Denis O'Shea: [00:00:00] The average enterprise is using 44% of what they've purchased, 44% of the capabilities and features that they've purchased. When we're under attack, we buy defenses, and organizations have gone out and on average they've bought 52 security tools. Some of them talk to each other, some don't.
Max Clark: You, you've done two key things, right?
You transitioned from IT into leadership and then- Yep ... specifically non-technical leadership, and then you immediately follow that up with a slew of acronyms- I did ... that most non-technical leadership has- ... any idea even exists, let alone what it means.
Denis O'Shea: If company leaders recognize and accept that passwords were an amazing invention back in 1961, '61, but now in 2026 they're the single biggest reason for all the breaches and hacks and compromises that happen.
None of that AI investment is going into the on-prem legacy tools that were installed in the last century, and so the conclusion from that is [00:01:00]
Max Clark: You, you when I first saw the c- you know, the company, the branding Mobile Mentor, you know, like the initial like instantaneous association becomes cell phones and mobile devices. But that's not actually what Mobile M- Mentor is focused on and, and what you're focused on. So I'm gonna give you a nice little soft like intro.
Can you give me a, you know, high level, you know, what do you, what's the, what do you do? What's the focus? What's, what was the inception thought for the business?
Denis O'Shea: Max, that was not a soft opening, easy question. It was actually probably the most incisive, painful, and, and painful question you could have asked me, 'cause we're going through a whole rebrand at the moment- Mm-hmm
and trying to figure out what our company name needs to be for the next 20 years rather than, you know, what it was for the last 20. Uh, but thank you. Um, yes, the words Mobile Mentor do imply we work with mobile devices, um, which is partially true. We did [00:02:00] nothing but mobile device technology work when we started the business.
Uh, but it's evolved enormously and now we work with a very wide range of technologies, uh, mainly in the Microsoft ecosystem. But if I tell you a little bit about the backstory, it's quite interesting. I used to work for Nokia selling, um, cellular network infrastructure. Okay. Uh, I used to live in, in different countries around the world.
And, um, back in 2003, I was running Nokia's operation in Switzerland, and we lost a major sale, uh, to Orange, and the CEO of Orange said to me afterwards, said, "Why would I buy more technology from you guys when, when our customers are not yet using all the technology we bought from you last year? Spent hundreds of millions of euros.
Customers are not using it. Why would I keep investing?" And I came away from that conversation with my tail between my legs and, and really for some introspection to figure out what do we-- what needs to [00:03:00] happen to drive adoption and consumption of all this new technology. And what was happening back then, if we, if we go back 22 years or 23 years, people were running out and buying these new smartphones.
And I use inverted commas to say smartphones because they actually weren't that smart, but they did have some capabilities. But most people were spending up to $1,000 or euros to buy this new smartphone, and all they were doing was sending text messages and making voice calls because the mobile internet was a horrible experience.
Setting up your email on one of those devices was very complex. You needed to know two different server addresses, an SMTP server and a POP3 server. Mm-hmm. Getting your calendar to sync was difficult. Transferring your contacts from your old phone to your new phone was difficult. Um, getting your music on it was insanely difficult.
Everything was hard. And so what I did was I left Nokia. I'd been there 15 years, and they were very good. They gave me some capital and then, and their blessing, and I went and I built this business called [00:04:00] Mobile Mentor to help drive adoption and consumption of the latest smartphone technology one person at a time.
And my strategy was very simple. It was to sit down with, could be someone like you, who just got your first, um, say, Nokia or Sony Ericsson or Motorola device back in the day, sit down with you for one hour and get everything working. Get your email, uh, working, get your calendar syncing, transfer your contacts, get your music in there, all the things you needed.
Just make you as an individual productive, and then maybe do it for your staff later and- Mm-hmm ... and so on. And so taking these devices and helping people become super productive by harnessing, by really unlocking the full potential of the device. That was, that was the, the basic simple idea, and that was-- that's what Mobile Mentor was built to do.
And we eventually scaled that service and delivered that one-on-one experience to a million people around the world, and that's really what got us going into the business we are in today, which has, has evolved [00:05:00] enormously. You know, we've had pivots and transformations and technology- Mm-hmm ... has adapted, has evolved, so we've adapted to follow.
Um, but yes, that's where the words came from. We were your mobile mentor helping you unlock the full potential of your first smartphone.
Max Clark: I, I've, I'm, I'm laughing because I've... You know, I, I understand the branding and naming pain. It's just, it's-- it, it just seems like, um, you know, when you find a good one and you see good ones, it's always, it's like, "Oh, that was so easy.
It's so obvious." You're like, "How, how much, how-- what, what went into that?" Yeah. Scaling individual like one-on-one services, um, I-- that is a really hard problem. And, you know, you, you talk about like configuration and device configuration. Uh, you know, I-- one of my notes I just wrote here was I don't think people, if they weren't there, really understood, like, the birth of the BlackBerry and why the BlackBerry- Yeah
became such a big thing.
Speaker 3: Yeah.
Max Clark: And part of it was just because, you know, you finally had a device that was really easy to roll out and utilize, [00:06:00] right? You know, because, you know, like email, contacts, and calendar, and all of a sudden worked on your s- on your mobile device. Yes. And, and was reliable, and then was manageable.
You know, the corporate, the corporate IT team could, you know, became responsible for it, and of course- Yeah ... it became like a executive pecking order of like, did you have the BlackBerry? Did you not have the BlackBerry? Yeah. Who got the BlackBerrys? You know, these sorts of things- Yeah ... in the office. Yeah.
Um- Sure ... but it, it's, you know, you know, it's, it's that, the, the association I have, of course, is like that reducing that friction.
Speaker 3: Yeah.
Max Clark: You know, BlackBerry rolled out really aggressively because it, it was usable. Um, iPhone rolled out really aggressively. Apple, I think, has done a good job with the Genius Bar.
You know, uh, people don't utilize it as much as they probably should of being able to say- Mm-hmm ... "Hey, I'm gonna go sit down with somebody and, like, learn- Yeah ... how to use my Apple device." But- Yeah ... for the most part, uh, you know, that, that friction and that ease of use has... That barrier has changed, but then that introduces other problems, right?
'Cause [00:07:00] now you have a proliferation of devices across the enterprise.
Denis O'Shea: Correct. Correct, and, and that's really what happened to us. We, we scaled up this operation. I think I had 250 staff in Brazil, China, Switzerland, UK, Japan, New Zealand, Australia, and, and we were, we were running at a pace of about 10,000 of these one-on-one mentoring sessions every month.
And that was all going gangbusters until the global financial crisis. Mm. And it came to a screaming halt, and, um, a number of things changed around the same time. But I said to our board, "We need to pivot now." And so we shifted from doing that one-on-one mentoring service to become a managed service provider in the mobile space.
And what that meant was helping banks and hospitals and enterprises manage all the thousands of devices that they had now accumulated, and help them get their costs under control, help them, uh, design and build the first apps they wanted to roll out and connect back into their line of business applications, uh, get some security on those devices.
This was back in the [00:08:00] early days of MDM or mobile device management. Um, so w- we, we pivoted, and we became a managed service provider, but just for mobile technology. So apps, security, cost control, asset management, user support, and we built service lines around those and aggregated them.
Max Clark: Any technology that has a consumer experience with it, so a cellphone, right?
Like, the average person has a cellphone, and they have an experience with a cellphone. I find this becomes a huge double-edged sword, right? Yeah. On the one hand, it, it normalizes the technology for then the enterprise to want to have it or the expectation that they should have it, because it's like, "Well, I have this personally.
You know, I should have this- Yeah ... for my business," right? But the requirements You, you know, this isn't like an N plus one issue, right? Where, you know, as an enterprise rolls out a cell phone, what the enterprise has to do to maintain a cell phone is very different from what a personal experience is- Mm-hmm
of like, "Oh, I've got my own cell phone plan," [00:09:00] right? Mm-hmm. Like, like, like really simple benign things of like, oh, just we, you know, have 1,000 lines, like we have to buy 1,000 phones and then roll them out to 1,000 people that are now of course in 1,000 different places. Mm-hmm. That introduces some, some different challenges.
So-
Speaker 3: Totally ...
Max Clark: you know, for, for people that are, you know, walking into either rolling out phones for the first time or taking over c- you know, management and oversight, like you have a new executive that, you know, somebody's been hired into a company and realizes, oh, we've got 2,000 cell phones. Uh, how, how do you help them go through that process and manage, um, you know, these devices?
And what kind of... What's the word I'm looking for? Um, what do they not know that they should know probably at this point?
Denis O'Shea: So firstly, I would say we have won some battles and lost some battles in this arena around- Mm-hmm ... device management. I think we've got 14.5 million devices we have now enabled over the, the years we've been in business, [00:10:00] you know, on the managed service side of the house.
And we, we deal a lot with organizations who try to go too far in managing their employees' devices, and sometimes don't do enough to manage corporate-owned devices. So let's draw a line there and say there's devices that employees went out and bought with their personal credit card, their after-tax dollars.
They own that, that device. It's a BYO device.
Speaker 3: Mm-hmm.
Denis O'Shea: There's a management conversation around that. We'll park that over here. And then the other side is the, the organization has bought the devices. They're company-owned.
Speaker 3: Mm-hmm.
Denis O'Shea: The general recommendation and, and the advice I would give from all the, the, the hard lessons we've learned over the years is that those corporate-owned devices should be fully managed by the organization with a full lockdown profile, pushing out the apps they want people to use, and limited capability to do a whole bunch of personal stuff on it, but limited.
On the other hand, the personal devices should be [00:11:00] unmanaged, and this is where we see organizations get in trouble, when they're trying to impose too much management control on the employees' devices. And the technology now, in particular if you're using Microsoft Intune, which comes with Microsoft 365, if you're using that, you don't need to manage the device itself, but you can wrap some security around the applications and the data and the applications.
So it's a much lighter way of providing security. You're not managing the device, but you're managing the apps and the data in the device, and that's the model we recommend for BYO.
Max Clark: So, okay. Um, I'm, I'm... I've got, like, a whole spiraling list of questions I wanna ask you- ... and talk about, right? Yeah. It's really easy for companies, especially when they're starting or they're small or scaling or fa- or, you know, or, or, you know, startups, whatever, to go into a BYO expense policy.
Yeah. Okay. It's an easy one. You know, go buy... You already have your phone, we're just gonna give you 100 bucks a month, and this becomes your work phone, right? Yeah. Um, and then we've got, and, you know, you're talking about, like, corporate, corporate devices and corporate [00:12:00] management, and then, uh, but there's, like, this middle ground that ends up happening by default with corporate devices that, that, um, you know, we, uh, NIST is, you know, coded COPE, right?
Corporate owned personally enabled devices, right? Yeah. 'Cause when you have somebody, give somebody a cell phone, and that cell phone has the ability to access an app store, and it has a camera on it, and it has all these other utilities on it, and they can download Facebook or whatever else they want on it, TikTok, you now have c- a corporate owned device that has personal information that people have put on this device.
Mm-hmm. Mm-hmm. And this also becomes, like, a really interesting thing in IT management. You know, you give somebody a laptop, right? Yeah. It's, like, a corporate owned device, but it's a laptop now. Are, are they using it for all their stuff? And, you know, over the, over the decades, and you end up with these, like, really large, you know, IT policy and procedure, you know, handbook things that have to get executed and signed, right?
But, but there's, like, the, the, you know, like, those three that, like, that, like, the horizon from BYO to corporate, complete corporate lockdown, car- people carrying two cell phones, right? Like, there's, there's no clear line with this for a company, you know? [00:13:00] But there are major pitfalls and problems across this entire spectrum.
Like, oh, you, you off-board an employee, you know, and their default behavior is to go and wipe all their devices to, to eliminate everything from MDM, and it's like, oh, you just deleted a cell phone that has voicemails from their, like, their dead parents on it, you know? And like, what, what do you do? You know, like, how...
You know, and, and I've heard these stories, right? Yeah. Like, pictures being deleted that were-
Denis O'Shea: Yeah ...
Max Clark: sentimentally important to people- Yeah. Yeah ... because, you know, an MDM policy executes.
Denis O'Shea: Yeah. You're right. Like, there are, there are many shades of gray in between those two paradigms, the full BYOD and the full corporate one, and that's why I said before, if you are applying, if you are doing a COPE model and allowing some personal use of the corporate device, that has to be limited.
There's got to be some guardrails around that. But also, um, we generally recommend not managing the personal device and, and never wiping- Mm ... someone's personal device because the downstream [00:14:00] implications of that, you know, you gave one good example with the voicemails. There are many other examples. Yeah.
Um, and it, it doesn't end well generally. So we find that th- that middle ground I mentioned, where we're managing the data and managing the applications, that's, that's the right solution, leaving the device unmanaged. And then what that sets up, or what often precedes that, is a very clear policy statement to the employees to say, "You bought this device.
We respect your privacy. We're not going to manage it. We're not gonna geo-track your location." We're not going to be able to see what personal apps you have on your device. We're not gonna be able to see your messages or your social media or anything like that. But we absolutely unconditionally must protect our company information.
We must protect our customer data, anything that's in emails, any attachments or files, we have to protect that. And if your device gets lost or goes in for repair, or you want to pass it on to your kids when you [00:15:00] get a new one, we'll simply remove the company applic- company applications. Uh, it might be Outlook and Teams and OneDrive and- Mm-hmm
SharePoint, whatever. We'll remove those, but all your personal stuff stays, all your photos and your music and Tinder, whatever you've got. You keep you. You do you. We're just gonna remove the corporate information that we're all-
Max Clark: People do some really weird stuff with devices, uh, if you sit... Uh, it, um, I, you know, so the cell phones are getting a little better about giving you the ability to have profiles and containers and parti- you know, like, like effectively like partitions within the phone and...
Yeah, 'cause when you start talking about, like, protecting customer, you know, company data, like- Yeah ... w- you know, what are you, what are you really worried about, right? You're worried about a couple different s- you know, like, major scenar- I mean, you're worried about lots of things. Let me, let me back that statement up.
But, um, what are the scenarios people talk about, right? They're talking about, you know, a threat actor or something gaining access to your corporate data and then exfiltrating it, right? So, like, do you have data on a cell phone that people [00:16:00] can access or another app can access and then download? Mm-hmm.
And then you've got the inverse of that, which is something jumping the gap from an unprotected network or an unprotected device, then infecting your corporate data, you know, and being destructive as well. Yeah. I mean, and the... I mean, again, there's, there's so many more, so many more than those two examples, but let's just stick with that.
And, and this, this I find becomes a big trade-off within a company, right? Because now you start, you're, you're battling directly against ease of use and, um, y- let's say like friendliness, you know, in terms of your, you know, your employees and your users using your- Yeah ... you know, infrastructure versus restrictions.
You know, like, like any, any level of protection becomes restrictions. You know, it's like- Yeah ... oh, you can do this, you can't do that. Like you've, you're now res- Yeah ... you're restricting. And- Yeah ... uh, y- you know, and the, and the... Some organizations, banks, I, I, you know, l- approach this really tightly to begin with.
It's just like, "Oh, sorry, everything's locked down, period." Yeah. It's just bank [00:17:00] policy, right?
Speaker 3: Yeah.
Max Clark: But then you have other organizations that I feel, you know, it's like it, it, it seems like they start at zero, and then bad things happen, and they kind of like ratchet up after every bad thing that happens.
And it's like, how many bad things do you have to have happen in a row before you just kind of get to a better place?
Denis O'Shea: Yeah. And look, w- we live in the, at this intersection of security and employee experience. We're constantly... We, we use an infinity symbol diagram to show this never-ending tension between security and employee experience.
And because it's always changing, it's an infinite loop. And the best way to explain that is if we, if we s- keep talking about mobile devices, I think the average mobile device has 92 apps, okay? They all get a, an update about once a month, which means there's probably three app up- app updates happening every day.
So you're using that device at work. It's connected to your corporate Wi-Fi. You've probably got email and Teams and other stuff on it. Mm-hmm. You're introducing new code to your [00:18:00] work en- work environment every day because there are apps updating that nobody looked at, nobody vetted them. Mm-hmm. There's just new things happening on that device that's connected to your network.
So you as an individual are bringing new security considerations to the work environment every day, and then the IT team is doing everything they can to protect the organization, so they're applying new policies, and all the vendors whose products are in the environment are applying updates and new policies, and every one of those is going to somehow have an impact on the end user experience, right?
Because the end us- end user goes to click on something and used to work yesterday, it doesn't work today- Wow ... 'cause there's a new conditional access policy or whatever. So this infinite loop goes on forever and ever.
Speaker 3: Mm-hmm.
Denis O'Shea: It never stops changing. Every day it's changing. How we navigate that, how we manage that is the art in IT.
Truly believe that's the art. The science is, you know, being able to apply good policies and propagate them and all that. The [00:19:00] art is getting that balance right so that we're not alienating the end users. We're not making IT seem like the villain. We're, we're working together to protect the organization, protect, you know, the personal information, whether PII or PHI or student data or, you know, citizen data.
We're protecting the data together and trying to do so in a way that we're not encroaching on the privacy of the person who owns the device.
Max Clark: Uh, pros and cons, BYO versus corporate owned, right? Like it's, it's, y- you know, it's, it's easy just to say, "Hey, we're gonna expense your cell phone for you and give you," you know- Easy.
Super easy ... give you some money on your, on your paycheck every- Mm-hmm ... every month. Mm-hmm. But, um, is, is that just a bad idea?
Denis O'Shea: And I would say no, it's not, as long as mobile application management is in place and there's at least a, a degree of, um, [00:20:00] protection around the corporate data. Now, that model worked very well for most organizations up until, I think it was November 2024. So you could simply say, you know, we'll either manage the device if you're, if it's corporate owned, or we'll manage the apps if it's personally owned.
The, the big shift that happened in November 2024 was the Digital Markets Act legislation in Europe. Uh, you're nodding sagely- Mm-hmm ... like you, you've, you've, you've fought this battle. And for those who are not aware of it, it's a bit like GDPR. It's a European thing. You can kind of think, "Oh, those Euros created this new legislation.
It won't impact us." Well, guess what? GDPR found a way of swimming across the Atlantic and impacting every US business and, and global businesses. Yeah. The DMA, the Digital Markets Act, will, will learn how to swim the Atlantic, too. And, and, and what it, what it, what the DMA did is it forced Apple to open up the ability for end users to [00:21:00] sideload apps onto their iPhones.
So we, we, we lived in this beautiful walled garden for about 15 years, where every app developer had to go through Apple to get their app scrutinized- Mm ... and vetted. And Apple did a stunning job in pushing back on all the dodgy apps and only allowing good apps onto the App Store with a certificate and get it properly signed and all that.
So you knew that if you saw an a- an, an app somewhere, and it came from the Apple, um, App Store, it was probably a, a legit, solid app. You never had that assurance in the Android ecosystem, but you always had that assurance in the Apple ecosystem. The Europeans, in their wisdom, forced Apple to permit sideloading so that an iPhone buyer in Europe can choose to get their apps from an app store other than Apple, so essentially unbundling that, that relationship.
And what that means now is you might be a doctor here in the States. You see an interesting-looking app advertised on [00:22:00] social media. You think, "That looks like a useful thing. I'll download that, and I'll install that." You click I agree and consent, and you give the developer full, um, consent to do whatever they like, and, and it might start out as a perfectly benign app, perfectly benign.
But you just granted control to somebody other than Apple, to a developer. You don't know where that person is. You didn't read the T's and C's, and now that app can drift, and over time, it may drift into dangerous territory where it's potentially, um, becoming a kind of a surveillance device. It could be taking data from your device, uploading that data to servers overseas.
It might be logging your keystrokes and capturing any, any passwords. Mm-hmm. It might be turning on the microphone, capturing ambient conversations. It might be turning on the camera and capturing... It might be capturing your, your geolocation. So it becomes a device that can harvest data from, um, from your life.
And this is very real, and, and the Digital [00:23:00] Markets Act opens up about- I think it was seven new threat vectors, man-in-the-middle attacks and, and a whole bunch of other things that I can't remember now. And so I, uh, you know, I like to draw a line and say November 24 was the turning point where we went from only needing mobile device management and mobile app management to now needing a third layer of mobile security, which we call m- which is called mobile threat management.
So it sits well above device management, which will not pick up, you know, a dodgy app that has permissions that drift over time. App management will only protect apps like, you know, the Microsoft apps or any app where you apply something like the Intune SDK. Now we're having to have this threat defense tool that can pick up, um, a, a man-in-the-middle attack or inappropriate permissions or an app that's calling APIs that we might not like, you know, if we're saving stuff to our Dropbox account or, uh, some servers in China or in [00:24:00] Moscow, whatever.
The, the ability to pick up on those things and then raise a flag and say, "This behavior is changing and looks dodgy."
Max Clark: Um, for the record, I fall on the, I'm really unhappy with Apple over this because- Right ... well, you know, DMA is a, is a response to bad behavior inside of Apple. M- monopolistic behavior. Yeah, you know, like, like the whole, like, uh, y- you know, a- App Store rules, 30% payment fee, like all these different things.
I'm not saying that it, you know, like, uh, there's, there's, there's, there's so much more nuance to this conversation with- that I don't want to get into, right? But there was lots of opportunity for Apple a long time along the way to make changes that would've staved this off, and instead they decided to dig their heels in and whatever, and [00:25:00] I, you know, it almost is like as a company, they couldn't change direction internally.
They ha- then, and they were, they, they wanted some external force to force it to change. It was almost like, y- you know, like this weird, this weird thing. Um, so, uh, y- you know, it, it's, it's, this, this is one of those fun things where it's like I appreciate what, you know, DMA has forced, and I appreciate what, um, uh, you know, Epic has done in order to force an opening of this environment because what was happening was so bad.
And I'm not upset with-- I mean, and, and now, like, unintended consequences are gonna come, and they're gonna be really painful, you know? And we're all gonna, we're all gonna pay the price for it, and I'm not upset with the people that have forced the opening of these unintended consequences. I'm really upset with Apple for, like, y- you know, just being so bad for so long, re- really is how I put it.
But mobile threat management [00:26:00] Has... Okay. MDM, I, I love, I love this because you had MDM and then now everybody wants to call it UEM based on what the thing is, because we needed a new term so we could separate the market and yada, yada, yada. Normal tech marketing bullshit. So, MDM is a relatively easy, straightforward thing, right?
Which is just you wanna have a efficient, lean IT staff, and you wanna be able to do device management, and you wanna be able to do app rollout, and you wanna do it globally, and you wanna do it very efficiently, right? And so your, your power law of like, you know, originally when I started in IT, you know, we had this, like, one IT to 60 employee, like, ratio, right?
Now you can have these ratios get, like, really high because w- we have technologies like MDM and UEM- Yeah ... and the abil- and RMM and all, and the ability to actually go out and manage a fleet of devices is so much more effective. Also, the experience of being able to ship a phone to somebody and having zero touch configuration, where, like, a phone comes in the box from a manufacturer and you can open the device up at your house on your couch and push a button and it turns on and it, like- Yeah
and it can [00:27:00] auto-enroll. It's, it's magic. It's beautiful, right? And same with a laptop now,
Denis O'Shea: RMM. Exactly. Yeah.
Max Clark: It's beautiful. It's wonderful. After you've experienced it, you can't imagine life doing anything else, right? Yeah. So that has a direct... There's a direct, um, value proposition within that, right?
Because you understand, it's like, it's, it's time, it's resources, it's staffing, right? It's like an easy, "Hey, if you're trying to do this by hand, it sucks. You know it sucks. You're doing it by hand right now. You can't scale it. Go get MDM, go get UEM and, and look-" Yeah ... "your life is better." Mobile threat management is this interesting thing for me, 'cause once we start ta- dipping into a security conversation, you get into these really fuzzy things, where traditional purchasing acronyms like ROI no longer apply.
Like, what is the ROI on threat management for an enterprise? Mm-hmm. You know? Like, oh, we're gonna m- monitor [00:28:00] the applications that get installed and their data telemetry to see what's going where, and then be able to retroact, you know, to block it if it's looking fishy, right? But, like, that's not an ROI positive activity that you can put on a spreadsheet and say, "We installed MTD..."
you know, "MTM, and so therefore it saved us this much money," or, "We installed MTM and it saved us this much time," or, you know, "We installed MTM and we got this extra capacity, and we made money out of it," right? So how, y- you know, how do you position MTM into an enterprise that's not dealing with like, oh, something bad happened to us that we don't want to experience again?
Denis O'Shea: I generally position it exactly the same as EDR. So there's no direct ROI on having an, an endpoint detection response agent on your Windows machine, but you need to have it. You just need to have it. You, you could not have a Windows machine now that- is not encrypted and doesn't have EDR and doesn't have some form [00:29:00] of management.
We need to have that. Why? 'Cause we know there's a ton of zero-days and all sorts of vulnerabilities coming in, all the applications that need to be patched, and-
Max Clark: I, I ag- ... then you've got- I, I agree with you, but I'm gonna push back in, in, in terms of the conversation. Like, why? You know, we-- most companies deploy EDR because somebody tells them they have to deploy EDR.
Your insurance requires you to have EDR. You know, like your supply chain, you know, your customer requires you to have EDR. You know, customers aren't requiring MTM yet, insurance companies aren't requiring MTM yet. They're not. You know? So...
Denis O'Shea: But, but in the same way that people are requiring EDR, there's an expectation and a legit need for EDR, you know, because the Windows environment has...
It's, the Windows estate worldwide is so large, it's a massive target for a whole bunch of AI-enabled vectors now. Mm-hmm. And so, you know, we need to have an EDR agent on every Windows device, period. We just need to have it. If we don't, the ROI, the lack of that will be measured in, in, um, breaches, cost of [00:30:00] breaches, and claims and, and all of that.
So I feel like the argument for EDR is super strong. We simply extend that in saying, if you're going to have the same emails flowing into your smartphone as you have into your laptop, and the s- access to the same calendars and the same contacts and the same attachments in your emails and the same teams and the same folders and the same OneDrive content, why would you secure one device, your Windows, and not secure your iOS or your, your iPad device that's got access to the same information?
So we, we need to secure all the devices.
Max Clark: Um, I mean, the cynical side of it for me is just because people haven't experienced breaches on their phones yet- You're right ... and so therefore they look at it as an unnecessary expense.
Denis O'Shea: Yeah. We had an interesting one yesterday. Um, we had... I had two people in the organization contact me and [00:31:00] say, "Hey, did you, did you text me from this number?"
I'm like, "No." Um, so later in the day, I had to send out a, a, an email to all staff notifying them, you know, I will never text you and ask you to go out and buy vouchers or gift cards or, or, or whatever. And, um, and we had not turned on something called executive smishing on our mobile, um, threat defense, but we did, we did yesterday.
And so it's the, uh, it's, it's an AI capability that will detect messages that look like they've come from an exec asking- Mm-hmm ... people to do something or take some action.
Speaker 3: Yeah.
Denis O'Shea: And being able to detect the patterns, uh, across many different devices to see what's, what's going on, and then mitigate them or remove them before they land.
Um, so that, that's another really interesting vector, e- executive smishing.
Max Clark: It's a, it's a very common threat vector in email, right? So we talk about- Yeah ... impersonation protection and, and detection. Like, it's a very, it's an exceedingly common, and they're really [00:32:00] good, by the way. You know, the, the phone number is a little bit easier 'cause on, on theory they can look at the phone number and be like, "This isn't the phone number."
Don't recognize that. Yeah. Yeah. It gets really scary with email because, um, it's very, it's e- the email is correct. You know, if you've- Yeah ... compromised the email server, it is coming from the right email, right? So like- Yeah ... it's even, it's, it's, it's a very, it's ev- it's even scarier. You know, I mean, like, this is...
It's, um... You talk about, like, the infinity loop within IT and, like, like, this- Mm-hmm ... you know, this, this friction between, uh, you know... I mean, you started with, like, security and employee experience, right? But it's really this friction between, like, the responsibilities of IT and employees, right? And, and, and that intersection, right, of those two.
Because, uh, uh, you know, it, in a lot of ways, if IT could have its choice, which is, you know, you have to keep everything running or you're gonna get yelled at/lose your job.
Speaker 3: Yeah.
Max Clark: Like, you put everybody in, like, a box that's not connected to anything, and it's just like a box in a room that you have [00:33:00] to walk in, like Mission Impossible.
Yeah, yeah. Like, your key card. Yeah. Yeah, of course, right? You know, like, that'd be, like, the natural response. Be like, "Okay, great. You wanna use a computer? It's in that room. You need a, like, a retinal scan in order to get in there." Um, but it's, it, it creates, you know... Again, it's, it's like the consumerization of enterprise has created expectations that are unrealistic for, uh, you know, IT.
Like, I, I had, I had a, I had a client, and they were moving into this beautiful new office space. You know, it was a 50,000 square foot floor plate. You know, it's like a, a big office, and there was lots of room for expansion. They'd just taken a, a very sizable round of funding, and they were, they were going, they were planning for hypergrowth, right?
It was a typical, you know, we were this many people, and we're gonna quadruple in size over the next two years, right? Let's go. And, um, and this, and this, you know, the co-founder and CTO was, um... Had, had no corporate background experience, you know, came basically straight out of, like, a college environment, you know, like a hacker kind of [00:34:00] envi- you know, kind of thing.
When I say hacker, like, not, like, software, you know, like security hacker, but, you know- Yeah, yeah. Yeah, hacker ... your traditional, like, Facebook hacker. Yeah. Um, and we're in a conversation. We're talking about this office build-out, and he says to me that he just wants it to be all wireless like it is at his house.
Speaker 3: Mm-hmm
Max Clark: "It works fine at my house. We should have zero wires in our new office." And, um, and then you, you know, like I f- I, I realized and then I had this reflection at this point. I was like, "Well, I don't know how to explain to you the density differences. I mean, I can walk you through it, but until you experience this, you're just not gonna have any reference point with it."
You know, you, you wanna put, you know, a, a lot of people in this space. Everybody's gonna have three to four devices. You know, your density per AP is gonna be ridic- like you're j- it's just not gonna work the same. You know? Like- Mm-hmm ... like, I'm sorry. You know? Like, it just doesn't... Things are different in the real world.
Um, but this becomes a big problem and a big challenge now of like, it should just work. It works fine for me and my, you know, [00:35:00] personal account.
Denis O'Shea: And, and we're seeing this play out now, you know, in the AI arena, where it's super interesting watching organizations. Again, it's the infinity loop between the experience you can have on your home computer with an u- with an unmanaged LLM, no guardrails, doing all the things you can do, uh, with AI, and then what you get as a, as a corporate AI solution that does have guardrails- Mm-hmm
that is grounded in your tenant, that does have some data security posture management, um, that does have a limited set of things it can do. It's a different experience. And, you know, we have a lot of conversations with customers now where the, the meeting starts and they say, "Copilot sucks." That's often the opening statement.
And, and so we then have to kind of unpack that- Ah ... and figure out, right, so what's actually going on here. Um, a- and one of the examples I gave one of our healthcare clients recently was, you know, if you, [00:36:00] if you go down to Best Buy, you buy a new Windows machine, you take it out of the box, and you start using that with your personal email account and ChatGPT and whatever, you're just gonna have a fantastic experience, right?
Fantastic. The Windows machine that you would put into a clinical workspace in a hospital is going to have the most god-awful experience you could ever imagine, because we've spent 20 years designing all the controls and lockdowns, and we put Imprivata on it, and probably, you've probably got a virtualization session.
You're coming in over Citrix to access your EMR. You've got so many layers of control, so many guardrails that it's nothing like the experience you would have at home with a Windows device. It's still the same Windows device with the same CPU and blah, blah, blah. Mm-hmm. But you've just rendered it in a way that it's actually safe to use with a person's most sensitive and personal information in a hospital setting.
And I [00:37:00] liken the Copilot thing that's happening now in the same way. You could take ChatGPT 5.4 or whatever the latest one is, and if you just allow that to run wild inside organizations, that's going to be like having unmanaged Windows devices. But what's happened, of course, is Microsoft have applied some controls and guardrails and adult supervision and limited the risk and exposure.
So it's almost now like using a Windows machine in a clinical setting and, and, and providing some, some guardrails around that.
Max Clark: Our, our, uh, so, so Microsoft's done a really good job with 365 and, like, sucking all the air out of the room, you know, as they, they've-
Denis O'Shea: You mean Microsoft 365 or Copilot?
Max Clark: Microsoft 365.
Microsoft, yeah. You know, so, like, uh, you know, now we have, we, we're calling it Entra, but then Intune and Defender and Sentinel- Yeah ... and, you know, the, like-
Speaker 3: Purview. Yeah ...
Max Clark: you know, this, the stack is getting denser and denser now. Our, our European friends are, are forcing some changes-
Speaker 3: Yeah ...
Max Clark: um, which Microsoft will work around with new [00:38:00] bundles and different terminology and things like that.
Yeah. Um, y- you know, is there still a place for a... I, I, you know, I'm a really old Windows guy, like, really, really old Windows guy. Um, so the things that, like, are always odd to me is I'm gonna pay Microsoft for the EDR to secure the Microsoft product, you know? I'm gonna pay Microsoft for the anti-spam gateway to secure the email product.
I'm gonna pay Microsoft for the... You know, so, like, there's always, like, a certain amount of friction in me that just goes back because I've been dealing with this for three decades now that I just, you know, some things I'm just probably never gonna let go. Um, but when you look at the MDM space or the MDM/UEM, you know, whatever we wanna call it, space, y- there's a lot of other product on the market.
Mm. But a lot of this other product is competing now with Intune- Mm-hmm ... which is being bundled with 365. Mm-hmm. So if you're a Windows environment and you're looking at, like, do I just use Intune or do I use Intune plus these other [00:39:00] things, or do I use another thing instead, i- is there still space in the market for third parties to be- Other- Yeah, t- for third parties.
Now, the MTM is interesting 'cause that hasn't completely integrated into the Microsoft suite. No, not at all. There's still good product around there.
Denis O'Shea: Not at all.
Max Clark: But, um- Yeah ... y- how, how does this shake out?
Denis O'Shea: So firstly, w- we don't see Microsoft as having a credible play in the mobile threat management space.
Um, they might tell you that Defender will, will do some of the things, but, and, and, but in our opinion, there are other tools that are better. Lookout, Zimperium, Wandera, some of these are better. Um, but when it comes to MDMs, look, my view is that there will be niche, sustainable niches for some other endpoint vendors, um, in particular corners of the market.
So Jamf will probably always retain- Mm-hmm ... a loyal fan base of evangelists who just love [00:40:00] Jamf to manage their school MacBooks or whatever. They've, they've built phenomenal loyalty in their customer base. It's extraordinary. Um, SOTI will probably always have a very strong position with supply chain, um, logistics, retail front of house, i-inventory back of house type applications where you need to go deep into an Android device, be able to pull logs out of a custom application, stuff like that.
They do things that Intune and other mainstream products can't do. AirWatch have such huge market share. AirWatch, which became, um, Workspace ONE, which became Omnissa. They've got such huge market share. They'll survive a long time even though, you know, the product is, is, is aging. Um, but all the others we think are gone.
They're as good as gone, you know. Um, and we think the market will eventually... My personal view is I think the mobile device management market, as we have talked about it for the last [00:41:00] 16 years, um, w- I, I believe it's gonna disappear. It's just gonna disappear as a category, completely be annihilated in the same way that we really don't have any category for desktop operating software.
Microsoft has u- has dominated that space, and the category is gone. We don't have a competitive market, um, for word processing applications or, um, things that compete with Excel or PowerPoint, you know, except with the, the, the Apple products. But what Microsoft tend to do over time is invest enormously into a product, make it so big that it, it dominates the market, and that will happen with Intune, and we've enjoyed maybe 10 years now where we've done a ton of work helping organizations deploy Intune and migrate off Jamf and AirWatch and MobileIron and SOTI into Intune.
I believe that market comes to an end. That business comes to an end at some [00:42:00] point when all, when most of the endpoints are on Intune. There's still a huge wave with SCCM. That's most of the work we're doing now, where you've got people who still have some AD on-prem, they still have some SCCM on-prem.
They're still doing some manual provisioning, maintaining images, maintaining packages, all the legacy way of doing it from the last century. That all does need to go into a product like Intune and go zero touch, zero deployment, silent updates, all of that. Hasn't happened yet, and some are moving surprisingly slowly because they've got technical dependencies.
But once that's done, I believe the device management space as, that we know will become boring and, and, and almost insignificant. We will just assume that the device is managed by Intune because most organizations have Microsoft, to your point, they have Microsoft 365. So why wouldn't you use Intune? And all the focus and all [00:43:00] the energy and all the conversation goes to, you know, the next battle.
Max Clark: I mean, Microsoft owns... I mean, let's just, if we stick with enterprise, right? Microsoft effectually owns the, the space, right? We're seeing... It's very common now actually to see Mac desk- you know, laptops. People love MacBooks, right? Yep. So-
Denis O'Shea: Yeah. Love them ...
Max Clark: um, with Microsoft applications running on them- Mm-hmm
um, common f- with our clients, we see Mac laptops with Google Workspace.
Speaker 3: Yeah. Yeah.
Max Clark: Um, which still means iPhones, not Androids typically accessing Google services. Yeah. Just, um, I've always been a big fan of Chromebooks. Google's announced a strategy shift on that one. They're gonna push towards Android.
Thing that people don't really understand with Chromebooks is the management's really basic, right? Mm-hmm. Like, you're pushing a, you're pushing a, a PWA down, you know, and you can get device management [00:44:00] inside a Chrome Enterprise. You just- It's crazy ... you know, in your console, you just click the button, you enable it.
And so the devices, you know, it, it's, you know, like of course Chrome comes from a place of when they were writing the operating system and deploying it initially, they were thinking about fleet management at massive scale because, you know, they'd already understood this was a problem. You know, Windows comes from a legacy of like, that wasn't a thing that you dealt with.
You know, you walked around with floppy disks, and you put them in your computers, and you, you did work on them, right? Um, the, the, the tension that this creates that I, I, opens up an- a, another part of it, which is, you know, the platform ecosystem inside of the Microsoft environment, right? You've got Microsoft in the middle, M365 in the middle, you've got enterprises running the software in the middle, and you have, um, ISVs writing software on, you know, to, to, to run on your Microsoft environment.
And then you have MSPs or [00:45:00] CSPs or whatever we're gonna be called in, you know, in a year or two, orchestrating and kind of, and, and making all this stuff actually work. But then you... But that runs into the second, like this idea of like, "Oh, well, you know, I can just go out and hire a Microsoft admin, and they're gonna be able to manage Entra for me," or, "I'm gonna go out and hire a Microsoft admin, they're gonna be able to deploy Intune for me.
Like, they, they should know how to do it. They're a Mi- you know, they're, they're my Microsoft person," right? Mm-hmm. Um, now I, I, I alluded this, I started my career helping deploy Windows NT4 and Exchange 5.0 into enterprises from Novell, right? So like, I know the answer to this question to some degree, my viewpoint of the answer.
But how much, how much tension does that produce inside an enterprise and inside of your customer base as you're talking to them of having like, "Oh, we're gonna run Intune. It's easy. We just have to turn it on. It's in the, it's in the Microsoft console"?
Denis O'Shea: I would say first, the vision is, is, is right, um, but the execution is much harder than it sounds, [00:46:00] and it's not as, it's not as easy as it looks.
So yes, you can manage all your devices on Intune, and many organizations do that now. But Intune has grown into an enormous product to be able to do that. So, you know, 14 years ago when Intune really came out first, it was a dog of a product. It did one thing, it did Windows badly. It was a dog of a product.
Now, it's a very mature product. It does Windows, and Macs, and Chromebooks, and Linux boxes, and smartphones, and, and a whole bunch of things. Does them well, but it's become an enormous product. And I know for a fact, before they added all the new capabilities in December, Intune already had 10,000 unique settings.
10,000. So if you're a, a, a solitary IT admin in a mid-sized company and you say, "I'm gonna do a DIY with Intune. I'm gonna figure it out myself, and I'm gonna basically test and figure out every one of these settings and figure out what the impact is," well, there goes 10,000 hours. [00:47:00] And that's if the product was static.
It's not static. Microsoft is pushing new updates at a crazy pace. And so Intune alone is a beast of a product that's changing at, at the same pace as all the endpoints that it has to manage. 'Cause you know, Samsung and Apple and everybody else, and Lenovo and Dell, they're all innovating with their hardware and their OS and their firmware and their drivers and their whole stacks.
And so in the Intune product line, and I know this 'cause I've been on the advisory board for the Intune product line for a couple of years, they're scrambling to keep up with all the external changes, and then they're trying to add AI capability into everything they do and add all these new capabilities.
So Intune is one tiny piece of Microsoft 365. Now apply that same paradigm to Entra, which has become a monster. You know, Entra and the way it's growing with Entra Suite to become the zero trust plane and the control plane for AI agents, that's an enormous product. And, and in fairness, Microsoft have [00:48:00] realized that as AI agents explode inside organizations, every one of them will need to be registered and have some conditional access policies, and have some governance around which APIs it can call and which data stores it can access, and how it will pull data from different line of business applications.
And so Entra is going to become a monster. Defender is already a monster. 29 Defender products. People only know about four usually, Cloud Apps, Endpoint- Mm-hmm ... Office, and, and Identity. There are 29 Defender products. Purview is colossal because that's how we have to classify and, and, and, and add sensitivity labels to our data so that, you know, when people do a search with an LLM, they're not finding things they shouldn't find.
We're hopefully having some sensitivity labels to our data so that a draft offer letter that got written two years ago and saved on somebody's desktop doesn't pop up in an LLM search or a draft [00:49:00] performance man- a performance improvement letter doesn't show up or a spreadsheet with some salary up data.
You know, so, um, Purview, and the point I'm getting to, Purview is a monster. All these different parts of the Microsoft estate are colossal, and what Microsoft is doing is they're choking them all into this one bundle. And I see that what, what they've done over the last 50 years is they've learned how to bundle more technology into a package and a singular price point than anybody else.
They've become masters of the bundle, and it's just colossal. And, and we often start our, our customer work with an assessment, and we go through 120 topics to figure out what are you using today?
Max Clark: Do you even know what you're using today?
Denis O'Shea: Do you know what you're using, and, and how much of these products are you using, and what overlapping products are you using as well?
And I know from all that data, 'cause we've been doing this for years, that on the average enterprise is using 44% [00:50:00] of what they've purchased, 44% of the capabilities and features that they've purchased. But they're also using 44% of other overlapping products. So there's a, there's a massive opportunity in enterprise today to reduce some of the tech sprawl that's happened.
And, and I believe what's happened over the last 10, 12 years is that organizations were un- under attack. People, you know, there's been a lot of press around all the, the growth in, in cyber attacks and all the things happening. And when we're under attack, we buy defenses. And organizations have gone out, and on average, they've bought 52 security tools.
52. Some of them talk to each other, some don't. Most are designed to be silos, you know, and protect what they do and not share with, with other tools. And, and I liken it to, if you think about Ukraine and their, their defense systems, how many, how many [00:51:00] aerial defense systems do you think Ukraine has accumulated by now?
I bet you it's at least 52, 'cause they will buy a missile defense system from anybody who comes along selling them one 'cause they're under attack.
Speaker 3: Mm-hmm.
Denis O'Shea: And just like our enterprise has been under attack from bad actors over the last 10 years, we all accumulated a truckload of security products, and it's been this kind of best of breed mentality.
I think the next wave we're going to see now will be consolidation and figuring out what's best of platform, how do we get the best integration across tools, how do we get a platform that allows AI to reason across all the signals, all the telemetry, all the tooling we've got, make sense of it, and protect us without needing techs that are doing swivel chair integration and looking at this screen and that screen and this screen and trying to pull data and aggregate it and figure out what actually happened and what should we do next.
I think the next wave is getting a platform that allows the data to flow, aggregate [00:52:00] it in a lake, and allow AI to reason over it and make real-time decisions that humans can't.
Max Clark: Excluding a willingness to pay, what qualifies a customer for you? Like, what, what is a, you know, what's the, what's the, um, inflection point where somebody wakes up one day and says, "I need help with this," or, "This is the service I need," or, "I have a problem," or, "There's gap here"?
You know, what's, what's the, like, what's the impetus that drives people to go and find a, a, you know, a partner, an MSP partner to deploy Intune? Or, you know, is this a, "We've woken up and we've decided we wanna rip out Jamf and we wanna go into Intune because we realize we have overlap of tools," you know, uh, and, "We, we don't have Intune expertise now."
Or is it, "We've tried to deploy it ourselves and it was a mistake, and we never..." I mean, I-- The amount of times that we walk into an environment, we find we bought something and we never really deployed it, I mean, I would imagine that is the overwhelming majority of all software packages inside the [00:53:00] enterprise is like, oh-
Denis O'Shea: Yeah.
Max Clark: Shelfware ... we, we, you know. And, um, and, and anything in the security space is even worse, right? 'Cause it's just like, like, you know, it's, it's not creating a, you know, a value accretive ROI for the... You know, it's like, oh, there's no-- You don't-- Like, you don't see the output from it, I guess, in, in- Yeah ... terms of, like, the performance of the business.
Denis O'Shea: Yeah. So to answer your question, I think it's, um, s- it's usually because something or somebody has changed in the customer's organization. So the thing might be the realization that we have a renewal coming up in 12 months' time, and we don't want to renew that thing. So it might be Jamf, to your point. It might be- Mm-hmm
AirWatch, it might be a third-party storage solution, it might be a third-party security product, it might be their, their, their SOC vendor. And they go, "We're now going to look to see what are our options." And so quite often they'll say [00:54:00] to Microsoft, "We just wanna consider options. Who should we talk to?"
And then, you know, hopefully Microsoft will say, "Here's, here are two or three partners that you could, you could talk to." So that's often a starting point. The other starting point is recognition- that they're missing automation. What I often see happen is somebody goes to a conference, they have a coffee with somebody else who makes some comment like, "Well, we haven't touched or seen a Windows machine for three years.
They get drop shipped to the employee's home. The employee has an autopilot zero-touch experience.
Speaker 3: Mm-hmm.
Denis O'Shea: And the device gets updated for three years, and then at the end of three years, we just push out a wipe command, and the person gives it their cater and they sell it on eBay. We never see it. We ha- we're not in the business of handling Windows machines anymore."
Mm-hmm. And the other person's going, "Oh, shit. We've still got a stack of boxes in the corner of the office, and we take them all out of the box, and we spend two hours putting our dirty fingers all over it and laying down an image and, [00:55:00] and updating the OS- Oh ... and installing packages, and then we- It's so common
sit down with the user and we reset the password, and we do all this, all this stuff from the last century." And that's a, that conversation will then force them to go, "Oh my God, we need to automate provisioning and patching and deployment and end of life and the five lifecycle processes." So, you know, that conversation can be very powerful.
That happens at a trade show or a conference. That's one trigger. Another one that's a bad one is where a client goes through an audit and they get, um, they get a report that says, "Here are the gaps." Um, or they're being breached, and the board says, you know, "You've got 90 days, uh, to sort this out." Um, Orange is one of our recent ones.
They got breached for the second time, and the board said, "You've got 90 days to keep your jobs." You know, where, where this cannot happen a third time. And they're like, "Okay, we need to get real now and, and figure out what do we need to do to, you know, change this." [00:56:00] So to answer your question, I'd say it's a renewal, a product, an overlapping product they don't want to renew, or recognition that they're doing things manually that could be eliminated or automated, or third, r- reaction to a post-audit report or a post-breach remediation action plan.
Max Clark: This show exists because of what we do at itbroker.com. If you're in the middle of a real tech decision right now, new technology, vendor selection, a contract that doesn't feel right, an M&A event that just landed on your lap, and so on, we help buyers like you get it right. Independent strategy, sourcing, and contract negotiation.
No kickbacks, no sales quotas, just someone in your corner. Schedule a call at itbroker.com. Back to the episode. The Europeans, you know, have signaled that they're interested in breaking up this bundle. Yeah. And they started with Teams. Yeah. And I would imagine it's gonna go deeper than Teams, which, uh, you know, [00:57:00] effectively Y- you know, it seems like the, the, the remedy was you have to separate items from the bundle and then give a la carte pricing to purchase individually, right?
So then we end up with an even bigger spreadsheet Chinese menu of, of- ... you know, it's gonna be E1 to E57,000 here pretty soon, you know, in terms of just different, different pricing combinations, right? Um, b- bless, bless the Europeans' hearts here on this nightmare- Yeah. ... they're creating for us.
Denis O'Shea: I'm, I'm a bit careful 'cause I'm European, Max, yeah.
Max Clark: I, I, I, I love you guys, but, but like, I... Listen, I appreciate that everything has to be USB- USB-C right now, but I'm not sure if I wanna have a USB-C connector for the rest of my life. There's not something better out there that we could use instead, you know?
Denis O'Shea: Oh, oh, it, it, it'll all go wireless.
Max Clark: My, my, uh, as my mom told me- There'll be a little wireless charger
you know, the, the road to hell is paved with good intentions, you know? Like it's- Yeah. Yeah, yeah ... it's, um... But, you know, you, you look, we, you know, we talk about we, we, we hit Defender a little bit. Um, you know, Microsoft, um, has [00:58:00] their, uh, their SIEM platform, Sentinel. Hmm. Amazing.
Speaker 3: Hmm.
Max Clark: And, and again, mostly good, right?
Yeah. Better, better, you know, it's better, it's, it's, it's more good than it is bad.
Speaker 3: Yeah.
Max Clark: But there's a little tweak with Sentinel, which is if, uh, you know, if you're collecting data off a Windows device's Defender, they're not charging for that ingress, right? Correct. And that makes a pretty massive pricing evaluation when you're looking at another EDR going to a different SIEM platform, right?
Yeah, yeah. Yeah. Like, it's like the, the biggest, the biggest component of cost for your SIEM is just how much data are you ingressing. Correct. Yeah. And, and, uh, you know, I mean, good, good, you know, the, the, the, Microsoft is really smart, and like, "Oh, we're just gonna eliminate that from the consideration.
There is no cost," right? But is, does this create a bad situation for us down the road where you're gonna talk ab- you know, you're, you're eliminating competition through, you know, good/bad behavior. Yeah. And what does that do for us long term?
Denis O'Shea: And, and it's [00:59:00] interesting that the Europeans are pushing in one direction to unbundle the stack, and Microsoft is basically flipping the bird- Yeah
and going the opposite direction with the announcement of E7, where the bundle just got- Is back ... a whole lot bigger. And, and we sent out an email last week, um, informing clients on, on the change and, and the subject line was, "E7 is here, but wait till you see E9." And it was just a cheek, a tongue in cheek thing, but I've had quite a few comments about it since then.
Um, but you know, E- E7 is going to be extraordinary. You can buy all the component parts individually. You know, it's Entra Suite and the five capabilities in there around zero trust and identity governance and verified identity, and Agent 365, which is gonna become huge. You know, just, uh, you know, we, we, we will need a control plane to manage all the agents that get- Mm-hmm
built out across organizations. Microsoft's taking the lead and they're gonna do that first, and they're gonna make it a control plane just [01:00:00] like Entra is the control plane for identity. Intune is the control plane for endpoints. Agent 365 becomes the control plane for the mushroom cloud of agents that's about to happen inside every organization, and, and that's included in E7, and that's smart.
The Europeans might not like it, but it actually makes a ton of sense.
Max Clark: I- it's, it's a little, um... It's misleading, right? Because it's like, "Oh, it's bundled. I can buy this whole thing." You know, E5 was 50 bucks a seat or whatever, right? And we're gonna give you this capability, and it's, it's, you know, uh, you know what? Pick a number. It's gonna be $70 a s- a seat for everything. 99.
90, $99 a seat. 99 for E7. You know, the pricing will come up and down, right? Like all these things. And, you know, and you've-- And, but y- you look at these things indepen- in- individually, and you're like, the capabilities within, you know, Intune or Entra or Defender, each one of these things is really a multi-billion dollar business [01:01:00] inside of 365.
Right. Correct. And, and this is, uh, and, and like, you know, and so, like, it's, it's this weird, it's this weird thing where you're like, "Oh, it's bundled. It's 100 bucks a user. It's not that big of a deal." But then, you know, as you've pointed out, like, there's a little bit of, there's a little bit of buttons that you can push inside of each one of these tools, and are you actually-- Do you even know that the buttons exist, right?
'Cause it's like, "Oh, we turned it on." You're like, "Okay, great. What does that mean for you?" You're like, "We turned on Entra, we turned on Defender." You're like, "Okay, great. Now what?" You know? Like- Yeah ... you, you flip the lights on.
Denis O'Shea: Which, which of the 10,000 settings did you turn on? And, and what impact did you have, and what, what's actually going on for your end users when they're trying to work every day?
Max Clark: So we started this conversation talking about MDM, and listening to you, right, we've gotten into really more, um, into the Microsoft stack, MDM, Identity Entra, Defender security. Security. Right now they all apply, right? I mean, I, I, you know, like, uh, if, [01:02:00] if we're gonna say specific just to mobile and, and laptops, you know, laptops or- Yeah
mobile devices, all right? You know, they all, they all layer and apply, but that m- does make a, a really big shift for your business. I mean, going forward, are you gonna be less, um, y- you know, like a m- a mobile consultancy and more of a Microsoft enablement consultancy managed services provider?
Denis O'Shea: I, I, I see it through a different lens.
I see that our business hasn't changed at all because we're in the people business.
Speaker 3: Mm-hmm.
Denis O'Shea: Tech is simply a tool that we need to use. So we define our mission as empowering people to achieve more with technology. But it's all about, for us, it's all about the people. And when we started out doing those one-on-one mentoring sessions, we developed, you know, through, through the work we did, we developed this enormous empathy for the end user and their experience with technology, 'cause we literally sat with people on the same side of the desk for an hour- Mm-hmm
in their personal space, helping them get this small little device configured. And we got a [01:03:00] really good understanding of what are the triggers to adoption and what are the ba- what are the barriers to adoption. So I feel like the DNA of Mobile Mentor is, is understanding people's relationship with technology.
The technology will evolve. It'll just keep evolving at a crazy pace. So I, I don't define us by the tech we're working with today. I define us by the outcomes we deliver for the end user. And so in some ways the business hasn't changed at all, but we've used different tech to achieve the outcomes. It was a smartphone, then it was apps, then it was Windows and MacBooks and all the Microsoft 365 stuff, and now building, you know, rolling out AI at scale and building agents and, and, and security solutions.
I don't know what it's gonna look like in four or five years' time. I don't know what tech we're gonna be spending most of our time with. But what I do know for certain is that it's going to be in service of the moments that matter for the employee. You know, when they join an organization, what [01:04:00] their setup experience is like, when they go to do something, when they go to use their endpoint, when they go to apply an update, all the moments that matter throughout the life cycle of the employee, we're gonna enable those with the technology du jour, what- whatever the technology happens to be.
And hopefully we will be, you know, still a Microsoft, a leading Microsoft partner, winning Partner of the Year awards and, and recognized for good skills in those technologies. But that's just getting us to the table to be able to do the work we do to enable the end user.
Max Clark: So I, I perceive a, um, let's call it like a, a two-step problem for you, right?
Like there's the first-step problem, which is the, um, the DIY, the build versus buy decision for an enterprise, right? Yeah. Are we gonna try to figure this out ourselves and staff- Yeah ... or we think we know a way how to do this ourselves.
Speaker 3: Yeah.
Max Clark: And, and I, I actually view that as like a maturity thing. You know- Yeah
you can kind of really see it where it's like if you're, if you don't have a lot of experience with things, you try to do it yourself, and [01:05:00] then the more- Yeah ... experience you have, the less you wanna do it yourself.
Speaker 3: Yeah.
Max Clark: Um, so you've got the, we've got the f- so there's like the first half of that- And then the second half of it, the effective barrier to label yourself a Microsoft partner or a Microsoft consultant or a Microsoft expert is relatively low.
You know, now, like- Yeah ... in terms of the actual tiering within the program partner, you know, the partner program within Microsoft and, you know, uh, they, they do do a good job of, like, differentiating, you know, like, y- how much credentials you have and what kind of staff you have and what your expertises are and what different swim lanes you're in, like, all these different things.
But, you know, like an average company going out and looking for somebody to say, "Hey, I, I've, I've decided I want help." A partner. Yeah. "Now I have to figure out who's gonna help me." You know? Yeah. And a lot of times it's like, "Oh, you know, I'm, I'm... Like, this, this company's down the street from me, and that's who I'm using, and they say that they can secure my environment."
And, you know, I get in these conversations with, with companies all the time. They're like, "Oh, we can do... We're, we're a managed service, security services provider." And you're like, "Okay, great. How many people do you have on team that are, that are, [01:06:00] you know, experts in this?" And they're like, "We have... You know, our, our team is nine people, and we have three people in security."
And I'm like, "Okay, we, we can stop having this conversation right now. We don't have to go any farther." Uh, but that, but that becomes a second part now for the enterprise. The enterprise has to decide, okay, do we build or buy? Do we, you know, do DIY? Yeah. Do we bring in a partner? And then it's like, okay, how do you figure out which partner you're bringing in now?
And then, and then, and then this gets a little even messier because, uh, there's a lot of, um, uh, capital investment, you know, PE partners coming in, doing roll-ups, creating platforms, trying to capitalize, 'cause they look at this thing and go, "Man, there's a trillion-dollar TAM here, you know, in a decade."
Mm-hmm. You know? Like, like, "How do we go get our slice of this?" Yeah. And which creates problems as well for the- Yeah ... for the, the enterprise. Like, how, how do, how, how is an enterprise buyer supposed to figure out and navigate those two questions, but really the second question let's focus on?
Denis O'Shea: And, and the second question being how to find the right [01:07:00] partner for the work- Correct
need to be done? Yeah. Um, I would say ask around. Um, yeah, if it's a nine-person organization down the road or you know the CEO through your church, whatever, that's, that's useful and interesting. But really, I think asking Microsoft who are the leading partners with this particular workload, and being s- using that language, with this particular workload.
'Cause, you know, people come to us all the time and say, "We're moving from Salesforce to Microsoft Dynamics. Can you help us?" And we go, "Hell no. We are absolutely not your partner for anything to do with Dynamics." Um, and, and, and, and hopefully there are Dynamics partners who get the same question and say, "Could you help us deploy Entra and...
Or, or Intune or Defender?" And hopefully they're saying hell no's to that as well. Um, Microsoft have 400,000 partners. 400,000. So it's an extraordinarily difficult task- [01:08:00] To get their attention and stand out above the crowd. Mm-hmm. It's incredibly difficult, but the partners who achieve that recognition generally do it because they've executed well for a long period of time.
And hopefully they get known by Microsoft so that if you go to them and say, "Hey, I need to do a big SharePoint cleanup. Who would you recommend?" That they'll go, "Okay, we know a great partner who can do that thing. They've been around for a long time. This-- that's their expertise." Or, "We need to do, you know, endpoint consolidation and modernization.
Who's the right partner for that?" So I would say talk to Microsoft. They're, they're, they're going to know who's who in the zoo. They'll know the top partners, um, from experience.
Max Clark: The last time we did a, we, we did a count, uh, I think we were at 967 different providers that we've worked with for our clients.
Yeah. And some of these categories, you know, we're tracking 100 different [01:09:00] service providers inside of a category.
Denis O'Shea: Yeah.
Max Clark: And, you know, we're getting inbound every day for more. They're like, "Oh, you should sell us fill in the blank. What do we do? We're blah, blah, blah, blah," you know, in this category. Yeah. And you're like, "Oh, geez."
And, and it's, it's, I- you- like we're in that business every day of evaluating providers and making- Mm-hmm ... like, and, and actually checking and doing due diligence and checking capabilities and, and, and, you know, s- s- sorting the wheat from the chaff, so to speak, right? And it's, it's me- it's hard. It's messy.
Hard. Right? Yeah. Like it is... And the outcomes are so extremely different, you know, between having a good partner and a good provider in place doing a deployment-
Denis O'Shea: Yeah ...
Max Clark: versus having a bad one. And like you could have the best technology underneath of it, and if you have the wrong deployment partner, like-
Denis O'Shea: Yeah
Max Clark: it doesn't matter.
Denis O'Shea: Yeah. Dead right. Dead right. I mean, another great example is ServiceNow. You can do a, you can do a DIY implementation of ServiceNow, but, you know, best [01:10:00] of luck with that. Um, or you can bring in a competent partner and pay them properly and let them do it and, and you're probably going to get the business transformation you're looking for-
Speaker 3: Right
Denis O'Shea: if you're willing to stand back and get out of the way a- and let the partner do what, you know- Right ... what they, what they know best. But if you try and DIY it with a couple of internal devs, um, whew.
Max Clark: So this, this goes, this goes back into like, you know, customer qualification because a 50-person company doesn't have the resources or budget or understanding necessarily of what it is they're trying to achieve or why they're trying to achieve it or what problem they're actually trying to solve or like what the difference- Yeah
between good and not good really looks like.
Speaker 3: Yeah.
Max Clark: Um, and, and I find that, you know, our initial indication with, with a company is have they moved into enterprise suite of the productivity tool or not yet, right? Like, that's... Like, for si-size aside, like if you're 170 people and you've moved from the [01:11:00] small business into E3/E5 licenses, or you've done the equivalent change within Google Workspace, it's a pretty good signal that, like, y-you've- Right
you've hit a s- you've hit a certain amount of maturity, and you've grown to a certain point where, where you've gone there. So outside of, like, the 300 line barrier, you know, somewhere like that 200 person barrier, we see that transition pretty consistently. But it, it still is much larger for most companies.
It's, you know, 500 people, 1,000 people before these really become real issues for them, and you see actual now real investments starting to come down and flow through IT in order to actually improve employee imp- you know, experience and actually- Yeah ... figure out how to improve employee productivity.
Denis O'Shea: Yeah. Yeah. And, and, and we see that all the time. We see organizations do go through stages, um, as they grow and they mature, and we find a lot of IT teams will get to a point where they're, they're, they're constrained by the work they're currently doing. And to get a breakthrough, either they need, they [01:12:00] need to add lots of new people to be able to take on additional work, or they need to be able to automate and offload things that they should no longer be doing.
Speaker 3: Mm-hmm.
Denis O'Shea: And we see actually the greatest gains are in that space. Or the other thing we see is people are doing drudge work that they've been doing for years. They really want to move on. They have the intellectual capacity and curiosity. They want to move on and start working, say, with AI, enabling AI in the business and- Mm-hmm
putting the right framework in place for security and building agents and all that. But they're weighed down by the drudgery that they've inherited from their predecessors. They've still got GPOs they're managing. They're managing images. They're still resetting passwords. They're still taking every new machine out of the box.
They're-
Max Clark: Patch management ...
Denis O'Shea: patch management. They're doing all that. Mm. And so we often come in and say, "This year we're gonna set a goal. We're gonna remove three things. We're gonna remove all passwords. We'll go password-less, so you'll never again reset a password. And, and for the [01:13:00] one password your end users will keep, they'll have self-service password reset.
So we're gonna remove password management or password resets as a category of IT tickets. Secondly, we're gonna implement zero touch provisioning across all the five kinds of endpoints, get all the plumbing in place with autopilot and platform single sign-on, Apple Business Manager, Android, so you never again have to take a device out of the box.
That's the end user's privilege. They'll be the first person to ever touch that shiny new device. And thirdly, we'll automate the five kinds of patching, the OS, the firmware, the drivers, all the Microsoft applications, and all the third-party apps like Chrome and Adobe that get updates every week. Now your life is different- Because you're no longer having to do that drudge work that weighed you down for years.
Now your head is clear and your calendar is clear to go and start thinking about tomorrow and what does the business ne- really need from us.
Max Clark: That is, that is, it's like such a, it, it's, it's the shiny city on the [01:14:00] hill for IT, like the- Yeah ... those three things. I mean, you really, if you break it down, you start talking about it, anybody who's in an IT world or managing IT teams or dealing with any sort of employee whatever, right?
Like, it sounds so basic, "Oh, we can have employee self-managed passwords." It's like, that is so hard to get deployed properly and well inside of a company. It's crazy. Like, it's, it's, it's, y- you know, and-
Denis O'Shea: Yes and no. I, I'm gonna debate this one with you, Max. Okay. Because I think this is a leadership issue, not a technology issue.
Truly, I think it's a leadership issue, and I think if company leaders recognize and accept that passwords were an amazing invention back in 1961, '61, but now in 2026 they're the single biggest reason for all the breaches and hacks and compromises that happen. If they accept that fact, and that every time we ask an employee or require an employee to type a password, it's like asking your kids to run across a busy road.
Speaker 3: Mm-hmm.
Denis O'Shea: We're [01:15:00] taking a risk every time we have to type a password. It's a colossal risk, because we don't know what surveillance software is on our phones or our devices, you know, grabbing that password.
Speaker 3: Mm-hmm.
Denis O'Shea: So, I believe leadership, non-technical leadership in companies have to make the decision, we are going passwordless.
And that then cascades down to a couple of business decisions, not technical, but business decisions to say, we will only buy applications that have single sign-on. We're not gonna buy apps that don't have single sign-on. And we're only going to buy hardware that has an infrared camera, so now we can do a biometric authentication to the device, or if it's a MacBook, we have the fingerprint.
So we're only doing biometric authentication to the OS, and now we can do single sign-on to all our apps because we've been buying apps that are SSO enabled. And we've got MFA, phish-resistant MFA turned on for everybody, and now we join those things together with conditional access policies. Boom, you are passwordless.
Max Clark: Okay. [01:16:00] Now, now it's my turn, right? Yeah. Because you said two k- you, you've done two key things, right? You transitioned from IT into leadership, and then- Yep ... specifically non-technical leadership. Yeah. And then you immediately follow that up with a slew of acronyms- I did ... that most non-technical leadership has-
any idea even exists, let alone what it means. Okay. Right? So, so now, uh, okay, this is, this is great. I love this part. How do we bridge the gap between IT and non-technical leadership to explain the value and importance of these acronyms? And forget the acronyms, let's just use outcomes. Yeah. Yeah. Yeah.
Right? Like, like, I don't care that, like, MFA does this. It's like, what are they actually getting as a result of it that they understand, right? Yeah. But this, I think this is a key unlock, right? How do we get from non, from IT into non-technical leadership- Yeah ... that has to then say, "We wanna do this. Go make this happen now."
Denis O'Shea: And I'll tell you how we typically do it. We do it by, uh, referring to the example that everyone else is already [01:17:00] using. So most execs have an iPhone, and most of them already have Face ID turned on. Mm-hmm. Which basically is biometric authentication to the operating system, to iOS.
Speaker 3: Mm-hmm.
Denis O'Shea: And then the iOS platform has a whole bunch of apps which have SSO, single sign-on, and if they're trusted by the operating system, you immediately can go into those apps.
So if you open app- Apple native email or anything like that, you're immediately signed in. You don't need to put in a password. So now we've shown two things, biometric authentication to the platform, and then automatic pass-through authentication to the application. Now, if you try and get into your banking app, that might ask you for a second factor to be sure that this is the real Max and you are in Dallas, and, and you, you do a second factor or prompt or a code, whatever.
Everybody understands that example I just shared. We're just replicating that on a Windows machine or a MacBook. So sit in front of your Mac, you open up your laptop, sit in [01:18:00] front of it, scans your face, 300,000 data points, makes an instantaneous decision, this is the real Max. And we can do AI matching and say, "Yes, there's a h- very high probability this is Max."
If we're unsure, ask him to type in a six-digit pin to, to verify, but most cases it will sign you in based on your face. And then we should hopefully have single sign-on into Outlook and Teams and OneDrive and all those things, and maybe Bamboo or Salesforce or ServiceNow or all the SaaS applications you're using f- to run your business.
And then if you're doing something tricky or more secure, maybe then you need a second factor to, to verify that, you know, you, you, you need elevated access to something super secure. I feel like that example, starting with the iPhone and Face ID, which everybody gets, is the best way to bridge the gap between getting a leadership mandate.
It's really a mandate from leadership to say to the IT team, "Go passwordless, and make it happen in the next 18 [01:19:00] months." Mm-hmm. You know, that's the language- So- ... I like to hear.
Max Clark: So, so then in that case, really what you're talking about is encouraging the IT team to walk to leadership team and say, "We wanna create an iPhone experience across our environment, and we need your help-" That's really good
"in order to push this, push this through."
Denis O'Shea: That's really good. I might use that language going forward. I like that.
Max Clark: I, um, the amount of very savvy computer people, right? And I'll use crypto. The amount of cr- people involved in the crypto space that have had phishing attacks- Mm-hmm ... account takeovers, APOs, impersonation, and, and lost lots and lots and lots of money in their crypto that, like, have gone public.
And these are savvy people, right? Like, you think about it like probably like the savviest level of people that you can think of are, are vulnerable and are a- actively exploited with this. And I, and I say this not in a, in a negative light. You know, I, I think about this a lot with my wife, for instance, who is not a tech, you know, she's, she's tech native because of her age, you know, she, she's, she lives on her iPhone, [01:20:00] but her relationship with the technology is always very strained, I would say.
And, and I look at it like it, it feels almost impossible to protect her from the internet on her device because of what's actually going on. And then I think, and then you take that kind of, that, that mentality and that, that ex- and that, that, that feeling for me, and then I say, "Okay, now walk this into an enterprise with 5,000 employees that you are hiring, you know, onboarding, off-boarding, you know, 10, 15, 20% at whatever interval," right?
Because, you know, none of these environments are static that you have to go through, and you have to do the same thing for them. And there was this, there, there was this misconception for a long time that, like, the users were, you know, it's like, um, the users were the threat factor. But it's like, it's just too good, you know?
Like, and AI's just gonna make this even harder for people to figure out, like, what's a real email, what's a bad email, what's a good website, what's a bad e- website. Put your password in here. Don't put your password in there. Oh, I was doing the right thing. I didn't call [01:21:00] IT. You know, like, like, I, I feel like we need to like, like check ourselves here and have, have this understanding of like, this is gonna get really bad.
Like really, really bad.
Denis O'Shea: It is. It is. And I, and I'll share something with you. Our VP of technology was up in Redmond, I think the last week of January for a week with Microsoft, and he came away with some different language that I hadn't heard before, and his language was, you know, we're at a point now where going cloud and going cloud native is no longer optional.
Speaker 3: Mm-hmm.
Denis O'Shea: Because for the last few years, we've been talking about, you know, hybrid, hybrid joined for identity or co-managed for endpoints and, you know, all these kind of hybrid scenarios. And, and, and he came away saying, "We're very quickly moving away from that. We have to go cloud native." And the reason is, all the attack vectors that you just talked about, they're all AI enabled.
Speaker 3: Mm-hmm.
Denis O'Shea: So that the bad actors are using AI to basically [01:22:00] drive all these attacks, whether it's phishing or smishing or whatever, they're all AI-enabled. And in response, Microsoft and everybody else, CrowdStrike and Palo Alto and everybody else, is using AI in the defenses, right? That's, it's natural. Mm-hmm.
So they're all investing a lot of money and time and all their best talent into building AI capability and all the defensive tools. That's all going into the cloud, the modern cloud tools. None of that AI investment is going into the on-prem legacy tools that were installed in the last century.
Speaker 3: Mm-hmm.
Denis O'Shea: And so the conclusion from that is every day we continue to rely on on-prem infrastructure is a day we're drifting further and further away from best practice. And so any organization that's still relying on AD to authenticate to their legacy apps or SCCM to manage their devices or push out their applications, we're telling them, you need to go.
You, you need to [01:23:00] set an end of life date. Microsoft haven't given us a date yet. They will, just like they did with Windows 10. They gave us a, they gave us a rundown. They gave us a date, and they didn't blink, right? They didn't blink. They didn't move the date. It, they, they followed through. It was 14th of October, uh, 2025.
They will give us a date for SCCM. They will give us a date for AD and all these things and, and shut them down eventually. But for me, it can't come fast enough, because seeing clients still rely on legacy on-prem infrastructure that will never get AI defenses, they become defenseless against all the smart bad bastards out there that are using AI against us.
Yeah.
Max Clark: You know, I, uh, you say passwordless. I love passwordless authentication. I actually really like passkeys. I mean, there's a lot, I know a lot of security people that hate passkeys because they hate the impli- you know, implementation and it's like, it, you know, it's like it's more good than bad for me, in my view, [01:24:00] right?
Denis O'Shea: Way more good. Way more,
Max Clark: yeah. Um, and, you know, and it's just, it's, um, I, I w- I, I talk about this a lot and I think about this a lot and, and then the evolation, ev- evolation. Evolation. Elevating security- Yeah ... for the an- average enterprise and what it actually takes and what the experience is, right? Yeah. And how do you actually express this?
And there's all these different things. It's like the cyber maturity model or the this model or the that model, and like, no, uh, uh, like, security practitioners have started out by creating im- impossible to understand definitions to non-technical, non-security people to then try to classify like where they actually wanna be.
And, um, I have a friend and he explained it like, you know, it, it, protect your users, protect your devices, and protect your network in that order, right? And it's kinda like- W- anything you can do, and, and also, you know, just in the IT load, if you're not doing patch management anymore, and you're not [01:25:00] doing password resets anymore, and you're not doing pr- device provisioning and recla- you know, reclamation anymore, like you actually have time to look at other things.
Like-
Denis O'Shea: You do have time.
Max Clark: Yeah ... you know, you can, you can take care of it.
Denis O'Shea: And I would've said those three things you mentioned, protect your users, your devices, your, uh, network, was perfectly legit and valid and comprehensive until about two years ago- Mm-hmm ... when LLMs turned our world upside down. Mm-hmm. Now the data-
Speaker 3: Yeah
Denis O'Shea: is, you know, most of the conversations I'm having with CISOs and CIOs every day are less now about their identity, which w- which has become, you know, the perimeter, less about the endpoint, 'cause most of them are getting that under control, less about all the traditional defenses with Defender and whatever, more about tools like Purview to understand first, where the hell is our data?
Speaker 3: Mm-hmm.
Denis O'Shea: Where is it? How much of our important data is locked up in some legacy f- on-prem file store? How much is in different cloud applications? And, and, and [01:26:00] scanning the data to figure out what are all the data assets that have some form of sensitive content, Social Security or whatever. Mm-hmm.
Max Clark: Data classification, yep.
Denis O'Shea: Yeah. Uh, and what's the, what's the size of our data risk estate? And then figuring out how do we get that into a, a single place or consolidated somehow and apply sensible classifications or categorizations to it, and how do we then apply sensitivity labels, and how do we m- pre- protect against ourselves, you know, insider risk?
Um, so the, the conversation has very quickly shifted towards data as being the next frontier for security.
Max Clark: The conversation with a CTO, a CIO, a CISO, you know, it, it, it's, it's technical. It's capabilities, speeds and feeds, features and benefits. Usually they, you know, for the most time, you, you're probably in a conversation that's, um, we kinda [01:27:00] know what we need, we just don't know what to do or how to get there, right?
Like they're, you're, you're, you're usually at that level. When you're talking with non-technical leadership, you're in a, let's say you're, let's say you're in a room with a board, you know, for, for, uh, a, a good size company. We'll just, we won't get defined as too much. That's not a technical conversation.
That's not a we're gonna enable MFA conversation. What, what would you want, like i- in an ideal case, like, like what are you trying to express to them or explain to them, or you want them to like leave that meeting like with an im- imprint, you know, of not like, oh, we need to go out and go ZTNA, right? 'Cause they're not, you know, like who cares.
But what, what is the takeaway that you're hoping that that conversation leads to?
Denis O'Shea: I would always frame this in terms of the end user's experience, the experience we want to give their end users, and the way... And, and I know you're going, you're kind of angling towards security [01:28:00] here. Mm-hmm. The way I think about security is what can we take away?
What can we hide? Uh, we work with a notion called invisible security, and so what we're always trying to do is figure out what we can hide from the end user. Because the more security is in their face is an intrusive and- Mm-hmm ... it's just creating friction. So w- we love taking things away, and so a good example I give, you know, if I was talking to a non-technical board, is back in the last century, they built all these corporate resources to have the notion of a domain, and if you came into the office, you were on the domain, and you had certain privileges that you wouldn't have at home.
Well, that- that's gone now. You know, we just assume that people can work remotely- Mm-hmm ... off the domain. We're using zero trust, blah, blah, blah. So the domain can go away. We can forget about that. Let's take that one off the table. And then we used to have lots and lots of different passwords. Well, if we have a good passwordless strategy, we'll get down to one, and ultimately we get to none.
And so we're getting [01:29:00] rid of all that friction with passwords. We take those away. Then we used to have to maintain all these corporate images, the golden image of our, of our builds with our firmware and all that. Well, now with dynamic builds and automa- automated provisioning, that goes away, and we can simply dynamic assign, dynamically assign the things the new employee needs.
So if somebody new starts in HR on Monday, they should get the folders, the files, the applications, the permissions, the policies, the access rights for their role.
Speaker 3: Mm-hmm.
Denis O'Shea: And so we're making that setup process easy, and we're removing also the need for that user to fire off a bunch of tickets to say, "Hey, can I get access to this folder?
Hey, can I get access to this Adobe Suite? Hey, can I get access to this thing?" We know what job the person's doing. We should fricking know what applications they need to do their job, and they should be part of the build from day one. So we should be able to take that noise away. Um, when we simplify all the software updates, we should be able to take [01:30:00] away the need to reset machines.
Like, um, I don't know if you know about Hotpatch, but the ability to push out updates to a Windows machine without doing a restart, amazing. So again, we're just hiding friction. We're taking it away. You've got an up-to-date machine without forcing a restart in the middle of your day.
Max Clark: I, I think, uh, this is the...
First off, invisible IT, I mean, is fantastic, right? I've, I've used this language and I love that you said it, right? Because it's, it's so true. The thing that's so funny to me is, um, single sign-on is actually loved by end users because they only have to keep track of one thing, right? Yep. It makes their life easier.
It's easier. They have to sign in once, they're done. It's amazing. Um, hot patching, if you walk to anybody who's ever used a Windows computer and told them that they never have to sit through a Windows update ever again for the rest of their life- They'd hug you ... their reaction would probably be to kiss you, right?
Like, it would be such a visceral moment of joy in their life of like, you don't have to worry about being in a board presentation and your computer going through, you know, what's that, the movie that- Windows [01:31:00] install. It's so, it's so... But I mean, but it's so, you know, and it's, it's, um- So real ... I, I, I love, I love the, the reframe always back to the end user experience.
Um-
Denis O'Shea: That's the lens. That's our lens. It's, you know, thinking about a day in the life of, a day in the life of the end user. What, what, what are we imposing on them? What are we asking them to do? What pain are we projecting on them to do their jobs? And, and the more we can strip things away and remove the friction, you know, the better they can get on with their jobs, and the better we look.
Max Clark: That's the thing, is that I can't think of a better, better note to end on. I, I appreciate it. This was fantastic. I love, I love talking about this stuff and, and getting new information from, you know, people in the trenches.
Denis O'Shea: Thank you. Uh, we, we love doing what we do, and love, uh, love working with you guys as partners, and thank you for the opportunity.
Max Clark: That's it for this episode of Signed. [01:32:00] If you got something out of this, share it with someone in your world who's staring down a tech decision, a CIO, a CFO, a founder, a procurement lead, whoever. That's how the show grows. Everything from today lives at itbroker.com/podcast, show notes, transcript, links to anything we mentioned.
If you're in the middle of a real tech decision right now and you want someone in your corner without the vendor bias, that's what we do at itbroker.com. Schedule a call on our website, buy tech without regret. I'm Max Clark. Thanks for listening. See you on the next one.