The Cybersecurity Crowd #7

What IT Leaders Are Facing, and How to Fix It

September 12, 2022

Anthony sits down with Stephen Hanson, Regional Director of Sales for Integris in the midwestern region, for a discussion on the problems and opportunities that IT leaders across the country are facing, and the possible methods of resolving these issues in the short and longterm.

Check out the transcript below and listen along with the embed, Spotify, Apple Podcasts, or find us on your favorite podcast app.



Anthony DeGraw: Welcome to the Helpdesk. Today I have the pleasure of welcoming Integris Director Of Sales, Stephen Hanson. Stephen has spent a significant amount of time with the organization and legacy organizations that we brought together. Stephen is coming on to talk about specifically the struggles, problems, opportunities that are facing IT leaders all across the nation. From CIOs to IT managers and their teams.

Stephen has deep expertise in this space and has these conversations every single day with the current clients in his network, as well as new clients that are coming and talking to Integris all across the country. Stephen, welcome to the show, man.

Stephen Hanson: Appreciate it. Happy to be here.

Anthony DeGraw: Awesome. So we had four brainstormed categories that we were gonna walk through.

Overview of the issues

Anthony DeGraw: So I’ll give a brief overview of each one and then we’ll dive right into the first one.

Number one on our list when talking with Stephen was staffing issues. Hey, the MSP community in and of itself is dealing with staffing issues. I think the entire country just went through the great resignation and had staffing issues, but Stephen’s gonna touch on specific things he’s seen within the internal IT environment around staffing.

Number two is network consolidation, multiple locations, multiple connections, remote workforce. What does that network consolidation look like? What are the things that Stephen and his team are running into?

Number three was the day to day mundane work that these IT teams need to do, the non-sexy stuff. And how can you potentially get that off your plate and focus on the things you actually wanna do?

And number four was how do you fix it. Do you outsource it? Do you bring more in-house? Is there some sort of hybrid approach? Stephen’s gonna walk through a couple different scenarios on that end specifically about, what he thinks is best for each person.

I’m sure you’re gonna give some sort of lawyer response there, which is it depends, but we’ll dig in a little bit to the, “it depends.”

Staffing issues in IT – the “missing middle”

Anthony DeGraw: So with that, Stephen let’s start off right away with the staffing issues. What are you seeing man?

Stephen Hanson: It’s an interesting world we’re living in. It’s an interesting market.

I’ve never had more prospective clients and clients reaching out right now saying I’m really short staffed. I need people. And it’s unique because it’s a lot of different skill sets that are needed. I think the most common thing that we’re seeing for our organizations that have an IT team, a specific IT team is we’re seeing they have some really solid engineering types, you know, the high levels really enjoy doing that project based business. And then we’re seeing there is a decent amount of level one, the people that are taking the calls, maybe triaging them or trying to do some of the basic, restart the computer, “have you tried doing this, that?”

There’s really a lack of people in the middle. Anywhere in that kind of tier two, tier three, like “I’m not an engineer, I’m not doing full on projects, but I can solve more complex issues.” So that is, that’s really the number one thing that I’m hearing is just we’re missing out on those people.

And what we’re seeing is a lot of these people that maybe are in that space, that tier two tier three, they’re looking to become an engineer. That’s where there’s growth potential, there’s potentially earning potential. So we’re seeing people that are moving off into that more engineer, wanna be proactive, wanna do these more complex projects.

And so they just they need people. They need good people that can resolve more complex issues. Also, like you said, the great resignation, we’re seeing a lot of people leaving for those opportunities instead of staying with organizations. Even seven, eight years ago, it seemed like we would talk to IT teams and we would ask them about, what comprises their IT team right now.

And they would say well, I got this person he’s been here for eight years. And I got this person she’s been here for seven years. And they would go down the list and it was just all these tenured people. And lately, you know, we’ll ask what makes up your IT team? And they’ll say well, I had this person start last month, I had this person start a year and a half ago. It’s just a lot of newer people. And that onboarding, that ramping up, it takes time. And it takes a lot of energy. And I think it really burns some people out.

So it’s across the board. I know every industry is feeling it right now. We’re feeling it. There’s not a single vertical that isn’t affected by what we’re seeing, but it’s really common in our space right now.

Anthony DeGraw: Yeah, I wanted you to dive a little bit deeper too. It pings off of that tenured concept, which is the IT responsibilities have grown and changed. For those folks that have been in here 8, 10, 20, 25 years. What this looked like as a role, as a job, as a leadership position, 20 years ago, even 10 years ago, or five looks completely different now. From, on-site physical infrastructure and now having to have deep expertise in security and compliance frameworks.

Can you talk a little bit on that of like just the overall role and responsibility, how that’s changed for folks?

Stephen Hanson: Yeah, absolutely. So I’ve been with the organization for nine years, and it’s remarkable with how quickly in nine years, things can go from this end of the spectrum to that.

And everything now is so security focused. And security is so unique because security has never really broken. If you have a potential vulnerability, It doesn’t necessarily mean that you are down, that your organization is down. You’re not able to work. It just means that it’s a known vulnerability.

So you guys could be up and working and think that everything’s working just fine and have all these vulnerabilities within the network. And so adding that security piece and you mentioned compliance we’re seeing. Cybersecurity insurance driving a lot of what our clients and our prospective clients are asking right now. They want to get the best premium that they can possibly get on their cybersecurity insurance.

And they’re being asked to, check all these boxes. We need to do all these things before we can do that. We need to show them that we’re doing these things. So it’s gone from, a lot of just the reactive work. I think that’s what I used to see a lot when I first started was, we saw a lot of reactive, and now being reactive is not good enough. You really have to be proactive. Because if you’re trying to be reactive on security, it’s too late. You’re putting yourself at an incredible risk. And so it’s all about proactive right now and really there’s different skillsets, say somebody that has their, you know, CISSP. There’s different skillset that go along with security versus just your standard, senior systems admin or engineer. They blend, everything in IT seems to blend around security, but you can’t have the same person doing all of the above.

Anthony DeGraw: And going deeper on that too.

We talked about in our pre-call for this was, of these organizations that have these CIOs or IT managers, these IT teams. You talked to me about their reporting in whether it to be to the CFO or to the CEO in most of these organizations. Prioritizing IT cybersecurity and compliance as a CEO of, let’s say a middle market firm right now, I mean your board. Which I just came back from our board. Our board is asking about this day in and day out. It hits the news and it is what are we doing as an organization. And that’s funneling directly into those top level leadership positions with the staffing issues you just talked about.

What are you seeing as the pressure from boards and CEO and CFO sides of this business on the IT leaders you work with?

Stephen Hanson: It’s everything. It’s everything right now. If you lose the trust of your customer base as a CIO, if you were to get breached and you lose the trust of your customer base. It can be devastating for your business.

There’s absolutely the cost of downtime or just the potential like, ransomware, you’re encrypted, you literally can’t work. There’s the cost of that, but then just that, your brand loyalty and how much people wanna work with you, how much they trust you.

And like I said, that reactive approach, it no longer works. There’s a lot of solutions out there. There unfortunately is no silver bullet. There’s not one thing. There’s not a single company out there. They may claim this, but there’s not a single company that says, if you do this, you will be secure. Nothing will happen. We, you have to take that layered approach. You have to continue to layer on the different measures and really weigh the cost to the risk. Because, if you were to add every single security piece that’s out there in the world right now, you’d be spending hundreds of thousands, millions potentially, of dollars in security every single quarter.

And so you have to understand what your risks are and what your budget is. So a lot of it right now is trying to help establish budgets. What are the must haves? What are the things that, without a doubt, we have to be keeping an eye on these things. It was a few years ago, I’m so glad that this sort of shift happened and MFA just became a requirement. We did not see that when I first started, they were not doing it. We saw it a lot in banking, in financial services industries, but not really anywhere else. And now MFA is being a requirement. That’s such a good thing to do and have in place for your organization. So it’s just little things like that. I don’t know what it’ll be in five years, but it will continue to evolve.

And there will be new things because the people that are trying to get in and do malicious things, they continue to evolve. And so you constantly have to stay in front of it. It’s never set it and forget it. You constantly have to be, reviewing your network. What should we be doing?

And that’s where we come in a lot. We’re at the forefront of a lot of this. We talk to a lot of different organizations. We’re hearing the things that they’re being asked of, the scares that they have. It allows us to go out and have these really educated conversations with our clients saying, you guys haven’t experienced this yet, but I believe that it’s coming and you should be prepared for it.

Anthony DeGraw: Yeah, I think a word that you use there summarizes this whole staffing board responsibility, evolution of the IT folks, which is evolved, right? If you are not evolving, if you haven’t evolved in the last 10 or 5 years, you are behind the eight ball significantly and your organization either knows it already and are planning for it. Or they don’t know it yet and something major’s gonna happen. So continue to evolve the skillset, continue to reach out to partners to evolve your knowledge. It’s all out there. You can constantly be on webinars day in and day out of what are the threats. What should I be thinking about doing?

Network consolidation

Anthony DeGraw: So moving on to section two, network consolidation. So talk us a little bit through what you mean by network consolidation and what your clients are bringing up to you in terms of this area.

Stephen Hanson: Yeah. And this is another one that has really just taken off. This whole world of cloud. When I started nine years ago the idea of cloud was somewhat new.

We were still a lot of on-premise Exchange. Everybody had their email hosted at their their location, and then we saw this shift to this cloud based email. And then everything is just taken off from there and everything is SaaS based. Salesforce, HubSpot, whatever it is that you’re utilizing, you’re probably just subscribing to their cloud. And so with that, you get this importance on network. You gotta have an internet connection. You gotta have a really solid internet connection, possibly backup connections, redundant connections so that people can work.

If there’s ever some type of an outage and for really in that mid-market space, we see these organizations with multiple locations. And multiple locations can sometimes be a bear to manage because you’re dealing with different carriers. And it can become really a pain to manage all these different carriers to really understand if we do have a network issue where is the problem? We see a lot of finger pointing and I think that’s really common in our industry, you maybe have an internal network team, a firewall individual.

And that person might say, Hey, it’s not an issue with the firewall. It’s our internet. And then you’ll have the internet provider, the carrier saying, no, it’s an issue with your firewall or it’s an issue within your network or you’re switching.

And so we get all this finger pointing this, no, it’s not me. It’s them. And It’s something that we saw a lot of. And we realized that it was an opportunity in our industry to consolidate that and to have, more or less, a single throat to choke. You can’t point the finger at anybody else if you’re managing all of it.

So we have really taken that on and we have a team of network individuals that comprise our Network Services team and they are doing things like fully managed firewall.

I’m sure a lot of people know firewalls can become just a nightmare. Changes are made. They’re not documented. They have no idea. And then we’ll see auditors come in and they’ll ask, why were these changes made and they have no answers for them. It’s not a good position to be in. So ours is, it’s all documented. It’s on us to be updating, the hardware, the firmware, the patching. It’s as a service.

We’re again, seeing more and more organizations with those staffing issues, having a hard time finding network individuals. So it’s just, “we need somebody to come in and do that.” And then really all that is wrapped around being able to provide that support of the different locations as well and being the single number to call.

So, we’re unique. We’re a little bit like a boutique where we have about 35 to 40, and that’s growing, different carriers that we work with around the United States. So if you have this location over here and only this provider can provide fiber there, we will help manage that connection.

And if anything happens, you call us. It’s on us to reach out to them. And to resolve that issue and it can be different carriers at all of your different locations, no matter what you call us and it’s our responsibility. So we’ve seen, that’s really been popular in some healthcare organizations that have little clinics all around. Financial services, credit unions that have a lot of different branches.

It makes it so much easier to manage when you can just call one number.

Anthony DeGraw: Yeah, I completely agree. The one thing that grinds my gears the most is finger pointing as an MSP with the vendors that come into play there. We do not finger point. It’s all on us and we’ll work with those vendors to solve it.

This is just another reason why we would bring something like network services in house is to avoid the finger point. I love when you mention, one support line, one invoice, when you get upwards of 10, 15, 20 locations with multiple, you know, a primary and a backup connection in each one, all of a sudden these things start to multiply. And trying to deal with all those carriers and all these different states or locations. And not having fiber and maybe having to use cellular, it’s unreal how complex it can get. Love the overview on the network consolidation and how we can help folks in that area. Take that off their plate.

Stephen Hanson: Yeah.

Mundane, day-to-day work

Anthony DeGraw: Going into number three here, we got the day-to-day mundane work that needs to be done, but it does not drive your business forward. That IT teams and individuals hate doing. Yes. Now I got a laundry list of them. Patching, backups, antivirus alerts, blah, blah, blah. Talk to me about this. What are you seeing in this area?

Stephen Hanson: Yeah, just networks require a lot of caring and feeding. I think that’s what we’ve seen is that it’s one of the first things that people get dinged on, whenever they have any type of say, like a vulnerability scan. You haven’t patched your switch in X amount of months, there’s known vulnerabilities out there and you haven’t done anything. You haven’t restarted a server in a year. There’s just all these things that are required when you’re trying to manage a network.

And not to mention like backups, you mentioned that one. We have a team of individuals that just monitor backups. So they are sitting there looking at logs and if a backup fails it’s almost like a P1 for us. What’s going on? Why did that backup fail? Is it an issue with the hardware?

What do we need to do? Do we need to get new hardware out there right away? Because we know how. Important backups are, but it’s that idea that you probably can have somebody from your team doing it, but do they like doing that? Is it the right person to do that? I talked about how a lot of these teams are comprised right now.

You maybe have some tier one and then you have some really high level engineers. We found that high level engineers absolutely hate doing mundane tasks like patching and backups and managing antivirus. Some of these things that don’t drive the business forward, they’re the caring and feeding aspect of just maintaining a network.

And so it’s just having the individuals to do that. Most people and most clients that we talk to, they just don’t have the staff for it. And they don’t really see the value in hiring somebody just to do that. And so it really becomes, you know, advantageous and cost effective to look at an outside organization to assist with that.

Like I said, we have a full team of individuals that’s helping and assisting our clients with things like backups, with patching, with anti-virus. Something that they can take off their plate so that they can be strategic. So that they can worry about, the big security initiatives, the projects, the things that their company wants to do to help drive their business become a better business.

And so it’s just. I call ’em mundane, but they’re very necessary. Yeah. The mundane things are the things that end up getting people in trouble. So they’re so necessary and it just makes a lot of sense to, to have an outside organization assist with that.

Anthony DeGraw: I couldn’t agree with you more and I’m just gonna end this number three with a story that I like to tell from a CIO that I’m very close with.

So he’s the CIO of a community bank. I think he has upwards of 25 to 30 branches and headquarters across a couple different states now. He has a team of let’s call it seven to ten folks on his IT team. And he came to us in this exact thing. We started with an assessment of, hey, just want an outside organization to come in and assess what we got going on. Cuz we wanna make sure we’re doing everything right. One of the findings that came up in that assessment was your standard patching, right? They got, in trouble on a, on an assessment in terms of patching and staying on top of those things.

And he came to us and his standpoint was very simple. Hey, I have 7 to 10 folks, to Stephen’s point, they don’t wanna be focused on this. When I do have to have somebody focused on this, I have to take them off their normal rotation, their normal work week. I have to have them work from say 12:00 AM to 6:00 AM. So they gotta work all night long.

Maybe they’re pulling like an eight hour shift. Maybe it’s 10:00 PM to 6:00 AM. So it screws up their whole week. It screws up the team’s bandwidth, cuz that person gets taken off rotation. I gotta employ them for that night. They go in, they don’t do this all the time, so it never goes perfectly.

It always fumbles around. We always have lagging issues afterwards. Then they’re not there the next day, cuz they gotta catch up on sleep and get back to normal, which takes away from my current team and the bandwidth that they need. It’s a complete disaster in terms of me trying to handle this in house, then you get to the things like Stephen said in terms of compliance logs and documentation and reports on this stuff.

And it just ended up being a nightmare and there was nothing more important to him than can I just take this pain off of my current team, hand it over to you all who know what you’re doing and do it, tens of thousands of endpoints now at this point.

You could see the lift off of not only him, but also his team.

Stephen Hanson: Yeah.

How do you fix this?

Anthony DeGraw: Alright. Number four was, how do you fix this? Do you outsource, do you insource, do you do a hybrid approach? We talked a little bit about college graduations and IT roles out there, what are your thoughts on the overall fix to these three issues that we talked about?

Stephen Hanson: It’s a million dollar question, isn’t it? Like, how do you fix it? I wish there was just an easy answer to it. I think that the organizations that we’ve seen be the most successful with this. They have a really good combination of the two. They’ve been able to find areas that fit their team, that fit their team skillsets and keep those in-house.

And then the areas where they’re lacking, they’ve been able to partner with us and it’s this really good yin and yang of, this partnership that comprises this IT team. It’s not the same for everybody. It absolutely is not. There’s some organizations that we work with that have these rockstar network engineers, network administrators, that are so good with anything around the network.

And they just really don’t have anybody that wants to do, say, taking the phone calls of end users, just your kind of tier one fixing printer issues. And, I can’t get into my Outlook today and we’ve been able to step into that role and assist them there.

I’ve seen the vice versa where they really need somebody on the networking side. They have those, they have the people that can help with the kind of the Windows-based support or just desktop server support don’t have much on the networking side. So it’s just figuring out really what your skillsets are and where you have some gaps. And that’s what I love about the way that we approach this is, we just love partnering with businesses. We love finding those things that you don’t want to do, or that you don’t have the skillset for. Let us come in there and do that. We’ve never once gone with the approach of we’re gonna come in, we’re gonna take everything. I think some managed services providers have gotten a really bad rap for doing that. That has never been our approach. We don’t believe that it leads to longstanding relationships or just, good relationships at all. It’s such a small tightknit community, so we’ve never wanted to burn any bridges. We just want to come in and provide assistance and help where our clients need help.

And so again, how do you fix it? I don’t know the specific answer. But I do know that we can assist in trying to help build that direction.

Anthony DeGraw: Awesome. I think nothing speaks more to that than Stephen, what I’ve seen from you and your part of the organization, which is, you know, IT so and so leaves my current customer.

They go get a job somewhere else. And the first call they’re making is to Stephen and his team about, hey, can you come support me with these things at my new employer. To me, that is the definition of long-term partnerships and reputation at stake. And I’ve seen it time and time again coming from Stephen and his team there.

Stephen I want to thank you for coming on The Helpdesk and I can’t wait to get this out to our audience, man. Have a great Friday.

Stephen Hanson: Thanks Anthony. You too.

Anthony DeGraw: See ya boss.

Keep reading

AI (ChatGPT) and the Cybersecurity Implications for Your Business

AI (ChatGPT) and the Cybersecurity Implications for Your Business

With AI set to revolutionize how we work in the coming years, two of our Virtual Chief Information Security Officers, Darrin Maggy and Nick McCourt, and our CIO, Tony Miller decided to weigh in on the subject. The drumbeat to adopt AI in your workplace is loud right...

“Knowledge, You Can Teach”

“Knowledge, You Can Teach”

Scott sits down (in person!) with George Hall. George is the President of LINQ, a managed mobility services provider, and There Goes My Hero, a nonprofit dedicated to those impacted by blood cancer, both headquartered in Baltimore. George talks about his very eventful...

Multifactor Authentication Breakdown

Multifactor Authentication Breakdown

Nick and Susan's monthly episode is joined by Lexie Nelson, a vCISO at Integris. Today's topic is multifactor authentication. We're going through a full breakdown into MFA: how much it really protects you and your organization, the things to look out for when...