What does it take to start a security practice?
At the risk of profiting from the bad luck of others, this is a good time to be in the digital security business. Not only is the world increasingly dependent on digital technologies, but the resulting complexity of a connected world has become a buffet for cyber criminals.
They’re getting more creative, prompting a new generation of security services. This is being responded to by a slew of new innovations and practices among security companies. If you want to start a business in this very dynamic market, what are your options?
A dynamic market
It should be said that security doesn’t appear to be 'disrupted'. There isn't necessarily a generation of companies breaking down the walls of the status quo. This is because, according to Gartner Research VP Tom Scholtz, security has never stood still in the first place. “The security industry is definitely evolving, but I wouldn’t call it a revolution. It’s always been a dynamic place. So the market is changing, but that isn’t uncharacteristic.
Those who want to play the security game aren’t simply going to emerge left-of-field. Nonetheless, the sector is certainly evolving. There has been a distinct shift from prevention tactics towards detection and counter-actions. The mantra these days is that every company can expect to be breached – it’s just a matter of when and to be prepared In the same vein, the best security practices are the ones that can keep pace with the threats, says Kaspersky Lab Africa’s GM, Riaan Badenhorst. “The IT security market is disruptive in that new and more sophisticated threats are emerging at a rapid rate. This means players in the IT security industry must always have their finger on the pulse to ensure that the sector remains relevant and can continue to combat cyber threats and crimes to provide consumers and businesses with the support they need in an increasingly digitally complex world.”
Another factor is how security players can offer more niche services. Or rather, how many more niche solutions are on offer as criminals create demand for better services.
Fewer guard dogs, more advisors
There’s an incredible variety of security solutions. Practices can offer audits (risk assessments, remediation, penetration testing), real-time observation (security information and event management, risk-based authentication), identity security, cloud security, IoT security, data security, mobile security, password management, threat intelligence, endpoint security – it’s a long list.
Some security practices specifically offer security services. Others use their security pedigree to augment other services. For example, some companies introduce a vendor’s cloud services to a client and install preconfigured software. As security has become accepted as a key part of every business project, digitally astute businesses are trying not to separate security functions: if you’re creating something in the business, security should be a part of it.
“Security functions are moving away from being the policeman to being more of an advisor,” says Scholz. “Take automation as an example. You can automate a lot of security features, but that’s not something that comes out of a box. It needs context, depending on the project.”
Stand by your product
So a security practice can be direct – focusing specifically on security – or it can indirectly implement security as part of other solutions. But in both cases, the practice should have a pedigree in place: security isn’t something you just walk into. The only worthwhile security practices are those that secure themselves with their own methods and keep a constant eye on trends.
“An IT security company serious about supporting the fight against cyber crime, and helping consumers avoid becoming a victim of an attack, will inherently understand just how dangerous the cyber threat landscape is,” says Kaspersky’s Badenhorst.
“As a result, the company would likely have its own measures in place to ensure effective protection and a cyber security strategy that’s solid – developed and built around the business’ research and insights into the cyber threat landscape.”
This is evident with modern security solutions as very few still offer a mere point solution. They’re all invested at some level in security platforms. This points back to the trend towards threat detection as opposed to simply blocking attackers. It’s also more lucrative since Security-as-a-Service means customers can be retained for longer while their perceived spend is less.
Service-based security sits well with the cloud, which, according to Gartner's Scholtz, is opening doors in the sector. He says: “The entry-level costs for startups is much lower. But it’s not the same as in other technology channels. Because the security market is so dynamic, it has always been highly competitive. That makes it difficult to get a new brand to stand out.”
A matter of trust
To make its mark, a new security practice needs to build trust – and trust comes from the referral of others. External partners are very important to help build the security business’ reputation, says Badenhorst. “IT security partners should be considered based not only on the proven solutions they can provide, but also on their actionable and concrete measures in place to involve external independent cyber security experts and others in validating and verifying the trustworthiness of the company’s products, internal processes and business operations. Additionally, a provider should also be considered based on its ability to adapt to the threat landscape and change its product portfolio based on this. Furthermore, flexibility is important as it allows the provider to respond to the evolution of threats and the development of technology.”
Partnerships are critical because security has to be treated holistically. A combination of approaches is often necessary to create the type of security for any given client. Yet while some solution providers offer a variety of security products, few can cover all the bases. Unlike other technology channels, which have every reason to compete against each other, the real competition in the security world is cyber criminals. As such, alliances are encouraged in the industry. Niche players and end-to-end shops often collaborate to get the best results.
Skills
Skills are another reason why security companies don’t operate in isolation. Security solutions can vary tremendously – the skills needed to secure data versus teaching staff proper security hygiene are very different. But even the skills to secure an IoT device as opposed to securing a mobile device aren’t quite the same.
“Some industries do require more in-depth and expert skills based on the data protection needed or the types of threats, viruses and malware prevention required,” says Badenhorst. “Mitigating future threats means regular security assessment, upskilling of security personnel, training employees on general security hygiene, and the analysis of current and future attack methods.”
Know what kind of security you will offer, establish a reputation, develop a network of partners and collaborators, talk security at a business level, and keep on fighting the good fight. Security is more of a team enterprise than any other technology channel and that means security practices should be team players at the top of their game. In an industry that wears its dynamic culture on its sleeve, it’s unlikely someone will suddenly unleash a breakthrough that changes all security – at least not until quantum computers lay waste to encryption.