There have been multiple attacks recently through the MSP channel, including via source code attacks via SolarWinds and Kaseya. What is Datto doing to secure its source code? Are you doing third-party validation?
Our CISO (chief information security officer) Ryan Weeks [announced] that we completed and passed our BSIMM (Building Security In Maturity Model). It’s a security maturity model that Google and Bank of America use. Very enterprise. Very high-end. And our RMM (remote monitoring and management) platform passed.
Ryan’s been here over five years. He’s got, I think, 30 people directly reporting to him. He’s got another 30 within engineering that are dotted-line reports to him. And I think the main thing he was trying to get across is, this is not something you can [start and finish] this weekend. This is not calling in some pen (penetration) testers to do this, that, or the other. We have a large in-house testing team, and we use multiple firms on the outside. This is what I would call a way of life.
For internal controls, the military is actually a good way to think about it. You’re running a battleship, you test, you drill, you train the manuals, and then lather, rinse, and repeat, you do it again. There’s north of a hundred-plus people I’m sure at Datto now that feel like this is their day job. And so at the end of the day, in software, that ends up being how you defend your supply chain. You attack your code, you deploy it, you roll it back. I didn’t mean any hubris or to be bombastic, but I said there’s a lot of rumor out in the world. Just for the factual record, publicly, Datto RMM has never been breached. I’m not pointing any fingers at anybody else. ... The only answer is to invest more, which is a bit of advantage for larger companies. That I will admit. If you’re a small company, it’s somewhat hard to do these sophisticated security maturity models. And that’s going to be something we have to share. Vendors have to get together. MSPs have to get together.