Guest Column | January 3, 2019

Cybersecurity Services: The Bad

By Rob Boles, BLOKWORX

This is the second of a three-part cybersecurity series authored by Rob.

The Gap

Throughout 2018, I have been blessed with opportunities to speak with multiple MSPs, business owners, and end-user clients. The SMB community has woken up to the risks of technology and is recognizing the threats are very much present and targeting small and medium-sized businesses.

Within these conversations a trend has been observed: The gap between effective cyber threat prevention and defense vs. the current cybersecurity defense execution of the channel is substantial. The delta is present both in integrating security to defend clients and in MSPs defending their own internal environments.

Participating on multiple panels at leading industry events this year with respected peers, having conversations including offering cybersecurity, effectively delivering cybersecurity, and ultimately selling cybersecurity, the insights have been invaluable. Most telling: At a recent event, one of my peers who is highly respected and an award-winning, successful MSP, in what seemed like frustration, turned the conversation to, “What are we really here to talk about? I refuse to sell on FUD (Fear, Uncertainty, and Doubt), and the question we are all asking is what firewall, what AV, and what SPAM Filtering service is everyone using? Beyond that what else can we do?”

It was a moment of great clarity, as based on the facial expressions of others in the room it was clear this person was not alone. Though each of these components is a layer of an effective defense-in-depth strategy, the concept of the layers working together as part of a cohesive, extensible prevention strategy did not appear to be considered. We each see the world through our own lens, our “perspective” if you will.

While I had grown up in managed services, even within managed services the experience was unique as my clients ranged from Mom and Pop stores to Fortune 50 corporations, providing a unified lens to the commonalities and differentiators across varying sizes of business. Consider there are more than 2,000 cybersecurity companies globally creating software and solutions which secure “something”, and it’s more than reasonable there is uncertainty in how these solutions work and conflict with each other.

For MSPs, the question remains: How does an MSP owner or decision maker navigate the plethora of solutions to create a seamless, cohesive cyber defense strategy? There is no single answer, other than experience, and/or partnering with expertise. With a surge of new vendors entering the space, it can be quite difficult to distinguish what is real, what is really needed, and how it fits. Education within MSPs and the Channel will be critical to the collective success as we move forward.

Fear, Uncertainty, And Doubt

Speaking of FUD, complicating the gap in cybersecurity delivery are the nauseating amounts of statistics and facts stating cybercrime is real, as well as the associated consequences with being breached. Companies breached in the headlines have become a daily occurrence and the lack of consequence, or at least perceived consequence, contributes to the less-than-adequate approach to effective cyber defense.

Consider Equifax, Sony, Yahoo, Target, Home Depot, Uber, Friendfinder, LinkedIn, Verizon, IHG, River City Media, Dun & Bradstreet, UNC Health Care, Ashley Madison … the list goes on, and it’s growing!

Though the announcements of breach are in the news daily, there is somewhat of a backlash against selling on FUD and rightfully so. The statistics are all around us, with every vendor presentation including statistics of risk, going out of business, and doom & gloom.

Collectively, the mere breadth of events results in a numbness around the severity of the issue. The numbers are overwhelming, yet without being personal, they have become white noise. I believe MSPs who educate and identify real, present risk for clients with relevant data specific to the client business will best overcome FUD. Providing a roadmap and a plan to reduce risk, plus accounting for industry and compliance requirements, is a differentiator. Without demonstrated financial risk, the majority of clients will not adopt the necessary prevention strategies.

Become An Expert And Offer Cybersecurity

Who has seen any of the marketing for cybersecurity in the channel? “Attend our webinar, become an expert, and start selling high margin cybersecurity services today!!!” Right ... if you believe that, I have some pristine oceanfront property in Colorado to sell you. Call today.

The Channel has some work to do to close the cybersecurity gap, and the notion you can become an expert offering cybersecurity services in an hour by partnering with AwesomeSauce-Cybersecurity Company still boggles my mind. Some of the claims I witness, and the uncertainty being presented under the guise of “we’ll make you an expert,” cause great concern.

Somewhere in the chain is a business owner or stakeholder and his or her family or dependents who depend on the business to provide for them. Let’s not lose sight of the MSP’s business, and those who depend on it.

In this context, we need to be real about cybersecurity and what it truly means to make a commitment to defend a client and protect from cyber risks. If your sole purpose is profitability, it may be worth reviewing priorities. One thing is certain: 20 years of experience will not be equaled in a 60-minute webinar and offering any one partner’s product or service.

Bruce Schneier, a legend in cybersecurity circles, has authored many books, all of which are suggested reading for knowledge relevant to our industry. Bruce’s phrase “security is a process, not a product” is one of the most influential single statements influencing a generation of cybersecurity professionals. In present environments, I advocate cybersecurity is neither a product nor exclusively a process but has evolved to be a culture of awareness. Infrastructure has failed users, putting millions of users at risk. As IT professionals, we can do a lot to reduce risk, but if a user “wires the money”

MSPs have resources for insight and cybersecurity training. CompTIA does a nice job with agnostic cybersecurity training, technology vendors offer product-centric training, and organizations such as SANS provide advanced training as knowledge becomes more sophisticated. One thing is for certain: if cybersecurity is being provided as part of a solution, the margin for error is far less than for general MSP services. Get educated, partner smart, and plan accordingly.

About The Author

Rob Boles is a cybersecurity expert and privacy advocate. He created BLOKWORX in 2006 to further his passion for creating fast, secure networks. From day one BLOKWORX focused on security, reliability, and positive user experience by understanding how things work, extensive research and testing, alignment with vendors, partners, and clients, and the experience of thousands of nodes managed and monitored, all supported by a mature delivery model built from years of operational experience.