Safe Mode Podcast: How MSPs Are Dealing with CISA Changes
Date: November 6, 2025
Host: Greg Otto, Editor-in-Chief at CyberScoop
Featured Guests:
- Matt Kapko, Cybercrime Reporter at CyberScoop
- Jason Puffall, VP of Security Services at Vancord (an MSP in the US Northeast)
Episode Overview
This episode explores how recent changes at CISA (Cybersecurity and Infrastructure Security Agency) have impacted Managed Service Providers (MSPs), with a focus on smaller organizations lacking in-house cybersecurity resources. The show features two main segments: a cybercrime news update with Matt Kapko and an in-depth interview with Jason Puffall of Vancord, covering client communications, the realities MSPs face, regulatory pressures, and the downstream effects of CISA’s evolving posture.
Segment 1: Cybercrime News – Defenders Turned Criminals
[00:29 – 09:11]
Key Discussion Points:
- Wild Ransomware Story: Three cybersecurity professionals are indicted for conducting ransomware attacks on five U.S. businesses while holding roles meant to fight such attacks.
- They included an incident response manager and a ransomware negotiator.
- Details of the Crime:
- Attacks spanned two years, ending in April 2025.
- A Florida medical company paid $1.3 million in ransom (May 2023).
- Group included Ryan Goldberg (Sygnia), Kevin Martin (DigitalMint), and a third affiliate tied to the ALPHV/BlackCat ransomware operation.
- Goldberg earned a $200k cut from ransom and tried to flee to Europe.
- The Temptations and Risks in Cybercrime:
- Even defenders can cross the line, especially in an unregulated space like ransomware negotiations.
Notable Quotes:
- “They were effectively allegedly moonlighting as criminals that their jobs required them to thwart.”
— Matt Kapko, [02:15]
- “It just sucks all around for the people that are actually doing their jobs.”
— Greg Otto, [08:25]
- “Remote work. You can be a remote criminal, too. So anywhere in the world…”
— Greg Otto, [06:44]
- “Ransomware negotiation in particular is... It's unregulated. It's a bit of Wild West.”
— Matt Kapko, [07:06]
Memorable Moment:
- The irony of cybersecurity professionals turning to the very crimes they are hired to defend against, raising trust issues across the industry.
Segment 2: Interview with Jason Puffall, Vancord VP of Security Services
[09:14 – 32:02]
About Vancord
- [10:52 – 11:20]
- 20-year-old MSP, 60 people, 45 engineers.
- Split between security services and IT management.
Trends in MSP Work
- [11:20 – 12:52]
- Rising client expectations amid growing threat complexity.
- Smaller businesses often lack true security roles, adding responsibilities to stretched IT staff.
- Vancord provides strategic security guidance and implementation, often supplementing small internal teams.
Common Security Gaps in SMBs
- [12:52 – 14:39]
- Overemphasis on niche solution sales—often driven by fear—over basics.
- Widespread lack of staff security training and regular patching.
- Underinvestment in robust EDR (Endpoint Detection and Response) tools.
- Focus on fundamentals—backups, employee training, appropriate tooling—can provide strong protection.
Quote:
- “There's this idea that security has to be difficult, expensive, and complex. ... But for most businesses, if you just do the core things... you're going to be well positioned.”
— Jason Puffall, [13:44]
Communicating Security ROI to Clients
- [15:46 – 17:14]
- Use real-world ransomware costs to illustrate risk.
- Many businesses underestimate their value as targets (“I don’t have data hackers want”).
- Focus on the fact that attackers seek easy opportunities.
- Tie security efforts to business growth and regulatory requirements (e.g., CMMC).
Threat Detection and Employee Risk
- [17:33 – 19:34]
- Vancord runs its own SOC, monitoring client infrastructure.
- Focuses on both technical threats and people-based risks—social engineering, fraud, phishing.
- Regular phishing and social engineering tests demonstrate real risks to clients.
- Emphasizes that employees often circumvent controls by falling for simple attacks.
Quote:
- “Your employees will effectively circumvent all of your security controls. If they're asked for their username and password, they'll provide it.”
— Jason Puffall, [18:42]
Automation vs. Human-Centric Security
- [20:44 – 22:13]
- Vancord favors human-driven security; automation can cut costs but may underdeliver on nuanced threats.
- Automated tools have a place, but human expertise is key for pen-testing, incident analysis, and translating findings into business decisions.
Navigating Regulatory Complexity (CMMC, etc.)
- [22:13 – 25:43]
- Rising costs and burdens of compliance (CMMC) are making some SMBs reconsider their involvement with federal contracts.
- Uncertainty in assessment processes causes hesitation.
- Vancord’s approach: help businesses implement foundational controls that benefit them regardless of compliance requirements.
Quote:
- “They look out and they say, well, our government’s making decisions regarding security funding and they’re contrary to everything they’re saying about the importance of CMMC… people are continually waiting because they just don’t know if that landscape’s going to change.”
— Jason Puffall, [23:38]
CISA Changes: Impact on MSPs and Clients
- [25:43 – 28:03]
- Notable cuts and changes at CISA (especially to MS-ISAC, the Multi-State Information Sharing and Analysis Center) are concerning for state/local agencies and K–12 clients.
- CISA’s historical focus on sharing actionable, low-cost guidance and tools for small organizations is being diminished.
- The loss of easily digestible, practical threat intel puts extra pressure on MSPs to fill the knowledge gap, which may drive up costs for clients.
Quote:
- “Losing that source of information is going to be a real challenge for state agencies for sure.”
— Jason Puffall, [26:35]
The Value of CISA/MS-ISAC Data in Practice
- [28:03 – 29:48]
- Some debate in the community over the utility of CISA/ISAC data, but many Vancord clients used it informally to assess their risk and trigger actions.
Quote:
- “Even small businesses get value out of... written vulnerability information and written threat information... There’s value in just knowing that you have risk and then reaching out for support.”
— Jason Puffall, [29:27]
What Should Improve in CISA/ISAC Processes?
- [29:48 – 31:06]
- Access to industry-specific ISAC data is often restricted.
- Suggestion: Broaden transparent information sharing across industries, so all businesses—not just the well-resourced—can respond to current threats.
- Call for maximum transparency and rapid data distribution.
Quote:
- “Ultimately the country is more secure if we provide more data more quickly to more people and let them sort of figure out what to do with that.”
— Jason Puffall, [30:47]
Closing Thoughts
- [31:45 – 32:02]
- Strong emphasis on equitable access to security resources and information, not just for large or cash-rich organizations.
Quote:
- “Just because you have a lot of money to spend on security doesn’t mean you should be the only one who can be secure.”
— Jason Puffall, [31:47]
Key Takeaways
- Fundamentals First: For most SMBs, shoring up basics—patching, training, backups—is far more effective than chasing after every new tool.
- Security Knowledge Gaps: MSPs fill a critical void for organizations that lack internal expertise but face ever-rising threats and regulatory complexity.
- CISA’s Role is Vital: Cuts to CISA’s outreach and information-sharing functions are making basic security harder and/or more expensive for smaller entities.
- Transparency Needed: Making actionable threat and vulnerability info widely and freely available lifts security outcomes for everyone—not just large enterprises.
- Human Element Remains Central: No amount of automation replaces human judgment in security operations—training and awareness remain paramount.
For listeners wanting practical advice, Jason’s core message is clear: Invest first in sound fundamentals, don’t get distracted by buzzwords, and pursue real, actionable risk reduction.
This summary covers all substantive segments and discussions in the episode, omitting sponsor messages and housekeeping.
