In an already disruptive space, the changes happening, both big and small, have an even more significant impact. We are part of the ongoing evolution, and if we don’t adapt, then we risk finding success, let alone staying in the game. Anoush D’Orville is very familiar with this fact, having been in the industry for years to finally establish his own company, Advisory Solutions. In this episode, he tells us about MSP and how he is providing technology solutions to clients from different industries. He talks about the importance of organizational buy-in in navigating changes, especially with the acceptance that technology is crucial for success in this day and age. Anoush then dives into what forms the basis of a good IT strategy and highlights the importance of cybersecurity. Businesses and organizations must confront the present threats and risks in this technological age. Let this conversation with Anoush enlighten you to take a step towards securing your future. Tune in to not miss out!
—
Watch the episode here
Listen to the podcast here
Advisory Solutions: The MSP To Businesses And Organizations With Anoush D’Orville
We have a great guest who is a serial enterprise partner with companies like Apple, Cisco, Dropbox, and Google, a linguistic artist, fluent in both English and French, a top-tier appreciator of employees, and the CEO at Advisory Solutions. Welcome, Anoush d’Orville.
Thank you. I’m happy to be here, John and George.
It’s great to have you. We’re going to jump right in here. If cyber risk was a pizza and frameworks are the crust, what’s the riskiest topping you’ve seen? What topping would you equate that to?
I thought a little bit about this question. The answer is probably buffalo chicken and the main reason because as you take the cybersecurity analogy, it’s the perfect thing where you take a topping that has no business being on a pizza and cobble it together into something that is then consumed by people. That’s something that we see quite a bit across our work in the general cybersecurity sphere. People are going out and buying all of these mismatched pieces and putting them on a vessel. They don’t necessarily go together and, in some cases, aren’t the best strategic moves. They decrease security in effect because there isn’t a larger strategy behind it. I’ll stick with buffalo chicken on this one.
That’s a pretty good one. I can see the sauce being like ranch and cheese. Maybe a little blue cheese on that one. Patent pending for pizza.
If you think about it, there are situations I’m sure that you guys had, when you walk into and you look at all of these different patchworks that are there. You guys are in strategy and you see it all the time. Sometimes things are done in isolation. You’re like, “I’m not sure how those two things ended up together.” I feel like that’s a perfect metaphor for what a topping should not be on something as delicious as a pizza.
Do you know what comes to mind? This is great. The very first thing for me is we often see certain environments where the cybersecurity is so tight that don’t want any risks at all. People can’t get their work done at all. It creates problems. We still see that in most traditional brick-and-mortar companies still have technical debt and those sorts of things. What comes to mind for me is, “Did they leave the bone in the chicken when they put it on the pizza?” They’re not even going to stop eating at all. There shouldn’t be any bones.
You need a change management board to agree to take out the bones before you can eat the pizza. The bureaucracy itself, we can belabor the metaphor a bit here but there are a bunch of things that we can pull for it. You see, the buffalo chicken was a good one here. I will stake my claim but that’ll be the best topping that you guys have on season 1 before you go into your season 2.
It’s one of the more creative ones that we’ve heard. That is great to hear.
I thank my local pizzeria for motivating me, as a point of reference.
Did you take a look at their menu?
Shout out to Home Slice.
As a CEO of the business, what keeps you up at night? What do you see most people worrying about?
As an MSP, we focus a lot on the Mac OS world. The one thing that we see quite a bit of is this convergence or at least move to the cloud where the machine itself is less relevant than the actual cloud solutions that are in place. Especially where Macs are a smaller portion of the larger enterprise strategy, what tends to happen is that things are thrown into place in order to check a bunch of boxes like enterprise says this for SCCM. They have a 30-person team then they bring in a contractor for the Mac.
All of a sudden, you have these 80/90 machines that are usually used by senior leadership in these organizations that become these huge vectors for vulnerability. It’s almost out of sight out of mind and the more people are given the choice, whether it’s in higher-ed, in an enterprise, or a nonprofit, if you don’t look at security or even IT strategy as a whole in a universal way, that for us is the biggest concern whenever we manage a client.
We then go back to all of these concepts like change management, introducing different tools that may not be the right tool set for the Macs but are for the Windows, and how they try and shoehorn those things in. Those tend to be huge points of concern for us. The other piece of it is this move towards security questionnaires for everything. There are 30-page questionnaires of, “What do you do for X, Y, and Z?” The other corollary side to that are companies that may be on Mac, for example, but get tools in order to get SOC 2 compliance.
They’re like, “We have these policies that Vanta spit out for us and we put in an AV and we have an MDM and we’re done,” but there’s no actual thought that is put behind bringing all of those pieces together under one large overarching strategy. Those are 2 different areas that we look at, 2 very distinct problem sets often have the largest impediments to change, and 1 of the biggest tasks that we have going in and helping people align themselves a little bit to a more transparent way of looking at security for the whole organization.
That’s one of the reasons that we take a look at these frameworks and how to apply them across networks or devices, whether they be Macs, PCs, or whatever. Those frameworks are getting to be more standardized, can be applied, and help make sure that those bases are covered. There are many times that we see the checkbox theater or somebody saying, “Sorry, but I’ve met these,” but with the right way of doing it, those cybersecurity questionnaires that you’re talking about become much easier and built-in.
You point to your policies and that’s probably what everyone reading this and you guys see quite a bit. How do you get organizational buy-in? That’s also one of the biggest challenges because it’s not just IT strategy but IT strategy is now the domain of finance. It’s now the domain of operations. It’s now the domain of people ops. It’s now everyone’s domain and because it all links together, you need buy-in from every single department. Otherwise, you get this piecemeal approach.
When we talk about what concerns us and what worries us whenever we inherit a situation like that, those are the first things that we have to tackle. First, you educate and then you get buy-in then everything else can flow from there. You also have companies, for example, that will do half of it. There’ll be like, “We got an MDM but SSO can wait because Okta is too expensive and Google Workspace, SSO, or Azure SSO. We’re not so interested in doing it now. We have to buy our licenses. There’s the concept of SSO tax.” All of these things are extremely difficult concepts to be able to take an organization that doesn’t think about security in a structured thoughtful way and bring them to a place where true compliance and security are at the forefront of a lot of their departmental decisions.
The framework is that, at least in this country, we love squishy when it comes to risk management. We’re a country that has a great structure in terms of having checks and balances. We have judges, laws, and those sorts of things. A lot of these statutory requirements, the things that are required by law, comparatively to industry requirements, you’re still all pointing to some foundational framework.
What’s interesting about it is in the technical world, we like prescriptive. If you’re talking to a tech, you’re like, “Is it blue or is it red?” It’s very analytical in nature. Yet now with cybersecurity becoming more litigious, it goes into the argument sense of the American way. It is to argue. If I can do it in the courtroom, the worst thing you can do is be prescriptive. They use the word reasonable. What’s reasonable?
Generally, that’s what you learn as cyber becomes more litigious. Something that’s hard for the technical person to grasp is when you approach them and say, “Do what’s reasonable.” “Blue or red?” “No, we got to do what’s reasonable.” “What do you think is reasonable?” That’s like you want to see a technical person’s head explode. That’s one way to do it is, “It’s either going to be right or it’s going to be wrong.”
It can sometimes be a bit of a challenge in the world of what we consider to be prescriptive controls like an ISO 27001 is going to have some pretty prescriptive controls, the FedRAMP, and the NIST body of work as it relates to prescriptive controls at certain levels. You get into NIST CSF, which is ruling the cyber risk world in the US anyway because that’s the standard that we’re headed towards. It’s all about reasonableness. How do you get somebody? Somebody has to decide out of business what is reasonable.
That’s always the challenge, isn’t it? It’s like, “Here we are prescriptively wanting to and going to configure it this way and it’s going to be this way.” “You may have broken the law. We need to involve the attorney.” “What? The attorney? What are you talking about? I’m a technical person. I don’t want to be with the attorney.” It’s going through those throes of getting comfortable in this new world and what we’re learning is that frameworks are great but somebody still has to make a decision.
Everyone has to understand it. You bring up an interesting point in terms of the evolution certainly that we’ve seen over the last 5 years and exponentially increasing over probably the last 2 to 3. For people within the MSP space, if you haven’t adapted, I know cybersecurity is this big hulking overarching term like the word hacking. It doesn’t mean anything in isolation and it means everything all at once.
If you do not adapt your practice to understand all of those, when I mentioned those departmental needs, you have to be able to get finance and be able to get legal in because, in those frameworks, we’re going through our SOC 2 as we speak now. Every day, I have packed meetings of fieldwork that are being done and all of those in many respects touch all of these different aspects of the business. Sometimes down to like, did we do background checks on people?
That has nothing to do with IT but did we onboard that person with a specific roadmap? Did we then validate it? Was there a change management order put in place into our system and a ticket that followed it? Those are all pieces that flow out of it. The modern-day IT company has to be able to have an element of understanding around security and stakeholder buy-in to be able to be successful, at least in the world that we live in now.
That’s one of the things that maybe COVID accelerated in a lot of respects where companies that were so comfortable in being in place saying, “We’ve spent $100,000 on our network stack and we have all these incredibly beautiful B-lands and everything is segmented off.” That doesn’t mean anything when your laptop walks out of that office. Everyone has flipped that formula on its head.
To go to your point, George, look at it from this multi-departmental framework at least in the world that we live in. It may not be everywhere but it’s in the world that we live in, which are usually small and medium-sized businesses. They tend to be huge to the creative. The stereotype of Mac company is generally who we work with.
You’re going to have people that are a little bit more tech forward-looking but never used to talking about security. Now, it’s literally all they talk about because it’s all their clients talk about. It’s permeating and we have to educate ourselves in all of those frameworks at least to a cursory enough detail that you can sit down in front of general counsel or CFO and be like, “Here are the reasons why money. Here are the reasons why legal,” then you can get a whole team of buy-in.
That isn’t always the hard part though. It’s the buy-in. They can say that they’re doing it but whether they have bad behavior or not is often a cultural issue. If you don’t have control over those departments of your customers, the customer is going to have to make those decisions. Let’s face it, the traditional CEO tends to be a little bit older but none of them are always thinking about cybersecurity. That’s changing now because younger leaders are more technology savvy but a lot of them would say, “It’s got a blinking light. Send it over to the IT guy, CEO, CMO, or whoever it is.”
That’s an IT problem. I don’t know tech. it’s those sorts of claims and so now, that’s what lawmakers are saying and why we see these frameworks. They’re saying, “That’s enough.” CEOs, I’m sorry. If your company has a problem with marketing or with finance, you’re rolling up your sleeves and you’re getting in there.
You can’t say, “I see. Throw it over the fence.” That’s the core reason behind some of these laws. There’s a generational change happening in leadership and it is somewhat invigorating to see new CEOs but seeing older CEOs understand they have to be involved is more exciting because at least, they’re changing. Are you seeing that in your customer base where the owners are, “I don’t know the tech?” They’re not even interested at all in learning even a little bit.
I’ll go back to stereotyping who our clients are. It’s pretty easy to figure out. We worked with a lot of start-ups in the last few years, certainly, and the inevitably younger hue of CEO that came with a lot of these start-ups, the era of a lot of free money, frankly, that was flowing around for a few years responsibly or irresponsibly, brought about a different mindset around how technology was leveraged.
It’s not always for the better but I do think that many of the enterprises took notice because these companies were raking in $100 million of investments and all of a sudden, presenting a challenge to some of the more established enterprise companies that had these long, slow trajectories of 50 to 60-year growth. The adaptability to the ecosystem forced a lot of those enterprise teams to rethink their approach to technology.
Now, as we all know, change in a large enterprise is extremely slow and laborious but that change was even talked about. I’ll go back to Mac being an enterprise. The fact that Macs were even allowed in some of the big law firms or Macs were allowed in some of the big healthcare enterprise companies. That represented a seismic change of thinking around what was and was not secure and that very definition then permeates all of the other strategic questions.
The short answer to your question, George, is that 100% we see it across young and old companies. It doesn’t make difference between more seasoned leadership versus younger leadership. Everyone understands at this point that technology is the key to it. We used to walk around for our pitches and I’d go to the firewall. I’d hold the ethernet cable and be like, “This is why IT is important. If I unplugged this, would you be able to go about your day?” Everyone’s like, “That’s a good point.”
It was like the easiest point to prove why technology was so important but now, you don’t even need to make that argument because it has become understood that whether it’s Zoom, WiFi, security, email, accessibility, or collaboration, all of those are strategic decisions. John, the silver beard may take umbrage a little bit with the gray hair CEO, the older CEO. I saw him smile there. I just wanted to point that out.
Anoush, tell us more about what Advisory Solutions does for their clients so that you’d help them with the regulatory requirements with Macs. Tell us a little more about what you guys do.
Advisory is a pretty traditional MSP, a Managed Services Provider. The easiest way to describe it is a managed services provider is like an outsourced IT department. Our goal is to do everything from designing infrastructure, building it, implementing it, and supporting it. The way that we generally look at IT as a whole, we call it certified IT strategy which is again this big hulking all-encompassing term but it’s built on three pillars, which are endpoint security and management, identity security and management, and network security and management.
Ultimately, how those three things interact with one another is what forms the basis of good IT strategy. We have a pretty standard stack of stuff that we work with. We’re huge Jamf proponents. We’re huge Okta proponents and Cisco Meraki proponents. All of those are strategically chosen because we generally think that they’re best in class but for us, they’re also helpful because they tend to be good one-to-many solutions.
For a team of eighteen people with several thousand endpoints under management, you need good one-to-many solutions. There’s a lot of API work. There’s a lot of security that goes along with that but we don’t want to repeat manual tasks and so much of what we do has to be centralized in the security stack that we do. Within each of those buckets, there are a ton of different things but our goal is to really help people understand through those simple lenses. What are the things that you need to achieve?
Change is not overnight and that’s why as a managed services provider and frankly, how I eat dinner is that we do this over time. This is an iterative process that changes with technology as technology changes. We help organizations adapt to that change in a way that I’d like to think is pretty seamless for them. That’s a 30-second elevator pitch. How did I do?
It’s interesting. I see Jamf and I originally, “Mac,” as always. It’s the default on that. PSA, whatever your stack is in IT services. John and I own an IT-managed service company so we know the ups, the downs, the backs, and the forth. One thing that we’re wholly aware of is that cybersecurity problems are constant for an IT service provider starting with the fear of you trying to be helpful. You tell your customer, “Here are some things you need to do.” They’re like, “I don’t have the budget.” “You need to do that.” “Maybe next year.”
Let’s face it, some of them have short memories and they have issues. If they had done what you had suggested, they wouldn’t have an issue and immediately, they’re pointing to you, “How could you let this happen to me? You’re my IT service provider. How come somebody got in? I thought you were doing your job.” The tides of the relationship can change.
In talking to a lot of MSPs, I’m curious if you have a similar challenge. Even if you are not essentially selling your security services because customers keep saying no, often, do you find that they come back and go, “You’re not doing that for us?” when they have a problem? “I thought you were doing that for us. I thought you were taking care of all those things.” Is that still the case because that’s what it was for us and the problem we try to resolve.
What’s interesting is it manifests itself in two ways whenever we advocate ongoing education, whether it is security trainings. Security trainings have gotten great. A lot of these companies have gone out and bought production companies so they’re not these mundane, horrible twelve-minute videos of us spotting a spoof. There’s good content out there.
We’ll have some clients come to us and say, “Why don’t you just do the training?” That doesn’t necessarily mean you’re running on for 1 hour or 45 minutes sitting and telling everyone, “This is how you spot a spoof for a phishing campaign or don’t go buy that gift card when your CEO texts you and says, ‘I need these Apple gift cards.’” Those types of things aren’t as effective as these little pockets of training that are more importantly tied to larger initiatives.
Those are the building blocks and that’s where we get the buy-in. We start with the training because that’s the check mark that you need to do for your compliance frameworks but then, to make people interested in the training, what we found was phishing campaigns are a fun way of getting everyone involved because we won’t tell anyone. 2 or 3 people will know and sometimes, those 2 or 3 people that know end up falling for it but we won’t tell anyone. When you do the presentations around it like during quarterly or semi-annual meetings, everyone is always like, “Is it you?”
There’s a different component to it but the idea there is it’s cute and fun on the one part where people feel like, “They got me,” but on the other part, it helps inform leadership to show when you have 16% of your company giving away credentials, don’t worry. There’s MFA and all of those things but that only protects you to a certain extent. You have to now use that evidence-based approach in order to get leadership to free up some of the maybe extra-budgetary funds that would be required for additional resources to put things in like secure internet gateways running on the Mac themselves.
We implement Cisco Umbrella, for example, as a standard for a lot of companies that want that DNS layer management. That helps us understand that this isn’t just us throwing a bunch of stuff out at them with all these extra costs but one thing begets another and you have to look at it through that rubric. Otherwise, you’re shouting into a void.
This isn’t just us throwing a bunch of stuff out with all these extra costs, but one thing begets another and you have to look at it through that rubric. Otherwise, you’re shouting into a void.
That’s part of the training problem as well. There’s some great training out there but are people comprehending and consuming? It can be bland from time to time. To some degree, I always wonder. Maybe we’re going to be stuck in the training area until Tom Hanks comes back and you’ve got viruses. They would notice that because it would be a movie and people right remember. Unfortunately, Hollywood always butchers those things. Maybe there is no answer for the training that people will remember.
Throw $100 million at James Cameron. He’ll make a good one. No worries. We’ll all have the best security training videos in the world.
It’s not an avatar. It’s an Avast.
Training is always one of those things. We always say that a company can spend all the money that they want but it takes one person to answer one of those text messages. It takes someone to pick up a phone and give away information. It takes a lack of understanding. GDPR is its own beast. We talked a lot about the US side of the framework and regulations but a lot of our clients, especially design agencies, creative agencies, and things like that tend to have developers or even offices in European capitals.
Now, all of a sudden, you have to rethink the way that you do infrastructure in order to comply with what may be an opaque set of regulations. GDPR is great. From a personal standpoint, it is an important framework for people to be able to reclaim their own data but now companies have to contend with this and a lack of understanding around those things is what’s important.
An employee may accidentally send someone’s email address and mailing address to someone else within the company. You very well may have had a PII violation. It doesn’t need to be as blatant as the social security number or credit card number. The training of giving people that framework is important but one of the steps of many in order to help companies get to a place where they’re not unnecessarily exposing themselves to legal and financial implications around it. GDPR is onerous if you screw up there.
It is and that’s a big part of the point. We’ve been on the journey long enough to understand that a lot of those problems are generally not cybersecurity or hacks from a previous culture that focused on stopping the hacker. Who is unstoppable by the way? There’s no such thing as stopping a hacker completely as you could paint millions of scenarios. Ultimately, these laws like GDPR and even CCPA in California, VC, the Virginia Law, Denver, Colorado area as well. There are a lot of cybersecurity firms in Denver on comprehensive data privacy.
The regulatory train is coming and let’s face it, service providers are tied to the tracks. That will be a big change departmentally. Let’s use a fictitious name. Let’s call her Alexa. Hopefully, none of you have one sitting next to your desk. Alexa in marketing decides to send out a solicitation to a lead list and she’s breaking the laws in some of these states or in GDPR, collecting information.
Maybe she works for a healthcare entity and HIPAA covers it. It doesn’t. There are some gaps between HIPAA and some of these like California data privacy law then you’ve got New York SHIELD Law on top of that if you’re in New York. California and New York are the states that we point to. Somebody has to know this stuff. Our superpower has been trying to be that Sherpa and that navigator for the service provider but what about the end customer?
The behavior they don’t even know that they have that’s bad like in marketing these other departments. That was all the struggle that I had in helping the customer base as a managed service provider and one of the impetuses for why we do what we do is because somebody’s got to take the risk. How about us? Transfer some of that risk to us. It’s almost like the telco agency. Have you had a telco agency before or been involved in telcos that are selling circuits? It’s part of the IT layer.
Generally, they’re not put up as agencies. You don’t become a competitive local exchange carrier, do you? No. There’s FCC and SEAP. There are all these regulations. At some point, that’s where we’re going to be. There’s got to be some momentum there. When you talk about cyber risk, the reality is that it’s the litigious part of it or the insurance and the risk part of it are what a lot of CEOs and board members even are being held accountable for in some legislation ought to be interested to see how much more attentive they are as these laws.
That’s why there has to be an evolution in terms of what people understand as IT. I remember when we used to have a backup as an argument. Do you need backup? This is many years ago. That evolved to now, it’s security. How much security do you need? The fact is that if you’re a services provider, they’re all grounded in the same principle, which is, what are the strategies that you have to create security and redundancy for your purview, and the customers and the staff that you work with?
If you do not evolve to understand each of those frameworks, we don’t have a product. Doing SOC 2 for us is more of an exercise of understanding what our clients go through and also to get that stamp of approval. In many respects, it’s a piece of paper that comes out of it to say, “These guys follow the things that they follow and we attest that those policies are enforced.”
Now, that’s ultimately the challenge that many IT services companies need to face. They need to understand things that have not traditionally been part of that. If we accept that IT is now part of this larger business strategy, then we have to understand all the business strategy implications to IT and the IT implications to business strategy.
To that point, that means you got to go to events and seminars. You got to learn about those things and maybe even find some helpers. Can you tell me then what events you go to, to understand the information and be ready for your customers in these situations?
I’m going to say a young company but we’re not necessarily a young company. We just started going to events because, before that financially and human capital-wise, it was an impossibility to go to a conference for three days. 2022 was the first time we went to JNUC, the Jamf Nation User Conference. We went to Okta’s conference because thankfully, those here in New York. It made things a little easier but we’re starting to move towards a place where now our companies are fleshed out and structured in a way that we have subject matter experts in those specific fields, particularly as it relates to specific products, so Okta, security, and things like that. We’re starting to go out a little bit more into it.
The nice piece that we have as a managed services provider is that because we have a wide diversity of clients, as small sometimes as a 5-person foundation all the way up to a 2,000-person healthcare company of which we’re a piece of. We do learn quite a bit and absorb quite a bit from different strategic approaches where we nestle into an existing IT department and that helps us understand larger strategic implications for smaller companies.
I can name-drop all of them but you may have EPM products that are out there that we have not necessarily ever thought to implement on the Mac side but we see it in these enterprises. Now we can think, “How do we replace 1 or 2 products to be able to nestle this in because this checks off some of the needs that we have from an automation and reporting standpoint up to some SIEM or something like that?”
The conferences are a part that we’re starting to do. There are quite a few good Mac conferences but they tend to be distributed around the world so I don’t know that we’re at the place yet where I can start going to Objective By The Sea in Barcelona or Hawaii as they’ve had it in the past. IT Sounds nice but my CPA would be upset about that tax write-off that I tried to pull from a week-long vacation to any of those places.
For now, JNUC and the Okta conferences are probably part of the piece. The other one that I want to throw out there are the user groups. User groups are a helpful way of understanding how your peers are doing things. In the world that we live in, especially as MSPs or even people directly or tangentially related to IT, user groups, whether they’re the Jamf user groups, Okta user groups, or things like that, those meetups tend to be informational in terms of what other people are doing and how they’re doing it.
The conferences are one thing but those are a little bit more like pageantry. Once you get to the user group level, you get into practice. They have their place in the learning landscape for us to be able to continuously evolve alongside what you may get from the more lofty presentations and vendor booths and things like that at some of the bigger conferences.
I can see that. I remember also looking back on our MSP days and having to do some bootstrap techniques to get to events. There was one event that we realized was channel-friendly but also service-provider-friendly. They paid for your airfare and for your hotel and pretty much all your expenses but you had to sign a contract where you had to be their captive. It’s almost like a timeshare or getting sold the timeshare.
You were like a captive audience, so you had to commit to those three days and they’re bringing different kinds of vendors to your community, to the table like your Kaseya, your ConnectWise, or whoever is hot in the MSP space. That was always the challenge that we faced but as we matured, we got to look more toward the future. It was about the stage that you’re at where we started to, “What excites us about the future?” What excites you about the future? You’re probably starting to look a little bit more forward these days.
It’s a theme of a lot of what I’ve said throughout our discussion here. It’s been that IT is no longer the purview of the dark closet in the back with a lot of lights blinking on switches. It’s now become, you have a seat at the table. We see this in a lot of organizations, schools, and nonprofits. IT is now part of leadership committees because all of those decisions that are made in essence need to funnel through IT. Is this possible? Is this secure? Is this new vendor we’re bringing on compliant with what we’re testing that we’re doing on some of these frameworks?
It’s been a huge breath of fresh air, certainly for us as an MSP. Going back through the days when I started in IT, which was with Apple back in 1999, where I was in higher-ed, then IT was this weird silent thing where there would only be a few people that would feel comfortable talking to you. I learned very quickly that you have to be able to translate complex thoughts and processes into digestible pieces based on who you were speaking to.
There were certain things that were important to highlight. Now that language has shifted, where the language of IT is part and parcel of a lot of these leadership meetings. It’s part and parcel of a lot of the vision and budgets that are being built for companies. Startups are not waiting until they’re 100 people to then now call an MSP and be like, “We think we should probably do some SSO or MDM at this point.” You’re like, “How do you manage your computers now?” They’re like, “I don’t know. The guy has it and sends it back hopefully.”
That shift has been incredibly encouraging where we’re not doing as much advocating for the need for IT but we’re doing a lot more conversations about the strategic implementation of IT. That’s where we, as a company, thrive and that’s where anyone in the IT space thrives. It’s when you can have a conversation about what needs to be done rather than why it needs to be done.
You talked a lot about the business. What about you? We know that you’re in the New York area but tell us a little bit about yourself.
I was born and raised in New York. I tried to leave multiple times. It didn’t work. I kept coming back to the point where I did undergrad at NYU Business School. I did my Master’s at NYU in International Relations. It has nothing to do with computers but when I was younger, maybe to my parents’ credit but they worked at the UN and they always had a love for Macs. It was like this weird thing. Everything in the UN at that point were Wang computers.
I cut my teeth with MS-DOS on United Nations computers, learning how to navigate to directories, which I thought was super cool. I’d always wanted to work at Apple because of my exposure to it. I got a job on my second day of college. Apple was doing a demo on-site. I went up to them and I was like, “I would like a job with you,” and my boss had incredible vision. He’s like, “Why don’t you come for an interview?” The next day I was NYU’s campus rep for Apple for four years, then went on to oversee some of the other campuses like FIT, New School, Parsons, and NYU here in New York.
When I asked for a raise, he fired me but was kind enough to use me as a contractor then he said, “Why don’t you just go start your own thing?” A colleague of mine at Apple and I started our first MSP in 2004 after we were fired from Apple. Our first clients were a lot of these universities and department heads that needed help understanding how you put a G3 in place and why the University of Virginia was able to build a supercomputer off of G4s and how they would do that at NYU Medical.
Those types of things were fun because we got to play practitioner and get paid a little bit better than we were getting paid as lowly Apple employees at that point. I spent a lot of time doing that. I lived and worked in West Africa for a little while in a public-private partnership, doing infrastructure development. We were doing broadband over power lines to help provide larger access via the electricity grid to various different parts of Ghana. What was always the focus of my studies is how to use technology as the catalyst for economic development.
Ultimately, I came back after four years there and a whole many stories that would be its own episode then came back and decided that working with government entities probably was a little bit more stressful and exhausting than I wanted. I went back and did various iterations of MSPs until I founded Advisory on my own in 2016 and we are here now.
I imagine that. For most of us, there’s got to be some passion. That’s something you do outside of work. What’s yours?
I would have answered this question very differently years ago. I have a daughter. COVID was a weird time to also have a kid because you were hamstrung in this small space. Remember I live in New York. It was a little bit different during that period. That was the time to travel. Go to the Philippines for two months, go hang out, and be able to work from there. We were pretty much grounded here for a number of reasons, not least of which was Advisory was still there and we probably needed Advisory to keep humming along.
For now, it’s been family. I’m an avid snowboarder. This season has been phenomenal, so whenever I can sneak away, I will always do that, especially if there’s backcountry involved. I’m a big proponent of teetering as close to the edge of getting in trouble with my family as I possibly can when it comes to that stuff. Other than that, now that we can travel again, that will be back in my future.
I’m right at the base of Sierra Nevada. Come on out to Tahoe and do some skiing but we have a 60-foot base and all of the lifts are buried.
I saw pictures. The 10-foot tunnels that you have to go through to get out of houses over there are nuts. That’s my dream in a sense.
They’re pretty crazy. They were pretty normal years ago. We had another tunnel winter in the Tahoe area. I don’t live in Tahoe but I’ve been up there enough. It’s funny because I remember there was a big snowstorm on the East Coast and it was 2 feet of snow on the East Coast is ridiculous. They can’t believe how much snow there is. This was years ago and somebody from Tahoe created a little image and posted it and said, “In Tahoe, we call that Friday.”
It’s the classic discussion when my wife and I first met. I was like, “Are you a beach or a mountain person?” This was going to be a great determinant of our future. She looked at me and goes, “Beach. What are you talking about?” I was like, “Wow.” We had a lot of figuring out to do and that was part of how we compromised. Thankfully, she’s also a good snowboarder, now turned skier.
The nice thing about snowboarding, for me, especially in doing backcountry stuff is it’s the perfect way to tune out. That’s why for me, it was almost meditation in the sense that you have to focus on every turn. There’s no thinking about anything else. For someone who runs a business and John started by saying almost a serial entrepreneur, I would probably say that I had 4 or 5 different companies in my life in various different ways. Whenever you do that, your brain’s always working. I’m sure you two know it very well. What can you do better? How can you grow? Should you have done something different with this client? Is there a different client you should go to?
It’s this thing. What are your HR problems? Whatever it may be, all of these things are always swirling around in your mind. For me, being able to find things like that focuses you and hones you on living in that moment. I don’t think I’ve ever had that same level of happiness as I do when I’m snowboarding and having to worry about my next turn could be a treat. That’s how I try and how it’s also cathartic for me as a way of getting away from the stresses of work.
I can relate, so I can understand how lifestyle matters. When you try to do things outside, whether it’s snowboarding or what have you, it becomes part of your foundation and your respite. Thank you so much for sharing your personal side and it’s great to hear more about what your company is doing. I’m sure our readers are going to be interested in possibly trying to find you in the future. What’s the best way to get ahold of you these days?
I’m terrible at all things social media but I will say that I’m on LinkedIn, a new store deal. I have an accent of my name but on LinkedIn, it’s my name spelled out. Also, through our website, which is either Advisory.NYC or if you are anti-New York, it’s AdvisoryMSP.com but be at the same place.
I love the NYC TLD I do. There’s another route, so to speak.
Apparently, our SEO people said that it wasn’t good. We had to change it to .com, which is where AdvisoryMSP.com came about. I did disaggregate myself from my roots.
That I understand. The marketing teams certainly love those .coms, how’s that?
That’s right. Thank you very much. I appreciate it.
We do appreciate your participation in our show. We’re intrigued by the new things that we learn in every one of these experiences. Thank you again so much for bringing to light some of the challenges that you faced in cyber risk as well as what your organization does to help people with technology, as well as security, and some wonderful things that you’re doing at Advisory MSP. We appreciate you as well as your time.
For our readers, thank you. This has been another great episode. If you’ve learned something, whether you have laughed or cried in some cases, we had those situations where it’s come close when you start to learn about how some of these attacks happen, please tell somebody about our show. Thank you again, Anoush d’Orville for joining us. We look forward to seeing you next time.
Important Links
- Advisory Solutions
- LinkedIn – Anoush d’Orville
- Advisory.NYC
About Anoush d’Orville
Founder and CEO of Advisory Solutions
He holds advanced certifications and has forged significant relationships with Apple, Cisco, Dropbox, Google, JAMF, Microsoft, Sophos, and multiple other enterprise-level partners.
*After working for Apple Computer as a systems engineer in the education sector from 1999-2005, he went on to found a managed services provider that has focused on building affordable, responsible, and scalable solutions for the creative, education, and non-profit sectors.
