
The Gray Leaf Tech Talk: Ray Steen of MainSpring Inc.

Posted by Richard Stephens on Jun 11, 2020 1:02:37 PM

John Laub, CEO of Gray Leaf Technology Consultants, chats with Ray Steen, Chief Strategy Officer at MainSpring Inc, a managed service provider in the Washington D.C., Northern Virginia, and Maryland area. They discuss who MainSpring is, how they provide critical services to their clients, and the state of technology in a COVID-19 world.

 

 

Podcast Transcript:

John Laub:
All right, welcome to Gray Leaf Tech Talk. And my name is John Laub. I'm the CEO of Gray Leaf Technology Consultants. Today with me is Ray Steen. Ray is a chief strategy officer for MainSpring Inc. They're a managed services provider in the Washington DC area, and also in Northern Virginia and in Maryland. And we've been, we've known each other for a long time. Gray Leaf and MainSpring have worked together for a lot of years and we've worked really just helping, just working together, helping MainSpring clients, just identify pain points and create solutions to just resolve those impediments. And I met while we were working together as contractors. It seems like a long time ago now, Ray, and then sometimes it seems like it was just yesterday, but we were together as contractors. It's where you're mad at the Federal Emergency Management Agency. Incredibly.

John Laub:
It's been almost 10 years ago. I think when we first met. And I was a technical consultant. Ray was a stakeholder relations and outreach project manager, but after we kind of went our separate ways of FEMA, we, we continued to work together. So really what we're going to do is just talk, have a, have a discussion today. It's kind of an open, open chat. I'll tell you a little bit about Ray and then Ray, I'll let you talk about yourself a little bit, but Ray has a he lives in Northern Virginia and he has five beautiful kids and one of them is a, is a technical prodigy of sorts. And I wouldn't be surprised if one of them pops her head in and just checks in on Ray cause you know, Ray, Ray's a great dad and you know, so really today's meeting is just talk about MainSpring and you Ray. So Ray tell, tell us a little bit about yourself. Tell us a bit about your kind of professional background and how did you get to where you are today?

Ray Steen:
Thanks, John. How am I died here today? I have no idea where I came from. You know, my, my background is in strategic communications and public relations actually. I spent a good part of my life in the commercial and nonprofit sector working for four organizations around building awareness and understanding just the the American Red Cross disaster relief mission. You know, 10, 15 years later after working in the the private sector for federal government, you know, working together at FEMA to again, help people through disaster situations. And I guess now that I'm talking about it, maybe that's, you know, maybe that's kind of the common thread you know, now we're now I'm in a consulting capacity working for a small IT for supporting even more than 50 organizations in DC Metro area head off disaster, you know, really before, before comes true.

Ray Steen:
And you know, I'm, I'm if there's anything that comes, that's come to me over this period of the last couple months, it's that I'm proud that many, if not if not all of our clients are in a better situation and have been well prepared for, you know, the disruption in their workforce, maybe not the disruption in their business and their revenue but it makes me feel good that we've been, you know, we've we've, we were there to help prepare them for this, that they were able to, to act swiftly and at least keep, you know, keep their operations and their staff safe throughout this time. So glad to be here. Yeah. I, you know, I never thought that disaster was a common theme job, and now, now you got me thinking maybe it follows me.

John Laub:
Well, definitely helping people out is part of, part of what you do. Right. And and you're very good at it. Tell us a little bit about MainSpring though. And, and, and so MainSpring is a managed services provider, so, so we're really, really, what does that mean and what exactly does an MSP do?

Ray Steen:
Sure. Well, I can tell you that, you know, that the area being in the DMV belt, you know, it's, there's no shortage of managed services providers, you know, we're, we are we are in an area that's rooted in technology and cybersecurity. I would say the managed service providers category has largely been dominated around being a help desk and being that remote monitoring and patch management organization for as an outsourced IT, so many organizations, you know, small to medium size businesses, nonprofits, and associations that are focused on their core mission. They have gone they've lent on they've leaned yeah. Providers to be the outside consulting team the IT firm to help desk. And, and what has evolved in over over the years is they're really looking for somebody to be that a C-level advisor. And that's something that really drew me to to our organization over six years ago, John, you and I worked in the consulting space you know, for the federal government.

Ray Steen:
We oftentimes did not have the latest and greatest tools at our disposal to equip to equip the mission and the the public sector and the private sector, you know, now have the ability to kind of, you know, kind of hand in hand. We certainly do government consulting means free does for the Army. And we, we lean on a lot of that expertise and we leverage the tools and our best practices that are disposable. So we can help organizations really select the right infrastructure, select the right tools. My favorite part of it. So the role is really just bringing good table at the right time, because not every organization has the money or the, the the maturity from the IT perspective to to move on everything at the exact same time. So I enjoy, I enjoy working with with our team. We have a very proactive model, which I know is overused in our space. But in the truth, it's a productive meeting. We try to prevent problems from happening more than once in many cases at all. And we do that through through continuous process improvement, which, you know, runs through, through in the organization and something that I know greatly it is heavily dedicated to, you know, in the development space.

John Laub:
Tell me a little bit about, you know, this, this proactive nature of what you do and, you know, what, what does, what does it really mean? And, and, and really why, why, why, why should, why should clients care about that?

Ray Steen:
Sure. Well, when I sit down with, with some of our clients and I get to meet, I understand why it is that they decided to come on board with MainSpring some of the same problems that they carry with them resonated to our model. I don't know what I don't know about IT. I find myself doing IP related or planning or budgeting and that's not my job or my role, and I'm the least qualified person to do it, but because I have because it rolls up under me, that's what I do. And these are some of the things that are new clients or prospects often say, and why they want what they're looking to do. I have no idea how efficient we are as an organization. I don't know how efficient our employees are. I don't know how many how many are suffering silently with issues and not asking for help.

Ray Steen:
I don't know how many workarounds that they have established. I don't know what software applications they're looking at or, or using because of the shortcuts of their current processes. I don't know what happened, you know, when there's a major disaster I don't really have a protocol that I could flip a switch and you know, what we're going to do. And I also don't know what our IT costs are going to be. And those are the same problems that seem to resonate to persist through and through with every prospect that I've used to meet with. I don't meet with prospects anymore. I spend most of my time with our clients and our clients. I'll, I'll, I'll when I need them. I'll understand why it is. They decided to, to join with us because they're looking to solve those issues. And while every organization needs all layers of the IT help desk and continuous monitoring, patching and auditing, and that advice they needed in a way that is aligned to their business.

Ray Steen:
So when an organization suffers from an outage or they have a server failure, or they have this come up and all of a sudden they don't have IT to respond. And another company that they've hired like a managed service provider, if they benefit from it, that's not true alignment, and that's really not true partnership. So what we've, what we've found is a different way who deliver all those services, but to align our, our whys of why we, why we do what we do, the only way that our organization benefits is if a company stays in business and growth. And that's the only one that we played that we profit and, you know, yeah. That by, you know, doing things like you know, onboarding only a couple of clients a month because we spend a considerable amount of time to learn an organization, to meet them well course to reverify things that may be the point of contact that we've met with thought but didn't know what's happening in other departments.

Ray Steen:
And then laying out a really simple road map for them to follow that adjusts based off of their circumstances. It needs, you know, there's no good in delivering an IEP assessment and then a plan, and then marching toward that for three years, logic, Becca me ask, we've seen a lot changes in even three months. So to be able to assess what our recommendations and way forward is sort of return on investment on what that investment is going to be in terms of hours and efficiency and risk, and then constantly be able to reprioritize and act quickly on nodes. I think gives organizations the kind of agility that they need to you know, to continue to work and feel comfortable that their staff are adequately supported and that they're, but with the right tools and then be able to pivot with any pivot.

John Laub:
So really, it sounds like you guys just don't, you know, you just don't, you know, you're just not feeling help desk tickets. It sounds like you do, you guys are doing some real consulting. It sounds like you know, you don't you know, the, the idea that you're not going to come in and say, okay, you know, we've done this a thousand times and we know exactly what you need. Instead, what I heard was, you know, you kind of embrace the concept that, well, you know, you're unique, right? Your clients are unique. Each one of them is different and you take the time to listen and work with them and ask good questions and figure out, Hey, what is the right points? What are the pain points? How do we engage? How do we solve you know, the issues at the right cost that really are irrelevant to you and the deliver the most business value was that, would that, would that be a correct statement? So tell me Ray, about, so with this, with this approach is, is, is, are there organizations that are kind of better suited to that model or, or, or less suited to that?

Ray Steen:
I wouldn't say that there's necessarily industry that is better suited, although those that understand and know that IT is not is an important part of their business, but not what they need to invest manpower onsite 24 hours a day on I would say the organizations that believe that efficiency and risk and the amount of time that is spent in those areas, it is a soft cost worth monitoring and measuring improvement toward. So meaning the number of hours that they're theirs, their staff are dealing with IT-related decisions, IT-related problems, or the number of hours that their senior staff are spending on selecting the right software, managing vendors managing crises evaluating new tools doing budgeting beyond the, the, the, the, the annual budgeting. All of that time is time that can be spent working on the business, working on the organizations you know, revenue streams working on employee related activities for retention and growth, and really should be something that should be led by a CIO.

Ray Steen:
And I say, CIO, in the true sense that it's beyond the technology CTO, I think is probably something where most organizations that hire an MSP, they think they're getting a CIO and they get it. They're getting a CTO. Who's probably commissioned to sell product a versus understanding the organization, what their business initiatives are. And how does information flow throughout the organization and through different departments. And where are the challenges, you know, how is payroll process, how are time cards coming in so that you can reduce you know, time entry issues? How it's, you know, how, how, how are you measuring your accounts receivable? You know, what's your cash flow. So it goes beyond the ITE that goes into business areas of focus, where we like to be able to lean on our expertise and our portfolio of clients and share real world experiences. And honestly say, you know, we've worked with associations in this space before they have they've used this product before. Here are some of the benefits, and here are some of the the challenges. And, and that, that's the best part I think, of every week is that Friday know I was talking about the things on the infrastructure and the bits okay. Solving, how can we help this organization within the next two weeks? What's the most they can do beyond the technology, because they've already checked out the technology part of their brain. And they're leaning on our CIO to ask for recommendations in areas that they think are the most important at that time.

John Laub:
Can you expand on a little bit more,

John Laub:
You hear that term a lot virtual CIO or virtual chief information officer, can you, can you talk a little bit about what is it about that virtually that that is so powerful and how does that, how does that role mean, you know, for different tech partners?

Ray Steen:
Sure. Well, like I said, I think, I think most tech partners have locked in on that VCIO term, but they're probably delivering very technology focused industry specific knowledge and expertise in that role. And they've also focused on, you know, the products that they're that they're selling, you know, one of the best I mentioned it earlier, you know, that that's part of, I think being in the commercial world is being able to play with current modern tools, whereas in the federal space where, you know, we were, we were kind of a little bit behind the curve because it takes longer for newer software to, to enter that space in the commercial world. I really believe in, and we all do, and it starts at the top that we need to be able to use any tool at our disposal with we're a Microsoft partner.

Ray Steen:
Of course, we're all on Apple partner. You know, we, we have worked with a variety of tools and solutions, and we don't subscribe to focusing on selling product and making margins off product. You subscribed to understanding what the business need is determining whether that solution really fits the organization and their culture, and then implementing a solution over time at the right speed. So, you know, John, you and I have worked long, long, a long time together and we've done a lot. In fact, we built our business on SharePoint, Microsoft SharePoint, but it's not for everybody. Sometimes there are other solutions that are available and, you know, we have brought other solutions to the table for that. And I think being able to lean on an, on an adviser, that's more focused around the long-term success of the organization and the support of the organization than the products is really what distinguishes the difference between the CTO and the CIO, the virtual nature of it is I'm not really sure why the V's always been there. They're real people.

John Laub:
Yeah,

Ray Steen:
They're local. They need to be able to meet face to face, and of course do this as often as necessary without limit. And that's, you know, that's, that's another that's another piece of the puzzle, you know, not limiting our clients to, you know, a quarterly business meeting where we're going to, you know, fill their fill their brains with jargon and Nike road map recommendations, and then walk out for another quarter and come back. There is a there's very much a relationship that needs to be made right from the on boarding time. And [inaudible] meet with, you know, beyond the heads of, of the organization to understand the culture of the organization so that when they make those recommendations they are you know, they are rooted in understanding of where the organization can adopt new technology on their you know, ready timeline.

John Laub:
So you're not trying to come in and have a predefined agenda. You don't try to sell a tool or a product you're you're. Is it safe to say you're pretty much solution agnostic, right?

Ray Steen:
Correct. Our only currency is time, time, and risk that those are the, or that we, that we focus on on the infrastructure side, it's not until we really shore up those those infrastructure risks and productivity issues. Before we get into some of the scalable conversations, you know, organizations want to be able to do more with less, they want to be able to stretch their grant money and to making software selections into let's say, a new CRM or a new marketing tool. And, and that's where okay, those can, can really do some work and understand and relate, you know, real world examples with real world clients what's worked and what hasn't to shorten the timeline. Cause no, no, client's going to tell you, Oh, it's been great. I just thought an individual, it took them two and a half years to Salesforce. That was a long time. Imagine, you know, now two and a half years ago, maybe you might not have gotten that. Not to say it's the wrong solution, but I think at the time, if you knew that it was going to take that long to implement a change, you know, it would be good to lean on somebody that knows the organization and the impact that that timeline is going to have on that kind of transformation.

John Laub:
So I imagine you have a lot of different clients, you work with a lot of different industries. Tell me a little bit about, you know, when you, when you're, when you're working with a client, a new client, maybe what, what, what type of clients do you look for that are really good matches? Is there anything that kind of stands out as far as, you know, certain clients and their needs that are really a good match?

Ray Steen:
Sure. I mean, those that are growing and expanding, I mean, I think you must most partners out there would probably say the same but those that are focused on growth and adopting new new processes to make themselves more efficient. Okay. The organizations that seem to always be a good match on that realm are the nonprofits and associations because they understand and how hard it is to attract and retain talent. And I think I forget the article that I read, you know, a while ago, but it's one that I always kind of hark back to, and I probably should have it at my fingertips, but you know, one of the top three reasons that people work at an organization and they're able to retain that talent is because they feel like they have the tools to succeed. You know, course acknowledgement is right up there and pay and benefits it's right up there, but having the tools to succeed, you know, I've, I've been fortunate to work for an IT firm.

Ray Steen:
I don't think there's any, you know, any costs is spared to make sure that we have the tools to be as efficient, productive as possible, but that's not the case in in the world today. And I think the I think employees have a choice of where they want to work and they see that the tools and the resources that are provided to them, whether it be a, you know, help desk at their disposal or a CIO, they can call it any time and say, you know, Hey, I was thinking about, Mmm, no burn and upgrading to a different solution so that we can, you know, better aligns is this, you know, this department's goals to meet the organization's mission to be able to do that is a very powerful asset. And I think is something that, you know, of course, we look for people that are looking to invest in and advice and technology to further their goals.

Ray Steen:
But then, you know, those that actually care about the productivity of their employees, because at the end of the day, the first thing that RBC IO is, are going to talk about is how productive has your staff been over the last month for the last quarter or the last six months? And we're going to watch that data and trend over time. And we're going to be able to explain why they were peaks and why they were valid. And then we're going to be able to target those areas to see if they are not an anomaly or they're a trend. If they're a trend, then if we're going to come together with the rest with a solution. And because we're focused on productivity, it's our job to make sure that few, few tickets then even fewer repeat issues come in. And that people feel like they know what, what to do every day. They know where to reach for help, and they know where they're going to be going in the next year.

John Laub:
You know, I can't help, but think talking to you that, you know, you, you seem, you seem like a coach and I happen to know you are a coach. You're a soccer coach. And it just, just occurred to me that, you know, do, do you, do you find like the work that you, that you do, you know, coaching soccer does, is there things that you kind of have found useful coaching your soccer team that kind of translates into your professional life and the work that you do with organizations?

Ray Steen:
I think understanding why they, why you should be doing what you're doing first. You know, I, I have I do coach I, I'm trying to remember you 14 boys team, and I've got a, I use six or running around here who you mentioned might be popping her head in that time and then three other soccer players or one former and two other in between. So the thing that I the routine that I like to to follow in every practice is of course, we start off with something that's routine and team building. And then we, we have these breakout sessions where we talk, what we're going to be doing. You can just practice in the next practice to prepare for the next game, why we're going to do the drills that we're doing so that there is purpose behind it.

Ray Steen:
And we can ask those questions upfront, and then the buy-in it takes place when they start seeing some of the results of, of that practice. I think that's very similar to the way you know, we approach our clients. We, we talk about why why we are going to be recommending a solution. Usually it's rooted in data if not some kind of urgent business case and why we're going to take the approach that we're going to take and what success looks like after that. So when we go through a project or when we implement a new solution, we have already agreed before we do that. What the new world is going to look like, what the department's going to experience during, and then after that. So it prepares them for that game. So, you know, preparing for a launch of a new product, preparing for a system upgrade you know, we don't need people in the middle of the game, turning over to the coaches and putting their hands up and going, what do I do?

Ray Steen:
And I'm surprised by this result and the same goes for our clients. We don't need people in the middle of an implementation or after they should turn it around. Okay. So what was going on and what do we do now? You know, we have to have a pretty, a rock solid process around our projects and it goes to planning, implementation, and evaluation before we release something. And then of course, being the support team and understanding that change is hard being there on the ground and virtually for when, you know, unexpected things happen and being able to respond. So that's probably the one thing that I would, I would relate to the business. You know, we, we, we prepare our clients for what's coming. We talk about, you know, why we're doing, we're going to do. And we talked about the process and what's going to happen afterwards, so

John Laub:
I can tell how much, you know, this, this, you're your, you know, you take this very, very, very, very you know, this is exciting for you. I can tell, you know, it's, you know tell me a little bit about, I want to switch gears for just a moment, but tell me a little bit about you, Ray, as far as like what to you.

John Laub:
It's like the perfect vacation. Tell me, you know, if you could, if money were no object kind of what, what to you would be the perfect vacation.

Ray Steen:
Perfect vacation would be one that I don't plan every single minute and every day when I'm there to do those Meyers, John, you know, I remember doing those back in the army days and my Myers Briggs. Mmm. Whatever persona at work is the exact opposite. So I always had a challenge of which, which version of me am I going? Am I going to answer these questions for, cause they repeat the same questions over and over. Cause they want to double check that you're not changing your answers. And at least the Myers Briggs that I took 10 years later, I took the same test. I finished the same way. So I guess there's some truth in it. I would say the best vacation is, you know, it's just a family getaway to the beach and unwind and play a ton of sports.

Ray Steen:
I've I've tried to make a home, a little bit of a vacation on the weekends. We are in my backyard. It looks like a carnival between bounces and trampolines bag costs. I can't even tell you. And I'm, I'm just like a kid out there I like to play. And I'm very competitive. My kids will tell ya. So I like to have a whole marathon of, of sports and games with the family. So really I'd like to do just that, but not my own house for one. So I'm looking forward to a time of you know, putting my feet in the sand and kicking back.

John Laub:
Do you have any guilty pleasures,

Ray Steen:
Fantasy sports? You know, above me is a I'm a Chicago Bears fan through and through and yeah, no, I have I've taken some lessons from some of my friends who are outdoor sports fans and have named their kids after, you know, some of their favorite sports teams, players. And I just skipped it and I named, you know, my, my son my fourth child was deemed as bear. That way I could assure you, you can not show up and be a Packer fan one day. And my youngest daughter, her name is Boston, so that she'll never don the purple and gold of the Laker. I am, I am dead serious when it comes to sports. And I miss my fantasy sports as well. It's, it's what I scroll through on my phone late at night or early in the morning or when I'm sitting on a bridge somewhere and not moving. So and I think sports has a healing power, so I'm looking forward for it know to come back both in real life and in fantasy.

John Laub:
Excellent. All right. Well, let's talk, let's get back to MainSpring. So tell me Ray a little bit about, so we talked about kind of, you know, in generality is kind of how you interact with clients and the types of things you do. Tell us a little bit more about services though. Like what, what services do you provide and kind of what benefits do those provide clients?

Ray Steen:
Sure. Any and this fee or IP partner worth their salt is going to provide a help desk with an Austin. Great. Mmm.

Ray Steen:
That's tried and true all of our, IT people, our employees of, of MainSpring the story and how our IT support team ended up down in Florida. I think Karen, because you know who we are as a business, I'm the manager of the support center wanted to move closer to home. And the leadership at the time, this predates me offer for him to, to, you know do both Florida and set up our support team. So we were fortunate enough to grab some very unique IT engineers and some really smart, awesome NASA contracts. The government space down in Florida and our support team is remarkable. And I know everybody would say that. But I think the last time I looked the satisfaction scores, you know, the buttons you can push the stars or the smiley faces.

Ray Steen:
I mean, it's been like 99%, you know, for years, every time I get, you know, one of our clients puts in a survey of the entire management team and, and others gets copies of the survey and that important satisfaction. So I use them probably too much. I can hear my colleagues screaming from towns beyond because I don't bother to try to fix anything because I believe my time is valuable and they could fix it 10 times faster. So I put tickets in and they saw them right away. And I don't know why I'm amazed, but you know, they're pretty remarkable. So that's important. And an important piece of that is, you know, they take the time to know you and they also take the time to help prevent that problem from happening ever again. That's really important. And to, to our model I have, you know, we've, we've got a team of people that are cyber experts that are constantly monitoring networks and patching systems.

Ray Steen:
My computer, you know, I wish the same was the same from my home network. But from my, my personal computer, I'm going to have to, I'm going to have to have a meeting of the minds of my IT guy here to see if our systems are packed. Oh yeah. Although he does come second. Perfect. Every time that's a problem because he's that eager for it. But yeah, every organization should be patching and monitoring systems and traffic and alerting you know, those that are that are, that should be alerted. And then also you know, don't when there's a network outage before it happens, you know, I think it's, I think it's an incredible benefit to be able to know, before coming to the office, that Comcast is down and we knew it before Comcast told us, and to tell us that it's going to be a six hour window and I should turn around and go work from home for the day.

Ray Steen:
And that's something we do for our clients. So, you know, that's something that, you know, I think you know, a few people probably understand or know that that exists, that could be really valuable. So that's the infrastructure that reactive version of version reactive part of our model is very important. It, it it is the part of the organization that our clients interact with most because it's the day to day productivity and efficiency at the staff members that will protecting the piece that I mentioned before, that's the proactive piece. It's really the yes, continuous auditing of our clients, you know, every, every month there's a meeting of the minds that they, they have, there's an infamous name for it that that shall not be, you know shared, but they gather, they argue, they discuss with passion, all the issues that came in from our clients.

Ray Steen:
And they take great offense to, because they understand that we promised our, our clients that they would be efficient. And if there are things that have come in to the support team that should not have come in or should not have come in again we relate those back to a continuous auditing scorecard, where we look at every best practice that is user a drain on the organization's productivity through an audit. And that same audit we measure risk. You know, there are best practices for security. And so by tying real world, real client issues to those failed audit points and the recommendations, we now have an ability to prioritize projects, to fix those non-compliances because we can tell you that that, that issue that you're experiencing your organization has consumed X number of hours for your staff over the last quarter. And while it's, it's not a sexy, you know, technology solution, something that you should put in place to protect those hours from continuously adding up on your soft costs and draining your staff could and frustrating your staff, because at some point your staff are going to give up and say keeps happening.

Ray Steen:
I'm not gonna keep putting it. You know, not going to keep asking you for help, if you're not going to solve the real issue. So the all continuous auditing the proactive piece of it, it's something that we have to do regularly, not once a year, because the audit points change because the best practices change industry shares this best practices, the government shares best practices, and we update our audits based off of those best practices. And all of that really translates into a lot of technical failures and, and successes on an audit that then get articulated and non-complicated way by RBC IO to our clients. Okay. First how compliant you are to best practices. Here's how productive you were over the last quarter. The recommendations you took last quarter led to an improvement in your productivity and your efficiency and reduce your risk by this many percentage points.

Ray Steen:
And as a result, your staff, or this just percentage happy, that's a, those metrics. And that executive summary is very different than the old world MSP, which is look at how many problems we solved. Wow. We love our help desk. You know, they answer the phone really fast and they solve it really fast and sure we keep growing. So we deserve to have more problems. No, you deserve to have the fewest problems possible and to know what those problems are, and to have something proactive in place to prevent them from happening. Otherwise, you're going to lose your staff because they're gonna get frustrated. You're not going to see the gains that can be gained out of looking in a proactive IT model and a partnership. And you're constantly going to be reacting and saying things like, I never know what my IT spend is going to be, my people are really unhappy. They feel unproductive. How do we do more with less? You do more with less by being proactive on the IT front and understanding what your clients need, what the problems are, and then putting solutions in place to reduce the friction.

John Laub:
Wow. That's amazing. You know, you know, so, so what you're saying really is that, you know, these virtual CEOs, they're real people, they're actually in person, they're there, they're people that show up. Right. And, but the, the audit is really, you know, I mean, I imagine that the audit really is, you know, really allows companies because it's just so, so here's my thought. I mean, a lot of times, you know, we know things aren't where they need to be, but we don't know why. And so we were like, you know, it's like, I don't know what to do. And it sounds like this audit is, is hugely instrumental because now, you know, these audit points really get to the heart of various matters and, you know, some business, you know, it could help conceivably to help them save money and even generate new revenue. Would you agree? Right.

Ray Steen:
They get to focus. They get to focus on their business and, and take the IT part of their company and rely on a partner that is going to do that, that's gonna take time and risk and, and use those as barometers for, you know, determining a way forward. And that, I don't know a company or a person who doesn't want time back in their day or their workweek or their schedule to, to reuse that time, you know, to invest in either client delivery or, you know, improving their employee wellbeing or leading their business or making sound decisions.

John Laub:
Our time is almost up, but I didn't want to, there was one important thing I wanted to make sure to cover. Right. And you know, I think that a lot of companies in our area and probably everywhere are very, very concerned about the Cybersecurity Maturity Model Certification. So CMMC. So tell us a little bit about that and what, what, what should, what should they be doing about that?

Ray Steen:
The short end of it is they should be pursuing their NIST 800-171 guidelines, which have been out there for years. CMMC is the government's way of repackaging and reinforcing a standard that has been in place for some time where they know that organizations that do business with the government are a risk area, how they handle data, how they manage their network provides a wormhole in for cyber criminals. And so the government has asked anybody that does business with the government to continue to work towards the standards that were laid out with NIST 800-171, and they've created a new model, under CMMC, where it should be easier for them to understand what level they need to reach. In addition to that, the government is putting its money where its mouth is. And it's accrediting test assessors, outside, independent assessors, to verify for the government that anybody that needs to be CMMC certified is actually meeting those requirements.

Ray Steen:
That's a difference from the past, where self-assessments were acceptable. The day will come where you will be asked to meet with an assessor, like an auditor, right. Like meeting with the IRS. So they probably won't like, like that comparison, to verify that they are actually meeting the requirements that have been laid out in the NIST 800-171 handbook. And that there's a plan to meet those requirements, right? The government has always worked with small businesses to say, please show us a plan, a plan of action and milestones, a POA&M, and a system security plan to show that you take this seriously, that you're working towards something. That's still in place. It's, it's still valid today. So while CMMC is continuing to shape and communicate how it's going to roll out, how it's going to train the assessors, how organizations that do work or build the federal government or the government in its entirety, how they should be preparing for that.

Ray Steen:
I think the best advice would be continuing to work with your IT firm on understanding where you are in meeting those requirements and what requirements you should have in place. In most cases, if you're meeting 80% of those requirements, you know, the top 20 security protocols, you're going to be in a lot better shape than those that have been ignoring it and believing that the government isn't going to come knocking someday. Nobody is going to be outside of the CMMC requirements. They've made that very clear. What hasn't been clear has been the timeline. Of course, current events have, have affected that timeline. But the good news is, you know, I would say that most organizations that are working with IT firms, those IT firms are well aware that the requirement exists and they should've already been having conversations with their clients about what to do to prepare for that, because it's beyond just passing an audit.

Ray Steen:
It can position a lot of our clients; it is a, a leg up on competition. You know, John, you and I were, I worked in the government space as consultants for years. I don't even want to work for, you know, work with companies who have met the security requirements and, or have a plan or those that haven't started. And that's how contracts are awarded. Contracts are awarded because the government feels comfortable about the requirements, and prime contractors and subcontractors partner together to form good teams, and good team members are those that are best positioned to meet those, those requirements to work with the government. So a lot of the CMMC standards can be scary, but they are, when decomposed, really best practices in IT. And I think if you're, you know, I think there's a lot that can be gained by organizations in meeting some of those requirements. Anyway, a lot of those requirements are a part of our audit for organizations that don't need to meet CMMC accreditation. And that's because they've been known to reduce problems and prevent problems and reduce risk. So there's a lot of valuable pieces of, of the CMMC model. And I'm sure we're going to continue to learn more if they continue to release information.

John Laub:
So speaking of security, it seems like a day hardly goes by where we don't hear of a ransomware attack and, you know, organizations being extorted for vast amounts of money. Tell me about what is, does MainSpring do anything to help their clients protect themselves against ransomware? And if so, what, what do you do?

Ray Steen:
Sure. Well, beyond the infrastructure and modern tools, yeah. You use them on the backend. Everybody knows that people are the weakest link for an organization when it comes to ransomware. We're all busy people. We're running around with sometimes two, three devices a day, oftentimes we're on the road and communication happens quickly, text message, emails, phone calls, and the sophistication of ransomware attacks has come in the form of video, voice, text, and email scams, posing as colleagues, prospects or clients, asking for people to take action in those electronic communications, whether it's texting back, clicking on a link or opening an attachment. And so what we've done is we have become huge proponents of security awareness training. And back in the day, you know, back in the army days, it was through eight hours of briefings and you get your certificate, maybe attack you pass the computer based training module, and then you never talked about it for a year.

Ray Steen:
Similar to the auditing process, a lot changes. The, the tactics that criminals use change seemingly weekly. Yeah. Often monthly, and I'm amused by our provider that, that gives us the tools to roll out security awareness training today at some of the sophistication that's being used. At any rate, the modern, the modern form of cybersecurity training is really to enroll all of our clients and their staff into an ongoing security awareness program where they're often tested by our team in the form of fake phishing attempts and attacks. And the best part about that is really the immediacy of the learning. So when someone clicks on one of our campaigns, they see exactly that they fell for the attack and what they could have looked for in that attempt to improve.

Ray Steen:
And it's that kind of immediate corrective action that has really kind of taken a foot in microlearning. In addition to that, we're able to look on a very large scale for an organization and see what their virtual risk score is. So very much like an assessment, we do the IQ assessments that we do continuous auditing. We get a score for the organization, and it helps senior leadership understand where they are on a spectrum of risk. How do they compare to the other organizations in their industry and how do they compare based off of their seniority in their organization? Cause we know that, you know, the more senior you are in an organization, the higher risk that you present if you're not staying up to speed with the latest and greatest. So in addition to that, you know, everybody has a magical button in their email where they can click a button and say, I'm not sure if this is right or not, but I'm not even going to go any further and I'm going to hit a button and I'll let the IT firm determine whether it's real or not.

Ray Steen:
And that's powerful because, you know, when, when the Stop. Think. Connect. campaign came out under the National Cyber Security Alliance, they wanted people to stop, think about what they were looking at, and then connect with the individual in a different form, picking up the phone and calling them, or connecting a scammed with scam and determined whether it was fake or, or legitimate. And this magical button, you know, allows an org, allows a person to act on it without really acting on it and doing harm. So being able to send a message that they think is suspicious, get a little bit of a forensic guy on it. And then response back is a powerful, you know, shield that they can hold.

John Laub:
And then

Ray Steen:
We provide very micro learning training modules to our staff, you know, two minute, three minute videos on some of the most modern, you know, spear phishing attacks, and malware attempts that they can, you know, they should be aware of. And it's not the old hour long PowerPoint.

John Laub:
That's amazing too. I mean, so really what you're doing is along with that kind of micro learning, you're doing with video training and things like that, you're actually simulating phishing attacks, but in a completely safe manner where these, these phishing simulations are very convincing, end users are all getting them at some point throughout the, you know, the workweek apparently. And they, if they, if they don't detect, it's a phishing scam and they do click it, they know it's completely safe, but they they're automatically, there is that feedback. Slack was what you're saying. Right, right.

Ray Steen:
Yeah. There's positive feedback. Yeah.

John Laub:
Positive feedback. It says, Hey, you know what, guess what these are, maybe the things you could have looked for and you know, this time, you know, it's, but I imagine when they do hit that button, the magic button, you mentioned that reports that I imagine they're catching real phishing attacks conceivably. Correct.

Ray Steen:
Absolutely. And by doing so they are alerting, you know, their IT firm, who have an opportunity to help safeguard the rest of the staff because they're doing, they're doing their neighbors a favor and identifying, you know, an address that, that probably should be blocked so that nobody else has to go through the same.

John Laub:
You mentioned the first line of defense earlier, which is really making sure all the firewalls are kept up and making sure that the threat protection is all in place. However, you know, we both know that, you know, hackers are smart people and they're always seeking to circumvent these firewalls. And so they'll create new domains. They'll do all kinds of very innovative and creative things to get around. And even the best, I was reading a statistic recently, Ray, that said that even the best firewalls allow seven to 9% of these threats through. So, you know, when you mentioned the last line of defense, right, being the user, that's such a powerful way to make sure that you're really training your users, and your clients, to be very, very good detectors of these phishing attacks, which is really amazing.

Ray Steen:
Okay. I find the training very powerful and very modern and very easy. And it's, it's been satisfying to see our clients improve on security awareness training. Whether they want to call it training or not, they are sharpening their skills and they are, they're improving the security posture for their organization. And they're protecting intellectual capital. The organizations that are using it the most are finding other ways of using it, the training modules, to, you know, improve areas beyond just spear phishing, like better understanding PCI compliance and safe handling of credit card information and protecting personally identifiable information. So security can run deep. It can, it can get complex, but I like the platform we're using. And I think it's a very effective training and education tool.

John Laub:
So really our time is about up. But if somebody wants to discuss how MainSpring might be able to help their business, how can they reach out to you?

Ray Steen:
Sure. We've got a website called gomainspring.com. It's got a lot of information up there, like case studies, a little bit more about who we are as a team. I like our, our people page and we've got some nice bios up there. We've got a very diverse staff and very experienced staff that have been with the organization for a very long time. And you know, they're, they're a great bunch. So yeah. Check out gomainspring.com.

John Laub:
So go MainSpring that's G O M A I N S P R I N G . com. Correct. If you're looking for someone to discuss your business, if you're feeling some pain points and you're just trying to figure out, Hey, I need someone maybe with a new set of eyes to chat, or you just want to find somebody to discuss compare soccer, coaching styles please feel free to reach out to Ray Steen. And I'm sure he'd be able to set up a free appointment and, and talk and figure out, Hey, you know, is there some way we can help? Oh, thanks. Thanks everyone. And we'll see you next time.
