Viewed from a step back, the security industry is an ironic place to operate.
Bursting at the seams with specialists, threat detectors, evangelists, threat protectors and all-round preachers, everyone is itching to take a slice of the security pie.
But the harsh reality remains that cyber security vendors, overall, emphatically fail when selling to the Chief Information Security Officer (CISO).
Whether it be the usual spiel of trashing the competition, overly complicating simple solutions or short-circuiting the CISO to reach the treasure chest, vendors simply struggle to effectively articulate security to end-users.
So, step forward the partner, tasked with tailoring solutions specific to end-user requirements, working with the vendor when required, but leading the conversation with the buyer.
“They need to understand both us and our customers,” Serco Asia Pacific head of IT security and risk, George Arronis, said.
Arronis heads regional security for one of the world’s largest providers of public services to governments, and the services Serco provides are often of critical importance to the communities and nations it serves.
Therefore, Arronis stressed the importance of working with IT providers that are attuned to the goals of the business.
“We work closely with Federal Government, which means there are specific security requirements to meet,” he explained.
“Knowledge and experience in that space is a good starting point.”
In referencing third-party providers, Arronis acknowledged the industry is mixed, with some partners understanding how to engage with the end-user, while others lack the skills required to make inroads.
“Because we deal with many IT providers, their strength in the security space varies,” he observed.
“Providers include niche software houses, data centre hosting, Software-as-a-Service (SaaS) or managed services. Depending on the purchase type, we aim to bring them up to speed where we feel there are gaps in security knowledge.”
Yet, as Arronis explained, partners already operating with Federal Government have a head start in understanding the specific challenges and requirements of the sector from a security standpoint.
“Then you have niche players, especially if they are offshore software vendors, which may not have experience in the local market; they don’t always understand the local security landscape,” he added.
“Federal Government in different regions have different needs and this in some cases will override a particular control which needs to be changed.”
On a positive note, Arronis acknowledged that such providers are willing to alter internal practices to accommodate the requirements of Serco.
“But the larger providers are already attuned to customer security needs or well on the way to addressing them,” he added.
“The more comfort a provider can provide us through their own practices, such as through independent audit reports, the better.”
How not to sell
Following nearly six years of experience in the Serco security hot seat, naturally, Arronis has encountered many a bad pitch, whether that be through channel partners or direct encounters with the vendor.
For Arronis, the issue centres around an overriding hunger for securing a larger market share, which blocks providers from offering the best solution to the customer.
“Most providers are trying to grab a bigger piece of the pie in the security and assurance space,” he said. “Some of their offerings are not core strengths and we see this come through in delivery.”
Arronis observed that partners who view cyber security as a new growth area for the business mistakenly approach sales with a traditional “box dropping” mind-set, offering solutions in a similar manner.
Specifically, this includes relying on a brand to get them in the door or applying a one-size-fits-all approach to potential customers.
But from the perspective of the CISO, Arronis said this approach often causes more damage to the business over the long term, through offering a technology which isn’t fully understood.
Quite simply, it comes back to knowing the customer.
Arronis acknowledged, however, that such issues were not exclusive to prospective suppliers, with incumbent partners also guilty of failing to deliver value on insights gained from the product or service provided.
“I find many provide good informational reports yet fail to add value by answering the ‘so what’ question,” he added.
If Serco engages a partner in a managed services capability, usually the partner provides monthly reports crammed with information but little insight.
“What I receive in those reports most of the time is that we have had X number of events and closed out Y number of events,” Arronis explained.
“But what they don’t do is take the information they have seen from their other customers, especially if it is a managed service, and infer new insights from that information, which could potentially drive me to make a change in the way I run security in my organisation.”