Abacode CEO Michael Ferris On Unifying Cybersecurity And Compliance And Why MSPs Are ‘Missing A Massive Boat’

Michael Ferris, co-founder and CEO of Abacode, which has pioneered the MCCP model, says that MSPs are in danger of losing customers because they can’t properly address cybersecurity and compliance issues for their customers.

All In With Partners To Address Cybersecurity And Compliance

Abacode is stepping up its drive to team with partners to solve the complex cybersecurity and compliance challenges facing customers, said Abacode CEO Michael Ferris.

In fact, Abacode, Tampa, Fla., is planning to use one third of a recent $8 million round of funding from its investors to build out the company’s three-year-old partnering sales offensive, said Ferris.

“We’re all in with partners,” said Ferris. “We believe it will drive at least two thirds if not 75 percent of our business (up from about 50 percent). Those partners have a trusted technical relationship. The problem is the complexity in security and compliance is deep water that they can no longer address. We can solve it.”

Abacode closed an $8 million round of funding (bringing its total funding to $13 million) in September from investors Ballast Point Ventures, Tampa, Fla. and Signature Bank, North Carolina. That funding round is going to help Abacode expand into the Northeast, Midwest and then out West, said Ferris.

Abacode has built a robust partner program over the last three years under the leadership of Abacode Senior Vice President of Partners and Sales Strategy Greg Chevalier, said Ferris.

“We can literally run the entire play from hello to customer success and everything in between for that partner,” said Ferris. “They usually will stay on with us in the front end. They own the client. It is on their paper if they want. Most of the time it is. You can think of the partners as sales and account management. We do everything else from run books to data sheets to sales enablement and qualifying questions. We handle all the proposals, revenue operations, solutioning.”

The Abacode model is opening the door for partners to drive cybersecurity and compliance services sales growth without a hefty up front capital expenditure to build out a cybersecurity and compliance practice including security operations centers, said Ferris.

“They would have to spend millions of dollars for the infrastructure alone because they would need to stand up two SOCs (Security Operations Centers),” said Ferris. “So they would need to pay for the infrastructure and the people. And it would take them at least five years to get it orchestrated and have it coming together. And then it is still not the core of their business.”

Most MSPs and VARs are still primarily selling NOC (Network Operations Center) and IT services along with help desk services, said Ferris.

“They don’t do full bore cybersecurity and they definitely don’t do compliance at all,” he said. “And both those MSPs and VARs are feeling it now. Security and compliance should be part of every discussion they are having. They are trying to have a security discussion, but it is lumpy, it is not good and it is not effective. And they can’t have a compliance discussion at all. So they are missing a massive boat.”

Ultimately, MSPs that do not address the complex cybersecurity and compliance challenges facing their customers are in danger of those customers going elsewhere, said Ferris. “If you can not have an immediate conversation at the right level around cybersecurity and compliance someone else is in that door and is going to take the entire business from you over time,” he said. “That is what is at risk.”

How did you come up with the idea to marry security and compliance in one managed services package?

We’ve been building this business over the last decade. We really built the business from the inside out with the perspective of how do we address the macro and micro challenges organizations are having around cybersecurity and compliance. So we started there. We really were born out of the boardroom with a look at how do we do this differently, how do we attack these challenges, how do we solve these problems, starting from the top down and not the product or platform up.

We didn’t want to create a software widget and then come up and help an organization with one particular problem. We wanted to start with the board and the enterprise and look at how do we create an umbrella to solve all of these challenges that organizations are having. You must do that from the top down.

So this is all about how do we make sure that we can give the head of IT, that technical leader, everything they need and require from a cybersecurity and compliance standpoint but also how do we give a win in this fight to the non-technical C level leaders like the CFO and the CEO. That is the problem we have solved.

So effectively we took a programmatic approach to cybersecurity and compliance. To unify cybersecurity and compliance we needed to speak both of those fluently because an organization can be secure and not compliant and compliant but not secure. We brought those two together and created a new market category. We were previously an MSSP (Managed Security Service Provider). We stepped out of the shadows and created MCCP (Managed Cybersecurity and Compliance Provider) which Gartner, Forrester, and HFS are all now following.

We have unified those two areas and we are taking a programmatic approach with a perspective on how do we implement a program – not just a product – to solve all these challenges. We can do a few things: first we can help solve the product overload from technical leadership. You have to understand that for every organization that is trying to mature their security or become more compliant there are 80 products that do the same thing who all say they are the best in the world at it.

There are hundreds of products out there that technical leadership (from clients) can’t keep up with anymore. We have kind of wiped that away by standing up an applied research lab where we regularly interview, train, rank, qualify and get certified on security products. That way we are always having a business conversation around technology to technical leadership. We kind of part the clouds and quiet the noise from the product overload.

The second thing we do is: most organizations don’t speak compliance at all and all these compliance regulations are raining down upon them. So they don’t speak it. Their technical partners don’t speak it. We speak it fluently. So we are helping these organizations on the front end meet all these cyber compliance regulations like HIPAA, HITRUST, CMMC, SOC 2, and ISO 27001. We speak that language fluently.

Third our sole focus is security and compliance. That’s important. It makes us become experts in that field.

How did you pioneer this whole MCCP field?

It wasn’t there before we did it. It really goes back to my days in private equity and the boardroom. I was sitting in the CEO seat and was tired of all these product vendors telling me what was needed. I looked at it from building it the right way out of the boardroom.

Effectively what we are doing wasn’t there. We had to create it. That is what we did. We created this idea of bringing cybersecurity and compliance together.

I had to address this as a CEO and chairman of a portfolio company of a $15 billion private equity group with a very sophisticated audit committee, compliance committee, financial committee.

Cyber started to be put on my plate and then I found out how my technical leadership was dealing with it and I thought that was backwards. They were just buying up technologies. There was no governance program.

What does this mean for solution providers and MSPs?

We partner really, really well with all of the IT shops in the channel like outsourced IT, MSPs, VARs, software developers, data center providers and cloud providers. We don’t do what all those IT providers do. We do security and compliance. So you have to think of them as Tax and us as Audit.

So when we engage a client through the channel or direct we immediately give that company the right governance or checks and balances, call it tax and audit, that they are starting to want or require. Historically customers would want their outsourced IT group or whatever you call it to kind of do security. Well kinda doesn’t work and has left them exposed.

By us connecting with the channel, we immediately give them the power to have a single pipe to provide a holistic and programmatic cybersecurity and compliance program to their clients. This gives the end user the right governance checks and balances immediately and it allows our channel partner to not have to come to that end user with a line card.

When an outsourced IT group comes in and goes to address the security and compliance issues they provide a list of products and solutions. That is a hot mess. Customers can’t deal with that anymore. It is too much. It is fragmented. It is not cohesive. There is no consolidated reporting. It is just a mess. We allow our channel partners to not have to go to the customer with a line card. They come to the table with a partner who can address all the client’s cybersecurity and compliance needs.

We are product agnostic. So a lot of the technologies they love and want and even don’t know about we utilize inside of our MCCP core program. So we effectively allow our channel partner to get rid of the line card around security and compliance and have a dedicated partner who is always available to that client. When it comes to security and compliance we don’t have to leave the phone so the partner does not have to bring in a second partner or a third partner, or an eighth vendor, ninth vendor or 12th vendor. We can stay on the phone with the end user and answer all their questions, concerns and needs.

This allows the channel partner to accelerate revenue quicker. We can get to revenue quicker because we can have one phone call and answer everything the customer needs. So the partner gets to revenue quicker and that end user gets to security maturity and compliance faster.

What’s an example of that ability to provide that single cybersecurity and compliance combination?

We’re working with a private equity group that put together eight different (security) vendors and those vendors felt that over the next 18 to 24 months they could implement a cybersecurity and compliance initiative. We told them that we could do it just us in 90 days at a fraction of the cost because we already have a purpose built orchestrated program that works. So this is effectively what we have built. The story with the channel is better together. Effectively together we can go to that end user and give them a single pipe for all things IT, security and compliance.

What is the commission model and channel program that you have put together?

It is monthly recurring revenue, all managed in three to five year agreements. It is at least 30 percent margins with zero lift on the channel’s part.

We have a head of channels, Greg Chevalier, who helped built out this program. We now have five folks on the channel staff. We have built out a sophisticated program from sales enablement to marketing engagement to co-branded webinars and data sheets to solution engineering support. We can literally run the entire play from hello to customer success and everything in between for that partner. They usually will stay on with us in the front end. They own the client. It is on their paper if they want. Most of the time it is. You can think of the partners as sales and account management. We do everything else from run books to data sheets to sales enablement and qualifying questions. We handle all the proposals, revenue operations, solutioning. We have this down to a chart where we can show a client in a spreadsheet the details of the handoffs between both of us.

When did you first introduce the partner program?

So we started building it from scratch three years ago. Over the past two and a half years we have been building out all the components of the channel program, hiring the channel folks and integrating all the data sheets and run books over the last two and a half years.

How big of a gap do you see between the cybersecurity stack you see from partners and compliance when you look at the channel?

It’s a huge gap. Ninety five percent of the channel does not speak compliance at all. They wouldn’t even be able to get on a phone call with a customer and talk compliance. And that is where the whole market is going. The reason a customer moves quickly is either they had a breach and it forces them to act or they are faced with a compliance regulation that is being forced upon them and that is sweeping like GDPR in Europe. We have regulations being forced down on every industry and sector. That is sweeping across the US.

The SEC, for example, has just cemented a regulation that every private equity group now must have a cybersecurity expert on their board.

The SEC knows that financial services is not handling it so they are going to start requiring it. The next thing could be a compliance expert on the board.

The SEC is starting with private equity companies so they can push down on their portfolio companies the right processes, procedures, protocols and services.

The reason the private equity companies have been slower is because they don’t speak tech at all. They are financial operating guys. They don’t want to have a conversation they can not speak fluently about. That train has left the station. The SEC is saying you need to be engaged on this. And they are forcing it because bad things are happening because those private equity companies are not engaged.

The private equity companies can’t have an intelligent conversation on what compliance is and what to do about it. We have solved that issue.

Can you help MSPs have that cybersecurity and compliance discussion with the CEO and boards of directors?

Not only can we, but we are one of the only ones who can even have that conversation. No MSP or VAR can walk into a boardroom where there is a CEO, CFO, a chairman and a COO and have a holistic, programmatic discussion around security and compliance. They can’t. That is the problem. They can’t talk about it because they don’t do it.

Will you go in side by side with the MSP?

Yes. We create a better together story. We have integrated down to the RACI (Responsible, Accountable, Consulted, Informed) chart and we can come into the boardroom together to provide a single pipe to address IT, cyber and compliance needs.

Do you think the MSP platform providers who are stepping into this fray to provide security services have what it takes to get this done?

It is not in their DNA to be cybersecurity firms. ConnectWise is effectively trying to teach MSPs to be MSSPs. I think it is better than sitting in the closet with the lights out. It will never happen because it is not in the (MSP’s) DNA. To a degree it almost leaves that end user even more exposed because they think they are getting secure by their MSP who is kind of doing cyber but it is not their core business which means they don’t have real competency behind it. So there’s a false sense of security. That is why bad stuff keeps happening. That is why regulators step in. The end user companies say the MSP sold us some products, we thought we were doing the right thing, we got breached, we lost data. All because the end user was going to the wrong person to get healthy.

This would be like a patient going into brain surgery, all hooked up and on the operating room table and having a heart surgeon walk in to the operating room to do the surgery. You don’t want a heart surgeon operating on you if you need brain surgery. That heart surgeon knows nothing about your brain. It is a surgeon though. That is the same thing that is going on with MSPs. It is a completely different expertise than an MCCP. The end user doesn’t know that.

What is the call to action for MSPs in terms of what Abacode is offering versus relying on an MSP platform provider or another security company?

The call to action is to recognize as an MSP – at least today- you are not the expert. Because of that you need a partner. But you don’t need to go put together a line card in an area that you really don’t speak fluently. And that is just on the cybersecurity side – forget the compliance side. By putting together a line card for customers MSPs are just transferring confusion from one hand to the other hand. Stop doing that. You are confusing the end user. You are giving them a false sense of security. And it is taking way too much time. We can speed into action immediately, solve the end user’s problem immediately and speed the MSPs revenue time and do it all in fraction of the cost and time of them doing it the other way. That is just on the cybersecurity side.

On the compliance side, MSPs definitely don’t speak that language at all so they can’t even try to get into that conversation. We can address that as well. Every one of the MSP’s customers are having a cyber-compliance discussion internally that they are not having with them. The MSP is not even in that conversation. This allows them to immediately turn the light on and have a compliance discussion which is driving the security initiatives.

How did the MCCP business model come about?

We created the category. HFS has been tracking us for the last 18 months. They have put out a statement on the MCCP sector that we created.

My partner, (Abacode Chief Operating Officer) Rolando Torres and I came up with the MCCP model. I have been a CEO and chairman of tech enabled services companies over the last 25 years. Rolando Torres was a manager at Accenture and an electrical engineer by education, was managing these security compliance projects for Accenture. We came together and started to build out Abacode.

A lot of this came from my tenure working as chairman and CEO for private equity (firm) New Mountain Capital. Cybersecurity started hitting my board and I basically started poking the bear.

I was chairman and CEO of this private equity group and in addition to that I have been a judge for seven years for EY’s national Entrepreneur of the Year awards program. We interview 60 to 80 CEOs of high flying companies every year. Ninety five percent of these CEOs are not technical people. I started asking them what they are doing around security. We found a theme. The theme was they would do two things: they would reach out to their insurance company and ask about cyber liability insurance and the next thing they would do is ask their own internal or external IT folks and ask about what should be done on cybersecurity. That group would say – “Great – We’ll go do it!’ So that group would start doing stuff. The CEO and head of IT would walk away saying we are doing stuff now -we are good. No – Not good. Better than sitting in a closet with lights out. It does not mean they were going down the right path or doing the right things because they were talking to the wrong people. So now bad things started to happen. They thought they were good. They didn’t know why and we fixed the why.

What is the secret sauce regarding the scale and expertise you are providing to the channel and via the channel customers?

The secret sauce is it took a lot of time and a lot of money to orchestrate the services and technologies required to implement a holistic cybersecurity and compliance program. So we have developed this MCCP core program that is effectively an orchestration of all these products and services in a very organized way that we can deploy over time. Basically, we do it in a crawl, walk, run fashion depending on where the client is in their maturity of their wants and needs. But effectively whereever they engage with us they are immediately effectively inside the MCCP program. Now you are immediately in an organized program where we map you to a compliance standard inside a maturity model with consolidated reporting.

Seventy three percent of our clients are increasing wallet share every six to nine months with us because they are figuring out that most of their needs fall inside the MCCP program. That provides them lower cost, faster to results, higher predictability. The CFO then has a predictable (security and compliance) spend that they can see over years instead of this lumpy, dark closet of who knows what is going to be needed next.

The secret sauce is the ability to build out all of these functional areas so we can implement this orchestrated, organized MCCP program.

What specific products are in the Abacode MCCP stack?

We take a multivendor approach. Effectively it is an endpoint solution. It is an MDR, XDR and SIEM solution, IDS and SOAR capabilities. It is a compliance platform or dashboard. It is data governance with DLP (Data Loss Prevention). So there is a myriad of different products that come underneath inside the program like cybersecurity awareness training for employees like KnowBe4. We use CrowdStrike as one for end point. We use Splunk and Microsoft Sentinel and many other SIEM solutions.

What is the model that you use to support all the MSPs and customers that are engaging with Abacode?

Most of our folks are on the engineering or support side of the business. We have a PMO (Project Management Office). That is the team that does the kick off call and implementation services once we land a deal. Then we have a customer success team. That is account management and QBR or executive business reviews.

Then depending on the program that the client is set up we’ll provide SOC monitoring and real time data and reporting, compliance reports to the dashboard. All that is live and continuous. Twenty-four (hours a day)/Seven (days a week) monitoring is live and continuous. Some of the other services are a little bit more start and stop timing like penetration testing, vulnerability assessments. Cybersecurity awareness training is live and ongoing.

Everything rolls up to a single pane of glass. You get a single pane of glass to see where you are in the maturity of the program and meeting the compliance standard.

What are some of the biggest advantages Abacode brings to the table versus competitors?

The biggest thing we can do that most any other company can’t do is we can advise, implement, and manage an entire cybersecurity and compliance program for a fraction of the cost. And we can get that client into a continuous state of security and compliance.

How does your pricing compare to the biggest systems integrators?

We sit right underneath the KPMG, EY, Deloitte, PwC who are the largest cyber-companies in the world. They can pull together a (cybersecurity and compliance) program because they are so large. But they don’t have a purpose built program and by the way they are 10 times the cost (of our services).

Our sweet spot is middle market: SMEs (small medium enterprises). That is companies between $25 million to $1 billion in revenue. Our sweet spot is $750 million to $1 billion. Accenture, PwC, KPMG are enterprise focused on companies with $3 billion and above in revenues. The ConnectWise’s and Kaseya’s are focused on the small MSPs. They are dealing with like one man to 15 man shops with revenue of $500,000 to $1 million to $5 million.

Many of our partners are VARs who have stood up a services practice. So they sell all the gear. They do some services and a little bit of cyber on the product side. But that is not their core business. So we are really focusing on the VARs and MSPs that have from 100 to several thousand employees.

Are you finding a huge market in the channel when you are knocking on the doors of MSPs and VARs?

The VARs making the transition to services is definitely sweeping and it is happening but they are not there yet. If they have gotten into services it is still IT services. So they don’t speak to cybersecurity or compliance at all. They are selling switches and some firewalls and antivirus but they don’t speak cyber much and they don’t speak compliance at all.

On the MSP side they are still mainly selling NOC and IT services, help desk technologies. But they don’t do full bore cybersecurity and they definitely don’t do compliance at all. And both those MSPs and VARs are feeling it now. Security and compliance should be part of every discussion they are having. They are trying to have a security discussion but it is lumpy, it is not good and it is not effective. And they can’t have a compliance discussion at all. So they are missing a massive boat.

What is sales proposition to the VARs and MSPs who are looking at a potential partnership with Abacode?

They get all the remediation that needs to be done that comes out of a vulnerability and cyber-assessment. There are VAR and IT stuff that needs to be done and is required like upgrading firewalls, upgrading servers, moving to the cloud. A lot of the clients need more IT stuff. We get to help bring a lot of that to the surface. But the main value is helping the customer 10 times faster than they are now. Also they are going to get into discussions that are needed and that they are not having now. And they are speeding up revenue for their whole enterprise overnight.

What is the capital expenditure that VARs or MSPs would need to spend to get the cybersecurity and compliance that you are bringing to bear?

The beauty of our model with VARs and MSPs is there is zero capex. It is all opex. We can literally advise, implement and manage an entire cybersecurity and compliance program for a cost of .5 to 1.5 full time equivalents. There is zero capex. It is all Opex. You pay us one predictable monthly fee and we run the whole program: the people, the technologies, all of it. It is all incorporated inside our MCCP program.

How do you price it for the customer?

It is a combination of data output volume and a combination of things like how many employees they have, how much data volume they are producing, IP addresses and things like that.

How much would a VAR or MSP have to spend to get to where Abacode is with MCCP?

They would have to spend millions of dollars for the infrastructure alone because they would need to stand up two SOCs (Security Operations Centers). So they would need to pay for the infrastructure and the people. And it would take them at least five years to get it orchestrated and have it coming together. And then it is still not the core of their business. That is not their sole focus. That’s the problem.

It‘s not their sole focus which means it will never be their sole focus. And I’ll go one step further which is even if they could do it I would ask should they? As a board of director if I am creating a world class enterprise and growing then governance is huge in my vernacular. What I mean by that is even if my MSP or VAR could they do this? If they do that means they are checking their own homework? That is not the right governance. That is not checks and balances. That is not tax and audit. So they need a partner. I don’t care if they can they actually shouldn’t because if they are they are checking their own homework. They need a partner.

I can’t go to my outsourced IT group and tell them they are going to be my IT, Security and compliance. That means they are checking their own homework. That is not going to work. Don’t do it, shouldn’t do it. Partner with someone. It makes more sense. It is more logical. It is faster and better. That is where the board of directors are stepping in. That is where the real smart boards of directors are understanding that. They are saying to the MSP even if you could do it I don’t want you to because there is no tax and audit separation. So find a great partner and get a holistic solution.

Who checks and balances MCCP?

The regulators. We are ISO 9001, ISO 27001. We are SOC 2. On a continuous basis we have regulators stepping in and making sure we are doing the right thing.What is the before and after with the MSPs you are partnering with?

The before is they could not truly implement a cybersecurity program with the client. No. 2 they couldn’t even have a great conversation around it. No. 3 they weren’t even in the discussion around compliance. So they weren’t helping the customer. It was clunky. Now they can immediately provide a complete cybersecurity and compliance program with customers with immediate help and immediate results. Immediate that means right now!

How urgent is it that MSPs take action to address these cybersecurity and compliance issues?

What I say to my internal team all the time is we are saving companies. We are saving companies from what they don’t know. So we are having life saving discussions everyday. That is why it’s so exciting to do what we do. Literally I would say almost every time we have a 30 minute conversation with the client we are rewiring their brain. They literally come out of that conversation telling us “Nobody is speaking to us the way you are. Nobody has ever spoken to us the way that you are. They have never heard this before ever.’

We just signed up a top five applied research lab organization with 2,000 employees. The head of that organization told us that before we worked with him he used to be awake at night thinking about all the problems he couldn’t solve around security and compliance. Now he told us he can’t sleep at night because he is so excited about getting started on solving cybersecurity and compliance. They do research. They tried to find a comparable to us and he couldn’t. So they are sole sourcing it. He had to write a letter to his board to tell them the research he had done and the reason he was sole sourcing it.

How unique is the approach you have taken to this cybersecurity and compliance problem?

We have taken a different approach than almost everyone in the field. You have to understand all these other companies providing cybersecurity or compliance products and services all started from the tech up. They didn’t start with what the board or the enterprise or the C suite needed. They started with tech and built their way up with a widget. We did the opposite.

What kinds of issues have you seen in the MSP community?

We have had partners who have had clients breached and who are done with it. They were kind of in security. If you put it on the whiteboard and list kind of in security it equals increased exposure. That is what kind of gives you. Kind of gives you a false sense of security, but what you have done is actually increase your exposure because you are actually not doing what you should be doing.

Part of our business is digital forensics and incident response when someone has a breach. Every single time someone gets hit with ransomware they were kind of doing stuff around security. Think about that. Their MSP or VAR had sold them some stuff. They were doing some stuff. They thought they were good. They got breached.

They were doing stuff but they just weren’t doing the right stuff, orchestrated the right way or talking to the right people. They are all doing something, but most of them aren’t doing the right stuff. That’s why regulators step in telling them to get secure. Now they are going to force a higher level of maturity which is basically what we are doing- the highest level of security and compliance.

What kind of regulations are you seeing like CMMC?

With CMMC the federal government is stepping in telling defense contractors that they have to meet this level of standard or they are going to be defined or can not do business with the federal government defense industry. It was a big brouhaha. They were right. So they created a standard. What happened in that industry is going to happen in every other industry.

The companies were either not doing it or they were listening to their MSP or VAR that was selling them stuff. That didn’t work. They got breached, bad things happened and that is where regulators step in.

MSPs are heart surgeons – not brain surgeons. That is not their core business. They don’t know what to do. It is not their core business and it won’t be ever.

This is too critical to deal with companies where this is not their core business unless they get a great partner like us.

Can MSPs trust you given there is a concern about the customer accounts?

We have a lot of conversations up front telling them it is on your paper. It is your client. It always will be. It is in our MSA (Master Service Agreement).

Once they find out what we do they realize we are doing what they don’t do.

We get friendly pretty quick. That is why the small MSP model does not work for us. Their client base is not a fit for us.

The midmarket focused partners are business people. They get it. They team up.

Most client end users are asking for a faster horse all the time. We are trying to get them into a car which is a programmatic, holistic, consolidated checks and balance approach to cybersecurity and compliance.

The VARs and MSPs effectively are continuing a faster horse conversation with the end user because that is what they do. That is what they have always done- just buy more widgets. That kind of works in IT but not when it comes to security and compliance.

The MSPs are getting hit by the same bad actors. Rackspace just got hit. If they were using the services of Abacode would that have happened?

It wouldn’t have happened. Rackspace and all these technology companies think they are smart technical people but they are not cyber people so they are not doing the right stuff. They are not. They weren’t secure like they should be. You’d be amazed that even the multibillion companies we go into have massive gaps that they just don’t know about. They are doing some stuff. But they are just not doing the right stuff orchestrated the right way. It is like the doctor who is their own worst patient. It is the same thing with IT companies.

My message is we can secure you. You need it! You can’t secure yourself. There is no tax and audit in that. There is no governance in that. Stop it. A lot of them think they are securing themselves.

Is there an opportunity for MSPs to have you test their cybersecurity stack?

I think a big part of our message to all of them is listen Abacode has a holistic cybersecurity and compliance program with which we can use to secure all MSPs and VARs and provide them partnering opportunities to their end users.

We have got to kind of rewire their brains a little bit about how to think about cybersecurity and compliance. We are friendly. We use a lot of products they have known. We do it more and do it differently in a much more programmatic way.

We can secure MSPs and then help provide MCCP solutions for their end users.

How much at risk are the MSPs and solution providers?

The message is don’t go it alone. Don’t do it yourself. You need a third party who can deliver a programmatic, holistic solution. Let us be that partner for you at a fraction of the cost of trying to piece meal this together or going to someone that is bigger.

How much are MSPs and customers at risk with regard to a potential breach?

The broad numbers are millions of dollars or risk. It is a loss of revenue. A lot of times when we will get a client or partner they were not able to get new revenue because they weren’t secure or compliant enough for the regulation they or one of their clients had to meet. Because they weren’t secure or compliant enough they could not take on that new contract or win new business. Many times it is millions of dollars in business especially in the defense industry.

What is at stake with this issue of cybersecurity and compliance for MSPs and VARs?

What is at stake is you are going to be left out of the conversation and someone else is going to take that business from you. Once they get a foothold in your client you are on a fast track to no longer having that client.

If you can’t have an immediate conversation at the right level around cybersecurity and compliance someone else is in that door and is going to take the entire business from you over time. That is what is at risk.

You are having an IT discussion with the end user but that end user is also having a security and compliance discussion and either you are in it or can discuss it or they probably will not be your client over the next 24 months.

You have some impressive backing. How much have you raised?

We just took on another $8 million which is a follow on investment from Ballast Point and Signature Bank in North Carolina. The total investment is now $13 million.

What are you going to do with the new $8 million investment?

One third of this investment is going into building out the partner program. So we are effectively moving from the Southeast. Now we are taking millions of dollars to move the partner program up the Northeast and to the Midwest and starting moving out West.

We’re all in with partners. We believe it will drive at least two thirds if not 75 percent of our business (up from about 50 percent).

Those partners have a trusted technical relationship. The problem is the complexity in security and compliance is deep water that they can no longer address. We can solve it. But they have got the seat at the table. They have a trusted relationship with the customer. They just can’t have the conversation and do what they need to do. We can solve that for them.

Eight years after cofounding this company how are you feeling about the future of the combined cybersecurity and compliance market opportunity?

We’re pumped. We’re sitting at the top of the food chain from a methodology perspective and the world is coming to us.

There is tons of rooms for growth. The biggest key for partners is they can accelerate value and results to their end users at five to ten times the speed they are doing it now. And they are going to do it more rapidly which makes their income potential exponential.