The Magnificent One's

Cyber Risk Isn’t IT, It’s a Leadership Failure | Chris Farr

Annheete Oakley

Share episode

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 47:48

Send us Fan Mail

Cybersecurity is no longer an IT issue, it is a leadership decision that determines whether a business survives.

In this episode, we break down why modern cyber risk is a reflection of leadership, not technology. As companies move to cloud systems and remote operations, responsibility has not disappeared, it has shifted to the people making decisions about access, convenience, and accountability.

Chris Farr brings over 20 years of experience in IT and managed service leadership to explain why small and mid-sized businesses are prime targets, how attackers exploit human behavior, and why seemingly small decisions around passwords, email, and MFA can quietly create major vulnerabilities.

This conversation focuses on what actually drives resilience:

• why cyber risk is a leadership responsibility, not a technical task
• how convenience-based decisions create hidden exposure
• why small and mid-sized businesses are increasingly targeted
• how phishing and social engineering exploit predictable behavior
• the role of discipline, training, and accountability in reducing risk
• what separates a true technology partner from a basic vendor
• how cyber insurance is raising the standard for security

If you are responsible for protecting a business, this episode will change how you think about risk, ownership, and decision-making under pressure.

Subscribe, share this with someone responsible for protecting a business, and support the show: https://www.buzzsprout.com/1963905/support

This episode is supported by Dre’s Island Flava, a local Caribbean catering company serving authentic flavors and culture. Learn more here: https://dresislandflava.com

Support the show

This episode is supported by Dre’s Island Flava, a local Caribbean catering company serving authentic flavors and culture. Learn more here: https://dresislandflava.com

The Magnificent Ones: A Podcast for Clarity

SPEAKER_01

This is not a podcast for comfort. It's a podcast for clarity. In a culture flooded with noise, dangerous narratives, and emotional uncertainty, this space exists to examine what actually matters and what actually works. Here we question power itself, belief systems, and the assumptions most people inherit without inspection. Most people accept instead of dissect. This podcast is about correcting that. Welcome. Most businesses think technology failure looks like a server going down. But the real failure doesn't look technical at all. They look like lost trust. Miss payroll, data exposure, frozen operations. Customer quietly leaving. And suddenly technology is no longer the support function. It becomes a difference between survival and collapse. Today's conversation is not really about IT. It is about leadership under pressure. It is about decision making when the stakes are invisible. And when it's about why most dangerous risk in modern business are the ones executives don't fully understand. Our guest today brings more than 20 years in IT and over a decade in managed service provider leadership. Working directly inside businesses, navigating cybersecurity threats, operational breakdowns, and rapid digital change. He has watched technology evolve from background infrastructure to frontline business risk. He has seen companies grow because of smart decisions. And he has seen others collapse because of overlooked ones. This conversation is about what happens when leadership meets technology and when accountability meets cyber risk and when operational discipline becomes the real competitive advantage. This is a conversation about clarity in a world where complexity is growing faster than most organizations can handle. Chris, welcome to the magnificent ones. Take us back to the beginning. What originally pulled you into technology and what did the industry look like compared to what you see today?

What was the energy cost of computing back then?

SPEAKER_00

Well, as far as what got me into the industry, I really just like, you know, troubleshooting things. You know, that's really what got me into the IT world, where no matter if you see the same problem 10 times, you know, it it's always a different aspect to it and a different way to kind of approach that problem, depending on who's actually having the problem. So it's really one of those things that I always saw is it's not the same job every single day. So it's one of those things where, you know, you come into work, you don't necessarily know what you're getting into, you know, hour to hour. It just depends on how the how the technology's working and what kind of issues people are having. So that's what kind of you know inspired me to kind of move into that realm. And then as far as how it's changed, I mean, it's it's changed drastically, you know, just over that, even though it's been a while, it still feels like a short period of time. And, you know, we've gone from having, you know, mainframes and you know, large servers, you know, in a back room somewhere, you know, just uh now, you know, everything being cloud-based and you know, not having that infrastructure inside the building, you know, where people can work, you know, across the globe, across the country, you know, you'd have different offices set up at different places. And so that kind of turns the technology around a little bit, you know, and it makes you have to figure out a way to incorporate all that in together where used to it was for every building you've got, you've got to have the infrastructure inside each location, you know, to be able to bring those tools to the end user or to the employee to use.

SPEAKER_01

So I have a funny question to ask that just popped into my mind. What was the energy cost like back then compared to today? You had to think about that.

SPEAKER_00

That's it. I mean, because I mean, back then, I mean, in a server room alone, I mean, just the heat that you were putting out and just those large, you know, power supplies that were being pushed out. Oh, yeah, it was astronomical compared to now. But now you've just taken all the money that you were spending on power and energy back then, and you're just giving that to cloud providers now. So basically you've just taken the money, you know, and moved it from one area to the other. But then again, it's made everybody more efficient. So, you know, I'd much rather spend that money and be efficient than spend that money and just, you know, pay it to the power company.

What would shock you most about the IT world?

SPEAKER_01

Absolutely. So if we were, you know, if someone from say 20 years ago in IT walked, you know, in today, now what would what do you think would shock them the most?

Whats the Difference Between Technology and Responsibilities?

SPEAKER_00

I think the the part that would shock them the most is not being able to put your hands on physical equipment, you know, like you could back then. You know, you still got the workstations, you know, everybody's still got their computer and whatnot, the way their vessel to get out to whatever you know, the conduit that they need to get out to the data. But there's no physical hardware from a server standpoint to put your hands on. You know, for most people, there's still some out there that have that technology depending on what type of line of business app that they're using. But for the most part, I think that's that's what would shock them the most, though. It's just, you know, if something's broken, you know, where is it at? And then having to, you know, kind of peel that back and go, okay, it still exists. It's just not, it doesn't exist within this brick and mortar.

SPEAKER_01

So so if if if you had to to choose what has changed more since then or changed the most, would you say that the technology has changed the most or the responsibilities tied to it?

SPEAKER_00

Well, I think I could see that in both ways because the technology has changed just from the standpoint, like I was mentioning, as far as where's that data located? You know, where's that data housed? And then the responsibility of it is, you know, back then you were responsible for making sure those servers are backed up. You know, do you have a business continuity plan, a disaster recovery plan to get back up and running if something catastrophic happened to that hardware? Where now the responsibility's changed to we're going to put trust into a cloud provider, you know, to put the data within their ecosystem, and then you're responsible to make sure that that data is protected within their ecosystem, you know, and to make sure that all the boxes are checked from a compliance standpoint. So really the responsibilities have changed and the technology's changed basically kind of at the same aspect and at the same speed.

Cybersecurity Strategy: Small Businesses

SPEAKER_01

And I think that's very fascinating. You know, there was a time where when people thought of IT, it was, you know, fixing the printer, you know, resetting the password, you know, keeping the systems running. And today, you know, technologies, you know, the decisions that we make, they're you know revenue-based. It's understanding also who you're working with in the culture that they have within their business as you know, as a person in MSP. So my question to you is, you know, when did you personally realize that IT had shifted from support to strategic leadership?

SPEAKER_00

I would say probably in the past 10 to 15 years, it's been gradual, it was gradually getting to that level. But it there was a big shift, I would say around 10 years ago is what it kind of feels like. And I'm sure everybody in the industry would probably have a different, you know, uh year or a different time frame that they kind of felt it. But that's really when when I started to notice it was when, yes, you still needed people and your boots on the ground as far as fixing the problems, you know, fixing slow computers, replacing hard drives, those sorts of things that are, you know, still being done now. But then it kind of flipped where things went more, you know, just uh over the web, you know, which has been obviously growing for a long period of time. But that being able to set up remote offices and not have to have connectivity back to the home office, where that's where you really have to put that planning hat on, you know, and figure out a way to secure those offices, you know, to make sure that, you know, that the wrong people aren't getting into whatever you've got there as far as workstations, but just making sure that those locations have the infrastructure and the internet and whatever they need to be able to contact the data, you know, wherever it is to be able to grab all of that.

SPEAKER_01

Now, do you think that most leaders underestimate this shift? And where do you think they misunderstand the misstanding the misunderstanding show up most? Because I have a personal question that I would like to ask after that.

SPEAKER_00

Well, as far as that, I think the biggest thing that people miss nowadays is where they've kind of grasped the idea that they really need an IT partner or an IT specialist or, you know, professional on their staff in order to just make sure that they have the tools in their employees' hands to be able to move the business forward, you know, in the direction that they want to go, because everything is pretty much dependent on technology now. But where a lot of people miss the boat is also planning for those cybersecurity risks, you know, just those bad actors that are out there that are just, you know, wreaking havoc. I mean, everybody hears, you know, about these large companies, you know, that are at that may your your data may or may not have been viewed in a potential cyber event that they had. And I think a lot of people, especially in the SMB world, the small to medium business world, is that they think that they're too small to wind up on the on the radar, you know, of one of these bad actors, where, you know, nobody's too small. You know, it it it's a multi-billion dollar business of just these these hackers and these bad actors across the world that are just trying to find anything that's that's not secured to the way that it should be. You know, they're always going to take the path of least resistance, you know, and the smaller businesses are usually the ones that's gonna have the least resistance because either they don't have the expertise in-house or they haven't reached out, you know, to a partner and leaned on them to help them get as secure as they need be, as they need to be. And so I think they kind of miss the boat on that because they look at it, like I said, as far as not thinking that they're that they're thinking that they're too small to wind up on a radar, but they may be too small to wind up on the news, you know, to let the whole world know about it. But if something were to happen, you know, that could be the difference between I'm opening or I'm not opening tomorrow. You know, it could be a million-dollar mistake that happened, or it, you know, it could be a little uh a smaller amount, but still, even depending on the dollar amount, even if you're a small business and you know you're in a small community and you've got, you know, the geographical region that you're doing business in, you still take on that reputational risk at that point because then people are looking at you, you know, and going, is my data secure if you're a company that has, you know, any type of personal information for that person. So there's a little bit of a reputation risk and monetary risk that could go into play. And then, you know, depending on what type of business you are, you know, there's compliance risks and different agencies, you know, that you have to be accountable to as well. So yeah, I think just not thinking, just not taking cybersecurity as serious as they need to is where most, especially small businesses, miss the boat.

SPEAKER_01

Recently, one of I have a friend that works in IT and they work for a larger organization and and he works remotely as well. One of the issue issues that he was having was the entity that he was dealing with, they were opting for convenience versus security. And the the the the the same thing that you were talking about, the cybersecurity risk, you know, the mil multi-billion dollar operation going on. And yet, even though these people are stakeholders and they they're you know board of directors, they still sometimes opt for convenience over security. Now, in in your field, have you encountered similar situations where you you may have seen that there's a risk potential, but the group wants to focus on maybe convenience because it's not a monetary issue. It's just they just don't want to do it because it's not convenient.

SPEAKER_00

Right. Yeah, we say that all the time. I mean, it's something as small as multi-factor authentication, you know, where you log into something and you get a text message or you use an authenticator app and you have to put a code in. There's a lot of people who just don't even want to enable that just from the the standpoint of yes, it's gonna take you, you know, a few seconds longer to log into this website or access this program. But anytime that you make something more secure, it's always gonna be less convenient for you, right? I mean, and you could even kind of boil that down to something as simplistic as even your front door to your house. If you if you wanted to make it real convenient to walk in, just don't put a lock on the door, you know. But then you're not as secure as what you could be. So I think if you look at it from that standpoint, that, you know, it and at the end of the day, I mean, multi-factor authentication, passwords, password complexity, et cetera, it's no different than having a lock on your front door. You know, it's going to secure you in a way. Is it going to slow you down? Yes. And there, but there's a lot of people, like you said, I mean, there's people out there that just want a one-letter password. You know, I mean, that that that's still things in the industry that we're still fighting. No password complexity whatsoever. And at the end of the day, I mean, it for whoever is running the business, owns the business, you know, it's their decision. You know, you can only, even as an IT provider, you can only make them as secure as they want to be. You know, you can tighten everything down and make it just as secure as that you want to make it. But at the end of the day, they're the ones doing business within it. So it's their decision. You know, we're just there to kind of advise, and you know, we have the tools in place, the expertise, and the ways to make it happen. But if you don't get buy-in at the ownership level or the leadership team level of the company that you're working for, then none of that matters.

Cybersecurity Risk Management

SPEAKER_01

I think, you know, that's where the matter of consequence is. Like some people have to learn financially or perhaps take the reputational risk in order to learn about, you know, about security and the importance of it. And sometimes it may be experience because it hasn't happened to them yet, they think it'll never happen. So you know, have you worked with any organization navigating, you know, real operational pressure without naming any names? Can you share a scenario where poor technology decisions created a serious business risk?

The Human Components of IT

SPEAKER_00

Yeah, we we uh I I've worked with a company and it was one of those scenarios where, you know, during a quarterly business review, which, you know, where you're sitting down with them on a quarterly basis, which is kind of where to kind of build upon that, where a true managed service provider at the end of the day is doing more, you know, than just doing your break fix, just things that are breaking. So we also do what's called a quarterly business review or a technical business review, you know, on some type of cadence where as a partner to that company, you know, we've got a seat at their leadership table from a technology standpoint to kind of help guide the company or at least advise on do's and don'ts. You know, these are things that you should do based on best practice. These are different types of equipment that you may have that's, you know, getting a little age on it, that you may need to start, you know, budgeting for in the next year, six months, et cetera. And so, yeah, that there's been times of a particular company, you know, we've sat down with them and told them, you know, you we need to put these security protocols in place, you know, so your email is protected, you know, so there's no man-in-the-middle attack, or there's no one, you know, having access to your email that's circumventing emails that you think are going out to someone and they're getting in there and sending emails on your behalf to kind of manipulate wiring instructions or ACH information for payments or, you know, what have you. And there has been a scenario where, you know, we've we've explained all of those risks and they they just didn't want it, not necessarily from a financial standpoint like you mentioned, but just from that that just ease of use standpoint. You know, I don't want to do this extra thing because it's gonna slow my employees down. And then, you know, fast forward a little, you know, a few years later, it was a huge, you know, multimillion dollar mistake because payments, you know, for different types of accounts were moved around. And that particular company didn't have any type of cybersecurity insurance. And so without that, they're just left holding the bag. You know, they're the it's their responsibility to notify all their clients. It's their responsibility to, you know, to basically just eat all of that money that you know that went out. There was no insurance, you know, insurance company to fall back on. So what that does, though, it makes this company obviously, and luckily they were able to bounce back from it, you know, and build from it. But then the mistake they made was a whole lot more expensive, not just from the amount of money that they lost during the cyber attack or the cyber event, but it was then having to go backwards and start putting all these security protocols in place when if they would have just done it in the beginning, you wouldn't had to have paid for a forensic IT company to come in and go, where did this actually come from? You know, those forensic IT companies and those forensic accountants don't come with a cheap price tag. And so there's a lot of extra of that that's being paid out that if they would have just implemented the security protocols and got over the hurdles of just that that simplicity of doing your job day to day and putting a little bit of extra security on it would have saved them, you know, tons of money, you know, at the end of the day. And so there's a, and that's not just the only one. There's a lot of companies, you know, that just have to learn it the hard way, you know, and so you know, it it happens. But yeah, they always it's always nice when they're able to bounce back and come back from it, but they always go after the fact. They go with a much stronger security mindset, though, which is good. You know, it sets them up for success, it sets them up for, you know, just to be better. And then it's better for their clients as well. Their clients' data is protected, they're protected, and then they're able to actually get cybersecurity insurance because this day in time, you know, we assist our clients with filling out the questionnaires just to be able to get that insurance in place. And just the number of boxes that have to be checked and the number of protocols that have to be in place for these underwriters to actually write your policy for cybersecurity insurance, there's a lot of stuff that goes into play. It's all it's all good things. And that's that's one thing that's good about the insurance industry as a whole from the cyber side, because you know, insurance companies are in the game of not paying claims. So that's what they want to do. They want to set themselves up for success. And the best way for them to do that is to make sure that everybody that they're underwriting has all the security protocols in place. And so as companies go and get these policies, they're leaning on IT professionals to help plug all these holes and put these things in place to, you know, to make them insurable. So it's actually a win-win. They're pushing down a lot of protocol, and it's making companies get a little bit more tighter, you know, with their security.

MS: The Weakest Link in Cybersecurity

SPEAKER_01

I think one of the things that I value about what it is that you have talked about on numerous occasions is that, yes, there is the technology component to all of this, but there's the human component, and it starts with people. It all of this starts with people, and that's where the biggest risk happens. And also that's where you see most of your success. It's with people, whether it's your employees or with the clients that you're assisting or providing support to. And that's always fascinating to me because in this age of AI, you know, there's still the human component is still the biggest factor in all of this, and we always have to account for that measure. So, and I know that in your field, you know, today a lot of times people think of cybersecurity as simple, you know, IT work, essentially. That's an over simplify oversimplification. But what are things that most common security gaps that you see nowadays in the era of cybersecurity?

SPEAKER_00

Well, the the weakest link in cybersecurity is us. You know, it's like you said, it's the human factor. And, you know, you could put as many tools and as much security and protocols that you want in place, but you're still going to give every employee an email address and you're going to give every employee a workstation. And so emails come at you all day long, you know, and they're coming fast. And now they're getting kind of harder to look at to determine is one a phishing email? Is it a spam email? Did the person that is the name that's showing up in my email client, is that the actual person who sent me that email? And so a lot of that gets pushed down to the employees, to every end user that's using any piece of technology equipment on your network to go through social engineering training and buy that, you know, just just basic things to look at as far as an email to say, okay, this doesn't look right. The person, you know, normally I'm emailing with you and the grammar is is correct on it. Where this one, it just seems a little off. And so just paying attention to small things, you know, such as that, and to look at it because, you know, I could get an email from you. I don't know if your email account's been attacked or not. So it could be a bad actor that's laying in in wait in your email that's just contacting some of your contacts because there's already trust built there. And so the next thing you know, you know, you're asking someone to do something or, you know, wire this money, or, you know, go go purchase this stack of gift cards and send these to clients, you know, send it to this address, and you trust the person that it's coming from. So a lot of it is, you know, just training the training every end user, you know, just like I said, things to look out for and just paying attention, you know, those links that you're clicking in an email. Do you know the person who sent it to you? You know, so just because that you kind of the lock on the front door analogy I mentioned earlier, just because we put you know a lock on the front door and we make sure that only the certain people have keys to that front door. If you stand there at the front door with a key and you just prop the door open and allow anybody else to come in, that's kind of how you can do it with an email if you click a link. Or you know, if you get an email that looks like it's from Dropbox or from Amazon and they're You know, and it's saying to verify your credentials. You know, please click here to update your password and you click a link, you put in your username and your password to what you think is for a Dropbox or an Amazon or Microsoft website where it, you know, it could be, you know, a fake website where you've just given a bad actor access to whatever application that you gave them credentials to. So it's just a lot of training that person now. You can't just give them access, you know, to everything or whatever they need to do their job and expect that they're gonna keep it as secure as you're wanting it secure. And a lot of that gets pushed down from the leadership team and from higher up just to make sure that that cyber hygiene is in the culture of the company. You know, so that way everybody from the top down is following that same protocol. And then once that's in place, it kind of makes it flow a little bit better. You know, you can still have a bad day. People are gonna make mistakes, but the more we train them, the fewer mistakes that, you know, that they should be making.

SPEAKER_01

You know, something, you know, and I like to to call back to the things that you say because it's practical and it seems simple enough, but it's it it needs practice as well. For example, you know, taking the time to slow down and before just making a decision, whether it's clicking the email, because it seems harmless, right? Opening an email, it seems harmless. It doesn't seem like there would be any consequences. It seems familiar, but if you just take, you know, maybe an extra 10 seconds, right? As you said, the grammar is different, you know, something's different. You'd recognize those things before you click, and next thing you know, you're hacked, and you have some structural your structural integrity is now compromised. So what's a mistake that you see leaders often repeat over and over when dealing with something similar, you know, to this?

What Makes an IT Resilience Team?

SPEAKER_00

Well, I think the biggest part is just adopting a security policy or adopting that within the culture of a company and then it being, you know, on the on the front burner burner at first, you know, and everybody's excited about it. We're gonna make these changes, we're gonna do this, but then just through churn of employees, you know, you're getting new people in and people are leaving and just not following that same training or pushing that same mindset down amongst new hires, or just not keeping it, you know, in the forefront of the culture, you know, where it's something that it it's it's hot and new right now, so we're gonna concentrate on it. But then you kind of just go through it over a period of time and you say, okay, everything's going fine now, and you start kind of peeling away from that just because, you know, life gets in the way, or you know, a new, a new business strategy comes up, a new direction for the business, and then the security and the technology from that standpoint kind of takes a backseat. And then you fall into the same rut that you're in if you didn't even have those things in place to begin with, because you know, you'll look back and realize, oh, we've hired 10 more people since the last time we had any type of training, you know, on this. And so then you're in the same place that you were in before you had anything implemented. So I think the hardest part is just, or not the hardest part, but the the part a lot of people miss is just keeping it going. It's just one of those things that's easy to fall through the through the cracks if it's not top of mind.

unknown

Yes.

SPEAKER_01

I know you talk about, you know, operational maturity and accountability, and those are leadership concepts, you know, and they're not just technical ones. You know, what separates organizations that stay resilient from those who break down under pressure? You know, is it, you know, a budget or is it leadership discipline?

SPEAKER_00

I think it's more leadership discipline because it's one of those things from a budgetary standpoint. You know, it after time it just becomes a line item. You know, you you're you're paying for this service or you're paying for these types of tools to secure you. But the discipline is what gets you at the end of the day. It's just one of those that kind of just falls to the wayside. You know, you you go a period of time and nothing's happened, but then you you forget to think that the reason nothing is happening is because of the fact that we've got these things in place and we're keeping it top of mind and we're keeping the training push down and we're keeping that discipline and just keeping it pushed through the whole organization. So yeah, I would say discipline over the financial part.

MSP Network: What Makes a Great MSP?

SPEAKER_01

Absolutely. You know, if you think about it, you know, every modern business is now dependent on technology. You know, podcasting or even the the person that sells you know cookie baked goods utilizes technology. You know, it's not just the lemonade scan now has has a scanner, right? It's it it's it's all evolved and it all incorporates technology. Now operations depend on it, communications depend on it, customer trust depend on it. That means that technology failure is no longer just a technical inconvenience. You know, it is a leadership, it exposes it's a leadership exposure. So when those things do happen, it does expose what type of leader you have. Is it do you have a leader that had certain measures in place, or do you have a leader that just left things to just let the chip falls where they may and then see what happens when it happens and then evaluate from there. So, Chris, you know, do you think that executives fully grasp that their technology posture reflects their leadership posture in this day and age? I don't think a lot of them do.

SPEAKER_00

I I think, of course, there's some out there that do, but I think a lot of them are kind of set up for a disservice because of the fact that the things that are getting pushed down now and the things out there on the landscape as far as technology and cybersecurity, most people, you know, on the leadership teams don't necessarily have the IT background or the knowledge. And so if they're not set up for success from either having a IT or like a you know a chief technology officer on their payroll or at their company, if they're not depending on a third-party company to partner with, you know, and not just an IT break fix, just somebody who can fix your computers, but from a partner from a standpoint that they're help, they're they're helping to move your business forward, you know, because as long as if you do better, we do better kind of thing. And so, yeah, I think a lot of them, if they don't have it, if they don't understand that or grasp it, they really need to jump on with a partner or have someone on their staff that they do trust. Because, you know, everybody's not good at everything. So, you know, if you surround yourself with, you know, people smarter than you are in certain areas, it's gonna make everybody better and gonna move the, you know, move everything forward as well.

SPEAKER_01

You know, you've spent more than a decade at MSP leadership. What separates a great managed service provider from an average one?

SPEAKER_00

Being a great one is the ones that are more of a partner than a vendor. Because when when you when you when you move from just being a vendor, which is just somebody you're writing a check to every month, to do a certain service, you know, that that that's pretty much all you are. But see, if you're actually a partner to that company and you have a seat at their leadership team, at their leadership table, then you know, you kind of got common goals at that point. You want them to do well because the better that they do, like I was saying, the better that the MSP's gonna do. And just having that partnership, that's that's what sets apart, you know, just MSPs from great MSPs.

SPEAKER_01

So what should business owners look for when they, you know, that they usually like ignore when they're going through this process?

SPEAKER_00

When they're going through the process as far as finding a partner.

SPEAKER_01

Yes, yes. I apologize. Yes, when they're because of the relationship standpoint. So, you know, you, as you were saying, that there's a there's a it's a dual investment on both sides because you want to see that both parties are benefiting in the long-term, short term. So there's this partnership. So what should business owners look for with like the services that you provide to know that, hey, this is a good vendor that will later then translate translate into a business partner, essentially?

SPEAKER_00

Well, one of the first things I would do is ask for references. I mean, as important as technology is, and you know, by the time that you realize that you're with a bad partner or a bad MSP, by that point, you've pretty much given them the keys to the kingdom. And so, you know, you've opened up everything, you know, and they've got access to it. And, you know, they're they're helping you build something, whether it be good or bad. But it's it's harder to kind of peel that back and then jump ship and then move to another one after you've already, you know, invested that much time, effort, and energy. And so I would say definitely, you know, ask for some references in your industry, you know, whether that's your law firm or medical practice, et cetera. I would talk to somebody and just get just get a second opinion, you know, from somebody who's actually using the service. And then also make sure that they're bringing, you know, however many years of expertise to the table, you know, that from different industries as well, from your inside your managed service provider, just making sure that you're gonna be getting somebody who is a strategic thinker who can help move your business forward and not someone who can just, you know, hook up your computer, even though both of those are extremely important and you want somebody who can provide both of those services to you. But you want to make sure that they're they're they're they've got the the the more of the consulting type mindset and somebody who, you know, look at their business. Look at the MSP that you're gonna be doing business with. You know, how successful are they? You know, because if they're running their business well, then they're gonna be able to guide you into helping you run your business well from a standpoint of technology.

SPEAKER_01

Yeah, I think that a lot of time the technology itself gets blamed. So and because it's easy to do blame the technology, right? But you know, many of these incidents they start with human behavior and the decisions that we make and in in action as well. So, how important is it that employee training, you know, is to preventing these, you know, cyber incidents from from occurring?

Cybersecurity Training: Underinvestment

SPEAKER_00

It's one of the most important things. I mean, because it like I was saying, if you implement every tool, every security tool that you can imagine to put on every workstation and put every type of security on your network, if you if the end user doesn't understand the goal and understand what they need to do as that just one piece of that puzzle, then the whole thing's gonna fall apart. And so I that's one thing that going back to your previous question, a good managed service provider, they're gonna bring that training to the tape. They're gonna have at least some type of program, whether it's something they've created or a third-party product that they've kind of, you know, vetted and looked at, and they may be even using it themselves, that can push out regular training to the to every employee. And then whoever the point of contact is at that company, whether it's the business manager, whether it's the owner, they can get monthly or quarterly reports to show which employees have actually gone through that training. So that and who's actually passing, you know, the few questions at the end of it and make sure they paid attention to it. And then if you've got the same employees that just aren't hitting the mark as far as the training, whether they're not completing it or whether they're just kind of struggling a little bit with some of the material, then they can go back and kind of do some one-on-ones with that, whether that's engage your managed service provider to kind of work with that person one-on-one, or just have them go back through the material again, you know, just to get a refresher on it to kind of help make sure that they understand, you know, the severity of not following these protocols.

SPEAKER_01

So what why do you think why do you think some company companies consistently underinvest in these areas? Because sometimes, again, it's not the financial cost, right? It's the taking the time to, again, you're only as strong as your weakest link. So if you do notice that these individuals are constantly missing the mark, there's the investment component that isn't necessarily there, like taking the time to coach that person up to see where the gaps are. So why do you think that culture is not always consistent in in this area?

SPEAKER_00

Well, some of it does kind of fall back on the financial side of it, where if you if you're spending if you have an employee that's spending time going through that material, that's time not spent on doing their actual job. So, you know, a lot of them will look at it from that aspect. But as far as that, uh some of them too, if the person who's in charge of the program within their company, you know, whether whoever that point of contact is, if they don't have complete buy-in either, you know, it's kind of hard to push that down to each end user. So there's a lot, there's a lot it's kind of 50-50. Some some companies, you know, they they embrace it, they want it, they know how important it is. Others, you know, it's just more of a burden to them. You know, it's, yeah, we've got this training. People, some people may be going through it, some people may not be going through it. But I I think, I think on that side, it's just more of a time thing. You know, you've got your employees spending time on things that aren't necessarily making you money, you know, or not actually moving the business goal or, you know, helping their day-to-day job function. So I think it's just kind of trying to break that mindset. You know, it's kind of retraining the leadership team and retraining the people that are in charge of pushing this down to the companies and letting them know that yes, it is gonna take time out of their day, you know, uh regardless of however long it is, once a month, or, you know, whatever kind of cadence that it's on. But at the end of the day, it's also gonna help you from not making certain mistakes or possibly, you know, kind of helping from helping you from having a potential bad day with a cyber event. You know, because if you if if that person did not go through training and they clicked that bad link that we talked about, you know, that could potentially shut the business down for a day or two, or if not longer, you know, just while remediations are taking place, whether that's restoring data, you know, or or you know, having to go in to figure out how somebody got access to something. So if you don't take the time in the beginning to go through that, you know, and just and spend time on the uh at the front end, you're going to spend a lot more time on the back end potentially.

WSJDLive: Cybersecurity Trends

SPEAKER_01

So looking forward, you know, what are some business, some trends that business leaders should be paying attention to right now in the uh in the IT world?

SPEAKER_00

I think right now is I I I know I I sound like I'm beating a dead horse, but it's mainly cybersecurity. It's just it that it's just rapidly changing, the type of cyber event, because the word cyber event and cybersecurity, it embraces so many different things. You know, it encompasses a lot of different things. And those things, so to speak, are changing, you know, day to day, month to month. You know, just as you plug a hole, so to speak, you know, you plug this hole to keep someone from getting in, and everybody adopts that. And so that that hole is plugged, it goes back to the the bad actors taking the path of least resistance. They're going to find that next thing that's gonna be easy to attack, you know, to try to get the most bang for their buck across multiple companies. And so, yeah, I would say just staying on the forefront of that. And then that kind of goes into play with if you don't have an IT professional on staff or or outsource that you trust, you're kind of missing the mark on that because you don't necessarily know what to look out for. Because if you just kind of just Google cyber events, cyber attacks, you're just gonna get whatever just comes back at you. Where some of those, yeah, may apply to you, some probably don't, but there's probably a ton more that's not even listed that you're not even thinking about until it actually happens to you.

SPEAKER_01

So I have a curious question, because you you brought this up. You know, what do you think, you know, in your professional opinion, that is coming? It's on the horizon that most businesses are just not prepared for in the foreseeable future.

SPEAKER_00

Honestly, I think there's just going to be more and more attacks via email. I mean, I I know that sounds kind of simplistic, but it's just where everybody has an email address. Everybody has an email account, and everybody is way too trusting when it's what it when it comes to reading an email or thinking that email came from an actual person. So I I think it's one of those that it's in the forefront now. It's one of those things that's always happening. But even when we talk to clients, you know, they're shocked to know that the most vulnerable place they are in their business from a technology standpoint is their end user, and 99% it's their email. You know, that that's the way that you know those things come through because that's the way everybody is corresponding nowadays.

What Leadership Lessons Have Stayed With You?

SPEAKER_01

It's true. So, you know, after two decades in IT leadership, what leadership lessons have stayed with you the most?

SPEAKER_00

Really, is that and it kind of nothing to do with cybersecurity or anything like that. But I think that the biggest part is making sure that you've got the right people in the right seats. You know, that just because that you think this person can exceed at this particular duty or this particular job, you may realize that, you know, they they're kind of slipping in that area. But if you pivot and move them to a different aspect in the company or a different seat or a different duty, you know, they could take what they were doing tenfold, you know, and do so much better in a different role. And so I think that's been one of the things that's eye-opening just in leadership in general, it's just paying attention to, you know, how your direct reports are doing, you know, and just because they may not be hitting the mark, you know, at their particular job or they're dropping some things here and there, it may not be that it may be that that's not their strong suit. But then if you look around and you know, you've got a team of people, you you could just kind of you know move people around. You've got this person who's kind of weak in this area, you've got this person who's strong in this area, why don't we just take them and flip them, you know, and try that and see if that'll work. So I think the biggest part is just from the leadership as whole, is just taking a look at your team in general and realizing that one simple move, you know, from a job duty could just make you know astronomical changes and make things better for the organization as a whole.

SPEAKER_01

Well, what are some things that you've learned about making decisions in high pressure situations?

SPEAKER_00

When you're in a high pressure situation, you have to be the most calmest person in the room, you know, because as soon as you start, you know, overreacting or making knee-jerk reactions or meet knee-jerk decisions that don't necessarily need to be made right then, then you kind of put everybody else on edge. So I think the biggest part of being just the biggest part is just being calm in those high pressure uh things. Because, you know, in in IT in general, every time somebody has a bad day, whether their business is shut down because of an IT problem, whether it's something as simple as uh, you know, they they can't get to their files because their internet's down, or it could be something as catastrophic as, yes, they just had a cyber event. You know, just being the calmest person in the room and letting them know, hey, we're gonna get through this. You know, we're gonna make this happen. Here's the things we need to do to get from A to Z, you know, and this is what we need to do. So I think that's the best part is just staying calm through the whole thing.

SPEAKER_01

My follow-up would be what have you learned about accountability in those situations?

How Technology Led to a Better Business

SPEAKER_00

Accountability is accepted. You know, when you're accountable for something and and and it falls back, I mean, taking that radical responsibility, you know, always look back and realize, you know, what could you have done to make that situation a little bit better? You know, there's always, you know, there's always blame on on that could go all the way around, whether you're not necessarily the one who caused the problem. There's still things you could have done to kind of make that a little bit better. And then basically just being accountable for that, you know, and saying, okay, you know, next time we're gonna do this, we've got some different things in place that's gonna keep that from happening again.

SPEAKER_01

So can you share a moment where technology leadership directly changed the outcome for a business?

SPEAKER_00

Well, I think one is in in general is a client who was able to move to different parts of the country as far as a call center, you know, and it it it sounds simple, but just something as easy as time zone changes. You know, they were running a 24-hour call center. And with that, you know, you set up across the country, you can have different people staggered on different shifts. You know, in that way, instead of having to having to have people that will work a night shift in one particular area, you can kind of spread that around. And then with technology, you're able to kind of bridge that gap between the different offices and the different places that are around just by putting that connectivity, you know, back between the offices and then the connectivity back from having all of their data in a cloud environment where you're not dependent on servers, you know, that you're having to, you know, purchase and move into these different places that you're setting up across whatever geographical landscape.

SPEAKER_01

So what what's a what's an example of when a good decision prevented a crisis because everyone did their did they did their part? I think that's something that's that often gets you know overlooked. Sometimes we focus on what's always gone wrong, but we don't focus on the things that's gone right, and then we reinforce those positive behaviors so that we can then have a cre culture of, hey, we're thorough, we we check things. And you know, can you just give us an example of that, please?

SPEAKER_00

Yeah, we we've had quite a few companies that actually fit this build, but I mean, one in particular, you know, that they they they got every bit of the security tools, the security protocols, everything that we were had recommended. You know, they put everything in place, they sent their employees through training, everybody was up to speed on everything. And it they had an email come through where it was something to do with changing ACH information on some insurance payments for something for their health insurance. And they were able to look at that and realize that yes, I have emailed this person, but instead of it being at ABC domain, it was this person at abcdomain.com. You know, and so just for them being able to look at that email and understand that, okay, yeah, this the the grammar looks okay, the the verbiage of the email, everything seems legit, but that one domain just seems a little bit off. And they were able to pinpoint that, report it to us, and then we were able to let them know that yes, this is, you know, a phishing email. Somebody's trying to get access to your to your systems or to your information. And they were able to stop that right then, where if they would have changed that ACH information on the fly, there's no telling how much money, you know, would have wound up leaving. So they were able to, you know, put that stop gap in place and come out, you know, with no issues in the end. So we see a lot of that day to day, but you're right, though, it's it's so much easier to concentrate on the bad and what people aren't doing versus when you look at, okay, well, look at all these things that people are doing to make everybody's information safer and just make everything better at the end of the day, because so many companies have my information, your information. So the better that they do, you know, that's our stuff not getting out there along with everybody else that they do business with. So you you're right. It's so much it it it's so it's so hard sometimes to look at the bad and like think about everything that everybody is doing, you know, on the good side of that as well.

One Change for Cybersecurity and Stability

SPEAKER_01

Absolutely. That those could those could be the things. That prevent you know future attacks from happening because hey in situation A, these protocols were followed, nothing was missed. And when you when you're analyzing situation B, you you can see the gaps. You have something to stress, stress test it against, you know, and and and in the the environment of data, those things are important. So, you know, so it's my question to you, and this will be my final one, is if a business listening, listen, a business leader is listening today and could make one change tomorrow to reduce risk and improve stability, what would you tell them first?

SPEAKER_00

The first thing, if you're not doing anything from that aspect, I would say end user training, just getting everybody in the company, at least through some of some social engineering training. And that that's a broad term, but it's everything from you know looking at a identifying identifying a phishing email. Or, you know, when you go to a website, this one, you know, looks a little sketchy. It doesn't look like you know, you know, what I normally go to is there's there's a few things off grammar, you know, something as simple as just words misspelled. And those things that they're they're great because they that they teach the employees a lot of things from the business standpoint to help keep your data protected as a business owner. But they also then in turn help the employee out, you know, from their own personal cyber hygiene. You know, things such as don't use the same password for Amazon and Apple, keep things separate, you know, churn those passwords from time to time. So if you're not doing anything, I think that's something that could at least move the needle forward as far as getting things in place and changing the mindset a little bit, would be to engage in some type of training, cybersecurity training, social engineering training for every end user. And then once that happens, then you can build upon that. You can partner with someone, you can get some different tools in place, but without training and understanding and the end user knowing where do we even want to go with what we're about to put in, it really just kind of misses at that point. So I would always start with some type of training, get everybody on board, start from the top, push it down, and just embed that in your culture.

SPEAKER_01

Well, wonderful. You know, thank you so much for for all the information today. It's it's been a pleasure, Chris. Yeah, thank you. Technology used to be behind the scenes. Now it is the foundation everything stands on. And what today's conversation makes clear is this the organizations that treat technology as strategy will grow. The ones that treat it as support will struggle, and the ones that ignore it will eventually face consequences they never saw coming. Chris brought a grounded perspective from years inside real operational pressure where leadership decisions and technology realities collide. The conversation was not just about IT, it was about accountability, it was about clarity, and it was about understanding the risk shaping modern businesses. Chris, thank you for joining us. And to everyone listening, remember this technology doesn't just support leadership, it exposes. We will see you next time. If this podcast challenged you, good. Clarity often does. The point here isn't consensus or reassurance, it's to leave you more precise than when you arrived. Keep what sharpens your thinking, discard the rest. But don't confuse familiarity with truth. If this conversation mattered, follow the podcast and share it selectively with people who value depth and not noise. Until next time, stay disciplined with your thinking, selective with your attention and honest about what you're really optimizing for.

Head Shot

Annheete Oakley

Host
Head Shot

Philip Calcagno

Co-host