Cybersecurity services have perhaps never looked so appealing as a path to growth for IT channel companies. Awareness of the risks is arguably at an all-time high and it looks like the cyber business playing field will only improve in 2023.
Gartner forecasts that in 2023, government policies forcing organisations to provide consumer privacy rights will affect five billion citizens and over 70 percent of global GDP. Locally, critical infrastructure laws have expanded protection from 4 to 22 asset classes across 11 sectors.
In July, a mandatory 12-hour reporting requirement for all attacks on organisations dealing with assets deemed as critical under the Critical Infrastructure Bill came into force.
In October, PwC forecast that more than 60 percent of enterprises would increase their cyber budgets in the next 12 months. Globally, C-suite decision makers nominated catastrophic cyber-attacks as their highest priority, while Australian executives were more focused on recession risk mitigation – but one suspects that Australia is now firmly in line with the global consensus.
Money will go to cybersecurity leadership, employee awareness, improved data analytics capabilities, board education and solving workforce talent gaps in the next 12 to 18 months, according to PwC.
“Cyber is a team sport – it should not be siloed within departments or organisations. To build a truly inclusive and holistic cybersecurity culture, entire organisations must be taken on the transformation journey, which the C-suite should lead. Cybersecurity uplift must be expressed as an opportunity, not a burden, and ultimately a vehicle to help organisations achieve their goals,” PwC’s Cyber and the C-suite in Australia report states.
The opportunity for heroic acts by channel providers is nigh. The question is whether they are geared to capitalise on these trends.
The way cyber security is sold, and what is sold, needs to change, many of those at the forefront of these issues have told CRN.
Some say the business of cyber security is maturing, just as the managed services game matured many years ago with a move from ad-hoc to fully managed services.
The overarching narrative is a shift from technical, metrics-focussed services to a more holistic approach that takes into account wider business imperatives and reframes expectations of security companies' customers.
Gartner has previously predicted a shift in formal accountability for the treatment of cyber risks from the security leader to senior business leaders. By 2026, 50 percent of C-level executives will have performance requirements related to risk built into their employment contracts, it predicts.
Gartner suggests that by 2025, 60 percent of organisations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements, and that 70 percent of CEOs will mandate a culture of organisational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest and political instabilities.
So, security firms must do better at talking about cyber security to business stakeholders in a language they understand.
They are being urged not to fixate on cybersecurity standards, compliance and technical aspects alone – to move cyber security out of its IT silo and deal with it as a business risk.
The lines of engagement are being clarified. Some cyber firms say they are having “difficult” conversations with customers, telling them they must take minimum levels of cyber security or they can’t support them.
Some vendors are encouraging security firms to move from an all-or-nothing approach to security, to ranking security services on a scale aligned with accepted security frameworks. Customers agree on a level of risk they are willing to accept and then they pay for a corresponding level of security. The idea is that this could help clarify expectations.
Some vendors and partners are pushing customers to think of cyber security as “like going to the gym” – the goal being maintaining cyber “fitness”, rather than a one-off assessment or overhaul.
Some also see an opportunity to make cyber resilience – the ability for organisations to recover quickly from an incident – a bigger focus.
Cyber security providers are seizing this opportunity and attracting investment – see the $10 million investment in Australian governance, risk and compliance (GRC) software vendor 6clicks by venture capital firm Centerstone Capital this year, for example.
Cyber advisors are also calling for a focus on change management and behaviours before demands escalate further. Ben Jones, MD at Continuum Cyber, states that the most exciting innovation that could currently be enacted is educating the people within these businesses who operate the machines that are exploited.
In critical infrastructure sectors, new obligations have already altered the relationship between IT partners and their clients. The onus now falls increasingly on the security partner to provide advice on risk mitigation and potential IT security exposures while recommending best practice frameworks.
Skills shortages remain a challenge and an opportunity. “There's lots to recommend in outsourcing to acquire security skills, because it makes sense for specialist security organisations who have those skills to maintain those skills in house, and to ensure they can retain those skills. So, retention of security skills, given the current market, is a difficult issue for organisations, and will affect commercial outcomes,” says Vertel Commercial Director Tony Hudson.
And the types of tools and services security providers need continue to evolve. Worldwide end-user spending on cloud security is expected to grow the fastest in 2023, up by 26.8 percent, followed by spending on application security (up 24.7 percent), data privacy (up 16.9 percent), infrastructure protection (up 16.1 percent), identity and access management (up 15.1 percent) and data security (up 14.2 percent), according to Gartner.
Solving and simplifying digital identity challenges will be a key opportunity. Single sign-on solutions have already proved lucrative – as IT environments increasingly encompass multi-cloud and machine-to-machine systems, tracking and identifying users will remain a challenge.
Juniper Research believes that, as migration to cloud continues, traditional cybersecurity tools and solutions will be phased out and replaced with consolidated cloud-native cybersecurity offerings.
By 2025, 80 percent of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s Security Service Edge (SSE) platform, Gartner predicts.
GlobalData reported that the MSSP market would reach $4.7 billion by 2025, driven by identity and access management and security intelligence and management solutions.
All this will be harder to sell, argue some vendors, unless security firms align it with an accepted security framework.
Keeping pace with these demands can be expensive for security services providers. Take MSPs, which often need to secure many remote users in addition to customers’ office systems and networks. Basic endpoint protection is no longer adequate, security providers are told – they are encouraged to provide a truly end-to-end security stack encompassing such elements as assessment and remediation services and an SOC providing 24x7 monitoring.
Savvy partners are finding cost-effective ways to scale their security businesses – such as by using vendors' security services, and outsourcing assessment and remediation to others, instead of hiring bigger security teams.
They must be careful that the models they choose can evolve as the security puzzle grows more complicated.
They also have financial liabilities to consider. The cost of insurance has risen and it’s not hard to find MSP owners who are cynical about the value of that insurance, or worried about their liability in the case of a customer breach.
Only 20 percent of small to medium enterprises have cyber insurance, compared with 35 percent to 70 percent for larger organisations, according to The Actuaries Institute. Increasing underlying risk is making it harder to get cover as insurers look to limit their exposures and increase premiums.
This is another reason why now is the time for cyber security services providers to evolve their offerings beyond individual products and ad-hoc sales. The way forward looks to be more holistic offerings corresponding with clearly defined and agreed levels of risk, aligned to clear frameworks.
The security money pot looks set to continue growing. But to seize it, security firms must evolve their approach.
Athina Mallis, Natalie Apostolou, Juha Saarinen, Andrew Birmingham, William Maher, Iain Ferguson and Jennifer O'Brien contributed to the State of Security 2022 report for CRN, iTnews, and Digital Nation.
The 2022 State of Security sponsors have worked tirelessly to improve the safety of enterprise and channel companies.
We are proud to present the IT Security champions, and showcase the work they do.