Australia’s IT services providers are permanently challenged to safeguard their customers from rapidly evolving threats, with skilled talent coming at a high price. As a result, more partners are looking to shift this heavy burden onto vendor partners in the hope of building a more profitable business.
2022 was the year Australian business leaders got a rude awakening from cyber hackers. With Optus and Medibank both hit by major data breaches, Australian organisations looked head-on at the astronomic costs – both monetary and reputational – of cyber security vulnerability. Now, as a new year begins, channel partners and customers are increasingly contending with the need for “always-on security operations” – something that has become imperative for all.
However, as pointed out by Sophos Asia Pacific and Japan MSP partner manager, channel sales, Cameron Reid, this is a tricky prospect in Australia. “The complexity of modern operating environments and the velocity of cyber threats make it increasingly difficult for most organisations to successfully manage detection and response on their own,” he explained.
During a recent roundtable discussion, held by ARN in association with Sophos, partners weighed up the challenges and opportunities of offloading part of the security burden onto vendors – particularly that of managed detection and response (MDR).
As Reid explained, even without the stress of two high-profile cyber hacks, partners and MSSPs are tasked with protecting an increasingly complex and widening attack surface.
“The pace of change in the threat profile is extremely challenging to be aware of, let alone respond to, let alone have the expertise to manage such threats,” said Aaron Everingham, Asia Pacific vice president of Quadient. “As more applications and data shift to software-as-a-service and the cloud, the interconnection risk between these systems is becoming more concerning.”
For Ian Deane, director of IDS, the current cyber security climate has led to a lot of “confusion and unnecessary” expense for customers and partners as vendors release more and more point products in the market. This can be a cause of complexity, he said.
“At IDS, we choose vendors that can help our customers consolidate cyber technologies into a single platform or technologies that complement each other to minimise overlap,” he continued. “By doing this, our customers can reduce the complexity and management overhead associated with running multiple products, with the result being greater coverage across your threat landscape.”
Cyber security, however, is more than simply a technology problem. People – and often, the lack of them – are a huge cause of breaches. This comes either from poor cyber security training or from a shortage of skilled professionals to monitor environments and mitigate risks.
“Expert talent usually follows the money and holding on to expertise becomes a challenge that may impact MSSPs to deliver and maintain a level of service to their customers,” said Rainer Tietz, founder of RT Consulting. “Training staff to fill new shoes is important for sustained success.”
For Douglas O’Hara, founder of Apeak, one of the biggest challenges is regularly building awareness of cyber knowledge at all staff levels, from those newly recruited and inducted up to and including the board.
“This builds sensitivity and awareness of the criticality of cyber and the importance of staff reporting any variation/difference they observe to their job description and work role,” he said. “This trigger of difference/s alerts their management and technical personnel of potential incidents that need to be investigated.”
Mark Pace, director of Sterling IT, also echoed this point. “I do believe that people are the biggest threat from not only attacks but threats and activation as well,” he said. “As the goalposts are always moving with security and attacks, we seem to always be defending at different fronts. From viruses, then to worms, trojans, malware, ransomware and now identity theft.”
Fit for purpose
Before partners and MSSPs can even consider providing MDR solutions, they must have the right agreements in place with their customers. This needs to explicitly state where technical support ends and incident response begins – something that’s harder than expected for partners.
“Service level agreements (SLAs) can be contentious when outsourcing expertise,” said Tietz. “‘Team effort’ and well-versed management are critical for success. Service providers need to fully understand their obligations and the details of their service agreements. Fortunately, or unfortunately for some, agreements are not contracts.”
In Pace’s experience, customers in general believe everything is on the MSP or IT partner. “Unfortunately, this isn’t always the case, and it is sometimes hard to convey this as even though we are the MSP, we cannot do everything and be responsible for the whole of IT,” he said. “As clear as you can make it, it is still under the belief fully responsible, and I think that is a human thing.”
Quadient, meanwhile, has a “well-resourced and experienced global capability” that monitors systems 24/7 but, as Everingham noted, this does not come cheap.
“We have explicit and clear SLAs with customers and operate in accordance with a range of regulatory requirements in multiple jurisdictions,” he said. “This is not a small investment and for organisations that haven’t or can’t make such investments, make sure your SLAs clearly cover what you can and will do.”
Reid, who has worked with Sophos’ MSP community for the past four years, added that the state of SLAs across the Australian ecosystem is varied.
“However, as the tools used continue to improve, we commonly see weak signals that should be investigated, ignored due to alert fatigue,” he said. “Correlating and knowing when to act quickly to mitigate security risks is critical.”
Sharing the burden
According to Gartner, by 2025, 50 per cent of companies will be using MDR for threat monitoring, detection and response.
In the words of Reid, the opportunity to help improve customers’ cyber insurance coverage eligibility with 24/7 monitoring and endpoint detection and response (EDR) capabilities is “immense”.
Australian partners likewise are exploring various MDR options. For Everingham, Quadient uses MDR services “to augment [its] core team”.
Meanwhile, for Deane, the costs of and shortages in Australia’s talent market make MDR ripe for outsourcing.
“For many organisations, it makes sense to outsource this function as developing the skills in-house is a costly and intensive exercise that can be better left to industry experts,” he said. “This is more so relevant to the Australian market where most businesses fall into the small-to-medium-sized businesses or mid-market category and have smaller IT teams than their enterprise-scale counterparts. One of our vendors is broadening its capability from SASE to providing SOC-as-a-service as they have seen global demand from their customers. I believe this will only become more necessary as time moves on.”
At Sterling IT, MDR is the next step in the service provider’s portfolio, which Pace intends to start recommending to clients.
“It’s unfortunate that clients will now have another cost, but like general endpoint protection, this is the extension that really needs to be added to protect further,” Pace said. “It is the next big thing businesses will require to protect and insurance companies, I believe, will insist on this.”
Looking at whether vendor partners can play a role in sharing the MDR burden, Deane noted that the partners who “can offer a reliable and efficient cyber security-as-a-service will build a profitable and long-term pipeline of business”.
“All things from the network to the application require cyber security considerations, so having the ability to offer this service to your customers will be what differentiates you from the rest,” he continued. “If we look at SD-WAN as an example, when it first came out as a technology, it was very much targeted towards software-defined routing features. Now, unless security is bundled into the SD-WAN service it is not considered for enterprise consumption. The trend to incorporate security into all IT considerations will continue until they become unified.”
“Obviously this is coming from us as a distributor of solutions, rather than an MSP, but certainly it should help the MSPs and end users,” he added.
Looking ahead, Reid stressed that moving to cyber security-as-a-service helps free up their internal IT and security staff to focus on other business needs for their customers. This will come in handy as partners seek to make their operations more efficient.
“Often the way this work is valued is more lucrative from a profitability perspective,” Reid added. “Threats are becoming more advanced, and the skill set required to contain these threats continues to become more specialised. Most within the industry realise how specialised this has become and are looking for ways to engage as a service.”