Uncle Marv welcomes the team from Compliance Scorecard to discuss the latest developments in compliance and security for MSPs. The conversation covers recent changes at Compliance Scorecard, the importance of cybersecurity frameworks, and exciting new features in their upcoming software release.
Uncle Marv kicks off the show with updates on recent hurricanes affecting Florida and the Carolinas. He then introduces Tim Golden, Desraie Thomas, and Austen Gray from Compliance Scorecard. The team discusses the recent rebranding of Compliance Scorecard and their new investment from Bellini Capital. They emphasize the growing importance of compliance for MSPs and their clients, touching on frameworks like CMMC, HIPAA, and SOC 2.
Desraie highlights the need for education in the industry, explaining how compliance can be a powerful tool for MSPs to have meaningful security conversations with their clients. Austen describes his role in helping MSPs implement compliance programs for themselves and their customers. Tim reveals exciting news about Compliance Scorecard's upcoming Version 6 release, including a new Trust Center feature that allows MSPs and their clients to showcase real-time compliance data publicly.
The group also discusses Compliance Scorecard's recent signing of the CISA Secure by Design pledge, demonstrating their commitment to cybersecurity best practices. The episode concludes with a lighthearted "Florida Man" segment, where each participant shares an outrageous local news story, culminating in Uncle Marv's tale of a man wielding a flamethrower in Port St. Lucie.
[Uncle Marv]
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals, system administrators, managed service providers, whoever you are out there, if you support business, this is the show for you. We try to help you run your business better, smarter, and faster. The show is presented by our good friends over at NetAlly and I'll chat about them a little bit later.
Tonight is going to be, shall I say, an interesting show. If you've joined us for the first time, this is the Wednesday live show. This show is a combination of video shows, audio shows, I do shows from conferences, and what you may want to do is subscribe to wherever you're listening.
We're live on all the streams, YouTube, LinkedIn, and the Facebook. You can also head over to ITBusinessPodcast.com, click on any of those pod catchers, and follow the show anytime you're on the go. Tonight, Tim Golden and his new crew from, how do I really want to say this?
Compliance Risk is a very good company and if you don't know them, you need to know them. But Tim Golden has a new set of cohorts and we're going to introduce them tonight. If you're here wanting to know how things have been since Hurricane Milton last week, well, it's been good.
We did not get hit by the storm, in a sense. Remember, we're in South Florida. I know that some of you don't believe that anything below Orlando exists, except for Miami Beach, because you guys want to go there.
But South Florida was, for the most part, spared except for Port St. Lucie, where we had the most tornadoes hit ever in a day in the United States, as a result of this hurricane. I did shows last week that were kind of a prelude to the hurricane as it came upon shore and we talked to some people on the other side and they are all doing well, although I haven't heard from Rayanne. But I did see on the Facebook that she is home with power and she had to throw out all of her food in the fridge.
But everybody is doing well. We're still basically waiting to hear from some people up in North Carolina that had to deal with Hurricane Helene. That was a bad storm.
There are still about five, six hundred thousand people in Florida without power. I don't know how many in Carolina. So that is our update on the storms.
I'm sure you guys have seen the news and been paying close attention to that. But for those that reached out to me, asked how we were down here, the wife and I were fine. We went to work every day.
That's how bad it was. So joy there. There's some other news.
I will start by saying next week there will not be a live show. I will be in St. Petersburg at the ASCII Edge event. And that is the last ASCII event of the year and known as the ASCII Cup.
There's going to be a party. There's supposed to be a dress up thing. I ain't doing it, but I will be there next Wednesday and Thursday.
So that's where I will be. I will be doing some interviews there. So you will get podcasts next week.
In fact, you'll be getting lots of podcasts over the next three weeks. ASCII Edge, DattoCon, IT Nation. It's going to be a whirlwind of a tour.
So let us skip the rest of the news and get right to the folks. And I think I messed up the name of this. The company, they went through a change last year.
They went through a bunch of changes. And the name is actually Compliance Scorecard. And who's in the chat?
What was that? Oh, hello, LinkedIn user. Holla.
Sounds good. Thank you for joining. And let's go ahead and get started.
I'm going to bring out the folks from Compliance Scorecard. Tim, and he is going to introduce his new buddies over there. Desraie and Austen.
Tim, how are you doing? And you're muted. Unmute yourself.
[Tim Golden]
Talking away on mute. This is my first time doing this, so I'm a little nervous. You know, I have to make sure.
[Uncle Marv]
You've been on the show before, man. You know what to do.
[Tim Golden]
I know what to do. Yeah. So first and foremost, I'm glad that you are safe.
I'm glad that your family is safe. You know, my heart goes out to all of our friends, families, and colleagues down in Florida. Yeah.
All right. I want to fly down there and help, but I'd probably be in the way.
[Uncle Marv]
We've got it covered down here. If anybody needs help, it's the people in Nashville, North Carolina. And this is how good it is in Florida.
Brad Gross isn't even here. He lives 15, 20 minutes from my office, but he's up in Buffalo, New York. That must be nice.
[Tim Golden]
He literally just texted me a picture standing outside Niagara Falls like 20 minutes ago. I'm not kidding. Jerk.
Jerk. But Brad's a great guy. I love Brad.
[Uncle Marv]
So I was saying before the show, Desraie and I have known each other for quite a while. She's talked about coming to the show, never did it. And it took her boss, her new boss to say, get on the show.
And here you are.
[Desraie Thomas]
I am so happy to be here. I feel like every single time I've ever seen you, I was like, so when are we going to do that? Let's do this.
Let's have an idea. I have an idea. Do you have an idea?
Let's do an idea. And then we get back home and clearly it's just taken years and years. You need to be in the right place at the right time with the right things to say.
Listen, I'm always here.
[Uncle Marv]
I'm here. I got no problems. You're the one that's always busy.
[Desraie Thomas]
That's true. I don't like to be bored. That is very true.
[Uncle Marv]
All right.
[Tim Golden]
I just want to say that Austen and I got the black shirt memo and Uncle Marv and Des got the blue shirt memo. So we're all color coordinated here.
[Uncle Marv]
It works out on the tic-tac-toe square when you watch the screen. All right. So Austen Gray is also new to the team.
So let's do this. Why don't we start with telling us your positions there at the company now? And I think, let's see, Desi, were you there first about a month ago?
[Desraie Thomas]
I was. I came in. I was the first one to come in.
Very excited to be here. But I did have the amazing opportunity of working with Austen before. So also super exciting because working with Austen again, I was really, really excited.
But I came on about two months ago. I was looking for a job and super-duper excited when Tim approached me and offered me the opportunity.
[Uncle Marv]
Nice. And what are you doing there? What's the actual position?
[Desraie Thomas]
So my actual position is a senior sales development specialist. And my goal and target is to help MSPs, help them have the risk conversation with their clients. I love security.
Anyone who knows me knows the idea that business owners, MSPs or SMB business owners are the people who spend 80 hours a week working for themselves. So they don't have to work 80 hours or 40 hours a week for somebody else. And that's a lot of time.
That's a lot of Christmases and holidays and kids birthdays and things that you're missing to put that effort into your business. So if we can have a security conversation that can support an industry, I wanted to say. So with Compliance Scorecard, I'm helping the MSPs have that conversation with their end users because there's remember back in the days when you talk about data backup and disaster recovery and we're talking about Florida, the storms and floods and people still weren't getting those disasters don't happen to me.
And so they wouldn't be doing backup. And then the whole we had the trigger moment where you get these bad things that start happening in ransomware and all of a sudden it becomes more logical to the SMB. I want to help the conversation become more logical to the SMB where we're not talking about fear.
We're talking about the reality of the situation is your business means so much to you. And if one thing is to happen, you will lose your business. That's a lot of time of your life that can be gone.
And so I'm hoping I'm going to put everything I can into helping the conversation and helping talk about risk and compliance and how to keep the SMBs more secure.
[Uncle Marv]
Right. We do need that conversation. A lot of us want to they want we want to sell.
We want to help our clients. But having that conversation sometimes is difficult. So that'll be great.
And Austen Gray. Yeah.
[Austen Gray]
Hey, Uncle Marv, I appreciate you bringing me on the show. So I joined Compliance Scorecard because honestly, to be quite frank, we kept losing out to Compliance Scorecard for other MSPs. There's really only a couple other solutions out there.
And I'm like, well, why are we losing out? Like, what is Compliance Scorecard doing differently? Or what have they figured out that, you know, Austen hasn't for the channel?
Right. So I realized what, you know, Tim was doing. I wanted to be a part of the team.
Des joined. And that was even more of a reason for me to want to come over because I loved working with Des when I was over at Ostendio. So now my role is full-cycle sales.
So from the initial meeting all the way to selling the deal to doing the onboarding and then helping them have that risk conversation. And ultimately, what a lot of it is, is when we're having conversations with MSPs, they want to help their clients get compliant, but they also need to become compliant themselves. And that's getting their own house in order.
And that's a lot of the times where they're starting and then they're helping their downstream clients get compliant, whether that's FTC or it's going to be HIPAA or some other compliance framework out there.
[Uncle Marv]
Very nice. Very nice. Well, guys, glad you're aboard.
Tim, let's do a little bit of a recap, because some people, they may not know all that's happened in the past year. So you, I mean, you got rich, you changed the name. Let everybody know what's kind of been happening with Compliance Scorecard.
[Tim Golden]
All right. So I didn't get rich, but we did get an investment from Arnie Bellini and Bellini Capital. We talked about that last time we were on the show, Uncle Marv.
We have now brought in a VP of sales to help us in that regards. We have an amazing team with both Austen and Des here. We always talk about the right person in the right seat at the right time.
And Des mentioned that earlier with, hey, it is the right time to get you on with Uncle Marv. So all the pieces are coming together and we're really excited here to kind of build this. As Austen pointed out, there's such a need in the MSP space to understand these things.
We've been talking about it for years. It's not coming. It's here and it's been here.
I mean, look what just happened with the CMMC art rule just a couple of days ago. And so being able to have this amazing team is, I don't know, I'm just like, woohoo, but I'm also like, ah.
[Uncle Marv]
All right. Yep. There's a lot.
So let's go back and talk about just simply, you know, because I mean, most of the people here probably do know, but what do MSPs need to know about compliance as a service? Because that's probably the misnomer that we have. Well, I'll just subscribe to this.
You guys will take care of it and I don't have to worry about it.
[Tim Golden]
So this is why I have Des and Austen, because I tend to geek out on the technical aspect of like, they need backup, they need training, they need this, they need policies, they need an assessment, you know, geeky tech talk. This is why we have a good team now that can speak on our behalf. Austen or Des?
[Desraie Thomas]
I want to start with education because I know it's the biggest thing that we have to focus on as a company. And it's the biggest thing that I think is going to be the trigger point within the industries and the MSPs is compliance can be super scary. The number of times we've been at events over the last little bit and I have MSPs who I think are some of the smarter MSPs in the room where they talk to me and I'm like, you're using words I don't understand, and they're brilliant and they're good to chat.
But then they come up and they start talking about compliance and they're saying, every time I have a client who wants to become compliant, I run away or a prospect or every time I have a client who needs to be compliant, but they don't want to, and I don't want to eat the risk. So if they don't want to, and I don't want to eat the risk, how do I keep the security conversation going? And I like to think that compliance is about that educational approach that not necessarily, I know compliance is super important and we talk about HIPAA, we talk about CIS and we talk about all these things.
And that yes, is where we're going, but there's kind of a middle ground about MSPs where your end users are coming to you and they don't even know what they're talking about. And they're having conversations with you and you're not sure what they're talking about. And then if you look at a baseline MSP, there's not really trust mark is coming there with come to you, which is great.
There hasn't been a baseline for cybersecurity within a business. And so I think this compliance conversation not only is so much value because it's talking about security and it's helping the MSP not just be a seller, like the SMB might think that they're just trying to sell me another product because you just want another a hundred dollars or $2,000 or $5,000 because let's face it, technology is expensive, cybersecurity is expensive. So with compliance, you can have that educated approach with the SMB where A first is helping the MSP become more secure because they're basing their security on some sort of framework.
And then with the SMB, instead of now going the MSP who goes to their client and says, you need to have password management. How many times do you still talk to people who use password or 2FA? You need to have 2FA.
These are all things that the end user is like, I don't want to, I don't want to. Now we see it a lot better than it used to be, but I think that's the next curve. And I think that compliance with the shifts that we just, you were just talking about Tim, it's going to be one of those things that it's slow at first.
We're going to do a lot of cool things like education, cohorts, we're going to really help the MSPs have this conversation. But what also it's going to do is that I don't think anyone on this call will disagree with me if I say that there's going to be a tipping point in the industry and technology where compliance becomes a must have. And it's a must have that's going to cost more money if you don't do it than the reverse.
[Uncle Marv]
There's going to be fines. Stop right there because I want to ask this question because you talked about MSPs having the conversation and clients saying, I don't want it. Haven't we got to a place where most MSPs, and I'm asking for a friend, are at the place where a lot of this stuff is just simply included because it has to be and we can tell our client, listen, if you want to work with us, you're getting it, period.
I am not putting myself or my business in harm's way because you say no. And I'm going to put it on there. And if you choose not to use it, that's on you.
But there's a lot of things in place that I will force you to use, whether you want to or not, just because we have to. Now, luckily, I work with a lot of lawyers. They know they need it.
They just try to weasel themselves out of it. But that's what I'm doing is, and I spent all day this morning reworking a couple of my billing plans so that I've got my basic security and my compliance security. So everything that I have to document and manage for their security requirements, they're going to pay more.
But there's only two plans. You get basic coverage, which still has some basic cybersecurity. You still have to do MFA.
You still have to do this. I've still got to do the vulnerability scans. But now if you want me to document and audit and all that stuff, you want an annual risk penetration scan, that's where the second plan comes in.
So I know I just rambled there, but are we there yet where people are starting to do it? Or is this part of your education that you still got to tell techs how to do this?
[Desraie Thomas]
I was wanting to bring you on every one of my sales calls. Can you just come on my sales calls? Can you tell the MSPs this?
I'm going to answer your question with a question.
[Uncle Marv]
Go ahead.
[Desraie Thomas]
Is there a discussion in the industry where an MSP does those things and another MSP has a fight to the cheapest dollar and where they're undercut and undercut and undercut. So if you're not necessarily selling on value, the issue with technology is that the SMB, they only see the amount they're spending. They don't see the value.
But what do you think? Do you think that what you're saying is 100% right? And I want to say that we're there.
[Uncle Marv]
Oh, I get undercut all the time. I mean, here's the thing. I'm a smaller MSP.
Some would say boutique. Some would say solo tech, joint slammer. I don't care.
Say what you want. You're great.
[Tim Golden]
Don't ever say that.
[Uncle Marv]
They say all the time.
[Tim Golden]
Don't ever devalue yourself.
[Uncle Marv]
But it's weird if I go up against a larger MSP and they tell me that I cost more, I'm like, I don't cost more. The stuff that you need costs more. It doesn't matter where you get it from.
So if you're getting a cheaper price, are you getting all of these things included with that? And that's where the discussion goes.
[Tim Golden]
I was going to say value. So you made the comment must have, and we're starting to see it almost daily now in our conversations with our partners and our prospects around. I have a customer that needs insert something.
SOC2, FTC, their customer's asking. It's just happening. It doesn't matter the framework.
It is becoming more and more prevalent. However, back to Desraie's point, we as MSPs, I'll put my MSP hat on, have a huge, huge education challenge in front of us for our companies, our MSP companies and their companies. Because the buzzwords get tossed out.
Somebody heard it in a BNI meeting or a board member found a buzzword or a Google article or attended a conference and said, we need two SOCs. I'm sorry, SOC2. So it is here.
We're hearing it all the time. It just keeps coming up more and more. And at some point it needs to move beyond a checkbox into a real program.
And that is kind of where we as Compliance Scorecard differentiators may simplify that process.
[Uncle Marv]
All right. So Austen, you know, Des is going to be out front, you know, doing all the hip-hop, hurrahing and all that stuff. So how are you going to swoop in on the backside and make sure that all of this happens, you know, throughout the full cycle?
[Austen Gray]
Yeah. So I think it comes down to like having a good understanding of the MSP and really where they're trying to go. So when we talk about security and compliance, these compliance frameworks, all they are is just like roadmaps or frameworks that you adhere to that you can follow.
And you have all these controls. The reason you have those controls in place is because you're going to reduce the risk. That's the only reason you're implementing it.
If you're implementing a control for no reason, there's no reason on that end to implement something like that. So my end is what I'm doing is I'm really trying to help the MSP implement Compliance Scorecard so they're successfully getting their house in order. And then they can do the same thing for their downstream customers when they need to become HIPAA compliant, SOC 2 compliant, or any other framework.
[Uncle Marv]
All right. So Tim, you mentioned the other day. So I had noticed, let's see.
Well, these happened before. So explain what happened two days ago with the CMMC.
[Tim Golden]
Yeah. So we've been talking about this. Well, what?
2019, 2020? I don't even know anymore my dates. We've been talking about this whole idea of CMMC, the rulings, the controls, the who is, who isn't, all of that stuff.
And so it's a process. And it's actually this particular one with 800-171, the DFARS rules, the 32 FAR, these processes that the federal government always moves slow. But in this time, they haven't.
I mean, it has been pretty rapid if you think about how long it took or how short it took to get to where we are today. And where we are today is we have a final ruling. That final ruling put out some things on who's in scope, who's out of scope, what to protect, what the controls.
I don't want to get into all the gory details because this is not a CMMC conversation. But the fact of the matter is CMMC is now here. It is now real.
It will start showing up in contracts before you know it. And for those of you that haven't started, that were waiting, you're already a year too late.
[Uncle Marv]
Let me ask this because some people are like CMMC won't apply to me because it's only going to apply to government or whatever stuff. Who's going to really be affected by this?
[Tim Golden]
So there's two components to applicability, right? And that is if you have a contract with the federal government, either in the Department of Defense or whatever, there are clauses in those contracts. Defense has them, Ed has them, just about every department has different clauses in those contracts.
So Johnny's lug nut, I make lug nuts, I sell them to tank manure, they make the tank, I have a contract, I have the clause in the contract, it applies to me. Where the interesting part starts to devolve is I buy my steel from Desraie Steel Company. Are they in scope?
The steel company buys their liquid like so up and down that chain and that's whole supply chain of that's the waterfall effect or the downstream of the nuance of Raytheon, you know, the big 10, they're going to push those things downstream to their other levels and then downstream and then downstream and how deep those levels go. Some of that has been defined in the ruling, some of it is not. But the fact of the matter is if you are anywhere in that supply chain, regardless of whether you have the actual contracted language, it's good business practice.
But whether it's CMMC, whether it's CIS, whether it's a mouthful of acronyms of frameworks, it's still good business practice to follow a framework and do a thing and assess yourself and working with an MSP to get assessed.
[Uncle Marv]
Des, I know you're shaking your head like the puppy in the back of a car, you know, but are you shaking because you're just simply agreeing or do you have something to add?
[Desraie Thomas]
No, I'm really excited so many different times and then remembering that I'm supposed to be polite and not interrupt people and this isn't just my show, there's other people in the audience, weird. I said two things that Tim said that I just really wanted to highlight because Tim, you're awesome. You can go really deep and we can talk about the in-depths of the ins and outs and I am not that person.
I'm super smart, but I'm not the type of person, I have not been following compliance for 20 years. I don't think I've been really working this year.
[Tim Golden]
Nor do you want to.
[Desraie Thomas]
But when you first started talking, you said it's with CMMC, if they are doing it now they're a year too late and that's why I'm so excited to be a part of this conversation, especially now. Because like we talk to MSPs who have these conversations, like I have a client who wants to do SOC 2 and now they have to spend like 50, 60, 70 hours, exaggerations in there somewhere, learning how to do it and learning how to do it on themselves because that's going to be his way. Or else they're going to learn how to do it on their client.
Which then that 50, 60, 70 hours, I know when I'm learning how to do something it's going to take me double or triple the amount of time because I'm learning how to do something as you're doing it. You're also making mistakes. Do you want to do that in front of your client?
I don't think so. And then the whole idea of like what you're saying that the baseline of security, what Austen had said that these are frameworks, this is a road map of what you want to do in your business. I sometimes think there's MSPs who clearly are in us and they are inundated and they want those clients, they want to be HIPAA, they want to do all those things.
But there's a whole industry that doesn't want to do that and it's kind of being dragged along being like, well what do we do next? Like how do we be security? It wasn't that long ago that I was arguing with people about being like I don't do anything in the cloud.
That was their baseline of their business, their MSP business. So I don't do anything in the cloud. That's not, that's in my time of working in the industry, which is only like 10 years.
So that shift I think has to change. We saw it starting to happen when we started talking about CompTIA and I would be in all these CompTIA meetings. I've been involved in several of the different communities and they would have these conversations about the MSPs would be like, there's no governing, there's no baseline security.
You have an MSP who literally doesn't believe anything should be in the cloud next to an MSP down the street. And the MSP doesn't believe it in the cloud is teaching the information to the same SMB as the MSP who is doing things at three times the price of doing things right. They're teaching the same thing, but they're wrong.
And so I'm super excited for being able to have this conversation. And I think that compliance is just, it's like insurance. It's just forcing us to have it sooner.
But like Austen was saying, it's only a roadmap. You can pick a different roadmap. If you pick a client that you have to fit in, that's one thing.
But if you can just imagine presenting to your clients, this is the roadmap of security that I put into my business and that I will put into yours. And I think that is a very powerful conversation.
[Tim Golden]
And let me just, I was going to say, you just reminded me of something. So Marvin, you want to talk about full circle? Mm.
Back when I was at the MSP and we were evaluating cloud solutions like Datto or some say like Datto, I swear that Dez and I had conversations around, Hey, Tim, you should be a, you should be a Datto user when she was at Datto. And I'm like, we're not doing the cloud now with the cloud. Here we are what seven, eight, nine, however many years later, and we're working together again, full circle.
Now that I thought about Austen, you know, I'd love to give you an opportunity to chime in Marvin. I don't know if you have questions specifically for Austen or whatnot.
[Uncle Marv]
Well, let me ask you this Austen, because Dez has talked about the fact of, there are going to be MSPs that don't want to do this because of whatever reason, either they just, they don't think they have the time. They don't think they have the resources. Do I have to hire somebody because that 50 to 60 hours, you know, I can't afford to hire somebody to do this for me.
What, what would you say to that?
[Austen Gray]
Yeah. And that aspect, what I would say is work with us here at Compliance Scorecard. And what you can do is you can work with our head of professional services and we can run the whole program for you.
So we have a couple of ways we do this, right? So it's either an, I do, we do, or you do method. It can be a combination of all of those together.
And the reality is, is there's going to be MSPs that like, I don't want to touch compliance at all. I want to be hands-off and we have clients just like that, partners that are just like that, right? And for those partners, what we're going to do is do the whole professional services, manage the compliance programs for their downstream customers.
So in regard to managing compliance, like I totally understand why some MSPs aren't going to want to manage it, because it can be a lot of work and there's nothing against that. That's where you can leverage us. And instead of losing that opportunity of working with that prospective client or your current client and going to another managed service, they can still keep it in house and work with us as an outsourced.
[Uncle Marv]
All right. So I know that I tried to prep you guys and I kept seeing everything about new features and new things in version five. So let me first ask, is version five even real?
And if so, what is nice and new about it?
[Tim Golden]
Actually version six is coming out if not tomorrow, then Monday. We don't ever do releases on Fridays. So if it's not tomorrow, it'll be Monday.
So yes, version six will be out.
[Uncle Marv]
Well, then skip five. Tell me what's big with version six.
[Tim Golden]
So the big thing about version six, I suppose I can let the cats out of the bag.
[Uncle Marv]
Nobody will see this until Monday. So you're good.
[Tim Golden]
Well, the first is, you know, as a compliance company and getting our own house in order, getting our SOC 2 and our ISO 27001. We spent a good chunk of September prepping for that. And with that came a blue team, red team, rainbow team, green team penetration test.
Oh, right. So big piece of that was rolling out a bunch of things to prep for the penetration test to make sure like we do have our own house in order. We do have our act together.
We only have a couple of minor findings. So a little bit about version six was security first, make sure we're actually doing the things that we say we're doing by some third party trying to hack us. So that was one component.
Now, the gory details of that won't be in the release notes, of course. But the second biggest component is Trust Center. Now, Trust Center is this concept of I as the MSP, or you as the downstream client, can now have a public-facing web page that is branded with your logo and your stuff, and shows real-time compliance data.
So as an MSP, or as Johnny's lug nut, when you start to get those stupid security questionnaires, you can say no, no, no, go look at our Trust Center from Compliance Scorecard, see our real-time data. And then if there's things on there that you have questions, we might entertain answering your 700 page questionnaire. So Trust Center is a way for the MSP to have their own trust center, and their customers to have their own trust center, publicly available, password protected or not, all that fun stuff, as a way to help thwart off some of those really long stupid security questionnaires that nobody actually answers anyways.
[Uncle Marv]
Right. So let me just ask a clarification question, because I have through a competitor, a cyber risk board that I can send them to, but it doesn't have a ton of details that they can use to answer questions. Are you saying that this trust center, they will actually be able to go there, look at what's there and oh, I can put that in for answer 142?
Is that what you're saying?
[Tim Golden]
Yeah, if you give me if you're willing to, and you give me five seconds, I could pull it up and show you what it looks like. Let me just two factor, you know, I got to log in.
[Uncle Marv]
Man, that two factor, you know, clients don't want to make sure you're showing the right screen there, Tim.
[Desraie Thomas]
I don't know what you're looking at when you're off time.
[Tim Golden]
So in one screen, I have secure by design and the other screen, I have you and the other screen, I have a whole bunch of other stuff.
[Uncle Marv]
Am I adding this to the stage now?
[Tim Golden]
Because give me one second.
[Uncle Marv]
Okay, not that one.
[Tim Golden]
What am I showing again? Trust center.
[Uncle Marv]
Yes.
[Tim Golden]
I'm going to do this on the staging site because it has a little bit and I'm, you know, not ready to roll out our version yet, because I'm still updating it. But here is what a trust center would look like. You can share that.
So, you know, white labeled with the end customers logo. So MSPs can do this for themselves and their customers, a little introductory paragraph, some points of contact, what frameworks they are working towards real time data on where they are on various frameworks, knowledge base that's sortable, searchable, you can sell this is all fictitious data, but you get the idea, they can actually click into actually viewing these documents if I've chosen. I've made this all public on the stage site for now.
But you can see, you know, the actual documents, any related documents, all that fun stuff. And this is fully editable and customizable by the MSP or their customer to be able to prove trust and prove trust with real time data as you're doing work with your customer and alongside your customer. There's a lot of trust centers that, you know, platforms put out, you just mentioned yours.
We like to think ours is a little better because it's actually real time data. And we can't lie. I've seen a lot of trust centers where marketing gets a hold of it and says, Oh, yes, yes, yes.
Yeah. And they're not necessarily true, quote, quote, this is all based off of real time data.
[Uncle Marv]
All right. Very nice. So folks, there you go.
A peek into what's going to be released next week.
[Tim Golden]
There's a bunch of other minor stuff, but, hey, listen, we build in public, you can go to our release notes and see everything there. Right. So thanks for allowing me to share that.
[Uncle Marv]
Well, thank you for breaking that news here on the show here. That's what I like to do.
[Tim Golden]
So let's have a lot more breaking news, but I don't think I can share that yet. Maybe in three weeks.
[Uncle Marv]
Well, let me ask this question. When do I get my version of Checkers that I can put up here?
[Tim Golden]
And so did you see this?
[Uncle Marv]
Yes, literally.
[Tim Golden]
This is a prototype.
[Uncle Marv]
Yeah. And I can see an Uncle Marv's IT business podcast right there where you were talking logo. Since you don't have yours there yet, I'll put mine there.
[Tim Golden]
Mine.
[Uncle Marv]
Not on Checkers.
[Tim Golden]
Well, yeah. Well, again, prototype. We're just so.
All right. I'm going to throw this out to the audience. Everybody who's listening.
Right. Comment in chat. Did Checkers have a collar with the logo or should Checkers have a bandana with the logo?
All right. So give us your vote. Comment in chat.
A collar with the logo or a bandana. OK. Or a tattoo.
Or a tattoo. Oh, yeah. We're going to do a little tattoo over here.
[Uncle Marv]
But is the bandana going to be removable?
[Tim Golden]
I think so. What I said. I think so.
Yeah, I just worry about the collar and we have grandbabies choking hazard.
[Uncle Marv]
All right. So let me set this because there are people that kind of turn it on and listen, but don't watch. They might be ironing.
They might be doing something else. But we already have. Let's see.
Brad Gross has already put a comment in there. Collar bandana can fall off.
[Tim Golden]
Yeah, that's a good idea.
[Uncle Marv]
There we go.
[Desraie Thomas]
I'm going to take this from a marketing perspective.
[Uncle Marv]
Tom, collar.
[Desraie Thomas]
What is the value of the product? Are you doing it for branding? And if it's branding, what Brad is saying is right.
If you can take off the branding, where is your value? If that's what you're doing it for.
[Uncle Marv]
Yeah. Needs to be something that cannot be removed.
[Tim Golden]
So Checkers is your compliance companion. So yes, it's a branding. Who doesn't love a stuffed animal?
I mean, I've got, I've got cloudy behind me. I don't know if you can see cloudy behind me. I've got them all up there.
Whoa, sorry.
[Uncle Marv]
Well, I'm working on something, you know, I need to get all the animals up here. So I want to redo my backstage here and have all the animals and Tim is gone.
[Tim Golden]
No, Tim is back. No, I'm fixing my stupid camera. I have all the teddy bears.
[Uncle Marv]
You have all the teddy bears, all the bears.
[Desraie Thomas]
It's almost embarrassing. I impact the box that you have, that you have in your life, that you've had since you were a kid. And then you're like parents sent you away with, where I get the stuff out of my house.
[Uncle Marv]
All right, quick, before I bring Tim back on, what's something that, that he's embarrassed you guys, or what has he done since you guys have started that you're like, Oh, Tim, please don't do that again.
[Austen Gray]
I don't know. I know what's been embarrassing for him is if you ask him about the Vegas trip.
[Desraie Thomas]
Oh no.
[Uncle Marv]
Oh, look, look at here. Maureen is actually in the chat here. Shouldn't be able to take off the logo.
There we go. All right.
[Austen Gray]
I'm still the collar.
[Uncle Marv]
And now that we've got the wife on, let's bring Tim back.
[Tim Golden]
Don't ask me about the Vegas trip. Maureen already knows there's nothing to be told here.
[Uncle Marv]
Well, let's do this. Let me take a quick moment and thank my sponsors. And that way you don't have to worry about talking about the Vegas trip.
So let me do this real quick. You guys can stay on. Just try not to interrupt me too much here.
But the IT Business Podcast, as I said, is presented by NetAlly. They are your number one ally when it comes to network testing and analysis. So whether you're deploying, managing or troubleshooting complex wired and wireless networks, NetAlly has the tools to get the job done right.
I have a go bag with everything from the LinkSprinter to the EtherScope to the CyberScope. And I use one of those just about every day, every trip. And if you saw me drinking from my mug, SuperOps is the sponsor that is our mug sponsor and our Florida Man sponsor.
Streamline your operations with SuperOps, the all-in-one platform for service desk, invoicing, project management. And then TruGrid is your secure remote access to your Windows desktops and apps. And it eliminates firewall exposure and internet latency.
[Tim Golden]
So Marv, you mentioned your mug. Are you a Yeti person?
[Uncle Marv]
Um, yes, I am.
[Tim Golden]
Checkers, Yetis.
[Uncle Marv]
Oh, is that going to be part of the swag rotation?
[Tim Golden]
Um, maybe. I'm going to spit the stupid camera again. Maybe.
I bought a couple personally. And so I'm trying to figure out the best way to deal with those.
[Uncle Marv]
All right.
[Tim Golden]
They are terribly expensive. I will just say that.
[Uncle Marv]
Yes, they are.
[Tim Golden]
I am a Yeti snob. It's Yeti or nothing.
[Uncle Marv]
No.
[Tim Golden]
So when I saw that Yeti came out with Compliance Scorecard blue, I had to buy a couple.
[Uncle Marv]
Of course.
[Tim Golden]
Des was fortunate enough to get one. Austen will eventually get one. Maureen has one.
But I only have a handful.
[Uncle Marv]
So I need a Checkers and a Compliance Scorecard Yeti. Are you going to be at any of the events coming up? ASCII, IT Nation, Datto?
Pack one for me.
[Tim Golden]
Checkers won't be ready for a couple of months. We have to place the order. So that takes a while.
I'll make them all. So, but I'm sure we'll be at a show at some point where we will see each other and we will work out best swag of the year, Checkers. Because I know you do that.
[Uncle Marv]
I do that. That you got to get them in early enough to get some votes. So here we go.
[Desraie Thomas]
I'm going to bring sourdough bread for your best swag of the year and see how that works.
[Uncle Marv]
You might have to bring it to my booth. I don't know if they'll let me in the vendor hall to come get it.
[Tim Golden]
We will figure that out.
[Desraie Thomas]
It wouldn't be the first time I've walked around an entire conference handing out pieces of homemade sourdough bread.
[Uncle Marv]
Yeah, and that's not creepy at all, Des. Don't take candy from a stranger. Don't take bread from Desi.
[Desraie Thomas]
Every single person is happy, mostly. Maybe until the next day, but whatever. That's not my fault.
[Austen Gray]
It's only not creepy when Des does it. But if I was to do it, I'm sure it would be very creepy.
[Uncle Marv]
All right. Let me ask this one thing before we get off base here. We had talked about the fact that you guys just did last month a Compliance Scorecard signing of the Cybersecurity Infrastructure Security Agency, CISA, Secure by Design pledge.
Can you quickly chat about that?
[Tim Golden]
Yeah, sure. Actually, I'm sharing that over there, right? So the Secure by Design pledge has some pledge goals around MFA and passwords and so on and so on and so forth.
Now, this isn't like a requirement, but this ties back into our drinking our own champagne, eating our own dog food and working through that. So we have committed as Compliance Scorecard to the pledge by working through the six principles that are part of the design pledge and ensuring like two factor. I'll just pick on that for a second.
There are so many apps that either don't offer it or it's an upcharge. When we built Compliance Scorecard from the start, it was multi-factor all the way. In fact, it was FIDO keys in the beginning that I had to reduce a little because at that point in time, nobody even knew what a FIDO key was.
[Uncle Marv]
A little too secure.
[Tim Golden]
Yeah, I had to dumb it down. So we looked at all six of the principles and kind of determined what is our goal, what is our commitment, and how are we measuring that progress? Along the way, right?
And so we do a lot of work in the community with CompTIA. We talk to CISA a lot. And so we just decided, hey, we're doing some of this stuff, but we want to make that commitment to our MSPs and to your customers that we take this stuff seriously, that we eat our own dog bones or wag our own tails and do this stuff internally.
[Uncle Marv]
All right. Very good. Now, is there any teeth to this?
I mean, is it just a pledge or do you actually have to go out and show that you're doing all the six pledges?
[Tim Golden]
So, yeah. So we have a monthly call, not just me, but all of us that have done these. We're not the only one.
There's a whole bunch. There's 229 companies that have taken this pledge, right? Even some of our good friends and our competitors have come on board here, which is a good sign.
And a lot of this is to think about that whole supply chain, that whole risk. We don't want another SolarWinds or we don't want another big name event to happen. So we are making these pledges.
The teeth to it is there are measurement components. And we kind of self-report to each other during these monthly calls. And so is it a legal binding thing?
Is that I'm going to go to, you know, fine? Is it a complete? Not exactly.
But it will help the industry as a whole to take like dealing with vulnerabilities, having a vulnerability disclosure, patching our own stuff, right? No default passwords. That's a good one.
And then obviously MFA.
[Uncle Marv]
Nice. For those of you watching either now or later, I have put the link to this pledge in the chat. If you are on YouTube or the Facebook, you'll see it in the chat.
If you're on LinkedIn, you won't see it. But if you go to the show notes or the website after this, the link will be there. So you can see that as well as the link to Compliance Scorecard and a link to some forgotten photos of Tim in Vegas.
[Tim Golden]
So the Vegas thing wasn't all that bad. It was. Yeah, it was no nothing illegal, nothing illicit, nothing all that bad.
[Uncle Marv]
It was just listened to what happens in Vegas stays in Vegas. Unless you've had a drink or two and tell us later.
[Tim Golden]
Well, you know, I don't drink. But so where are we headed next, Marv? Do we go to nine o'clock?
I always forget.
[Uncle Marv]
I'm actually trying to keep us at nine o'clock. So actually what we're doing now is we're doing one of the best segments that everybody loves, Florida Man. And you can either challenge Florida Man with a story of your own or you can answer a random question.
And let me go ahead and begin by saying that everybody was worried about Florida Man. How would Florida Man do during Hurricane Milton? We did not disappoint everything from Lieutenant Dan, who would not leave his boat in the wake of Hurricane Milton coming ashore.
The man who and he survived the man who left his dog outside during the hurricane who got arrested. There were a bunch of Florida Man stories, but the Florida Man story that I have is going to be fantastic. You're going to love it.
But I will ask you guys first. Do you guys have a story to challenge what I may bring up or you want to answer a random question? And look who's all excited.
Look who's excited.
[Desraie Thomas]
I did. It's not my own story. But then originally I was saying this earlier and I started like thinking about my own stories around me and Calgary and Canada and poor older winners are really long.
I realized that people get a little crazy and violent and I didn't think I should share any of those stories. But if you ever want to look up weird stories in Canada, there are some weird stories. But when I was thinking about Florida and the closest version that I can come across coming from Calgary, Alberta, that would be the 10 days of Calgary Stampede.
If anyone who has never been to the Calgary Stampede, it's a 10 day rodeo. They call it the greatest outdoor show on earth. And imagine oil and gas, Alberta, everyone's super in business.
And then Stampede hits and nobody's in business. And every business pretty much shuts down and starts at breakfast and goes to all night at different for pancake breakfasts and drinks and food and bars and everything. Anyways, so one of my favorite Stampede stories was there was a gentleman who got a $20,000 fine when he decided that he wanted to take a balloon, an air balloon over the Stampede grounds.
But what he did was took a chair and a bunch of hot air balloon and a bunch of balloons and tied them to the chair. And he did this until he floated up in the air and went through airspace. And then they had to get him to come down because he was way up high.
And he got a maximum fine. And then he did it again two weeks later. But that time he did it, I think, in Mexico.
I don't know. Don't call me on exactly where. But then he did it in Mexico.
And they apparently were OK with it.
[Uncle Marv]
All right. So what kind of chair was it again? Was it a lawn chair?
Was it? I mean, it couldn't have been something that heavy. An aeronautic chair?
[Desraie Thomas]
Just a lawn chair with a bunch of balloons.
[Uncle Marv]
And he strapped himself in, I assume, right?
[Desraie Thomas]
Yeah, he strapped himself in. I did learn that he is like a certified hot air balloonist or whatever the word that they would be. And he was trained to do this.
So this is something apparently he's like been trained to do. And apparently, if you know how to do it, it is possible. And so when he did it in whatever Mexico or wherever that he allowed it, when he did it again, he actually did it for a commercial.
And yeah. Yeah. So that would be the Calgary Stampede story that I'm willing to share on live internet because other stories I am not supposed to share.
[Uncle Marv]
Nice. Nice. All right.
Austen, do you want to take a stab?
[Austen Gray]
Yeah, I have one.
[Uncle Marv]
You got one? OK.
[Austen Gray]
Yeah. I think, Des, your other ones that you were thinking about were probably a little too spicy. We have one called the UFO man in Springfield.
So essentially what happened was this guy, he's calling the police, right? He's like, hey, there's a UFO outside. Like, I'm literally seeing this extraterrestrial thing.
The police are like, there's nothing. Don't worry. They don't see anything, right?
They ignore it. Calls back again. Then he calls again.
Finally, the police show up, right? Of course, they go and do their procedure. They examine everything.
They're like, dude, we don't see a UFO at all. Like, what are you talking about? Later on, he's like, well, I might have accidentally consumed something I shouldn't have consumed, which was causing the altered states in his mind of why he was seeing some extraterrestrial UFO out there.
So that would be my best Florida man story for where I live in Springfield.
[Uncle Marv]
OK.
[Desraie Thomas]
That's like an average Wednesday.
[Austen Gray]
Springfield is a smaller city now, so there's not a whole lot going on. And that right there going on is a lot.
[Uncle Marv]
Probably half the police force was there, right?
[Austen Gray]
Right. Honestly.
[Uncle Marv]
Ah, Tim, you've been down on this rodeo before. What do you get?
[Tim Golden]
Well, you know, there's lots of stories I could share. Let me tell you about this gentleman that went to Vegas for a conference. And as he was walking the strip in the, you know, in Vegas and doing his, you know, hanging out with his people, chit chatting, you know, there's always those street performers.
They're singing. There's the, you know, 700 Elvis's. There's the Chippendales.
There's the, you know, the feathery people with the skimpy costumes. And they're just, you know, they're just walking. They're having a good time in Vegas.
And they're hanging out, not really, you know, kind of oblivious, but just doing their thing, you know, after a 20 hour day and a 47,000 hour flight and whatever. They're just hanging out and walking through the strip. As they approach, and one of the, you know, this guy's not really paying attention.
He gets assaulted by what appeared to be a seven foot tall, I'm assuming female, because all she had was just a little couple of things and was assaulted with whips and choking and mothering and all kinds of other things happening as this poor guy was just walking with the staff through Vegas. And I, that was, that was, yeah, that wasn't a New Hampshire story. But I, you know, it was a friend that I heard about this story happening in Vegas at some conference recently.
[Uncle Marv]
And wasn't one of the feathery people?
[Tim Golden]
Oh, yeah. Like, as I understood it, there was probably, there's probably more material in, in, in Checkers' bandana than they had in their entire outfit. Okay.
But it was a friend.
[Uncle Marv]
Gotcha.
[Tim Golden]
That was assaulted and choked and smothered.
[Uncle Marv]
And just so you know that people are watching, there is a big no in the chat. As you started that story.
[Desraie Thomas]
I don't know why Maureen wouldn't want you to tell that random story of that random person and that random trip that we were on. That's weird.
[Tim Golden]
Listen, hey, the guy's got nothing to hide. Like, he's transparent. He actually wears his heart on his sleeve.
All right. All right. So I don't know if that compares to a Florida story, but it was definitely a Vegas story that I've heard.
[Uncle Marv]
All right. Well, let me tell you about this story that happened just yesterday. This is how current these Florida man stories are.
And this happened in Port St. Lucie, which again, the place where all the hurricanes, I mean, all the tornadoes hit during the hurricane, uh, Port St. Lucie is about an hour and 20 minutes north of me. I have a client there. And, uh, police responded to reports of an explosion and smoke in Port St. Lucie. And when they arrived on scene, they encountered 39-year-old Joseph Morton wielding a handheld flamethrower. Now, since you guys probably are like, we don't believe you. Well, let me show you some video here.
Um, oh, let's go back. Come on. Um, yeah.
So there is a police body cam of the incident and yes, he is wielding a flamethrower, uh, officers, uh, asked him to give it up. He refused to drop the device when ordered and pointed it at the officers. Uh, they showed restraint opting for non-lethal methods.
And one officer was able to get close enough to disarm him after retreating into his home and then re-emerging. He was tased by police. So he now faces charges of aggravated assault with a deadly weapon against law enforcement officers.
And just in case you're wondering, owning a flamethrower is legal in Florida as it is in most of the United States. However, um, using it as a threatening weapon is not legal. So that is what he is, uh, being charged with.
Um, let's see here.
[Tim Golden]
Are you sure he wasn't just trying to thwart off all those roaches and stuff that, and gators that Florida has?
[Uncle Marv]
Well, what is, let me, let me do this. Cause I, I did not play the audio cause I thought there was music, but, uh, if you could hear the audio, um, can I do this here?
[Tim Golden]
Should we like mimic what he's saying? Like, Hey dude, what the F are you doing?
[Uncle Marv]
It's an F in the flamethrower. He's like, I can F and light anything in my yard that I want. Yeah.
That's, uh, that's all there. So I'll have the link to that, uh, that viral video. So you can hear for yourself, uh, everything that was, that was being said and you can watch him being tased in his doorway.
[Tim Golden]
So, so let me ask you, how does, how does electric tasers that could cause a spark work well with a flamethrower?
[Uncle Marv]
Well, if you watch the video, they got the flamethrower first.
[Tim Golden]
Uh, cause I could see things going sideways even more so in Florida and that whole scenario.
[Uncle Marv]
Yeah. This sounds like something that should have happened during 4th of July, where he was using the flamethrower to light his own fireworks.
[Desraie Thomas]
So I did just see, um, Ted roller when I posted online, trying to find a story and Ted roller shared a Florida story with me that I thought was just fun. Apparently after the hurricane, there were some people riding their lawnmowers and fishing.
[Uncle Marv]
Yes.
[Desraie Thomas]
I love that. I was like, this is amazing. That's like a perfect way to spend your time.
[Uncle Marv]
Yeah. There was a Tampa man that actually was in his own house in a canoe paddling and was showing, you know, streaming his story to the news.
[Desraie Thomas]
I saw that too. You and I were on, we were on watching like online content together. We should have had popcorn and just chat.
[Uncle Marv]
You know, what's funny is even if, yeah, even if I get links sent to me all the time and I have to, you know, during those storms, I'm on storm watch. So I'm watching all the channels and seeing all of this stuff. There was, there was a lot of crap going on.
There is. There is.
[Tim Golden]
Yeah. People are crazy.
[Uncle Marv]
Yep.
[Tim Golden]
All right. Well, God is good. Beer is great.
And people are crazy. Oh, sorry. Des doesn't like cowboy music.
[Uncle Marv]
But you like banjo music.
[Desraie Thomas]
I do. I love a good banjo.
[Uncle Marv]
If I could play music on here.
[Desraie Thomas]
There's so many weird things about me.
[Uncle Marv]
I have never said that about you.
[Desraie Thomas]
Spend more time together.
[Uncle Marv]
No, I've called you interesting.
[Desraie Thomas]
Bless her heart.
[Tim Golden]
I'm going to play the timekeeper because Des does this to me all the time when we're in conversations with prospects and I'm 45 minutes into geeking out into a 10 minute conversation I'm supposed to be having. It is 9:01. Is your bedtime? No, no.
But I did ask a few minutes ago, what does the timeline look like?
[Uncle Marv]
This is about right. I just felt I wanted to give you guys some breathing room. Austen has sat here all night, barely getting a word in edgewise.
And I know why. Tim and Desi are here. So Austen, let me do this.
Let me give you the floor. I'm actually going to mute the two of them and I will let you have the last word. Anything you want to say, Compliance Scorecard, Florida Man, Springfield, take us home.
[Austen Gray]
Yeah, I gotcha. So if you need help with risk and compliance, come to Compliance Scorecard. Reach out to us.
We are the resource for you guys to help out with your MSP. Signing off.
[Uncle Marv]
Boom. That's how you do it. I want to say thank you to Austen.
Thank you to Desraie. Thank you to Tim Golden. I will have the links in the show notes.
That is going to do it for this episode of the IT Business Podcast. Check the website. Sign up on your favorite pod catcher.
Remember, no live show next week, but there are always going to be podcasts out there. I will see you either in St. Petersburg or Miami or Orlando if you are attending any one of those. So that's going to do it.
We'll see you next time. And until then, Holla!
Sr. Sales Development Specialist
A seasoned customer relationship expert and Sr. Sales Development Specialist at Compliance Scorecard, I specialize in integrating compliance seamlessly into business practices for managed service providers. With a knack for cultivating strong partnerships and offering tailored insights, I simplify complex compliance processes from governance management to user adoption. My experience spans roles as a Fractional Channel Chief at Aportio Technologies and Co-Host of The Channel CRO podcast, where I engage industry leaders to explore the alignment of marketing and sales. Passionate about driving business growth and translating intricate information into accessible strategies, I thrive on fostering trusted relationships that help partners succeed.
CEO/Founder
Tim Golden, Founder, Compliance Scorecard
For over two decades, I’ve dedicated myself to helping Managed Service Providers (MSPs) turn compliance from a daunting challenge into a powerful strategic advantage. As the founder of Compliance Scorecard, my mission is to empower businesses with the tools and knowledge they need to operate securely, manage risks effectively, and grow with confidence.
In 2024, I was honored to receive the CompTIA Cybersecurity Leadership Award—a testament to my unwavering commitment to safeguarding businesses in today’s complex digital landscape. My journey as an award-winning speaker has taken me to conferences, webinars, and executive roundtables across the industry, where I share actionable insights on governance, risk management, and cybersecurity.
As a dedicated advocate for MSPs and cybersecurity and an industry speaker, I’m passionate about demystifying complex topics and delivering practical, actionable advice. My approach to speaking on compliance, risk management, and cybersecurity is down-to-earth and accessible, ensuring that every audience member—whether an experienced MSP or someone new to the field—leaves with clear steps to enhance their business and security posture.