PODCAST · news
MSP 1337 | Cybersecurity Education & Security Guidance
by Chris Johnson | Cybersecurity Education & Security Guidance
Educational sound bytes to help MSPs and their clients navigate Cybersecurity. Cybersecurity maturity is a journey; don't go it alone. Interviews and guidance from fellow MSPs and other Industry experts. Our goal is Secure Outcomes, and together we can make a difference.
-
290
The New Reality for MSP Security Operations Center Services
In this episode of MSP1337, Chris Johnson is joined by Jeff Majka, founder of Security Bulldog, to unpack why MSP‑delivered SOC services are at a breaking point, and how AI and automation are forcing a reset. They explore why traditional tiered SOC models and white‑label thinking no longer scale, how ungoverned AI adoption collides with zero trust, and why speed and decision quality now matter more than raw data or CVE counts. From ticket overload and false positives to exploitability, continuous monitoring, and breach resilience, the conversation underscores a hard truth: MSPs must redesign security operations around automation-first workflows that reduce noise, protect high‑value assets, and preserve human judgment for what truly matters in an AI‑accelerated threat landscape.
-
289
Guardrails, Drift, and Evidence: Cybersecurity Maturity is Continuous Improvements
Chris Johnson sits down with Ido Green of Espresso Labs to explore how AI and local agents can reduce cybersecurity noise, offload Level 1 work, and continuously enforce compliance, without losing human control. They discuss guardrails for safe automation, multi-vendor telemetry, drift detection, evidence collection at scale, and why “reporting gaps” isn’t enough if you can’t execute remediation and preserve proof. The episode closes with a roadmap for frameworks, partnerships, and insurance-ready visibility.
-
288
Selling Cybersecurity to Skeptical Clients and Prospects
A sit-down with Hamid Ganadan, author of “Not Buying It: The Art of Selling to Scientists, Doctors, and Other Professional Skeptics,” on how MSPs can sell to skeptical, highly educated buyers. This is an exploration of the psychology of decision-making, shifting prospects from skepticism to curiosity, leading with feelings over facts, crafting insights that differentiate offerings, and timing data to validate rather than trigger doubt. Hamid shares practical scripts and a lead follow-up case study that massively improved response rates. Selling cybersecurity doesn't have to be painful.
-
287
Compliance is the floor, not the ceiling
In this episode of MSP 1337, Chris Johnson sits down with Jim Harryman to break down why passing audits doesn’t equal real security, and why MSPs get into trouble when frameworks turn into checklists. Drawing from firsthand experience with SOC 2 Type 2, CIS Controls, and the GTIA Cybersecurity Trustmark, Jim shares practical lessons on evidence quality, shared responsibility, inherited security, and the dangers of assumptions. They unpack why SOC 2 excels at governance but leaves technical gaps, why CIS is the most effective starting point for MSPs and their clients, and how Trustmark helps operationalize governance for MSP-specific realities. The discussion tackles common traps—template-driven compliance, perfection paralysis, and tool-chasing—and replaces them with a disciplined, momentum-driven approach focused on outcomes, accountability, and continuous validation. From third-party vendor management to proof over screenshots, this episode is a reality check for MSPs trying to balance assurance, security, and business growth. If you’re relying on audits for peace of mind, or struggling to turn compliance into real-world resilience, this episode will reset how you think about frameworks, governance, and what “good” actually looks like. Learn more about Trustmark: gtia.org/Trustmark
-
286
Cybersecurity Maturity Beyond Tools
Most MSPs don’t fail at cybersecurity because of missing tools; they stall because they miss the maturity inflection point where governance must replace tactics. In this episode, we break down what actually defines cybersecurity maturity, contrasting technical frameworks with governance-driven models that reflect real organizational behavior. Using the GTIA Cybersecurity Trustmark’s four-level maturity lens alongside Josh’s five-step cybersecurity maturity journey (built from cyber insurance and CIS Implementation Groups), we explore how organizations move from checkbox security to leadership-driven, repeatable governance. We dig into why people and process ultimately outweigh tooling, how intentional training and tabletop exercises expose true readiness, and why cost and complexity increase as risk declines. If you’ve ever wondered why MSPs plateau despite “having all the right tools,” this conversation reframes maturity as a business and leadership problem, one solved by clarity of purpose, decision rights, and governance that scales.
-
285
E&O, Cyber Insurance, and the Illusion of Risk Transfer for MSPs
In this episode, we unpack one of the most misunderstood topics in the MSP industry: insurance. From Errors & Omissions to cyber insurance, we break down what these policies actually cover, and more importantly, what they don’t. The conversation challenges the assumption that buying insurance equals risk transfer and explores how liability really plays out across MSPs, clients, and third‑party vendors. We discuss why cyber insurance typically protects only the insured entity, how E&O applies to negligence and misconfiguration, and why insurance requirements vary dramatically based on client size, maturity, and risk tolerance. The episode also dives into supply‑chain risk, litigation realities, and why MSPs must align insurance decisions with their business model, client profiles, and overall risk strategy, rather than treating insurance as a checkbox. Ultimately, this episode reinforces that trust is built through risk conversations, not policies, and that MSPs have a critical opportunity to mentor clients on what good risk management actually looks like.
-
284
Why Communication, Not Cybersecurity, Is the Real ITSP Problem
Clear communication is one of the most overlooked and most costly challenges in IT service providers. In this episode, Chris sits down with Amy Reczek, communication and presence expert, to unpack why misalignment happens between leadership, teams, and clients, and how understanding the “why” behind communication changes everything. From ineffective meetings and virtual body language to intent versus impact, this conversation dives into the human gaps that tools and systems can’t fix, and what ITSP leaders can do instead.
-
283
Installing or Configuring Is Just Not Enough
The critical importance of going beyond just getting technology to work, addressing the underlying security, scalability, and proper implementation, rather than just fixing symptoms. Eric Hansen, of Inland Productivity Solutions, emphasized the importance of starting troubleshooting at the very beginning, even when engineers claim they've already done everything. He discussed their hiring process, which prioritizes people skills and problem-solving abilities over technical expertise, using unsolvable scenarios to test how candidates handle pressure and know when to escalate. While Eric and I might have found a few rabbit holes in this episode, I hope you will hear a recurring theme: delivering cybersecurity in everything you do with your clients. "We're still in the people business."
-
282
GTIA On Location Interview: A Phishing Expedition and Cybersecurity Maturity
A real-world phishing incident. Real financial impact. Real lessons for MSPs. In this episode, we unpack a phishing attack that led to unauthorized access to an Azure subscription and significant financial loss for an MSP client. The conversation goes beyond the incident itself to examine where policy gaps, weak controls, and unclear ownership increased liability, and what changed when the MSP committed to cybersecurity maturity. Joined by Chad Holstead, we walk through how pursuing the GTIA Cybersecurity Trustmark helped transform the MSP’s security posture, improve privileged access controls, and dramatically change the insurance conversation, lowering costs while increasing coverage. This isn’t about adding more tools; it’s about leadership, governance, and proving maturity before advising clients. If you’re an MSP talking cybersecurity to customers, this episode makes one thing clear: secure your own house first. For more GTIA On location interviews, head over to YouTube and just search GTIA On Location or use this link
-
281
Suspended, Hacked, or Outbid - Cybersecurity and Marketing, Can They Co-exist?
Google Ads can disappear overnight, and for millions of businesses, it has. In this episode, John Horn of Stub Group breaks down the growing cybersecurity risks behind Google Ads account suspensions and why 39 million accounts were shut down in 2024. We explore Google’s automated, all‑or‑nothing enforcement model, how website vulnerabilities, phishing attacks, and account takeovers trigger suspensions, and why recovery is often harder than prevention. The conversation also dives into the impact of AI on search behavior and SEO, the rise of click fraud, and why Google still dominates search advertising despite the emergence of AI platforms. If you advertise online or manage digital infrastructure, this episode offers practical guidance on securing ad accounts, preparing websites for advertising, and avoiding costly mistakes that can shut down growth overnight.
-
280
Operational Maturity Meets Cybersecurity
Cybersecurity maturity isn’t earned in audits, it’s earned in the operational moments where governance either shows up… or it doesn’t. Today’s conversation with Mike Stewart of Anchor Networks goes deep on MSP maturity. How leadership tone, culture, and repeatable decision systems turn policies into actual behavior. We cover why security awareness must be frequent (not annual), why “the why” behind policies matters, and why AI is now a governance challenge as much as a technical one—especially as acceptable use expectations evolve. The goal: use AI to reduce overload and automate routine work, while strengthening critical thinking and verification habits.
-
279
AI Governance and the MSP Maturity Model
Managed Service Providers are being pushed to “get compliant fast.” In my discussion with Bruno Leqoc, we reframe the challenge. Compliance isn’t security, and lasting compliance depends on security maturity first. Highlighting how AI policy can extend existing governance frameworks, why Microsoft Secure Score is a practical readiness indicator, and why foundational controls (MFA, patching, device management/remote wipe) must come before certifications and GRC tooling. In this episode, we also explore MSPs’ expanding responsibilities in data privacy and governance amid fragmented U.S. state laws and why client alignment and continuous maintenance are the true costs of compliance.
-
278
Governing AI in a High Risk World
Exploring the fast-moving intersection of AI governance, ethics, and cybersecurity, examining how organizations are struggling to adopt AI responsibly while keeping pace with innovation. The conversation highlights a growing disconnect between enthusiasm for AI tools and the absence of clearly defined use cases, governance models, and security guardrails. As AI capabilities rapidly expand, Dr. Adeel Sheikh Mohammed emphasizes that organizations must move beyond checkbox compliance and adopt a shared, strategic approach to AI risk, ethics, and cybersecurity maturity.
-
277
Do Phishing Simulations Really Work?
Phishing simulations are one of the most debated tools in cybersecurity awareness, but do they actually work? In today’s episode, we’re joined by David Shipley, former soldier turned cybersecurity researcher and founder of Beauceron Security, to unpack what the data really says about phishing simulations, human behavior, and why zero clicks has never been, and will never be, the goal.
-
276
Physical Safeguards and Process and Procedures
Have you ever been stuck in an elevator? What happens when you push the call button? Physical safeguards managed by a 3rd party are often ignored or marked as N/A. What happens when processes and procedures don't get updated after a change? Listen in as Charles Love of ShowTech Solutions shares his experience of being trapped in an elevator and what we should all take away in lessons learned.
-
275
Data Privacy and Security Trends in 2026
A much-needed discussion on the fast‑shifting world of data privacy in 2026 and what it means for MSPs on the front lines. From the tangled web of U.S. state privacy laws to the rising risks hidden in modern data flows (yes, even your car!), guest Andy Sambandam, Clarip CEO & Founder, lays out why every security breach is now a privacy breach, and why security and privacy are officially a forever marriage. We dig into transparency, consent, data mapping, retention policies, and the growing pressure on businesses to actually practice what their privacy policies preach. If you want to stay ahead of compliance, client expectations, and real‑world data risks, this episode gives you the clarity and direction you need.
-
274
Exploring AI Usage, Misconceptions, and of course Security Concerns
In this episode, we cut through the AI hype with Alane Boyd to unpack what MSPs really need to know about today’s AI landscape. We cut right to the chase on data‑privacy pitfalls and free-tool misconceptions, and on the rise of AI agents that go far beyond simple automation. We explore practical, business-ready use cases, how to build safe and effective AI policies, and why better prompting (and better balance with our mental health) matters more than ever. If you’ve wondered how AI can help your team without putting your data at risk, this episode delivers the clarity you’ve been looking for. If you are looking to connect with Alane Boyd, her website is biggestgoal.ai
-
273
Human Behavior and Shifting from Security Awareness to Appreciation
Chris Johnson and cybersecurity expert Robert Siciliano dive into the human side of security, exploring why default trust and denial make people vulnerable to social engineering and cyber threats. They discuss the cultural framing of security, the importance of personalizing security practices, and why leadership must model proactive behaviors. The conversation introduces the concept of a “strategic human firewall,” emphasizing that proper protection comes from security appreciation, not just awareness. From AI-driven fraud and voice cloning to practical steps like password managers and two-factor authentication, this episode highlights how mindset shifts and personal responsibility are key to resilience in today’s threat landscape.
-
272
ITSP Resilience in 2026
Resilience and Continuous Improvement for ITSPs as we go into 2026. I discuss what it means to be on a resilience journey with Charles Love of ShowTech Solutions. ShowTech Solutions has reached a milestone in its maturity journey, achieving Assured status, and continues to advance its maturity process. Experiences and lessons learned that will help any ITSP on their own journey.
-
271
December Series 2025 Wrapup
Predictions and challenges in the technology and cybersecurity space for 2026, with a focus on Microsoft ecosystem changes, licensing, security, and the impact of AI and Copilot. I had a chance to catch up with Shay Cohen of Optimize365.io this week, and I think you will find his insights on the future of CoPilot and other unique changes we can expect in 2026.
-
270
Data, Security, and The Human Edge
In 2026, AI will increasingly integrate into business processes, emphasizing strong data quality and security as prerequisites for success. AI agents, distinct from chatbots, will operate with machine identities to automate tasks while supporting, rather than replacing, human decision-making. This is just a glimpse of the insights Ben Wilcox of ProArch shared this week.
-
269
Look Ahead Part 3
Looking ahead to 2026 trends and challenges in the MSP (Managed Service Provider) space, focusing on AI, automation, security, risk management, and social engineering. In a conversation with Josh Hohbein of Centrex IT, we discussed the key challenges and opportunities as we enter 2026.
-
268
Risk Management In 2026?
Predictions for the Managed Service Provider (MSP) cybersecurity landscape in 2026, with a focus on risk management, the continued importance of basic cyber hygiene, open-source adoption, and the strategic use of risk registers. Did I say Risk Register? Dom Kirby brings it home: the importance of the Risk Register and its role as we enter 2026. He advocates that MSPs move beyond discussions of technical tools and engage in business and risk conversations with their clients.
-
267
Cybersecurity Spend Decisions For 2026
I sat down with Chris Loehr to discuss the varying approaches businesses are taking toward cybersecurity spending as they plan for 2026, highlighting the influence of private equity and the unpredictability in budget increases or reductions even within the same industry.
-
266
Just Sell Me The Minimum
From what keeps us up at night, to just meeting the minimums and nothing more to be compliant. Dorota Ulkowska of Accurate Networks and I discuss the recurring challenge of clients, tiny businesses, resisting recommended cybersecurity practices due to cost, perceived inconvenience, or a belief that risks are exaggerated, with Dorota providing real-world examples from their experience at Accurate Networks.
-
265
Cybersecurity and Simplicity
Sitting down with Bobby Glen James of Boteka about the importance of simplicity in IT security for MSPs. Bobby shares lessons from decades in the industry, advocating for Lean IT practices, streamlined technology stacks, and a service-first approach that avoids hardware upselling and long-term contracts. Practical insights on risk management, prioritizing critical systems, and building resilient, client-focused MSP services.
-
264
DNS Records: Secure and Correct?
By the end, it is hard to believe that in 2025, less than 30% of all Web Domains have properly configured SPF, DMARC, and DKIM records. Yep, less than 30% of the top 10 million domains. I sit down with Al Iverson of Valimail to talk about DNS records and the importance of SPF, DMARC, and DKIM records. Might sound a bit boring... At the end of November, bulk mailing will stop working for your company if you don't have those records configured correctly.
-
263
Biggest Challenge Facing MSPs
Once upon a time, I was an MSP. Looking at everything that MSPs have to keep track of, both internally and client-facing, can be overwhelming. I sat down with Dor Eisner of Guardz.com to talk about the biggest challenge facing MSPs.
-
262
Value of Frameworks
With IT Nation Connect Global only a week away, we wanted to share some of the workshops and the value frameworks play in helping shift the conversations about cybersecurity from speeds and feeds to Risk. Josh Hohbein of CentrixIT joins me to share his perspectives and why he is so passionate about helping other MSPs and their clients better understand how frameworks help and the importance of the GTIA Cybersecurity Trustmark.
-
261
Monologue with CJ
First ever monologue with CJ... I recap some of the things I found to be of interest over the past few weeks with Pax8 EMEA and ChannelCon EMEA... Tell some stories and then looking forward to MSP Global. This one is short and sweet and I hope you find some entertainment in it.
-
260
IR Games: With Clients and With Staff
Incident Response Planning and tabletop exercises have been discussed on the show several times. However, how do you get culture adoption and buy-in from all staff? I sit down with Amanda Lachapelle of Auvik to talk about IR Games, how to do them, and the importance of doing them, not just internally but also with your clients.
-
259
Cybersecurity Month Events
A Discussion around the global proliferation of cybersecurity and technology events, noting regional differences, the heavy concentration of events in October, and the increasing overlap in topics and audiences. Chris and Henry Timm of Phantom Technology Solutions also reviewed the agendas and standout features of key events they plan to attend—PAX8 Beyond, Channel EMEA, and MSP Global—highlighting session themes, notable speakers, and unique elements shaping the month’s cybersecurity dialogue.
-
258
Pax8 Beyond EMEA and AI...
Pax8 Beyond EMEA 2025 is less than a week away, and I wanted to take a minute to talk about the cyber sessions. What Matt Lee, of Pax8, is doing (today's guest), specifically his AI and CTF session. We might drift a bit in our conversation and go down a deep rabbit hole when setting up a home lab on the cheap. Enjoy!
-
257
Gap Assessments and Remediation
Using a framework to assess a client is a great way to baseline security and compliance. We explore the challenges, hurdles, and best outcomes when you look at who is responsible for different pieces. Some safeguards can only be implemented or addressed by the MSP. Other safeguards require the participation of both MSP and the client. Lastly, some safeguards require the client to lead. Jim Harryman of Kinetic Technology Group shares their approach to get the desired outcome.
-
256
Insurance Perspectives on Cybersecurity Policies
At Channelcon25, I was able to capture a few of our members in some in-person interviews on different topics. Dustin Bolander of Beltex Insurance had some really interesting insights that I wanted to share before we get to cybersecurity month.
-
255
Identity
Identity is who we are, and it is constantly being subjected to many different threats. I sat down with Kristen Costagliola CTO at Syncro, to talk about the challenges and some of the solutions to help MSPs and their clients make good decisions about protecting their identity.
-
254
Incident Response Planning and Table Top Exercises
In the current threat landscape, one can easily become overwhelmed. I sat down with Noam Morginstin, founder of Exigence, to talk about realistic ways MSPs can begin building their Incident Response Plan and how to tackle successful Tabletop Exercises and prepare for resilience.
-
253
Tools, Tools, Tools
If you are an MSP, there is probably at least one tool in both the physical space and the digital space that you were just awestruck when you finally got your hands on it. I sit down with Charles Love of ShowTech Solutions to talk about some tools from the wayback days and how the tools today are in some ways truly transformational in how they save us time, make us more accurate, and help us take better care of our clients.
-
252
Getting Clients To Take Cybersecurity Seriously
How do you get your clients to take cybersecurity seriously? I sat down with Ann Westerheim of Ekaru to discuss strategies for helping MSP clients improve their cybersecurity posture.
-
251
Compliance and GTIA Cybersecurity Trustmark
Getting to compliance... Do you end up with more to do because you have the GTIA Cybersecurity Trustmark Assured? I sit down with Chase Griffin with ShowTech Solutions to talk about their experience and what has transpired since achieving Assured status and how that changed their outlook on improving their compliance to a standard and setting them up to be resilient.
-
250
A Client's Journey Through Ransomware
When a client is hit with ransomware, it can be paralyzing. After the tabletop exercises carried out at #ChannelCon25, Jason Comstock of Clarity Technology Solutions explored ransomware and the path to recovery. Stay tuned to the end for Jason's after-action report.
-
249
Reflect on TD Community PreDay
With more than 100 attendees for a full day of networking and learning. The TD preday and another 30+ next door for MSP-Ignite peer group facilitated discussions, it was a learning and growing experience for all. I sat down with Roddy B. of ShureWeb to get his take and perspective. We went off script a few times, and I'll be sure to bring some more insights in future episodes. Insights to be had for sure all the way around.
-
248
Channelcon25: Preview of Preday and Cyber Track
Charles Love of ShowTech Solutions and I sit down to discuss Channelcon25. Why you should attend and a preview of some of the sessions. From MSP-Ignite and their peer group style conversations to Tech Degenerates and many other communities coming together for a Monday Pre-day and then rolling into the daily agenda, centered, of course, on sessions that pertain to Cybersecurity and perhaps a path to developing the skills to help you on your GTIA Cybersecurity Trustmark journey.
-
247
BEC, AI, and Recent Events
With some of the recent events in the ransomware space, I had a chance to hear firsthand from Dave Alton of Strategic Integrated Resources. I asked the question, "What is concerning you today?" This discussion has some action items that you can do with your own clients. Whether you are dealing with business email compromise, wire fraud, or are just worried about a vendor, you will want to listen in as Dave shares. Also, stay tuned to the end. ChannelCon and the Tech Degenerates preday is less than 2 weeks away.
-
246
Cyber Insurance vs Risk Management
Cybersecurity Insurance and Risk Management are generally conversations we avoid in the ITSP space, but with recent events, Matt Lee and I sit down to talk about how the two complement each other, the pitfalls, and some tips for protecting yourself through both.
-
245
GTIA Cybersecurity Trustmark - Assured
With more than 30 ITSPs through their first assessment cycle, I wanted to take some time to get feedback on why it is an important process for any ITSP. A raw conversation with someone who will pull no punches on providing feedback as it pertains to the Trustmark and the history of what Trustmarks have come out of GTIA for its members. Charles Love of ShowTech Solutions provides significant insights that allow everyone to find at least one nugget.
-
244
Challenges and Opportunities
The challenges and opportunities facing Managed Service Providers (MSPs) in 2025 are ever-changing, and the twists and turns keep any MSP on their toes. As I sat down with Brian Rodgers of Aeko Tech, we discussed several topics and found ourselves hitting on a recurring trend: the ever-evolving role of AI in business operations. Here are the four areas we covered: Client Education - If they don't understand the why, they tend not to comply. Entrepreneurial Resistance - You have heard it before, "I got this." Compliance misunderstandings - Attempting to check a box when asked to have a risk mitigation strategy, and last... Customization over productization - which translates to compliance solutions, must be tailored: one-size-fits-all packages often fall short.
-
243
Insights on Data Intelligence with Pedro Castillo
Where does my data go? What data was sent across the API? How do we separate the signal from the noise? Pedro Castillo of Onum and I sit down to talk about what might be the subsequent transformation of data processing since Akamai came on the scene. Onum's mission is to address the challenges in data management and cybersecurity. Enjoy our raw conversation, which just got captured; we agreed to share it immediately.
-
242
Practical Insights From Recovering MSPs
A fireside chat with George Bardissi of bVoIP and me at the 1Stream by bVoIP Partner Gathering. Mistakes we made, the challenges we overcame, and then we jump into some interesting questions ranging from AI and Insurance to the Cybersecurity Trustmark and how it benefits MSPs. This is a different format and was recorded with a live audience.
-
241
GRC Platforms and Other Tools
Sitting with Henry Tim of Tech Degenerates and Phantom Technology Solutions to talk about GRC platforms. What makes it a GRC platform? How important is a GRC in my MSP? These questions and several others are tackled, and I think we have found some answers.