Dave Sobel is host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.
In this video, Sobel talks about state, local government and education (SLED) organizations and how they’re responding to new cybersecurity initiatives with John Zanni, CEO of Acronis SCS, a U.S. public sector cyberprotection provider based in Scottsdale, Ariz. They discuss why SLED organizations are a prime target for ransomware attacks and how MSPs can help them with certifications and funding opportunities. Zanni predicts upcoming trends in the security landscape.
Transcript follows below. Minor edits have been made for brevity and clarity.
SLED-level organizations make attractive ransomware targets
Dave Sobel: I talk a lot about cybersecurity on the show. I’ve been talking a lot about federal engagement. But you think that there’s a lot more action at the SLED level — that state, local government and education level. Tell me why you think there’s so much action at that level right now?
John Zanni: It’s a great point and I appreciate you asking me that. We all know the federal government is a target of attack from bad actors, especially certain nation-states. What a lot of these cities and states don’t understand, and small hospitals and even nonprofits, is that because of the way the bad actors go after these entities with ransomware for example, or malware, or now what they call ‘killware,’ it’s done in a programmatic way, which means there’s really little cost for them to go after thousands or tens of thousands of entities. As long as they succeed in a number of them, even if they don’t get a lot of money per agent, agency or per group, it ends up being a significant source of revenue for them. And I use that term because they do run it like a business. They look at return on investment. The other advantage is that a lot of these cases, the infrastructure is not up to date. You might have a part-time IT person managing that infrastructure for a local, small city. They’re just a prime target of getting thousands or tens of thousands of dollars over and over again, instead of trying to go for the big $10 million or $50 million payout.
Sobel: They look a lot like small businesses really. That’s what they end up looking like, right?
Zanni: Exactly, except more complex. You take the state of Arizona, for example. It is a federated system. Some of the city budgets come from the state. Some of it they have to supply themselves. School districts are the same. Take a K-12 school district; they have other items that they need to assign those budgets to, for example omicron.
Sobel: When you’re working with these, how much are you finding that these organizations try and do it themselves with an internal IT department and how much are they doing it with external contractors and vendors?
Zanni: It’s a mix. It really just depends who you talk to. What I’m seeing is the smaller the city or the smaller the entity, it seems like more that they just have a trusted IT provider that might be supporting multiple 3,000 to 5,000 person cities or 50 doctors’ offices. And they don’t understand that there are tools out there that could help them be much more effective, especially through managed service providers that provide full IT services that’ll help them be protected.
Certifications confirm data protection measures
Sobel: I want to get into a couple of specifics of things that we’re seeing happen right now. There’s been a lot of talk around certifications for cybersecurity solutions like [Federal Information Processing Standard] FIPS 140-2. How much of it is related to this space? What size providers and SLED need to be thinking about certifications like FIPS 140-2?
Zanni: The way to think about it is, when I was in the early ’90s, before I was in tech, I’d go to buy a piece of technology for my home. Whether it was a router or some software, I would buy when it said ‘certified for Windows.’ At that time, Windows was the big thing. Because I knew if it had that stamp, it would work. It’d be easier to work. This is the same thing. I don’t recommend anybody to go and get a FIPS-certified solution or get certified themselves because it’s quite involved. It takes 18 to 24 months, a lot of money. But what they need to do is, wherever they’re getting their IT technology — whether it is storage, backup and recovery, anti-ransomware — you need to ask them what certifications they have. If it is FIPS 140-2 certified, then it has government-grade encryption, both at rest and in transport. It allows you to feel good that someone’s not just giving you a marketing spiel, but they actually got that certification. And it’s not just FIPS. It’s HIPAA. It’s CJIS [Criminal Justice Information Services]. It’s NIST 800-171. We could take two hours if I went through every control there. If you are NIST certified, then you at least know that somebody audited the system and said, ‘Well, these guys are doing everything they can to make sure your data’s protected.’
Sobel: I want to pick on one in particular because I want to get your take on it. That’s the Cybersecurity Maturity Model Certification or CMMC. This is one where it’s become a mandate at some level and we’re seeing more of that. But again, my analyst take on this is I keep seeing two sides to this. There’s one side that says, ‘CMMC is a great framework and it’s working really well to help give us some insights.’ And then I have other experts that are telling me, ‘Well, with 2.0, they’ve actually neutered it a little bit. There’s a lot more self-assessment to it.’ That it’s a lot less helpful. If I’m standing in for the customer in a way with my level of analysis to it, how do I interpret this and how do you look at CMMC?
Zanni: So, just a little context on the CMMC. It has five levels, and I know they’re talking about changing it to three levels depending on the level of security you need to have, where level one is just basic security, similar to at your home. I assume you lock your door at night and close your windows before you go to bed. Then there’s another set of levels above that, which is really for sensitive data, but not classified or secret or top-secret data. And then there’s the levels for data that just cannot get into bad actors’ hands. And what they did is they’ve actually done a pretty good job of separating the controls you need and what you need to do to protect that data tied to its sensitivity. Unfortunately, with version 1.0, there were 171 controls in total over 17 domains. It became cost-prohibitive for a small business to become CMMC certified. On top of that, there were a small number of auditors, which means the prices were ridiculously high, and there were requirements that just made it nonviable. In comes 2.0, which is to try to get this compromise where if I’m a three-person, five-person shop, maybe even 20 people, that I can still meet the criteria that allows the U.S. government to buy from me without having to essentially invest millions of dollars for what could be a million dollar a year business or a two million dollar a year business, and getting access to that technology. I think we have a few more years of finding that right balance, and that’s why you’re seeing this. But overall, the principle and what they want to accomplish is good and frankly, super important.
Sobel: So, your take on it is that 2.0 is heading in the right direction, tangentially?
Zanni: Correct. It is. It might have overcompensated. The other part it doesn’t do, which we’ll have to see how that plays out, is one of the ways you could meet those requirements is through partnering with other technology providers. For example, if you use a provider that already has FIPS 140-2 storage, that meets a lot of the controls and the requirements, and you don’t have to go implement it yourself. I see businesses coming up, like virtual CIOs. If you can’t afford a few hundred thousand dollars a year for a CIO, you can now use a service that costs you much less that helps you provide those capabilities that you would need. Also, it depends what you supply. If you’re supplying a little widget that does something where the risk of it being an entry point for a bad actor is pretty low, that’s just different than if you’re providing some network protocol, which could be hacked.
Federal infrastructure bill offers up SLED security funding
Sobel: Gotcha. That makes some sense. I’ve been talking a lot on this show about the infrastructure bill and the investments that the federal government is making to try and beef up security. What are you seeing, since you work directly with a lot of the customers, what are you seeing as the impacts of that short-term now with some of that funding now that it’s in play, at least? What are you seeing as the impact?
Zanni: The short-term is a recognition by the federal government that SLED is super important and a point of attack by the bad actor. The bill designates over a billion dollars over the next four years to state, local, tribal and territorial entities, another 250 million for rural areas. That’s absolutely fantastic. It’s money that’s there for those guys to really update their systems, hire some people to put in place the automation so that they can be protected. The challenge with the bill, when I talk to some of these smaller cities or entities, is they have no idea how to get the money.
What’s not clear yet is, ‘What do I need to do to actually qualify for that grant?’ That I don’t go and put in all this infrastructure and protect myself, and then the federal government says, ‘Oops, you didn’t do this one thing and so we’re not going to give you any money.’ There’s work there to do. And we saw this with COVID and the grants around COVID, where there was money left on the table because people just didn’t know how to go after it. The small business bill, right? That’s where the work lies, how do you get access to that money? And then once you do, then you find some IT providers that can help you really protect yourself.
Sobel: Gotcha. I could also say that this is an opportunity for the IT providers to dig in and figure that out and help customers navigate it, right?
Zanni: Correct. Yes. It’s a very, very fair point. It’s just difficult. Even for us as an IT provider, I’d love to have a blog that says, ‘Here are the 10 steps you need to do to get your fair share of the money.’ It’s just not very well-defined and, for better or for worse, we’re in a country where if I make promises and then they don’t get the money, I could get sued for owing them that money. You have to navigate carefully, but it’s there.
How SLED organizations can get federal funding for cybersecurity
Sobel: So, what are we looking for, then, in terms of guideposts or direction to help navigate that? Particularly if we think, I always cite the fact that around 90% or more of all IT services providers are less than $5 million in revenue. This seems like a great area to be looking at, but now we’ve just warned it’s hard. How do they start looking at navigating this?
Zanni: My experience in dealing with these SLED entities is most all of them already have their trusted vendors and IT providers. And if they need to be on certain programs, they’re already on the program. If I was one of those vendors or IT providers, I’d go to my customer and say, ‘Look, there’s this money here. Let’s work together to figure out how to go get it.’ And I know it’s not a silver bullet. It’s not magical. But it’s what you need to do. And say, ‘Look, I can build out a program or a solution for you that’ll be within the constraints of the cost, but we need to work together to figure out what you need to do to actually get those funds in and when you would get it.’ And then it’s about navigating the system. And it takes time, but the ones who put in the effort will get access to amazing amount of funding and really be protected.
Sobel: Well, if it was easy and everyone was doing it, it’d be a commodity, right?
Sobel: We don’t like commodity businesses. We like hard businesses.
Zanni: Right. The good news is the technology’s there. It’s really just about getting the funding.
Predictions on future security landscape
Sobel: Got it. The last question area I wanted to go over with you is I want a little bit of predictions from you. I’m trying to get a feel from various experts on their take on the landscape. If I go to really, really high level, you’ve got groups like the big analysts that are saying, ‘A G20 nation is going to respond to a cyber incident in a physical way by 2024.’ For me, that points to, this problem is going to get worse, of security in general, almost before it gets better. What’s your take on the security landscape? Are we going to get better this year? Is it going to continue to get worse, more of the same? What’s your take?
Zanni: I think it will get worse and better at the same time. What I mean by that is you have to understand, advanced technology has really been commoditized. You can go to Microsoft Azure or Amazon AWS and get access to AI technology compute services, which an individual could not do in the past. The bad actors attacking these systems have easy, low-cost access to pretty advanced technology, which means that it’s going to get worse. At the same time, there are more and more sophisticated tools like ours, and we’re not the only one in the market that can combat these bad actors. And now through the infrastructure bill, we see there’s funding from the government to help protect yourself. I think what you’re going to see is those that really are proactive to protecting themselves, it’ll get better. Those who think they can wait another year or two are going to find themselves attacked and having a worst-case scenario, to pay a lot of money, or best-case scenario, to be down for days or weeks at a time. Loss in productivity is still loss in money.
Sobel: It’s interesting to me that you said that — I’m going to follow up there — the worst-case scenario is downtime. Do you think that there’s reputational damage or not, where it comes to these breaches now? Or are they so commonplace that it just doesn’t matter anymore?
Zanni: Oh, absolutely. There’s reputational damage, which you don’t see unless you’re really paying attention. In many cases, there are — let’s just say, employees in the technology sector that disappear after there’s been a breach. I don’t know. It’s weird. Being attacked and telling people about it is like getting one of those embarrassing diseases that you just don’t want anybody to know, and you want it to go away. What happens is that they, of course, spend a lot of money getting a forensics team to come bring them back up. A lot of people don’t realize that it’s not like, even if you pay the ransom, you’re up an hour later. Bringing systems back online is hard and complex. Then the leadership will change the organization because someone screwed up, but they won’t talk about it because they’re embarrassed. And there is legislation, by the way, going through government, both federal and some states, to force reporting so there’ll be more awareness around this problem and even more funding, which I expect.
About the author
Dave Sobel is host of the podcast The Business of Tech, co-host of the podcast Killing IT and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade and has worked for vendors such as Level Platforms, GFI, LOGICnow and SolarWinds, leading community, event, marketing and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro’s 20/20 Visionaries and MSPmentor 250.