Let’s do some big ideas.
Let’s do some big ideas.
A difficult read, but the big idea is considering what impact to customers tariffs will have. News Not Noise did a great piece highlighting the severe impact of tariffs on small businesses across the United States, revealing how abrupt policy changes threaten their survival. Many entrepreneurs, including Jamie Knowles of Roverlund, face crippling tariffs as high as 168.5% on essential products, forcing them to make unsustainable financial decisions, such as leaving shipping containers stranded in China due to prohibitive costs. The narrative includes various personal accounts from small business owners who have poured years of effort and investment into their operations, only to confront unprecedented challenges. For instance, Kaitlin, a military spouse and healthcare brand owner, expresses frustration over rising tariffs that hinder her ability to manufacture a patented product in the United States. Rachel Solomon, a merchandise consultant, points out that small apparel brands may lose significant inventory investment due to the 145% tariffs imposed on goods arriving from China.
With all the discussion about Secretary Hegseth, I did want to highlight some coverage in the Washington Post illustrating flaws in the current system for handling classified data known as Sensitive Compartmented Information Facilities, or SCIFs. The article highlights that outdated government technology hampers military and intelligence operations, pushing personnel toward insecure alternatives. Critics, including former CIA officer Aaron Brown, argue that SCIFs, which are often cramped and lack internet access, restrict personnel’s ability to act swiftly in critical situations. Brown notes that the SCIF system has not evolved in over 20 years and fails to meet the demands of modern communication needs. He contends that innovation is stifled by outdated security practices and inefficient acquisition processes, leaving personnel with no choice but to resort to unapproved communication methods to keep pace with operational requirements. There are calls for adopting modern technology that could provide secure mobile communications tailored for national security professionals, but change has been slow within the Pentagon.
Relevant to MSP risk, Chief information security officers, often referred to as the “chief scapegoat officer,” are advised to secure personal liability insurance and negotiate a golden parachute when starting new positions to protect themselves against potential scapegoating after security breaches. At the recent RSA Conference, industry experts highlighted the necessity of these precautions, noting that many CISOs find themselves unfairly blamed for incidents beyond their control. Dd Budiharto, a former CISO at Marathon Oil, emphasized the importance of maintaining integrity, even at the risk of losing a job, while Andrew Wilder, CISO of veterinarian network Vetcor, stated that personal legal liability insurance should be standard for new hires in security roles. He referenced high-profile cases, including that of Joe Sullivan, the former CISO of Uber, who faced legal consequences for his actions during a security breach incident. Wilder noted that the average salary for North American CISOs has reached $565,000, indicating the high stakes and pressures within the role. The panel unanimously agreed that documentation of interactions and decisions is crucial, as it protects CISOs in the event of disputes and contributes to overall organizational accountability in cybersecurity.
Why do we care?
I want to leave you with some questions to ponder.
- Have I considered how geopolitical and trade policies affect my clients’ tech supply chains?
- Could my own service costs shift under changing international regulations—and am I proactively communicating that risk to clients?
- Are we clinging to outdated security models simply because “that’s how it’s always been done”?
- What would a “secure by design” approach look like if I built it from scratch today for how my clients actually operate?
- Have I clarified the difference between shared responsibility and assumed liability in my contracts?
Am I helping my clients create a risk-sharing model, or am I implicitly taking the fall if something goes wrong?

