We had the opportunity to sit down with the Vice President and General Manager at Collabrance to discuss trends within cybersecurity, what keeps the average cybersecurity MSP up at night, and the latest Collabrance IT offering.
Marketing and Sales Analyst
Matt: Hi Corey, thanks for taking the time to sit down with me for today’s interview. Before we get started I want to introduce you to our audience. Corey Kerns is the Vice President & General Manager at Collabrance LLC., a Master Managed Service Provider (MSP) located in Cedar Rapids, Iowa.
Corey received his Bachelor of Arts in Business Administration at Wartburg College and continued his education at the University of Iowa by graduating with an MBA.
He’s been at Collabrance for almost 4 years and most recently spearheaded the successful release of their new Private-Label Master MSSP offering that includes over 20 different components focused on protecting Small-to-Medium Business' end-user data and information. Corey?
Corey: Thanks, Matt! I appreciate being interviewed today. I’m looking forward to the conversation that we are going to have. Hopefully, we can continue to educate the channel with some of the risks that we have in terms of cybersecurity MSPs and their main customers.
Matt: Absolutely Corey, every year it feels like we see more sophisticated cybersecurity attacks from NotPetya in 2016 to WannaCry.
Although these attacks are extreme circumstances, how can Managed Service Providers prepare for cyberattacks before they happen?
Corey: That’s a really good question Matt. I like the way you framed the last part of the question saying, “Prepare for cybersecurity attacks before they happen.” I think everybody’s starting to realize that they can’t prevent them in today’s age.
As you look at cyberattacks, everyone’s realizing and trying to shift their focus to not only trying to prevent them but also recovering from them. You hear phrases in the industry like, “It’s not if but when.” These cyberattacks and criminals are advancing the sophistication of their attacks.
We only have an hour or so to talk, Matt, and I could probably talk about this topic for the whole hour. But there are a few key areas where I think cybersecurity MSPs could prepare for an attack.
First, they need to make sure that they have the internal systems and procedures to respond to these incidents. You’re seeing it on the news, a lot of these attacks are starting from inside MSPs and criminals end up getting a hold of their systems. But having something like an incident response team and plan allows you to quickly respond to attacks. They also help to make sure that you have the necessary policies and procedures in their internal systems.
I also think that understanding the basics and following best practices such as patching firmware and limiting access is necessary. A lot of us in this industry can be our own worst enemy when we fall behind on preventative maintenance and the daily noise from our customers consumes us. But it’s about making sure we’re doing that preventative maintenance for our customers and that our internal systems have the necessary limitations, such as 2-factor authentication, so criminals can’t get into the system.
The last one is related to the policy and procedure side. It’s about taking the time to educate and understand customers, risk, and end-users. End-users can be their biggest asset or their biggest weakness. This includes educating those users on best practices in terms of what to look for and what not to click on. Also, they need to understand that they may have to make sacrifices to their convenience. This will ensure that the necessary security is implemented on their hardware or software. That can be a very difficult conversation to have because it deals directly with their productivity and efficiency. This isn’t a failsafe but it makes sure they’re maximizing their security frameworks and it helps prevent attacks.
There’s a lot that goes into preparing for attacks but those are the three main areas I try to help cybersecurity MSPs focus on.
Matt: Corey, I know you mentioned that that was a great question but that was an even better answer on your part so I appreciate that. As you know, some cybersecurity attacks lead to massive breaches. It seems like yesterday we were hearing about the hundreds of millions of records being exposed from Equifax last year. Now, we are facing a breach five times the size of that with Marriott.
What would you say is the biggest cybersecurity concern for today’s average MSP?
Corey: That’s a really tough question and I believe there are a lot of different opinions out there. It’s interesting though, we just saw a recent one come out recently involving Capital One. Breaches are coming out at a faster pace than we can keep up with.
I think that I tend to agree with the majority of the channel in terms of the biggest concern, it’s the end-user. I mentioned in the previous question that they can be your biggest strength or your biggest weakness.
You’re seeing a lot of breaches happening because someone in an organization clicked on an email that exposed their credentials or allowed a hacker to gain access into their internal system. As we are the trusted advisors to our end customers, MSPs really need to make an effort to educate those end-users on not only what to look for but if something looks fishy that they stop and think about what they are doing.
I think a lot of us, myself included, get consumed in the day-to-day. We are that hamster wheel running as fast as we can and click on anything we see. But it’s about taking a step back, looking at something, and making sure that we reach out to the office manager or call your cybersecurity MSP so that they can investigate.
A lot of the industry is trying to focus more on how to educate the end-users and organizations on what to look for and their risks if something occurs. No technology in the world can stop an individual from clicking on something or exposing information that they shouldn’t.
Matt: Exactly Corey, I agree with you that the end-user is so crucial and important to the process. They can be the main source of a cybersecurity attack. As I mentioned in your introduction, Collabrance announced its private-label MSSP Offering. The announcement mentioned that there are “over 20 different components focused on protecting Small-to-Medium Business’ end-user data and information.”
How did you determine what were the most important components to include in the offering?
Corey: I think there’s a lot of us within the organization and within the channel that try to come up with these different types of solutions and offerings that help cybersecurity customers.
This was a long process for Collabrance. We’ve worked on it for the last couple of years and we approached it in a couple of different ways.
First, we mainly received feedback from our current channel partners, service providers, and the end-customers because they’re the people who have the most experience.
Second, we looked at our internal team for feedback. We have security experts on our team who are much more skilled than myself to be able to evaluate some of the stuff that is going on.
Third, we used security frameworks and regulations such as NIST, HIPAA, and PCI to be able to identify any gaps that we had in our current offering. That helped us identify where to add pieces in certain areas and if we had the technology support for our end-customers.
Fourth, we looked at competitor and industry analysis to look at what other companies are doing. If another company has a good piece included within their offering, we took that into consideration.
We layered in all of the feedback from all of those different areas and then we had our dedicated product development team create the plan that we put in place. So Matt, it started at the ground-level, moved internally, and then shifted to an industry focus.
Matt: Wow! A three year evaluation process is definitely a long time. I’m sure you guys took the necessary steps to evaluate each and every single component that goes into your offering. It’s definitely impressive and shows that you’re passionate about what you’re doing.
So to continue, are there plans to add more components to the offering as it matures?
Corey: The short answer to that question is yes.
But to expand on that, I think many people would say that security is not black and white. It’s a process that’s ever-evolving. As you look at the news and what’s going on with all of these different security incidents, the threats are evolving at a pace that I can’t believe. The individuals that are attacking and getting into certain systems are smart so we have to evolve.
We’ve established a roadmap that we’re adding cybersecurity components to as we see fit. Right now I would say what we’re looking at in the near future is what will help increase our end-user’s compliance.
There’s a lot out there that our customers need to not only meet from a risk mitigation and security standpoint but also from a compliance standpoint. Whether that’s vulnerability assessments or taking a look at the policies and procedures they have in place. For most organizations it’s two-fold. You have security measures and policies and procedures put in place.
We’re also looking into…
Additional multi-factor authentication
How we can make sure that there’s no chance for human error
How passwords are stored and utilized
Ensuring additional layers of security a criminal would have to get through
Hardening email security
That's currently where we’re headed in the near future but if you asked me this question next week it might be entirely different. It’s a back-and-forth between what’s going on with publicised security incidents and our goals.
Matt: Right, you mentioned in your answer that hackers and people who attack companies from a cybersecurity perspective are always learning and continuously trying to figure out new ways to expose vulnerabilities.
So how can MSSPs stay ahead of the curb and prepare for something that will happen eventually?
Corey: Yeah, I think it’s hard to even think about that phrase, “Staying ahead of the curb.” If we were ahead of the curb I think we would be in a different position. I kind of mentioned this in a previous question but cybersecurity is a chess match. We make a move to prevent certain things and then criminals discover a new vulnerability. It’s a never ending match between hackers and security experts.
But from our perspective, what we do to be as close to the curb as possible is trust our dedicated product team and security experts. They are the ones on our team who are spending the time in the industry and doing the research to make sure that we stay informed.
We also leverage the network of our current customers. Whether that’s current cybersecurity MSPs, customers, suppliers, or channel partners. Each partner that we have is in a different sector so they naturally have experts in different fields that we can leverage. We build a network with them and share information back-and-forth that ends up turning into brainstorming sessions for new ideas and products.
Lastly, we work with peer groups and competitors. If we have information that will help the entire industry, we’ll share it for the greater good. It’s our duty to make sure that everybody has the information that is necessary to make the right business decisions or shift direction in order to overcome attacks.
Matt: Yeah and you mentioned how hard it is to predict something like that from happening but from a cybersecurity solution perspective, what’s the current trend there?
Is there a shift in focus and do you agree with the direction that they are moving towards?
Corey: I think you’re seeing two different types of shifts. First, there’s the email security and user education focus that I mentioned in a previous answer. Second, there’s a heavy movement toward the risk assessment side which is something cybersecurity MSPs used to utilize.
I agree with both movements.
I think the focus on email security and user education is crucial to keeping an organization safe. If you think about the amount of information and data that is transmitted through those platforms, it’s kind of scary.
But continuing to educate and implement as much security as you can without constraining the business helps, even though there’s some sacrifice in convenience that goes with that. These are things that Collabrance already focuses on.
From the other standpoint, I do think it’s important to leverage risk assessments. We have to be able to identify any potential risks within an organization in order to put the proper mitigation steps in place. This is something Etactics has put a lot of time investing in with your risk assessment module and K2 Compliance.
In my opinion, I feel that there are some organizations and individuals who hope that they’ll find a “failsafe” cybersecurity solution. A lot of us in the industry rely too heavily on the products themselves and we don’t spend enough time on understanding the customer’s needs. That’s something that Collabrance preaches on.
There's nothing more valuable than taking the time to understand your customers.
We like to stay in the mindset that if an incident happens to a customer, what’s the first thing that we need to do to get that customer back up and running? That question is going to differ from each customer that you work with and their cybersecurity solution can’t answer it.
It’s about combining a diligent approach with your customers and including sophisticated cybersecurity solutions. If a cybersecurity MSP is able to do that they’re not only going to be able to protect their customers but also differentiate themselves from competitors.
To conclude, I agree with the trends that are going on from a cybersecurity solution standpoint but there’s nothing more critical than spending time with your customers, educating them about their risks, and having a collective mitigation plan.
Matt: Okay. Now, as you know, behind every solution is a company. To conclude the interview, take us through the evaluation process for a vendor that provides a particular solution that Collabrance has decided to add to their security stack.
How do you narrow the selection process?
Corey: The first thing that came to my mind, Matt, would be to bring in a guest speaker. Someone who has been on the other side of the table and has gone through our vetting process.
I think they would say it’s a daunting process. We take our 3rd party evaluation process very seriously. Whether it’s a supplier, subcontractor, or partner we view them as an extension of our team. The customer may not even know they exist so we need to make sure that they are reliable and that we’ve gone through the necessary process to determine that. We view it almost as if the companies are employees we are hiring, they are a part of our team.
To give you an overview, it’s similar to the basic product development process.
First we identify a need. Whether that need is for an individual customer or across all of our customers.
Next, we build a strong business case and timeline on when we want to execute.
From there what we do is try to identify potential partners. During this step, everybody on our team collectively works together to identify who a potential partner or supplier could be.
After that we evaluate specific factors such as…
Does their corporate culture align with ours?
Do they fit in with our other MSP partners?
What’s their pricing?
What’s their reporting capabilities?
Where are they located?
This step will usually narrow it down to around three potential partners.
At this point we include our third party risk management team to evaluate…
What’s their hiring process?
Do they have a risk management and compliance program in place?
What’s their business continuity plans?
What’s their information security policies and procedures?
Do they have the necessary network security and IT security controls in place?
During this entire process we are making sure that the people that we work with aren’t going to expose us and have a vulnerability that we didn’t know about. It’s about understanding what they do from start to finish from hiring to backend processes.
The evaluation can take anywhere between a couple weeks to a year depending on the solution we are trying to find.
But what’s more critical than the pre-sales process for us is scheduling regular reviews with the supplier. During these reviews we make sure that the relationship and service is what both parties originally agreed on. We want the relationship to be mutually rewarding.
If after the first 30 days we don’t think that the relationship has panned out the way we originally thought it would then we need to make an adjustment.
Aside from the Collabrance team holding those regularly scheduled reviews with suppliers, our risk management team also has a regular review policy. During their review they look at the risk for that particular supplier.
To wrap things up here, there are times that customers and our team get frustrated about how long it takes us to work through our evaluation process. But we truly view our suppliers as an extension of our team and we take that to heart.
We want to make sure that we do our due diligence to ensure that everything is in line with our approach to doing business with our customers. You and I both know that it only takes one failed roll-out or mistake to lose credibility with customers.
Matt: Alright Corey well I want to thank you for sitting down with me for the interview today. You not only established yourself as an expert in cybersecurity but also Collabrance as a master MSP organization.
Now I’m going to turn it over to you before we conclude.
Is there anything else you’d like to mention about Collabrance or anything going on in your life?
Corey: I appreciate the time today, Matt. It’s always great to sit down with you guys to talk. Collabrance is excited about the new products and services that we’re rolling out. We’re starting to view ourselves as an educator within the channel.
With that in mind, we do have an event coming up at our headquarters located in Cedar Rapids, Iowa. It lasts from September 10th - 11th and its premise is educational. We want to help cybersecurity MSPs position themselves so it’s not going to be focused too heavily on the technical side but more so on sales and marketing.
We’re going to bring in outside experts to hold guest speaking sessions. If there are MSPs that are interested in learning more about how to sell and market cybersecurity I would encourage them to check it out. It’s called the MSSP Sales Accelerator.
That’s the last thing I wanted to say other than we like to continue to educate people about the channel.
If anybody has any questions feel free to reach out to me or the Collabrance team if there are any questions about topics we’ve covered during this interview.
Matt: Corey, you know Etactics is going to be at that event, we can’t pass up that kind of opportunity so we’ll see you there!
Corey: Yeah we look forward to seeing you guys again.
Matt: Alright Corey, thank you very much!
Corey: Have a great day!