CRN gathered some of Australia's top information security experts for a roundtable lunch in Sydney. They chewed over a diverse range of issues, from managing risk to selling FUD, to the opportunities for the channel in a world where breaches are only multiplying. Here are some of the top takeaways.
ATTENDEES
- Patrick Butler, Loop Technology
- Benjamin Robson, IPsec
- Brian Jamieson, Shelde
- Dan Boucaut, Intalock
- Tony Vizza, Sententia
- Stephen Knights, Commulynx
- Chris Hagios, Airloom
- Damian Huon, Huon IT
- Martyn Young, F5 Networks (Sponsor)
- Robbie Upcroft, Webroot (Sponsor)
- Damien Manuel, Blue Coat (Sponsor)
- Steven Kiernan, CRN (Moderator)
- Keith Price, Black Swan Consulting (Moderator)
There are many degrees of security
Patrick Butler, Loop Technology: At Loop, we try to answer the hard questions like, ‘How secure are you today?’ and ‘How secure do you want to be as an organisation?’ That allows us to find some gaps and we plug those holes with technology.
Robbie Upcroft, Webroot: Is there ever a situation where the customer says, ‘I’m happy to be kind of secure’ rather than 100 percent?
Patrick Butler: Every day. It’s called risk.
Ben Robson, IPSec: Anyone who goes to an organisation and doesn’t start with that concept is one of those guys out there Bible thumping that you’re either 100 percent secure or 100 percent insecure. As soon as you take that approach with an organisation with limited budget, you are out the door. You lose immediate credibility if you start taking that approach.
You usually have to start your conversation with, ‘OK, what are you going for, are you going for a Rolls Royce?’, ‘Are you going for an HSV?’, or ‘Are you going for a 10-year-old Commodore?’
What is your risk appetite as an organisation and how much are you prepared to invest?
We might need to redefine risk
Stephen Knights, Commulynx: Business is risk. You must have a risk tolerance. What I love about the risk discussion is the organisation may have a matrix of one to 10. Everyone says, ‘Oh, that’s super critical’. Then you tell them, ‘Let’s say “critical” means people die, and let’s say seven or eight is where the business is in jeopardy and losing credibility’. You start with readdressing what risk really looks like.
In the security space, we don’t often get up to 10. That critical spend starts kicking in at around seven, because they’re losing credibility and jobs are on the line at the C-level.
There are benefits of specialising in a vertical
Dan Boucaut, Intalock: Of the IT integrators in Australia, not many are vertically focused. Intalock has aligned itself with healthcare quite a bit, so we can go into the healthcare organisations and say, ‘We understand your risk from the vertical focus’.
There aren’t too many integrators with a strong vertical focus because there isn’t the size of verticals in Australia to do it. In the US, however, you can have a 100 percent vertical focus and run your business out of that single vertical.
The benefits are that you really understand what their information assets are because they are consistent. Then you can understand where you can get a really good cost benefit from protecting those particular assets, so you’re not spending the first six months of an engagement trying to find out what they’re trying to protect.

A security breach may not be the worst risk
Damien Manuel, Blue Coat: From modelling that the big four banks have done, the cost of a security breach can be anywhere between $120–$200 million. Compare that against actual monetary losses from regulatory breaches of a billion dollars – which one of them had for their overseas operations – then that puts it into context. The business is more focused around the operational risk as opposed to the IT risk.
Compare the theoretical $150 million versus the actual billion – a lot of organisations are having that conversation. The industry has been profiting off fear, uncertainty and doubt for a long time.
Look at Target – yes, they had a bit of a blip when they had a breach, there was a bit of a downturn, but consumers still rely on going to Target and buying their products. If you look at Ashley Madison, it’s a totally different business model. That whole business model was around trust. That business is finished.
SMBs should not be complacent
CRN: How can the channel help businesses get out of the ‘It will never happen to us’ mindset?
Tony Vizza, Sententia: The security industry is its own worst enemy when we talk about $20 million and $1 billion [breaches]. There are a lot of small to medium businesses saying, ‘We’re small fry’, but if you look at all the available metrics, it is the small to medium businesses that are being targeted more than anybody else.
It’s the larger enterprises that have got security down pat. Generally speaking, they have invested in it and seen the light. It’s the small to medium businesses that are being hacked. If you look at the latest stats coming out of IBM, Australian businesses are being hacked to the tune of $2.8 million dollars per breach.

Customers are sick of just being sold FUD and licences
Brian Jamieson, Shelde: That’s something we get accused of all the time. You go to the new customer, you may not have the length of relationship with them. You are trying to sit down and build your relationship and work out how you can help them and affect their security posture in a positive way. They see a sales tag tied to it, and that’s a very dangerous thing.
We have to be very cognisant of not waving the flag of fear. It’s a very delicate line you have to walk, because as an SI with a consultative approach to a customer, you need to be their trusted advisor. If you’re not, you’re not actually being effective in the industry, because you’re isolated from what the customer needs. Ultimately, you have to be set like glue between the customer and the vendor and other technologies, or processes that they have, and make it work.
Tony Vizza: You say let’s not use fear as a reason for selling, but how do you not use fear, when it’s actually the fear that drives this?
Brian Jamieson: The fear is all over the place. You go to the internet, you start reading the paper, you watch TV, and it’s there. It’s not something we should propagate. It’s like a witch-hunt from the 1700s.