ConnectWise CEO On Product Launches At IT Nation Explore, Bolstering Security For MSPs

‘Everything that we’re looking to do is to drive operational efficiencies, increase productivity, make our partners more profitable. Just make them better at everything they do, i.e., more mature, more profitable businesses,’ ConnectWise CEO Jason Magee tells CRN.

Moving Ahead On MSP Security

Security has become the top-of-mind issue in the MSP community due to the recent spate of ransomware attacks targeting customers whose MSPs work with Kaseya’s RMM (remote monitoring and management) platform. The attacks were a reminder to MSPs—and to the companies that provide technology to them to run their business—of not only how important MSPs are but how critical that security be a part of every conversation.

ConnectWise is no exception. ConnectWise CEO Jason Magee, in a wide-ranging conversation with CRN, told CRN that security is one of the primary drivers of its past and potentially future acquisitions and is central to its core business model.

“Everything that we’re looking to do is to drive operational efficiencies, increase productivity, make our partners more profitable,” he said. “Just make them better at everything they do, i.e., more mature, more profitable businesses.”

Magee also talked about the ConnectWise IT Nation Explore conference and what MSPs could expect from the event, which is taking place this week in a hybrid virtual and face-to-face format. Here is what he had to say.

Tell us about the IT Nation Explore conference. What does the conference cover?

The conference is our user conference. We have multiple conferences. IT Nation Secure, which was a couple of weeks ago. IT Nation Connect is thought leadership, best practices, industry stuff. IT Nation Explore is where the rubber meets the road, as it relates to the users, the techs, and everything in between leveraging our platform. So lots of good content and training and education, whether it’s related to the PSA [professional services automation], the RMM, CPQ [configure, price, quote] and so on.

This year we’re doing it a bit differently. Previously, it used to be a live event. Last year, when it went all-virtual, we crammed it in like an in-person event and did a two- or three-day trade show. ... We opted to take a different path this year. It’s now two and a half or three weeks long, covering different topics. It’s going to be a few hours a day or just a few hours per audience based on their role and what they’re looking for. I think the first week, we’re focused on sales and marketing, second week is finance and operations, and then the service delivery aspect is I think the third week.

Is ConnectWise introducing any news during IT Nation Explore?

[The news is] really product-centric. We’re starting to see some early signs of bringing things together from some of the acquisitions. A good example of that is BrightGauge. We’re announcing BrightGauge Essentials, which will be out-of-the-box dashboards that give partners immediate insight into the health of their business. It is going to be part of [ConnectWise] Manage to start and will be available for other aspects of the platform as well.
A new feature not by way of any of our acquisitions is Reconcile. Reconcile around billings, just to give you a context, really gives MSPs the ability to efficiently reconcile their vendor bills and distributor bills and save time by reducing errors. If you talk to any MSPs, they’ll always have lots of errors in how they’re tracking or invoicing their customers. This really helps build trust and relationships between MSPs and their customers based off just that simple aspect of the bill or invoice. That’s going to be part of ConnectWise Manage at no cost as well. And then I think that’s also scheduled for August release. And then really we’re just going to hit home on some of the InfoSec and how it’s a priority. We’re really looking to educate our partners on everything InfoSec that we have going on so they can be assured that we’re making the appropriate steps and progress and improvements on our behalf.

Tell us about your M&A strategy. What are some things that you look for when you acquire a company?
Obviously I’m not going to disclose what we’re walking toward because I can’t tip my hat to the competitors on that, but any smart people can see where we have gaps that may make sense for us to fill in our platform. That’s where it starts: Where do we have gaps that shouldn’t be in our platform, and where is acquiring better than partnering with someone? Because we take the partnering route as well to fill gaps. But there are certain things within our core and within our wheelhouse that we’re passionate about and where we had those gaps, and we’ll say, ‘Is that a build, buy or partner aspect?’ and then put it through that process. And we’ve got a framework to determine which is the right approach for us and for the partners. Everything that we’re looking to do is to drive operational efficiencies, increase productivity, make our partners more profitable. Just make them better at everything they do, i.e., more mature, more profitable businesses.

I’m guessing security might be one of those areas where acquisitions might be possible this year?
We’ve made a few cyber acquisitions in the last two years. Part of the rationale behind acquiring Continuum was the cybersecurity offering they brought to market through one of their acquisitions. [Continuum acquired Carvr in 2018.] If you look at our ITBoost acquisition, an acquisition we did before Continuum, the documentation and standard operating procedures play in the cyber and InfoSec areas. Then there’s StratoZen and Perch Security.

Do we have gaps? Yes, there are likely gaps that we‘d be looking to fill. Timing, I would say, to be determined. Obviously, I want the teams focused on pulling together what we have amassed so we deliver to partners what they need and we do right by the partners.

So it’s a good guess.

How has the recent ransomware attack via Kaseya and its MSPs caused ConnectWise to perhaps step back and look at what you need to do to improve security?

Every company feels like they’ve got a good handle, a good grasp on it, even if you look at all those impacted over the last 12 months, not just the recent attack. So companies are always evaluating, looking, ‘Are we doing the right things? Do we have the right cadence? Do we have the right monitors in place to let us know? Do we have the right SDLC [software development life cycle] process in place?’ ... Obviously, this event gets you to hyperfocus on it for a point in time. But we’re always re-evaluating. We’re making sure that we‘re doing the right things and are continuing to do more things. And not only that, but communicate better with our partner base about everything we are doing so they can be assured that we are taking it seriously and are focused on it.

So yes, like everyone, when there are things like this, whether it was SolarWinds last year or this one, I think every company at that point does lots of huddling and meetings and says, ‘Hey, run us through this situation. Could this happen to us? If it did, how would we respond? How do we stop it if we think it could have happened?’ Long story short, it’s not just ConnectWise, but most companies are probably going through more meetings, more discussions on InfoSec, AppSec, everything cyber.

Has ConnectWise used the attack on Kaseya to go back and examine its own RMM for any new vulnerabilities that you hadn’t noticed before and patch them?
We continually look, and when these things come up, we look again to see if we missed anything. We bring in several firms every year to test application security, all of that stuff. And whether it’s through that, whether it’s through our bug bounty program, whether it’s through internal pen [penetration] testing, we’re continuously looking for these things. Obviously, this heightens it a bit more, and we say, ‘Hey, can we throw more resources at it?’ But we do track that stuff and we tag it at a certain level of criticality and put it through a process to get resolved in a timely manner. We’ve also [reprioritized] some things around RMM and best practices for partners.

What percentage of your customers use RMM in the cloud versus on-premises RMM? It’s about 66 percent cloud and 34 percent on-prem. Everything from the legacy Continuum side is in the cloud.

Do you see cloud-based and on-premises-based RMM security to be equal? Or are there more vulnerabilities in one side or the other?

The code is the code. The challenge with on-prem versus in the cloud is the partner has to do the upgrade on-prem. We can’t force the upgrade. So if the partner doesn’t do the patch or the upgrade that we roll out, that leaves some servers vulnerable like any software company out there. That’s not unique to ConnectWise. So that would be the bigger piece. And then what MSPs do with their servers and whatnot, that’s out of our control. So from the code base itself it’s equal, as long as they‘re on the same version.

Does ConnectWise have any mandatory two-factor authorization or multifactor authorization
So for the RMM and ConnectWise Control [remote support software], I believe that to be the case. Some of the other stuff, it’s optional. One of the things that we’re pushing forward by the end of the year is to make it mandatory in everything.

You mentioned a bug bounty. Can you share some successes that you’ve had with your bug bounty program?
We get pretty good participation. It’s one of the areas we’ve leveraged in order to uncover where we may have issues. You’ve got to look at it as multifaceted. We hire external companies to do their pen testing and their processes and try to figure out where we have gaps. You’ve got the bug bounty, we do our internal testing, and then anyone could submit through the trust site as well if they come across or they believe that there’s something out there.

So can you tell me about an individual bug bounty success story?

A critical vulnerability that could allow the ability to remotely execute code or directly access confidential data was submitted via the bug bounty program on June 11. It was validated, remediated and a patch released in seven days and the security bulletin was published on June 18.

Do companies like ConnectWise, Kaseya, Datto, N-able and so on ever get together as a group to talk about security and look at ways to beef up security as a whole for the MSP community?
We all get together. I’m not aware of all of the companies coming together at a CEO level. I know [Datto CEO] Tim Weller and I were going back and forth a couple of weeks ago to see if we can touch base and see if there’s more we could be doing from a community stuff with IT Nation. There’s the CompTIA ISAO [Information Sharing and Analysis Organization]. That’s a good avenue to centralize a lot of the discussions. It’s independent from any of us. There are other pockets of what I would say where some of the best practices of security for RMM and MSPs come out of. You’ve got different levels within organizations that work together. Datto and ConnectWise have a handful of colleagues that are on webcasts all the time, really trying to drive change and the way MSPs and TSPs [technology solution providers] think about security within their business and how to communicate it to their customer in a small or medium enterprise business, and so on. Nothing formal that I’m aware of outside of those types of things.

N-able had its IPO [this week], making it an independent company outside SolarWinds. As an independent and publicly listed company, is N-able now more of a competitor to ConnectWise?
Look, they‘ve always been a competitor, even before it was acquired by SolarWinds. So I don‘t think we looked at them any differently whether they were in SolarWinds or not. Obviously, they‘ll have a team that’s hyperfocused solely on this space now, so that probably will benefit them a little bit. And they’re not fighting over resources with a bigger company. But outside of that, I’m not saying that they are any different because we’ve treated them pretty equally from that standpoint over the last 10 years.