CRN gathered some of Australia's top information security experts for a roundtable lunch in Sydney. They chewed over a diverse range of issues, from managing risk to selling FUD, to the opportunities for the channel in a world where breaches are only multiplying. Here are some of the top takeaways.
ATTENDEES
- Patrick Butler, Loop Technology
- Benjamin Robson, IPsec
- Brian Jamieson, Shelde
- Dan Boucaut, Intalock
- Tony Vizza, Sententia
- Stephen Knights, Commulynx
- Chris Hagios, Airloom
- Damian Huon, Huon IT
- Martyn Young, F5 Networks (Sponsor)
- Robbie Upcroft, Webroot (Sponsor)
- Damien Manuel, Blue Coat (Sponsor)
- Steven Kiernan, CRN (Moderator)
- Keith Price, Black Swan Consulting (Moderator)
There are many degrees of security
Patrick Butler, Loop Technology: At Loop, we try to answer the hard questions like, ‘How secure are you today?’ and ‘How secure do you want to be as an organisation?’ That allows us to find some gaps and we plug those holes with technology.
Robbie Upcroft, Webroot: Is there ever a situation where the customer says, ‘I’m happy to be kind of secure’ rather than 100 percent?
Patrick Butler: Every day. It’s called risk.
Ben Robson, IPsec: Anyone who goes to an organisation and doesn’t start with that concept is one of those guys out there Bible thumping that you’re either 100 percent secure or 100 percent insecure. As soon as you take that approach with an organisation with limited budget, you are out the door. You lose immediate credibility if you start taking that approach.
You usually have to start your conversation with, ‘OK, what are you going for, are you going for a Rolls Royce?’, ‘Are you going for an HSV?’, or ‘Are you going for a 10-year-old Commodore?’
What is your risk appetite as an organisation and how much are you prepared to invest?
We might need to redefine risk
Stephen Knights, Commulynx: Business is risk. You must have a risk tolerance. What I love about the risk discussion is the organisation may have a matrix of one to 10. Everyone says, ‘Oh, that’s super critical’. Then you tell them, ‘Let’s say “critical” means people die, and let’s say seven or eight is where the business is in jeopardy and losing credibility’. You start with readdressing what risk really looks like.
In the security space, we don’t often get up to 10. That critical spend starts kicking in at around seven, because they’re losing credibility and jobs are on the line at the C-level.
There are benefits of specialising in a vertical
Dan Boucaut, Intalock: Of the IT integrators in Australia, not many are vertically focused. Intalock has aligned itself with healthcare quite a bit, so we can go into the healthcare organisations and say, ‘We understand your risk from the vertical focus’.
There aren’t too many integrators with a strong vertical focus because there isn’t the size of verticals in Australia to do it. In the US, however, you can have a 100 percent vertical focus and run your business out of that single vertical.
The benefits are that you really understand what their information assets are because they are consistent. Then you can understand where you can get a really good cost benefit from protecting those particular assets, so you’re not spending the first six months of an engagement trying to find out what they’re trying to protect.

A security breach may not be the worst risk
Damien Manuel, Blue Coat: From modelling that the big four banks have done, the cost of a security breach can be anywhere between $120–$200 million. Compare that against actual monetary losses from regulatory breaches of a billion dollars – which one of them had for their overseas operations – then that puts it into context. The business is more focused around the operational risk as opposed to the IT risk.
Compare the theoretical $150 million versus the actual billion – a lot of organisations are having that conversation. The industry has been profiting off fear, uncertainty and doubt for a long time.
Look at Target – yes, they had a bit of a blip when they had a breach, there was a bit of a downturn, but consumers still rely on going to Target and buying their products. If you look at Ashley Madison, it’s a totally different business model. That whole business model was around trust. That business is finished.
SMBs should not be complacent
CRN: How can the channel help businesses get out of the ‘It will never happen to us’ mindset?
Tony Vizza, Sententia: The security industry is its own worst enemy when we talk about $20 million and $1 billion [breaches]. There are a lot of small to medium businesses saying, ‘We’re small fry’, but if you look at all the available metrics, it is the small to medium businesses that are being targeted more than anybody else.
It’s the larger enterprises that have got security down pat. Generally speaking, they have invested in it and seen the light. It’s the small to medium businesses that are being hacked. If you look at the latest stats coming out of IBM, Australian businesses are being hacked to the tune of $2.8 million per breach.

Customers are sick of just being sold FUD and licences
Brian Jamieson, Shelde: That’s something we get accused of all the time. You go to the new customer, you may not have the length of relationship with them. You are trying to sit down and build your relationship and work out how you can help them and affect their security posture in a positive way. They see a sales tag tied to it, and that’s a very dangerous thing.
We have to be very cognisant of not waving the flag of fear. It’s a very delicate line you have to walk, because as an SI with a consultative approach to a customer, you need to be their trusted advisor. If you’re not, you’re not actually being effective in the industry, because you’re isolated from what the customer needs. Ultimately, you have to be set like glue between the customer and the vendor and other technologies, or processes that they have, and make it work.
Tony Vizza: You say let’s not use fear as a reason for selling, but how do you not use fear, when it’s actually the fear that drives this?
Brian Jamieson: The fear is all over the place. You go to the internet, you start reading the paper, you watch TV, and it’s there. It’s not something we should propagate. It’s like a witch-hunt from the 1700s.
There is no one rule on ransoms
CRN: The FBI has advised companies compromised by CryptoLocker to just pay the fine. What do you think?
Ben Robson: I tell my customers two things: have your backups; and do not negotiate with terrorists. It’s as simple as that.
Robbie Upcroft: But life is not black and white, so you can’t have a black-and-white answer. When customers ask us, ‘I’ve been hit by CryptoLocker, do I pay?’, the only answer can be, ‘It depends’.
If it’s an endpoint on someone’s machine that is really not that important, then fine, let it go, knowing full well that the bad guys are going to then see you as somebody who is not going to be breached and they’ll potentially walk away. We see a lot of data around when someone makes that first payment, they put a big target on their head saying, these guys are good for it.
The black-and-white statements like [the FBI’s] do more damage than good, because it gives the customer a sense that there’s an easy way out of it, that it’s either ‘I don’t pay’ or ‘I pay’, and thank you for making the decision for me. This is where we see the value of the channel partner, in translating the technology to the business need.
Setting up a security practice is hard
CRN: Damian, what is it like for a traditional IT services provider setting up a security division?
Damian Huon, Huon IT: Firstly, finding a security guy who can speak business language has been very difficult. Finding the right security guy who is not already a director or partner of the firm, and that you can attract away, has been difficult.
We’ve had a couple of false starts, but now we’ve found a consultant who has a lot of track record and works for one of the major banks in a three-day consulting role, so he has availability. He’s an independent who is coming in and assisting us to build our practice. He is going to assist us with different security products and then guide us around the vendor space.
That’s highly attractive to us because we haven’t got an expensive salary on board, initially, while we’re building the practice, and we have some runs on the board with some security tests and pen tests to use for our customers. That’s a toe-in-the-water approach, but we’ve got someone we couldn’t afford to put on staff who’s got a lot of track record.
Brian Jamieson: It’s actually a good approach, because consulting is a costly business. In order to get the right skills and retain those skills, and then provide an environment for someone where it’s attractive for them to work for you where they’re not being poached, is a very difficult proposition.

New entrants should specialise
Patrick Butler: Pick the area of security you want to be in. There are a lot of areas to choose from: there’s the consulting; there’s the actual security engineering where we deploy products; and there’s the managed services area.
Those are the three broad areas, then you break down consulting and you’ve got pen testers – that’s a completely different skillset to application code reviewers, to social engineering, and physical security… and then you’ve got compliance and governance.
You’ve got to decide: do you want to be doing something well or do you just want to be offering a sort of tick box? Because if you go and do something just because you want to get into this hot market, and you deliver something that’s not at the quality set by the industry, then the risk is that the customer gets tainted by that.
The cloud creates a security opportunity
Martyn Young, F5 Networks: There’s an opportunity for partners to be able to educate, guide and consult around how they expand that security model into the hybrid cloud, make it application-centric and deliver a consistent model across those environments, regardless of whether the application is in the data centre, private cloud or public cloud.
There’s further opportunity for partners around adding the agility higher up the stack. Software-defined networking is gaining more traction for the same reason that server virtualisation gained traction – it provides better utilisation of hardware and a much more agile environment for deployment and flexibility. Security comes with that.
When we move to the full hybrid cloud, it is going to be out in the ether of public cloud or in a true private cloud, on-premise. I think it’s a great opportunity for partners to get in front of that curve and help customers with that transition.