00:02
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:11
Welcome to CyberSound. Today we have joining us, Michael Grande, the CEO of Vancord, and Brian Doyle, the Co-Founder of vCIOToolbox and Cybrance.
Brian Doyle 00:22
Thanks for having me on.
Jason Pufahl 00:24
So if we could, I'd love to start a little bit with your background, and maybe background prior to your work in the vCIOToolbox.
Brian Doyle 00:31
Sure, yeah. I mean, I won't go into the big, big scheme of things, but we'll just go into, you know, I've been around probably a little bit over 25 years now in the IT services arena, you know, started with a traditional system integrator, kind of moved into a situation where the .com boom came in, and we went from eight employees, to 52 employees, back down to eight, how I became an entrepreneur was the accidental entrepreneur, where I was told there was no paycheck on Friday, I don't know who your customers are. So if you want to take them, go for it. And that's how we launched our, our old company, Proactive Technology. So now to fast forward a bit, you know, that was really just a traditional MSP, although it started as a professional services org, we were early into the MSP world in 2002, providing managed services, we then, I acquired, so, we're acquired and part of a partnership, actually more of a merger, where we acquired regional data centers. And then it is where cybersecurity or security as a whole really entered my life much, much more fast and rapidly. And, you know, I left there, start, worked as a hired gun, starting up a couple other data centers with another organization. And then in my time of non compete, it was just a question of what should we do next? And I know, that'll be something we'll chat about, so I'll hold that.
Jason Pufahl 01:49
So, co-founder of two software products, why don't you spend a second on kind of what those are, and frankly, I'm really interested in what the need you saw, that led you to want to fulfill them.
Brian Doyle 02:00
Yeah. So they're very related, right. So, you know, we've got two products, one that's really geared to the IT service providers set, and answers some of the requirements that they have in terms of multi-tenancy and being able to support a wide group of customers. And then we have our GRC product, the GRC product's entitled Cybrance, and that's really geared for the commercial marketplace. But we utilize that platform as part of the overall vCIOToolbox platform, which is the name that we use for the platform that goes out to the service providers. And you know, if you really think about it, obviously, it's looking at security and compliance. But it's also working to build a common communication language to talk to your customers. So in the world of service providers, you know, they love talking in bits and bytes, right, you know, it's all about those kinds of things. But the business people sitting across from the table aren't really in tune with that. So you know, the need to get specifically to what you're asking for Jason was, we saw that customers didn't understand why the roadmap was before them. They felt they were buying, buying on blind faith. And it was a struggle, same thing for internal companies or internal IT departments as well. We're putting together these budgets, but now we got to build a business case to take to committee, do we actually have a justifiable reason? So everything kind of hinges off this concept of a strategic plan in our platforms, that serves really as the north star to guide both IT service groups and internal IT departments.
Michael Grande 02:56
And did you have any key lessons from all those years running an MSP and being involved in larger corporations as well, from an IT perspective, that really paid off?
Brian Doyle 03:33
Yeah, I mean, you know, it really did work out because I did have a little foray into large corporate world. And that really gave me a sense on how real senior leaders wanted to be communicated to and how short they wanted the message to be. We used to joke about the one pagers that were in six point types, everything you could in one spot. And you know, between that, and what I really saw with the end user community, and this is a struggle that service providers have, where, you know, they're not viewed as anything more than a commodity partner, sometimes these days, and you got to uplevel that perception to being the guy that's going to step in and be the CIO. And we got to give them the tools so they can speak that business language. And that's, that's one of the things that drove us to build the initial product, we came to market first with vCIOToolbox. But we soon learned because we had customers coming in buying that product that were not service providers, that the same struggles can happen in smaller or more mid-sized organizations who are struggling with how to get that security and compliance story back to their ownership, and really be able to convey a message that makes them take action.
Michael Grande 04:34
And with regard to risk management, and sort of the growth that many companies and commercial entities or even nonprofit entities are looking for more controls, understanding more compliance issues, can you speak to that a little bit?
Brian Doyle 04:46
Yeah, I mean, you know, obviously, what's driving a lot of the compliance story, you know, outside of the regulated entities, is the need for cyber liability insurance. And we're certainly seeing that it's becoming an interesting proposition in the market today. It's getting increasingly more difficult to get, it's getting more costly, and claims are starting to be rejected, even to the point where now there are cases of fraud out in the marketplace where claims were paid, then it was determined that the original application was false, and now the DOJ is getting involved. And those are some scary things all around, right. So we're seeing small, small to mid sized businesses really looking and saying, hey, we're not regulatory bound, but are there frameworks? Are there risk management procedures we can bring in? Just to make sure that we're protecting our most valuable asset or business.
Jason Pufahl 05:33
Right, can you operate more maturely, ultimately? So both of your products are geared toward, I say, specific strategies, vCIOToolbox which was more for your traditional IT strategy, the CIO, Cybrance is really more of a risk management sort of standard and regulatory compliance tool for CISOs. Did you develop them that that uniquely, what was your original thought going into that?
Brian Doyle 05:56
So, our original vision was, start in the service provider space, totally. So we came to market with what was really a need there called, Quarterly Business Review, which is exactly what you're saying, Jason, speaking to, being the CIO, bringing it to the CEO, a plan of action you can take. We saw very quickly, though, that they really needed more advisory. And that's kind of where we stretched into the GRC space. And once we got into the GRC space, combined with the experiences I had, in the data center, preparing for those GRC audits, we saw that there had to be an easy way for people to collaborate, collect data, present that data beyond the spreadsheet, even be able to engage auditors into the process. But more importantly, be able to tie it back to business objectives kind of the thing missing from a lot of GRCs, where you're able to show and quantify, hey, when we go deliver this project, this many controls are going to be solved. And this is the business need, that's going to be satisfied in the process. So you know, our USP, Unique Selling Proposition, is really trying to empower executives who are trying to communicate with their corporate teams, the tools that have the compliance conversation, but at the same time giving a common set of tools that most CISOs are comfortable with and understand.
Jason Pufahl 07:04
So I think it's really powerful, though, that you're in a space where you're trying to enable the CIO or the CISO, to describe themselves as a business enabler instead of a cost center, because that's really traditionally been a challenge, right, getting budgets justified, demonstrating that you bring value to the business and that you're simply not, you know, spending money or costing money for something that in a lot of times, people just don't understand what the outcome is.
Brian Doyle 07:27
And I know you've talked about this in the past, Jason, the CISO is still having a tough time getting a seat at the real C-level table, and you know, more and more, that's starting to shift a little bit more. And we're trying to help empower that conversation for them by giving them just a very simple methodology to put it out there. And, you know, I've kind of spoken to that methodology a couple of times, it's, you know, not huge rocket science, it's really working with your key stakeholders and end user business owners and saying, what are you trying to accomplish? What are the key objectives you're going after? And obstacles in the way of your business? And where do we feel the security gaps are? And then, you know, undertaking your risk assessment and compliance assessment to then see how can we satisfy those gaps, and where can we show projects do tie back to business needs? So they kind of have a two pronged effect, right?
Jason Pufahl 08:09
And how do you prioritize, and can you use that to justify, you know, the order of events and demonstrate improvement over time? Which is such a key thing in our industry.
Brian Doyle 08:16
Yeah, I mean, that improvement over time is the most critical part of it.
Michael Grande 08:23
I was gonna, you touched on a few things. Do you have any sort of top number of points that you think CIOs need to be focusing on these days?
Brian Doyle 08:31
You know, CIOs are, have to be focusing on the legitimacy of their applications when they're going for cyber liability insurance. You know, this is becoming, you know, one of those problems, you know, you think back to when Sarbanes-Oxley came to be in GLBA, right, it was kind of the financial underwriting now, we're kind of looking at the same kind of thing happening here at the at the security level.
Michael Grande 08:49
The verification and efficacy of the information.
Brian Doyle 08:52
Yeah, you know, I mean, everybody wants the lowest, lowest premium possible and certainly needs the insurance. But you've got to be cautious of, how far are you stretching that truth? Because it could come back and bite you someday. So that's one thing. You know, obviously, other things that CISOs or our CIOs are running into is the talent gap. Yeah, there's really such a shortage of true, you know, senior level cybersecurity professionals in the marketplace today. It is tough to find those people. And I would conversely say, and, you know, this is anti service provider in some respects, but know your service provider's credentials and capabilities too. We take for granted as businesses that use managed service providers that they're doing everything for us. And oftentimes, they don't have the skill sets in place, although I will say the ecosystem has gotten much better of services that can support those upstart vendors and make sure they've got the right talent at their disposal.
Michael Grande 09:44
Somewhat tangential here, but do you see a day where there's some sort of maybe not regulatory control, but some sort of licensing from a MSP or service provider perspective?
Brian Doyle 09:55
I joke around about that all time like, the lady that cuts my hair needs a license. But all I need to be an MSP is 150 bucks and go down on the state of Connecticut, right. But, you know, the reality is there is and there is a group, and I'm going to screw up these initials for the service provider community, especially NTISP, which is a group now that's really trying to push in lobby for legislation to make it a little bit more difficult for new entrants to come in to validate that the end user concerns are going to be there. And I think you're seeing since some of the breaches have happened at service provider levels, and at software levels, you're starting to see that insurance companies are writing into their plans, you can't use XYZ platform now, too. So there's a lot of changes that are going to change the complexity of doing business. And, you know, again, go back to the CIO, make sure all your products aren't on that list, right?
Michael Grande 10:43
Yeah, absolutely.
Jason Pufahl 10:44
So we've been lucky to work with you for a while, right. So we use vCIOToolbox to manage a lot of our sort of more traditional MSP clients, we've certainly moved into the Cyberance space for the GRC purposes, it's been a really valuable tool for us, I think it's given,
Brian Doyle 10:57
You guys were my guinea pig when we first started, so to be fair, this is a tradeoff.
Jason Pufahl 11:01
It's been great to help you identify areas of opportunity even over the last couple of years. So one of the things that I've been gratified to see is just your growth. I know you're having some success now outside of this even, with with some other relationships. I'm curious, you want to talk to those?
Brian Doyle 11:18
Yeah, we're having a lot of fun these days, you know, it's great when you get past that initial startup phase, and you get into that acceleration phase,
Jason Pufahl 11:25
People know who you are a little bit.
Brian Doyle 11:26
You have a little bit more to go do some things with, and we have a lot of fun things that have really helped us come to market. You know, we have a podcast that you've been nice enough to be a guest on with me. We haven't had you yet.
Jason Pufahl 11:35
I think I have another date scheduled at some point, right?
Brian Doyle 11:37
Yeah, yeah. So, you know, so our podcast has been a big part of our kind of outreach component. And we're very big on thought leadership, right? I don't care if you know, hopefully, you find your way to my product. But really, as a community of IT professionals, we all need to do better. And we need to be out there sharing the little sliver that we know. And that's the other part, make sure you stay in your lane, if you're gonna go try to do this.
Michael Grande 11:59
Absolutely.
Brian Doyle 12:00
The second thing that we've been into is obviously trying to build our company. So we're fortunate enough this year to be brought into the ConnectWise PitchIT Accelerator Program for 2023. And that's a great program where they brought 27 different emerging IT vendors in to really help educate them on different facets of the business that they might not have expertise in. So we had 16 different speakers that ranged on topics from how to get your p&l correctly to how to get yourself visibility on social media, all kinds of different topics that you know, small, upstart emerging vendors are struggling with, and, you know, helped pass some education. And we were fortunate enough, there was a pitch competition where we had to give a five minute pitch and if you say, well, five minutes and one second, nope, you were ushered off, boom, the hook came in for you,
Jason Pufahl 12:46
And you're not a talker at all, so I'm sure it's really easy for you to get that in there.
Brian Doyle 12:49
That was my biggest fear. How do I stay in the five minutes, right? So the good news there was we, well, the news that's coming up as we record this today is we were brought into the finalists. So three finalists will be presenting out in ConnectWise, this IT Nation event in November, it's a collection of 4,000 service providers that are going to be there. So you know, from a branding perspective, it's gonna introduce us to a lot of new people that don't know us yet. But you know, really what we love in this journey has been listening to folks like you, Jason and our customers who are educated in certain areas there. And the part we love about being a smaller company is we can be more nimble to adapt. Right, so if you show us something that, you know, we can improve upon, we're able to listen to that. And we're able to make those adjustments. And that's kind of a core tenant in our mission that we hope never to lose.
Jason Pufahl 13:39
Yeah, well, I mean, I can say, you know, I work closely with Ken as well. And you know, every time I want to discuss something, he's more than eager to listen, right. Whether it fits directly into the development cycle is a different story, but always, always open and always recognizing that there's opportunities to improve the product.
Brian Doyle 13:53
And we'll have to give him the full credit there. That's our CTO, Ken Fearnley. Without him, there'd be a far different product.
Michael Grande 14:02
I'm all set.
Jason Pufahl 14:03
Yeah. So, I think, Brian, I appreciate you joining today. I appreciate you watching us set all this up and getting everything together.
Brian Doyle 14:09
This is great. You're giving us more ideas, you know, we, we look like semi pros.
Jason Pufahl 14:17
We make the room look bigger than it is I think is the goal. Thanks for joining, thanks for sharing a little bit about your background, I think vCIOToolbox and Cybrance. And frankly, I think the the value that they bring to two groups of people, the CIOs and CISOs, that frankly have a really difficult time getting their message out and understood, I think they're really valuable. They've been valuable for us as a company. I think they're valuable for the sort of those direct sales that you're looking at.
Brian Doyle 14:42
Appreciate that, you know, we try to meet the need, right. And it's great to hear that, you know, we're helping make that impact and hopefully help those customers we work with better secure themselves and for the service providers grow.
Michael Grande 14:54
And good luck at IT Nation.
Brian Doyle 14:56
Thank you very much.
Jason Pufahl 14:57
And of course, if anybody has any interest in looking at vCIOToolbox, more closely or Cybrance, you can reach out to me directly, to Brian, the information will be in the podcast. And yeah, we can help link everybody together. Brian, thank you.
Brian Doyle 15:10
Thank you guys, appreciate it.
15:12
We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn. And remember, stay vigilant, stay resilient. This has been CyberSound.