FireEye's global channel boss, Steve Pataky, discusses his company's transition to a channel-led security organisation, and how it is pushing its partners to sell its services in new ways, to non-traditional customers.
Tell us a bit about your history with FireEye?
I’ve been with FireEye for two years, but have spent 25 years plus in various channel roles across the technology space – always in the networking and security sectors. I cut my teeth at 3Com Corporation back in the early years, then a variety of startups before I went to Netscreen Technologies. We were then acquired by Juniper, and part of what they wanted to do was use the nucleus of the Netscreen channel business as a way to launch themselves into the enterprise, because at that point they were predominantly service provider infrastructure company. So that provided me with a huge canvas to try and create a global partnering strategy.
I spent nine years at Juniper, and obviously I knew FireEye pretty well from the security space in Silicon Valley. I knew their executives and their VPs, so when I joined, just before the IPO, Dave De Walt [FireEye chairman and CEO] told me that channel was something they really wanted to work on; how they could better partner, and leverage the channel to achieve the company's targets.
I was lucky enough to be brought in to lead that transformation in August 2013.
You’ve said that historically FireEye hasn’t had the strongest partner programme, what’s changed?
FireEye had the nucleus. It was always a partnering company, but as is the traditional trajectory for high-tech companies, they have to build that direct sales presence first. Especially in our space, it was unknown, it’s a completely new technology, and its unbudgeted for most of your customers. We had to have a very evangelical sales approach in the early days, but we observed there was a lot more value that partners could get if they evolved along with us. It’s a ‘give to get’ situation.
We’ve been in a transformative mode for the last few years. The traditional model is not really an interesting model for most partners. The margin for them lies in finding opportunities, honing those opportunities and adding as much value as they can to that.
When I joined, it was basically Web and email. Now we’ve got mobile solutions, datacentre solutions, we are moving to a more fully virtualised Cloud environment.
What that’s going to do is it will allow us to take a lot of that success we’ve had in larger enterprise, and allow us to move downmarket, into the midmarkets. So much of the Australian and New Zealand markets fall into that.
You’ve gone from minimal market presence to all guns firing in just 12-18 months. Why has FireEye had such a sudden impact here in Australia?
For better or worse, we tend to benchmark any market’s success against the US market from a maturity perspective. Australia is now getting a more mature security market.
Also, Phil [Vasic] who has now been working here for over two years is starting to see the fruits of his team's labour.
Read more: Queensland child safety IT bungle worsens
In terms of thinking globally, after the US, A/NZ and Western Europe are kind of the next stop for us. The level of awareness amongst customers is really accelerating. The hint of legislation surrounding disclosure, even the hint of personal liability or exposure, and the horrific news and information surrounding what happens in these breaches, whole boards, whole C-Suites get cleaned out.
Its like anything in tech, the pace of innovation quickens rapidly, and so too the awareness. Who hasn’t heard of a cyberattack, of hacking, of breaches? But the impact on the business, and the reality of the cybersecurity situation is becoming a lot more tangible for businesses.
Is it a cultural issue as well? We are already seeing more realistic depictions of cybersecurity and cyberwar in TV shows and movies, and these breaches are gradually moving towards the front of mainstream news publications…
Definitely. awareness is at an all time high, thanks to the big breaches last year. At the RSA show in the US, a huge security conference, they had a documentary filmmaker following Dave De Walt and Kevin Mandia around the show. They are actually going to make a documentary about it.
It's out there in the zeitgeist, it's in mainstream culture – you see it in movies, see it on TV, it's not just a techie thing anymore. It's in day to day life. For example, my family and I have lost three credit cards to various retail breaches in the last 12 months.
What are some of the key differences you see in A/NZ versus other markets?
Firstly, the size of the channel. Secondly, the number of partners that have a very deliberate security practice. In the US for example, I’ve seen the move from pure-play security providers, to security covering the entire industry. If you’re doing compute, or datacentres, if you don’t have security baked in, or as a piece of a solution, you can’t do business. You have to have an answer.
Security itself is now such a focus area and such a driver of all the other technology decisions.
New Zealand and Australian partners are a lot more hungry for the education, about how they can leverage advanced threat protection and APT into their security practice. How big it should be, how should I build it out? Can I find the skillset to build it out? That’s what I think a lot of the local integrators are working at.
Are there any particular attacks or vectors in A/NZ that are more common? Do we have any unique threat characteristics as a market?
The attacks are now ubiquitous. The attacks occur across every vector. 80 per cent of malware is only used once. Its tightly focused on an objective. They’re smarter, they’re better funded, the tools are more available, you can go online to websites and buy malware. Standardised, commoditised malware – when they’re targeting an enterprise, it's one and done, then they’re onto the next thing.
They are run like startup businesses. Malware-as-a-Service. They are really well funded. They have CFOs. They are well oiled machines. They guarantee their malware, for example, so if it doesn’t breach the company, you get your money back.
The vectors have been standardised. It's now more about how they customise the attack, to go after an individual in an organisation, to go after some specific piece of information is what is so startling.
The patience and professionalism is astounding. One of our clients was talking about a German automobile manufacturer, that was targeted over time with the aim of capturing plans on a new automobile. It really compromised the launch of that automobile outside of their home country. Because all the IP, all of the designs, everything, had been exfiltrated over a period of 10 years.
The retrospective angle is interesting – do you work with any Big Data or business analytics partners? Looking back at old data patterns and finding threats or fraud?
My organisation is about developing alternative partnering routes to market. For example, the opportunity we announced with Visa is really interesting. What’s at stake for them and their 100,000s of merchants. Obviously they’re in the business of providing financial merchant services, but for them, security is paramount. Its not the business they’re in, but as an adjunct, if they can secure those transactions in a different way, or a more comprehensive way for their merchants, then that creates a competitive advantage for them in their space.
I imagine for a company like Visa its as much intangible, reputational damage as it is financial, nevermind what a big hack would do to things like their insurance premiums…
Great example. We’ve actually been developing a new program with the world’s largest cyber defence insurance company, both the underwriters and brokers. Imagine if you now had to rewrite the policy for Target, as an example, or indeed any company? How do you even assess the risk? And how do you create a policy and what kind of a premium do you charge?
We’ve just announced some very specific cyber insurance companies who now want to create a more comprehensive risk profile for their customers, so they can do a better job.
Put frankly, we are soon going to see a day where having some level of protection, whether that’s the services and consult up front, a compromise assessment, or some sort of a Security-as-a-Service - will become a condition of insurance.
Is that becoming a part of your business model? To go in as the initial consult on businesses – such as on clients’ HR policy, or looking at the credentials of a CISO?
We’re already seeing that happen in a lot of different places. There used to be a lot of companies that would promote the fact that they could come in and do a vulnerability assessment. As our boss Kevin Mandia would say, those days are long gone. It's now a compromise assessment.
Where have you been compromised? How bad is it? How long has it been going on? Who’s doing it? What have they exfiltrated? What’s their pattern?
Think about all the places we can apply that. If I’m a new CISO, I might want to do a risk assessment and know what I’m inheriting. If I'm an insurer, what do I need to know to write a policy? If I’m on the board of directors, and you’re legally liable, its about increasing your visibility to the risk.
How do you create the right indices of risk profile so you can rate the company and make it more consumable for people? The average joe doesn’t know half of what we’re talking about. But if you can translate that into business impact, and business risk that’s what really matters.
That’s what we’re challenging our partners to do.
That is quite a challenge for a lot of partners. Most of them don’t have a way of calculating business impact costs, money saved and how it affects the bottom line quarter to quarter. How are you helping?
If you’ve been selling traditional firewalls, and other defenses such as anti-virus solutions, its tough. But that is ultimately what is required now.
Security is absolutely now a Line of Business concern. Its moved from the IT department, to the bespoke IT organisation, to the CISO. Now it's at the CEO/CFO level, and even the board level.
It is a transition. We’ve had to transform ourselves too. That’s why we’ve put our focus on producing a world class partner programme. Our partners are being challenged – and in a good way. They are being asked to go back in and skill up.
Yes we invented this space, and its all new technology – so they look to us for vendor support. Our Fuel Partner Program is more than just sales training. A new feature is ‘The Anatomy of an Attack’ – it shows them how to explain how attacks work now.
But the number one way we help our partner sales reps teams learn that, is by teaming with our field. That’s why our new teaming standards and the rules of engagement really matter. They go out on a sales call with one of our guys, and our sales reps have to go through their own personal certification. We love teaming up a sales rep from our partner, with our field guys. They go call on the customer together.
Any last words?
We’re on a tear. We have the right combination of technology, the intelligence and the expertise. I love that we’re not just going out and telling partners to sell more boxes. We know that happens, but it gets pulled through. If you can formulate a architect-led motion, a services-led motion, and have that economic conversation – the pull through is phenomenal. That’s what we’re trying to instil in our partners.