How one MSSP’s success story is supported by Check Point – CyberTalk

Jason Whitehurst is the Chairman and CEO of FutureSafe Incorporated. For over eight years, he has been a cyber security services and stack provider in the Managed Service Provider (MSP) space. Jason contributes regularly to large MSP communities as an Evangelist, advocating for the use of Managed Security Services Provider (MSSP) partnerships when selling cyber security to end clients.

FutureSafe specializes in providing MSPs with a comprehensive suite of platforms and services, including SECOPS management. This allows MSPs to offer robust cyber security solutions at competitive margins while minimizing their overall liability. FutureSafe empowers MSPs to present themselves as cyber security experts and providers within their social networks, website and marketing campaigns. Jason maintains a strong advocacy for the Check Point suite of products and capabilities.

In this interview, the CEO of FutureSafe, Jason Whitehurst, discusses how his MSSP business operates, growing cyber security trends, why his partnership with Check Point has been valuable, and why he continues to leverage Check Point’s security technologies. By providing you with new perspectives, this interview will expand your horizons. Don’t miss it!

What inspired you to pursue a career in cyber security? How did your journey lead you to your current role at FutureSafe?

I would say that about eight years ago, I was deep into my career, working with, owning and running a decently sized managed service provider (MSP) for mid-tier and some enterprise businesses, where we worked in a co-managed IT world. We provided expertise that that particular business – usually banks – didn’t have the IT expertise to pursue in-house.

We would often manage them on an ongoing basis. What I noticed, however, was that as IT became more commoditized, the cyber security side started to become significantly more important…The expertise around what was needed to function as a proper CISO or cyber security architect for a client was quite divergent from what someone at the same level, in IT, would do.

So, I closed off the infrastructure side of my business and kept the security side. We were providing security products and consulting to our existing co-managed IT clients. That’s something that we were selling organically. We were just starting to shape up as an industry.

Since then, that’s all that we’ve done – we’ve provided that expertise.

What kinds of businesses do you generally serve?

Yeah, so we’re a little bit unique. We’re an MSSP for MSPs and more direct-to-enterprise businesses. Our MSP (managed service provider) clients are providing a service to their end-client and they’ve recognized that they don’t have any capacity to do cyber security – they just don’t have the expertise, they don’t have anyone who could be sworn in as an expert witness, there’s this whole list of things that they don’t have and that we provide.

We work behind the scenes. The end client doesn’t know that we exist, really. So, we augment the MSP and give them a full team’s worth of cyber security expertise. And the products that we provide and recommend have been fully vetted by us.

So, we have doubled in size, just about every year over the last 3-4 years and certainly, this year, we’ll be up there with our sales targets, reaching historical growth. And a lot of that has to do with what we’re doing with Check Point.

What drives FutureSafe’s ambitions? Organizational mission?

The core of our business is removing the liabilities that MSPs face, and even those that mid-market and enterprise clients face. We provide the proper cyber security despite the fact that they don’t have someone with that expertise in-house.

Companies have been winging it for a long time and tasking cyber security to their existing IT team, which runs into two problems. 1) They can’t make a recommendation because they don’t understand the implications of their recommendation. And 2) IT people feel uneasy because security is often auditing the work that’s been done by IT.

In other words, if an auditor works for IT, then he’s auditing his own boss. And that creates a conflict that we have to make sure isn’t there.

Would you like to provide a brief overview of the challenges that your clients are struggling with?

I think it boils down to standardization, simplification and optimization. Any work that we can do in those three areas will significantly increase the amount of available time, to the MSP, to do whatever it is that’s necessary – they’ll have more time available on their side.

All of our decisions are based around whether or not we can achieve those three objectives. In general, we’ve been able to do those three things very extensively, where our entire security stack is available with one agent that’s put on endpoint, and it doesn’t even require a rebuild. And Check Point is a big part of that stack.

We had to have a platform/stack with ease of onboarding, simplified views and consolidated risk data. Check Point has a level of maturity for that area of need, and there are very very few competitors who can perform at that level.

What kinds of questions do your clients typically have for you concerning stronger cyber security management? What do they want to know about improving their cyber security and cyber resilience?

The big question that they want to know the answer to is ‘what’s the best use of our cyber security budget spend?’ They want to know where to spend it, and where cyber attackers are attempting to infiltrate most frequently.

Oftentimes, we can tell them not only about what that threat landscape looks like, but we can also tell them about the products and services that we can deploy to mitigate corresponding threats.

We try to keep that (products and services) flexible as the threat landscape changes. That seems to work well. It’s better than guessing what will happen over the next 12 months and trying to build accordingly.

When you see client emergencies, what typically triggers those? Example of a client emergency?

It’s predominately business email compromise attack these days. Phishing is part of that, but the vast majority of compromises that we see right now involve threat actors trying to get in through SaaS apps, cloud apps, API connections…It’s a lot easier to exfiltrate that way and extort the exfiltrated database for ransom.

I don’t have a problem handling it when these situations do come to pass, but we just don’t see traditional ransomware as much anymore.

What is FutureSafe’s process for working with clients? How do you ensure that you’re providing comprehensive cyber security coverage?

The first step for us is reviewing whether or not our business — our model, the way that we work, my internal SOC team working in conjunction with the MSP, so that the client doesn’t know that we exist — is a fit. We also look at whether our cultures are a fit, meaning we’re about to start taking over a fair amount of the day-to-day incident response and care-and-feeding and all of that.

Because an MSP has been handling that for quite some time, we have to come to some agreement as to how to proceed…If they truly want to work with us, then we have to qualify if that’s a good fit.

As a vendor, what is your decision-making process when it comes to cyber security tools?

The first thing that we do is determine what level of compliance maturity a given product may have. If they don’t have a baseline of product maturity, it’s not worth looking at that particular platform.

We generally invest in economies of scale with enterprise players. We do have others. But that is the modality that we tend to choose. And that has to do with risk mitigation.

It’s not difficult to explain why I chose the de-facto leader in overall Azure, Microsoft 365 email security – which is Check Point Harmony. There’s just no comparison. So, I don’t really have to qualify that decision. Everybody gets it.

If I’m choosing some other product that is brand new to the market, that hasn’t been vetted or tested really, that says that it can do all of these magical things, we really have to determine whether or not it’s a good fit.

Again, for us, from a culture perspective, if it is, then the next step for us is to determine what piece of that stack we may use. Check Point is one of those vendors that seems like it has a never-ending number of products to solve problems. Trying to pick out what makes the most sense can be a real challenge.

What are your thoughts around leveraging AI within cyber security solutions? How does your team currently work with AI-based products, if at all?

I think that when it comes to AI, leveraging AI in the threat identification workflow is a little premature. I think that the ability to provide the AI platform with enough data, and then to integrate it within an adaptable platform, and to use it to provide actionable intel right now — I’m a little worried about people just accepting the output that comes from an AI platform for a risk decisioning framework.

At some point, the security business will change fundamentally due to the improvements related to AI, but I don’t see it right now. It does need to be in every platform to analyze information and to determine what it means, but I think that letting it function as the sole decision maker for a threat is too risky at the moment.

Is there anything else that you would like to share with the Cyber Talk audience?

Yeah, I think that right now, when folks look at where to spend money and what that budget cycle looks like, as an organization with hundreds of MSP clients and of course, downstream clients, it can be tough to see through the fog.

Look, we’ve tested a multitude of products in-depth, after spending months and months, sometimes 3-4 months, trying to verify that a product does what it says it does…

Based on that time that I’ve already put in, leverage Check Point Harmony with Avanan front-end if you need multi-tenancy, and then using the appropriate version so that you can protect Teams, OneDrive, SharePoint, DropBox, Box.net, ShareFile, as well as a unified quarantine. There just isn’t anything else that comes close.

There’s such a gap between Check Point Harmony and the next vendor that it very much was an easy decision for us.