Security blanket

Today’s security provider can’t just be a reseller. They have to be much more.

Security isn’t productive. Its function isn’t to improve the business, but to protect it. It remains a grudge purchase for companies, which is a problem today. Ask any security expert why cyber threats are more prevalent and the answer inevitably is ‘complexity’. To consume and exploit the data that feeds business intelligences such as strategy and planning, companies increasingly rely on a growing web of interconnected services. These are then presented through more accessible and intuitive interfaces. The result is a mesh with many gaps – from technology to users – that criminals are exploiting.

But companies, in general, still aren’t realising the implications of complexity, says Helen Kruger, MD of Troye Computer Systems. “We’ve found that security is neglected by the majority of South African companies, and this isn’t limited to SMEs. A number of large enterprises are no different. Even once there’s been a breach, they still don’t seem inclined to spend the money to ensure they’re suitably covered and if they do embark on projects, it can take years to evaluate solutions and implement them.”

This is particularly concerning since executives carry more and more responsibility for their digital security. For example, acts such as GDPR and PoPI specify that senior executives such as CEOs can be held legally responsible, with penalties including fines and jail time, if their companies were negligent around cyber security. Headlines about breaches have raised the issue and there’s more awareness at the highest levels of companies. But despite more public and legislative pressure, local businesses still drag their feet around security.

New consumption

There is nonetheless momentum gathering behind better security.

The security market deserves credit for creating services that are more palatable to the conservative tastes of company bookkeepers.

“The way security is being consumed is changing, especially as companies start migrating their workloads and data to the cloud,” says Doros Hadjizenonos, Fortinet’s regional sales director. “Cloud providers are evolving to be able to natively offer security, but I still think that specialist best-of-breed security vendors are way ahead in their ability to secure the cloud, on-premise devices and end-points.”

Security vendors are no strangers to centralising their responses because it’s much more effective. Response rooms, where a customer’s security status is monitored from a central location, have become de rigueur in the past few years.

Cloud platforms work very well with that type of approach and have added a few more choices to the mix. For example, customers increasingly expect single pane reporting, i.e. dashboards that cater for their views and drill-downs they use to satisfy their own curiosity. Another trend familiar to the cloud is a shift to opex models, driven by managed security services and the growth in this market space.

Many companies are buying security when they get a better sense of ownership and control over costs. Yet these trends don’t necessarily address the complexity issue. Instead, there’s also more demand for security that’s parcelled into a larger service, says Kruger.

“Today, a digital workspace isn’t enough as it needs to be a secure digital workspace. Customers can no longer close the door on modern solutions that protect against cyber attacks, data leaks, and ensure compliance with corporate content and access policies,” she says.

The business view

Security was once mainly a perimeter drawn around a company’s systems, processes and people. But today’s business is much more nebulous, extending where it’s needed. In addition to working in the office, employees work from home or on the road with services drawn from remote datacentres.

This expansion beyond the perimeter has everything to do with how useful modern business technologies are to their consumer companies. If you want to see a planner’s eyes light up, show them how a software platform can reduce their tasks from hours to minutes. Annual reports can be replaced by daily and even real-time reports. Routine tasks can be automated and software-driven processes can be adjusted with low code. Customer queries can be settled in record times and even through self-service with satisfying results.

Business leaders want these advantages. Initially, they tried to ignore the security component that comes with those desires. But a spate of highly visible breaches, such as the Liberty hack that stole terabytes of emails, and more emphasis on cyber security by governance and laws (PoPI and GDPR), are changing attitudes. Today, company boards discuss security threats and C-suites take it more seriously.

But this has also complicated security conversations, says Kruger. “It has changed from past engagements, as there are now much larger and wider teams specifically accountable for security, be it cyber, computer, network, database or application security teams to name a few.”

Security isn’t a singular entity in any business anymore, but a collection of different initiatives that connect to each other. Different projects, teams and departments have their own security requirements, which should also align with the broader security foundation in businesses, usually defined by governance and standards. Not surprisingly, the more proactive companies expect serious advisory abilities from their security providers, be it to inform strategy or to overcome resistance in the organisation, says Hadjizenonos. “In today’s world of digital transformation, security is critical in all parts of the journey and it requires a partner to advise on the best approach to effectively secure a company’s digital assets.”

What companies want

Security is obviously not the same for every business, particularly when taking their respective sizes into consideration. For example, a lack of security skills is commonplace, yet a lack of resources is more acute among SMEs. Nonetheless, there are several common attributes that make security providers attractive to customers.

Communication is very important. Astute providers keep their customers in the loop with regular reports. Proactive security practices hold that eventually, a cyber attack will be successful. The better approach is to anticipate the breach and limit its impact. But companies still buy security thinking that it will make them impervious. Correcting that misconception is important. The best way to articulate security’s value is by keeping its effectiveness visible to the customers. More mature companies don’t want install-and-forget security.

Customers also want to see security companies that stand by their solutions. Good security requires audits, response plans, educating staff, creating appropriate policies and a number of adjustments to a business.

“We, as a vendor, ensure we use all our technology to protect our assets and IP and we encourage staff to use our solutions to secure their home and their private data,” says Hadjizenonos. “In addition, we adhere to strict security policies and have a thorough security awareness programme that’s compulsory for all staff.”

Other factors include the provider and vendor’s financial stability (who would buy long-term security from a business that could fold?) and their reputation in the security community. But the most decisive attribute is often the earlier point about mixing security with services: the value of technology is best articulated through what it delivers to the business in terms of output and efficiency. Since best practice dictates that security should come along for the ride, customers are more likely to treat it as a value-add and not a separate grudge purchase.

Ultimately, though, one can argue that most companies in South Africa don’t know what they need from a security provider. That means determining value for the customer can be tricky and a security provider might need to play bad cop every now and then, Kruger says. “Customers often try to perform a blanket approach to security; it’s imperative the security provider doesn’t allow this, or the project will fail,” she concludes.