Owning Your Clients’ Cybersecurity Culture

Webinar transcript

Muna: Hello everyone! Good morning, good afternoon, and good evening to you wherever you may be. Thank you for joining us today and welcome. My name is Muna Assi, and I head product marketing here at Atera. We have a very exciting topic today with a very exciting guest. We’re going to talk about owning your client’s cybersecurity culture, both a security roadmap and a selling strategy. I’m excited for Atera to be partnering with ThreatDown by Malwarebytes today.

But just before we get started, I do see that we still have some people joining. So if you haven’t grabbed your coffee or if you want to get a cup of water, this is the opportunity. For those of you who’ve already joined, please let us know where you’re from. You can type in the Q&A box or in the chat box and introduce yourself. Let’s see who’s going to be the first one sharing with us. Wonderful, I see Edward. Hi Edward, thank you for joining us from New York. We’ve got Ben from Arizona. Welcome. 

Brian: Hey Ben, I’m from Arizona as well, so welcome! 

Muna: Great, thanks for that Brian. Okay, very much a US attendance today. Oh, we’ve got Alejandro from Spain. Welcome! 

Brian: And Scotland. 

Muna: And Scotland, there we go. We’ll be starting in just another minute, so let’s give a few more people time to join. I know a lot of you are running between meetings if you’re like us. We’ve got Natasha from Canada as well. Hello Natasha, thank you for joining. Wonderful. I think, Brian, we can kick it off, right? 

So again, welcome everyone. Before we get started and hand over the mic to Brian, I want to run through some housekeeping. For those of you joining us for the first time, this is our cybersecurity series. We run this series every month, each time on a different topic and inviting different partners. You can keep track of all of those events on the Atera events and webinars page. This webinar is being recorded. It will be available both on demand and we’ll also send it out to you via email probably within the next day or so. We’re also extending a complimentary copy of the 2023 State of Malware by Malwarebytes. You can find a copy of that in the documentation download section, but you’ll also get a copy in the email. I invite you throughout the session to please share with us your questions and your comments. Put those in the Q&A box. In the background, we’ve got Craig and Neil joining us here from Malwarebytes and they’ll be addressing those questions, but we’ll also be answering a lot of those questions at the end of the webinar, pending time. So please go ahead, type your questions and we’ll get to those. I do want to remind you of our usual ritual. We do have a very short survey with a few questions at the end which will help us determine if this was a good session and where we can improve. Also, if you do want to get more information or a more in-depth demo, feel free to ping us at the top there in the button or let us know in the survey. 

Muna: So without further ado, I’m more than happy and super excited to invite and welcome our guest, Brian Kane. Brian is a cyber evangelist. Hi there, Brian! Traveling, I see? 

Brian: Yes, I’m coming at you guys live from Frankfurt, Germany tonight. 

Muna: Wow, amazing! Are you polishing your German as well in Frankfurt, Germany? 

Brian: Not quite, but I’ve got translators, so it’s okay. 

Muna: Okay then, all’s good because this session is in English. So Brian, tell us a little bit about yourself. 

Brian: Absolutely. As you can see here, I’m an MSP owner. I started too early in my day. I went into franchising, opened 40 MSPs across the US specifically focused there. I’ve been a VAR and reseller. I’ve also done this for corporate oil and gas. I’ve been in IT in every which way, shape, or form over the last 24 years. Everything from airlines to shipping, tote barge, air cargo, things like that. What really drew me back though was, you know, I love helping partners. I spent about the last three and a half years really getting to work with MSP owners on building their business. A combination of owners that were struggling with their current business and wanted to grow, maybe they were running a break-fix and wanted to switch. Also, people who had just started their MSP, they just opened and they’re just trying to figure out their tech stack, figure out the moves to make, and where to go. I’ve been in this business for a long time and a lot of different ways. A lot of people always ask me why I decided to come to the dark side, which is come work for a vendor. The real answer is I wanted to be able to touch more people. I wanted to be able to help more partners and this was the easiest way to do it. They let me be agnostic and they let me really focus on how do I help partners. You’re going to see my deck today and I can tell you my deck is not a product deck. So hopefully you guys were not here expecting a bunch of product speak. I’m here to talk to you about cybersecurity, the industry, the future, what it’s doing, and how to help you really grow your businesses. Hopefully that’s what you want to get today because that’s what I’m planning on talking about. 

With that being said, I think we have a poll slide in the beginning or do we have that? 

Muna: We do. We can start with that, Brian, if you’d like. 

Brian: Let’s do that. Let’s throw a poll out here just to get some interaction going. Just let me know when that pops up. Do we see the poll? There we go. I see it in the background. Oops, I think we shared that too soon. There we go, still updating. It’s updating, we got some votes. For those of you that haven’t voted yet, how confident are you that your organization’s defenses are capable of detecting malware on endpoint devices before it spreads from workstations? This is super important. This doesn’t mean you don’t have anything in place, but just as a business owner or depending on what your role is, what’s your level of confidence that you can go to bed every night and know that your stuff is taken care of? I’m very confident in it. So just want to get a gauge for where people are at. All right, we’ve got a good spread here. We’ve got some people that are kind of confident. We got a few that are extremely confident. We got three people that are not confident at all. That’s okay. This is an honest, open place. This is a healing place. This is where we come to talk together and really hopefully help each other. 

With that being said, let’s go ahead. I’m going to jump into the first slide if that’s all right. For those of you that don’t know me, I love quotes. I’m a big fan of quotes. Continuous effort, not strength or intelligence, is the key to unlocking our potential. Something you’ll hear from me a lot when I talk about cybersecurity is that it takes practice. It takes diligence. It’s not just about being the best or how smart we are or all the certifications that people have. The breaches that happen, the bad things that happen, most of the time are because we forgot to do something that was actually very basic. It’s MFA or passwords or we didn’t remove an old account that should have been disabled because somebody forgot an HR process or things like that. It’s those small simple things. Because I’ll tell you what, guess what? Marriott had a full team of people. T-Mobile has teams of people. MGM has teams of people that are very certified, that are very smart, that are the best at what they do. And guess what? They still got breached. A lot of times it comes back to the basics. This is one of my favorite statements: it’s not if you get hurt, it’s when and how bad. This goes back to the concept of what can we do to reduce risk. That’s our jobs. That’s what we do every single day. Our job is to reduce risk. Nothing that you do is foolproof. If we had tools that were just 100% foolproof, we would just buy that tool and be done with it. Nothing’s foolproof because as soon as we build a defense, someone finds a way to knock it down. It’s a constant battle. It’s a constant struggle. We do our best to get in front of it. You guys will see throughout this. I’ll be the first one to tell you I hate slide decks. They’re awful. So I’m not going to beat you to death with slide decks. I actually have a few slides, but if I’m going to hit you with a slide deck, we’re at least going to have some fun. On the left, this is one of my favorites. Everyone here who runs an MSP has seen this, heard this. You come in and it’s like, “Hey, just tell me what you did. What did you click on? What happened here?” And the customer says, “Nothing. I didn’t do anything. It wasn’t me, I promise.” Well, when I go back in and I look at the logs, I can clearly see that you installed this, you added this, you removed this. So come on now. We know what budgets are like. I am aware that you guys go into your customers and you’re selling them on security, you’re selling them on backup, you’re selling them on monitoring and management, you’re selling them on productivity tools, you’re doing all this. We know the good stuff. We know what we should be doing. At the top, this is a cybersecurity program that you want to run. Down below, this is the budget that we have to work with. This is who we are. We’ve got two coconuts to click together. That’s where we’re at. So we make do with the best that we can. 

Let’s talk about that a little bit. I like to think 10, 12, 15 years ago when I started my first MSP, what were the challenges? What were the things that kept me up at night? I’m going to be honest, guys, if I had a firewall installed, I knew that the servers were backed up, I knew that AV was installed, and the ticket queue had less than 10 or 15 tickets in it, I felt pretty good. I felt pretty darn confident that I was safe, I was protected, that my customers didn’t have to worry. Let’s just be honest with ourselves, that is not the case anymore. Things have evolved. This is what it looks like now. And again, this is just the high level. This isn’t even everything, I promise. This is water just for anybody who is curious. This is so much more complicated than it used to be. I am not going to bore you guys with every bow on this, but here’s what I’m going to say. There are a few key things in here that I’m going to touch on that are critical that you need to be thinking about or that need to be at the forefront of your cybersecurity plan. The first one: TFA/MFA. Guys, this isn’t guidance anymore; it’s a requirement. You have to do it. This needs to be at the front of what you’re focused on. You have to be doing this. Security awareness training: This should be for every user that exists that you manage. This should be tied to them. For any of your customers that want to be insured for cybersecurity, it’s a requirement anyway. You should be attaching this to every license you deploy, not offering it as an add-on. It should be required and just attached. Just do it. I’m going to go into this a little bit more later, but an incident response plan: Again, absolutely critical. I’m even going to give you guys some resources to help you with this, as well as compliance. 

With that being said, let’s bump this forward a little bit. I like to start with why. One of my favorite books written by Simon Sinek is actually called “Start with Why.” If you have not read this book,

I recommend you read this book. It is a very good book and can really help you get to the root of why we’re doing what we’re doing. First off, it’s a journey, not a checkbox. That’s really hard for the engineering side of me to say because so much of what I do is tied to a checkbox. But it really is a journey, and here’s why that’s important. You’re not going to check every box out of the gate; it’s just impossible. So if you can accept that and instead put yourself and your team on a path to success, a path to being better at security, guess what? That’s the start, and it’s an amazing start. 

Number two, generate a belief in cybersecurity. This is critical. A belief is a big thing. There’s a concept that with MSPs, with vendors, with all this, we’re bringing people new tools to buy, that we’re coming in and just trying to feed on the FUD—the fear, uncertainty, and doubt. We’re just saying, “Hey, you’re scared, just buy more security and you’ll feel safer.” Guys, that’s not the answer; it really isn’t. That’s not how we want to win this battle. We do not win the battle with fear. We win the battle by letting people know why we believe in the tools that we want them to use and explain to them in layman’s terms, in real terms, why we believe it, why it’s important, and how it’s going to help them with their business. Raising the bar in security means being a partner with them, not just a service provider. I’ve lived in this boat for a long time. I’ve been in your shoes for so many years it’s not even funny. I can tell you the concept around service provider is dying. We’re not just there to say, “Here’s the service, we just do it for you.” Nope. We have to be a partner with them in this. They have to believe what we believe so that we can go after this together. Otherwise, it truly becomes you just selling them on the service and/or the product or subscription. I’ll tell you what, that’s a difficult battle and a struggle. If you can get beyond that to being trusted, to being the partner and helping them with the why, the how, the what, you’re going to be so much more successful at this. Did you open an attachment from an unverified email? We know this feeling. Sometimes the issue, and I’m saying this as someone who totally gets this, is between the keyboard and the chair. People are hard; working with people can be difficult. As an engineer and someone who operates primarily from the left side of my brain, and you guys can ask my wife and my children, it is the absolute truth—it’s how I operate. Having empathy is key and it’s difficult. How do we convert this? How do we take these incidents, these things that we’re dealing with, and translate them? How do we turn this into something that’s understandable to the customer? How do we relate the business benefit back to them? The best way that I’ve been able to do this is by selling the pain and the experience. 

I can go and sit down with a customer and talk to them about stories. For instance, I was working with a financial company that had just been through a breach. They came to me to help them. After digging in, doing my due diligence, and fully understanding what happened, their cyber insurance company denied their claims. Their internal IT person had filled out all their requirements and sheets and lied. They said they had implemented MFA—they didn’t. The breach happened through a password; there was no MFA. If MFA was in place, this breach would have never happened. This cost them almost half a million dollars. That’s a lot of money, and it’s really hard to look someone in the eyes and say, “Look, I can absolutely help you going forward, but the damage is done.” Luckily, this was a successful business, and they were able to deal with it. But here’s what they don’t calculate in that breach: they had to let their customers know what happened. They lost four major customers along the way—significant customers, millions of dollars in business. That’s the intangible sometimes that we don’t talk about when we talk about what a breach costs. We look at hourly, we look at RTO, RPO, we look at all these different things, but we forget sometimes the real-world hit. We forget sometimes the reputation hit and what it means.

When I talk to customers about this, I talk to them about the pain. This is real pain. I’m not trying to tell you, “Hey, you have to sell your customer on this is going to cost an extra $180 a month.” It’s not about the dollars and cents; it needs to be about the pain. We need to empathize with them. I understand what this means, I understand the cost. But I’ll tell you what, when a breach happens, the pocketbook opens. It’s about talking to them about let’s not get to that point. I would much rather sell you on $150 now, $200 now, $300 now monthly that solves a problem than have to talk to them about the tens of thousands or hundreds of thousands of dollars it’s going to cost them after it happens. Leverage your tech’s experience. Let your engineers get involved too. Show them how this happened to another customer. You don’t necessarily have to share the names and some of the detailed specifics, but let them see, “Hey, this is how we’ve dealt with this, here’s how we’ve run into this in the past.” I guarantee you most of you have an experience that you can talk about here. Share it, get into that with them. 

It’s not about the FUD; it’s about the preparedness. It’s about going into this prepared. Here’s my tech stack that I trust, here’s what I exercise with my customers today, here’s the minimum requirements that I set for my customers and for myself to protect them and to protect me. Don’t let yourself drop your standards for your customers; hold them accountable. Again, I speak from experience. I know what it’s like when someone comes in and they’re like, “Hey, I’m willing to spend money with you but only if you do X, Y, and Z and you do it my way.” Guys, you are the experts, not them. This is where you get to shine. “Hey, I’m a trusted partner, I can give you references to my customers. Let me show you why working with me and doing these things the way I’m showing you matter. Let my customers tell you why it matters,” versus just saying, “Hey, I’ll take your money and we’ll figure it out.” It doesn’t pay off in the end. 

Let’s have some fun. This is one of my favorite pictures. I love talking about this picture. Let me tell you why it’s my favorite. This is one of the best cybersecurity defense plans I’ve ever seen. It truly is. You want to know why? I’m going to tell you why. One, it’s written. I’m sure that if we did a poll right now or went to the Q&A, how many of you have a written plan for incident response for all of your customers? My guess is it’s not that great. Two, not only is it written but it’s physical. It’s physically written. I can access this plan. It is not in Box or OneDrive or in the shared network drive that, because we got ransomware, we now don’t have access to for the time being or until we recover. Three, can’t argue it’s pretty effective. Is it pretty? Nope, but it’s effective.

How do we combat this? How do we deal with this? Later on in the deck, I’m going to get you guys some links or tell you how to reach out and get some links for an incident response plan. Tabletops—I love doing tabletop exercises with customers. You guys should too. These are not scary things; these should be fun things. If you do it now, if you go through the scary part now, then when the scary part happens later, it’s less scary. A breach is going to happen, but at least now you’ve gone through it with them and they understand what it feels like. This goes back to empathy. We’re talking about feelings here. That’s hard. A lot of us are tech people, we think techy, we don’t think about feelings as much. Let this be about feelings. Let them feel what it’s like to go through a disaster. Let’s document an incident response plan. I don’t care if you use the same plan for every single customer; let’s just document it. You can bring customers together to do one of these. Also, when I do these, guess what? I typically uncover thousands of dollars in business because I’ve taken the time to sit down with the customer and talk through this.

Again, I’ve touched on this a little bit, but this is about value, not about features, not about upgraded tools and capabilities. It’s about understanding what’s needed to protect their business and why. Where do we go from here? This is different depending on where you’re based in the world. I know we’ve got people from all over the globe here. I manage a global business, and guess what? The answers to this next piece are going to be a little different for you depending on your region. But as I work with global leaders and global cybersecurity people, I’m telling you right now different regions in different areas of the world are starting to adopt these things. If you look these things up that I’m going to show you, I can tell you right now if you adhere to these things I’m talking about, the regulations you’re going to deal with are going to be similar.

Okay, so a lot of you question or sit down and probably say, “Where do I start? Where do I go from here? What happens next? What needs to be protected? What services, what products do I need?” Without direction, security becomes subjective. That’s a bad thing, people. Subjective security is a bad thing. We should always be basing our choices on some sort of guidance. Wouldn’t it be super cool if somebody created a map or a guide on how we do this? Well, guess what? They did. The Center for Internet Security (CIS) controls. Now granted, this may be different for some of you based on where you are, but I can tell you the way that this is broken down and the way this is set up, no matter who you are and where you are in the world, this still applies to you in some way, shape, or form. 

They have three lenses or levels, or whatever you want to call them: IG1, IG2, IG3. Essentially, they increase in level of complexity. What I’m going to talk about today is Level 1, IG1—what can we do to basically get to that basic level of security. I’m not going to walk through 18 different controls right here because that would take me a long time. But you know what? Maybe Atera and I will come back and do a webinar just based on those controls. What I want to touch on is you’ll notice that the green level is pretty light for most of these controls. It’s very basic. We’re going to have a link available that talks specifically about just that basic level and how to get there and how to achieve that. We don’t have enough time today to go through all of those, but we’re going to give you some links that get you an incident response plan as well as guidance on templates just to get through what Level 1 looks like.

Again, I talked about this in the beginning, and I’m going to come back to it now. It is a journey, not just a checkbox. I want to get you the links to give you some guidance to start that journey. Also, the ability to reach out to myself and my team on how we can help you start that guidance. Now, I’m going to tell you, my team, we don’t cover all of those steps; no vendor does. But we work with a lot of other people that can help you achieve this, and that’s where we want to start. 

Guys, if this doesn’t make you laugh today, I don’t know what will. This is hilarious. I imagine most of you are laughing in the background. I hope you are; if not, I’m sorry, maybe my humor wasn’t good enough. But on a webinar, I have to assume you’re laughing because it’s awesome. Guys, EDR and MDR, these things go hand in hand. Why? EDR is the requirement; this is what insurance is looking for. MDR helps solve this problem for you because most of you, I know this base, this is my base, these are the customers I’ve worked with forever. This is what Atera solves. Atera solves how do I help that small-medium business; that’s where they fit. And guess what? These are the people that need this. MSPs that don’t have 40 people on staff and a SOC that’s trained and ready to go 24/7. MDR solves that problem for EDR for you. # Caring About Security I’m going to bring this back around. If you care about security, they will care about security. What do I mean by that? I don’t mean that you guys don’t care. What I mean is you need to care enough to set some standards with your customers and say, “Guys, we’re not going to settle for this line. This is what we set the bar at. This is where we need to be successful in our business.” 

In-person training: Do some tabletops with your customers. This will help you grow your business. Your customers will appreciate it. Perform regular assessments and run through incident response plans. Running through incident response plans is going to help you grow your business. I always uncovered projects when I had these meetings. Look at the guidelines as to what you need to do just to get the basics going to get to Level 1. Perform regular assessments. This should be normal. Assess where your customers are at and how you can get them better.

Defensible security: Some of you said you were confident if I go back to that poll and look at it. For those of you that are extremely confident, great, that’s awesome. Run assessments against that confidence and let’s make sure you’re right. If you’re not, or maybe you’re most of the way right, let’s cover the gaps. For those of you that are somewhat confident, let’s run the assessments and fill the gaps. For some of you that are not confident, let’s get started. Start with Level 1 and let’s go from there. With that being said, I absolutely appreciate the time that you guys spent with me today. My email is up on the screen here. But I’m going to hand it back over to Muna to wrap this up. Reach out, we can get you some links. I’ll get Atera the links as well, so you should be able to get it from my team as well as theirs.

Muna: Thank you everyone so much, it was a pleasure to be here. Don’t leave us yet, Brian. First of all, thank you very much for that very informative presentation. I think I will reiterate, you talked about owning—was that 40 different MSPs? 

Brian: Yeah, I opened 40. I’ve owned MSPs, I’ve owned and sold two. I still own two more. 

Muna: There we go. I think that is real tremendous experience across different places, so thank you for that. We’ll be right back with some of your questions, but I do want to connect it back into Atera. I know that a big part of the audience that is with us today are actually Atera users or Atera triers. I want to reiterate the connection that we have here in terms of the strong partnership that we have with Malwarebytes. Within the Atera App Center, which is our marketplace or your destination for discovering, testing, and deploying a whole breadth of solutions, and as we talk specifically around the cybersecurity solutions, just reminding briefly that within the App Center we’ve got a wealth of cybersecurity, backup and recovery, email protection, obviously EDR, MDR, mobile, and so on. I do want to invite you to, if you still haven’t, go into the App Center, take a look at the solutions in there, take a look at what Malwarebytes has to offer. Beyond just being sold through the Atera platform, we are better together in terms of installation, in terms of your ability to sync clients between the platform, the centralized billing through Atera, and the fact that very importantly, as you’re looking to upsell and actually determine what you’ve installed for your different clients, seeing what subscription and inventory you have out there. But like Brian said, we’re not here to sell, but I do want to bring this to your attention. Now I want to go back into the Q&A, so I want to invite you all, if you still haven’t, please post some questions. I want to post some of these questions back to you, Brian. 

Brian: I put some stuff in the chat too. So if you guys are still connected, take a look at the chat. I put a link to the policy templates to enact CIS controls IG1 as well as an incident response plan template. Just throwing that out there. 

Muna: Thank you, Brian. I’ll be sure to add those links as well in the outgoing email so we’ll have those to you also with the 2023 State of Malware report. Someone here asked if we’re going to share the slides. We will share the recording and within that recording you will have the slides but not the individual slide deck. 

There is a question here for you, Brian. How do you use the concept of zero trust and should all companies implement zero trust? 

Brian: Absolutely, great question. I actually love talking about this. Zero trust really is a newer concept; it’s been around for a long time but to simplify it, it’s that concept of should we be using a whitelist or should we be using a blacklist. Again, I’m oversimplifying. Do I think every single customer needs this level? No, I don’t. But I can tell you there’s a lot of regulated industries that absolutely need this. For customers who want the ultimate level of protection, I absolutely agree because what we’re saying is there’s a difference between, “Hey, here’s the things that we know are bad, we’re going to block those,” and instead saying, “Here’s the things we know are good, block everything else.” I love this concept. What I’ll say is this: as vendors, we’re working on different ways to bring this to light because it is difficult. It’s difficult to fully map this because to build out zero trust right now takes weeks and sometimes even a month to truly get a customer dialed in because what happens is you end up blocking a lot of good things you didn’t realize you were going to block. So it’s a very hands-on approach right now. I think with AI and other things that we’re working with, we’re going to see this improve as we move forward. But now, the concept’s great; I just think we haven’t fully executed it right, but we’re getting there. Great question. This is something to watch and keep an eye on as vendors continue to expand on this. 

Muna: Thank you, Brian. I have another question here around how do you strike a balance between providing robust cybersecurity measures while respecting your client’s budget constraints? 

Brian: Absolutely. This is something that’s super common in small business. You’re absolutely right; they have budget constraints. It is super difficult to just match anyone’s budget. What I would say is this: you can say, “Look, this comes down to risk.” Here’s the basics. If you set your bar for the basics, it’s firewalls with IDS/IPS, antivirus with EDR and MDR, MFA enabled for all applications and devices, devices are all patched and up to date. It’s not that expensive to meet the baseline. Now, are there additional things that you can do to provide added security—identity management, zero trust, things like that? Sure. But what I would say is letting your customer know, “Hey, this is the basics, this is what it costs to provide a basic level of protection to your business.” I know you have a budget, but this is where I would come back and argue a little bit. I’ve had this conversation so many times. They have budgets for lots of other things that bring their business money. It’s harder from the IT side, and here’s why: they look at it as a cost. We get this; we know this. But here’s the thing: the second that they have a breach, we go from a cost center to a benefit. Helping them understand the risk as well as the cost of a breach from an empathetic standpoint, I think, is the best thing. It’s changing the perspective. It’s changing the voice that comes from. Instead of just scary like, “You have to buy this because if you don’t, you’re going to get breached and it’s going to cost you a bunch of money,” that’s scary; that scares me. Instead, letting them know, “Look, Mr. Customer, here’s why we need to talk about this. Here’s why the cost is this. Let me introduce you to another customer. Let me talk to you about how I’ve been through this before with others and what the cost really was.” So yes, the extra $300 a month is totally worth it when you think about the hundreds of thousands that you can lose in lost business, cost to recover, reputation hits, insurance, things like that. Again, it’s coming at it from a different point of view. I’d be happy to have an offline conversation with any of you if you want to talk about what that looks like more deeply. 

Muna: Wonderful, thank you for that. I think you briefly touched on AI, and that did bring out a question about, with the exponential growth of AI, do you have any fears or concerns about the strength of cybersecurity? 

Brian: To be fair, I think it’s a great thing. As a cybersecurity company ourselves, we’re looking at how we leverage AI to be better ourselves. It’s a matter of, I hate to say it, but it’s kind of adapt or die. We live in that world. We can’t sit back and live on what we know to be tried and true. We have to adapt; we have to adjust. If we don’t, we will die. It’s just the truth; it’s harsh, but it’s true. Our customers are adapting; the threats are adapting. Looking at different ways to leverage this to make your business better is important. One of the things that we actually love about Atera, and I’ll tell you, my team and I actually just met with Atera a week or so ago, the leadership, and talked about different ways we can leverage this to become better. How can we make security even stronger with partners like Atera? How can we leverage this with other things Atera does and bring more automation and tools to the customer base? This is absolutely top of mind. I think over the next 12, 18, 24 months, we’re going to see a lot of changes here, and I’m excited. Atera is absolutely on board, so are we, at how we can make things better for you, the customer. Just know that it’s absolutely something that’s top of mind in what we’re working on, and you should be looking at this too. 

Muna: Absolutely, and I second that, Brian. It’s really about partnerships, and you did say no one company is offering all of the solutions. The integration and bringing it together is exactly what customers need. I think we will go for a final question because we’re almost out of time. A question here about, do you have any recommendations on role-play style teaching suggestions or guides to show customers? 

Brian: This comes down to, everyone’s got different teams, which is fine. This comes down to, I love a good tabletop. Tabletops are great when it comes to role-playing. This is a matter of getting your customers involved, getting them hands-on with an incident. Talking them through what it would be like if a customer got fully infected, they lost their data, and what recovery looks like. Again, I can’t tell you what your team looks like, but I’m hoping maybe you have someone on your team that’s somewhat technical but maybe also somewhat okay at talking to people. I think a mixture of the owner and/or a technical resource doing an exercise like this together, not being afraid to be honest with your customers, letting them ask real questions about a breach and going through an incident with you. I found, pick a place—maybe it’s your office, maybe it’s a Top Golf, maybe it’s a lunch and learn—but take it somewhere fun. Potentially get people out of the office and walk through this. Make this interactive. Print out a script somewhat, go through this with them hands-on, be empathetic, talk about who’s going to call who, what this is going to look like, what the steps feel like, what recovery looks like, and how you’re going to help them and guide them through it. Make it soft, make it empathetic, but still make it real. Don’t be afraid to be honest and real about it. This can be a fun thing. 

Muna: I know we’re short on time, but there was a follow-up question here: How do you get stakeholders to participate in tabletop exercises? Brian: Invite them out for food or for something. I know it’s crazy and there’s a cost associated, but I can tell you I always—not sometimes, always—generated new business from doing these types of exercises. One of the best ways to get people out is to feed them or offer them something fun to do. Muna: Definitely, Brian. This has been super exciting and very informative. I really want to thank you for taking the time today to share with us this insightful information. It’s been a pleasure having you with us, and I think that we have a lot to talk about. We probably should do a follow-up of the series. 

Brian: Amazing, so we’ll definitely reach out. For everybody that joined us today, I do want to remind you we have a very, very short survey that I’m going to launch right now. I would appreciate your response. Thank you for joining us.