
Why You Should Trust Us

Why should you trust IronTech Security as your MSSP (managed security services provider)?

Prefer to read? (Transcription)

TOM: All right, everybody. Welcome to this Tuesday Deeper Dive. We do these every Tuesday at 2 p.m. Central Time. I see we have a light turnout today, so I’m only guessing – only guessing here – that everybody has really nice weather and they’re out enjoying it. I hope that’s the case. At any rate, we’ll go ahead and get started here.

Today we’re going to talk about why you should trust us. From time to time, we’re talking to potential new clients, and invariably we go, “What are your qualifications? What’s your certifications? Are you licensed to do business in my state?”, this, that, and the other. The interesting thing about it is there are only voluntary certifications. Now, we are NIST Cybersecurity Framework compliant, but we haven’t done the formalization steps in order to say “Here’s all of our documentation, and this proves it” and it’s audited and things like that.

So today, I thought I would share with everyone the things that we’ve done, the things that we’re in the process of doing, and some other thoughts along those lines.

Needless to say, if you’re in the security business, it implies trust. We absolutely take that very, very seriously. Excising all of these demons that happened to SolarWinds when they had a backdoor password of SolarWinds123 or something ridiculous like that. We’ve excised those demons from our company years and years ago. We do things even above and beyond, like on our administrator accounts, we don’t use the actual administrator. That is for the clients’ use or for reserve. When we do our work, we have our own created user administrator account. So we log our own stuff with our clients. That’s just an example.

And that’s not even required. I don’t even think it’s part of the auditing process. But those are the kinds of things that we do above and beyond. We don’t talk about our clients in public because that just makes us more of a target as well as endangering our clients. And that’s generally speaking. We may publish a whitepaper or mention a client that, for whatever reason, wants us to mention them or they’re doing some marketing stuff and they want to say “We use IronTech for that.” But generally speaking, we don’t really do that.

The main thing is that if we’re NIST Cybersecurity compliant – identify, protect, detect, respond, and recover – we need to take it a step further. One of the things that we’ve done is most everybody in the company is a member of FBI InfraGard Chapter of Arkansas. You can only be a member of a state chapter, but there is the national organization. If you want to know more about it, you can go to infragard.net. It is a public-private partnership with the FBI, and we have meetings quarterly and other special events, and briefings that aren’t generally available to the public, to things like this latest deal with the Exchange servers.

And we have a lot of Exchange servers out there. A few dozen. I don’t know how many. Quite a few. But we’d already updated all those. This wasn’t something that really sets us back when something like that occurs because we’ve already updated them. We stay on top of things like that.

This is really a way for us to stay up with the latest threats, the latest defensive tactics and strategies and things like that. Now, InfraGard is primarily critical infrastructure focused, like water utilities, electrical grid, petroleum, things like that. But we also work with court systems and law firms and other things in the legal industry, with bar associations and things like that. That’s something that we started – gosh, I don’t know, I guess I’ve been a member for 3 years, give or take. But all the key employees are members of InfraGard, and we’re pretty proud of that.

We are currently working on a certification called MSP Overwatch. They’re NIST compliant. That’s their big deal; they take the NIST Cybersecurity Framework and allow MSPs and MSSPs to become certified on 57 different controls. It’s all documented, and then it’s audited, and they issue a certification letter for it so we’ve got proof that we’re certified.

I thought I put it on the slide, but we’re forecast to have that completed – let’s see, this is March – in end of May. By the end of May of this year, we should be certified with MSP Overwatch. This is a relatively new organization.

We are getting certified currently with MSP Verify. This company’s been around for a very long time. They are the oldest outsourced IT company or MSP organization – MSP Alliance is what it is, and the MSP Verify certification has been around I think for well over 10 years. It takes it another step further than the MSP Overwatch. There’s a lot more to it. It’s a lot more involved. It usually takes about 6 months on average to get through the certification process.

And within their certification, they have specialties as well that can be added on. One of them is the NIST CSF, which we will already have done by the MSP Overwatch, so we can piggyback that on there. But it does cost more money to add the specialties in there. We anticipate being ISO 27001 and 002 certified as a specialty within the MSP Verify. They also have a data center that we should pass with hardly any effort because we use, quite simply, no arguments, the best data center in the world.

This particular organization is called Switch, and if you want to see an amazing data center, just go to switch.com. We’re using I believe the one in Las Vegas. It’s not far from McCarran Airport. I hope to visit it next time I’m out in Las Vegas. The data center is so incredible that they had to invent their own tier. Tier 5 Gold I think is the top tier, and this changes from time to time, but they actually created a whole new category that’s above Gold. I think it’s Tier 5 Platinum. We’re talking a 100% renewable energy data center, and it has been for a few years now, and state-of-the-art security, state-of-the-art cooling. It’s just phenomenal. The pictures just blow you away.

I’ve been on a lot of data center tours, and some of them have been very, very good. Very good data centers and some really unique, creative ideas. But ultimately, I always hold them up against Switch, the one that we use. I have yet to come across anything anywhere near the Switch data center quality. In fact, I’m sure they are already certified on a number of different things for all sorts of things. Security is a big part of their deal. So we’ll do that.

They also have a specialty in business continuity, which is very, very important for our clients, and we know it’s very important. So we’ll have a specialty in that.

And just like MSP Overwatch, it’s audited and you get a certification. You get the right to use the logos. Ultimately, by the end of July or sometime in July of this year, we should be MSP Verified, and then we will begin work on the other four specialties within that. I doubt those’ll take more than a month or two to get those wrapped up. So we will end up with the overall certification plus four more specialties.

Now, I’m not aware of anyone else in the space that has those certification levels from a company standpoint. There are plenty of individuals that have all kinds of certification titles after their name and things like that, but as a company, I’m not aware of anybody that has all of these things. I’m sure there’s some out there; I’m just not aware of them.

Some of you may be aware of registration for IT service providers. Louisiana, I believe, is probably the leader in this category. They actually require IT firms that do business in the state of Louisiana to be licensed or to be registered with the state. This is the first step to getting IT service providers to a minimum acceptance of quality. I don’t know how far this is going to go. I know that MSP Alliance, with their MSP Verify, is working closely with a lot of state and federal agencies to get it up to where you may be required to be certified and pass certain audits and compliances.

But we’re a proponent of that. We are absolutely in favor. In fact, I speak to some of my political friends, saying, “Hey, where are we in this state? Where are we nationally on getting something like this?” Because it does damage to the entire industry when poor quality service providers are out there. There’s not a whole lot of them. I think everybody tries their best to do a great job. But without the formalities of documentation, certifications, and things like that, it’s somewhat easy to miss something here or there because you haven’t gone through the trouble of formalizing everything and really understanding why you do things a particular way and you always do them the same way. So we’re a proponent of that, and I totally support that.

I think that’s about it with state. This is a real quick Deeper Dive, by the way. This doesn’t come up very often with prospects, but I thought it would be real important to talk a little bit about it and to show you guys where we are, where we’re trying to get to, and how everything that we’re doing is better for everyone.

Anyone have any questions? Kindsey’s not here, by the way, in case you were wondering. She’s on vacation. Maybe that’s why the show is so short today. [laughs] Anyway, I’ve got the chat window, I’ve got the Q&A. I think I can handle a question. If you have any, pop it in there.

If you haven’t done it yet, I encourage you to – oh, I’m supposed to put the link in the chat. See? Kindsey’s not here, I can’t do it. Anyway, I encourage everybody to get a security and risk assessment. We do protect your privacy with those things, needless to say. That’s one of the reasons why it’s done somewhat manually, by the way. We’re automating that process to where you can complete it online, and we will offer that as soon as I’m assured that any information shared electronically remains secure. So it’s not just having an SSL on the website; it’s also how that data gets stored, can anybody access that data, and so on and so forth. As long as we get it secured, then we’ll have that ready to go here hopefully in a few weeks.

In the meantime, if you’re interested in getting a security and risk assessment, just send an email to sales@irontechsecurity.com and we will get that on the calendar for you and walk you through the process. It’s pretty painless. Usually for the smaller firms, you’re talking 20-30 minutes of your time.

Mary is asking, “What is the most important question to ask a potential provider?” The most important question. That is a really good question. I think how many years you’ve been in business is one of the most important. I don’t know that there is an important question.

Some people would say what is everyone’s certifications and degrees in. Personally – not that we follow this necessarily with the company, but I know a CEO of a multimillion-dollar startup that Sequoia Capital invest in – Sequoia Capital, if you don’t know, is one of the largest VC firms in the world. They’re right in Silicon Valley, and the guy didn’t even complete the first semester of college. One of the smartest guys I know. I know those are exceptions to the rules, but I myself was an economics major in college. I wasn’t an IT guy. IT was a hobby to me.

But then, having said that, we have degreed individuals in the office in IT, marketing, various other things, accounting, this, that, and the other.

Mary also asked, “Is it appropriate to ask for references?” Actually, I should’ve known that, Mary, but yes, that’s probably the most important question to ask. I would say especially – it’s a little bit different for us because we have to be careful giving the references out. And then you’ve got the whole problem with a vendor supplying the references. I think that testimonials go a long way towards that.

We purposely took who the testimonials were from off the website for security purposes, but those are actual live quotes. They’re not made up. All of them have been clients for a number of years, on the IronTech security site, and I think most of them are in the water utility sector. But we probably need to freshen that up a little bit and get some of the manufacturers and the – well, there are some attorneys, I think, on one of the websites, as well as financial firms.

So absolutely, references are the way to go. Especially if they’re an industry like you’re in. If you’re an accountant, ask us for some accounting references or look for those testimonials on the website. Same thing if you’re a doctor, if you’re a dentist, if you’re a manufacturer, if you’re a lawyer, if you’re a court system, water utilities. Those are what you want to try to get references on because there are unique things within those industries. There are things you need in water utilities, like industrial control systems. How do we monitor those? Things like that.

Now, we are also working on building metrics to where we’re actually going to – not only how many tickets we opened and closed for clients, but also how many threats we intercepted and what they were and what timeframe and how we go about protecting everyone.

Thanks for the questions, Mary. That was a big help. See, I knew when you asked that question, you already knew what the answer was, so thanks for helping me out there. [laughs]

If there’s no other questions, I think I’m going to call that a wrap for the day. Sales@irontechsecurity.com. There’s no obligation. Normal price, $795 for security and risk assessment. But if you guys are in bar associations or water associations, we commonly do larger webinars for those industries where you can get a heavily discounted one. In fact, I think tomorrow we’re doing Mississippi. At any rate, just keep your eyes peeled for that special code, and we’ll see you next week. Thank you.