The importance of creating a customer-centric security strategy is acknowledged in the channel, but ways to achieve this goal are seldom explored.
Partners in New Zealand are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market.
The Kiwi ecosystem is seeking answers, because in 2019, what does a managed security service provider (MSSP) look like?
“The successful partners transitioning to an MSSP model are the partners that are capable of approaching the customer from a business perspective,” outlined Jon Fox, channel director of Australia and New Zealand at Sophos.
According to Fox, transitioning to a security driven services business requires more than just market rhetoric, partners must focus on technologies, talent, offerings, business strategy and messaging.
“These partners are capable of providing all the in-depth security requirements necessary, including comprehensive risk profiles, as opposed to simply surveying a customer environment and making technology recommendations.
“But crucially, this is delivered through the lens of the business, rather than products.”
The definition - and in fact, the role - of an MSSP in New Zealand has been a cause of debate in recent years, triggered by a change in customer requirements from a security perspective.
“We believe that the best differentiation between an MSP and an MSSP is that MSPs tend to be more technically focused, and they primarily focus on offering point solutions to customers,” explained Nigel Everett, CEO and director at Defend, a newly launched security start-up in Auckland.
“Meanwhile, MSSPs offer a business-wide approach, in that you need to be business-centric when recommending any security service.
“Partners can’t just deploy technology and assume that it’s going to resolve an issue, the approach must cover people, process and technology.”
In short, MSSPs must engage with customers beyond the traditional provision of technology, patches and updates.
Echoing the observations of Fox and Everett, Lewis Holden - general manager of Cogent - also emphasised increased focus on the human aspect of managing end-user environments, with businesses continually challenged by a lack of education.
“We engage with a customer because they want a managed firewall, or to ensure that they have anti-virus software on PCs, for example,” Holden said. “But we also enter the conversation knowing that there’s also a human element, which is critical to how information is secured.”
Specifically, as much as 90 per cent of hacks come as a result of some form of human error, rather than an inherent weakness in the technology or security systems.
Consequently, the role and importance of an MSSP heightens in ensuring such internal protocols and defences are in place.
“If people are saving their passwords to a text file that they’ve put on a desktop, it doesn’t matter what security you put around your system, and how sophisticated your tools are, people are still doing something that is inherently not secure,” Holden added.
“Therefore our role must also focus on tackling the human element.”
More broadly speaking, IT services revenue in New Zealand is expected to reach approximately $3.9 billion within four years, driven by increased cloud adoption among customers.
According to IDC findings, the market is predicted to grow at a compound annual growth rate (CAGR) of 2.8 per cent through to 2023, up from an estimated $3.4 billion in 2018.
With security now a leading priority for businesses across the country - as revealed by EDGE Research - some partners are edging towards MSSP status, without officially making the switch.
“Out of the 20-odd people that we have in our engineering team, we’ve now got six that are concentrating on competency and security, so we are building out from that core,” explained Greg Sharp, managing director of Base 2.
Sharp said Base 2 is adopting the practice and service features of an MSSP, without fully making the transition.
“Three staff are focusing on our channel services to the other MSPs, and the other three are securing our own MSP customers,” Sharp confirmed. “I don’t think we’re ever going to be a fully-fledged MSSP, we’ll just be an MSP that has a business line concentrating on security.
“But certainly the approach to security services is an evolving process that we are all going through in the channel.”
Spanning valued-added resellers, system integrators and MSPs, partners are finding value in spinning out dedicated security practices, in a bid to demonstrate market capabilities to customers.
While not the strategy of every provider, such an approach, according to Fox of Sophos, allows partners to “break away” from other forms of technology, creating a specialist focus in the process.
“The most successful partners we’ve seen are the ones that truly break out into a separate stand-alone security business,” Fox said. “For example, a few Sophos partners have broken out of their day-to-day business to become managed service providers, and focus purely on security.
“These are the organisations that the legacy resellers are often partnering up with to handle the expanding demands around security.”
Taking the conversation further, and in assessing the evolving marketplace across New Zealand, David Wilson - general manager of iT360 - assessed that one-time generalist partners continue to be hindered by a lack of customer education.
Specifically, a lack of education in that a one-time technology provider can transform into a dedicated security specialist.
“I like the idea of separating out business so that security is something distinct that we offer,” Wilson said. “I think there’s a perception that IT guys are just IT guys and I certainly don’t want to be lumped into that category.
“Especially in the world we play which is the small to medium business space, in which a business owner might see the IT guy as someone that doesn’t do much more than fix the computers, and that the security experts are different people.”
Maintaining the end-user theme, Noel Simpson - CEO of Lexel Systems - cautioned the channel around evolving customer expectations, specifically related to pricing.
“If the customer pays monthly for a bunch of services, they inherently just assume that security is implied,” Simpson explained. “We use our account management team to go in and manage expectations.
“We have found that the best visual is to say ‘at the moment you’ve got the stickers on the windows of your home but there’s actually no alarm and it’s not monitored. There’s no cop that’s going to turn up to your house when the alarm goes off real loud’.”
Such an approach aligns with Dermot Conlon - director of SpecOps NZ - who observed that managing customer expectations around security continues to be a delicate balancing act for partners.
“With security it’s about probability,” Conlon said. “If someone is determined and they have time, resources and budget then they are getting in, and there’s no two ways about it.”
For Conlon, the end result means that deploying the best security solutions available aren’t necessarily going to be adequate to prevent a determined hacker.
Understanding that, as well as what an organisation should be doing in response, is critical to successful customer engagement around security.
“Providing security services is more about reducing the likelihood of a successful attack, and talking to our customers about their security profile, risk appetite and regulatory requirements,” Conlon outlined.
“Because all of those factors are part of the business outcomes of the organisation, and really boil down to what, as an organisation, you’re there to do. Is it to serve the public, make money, or both?”
Such an approach to customer engagement is of greater importance when dealing at the higher end of the market, said Conlon, chiefly with CSOs or security managers.
Developing the point further, Cameron Reid - MSP channel account executive at Sophos - accepted that in addition to improved levels of education in New Zealand, customers require greater guidance in understanding security priorities.
“If a customer is paying for a monthly service they often won’t even understand where the crown jewels are,” Reid cautioned. “This is because they haven’t necessarily been advised on what’s important to them.
“Is their house important or do they care about their car more? Some might want better protection on their car than their house. And that’s the key, the channel has to engage with customers and discover where those priorities are.”
To achieve this, Fox of Sophos again advised partners to shift the conversation away from speeds and feeds, to a business-centric discussion around security strategy.
Read more on the next page...