The non-profit Computing Technology Industry Association (CompTIA) issues a semi-annual study on Trends in IT Security, which looks at what is happening in the security market and ways end users and channel firms should be adjusting to the new security reality.
CompTIA interviewed 291 IT channel executives and professionals in October 2014. Among the most notable findings is that nearly half of all channel firms (48%) say they do not get inquiries from clients or take action as a result of major security breaches. At least one in three channel firms said they offer either security as a service or managed security services.
I spoke with Seth Robinson, senior director of technology analysis, to ascertain where channel companies should be focusing their attention, as well as their strengths and their weaknesses.
Q: What has changed since the last time the report was done in 2013?
A: When we ask companies what is driving change, the top answer is a change in IT operations, which makes sense if a company is moving to the cloud or picking up mobile devices more often; that will change their security platform. The problem is that response was only cited by half of the [respondent] companies and many more are adopting cloud and mobile devices -- or both -- so you see a gap between companies changing their IT operations and companies saying that a change in operations is driving a change in security. So a lot of the message continues to be the same.
As we talk about being secure in a cloud environment you need to ask questions of your cloud provider and you need to move beyond just securing mobile devices. There’s a big shift in mindset from [providing] security at the firewall to whether you’re changing technologies or making a change in policy or in educating your workforce. Ultimately, it has to be all of the above.
We’re definitely not seeing critical mass, but we are seeing progress in all those areas. But progress in any individual area is not sufficient.
Q: What do you most want channel companies to know about the latest security study?
They need to become more aware of what a client needs. If they’re still offering the break/fix [model] they may not change their offering, but they should have enough awareness of security so if they are doing something for a client and recognize they are creating a security vulnerability and don’t have expertise in that area, they can point them in the right direction. So how they fit into the overall picture, regardless of the products and services they offer, would be a big help.
Q: What, if anything, surprised you about the findings?
We know from watching the news that companies are not quite as focused on security as they should be. These really large companies are having security issues; a lot of breaches and attacks that are successful are not based on new uses of technology. It’s just vulnerabilities that have existed that are now being exploited by attackers with more resources and more time on their hands. That’s just going to accelerate as companies push further into new technologies and companies are going to have to start focusing on security as a separate discipline rather than one piece of their IT infrastructure and their overall IT environment. They have to think about security on a day-to-day basis as its own line item because it’s becoming more complex and critical.
Q: How can channel companies build a strong security culture for their customers – what actions should they be taking?
One of the biggest things they can do is be a little more proactive. We asked what channel firms see happening when security breaches occur. The most common response was ‘We’re getting new inquiries from existing customers or new customers.’ Further down the list we saw that some companies reached out to their customers and tried to educate them on breaches and the types of things they should examine to avoid them. It’s a great time to be doing that and making connections. Again, a lot of firms are not doing anything and if you start having that [education] discussion you get to a discussion about changing their operations and their security approach. There’s a lot of opportunity there. Channel companies have to turn that into a driver for their clients.
Q: What areas should they be focusing on more frequently that they’re not?
It depends on what the channel firm is already doing. If they are already offering security technologies then they can move into newer areas, like data loss protection (DLP) or identity and access management. Those are the technology areas they could focus on. If they’re a channel firm that acts as a virtual CIO and performs the overall IT function then they could have the discussion about policy, especially for small clients -- that could be a powerful step. If the channel firm has experience with educating clients on technical products they could expand on educating them on security for the workforce.