Panelists Weigh In On AI, Security: ‘They’re Really Perfectly Intertwined’

‘We tend to talk about cybersecurity and AI as two separate things. I don't think it’s an overlapping Venn diagram. I think they are a circle together. You really can't have these conversations separate and distinct,’ says David Powell, vice president of sales strategy Pax8, during a panel at the XChange Best of Breed conference.

The growth in AI is leading to a corresponding need for new ways to secure customers’ businesses.

That’s the word from a panel of MSP technology executives at this week’s XChange Best of Breed conference in Atlanta, hosted by CRN parent The Channel Company.

The panel was moderated by Tom Colleary, president of F3 Technology Partners, a West Hartford, Conn.-based solution provider. He was joined on stage by David Powell, vice president of sales strategy at Greenwood Village, Colo.-based Pax8; Royi Barnea, vice president of channel sales at Herzliya, Israel-based Cynomi; and John Pagliuca, president and CEO of Burlington, Mass.-based N-able.

Even as AI and GenAI have opened new business opportunities for MSPs’ customers, they have also opened new vulnerabilities, according to the panelists.

“The new vulnerability is generative AI,” Pagliuca said. “Basically, all the threat actors are getting much more sophisticated. They’re able to do what they’re trying to do at a much more sophisticated level. Social engineering has been a big part, right? Social engineering is getting more sophisticated, all for the same reason: to gain access to your customers or your technicians, even more importantly, their identity.”

Michael Haley, partner and co-founder of Edge Solutions, an Alpharetta, Ga.-based MSP, told CRN that the panel really put the focus on the importance of education when it comes to AI.

“As Pax8’s Powell said, we have to educate and create awareness in and around AI in your organization,” he said. “We need to understand the opportunities, but also understand the vulnerabilities and the risks, and build policies and standards around that. But more than anything, educate, educate, educate. Powell said AI is being thrown around like a set of Legos, as in, ‘Here are the Legos, now build something.’ And it makes you realize there are certain things that we in our organization need to do from day one to help clients understand the opportunities around AI. Everything has to start internally at our company first.”

The panel had a lot to say about AI and security, as well as the threat caused by inaction on the part of MSPs who may not be moving fast enough to respond to the latest vulnerabilities. Read on to learn more.

From a client and end-user standpoint, it’s easy to get overwhelmed by cybersecurity in general. How does AI start to factor into their thinking processes?

Powell: I feel like the industry’s done a poor job around use cases. I feel like, to some degree, they come out with this big box of Legos in front of everybody and say, ‘Here’s AI. You can build all sorts of cool stuff.’ Great. Like what can I build? ‘Cool stuff.’ Well, like what kind of cool things? ‘Are you not enthusiastic about this?’

Instead, they should be going in and saying, ‘Here’s a hospital, a fire station, a police station. Which one of these lines up with your use case?’ I think that there is a gap now in how some people talk about the professional services piece that needs to go in and how to productize that, shrink-wrap these use cases, and take them to other customers that you may have.

The other thing is, we tend to talk about cybersecurity and AI as two separate things. I don’t think it’s an overlapping Venn diagram. I think they are a circle together. You really can’t have these conversations separate and distinct. They’re really perfectly intertwined. What do I mean? If somebody in HR a long time ago downloaded some employee data that had everyone’s salary information and all kinds of stuff, they may have just dropped it out in the F: drive somewhere. No big deal. Well, that’s now a needle in the haystack. No one’s going to find that rooting through the F: drive. But if you train Microsoft Copilot on all of the information in your system, and that file that doesn’t have any permissions on it, it suddenly gets ingested. Now it can be queried inside Copilot. Most companies haven’t really kind of thought through what they need to do from a data governance standpoint. What do they need to do for AI readiness when they’re just throwing this out there and tinkering with it without really understanding the implications?

Pagliuca: AI is not new, right? The large language models have been around. They’re getting more sophisticated. Generative AI is the layer on top. That’s what’s creating all of this more recent buzz. I agree with David. If you go back to those three dimensions [latest and greatest tools, control team access, focus on security], you want to make sure if your vendor is using AI that they’re making your team more efficient, making them more secure, making themselves more secure. But also really important: What is their policy? How are they using that data? Are they really transparent with you? At N-able, we’re really transparent and post our policy position on AI so our MSP community knows how we’re using that data, what we do with that data, and we actually have them opt in.

As an MSP, educate, educate. Make sure your teams, when they're putting in the black box, know where that black box is. You might want to actually have a separate instance in your own environment so that data is not actually going out into the wild. You can actually control it. We at N-able use AI. Our developers use AI to make sure the code is more efficient and secure. Our sales and marketing teams use it in a restricted way. And our product has AI. Our mail security offering, our DR [disaster recovery] offering, our password management solution, all have AI. Why? Because David’s right. There’s no Venn diagram. You want to see if there’s any anomalous behavior or activity that maybe human eyes can’t pick up. You want to make it more efficient. You want to make it more secure. And education is the big part.

Barnea: I agree with the need for education and can expand on it. You can hear from my accent that I’m from Israel, which is a cybersecurity nation, a very small community. We see a huge trend around AI and security. Let’s be honest. AI is not a new thing. But I don’t think we really know all the vulnerabilities and all the messes that the bad guys will find. Everything in life is good and bad. It’s how you use it. AI can be awesome. It’s how you use it and how you prevent risk. You can prevent risk by using traditional tools, via software development, or connecting with other tools. But it’s highly important that we be educated about it. And if you do any type of processing, you need standardization to look across the board. David’s example is great, but did HR or the lawyer know exactly what system they have? How are they connected to the cloud? How is data invested? How is data transferred? That’s something we need to take into consideration. I think we’re not yet, as an industry, exposed to all vulnerabilities. We need to be.

Powell: I was a big car guy. Subscribed to Car and Driver in the ’90s. When the Nissan 240SX came out, they ran this ad that said, ‘There are “sports cars” and there are sports cars. We make the kind without the quotes.’ Right now, you’re getting a lot of ‘AI’ and a lot of AI. I’m sure you all probably saw Samsung has washing machines with AI. No, it’s not. It’s just simply sensing how much stuff you have in there and figuring out how much water to use. It’s not training a large language model or anything like that.

I do think our customers expect you to educate them. Our customers are bombarded with AI buzzword stuff. I do think there should be some basic education around what AI actually is and where the data is. The buzzword is so overused right now.

You know these vulnerabilities are going to be out there. What are you guys doing to try to pre-empt them? Or are we going to do continue waiting for the next one and figure it out afterward?

Pagliuca: The new vulnerability is generative AI. Basically, all the threat actors are getting much more sophisticated. They’re able to do what they’re trying to do at a much more sophisticated level. Social engineering has been a big part, right? Social engineering is getting more sophisticated, all for the same reason: to gain access to your customers or your technicians, even more importantly, their identity. We’re seeing a lot of that. At N-able, we’re really focusing on giving MSPs the ability to aggregate all this telemetry because you’re not necessarily going to protect everything. We want to make sure if you’re not able to protect, you can detect if there is an incident. Our Cove data protection allows MSPs to recover very quickly, and that’s an important part. Our XDR [extended detection and response] platform actually allows MSPs to ingest data from their endpoint, from the network, and from their cloud applications in a way that aggregates it all, correlates it all, and then gives the MSP the action. And the MSP can choose to actually have eyes on glass and take action themselves, or we can remediate for them, if they want the MDR [managed detection and response] service on top. So it’s providing them the tools, but also that awareness, and if they want to, we can take care of that action for them themselves.

Barnea: We’re in the virtual CISO space. We added, I think seven months ago, very advanced assessment with AI, which is very important. We have already updated that. Those assessments help generate automatic policies, which can help a lot in some standardizations. And those assessments are giving great tips and advice on how you can basically use tools that maybe you have in your stack to check the processes and vulnerabilities of any tools that are related to it. We have AI. We’re very proud of that. And we’re going on the next generation of AI next year.

Powell: I don’t know if your end users, executives or founders know what the risks look like. Take ElevenLabs. I do a lot of public speaking, so there’s a lot of videos of me on YouTube. You can go and train ElevenLabs on my voice. I got a text last year from John Street, who's the founder of Pax8, and it was not from John Street. The English was kind of broken, and said he needed $5,000 worth of Amazon gift cards. And the company sent out an email saying if you get a text from John saying he needs Amazon gift cards, ignore it. And I replied, ‘What do I do with all these gift cards?’ And they were like, ‘Wait a minute, man.’

But if somebody trained John’s voice and I got a cellphone call and it sounds like John, and he’s like, ‘Hey, Dave, I’m in distress, I need something, something, something,’ I'm much more likely to respond to that because it sounds like John. A buddy of mine is a private banker and works with high-net-worth people, and they call all the time saying, ‘I need to move a million dollars from here to here.’ He knows what the voices sound like, and he does it. And they were talking about how they’re going to have to go back almost to the horse and buggy days with a pass phrase that you have to say that can’t be written down anywhere and can't be in an online system.

It’s important to educate your users that a new frontier is coming quickly, that the language in ransomware emails is not going to be broken English anymore. It’s going to be very good. The voice on the other end of the phone may or may not be [someone you know]. I think overall awareness of this has to grow because the weakest link in all the changes John alluded to earlier is dumb humans, right? And there’s no good technological solution for dumb humans. As long as somebody’s willing to give away information via email or via phone, public awareness is going to be super important.

What’s the No. 1 threat out there? What’s keeping you awake at night?

Powell: I would say that the No. 1 threat that we’re seeing with our partners and user customers is just inaction. Let’s be honest with you. When you really look at it, a lot of your small and medium businesses in particular feel that their business or home is in the nice part of town because no one really talks about cybersecurity threats and impacts on them. I think small and medium businesses tend to look at The Wall Street Journal or watch the news and see issues at big companies like United Healthcare and think, ‘Well, that’s not us.’ It’s because no one really talks about it. And so there’s somewhat of a stigma around cybersecurity incidents in the small- and medium- business space. I think our job, to a large degree, is to educate small and medium businesses about what is actually going on around cybersecurity and help them come to terms with the fact that their home, if you will, is not in a gated golf community. It’s actually in the worst part of town. And if your house is in the worst part of town, you would take different measures to protect your house and assets versus how you would do it if it was in a great part of town. Inaction on the part of the small and medium business esis something we see a lot. They just don’t understand their risks, and they are little concerned about what they can do to respond to it.

Barnea: I think it’s always the end user at the end of the day. It’s a never-ending story. But we’re hearing a lot about third parties as well. There’s a lot of concerns about third parties connecting to the end client, and that can be a back door to the organization. So there’s a lot of vulnerability there. And of course, human aspects will come in play to that as well.

Pagliuca: It’s tough for you folks. There are three dimensions that you always have to deal with. One, it’s the vendors you’re using, making sure they’re using the latest and greatest and then making sure their protocols and what they’re doing is secure. Two, it’s your teams and folks getting access. We all know, as David pointed out, you’re in a tough neighborhood. They’re going after your team’s credentials because they know those are the golden keys to gain access to all your clients, right? Folks are focusing more on technicians and using a more modern approach to gain access to your technicians so they can gain access to your systems. Third, your customers, and making sure that you’re actually looking at their security when you do your planning for next year. Security is both an opportunity and a threat to you all, and you should make sure you’re looking to differentiate yourself as an opportunity. And to David’s point, the inaction, a lot of it’s due to a labor shortage and lack of expertise, and so a lot of MSPs don’t really know where to get started looking at this. And so what we’re finding is some of the inaction that David’s seeing is due to that lack of knowing where to start, but also just the lack of competent staffing to make sure that you and your team will be secured and can help customers be secure.

Let’s expand on that a bit. Is that inaction because of processes? Pride? Is it ignorance? Laziness? Or is it just unawareness?

Powell: I think a lot of it is lack of awareness, and I think that a lot of our community is more comfortable talking about speeds and feeds than technology in the MSP space in particular. If I talk with the CEO of a law firm, he might say, ‘Yeah, Dave, I want to work with your MSP. That sounds great. But you really need to see Tom. He’s my techie nerd guy.’ So now all discussions need to be repeated. But at some point, if I come to you and say, ‘Hey, you need to deploy MFA,’ and Tom says, ‘No, I don’t really want to do that because we got too much other stuff going on,’ well, now he just made a risk decision for the company that’s not his job to make. That’s the CEO’s decision to make. And so I think a lot of solution providers allow themselves to get pinned into that technical corner to where technical conversations are being had but with people are not equipped, paid for, empowered, to make risk decisions on behalf of the company.

Pagliuca: I’ve been in the space for 12 years. We’re seeing the divergence of what it means to be an MSP today has increased. We still see what John probably referred to as the ‘trunk slammers.’ Some of that might be ignorance or lack of action. But for this room, ignorance is not the problem. You all know it. You all see it as an opportunity. But it’s difficult because of all the different telemetry that you’re seeing, whether it’s from your endpoints, from your network, from your SaaS applications. And for a lot of shops and folks who are even in this room, I think it’s hard to aggregate all of that telemetry and take action on it in an automated way that’s still efficient. And so I think the problem varies depending on where you are in the spectrum.

Going forward, there’s going to be haves and have-nots in this industry, and the folks that are actually embracing the right policies, the right standards, the right technologies, will continue to grow. Frankly, unfortunately, there’ll be a lot of folks left behind because they’re not investing.

Barnea: What we’re seeing as vendors sometimes is that we lack the ability to give the service providers, the solution providers, the tools and the simple wording to educate their end clients sometimes. True. And we need to simplify it. We’re not working a lot on messages. For us in the vCISO space, CMMC [cybersecurity maturity model certification] is important. If you start reading articles, simplify it so you can help the solution providers educate their clients on it. Educating them will make their lives easier when it comes to delivering those services. This is something vendors can help a lot. Everyone is looking to be exposed to what’s going on with technology. We’ll talk about AI, about compliance, about many topics.