It's Time for IT Consultants to Take a Step Up
This is Part 4 in a series on transforming our industry into a profession.
Part 4: Legislation and Insurance
For context, please see the previous posts. The first six pillars for an IT profession are: Profit; Maintenance-Focused Support; Education and Certification; Core Values and Ethics; Defending client systems; and Response to our greatest challenges.
Basically, we've been building a collection of actions that can help us all take a big step up from being an industry to a profession. The biggest problem we have is not ransomware per se: Our biggest problem is liability. We are stuck between evil programmers and insurance companies.
There are four major players in the SMB IT equation:
- You
- Your Client
- The Government
- Insurance Companies
By "you" I mean the SMB (small and medium business) IT consultant. You might call yourself an IT pro, a reseller, a VAR (value added reseller), a managed service provider, or some other name. By "you" I do NOT mean large, enterprise-level consulting or IT-outsourcing companies.
Why the distinction? Well, there are three primary reasons. First, those very large outsourced IT companies are in a very different business. They are generally large and well-funded, with layers of management. And, to be blunt, they can take care of themselves.
Second, those large outsourced IT organizations do not have the same service model. As a rule, they sell IT-as-a-service to very large organizations, including companies with offices all over the country or all over the world. My first consulting gig involved working for one of these mega-corporations. Every year, the company buying tech support would put out bids worth many millions of dollars. And every year, IT outsourcing companies would bid to provide the most support for the lowest amount of money.
As a bit of a side note: Such companies tend to provide horrible support overall. They are the stuff of Dilbert cartoons and TV sitcoms about IT consultants. Their service model is almost the opposite of SMB IT in every way.
Third, those large outsourced IT organizations place very little (or no) value on the client relationship. Someone in the sales department cares about getting the client to renew a contract. Someone in management wants to meet performance targets so they get their bonuses. But pretty much everything else in the organization is designed to beat the metrics and close tickets without regard to making the actual end-user clients happy.
Yes, that's all my opinion. And one might say it's inaccurate. But I'd be happy to have that argument on stage in front of ten thousand users supported by those companies.
My point here is that SMB IT is different and distinct. We are not in the same profession as those folks. Even mediocre IT consultants at the small end of the market are almost obsessed with customer service. To be honest, we don't talk about this as much as we should - just for bragging rights - because we are all hyper-focused on keeping clients happy. In fact, if you go back to Pillar number one, profit is often sacrificed in favor of customer service.
So, there's you. And then there's your client. Again, by definition, we are in the SMB market. As a rule, we don't support 30,000 desktops across fifty different offices. We tend to support between one and one thousand users in one to five offices. There are outliers, but the 1-500 seat clients probably make up ninety percent of all our clients. I'm sure Jay McBain or someone at Forrester knows the number. But you understand who your clients are.
Next there's the government. And, for most of us, that's a state- or provincial-level government. There are few federal or national level laws governing what we do. So far, most of the national level regulations have been around privacy data and financial data. But more laws and regulations are coming.
Most regulation and legislation is a step closer to home. State and provincial governments are actively looking around to see what they can do. Eventually, these things will work their way up to the national level, but for now we are seeing lots of proposed legislation at the state level. This is common with many areas of law, so we're gradually seeing a very normal evolution of regulation.
Basically, it's our turn.
Legislators read about companies and state agencies being attacked and brought down by ransomware and other cyber attacks. Of course, most legislators come from professions other than technology, so they have only a passing knowledge of what's actually going on. But it's their job to defend their constituents, their districts, and the taxpayers' interests. So legislation is inevitable.
Finally, there are insurance companies. Believe it or not, insurance companies are caught in the middle, more or less as we are. They wrote policies for problems they could foresee and measure (e.g., business interruption due to hard drive failure, or backup failure). They were not prepared for the massive growth in ransomware payouts in the last few years. Numbers are all over the place, but here's one: Bitdefender's Consumer Threat Landscape Report shows a 485% increase in ransomware in 2020.
Insurance companies are scrambling to respond. The requirements for a ransomware payout are becoming stricter. And insurance companies are pushing training for their clients. I have been pleasantly surprised at all the resources my insurance company makes available to me for cyber security training.
With this framework in mind, let's look at the seventh and eighth pillars for turning our industry into a profession.
The Seventh Pillar: Regulation and Protection
Recognition as a profession includes both statutory requirements and limits on liability.
I am a "minimalist" when it comes to regulation. I have a Master's Degree in Political Philosophy, so I could write a book on the appropriate role of governments in civilization. But sometimes you just have to face reality. And right now, for our industry, legislation is coming. The number changes every day, but I believe twenty-one states have proposed legislation that affects our industry.
We have a very simple choice to make on this front: Either jump in and try to influence the regulation as it comes, or do nothing and let that regulation happen to us. Given that choice, I strongly advocate jumping in and participating in the conversation.
Remember: Legislation goes both ways. That's why companies spend the effort to lobby governments. Given the Pillars I have addressed so far, we can identify some "gives" and some "gets" that might be included in government regulation.
[For this discussion, I will talk in terms of a US State legislative body. Similar processes would need to be followed in Canada, the UK, the EU, Australia, etc.]
First, and foremost, the SMB IT industry should be identified as a legitimate profession. That means there are some requirements. It also means there are some protections. The simplest way to be identified by name is to require that a specifically identifiable group be registered with an appropriate state agency. Depending on the state, this might be the Secretary of State, Secretary of Commerce, Consumer Affairs, the Contractor's License Board, or some other entity. Each state is different.
Give: We register with the state. There would probably be a small fee for this.
Get: The state should maintain a database of registered IT Service Providers.
Second, the state may then regulate the industry. Specifically, I foresee that a state would require every company doing business with a registered IT Service Provider to sign a contract, enforceable by the state. This contract would then require that backup services be offered under every contract. And, of course, it would require that cyber security incidents be reported to a specific state agency or regulatory body. Again, this then becomes publicly accessible data.
Give: The state regulates us. This imposes some requirements on what we must offer.
Get: We have contracts with all clients, no matter how small, and there is an enforcement mechanism with the state government.
Third, the state should provide a way for a client to opt out of data recovery services, but also provide that doing so relieves the registered IT Service Provider from liability or responsibility related to a cyber security incident. Note: It should not be easy to opt out of backup and disaster recovery services. But if the client just plain refuses to buy such services, the IT Service Provider is not responsible for the consequences.
Give: We have to offer the services and educate the client enough that they understand what it means to opt out of such services.
Get: If there is a cyber security incident and the client has opted out of the appropriate protections, we cannot be sued by the client or their insurance company. (Note, also, that the insurance company can use this same legislation to deny or limit cyber security coverage to the client.)
We need to get ahead of this issue. We need to participate in our own well-being. There could be lots of details, of course, regarding the size of deals that must be bound by this legislation. But at least we'll all be playing the same game and everyone will know what the rules are.
The Eighth Pillar: Cooperation and Alliance with the Insurance Industry
A mature profession works with other professions to safeguard its members and their clients.
Insurance rates are skyrocketing, primarily because the insurance companies don't have any choice. On the issues of addressing ransomware, cyber security, and insurance payouts, we find ourselves very much aligned with the insurance industry.
After all, insurance companies have seen ransomware payouts go from a few hundred dollars to several million in just a few years. Attacks are serious, sophisticated, and very highly focused. Insurance companies want to provide reasonable protection to us and to our clients. But when you go up against the essentially unlimited resources of the Russian government, it's hard to figure out how to win.
If we partner with the insurance industry, we can propose solutions that limit liability when a client cannot or will not protect themselves. If we had a system like the one described above, it would allow us to be properly insured. Our clients would fall into three categories: 1) Not regulated, 2) Opted into backup and disaster recovery services, and 3) Opted out of backup and disaster recovery services.
Those not regulated would also not be allowed to come after us or the insurance company. One obvious example: A client who only buys a phone system from you, where the total cost is under a specified threshold and they are not required to have a backup and disaster recovery system with you. They might have one with someone else, but not with your company.
Those who are regulated have a relationship now regulated by law. If they opt into backup and disaster recovery services, the insurance company and you both accept liability and insurance rates can be set. If they opt out of backup and disaster recovery services, then both you and the insurance company are protected from lawsuits that might arise from a cyber security incident.
I'm not a lawyer, a legislator, or an insurance agent. There are lots of details to be worked out. But I believe there's a big picture in which the IT Service Provider industry and the insurance industry have a lot of common ground and some powerful reasons to work together.
As with any profession, there may be times when we're on opposite sides of an issue and times when we're on the same side. In this case, I believe there is great value in being on the same side and partnering up to protect more small businesses, create a reasonable balance of liability, and keep insurance rates at a reasonable and sustainable level.
-- -- --
Next time: Building a Path to our Professional Future
Please post comments, questions, etc.!