Four well-respected security specialists from the Australian IT channel have revealed how they engage with customers and convince them to invest in defence.
The panel, speaking at the FireEye ANZ partner event in Sydney last week, included The Missing Link security manager and former Dimension Data staffer Aaron Bailey, Optus Business security practice manager Andrew Stephanou and IBM Security Services executive Glen Gooding.
They discussed how to raise the priority of security among clients, with the most frank comment of the day coming from Hewlett-Packard senior security advisor Andrew Latham.
"A lot of times when I talk to [board members], it's like talking to a crack addict," Latham said. "You need them to accept that they have a problem before they're willing to do something to address it."
The audience of security channel executives laughed knowingly, with Optus' Stephanou saying: "You'd be a brave man to call his customers crack addicts."
The panel, facilitated by FireEye global channel boss Steve Pataky, agreed that customer security managers often faced immense pressure from superiors with unrealistic expectations.
"The thing that makes the CISO role so short-lived is the fear of that question from the board: 'Can you give us an assurance that we're not going to be breached?'" said Stephanou. "That's an impossible question to answer."
Bailey added that it was the role of the channel to help security managers hold their heads high.
"Primarily we're trying to make the CISO or security manager a rock star. If we make them look good, they'll like us, and they'll come back to us," Bailey said.
Stephanou agreed, adding: "We have to provide intelligence and visibility in a tangible way – demonstrate to the executive team that this is what has been done and educate them that there's no such thing as 100 percent security. Business is dynamic."
IBM's Gooding said that service firms are of value to customers because security products alone cannot do the job.
"A whole pile of products aren't going to provide a solution. It doesn't solve the overall problem," said Gooding. "This is because everyday we see more attacks and more threats that by-pass whatever security capability has been put in.
"So we do need that true end-to-end discussion. And it leads from our partners and consultative capabilities."
The panel also discussed the value of assessing risk in the first place, with Latham saying many customers are initially unable to even quantify or express their security needs.
"It's like selling insurance. Will I or won't I take the gamble? If [a breach] hasn't happened to an organisation, what's the chance of happening in the future? But there's no real data for [customers] to understand that."
The scenario is an opportunity for security practices to perform a risk assessment, said Latham.
"We'll help them prioritise what it is and where they need it, to be able to build a road map."
FireEye ANZ Partner Momentum, held at Jones Bay Wharf on Sydney Harbour last Wednesday, was the security vendor's first-ever local channel conference.