Making of an MSSP: a blueprint for NZ growth
- 07 February, 2019 11:45
L-R: Dermot Conlon (SecOps); Igor Matich (Dynamo6); Nigel Everett (Defend); Frazer Scott (Plan B); Jon Fox (Sophos); Michael Foley (Umbrellar); Greg Sharp (Base 2); Noel Simpson (Lexel Systems); Igor Portugal (Catalyst IT); Dave Wilson (IT360); Martin Smithson (Kordia); James Henderson (Reseller News); Lewis Holden (Cogent) and Cameron Reid (Sophos)
The importance of creating a customer-centric security strategy is acknowledged in the channel, but ways to achieve this goal are seldom explored.
Partners in New Zealand are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market.
The Kiwi ecosystem is seeking answers, because in 2019, what does a managed security service provider (MSSP) look like?
“The successful partners transitioning to an MSSP model are the partners that are capable of approaching the customer from a business perspective,” outlined Jon Fox, channel director of Australia and New Zealand at Sophos.
According to Fox, transitioning to a security-driven services business requires more than just market rhetoric; partners must focus on technologies, talent, offerings, business strategy and messaging.
“These partners are capable of providing all the in-depth security requirements necessary, including comprehensive risk profiles, as opposed to simply surveying a customer environment and making technology recommendations.
“But crucially, this is delivered through the lens of the business, rather than products.”
The definition - and in fact, the role - of an MSSP in New Zealand has been a cause of debate in recent years, triggered by a change in customer requirements from a security perspective.
“We believe that the best differentiation between an MSP and an MSSP is that MSPs tend to be more technically focused, and they primarily focus on offering point solutions to customers,” explained Nigel Everett, CEO and director at Defend, a newly launched security start-up in Auckland.
“Meanwhile, MSSPs offer a business-wide approach, in that you need to be business-centric when recommending any security service.
“Partners can’t just deploy technology and assume that it’s going to resolve an issue, the approach must cover people, process and technology.”
In short, MSSPs must engage with customers beyond the traditional provision of technology, patches and updates.
Echoing the observations of Fox and Everett, Lewis Holden - general manager of Cogent - also emphasised increased focus on the human aspect of managing end-user environments, with businesses continually challenged by a lack of education.
“We engage with a customer because they want a managed firewall, or to ensure that they have anti-virus software on PCs, for example,” Holden said. “But we also enter the conversation knowing that there’s also a human element, which is critical to how information is secured.”
Specifically, as much as 90 per cent of hacks come as a result of some form of human error, rather than an inherent weakness in the technology or security systems.
Consequently, the role and importance of an MSSP heightens in ensuring such internal protocols and defences are in place.
“If people are saving their passwords to a text file that they’ve put on a desktop, it doesn’t matter what security you put around your system, and how sophisticated your tools are, people are still doing something that is inherently not secure,” Holden added.
“Therefore our role must also focus on tackling the human element.”
More broadly speaking, IT services revenue in New Zealand is expected to reach approximately $3.9 billion within four years, driven by increased cloud adoption among customers.
According to IDC findings, the market is predicted to grow at a compound annual growth rate (CAGR) of 2.8 per cent through to 2023, up from an estimated $3.4 billion in 2018.
With security now a leading priority for businesses across the country - as revealed by EDGE Research - some partners are edging towards MSSP status, without officially making the switch.
“Out of the 20-odd people that we have in our engineering team, we’ve now got six that are concentrating on competency and security, so we are building out from that core,” explained Greg Sharp, managing director of Base 2.
Sharp said Base 2 is adopting the practice and service features of an MSSP, without fully making the transition.
“Three staff are focusing on our channel services to the other MSPs, and the other three are securing our own MSP customers,” Sharp confirmed. “I don’t think we’re ever going to be a fully-fledged MSSP, we’ll just be an MSP that has a business line concentrating on security.
“But certainly the approach to security services is an evolving process that we are all going through in the channel.”
Spanning value-added resellers, system integrators and MSPs, partners are finding value in spinning out dedicated security practices, in a bid to demonstrate market capabilities to customers.
While not the strategy of every provider, such an approach, according to Fox of Sophos, allows partners to “break away” from other forms of technology, creating a specialist focus in the process.
“The most successful partners we’ve seen are the ones that truly break out into a separate stand-alone security business,” Fox said. “For example, a few Sophos partners have broken out of their day-to-day business to become managed service providers, and focus purely on security.
“These are the organisations that the legacy resellers are often partnering up with to handle the expanding demands around security.”
Taking the conversation further, and in assessing the evolving marketplace across New Zealand, David Wilson - general manager of iT360 - assessed that one-time generalist partners continue to be hindered by a lack of customer education.
Specifically, customers are often unaware that a one-time technology provider can transform into a dedicated security specialist.
“I like the idea of separating out business so that security is something distinct that we offer,” Wilson said. “I think there’s a perception that IT guys are just IT guys and I certainly don’t want to be lumped into that category.
“Especially in the world we play which is the small to medium business space, in which a business owner might see the IT guy as someone that doesn’t do much more than fix the computers, and that the security experts are different people.”
Maintaining the end-user theme, Noel Simpson - CEO of Lexel Systems - cautioned the channel around evolving customer expectations, specifically related to pricing.
“If the customer pays monthly for a bunch of services, they inherently just assume that security is implied,” Simpson explained. “We use our account management team to go in and manage expectations.
“We have found that the best visual is to say ‘at the moment you’ve got the stickers on the windows of your home but there’s actually no alarm and it’s not monitored. There’s no cop that’s going to turn up to your house when the alarm goes off real loud’.”
Such an approach aligns with Dermot Conlon - director of SpecOps NZ - who observed that managing customer expectations around security continues to be a delicate balancing act for partners.
“With security it’s about probability,” Conlon said. “If someone is determined and they have time, resources and budget then they are getting in, and there’s no two ways about it.”
For Conlon, the end result means that deploying the best security solutions available isn’t necessarily going to be adequate to prevent a determined hacker.
Understanding that, as well as what an organisation should be doing in response, is critical to successful customer engagement around security.
“Providing security services is more about reducing the likelihood of a successful attack, and talking to our customers about their security profile, risk appetite and regulatory requirements,” Conlon outlined.
“Because all of those factors are part of the business outcomes of the organisation, and really boil down to what, as an organisation, you’re there to do. Is it to serve the public, make money, or both?”
Such an approach to customer engagement is of greater importance when dealing at the higher end of the market, said Conlon, chiefly with CSOs or security managers.
Developing the point further, Cameron Reid - MSP channel account executive at Sophos - accepted that in addition to improved levels of education in New Zealand, customers require greater guidance in understanding security priorities.
“If a customer is paying for a monthly service they often won’t even understand where the crown jewels are,” Reid cautioned. “This is because they haven’t necessarily been advised on what’s important to them.
“Is their house important or do they care about their car more? Some might want better protection on their car than their house. And that’s the key, the channel has to engage with customers and discover where those priorities are.”
To achieve this, Fox of Sophos again advised partners to shift the conversation away from speeds and feeds, to a business-centric discussion around security strategy.
“Customers simply don’t care what technology they sit on anymore,” Fox said. “Those days are long gone in the market. The key is in looking at engaging at the right level within the customer, and helping to educate them along the way around what they are trying to achieve.”
Success in security
As the recent hack of Christchurch-based crypto-currency firm Cryptopia highlighted, businesses of all sectors and sizes are now a target in New Zealand.
So much so that more than 1200 cyber security incidents were reported in New Zealand during the first six months of 2018, as threats continue to increase across the country.
Amounting to more than $5 million in losses, the reports range from 1 January to 30 June, according to quarterly report findings from CERT NZ, a Government-backed industry body focusing on cyber security.
With the writing now on the wall for both customers and partners, the channel is finding success in teaming up in security, joining forces to increase protection levels for Kiwi businesses.
According to Michael Foley - CEO of Umbrellar - the reality remains that the majority of security risk stems from human behaviour, rendering the idea of a “perimeter” for infrastructure almost redundant.
“It is about behaviour, and it’s not one party that’s going to be able to achieve that for the customer,” Foley said. “And that’s why an ecosystem approach is the right way to do things.”
In agreement, Frazer Scott - CEO of Plan B - acknowledged that the channel is now actively exploring ways to pursue partner-to-partner strategies, in the pursuit of delivering customer value in security.
“Over the last year there was a lot of noise made in encouraging partnering inside our industry,” Scott observed. “It absolutely is the answer.
“In terms of our approach to the partnership model, we’re looking at what we offer, and seeing what is available outside of what we do as non-core business to us. Then, we are asking questions about how to deliver value for the customer.”
For example, Scott said partnering can take place in the form of governance work and board presentations, alongside technical requirements and capabilities.
“We can have IT manager conversations but they can lack the buy-in from the board on occasions, so how do we help level that up as a partner?” Scott asked. “We must focus on the strategy, proof points and outcomes which is how the partner ecosystem can help.
“Australia has made ground from a regulatory perspective in terms of data breaches, and that’s going to happen in New Zealand also.
“The risks around security continue to pose a problem, a problem that continues to grow from the perspective of both the business owner and the board.”
The making of an MSSP
With expertise across cloud and security offerings, Igor Matich - managing director of Dynamo6 - emphasised increased focus on helping customers conduct independent reviews to understand, and then act on, relevant security requirements.
“There’s many factors that are beyond our control that could create a major risk for our business, even though it has nothing to do with us,” Matich said.
“There’s good balance in recommending customers carry out an independent review, whether it’s products that we’ve built or work on to service we provide, and how those fit into their broader security strategy.”
According to Martin Smithson - account director of Kordia - the secret to success for MSSPs centres around “owning the customer relationship”.
“Having that research capability provides us with the credibility that we want from a security perspective,” he said. “And from our perspective at Kordia, that is absolutely crucial.
“We want to continue our focus on our customers, and what their needs are, and additionally how can we build a better partnership ecosystem in New Zealand.”
In addition, Simpson of Lexel Systems cited the “pure-play” approach as a criterion for successful security partners to align to across the country.
“We want to be an outsourced provider to our clients to work with in terms of the ethical implementation, design and upkeep,” Simpson said. “We won’t be doing independent auditing and writing reports because for medium and large customers, they want a true independent person. So that’s where the partnerships come in.”
From a hiring perspective, Conlon of SpecOps NZ also recommended seeking local talent to create homegrown security expertise.
“If you get the right personality you can turn a graduate into a reasonably effective hacker within six months,” Conlon said. “Continuing to invest in homegrown talent across New Zealand is a priority and we see that there’s a lot of room for differentiation through that approach.”
In New Zealand, one of the most significant impacts to the security technology space has been the rise of cloud services. Specifically, the scalability of those services.
“One of the biggest areas of concern in New Zealand is in the response aspect of security,” said Igor Portugal, business development manager at Catalyst IT.
“When you are under attack, when somebody is actually trying to break into your network or using a denial service type attack, do you have the resources that you need to stand up to that attack?”
However, partners transitioning customers to the cloud, and providing security solutions on top, must up the ante in terms of end-user education.
“Some customers think that once they go to cloud they’re secure automatically, and that’s completely the wrong perception,” added Everett of Defend.
“Others are mature enough to know that they can’t be, so what they are asking for, and what we need to provide as MSSPs, is understanding the level of risk that they are exposed to.
“As long as you can investigate or provide the mechanisms that enable the customer to respond, it puts you in a prime position to be able to build services and solutions to take to the customer around response.”
Concluding the conversation, Reid of Sophos observed that escalating risk profiles - triggered by heightened social and political concerns around security - are driving MSSPs to become more specialised.
Such specialisation naturally lends itself to partner-to-partner collaboration.
“Most successful MSPs have picked a chunk of the network that they’re going to look after and they’re very willing to push back from other areas and partner with other partners to cover those gaps,” Reid said.
“Environments and risk profiles are becoming bigger and bigger and customers are now wondering what it even means when they’re being told ‘hey, we’re going to keep your network secure’.”
This exclusive Reseller News Roundtable was in association with Sophos. Photos by Gino Demeer.