Cloud computing is an inevitability for most organisations. According to the 2018 IDG Cloud Computing Study, published in August 2018, 77 per cent of enterprises have at least one application of their computing infrastructure in the cloud.
Furthermore, technology-reliant industries, such as manufacturing, telecommunications, and the tech industry itself are being driven towards 100 per cent cloud environments. Finally, on average, enterprises are predicting that they’ll invest $3.5 million on cloud apps, platforms, and services this year.
The message is clear: you either invest in cloud services, or you’re left behind. Business transformation is a key priority of enterprises. As was noted in the IDG State of Digital Transformation report, 44 per cent of organisations of started implementing a digital-first approach to business processes, operations, and customer engagement, and cloud is core to the transformation process.
With that appetite for cloud should come a concern for security. In leveraging the cloud, enterprises are potentially opening themselves up to hackers and other malicious activities online.
However the reality is more complex than that and many organisations are neglecting their responsibilities around security. It’s through the channel that organisations need to find the leadership and expertise in developing security solutions to properly protect their environments.
“It’s like when you use your Facebook and give data out, but then the data gets leaked,” Sachin Verma, managing director, Oreta said.
“The same dilemma applies to the enterprise. They have and want the convenience, but there’s a cost involved in that, and that cost is the potential for more exposure. Building awareness of that is what we’re educating boards around. It’s not enough to engage the CIO any more, we actually go to the Chief Risk Officer and say ‘hey do you know…’”
Helping customers help themselves
One of the challenges that the channel needs to overcome is the perception of value with security. As the old adage goes, you don’t need security until after you’ve needed security. Until then, the costs of having a fully secure environment can be beyond the appetite of many organisations – which can then drive them to adopt cloud services without necessarily considering the security implications.
“It’s hard to sell the value, when Office 365 is available for $6 a user, of Office at $20 a user.” Clinton Mckillop, system engineer, Evologic Technologies, said. “And that doesn’t even include security. You need security, so it’s getting up to $30/$40 a user per month, and when you’re talking about 20 staff you just don’t have the turnover for that. The customer just says ‘oh, we’ll stick with the 365’.”
It’s also challenging to overcome the reactive behaviour of larger enterprises around security, Mark Sakajiou, co-founder, Perfekt, added. “We’re sitting in a 200-plus seat space, and we’re also observing a lot of security behaviours that are driven by compliance and regulation, and it’s extremely reactive towards these particular drivers,” he said.
“One of our biggest challenges is trying to help the customer understand which level of protection they want to go up to and how to take a proactive approach to doing so.”
The best solution to this challenge, Daniel Williams, CEO, PowerNET said, is in highlighting to the customer the personal reputational risk involved with cloud services through social media. By demonstrating how easy it can be to circumvent security on a personal level, executives start to realise the risk the entire organisation might also be facing.
“You don’t want to go back to those early days where selling security was done by driving the fear factor, but reputation is one of the most meaningful things that a business shares with an individual person, and there are ways to bring it home for them,” Williams said.
“If you provide a report that shows in plain text the executive’s passwords that they use for their Facebook, LinkedIn, and so on, then suddenly they start to think about what opportunities they have to prevent that.
"This way, you get the CEOs, CFO, and managing directors into a room, who all value reputation and associate the strength of their company to reputation, and they all understand that if this could happen to their personal names, it could happen to the company too. That brings the value of security home with the key decision makers.”
Once the value of security has been qualified, there remains the question on where – and how – to start. Here too, organisations of all sizes struggle to determine for themselves how to take the first steps to security, giving the channel the opportunity to play a critical role in developing a roadmap.
“We work with a company that just focuses predominantly on the big banks and they are so hungry for security solutions. They don’t want to be the one on the news,” Sam Kirkham, Victorian account manager, Arrow ECS, said. “As it comes down further from the executives, however, there’s the question about where do we all start and how do we go about doing it?
“There’s so many different entry points now in the business that which one do you focus in on? Some of their partners will have certain areas that they focus in on, but the challenge is for the general partners who have come from a true SI background; where do they start with their customers?”
For Klasie Holtzhausen, director of channel A/NZ, Symantec, the key is in making security an ongoing conversation. One of the principle reasons that security becomes reactive is when organisations approach it as a set-and-forget solution. For the channel, the opportunity is there to have the ongoing conversations and help the enterprise client stay on top of their security challenge.
“Sometimes security is driven by something that has happened, but it can also be driven by enabling and getting an understanding of the risks that are out there,” Holtzhausen said.
“Speed to market is always so important and sometimes too much focus goes onto the ease of access so that organisations tend to leave security and little bit behind, or they think they have a level of security by doing something, but that something might not be enough and they don’t always have the full understanding of the overall level of risk.
“There’s a lot of customers out there that might think they are secure but they’re not because they think they have a solution, but they don’t have a full understanding and they’ve left gaps in some areas as they’ve been reactive to security challenges that have emerged.”
Managing perceptions of the cloud
Another side to the cloud security conversation is in helping enterprises to understand how their perceptions of cloud security might not necessarily align with the reality.
“The customer perception is that if it’s in the cloud, it’s automatically backed up, it’s automatically secure, so all I need to worry about is the cost,” Evologic’s Mckillop said.
“I don’t have to worry about anymore, I don’t have any servers hidden outside, no one is going to break in and steal my data, so it’s secure. But the reality is that that’s just not the case. Many customers don’t expect that adding robust security to their cloud services is going to cost additional money.”
Unfortunately, MSPs are also struggling to meet the kind of security profiles that their customers expect of them. “We’ve worked with a number of MSPs and we do what we call a simple cyber health check,” Leong Wang, director at Cyber Risk said.
“We look at where the business drivers are, the strategy, where their data is and then we test the controls that they have in place. If I’m honest everyone that we’ve tested that’s had an MSP support them they haven’t been rated too highly.
“For MSPs or small businesses, the first priority is business, to sell and keep the lights on and they don’t worry about protection until they’ve had that incident.”
Read more on the next page...