Perception vs. Reality - Are Australian partners prepared for the next wave of security?
23 September, 2016 10:33
Anthony Stitt (Cisco), Kaarena Chapman (Exclusive Networks), Chris Stradling (HPE), Krutartha Patel (Fortinet), Martyn Young (F5 Networks), Moheb Moses (Channel Dynamics), Joseph Mesiti (Enosys), Hafizah Osman (ARN), Darren Lynn (Uplinx Group), James Henderson (ARN), Dr Gleuto Serafim (Tecala Group)
Businesses remain united in the belief that security - and all it encompasses - stands tall as the overriding priority of the digital age.
But while the notion of securing the enterprise takes precedence across boardrooms in Australia, in reality, organisations remain weak on strategy, outlook and capabilities.
As such, a new breed of partner is emerging, as the channel grapples with changing market demands, new responsibilities and greater risk.
Currently, nearly a third of Australian organisations (32 per cent) have suffered a security breach in the past 12 months, prompted by a lack of interest from C-suite and directors at executive level.
Alluding to a lack of boardroom buy-in as the biggest security challenge facing businesses across the country, local organisations are proving to be far from immune when protecting data and customers.
The perception is a market secured to the teeth however, with 78 per cent of Australian businesses currently housing a security incident plan. But all numbers aside, are such plans effective?
“I think it varies greatly across the market segments,” F5 Networks Manager of Systems Engineering A/NZ, Martyn Young, said.
“In Australia there’s a handful of large accounts with considerable in-house expertise such as the telcos and banks which drive security policies internally.
“But as you move down the market you reach the more generalist IT sphere, where organisations don’t necessarily have a security guru on staff. They are the ones who require the most leadership and direction from partners.”
With staff and training regularly rated as overriding security concerns for companies during the next 12 months, alongside time and resource pressures for employees, Australian businesses are aimlessly ambling along, desperate to walk the security tightrope above a safety net.
“It depends on who the customer is,” Cisco General Manager of Security Sales A/NZ, Anthony Stitt, said. “What we need to see is a move away from that whole concept of ‘set and forget’ type security.
“The notion of building walls around a business, turning on a few switches and thinking everything is going to be okay is no longer enough for organisations.
“Organisations must make change and better understand internal environments and practices. But it requires people and skills however, and they are always difficult to find in Australia.”
While Stitt acknowledges that progress is being made within the security space, a clear lack of strategic security planning continues to ensure organisations lurch from crisis to crisis.
“There’s not enough thought into business practices around security at present,” Fortinet Systems Engineering Team Lead, Krutartha Patel, added.
“Even though we read a lot about the threat landscape evolving, the reality is that these attacks are in fact happening, impacting not only the enterprise but small businesses also.
“I don’t think Australian businesses are doing enough to take a step back and evaluate whether they have efficient continuity plans in place. We’ve seen it from the Target attacks, people didn’t take any action even when the alarm bells were ringing and this needs to change in Australia.”
Following high-profile attacks such as Target, a more detailed evaluation of the challenges and gaps in the market is required, with organisations required to abandon reactive tactics in favour of proactive security thinking.
“While nobody wants to encourage cyber-attacks on any organisation, we find that is the only way to shock organisations into action,” Enosys Solutions Sales Director, Joseph Mesiti, said.
“Through mainstream media the profile of cyber security has risen enormously during the past few years, and it has helped drive boards to shift their focus onto how to better protect their digital assets.
“Executives are now educating themselves through the media and this is coming to the fore as they understand the implications of a breach.”
Mesiti said the recent unveiling of the Government’s $230 million cyber security strategy - aimed at enabling innovation, growth and prosperity - also helps bring the conversation to the centre table across Australia, as organisations begin to explore ways to advance and protect assets and interests.
But while conversations can be generated from Government statements such as the cyber security strategy, partners are becoming inundated with customers under threat from the influx of new technologies, causing disruption across all verticals and sectors.
“Customers need their little pockets of new data protected, whether that be on premise or in the Cloud, which brings new challenges,” Tecala founder and CTO, Dr Gleuto Serafim, explained.
“This is where the partner and vendor relationship is key because we need to know what is coming up. As a partner we have more experience sitting down with customers and we need to be enabled and equipped to overcome the new complexities of the market.”
With complexity come greater challenges for the channel around selling security strategies to business owners and decision makers, such is the human tendency to reject hard truths.
“When you get a seat at the table, you never know whether they will take in your advice and feedback,” Hewlett Packard Enterprise South Pacific Network Consulting Manager, Chris Stradling, admitted.
“There’s always uncertainty around whether the customer will take the discussion to the next level. While you don’t want to play on the insecurities of a customer, there is a need to be strong and decisive in projecting the consequences of inaction.
“It’s a narrative that you serve to the customer, but this time it’s a real story.”
On the flip side however, Uplinx Group Security Practice Lead, Darren Lynn, believes that delivering bad news to customers is the easy part, “it’s whether they want to believe it or not” that proves difficult.
“I find the conversation aspect around delivering risk straight forward,” he said. “I term it as Fort Knox and ask customers to think about what would happen if anything left their own Fort Knox? It could be gold, it could be information, it could be anything but the point is, it needs to stay within Fort Knox.
“When in front of an executive above the technical specialists, that’s when I deliver the fear message. But it’s not so much about risk, more so focusing if the staff within an organisation can handle the pressure if a breach occurs and something goes wrong.
“How do they respond? How do they interact back with the business? We have that conversation in great depth and that’s how we introduce risk.”
Bridging the gap
“In my opinion there are three key elements to security,” Channel Dynamics Director, Moheb Moses, explained.
“There’s the products and the vendors are good at adapting as the market shifts, then there is the process, which is focused on simple things such as don’t put your password on a post-it note on your screen. And finally, there’s people’s behaviour.
“If I look at the skills within the channel, during the past 20-30 years, the market has been very good at selling great products to stop threats, so now the focus turns to process and behaviour.”
For Moses, many security-focused partners in Australia still remain tied to the traditional product style sales approach, bound by customers failing to adapt.
“Customers still think of just putting in good technology to solve the problem, and partners are going along with this line of thinking to a lesser extent,” he added. “But it has to be more around education and understanding the implications of security.”
Echoing the comments of Mesiti, Moses said the reactive nature of businesses will continue to stall this change of thinking irrespective of size or stature.
“When your neighbour gets breached you pay more attention,” he said. “And when your friend dies you write your will, or take out insurance after you’ve been robbed. There’s a role for partners to help customers understand those use cases and change.”
For Young, speaking as a security-focused vendor, the onus is now on the channel to help bridge this widening gap in business.
“It’s an ongoing challenge,” he acknowledged. “The people within an organisation who understand the security and technology elements of business aren’t always the ones capable of communicating it back through the company. That’s where partners can fill the gap and offer real value to customers.”
Interest in security technologies is increasingly driven by elements of digital business, particularly Cloud, mobile computing and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks.
Such a focus is driving investment in emerging offerings, such as endpoint detection and remediation tools, threat intelligence and Cloud security tools, such as encryption.
“There’s business decisions to be made around what’s being protected,” Stitt added. “It’s much like the insurance discussion in that if I have a car that I don’t really care about then I won’t care about my insurance cover unless I hit someone. But if I drive a really nice car I want to make sure that if someone bumps into me then I’m covered.
“Through applying this analogy to information and applications, most businesses and customers also have to place value on what they are trying to secure, because this ultimately determines the investment they make to minimise risk.
“New technologies are playing a role but budget priorities also play a huge factor in the security decision making process.”
Globally speaking, worldwide spending on security reached $US75.4 billion in 2015, an increase of 4.7 percent over 2014.
According to Gartner findings, the increase in spending is being driven by government initiatives, increased legislation and high-profile data breaches.
Security testing, IT outsourcing, and identity and access management present the biggest growth opportunities for technology providers.
“One of the big budgetary shifts in the market has been the move of the IT budget into business units,” Lynn explained. “That is having a whole range of implications for partners and customers because the traditional people who normally make the technology calls are now removed from the conversations.
“Budgets are changing hands because organisations have enormous quantities of digital assets and they are looking to utilise these assets in some business capacity, which means individual divisions must make those calls.”
Lynn said Uplinx Group’s internal research validates the shift in mindset, with 35 per cent of CFOs classifying security as an enabler for digital and business transformation, moving away from the traditional risk mitigation mentality.
“The people who need to be getting the message are slowly receiving it,” he added. “We call them secure digitisers, and they are the ones with executive buy in who get projects funded and who get security installed from day one and allocate resources to manage it.
“Security for these people is about how it can drive my business forward, not just protect me from the bad stuff.”
Role of the partner
Logic dictates that it’s easier to sell something a customer wants than a defence against something they desperately want to avoid; such is the delicate nature of security selling in the channel.
But before the tactics and techniques come to the table, to succeed, partners must be armed with relevant local information to ensure they can expose the customer to the bigger picture.
“Partners must ensure that businesses are fully aware of the repercussions of inaction,” Exclusive Networks Business Unit Manager, Kaarena Chapman, advised.
“The industry has to collectively do a better job of highlighting what is going on in the market, and what the channel needs to do to ensure they have open security discussions with customers, this represents a huge step forward in thinking.
“There’s no value in keeping information in silos, instead collaboration is required. The channel is heading this way which is encouraging but it’s just the early steps on the road to security change.”
From a Fortinet perspective, Patel said partners can also help drive collaboration more across the industry, citing examples from overseas as potential avenues of exploration.
“In the US there are often closed door talks between enterprises to educate the market on security breaches,” he said. “There is a role for the partner to help drive communications early to educate the wider community. But we don’t see a lot of that happening in Australia.
“Partners can utilise distribution and vendors who have a depth and breadth of specialist talent within security, and become that trusted advisor by collaborating more frequently with the market.”
In founding Tecala Group, Dr Serafim believes that while information and knowledge should be better utilised across the industry, as a channel partner, one overriding skill set is required.
“If you want to be a good consultant or a good partner then you must understand your prized business,” he said. “It’s very important because not every rule or piece of information applies to every customer.
“Each customer requires different motivation to spend money on actually protecting their assets, so understanding the ins and outs of the business is imperative. Only then can you begin to provide the right advice and solutions to address the issue.”
In agreement, Mesiti said a deep understanding of the customer base is the “nature of the business” for partners in Australia, forming the foundation of channel success.
“There’s pros and cons to having a large customer base because the need to understand each business doesn’t change,” he added.
“But we’re experts in this field and our job is to articulate the problem in an easy and manageable way. You need to know your customer to address business issues for them which allows you to change the risk conversation.
“By asking executives what they would do if they lost their customer data, that’s an effective way to gain mindshare at a boardroom level as it resonates well with seniority.”
For Mesiti, the technology represents one part of the equation for Enosys, with a heavy focus on delivering professional services in business.
“The implementation of vendor technology is only a small part of the overall project,” he added. “There’s a lot of groundwork that needs to happen around understanding how the customer operates, who’s in charge and what the impact of a breach would be.
“For those partners who are system integrators with the luxury of focusing on a small customer base, there’s an opportunity to be a real asset.
“We’re operating at the trusted advisor level but the larger you become as an organisation, the harder it is to cover all bases.”
Focusing on the technological aspect of the equation, Young said partners are also finding success through focusing on providing agile security in a dev-ops environment.
“We’re seeing lots of opportunity for partners who help organisations drive greater efficiencies and move away from the slowed down methodical application deployment,” he explained.
“Those who can help customers maintain security defences, but also increase agile, are winning market share.”
Tapping into the evolution of the partner, Stitt acknowledged that traditionally, security was largely the domain of the specialists, and is now moving to a more prominent role within organisations.
“Security has become front and centre in delivering risk outcomes or digitisation enablement outcomes for businesses,” he observed. “And because it is moving up the priority ladder for customers, the same is happening for partners.”
But with increased priority and focus, comes increased market competition from vendors.
“Security is a big market and there’s a lot of vendors out there,” he said. “It’s incredibly difficult for partners to be able to get their heads around the options available, and the same applies to the customer.
“That’s why the channel is central to helping customers have a consolidation discussion around what makes sense and what doesn’t, bringing technologies together that work.”
Otherwise, the alternative is partners providing “30, 40, 50 or 60” different vendor solutions to the customer - “I’ve heard numbers as high as 115”.
Following Stitt’s observations, Young said channel opportunity lies in partners honing managed services skills during the coming years, taking advantage of the skill shortages that continue to plague businesses.
“While a lack of talent and resources is impacting every aspect of the industry, partners can work with businesses who can’t afford to house an entire team of security experts,” he said.
“If partners behave on a transactional basis, they will not build a relationship with the customer or the vendor. It’s an ongoing relationship and all parties are in it together.”
In summarising, Moses said the crucial aspect of separating perception from reality is based on partners selecting vendors that are aligned with their own vision of security.
“But I don’t mean products,” he qualified. “I mean aligned in the sense that they think like you. It’s not about the product it’s about how they engage with their channel.
“Partners work with vendors not just for the great technology, but because crucially, they trust each other.”
This roundtable was sponsored by Cisco, F5 Networks and Fortinet. Photos by Maria Stefina.