Relying on the security of MSPs can cost an organisation substantially, as millions of customer and business records become accessible for those with malicious intent. This applies even through to the biggest cloud providers.
A good example of how cloud services can be compromised, despite the perceived security of them, can be found with Amazon, and the frequency with which even the largest organisations have had vulnerabilities in their AWS S3 buckets expose critical customer data. The stories of Fedex, Uber, Accenture and others, demonstrates how important it is that organisations don’t assume that leveraging reputable cloud providers guarantees security.
“You have to have an architecture behind cloud services, and a thought process of how your identity works in cloud,” Oreta’s Verma said. “How do you manage two factor authentication, and how do you encrypt your data - it’s your responsibility.
“The education has to come from us right from the point of selling, and if my sellers are not doing it then we are not doing full justice to our customers. I feel it’s the responsibility of my team, right from the outset with sales, to educate our customers that bolting on security solutions, or relying on cloud providers is not enough, it’s also got to be part of your design.”
Helping customers articulate and then navigate the challenging, expanded environment once MSPs are added – and then properly defining where each partner’s responsibility lies - is a core role for the industry moving forward, PowerNET’s Williams said.
“What we’ve been doing is going in and educating our clients on what they are already doing well instead of just going in with a list of things that they are not doing and scaring them,” he said. “So we’re going in and saying ‘you’re already doing this well, you’ve got these services are cloud based, you’ve got this on your end point, you’ve got this at your perimeter and here are the things that we could do and take you further down this journey’.
“And then they’ll still say ‘weren’t you supposed to be doing that or aren’t you already doing that?’ And then you’ve got a point to differentiate that as a service offering and they’ll still look at you as a MSP.”
One example of what this evolved security conversation might look like can be seen with how organisations look to manage mobile devices and cloud connections in their environment. As Kelly Clapham, general manager at Loop Secure, described, the conversation that he's having with clients is about making sure security is no longer about the devices themselves, but rather the data on them.
“If you go back a few years, mobile device management was at that stage just about securing the device, not so much the data. But now, if you look at cloud technologies such as Office 365, you can quite easily take stuff off SharePoint and manipulate it on your phone. But how can an organisation make sure that it’s an actual managed company device that’s being used for that? That an employee is not just signing up using whatever brand of phone they’ve got?
“With customers we do a lot of education to help them develop their strategy behind mobile. I do think they’re starting to pick it up now and run with mobile device management that allows users to do whatever they need to do on that device while still keeping their data secure."
This is, again, something that organisations can quickly understand as critical to their business. As Symantec’s Holtzhausen said, security can’t get in the way of people being able to do their jobs on their terms. There’s always the risk that poorly-designed security environments may swing too far and become restrictive to legitimate users, so it’s important that the channel get involved to help enterprises navigate these challenges.
“In today’s world, it’s all about anywhere, anytime,” Holtzhausen said. “If you look at the generation that grows up today that’s how they operate, that’s how they want to work and if you can’t support that in a secure way then you’re not going to attract them to your business.”
Working collaboratively within the channel
The table agreed that one area where there’s significant opportunity for the channel is in working collaboratively with other partners to build out more substantial security solutions. With security being such a broad and rapidly evolving field, being able to present joint solutions and expertise is something that can significantly benefit all partners in establishing that trusted adviser status to customers.
“On the managed services side we’ve got the expertise,” Wayne Pertzel, southern region sales manager at Interactive, said. “Then, if you look at the maintenance side of the business, and disaster recovery and so on, there’s an element of partnering and there’s an element of doing it ourselves.
"We like to partner with start-ups for this,” he added. “The biggest challenge for start-ups would be, particularly in security, the reputation piece. That kind of an organisation suits us, because we’ve got the brand and we need the skills, so we combine with that start-up really well to develop a go to market in an area that would otherwise not work so well.”
This need to partner with other partners is also driven by the increasingly blended role that organisations are playing in the market, Symantec’s Holtzhausen said. “Historically security was a pure play; you were either very specialist, or you are one of the large global SIs that had the scale that meant it could behave very specialised,” he said.
“But today I think it’s blended a lot more. It’s not just that pure security play anymore, and I see that as a challenge because if that was not your core business security can be very difficult to bring into your portfolio, and is not something that can be done overnight.” The solution is to find partners to help build out the expertise as the organisation develops the internal capabilities in this area.
It’s a position that Noel Ervine, sales and new technology director at Emerging IT, agreed with. “As a traditional MSP we have to change. We’ve been in there for almost two decades now, and moving into security is one of our definitely bigger focuses for this year for 2019 as a company.
“That education then that leads onto these other types of security offerings, and then opens up the potential offerings what we work with. We’ve tried to bring some stuff internally, but we’re also more than happy to work with and look for external things that we’re not specifically experienced in – external pin testing and things like that - so being mindful of what we are good at and what we aren’t good at is particularly important.”