Why partners must understand cyber in context
- 04 May, 2017 08:00
George Arronis - Head of IT Security Serco Asia Pacific
In taking a step back, the security industry is an ironic place to operate.
Bursting at the seams with specialists, threat detectors, evangelists, threat protectors and all-round preachers, everyone is itching to take a slice of the security pie.
But the harsh reality remains that cyber security vendors, overall, emphatically fail when selling to the Chief Information Security Officer (CISO).
Whether it be the usual spiel of trashing the competition, overly complicating simple solutions or short-circuiting the CISO to reach the treasure chest, vendors simply struggle to effectively articulate security to end-users.
So, step forward the partner, tasked with tailoring solutions specific to end-user requirements, working with the vendor when required, but leading in the conversation with the buyer.
“They need to understand both us and our customers,” Serco Asia Pacific head of IT security and risk, George Arronis, said.
Arronis heads regional security for one of the world’s largest providers of public services to governments, and the services Serco provides are often of critical importance to the communities and nations it serves.
Therefore, Arronis stressed the importance of working with IT providers that are attuned to the goals of the business.
“We work closely with Federal Government, which means there are specific security requirements to meet,” he explained.
“Knowledge and experience in that space is a good starting point.”
In referencing third-party providers, Arronis acknowledged the industry is mixed, with some partners understanding how to engage with the end-user, while others lack the skills required to make inroads.
“Because we deal with many IT providers, their strength in the security space varies,” he observed.
“Providers include niche software houses, data centre hosting, Software-as-a-Service (SaaS) or managed services. Depending on the purchase type, we aim to bring them up to speed where we feel there are gaps in security knowledge.”
Yet as explained by Arronis, partners already operating with Federal Government have a head-start in understanding the specific challenges and requirements of the sector from a security standpoint.
“Then you have niche players, especially if they are offshore software vendors, which may not have experience in the local market; they don’t always understand the local security landscape,” he added.
“Federal Government in different regions has different needs, and this in some cases will override a particular control, which then needs to be changed.”
On a positive note, Arronis acknowledged that such providers are willing to alter internal practices to accommodate the requirements of Serco.
“But the larger providers are already attuned to customer security needs or well on the way to addressing them,” he added.
“The more comfort a provider can provide us through their own practices, such as through independent audit reports, the better.”
How not to sell
Following nearly six years of experience in the Serco security hot seat, naturally, Arronis has encountered many a bad pitch, whether that be through channel partners or direct encounters with the vendor.
For Arronis, the issue centres around an overriding hunger for securing a larger market share, which blocks providers from offering the best solution to the customer.
“Most providers are trying to grab a bigger piece of the pie in the security and assurance space,” he said. “Some of their offerings are not core strengths and we see this come through in delivery.”
Arronis observed that partners that view cyber security as a new growth area for the business mistakenly approach sales with a traditional “box dropping” mind-set, offering solutions in a similar manner.
Specifically, this includes relying on a brand to get them in the door or applying a one size fits all approach to potential customers.
But from the perspective of the CISO, Arronis said this approach often causes more damage to the business over the long-term, through offering a technology which isn’t fully understood.
Quite simply, it comes back to knowing the customer.
Arronis acknowledged however that such issues were not exclusive to prospective suppliers, with incumbent partners also guilty of failing to deliver value on insights gained from the product or service provided.
“I find many provide good informational reports yet fail to add value by answering the ‘so what’ question,” he added.
If Serco engages a partner in a managed services capacity, the partner usually provides monthly reports crammed with information but little insight.
“What I receive in those reports most of the time is that we have had X number of events and closed out Y number of events,” Arronis explained.
“But what they don’t do is take the information they have seen from their other customers, especially if it is a managed service, and infer new insights from that information, which could potentially drive me to make a change in the way I run security in my organisation.”
Plainly speaking, Arronis said providers today are providing “static information”, rather than real-time and actionable insights.
“Some offer okay insights, but we really want vendors [and partners] to step up and deliver real value in that space,” he said. “That should be part of that base offering, not just providing me with raw data.”
Slotting into the supply chain
Aside from ongoing issues around the need for appropriate security solutions, Arronis said many partners, both large and small, still struggle to understand where they fit within the supply chain.
“They need to be more aware that they are part of the supply chain of our business,” he explained. “They are part of our eco-system and not a lone player.
“If they fail, then we’re at risk of failing also.”
For Arronis, a key component for Serco centres around the nature of the business.
As a business support services company, it relies on third parties, meaning multiple providers could be around the table at any given time, working together to solve a pain point.
“They need to be part of that discussion, so it’s more about understanding that the context has changed and we do need to work together,” he added.
“I do see it as an ecosystem where it’s not just our organisation, it’s really the footprint which includes our third parties and the customer that I am concerned about because if a third party gets compromised, that’s a big issue.”
As the leading security executive of a multinational services company with contracts from state and federal governments to operate hospitals, prisons, and detention centres, Arronis said the organisation has “unique concerns” to address and certifications to maintain.
“A key theme around change in this space is more due diligence,” Arronis said.
“This means more due diligence across multiple teams. A purchase is now about legal, finance, procurement and IT all being aligned.”
With regards to IT, Arronis said Serco had to “step up” to ensure the business was across the details also.
“The context change is more to do with the type of things we are buying,” he added. “For example, we may be using Salesforce or an application built on top of Salesforce by a third-party developer.
“What then comes into play are issues such as data sovereignty, data ownership and data access. It becomes an issue of scrutiny of the cloud service provider.”
This raises questions around where they host data, where the data centres are, and what happens if the provider fails and leaves Serco without a safety net.
“Can I recover my data easily?” he questioned. “Can I port my data from one provider to another?
“Do they have any hidden clauses in their contracts which give them the right to use data through Facebook and Google?”
In the eyes of Arronis and Serco, ownership of risk is key, because no matter who provides a product or service, Serco holds the risk.
“All we are doing is outsourcing a service, so we need to understand the risk profile,” he said. “The better we understand the risk profile, the more risk we can take on.”
Partner Perspective - Katana1
By Ross Olgivie, technology and consulting director, Katana1
"We’ve recently upped our engagement with CISOs, and are finding that they are popping up everywhere.
"For two of our bigger customers, we will provide a platform and help them run this platform, then we’ll on-board the different departments of the organisation.
"One is a large telecommunications business, and the other an airline, with the projects opened by certain departments within the organisations.
"As a result, Katana1 forms part of an eco-system with other partners such as Fujitsu, IBM and Telstra. Specific to these cases, Katana1 is the application integrator on the Splunk platform.
"We help on-board every department and run workshops to showcase what we can do, while also providing information to the business.
"As a business, we’ve approached cyber security from an analytics standpoint, and have focused on bringing information in from all parts of the customer’s environment.
"Consequently, we understand our place in the all-important provider ecosystem and bring unique skills to the table by working with customers and other partners to solve end-user problems.
"We’re not trying to pass the buck or extend ourselves beyond our capabilities.
"The difference between this and traditional forms of IT deployment is that risk is owned by a single department — in these cases the CISO — who assesses and manages risk throughout the organisation, before green-lighting the rollout to other departments."