IT Governance

Join Jason Null, VP at MIS Solutions, and his team for episode #09 of DIY-IT on IT Governance. In this engaging episode, the conversation centers around the vital role of IT governance in managing and securing client data and systems. Jason is joined by Adam Ringland, Nate Jewett, and Austin Doans, who bring their expert insights into compliance, security standards, and auditing processes.

Key Highlights:

  • The integration of IT governance with other areas discussed in previous episodes.
  • The significance of automated and manual IT system auditing to uphold security and compliance standards.
  • Detailed discussions on different compliance requirements like HIPAA, PCI, and new FBI standards.
  • The importance of physical and digital security measures in protecting business operations.
  • How IT governance supports business operations without hindering productivity.
  • Future-oriented security measures like biometrics and phishing-resistant MFA to enhance security without adding user friction.
  • The continuous evolution of security practices and the necessity of staying updated to protect against emerging threats.

This episode is a comprehensive guide on implementing effective IT governance to safeguard business interests and client data. Tune in to discover how IT governance forms the backbone of secure business operations and subscribe to DIY-IT for more insights on navigating the complexities of IT management.

00:01:00 - Overview of IT governance and its importance.
00:03:00 - Discussion on compliance and security tools.
00:10:00 - The role of auditing in IT governance.
00:15:00 - Future security technologies and their implications for businesses.
00:20:00 - The importance of maintaining high security standards to prevent data breaches and ensure business continuity.

Jason Null: [00:00:00] Welcome to episode nine of DIY-IT for SMB. We're talking about IT governance today. Go around the room and we'll introduce ourselves and I'll start to my right here. Hi. Hi, I'm Adam. Good to see you. Adam. I'm Nate. Nate. Good to see you. I'm Austin. Austin. Yeah. Nice to see you too. All right. I thought I, I thought I'd mix it up a little bit today.

Yeah, just give me your first name. Thanks. No problem. Ruined my entire script. We're here. We're glad to be with you guys. So, um, I'm Jason Null, vice president here at MIS Solutions. So today we're gonna talk about IT governance. Our governance. I should actually pronunciate it really well, but Yeah. Um, talk about kind of.

What it is, how we enforce it, the things that we do to make sure that we're governing our clients and our data and the, the different stuff that we do from a security standpoint. So,

Adam Ringland: well, I mean, hopefully a lot of the folks are, have watched the first eight episodes if they have [00:01:00] a lot of this stuff. It culminates in what this is what we're gonna talk about today.

Jason Null: Thanks for coming. Peace, peace. Peace. We're done. It was great talking to you guys. Yeah. I mean, yeah, just watch the first date. That's, Hey, you're good. Put it all together. Right. I'll come back for 10 cause ten's gonna be awesome. 10

Adam Ringland: help you save money. So you'll want to come back for that one. Yeah, that's

Jason Null: true.

No, I, I agree with that. I mean, we have talked about IT governance, coming to this, to this point. Mm-hmm. Everything that is built on in the last eight episodes has somehow touched on this subject. Yep. Um, I mean, one of the big things we can talk about is just computer auditing. Right. Um, we have some tools that do auditing on IT systems for us so that we can maintain different security levels, different requirements.

If it's HIPAA, PCI, different compliance areas like that. I know Doans you work on, you work heavily on this. Mm-hmm. I know you have some spreadsheets that have lots of, lots of colors and lots of like green Yeah. Lots of like, you know, government standards in them, [00:02:00] FBI standards and different things that you've accumulated over the years to kind of make sure that our clients are.

Our partners are following into these. Yep.

Austin Doans: Yeah, a lot of compliance, uh, and a lot of different categories. A lot of things that I, you know, came up with myself over the years that I determined to be best practice just based on things in the industry. Um, even yeah, culminating to different things like. Um, like one of the things you just talked about, the FBI just came out with new, um, compliance standards for security to prevent like ransomware.

Um, they just updated their policies and procedures there. Yeah, I mean, the, the, I mean, I, I manually go through and check a lot of things, but we also, like you talked about how tools that, that automate those things as well. Mm-hmm. And so we, we check those things. Uh, myself and the other team members check those things, uh, monthly or so.

Um, if not, you know, every time you get it, we get into your environment

Adam Ringland: really. Right? Yeah. Auto automation's only good if it's working. Yeah. Yeah. Like, like we kind of talked about earlier in different [00:03:00] conversation today, it's like automation's great, but someone still has to check it every once in a while.

Make sure it's

Austin Doans: plugging away a hundred percent. Yeah. And I mean, and. My goal has always been, you know, like I said, to check it every time we're looking at something, right? Mm-hmm. So I'm already logged in. What the heck, right? I mean, you look around, you make sure you double check, triple check, check your own work, somebody else's work, um, make sure everything looks.

Looks good.

Jason Null: Yeah, I mean, we talked about those three, uh, kind of, we didn't talk about it yet, but three pillars of it coming together to give us this governance, security, it risk management, and then computer auditing or, you know, system auditing, bringing those together to form this piece to make sure that we're secure.

Yep. You know, we're doing the things that we need to do. Um, we're making sure our partners are safe and they're able to do their business, you know, without their buy-in of this. Sometimes it makes things difficult, but at the same time, we're there to help protect them. Mm-hmm. But at the same time, be able to drive their business and make money.

Right, right. And that's what we're all in the business for. I mean, unless someone's [00:04:00] a nonprofit, maybe, but they're still have a end goal, which is maybe take care of somebody. However they're doing their nonprofits. So I love, I love looking at your, your, what you guys do and how you're continuing changing, because I know as soon as you write it down, there's a new standard that comes out tomorrow, right.

And it's changed again pretty much. Then you guys, it's like, you know, your sheets, all of a sudden they're green and you take the weekend off and you come back and now there's like three new categories and things are red again, or you know, yellow for caution or whatever you wanna look at it. Yep. And it's just constant.

Adam Ringland: and from from Nate's side too, I mean, he's, he's been, you know, or the vCIO department's been also been instrumental in working with our partners, um, and trying to help get some of this finalized into the finish line to, to get as much green as we can because without their buy-in, and unfortunately that happens a lot, you don't get the buy-in.

They don't take it as serious as. As you want to, and there's a fine line you can, you know, put the gates of hell up on 'em and that scares 'em. [00:05:00] But there's gotta be a happy medium. And I, you know, I think that your department over

Nate Jewett: there is not good actually sitting down with somebody and have a conversation too,

Adam Ringland: versus an email where they're like, email, this is, is glib, bloop.

Nate Jewett: You know? Yeah. You're having a meeting about a bunch of other things. Yes. That also go into the risk management type stuff and making sure assets are updated and that kind of stuff goes into hand in hand with that as

Jason Null: well. Yep. Yeah, having newer hardware, newer equipment too, whether, you know, the firewalls have.

You know, the right kind of next generation security in them. It's not something old or consumer grade. Uh, obviously we, we find in businesses a lot, there's con what we consider consumer grade equipment. It does not have the bells and whistles that we wanna see from a security standpoint, right? They're not able to run like Umbrella.

They're not allowed, they're not able to do inline, you know, packet sniffing and different stuff like that. Doesn't tell us if neither's new firmware, right? Yeah. Don't tell. Yeah, and it doesn't, I mean, and that goes back [00:06:00] to automation too, and being able to have something that's automated to pull down patches, to pull down the right things.

And so, yeah. You know, businesses, lots of times, I'm sure, Nate, it's probably difficult when we bring in a new partner who may have consumer grade equipment for them to understand why and uh, right. I mean, what does that conversation usually look like for you guys? Sometimes it's a good, it's a lot of yelling.

Nate Jewett: Sometimes it's a good conversation. You know, they'll be receptive to your ideas and want to make the best changes that they can for their organization. Then other times they can't really see it. They're like, no, my business has functioned just fine the way that it is. Why do I need to change? That's the harder conversation there, right?

It works today. It works today. Why should I, why

Jason Null: should I change it until you show 'em the firewall logs and someone's been in their network for months and like owns out their data and then they're like, oh. Yeah, I didn't know that my, my son put in my [00:07:00] router for me. Mm-hmm. And he put on this, you know, you know, or the, or the other open source

Austin Doans: thing, piece of

Nate Jewett: is, uh, they don't, they don't care about me.

Right. They're never gonna, I'm never gonna be one of those people, but they do care

Jason Null: about you and that, and that comes that's. Interesting you say that because, Maybe at one point in time, not, yeah, but since everybody has cyber insurance now, right? Mm-hmm. They don't care who you are because they're just hoping that your comp, your cyber insurance is gonna pay, pay out, right?

Yep. That you're gonna file a claim. Yep. And that, and they're gonna get their money. It could be 10 grand, it could be 20 grand, it could be 3 million. It just depends on the size, but every, every organization, I think today is a target because you, you're insured, you know whether they have. Cyber insurance or not?

Correct. And most places we come across do, um, lots of them. Uh, one of the, we've talked about this in the last, uh, eight episodes too, is that. You know, lots of times cyber insurance is now driving these standards for us. Mm-hmm. They're doing audits finally. They're [00:08:00] trying to make sure equipment's up to date.

They're wanting enterprise, you know. Great. Which is helpful

Nate Jewett: when we go to talk to the partner as well, because we can say, you know, your cyber insurance is requiring this. Do you want to commit fraud or not? Right? Or do you want

Jason Null: your premiums to triple or quadruple? I mean, we've seen premiums go from, oh, it's a thousand dollars a year to now it's 10.

Yep. And nobody wants that. Okay. Mm-hmm. I can spend a thousand dollars on a good firewall and then be compliant. Now still it's a $9,000 savings. Right? Right. Or $8,000 savings once you pay the premium and they're able to then check that box and say, yes, I have two factor this and oh, uh, funny is, we talked about this, we just recently.

Had a partner that we were talking to and you know, with another IT firm, they tried to enable two factor, right? And at right here it comes back down to the business need. And is the business able to run Well? They weren't right. They need, they have the need for it. They need it. But however it [00:09:00] was set up, they were giving like scenarios that they were being prompted every 30 minutes for.

Yeah. It was two factor then. It was. It was so in the way they're like, we can't do this, we can't work. And I mean, they turned it off. Yep. So we went from, you know, Having at least something to now, there's nothing again, which is kind of scary. It makes me worried that how many times or what's going on. But if we look at their Office 365 logs, you could just probably see user accounts being just hammered on as somebody's trying to break into them.

Eventually it's gonna happen. Obviously two factors coming. Again, it's coming in a way that I know Doans, you've rolled out two factor for clients like crazy. Yeah,

Austin Doans: I mean, I mean, everything's evolving and advancing, like you said. So I mean, these days best practice is not to use, you know, less secure methods of two factor authentication.

So, I mean, we, we've pushed in the past just for any two factor because, you know, that was, something's something to start, right? But these days, I mean, SMS is the least [00:10:00] secure method of, of two factors. So that'll be a next step that we. We implement or try to get implemented as to, to remove that, that as a factor.

Jason Null: I mean, if you say and SMS you mean text messaging, right? Right, right. Yeah.

Austin Doans: Okay. Yeah, cuz I mean, you're not, these, these acronyms are hard for me. Yeah. You're not your, your, uh, your cell phone number. Your cell phone can be, Can be spoofed fairly easily. Um, same thing with like a phone call. If you get a phone call to your office phone, something like that.

Yeah. Uh, it's easily, uh, in, you know, taken in the middle of its process and Right. Manipulated. Um, so, uh, like I said, it's always advancing. You know, the best practice even for that over the last few years is to get like a dedicated app. Yeah, like the Microsoft Authenticator app, Duo, Duo app, anything like that.

Um, but even one step further than from that these days, um, Microsoft and, you know, NIST and FBI have been recommending, um, either passwordless authentication, which would be a, a great thing for everyone. I think you won't have to remember your password [00:11:00] at all anymore. You

Nate Jewett: mean like biometric

Austin Doans: stuff?

Biometrics, yeah, face scans, um, you know, fingerprints, that kind of thing. Um, or phishing resistant MFA, which is things like carrying a, a security FIDO key with you. So you could buy like a $20 key and have it on your right, your actual key physical keys and use that as like your digital key and you plug it into your laptop or you tap it on it or something.

And you know, that's a way to not maybe, You be hacked and phished, that kind of thing because it has to be on you. Right? Um, other methods include, um, things like, like I talked about, like, like more biometric authentication. One, one is like a Windows one called Windows Hello for Business. Yep. Um, and then another thing is like, it's called certificate authentication.

So that's provided by either US or your business. And it, and it verifies you are who you are. So, And things we might get to eventually, but, [00:12:00] um, it's really, like we talked about, it all comes down to what's best for your business and the time. Um, you know, what isn't gonna impede your workers as much as possible, right?

But it's also gonna provide you with the security level that you need. We've done

Nate Jewett: a lot of that too, to try to make it. As convenient as possible for the end user. Kinda like you were talking about with this one partner. You know, we would obviously want to do it for them that they're in the most secure way possible, but to where it's not impacting the end user from being able to

Austin Doans: perform their function.

Like I, like I said, these all evolutions of things that have, have come in the past and have. Have come, you know, like if you just think about this in the way of, of passwords, right? You know, used to be, Hey, whatever you wanted. Yeah, it didn't, it didn't matter. Um, you can make it your name, you can make it password, whatever.

Those ho hopefully those days have come and gone. Um, so they're requiring longer passwords. Um, or, you know, More complexity, you know, whatever it is. Um, you know, it just, [00:13:00] it's an evolution of those kinds of things. So I should change

Nate Jewett: my password from Nate is cool. 1, 2, 3.

Jason Null: Yeah,

Austin Doans: maybe, maybe. It's good cuz nobody really thinks that

Jason Null: maybe it's true. It's interesting you say all these different methods for authentication and I don't even really think about it because, you know, you pick up your phone, it unlocks for you and it's unlocking cuz of my face, my, my poor thing.

I know my, my obviously my MacBook, um, Air has fingerprint and I love that. Or my watch. Yeah. I, I love sitting down at my computer and my screen just unlocks. And then I am like, how did it do that? And I realize that my watch unlocked it and I love that cause it's something I have. Mm-hmm. And it's been authenticated too, because I have a passcode on it.

So, you know, you can't just put my watch on, um, and, and be able to get into my computer. So. All these things are being unlocked in one way or another. It's, it's just kind of neat that we're moving to that. I'm glad to see that. I know. It's

Austin Doans: inconvenient. That is the future. And it has been the future. Yeah.

Over the last five years or something. It doesn't want, it actually gets implemented. It's [00:14:00] coming slowly. Oh yeah. Um, but it's, that's gonna be everything. There's not gonna be

Adam Ringland: passwords. Yeah. There's not gonna be a choice. And that's it. And it's explaining it in a nice way to the end users that. Hey you.

You're not even thinking of it, but you've been using two factor for some of your stuff. Mm-hmm. A lot longer than you know. Yep.

Nate Jewett: You have to put in your zip code at the gas station. Gas station pump. Correct.

Jason Null: Same thing. Or just even a pin on an ATM card. That's two factor physical. It's something you know, and

Austin Doans: something you have.

Right, and it doesn't have to be hugely painful. I mean, it really, really doesn't. These methods. Can be implemented in a way that really doesn't impede your business or Right. You know, in your individual. You know, it's not hugely annoying. I mean, it's

Jason Null: managing the risk, right? Yes. In the end, you know, so that, you know, it's not so much that's crushing my business, but I'm managing the risk that I'm not as big of a target as somebody else who doesn't have it now.

Right? So somebody tries to hack into my account. Well, I have two factor. They're gonna move on. Right. They're gonna go to the next business and they're not gonna have two factor, and they're gonna [00:15:00] get in, they're gonna leave me alone. And so I, that's, that's always that risk management for us is, you know, making sure that when somebody does first knocks on the door and they try it, it's locked.

It's like, all right, moving on to the next house. Moving on the next one. Yeah, I think it makes me think of the stormtroopers in Mos Eisley knocking on the doors and it's locked and moving on, you know, looking for Luke, but it's.

But yeah, I mean, so it's that always that risk management. So from a computer standpoint, with computer auditing, can you guys tell me how we're doing that? What maybe, uh, you don't have to mention tools. You could talk about the tools and stuff. How does that work for us? I mean, is that something that's happening every minute of every day?

Austin Doans: I mean, auditing happens in a lot of different ways, right? That we talked about a few before. I mean, there's manual automation that I and other people do. Um, there's automated automation and, um, you know, those, those takes many forms. So we have a lot of solutions that that [00:16:00] audit have logs. You know, those things are, are automatically generated and, um, kept for a certain number of days.

Sometimes it's by what we say, depending on how far we wanna go back and check things. Um,

Jason Null: so, you know. And are these logs like being sent to you guys in a lot of cases and you're reviewing them? Sometimes

Austin Doans: it depends on, you know, what we're looking for in the product. Um, you know, sometimes, you know, the logs are generated and kept a certain number of days, like I said.

And if there's something that flags. You know, a certain event in those logs that are flagged, it gets sent directly to us. Um, other times they're just sitting there in case we want to go back and check, you know, certain events, certain things that happened.

Nate Jewett: If you're looking for something specific,

Jason Null: you can go back and yeah, I can imagine how many logs you guys are looking at.

So it's good that we probably have automation tools. I mean, you think about firewall logs, you're looking at PC logs, server logs, and being able to scrape those and pull 'em back to a point to have reports to generate and looking for, you know, The red flags.

Austin Doans: Right, right. I mean, there, [00:17:00] there are obviously certain events that we would wanna be notified of right away.

Jason Null: Um, there are, you have like a siren on your car when that happens. When you turn it up there you go rushing over and fix it.

Austin Doans: Yeah. It's like the bat phone, but, uh, No. And then there's other events that are just informational, right. That will, we may be useful later. Yep. I mean, you know, something we don't want to get a 32 emails about.

So Yeah, it's an alert.

Adam Ringland: It's not a

Austin Doans: critical alert. Right. Well, maybe we wanna go back and see, you know, if the server was off, turned off to reboot at some time. We don't need to know every time the server reboots, because that happens. Uh, it's on, those things are automated. It's for updates and things.

Mm-hmm. We don't need to know when that happens every time. Um, but yeah, I mean, like I said, you know, in that scenario there's, there's times when we would check those logs, you know, manually. Sometimes they're automated. That happens in a lot of different places. Um, not just for that, but, um, you know, for. If you go to look at certain security events and things like we have, we talked about earlier about the software we have that goes through and [00:18:00] monitors compliance and those kinds of things, um, there are goals and bullet points of things that we wanna make sure are happening.

Um, and so, you know, those, those reports are done, like I said, maybe monthly, maybe. More so. Um, and you know, sometimes we'll be alerted of things there that need to be fixed. Um, other times again, it's just manual of just me or someone else checking those things as we see them every day. Yeah. Or, or when we have time, you know, on a monthly basis or something.

Going through and running through. Um, you know, a, a pre a procedure sheet of things that we think we know should be turned on or, you know, should be looked at, and we're just continually doing those things or recommending, you know, greater security in times where that's appropriate for. The client

Jason Null: or whatever.

Do you find existing partners are harder to get to do that? Or do you find new partners maybe are more open to having that kind of stuff done and working? Everything is [00:19:00] situational. It is? Yeah. That's Depends on the

Austin Doans: person. Yeah. Always depends on the person. And if you're just, we're just talking generalized.

Probably the, uh, the person who's been with us a while and is already used to a certain standard is harder to. Break it. It's hard. Yes. Harder to explain those sort of things. Um, maybe it's not Cause they understand how and they trust

Jason Null: us cuz they've been with us for a long time. Right. And they understand how

Austin Doans: fast the industry

Jason Null: moves.

Yeah. The industry is definitely moving fast. I think about like the, the, we call our tool sets and our stacks. Right? I mean, we only use this much of products out there, right. I mean, there's just hundreds of products. Mm-hmm. And then I think about what the, what what it takes for you guys to. Look at logs, look at reports, and I'm like, oh, it's probably easy.

And then I'm like starting to dive down. I'm like, wow, you could just spend a day in one of our products just looking at security information, assessing risk management, tweaking things, and then the next day go somewhere else and do something else. And never percent. You [00:20:00] could just spend days just by the time you're done, you're back to the first Yeah.

Platform. Yeah. So, absolutely. And I do that so our partners just know that we're bored. Yeah. For your benefit. No, it's just gotten way more complex. Um, but the information is even better than it was in the past. And having a lot of the automation, a lot of the risk as risk assessments and the audits going on is a good thing.

Just like, you know, having, we used to use. Antivirus, which we still do, right? But running the next generation MDRs, um, constantly tweaking things, having firewalls. We've talked about in the past, the next gen where when you click on a link, the firewall is verifying that link from your desk now for you. So it's got inline ability to just watch what's going on, email, making sure that it's capturing stuff, and mm-hmm making things, making sure things are clean before it even gets to you.

And there's so many layers. Of our security that we put in place, and then stuff still gets through, [00:21:00] which is always amazes me. It's like as soon as we shift to block something, somebody finds a new way

Austin Doans: around it. So, and security's always, how high do you want to build the wall? Right? Right, right. You know, you can always make a ladder that's higher than the wall.

Mm-hmm. But how much do you want someone to, how many hoops do you want someone to jump through? The

Jason Null: wall over here is a little bit lower. I'm just gonna go mess with that one. Mm-hmm. Instead of trying to get up this one. Yeah, that makes a lot of sense. It's a great analogy. So you guys, anything else to share?

Anything coming up? Security, like, you know, meetings you're going to security? A security mixer? Yeah. Yeah. Security mixer. I mean, what's that like? I mean, is it just like, I'm going to one tomorrow? Yep. Yeah. Yes. A bunch of guys standing in corners not talking to each other cuz they didn't wanna give up too much information.

I don't know. I'll find out.

Nate Jewett: Just make sure you turn your phone off before you walk in.

Jason Null: They probably have you check it in frisk you make sure you're not wearing any wires so they could talk about it. So. Well that's cool. I mean, there's, there's a lot to this. Um, we spend obviously Doans, uh, Austin, you spend hours [00:22:00] doing stuff, uh, which why you're obviously not a very happy person because, no, I'm kidding you.

Um, but yeah, I mean, I, I, I love what you guys do. I love seeing the reports. I mean, even for us recently when we went through the FBI evaluation there and to love to see what your team has done with where we're at, I'm like, that's awesome. You know, to know that we are, we're secure, like that, we're up to these standards and we're, we're even achieving higher ones at times.

Mm-hmm. Is awesome. So I hope we're do, we're obviously, we're doing that for our partners. I hope they appreciate that. And, you know, as businesses come on board or even, you know, sit down and watch this, that they take away something from it that, you know, this is not, you know, it, it's not easy. It's serious.

It is serious.

Adam Ringland: It's, it's a serious business. And you should, yeah. If you're not big enough to have a full, you know, managed service provider and Yeah, yeah. I would just say even then, do your, do your due diligence to make sure you're at least

Jason Null: covered on the basics. Yeah. Make sure you find somebody that can help [00:23:00] you.

Yeah. I would go as far

Austin Doans: as to say this is the most important thing True is done for a business. I mean, cuz if, if, if a lot of things insecurity aren't done, I mean, your business could disappear in the matter of a day. Yeah. Easily.

Jason Null: Yeah. You, you could be out of business in minutes. All your

Nate Jewett: hard work, ACH payment sent somewhere that is not a valid address.

Jason Null: Ran. Or one somewhere, or one fi or one entire server encrypted. Yep. And you're done. Yep. And then your backups are encrypted. You're done. You know you're out of business.

Austin Doans: Yep. Or you gotta pay a million dollars for a ransom or something.

Jason Null: Yeah. Right, right. I mean, we've seen it, unfortunately. So. Well, thank you guys.

Yep. I'm gonna wrap us up here so we can get on to episode 10, which is gonna be really exciting. Follow us on Facebook, YouTube. Instagram and you're MySpace page. I know you're keeping up the date. Yep. So it's Tom.

Adam Ringland: I had one new friend after last one, and then I think he watched an episode and now he's not my friend anymore, so Okay.

So I'm still

Jason Null: just Tom, so come back, check us out next week. He probably didn't [00:24:00] like your featured blank saw on. Check us out next week for episode 10. We're gonna talk about IT budgeting, save you some cash. Yeah, and then how the vCIO office helps you do that. And you know, and we'll have some other people in here, some new guests, so we get to see some new faces.

So thank you guys all for coming. All right. Check us out again. Twitter, Facebook, MySpace, all those great places.
