge per device without having astronomical levels of calculation it kind of forced people into a posture of saying well in order to protect that sensor based device over there I'm only going to charge you pennies per month at which point the customer rightly asks the question wait a minute if it only costs pennies per device what am I actually getting for that I think as a result that per device per unit under management has really aged out in the marketplace we still see some simplified environments where we're not yet covering uh things beyond the windtouse stack that we do actually still see in the research some people are using it but I find that it's less and less attractive to the end user right if you look at other schemes that that are popular out there per user or per business function I think that we can learn some things from just the architecture of cyber security right if you think about the way that we design our services rather than having just a perimeter-based approach to cyber security or only a layered approach across the the stack of Technology we find that there's an evolution towards the data Centric management and then beyond that even to the human-centric management of cyber profiles and cyber surfaces that need to be considered I think that's very efficient logic as we start to look at the the concept of pricing where we can say irrespective of the pieces of technology that might be involved or the the the tools that individuals might be using we can identify the behavioral characteristics of a person or a role within the organization and we can use that to Define both their logical access and authorization profile but at the same time how complex and therefore how costly it is to protect that individual when we go beyond the human or the role and into the data Centric kind of logic I think we find ourselves in an even more interesting calculation we're not here to protect just the devices or the environment but to preserve the principal asset which is the information that we're talking about that is a little bit more complex to calculate but I still think it's a move in the right direction and and that speaks to the reason why we're having this conversation to begin with none of these answers are easy and there is not one single version of a pricing calculation that applies to every customer to every service provider or to every security engagement all right now let's look at this another way you might be a managed security services provider that offers really a wide spectrum of different types of services and offerings so uh another question can be uh Do We Go a la carte with our pricing model uh do we bundle things together do we do some kind of a tiered system uh of services and so again I'm wondering if we look at it in that way what's your philosophy there Ryan you know My Philosophy has evolved over the years in the beginning I did like the idea of we are here to be the the resource to improve your cyber security posture therefore anything that we do to improve means that that ought to be included and it was hard to draw a line between firewalls and anti-virus and uh and network access control and some of the other technological definitions and so we we started to say you know what let's just make you as secure as possible and it costs a certain fee there had to be some sizing and some scoping calculation in there but the functional service we provided was everything included I've evolved on that concept based on seeing a lot of the research and then engaging with individuals managed service providers who have indicated that that really causes some expectation problems in the relationship and it also causes some scope problems right the first problem that I that I mentioned there the the expectations imagine that you are the client and I've said to you I have an all-inclusive everything is is covered approach to cyber security we will count the number of users in your environment and then everything we do in in the environment is going to be included in a single price okay but what exactly is everything right your version of everything might include all of those iot devices it might include artificial intelligence uh applications to uh and machine learning to do pattern recognition and predictive analysis your version of everything might include things that my version of everything doesn't include right if you look at the world of managed cyber security out there in today's production environment there is nowhere near a consensus of what all the correct Technologies tools and Protocols are there are as many different scopes of service portfolios as there are service providers so for us to say everything is included and that is just begging a question back from our customer of well you said everything was included but you didn't do this well we made a strategic decision we made a technological evaluation and we choose not to include that in our package well whose version of Everything Is Right the client or the service provider think that causes far more problems than it solves with Simplicity and accuracy for the pricing calculation as a result I'd buy much more the philosophy of either a bundled approach or a tiered approach there is a beginning level where we will do fundamentals there is an uh an advanced level where we will cover more of your attack surfaces more of the technological approaches to mitigation that that we are applying only in special scenarios and then there is that you know tip of the spear top of the pyramid level of service where we are going to be providing an extensive level of proactive coverage and service that is not necessary or cost Justified for every customer I think the biggest problem that I see with the idea of all inclusive pricing is that it locks out the vast majority of customers who might otherwise be ideal candidates for your service which is a really fancy way of saying you're making your target market smaller and you are eliminating a lot of potential paying customers by insisting that even the lowest End customer must agree to do all of the most high-end and inclusive services I don't think that's smart business and I don't think that that's the right way to approach a customer think of it this way in a contract Services business comprehensive pricing and increasing the average billable rate per customer environment that's one way to increase the opportunity size to increase the revenue for our organization but there's a much more meaningful way to increase our our overall revenue and that is to win more customers more rapidly right if we say everything is included and that means a lot of people are going to just say you know what I don't need all of that and I'm certainly not comfortable paying that premium price point for absolutely everything included we're going to lock out a lot of people and and eliminate some other billable relationships otherwise right think of it in the context of the pyramid they're going to be layers of customers who pay us a little there's going to be a layer of customers who pay us more and then there's going to be a smaller segment of customers who pay us a lot we'll win more customers we'll have shorter sales Cycles we will get the customer into a billable relationship much more frequently and much more rapidly which will optimize the top line of our business I think it's better cyber security practice to have tears but it is at the very same time better commercial practice to not lock out potential customers who would love to pay us for some of our services if not all of our services there are certainly instances Ryan of mssps that charge a premium for certain services but then certain things should really be standard and Universal for everybody as part of the overall package so I'd be curious to hear from you what in your mind should always be standard for everyone and what's okay to be reserved for just a premium pricing you know it's uh I'll put an asterisk on this conversation and say as of today there's a different version of standard than there was a year ago and a year from now what is standard is is going to have expanded as well it's a question of mass-market adoption of various Advanced Technologies the good news is the industry is always releasing new technologies new capabilities to address problems that we either couldn't address before or that required us to do a certain mix of manual services and tools-based applications that that weren't very efficient right the state of the art continues to advance in our industry that's great that means that what is standard is not going to be consistent I think right now that everything in the defensive posture everything from the the concept of zero trust down through basic blocking and tackling right the fundamentals of of defensive security posture I think everybody can agree that that is a logical Baseline that ought to be included in every tier I think that the more logical areas for us to have uh premium or a la carte services are in the developing areas of machine learning and artificial intelligence um we're still learning a lot about how to use AI for good while the bad guys are out there trying to use it more and more for evil that's such a rapidly evolving uh category we don't understand it well enough ourselves to have defined a standard therefore I really shouldn't be included in a basic package it should be something that we admit to the customer is rapidly changing we are not experts all the way yet because the the technology is just moving ahead at such a radical Pace but we will but we will best professional effort there's legal terminology that will defend us if we try our best even if it doesn't absolutely work perfectly I think that's a that's a good attribute characteristic for us to use for things that might be included in special circumstances I think that that the one area that I would include in standard that that a lot of people are not yet including in standard is the concept of not just defense and then incident response but the remediation and back to a steady state right to have been protected is one thing to have managed an attack is another thing to get back to a steady state where we are not only not actively being attacked but we know what the exploit was we've remediated for that and we are back to a place where we can say we are presently in a secure State I think that is something that we we really do a disservice to customers if we leave that out of our relationship packages uh it's not safe to assume the customer will do that work on their own it is not wise to leave that remediation and Recovery work undone therefore I think best practice would indicate we should include that as of today I have high hopes that a year from now a lot of this AI stuff will be more stable understandable and professionalized and we can start to incorporate that more and more into our basic approaches but as of now it's kind of experimental so it's not included in a standard package all right Ryan well we just have a couple of minutes left so final question for you uh pricing transparency I mean it's so important to be able to communicate things uh clearly and straightforward with your clients so where do things most often go wrong uh with pricing transparency where are there most often uh misunderstandings that arise leading to disputes you know I think the the the general statement of the most common source of disputes is unfulfilled expectations that were not clearly delineated described and agreed in contractual language right um I think we we want to get more engaged with our customers and so we tend to use language in agreements that sounds like well not only will we use this technology and apply our best efforts but we will eradicate your your vulnerability we will create the most secure possible environment you know in marketing terminology that might be okay but in legal terminology that is just a Minefield of unexplained expectations it's not something that that we can defend and therefore it's going to create the opportunity for disagreement with our customers I think we need to get comfortable with the concept of the only things included in this service agreement are those that are specifically listed and described here anything that is not specifically listed and described here is expressly excluded and will not be covered by this service it feels harsh it feels almost like a a an aggressive approach to the customer relationship but I think we need to be that deliberate about the way that we enumerate our relationship with our customers there can be no ambiguity there there cannot be any misunderstanding of not only what technologies are deployed and what services are provided but where is the division of responsibility between the service provider and the client we need to be more and more precise with contract language and add that boundary that very clear line that says anything before here that was described is included anything that is not described is not included the reason that I'm very adamant about that is in our research we've asked a lot of end users about how satisfied they are with the security practices that that they've engaged with the scope of services Etc um one of the distressing things that we've found is that customers who have not yet been breached or not recently been breached during the scope of this relationship they tend to re to report very very high levels of satisfaction and they will report very high levels of satisfaction even for services that are not included in their agreements now you might think that's nice that's a glow up kind of an effect of hey they love us so much they're satisfied even with the things that we don't do for them you know in a marketing sense again that might be nice uh in a legal sense my goodness that's a Minefield of potential disasters so uh we we see that there is a lot of assumption that goes on in our industry and it's only when things go wrong that you know the customer says hey wait a minute I thought you had that covered and then the service provider comes back and says it's not included in the contract we weren't doing that well I thought you were well we never said we were and then there's a finger pointing and and an assumption of blame that cannot be recovered from from a relationship scope perspective uh I think we just have to assume that misunderstanding is the enemy of cyber security so let's be crystal clear in our definitions and include that language that says very precisely if it is not described in detail in this agreement it is not included and let's get customers to sign on the dotted line to acknowledge that fact all right guys that's what we think about pricing what do you think what is your approach to calculation and the way that you uh not only determine the cost per customer but the way that you communicate that to your customers and the way that you defend the value of your approach to that we'd love to get some more feedback from the audience because this is obviously it's a very keen topic but it is also a very emotional topic so reach out to us at our email address cyber for hire at Cyber riskalliance.com you can hit the uh the show page and and follow the links for comments there but let's keep this conversation going in the meantime we would like to shift now to the next segment of our program and that is our relationship management segment that we call dear cyber for hire now this is our opportunity to mediate to uh to counsel and to hopefully improve the relationships between service providers and their clients in the cyber security field uh the letter that we're about to share has been stylized to protect all of those who are innocent in this scenario but believe us when we say this is a real situation that we hear from providers all the time in the real world and we want to help you figure this out so Bradley set us up what do we need to know about this week's letter all right thanks Ryan yep we're back with even more juicy mssp melodrama and this one comes from the provider side of the relationship so fellas cue the music deer cyber For Hire if Two's Company and three is a crowd what's thousands of people I can't possibly keep track of I'm as welcoming as I'm as welcoming as the next person but lately it feels like my partner is treating this place like an endless open house people coming in and out half the time I don't know anything about them allow me to elaborate my managed Services client is very relaxed in terms of their processes and policies around new employee onboarding and former employee off-boarding and I fear that this lack of Workforce identity management may result in overly lenient access permissions obsolete credentials that could one day be abused or other security and privacy risks a tidy home is a happy home so how can I get my client partner to clean up their messy Personnel problem sincerely overwrought over off-putting onboarding and off-boarding omissions and oversights in Orlando Ryan short of convincing the client to move to a managed I am service or a managed HR service how do you as an mssp help a client who clearly doesn't have their house in order when it comes to employee onboarding and off-boarding you know it I it's a great point that you make there right in the question there are categories of Technology designed specifically to address this precise problem in the world of business technology and cyber security and yet the adoption rates for those Services identity and access management and managed HR services are still incredibly low right I think this is not only an indication of a gap in technology and service coverage it is an indication more broadly of how not good at the human parts of businesses that most businesses actually are right and think about it like this small businesses tend to hire new employees very infrequently right think about a business that has uh 20 or fewer employees in the managed Services space a very typical profile of a customer or of a managed service provider that has a certain you know set of sales people some back office operators uh a big team of Engineers and we are managing our client engagements with this with this set of human beings how often each year does that organization actually hire somebody new and bring them on board one employee a year two employees a year if we had a particularly bad year with churn and we had three or four people leave we might add three or four back in in the course of 12 months um the the best lessons that we can learn in life are around frequency and familiarity anything that we do once or twice a year we will be very bad at right if you extend that logic to just the raw demographics of end user organizations in the world um what is it 95 of all businesses in the United States are classified as small or very small businesses it's only five percent that get into the medium and large size of organizations the vast majority of end user organizations higher occasionally infrequently and in a completely custom made-up way each time they try to figure it out almost all businesses statistically speaking are bad at Human Resources it's not a surprise in that environment that they would also be bad at documenting their people when they are bringing them on at defining implementing and actually tracking a a precise process for bringing people on and ensuring that security Protocols are applied and in managing the access rights for people as they depart the organization most of the time we're all just so busy we got you know multiple hats our hairs on fire we're running as fast as we can to keep up with all of our business and when that new employee does show up one day the typical experience for a new employee is I'm really busy I don't have time to sit down with you right now there's your desk here's your cell phone uh let's catch up at lunchtime and see how things are going okay that is an environment that is desperately ripe for very inefficient access management controls and I think this is one of the the this is one of the very most popular but least understood areas of security vulnerability all right Ryan well I appreciate your take on that and with that another relationship saved so hopefully our listeners have learned from this and don't make the same mistake and remember if you've been struggling with your managed Security Services relationship whether you're the user or the provider we want to hear from you so please write to us at Cyber for hire at Cyber riskalliance.com and we might use your letter in a future episode all right well it's almost time to wrap things up but before we go it's time for us to get a little random as we share with you drum roll please our irrelevant news of the week this is a real news pitch that Ryan or I have received in our inboxes for reasons that are entirely inexplicable to us are you ready Ryan I am ready all right well here we go the Naval History and Heritage command announced the winner of the 2023 new year's deck log contest winners the tradition of the midnight New Year's Day poem allows Sailors to write the first deck log entry of the New Year in verse first place this year went to Lieutenant artem sherbinin hopefully I got that pronunciation correct of the soon to be decommissioned USS Bunker Hill and his poem went like this as New Year's bells ring out tonight we celebrate our warships might in Poetic form we must recall bunker Hill's life before her 2023 mothball so Ryan uh this time I actually gave you a little bit of a heads up that we'd be doing this so maybe you'd get in that poetic frame of mind because I want us both to similarly recite a poetic New Year's log entry on the topic of cyber security so same scenario we're going to pretend like it just turned 2023 and we had to write a couple of lines of verse to sum up the New Year I'm gonna go first with mine and I call it the csos 2023 Lament with every single passing year our cyber threats grow more severe oh how I long for the simpler days of Melissa virus and Y2K that's that's my little uh poem and uh now uh Ryan I think you're gonna kind of uh improvise a little beat poetry for us see uh the extemporaneous is my style uh rhyming never ever was and and my Approach has always been a little bit more literal and a little less alliterative so uh I I will say that's a really long way of saying man I suck at poetry and yet I use words for a living I gotta say nicely done Bradley on your uh your csos lament uh I also have to just indicate a little bit of being impressed with the uh the service members uh poetry uh that the fact that that's not the only person who actually writes poetry in the ship's log boy that's actually really impressive to consider what they do for their jobs every day and then they can still actually write verse uh I will say I got no poetry anywhere around this topic I'm I'm focused exclusively on solve this problem and make money in the process so I'm just going to be thematic and stick with that all right fair fair enough Ryan uh still whenever you speak it just it just flows out like poetry to to me and I'm sure our listeners so I appreciate it very much speaking of poetic verse it's time for us to both disperse we're out of time let's bid a do until next week episode 22. uh meanwhile feel free to check out even more cybersecurity podcast content on the SC media mssp alert and channel e to e websites until next time I'm Bradley Barth and I'm Ryan Morris thank you very much for all of your insights that you do share with us on the program let's keep that conversation going please reach out to us via our email address or our show page and let us know what your insights comments and questions are about anything to do with the business of cyber security we'll keep this conversation going on the next episode of cyber For Hire your inside source for cyber Outsourcing foreign