Reseller News Roundtable Lunch - The Changing Face of Security (PART 2)
- 23 September, 2015 13:08
As Gregg Steinhafel, a 35-year employee and six-year CEO, cleared his desk for the final time, said his goodbyes and departed as Target CEO, boardrooms across the world stood up, and took notice.
Over 40 million stolen debit and credit card numbers later, the Target data breach serves as a modern day reminder to C-level executives that security - in all shapes and sizes - remains a top business priority.
Any fly on any wall of any New Zealand boardroom will attest to that.
Yet when debating the changing face of security in the local market, while vendors, distributors and partners remain in close agreement that battening down the enterprise hatches is of chief concern, such enthusiasm for protection rarely translates into reality.
As purse strings seemingly loosen up across Kiwi businesses, what’s holding partners back from taking security solutions to market?
“How do you tell businesses about the bad news?” asks Skulk de Wet, Systems Engineer, Network Pro, Auckland-based internet and IT security specialists. “Do you sit them down and scare them? Or play it down so they don’t appreciate the significance of the problem?”
Customer balancing act
In the age of scaremongering by certain vendors in the security industry, de Wet details a catch-22 situation for partners - who are torn between providing full frontal analysis’s or watered down observations, depending on the sensitivity of the company and the decision-maker on the other end of the phone.
“There’s a balance to be had,” he adds. “It depends on who you are talking to. Some prefer to get down into the details and know exactly what is going on and refuse to let emotions get in the way, whereas others prefer a more measured approach.
“If partners do find a breach has occurred and the business has been compromised, it can be difficult to sell this to a new customer.
“We’re dealing with delicate issues and your ability to get the message across clearly is crucial. If you have a long relationship with your customer then maybe a more open, warts and all approach is allowed.
“But if this is a new scenario and you sit down and proclaim that the world is on fire, they could think you’re just trying to sell them something and completely shut down the shop.”
As de Wet, speaking as a security specialist in New Zealand, puts it, the ability of the partner to make customers realise there is firstly a problem, and secondly, the best ways to address this problem, leads to a healthy conversation starter, thus removing traditional barriers of entry when selling security solutions.
Every management authority on the circuit, whether that be in New Zealand or the rest of the world, accepts that loyal customers and repeat business provide the cornerstone of an organisation’s long-term success.
But in seeking innovative ways to develop new business relationships in the Kiwi market, Scott Green, Director of IT Infrastructure, Datacom, believes that pitching to fresh decision makers, who themselves are new in the role, on the topic of security can also be a help, rather than a hindrance.
“There is an element of truth in the belief that it’s easier when your customer is not having to protect poor decisions of the past,” he adds. “But in my opinion, because the landscape is evolving and moving at a rapid pace, the conversation has shifted.”
With over 15 years of IT experience to draw on, Green believes the points of discussion between partner and customer have progressed from those of the past, moving away from fears of public embarrassment to genuine concern around business continuity should a breach occur.
“The conversation is not about the value of the information or data they stand to lose, it’s more about whether the business can still operate and trade following an attack,” adds Green, offering a crucial new insight into the motivations of IT security buyers in New Zealand.
“Of course information and data remains a motivation, but their chief concern is whether their customer service will still be operational following an attack, or whether they can process transactions - this is an area where businesses are prepared to make significant investments.
“That’s got nothing to do with their information being let loose in the public domain, that’s where the real scaremongering comes into play.
“On the topic of business continuity, that is where the true impact lies, in the fear of saying; ‘Sorry we can’t help you today our systems are down.’ Customers think you’re not up to the task and that is where the real sell lies.”
For Green, the sell is no longer to the IT manager, or even the low end security personnel within an organisation.
The pitch is now delivered straight to the CEO, CMO, CFO - the people who, as Green puts, “really care about the customer.”
Echoed by Chris Barton, Regional Alliance Manager, FireEye, board members in New Zealand are now looking across the Pacific at their American counterparts thinking, “I don’t want that to happen to me.”
“Executives don’t want to be responsible for outages and down-time, or reputation and brand loss,” he observes. “They simply can’t afford to let it happen on their watch which is why the industry has seen an increase in spend and focus because those top security decisions are not being made a board level.”
During the past 18 months alone, Sony, Target, JP Morgan have all fallen victim to significant breaches, breaches which have plastered the company logo across every newspaper and bulletin on the planet, causing significant humiliation for those at the top.
“Yes it’s embarrassing,” adds John-Paul Sikking, Head of Security, Cisco, “but your business isn’t going to necessarily fold.
“I know a company that was hit badly by cryptolocker, it had to trace back seven years to find a known good backup implementation. Seven years? Who cares? Just pack up the shop because you’re toast.
“That company now has no relevant records that they can restore so they might as well start over.”
Cryptolocker, as Sikking explains, prevents businesses from operating, and that’s the key.
“Look at Sony,” he adds, “It is going as well as ever, and Target isn’t too far behind. If you’re a bricks and mortar organisation and you lose credit card information, yes it’s very embarrassing and bad for your customers but your recovery depends on how you react.
“If you react well, work closely with your customers then yes, you can survive.”
During a long career within the security industry, Sikking recalls conversations from a decade ago, when he would ask businesses, “What about your reputational risk?”
“It’s still prevalent today but not as important,” he adds.
As the conversation and the business requirements around security change, the role of the managed security service provider - in providing outsourced monitoring and management of security devices and systems - perhaps, is also changing.
Widely acknowledged as the crucial link in the channel community, Kiwi partners in the new age of security are faced with multiple solutions and vendor pitches, yet must consolidate masses of information into one single product, utilising all ends of the security spectrum.
“To be truthful vendors are just pieces of the security puzzle,” adds Shane Varcoe, Channel Account Manager, Webroot.
Fresh from linking up with Kiwi distributor Exeed in New Zealand, Varcoe believes that local partners and service providers are the gel required to mould together a solution and approach that works best for the customer.
“Webroot’s role is around partner enablement and educating the distributor and the channel market bout our solutions and their capabilities, in a way that best fits the equation for the customer,” he adds. “But in the industry there are so many players, with new ones also coming in, with new bells and whistles and it can be confusing for partners.”
“It can be very difficult for resellers when attempting to present the bigger picture to customers,” adds Steve Woodward, Services & Solutions Manager, Westcon Group New Zealand.
Speaking from the distributor side of the equation, Woodward believes partners are looking for the complete vendor, the vendor who provides a complete end-to-end solution.
“Does this vendor exist?” he asks, “I don’t know. But partners are increasingly wanting a one touch approach, a vendor that can provide them with everything.
“As a distributor we provide support and direction but that’s not always easy for distributors given they support many vendors across the same industry.”
For Barton, in utilising his vast experience in the security space and past three years at FireEye, amidst such confusion, presents an opportunity for partners to shine.
In his role as a Senior Solutions Consultant at Network Pro, Wayne Ridgway specialises in network security, disaster recovery and business continuity.
Through his eyes however, “security is a market that can’t be treated like this month’s new printer or laptop.”
As an experienced security partner in the New Zealand industry, Ridgway believes that “if you’re having this type of conversation with your customer then you’ve missed the mark completely.”
Touching on Ridgway’s comments, Jaynean Leaupepe, Business Development Manager, Arrow ECS Australia and New Zealand - a IT security distributor - believes partners should work closer with risk management teams in a bid to help further the security conversation across an organisation, thus making it a greater business priority.
“Partners should examine the risks of an organisation and ask the key question, “what is the business trying to achieve?” she adds. “Until partners fully understand the requirements of a business, they can’t begin to help solve the problem.”
Onus on Partners?
Looking across from the vendor fence, Sikking accepts that it is “extremely difficult” for a distributor to turn the conversation around when a customer rings up with a ready made wish-list.
Alluding to the common sales theory that over half of a typical purchase decision is made before a customer even talks to a supplier, Sikking believes that consequently, “the onus lies with the partners.”
“The decision is already made by this point so it’s down to the partner to drive those questions with the customer and impact decisions earlier,” he says. “The partners must sit down with customers and have a much wider security discussion because at the end of the day, vendors are a bunch of technology companies trying to sell their own individual solutions.
“Of course, for partners the real struggle lies and trying to provide that additional value layer but it’s about driving this through your long-standing relationships with customers and utilising the enablement programs of vendors to get your message across.”
In an ideal world, Sikking says that Cisco, or FireEye, or Webroot, uncovering business problems would help move the discussion along, but in circling back to the first topic, “there’s a lot of people in the industry who don’t want you to lift that rock.”
Onus on Vendors?
Green, in representing Datacom, counters with the view that “security is a not a product sell.”
“We see behaviour from some vendors in the market, and maybe we are all accountable in this respect, that is detrimental to the work of partners,” he adds. “What vendors must recognise is that partners are in contact with vendors providing different technologies, who are constantly claiming that ‘ours is faster, better and cheaper’ and wondering why we don’t implement their solutions.
“There might be a case on the better speeds and feeds but there’s a much bigger picture to consider. What about training, servicing and processes needed to implement those skills? It’s never a simple rip out the product and replace.”
As a result, Green believes there must be a “degree of pragmatism” in the process around how vendors represent a particular product.
“I believe it’s crucial to architect new ways to approach business,” he explains. “Vendors must recognise that it isn’t always about meeting this month’s quota, it’s actually about saying we have to construct a longstanding service together. It might be a 2-3 year relationship that needs to take place but there is room to work out how we can share the risk and turn a dollar.”
Delving deeper into Green’s comments, Sikking adds that the industry has witnessed a “massive shift” from vendors moving to consumption based models.
With customers now paying according to the resources used, Sikking says security is now being delivered as-a-service, in line with industry predications.
Two years ago, research analyst firm Gartner predicted that cloud-based security services market, which includes secure email or web gateways, identity and access management (IAM), remote vulnerability assessment, security information and event management would hit US$4.13 billion by 2017.
The growth, as forecast by Gartner, is likely to come because of the adoption of these cloud-based security services by small- to-mid-sized business (SMB) in particular.
“Rather than sell a product or vendor name to a customer, it’s important to look at selling a service instead,” adds de Wet.
This, according to Sikking, signals a move to a more outcomes based approach, which subsequently “shifts the risk from the customer to the provider.”
“If the outcome is what customer is looking for, the difficult arises from all of the risk pushing back onto the provider,” Sikking adds.
Irrespective of whether the solution is “red, green or blue”, if vendors help partners examine the solution and ensure it delivers the best outcome for the customer, then in the eyes of Debbie Proffit, National Vendor Manager, Westcon New Zealand, that will be the key market differentiator.
“Challenges for resellers in the security market are to a degree no different to that of the data centre or unified communications markets,” Proffit observes. “But at Westcon we find our most successful vendors are the ones who spend time relaying information and education through the channel to the customer, rather than simply trying to sell a product.”
In having the final world, Barton believes that the partner role in New Zealand has never been more crucial, and as changing face of the security landscape continues to shift the goal posts and impact the market, partners that can help deliver technology as-a-service can excel.
“These sorts of partnerships are becoming even more important today,” he concludes.
For an overview of the New Zealand security market, and the threats and challenges within it, check back to the first story by clicking here