
Phil Howard & Josh Tanner
404- I.T. Doesn't Just Fix Computers w/Josh Tanner
Josh Tanner
ON THIS EPISODE
Josh Tanner is the one-person IT department at evolvedMD, a Goldman Sachs-backed behavioral health company that integrates mental health into primary care offices across five states. 350 users. PHI in every system. No team. No safety net.
He discovered that most compliance frameworks like SOC2 are outdated theatrics managed by the Big Four. "We are pretending that we are compliant because we are checking the boxes. But what is the purpose of compliance? The point is to reduce risk."
We get into MSP vendor lock-in traps, why your CEO's AI strategy is really just automation, and how to separate tools from services. Plus Josh's framework for talking to executives about cybersecurity without mentioning a single technical term.
The biggest takeaway? When there's a breach, they're not coming after the IT person. They're coming after the company. That makes cybersecurity a board-level issue, not a department problem.
Episode Show Notes
Navigate through key moments in this episode with timestamped highlights, from initial introductions to deep dives into real-world use cases and implementation strategies.
[[00:00:00]] Introduction — Josh's role at evolvedMD
[[00:01:15]] Building computers at Fry's Electronics with his brother
[[00:02:30]] Various IT roles at U-Haul corporate
[[00:03:45]] Software development and AI impact debate
[[00:06:20]] 80% of developers gone in 18 months prediction
[[00:08:15]] Non-developers building apps with AI
[[00:10:30]] Cybersecurity as business enabler vs cost center
[[00:12:45]] C-suite still sees IT as cost center
[[00:14:20]] Bridging the gap — talk revenue, not tools
[[00:17:10]] Healthcare data breaches and HIPAA enforcement
[[00:20:30]] PHI worth $11M average breach cost
[[00:22:45]] 67% of healthcare orgs hit by ransomware
[[00:25:15]] Cloud migration and CapEx to OpEx challenges
[[00:28:30]] MSSP benefits for solo IT departments
[[00:31:20]] Separate MSP and MSSP contracts strategy
[[00:34:10]] MSP pricing variations and vendor lock-in
[[00:38:45]] AI in security — Microsoft Security Copilot
[[00:41:30]] CEO AI strategy requests are really automation
[[00:44:20]] Data cleanup — start small with high-risk areas
[[00:47:15]] Healthcare IT challenges and executive wishes
[[00:52:30]] SOC2 compliance theatrics vs actual security
[[00:56:45]] evolvedMD business model — behavioral health integration
[[01:02:20]] Series B funding and growth strategy
[[01:05:40]] Shadow IT and tool sprawl governance
[[01:08:15]] Final word — IT doesn't just fix computers
TRANSCRIPT
Phil Howard: Welcome everyone back to You've Been Heard. We've got Josh Tanner on here today. We're supposed to talk about cybersecurity. I actually had a bunch of things come up lately that I would love to ask your opinion on, but before we do that, how did you get into this wild world that changes so slowly called technology? What was your first computer? What were you playing around with? Like, how did this happen?
Josh Tanner: Yeah, first computer built with my brother back in the Fry's Electronics days. Black Friday, Thursday night, we stay up all night into the morning waiting outside a line of Fry's Electronics. It's two in the morning, three in the morning, trying to get there as early as possible just to get the next graphics card or motherboard or whatever it was that came out that year. And one year we had put all of our monies together to really buckle down and make a pretty proficient machine. And that was the year I think the very first Call of Duty ever came out. Or maybe it was Medal of Honor. Maybe that's what it was, I can't remember.
Phil Howard: That was great. All right. Man. So then what happened? How'd you get to where you are today? I like on your kind of LinkedIn resume. You're like various IT roles. Was that actually the company? That would be funny if that was the company. No, no. Various IT roles would be great.
Josh Tanner: I did a few different things for U-Haul corporate here in Arizona. One of them, I was kind of doing more sort of a technical role, not necessarily solely like a help desk type role, but more on the advertising technology side for a bit there. And then I had a good friend of mine who was a developer there and really, really liked what he was doing and liked the work he was doing. And so I googled my way into software development and worked as a software developer over there as well for a time.
Phil Howard: What do you feel about software development right now? I've daily arguments going back and forth with friends that are dev guys. Some are on the AI will significantly put them out of a job, and some are like, nah man, it's screwing up so bad. You should see all the mistakes it makes on a daily basis.
Josh Tanner: Oh yeah. No, that's a really good question.
Phil Howard: I'm on the eighty percent will be gone in eighteen months.
Josh Tanner: Yeah, I don't know about that. And I'll tell you why. Well, let me first say this one. The development world has changed significantly since when I was in it and where it's at today. And that's only, I don't know, twelve years ago or whatever, ten years ago and it's crazy how much it's changed, how much it's shifted. I'm taking on the kind of the DevOps side at our company now and kind of having to go through all of this and relearn some processes and things like that and CI/CD and all that kind of stuff and work out how this is going to work and make sense in our company today. To answer your question, what's the impact of AI? I mean, there's no doubt AI has made developers significantly more productive.
Phil Howard: What about non-developers just making stuff?
Josh Tanner: Well, and that's the other key to this. It's made developers more productive, but it's made non-developers like they can do stuff now, right? They can do stuff but they don't necessarily know what they're doing, but they don't need to know because it does it for them.
Phil Howard: And at the end to map it out. I mean, you have to do a good job. You have to draw an outline. You have to make like a plan, all this type of stuff, truly.
Josh Tanner: And that's where I think like having the developer background, if you have that framework of like this is how you engineer a project, right? You don't have to go through and do all of that now. Now you can sit there and prompt, this is the project I'm trying to build. Here's the steps I want to build. Write me a prompt and then you prompt that prompt like you just go through until you finally get to a highly detailed prompt that you're actually going to use in like a lovable AI or something like that.
Phil Howard: And when I say eighty percent, I mean like eighty percent of the classic kind of like we're going to build an app and code this out and we're going to hire a team and it's going to take six months and it's going to cost us eighty thousand dollars.
Josh Tanner: That's going to go away.
Phil Howard: Okay. It just like because now I've seen yeah. Like my producer Greg, like he built us an app like over the weekend. And I was like, there's no way there's gonna be problems. It's gonna work. Once we pressure test it, it's going to break. But just a few minor things, and we're good. Now on to more important subjects. We're supposed to talk about cybersecurity as a business enabler and not a blocker or cost center. And your experience growing up since the building of the computer days with your brother and moving into IT? How has the landscape changed over time as far as C level executives and business leaders understanding IT and giving them a legitimate seat at the executive round table and actually respecting and hearing their input?
Josh Tanner: Yeah, that's a good question. I think that we're in the middle of seeing kind of a big change. I don't know that I would say it's one hundred percent changed. I think that most C level people that I've interacted with see it as a cost center. And as much as I attempt to explain that every bit of what I do impacts every single department in this company in some way, shape or form, it's kind of like, yeah, that makes sense. Haha. But can you fix my computer still? And there's very little, I think there's been not enough. I'll say that. Not enough of a trust created between a lot of the other C-suite and IT. And a lot of it's at the fault of IT. They don't want IT coming and speaking a bunch of technical jargon. And making no sense and telling them we need to spend this money.
Phil Howard: Agreed.
Josh Tanner: What we have to do is we have to bridge that gap. Right. We have to come to our CEO and our CFO and we talk about the bottom line. We talk about revenue. We don't talk about the technical pieces, don't even mention the technical pieces, don't even talk about the tools, don't even talk about implementations and all this kind of stuff. Infrastructure bring up. Here's the operation of what we're trying to do. Here's the risk that's involved and here's the cost of negating that risk. Right. Here's what the risk will cost you in this event. Here's what we've determined to be the cost of remediation or whatever it is, reducing that risk, and then impacting here's how it impacts revenue. Here's how all of those bottom line issues, right, come into play with cybersecurity, even when you are when we talk about like budgets and things like that. Right? I'm going through budgets right now. Lots of people I'm sure are going through budgets. We're still working through hacking away at it. But rather than talking about the ins and outs of implementing a DLP program right now, I can go to the C-suite and say, look, here's the goal of this program, here's what this DLP program is going to do. Here's the reduction of risk it's going to bring. Here's how this is going to align with our goals for HIPAA and HITRUST and NIST CSF and all those different things. Here's how long it's going to take. Here's what it's going to cost. If we don't do that here's the potential risk that's involved. You see what I'm saying?
Phil Howard: Yeah. So the question that I wanted to ask you was. And well, first of all, how many end users do you guys have?
Josh Tanner: I think we're three fifty, roughly.
Phil Howard: Okay. And so you're like head of IT security, kind of like the whole shebang.
Josh Tanner: Correct.
Phil Howard: Right. At what point? From a security standpoint. And we have to sell. I mean, selling security, you've got to sell, like. Okay, look, at least in healthcare, you can say, So it's something like violations and catching people violating these things is up, like, three hundred and fifty percent, something like that. Meaning they're cracking down on things. Security can be hard to sell because it's kind of like selling insurance. It's like we have to buy this stuff because if we don't do it, we're going to get robbed. And if we don't do this, we're going to get fines. And we could look really bad to our customers. We'll lose all our customers. There's not like it's going to help us make more money. Unless you've got a good example of that, I would love to hear it.
Josh Tanner: So I think I understand your question a little bit more.
Phil Howard: People care so much about the healthcare data. I wonder how many patients, if you ask the actual patients, like, hey, your patient data was leaked to the public. Now? Well, it's just it's really, like, HIPAA is like, kind of like a real big crackdown. And I'm wondering why it's so strict there. And this is sounding very ignorant right now. Maybe you can tell me as to why yeah is so strong just because it's like sensitive patient data and stuff like that. I don't know. I mean, it used to be paper files back in the day. I come from a family of doctors, so I know what the hospitals are like, and I know how much information is kind of just randomly talked about and shared across all kinds of barriers. So that's why I'm it's just interesting that HIPAA is like one of the biggest enforcers.
Josh Tanner: So in twenty twenty three, this is the last I.
Phil Howard: Think it's because someone's getting paid. I mean, I think it's great. Let's fine people. Let's fine people and make money. Collect funds.
Josh Tanner: It's one of the hottest commodities to sell on the dark web. So that's kind of a big piece of it. And I think the biggest reason is it's not necessarily about the health information specifically, but health information has personal information and, typically, financial information. And so if you can pull that contains both personal information, health financial information and health information, now you've got kind of the hottest commodity of data, right. You're not just trying to grab one particular thing. And PHI itself is always tied to that data. So it goes for a higher price on the dark web. They can chart, ransoms are higher for those types of things. So that's why it's such a hot commodity. Twenty twenty three if I'm remembering correctly, the HIPAA Journal. I think the average healthcare breach was around eleven million dollars or something like that for twenty twenty five here.
Phil Howard: Average healthcare breach in twenty twenty five was seven point four two million.
Josh Tanner: Yeah. So clearly a high cost.
Phil Howard: Four hundred and eight dollars per stolen record. Two point eight seven billion. Change in healthcare attack in twenty twenty four. So up by quite a bit. Yeah. Ransomware reality. This is the most shocking one. Sixty seven percent healthcare orgs hit in twenty twenty four. Yeah. Sixty seven percent.
Josh Tanner: So I was thinking about this the other day, why is it that healthcare orgs are getting hit so hard? And I think that there's kind of a trend I've been seeing. Right. So there's this thought of like migrating everything to the cloud. There's better security, I think. I don't know that that's entirely a myth. I think it's pretty accurate when you move towards a zero trust framework. You've got your identity access on lock, that kind of a thing. You have a higher likelihood of being more secure in the cloud than you do on prem, because the on prem is kind of that older technology everybody's VPN into. One thing, if a bad actor gets access to the VPN or something like that, they can typically get in to a lot more than you want them to. Right? And so if we move towards the cloud, right, and that's kind of what a lot of smaller midsize modern companies have done well. A lot of these healthcare companies, huge healthcare companies, they've been around for a while. They're older, they've got older legacy systems in place, things like that. But you have to think about the OpEx and CapEx spend as well. Right? We're building infrastructure, buying infrastructure. That's all CapEx. Cloud is typically seen as more OpEx because it's SaaS based, operational, that sort of thing.
Phil Howard: And so switching the books, it's a big switch in the books. It's a big change from depreciation models.
Josh Tanner: Exactly. So it's not just a simple like just migrate to the cloud. It's not that simple. The money has to be there and it has to make sense. And we can't capitalize all of our servers and stuff that we're buying anymore. We now have to move to an operational expense. And that's costly. It's more burn. It affects EBITDA. It's all of these different pieces that affect the financial side that we as IT leaders don't often think about. We think we need to secure, which is true. We need to do that, but we have to do it in a way that is helpful and in line with the business. We can't just move to the cloud. It's not just about costs at that point.
Phil Howard: However, at the same time, there's a whole nother world of telehealth, healthcare providers that are new, turning up and are able to move pretty nimble and fast by using remote providers. They can span larger areas. They can completely operate in the cloud, have various different, have desktop design, be able to turn things up and turn things down and remote wipe from a security standpoint, but definitely act more nimble than, like you said, some of the older players in house.
Josh Tanner: Yeah, yeah.
Phil Howard: What I wanted to ask you is, when you're a company of that size, at what point and you have a team of say, I don't know, how big is your team? Three people. Four people. Do you have more than that?
Josh Tanner: Right now? It's just me.
Phil Howard: Okay, so there you go. At what point? Is an MSSP beneficial?
Josh Tanner: Well, it's beneficial for me right now because it's just me.
Phil Howard: Right? SIEM, SOC, training. Yeah. They, I mean, they can literally, yeah.
Josh Tanner: I have an MSP and an MSSP. I onboarded them when I came here. And, I mean, it depends on how you work the contract ultimately. And that's really the difficult thing a lot of MSPs want to charge a premium for engineering and things like that. So work it out to where you can get a good price for both help desk tasks and managed services and things like that. And engineering. Then you get the best of both worlds. Right. The only problem is, at some point you start to get tired of explaining every nuance of your company to the person doing all of your projects because they don't know your business.
Phil Howard: They are just there mixing your business up with other people's businesses every day. Well, they see so many different things.
Josh Tanner: One hundred percent, and it's to be expected, but it's helpful. This is how a lot of mid-sized companies get twenty four over seven SOC services through an MSSP. They've got people that are constantly monitoring things and making.
Phil Howard: Is it easier to manage an MSP or an MSSP? I would think it would be easier to manage the MSSP because there's certain things that are fairly standardized.
Josh Tanner: One hundred percent once you write up your runbooks and everybody's got their stuff in place, it's pretty simple. Especially if they work with your MSP, right? If you work in tandem they've got the runbook. This is the situation. This is what happens. They know what they're supposed to do. They whatever quarantine the device. It goes over to the MSP who then works with either they have their workflow of what they do with that particular situation, or they work with me back and forth and what happens or what happened or whatever it is. Once we go through discovery and figure all that stuff out. So yeah, MSP is definitely easier to work with.
Phil Howard: And best practice to have them two separate have the two separate.
Josh Tanner: I would have them on separate contracts.
Phil Howard: I mean like separate. And the reason why I say separate companies is because you want one checking the other. You don't want them, like checking their own homework, so to speak.
Josh Tanner: Yeah, well, and this is there is kind of a conflict of interest. And HITRUST kind of illuminates this, between the person auditing your IT operations, right, the security and then the actual person overseeing the operations. There's always kind of been this interesting tension. And it seems to be kind of a big movement towards like CIO, CISO type role, where combining both roles because we can't afford both in the C-suite. Right. And so let's just pick one. But ultimately that just causes kind of a conflict of interest when you have your IT operations person also seeing the security of the operations they're doing, right. So you don't have an outside party looking into the operations, auditing, what's actually happening, saying, look, you can't do that because as an operations guy, like, if I'm acting in operations, I got stuff to do. This is close enough to security. It'll work. Let's just go do it.
Phil Howard: Let's not slow down the process because it's going to annoy me.
Josh Tanner: Correct.
Phil Howard: So here's the interesting thing because I've just been looking at a lot of these MSSPs lately and kind of allowing a different ones. And I find it interesting how much pricing can vary across the board. But I have kind of my recipe of what should be kind of provided, standard from like a SIEM, right. SIEM, SOC, EDR, whether it be a KnowBe4 email training, these type of things, honeypots set up and, whatever, yearly pentesting, these type of things, it's just kind of like this, like recipe for it. And then it's like, okay, well, what are you using for? I don't know, are you doing CrowdStrike, SentinelOne? Like what are we using? There's kind of like a, like an acceptable pattern of like what you guys use for these different things. And yeah, it's interesting that at the end when I look at it, I'm kind of like, well, how are you guys justifying charging a one point four seven million dollars over three years? And the other guys that are actually seems like, to be doing a little bit more and a little bit more proactive and are providing a little just seem to be doing a lot better for four hundred thousand dollars. Have you noticed that?
Josh Tanner: Yeah. I mean, on a just.
Phil Howard: A crazy, like, off the scale, just people throwing out crazy pricing here and there. Yeah. And I'm trying to figure out what, why. And I sometimes, I just can't see why someone would be charging more. And the only thing I can think of is like, well, it's their infrastructure because they're hosting it in Azure.
Josh Tanner: That could be the case. It just depends. Right. So one of the problems that I've seen with the MSP, which I think does translate and has kind of moved over to the MSSP, is this idea of tooling. Okay. So when you bring on an MSP most of the time it's your MSP is dealing with somebody within the company that doesn't typically have an IT background, doesn't have enterprise experience, doesn't have operational, all of that kind of stuff. The MSPs coming as a one stop shop. We'll fix all your IT problems. And they do that by throwing a bunch of tools at it that they own. Right. And then everything seems to be moving somewhat smoothly. And then you guys grow or something happens and you want to separate from the MSP. And they're like, sounds good. See you later. Bye. They go away and all of your stuff is gone because it's broken.
Phil Howard: Because it's their proprietary stuff.
Josh Tanner: It's their tooling. It's their stuff. Right. And so MSPs have acted not simply as a service company, but as a reseller. And I think that's where the problem lies. So if you can separate your resellers, right. Go buy your Microsoft license from a reseller, buy your services from a service provider. That way, if you're no longer happy with the services, all your tools and resources don't go away. You just go hire somebody else to.
Phil Howard: Make sure there are tools and services that are easily transferable.
Josh Tanner: Exactly, exactly. So I've seen in the MSP space, and I think that it translates into the security space. And it's super simple to scare everybody into. This is what you need and you need this. And AI is going to do this. And then they can rack up the price because now they can.
Phil Howard: How are you using AI? Is there any AI security, any AI security things that have been helpful?
Josh Tanner: No, not really. We're investigating. So we're a Microsoft shop. We use Sentinel and XDR and Defender for Cloud and all that stuff. We're investigating the Security Copilot because they just released Security Copilot to E5 licenses and things like that. So we're starting to dig into that to see what's helpful, to see where this can fit into workflows, how it can fix workflows. I don't know yet. I don't have an answer for you there, but it seems somewhat promising in some ways and cumbersome in other ways. And like, it's, we're, Microsoft's figuring it out as we're figuring it out.
Phil Howard: Yes. Classic. What is the top down management ask for AI in your organization. Is there a hey, what's our AI strategy?
Josh Tanner: Yeah.
Phil Howard: So is it like, hey, I need our AI strategy on my desk by Monday? Or is it like, hey, what are we doing? What's going on or is it they're just saying that we are doing it.
Josh Tanner: I think like every IT person, their CEO came to them and said, look, I went to some meeting and met with these DCS and these other CEOs and huh. Look at all this cool stuff that they say that they're doing, or that they spent a bunch of money on, or that AI can do. And they come and they ask, hey, look, we need AI initiatives, right? We need this.
Phil Howard: Okay.
Josh Tanner: So let's think about what is every department. What are some workflows that they're doing that are repetitive, right? And these are the things that I think every CEO is starting to think about and see as AI is the solution to the repetitive. The problem with that is that solution has existed long before AI because we call that automation. Yep. And so I think what AI is doing is it's enlightened CEOs and high level people to the concept of automation. Hey, are we automating things? Whereas like it's not AI, it's just automation. Yeah, we should be spending more time looking at repetitive workflows, designing automation for those things to make our staff more productive. Or maybe there are FTEs we don't have to hire anymore. Whatever it is, because we've automated that particular process. It's not necessarily AI, right? In all cases, in some cases there's some AI involved. But I think to answer your question, how are we using it? We're not really because what it's done is it's opened up. Oh here's the areas where we could go automate. Right. We don't really have a use case for AI yet because we have groundwork to cover, from the start, if that makes sense. We're not quite there to even start to use AI. I mean, we've got Enterprise Copilot enabled for some of our users. We've got some 365 Copilot users as well.
Phil Howard: You know, there's no agent agents running.
Josh Tanner: There's nothing like that. We don't have a use case for it at the moment, because every use case we have is just a simple automation that needs to be built out.
Phil Howard: You had mentioned something about data. I mean, obviously everyone knows that the first step is we have to clean up data significantly. What are the significant steps to doing that in any organization?
Josh Tanner: You start small, you start real with like pick one high risk area and like.
Phil Howard: Think of an old company. Just thinking of, like, what would be a high risk data area?
Josh Tanner: PHI. Right. Let's just start. A high risk data area. PHI. Let's say you have a referral system. Okay. So we want to use a company or we want to build a process or something like that where we take our PHI and we want our therapists. We're in the behavioral health realm, right. So behavioral health realm, they have their patients that they want to refer to someone else. So we want to send their PHI into our referral system that then matches them up with a particular doctor or something like that, and then sends that PHI to their system wherever they're storing that data.
Phil Howard: In other words, their file, their healthcare file basically.
Josh Tanner: So I would just start small, start with the flow. Right. What's the data? Who's the owner of the data? What's the business process? Even map out the business process. What's the purpose of the business process itself? Don't even start with, like, the security pieces and the IT operations. Like, what is the actual business process? Where is the data created? Where is it used? Not just where it's stored, but trace the flow of what people actually impact the data. Who touches the data. And then put it, I don't know, make it simple, put it on like a single page, make it simple. Those get the stakeholders involved that are all involved. Make sure everybody understands this is the flow of data, right. Have kind of a some minimal fields. Owner, what's the purpose?
Phil Howard: That would be a hard one to like. Guys, we need to do this. There has to be, like, almost like a data cleanup committee.
Josh Tanner: And that's what I mean. Like you, it's too difficult because a lot of times when we go to clean up data, it's too late, right? We're already so messy that we have to start so, so small and so simple to get anywhere because it's too overwhelming. It's too much to try and take the whole thing. Right. So you have to start super small.
Phil Howard: And in the healthcare world, what are the top three things that you just wish that was different about executive management and the hierarchy of healthcare when it comes to technology? Like, what do you wish they could hear and know about technology? Because I think healthcare has some of the largest strides to be made. And yet sometimes we have some of the biggest breakthroughs in technology, but then we have some of the most antiquated, siloed technology all at the same time, somehow working together.
Josh Tanner: Yeah.
Phil Howard: From executive management standpoint, like, what would you want them to really hear loud and clear if they could hear?
Josh Tanner: That's a good question. I think I would want to say like there's a better way. Like you have your old systems, you have everything tied to your old systems. And that's why we have to do nineteen different logins to get connected to your VPN and blah, blah, blah. And we've got to use this VDI and this thing and all of these different things like. There's a better way. But the problem is that doesn't necessarily matter because at the end of the day, like the bottom line is what matters. And if I can't present a case to where, unless there's like, an end of service kind of coming up on your entire infrastructure and like, this is going away and we're not going to have like,
Phil Howard: It's like, if you can just imagine even just walking around any healthcare organization, to me what I see is I see wires and silos and I see wireless devices and you can imagine an entire facility being mapped from even just like a Wi-Fi standpoint. I mean, it's really like just even a hospital alone is very, very, very complicated. And I see endless silos. And I just imagine the department of IT there. Either. I don't know, hospitals to me seem like the place that has the department of IT. Not this, like this separate entity that kind of hides out in an area of the building somewhere. I don't know if that's correct, but that's just kind of what I imagine when I think of hospitals, because I'm still seeing Nortel phone systems on the wall and I see wires sticking them on desks. But then we know that nine one one is flowing very smooth. Yeah, we know that ambulances are coming and going and then there's all these just providers that are kind of just here and there. There's got to be a major efficiency gain somewhere. That's, it just seems to be this ghost of IT floating around somehow, at least in the healthcare world. I think when it comes to hardcore business, manufacturing, logistics, other companies that have very strong, like a kind of very strong manufacturing a widget or doing something. It's different. But healthcare is a very interesting entity.
Josh Tanner: I wonder if it's because I don't know that IT and technology is often a part of the long term strategy. And so I would say like that. I guess I tell healthcare leaders like, look that would be helpful to you in the long run, not just from like, you want to innovate healthcare and things like that. There's certain things that we just can't do with the technology that we have. But if you're unwilling to adjust the business model to make some of the technology work, whether that's moving to the cloud or replacing some of the infrastructure and moving that to the cloud, whatever it is, if there's a way that we can adjust some of this to bring us into the modern world.
Phil Howard: It might not even be infrastructure. It might be like from a medical standpoint, it might be like, think of what goes on in a lot of medical industry. There's a lot of training that goes on. There's a lot of kind of like this awareness and customer experience that's very, very important. Whereas I think from a patient forward standpoint, I think IT could take that stance and enter into the conversation a lot easier from that avenue than anywhere else. Whereas I imagine there's a lot of things like that where IT could get involved, just communicating with different departments, taking it into their own hands and kind of just walking around and, almost like, meet and greet and finding out how IT could make a difference in the organization. I think from that standpoint, IT could go pretty far in healthcare.
Josh Tanner: Yeah. I mean.
Phil Howard: As opposed to the broken old infrastructure that's probably going to remain ancient for a while until you've made a big enough impact there. Like, we'll give you whatever you want.
Josh Tanner: I don't know if that's like for the IT guys that can sit there and slug it out and they make it work. Like, it's almost kind of fun, right?
Phil Howard: For sure.
Josh Tanner: One job. I remember this, I worked for a company and we would build nursing sites all over the country, and we would do a lot of them in. They were educational sites specifically for training nurses and things like that. A lot of them were in hospitals. And so we would go into these hospitals and build out the simulation rooms and all that kind of stuff. So I was overseeing a lot of the IT build stuff, the infrastructure, low voltage, all that kind of stuff. And we would never utilize like the hospital circuits. We would never utilize any of their Wi-Fi. We never like we it was just too much of a hassle to try to integrate into their stuff. So we're going to bring our own circuit. We're going to bring our own network. We're going to set up our own network. We're going to have everything network, all those different things. It was just too much of a hassle to deal with all of the like you're saying, the infrastructure. But what's interesting, I remember multiple occasions trying to work with the IT team. Like they just weren't fun to work with. They were just kind of like, we want to be.
Phil Howard: Exist.
Josh Tanner: In our dark hole, doing our things and bringing people like.
Phil Howard: The gnomes under the stairs. Yeah, I get it. Exactly, exactly.
Josh Tanner: And I think that, like in the modern, like, mid-market sector, there's kind of been this push towards collaboration and everybody, working together and all that kind of where it's forced a lot of IT people to get out there and go make friends and go, network and all that kind of stuff. But in the hospitals, like, no, you are literally pushed to the darkest dankest corners of the hospital that you think people work down here like, this is crazy.
Phil Howard: Yeah, we're going to we're going to move.
Josh Tanner: So it's kind of like they don't want to work with them, but also like they're not really giving them opportunities. So it kind of goes back and forth. You know what I mean.
Phil Howard: So it does still exist.
Josh Tanner: Yeah.
Phil Howard: Is there any, universal best practices? Speaking of the old days, are there any universally accepted best practices that you think are actually damaging?
Josh Tanner: Well, I don't know about that.
Phil Howard: Okay, fine. Is there a myth? Is there a myth about it? You wish the entire industry?
Josh Tanner: Yeah, a friend of mine and I have kind of been talking about this a little bit back and forth, but I think that SOC2 has kind of been universally accepted as a best practice in a lot of our industries and things like that. I think it's kind of outdated. And,
Phil Howard: So we're not too compliant, but it's outdated,
Josh Tanner: Well, it's we're not SOC2, but everybody wants SOC2 compliance. And so what I mean is, SOC2 shouldn't be the compliance rule. It's outdated. It's not keeping up with the times. It's managed by the Big Four and their playbooks and all that kind of stuff. And so.
Phil Howard: It's back to people making money.
Josh Tanner: Yeah, it's exactly what it's kind of become. It's become less about.
Phil Howard: We need two point one.
Josh Tanner: Right. It's not the security piece. It's the auditors. Right. They're not held accountable. They're not held accountable to the outcomes essentially. Right. They're held accountable that you are doing what you say you're doing.
Phil Howard: But okay. So from a security standpoint, doing your job as a security guy or hiring the right people, is it important to check the boxes first, or should we be checking the boxes and also actually be secure? That's kind of the argument there, right?
Josh Tanner: Yeah.
Phil Howard: There's depending on the type of organization you work in, you're going to have people like, we have to be compliant here or we're going to get sued or whatever. Can you please check the boxes? And you might say, well, how about we actually also be secure at the same time?
Josh Tanner: Right. No, one hundred percent. There's the checking the boxes. And I took a screenshot of this nine months ago to show you that we were doing this, but that that doesn't give me real assurance that's still happening or that you continued to do it for nine months. Right? There's no practical evidence that you are actually doing what you say you're doing. Does that make sense?
Phil Howard: Yeah, it's like Gartner Magic Quadrant. We sit in the upper right hand quadrant of Gartner Magic Quadrant at a certain period of time when they printed this piece of paper.
Josh Tanner: And I think there was a time where this was a super helpful framework and all those things. But the times are shifting, so much so that having more up to date, potentially even live data is a bit more helpful than just kind of the past playbooks and the way that we've done SOC2 and the way that we've done.
Phil Howard: Well, I think you mentioned a term which I think should be entered into the dictionary of IT terms: compliance theatrics. Can you speak about compliance theatrics for a moment?
Josh Tanner: So there's like the theatrics of showing like there's a level of showing, right? I'm acting. We are pretending that we are compliant in every way because we are checking the boxes. But what is the purpose of compliance? The point of compliance is to reduce risk. How do we reduce the risk? By securing. Right. All of the compliance pieces are part of our security measures. We're doing the compliance stuff so that we can be more secure so that we can reduce risk and create trust with our partners we work with, create trust with our patients. This is really the cyber security as a business enabler. Right here is the we're creating a more secure environment that's not just acting like we're more secure. We're actively doing it, and we're caring like we have to do the compliance thing. We have to get the certification or the attestation or whatever it is. We've got to do that because our partners are asking for it. We need the piece of paper that says we're doing it, but ultimately it's more important that our security program is actually being secure, right? So it's one thing to be like, look, I'm HITRUST r2 certified. Look how cool we are. That's great. But what does your security program look like? I mean, that framework in particular is pretty robust. So it probably looks pretty good. But like if we're just focused on checking the boxes and not creating a program, then we're not being a business enabler. We're not continually creating the trust with our patients. We're not preventing downtime. Breaches are our downtime. It costs money, not just money in ransomware or lawsuits or whatever it is, but it's also downtime and revenue from just an operational standpoint. And if we're preventing that downtime, we're protecting the business, we're protecting patient care, we're increasing partner and payer trust, right within our organizations, where we can speed up innovations through more clear guardrails, right with the compliance frameworks and stuff. 
We've got clear guardrails, but we understand what we're doing from a security perspective where we know we're secure. We want to bring AI into the infrastructure. We know exactly what where our data sits. We know exactly what we're doing. We know exactly what our security programme looks like. Sure, let's bring AI in right here and let it sit right here, and then we'll continue to. You see what I'm saying? Like, it starts to speed up certain innovation processes where we're not having to backpedal and go, well, let me make sure that all of this stuff is secure. Yeah. Before we go and we do this one thing. No, no, no, we've already got that on lock. Let's go. Let's do this.
Phil Howard: What is the ask from innovation standpoint. What are the general asks that you get asked on a daily basis. I would also love to know who's going to the compliance theater to begin with. Like who's causing the compliance theater. Is it vendors or is it executives that just need to say that we're in compliant. Like, that's kind of interesting. Just this idea of compliance theater. Like, who wants to go to the compliance theater anyways? But like, who doesn't want to just actually be secure? So there's got to be someone out there that's just like into acting, right? Acting across compliance versus the actual fun of really digging in and being secure because otherwise security is really not that fun. I think it would be pretty boring if it was just theatrics all the time. It'd be pretty lame. So that's why I'm wondering who goes to the compliance theater to begin with. But, aside from that, what kind of innovative asks are you getting, in your role right now?
Josh Tanner: Yeah. Right now it's mostly, data type of asks, like, I mean, AI was one, can we integrate AI and do all these things with AI? Ultimately, the answer is not really. But here's what we can do with automation.
Phil Howard: What are they thinking you're going to do like from an IT like what's your organization's kind of like mission to begin with and how is technology going to support that mission.
Josh Tanner: So we integrate behavioral health into primary care doctors offices.
Phil Howard: Okay.
Josh Tanner: So ultimately what that does, quite a few different things. One, our model, it's called the CSM model. This is our care model. Has been tested against a bunch of other care models. And we are producing the best results from a care perspective. So our patients are receiving the best care. So that's one good thing. Two, it integrates behavioral health into primary care doctors' offices. So think about it from this perspective. You want to get some mental health help, right? Most of the time you have to go find a doctor. You date them, you go back and forth. Do I like this guy? Let me try this one out. You have all that. Well, you already have a primary care doctor that you've done that with, right? So now I can go see my primary care doctor. I trust him, I know him, he's got a therapist in his office that our model shares what we go through in our sessions there with the primary care doctor. So the primary care doctor now sees the full picture. Not just your physical side, but also the mental health side. Right. So he's got the full picture happening there. The other benefit is he's your primary care doctor. Now, your regular old insurance covers mental health because he's the primary care. The mental health is in your primary care practice. The other benefit.
Phil Howard: You've integrated it in there, correct?
Josh Tanner: Correct. And the other side to this is, overmedication. Undermedication. Right? We are a highly medicated society. And a lot of that has come from primary care doctors overprescribing things or underprescribing things because they aren't the experts in that particular field, but they have patients that need help that come to them for help. And so what this also helps is reduce the overprescribing of medication or even the underprescribing in some scenarios of medication, so that we can come alongside the primary care doctors and give the patient the best care that we can possibly give.
Phil Howard: Are you guys placing providers in the doctor's office also?
Josh Tanner: Yeah. So we're basically like a staffing company. That's probably a good way to think of it.
Phil Howard: Okay.
Josh Tanner: So we hire the therapists and then we send them to the providers. So we partner with large health organizations and we send our therapists to go into their primary care doctor's offices. Okay.
Phil Howard: Totally makes sense. And I'm just wondering so obviously this goes hand in hand with technology and I have no clue how much you guys outsource as far as, finding people or what technology you have your hands on. But I would imagine that there's a lot to be done there as far as, matching up providers well or what's your growth model?
Josh Tanner: Yeah. So we're kind of working through that right now. We just finished our series B funding. We partnered with Goldman Sachs as our new venture capitalist partner, and brought in a good chunk of change to help us grow. Part of that is really kind of honing in on our sales strategy, and, I think this year our focus is going to be kind of expanding within the markets that we're in currently. And then how do we also get into new markets so that we can expand into new states and things like that? We're in five states right now. So how does technology come alongside and help the sales process? I mean, I have my own thoughts about that, but we are in the middle of discussing that right now. Right. Salesforce, all those different technological tools. How does all that stuff come into play?
Phil Howard: What's the basic sales model? Is it like, hey, go to a doctor's office? How do we get in? Or I mean, how obviously a doctor's office or care or other care facilities, is it? Do we want to place more staff members inside other primary care facilities? Is that like the goal potentially.
Josh Tanner: We've kind of exhausted a lot of that, especially in Arizona where we're headquartered. And quite a few of our states, we've kind of hit the max capacity. But the interesting.
Phil Howard: Telehealth, any telehealth stuff?
Josh Tanner: I believe before I got here, they were looking into some of that. But their model is we want to be like in person for as we possibly can be. We do telehealth on our EB site. So EB is the psychiatric practice that we have. So we have MD and then EB is the psychiatric side. So we do a bit more telehealth on that side. We're growing that business right now. So we're expanding all of that, figuring all of the pieces out there. So we're getting there.
Phil Howard: I would imagine you would definitely be able to find more behavioral help, health therapists with unique backgrounds and experience from a telehealth standpoint, even though there's a benefit to yes, we want to be in person, but maybe if there's some real specialty case or something like that. I'm just thinking off the top of my head and,
Josh Tanner: Yeah. No, I think that's a good thought.
Phil Howard: I know nothing about your business. I'm only pretending. This is after talking for five minutes. I just wanted to see how we're integrating technology and how is technology leadership brought to the table for these strategic growth conversations? Yeah. Obviously, about your VC stuff and everything. So you're not a gnome hiding underneath the stairs that they call to unlock the port fifty seven on the second floor.
Josh Tanner: Yeah, yeah. A lot of what I know is because I ask a lot of questions because I want to know because I want to understand the company's strategy and the goals, and I want to understand the business that I'm in. Right. I think that's kind of a key piece for any IT leader is like.
Phil Howard: Otherwise you're going to have crazy people coming in and trying to sell them wild stuff that you have to bolt on.
Josh Tanner: Well, and that's we have experienced that to a degree where I.
Phil Howard: Just I can see it now. I can see someone be like, yeah, Salesforce, like you mentioned Salesforce. And I'm thinking in the meeting, the first thing I thought in my head was like, well, I think Salesforce is going to be out of business in three years once AI catches on and everyone's building their own CRM, but.
Josh Tanner: Well, and that's the thing, just have cloud, build our own CRM and we're good to go.
Phil Howard: Like but then we're sticky. No, we can't leave the MSP then. No, we've come full circle now. We built our own stuff. They cannot leave us.
Josh Tanner: That's a really good point, because this is kind of a key thing that I see as a problem in my current role and even in other roles that I've had, like this redundant tech where we've got one application that does one thing, but we actually have ten applications that do one thing because this department didn't want to use that one, and this department wanted to use a different one and all. And you don't have when you don't have like the governance to, first of all, keep track of all that. And then secondly, lay down the foundation, like is this approved by IT security? Great. Is this approved by the business side? Does this make sense from a business perspective for us to have two tools that do the same thing? No, that doesn't make sense. We don't want to pay for two tools that do the same thing. You can either not have your tool or you can learn how to use this tool. Right. And so creating those governance layers within the organization, it takes time because it's a culture shift. At the end of the day it's people are.
Phil Howard: Not like we use WhatsApp, other people use Slack, the other person uses the Zoom chat thing. This person uses Teams. Exactly. And we use the Mitel chat thing that still works on our softphone. See? We need to unify. Oh, and we just merged with five other companies that have sixteen different other systems.
Josh Tanner: Exactly, exactly. So as they call it, the shadow IT is real.
Phil Howard: Now we got shadow AI.
Josh Tanner: Now we got shadow AI, which is also real.
Phil Howard: Yeah, well, this has been a pleasure. And I'll give you the last word. If there was one thing that you wanted the executives in healthcare to hear, what would that be?
Josh Tanner: Uh. IT doesn't just fix computers. Cybersecurity is not just an IT problem anymore, right? It is a core business function. That makes sense. And when we have a breach and we get sued because this data was exposed and all that kind of stuff, if they're not coming after me, right, they're coming after the company. That makes sense. And that's why we ultimately have a responsibility as a company. I mean, even other organizations out there that are auditing these things and all that kind of stuff, they're looking at who on your executive leadership team are involved in making decisions about cybersecurity? Who is looking at the risk? That's not you as a cybersecurity leader. What executive is actually giving the go ahead on, yes, we'll allow this risk, and no, we won't allow that risk. All of those different things need to be documented and put in place not just as a practice, but an actual like, documented practice. We're not just doing it, saying we're doing it, but we're now showing you that we're doing these things, and we're showing you that the executives of the company, every executive, is taking a responsible role in the overall cybersecurity of the business.
Phil Howard: And if I had something to say, too, it would be like, do you realize how smart these people have to be to understand and run all this stuff? That's really what I'm thinking. Also at the same time is you want these people in your corner helping you to make the right decisions to grow the business. Yeah, at the end of the day. Yeah.
Josh Tanner: Cybersecurity affects revenue, bottom line, operational resilience. Patient safety is a huge one, right. That's trust, right. Regulatory exposure overall and brand trust, right. Our brand is super important to us especially with partners. Right. The brand trust is incredibly important, which ultimately brings the long term enterprise value that we would want to have to actually be more marketable in all those different things.
Phil Howard: Yeah, yeah. If you had a very, very bad cyber security attack.
Josh Tanner: We'd be done. We'd be.
Phil Howard: Done. Yeah. You're like, not only are you going to be down, not only is it going to cost you money, it would definitely affect, definitely affect, sales if you had if you had anyone else selling against you at the same time?
Josh Tanner: 100%.
Phil Howard: Not the salespeople should be going out there. Hey, did you know they got ransomware attack? They shouldn't be doing that. Sure. That's not the way. That's not the way. Uh, Josh Tanner, thank you very, very much. You've been heard.
Josh Tanner: Cool. Thanks, Phil.
Phil Howard: Welcome everyone back to You've Been Heard. We've got Josh Tanner on here today. We're supposed to talk about cybersecurity. I actually had a bunch of things come up lately that I would love to ask your opinion on, but before we do that, how did you get into this wild world that changes so slowly called technology? What was your first computer? What were you playing around with? Like, how did this happen?
Josh Tanner: Yeah, first computer built with my brother back in the Fry's Electronics days. Black Friday, Thursday night, we stay up all night into the morning waiting outside a line of Fry's Electronics. It's two in the morning, three in the morning, trying to get there as early as possible just to get the next graphics card or motherboard or whatever it was that came out that year. And one year we had put all of our monies together to really buckle down and make a pretty proficient machine. And that was the year I think the very first Call of Duty ever came out. Or maybe it was Medal of Honor. Maybe that's what it was, I can't remember.
Phil Howard: That was great. All right. Man. So then what happened? How'd you get to where you are today? I like on your kind of LinkedIn resume. You're like various IT roles. Was that actually the company? That would be funny if that was the company. No, no. Various IT roles would be great.