The issue then is that the customers don’t know what questions to ask.
“I had a conversation just the other day with a SaaS provider who was holding data of managed services providers and when I questioned security the comment back was ‘it’s in Azure, secure’.
“There was no thought around that data because it wasn’t their data, it was maybe my data or another MSP’s data, they didn’t see that.”
Symantec’s Taylor said security events still typically trigger changes and investment but that is changing, not least with larger organisations appointing chief information security officers (CISOs).
“We’re also seeing a lot of resellers do a CISO as-a-service to try and address the parts of the market who can’t afford or can’t access the talent of a dedicated CISO,” he said.
Partners are stepping in to fill that gap and provide advice from someone who actually understands security.
The adoption of Office 365 creates other issues, Taylor said. End users have to decide, for instance, whether to pay Microsoft for in-built Office 365 security tools. That can lead to fragmentation if the users are using multiple cloud services.
“All of a sudden you’ve got to manage that across multiple tool sets. You’ve got to duplicate the security controls, you’re trying look at events occurring across multiple places.”
Dean Graham, of enterprise manager A/NZ of Insight Enterprise, said for most the Office 365 journey still sits squarely inside the infrastructure teams of days go by. You would therefore expect the thought and understanding was there along with some concern around security and how to deliver that to the new platform.
On the application side, however, there is a level of panic bubbling up from all quarters.
Often the CIO finds out late in the piece that a part of the business has, for instance, discovered and implemented a way to automate a production line long before they’ve turned to the IT team.
“I think that’s when you get the two-step nature of the security thing happening in the back of the conversation. So, the normal governance, the normal stuff you could expect around any form of roll out is the struggle,” Graham said.
“And it’s critical because now you’re starting to tap into the absolute blood flow of an organisation, its profit centres and its capability and yet it hasn’t had the hands that have always historically been there: the IT managers, the CIOs, the people for whom this stuff that is a constant discipline, or at least it is as disciplined as they are.”
For SMBs the decision to go to the cloud is about costs, said SAS IT’s incoming CEO, Matt Roberts. It’s an opex, subscription-based service not a capital cost and that is what they need. It follows that security is not front of mind.
“I don’t think a lot of businesses have realised what their exposure is and what their risk is and how they can impact on their business, they just depend on a reactive capacity and deal with what they have to deal with.”
Plan B’s Scott recently left Microsoft where he found a lot of good things were happening in NZ mid-market companies because security and functionality were not mutually exclusive.
While there is network security, perimeter security and application security good user identification and authentication can “light that up” to deliver seamless functionality, productivity and security.
“The two don’t need to be mutually exclusive,” he said. “You can have a high degree of user autonomy within a secure world, but it has to be really thought through.”
Insight Enterprises’ Graham was among several roundtable participants who expressed disappointment New Zealand’s looming compulsory breach notification requirements have been softened. Compulsory notification could have been a catalyst for increased change and awareness.
“We love to promote and educate and feed with the carrot, but someone needs the stick,” he said. “There’s got to be something sitting in the back somewhere that is beyond public opinion and public exposure.”
SAS IT’s Roberts sits on a couple of boards with responsibility for protecting the brand from risk in event of an attack. But the bigger issue is the data.
“So, I’m on the board of the YMCA who have got children and family information now up in the cloud,” he said. “I can tell you that every one of our board members is asking the security question because if that’s breached they are personally liable.”
Symantec’s Holtzhausen said the market is looking at the channel for education and to take on their IT and their infrastructure - and that incorporates security.
A service provider specialising in infrastructure and applications now has to look after security as well, he said.
“If you don’t have that capability you have to partner with somebody and make it part of your ecosystem to deliver that service and that outcome for the customer,” he said.
“So, whether you’re a security specialist or not, as a partner I think you need to work out very quickly how you can address that component whether you can upskill and become the trusted advisor in that space or whether you perhaps partner with somebody else as a combined team.”
Taylor said he didn’t know of any partners who are not selling security but it’s very much “if it’s asked for”.
“The real challenge comes around the delivery of that side of things and how they actually roll it out in a way that helps the customer prevent the threats.
“We are seeing the emergence of a number of smaller pure-play security resellers in the last three to four years, spun out from people at various bigger resellers and starting their own firms.
“That only goes to show what the demand is.”
However, security resources are few and far between and it becomes very difficult to find that talent on your own, he added. A lot of resellers are either looking to partner or finding vendors who can assist. Vendors are also coming out with managed security services as well.
With so many vendors in the market, another opportunity beckons for resellers – guiding clients through that maze, said Holtzhausen.
“We’re integrating with many different partners, some of them are competitors, but that’s the way to go to provide that integrated solution to a customer that drives down complexity because this is a complex space that we’re playing in.
“You can imagine the complexity that exists and how confused customers must be when they look at the space.”
For distributor Westcon-Comstor, it’s all about enabling the channel, whether through sales training, technical training or helping with certifications, said Goode.
There are very capable resellers and others who haven’t been security resellers in the past and are looking to get into security. So, there is a big difference in partner cyber security maturity.
In addition to a range of more standard distribution capabilities around pricing, logistics and ordering, Westcon-Comstor also offers cyber strategy resources such as a “sandpit” capability.
“We’ve got some technology, all the technology, for example, for Symantec back in our labs that we have access to for the resellers to try trial proof of concepts.”
Symantec’s Taylor said the fact security is often an afterthought or an add-on after the fact creates an opportunity for the channel – to do it the other way round.
“Every time you buy a computer, write an application, buy a tool or what have you the security considerations need to be baked into the decision process, not something you can deal with at the end,” he said.
This exclusive Reseller News Roundtable was in association with Symantec and Westcon-Comstor. Photo by Maria Stefina.