Now That's IT: Stories of MSP Success

In-House Innovation: Building an MSSP from Within with Christian Kelly of Xantrion

November 23, 2023 N-able Season 1 Episode 18

In this compelling episode, recorded at the N-able Business of Security event in Austin, Texas, join us as we explore the remarkable journey of Christian Kelly, the visionary behind Xantrion's transformation. As Chief Technology Officer and Chief Information Security Officer, Christian shares his strategic insights on the pivotal decision to shift Xantrion's focus towards security, a move that not only redefined their business model but also set a new standard in the Managed Security Service Provider (MSSP) landscape. Dive into the thought process and challenges behind their bold decision to build their security and MSP solutions from within, rather than relying on external solutions. Christian discusses how this in-house approach enabled Xantrion to tailor their services to the unique needs of their clients, foster innovation, and maintain agility in a rapidly evolving cybersecurity landscape. This episode is not just a story of business acumen; it's a testament to the power of internal innovation and visionary leadership in the MSP sector.

Get an in-person rundown on what N-able has to offer including products, insights, networking and more.

The N-able Roadshow is visiting more cities than ever before in 2024. Take a look at our first group of locations; we may be in a city near you! -> http://spr.ly/6000RsTOq

'Now that's it: Stories of MSP Success,' dives into the journeys of some of the trailblazers in our industry to find out how they used their passion for technology to help turn Managed Services into the thriving sector it is today.

Every episode is packed with the valuable insights, practical strategies, and inspiring anecdotes that lead our guests to the transformative moment when they knew….. Now, that's it.

This podcast provides educational information about issues that may be relevant to information technology service providers.

Nothing in the podcast should be construed as any recommendation or endorsement by N-able, or as legal or any other advice.

The views expressed by guests are their own and their appearance on the podcast does not imply an endorsement of them or any entity they represent.

Views and opinions expressed by N-able employees are those of the employees and do not necessarily reflect the view of N-able or its officers and directors.

The podcast may also contain forward-looking statements regarding future product plans, functionality, or development efforts that should not be interpreted as a commitment from N-able related to any deliverables or timeframe.

All content is based on information available at the time of recording, and N-able has no obligation to update any forward-looking statements.


Speaker 1:

One, two, three, four. Welcome to Now That's IT: Stories of MSP Success, where we dive into the journeys of some of the trailblazers in our industry to find out how they used their passion for technology to help turn managed services into the thriving sector it is today. This episode is taken from a conversation during the N-able Business of Security program held in Austin, Texas, in April 2023.

Speaker 2:

All right, everybody, I want to introduce our next session lead. He is a CISSP with over 20 years of IT experience. He's the Chief Architect of Xantrion's Internal and Client Technology Services. Please welcome the Chief Technology Officer, Chief Information Security Officer, Chief Architect at Xantrion, Mr Christian Kelly. That's a lot of chiefs, all right. A lot of chiefs, Christian. Thanks for being here. I'm sure most of you know Christian. He's been around the community. He's been around the N-able community for a long time, spoken it in power. But for those of the folks that don't know you, tell everybody a little bit about yourself.

Speaker 3:

Yep. So, Christian Kelly, I'm with Xantrion. I've been with the company for close to 15 years now and, like was said, I've been in technology for a long time in a lot of different spheres, starting out of the consultant route all the way up through getting into information technology and then the last 10 years or so focusing primarily on security.

Speaker 2:

You come from the beautiful, sunny state of California. Why don't you tell us a little bit about Xantrion?

Speaker 3:

Yes, so Xantrion has been around for closing in on 20 years now and, like most MSPs, started as a small mom and pop and has grown to its current size. We're just under 100 employees. Again, we're mainly based out of the Bay Area but now have employees nationwide and are growing our national footprint to major metropolitan areas. We've built a culture and a team and we'll talk about it as we go forward here, but we've been growing kind of steadily over the last decade and with a real focus on security and automation and kind of growing our capabilities and internal resources and capability.

Speaker 2:

So I think that's important to call out here real quick. You guys made an early pivot to security. Like very similar to Alex, I think, early on you realized security was important. Can you talk a little bit about that? Why you guys did what you did and really pivoted full force into the security spectrum.

Speaker 3:

Yeah, absolutely. I think we, the owners, made the switch early from kind of the T&M to the MSP, kind of ahead of the curve. So by the time I joined close to 13 years ago we were already pivoting hard from the break fix T&M into the kind of fully managed space. And about seven years ago we really saw the writing on the wall around some of our clients. We work a lot with financial advisors and the kind of financial industry kind of regulated SEC compliance. We saw the need around having a strategy, kind of a program that we could put forward that would tick the boxes, that would cover the bases for our clients, and so we put our heads together.

Speaker 3:

We kind of built out what we thought was the right strategy and thankfully we got it right we haven't had to mess with it too much of a single offering that we could bring forward to clients that would cover most security needs. We kind of have two flavors, kind of like Alex said, we have kind of our standard flavor you must be on this and then a more enhanced flavor of our offering. And we went out early and talked to a number of clients and most of it was transitioning our current MSP business to kind of our managed security MSSP business, and since the last few years it's solely. You know, most of our net new business, all of our net new business, obviously comes from that kind of security vein and the reason we win a lot of the business now is because of our security capability.

Speaker 2:

So something that's really I think intriguing about Xantrion is you've built this security offering, and really your entire offering, with internal capabilities. So can you tell everybody why Xantrion chose to build their security offering internally, hire those folks, train those folks and I love this story. You told it when we were preparing, but just talk a little bit about why that was important to you guys.

Speaker 3:

If we were talking in our table earlier. I think you know most of us have an engineering background. We want to build and I think that it's not always the right answer. I'll preface it with that. I don't think building is the right answer for every MSP, for every capability. In our case we were at the size that I felt it made sense to build most of our capabilities in-house. Not that we don't partner and use other vendors in technology, but when it came to building out our capabilities, our compliance capabilities, our security offerings, we did build them in-house.

Speaker 3:

And it gives an avenue. It goes to the second question that we were talking about at our tables. It gives us an avenue for our employees' kind of internal growth and ability to know hey, I'm at the service desk today, but there is a world where I can get up and do become a security analyst if I do the right things, if I get the training, if I get the certifications, things like that. So we look at it both as we feel we're pretty good at delivering those capabilities. We feel like it gives us a nimbleness to be able to bring in services, to augment services, to customize our services to what our clients need, but it also allows us to have a path. Our culture is such that we wanna give our employees a path of growth, a way to enhance their careers, and so as we build out more capabilities and scale and are able to grow those teams, we're able to give more paths for our employees and because of that I feel we have great retention of employees. We have and our culture is really sound.

Speaker 2:

You talked a little bit about that. You have about a hundred employees, but you have a group of employees that have been with you for a long time.

Speaker 3:

So I have a number of teams that report up to me and I'm not 100% certain of this, but I think the average tenure of an employee that reports up to me is like eight plus years and that's so, again, our retention is strong. I think that Tom said is it three? We've had three people leave us in the last year, three volunteers. I think that goes towards people see a path, the culture of the company We've been talking over at our table. It's very open, people understand the direction of the company, the growth of the company, the financials of the company and I think all of that plays in really well for long-tenured employees and the strength of our internal teams.

Speaker 2:

Yeah, and Tom has been part of one of our past programs. I think something that I learned is you guys have a very open book. You share your numbers with your employees, and so they know the direction you're taking the company and they know why you're spending money, where you're spending money, and they feel it. The other thing that I thought was really interesting was the number of CISSPs that became CISSPs as you were as employees.

Speaker 3:

Yeah, actually we have, I believe, five CISSPs internally at Xantrion and all of them went through that journey. They just started to finish with Xantrion. So they went through the training, they got their capabilities, their years of experience and passed and got certified into that.

Speaker 2:

That's fantastic, and you must be doing something right on the hiring space as well. Right, if you're hiring these folks and they're staying around for as long as they are. What are the types of things? What's it like? Obviously, in Oakland, Silicon Valley, there's a ton of talent out there, but what are the types of folks that you're looking for to be able to bring into Xantrion?

Speaker 3:

Yes, so that's interesting. You know most of, I think all of our hires over the last year or two years have been Service Desk.

Speaker 3:

Okay, Service Desk level and we're pushing outside of the Bay Area. Obviously, the Bay Area is an expensive place to hire, so, unless there's a reason for someone to be in the Bay Area, we're starting to hire nationwide, which helps as we grow right. We want to double in size over the next, you know, four to five years. We're going to have to make some strategic hires at higher level positions in the company, but I think that those are going to be you.

Speaker 3:

There's going to be some key roles that we need to fill, you know, maybe around you know GRC or whatever, but most of our positions, available positions, are going to come up from within our company. So again, I'm not directly involved, thankfully, in a lot of the hiring and interviewing. It happens at another level and they're very good at it. But they're bringing on, you know, customer success-minded individuals that we feel are going to succeed at the Service Desk and then, based on, you know, their abilities and growth. We kind of have eyes to where we think over the next five years this individual might become a VCIO, we might think this person might become an analyst or a project engineer or what have you, and we plan to grow our top tier team through up from the Service Desk.

Speaker 2:

That's great. So obviously the benefits of building internal is, you see, that the staff have those capabilities and I always love this. I would hire tons and tons of Service Desk individuals and there was always this conversation of you know, can you be a career Service Desk individual or do they all have to have this? You know growth path out of the Service Desk and I've seen it work both ways and it's worked successfully both ways. But to be able to have what you guys have, which is we have a security offering in-house, if you want to be in the sock someday or you want to be part of that, that's a great opportunity. But there was another reason you talked about early on and it was when you go to market and you talk about, hey, this is who we are, this is who Xantrion is, and you get the questions around. Well, you know, how do you staff your security offering? You can say every single one of our employees is internal employees, right, and we talk a little bit about that. Why that's so important.

Speaker 3:

Yeah. So I mean obviously the ability to say that anyone who can touch your client systems are full-time employees, background check, live scanned, you know, DOJ, whatever, we serve a couple of police departments so we're able to say, hey, everyone's US, everyone, you know, we can vouch for everybody. There's a, you know, there's an element of a sales kind of marketing opportunity with that that we use. I think that we are targeting markets. You know we're starting to target more directly to markets that kind of require that or that. That's a reason for how they might pick a vendor. I think I don't think that's for everybody, I don't think that's possible. You know I'm not up here saying, oh, everyone must build everything in-house. I don't think that's the right answer. For us, it's worked.

Speaker 3:

I think that we, you know, we're the type of company that continues to evaluate that in two years I might, you know, be around saying, oh no, we now buy X. Or, you know, we partner with another firm. We're not against that. If the right partner comes out and they have the right capabilities and they align with us, I think we would be open to it. But you know, as of now we can confidently tell our clients, you know, anyone touching your systems. It's us, it's our full-time employees and you can. You know I don't think all clients care about that, but I think sophisticated buyers. There's an element of risk associated with the more vendors. You know a vendor, some kind of supply chain issues that are starting to come more to the fore. We've started to get some interest in that as we talk to people and kind of understand if they're a right fit for us fundamentally as a client.

Speaker 2:

Let's stay on that for a minute. Obviously there's some obvious risks about building everything internally, but maybe what are some of the things that folks aren't thinking about it? If they are planning to go out and sort of staff a number of security technicians internally, what are maybe some of the risks that folks might experience, and especially when it comes to scaling that as well?

Speaker 3:

Yeah, I think you've got to be. I think you obviously you have to start with the right people. You have to start with the right capabilities. You know, not all of this was perfectly planned right. We got some really good people early on that we felt had the capability to build out these programs and build out these teams. And had we not had the right people at the right time, you know, the outcome likely would have been different. So, you know, we had, you know, having the right talent at the right place at the right time made a big difference for us and we were able to start building out those teams.

Speaker 3:

Some companies get formed with, you know, a VC saying here's $20 million, build it. And I mean I'd love for someone to hand me $20 million and tell me to build it. It would likely be an easier road. We kind of had to build it as we went right. So when we again seven years ago, when we decided, hey, this is the way we're going to go it's not like we had the funding to necessarily back it up we had to make some investment, but we had to keep the business going and we kind of had to, you know, build it as we went and early on, you know, we probably claimed to have some capabilities. That we were. You know we're aspirational and you know, as we've grown we now can back up those, we can back up those claims better.

Speaker 3:

But you know, I think that now, starting now, the buyers are much more sophisticated. I think that starting six, seven years ago, there was a little more room for, you know, clients not really understanding. You know, EDR wasn't a big thing. Having, you know, eyes on capabilities, MDR wasn't really that big of a problem. You know, six, seven years ago. Today, I think it's a little harder to just kind of start on your own and say, oh, we're just going to kind of build it as we go along. So I do think partnering and getting the right vendors in the mix today, if you're starting that journey, I think that that's likely a requirement until you have, until you can build out the teams and have the revenue to back it up and actually Are you all seeing a more sophisticated buyer when it comes to security, like when we're Christensen?

Speaker 2:

Some of you All right. So how the heck did you do this Right? You built this internally. You talk a lot about automation and what you've built internally to be able to handle the majority of these capabilities. Can you share that with the group?

Speaker 3:

Yes. So when we think about where we put our development dollars or where we focus our DevOps capabilities, we're not big enough yet to have fully siloed like oh, I'm just a DevOps guy. There's a number of people on our team that have those capabilities they span the SOC and NOC and some of the project teams but we look really closely at any way we can take work off of an analyst. So we get as everyone probably does. We get huge amounts of alerts that come in from. Take, for example, the Graph API from Microsoft. We've got 70, 80 clients that are feeding us all that Graph API stuff. So when we get one of those alerts, we create a ticket and we see what an analyst does, what smart things must be done in order to know is it a false positive, is it a true positive? Then we work hard to take away just like anything in automation, try to take away those extra steps.

Speaker 3:

So having a platform that can go out and enrich data for us in this new cloud-first world has been very important, and being able to speak to clients about those capabilities is something that really helps in our sales process. So, again, we look at the world now as an API-driven framework. All systems are API-driven. We can make calls to and from any system based on any alert. So, like everybody here, it's not one vendor that we buy from. We have SentinelOne, we have Microsoft Graph API, we have N-able, we have all of these systems and then building the platform that we build internally is the thing that stitches those all together. We're bringing both in our security offering and our kind of traditional NOC offering. We're trying to build in capabilities where the kind of remedial tasks are done and then it feeds the engineer meaningful data that helps them make a decision of. Can I just mark this off or do I have to go and do more manual work to understand if this is?

Speaker 2:

a threat or not. That's excellent Christian, all right. So before we get off this topic, what advice would you give the folks in the room that are maybe considering bringing some additional security resources internally versus partnering and just where's your brain around that. What sort of advice would you have?

Speaker 3:

It's unique to every situation. I think we have to be careful, and I have to do this myself too, because I am predisposed to build. One of the N-able board members is sitting at our table and he said this engineers wanna engineer, we wanna build. And I think you have to be careful. I think you have to be careful to understand when it makes sense. I think we overestimate our capabilities. I think we do it, and it's something that you always have to check yourself on is make sure that you have the capability to build it, maintain it. Is it bringing some new meaningful value that can't be solved out of the box?

Speaker 3:

There's a lot of solutions out there that can fit any problem and, if you're gonna like again going back to when we build, it's usually an integration build. It's not a capability build. We're trying to integrate disparate systems together. So I think there's value in that, because every tool set is different and there is no tool that brings them all together. As far as like building internal capabilities, I think that you again have to be sure that you actually have the talent, that you have the capability, that you've made the commitment that there's a way to actually scale that, to staff it. You have to start somewhere. But, yeah, just go in carefully and make sure that you can actually achieve what you're trying to pull out.

Speaker 2:

Fantastic. All right, let's talk about a segment. We spent some time with Alex talking about aerospace. You guys spend a lot of time in a number of segments, but financial and RIA. Can you tell us a little bit about why Xantrion either fell into that or decided to go into that segment?

Speaker 3:

Yeah, so I think, like Alex in the aerospace, we kind of happened upon I mean, not happened upon, but it wasn't a specific vertical we were talking to but we, you know, seven years ago, eight years ago, had a few RIAs and they started looking to us. For, you know, as the SEC was looking at, you know, more cybersecurity controls and understanding risk, with turning to us, a couple of our clients were expecting SEC audits. So we got early into that space. That was actually what we built.

Speaker 3:

Our kind of initial managed security program was really focused around RIAs because they were the ones looking to us and asking for that advice. So we kind of fell into it and since then realized that hey, we have something that solves this problem. We've gone through some SEC audits, we've come out clean. The program we have clearly was kind of designed and is functioning. So then we marketed and kind of grew that segment. So we have a couple I don't know a dozen to 20 kind of financial firms and we continue to market and look at those. You know, as we look at new clients and RIA, it's like, oh yeah, we can, we got that that's. You know, as long as they're fundamentally aligned with us, we know that we can solve those problems pretty readily Awesome.

Speaker 2:

Alex talked about. You know we're there to solve business challenges with IT. Are there different business challenges that you're solving in the financial RIA space than in some other segments and, if so, could you share some of this?

Speaker 3:

Yeah, I think it always comes down to a business In the end. We're always solving business problems and I don't think RIAs have any different business requirements than any other business. They definitely look at risk different, right? They've got hundreds of millions of billions of dollars under management, so there is an appetite towards making sure that they're secure. So it's kind of teed up for you. You don't have to do the flow chart. They already know they have risks and they need to mitigate it. So from that perspective, you don't really have to sell the security aspect. We just come forward again with a solution and outcome. Hey, don't worry, I'm 100% in alignment.

Speaker 3:

You won't see product names in our service addendums. We've swapped products out. We don't want to be locked into a particular thing. A lot of most of the products that we bring to bear come as part of our service, so we can swap them out. And we have, other than some Microsoft licensing, right, client's spider on my. I know some people put the Microsoft licensing in there too. We don't for a number of reasons. But short of that, pretty much all of the product comes through. So really, we're coming with an outcome. We're coming with a solution to their risk and governance and business and compliance problem. Yeah, short of the client already being fully aware that they'll need it, there's not a fundamental difference from a business perspective.

Speaker 2:

Is that an extremely attractive segment Because they are just security aware and ready to essentially tell you what they need based upon their knowledge? Or are you in the boat where you like to go out there and try to explain what the heck security is to an industry?

Speaker 3:

Yeah, no, they know they definitely are knowledgeable buyers. We do focus on it, the profile of an RIA though there's a lot of really small RIAs and as we move upmarket and grow there's kind of a minimum. So finding RIAs now in the right footprint, the right size, is getting a little bit more challenging. But it's definitely something that you can do. We're aligned well and we focus on and we don't have to explain the security need. They definitely understand.

Speaker 3:

What is interesting now is with the new, the SEC has floated out new requirements and new frameworks and that's getting a lot of interest. There's some very tight reporting deadlines on any breach or risk. It hasn't gone through yet, but they're saying that within 48 hours of a breach you need to notify all of your clients. So as an RIA, you're like how is 48 hours even long enough to understand if that's really a breach before you're going to be required to notify all of your partners and business individuals? So that's getting pushed back on and we hope that the SEC gives on that and allows a little bit more time for investigation.

Speaker 3:

But there's a number of other things that are coming in and most of them are around governance, more prescriptive requirements, around having a security program and how you report on that program. There's a lot. I think it's funny. Most of these requirements, again, are self-imposed. There's no audit that you go through to be like I'm SEC compliant. It's similar, I think, to the 171, where you self-attest to these things. But what is changing this year is going to be at least hard requirements around the security program and auditing of that program. So they're saying, multiple times a year, this program has to be looked at, it has to be audited on, has to be reported on, which aligns really well with us, because part of that program is quarterly cadence of reporting, meeting, vulnerability management, assessment, remediation. All of that is baked into our core offering for RIA, so it aligns nicely with what we have. But we do see that likely being a business driver for more clients in that space as they try to wrap their heads around these new requirements and then understanding what MSPs can help.

Speaker 2:

Fantastic, you read my mind, because that was going to be my next question. Why don't we take a few questions from the room? Raise your hand, we have a mic runner. So mic runners, so measuring quality in house was the question there.

Speaker 3:

Yes. So that's an ongoing. We haven't solved that problem. Like any SOC, there's going to be a continual understanding of what the analysts are doing, how they're succeeding, starting obviously with good capabilities around understanding the tickets and categorizing and understanding false positives, all of that type of stuff. So we're doing probably similar things to most other SOCs and NOCs in that space, but it's definitely we're at the stage now where we're really pushing into mid-market and more co-managed. That's our Chris had earlier. There's a strategy and then there's a plan and then there's execution. Our core strategy going into the next few years is to push up market. So we understand that with that we're going to have to even build out more processes and more understanding and more rigor around the capabilities.

Speaker 3:

We found that when you're fully managed and there's big co-managed partners in the room that probably have already solved this and understand this completely. But for us, where a big portion of our space and segment is managed services and typically with a managed service, fully managed service, managed security service they're just looking for a business outcome. They want you to handle it, they want you to say you're good. If there's some kind of reporting, really it's just the tick boxes, but really they're looking for you to solve everything when you go into that mid-size enterprise co-managed. It's not that level of trust. It's not that level of just take it, we trust you, you've got it, we have a relationship with you. It is much more driven around the metrics, about the reporting, about the capabilities. You have to push your way in and make yourself visible At least that's what we've seen to keep the relationship going and to keep maybe chipping away and getting other pieces of that pipe.

Speaker 3:

So we have a couple large enterprise clients that again we provide MDR services for, patching services for, monitoring services for, and we just find that relationship to be quite different. Even the VCIOs that manage, a VCIO that can really manage an in-house personal relationship, shaking hands with the CEO and really having that tie, is not always the best profile VCIO for the enterprise, where it is a little bit more, there's a couple layers of separation. It's just a different market and a different type of service that you have to deliver. We haven't figured it all out, but that's where we see some of our growth and some of our capabilities going into.

Speaker 2:

We'll leave a little bit of time here at the end for some additional questions. So think of those. So let's talk about this. Christian, Xantrion is definitely a major player, but how about some of the larger companies that you go up against? How do you guys differentiate yourselves? What are some of the tricks of the trade that you guys have come across to be able to win against some of those players?

Speaker 3:

I like to be very transparent with clients in sales calls. I'm in a lot of those calls. Again, we're similar in a lot of ways to Alex, where we don't have a sales team. So it's again it's more of an understanding operationally if we're the right fit, if we're the right mix, and it's an engineer, myself and VCIO levels that are on these calls to understand if we're the right fit or not. So I like to be very transparent about what our capabilities are, what we are and what we aren't.

Speaker 3:

I never want to go in and make a claim to a client that we're something that we're not. That's not going to be good for us, that's not going to be good for them, not going to be a good outcome. So I think we started having more discussions with larger clients we might be up against. When I think of larger players, I know there's some very large MSSPs, but we're talking about Rapid7s or Palo Alto, like big players with huge teams, and they're like, how are you like this? I'm like, I'm not. Like, just to be full disclosure, I am not Rapid7. We're not a multi-billion-dollar company with unlimited huge resources and teams. But where I think that we've won and where we're kind of where we think our niche is, is a lot of these companies have very defined offerings and clients want kind of fungible or nuanced capabilities that a large vendor might not have.

Speaker 3:

For example, we were up against Rapid7 for kind of a vulnerability management program, and you're going to have a hard time beating Rapid7 in a vulnerability management program.

Speaker 3:

I mean, they write the software, that's what they do all day, every day. But this client wanted some remediation capabilities and that's something Rapid7, it's like Rapid7 just wants to run that report and give it to you, and they wanted someone to run the report, help them understand it and then actually go and remediate those issues. And that was something that we could offer. We have the talent, we have the capabilities, we'd have the access if we built up that relationship. So I think finding where it's not always that we have to win because we're better at that exact thing, and in a lot of cases we might not be, and I try to be transparent with that, but where you do have capabilities, where, again, I think we're winning a lot, where it's multiple things that the client's looking for and they're not looking for a lot of vendors, and so being flexible and being able to kind of look hard at what your capabilities are to what that larger client might be asking, and again we'll only slice and dice and cut those up for larger engagements.

Speaker 3:

If it's a smaller company, it's kind of like switch again. Yeah, you get our program.

Speaker 2:

That's great. That flexibility is really powerful. I've seen a lot of MSPs be successful, and obviously MSPs are successful in providing that flexibility, so that's great feedback. Let's talk. So we've got an expert tomorrow around compliance. But I just wanted to ask you, Christian, what are the types of things that Xantrion's doing to sort of help your clients, or different industries like healthcare or even finance that you mentioned, to address compliance requirements?

Speaker 3:

Yes. So I don't think we've done anything like amazing or solved it in a much different way than others. We're lucky that we do have some capabilities internally that are very talented in that area. So we do kind of have a backstop for our VCIOs. The problem is that backstop is not as big as I would like it to be. Sure. So we are looking, as again we forecast into the next few years, I think we're going to have to invest and build up our GRC group. So yeah, I mean we do similar things, I think, to what everyone has.

Speaker 3:

We have tools that we built that help understand risk and can quickly, well, not quickly, but in a few hours, map out what a client is doing against your typical frameworks and then build up a simple gap analysis to what capability are we trying to hit, a one, two or three? You know we answer. Thankfully, we know a lot of the questions ourselves, so we can kind of pre-fill this out and then kind of bring it to the client with not a whole lot of interaction, can come up with a report that's meaningful, that can kind of help guide the client to what's next. From a pure compliance perspective, obviously we work a lot with the SEC kind of framework and that compliance. A lot of that compliance is not, like with all compliance, everybody thinks that, oh, it's just an IT problem or it's just a technology problem. That compliance from the SEC standpoint bridges how the company, the technical piece of it, is actually tiny in comparison to the whole program, but we give guidance and we lend our expertise and capability as it kind of overlaps with what we handle. But we don't have anything, you know, oh, we built this thing or this amazing thing. It's just, I think, focusing on that vertical and getting good at it is important in building up that capability.

Speaker 3:

So I would say, you know, around the financial industries we're pretty strong. We're looking to actually move. We have a couple clients bidding on kind of DoD style things, so we're looking to get into that next level. That's, you know, I'll probably be bending Alex's ear here a little bit, but you know I think once you build up one, it's easier to move yourself forward internally as well. Obviously we've gone through SOC attestations for, I think, seven or eight years now and we're also looking to add on to our own internal compliance, adding an ISO 2700 or adding some other internal capabilities. Right, if we get that right resource that could be kind of a front-facing GRC and then internal facing, kind of help pull us forward in our internal compliance. We see that as a competitive advantage going forward as well. That's great. Thank you for that.

Speaker 2:

All right, so here's the fun one that we asked Alex and we'll ask you as well, and I changed the wording on this so that it looked like a different question, but yeah, so what's one thing that you think MSPs might be missing the boat around right now?

Speaker 3:

I don't know if missing the boat is the right frame for this, but I think understanding your own supply chain kind of risk and how that passes through the client, and I don't mean like, you know, how software is developed per se, because it's difficult to get to that level, but just understanding who your upstream providers are and really coming to terms with what access they actually have into your environments and then doing proper vendor due diligence on those vendors to make sure you're comfortable with their programs as it passes through. Like I said, we don't have a lot of that because we keep a lot of it in-house. But as we look to partner up or use tools, we go through that process and we unfortunately find that a lot of the MSP-specific software and services are not really up to the task, unfortunately. Like I would love to have, you know, some kind of magical CSP billing, whatever, you know, automation thing. But I have to give some random company now pretty high-level access into all of my tenants, which, you know, now with GDAP that's probably getting mitigated and there's some better answers there now. But as the industry matures I think kind of segmenting access will continue to get better, so that we can give more limited ability to our upstream vendors and providers, but up until now, a lot of it.

Speaker 3:

You know we'll look at a tool that we're hearing a lot of chatter about and a lot of people are using, and we'll actually go through a vendor kind of assessment and it just comes back that they don't have any kind of compliance program, they don't have any certifications of any kind, and it's usually because it's like an MSP built a thing internally and it was like, wow, this is really cool, let's turn it into a product, and you get a couple other MSPs using it and you get a website and all of a sudden you're a product and people are having to trust your development lifecycle down through to their system.

Speaker 3:

So I think we you know there's a lot of tools out there and that's great but have a good risk program to understand each and every tool and service that you use, because it's going to protect you in case of an like you.

Speaker 3:

Just because you do a vendor due diligence, you know, assessment and you make a risk-based decision doesn't mean that that vendor won't get compromised and it won't kind of ricochet down to you, but at least you'll have done your due diligence, and if clients ask, you can say, hey, we ran this, they had, they said all the right things, we validated it and yes, there was a problem. But you know, at least we did our part. And that's the same guidance we give to clients that are looking to onboard new SaaS applications. Right, a lot of times they'll turn to us and say, should we do this? And it's like, well, we can't tell you, but we can do an assessment and give you, you know, at least give you a piece of paper that meaningfully tells you what the risk is. And then you have to make a business. That's great.

Speaker 2:

Thanks. What questions does everybody have for Christian? Raise your hand and we'll send the mic runner over.

Speaker 4:

We've got any questions? Great talk, guys. Thanks, Christian and Chris. I'm finding when customers ask me for help filling out their cyber renewal policy, because it asks all these high-level engineering type questions, they have no clue how to answer it. It's a great opportunity for me to upsell all our cyber offerings. Do you do that for your customers? Do they even know how to fill those out? And then a second unrelated question: have you ever had to fire a customer, part ways, because they would just not follow your advice?

Speaker 3:

Yeah, I'll take that second one first. Yes, we have parted ways with a number of clients as we've ramped up over the last five years. It's kind of one of those things. Five years ago we had the program, we had already had it in place, and it was like we're going to make all of our clients do at least X, and you know that's a multi-year, for us at least that was a multi-year program to get all of our clients. We're raising your prices, we're bringing these new capabilities in, right.

Speaker 3:

That was a process we had to go through. (A) we couldn't do it all at the same time because we just didn't have the internal capability, and (B) clients pushed back and needed to go to next fiscal year. So as we segued through, we got to about 80%. And then there was that final 20% that didn't want to go and we just had to make hard decisions. But there was a story. There was one, thankfully relatively small, client that was majorly pushing back. They didn't want the price increase, they didn't care about security, et cetera, et cetera. There were a number of major issues with their client RDS servers, you know, exposed. Finally, we were just like, enough is enough, the risk is too much, and we let them go. And during the month transition, as we were exiting and the new MSP was coming in, full-on CryptoLocker through an RDS hammered them. We didn't do the IR for it. The other MSP at that point was in and thankfully, all of a sudden the checkbook started flying and they had to do, they had to rebuild and do all of that stuff. So, yes, we have parted ways, just in time, as it turns out, with a couple clients that wouldn't take our advice on that. And then on the insurance thing, absolutely we find ourselves filling those things out. It seems like daily or weekly we're getting one.

Speaker 3:

Normally kind of our process is the VCIO normally engages, answers all the questions to the best of their abilities. We have a lot of standard capabilities through all of our clients, so a lot of it is easy for them to answer. It kind of pushes up to kind of the GRC, SOC level. We'll review it. We're very careful not to say yes when there's even a hint of a maybe. We'd rather say no than yes. So definitely don't overstate your capabilities.

Speaker 3:

Normally if it's a reasonable insurer, there's a conversation, so they'll say no and then they'll give you the ability to explain. Like, you know, they'll ask, does every server have MFA to log in? And you're like, why? Like, have you heard of PowerShell? Like it's not built in, it's not a real capability. There's other mitigating capabilities: password rotation, PAM solution, you know, all of that. So say no, protect yourself, make sure the client understands. Usually you can have a conversation and get to a positive outcome. But yes, it's absolutely a sales, I mean, for us it's not really a sales thing so much because we've already sold. So it's really just about massaging it and ticking the numbers. But if these came out a couple of years ago as we were trying to upsell, it would have been very helpful. Any other questions for?

Speaker 1:

Earlier you mentioned that you developed an in-house API integration layer between all your vendors. Could you maybe shed some light on how that was built? Is that in Azure, AWS, or using, like, Azure API Management or Azure Functions?

Speaker 3:

Yeah, it's all built in Azure, Azure Functions, it's all built in PowerShell. We needed to solve for the answer like, are my systems protected? Do I know what my systems are? The problem with that is SentinelOne isn't a good indicator if SentinelOne isn't installed, and N-able is not a good indicator if N-able isn't installed. Both of those things are vital for patch management, automation, security. So having an understanding of is there a system that doesn't have these agents is a really hard problem to solve. And we looked out and there wasn't a tool out there that could do that. So we again, that's where we decide we're going to spend dollars, because those tools don't exist, and it's basically an API-driven framework. It goes out, it pulls in all of our API details. So we pull in from Microsoft Graph, we pull in from Active Directory. We actually have a PowerShell script that runs on each (not all customers have Active Directory anymore, but there's 50% or 70% who do); it queries data and pushes it to an event hub, and then again it all kind of correlates down and we get kind of that global dashboard of computer name.

Speaker 3:

Is it in Active Directory? Is it in Azure Intune? Is it in SentinelOne? Is it in Cisco Umbrella? Is it in Microsoft Defender, if we're using that? Is it, you know, is it in Veeam? You know we use Veeam. You know there's just every API and integration hook that you can build. You can build. It just takes development time and upkeep, which isn't inconsequential, as it turns out, but it is again a tool that we use. We can say things again that others can't say, because how do you know X is on everything? It's just difficult, either using spreadsheets or using APIs.

Speaker 1:

Thank you.

Speaker 5:

Shreve down here in front. Thank you, Christian. Again, I think, well, I think part of my question was answered already. But, and you know, it is obvious that you're into the build business, right, more than the buy. I think my question comes, you know, from a hybrid standpoint, right? I don't think you build all of it in-house, right? You're not into software development, R&D and all that. You know you still have to bring in partners for the tools. Where is that sweet spot? You know the spectrum is large, right, we're talking about, you know, the manpower to man your SOC, and then, you know, the

Speaker 5:

APIs to, you know, to bridge all your vendors together, and then go into the vendor. What do you find that sweet spot between build and buy?

Speaker 3:

Yeah. So I mean, obviously we don't build any actual tools for our clients. I mean, we probably want to get into the business of, you know, better reporting. One day, when we get to this really awesome analytics, Power BI kind of capability, we'll probably, you know, do something that's more visually appealing for our clients around reporting. For us it's build. The two things we build are what I said earlier, kind of, you know, cross-platform capabilities as far as actual tooling, and then we've committed, at least for now, to building our internal teams out to support our SOC and, you know, capabilities.

Speaker 3:

So you know, at this point we don't have an external MDR player. We're doing that in-house. You know we do our vulnerability scanning and remediation capabilities, we do. You know, where we get into IR and remediation, we're doing that in-house. We don't really touch forensics. We don't feel like we have a core competency there and it doesn't come up that often. If you're into forensics, you're generally in with insurance, and insurance has people that they want to be dealing with that. So yeah, we, as far as in-house personnel, we're building it at this point all in-house, for better or worse.

Speaker 3:

And you know when we hit a wall, you know, I think we have to be open, and I think that's, you know, leadership's job is to make sure we don't fundamentally say, oh, we're never going to partner, we're never going to bring someone in. You know we're constantly evaluating, and I, in a year from now, we might have someone that's kind of in and has more access than we'd like, but hopefully we've vetted them and they're secure and are adding value to our clients, and, you know, I think at that point we would be open to it. So I think it's just about knowing and trusting the people you are essentially giving the keys to the kingdom or allowing a negative outcome, a possible negative outcome. As long as you've validated that and you feel comfortable with that, I think we're all going to be there at some point.

Speaker 2:

Christian, thank you so very much for being here. This was great for everybody. Awesome, great. Thank you, thank you.

Pivoting to MSP Success With Security
Building Internal Security Capabilities for Growth
Building Financial RIA Capabilities
New SEC Requirements and Compliance Assistance
Vendor Risk and in-House Solutions
In-House MDR and Forensics Capabilities