By Pam Baker
A traditional defensive posture is only part of a comprehensive cybersecurity readiness plan. That’s because reactive defensive maneuvers aim to stop attacks that have already been initiated. Adding proactive strategies and technologies to preemptively detect vulnerabilities and prevent attacks is a more effective and comprehensive approach.
The Channel Partners Proactive Security Survey, sponsored by AT&T, delivers insights into the behind-the-scenes influences on the decisions to invest in reactive security measures versus newer, stronger proactive defenses.
The survey was conducted online March 6-28, 2019. A composite respondent to this survey is in executive management (C-level/vice president) and works at an SMB with two to nine employees. His or her employer has been in business for 10 or more years, primarily targets midsized businesses and has an annual revenue of between $1 million and $4.99 million. It’s a coin toss (50/50) chance that his or her company specializes in one or more verticals.
Only 6% of respondents were managed security service providers who by nature focus on security strategies and technologies. Slightly more than a quarter, 27%, described their business as a managed service provider writ large, meaning the service each provided was not broken into categories. The remainder included agents, master agents, VARs, distributors, carriers, integrators and consultants. While security is an integral issue in each of these industry segments, its prioritization on each entity’s menu of services and the demand by the respective customer bases can vary significantly.
The majority say they provide the basics in traditional cyber defenses including antivirus, managed firewall, email security, malware protection, BDR and BC. Most also offer at least some proactive security products and services, including proactive monitoring and threat prevention, intrusion detection and prevention, vulnerability analysis and SSL VPN and encryption.
Most Are Currently Offering Security Services
Despite the disparate nature of services and products offered, over three-quarters, 76%, of respondents reported they currently offer security services with another 16% planning to do so soon. However, such widespread, across-the-board offerings may be more indicative of a passive client expectation than assertive customer demand and subsequent willingness to purchase.
Only 8% are forgoing security services entirely. Of those, nearly one-third indicated the prevailing reason was a talent shortage more so than a lack of customer demand or persistent competitive disadvantages. Unfortunately, there appears to be no relief in sight. Cybersecurity Ventures predicts 3.5 million cybersecurity positions will remain unfilled by 2021. The ongoing shortage could represent a boon for security providers as customers remain woefully understaffed and demand rises. But that’s only if providers find a way to hire and train more talent for their own internal needs.
More Than Half Report Receiving Substantial Revenue from Security Services
More than a third (40%) say that 10%-24% of their revenue currently stems from the sale of security services. Another 14% say a quarter to almost half of their revenue comes from these sales. Combined, that’s over half, 54%, of respondents that are reporting substantial revenue from security services.
Research firm IDC predicts global security spend will soar to $103 billion this year. That would indicate that plenty of opportunity lies ahead for the channel.
Most Consider Themselves to Be Taking Proactive Measures
A majority of respondents, 70%, say they take proactive measures to protect their customers. Only 8% report they are “extremely proactive” and taking a highly aggressive approach in detecting, preventing and thwarting attacks.
The remainder leans more towards providing customers with reactive security measures. But 11% of those are gravitating toward a more proactive stance.
Most Assess New Customers' Vulnerabilities During Onboarding
More than half, 56%, of respondents say they assess new customers’ vulnerabilities as part of the onboarding process and then follow that with regular assessments throughout the relationship with the customer. A vulnerability assessment at onboarding provides a useful baseline to compare progress over time. It also enables the provider to focus on critical vulnerabilities first. Prioritization of vulnerabilities and threats is critical to proactively protecting key assets.
The 15% that reported they do vulnerability assessments at customer onboarding are providing reactive defense measures only. This approach leaves customers vulnerable to attacks over time, particularly when additional elements such as IoT devices and multiclouds are added to the company’s assets and IT’s responsibilities. However, the nearly one-quarter of respondents (23%) who said they only perform vulnerability assessments upon client request or after an incident leave their customers poised for attack. It is impossible to protect vulnerabilities that neither the customer nor the provider knows exist.
Most Are Monitoring Changes to Customers' Networks Regularly
Nearly half, 43%, are monitoring changes to their customers’ networks regularly and deeply enough to detect changes. Only 33% are confident they’ll detect most if not all changes to customers’ networks and end-user devices. Nearly one-fourth report an erratic hit-or-miss success rate in detecting changes at all.
If changes to a customer’s network or end-user devices are not promptly detected, proactive protective measures cannot be initiated. Instead, both the customer and the provider are left to respond after the damage is done, and when it’s far too late.
Most Are Able to Assess Threats in a Timely Manner
Detecting a change is one thing; assessing its threat level accurately is quite another. False flags can create unnecessary friction for the customer such as delaying onboarding of new employees and devices, blocking a key supply chain vendor from the network or shutting down newly installed IoT devices. However, failing to accurately and quickly determine a threat or vulnerability means leaving the customer open to a costly attack.
Fortunately, most respondents, 64%, say they are able to assess threat levels in network and end-user device changes “most of the time” or “almost always.” While there’s still plenty of room for improvement in these numbers, they indicate high confidence levels that stem from a proactive approach to security.
A quarter, 24%, are still playing traditional defense by necessity since they say they can only detect changes and successfully assess the vulnerability levels of each “some of the time.”
No One's Immune to Cybersecurity Attacks
While 9% admitted to being unsure of whether or not their organizations have suffered a breach, 44% say they know they definitely have. The remaining 47% say they’ve yet to be breached. But this condition doesn’t indicate safety from attack. It’s just a matter of time before all organizations experience an attack. However, that doesn’t necessarily mean that all attack attempts will lead to an actual breach. Prevention through proactive security measures can help move the odds in the defender’s favor.
Most Are Open to New Tools, Provider Relationships
Allocating budget dollars for cyber defenses has always been a point of contention in most organizations. Some prefer to try to maximize existing investments and provider relationships, whereas others aim to add new tools to better thwart new and emerging threats. Either strategy rests on a strong and successful business case for buy-in, in terms of dollars and leadership support, from the C-suite.
Most respondents say they’re open to new tools and new provider relationships, even with startups and disruptors. Only 38% say they’ll stick with their current game plan. This provides significant opportunity for the channel to create new revenue streams via innovative products and services, and perhaps new partnerships with best-of-breed sources who would otherwise be competitors.
Budget Limitations Are Hampering Cybersecurity Initiatives
The prevailing obstacle in shoring up cybersecurity is budget limitations. Shy of a quarter (22%) allocated 10% to 15% of their FY IT budget for cybersecurity. Only 1% are willing to spend from 25% to 50% of their budget on security tools and provider services.
The good news is that respondents overwhelmingly expect to increase their security budgets next year. A full 85% say their budgets will increase “somewhat” to “significantly.” While 13% expect their cybersecurity spend to stay about the same, 2% say their budgets will decrease either “somewhat” or “significantly.”
Nearly Half Lack Access to an SOC
More than half of respondents (51%) report that they own or have access to a Security Operations Center (SOC). A well-staffed, fully tooled SOC is a formidable defense, as it enables an organized and proactive approach to threat mitigation. However, most SOC teams are short on staff, time and visibility. It is essential to regularly update or replace tools to increase visibility, speed detection, limit false flags and leverage staff talent.
However, 49% said they don’t own or have access to an SOC. While it’s certainly doable to build an SOC, many companies in this situation opt to outsource an SOC to an MSSP provider primarily because it is the most efficient way to establish a fully functional SOC complete with trained talent. This finding indicates significant opportunity for MSSP providers. But it is also a strong opportunity for others in the channel where a potential or existing customer seeks to build their own SOC and needs guidance and tools.
A Majority Have Clients with Formal Compliance Mandates
Some customers have extraordinary compliance needs far above the requirements of companies belonging to less regulated industries. Thus, they require additional security measures to be or to remain in compliance with more exacting mandates. An overwhelming 85% of respondents said they have health care and related clients that must comply with HIPAA. Another 63% said they have clients who accept electronic card payments and thus must comply with PCI DSS standards. Nearly half, 45%, reported they serve clients with operations, employees or customers in Europe, mandating adherence to GDPR.
Given that the penalties are much higher for these formal mandates, it is especially imperative for such organizations to take a proactive approach to security.
The Vast Majority Proactively Work with Clients in Addressing Compliance Needs
The bond between provider and client is strong in compliance matters. A whopping 82% said they proactively work with clients and prospects on addressing compliance needs. Only 18% said they don’t touch compliance issues as part of the overall security planning, which is odd since all of these formal mandates have components and penalties directly tied to security accountability.
It simply makes good business sense to combine compliance and security needs in the overall planning and plan execution for clients.