It may have required the public evisceration of Target and Sony Pictures, but it is finally possible to talk about information security in an Australian pub.
It might seem odd that a global industry worth just shy of US$100 billion wasn’t already a point of discussion, but cyber security is not your average industry. It is a complex, shadowy sister of consumer tech, better known for its criminals than its champions.
It’s not only reached the pub – it’s also a big topic for the boardroom. Security is a true priority for management. Many CEOs are now approaching their tech providers to ask, “What are we doing about hackers?”
This may help to explain why data from Gartner in November pegged industry spend to be worth US$91 billion by year’s end and US$116 billion by 2019. Gartner predicts spend in the security services industry, including consulting, hardware support, implementation and outsourcing, will top US$55 billion in 2016 and US$73 billion by 2019.
With so much money at stake, it is no surprise resellers have read the tea leaves and are making forays into the cyber security sector. Dedicated security shops now face competition from a new breed of generalist IT solution providers that are hiring security specialists to win a slice of the hacker-thwarting market.
Resellers recognise cyber security is a permanent part of the landscape and are building the requisite capabilities. They are putting sales staff through security courses, dropping engineers into universities, setting up 24/7 security operations centres and forming advanced, penetration-testing red teams that sit on the forefront of infosec consulting.
New blood
It was in September 2013 when The Missing Link, based in Artarmon, Sydney, launched its dedicated security wing with Aaron Bailey at the helm. The reseller already offered security services in other parts of the business, but decided that security warranted a dedicated department with specialist staff.
Bailey was one of two seasoned security professionals to start at the new business. “We focused on core services initially, such as [credit card security standard] PCI DSS gap analysis, wireless audits and ISO audits – things I knew people needed and that were relatively easy to hire skills for,” Bailey says.
The initial core service focus kept the new wing of the 17-year-old business humming while it found its feet, ramped up revenue and hired staff. The next hacker joined six months later and so the pattern continued, hiring builders, breakers and testers until it reached its current headcount of 14. Bailey says the company has grown its security catalogue from 30 services to more than 40 and developed its list of products so customers can select their level of security maturity, plotted on the Y axis, for security technologies plotted on the X axis.
“We’ve since added heavily to technical consultancy such as wide-scope penetration tests covering web apps, databases and mobile,” Bailey says. The company’s penetration testing now extends to Hollywood-esque red-teaming, SCADA industrial control systems of the kind powering critical utilities, and social engineering.
Twelve kilometres away in the northern beaches suburb of Balgowlah, tech and communications consultancy Commulynx also ramped up its security offerings into a dedicated practice. “We realised three years ago that we are a security and infrastructure player,” managing director Stephen Knights says. “We discovered that by deep analysis of what we did in the market.”
The effort identified shortcomings in the company’s security-focused message, which had remained quiet over the six years to 2012. The company – which has appeared in the CRN Fast50 five times – has since sacrificed nearly two years of growth to bankroll a whole-of-business retraining program schooling geeks and sales, introducing learning materials, better lines of communication and constant revision to ensure relevance.
Knights says Commulynx’s 10 technical staff were retrained in their security vendor products to expand their knowledge, while sales staff had something of a security rite-of-passage in their “significant” education programs. “People are having to wake up to security,” Knights says. “Legislation is being formed and will only become tougher. No longer can you put your head in the sand.”
Brisbane enterprise technology outfit Data#3 has also undergone a security facelift, launching a dedicated department in July. The wing’s national practice manager, Richard Dornhart, says Data#3’s work involves a drive for new security talent, pooling knowledge from within and upskilling sales staff. It marks recognition of the relentless rise of security as a significant element of the industry.
“Our operations are really focusing on helping customers develop the appropriate security strategies,” Dornhart says. “There has been a significant change in the way customers are approaching security challenges, be it compliance, risk or whatever else.”
He says security was always a focus for the company, but demand had reached the point that it became necessary to launch the dedicated arm, which has a significant focus on risk assessment.
Stiff competition
Any resellers looking to expand their security practices will soon realise they are not alone. There’s a rush on skills, with end-user IT shops, vendors and experienced security specialists all looking to recruit the best talent.
This is what Damian Huon, managing director of Huon IT, found when he decided to establish a dedicated security operation. While his journey included some roadblocks, the experience offers a helpful case study for other resellers on how to attract some top-level security talent. Being flexible was key.
“First, finding a security guy who can speak business language has been very hard,” Huon told a CRN roundtable last year. “Finding the right security guy, someone who is not already a director or partner of a firm and who you can attract away, has been difficult.
“We’ve had a couple of false starts, but now we’ve found a consultant who has a lot of track record and works for one of the major banks in a three-day consulting role, so he has availability. He’s an independent who is coming in and assisting us to build our practice. He is going to assist us with different security products, then guide us around the vendor space.
“That’s highly attractive to us because we don’t have an expensive salary on board initially while we’re building the practice, and we have some runs on the board with some security tests and pen tests to use for our customers.
“That’s a toe-in-the-water approach, but we’ve got someone we couldn’t afford to put on staff who’s got a great track record,” Huon says.
Compromised
Launching a dedicated security practice is far from easy. Take it from the experts.
“For one, security is hard,” says Ben Robson, director of operations for Melbourne-based security firm IPSec. “Second, it’s expensive; and third, retaining your staff is really hard, because they are always on the look-out for the next thing.”
Robson is a seasoned player in the infosec industry and at the time of writing was in the process of opening a 24/7 security operations centre. He says channel players who want to spin up their own infosec wings must consider the risks of running security services that are unmanned outside normal business hours.
“That is a compromised service,” Robson says – adding that there is a legitimate need for cheaper daylight-hours security monitoring.
“Are your customers going to be happy with you being available Monday to Friday, nine to five, and doing the best you can outside those hours?”
It is a salient point for Australian businesses, since a large proportion of black hats are wide awake as local security professionals are asleep. Sophisticated Russian attackers could hit at 3am, while student-age script kiddies and Anonymous hackers often launch web attacks on weekends.
Joseph Mesiti, sales chief of established North Sydney security player Enosys, urges caution. The security pool is deeper than its shiny, inviting surface.
“Be careful what you take on,” Mesiti says. “Security is very different to other types of managed services. To do it well requires analysts to think outside the box and be proactive rather than reactive.”
Tempting talent
- If you have lemons, don’t make lemonade. Get rid of security staff, regardless of talent, if they hinder the team or business
- Appeal to talented young people with a focus on money and benefits to reduce staff turnover
- Rebalance compensation so it aligns with what’s on offer outside your business to help avoid losing staff
- Make the job interesting and diverse
- Encourage independent research and training, and budget for security conferences
- Allow personal security interests to flourish and become part of an evolving job role where possible
- Set up mentoring programs for new recruits to improve job satisfaction