The Moving Target of M365 Security

Insights from one of SkyKick’s own designers of the Security Manager product, Lee Ramse. Hear first-hand how SkyKick approaches building tools for the realities of MSP and customer needs, how SkyKick keeps these tools updated, and a take on change management during these evolving times in the security industry.

1:03The Double-Edged Sword of AI
2:00Herd Immunity
6:48The Tangible North Star
8:41Simplicity & Repeatability in Evolving Times
10:58The 3-Body Problem of Moving Cheese
17:34A Decade of Partner Feedback
Read the transcript

Trent Schwartz: Welcome to the State of MSP Security, where we have industry experts discuss the cloud security industry. I’m your SkyKick host,, Trent Schwartz. Today, our guest is a colleague of mine, Lee Ramsey. Lee, thanks for joining us today. Maybe a few words about yourself.

Lee Ramse: Sure thing. It’s a pleasure, Trent.

Happy to talk with you yet again. Like we don’t in the office all the time, but maybe more officially, right? So like you mentioned, my name is Lee Ramsey. I’m a senior technical product manager for security manager and security navigator, and really looking forward to talk security. It’s what I do all day.

So looking forward to do more.

Trent Schwartz: Yeah, you do folks. Yeah, Lee does amazing stuff and is at the forefront of, designing and building out a lot of our most exciting features. So awesome to have you here today, Lee. Super excited. So the first question that we’re going to cover just generally speaking from your vantage point any recent trends you’re seeing in the cyber security industry or with our partners.

Lee Ramse: Yeah, absolutely. It’s a great question. And honestly, a broad one. There’s a lot going on. Obviously, cyber security is constantly evolving. There’s constantly, new threats. Um, AI is super fun both because, you can now talk to chat GPT, which is great, but also because it provides more sophisticated tooling to adversaries.

The good news is that, it also provides more sophisticated tooling for, Microsoft and other companies out there who are really on the forefront of protecting consumer data and resources. That’s a big one, but I think when we talk about the industry and some of the trends, obviously, some of the big ones are assessments for things like cyber security insurance.

That’s been a big pain point for a lot of our partners. So being able to readily get hands on critical information that, proves the sort of state of security, the overall security posture is really important to a lot of our partners. And of course, to their customers, that’s been a really big deal. Breaches are costly and not uncommon, unfortunately, anymore, even for smaller customers, right for smaller businesses. And so that’s the other thing we’re seeing that I think is I guess both sad but good, right? It’s sad on the one hand that smaller businesses are really having to think about cyber security where they maybe haven’t in the past, but at the same time being security minded, super important, right?

It’s one of those things where an ounce of prevention is worth the pound of cure, so to speak. And so everybody, you know, kind of up leveling when it comes to security, getting more information, more insight and more interested in security is important. I like to say that security is a team sport, because even though, most people are focused on their own individual Security or the company’s security at the end of the day there is a bit of a herd immunity to it, right?

The more secure everyone is the harder it is for bad actors or adversaries to gain access to other systems, right? Because a lot of times it’s not just the user or network that’s infected, but it’s, that infection, that that breach is used to breach other resources, sometimes other companies.

They can, spoof trusted email addresses to send attacks to other folks, things like that. And it’s really important that we’re all secure. That’s that’s something I’m really passionate about in particular is just making sure that everyone has some basic security understanding, ideally advanced security understanding.

And then of course for our partners, in my role that the tools to really be able to not only make their customers more secure, but also articulate to their customer, what they’re doing, why it’s important and why security is so important, right?

Trent Schwartz: I love that concept of herd immunity.

Because if fewer and fewer tactics, those bad actors out there the more those are unsuccessful, the more that they’re going to be forced to innovate and hopefully fall behind. So that’s a really good, way to think about this. And the other thing that you mentioned is that, yeah, it’s, tragic that, now these bad actors have access to things like AI, where they may be able to get stronger. That somewhat almost, unfortunately, strengthens our industry, doesn’t it? Throughout the history of, IT services, really, MSPs are there to solve problems. And they really have problems. Weren’t a threat, then this industry wouldn’t be booming. And so what we’re seeing is that these threats not only have evolved, the places where things can go wrong has obviously changed since 20 years ago.

And now that AI is evolving, we’re not sure where this thing is going to go, but that’s why we’ve got, you and your team who are constantly innovating against this platform. Um, actually along the same lines,are you finding that partners in trying to sell security services, are they bringing up any of these topics like, evolving threats or what are some of the effective techniques that they’re using to sell their customers on security?

Lee Ramse: Yeah, I think that’s the million dollar question, right? That’s the meat of it all, it really depends on the partner, but I think what we’re seeing with the partners that are doing it the best when it comes to selling security is that they’re breaking down security into something that’s a little bit more tangible, right?

When you talk about physical security, for example, I think most of us have a decent understanding of some, you know, locks uh, cameras, right? Alarm systems, it’s pretty analog, which is fine, but we all have just a general understanding of like, hey, how to secure a home, things like that.

But really, when you start talking about cyber security, and in particular, when you start talking about cloud security, and how to really lock down, like a Microsoft 365 tenant, make it safe, there are so many moving parts. There’s so many, there’s so much surface area and interconnectivity in cloud that it can be overwhelming.

So what we found is that the partners who are able to, sell to their customers the best, the idea of security are those that are just better, best able to articulate it right to provide something tangible, right? A lot of times, with security manager and security navigator, we focus on Microsoft secure score as a kind of a cornerstone or a way you can ground security into something tangible hey, here’s a number.

If it goes up. That means better, right? Just to like really dumb it down for some customers because they need that versus, here’s 150 different security controls that you need to, take off. And it’s I don’t know what any of those things mean, right? So being able to quantify what security looks like, what, how to quantify security posture and take the customer where they need to go and build really build that trust is really key.

And of course, secure scores is one way to do it. We work pretty extensively with Microsoft. So that’s our baseline. But there are a lot of other great security frameworks out there, both universal and also, region specific. And one of the things that we’re really focused on me and my team is making sure that we have.

Trent Schwartz: Those controls also available. So if a customer or you know a partner isn’t interested in using Microsoft Secure Score for whatever reason they want to use something else, a different type of framework like CIS or NIST or Cyber Essentials or Essentials 8, you know they’re able to do that and make sure that the framework for protection, the thing that makes the most sense to the customer is readily available at their fingertips. Yeah, and it’s so cool that we’ve worked all of these compliance frameworks into our offering. But the other thing that’s pretty awesome is just that these things exist, period. And, whether or not a customer ever achieves a hundred percent compliance to one of these, or if they get their secure score to the absolute maximum that they can think it’s really part of the success story of successful partners that they can dock, they can agree with their customer which goal they want to aim for.

And they can use that as a North star, understanding that if it’s the Microsoft secure score, then Microsoft is constantly curating the best practices. And these other compliance frameworks are also doing that. Do you have any thoughts around that?

Lee Ramse: Yeah, absolutely. Microsoft is spending billions of dollars on security, AI to help combat threats, more intelligent ways to surface, remediate, assess threats, as well as different security baselines within their own offerings.

I know that, one The things that partners struggle with in particular is that is that the surface area is so big that it’s sometimes difficult, not just from a commercial perspective, because a lot of times different security controls are hidden behind certain licensing, but also just because the sheer scope of the different things that you can do in each of the different, Microsoft portals or dashboards is just.

Overwhelming. And what I find talking with, partners sort of day in day out is that they really need something to help simplify, right? Because the real challenge when it comes to security, and especially for, smaller MSPs whose expertise may not be specifically in security, but more in, just cloud and infrastructural IT in general, Is that it really takes a lot of expertise.

And so being able to simplify security being able to give them some simple controls to, lock down tenants set really strong baseline security standards for their customers is really key and really standardization is what you’re looking for when it comes to A) being able to build a successful business practice on security and then B) also just keeping your customer secure.

Trent Schwartz: So being able to do something very repeatedly, very easily to make sure that it still keeps your customers safe has been really core to our strategy working with partners, both from an educational perspective and, of course, reflected in our product as well. Yeah, I can remember back to when M365 was still in beta, and I was in the admin console, and fortunately I memorized—I had muscle memory to know where everything was located. Logging in today, I’m no longer our admin, but gosh, how things change, right? Not only are the tools that are available constantly being added to, and that can be a challenge to keep up with, but they move around, right? Sometimes arbitrarily, right?

Are partners saying anything about our interface in particular? And, how it’s bringing together everything.

Lee Ramse: Yeah. There’s a couple of things, right? Obviously, the big kind of banner we. You hear partners rallying around is just simplicity, make it easier, kiss, right?

Keep it simple, stupid and that also applies to security. And so what we found is that one of the key challenges that I hear over and over again from partners is what you just brought up, right? Which is that, hey, there’s so many different portals. There’s a famous book called, Don’t Move my Cheese or Who Moved the Cheese.

And the idea is that, things are constantly moving right and constantly in flight, and so it makes it really difficult a to standardize. But right, what partners are telling me is that, hey, there’s three key challenges when it comes to that. That type of issue, right? Which is that as things move and change, the principal or the owner of the company, or, the manager or director of a team have to keep up on all the latest and greatest, all the things that Microsoft’s doing, not only from a features and licensing perspective, but also, where settings, key settings and key features are, where they’ve moved.

I also have to, update all my documentation when that happens, then I also have to retrain my team. And so you have this threefold cascading problem where when something moves that’s critical to your operations, it’s like you have to, A, know that it happened, B, update your documentation, and C, train your team, and you just have to keep going through those cycles.

So one of the things that we try to do in our product is as we update as we, follow that path because we also have to make sure, as Microsoft releases new controls that we also give partners access to those things that we’re reporting on the new things that Microsoft releases and then also, giving partners visibility into them and then also giving them the ability to manipulate and manage, those settings is that we keep the interface as simple as we can so that regardless of what the partner is doing in the product, the process is the same each time, right?

And typically just without a visual, it’s weird, but basically it’s just, pick the customer or customers you want to apply settings to, pick your settings hit run and the system will do the rest for you.

Trent Schwartz: Yeah, do we have any recent success stories of any partners needing to do something in our interface and finding it.

 Absolutely. So one of the, you know, I work with partners and our onboarding team really closely. I find that it helps keep me grounded in what’s going on within the market and with our partners in general, so that I can keep, ear to the ground as to, what partners are needing.

Lee Ramse: Obviously, I get feedback from the teams as well. But I also like staying hands on so I can hear it straight from the horse’s mouth, so to speak. And so recently, one of the one of the big questions I got was just like, hey, do you have a path that’s just, hey, these are the steps that we should do when, onboarding a new client into a security package?

What should we offer? And, how do we do it? And it was really eye opening oh, it’s we really need some even health at a really basic level of, Hey, can you just help us with the process? Because it’s just so overwhelming. There’s so many things to do where, how do I even get started?

And that was really interesting and eye opening. And one of the things that we do is we have a feature called workflows. It’s designed to do exactly that, right? It allows you to codify a process within the product itself. And you can basically create steps, make them required, make them optional so that you can really make the solution flexible for you and your team.

And so I was able to walk them through that, talk through some of the things that I hear other partners need or want to do with, from a security perspective, right? Running your assessments. First getting them into the system. So making sure they’re in the system connected to the things you need them connected to, running your assessments we have a really broad and powerful security assessment that you can use to take a look at a number of different factors across multiple Microsoft services across multiple customers, if you so choose, and then, you might want to take a look at something more specific.

A lot of times partners are focused on MFA and, how are they configured? Because that’s really one of the best If not the best single way to protect a tenant, like if you had to pick one, that’s probably it.

Trent Schwartz: Baffling that there are companies out there and end users out there that don’t have it enabled, but that’s an important one.

Lee Ramse: But you see it all the time, right? We have we have robust dashboards that kind of let you interrogate that in real time. And walking through some of those with customers and partners is really eyeopening because they’ll see, oh, hey, this one’s configured great. This one isn’t configured the way it should be based on, updated Microsoft recommendations and oh, hey, this one, there’s a bunch of users who aren’t protected at all.

 We need to have a conversation about it. So we see that all the time, but, being able to walk through that’s that really procedural step by step is the standardization is the basically the first step towards scalability. If you can’t standardize a process—if you don’t have a standard way of doing something—you can’t iterate or improve.

You’re just always playing the catch up game or catch as catch can. And that’s the biggest thing I see, that light bulb or that aha Eureka moment for partners is, Oh, Hey, I can actually standardize the process here. This gives me the tools I need to actually take a metered and standardized approach to security for my customers.

And that’s really cool to see when those dots connect, when that light bulb comes on. That’s my, honestly, the, my favorite part of my job is seeing the things we built resonate with partners. basically at the, feet on the ground boots on the ground level where it’s like, Hey I’m someone who’s responsible for delivering service and security to customers. Here’s what we do now. And then, seeing their eyes light up when you’re just like, Hey, here’s just a couple of clicks. We’ve assessed your customer security. Here’s how you’d remediate it with just a couple of clicks.

Trent Schwartz: Probably you want to have a conversation with them before, setting up MFA, since it’s going to cause some friction with users, they’re going to get prompted to register and things like that. And it’s probably good to give them a heads up beforehand, but those are really powerful moments. That’s a great success story there.

And yeah, just, an MSP being able to standardize on the way that they do things. That’s one of the key I think about Security Manager. But for the listener, I, as I know this product very well I just really want to make it clear that, we didn’t just build the standardization, right?

We built a platform that allows folks to create their own workflows or maybe rearrange the workflows that we recommend that are the most common. And also I believe that there’s some re-read re-write capability within these workflows as well. And so if our recommendation out of the box workflow isn’t quite right for a scenario, it’s that partners can essentially customize and save their own for each customer or even each user and choose for whom they’re going to expose certain workflows, right?

Lee Ramse: Yeah, absolutely. After a decade working with a Microsoft partner channel, I think the thing that I’ve, that I constantly come back to I think that the biggest I guess thing that’s important to do is to have a point of view, but allow it to be customizable, right? What we’ve, what I’ve found, like I say, in my career here is that, partners are looking for that thought leadership from companies like SkyKick whether it’s on things like migration or backup or cloud management, security management in this case but they also—everybody’s unique. Their customers are unique. They have unique processes. They have unique needs and so having a customizable point of view.

Is really the key to success, for us as a software company, but it’s what really allows us to serve the partner base in the best way possible. So you’re absolutely right. Being able to standardize on something and giving partners the tools to do that. And, having a point of view about it, but allowing partners to say, nope, that doesn’t work for me.

I I need it to work this specific way is really what we’ve tried to do with security manager. And again, it’s wholly customizable. And like you mentioned, workflows, you can customize basically any way you want to standardize the, and the way that works best for you, your business, specific customers, that kind of thing.

Really powerful. And seeing that reflected in the way that partners use the product has been a a really amazing experience.

Trent Schwartz: I’m sure our listeners would agree. I certainly do. Perhaps in closing, Lee, and this is all great information. We could do this all day long.

In fact, sometimes we do. You’re reminding me about one principle that We have over here at SkyKick which is how we design things, how we build things. And as IT professionals know, sometimes changes are made that seem arbitrary and the tools that we need or things move around.

But here at SkyKick, we do things a little bit differently, don’t we? We don’t just have the genesis of an idea internally. Tell us a little bit about how we decide to make a change.

Lee Ramse: Yeah, absolutely. Like most software companies and, obviously we have a really robust and structured process around engineering and project management and product management as well.

Trent Schwartz: But really our focus is always on the partners, right? When you all are successful, we’re successful. And so we never lose sight of that. Like I mentioned earlier, I’m in partner sessions multiple times a day, multiple times a month and week. And so that’s where I get the opportunity to both get a sense of what’s going on, with individual partners, the industry as a whole, but also an opportunity to get a sense of the changes that we’re planning on making and, get real time partner feedback on, what we’re building andhow it should work, how it should look, what things are needed to make it user friendly, to make it useful for their administration of M365, both from a security and administrative perspective. So yeah, it’s really about the partner voice. So that’s the thing we pay attention to the most. So if I’m hearing you, what you’re saying is that the people who design and build our tools and features actually talk to the people out there using it every day.

Lee Ramse: Absolutely.

Trent Schwartz: I don’t understand why, but

Lee Ramse: Sounds crazy. Might just work.

Trent Schwartz: Lee, thanks for letting us into your world. It’s fascinating.

Listeners, thank you so much for joining. Once again, this is our series on the cloud security industry that we’re calling the State of MSP Security. You can look for updated content regularly. Lee, once again, thank you for your time and thanks for listening, everyone.

Lee Ramse: Absolute pleasure. Thanks everyone.


Trent Schwartz

Director of Technical Partner Enablement Marketing

Lee Ramse

Sr Technical Product Manager

  • Subscribe on: