The growth in information security business hasn’t escaped the notice of larger security and service providers that have been snapping up the boutique providers.
BAE Systems kicked off the recent acquisition cycle four years ago, with its $24 million buyout of Sydney IT security provider Stratsec that had bought rival SIFT a few months before. The parent British security and defence behemoth recorded 2013 revenue of £18.18 billion ($34 billion).
And last October, Telstra paid an undisclosed sum for its partner, Brisbane IT security consultancy Bridge Point, which employs 75 staff across Australia. The buy, coming soon after Telstra bought integrator O2 Networks, filled a blank in Telstra’s Network Applications and Services (NAS) portfolio. Bridge Point focuses on security, governance, risk compliance and data-management consultancy, and provides a growing suite of managed services. It counts among its customers Queensland Government departments such as Queensland Health and the departments of transport and education, as well as Suncorp Group and BP.
“Working with a large government organisation, we see the same issues come up, so rather than take their money, we sat down with their applications and development teams and gave them recommendations on secure development practices to address the sheer majority of issues at the source,” says Bridge Point managing principal consultant Michael Trott.
He says the organisation had a “very broad attack surface”, meaning hackers had breached its systems on a “number of instances”. And while the breaches “weren’t as severe as they could have been”, the fact that malicious actors were getting in was worrying.
Trott says developers are often to blame because most have never heard of secure software development. “And software development houses don’t see security as a core focus. Functionality is king – they’re more worried about getting the products out in the world and they worry about [security] later.”
Key to Bridge Point’s success in improving security was introducing developers to the Open Web Application Security Project (OWASP) that bills itself as a “worldwide not-for-profit charitable organisation focused on improving the security of software”.
OWASP’s marquee contribution is its Top 10 list of the most critical web application security risks. It includes injection flaws such as SQL injection (for example, tampering with a parameter in a URL so that the database query the application builds from it returns records the user was never meant to see) and cross-site scripting (XSS), where attacker-supplied script is reflected or stored by a trusted website and runs in visitors’ browsers with that site’s permissions.
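To make the two flaws concrete, the following is an added example written for this page, not code from the article, Bridge Point or OWASP. It uses Python’s standard library only: an in-memory SQLite table with constructed sample users stands in for the application’s database, and a URL parameter named `id` and an attacker payload of `1 OR 1=1` are assumptions for the illustration. Each vulnerable function is shown beside its hardened form.

```python
import html
import sqlite3

# Constructed sample data for the demonstration; not from the article.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Injection flaw: the value taken from the URL (assumed here to be ?id=...)
    is spliced straight into the SQL text, so it can change the query's structure.
    With user_id = "1 OR 1=1" the WHERE clause becomes true for every row."""
    query = f"SELECT id, name, email FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, user_id):
    """Fix: a bound parameter. The driver passes the value separately from the
    SQL text, so "1 OR 1=1" is compared to the id column as a literal string
    and matches nothing; the query's structure cannot be altered by input."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def greeting_vulnerable(display_name):
    """XSS flaw: untrusted input is written into the page as raw HTML, so a
    display name containing <script> executes in every visitor's browser with
    the trust the browser places in this site."""
    return f"<p>Welcome back, {display_name}</p>"


def greeting_hardened(display_name):
    """Fix: escape the value for the HTML text context before writing it out,
    so the browser renders the payload as text instead of running it."""
    return f"<p>Welcome back, {html.escape(display_name)}</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR 1=1"  # constructed attacker input for the id parameter
    print("vulnerable:", lookup_vulnerable(conn, payload))  # all three rows leak
    print("hardened:  ", lookup_hardened(conn, payload))    # []
    xss = "<script>alert(document.cookie)</script>"
    print(greeting_vulnerable(xss))  # script tag reaches the browser intact
    print(greeting_hardened(xss))    # &lt;script&gt;... rendered as text
```

The same pattern generalises: wherever untrusted data crosses into an interpreter (SQL, HTML, a shell, LDAP), the fix is to keep data and structure separate with a bound parameter or context-specific encoding rather than to filter the input by hand.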
“Developers aren’t aware of these requirements or understand the ramifications,” Trott says. “A lot of the tool sets developers use, while they’re efficient in enabling developers to push out reasonable-quality code, do not have the ability to identify systemic [security] issues.” But tools such as SourceClear promise to help developers write secure code.
Smart end-customers want experts to manage their risk just like they do their accounting, audit, legal and other professional services, says CQR’s Kernick.
It’s a point echoed by Shane Martin, enterprise strategy consultant at Huawei and former CIO of property developers Mirvac and Stockland.
“The customer will continually get asked, ‘What is the risk profile?’ So managed service providers need to be able to respond to these questions,” Martin says. “If I am running your services, your communications, your servers, what is the disaster recovery? What certification do you have around penetration testing? What is your incident management approach?”
He advises resellers to add risk management to their portfolio of services: “Customers need some comfort from MSPs.”
Tactical advice
Customers are looking for managed security service providers to offer tactical business advice, says George Piatta, information security manager of investment management company Perpetual. Although not authorised to speak on behalf of the wealth management group and limiting his comments to his personal view, Piatta says that resellers, “instead of giving us a massive brain dump, should give us their experience implementing Salesforce [for instance] in other customers”.
A former security consultant, Piatta pays attention to whether providers are gauging the organisation’s risk appetite. Providers must also map technology to the language of the boardroom and business outcomes, he says.
Cloud adoption is a risk for financial-services companies, he says. He’s influenced by the Cloud Security Alliance and the Jericho Forum; the latter promoted “de-perimeterisation”, the principle that security can no longer rely on a boundary between an organisation’s network and the outside world. He says an IT service provider must create repeatable cloud templates for its customers that evaluate data leakage, contractual security clauses and audit services to meet Australian Prudential Regulation Authority (APRA) and Privacy Act requirements.
“Now the perimeter is extending into the cloud and mobile devices; it is very much grey.” And Piatta says resellers must know the “business requirements to make sure business continuity is in place and be able to support the business with a security architecture”.
Piatta is close to all parts of the business, which gives him the jump on social engineering attempts, he says. For instance, service desks need clear policies about what can be disclosed, while marketing and HR need guidance about what can be said on official and employee social media.
On the technical side, organisations can lower their risk by implementing two-factor authentication, such as texting a one-time code to a phone over SMS, says Oh Sieng Chye, malware researcher at antivirus vendor ESET.
“Unlike large, complex security architecture, two-factor authentication serves as a scalable and cost-effective way to protect many businesses,” Oh says. Although he lists the biggest threats of 2014 as POODLE, Heartbleed and Shellshock, he expects data breaches and leaks to dominate the current year.
“Most cyber attacks [use] social engineering. Koler ransomware, spread through pornography websites, would lock [the device] pretending to be an Australian Government authority claiming to have found illegal material and demand a fine to return use.”
And despite the sums spent on protecting the G20, an email containing a Word virus spread to supporters of Tibetan freedom. “By pretending to be a benevolent organisation, many Australians were tricked into opening an infected file that they may not have opened were it from a different source.”
Look beyond
As part of an audit, resellers should look beyond their customers’ firewalls to those of their clients’ suppliers or customers, says Bryce Boland, chief technology officer of vendor FireEye.
“The supply chain is becoming one of the biggest threats for business today. We’ve seen a lot of attacks supplying the supply chain to larger organisations,” Boland says. “As organisations become more mature in risk management, often the weakness will lie in someone they trust that doesn’t have the maturity yet.”
The shift to cloud and its complex web of providers widens exposure, he says.
“As you put what matters most to your business – intellectual property, customer information, core business processes – into third parties, you’re expanding your risk. Business can manage some of their own risk reasonably well, [but] they have less control and awareness of the risk of their partners.
“From the attacker’s perspective, attacking a service provider that hooks into many businesses is more effective. That increases your risk because companies providing services to other companies are becoming much more valuable targets to attackers.”
But despite advances in the threat landscape, at a high level the war hasn’t changed in 20 years. Battle-scarred information security warrior turned angel investor and property developer Drazen Drazic says companies are driven by short-termism. This translates to cutting costs and pursuing “glory” IT while ignoring risks.
“CIOs will always be better at whiz-bang technology, and it looks better to the board and shareholders,” Drazic says. “Security isn’t so sexy; and how do you quantify the result? It’s not a big glory job because there’s not a lot [that is] tangible there to demonstrate what someone is doing.”
He’s also critical of a gathering of Australian company directors last year that “brushed over” IT as a priority: “That was a bit of a concern”. (A 2013 global IBM study of senior executives found that while every other country surveyed put IT as its number-one priority, Australians put it in third place behind regulatory compliance and, distressingly, competition.)
He blames a lot of the woes that surround companies such as Sony on a management culture that pushes security responsibility down to IT. The opportunity is for resellers and consultants to push for meetings with senior management.
“I don’t have a lot of confidence that companies are putting the fixes in. If you patch a system then you’re just stopping new hackers getting in and not getting out those who are already in there.”
And despite founding Securus Global, one of Australia’s leading penetration testing firms, he’s ambivalent about the value organisations get when they engage such services as security theatre. “If you have bad process and security in your whole organisation then pen testing won’t help you.
“Most of our clients understand they have to be worried about security but Australians, overall, are pretty lax about it,” he says.
He advises the channel to make the security discussion about the culture of their customers’ businesses.
“Every company we talk to, we stress it has to be part of day-to-day business and culture. It has to be there at the forefront of your mind. You have to think: what are your security obligations?”
Once the consultant has built up trust with the client, it’s time to get down to straight talking on risk. Drazic says that until there is trust, there will always be cynics within the client organisation who see it as a sales pitch. But once the trust has been established, “we can be blunt with our clients and at least get them to listen”.
“Everyone always assumes that someone else in the company has it under control,” he adds.