With cybersecurity concerns now sitting atop many corporate risk registries it is little wonder that technology service providers have rushed in to help. However, the outcome has not always been effective or satisfactory and may have even made things worse, according to the senior executives who joined CRN for an industry roundtable recently.
The industry leaders at the lunch spoke about multiple cybersecurity problems, including:
- Lack of education of customers about security
- Failure by customers and some service providers to maintain currency of expertise
- Growing pains as new entrants rush into the security market
- Failure to create an effective risk management culture, or to translate policies into processes.
And while it may be tempting to simply grab cybersecurity business opportunities, successfully meeting customers’ needs starts with truly understanding them. That requires recognising that those needs, and cyber maturity, vary between and within industries.
Organisational security postures differ from industry to industry, said CCNA MD Craig Sims. For instance, according to Sims, security awareness in the financial services sector is advanced, and born of necessity and of course regulation.
However, the outlook is very different in other sectors. “[If you] look at your verticals, such as manufacturing and education, we've seen a lot of holes there,” Sims said.
“They haven't been driven by legislation and the industry as a whole isn't really where it needs to be.” He has encountered frequent evidence of this over the last 12 months.
Sims told CRN that it is vital to treat customers in a way that reflects their level of cyber maturity.
That sentiment also informed discussion about one of the most important issues raised by the senior executives at CRN’s roundtable – education. While customers need to take responsibility for their own decisions and be accountable for them, the industry needs to model best practice and good behaviour.
That also means getting their own house in order.
Secure Agility strategic alliance director Kirk Jones said, “We've put in a lot of new vendors and products internally, and tested those products before we've let them out to customers.”
Jones’s customers have certainly highlighted their need to upgrade their security. For example, he referenced a customer that was previously content with the security functions bundled in their Microsoft Enterprise agreements package, but was now looking at additional security solutions.
“There is still education to be done,” Jones said.
Awareness is a particular problem in the SMB marketplace, according to Fuse Technology’s Chuong Mai-Viet. He pointed to the rapid rollout of Office 365.
“Internal IT got their licences for 365 for the first time, they deployed it rapidly, but they are not experts. It was the first time they had ever seen the product. They don't even know half the security features that are available and I think that's the challenge,” Mai-Viet said.
He added, “If someone signs up straight off the Microsoft website, no one from Microsoft turns around and says, ‘By the way, you haven't turned on MFA, you're at risk here.’”
InfoTrust engineering service manager Goran Lepin said, “We need to do quite a lot of work to make sure customers understand where the gaps are in the security they get for free and then obviously highlight those.”
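The gap Mai-Viet and Lepin describe, a tenant signed up from the website with MFA never switched on, can be measured rather than guessed at. The script below is an added example, not code from the article or from any vendor named in it. It reads two Microsoft Graph resources, the tenant's Security Defaults policy (identitySecurityDefaultsEnforcementPolicy) and the per-user authentication methods registration report (reports/authenticationMethods/userRegistrationDetails), and lists who is exposed. The two payloads embedded in it are constructed samples; the fetch_all helper, the permission names it mentions and the "phone-only is weak" classification are the example's own assumptions. One caveat a practitioner would want: registration is not enforcement. A user can have an authenticator registered and still sign in with a password alone unless Security Defaults or a Conditional Access policy requires MFA, which is why the first finding the script produces is about enforcement.

```python
"""Report MFA gaps in a Microsoft 365 tenant from Microsoft Graph data.

Added example; not code from the article or from any vendor named in it.
The payload shapes follow Graph's identitySecurityDefaultsEnforcementPolicy
and reports/authenticationMethods/userRegistrationDetails resources; the
sample payloads below are constructed for illustration.
"""
import json
import urllib.request
from dataclasses import dataclass, field

GRAPH = "https://graph.microsoft.com/v1.0"

# Graph reports phone-based methods under these names; this example treats a
# user with only these as weakly protected (SIM swap, SS7 interception).
PHONE_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone"}

# Constructed sample: the tenant's Security Defaults policy, switched off.
SAMPLE_SECURITY_DEFAULTS = {
    "id": "00000000-0000-0000-0000-000000000005",
    "displayName": "Security Defaults",
    "isEnabled": False,
}

# Constructed sample: one page of the per-user registration report.
SAMPLE_REGISTRATION = {
    "value": [
        {"userPrincipalName": "alice@example.com", "isAdmin": True,
         "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
        {"userPrincipalName": "bob@example.com", "isAdmin": True,
         "isMfaRegistered": False, "methodsRegistered": []},
        {"userPrincipalName": "carol@example.com", "isAdmin": False,
         "isMfaRegistered": False, "methodsRegistered": []},
        {"userPrincipalName": "dave@example.com", "isAdmin": False,
         "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    ]
}


@dataclass
class MfaGapReport:
    security_defaults_enabled: bool
    total_users: int
    unregistered_users: list = field(default_factory=list)
    unregistered_admins: list = field(default_factory=list)
    phone_only_users: list = field(default_factory=list)


def fetch_all(path, token):
    """Live use only (assumed helper): GET a Graph resource, following
    @odata.nextLink pages. The token needs read rights on policies and the
    authentication-methods report (e.g. Policy.Read.All, AuditLog.Read.All)."""
    items, url = [], GRAPH + path
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", [page]))  # single objects have no "value"
        url = page.get("@odata.nextLink")
    return items


def analyse(security_defaults, registration):
    """Turn the two Graph payloads into a gap report."""
    report = MfaGapReport(
        security_defaults_enabled=bool(security_defaults.get("isEnabled")),
        total_users=len(registration["value"]),
    )
    for user in registration["value"]:
        upn = user["userPrincipalName"]
        methods = set(user.get("methodsRegistered", []))
        if not user.get("isMfaRegistered"):
            report.unregistered_users.append(upn)
            if user.get("isAdmin"):
                report.unregistered_admins.append(upn)
        elif methods and methods <= PHONE_METHODS:
            report.phone_only_users.append(upn)
    return report


def findings(report):
    """Plain-English findings a provider can put in front of the customer.
    Registration is not enforcement: without Security Defaults or a Conditional
    Access policy requiring MFA, registered users can still sign in with a
    password alone, so the enforcement finding comes first."""
    out = []
    if not report.security_defaults_enabled:
        out.append("Security Defaults are off: confirm a Conditional Access "
                   "policy requires MFA, otherwise nothing enforces it.")
    if report.unregistered_admins:
        out.append("Admins with no MFA method registered: "
                   + ", ".join(report.unregistered_admins))
    if report.unregistered_users:
        out.append(f"{len(report.unregistered_users)}/{report.total_users} users "
                   "have no MFA method registered.")
    if report.phone_only_users:
        out.append("Phone-only MFA (weak to SIM swap): "
                   + ", ".join(report.phone_only_users))
    return out


if __name__ == "__main__":
    for line in findings(analyse(SAMPLE_SECURITY_DEFAULTS, SAMPLE_REGISTRATION)):
        print("-", line)
```

Against a live tenant, the same analyse function takes fetch_all("/policies/identitySecurityDefaultsEnforcementPolicy", token)[0] and {"value": fetch_all("/reports/authenticationMethods/userRegistrationDetails", token)}; the report is what the conversation with the customer should start from, because it names the accounts, not the product.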
According to Yvette McEnearney, Director, Channel & Mid Market Sales, LogMeIn, learning from past and current events was one of the most important things that partners could do.
“Obviously you are gaining new customers all the time. You're evolving your current customers. You’re working with the people that you partner with and hearing what's going on in the market,” she said.
“If you're working with certain verticals, it is important to know what's going on in those verticals as that will help in terms of where you take the next conversation.”
She also stressed how important it is to understand how security aligns with the overall strategy of a customer’s business.
“It's really about educating yourself and making sure that you're keeping up with what your customers are doing, what that particular vertical is doing, what your competitors and other partners are doing.”
And the industry should be willing to share for the greater good, McEnearney suggested.
“I think it's really important that partners connect and talk about what's happening. If you're talking about it regularly, it just gives you a bit of a light bulb moment.”
The need to remain current in your expertise is especially critical in the security domain, a point several industry leaders stressed.
The Missing Link’s head of IT services Yogesh Koonjul emphasised the importance of staying on top of the technologies offered to customers, across every customer-facing part of the business.
“Internally, even we are still educating ourselves, and that's part of our onboarding process [for new hires],” he said.
Koonjul added, “It doesn't matter whether it's a senior engineer or architect, they still do the training that we do internally. It's just not a one-off issue, it's a recurring thing that we do on a monthly basis.”
LogMeIn’s McEnearney said this was a challenge for many partner organisations, who were often so focused on their customers that their own internal protocols were not given the attention they deserved. “And if you're not secure then how are your customers going to be able to trust that you can support them well?”
While all agreed that keeping your own security house in order is important, leading by example is only part of the solution. The other important task is instilling a security mindset in those whose main concern is other issues, such as cost.
NetStrategy CEO and founder James Boyle said that while some organisations had moved beyond a compliance mindset, many failed to recognise that compliance is simply a starting point.
“I think the big problem though for the industry as a whole is that there's this mistaken belief that you can stop bad actors from getting into your environment,” Boyle said. “That is a pretty common belief, but if you look at how they work in Defence, it is quite the reverse. They expect, [indeed] they know, people will get in and they look for that.”
The biggest challenge is convincing customers that it is unrealistic to believe they can stop every bad actor getting in, Boyle said – a nod to the emergence of zero-trust approaches to cybersecurity, which assume that identities and devices inside the perimeter are not inherently trustworthy and must be verified on every request.
LogMeIn’s senior director of enterprise business, Japan Asia Pacific, Matthew McWhirter, said the way organisations procure security solutions was also “fundamentally broken”.
“The attitude was ‘Let's get that next generation firewall that will stop everything.’ That messaging goes too far as it hurts future investment moving forward because you've asked them for money for a product you said would stop everything. Now, you're asking for more money because it hasn't, so there's a reluctance there [to transact in the future],” McWhirter said.
Seccom Global’s managing director Michael Demery said the growth of the security services market had encouraged a lot of providers without the relevant expertise to start offering security solutions. This was detrimental to improving security postures inside customer organisations, he said.
“Everyone wants to be in security. Security is where the money is. We have MSPs in our industry, but just being an MSP doesn't mean you're a security focused organisation. You might be great at putting in Microsoft and upgrading it, [but] looking after the network doesn't mean you're a security organisation.”
LogMeIn’s McEnearney added that some providers had become opportunistic in their approaches to selling security and this had caused problems for providers trying to do the right thing by their clients.
OBT founder and managing director Shane Muller said that this was particularly true for the many organisations that equate security with a single piece of technology.
“Of all the leaders in the organisation we tend to talk to, many come from a world whereby security is related to the word firewall,” he said. “In the past a firewall would protect the perimeter, but in the world we're in right now, there is no perimeter really.”
NetStrategy’s Boyle said that one of the ways his organisation was trying to overcome these misconceptions was to focus the conversation on risk instead of technology.
“The conversations are quite different and often they don't have the same sort of constraints,” he explained.
“If they identify a new risk that they haven't yet fully appreciated, then they need to push for additional funding to help to manage that risk. Often, in my experience, they generally have a faster pathway to the board. Ultimately, the IT manager has to be able to approve some unbudgeted expenditure. Often in smaller organisations the risk function is owned by the CFO, it might also be the company secretary. Again, people who have a direct conduit to the board.”
Boyle recommended a multi-tiered approach that engages IT but also brings a formal risk function, someone formally in charge of risk, into the conversation.
Owning the risk
Cybersecurity has rocketed to the top of the corporate risk registry in recent years as organisations have come to understand the vulnerabilities of their systems, and the intrinsic value of data as a key corporate asset.
But while the profile of cyber risk has increased dramatically, that hasn’t always translated into better processes, according to the industry leaders who took part in our discussion.
Somerville Group CTO Kevin Koelmeyer said a key challenge for many customers was identifying who owns the risk.
“A lot of the time it falls under technology, but it is more related to strategy in terms of how you can close those loopholes. A lot of the time those decision makers are the ones we need to get on board when highlighting risk and responsibility,” Koelmeyer said.
Pandemic-induced changes to ways of working have only exacerbated the problem.
Fuse Technology’s Mai-Viet added that working from home arrangements shifted focus from Wi-Fi to authentication as devices began accessing networks remotely.
“Lots of clients spent a lot of money with on premise security solutions. Well, that's all great, but now you've got people sitting at home, living in shared apartments. Their device is unlocked.”
He said new working arrangements had not previously been taken into account by IT teams, and were now a major cause for concern.
Even when organisations have the data they need to make decisions, and policy frameworks to guide them, they are not always inclined to act.
The Missing Link’s head of information technology services Yogesh Koonjul said that he had seen clients breached but then go through reports to determine if they could avoid addressing the problem at all.
“They actually read through the lines and where it says perceived harm they say ‘No, no, that’s just the phone numbers and the names. That’s not perceived as important to fix’. There are so many organisations that do that.”
The last few months have exposed the vulnerability of organisations around the world to cyber threats. Ransomware alone has caused high profile and costly problems for companies across the globe and here in Australia.
The industry leaders CRN spoke with stressed the need to educate clients, but also for the industry to apply a keen focus to its own approaches. That means staying current with new technologies – and new approaches such as zero trust.
With boards applying increasing scrutiny as they come to better understand the risks, the cybersecurity business opportunity afforded by the growing market will likely grow strongly. But it is incumbent on service providers to stay current and partner with their customers to keep systems and information safe.