Hey, this is Jennifer Tribe and you’re listening to Frankly IT, episode 77.
Happy holidays! I hope you get some R&R time to spend with family, recharge your batteries, and of course, listen to all your favorite podcasts.
Today’s episode is a roundup of some of the best and most popular episodes we aired in 2020. Gosh, and a lot happened this year—around the world and also on this show.
20 Minutes, 7 Insights, 1 Interesting Year: 2020 Recap
We started 2020 as the show called Frankly MSP and kicked off the year with Frankly MSP Live in Santa Barbara, California in early January. It was one of the first conferences on the calendar but what we didn’t know then was that it would also be one of the last in-person events for the year. Eep. We feel so lucky to have connected with everyone in such a beautiful spot before COVID-19 sent us all home and kept us there.
I first mentioned the coronavirus on episode 60, which came out on Feb 20. It was still really early days. I remember being uncertain about whether I should even mention it at all. Was it going to turn out to be no big deal?
As I record this it’s mid February 2020 and I’m curious… if your MSP business is at all being affected by a virus. But a different kind of virus than the ones we normally talk about on this show. … the coronavirus or COVID-19 as it’s now been officially named.
I saw one thread on an MSP Facebook group talking about some difficulties getting certain parts or devices in stock because of slowdowns in the supply chain in Asia. Here at Auvik, we’re starting to feel a few ripples with the cancellation of Cisco Live in Melbourne, Australia, which was originally slated to take place the first week of March but has now been cancelled. We were attending that show as a sponsor and now of course won’t be.
Fortinet Accelerate Europe, which we were also scheduled to attend, has been cancelled. That show was to be in Barcelona in late Feb.
And Mobile World Congress, another huge show like Cisco Live—we weren’t scheduled to attend but that’s another huge tech conference that was to take place in Barcelona in late February—and that has also been cancelled.
So far, we haven’t seen any event cancellations in the Americas so that’s good news at least. But like I said, I’m curious—are you feeling any effects at all from coronavirus on your MSP business?
Well, yeah. COVID turned out to be kind of a big deal and not just for Asian supply chain slowdowns or event cancellations.
The entire Auvik team went on work from home in mid-March. That meant I no longer had access to my podcast studio so some of you may have noticed some changes in the recording sound. Good news there that I’m finally fully set up in a new home office studio with all of my usual recording gear.
In May the podcast went on break for a couple of months, and not long after we came back from that break, we changed our name. Now we’re Frankly IT, the podcast for IT leaders everywhere.
Now here we are looking back and apart from the coronavirus, there were 2 major themes that ran through our interviews this year. One was cybersecurity and one was IT leadership.
I’m going to start with a look at some of the security episodes.
In early February, again before COVID was really on anyone’s radar in a big way, I spoke to Jon Clay, the director of Global Threat Communication at Trend Micro, about what were shaping up to be the big cybersecurity threats in 2020. We covered failure to patch (a very basic but perennial weak spot), ransomware, IoT vulnerabilities, bad actors targeting home networks (hmmm, a bit of foreshadowing of some of the challenges we’d see in the work from home movement there) and using AI to create deep fakes.
This is still kind of a proof of concept, but with the ability for threat actors and malicious actors to utilize artificial intelligence and machine learning, we’re starting to see these what we call deep fakes, which is essentially using artificial intelligence to build, whether it is a voice only or a video of a person and making it sound like them, even though it’s not them. So it’s not the person actually in the video. It’s not the person actually talking on the audio, but they actually utilize A.I. to mimic them. Create their faces, create their voices. One of the things we talked about before is business email compromise, which is a threat that a lot of organizations are dealing with, where you get an email message into your financial team and it’s purporting to come from the CEO, the CFO, asking that that person in the email to wire transfer money out to an account, the account being the criminal account.
We think that with deep fakes, potentially what we’re going to see and we’ve actually seen one already where a fake voice enabled instructions came into an organization via a voicemail asking that person to wire transfer money. They did wire transfer the money. So that’s where we see the challenges. I think in the initial area we’ll see voice only as it’ll be more likely that you could utilize a voicemail scam inside an organization and in a business versus a video. I don’t think you’ll start seeing managers videotaping themselves giving instructions for their employees to do. Not likely. If we’re going to see video, it’s more likely going to be around political issues, political campaigns. Or we could see, for example, a deep faking a CEO talking about issues with the organization that could affect their stock price, which would then make the actors behind it could be looking to either short or long their stock and try and utilize social media to expand them this deep fake video of the CEO saying something potentially either positive or negative about the organization.
But Jennifer, the beauty about this is there’s an easy solution to this, which is 2 factor verification.
Frances Dewing, the CEO of a cybersecurity software company called Rubica, joined us in an October episode to talk more about security vulnerabilities, including the ways attackers were taking advantage of weak home networks, echoing Jon Clay’s early heads up. In particular, she spoke about how current security technologies and protocols just aren’t realistically built for the way people behave and how that was really exacerbated by the pandemic.
It’s the default kind of reaction for a lot of corporate security teams when COVID hit and everyone was pushed into 100% remote work was to roll out corporate VPN to bring those users back into a secure corporate network, because frankly, most of our security layers have been designed around the office infrastructure or the office network. I think IT teams recognized OK, people are at home on their very basic insecure home routers. Let’s port them back in and make sure they’re secure. The problem with that is that assumes that your user is going to boot up their computer in the morning and immediately connect to the corporate VPN and stay connected all day long. And that’s not how people use corporate VPNs.
They turn them on to access their files or services and then disconnect and continue to do email, web browse, etcetera on that same device. And this has actually become a threat vector rather than a protective layer given that cyber criminals have now realized this. And so what they’re doing is, is infecting people’s devices when they’re disconnected from the VPN and then using the corporate VPN as their tunnel back into the network. So they’re literally using it to piggy back in and propagate malware in the corporate ecosystem. This comes back to the fact that corporate VPNs were really not built for this 100% remote working scenario that we’re in. And they weren’t built for this kind of practical reality of how users actually behave.
Over the summer, I spoke to Rob Shavell, the CEO at Abine, about protecting networks and users from threats — but not Dark Web threats like some of the things that Jon Clay and Frances Dewing were talking about. Instead, Rob talked about what he calls threats from the “light web” – these are attackers using readily available and legally acquired data to gain network access.
So when you’re protecting a network, I think typically the way I.T. professionals have thought about that is, what are the threat vectors for a data breach? And how do we protect against those continuously. And how do we set up our network protocols and rules and security procedures to minimize the risk of those. And one of the emerging risks that we see is what I’ll just call like the light web as opposed to the dark web.
What I mean by that is the massive amount of information that can be correlated to either users that you’re protecting on your network or customers that the network or company is supporting, the greater availability of personal information that can be bought not on the dark web, not taken nefariously from a zip file, from a data breach, but rather just purchased out in the open from a variety of data brokers.
One key point for anyone running a network to understand is the root cause of where this data is coming from that’s used for these social engineering attacks and credential attacks and sophisticated kinds of fraud. And the root cause of it, unfortunately, isn’t just social networks. So a policy that says, hey, don’t ever reveal your employer name or status on a social network, doesn’t protect against some of these profile-based, data broker-based threats because this information is getting gathered at the source from a bunch of different public records databases.
These are typically state government registries, things like the DMV, voting records, court records, this kind of thing. And they used to live in file cabinets and now have not just been sucked onto the web, but have been continuously updated and correlated by the data broker industry, which has increased the sophistication of what its tools are able to crawl and update to a level now where pretty much anything is easily available for a small price.
Switching gears now to IT leadership, 2020 offered a number of interviews with coaches, authors, and consultants talking about effective strategies for leading IT teams.
We start with Bob McGannon, author of a book called Intelligent Disobedience. Bob shared how you can cultivate growth, efficiency, engagement and performance within your team—simply by knowing when to bend the rules & teaching your team how to do the same.
Bob: The phrase intelligent disobedience comes from the world of seeing eye dogs. You don’t want the dog to obey its master’s every command because they’ll both get hit by a truck.
A dog goes through 12 to 18 months of training to teach it to obey and then the next 12 to 18 months teaching it when and how not to obey, to protect itself and its master. My concept is in a leadership setting, probably the same skill that’s needed. Business processes that are effective work let’s say 98 percent of the time and they yield the outcomes they’re intended to yield. But what happens during the other two percent? What do managers do? What do managers allow their people to do?
Be it an outage that’s not expected, some sort of new idea that surfaces that has to be incorporated, and maybe it came in late, but it’s a great idea. How do you engage in intelligent disobedience to get the best outcome? That’s the concept that I love to talk about in the leadership setting for intelligent disobedience.
Jennifer: So this is really about knowing when to not follow the process or not follow the rules.
Bob: Exactly. And the intelligent bit also means that you have to be very cognizant of what’s going on.
Bob: It’s not only knowing when you can get a better outcome by not following the rules and processes, but also understanding the context and the boundaries around which you can vary from, bend or maybe break that process.
More recently, in Episode 74, I was joined by Melanie Parish, a leadership coach and the author of a book called The Experimental Leader. Her premise is that you can apply the principles of agile development to people leadership, and that it really helps improve not only your performance and your confidence as a leader but also helps your team perform as well. Here’s Melanie talking a little about the experimentation part of her concept.
You want to see what you can do. You would manually do it first because you want something that’s quick turnaround. You want a prototype. So if you want to close more tickets, I wouldn’t say you build software to track it first. I would say that you actually do it manually in the beginning. We’re not looking for efficiency in the beginning as we start to collect data. We’re looking for what we can learn. And then we stop experimenting at some point because we feel like we have developed the right solution. At that point, you can invest. But in the beginning, you want to prototype as much as you can. And efficiency is not the goal in those early experiments.
You want proof. It’s like the proof of concept. You want proof of concept before you invest. What do you think you’re gonna learn? Test that. How do you need to shift it? Because if you invest in your solution too early, you may waste a lot of time, money and you may not create a solution that solves the problem you think it will.
Prototyping always seems like it’s super inefficient until you think of what it saves you in the long run. Because it gives you more elegance. It’s okay to try something and be inefficient in the beginning. You look for flow first, then you get efficient after you have flow.
Consultant Todd Kane was a repeat guest on the show in September and we talked about why it’s so hard to be a good IT service manager and how you can handle those challenges. One helpful thing he recommended was really understanding how company goals cascade down to department and team and individual contributor goals, and how to help your team make those connections between the various levels of goals so they know what they need to do and why.
I often suggest that if you’re in the service management role and you’re not being consulted or brought into the annual or quarterly executive planning sessions, then advocate for that. So you can contribute towards the planning and understand more deeply what the goals of the organization are. That’s really key around that contribution towards the strategic vision and how that matches with the execution planning. And then you carry that down to hopefully divisional goals. The goals of the company will be drastically different than, say, the marketing part of the group and the sales part of the group and then the technical delivery of the team as well. So each of those groups potentially has their own strategic plan and then the individuals within that team have to understand how their daily contributions actually contribute towards those goals.
I’ve originally trained in Gazelles, which is the Verne Harnish organization, which was sort of the predecessor or the seeds for EOS, for Traction. So a lot of people will be familiar with that type of planning. And if you’re not, absolutely read up on Traction systems or Gazelles, they’re excellent planning tools for organizations. You can actually take it one step further and develop scorecards for individuals where the scorecards are developed in a way to seed the lead indicators for the individuals.
And you can help them to understand these are the corporate goals. These are the divisional goals. These are your individual goals. And you can help them understand how they actually track forward. In order for you to do this, the team does all of these things, and that’s how the divisional goals meet the strategic vision of the organization. So everyone understands how they fit within the goals and the challenges that are going to be met by the team collectively for the company’s goals.
Also in the fall, I talked to Julie Forsythe, the VP of Engineering at Auvik, about how to build and grow productivity on your technical team. She shared her insights on using a Top 10 list of priorities and how that helps focus everyone — team members, team leaders, executive management, internal or external clients that you’re doing work for — on what’s really important.
IT is often an interruption driven service. And so where possible, it’s important to plan and prioritize known projects and work items with stakeholders and customers. It’s important to get agreement across your stakeholder group to ensure that the priorities that are set for those projects will deliver to the needs of the business and to our customers. It’s, of course, important to leave time for interruptions. But managing expectations with the projects that you will and won’t do within any given month, quarter or half are important. So that when it is time to execute on those plans and projects, we know that they’re important. We know that they’re a priority for customers and stakeholders and they get the resources that they need to be done well in a reasonable amount of time.
Prioritization is something that we talk about very easily, but it’s something very difficult to do, especially with a room or a Zoom full of all of your stakeholders. Often I.T. teams are looked at and asked to do all the things and given the resource constraints that any I.T. department has, it’s really important to nail down those two or three top priorities in a period of time. For us, it’s quarterly. And those are the things that we’ll focus on. It’s equally important to ensure your stakeholders understand the priorities that have been agreed upon so that the person or the group that’s asked for something on the list that’s not getting actioned can take appropriate steps and plans on their own to fill that need short term or as appropriate.
Going in to help identify the availability of I.T. or technical resources definitely helps when we’re transparent about the availability and time that we have. It helps with the conversation. All the teams that are coming to the table are often resource constrained themselves. And so I think they do understand that there’s only so much that our group can do and they appreciate that we’re trying to find a path that is reasonable, including them in the discussion so that they can be part of it and advocate for the work that they need done.
I hope these clips have piqued your interest. I highly recommend going back and relistening to past episodes with particular insights for you or catching them for the first time if you haven’t had the chance yet. I’ll put links to every episode in today’s show notes. And I’ll remind you that in the show notes for every episode are resources for further reading or exploring. Links to books, articles, other podcasts, training programs, contact information for the guests and so on so definitely check those out if you’re looking to dig deeper on any topic.
And hey, while you’re there, say hello. I’d love to hear what you think of the Frankly IT podcast. How has it helped you? What changes have you made in your business or career based on insights from the show? What would you like to see more… or less of? Like I said, you can leave comments on any show notes or you can email me directly at franklyit at auvik dot com.
Either way, don’t be a stranger. I want to hear from you.
And that’s a wrap on 2020. ‘Til next time, this is Jennifer Tribe.
Happy holidays and as always, thanks for listening.
Links from this episode
- Using Soft Skills to Deliver Hard Results in Your MSP – FMSP 060
- The Biggest Cybersecurity Threats for MSPs in 2020 – FMSP 059
- Security for Humans – FIT 071
- Network Security Threats From the “Light Web” – FMSP 066
- Why Great Leaders Teach Their Teams to Break the Rules – FIT 067
- Experiment Your Way to Great IT Leadership – FIT 074
- How to Step Up and Shine as the IT Service Manager – FIT 070
- Driving IT Productivity With a Top 10 List – FIT 069