MSPs & ITSPs: Top Security Priorities for H2 2025

Shahin Pirooz:

Hi, everyone. We're out here at the Gaylord Rockies at XChange '25. Wanted to do this here and bring you with us, beautiful location, having some great conversations.  

Brian Moody:

Absolutely. So really heavily security-focused event. I think, you know, given what's in the news, it's appropriate. But as we kind of advertised... as we begin to look at 2025, what we wanted to kind of address are some of the top concerns and the top focuses that we're seeing from our partners and really from customers and industry specifically. We talk a little bit about the AI attacks, a little bit about ransomware, and the ability to recover. Supply chain, this is kind of a big one, and we'll get to that topic here in a minute. But just kind of talk about some of these top topics with respect to what our MSPs really should be focused on as we come into the latter part of 2025.  

Shahin Pirooz:

Yeah, we did a live stream a few months ago that was focused on what are the top threats this year. And we had intended, if you're following our LinkedIn and then joining this live stream and paying attention to what we put there, the the intention was to cover the top five things we see for the balance of the year and going in through '26. But getting here and having live conversations with folks, and we've had three boardrooms so far, with about 12 to 15 people, these are CEOs and leaders of their companies in the MSP space. We've got another boardroom happening today.  

The common thread we're hearing is supply chain, compliance, endpoint security, and all of these things I think are more important than some of the things that you're seeing in the industry. So trying to get everything wrapped up in a very concise dialogue around what's going on, what's happening, to the point you made, supply chain is probably one of the top hot things that we're seeing.  

We just saw recent attacks and massive data breaches in Google, in Salesforce, and most recently happening in Workday. And the one thread that we're seeing consistently people are dealing with and challenged with is that their customers who are dealing with the federal government and dealing with heavily regulated industries are requiring supply chain compliance all the way down the supply chain. So it not only affects their customers who need to become regulatory compliant, it also affects the supply chain, meaning the MSPs, the tools they use, the technologies they're leveraging. So that entire ecosystem of supply chain comes back to ultimately you. What are you doing to address not just security, but compliance and regulatory concerns that your customers might be having that trickle down to you?  

Brian Moody:

And I would say, not even so much with respect to the federal space, which obviously where you have all the CMMC pieces come in. But I was just communicating with a partner who had a one of their big customers is working on a major contract with a customer of theirs. And they are seeking guidance with respect to SOC 2 compliance, because in order to execute on that order, on that statement of work, the actual customer has to be SOC 2 compliant in order to sign the SOW. So, in that supply chain, what you're seeing is that requirement come down where you yourself and or even maybe your customer isn't regulated under a specific framework or what have you, but it's now being required because the company that you want to do business with is now requiring that that compliance.  

Shahin Pirooz:

Exactly. And, one of the topics that we shared, the three things that stood out were, as Brian said, AI, which is the use of AI both by the bad actors and internally. So how do you stay on par and keep up with the Joneses is by using AI, because the Joneses are all using AI. So if you're not taking advantage of AI in your organization to accelerate growth and accelerate productivity in your staff, you're gonna be left behind. But guess what? The bad actors have the exact same idea. If they're not using AI in their attacks, they're gonna be left behind, because the bad actors that do use it are getting more accurate emails, no language mistakes in the email. So it's not easy to spot something that doesn't sound English. They're capturing the tone of your CEO based on all the writings that that CEO has on the internet, and they're taking that and making a message that speaks like that CEO would speak in text. Then they're doing voice-based deepfakes, which can do phone calls and ask for something in the voice of the CEO.  

So bad actors are taking advantage of AI just as much as we will be. So AI is an important thing to think about. And the most recent thing is Anthropic put out their construct of MCP which is really trying to create model control connectivity, if you will, between all the large language models. How do you take your large language model and have it talk to external sources that you don't control and bring in data and be secure? So this whole construct is really designed around creating a marketplace of servers that have content that you can take advantage of and pull whatever generative AI you're developing, whatever infrastructure you're developing, how do you now secure this marketplace that can be across the board unknown, and there's multiple types of threats that can happen there, including pulling the rug. Really interesting model for pulling the rug in this context is a marketplace item is put out there that is super useful, gets connectivity and access by lots of people because it's super useful, and then they change the model, and they get a threat vector. So, you're using it, all your peers are using it, and now all of a sudden the bad actor decides, "We have enough people. It's time to weaponize this."  

So as you go forward, AI is something we need to put energy in and focus on, and we need to get some real solid security associated with AI. But I think what's really more pressing right now is this topic of supply chain security and compliance. So coming back to it, it's no longer a it would be nice to have a compliance practice to take to market for your customers, for yourself as an additional revenue chain. It is that, but it is now becoming a requirement. And anybody, any of your customers that are delivering services to anybody in the federal government, state and local aren't quite there yet, but anybody in the federal government for sure, that entire supply chain has to have some level of CMMC in it, which comes back to you if you're delivering IT services to them. So how do you make sure you're ready and you're protected? How do you make sure your customers are ready and they're protected and they have the proper control sets in place? There's a lot of players in this space that address one piece of IT security. We have built the cybersecurity as a service practice that covers endpoint, network, email, DNS, identity, and governance, risk & compliance.  

Brian Moody:

So, I think, really as I came on and joined this organization, is probably what impressed me the most about your foresight with respect to the platform. We've talked so much about how we built an enterprise security platform, a solution that we productized so that our partners can take it out to their customers. But the important piece of that is you brought the GRC component because so many of the customers have a challenge if they have compliancy, they have a framework, they have a regulatory body that is regulating them to a certain framework. You have to put all those control sets in, right? You have to put all those processes and everything in so that you are compliant. Well, it's the whole security framework on the back of that, the operational component of that, that implements the operational controls that help to make them compliant to the regulatory body.  

Shahin Pirooz:

Exactly.  

Brian Moody:

And you've brought both of those components into the WhiteDog platform. So our partners, it's interesting because we have a couple of different partners that we cater to that have been attracted to WhiteDog. Those partners that are the MSPs, the MSSPs, and then the solution integrators that are actually focused on the actual solution, the actual platform delivering to their customers. The second piece that we have, and we have a few of these customers that are the vCISOs. So the virtual CISOs have come in and are now working with customers on these GRC components. And we have one partner that has taken that idea of his business, because before he would work with these companies extensively to help them define the controls meet the regulatory requirements, and then he would make recommendations to the different security platforms and security toolsets that help that customer now map those operational capabilities—  

Shahin Pirooz:

Which they would acquire and integrate and implement and manage themselves.  

Brian Moody:

Themselves. You know, we've talked many times about the technical debt and the economics associated with that. It was just last night, we were on the vendor floor, and we had a gentleman that came into our booth, and he is a vCISO. He doesn't sell security products. He's focused in that component. And when he began to look at WhiteDog, he's like, "Wait a minute, I do all this, and then I can bring your platform in. It maps to everything that I'm telling them that they need to do." So, it was amazing to watch him shake his head and go, "Really? What's the catch?" What's the catch? What's the catch?  

Shahin Pirooz:

Yeah. It was a good conversation indeed. Whenever we're on the road, it's always good having conversations with the owners of these companies, your peers. The skepticism is healthy, in my opinion. We're getting skepticism that says, "How can this possibly be true? You're talking about doing all the things that I've been trying to do for the last five years, 10 years, whatever it is. But you're saying it's all built and integrated and I can be live in 30 days?"  

And that skepticism is like, "Yes, inspect us. Check us out." This trip we brought, unfortunately, he had a meeting during this time, so we couldn't have him join, but we're gonna have him join this dialogue, but James Berger, who has been on live streams with us before, he's the CIO and co-founder of BACS an MSP, a successful MSP in California.  

We brought him into the boardroom so that our prospective partners can hear firsthand from one of their peers that's using us. And James' approach to this thing is, "I was skeptical too. I've sat right in your shoes."  

And James and I have a friendship that goes back 25 years. And even with that, James said, "That sounds great, but what's the catch? How is this really gonna happen? I know you're saying go live is easy, and I know you're saying it's a 30-day onboarding, but there's no way."  

Our first customer with James, he was telling the story to the floor, our first customer with him that he wanted to try was a 300 seat customer, and he was expecting all kinds of bumps and ripples. And I'm not saying and he's not saying there weren't some ripples we had to deal through, but all those made us even better today than we were in '23. So, that customer he asked, "Can we do this? I have a need to go."  

And I said, "Absolutely. And we can get it done in 30 days."  

21 days later, that customer was up and live, having 24 by 7 security operations, endpoint security, email security, DNS security, identity security, and attack surface management with continuous incident response.  

Brian Moody:

And integrated 24 by 7 security operations.  

Shahin Pirooz:

Yes. So, when you're hearing it from the marketing perspective, when that dialogue is happening from an external marketing context, it does sound too good to be true. It does sound like it's impossible for this to happen in the way they're saying it does. But we'd be happy to connect you with any of our partners, if you're interested, to talk to them and understand how they have taken advantage of this and how it is real.  

And it really is designed to turn any MSP into an MSSP if they choose to. So if that is the mission and journey you're on, we know you've made investments. We know you've got a series of tools. And we put, we mentioned in January our announcement about Open XDR, which allows us to transition you from your tools to ours by monitoring what you have and letting you make financial and business-based decisions around, should we stick with these tools or should we look at a different way to do this?  

Brian Moody:

You and I have been in Silicon Valley a long time. I think we both got 30 plus years each.  

Shahin Pirooz:

I might have a couple white hairs.  

Brian Moody:  

You might have few gray hairs. And I think what we continuously see is innovation, change. Change is the only constant in Silicon Valley. But the biggest piece of this is you've created and have driven a paradigm shift in this whole idea of, and what we've seen in, in markets where things have gone to as a service. WhiteDog has productized security. We have brought a solution to market that's now productized, and this is a paradigm shift with respect to you don't have to build it. You don't have to manage it. And that was one of the things that James emphasized to a couple of our boardrooms is, "I tried this for a year and a half unsuccessfully, and now I moved to WhiteDog. I'm making margin at no cost." And it was a very interesting statement that he made.  

Shahin Pirooz:

And “I sleep at night.”  

Brian Moody:

And I think the other thing that you've brought up was to MSSP or not? Because what we're hearing is, if you're an MSP, don't try to become an MSSP. Do what you're really good at. James talks about this all the time. His core business is around being an MSP, not an MSSP. But customers are requiring, today it's a requirement, you need security in your environment. You can't go without. So they're now requiring their technical partners to provide these solutions.  

And James said, "I didn't want to become an MSSP, but my customers are asking for these solutions."  

With WhiteDog, he's able to deliver that, but he doesn't have any of the economic debt associated with it, none of the technical debt associated with it. And in this process, they got rid of about 10 tools. Now, not wanting to, but had to get rid of an employee that was around $160,000 technical debt, economic debt that was taken off of his books. And then he moved to a point where he made a very interesting point, is they actually with that time and then their margin that they've made over the timeframe, they have over 70 customers on the service now in 20 months.  

And he said, the other day, something that struck me, he said, "Because we have this margin and we're not managing this, I now have the time and the money to open a completely new enterprise focus for my organization. We now have better enterprise capability and are going after a larger customer base and a larger customer. Would not have had the time, focus, or money to have done that without moving to the WhiteDog solution."  

And I thought that was incredibly impactful around his business. How do you get to the next step in revenue, evolution, and customer service?  

Shahin Pirooz:

So I would say to kind of bring us back to our topic, the three things we think are still the most concerning topics to put energy into are AI in the context of productivity and in the context of security. Supply chain attacks and what that means to you and the supply chain you're using. And lastly, compliance.  

And obviously we've peppered in a lot about how you can make a ton of money with WhiteDog and become a more resilient security business than possibly doing it on your own. The message we'd like to leave you with is, come talk to us. Come ask us about how this works, what it does, what the underlying technologies are. We've taken about 60 enterprise grade products, 50 commercial and 10 open source, and integrated them into a product suite of about 20 products. That is there for you to take to market, white-label, co-label, resell, whatever suits your business.  

Brian Moody:

And I say the second aspect of this is, come talk to us. Come talk to our partners. And I think that's probably one of the things I'm most proud of is that we've got partners that have come to us and said, one, we'll come to a conference with you and be an evangelist for you because we believe that much in the partnership in WhiteDog. Come talk to our partners. Let them tell you how they're doing it and share their experience because I think you'll find that it could be a very similar experience for you.  

Shahin Pirooz:

And with that, we're back to the show. Thanks for joining us here. It was a pleasure to be able to do this while we're on the road. So appreciate you listening and look forward to talking.  

Brian Moody:

Thank you, everybody.

‍