SkyTerra Podcast Episode 4: What Is the Difference: MSP vs MSSP


Welcome to the SkyTerra podcast, where we are empowering your business to do more. I’m your host, Ross Jordan. Every other week, we’ll explore the world of technology, what has changed, how it might impact your business and why it matters to you. We will bring you interviews with business and industry leaders and discuss how technological advances impact your business and our lives.

Whether you’re a tech enthusiast, a professional in the field or are just curious about the future, this podcast is for you. So grab your headphones and join us on this exciting journey into the world of technology. Let’s get started.

Welcome to today’s episode of the SkyTerra podcast. We are thrilled to have a special guest with us today, Armando Rivera. Armando is a seasoned technology professional with experience across the entire spectrum of small to large business, as well as international conglomerates. In addition to traditional business portfolios, Armando also has experience in state, local and federal technology ranks.

One point of interest for the host of this podcast is my experience with Armando. I have great respect for this man. I joined a technology firm in 2015 as a director of sales. Although I had experience leading business development teams in other verticals, I’d never worked in the technology industry prior to this engagement.

Armando was one of the first people to take me under his wing and help me understand the complex environments of his clients. His generosity, his ability to simplify the complex and to help me understand the pain points of technology, not only for the end user, but also for technology providers, continues to benefit me in my role every day.

I genuinely give credit to Armando for accelerating my success in this field. Armando is an experienced director. He’s got a demonstrated history of leading information technology for organizations of varying verticals and varying sizes. He’s a skilled team builder, a leader with experience in developing skills and business acumen for his team; a true servant leader.

Armando also works to help develop the personal journeys of his team, both professionally and personally. Armando holds a master’s degree and is a certified information security manager. Armando continues to be a friend, a mentor and a close confidant, still almost a decade after first meeting him. So join us as we dive into this conversation with a friend and a dedicated leader.

Armando, thank you very much for your time today. I sure appreciate you making time to visit with me. You and I are both members of the SkyTerra team. Different sides of the fence. I annoy you, you clean up my messes, you’re the one that’s in charge of the engineering team, you’re the one that makes decisions for our customers on a daily basis.

I wanted to grab you because there’s a lot going on with security. There’s a lot of things going on with data governance. There’s a lot of things going on that now have tools they might not have had over the last decade or two. So let’s start off with telling us a little bit about you: How you came to SkyTerra. Tell us a little bit about what keeps you here and excites you, gets you out of bed in the morning. And then we’ll get into what we do for a living.

Armando Rivera: Hi, Ross. Yeah, my name is Armando Rivera. I’ve been in managed services, managed security for now 25 plus years. And I ended up here at SkyTerra because I needed a change. I needed to work for a company that embraced cutting-edge and even bleeding-edge technology. That had a focus on doing right by their client, managing their portfolio based on providing the best services and the most appropriate services for their clients, not for the company’s bottom line. And so I found it here. I joined a company that is ethical. 

Ross Jordan: That actually says a lot, doesn’t it? SkyTerra is one of those firms that, as I was looking to join, it was all about the leadership and the ownership. I don’t know how you can explain this, but there is a give-a-shit factor that you cannot get at other places that we definitely have here. 

We’re looking at security specifically, so help me understand, maybe from your perspective, what a client might want to consider, or make a part of their buying decision when they’re looking at a security solution. Maybe not a solution for a vendor, a vendor-based solution, but if somebody just got their first seat title and they just joined the organization, but they’re in charge of security for their team, what is it that they need to be looking for? How would you recommend baseline best practices? 

Lots of questions there, but tell us what somebody needs to be looking for when they’re looking at their security posture. 

Armando Rivera: Okay, the first thing is that there’s not a like a one size fits all. There aren’t base requirements in that sense. If you were stepping into that C suite, if you’re coming in and looking at it, you need to understand your infrastructure, your applications, user requirements, data requirements, legal and executive mandated compliance requirements. I mean, you might have a board that you’re answering to. Your recovery time objectives, your risk tolerance, what are you able to live with? 

And then from gathering all that information, you need to build a governance framework, a security governance framework, and understand it holistically. You need to understand, “Hey, this is my big goal here.” 

Where I see a lot of people make the mistake is they’re very reactive. And so a problem pops up and they end up solving each problem individually. And so you end up with almost disparate systems or a very blurry view of what you’re trying to accomplish.

So you need to take a step back and understand your organization. 

Ross Jordan: The challenge that you’re describing with the disparate systems, right? Somebody else might have made the decision on this. Somebody could have been thinking this was a good plan. It might just be an older system that you have in place. An old backup, for example, that’s sitting on a hard drive somewhere. 

When you have had to be faced with breaches recently… Somebody’s come into our organization needing help. Where are the areas where you’ve seen most of those breaches, most of those challenges come from? And what would somebody do to help remediate that?

It’s not like we can say, “oh, it’s always this is the way they get in.” It’s more about sometimes they get in this way, sometimes they get in this way. But when you’re in the mess, what’s the thing you wish they had more than anything else? Or they wish they would have done before the incident?

Armando Rivera: It is an interesting question. I guess that’s a two-part answer, maybe? If we’re coming in and it’s done with, like, it’s already happened, you’re asking how they got in. You’re saying it’s not one way in, but it kind of goes back to that governance and how you managed your IT.

Okay, so many times we’ve seen how something happens is because of the squeaky wheel and not sticking to your guns. You have somebody in power or somebody that has a really rigorous work schedule (tends to be your C suite and your sales folks) and they’re the squeaky wheel and policies that were put in place to protect the organization were exempted for these people.

“Oh, I’m traveling. It’s such a cumbersome process to do the X and X to access. I own the company. I don’t want to have to do X. You know, I shouldn’t have to. It should be easy for me.” And then the countermeasures that were put in place are exempted for maybe, you know, a week in Italy for this person to travel, or this person’s going to a convention, and it never gets closed back up. These squeaky wheels are the people who also are your high-profile targeted phishing attempts right there. That’s your spear phishing right there. Those are the guys you’re looking for. And they end up being with the least security.

So that’s usually a big thing that I see. It’s a little difficult, but it kind of goes back to a vision and understanding of their organization. They meet as coming in to remediate a problem. It helps to be able to ask questions of somebody in the organization and they have a topography: You know, “I understand. I have these apps in the cloud. I have this here.” Just having a little bit better understanding. It ends up being a byproduct of sprawl and or change within the organization. You know certain systems go to certain people and then they have how they’re going to secure their divisions. And then you have a turnover, you had multiple security directors, a CISO, a CTO that have come and gone, or they’ve shrunk and they’ve gotten rid of the CISO and they converged both security and just IT support into one group. And it just gets muddled. And so we’re coming in and they don’t even understand their organization. 

Ross Jordan: Right? It’s muddy water. So when you’re building an organization’s security posture, where do you start? What are the things we as SkyTerra might do from a very general perspective to help a customer develop a strong security posture?

We do it in steps. We do it in layers, crawl, walk, run, right? We look at where you’re going and we roadmap how we’re going to get there from the person that has to do the work and is responsible for the work that’s done. What do you recommend at a high level that people do to secure their organization?

Armando Rivera: That they do. Or the questions I’m asking to build that plan?

Ross Jordan: I like your response better. Why don’t we go with the questions you’re asking? What questions do you ask an organization as you’re working into their security environment to understand what they need to do and ask them the right question so that muddy water doesn’t end up being what they’re stuck with at the end of the day? How do you do that? 

Armando Rivera: Okay. Well obviously I know who I’m going to be talking to, so I understand their vertical. I understand what their job is, what they’re doing, what are their goals, and then I need to understand like their scalability. Is this a company that right now is five people, but fluctuates between 2000 offshore subcontractors? Is this something that they’re planning to do? Are they going to grow? They came to us because now they’re trying to get to, you know, 200 people. If I understand their scale, then I start understanding their needs.

What are you looking for? What are your response times? What are you governed by? Are you falling under CMMC? Are you a government entity? Are you SOC 2? Are you publicly traded? These high-level legal entities that are dictating that you need to fall into these certain compliances. 

Is there an internal governing body that we need to make sure that we hit their needs? And then I start looking at what’s happened to them. What brought them to the table? Was it somebody new started the company or somebody new came into the portfolio? We need to get a better picture. Were they already previously breached or are they trying to obtain one of those certifications? 

And that really is kind of like the crux of the beginning, right? Once I have that, then we start getting into asset management. Like, okay, what do you have? What’s in the cloud? What are you trying to accomplish within your goals and what governs you?

Ross Jordan: Right. It’s a purpose-driven build. What security tools does Microsoft offer? Yeah, the company should consider when they’re looking at their own security platform. Very big question. There’s a lot of answers to that. 

Armando Rivera: Right? Almost the better question is what tools does Microsoft not offer? I mean, I can’t even really think of one. I mean, we’ve got identity management. We’ve got endpoint management all the way up to very, very tight XDR. So we could bring in prem, we can bring in all your cloud assets. We can bring in your IOT. We can manage multiple clouds through Microsoft to making sure that you don’t have permission-sprawl between your multiple clouds.

Let’s just say you are a Microsoft, Google and AWS shop. There’s an actual product where we could do permissions and check to make sure you don’t have sprawl and you don’t have over permissions. 

Ross Jordan: You mentioned sprawl and I still see, you know, I can’t even think of the movie now. But he’s firing into the car. Bruce Willis is in it. It’s one of those movies that never made it big, but I thought it was just phenomenal. Jack Black. He’s got the chain gun on cigarettes out, right? It just sprawls.

Armando Rivera: Yeah. He blows his hand off. What is that called? Oh my God. Jackal? 

Ross Jordan: You know it, right? Because he was so good in that movie. I can’t believe it didn’t make the noise that it should have. 

Armando Rivera: It’s I think it’s called the Jackal. 

Ross Jordan: The Jackal. You’re right, it is the Jackal. Phenomenal. 

Armando Rivera: Also, to close up on the last one, I guess the better answer would be, what tools do they not offer? The benefit of using Microsoft is that they’ve got a huge portfolio of tools. They’ve got all the way down to IoT endpoints server. You can bring in your prem. We can manage multiple clouds to make sure that you don’t have permission sprawl between your AWS and your Google and your Microsoft clouds, that they could handle all of that. And what’s even better is that it puts it into one tool.

So you’re able to manage these things and, and look at it from, I’m not going to say a single pane of glass because that is not true, but proverbial, right? There is the ability to access it through Microsoft and then they speak to each other into their XDR solution. So it can correlate alerts from all these different things and it makes sense of it; taking 345 small benign little alerts, but correlating them and saying “Uh oh, that’s a big thing.”

That’s the benefit of using the Microsoft security suite. Is that correlation of all of those tools. 

Ross Jordan: Now, some clients have shared excitement about that. I’ve also had clients share they don’t want all their eggs in one basket. How do you feel about that? 

Armando Rivera: I’m not going to fight you on it. I’m not going to say that there’s a bunch of really great tools out there. The good thing about the Microsoft though is that they make it so that they can ingest quite a few of those tools as well. So you can have your other third-party tools and you can just bring it in so that those alerts are still correlating. 

Ross Jordan: Okay, so we’ve talked a little bit about what a breach looks like and what you’re finding after the fact needs to be done. We’ve also talked a little bit about the Microsoft ecosystem and what tools are available there. Let’s talk now about general security best practices. These are not going to be earth-shattering ideas. These are the ones where you say, “this is where you start, Mr. Customer. We need to do these things first.” 

For an executive or somebody in a position of power, when they take the position, what are the questions they need to be asking their IT team about their existing environment so that they can find out where they may have holes?

I mean, what does somebody say when they take that position that first day and say, “I need to understand this about my organization, about our framework, about our structure?” Is there a series of questions you would recommend somebody to ask?

Armando Rivera: Gathering all your stakeholders and then understanding your line of business applications and your mission critical data high level, you know, what are we producing?

More than likely, you’re producing either a widget or your information data. So understand what that is. And then how you’re generating that data and everybody that’s manipulating that data. And from there, that’s where you start looking at the security and understanding, “OK, I have this application that nobody’s touched. It’s in the cloud, and it is directly tied into what we do. It’s all of our IP. And we, I have this group of people out here that are spread out throughout the world that are accessing it. How are they accessing it?” So, it really is understanding that product or service; that data and then understanding how it’s being accessed. 

Ross Jordan: So it still goes back to having the big picture, understanding everything that you have in your organization and how it interoperates and how it works together. Very cool. 

Give us a security nugget. I mean, what’s something everybody should look at? 

Armando Rivera: Ouch. Um, 

Ross Jordan: That was nowhere on the list. It was just for me. I was sitting here thinking the next time I get on the phone with somebody, I have a repertoire of things I can talk about. And where I try to be of value to our clients, our customers, to our partners is in finding out the cost value, right? If you don’t do this, here’s what’s going to happen. Or here’s what could happen. But to me, I’m always looking down the road and I’m wondering, is there not something that I should have a conversation with every single client that I visit with?

Or is there not something you would recommend anybody working with a client, or any client themselves should not move forward without considering this first? It’s not a very well-structured question, right? But if I were to bring you a client tomorrow, what was the number one thing you’d want me to make sure I’d spoken with him about?

Armando Rivera: There’s a couple things here.  Don’t confuse backups as like recovery time. 

Ross Jordan: So there’s a difference between backup and spinup, right? 

Armando Rivera: Yeah. I guess understanding a client’s recovery time objectives: Just because you have a backup doesn’t mean you’ll be up and running quickly, right? Has that been tested? What does that look like? Have you even thought about it? You might have a backup of this data, but it might take you two weeks to recover it. How long can you be down without that critical information? 

And if that information made it out into the wild, what are the repercussions of it? Are you having to disclose that you had a data breach? If you had a PII leak, or is it that it’s actually your IP, it’s what you’ve been working for the last 10 years to develop this product that’s about to go to market. And now it’s leaked out and now you’re looking at investors and what are the ramifications of this?

Ross Jordan: That was pretty thorough. Actually, that’s a great question. 

Armando Rivera: Yeah, I’m trying to be high level because after that, then it starts getting into the minutiae. It goes back into how is it being accessed? Is it in SharePoint? Is it in SharePoint 2008? You know?

Ross Jordan: Yeah. Is it is an R2 server that went out of style in 2010, you know? 

Armando Rivera: FINRA and biopharm… that’s our bread and butter, some of those big companies. If they were to have a data breach, especially on some of that IP, like all the biopharm is… I mean, that’s what they’re looking for, is your product about to go public? Yeah, you know, and how well are you doing? What are the clinical results on this thing? You know? 

Ross Jordan: Absolutely. Right now would be the time to grab it before it goes public, right? Before it goes to the FDA. You could save yourself millions of dollars by hijacking that data.

What do you want to talk about, man? I mean, you’re the one that does this every day. What should somebody know? What do you want to share?  

Armando Rivera: Well, if you’ve come to the point and you’ve grown and/or you’re just looking for security services, make an educated decision. I mean understand who you’re shopping. Not all MSPs and MSSPs are the same. You know, it might be a great, huge organization, but they don’t technically have clients in your vertical.

Understand that they understand your business needs. What are their communication methods? If I go with this company, do they only work through chat? Can I get a live person? Where are they located? Is this a 24/7/365 organization or because I’m West Coast and they’re East Coast, they’re 8 to 5? That doesn’t align with my needs.

What are their SLAs? If I have an emergency, will they treat it to my level of an emergency? Will I have somebody on the phone working with me in 30 minutes to an hour or maybe even immediately? How do they handle an incident? But what are their processes? 

Also, they eat their own dog food. Everything that they are blurbing me, I would feel a certain level of internal comfort if they’re using those exact same products. Are they, are they putting into their practice the same thing that they’re preaching to me? What is their internal process look like? Check their SOC 2 certifications.

Ask questions as far as what they’re certified in. Understand their engineering credentials. Am I dealing with somebody that has a truly skilled set of security professionals? Or is this an MSP that has access to some Microsoft tools and are saying “I can deploy your XDR.” Yeah, you can deploy my XDR, but can you manage my XDR? Just making sure that everybody aligns.

And then, once you get to that point, what is their incident response look like? How do they handle an incident, right? What do they do? So, from my perspective, if you were to ask me how we do an incident response, our biggest and first concern is quickly identifying and declaring an event.

What does that look like? How are they going to get that information? I need to be able to quickly identify what an event looks like and declare it. And then after that, it’s alerting my CSIRT team (that’s your response team – cybersecurity incident response team) and then defining the channels of communication.

That’s both internally and externally. How are we going to communicate internally? And how are we going to communicate with the client right after that, starting at minute one, ensuring that we’re documenting times what we’re doing, what we’re touching and maintaining that chain of custody, just in case there’s something that comes out of this.

Obviously, that’s all real quick. Then, the first thing is we’re detecting and analyzing, understanding the scope of the breach. Is this one person? Is it companywide? If it’s one person, is it their chief scientist? Is it the CEO? What is this person doing? I mean, just because I say one person doesn’t make it any less, right?

Then after that, it’s containment, eradication and recovery. And it’s not saying recovery, like, okay, did I get data back up? There might be some legal ramifications that we need to recover from. And then make sure that there’s a post incident step after that.

Afterwards, we produce reports. We make sure that we’re helping you get through those legal requirements that might’ve been out there if there was a leak of PII information, and then ensuring that we do an entire analysis, figure out lessons learned and that we’re putting in place the proper preventive countermeasures now.

I’d be a fool if I told you that it would never happen again because that’s the name of the game. Security is always changing. So today’s countermeasures might not be what you need tomorrow, but making sure that we’re now installing countermeasures and that we’re now monitoring from that point forward and making sure that we’re at least on top of and looking forward.

So even if the next one happens, we’re one minute faster than the last time. That one minute might be absolutely critical. 

Ross Jordan: Yeah, especially as it proliferates through an organization, one minute can change the game significantly. Tell me a story about, I’m sure you’ve got a litany of them, but tell me a funny story about maybe former experiences, or maybe in past lives, somebody coming to you and being like, “Hey, I had a security event” and then you look at it and go, “What in the world were you thinking when you built this?” You have any of those funny stories you could share legally? 

Armando Rivera: Uh, yeah, legally. There’s a couple. Like I said, I’ve been in this game for a while. Previously, I had a scenario where we were picking up a couple of government contracts. In particular, some smaller municipal police departments that had crypto walled all of their data, and that’s including body cam footage, everything that was going into cases that they had done. It was extremely delicate. It was extremely documented. We’re talking about chain of custody to the 10th level to making sure that we could get this information back.

The forensic behind it was, I mean, we had federal. It was being investigated at the federal level so that we could make sure that everything was recovered what it looked like. And then what does that look like to a case that you’re trying to prosecute? You have to make sure that that data was original and maintained. So that one was a really touchy one. 

And then understanding that security is also internal. One of the touchiest ones we had was very, very profitable publicly traded company. That was a service provider for the oil field fracking industry. And the CEO engaged us in a frantic call. Because he was being held ransom, he didn’t know by who at the time, because somebody had accessed his email and a lot of his personal information and his extramarital affairs were being dangled in front of him.

Ultimately, this was a lack of internal security policies, a series of checks and balances of who has access to data and who can make those changes and making sure that they can’t do it in a vacuum, that there is somebody that would audit that person being able to access and change permissions. Ultimately, they didn’t like their review and had gained access to this man’s information. 

Ross Jordan: It’s not comical in any way, shape or form, but it was almost, retribution, right? Those stories highlight two important things that you brought up. First off, you have to look at your decision-making process as if the worst case scenario occurs, right? Having your data locked, having your information possibly being shared, like you mentioned… even the risk that generates by somebody else having possession to that, whether it’s IP or whether it’s competition, customer lists… there’s a lot of things that are critical to an organization.

That second story highlights the internal need; controls within the organization, large or small, is irrelevant. You’ve got to have internal controls. The only story I could add to that is we had a medical firm we were working with, and the receptionist was click happy; would click on everything and found a way to open something that was malicious. The next thing you know, patient data was accessible, and it was one of the things, and you might have even helped me in a previous life sort that out, too. There was somebody that was running out of Eastern Europe that was checking files at 2 o’clock in the morning. You know, and none of that was known until, wait a minute, something’s not right here.

I think something inadvertently got deleted. A customer record, a patient record, instead of being copied and pasted, was cut and pasted. It’s amazing how far they can get, how fast they can get, without you even knowing. 

As we tie this up, anything you want the general public to know about security or about just maintaining proper, I don’t even know the word, I mean, give me the baseline of what somebody should look at in their organization. It doesn’t have to be security related. Just, “come on people at least do this!” What would that be? 

Armando Rivera: Backing up and classifying and protecting your mission-critical data, your users, because that’s usually your point of entry. Making sure your users, their access devices, making sure that that is secure, and having email hygiene and training.

You can never assume that everybody in your organization has the same level of understanding of cybersecurity. We have dealt with absolute brilliant genius-level Ph.D. company owners and scientists that are amazing at the job that they do, but do not understand the ramifications of not maintaining a secure password manager, putting passwords on a plain text file or just clicking on everything that’s passed in front of them without any insight into what they’re doing and installing it.

Really the term to understand is that the problem usually originates between the keyboard and the back of the chair. 

Ross Jordan: That’s a great analysis. And actually, I can’t think of a breach that I’ve been involved with that that’s not truth. 

Armando Rivera: Yeah.  

Ross Jordan: It really is. 

Armando Rivera: Because it originates through social engineering, you find that weakest link.

Ross Jordan: Absolutely. And people typically are. Armando, I want to thank you very much for your time today. What have you got as a closing comment? 

Armando Rivera: Just because you throw money at something… you know, you can go out and buy all of the name-brand amazing tools out there… but if you’re not maintaining that tool, if you’re not managing that tool, if you don’t have somebody looking at the alerts that it’s generating and reacting on them in a timely manner, it does you no good.

That’s where an MSSP provides that value: You have a team looking at that tool, making sure it’s updated and making sure that somebody is responding to it. 

Ross Jordan: It’s actually really good advice. There’s a lot of times you’ll see that somebody buys the latest, greatest, newest, coolest. And then a year later, it’s needed updates. It’s needed actions. And it’s been telling you something’s wrong. You haven’t been acting on it. So that’s good advice. Sage advice.

Armando, thank you for your time today. Appreciate it. And I assure you there will be many more conversations as well as if there are viruses that come out. If there are newsworthy efforts that SkyTerra needs to communicate, I will be grabbing you to help put that information out there for people to consume. So definitely appreciate all that you do. 

Thank you for your time today. We appreciate you listening to the SkyTerra Technologies podcast.

For further information, you can find us on LinkedIn or at www.Skyterratech.com. Have a great day!


SkyTerra Technologies

The SkyTerra team has experience providing enterprise-level IT solutions to Fortune 500 companies including cyber security, cloud services, IT infrastructure, compliance and more.