Happy Independence Day



“Government of the people, by the people, for the people, shall not perish from the earth.”

–Abraham Lincoln, Gettysburg Address, November 19, 1863

No matter what challenges lay in our path, the 4th of July is a time to remember what it means to be a citizen of these United States.

Wishing you all a safe and Happy Independence Day!

Client Engagement & vCIO Collaboration


The following article was published in the July 2, 2018 edition of Channel Executive Magazine:

In the world of MSP services, firms provide a range of proactive services to clients to help them make the most of their IT investments. Over the years, as the market has matured, the notion of the vCIO has become a key component of those services.

VCIOs act as the chief information officer for the client in a virtual capacity. This is because the vCIO is not an employee of the client company but of the MSP. By working with multiple clients, either in the same vertical or across several industries, this executive-level resource brings a wealth of experience to the client relationship. Often, the vCIO is responsible for the overall client relationship, coordinating technical services, project management, customer services, and more. The vCIO is often the most senior resource from the MSP assigned to the client.


In recent years, a new resource has emerged with equal — if not more — importance to the client relationship sometimes referred to as client engagement or sometimes as client success. This department has one responsibility — the overall health and retention of the client relationship. In this capacity, client engagement can take on many of responsibilities that the vCIO would handle. Both are highly consultative while each may have different areas of responsibility within the overall client/MSP relationship. If not properly structured, there could be conflict between these two roles, but there does not need to be.

The vCIO will work with other C-level executives at the client to fully understand where IT sits within overall corporate priorities. The vCIO will also work with other executives to identify the areas where technology is a clear enabler and where it may be a bottleneck. The vCIO will also identify areas of opportunity to improve how technology serves the business as well as be the key MSP resource to keep the client apprised of technologies to be evaluated and the potential benefits of implementing new technologies to help the business reach their stated goals.

The client engagement role will typically have responsibility for managing the relationship with the appointed primary contact at the client. This may not always be the same person that the vCIO interacts most with, especially in larger clients, so having these two key roles in close communication and coordination is critical. Client engagement will typically have ultimate ownership for the relationship, so while the vCIO may seem to be the more senior resource, that person may actually be taking direction from client engagement. At the very least, everything must be in close coordination.

In a growing or midsize enterprise, the vCIO will typically work most closely with a peer, who could themselves be the CIO for the client company or at least an executive-level position like the CFO or a vice president. They will typically not be involved in the day-to-day of the working relationship. Things like help-desk tickets will typically not make their way to the vCIO with the exception of period trending on a quarterly basis. Instead, the vCIO will focus on the overall infrastructure and projects with significant impact to the infrastructure or workflows of the client.

Client engagement typically owns the more day-today relationship items, like managingclientengagement.jpg the replacement of equipment as it reaches its life expectancy, managing software subscriptions, warranty renewals, and the like. They will also typically become involved in escalations from the help desk to ensure the issue is carried through to resolution as quickly as possible and that the client is fully informed every step of the way.

When client engagement becomes aware of issues that point to more strategic need, this is when they will directly engage with the vCIO. The vCIO will, in turn, be sure that the issue at hand has the necessary visibility with the right management personnel at the client. This close coordination helps the client avoid unnecessary expenditures that either may not be necessary or could be better controlled with the right visibility. The last thing any MSP wants to see is a client spend money on short-term fixes when a longer term strategic conversation may help the client make the best choices for how their technology dollars are being spent.

This is especially true when it comes to projects that cross functional areas. It’s always a shame to see one department pursue an IT project that could benefit other departments without their involvement. All too often, if left to their own initiatives, organizations will allow departments to pursue their own objectives. When it comes to IT, this can lead to all manner of applications and systems being implemented with a singular focus. Deep engagement on the part of the vCIO and client engagement with the entire organization can help protect against this and ensure that initiatives are evaluated for possible benefits in areas of the organization that may not have otherwise been considered.


These two critical functions help ensure that the right people at the client are engaged with the right resources at the MSP. Every relationship is a two-way relationship, and this structure helps ensure that the right people are engaged and the right communication is taking place at the right interval. The cadence of client communication and meetings with key stakeholders is very important. It’s very important to map to what works for your client. If talking to the client daily doesn’t make sense, don’t do it. All you will do is annoy your client and risk not getting attention when it’s needed most. Talk to your client about this at the beginning of your relationship. Let them know what you have seen work well with other clients in their industry or of their size. Set the cadence based on mutual agreement and adjust as necessary as you gain experience with one another.

Implemented properly, the concept of client engagement/ client success and the role of the vCIO will ensure a healthy, long-term, and mutually beneficial relationship. In the end, that should be everyone’s objective.

How Do You Assess Cyber Security Readiness?


The following was published in todays Foster’s and Seacoast Sunday.

Cyber security is a moving target, to say the least. The threats change all the time. Regulators continue to clamp down on companies to take the issue of cyber security seriously. The reputation of a well-known brand can be erased by a single report of a data breach.

SAWWe all know about the high-profile hacks that exposed millions of people’s information. Whether it was the breach of popular retailer Target or the credit bureau Equifax, it seems like we read about the latest data breach on a nearly daily basis. Even here in the Seacoast, the city of Portsmouth suffered a hacking incident that took months to recover from. The city informed residents not to open email messages that appear to come from city staff with attachments, especially ones that appeared to have a bill or invoice attached. This was not too long after the city of Atlanta suffered one of the most destructive and expensive municipal cyber incidents.

With large and small companies and governments being targeted, it can seem almost impossible to keep up with the threat, let along mitigate it. Your staff is your last line of defense and making sure they understand the risks and their role in defending the organization they work for is critical. But first, you have to understand your level of risk. How do you do that? A cyber security assessment.

There are numerous types of assessments. Some are free and some cost money. Free assessments run the range of usefulness and paid assessments can cost a lot of money and if not properly qualified up front, that money could be wasted. That’s why I am excited about a tool that the company I work for, Onepath, released this week. The Onepath Cyber Security Self-Assessment Tool is a completely free tool to help you get started understanding your level of risk. In fact, we don’t even ask for your contact information, unless you wish to provide it or contact us for more insight on the topic. That’s how committed we are as an organization to help everyone better understand cyber security and educate themselves on their risk and options to be safer.

The Self-Assessment asks 20 questions to help you evaluate your cyber security posture. Once you answer all the questions, you are presented with your results instantly. You don’t have to wait for someone to review your answers and take their call or respond to an email to get your results. We provide them to you immediately and you have the option to save them, if you want.

Key to this tool is the detailed explanations that come along with your responses. You will get a summary score, to give you an idea of your present state. The explanations to each answer will help you understand what you are doing well and what you need to improve, complete with suggestions of how to pursue improvement. This tool is designed to be a first step, to help you get started. Sometimes getting started is the hardest part of the process. I believe this tool will help countless organizations get over the hump of getting started.

Please check out my blog post about this new tool at https://mjshoer.com/21Fft. I encourage you to take the assessment and get a baseline on where you stand today.

Onepath Cybersecurity Self-Assessment Tool


Today, Onepath released our new Cybersecurity Self-Assessment Tool.  This simple, 20 question, tool will help you determine your organizations cyber-security posture, in plain English.

This was created by our marketing team, with expert oversight from Greg Chevalier, our VP, Information Security Practice.  Take the assessment and let me know what you think.  We think it’s a great tool to help our clients and friends understand the ever changing cybersecurity landscape and where they may be vulnerable.

Here’s the email announcement that went out this morning:


There are many steps that companies need to take to defend themselves, their systems and their data. Those steps, however, and the degree of cybersecurity protection required depend on a number of factors, including the individual business’s risk assessment and tolerance.

Going through these processes can be complicated and overwhelming, leaving many businesses not knowing where to start. Even companies that have programs in place, and have taken steps to improve their information security position, are now left wondering if what they’ve done is right, or is enough.

Onepath has created a cybersecurity self-assessment tool to help businesses establish a baseline of their current security level and posture. The questions cover the basics – the blocking and tackling needed to establish an information security foundation. It may be just a start, but it could be that critical first step you take to get your business on a path toward cyber-protection.


Cyber Supply-Chain Attacks


I recently attended a webinar sponsored by the FBI‘s InfraGard program, which I am a member of.  I wanted to share some useful information from this webinar.

weaklink1-600x293Do you know what a cyber supply-chain risk is?  If not, you should.  Simply stated, a cyber support-chain risk is the risk of a hack or data breach from a 3rd party that you allow to access your secure computer network.  This could be anything from a consultant that works for you to your air conditioning or security system vendor, if they connect remotely into your network to manage these systems.

Here is some thought provoking informatin regarding cyber supply-chain risks:

  • 50% of data breaches are attributable to a 3rd party vendor.
  • 83% of organizations do nothing to manage third party risk.
  • 80% of data breaches are discovered by someone outside the breached organization.

So, what are some of the things you can do to mitigate your risk?

  1. Assess the risk before you allow a vendor access to your network.
  2. Understand your level of risk.  Is a large company a large risk and a small company a smaller risk?  Not necessarily.
  3. Perform an independent security assessment to understand your level of risk.  This assessment should include, at minimum:
    • Network/Perimeter Scan.
    • DNS Resilience.
    • Email Security.
    • Web Application Security.
    • Hacker Threat Analysis.
    • Breach Metrics
    • Patching Candence.

Keep in mind that doing an assessment is just the start.  It’s important to have the tools and processes in place to manage the assessment results.

If you life in a regulated world, you have even more to worry about.  If you take credit cards, you need to comply with PCI 12.8.  If you are in healthcare, you are governed by HIPAA and if you do business in or have employees who are residents of the EU, you much comply with GDPR.

It’s not a matter of if you will be at risk, it’s a matter of when.  You need to have a plan for dealing with a breach caused by a vendor.  Understand your communication and reporting responsibilities and develop your plan now, not after you have an incident.

Remote Workers Pose More Risk


Shred-it, the world leader in document destruction, has released their 2018 State of the Industry Report and it includes some interesting findings with regard to remote workers.  You may click on the link to request a copy of the full report from Shred-it, if interested.

us-sec-trackerThe stat that is most striking is that 86% of C-Suite executives believe that remote workers increase the company’s risk of suffering a data breach.  When looking just at small business owners, that number is 60%.

Employee negligence and a lack of information security is cited as the number one reason for this concern.  When employees work remotely, they may not be as careful as they are when working in the office.  This could be a result of using public WiFi or using devices other than company issued assets.

If you allow employees to work remotely, you should insist on several simple steps to help keep your business safe.  While not all inclusive, the following are six basics that should be considered a must for anyone who works remotely.

  1. Only allow company work to take place on company issued or managed devices.  While many companies now support a “BYOD”, Bring Your Own Device policy, those devices still need management, to ensure that company data is not stored inappropriately in locations that the company has no visibility to.
  2. Public WiFi should be avoided.  With nearly all mobile plans now supporting unlimited data, employees should use their mobile hotspot feature when not at their home or remote office.
  3. Only access company resources via HTTPS connections or over a company managed VPN.
  4. When in public spaces, be mindful of wandering eyes.  Whether at a cafe or on an airplane, nose neighbors and people sitting behind you are in easy sight of confidential information you may have on your screen.  Consider a privacy protector for these instances or sit in a location that prevents others from viewing your screen.
  5. Never let a friend of family member use a company issued or managed device.  You never know what they may expose you to.
  6. Report a lost or stolen device immediately!  If you suspect you may have exposed company data in any way, report it immediately!

Shred-it also released a great infographic that summarizes their report, which you may access here.

Stay safe out there!

I’m Still Blogging


My posts have not been as regular of late and I wanted to let you know why.  With summer getting in to full swing, I actually managed to take a little PTO.  At the same time, business has been booming and I’ve been extremely busy with work at Onepath.

I’m hoping to be back to regular blogging this week, so keep watch for new posts.  In the meantime, I’m enjoying the thrills of business travel.  This week it’s our Columbus office and wouldn’t you know it, my rental car upgrade sports a Cobb County, GA plate.  That’s where Onepath is headquartered.  I thought that was fitting.  I was also pretty tired, having arrived pretty late at night 🙂

Sharing My Colleagues Work


I am very fortunate to work with some great people.  Below is a selection of informative articles that some of them have written for our web site at 1path.com.  I think you’ll enjoy them and learn a few things as well.  These pieces highlight some of practice areas, including IT Services, Cloud Services, Application Management and Building Technologies.  Enjoy!


Five Signs You Should Invest in IT Support
by Eric Ellenberg

You’re a business owner and things are going well. Your customers are happy, your employees love their jobs, and your business is profitable and humming along. Congratulations! You’ve put in some long days and dealt with some tough problems to get here, so take a moment and celebrate your team’s accomplishments.

But increasingly, you’re getting questions about technology. The computers you bought a few years ago aren’t running so great, and your employees need help with them. Your accounting software is a few years old and needs an upgrade to keep up. You’re thinking it might be time to switch to a new customer relationship management system (or start using your first) to better track your current customers and reach out to new prospects. You’re getting emails about PCI compliance, but you’re not sure what the next step is. You’re getting a lot of email that looks a little off that’s actually trying to steal your confidential information. Some of your people have gotten a nasty virus that took them out of commission. That college grad in the office is telling you to move to the cloud, but you’re not exactly sure what that is or how to make it work for your business.

Continue reading…


Your Cloud Security Is Only As Strong As Your Expertise
By Armon Aghaie

When your day-to-day is consulting with prospective clients in IT, you begin to get a feel for which technologies are having the biggest impact. Questions that are asked, articles that are published, etc. all give pretty clear indications about how technical markets are evolving over time. Naturally – it likely comes as no surprise – cloud and security are at the top of everyone’s mind.

Cloud has gone through an interesting evolution as it relates to security. Four years ago, you couldn’t convince most IT leaders that housing their highly important information on the same infrastructure as someone else would ever be a good idea. Makes perfect sense, right? When people share an office, they need only turn their head to see what others are working on. Why wouldn’t it be the same when people share servers?

Fast forward, and now we are talking about how cloud infrastructure has some of the highest levels of regulatory compliance including PCI, HIPPA, GDPR, multi-national, government, and many more.

Continue reading…


Online Product Catalog Allows Firm to Monetize Their Data
Underwriters Laboratories (UL) Case Study
By Raquel Valdez

An industry-leader in certifying and validating products to be green certified wanted to re-platform their online product catalog, in order to monetize it and become the global source for green products. They wanted their new catalog to be an evolution of their older one, expanded to include data from other green partners and a complete network of green products across all markets. They also had an immediate, urgent need to complete the project by the end of the year and needed a trusted partner they could rely on.

The company approached Onepath. The Application Management Services team had previously built an online product catalog for a smaller company devoted to air quality testing, which had since been acquired. Once the acquisition took place, all IT was brought in-house, and they continued using the catalog that Onepath had built. When the need to update and revamp another product catalog arose, Onepath was the obvious choice.

Continue reading…


Emergency Response Radio Coverage (ERRC): Coming to a Building Near You
By Caleb Clarke

When emergency responders enter a building, they rely on radio equipment to communicate with one another and dispatchers, but within certain buildings, standard radio signals become impaired and stop working altogether. When time is most critical, first responders can be cut off from receiving further instructions, coordinating with one another, or requesting additional resources and equipment.

Various building structures and architectural materials can negatively impact the transmission of radio signals and prevent them from working. Standard radio signals have always had this problem, putting emergency responders and those needing rescue at risk, but fire codes weren’t really updated to require minimum performance requirements for emergency radio coverage until inadequate radio communication was determined to be a contributing factor in the death of 343 firefighters during 9/11. Both the National Fire Protection Act (NFPA 72) and the International Fire Code (IFC 510) updated their requirements to include Emergency Responder Radio Coverage (ERRC).

Continue reading…

Goodbye Net Neutrality



Despite the fact that an overwhelming majority fo the citizens of this country support net neutrality, politics has prevailed over the will of the people.  Such is the state of our current political system.

We still live in the greatest democracy that humanity has ever known, but it is flawed.

The House of Representatives has so far, refused to act on the issue.  If you are a regular reader of my blog, you know that the Senate voted to overturn the FCC repeal of net neutrality.  For that overturn to move forward, the House needed to act and they have not.  Should the House choose to act at some future date, then the President would also need to sign off.

At this point, all we can do is bombard the House and White House with plea’s to listen to their continuents and vote to overturn the FCC’s repeal.  For now, we are left to sit back and see if the large broadband Internet providers change the way their networks operate or if costs begin to rise in order to maintain unfettered access to all of the Internet.  Only time will tell.  Hopefully, watchdog groups will keep an eye on this, as there is still a transparency requirments, so providers must disclose if they begin to prioritize traffic.

Keep the pressure up at a grass roots level.  It’s never to late to save net neutrality, but as of today, the prior protections are officially no more.

An Undersea Data Center


You read that right, an underwater data center has been created by Microsoft.  Yes, that Microsoft.

The so called “submarine data center” is a giant tube packed with a whopping 864 servers.  The ocean will offer natural cooling to the data center that sits on the ocean floor off the Orkney Islands off the coast of Scotland.  Cooling is one of the most expensive components of a traditional data center, so this renewable aspect of cooling should cut down on a major cost component.

The tube is about the size of a shipping container and is designed to the deployed rapidly off the coast of major cities allowing for more expansion of cloud capabilities.  What’s not yet clear is how any hardware or power failures would be addressed in a large tube that sits about 100 feet below the ocean surface.

Microsoft plans to monitor this new prototype data center for a year, to determine it’s future viability.  While Microsoft is touting the renewable energy aspects of this development, one does have to wonder if there will be any heat bleeding from the tube and any ambient noise coming from within that could disrupt the marine ecosystem where these tubes are placed.  It will be interesting to see what is learned over the coming year.


Here is a link to more details, including videos and photos of the data center.  It’s worth a look and read.