It may have required the public evisceration of Target and Sony Pictures, but it is finally possible to talk about information security in an Australian pub.
It might seem odd that a global industry worth just shy of US$100 billion wasn’t already a point of discussion, but cyber security is not your average industry. It is a complex, shadowy sister of consumer tech, better known for its criminals than its champions.
It’s not only reached the pub – it’s also a big topic for the boardroom. Security is a true priority for management. Many CEOs are now approaching their tech providers to ask, “What are we doing about hackers?”
This may help to explain why data from Gartner in November pegged industry spend to be worth US$91 billion by year’s end and US$116 billion by 2019. Gartner predicts spend in the security services industry, including consulting, hardware support, implementation and outsourcing, will trip US$55 billion in 2016 and US$73 billion by 2019.
With so much money at stake, it is no surprise resellers have read the tea leaves and are making forays into the cyber security sector. Dedicated security shops now face competition from a new breed of generalist IT solution providers that are hiring security specialists to win a slice of the hacker-thwarting market.
Resellers recognise cyber security is a permanent part of the landscape and are building the requisite capabilities. They are putting sales staff through security courses, dropping engineers into universities, setting up 24/7 security operations centres and forming advanced, penetration-testing red teams that sit on the forefront of infosec consulting.
It was in September 2013 when The Missing Link, based in Artarmon, Sydney, launched its dedicated security wing with Aaron Bailey at the helm. The reseller already offered security services in other parts of the business, but decided that security warranted a dedicated department with specialist staff.
Bailey was one of two seasoned security professionals to start at the new business. “We focused on core services initially, such as [credit card security standard] PCI DSS gap analysis, wireless audits and ISO audits – things I knew people needed and that were relatively easy to hire skills for,” Bailey says.
The initial core service focus kept the new wing of the 17-year-old business humming while it found its feet, ramped up revenue and hired staff. The next hacker joined six months later and so the pattern continued, hiring builders, breakers and testers until it reached its current headcount of 14. Bailey says the company has grown its security catalogue from 30 services to more than 40 and developed its list of products so customers can select their level of security maturity, plotted on the Y axis, for security technologies plotted on the X plane.
“We’ve since added heavily to technical consultancy such as wide-scope penetration tests covering web apps, databases and mobile,” Bailey says. The company’s penetration testing now extends to Hollywood-esque red-teaming, SCADA industrial control systems of the kind powering critical utilities, and social engineering.
Twelve kilometres away in the northern beaches suburb of Balgowlah, tech and communications consultancy Commulynx also ramped up its security offerings into a dedicated practice. “We realised three years ago that we are a security and infrastructure player,” managing director Stephen Knights says. “We discovered that by deep analysis of what we did in the market.”
The effort identified shortcomings in the company’s security-focused message, which had remained quiet over the six years to 2012. The company – which has appeared in the CRN Fast50 five times – has since sacrificed nearly two years of growth to bankroll a whole-of-business retraining program schooling geeks and sales, introducing learning materials, better lines of communication and constant revision to ensure relevance.
Knights says Commulynx’s 10 technical staff were retrained in their security vendor products to expand their knowledge, while sales staff had something of a security rite-of-passage in their “significant” education programs. “People are having to wake up to security,” Knights says. “Legislation is being formed and will only become tougher. No longer can you put your head in the sand.”
Brisbane enterprise technology outfit Data#3 has also undergone a security facelift, launching a dedicated department in July. The wing’s national practice manager, Richard Dornhart, says Data#3’s work involves a drive for new security talent, pooling knowledge from within and upskilling sales staff. It marks recognition of the relentless rise of security as a significant element of the industry.
“Our operations is really focusing on helping customers develop the appropriate security strategies,” Dornhart says. “There has been a significant change in the way customers are approaching security challenges, be it compliance, risk or whatever else.”
He says security was always a focus for the company, but demand had reached the point that it became necessary to launch the dedicated arm, which has a significant focus on risk assessment.