Decision-making and Procurement

In this inspiring episode of Breakfast Bytes, Felicia King delves into the pressing strategies businesses need to adopt to thrive in the year 2025. With intriguing insights, Felicia articulates why companies must stay competitive and adapt to the ever-changing landscape—focusing on the integral role of a Chief Technology Officer and the imperative cultural shift towards continuous staff training.
Felicia sheds light on the complexity of finding competent talent, the importance of establishing and enforcing effective policies, and the necessity of blending technology with human oversight. She compellingly emphasizes that regardless of workforce demographics, training needs to become a staple and an evaluated performance metric.
The episode is rich with anecdotes and expert advice, warning against the risks of ignoring technological and cultural progression, even as it highlights the detrimental impact of inadequate policy management and technical incompetency in various sectors. Felicia’s narrative provides actionable insights into aligning your organizational structure for maximum efficiency and effectiveness in the looming future.
Quick recap
Felicia King emphasized the importance of having a Chief Technology Officer (CTO) and a cultural shift towards ongoing training for staff to ensure compliance and productivity in businesses. She also stressed the need for effective utilization of technology, data classification, and vendor risk assessments, and warned against the lack of technical aptitude and security capabilities in marketing agencies. Lastly, she highlighted the importance of executive management teams taking an active role in managing risks and issues within their organizations, and the need for strategic adoption of technology and operational maturity.
 
 
Next steps
• Executive management team to establish a partnership with a qualified CTO/CISO for strategic technology guidance and risk management.
• HR/Leadership to implement a mandatory ongoing training program for all staff, with accountability measures tied to performance evaluations.
• IT team to develop and maintain a risk register and project backlog, with monthly budget allocation for addressing identified issues.
 
Summary
Surviving 2025: CTOs, Training, and Payroll
In the meeting, Felicia King discussed the key factors for businesses to survive in 2025. She emphasized the importance of having a Chief Technology Officer (CTO) to provide leadership and guidance on technology and policy matters. Felicia also stressed the need for a cultural shift towards ongoing training for staff, regardless of age, to ensure compliance with company policies and improve productivity. She warned against the misconception that a younger workforce automatically solves these issues. Felicia concluded by urging businesses to view their payroll as their primary inventory and to efficiently utilize it to avoid wasting resources.
 
 
Lack of Training and Policy Enforcement
Felicia shared a scenario where despite providing extensive training, staff members failed to use a technological system effectively due to a lack of enforced policy and cultural shift. She emphasized that if a manager had advocated for a policy and cultural shift, the staff could have taken just 15 minutes a few times a week to move the needle on their problem. However, because the manager did not prioritize training, the staff did not read the instructions and missed out on efficient use of the system. Felicia concluded that if everything else is secondary to sales, as the manager had told the staff, then training is not considered important.
 
 
Respecting Employers and AI Implementation
Felicia emphasized the importance of respecting employers, coworkers, and company policies for efficient technology utilization. She highlighted the need for understanding best practices and avoiding unnecessary tech support requests. Felicia also stressed the importance of data classification, retention, and policy management systems for AI usage and adoption. She underscored the necessity of a combination of policies, training, technical controls, and accountability to ensure successful implementation and utilization of AI in 2025.
 
 
Marketing Agencies' Technical Limitations
Felicia expressed her belief that marketing agencies struggle to execute effective marketing services due to a lack of technical aptitude and security capabilities. She attributed this to the agencies' refusal to hire qualified CTOs or CSOs, and their lack of technical training. As a result, they lose business due to ineffective marketing strategies and poor security practices.
 
 
Vendor Risk Assessments for All
Felicia discussed the importance of vendor risk assessments, highlighting that they are not only relevant to tech companies but also to law firms, accounting firms, medical offices, and investment brokerages. She mentioned that her company, QPC Security, offers vendor risk assessments and counterparty risk assessments, with a baseline cost of $300. Felicia emphasized that failing a basic vendor risk assessment can indicate serious issues within an organization's IT infrastructure.
 
 
Addressing Competence in Organizations
Felicia expressed her concerns about the lack of competence in various organizations, regardless of their size. She cited examples of IT service providers and larger companies where the collective intelligence of the employees was insufficient to identify and address public-facing security risks. Felicia emphasized the importance of having competent professionals in IT roles and the need for executive management teams to surround themselves with objective, knowledgeable advisors rather than yes-men. She concluded by urging the need for deep paradigm shifts in 2025 to remain competitive.
 
 
Maintaining Risk Register and Project Backlog
Felicia discussed the importance of maintaining a risk register and project backlog, and the need for organizational commitment to allocate time and budget for these tasks. She emphasized the necessity of regular meetings with the designated CTO and CISO, ideally quarterly or monthly, to discuss planning and initiatives. Annual meeting frequency is insufficient. Felicia also suggested a SWAG number approach for budget allocation, with the goal of completing a certain amount of work each month to address issues on the project backlog and risk register. She stressed the importance of teamwork and collaboration in managing these tasks.
 
 
Executive Management's Active Risk Role
Felicia emphasized the importance of executive management teams taking an active role in managing risks and issues within their organizations. She warned against the practice of delegating and abdicating responsibilities, which often leads to poor decision-making and unresolved problems. Felicia shared an example of a client who finally resolved a long-standing issue after the CEO took the time to have a crucial discussion. She stressed that the executive management team should be willing to have meetings and be informed about risks, even if they don't become experts in the subject matter.
 
 
Strategic Risk Management and Technology
Felicia discussed the importance of managing risk and adopting technology strategically. She emphasized the need for a policy and standard around printer technologies, as well as the adoption of wireless technologies, to avoid interference and reliability challenges. She stressed the importance of operational maturity and the need for a partnership with a CTO to achieve this. Felicia also warned that failure to make cultural shifts, adopt AI correctly, and implement technical controls could lead to a loss of competitiveness and potentially even business closure by the end of 2025.

In this episode of Breakfast Bytes, host Felicia King sits down with Dr. Eric Woodell, founder of Ameris and a leading expert in data center infrastructure and operations compliance. Dive into the world of data centers as Dr. Woodell reveals the shocking truths behind their operations and the risks that could be lurking behind the scenes.
Dr. Woodell shares his journey from nuclear submarines to becoming a key player in the data center industry, highlighting his relentless pursuit of truth and transparency. Discover why he believes that the current standards for compliance, such as SOC 2, may be nothing more than a façade, and how his groundbreaking audit program can change the game.
Explore the complexities of counterparty risk management and the importance of having real control over your data infrastructure. Learn about the potential pitfalls of relying on colocation facilities and public cloud services, and why owning your infrastructure might be the most cost-effective and secure option.
Join Felicia and Dr. Woodell as they challenge conventional wisdom, offering a fresh perspective on data center management and the critical need for accountability. Whether you're an IT professional, a business decision-maker, or just curious about the hidden workings of the digital world, this episode promises to engage and enlighten.
Quick recap
Dr. Eric Woodell and Felicia discussed the issues with the co-location industry, the importance of strong leadership in business, and the complexities and costs associated with maintaining multiple sites for redundancy. They also emphasized the need for proper documentation and certification in critical infrastructure and cybersecurity, and the importance of evaluating risks in business decisions. Lastly, they proposed the need for a significant industry alert regarding the unreliability of certain security standards and the development of a new standard in risk management.
 
 
Addressing Industry Issues and Certification Process
Dr. Woodell discussed the issues with the co-location industry, particularly the lack of proper maintenance and potential for fraud. He mentioned developing an audit program to track these issues but noted that the problem persisted. Eric criticized the SOC2 certification process, suggesting it was designed to generate fees and lacked legitimacy. He highlighted the inadequacy of the current certification process for cyber security, emphasizing the need for pressure to rectify these issues. Eric and Felicia also discussed the lack of a quality control process in their current system, with Eric sharing an example of a compliance issue at Equinix. The conversation ended with Eric expressing concerns about the legitimacy of a situation where a company lost their maintenance records due to a dispute with a labor provider.
 
 
Addressing Counterparty Risk in Vendor Evaluation
Felicia and Eric discuss the importance of addressing counterparty risk when evaluating vendors, particularly related to data extraction and contract terms. They criticize companies for writing contracts without clearly defining roles and responsibilities, leading to a lack of consequences for service disruptions. Felicia argues for the cost-effectiveness of owning and maintaining servers on-premise over using public cloud services. Eric agrees, acknowledging the potential for lower costs and better control with in-house IT management. They also discuss the challenges small to medium businesses face due to overreliance on public cloud services and the risks of data exposure from negligent co-location companies.
 
 
Leadership, Waste, and Oversight in Business
Eric and Felicia discussed the importance of strong leadership in business, using Apple as an example of a company that has thrived due to its leadership. They also shared their personal experiences of uncovering waste in organizations and the challenges of addressing it. The conversation then shifted to the issue of conflicts of interest and lack of oversight in the cyber security industry, with Equinix being cited as an example of stock manipulation and fraud. They also discussed the concept of 'unjust enrichment' and the lack of control and standards in the industry. The conversation ended with Eric sharing his positive experience with Vanguard, a company that was meticulous about compliance.
 
 
Managing Multiple Sites and Vendor Complexity
Eric discussed the complexities and costs associated with maintaining multiple sites for redundancy. He highlighted the exponential increase in complexity and costs as more sites are added, and the potential for introducing new problems. Eric also mentioned the frustration and indirect costs associated with dealing with multiple vendors. Felicia agreed, emphasizing the complexity of managing multiple vendors and the soft, indirect costs involved. They both agreed that having a small core set of sites, properly maintained, could be a more viable option. Eric pointed out the alarming rate of data center outages, likening it to the airline industry, and questioned why IT executives continue to pay for such unreliable services.
 
 
Competent Assistance and Counterparty Risk Assessment
Felicia and Eric discussed the importance of competent assistance in decision-making for clients in the industry, emphasizing the need for a CTO for contract review. They highlighted the issue of CEOs and CFOs seeking advice from friends rather than professionals, which can lead to legal issues and confirmation bias. The importance of independent audits and assessments in mission-critical facilities was also stressed, with Eric suggesting he could provide a solution for the lack of a standard for evaluating critical facility security. Felicia concluded the discussion by asking for Eric's recommendations for business decision-makers who want to better understand counterparty risk and make more informed decisions.
 
 
Industry Alert and New Risk Management Standard
Eric and Felicia discussed the need for a significant industry alert regarding the unreliability of certain security standards, particularly for critical facilities and cybersecurity. They highlighted the increasing scrutiny from insurance providers on third-party information security risk management and the importance of a high-quality CTO and CISO or a dedicated compliance manager. They also discussed the need for a new standard in risk management, particularly in the context of vendor and counterparty relationships, and agreed that the current approach was insufficient. 

In this riveting episode of Breakfast Bytes, host Felicia King delves into the often overlooked but crucial aspect of business technology: document management platforms. With a sharp focus on how organizations of all sizes can benefit from these systems, Felicia underscores the importance of operational maturity and strategic decision-making.
Through compelling narratives and real-world examples, she illustrates the perils of inadequate technology leadership. From misguided IT directors to costly missteps, Felicia shares stories from her 30-year career, shedding light on the vital role a Chief Technology Officer (CTO) plays in safeguarding a company's resources and ensuring seamless technology integration.
Listeners are invited to explore the intricacies of technology planning, from policy formulation to platform selection, and the far-reaching consequences of neglecting expert guidance. This episode is a must-listen for business leaders eager to avoid lighting money on fire and to achieve sustainable growth through informed technology investments.
 
Quick recap
Felicia King discussed the importance of document management platforms and the need for a technology executive in organizations of all sizes. She emphasized the significance of strategic architecture choices, operational maturity, and inclusive decision-making in implementing these platforms. Felicia also highlighted the challenges of managing contracts with consulting firms and stressed the importance of having a clear engineering and implementation plan before purchasing any technology.
 
 
Next steps
• Business leaders to consult with a qualified CTO before making strategic technology decisions, especially for document management platforms.
• Organizations to develop written requirements, document business processes, and create an engineering/implementation plan before purchasing new technology systems.
• Companies to review and potentially modify contracts with technology vendors to ensure compliance with organizational policies and support protocols.
 
Summary
Document Management and Operational Maturity
In the meeting, Felicia King discussed the importance of document management platforms for organizations with more than one employee. She emphasized the need for operational maturity and the use of systems to scale a business. Felicia also highlighted the necessity of a technology executive, even for small organizations, to navigate complex issues. She stressed the importance of understanding these matters, as they are too complicated to be handled by IT support alone.
 
 
Importance of Technology Executives in Orgs
Felicia discussed the importance of having a technology executive in organizations, emphasizing that an IT director often lacks the necessary skills and capabilities. She shared a past example where an IT director made a costly mistake due to lack of oversight, leading to significant financial losses and compliance issues. Felicia advised business decision-makers to use their technology executive in an advisory capacity to avoid such problems, particularly when making large purchases or embarking on significant projects.
 
 
Avoiding Costly Technical System Mistakes
Felicia discussed a long-standing relationship with a client that migrated to a new system, resulting in numerous issues. She reviewed the service contracts and master services agreements, discovering that the client was sold a system that was technically impossible to achieve an effective outcome with. The system violated its own requirements, leading to constant issues and financial losses for the client. Felicia emphasized the importance of using a chief technology officer to avoid such costly mistakes.
 
 
Strategic Architecture Choices in Document Management
Felicia discussed the importance of strategic architecture choices in document management platforms, emphasizing the need for operational maturity, understanding of business processes, and inclusive decision-making. She highlighted the cost implications of using platforms like Atlassian, Sharepoint, and iManage, and the need for a written set of requirements for any project. Felicia also pointed out the challenges of outsourcing document management platform implementations and the need for a highly qualified CTO for consultation. She suggested that Microsoft 365, with its advanced premium licensing and purview, could be a viable alternative to other platforms.
 
 
Managing Contracts With Consulting Firms
Felicia discussed the challenges of managing contracts with consulting firms and the importance of having a CTO to navigate these complexities. She highlighted the need for clear communication and contractual agreements to ensure project success, as she has often encountered issues with support protocols and project kickoffs. Felicia emphasized the importance of having a CTO who understands business, legal, and economic aspects to ensure smooth project implementation, completion, and ongoing support.
 
 
Clear Engineering Plan for Tech Purchases
Felicia emphasized the importance of having a clear engineering and implementation plan before purchasing any technology, likening it to buying a server without understanding its capabilities. She stressed the need for a Chief Technology Officer (CTO) to review proposals and ensure they meet the business's requirements, as well as to avoid potential breaches of contract with other vendors. Felicia also highlighted the value of having a CTO with the right skills, rather than relying on IT personnel, to make informed decisions.

In this compelling episode of Breakfast Bytes, host Felicia King delves into the complex world of cloud computing, exploring the intricacies of public cloud, private cloud, self-hosting, and premise servers. With insights from a newly recognized expert in the field, this episode promises to challenge conventional wisdom and offer fresh perspectives on hosting decisions.
Felicia unravels the hidden costs and maintenance challenges of managing workloads, whether in the cloud or on-premise. She highlights the significant financial implications and the importance of competent management, urging listeners to reconsider the assumptions surrounding the efficiency and cost-effectiveness of cloud solutions.
The episode takes a surprising turn with revelations from Dr. Eric Woodell, whose groundbreaking work questions the reliability of current data center practices. Felicia discusses how Dr. Woodell's findings, backed by Lloyd’s of London, cast doubt on the presumed dependability of cloud-hosted environments, drawing a startling analogy to the aviation industry’s safety standards.
As the narrative unfolds, Felicia emphasizes the critical need for effective vendor risk management and the pitfalls of relying on inadequate compliance certifications like SOC 2. She challenges listeners to rethink their approach to third-party risk management and the true value of certifications in ensuring data security and operational integrity.
Join Felicia King in this thought-provoking episode that not only informs but also inspires a reassessment of the assumptions driving today's cloud computing decisions. It's an essential listen for anyone navigating the evolving landscape of IT infrastructure and risk management.
 
 
 
Quick recap
Felicia discussed the importance of competent management and cost considerations in cloud hosting, and introduced Dr. Eric Woodell, an expert in physical data center and infrastructure industry. She also highlighted the high failure rate in the data center industry, the challenges of outsourcing workloads, and the limitations and misuse of the SOC 2 certification in the data center space. Lastly, she criticized the inefficiencies in vendor risk management processes and recommended a shift in focus towards real integrity processes.
 
 
Next steps
• IT teams to reassess their reliance on SOC 2 certifications for vendor and data center evaluations.
• Business leaders to review and update their Written Information Security Plans (WISPs) to ensure alignment with actual practices and legal defensibility.
• Organizations to develop more robust vendor risk management and counterparty risk assessment processes, considering factors beyond standard certifications.
 
 
Summary
Discussing Cloud Hosting and Legacy Workloads
Felicia discussed the topic of public cloud, private cloud, self-hosting, and premise servers, emphasizing the importance of competent management and the need to consider the cost of capital expenditure when comparing on-premise servers with cloud hosting. She highlighted the historical maintenance costs of legacy workloads, such as servers on-premise and in the cloud, and the potential cost-effectiveness of hosting physical servers in someone else's data center. Felicia also mentioned a newly recognized expert in this technology who is involved with a company that certifies cloud hosting providers for insurance by Lloyds of London.
 
 
Limitations of SOC 2 Audits and Expert Insights
Felicia discussed the limitations of SOC 2 audits, which are conducted by accountants (CPAs) who may not have the necessary expertise to assess data center operations. She introduced Dr. Eric Woodell, an expert in physical data center and infrastructure industry with extensive experience in auditing major organizations' assets in public clouds and colos. Dr. Woodell expressed his opinion that CPAs are not qualified to audit data centers and their operations, as they lack the ability to build and maintain them from scratch. He also shared his findings from years of audits, indicating that third-party vendors often fail to fulfill their maintenance obligations.
 
 
Data Center Industry Failure Rate Comparison
Felicia discussed the high failure rate in the data center industry, comparing it to the aviation industry. She used a metaphorical analysis from a speaker, who claimed that if the aviation industry had the same level of failures as the data center industry, there would be approximately 530 plane crashes per day. Felicia emphasized the significance of this comparison, noting that if people knew about these statistics, they might not use airplanes. She also mentioned that Lloyds of London, an insurance company, uses the speaker's certification program to assess data center risk. Felicia concluded that she believes in the speaker's numbers and calculations, and that the data center industry's failure rate is a cause for concern.
 
 
Outsourcing Workloads Challenges and Vendor Risk Management
Felicia discussed the challenges of outsourcing workloads, particularly in terms of reliability and support. She emphasized the importance of vendor risk management, counterparty risk management, and the underlying assumption of competency. Felicia also highlighted the need for workloads to be hosted where they can be supported by competent individuals. She mentioned the work of Dr. Eric Waddell, which has raised questions about the reliability of cloud-hosted services. Felicia also noted the shift in focus towards vendor risk management and third-party information security risk management, particularly in the insurance industry.
 
 
SOC 2 Certification Limitations and Misuse
Felicia discussed the limitations and misuse of the SOC 2 certification in the data center space. She highlighted that SOC 2 certifications are often conducted by CPAs rather than infrastructure architects, and thus may not be a reliable indicator of competency. She also pointed out that the certification is often used as a check-box exercise by business decision makers, rather than a genuine evaluation of a company's infrastructure. Felicia also touched on the HIPAA space, noting that the use of Business Associate Agreements (BAAs) is not always appropriate and can lead to unnecessary costs and risks. She emphasized the importance of third-party information security and risk management, and suggested caution when dealing with SOC 2 certifications and BAAs.
 
 
Addressing Vendor Risk Management Inefficiencies
Felicia discussed the inefficiencies in vendor risk management processes, particularly in relation to compliance certifications and the Written Information Security Plan (WISP) for tax preparers, accountants, and car dealerships. She argued that these processes often lack legal defensibility and do not align with reality, instead being mere theatre. Felicia also mentioned a class action lawsuit against a breached company, suggesting that the focus should shift to real integrity processes around vendor risk management. She recommended watching Joe Brunsman's YouTube channel for more insights on this topic.

Welcome to Breakfast Bytes with Felicia King. Today, we delve deep into the often-misunderstood realm of penetration testing. As business owners grapple with the necessity and costs associated with these tests, Felicia demystifies the process, drawing from her three decades of cybersecurity expertise.
In this episode, discover why traditional penetration testing might just be a costly theater act and learn the importance of continuous vulnerability assessments. Felicia shares compelling anecdotes and practical advice on how to genuinely safeguard your business without burning through your budget.
Join us as we explore the intricate dance between IT teams, automated tools, and the critical decisions that can make or break your company's security posture. This is not just another tech talk; it’s a narrative that could redefine how you view cybersecurity investments.
 
 
Quick recap
 
Felicia emphasized the importance of understanding the objectives of the test, and cautioned against overpaying for tests that may not be necessary or effectively scoped.
 
Next steps
• IT team to implement continuous vulnerability assessment and penetration testing platforms for regular, automated security checks.
• CTO/CSO to assess and oversee the implementation of security tools like Tenable One and Senteon for secure configuration management.
• Executive management team to allocate budget and provide support for IT department/MSP to implement necessary security changes and tools.
 
Summary
Test Scope and IT Consultancy Management
Felicia also advised that the test should be scoped correctly and conducted by the IT consultancy that manages the company's networks, servers, and applications. She cautioned against overpaying for tests that may not be necessary or effectively scoped.
 
External Testing Approach and Cots Definition
She argued that the approach of bringing in an external third party to conduct a test without proper consultation and scope can lead to incorrect results. She emphasized that this approach would be more effective in identifying and addressing vulnerabilities, and would provide demonstrable results. Felicia also clarified the term 'COTS' as defined by the National Institute of Standards and Technology in the context of information security technology.
 
Enhancing IT Configuration for Business Acquisition
She argues that this approach provides more meaningful and actionable information, enabling IT configuration personnel to effectively address identified gaps. Felicia also highlights the importance of using recognized and professional tools like Tenable One and Senteon for secure configuration management. She emphasizes that this approach offers a better return on security investment and is more beneficial for businesses seeking to be acquired.
 
IT Testing and Business Decision Makers' Guidance
She suggests that business decision makers should provide clear direction and funding for IT before such tests are conducted.
 

Good morning and welcome to another episode of Breakfast Bytes. I'm your host, Felicia King, and today, I'm joined by my colleague, Jeff Birner, hailing from Florida. Our riveting discussion centers around the recent CrowdStrike incident that has sent shockwaves through the cybersecurity community and beyond. This episode promises to offer insights and perspectives you won't find in the typical news coverage.
As we delve into the conversation, Jeff and I explore the core issues surrounding CrowdStrike, including its lack of trustworthiness as a counterparty and the legal implications of delayed security updates. We discuss the broader impacts of the incident, such as the staggering $5.8 billion in losses faced by companies worldwide, and discuss how technology decisions could have eliminated the impact.
Through engaging storytelling, Jeff and I break down the complexities of cybersecurity, offering practical solutions and strategies for organizations to consider. From the importance of testing updates to the choice of operating systems for critical infrastructure, this episode is packed with valuable takeaways for IT professionals and business leaders alike.
Join us as we navigate the nuances of the CrowdStrike controversy, highlight the lessons learned, and provide actionable advice to help you safeguard your organization against similar pitfalls. Whether you're a seasoned cybersecurity veteran or just starting your journey, this episode of Breakfast Bytes is a must-listen.
 

Felicia stressed the importance of informed decision-making in technology services and products, and the need for involving skilled professionals in decision-making processes. She also discussed the longevity of structural furniture, the challenges in network switch installation, and the need for a formal procurement process in the IT department. Furthermore, she highlighted the issues with current wall-mount cabinets and open racks, the business impact of operations beyond regular hours, the need for proper equipment maintenance, and the importance of having an on-site technical point of contact at every facility.
Action items
• Felicia recommends ensuring the IT department follows a defined procurement process with oversight from a technology executive.
• Felicia recommends establishing written requirements and standards for IT infrastructure like racks and cabinets.
• Felicia recommends implementing a policy for designating on-site technical contacts to handle basic equipment issues.
 
Summary
Informed Decision Making in IT Services
Felicia emphasized the importance of informed decision making in technology services and products, which is beneficial for all IT stakeholders. She pointed out the persistent negative financial impact caused by ill-informed decisions, often made by business leaders delegating to inexperienced internal IT departments. Felicia advocated for the involvement of skilled professionals, such as CTOs or senior architects, in decision-making processes to mitigate these adverse effects. She also cautioned against the common practice of selecting the cheapest bid as a decision-making criterion, highlighting it as a recipe for failure.
 
 
Structural Furniture Longevity and Design
Felicia discussed the longevity and durability of structural furniture, particularly cabinets and racks. She emphasized that these pieces, often made of steel, aluminum, glass, and possibly plastic, can last for decades if not physically damaged. Felicia argued that considering a 20-year life cycle for such hardware is a more realistic approach than starting from an acquisition cost requirement. She also highlighted the advantages of a four-post full floor standing cabinet over a two-post rack, especially for secure and critical infrastructure. Finally, she noted the importance of wheels in cabinets from a maintenance perspective and referred to cabinet design as an art form.
 
 
Felicia's Network Switch Installation and Maintenance Insights
Felicia shared her extensive experience and insights on the challenges and considerations in network switch installation and maintenance. She emphasized the preference for a 4-post configuration due to the weight and depth of modern switches, and the issues that may arise with alternative setups. Felicia also highlighted the importance of understanding the ramifications of equipment placement, sharing a troubling example of a poorly executed setup. She suggested ways to prevent such issues from occurring in the future.
 
 
Improper Procurement Process in IT
Felicia discussed the lack of a formal procurement process in the IT department, which leads to inefficient and often unnecessary purchases. She explained that the department, composed of individuals not highly proficient in business value justification or total cost of ownership articulation, often sourced items themselves using credit cards, without proper checks and balances. Felicia emphasized the need for a written requirements list to facilitate better decision-making and prevent the focus on apparent acquisition cost. She indicated that she would provide two examples to illustrate these points.
 
 
Addressing Inadequate Infrastructure and Procurement
Felicia discussed the recurring issues with the current wall-mount cabinets and open racks in the infrastructure, which were not deep enough to accommodate modern switches. She emphasized that this problem wasn't new and had been ongoing for at least a decade. Felicia pointed out that previous investments in these inadequate setups were essentially wasted, not just in terms of money but also project time and potential business unit outages. She underscored the need for an appropriate procurement process and oversight to avoid such issues in the future.
 
 
Managing Operations Outside Regular Hours
Felicia discussed the business impact of operations extending beyond regular business hours. She highlighted that this not only affects payroll and product but also has implications for business continuity outside of IT. Felicia emphasized that IT personnel, such as PC technicians and IT managers, often only consider their own needs, which differs from the perspective of a technology executive. She stressed the importance of a different mindset, drawing from her experience as a chief operating officer and service manager, to effectively manage a large number of remote offices.
 
 
Client's Server Outage Due to Unauthorized Access
Felicia shared a story about a client who opted not to spend $350 on an idrac enterprise card, a decision that led to a server issue causing an outage. She emphasized the importance of proper equipment maintenance and restricting unauthorized access to technology cabinets. Felicia pointed out that allowing staff without proper training or maintenance responsibilities to have access to such spaces can lead to unintentional damage, as seen in the case of the client where a staff member put a box on a server keyboard, causing an outage. She underscored the significance of having a mature policy in place regarding remote support and access to technology cabinets.
 
 
On-Site Technical Point of Contact Importance
Felicia stressed the necessity of having an on-site technical point of contact at every facility to handle minor technical issues. She used the example of rebooting cable modems, which she stated often require physical intervention and should not disrupt other equipment. Felicia also emphasized the importance of setting up the facilities in a way that allows easy access for the on-site technical point of contact to perform these tasks without causing further problems. She underscored that this is a common requirement and should be considered in the facility's setup.
 
 
Technology Executive's Role in Procurement
Felicia emphasized the importance of having a technology executive oversee procurement policies and standards in IT departments to ensure good outcomes. She highlighted that the IT department alone should not be making procurement decisions, as they often lack an understanding of the total cost of ownership. Felicia also rejected the idea that a dollar amount should be the sole determinant of procurement decisions, citing the potential for malware to compromise the system. She advocated for a designated technology executive to establish policies and standards, warning that failing to do so could lead to adverse financial outcomes for the organization.
 
For more information, review this resource about racks and cabinets.
https://www.qpcsecurity.com/2024/04/26/why-buy-racks-and-cabinets-from-qpc-security/
Peruse the value of vCISO services.
https://www.qpcsecurity.com/vciso-services/
 

In this episode of Breakfast Bytes with Felicia King, we navigate the complex but crucial realm of cyber security. We explore the emerging menace of supply chain attacks and underscore the vital need for proactive incident response planning. Felicia reveals the staggering average cost of a cyber-attack, per employee and endpoint, and explains why smaller businesses might suffer even greater losses.
King sheds light on the often unnoticed aspect of incident response planning: the critical period between discovering a potential compromise and confirming a successful attack. She also scrutinizes the implications and expenses of in-house response strategies for sizable businesses and outlines how smaller establishments could face heftier costs.
Offering valuable advice, Felicia provides business-centric recommendations on methods of dealing with a reported incident. She addresses important issues such as identifying data breaches and managing downtime during a crisis, stressing the importance of having a contingency plan for extended recovery periods.
Moving on to supply chain risks, King critiques the increasing trend of outsourcing in the IT sector. She cautions against granting upstream providers unrestricted access to systems, noting counterparty risk as an area demanding heightened vigilance. Deeper discussions on access control, audit logs, automated compliance reporting, and other factors in selecting an efficient identity and access management system also unfold.
King further navigates the topic of APIs - the lifeblood of numerous industrial integrations - offering crucial insights into associated risks. She concludes with a call for a mindset shift required to tackle supply chain attacks effectively.
In contemporary threat landscapes, relying solely on the cybersecurity kill chain is a losing battle. This episode underscores the need for encompassing multiple defensive strategies for cybersecurity, such as multi-factor authentication, and conditional access for all accounts. Real-time analytics, endpoint protection strategies, and a zero-trust posture are championed as critical for preventing malicious activities and providing swift threat responses.
We delve into the pros and cons of network layer security, a powerful yet complex technique requiring specific expertise. When appropriately utilized, it presents a scalable solution managing traffic filtering and robust protection from supply chain attacks. The episode concludes with the importance of having a solid incident response plan as a vital proactivity measure in cybersecurity.

"Unlocking Strategic IT Investments and Information Security: Expert Insights with Gina King" dives into the critical aspects of IT investments and infrastructure. Felicia King, host of 'Breakfast Bytes', engages in a captivating conversation with Gina King, a leading Chief Information Security Officer. The extensive dialogue sheds light on necessary expenditures on Information Systems and Technology, managing and optimizing security investments, and realigning perceptions of IT as a valuable strategic asset.
Through their enriching discussion, Felicia and Gina tackle widespread issues of underinvestment in IT, encouraging businesses to understand and optimize their IT expenditures. Pointing to the risks of non-compliance and inadequate IT security measures, they illustrate how a thorough approach to IT spend analysis can tremendously impact a company's financial bottom line, customer satisfaction, and overall client experience.
The episode highlights the importance of a proactive and continuous IT security investment to nurture an effective information security risk management program. Felicia and Gina underscore the significance of considering cybersecurity as an aspect of overall business risk, rather than an isolated problem. They also emphasize the value of tech-savvy leadership and security education in fostering a vigilant workforce and strengthening an organization's security posture.
Switching gears to effective risk management amidst the digital landscape, the episode ends on a call for creating clear policies, continuous vigilance, and an understanding of organizational identity to safeguard online infrastructures. This engaging discussion is a must-listen for anyone involved in IT procurement, investments, security, and overall business operation.

Join us in this insightful episode of Breakfast Bytes with Felicia King, along with our guest Kyle Wentworth of the Wentworth Group. We delve into a balanced exploration of business needs vs IT security needs, demonstrating the magnitude of this issue with a case study of a massive spam operation hijacking over 8000 trusted brand domains.
https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html
In this detailed conversation, our experts elucidate steps towards prevention and emphasize the significance of effective domain ownership and control. Kyle highlights the central role of Technology Management departments in mitigating IT risks and stresses the importance of a comprehensive understanding of orderly processes for DNS management, timely publishing of DNS records, and the related cost implications.
This episode underscores the need for operational maturity in businesses, and how maintaining domain infrastructures and adhering to robust protocols can protect your business from digital threats. Listen to gain invaluable insights into how businesses of all sizes can level up their understanding of the intersections of business and IT security systems.
The episode also draws attention to the potential vulnerabilities of newly registered domain names and the common pitfalls relating to outsourcing these functions. We underscore the necessity to take caution or face serious losses and discuss the ramifications of transferring control of key business aspects to external vendors.
With a candid look at the dangers of ill-considered network security and the hazards of transferring all risks to an external IT service provider, we make a strong case for integral security measures. Listen in to gain an understanding of the importance of viewing technology as a business partner rather than an expense and to learn how focusing on strengthening your network security can pave the way for business success.

In today's episode of Breakfast Bytes, we are delighted to have Joe Brunsman from Brunsman Advisory Group as our special guest. Known for his extensive knowledge on the intersecting worlds of insurance and cybersecurity, Joe offers beneficial insights on the evolving sphere of insurance exclusions and how businesses can navigate these changes amidst the increasing threats of cyber warfare. Tune in as we explore the importance of adopting risk mitigation strategies with tangible security investment returns rather than relying solely on insurance coverage.
Join our profound discussion on the role of senior management in establishing a secure digital environment, starting from understanding IT risks and challenges, creating actionable plans, and sticking to a consistent policy. We also delve deeper into topics like legacy technical debt, the role of a Chief Information Security Officer (CISO), gaps in current insurance policies, and breaches of customer contracts owing to the lack of managerial insight in the IT sector.
In this knowledge-packed episode of Breakfast Bytes, we help you understand the intricate relationship between insurance and cybersecurity, and how enhancing comprehension in these two areas can secure your business in this fast-paced digital age. Listen as we unwrap various complexities surrounding cyber insurance and the emergence of warranties as an alternative, exploring their potential pitfalls and inconsistencies.
From diving deep into the history of insurance to shedding light on the impending exclusions in the upcoming insurance policies, we've got it all covered. Moreover, we highlight the need for skepticism and caution while dealing with Cyber Insurance, emphasizing comprehension over rushing headlong into the risky space of cyber warranties. Also, discover the correlation between proactive security measures and reduced insurance coverage needs, and understand why more insurance doesn't guarantee better safety.
Lastly, our guest Joe Brunsman sheds light on the seldom-discussed aspect of cyber insurance and data security. Learn how states are regulating insurance companies for holding sensitive data and the shockingly minimal regulations surrounding warranty companies. Get enlightened about the real-world realities of cybersecurity and how, despite utilizing SaaS platforms, corporations are not as secured as they think.
This episode guarantees both enlightenment and critical thinking around cyber insurance and data security. Tune in to gain a wealth of knowledge on this important but often unexplored domain!

Felicia is joined by fellow CISO Dawn Montemayor, partner at PureCyber, which is a security minded business consulting firm. Learn from two CISOs about how vital it is to use operationally mature processes in requirements definitions in order to achieve effective outcomes while avoiding toxic behavior in complex entities.
the importance of vulnerability assessment and management requirements in contracts
It is imperative for resource owners to be designated and held accountable to outcomes.
Exit strategies must be established as part of the procurement process
Lack of right to audit clauses in cloud services contracts
How the lack of an effective paradigm leads to destructive decision-making
IT must not be seen as the dumping ground or janitor. Instead the business must be charged back for the real proportional costs for the cost of service.
True TCO calculations must be made as part of the procurement requirements definition.
Systems integration and interaction maps are incredibly valuable
IT must be seen as a business partner and involved in decision-making.
Just because IT wants to say yes to help the business does not mean the business gets to disrespect IT standards.
Talking to the CISO can lead to utilization of an already vetted, approved platform making the pace of business faster.
Why procurement justification statements are imperative
Why it is necessary to track TCO and actual costs for product and services associated with a business function
Why it is essential to use operationally mature processes in a paradigm focused on governance, accountability, and transparency
Why the CISO and CTO should sign off on procurement of anything for which there is not already an approved policy standard on.
Why your CISO needs to review the contracts for a service or product before an officer of the company signs the contract
Why business leaders must consider how their revenue is event driven
Why the shared responsibility model is imperative. Resource owners must be defined and made accountable.

Felicia is joined by Laura Conrad, a Security Architect with 30 years of experience in enterprise environments. Laura currently reports directly to a CISO, and has been an integral part of the information security program at two large enterprises.
Felicia has consulted with 26 large enterprises and numerous SMB organizations in the last 30 years. She finds that the same problems occur in every organization that lacks operational maturity. 
Are you a person working in information security frustrated by the lack of progress of a security program in an organization because of the org's lack of operational maturity? Do you struggle in dealing with toxic, unproductive people? What approach could address these problems and more? Learn from two experts how they have seen companies engage in self-destructive and resource wasting approaches simply due to the lack of drive by executive leadership to install a structure for governance, accountability, and transparency in the organization. 
Org structure required for CISOs to be effective
This article and its impact are briefly covered as they are related to this topic.
https://www.darkreading.com/cybersecurity-operations/cisos-struggle-csuite-status-expectations-skyrocket
It is quite a good article, but it implies that if the CISO reports directly to the CEO, the problems in an organization will be reduced. While that is partially true, that by itself will absolutely not fix the problems. Felicia and Laura deep dive the decision-making failures that occur throughout an organization and what drives them. Also discussed are methods to truly and structurally correct the problems across an entire company.
95% of information security risk management issues are HR management issues
Executive management want to run the company, not manage people. This leads to toxicity and unproductivity being tolerated when personnel issues are not fully investigated and actioned. The desire to make an emotional problem go away cannot override the need to get to the core of the issue and put a system in place to prevent it from happening again. This is not about firing people. This is about instilling a culture where the facts matter, personnel issues will be investigated, and structural systems will provide the governance to drive productive staff behavior.
Org executives are unaware of the real costs of inputs
It seems to be a pervasive problem across most organizations that there is no financial management structure which facilitates the tracking of expenses as inputs to a service or product delivery to customers. Without this real understanding, leaders persistently price products and services incorrectly. This leads to one business division or a product line losing money and needing to be subsidized by another.
Executives rarely understand that by tolerating operational immaturity in their organization, they are actually failing in their duty to stakeholders to effectively manage the assets of an organization to maximize value.
Drive change and org-wide staff effort alignment with dashboards that drive transparency and healthy internal competition
Felicia and Laura discuss in detail the how and why of dynamically updating dashboards which help CTO, CIO, CISO manage upward to the CEO and board, while driving downward alignment to objectives.
Governance, Accountability, Transparency in IT Security
Felicia and Laura discussed the importance of governance, accountability, and transparency in IT security and business processes. They emphasized that these principles could help prevent problems caused by a lack of collaboration and understanding between IT and business units. Felicia cited instances where poor prior planning led to unnecessary expenses and internal toxicity, which she believes could be avoided with a more mature approach to operations. Laura added that these principles could also lead to cost savings and risk reduction. 
Harden the procurement policies
Felicia and Laura provide many examples of problems that could have or were avoided by having an enforced procurement policy which resulted in all technology purchases being signed off on by the CISO or security architect and often the enterprise architect. It is infinitely easier to rectify issues before an implementation and before signing a contract than to do so after a purchasing decision has already been made.

Felicia shares insights on the pitfalls of changing IT service providers or MSPs for both clients and the IT service providers themselves. This content is based upon a number of questions that other MSPs have posed to Felicia asking for advice as well as numerous first hand experiences on the subject.
This podcast is primarily for IT service providers or MSPs, but business decisions makers who are considering making a change would also benefit from the content.

The process of determining how workloads should be hosted is very complex and not a decision that should be abdicated to the IT service provider. Business decision-makers must be involved in those decisions as only they are able to define the key criteria that all other factors are dependent upon.
 

CTO Kyle Wentworth joins Felicia for a discussion about how businesses can avoid adverse financial impacts.
 
Lack of understanding of the language of technology
It changes so incredibly fast that it takes a sea of people who understand the pieces
Complete perspective of how the business of technology should be run
 
Understand what governance and compliance standards your business is held to
That dictates how you do business.
 
Some tangible examples of how things can and should be done:
Justification statement annually for expenses
How it is being used and how the costs were arrived at
Assignment of the resource owner
Misallocation of funds paying for items that should not be paid for takes resources from other needed items.
 
Walk through your business. Identify what you don't understand about the business?
Do you understand every function of the business?
You have to entire your entire business as a whole if you are the leader of the business.
Gaps in your understanding indicate where you need an auditor to identify that your people doing the processes are doing it properly.

Zero trust is not a product you buy.The problem that most organizations have is that they are still not doing the fundamentals well.CIS has a community defense model.I did a detailed webinar on it where I covered a lot of these fundamentals.https://www.qpcsecurity.com/2023/02/16/addressing-information-security-fundamentals-with-cis-and-community-defense-model/
Let's look at inventory management, asset management, change management, onboarding and offboarding.
You must have checks and balances. There must be practices codified in policy with a shared responsibility model which make it so that the issues that are created by mistakes in onboarding or offboarding are caught.
Fundamentally, the most effective thing in zero trust are the protections that are in an always on state.Like for example the recent revelation about flaws in UEFI and SecureBoot.These have prerequisites like TPM, BIOS configs, bios adm pwds, automated firmware updates, procurement policy alignment for supported hardware, onboarding configuration done properly on those endpoints, monitoring of the firmware updates, and of course, no admin access for end users!!!
FUNDAMENTALS MUST BE MASTERED
When an organization does not have a CISO that has policy and management authority over IT, you are guaranteed to have problems.Forget CIO and CTO. I think those are old modes of thinking. Find a CISO that can be the leader of all IT strategy.
Procurement policy must include vetting and testing of cloud app integrations. Monitoring and technical controls must be in place to restrict or eliminate the ability of an end user to buy shadow IT and authorize it on their own. Azure AD has controls for this, but they are not on by default.

What is the number one thing you can do as a consumer to protect yourself when dealing with tax preparers?
Practical examples of what to ask for from your tax preparer and why.
What are the total number of people that would have access to my records if I do business with you? You want me to sign a contract with you, terms and conditions that I have to abide by. If you are going to prepare my taxes, show me your affirmation statement where you as a tax prep preparer have put it in writing that you are fully in compliance as a business with the IRS requirements for tax preparers. Put that in writing.
If the IRS is the authority that is providing the designation that an organization is an IRS authorized tax preparer, then the IRS is the entity who defines the standard for what is the requirement put upon that organization or that person in order to have that designation. Therefore, it is completely legitimate to be asking as a prospective customer of that organization, "show me your compliance statements". How do you comply with the IRS requirements for tax preparers? And if you get anything other than a fully prepared premade statement they provided to you in writing,  then that's problematic because it means that they are not compliant.
What is one of the most important things that a business owner can do in order to make their business survive the next decade?
Information security risk management is everyone's problem.
Business leaders cannot delegate and abdicate involvement. 
If you are not having regular meetings with your vCISO, how can you make informed risk decisions? Do you know what the gaps backlog is for your organization? Do you have a risk register? If you refuse to make the time to meet regularly with your vCISO, your business is going to be squeezed by cybersecurity insurance requirements, governmental regulations, and customer requirements.
 
The executive management team needs to understand that if they do not tell all of the managers in an organization that they need to take responsibility for the ownership over their resources, then what needs to happen is that the executive management team needs to make the CISO or the IT department have full total authoritarian control over those resources. But then that turns into a big can of shut the heck up to the people who've abdicated their responsibility to be involved in the process. Because you can't have it both ways. You can't say that IT is responsible for the security of those assets, but then refuse to be involved in the conversations about who should be having access to what and when. And claim that you don't have time to talk about it, that it is not important. Of course it's important. Are you the resource owner or not? So you can't make it somebody else's responsibility to define the policy around who has access to that resource that ultimately you're responsible for and then yet get grumpy. when your access or the people who you thought should have had access to that resource have their access denied because IT is trying to clean up the mess. You can't have it both ways.
Whose responsibility is information security risk management? Ultimately, it's the executive management team. But they can delegate that through the organization to the resource owners and at the end of the day, IS risk management really needs to be everybody in the entire organization's responsibility. Information security practices need to permeate throughout the entire organization. The end users of an organization are the largest attack surface that an organization has.
Suggestions for tax preparers
Tax preparers need to comply with the FTC Safeguard rule which is currently slated to be enforced starting in June 2023. As of May 2023, the expected plan is that private contractors will be the enforcement auditing arm for compliance. 
In reality, any company that had taken cybersecurity insurance compliance preparedness and had engaged a vCISO proactively several years prior would likely have no issue in this area. But the vast majority of tax preparers were unwilling to invest in the kind of protections that should have been in place for decades. 
Here are some resources.
https://www.irs.gov/newsroom/heres-what-tax-professionals-should-know-about-creating-a-data-security-plan
https://www.irs.gov/pub/irs-pdf/p5293.pdf
https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
Page 13 of publication 4557 states that all tax preparers must comply with the FTC Safeguards rule. That means if you or your organization has an IRS tax preparer ID number, you must be in compliance and be able to prove that you are in compliance. 
Tax preparers that are under $2mm in revenue should expect to spend 15% of revenue annually on all inclusive IT costs. If your spend is not that high, then your organization is likely not going to be competitive in the market and is bound to lose market share to players who have invested in becoming FTC Safeguard rule compliant.
Please also be aware that security theater is not compliance. I have seen some scams such as do-it-yourself kits through technical firms who specialize in servicing accountants (per their website). 
https://www.irs.gov/pub/irs-pdf/p4557.pdf
 
More details from Joe Brunsman, cybersecurity insurance expert.
https://youtu.be/NOY249doJXg
 
 

I get a lot of questions about PSAs, ERPs, and overall paradigms related to core business software. This podcast summarizes things you should be thinking about in your software selection process.
After three years of investigating PSA and ERP options including spending a lot of money on software and payroll, the product we like is Odoo. Organizations using a PSA with add-ons approach are really missing the mark. There is no PSA that does project management well. None of them have accounting systems. Most of them are terrible at quoting. And they are all expensive. They also are all weak at analytics and business visualization or analysis.
So a company ends up paying for:
PSA
Quotewerks
Zomentum
eCommerce processor
Payment gateway provider
project management platform
QuickBooks or Xero
PowerBI
website hosting
Applicant tracking system
HR / people management system
email newsletter system
marketing automation platform
CRM
Social media marketing platform
and more
Whereas, a business could just get Odoo.
Let's look at a brief cost analysis.
Halo - $15,000/yr
Quotewerks or Zomentum $500/mo
QuickBooks or Xero $1300/yr
ConnectBooster $300/mo or more
Project management  $300/mo or more
ATS $5000/yr
HR system $150/mo/employee
Infusionsoft or Hubspot $1200/yr at least
Social media marketing  $200/mo
CRM - $300/mo
 
OR you could just stop all that nonsense.
 
Odoo. $47/mo/user.
Remember that this includes your website hosting too. And it turns out to be much better than WordPress, Joomla, or other smaller CMS.
What I find really hilarious is when I ask other business owners how much they are spending on all the components they use that spackle over the deficiencies in their PSA, they rarely know. It's like it is a financial hole in their business that they don't want to look at.
 
As of 11/22/2023, our 1 year Zoho subscription that we tried has been set for non-renewal. The primary basis for that was four wasted months of payroll, wasted time working with Zoho support, and wasted time working with Zoho consultants to try to get integrations with other modules in Zoho to work. The modules in Zoho One are designed to work independently. In order to get data to flow between them, integrations between the modules is required. We consistently found that those integrations between the individual Zoho modules did not work properly. We had other problems with it as well, but it became quite clear that Zoho One was not really an ERP because it is not foundationally designed with the premise that all of the modules are fully integrated automatically.
I looked deeply into Manage Engine ServiceDeskPlus for MSP also. I spent about a year on that investigation. I encountered a plethora of challenges with that and it still is a PSA-like mindset where ServiceDeskPlus cannot be a comprehensive business tool.
I encounter MSPs that use an outsourced helpdesk that requires the use of a specific PSA. I don't and won't outsource helpdesk for quality control reasons.
Overall, Odoo does everything better than ZohoOne. Odoo integrations are all there from the very beginning automatically integrated because it was designed as an ERP from day one instead of individual modules.
You can see a demo of Odoo at https://demo.odoo.com. Be aware that there are more modules available than what is shown in the demo, but the demo will give you a good overview. Odoo training is online and free. The documentation is online and free. Support is included with paid subscriptions and we have found that support is effective. Conversely, we rarely had any success with Zoho support. Odoo is more intuitive with things just working and being able to be figured out oneself through the use of documentation, training videos, and just playing with the software.
We use the Maintenance module which is good for a facilities maintenance team. I wanted my team to be able to log time entries against particular maintenance tasks. In 2023, it is not possible for time entries to be applied directly on maintenance tasks that flow through to timesheets for payroll. When I put in a feature request, with Odoo, they responded very quickly stating that they were aware of the limitation and were also aware of the need and value. With Zoho, I would put in a feature request and get a response in 9 months. 
I think that Zoho is so busy writing new modules that they have little to no developer time allocated to making the ZohoOne integrated ERP vision a reality.
We spent a LOT of time trying to use the recruiting module in ZohoOne and found it to be an exercise in frustration. We had a lot of success with the Odoo recruiting module with only a few limitations.
 
The bottom line is this. Find just one thing you can use Odoo for that can justify the monthly fee for one user. Get in there and start using it.
We have some clients who are using just one module for free. I got one client up and running on the project management module in a couple hours and got the client trained on it.
Another client, we put on the website module. The feedback we get from clients emphatically is that it is intuitive and easy to use.

Tech E&O and Cyber insurance with:
Joe Brunsman of The Brunsgroup – Expert on Tech E&O and Cyber Insurance
YouTube channel – Joseph Brunsman
https://www.youtube.com/@JosephBrunsman
https://www.thebrunsgroup.com/
Damage Control book
https://www.thebrunsgroup.com/book2
Tech E&O and cyber
MSP should have a tech E&O policy. They cover different things. What types of third-party claims will they cover? A guy on the Que recently said that he did not think that E&O was required because his customers have never asked for it. You must have a TECH E&O policy.
What is the biggest thing that you need to pay attention into the E&O policy?
Look at the definition of technology services in the policy. Everything past that point, it does not matter if the definition of technology services is correct.
Avoid the named peril policy. An all risks policy is better. These are becoming harder to come by.
Named peril:  Technology services means:   there is a list
You have to prove to the insurance company that what you did falls within that definition.
What do you need to look for? “Including but not limited to”  contra proferentem = ambiguity is held against the draftsman. The onus is on the insurance company to prove that what you did was not covered under the definition.
How much coverage in the policy should they have?
How much cyber insurance do you need? Here are the variables that I think about. – See Youtube video
Brokers – There is no legal requirement that they understand or read the insurance policies.
Average IQ of an insurance broker is 104. They do not understand what they are selling. The onus is on the business owner to ask and to get the right things.
What is your major loss event? What are we worried about? Is that even possible to insure for those issues?
Step 1: Stop relying on the insurance broker.
Step 2: Fellow decision-makers in the business, what are you worried about? Talk to the broker about that. Then the broker finds “these are the options in the cyberinsurance market that address those concerns”.
Joe: Huge proponent of defense in depth over cyber insurance. Rank order the biggest bang for the buck. Felicia has been talking about that for years and is doing a webinar on 2/9/2023 on that very topic.
Insights from plaintiff’s attorney
Joe had a great convo with a plaintiff’s attorney and got his opinion on risk management.
Risk discovery question: What is the one thing that sinks the ship in the lawsuit?
There is an internal email. You knew you were supposed to do this. But they said it was too expensive. They were not going to do that. They understood the risk and just accepted it.
What could the business do in order to circumvent that email being a death blow in the lawsuit?
Plan of implementation.
No business has unlimited resources. No business is perfectly secure. You sit down the with business owners and MSP. We need to work on a plan to better your security. You don’t have unlimited money. I am a business owner too. You need a roadmap. Everyone signs off on it. We were trying, we were getting there.
Felicia: Wow this is astonishing because this is what we have been doing with clients for 20 years. It is the type of thing that a CISO knows how to do, but few others know how to do well.
 
 
Life hack tip from Joe:
Convo with the average business owner:
Obviously you are really good at what you do. You have built this business. Build a relationship with them. The MSP is not the subject matter expert on the client’s industry. Fluff their feathers. Transition that. I asked you a bunch of questions, thank you for hearing me. Now we are going to go through this. Can we just do the same thing in reverse? If you do not understand this yet, let me know and let’s break it down.
 
Joe and Felicia agree:
One way or another, those controls will be implemented. Read any breach notification letter. Magically we found more money to invest in cybersecurity.
Either work on your information security program monthly at a pace that your budget can absorb, or that decision of timing and magnitude will be taken away from you.