Security is one of the fastest growing markets in technology and a huge boon for the channel, but many organisations struggle with cyber maturity due to misinformation and poor guidance from partners.
In the latest IBRS Master Advisory Presentation - Security Leadership: A Fresh Perspective of cyber risk management in a hyper-connected world - the analyst firm’s senior advisor, James Turner, said that cyber risk maturity must be present for both the partner and end-user.
The report states that organisations understand there's an issue around cyber security, but analysis conducted by the IT department and the business remains incorrect.
Consequently, such organisations believe they need to buy more product to improve security standings.
Turner stressed that, without a higher level of maturity, more product will only add to the confusion.
“Look at the fact that you are connected to the internet, this is an entirely foreseeable risk so you need to be able to make an informed decision about that,” Turner told ARN.
Turner said those selling into or delivering services to an organisation must understand this and ensure clients do so as well.
“The challenge that I see a lot of third parties going through is they are locked in to selling a particular service so everything looks like a nail,” he added.
“You need a degree of maturity from the supplier as well. Whether that is consulting, advice, product support, or even pen testing, they need to see their part as just one piece of a much larger jigsaw puzzle.”
For Turner, if partners can enter the conversation from an informed, pragmatic and balanced perspective, they will help the customer move up the cyber security maturity chain as well.
Turner added that many partners and vendors run into trouble because they assume that, since risk management is an issue for the C-suite or the board, they should now be selling to the CEO or the board - yet this is not the case.
“There is absolutely a role for sharing information and helping inform, but if they think that it is their job to go in there and start trying to educate the CEO on the capabilities of their latest piece of software they are misguided,” Turner claimed.
Turner said this is because such third parties are having the wrong conversation with the wrong person in the organisation.
“The CEO does not need to be a cyber security expert, they need to reach out and place their hand on someone who is their cyber security expert, either internally or externally, and trust their opinion,” he added.
According to Turner, suppliers can often fall into a trap of telling clients that it's negligent to not use a particular technology.
In reality, however, that's not the partner’s decision to make - it's for the business to decide, based on an informed assessment of the risks it faces.
“There is absolutely a place for third parties in this, but they have to understand what their role is and that they are one component and a resource for the organisation to use,” he added.
The importance of support
Turner said that ongoing support of new security technologies remains an issue across organisations in Australia.
"They will buy something but then underestimate the amount of effort that it takes to maintain that through time," he added.
"They may have one person that's fully trained up on it, and then that person leaves because it's a really dynamic market so now no one in that organisation knows how that product works and no one has the time to learn it."
As a result, Turner believes it's the responsibility of the organisation to make informed decisions about the products they are buying.
"But particularly in the security space where so much of it's based on trust, it's vital that people looking to support their clients really take a mature and long-term view about this," he cautioned.