Context: Canadian solutions integrator Scalar Decisions is at a high peak in its growth trajectory, and has the new digs to prove it. This November, the company announced new headquarters in Toronto to compliment offices in Montreal, Ottawa, London, Winnipeg, Calgary, Edmonton and Vancouver and to help house 59 new staff the company plans to bring on board as part of ongoing expansion. The Toronto location will also serve as home to a new Advanced Security Operations Centre, which Scalar also announced along with enhancements to its managed security service suite aimed at delivering advanced analytics, threat intelligence, and what the company calls “business specific context.”
To mark this launch, Scalar convened a panel to discuss new sources of security threat, end user efforts to remediate risk, and the locus of security support for businesses that appear to be losing the battle in cyber warfare. Led by Scalar CTO and chief security advisor Ryan Wilson, the panel included Ben Sapiro, senior director, security, privacy & compliance at Vision Critical, Benjamin Boi-Doku, managing director, Eosensa and practice leader, Scalar Decisions, Rafael Etges, executive advisor, cyber security with Strata Advisory Group, and Marc LeCuyer, area VP Canada for RSA, the security division of EMC.
Three keY questions:
What is the source of new threats, is it possible to distinguish between cyber security attacks, and does this matter? Panel responses to this broad question reflect the magnitude of challenge faced by organizations looking to conduct business in a safe and responsible manner. IoT was identified by all members of the group as the primary source of new threat: in M2M communications there are too many IP addresses to monitor, manage or audit; the extension of connectedness to the consumer level can have grave consequences (consider the consequences of a pacemaker hack); and there are identity issues with driverless cars. “It’s frightening to think that a car has an IP address,” Ryan Wilson concluded, and operates without a proper threat assessment in place.
If IoT represents multiple new points of vulnerability, there are also new hacker motives and tactics – the threat of data destruction to extort money as in Sony’s case – and additional paths to target for cyber criminals. As example, Benjamin Boi-Doku cited the case of smaller tech companies with less rigorous security that provide business process services to banks which may act as a conduit to enterprise banking systems. Ultimately, the panel concluded, a hack is a hack, is a hack, and must be addressed whatever its source. While Marc LecCuyer pointed to the need to protect against both internal and external threats, which Ben Sapiro argued change over time, Raphael Etges explained that with government ambiguity on “hack back” activity, it’s best for an unwitting organization to assume it’s possible to get caught in retaliatory cross hairs – and to assume there’s no state support. Though governments are starting to insist on greater diligence in privacy and security management in the wake of the Ashley Madison fiasco, as Sapiro noted, “we are really on our own on this.”
Are customers and security providers keeping pace with new threats? If the quick answer is no, the reason why is a more complex proposition. According to LeCuyer, in applying the “prevention, detection, response” approach, clients have become confused by the plethora of next gen tools and hence reluctant to invest in yet one more. Even amongst those with budgets, lack of expertise remains a barrier to the right investment. Studies of budget allocation have shown, Etges explained, that “in this arms race, we are always playing catch up”: while attackers keep morphing, they tend to attack the company’s people rather than the technology, which represent a bigger risk. With the evolution of ‘self-service’ technology, Sapiro expects this mismatch will only become more problematic. In contrast, a better approach is to step back, take the time to understand the attacks, develop a risk management strategy that includes staff training, and focus on processes and programs rather than on incremental technology spend. Though changing technology is fast, and changing culture relatively slow, this is a prerequisite to risk management.
What is the value of the managed security provider (MMSP) market in Canada? While outsourcing security requirements is a tempting solution to issues with expertise and tools, the panel advised caution in this approach. Ultimately, legal liability for a breach lies with the client – or owner of the data – who also has vested interest in ensuring the appropriate security is in place: as Etges put it, “you can’t outsource risk” and hence should look for a security provider that acts as a partner who understands the business. For the user organization, the panel offered some sound advice on working with a security provider: identify 10-15 things that the provider does well, and come to that supplier able to identify specific needs; identify organizational risk by understanding your industry, classify data appropriately by criticality of the application and develop proper governance; and ensure collaboration between the CISO and business unit managers in creation of a security framework that can align siloed activities. According to Wilson, connecting the business manager with the security professional to stimulate a broader conversation within the company as a whole is what Scalar means by providing “the business context,” which serves as a key differentiator Scalar – and new model for MMSPs in Canada. Boi-Doku offered some detail on how this is done, specifically, the exercise that Scalar goes through with client executives to align security risk to business goals, mapping specific metrics to outcomes in manner that is unique to each client situation.
The bottom line:
A good deal of the panel discussion focused on the enterprise client – categories such as CISO, boards of directors or even the business unit manager, for example, are less likely to apply in the small or potentially even in the mid-sized community. However, the SMB segment offers the greatest growth opportunity going forward. Data from a recent InsightaaS survey of 402 Canadian businesses has found that demand for managed cloud security is exploding within the Canadian small business segment. Currently, 29 percent of Canadian businesses with 1-99 employees are buying cloud-delivered security services, but an additional 53 percent are looking at adding security services in the near term. For the midmarket, the corresponding figures are: 73 percent for current users, and 98 percent for projected use after new adopters come on stream. Basically, cloud security-as-a-service is poised to become part of every midmarket business’s IT strategy. In the enterprise segment, current use is approximately 64 percent, and projected use after new adopters have come on board is 89 percent. So despite focus in the panel discussion, large enterprise have proved more reticent than midmarket firms in embracing cloud security – and likely more capable of delivering security through internal resources – thought the concept is catching on.
or the provider, market direction seems clear. As InsightaaS principal analyst Michael O’Neil observed: “InsightaaS expects to see MSPs and other service providers invest in delivering security-related education and consulting to the small business market in Canada, as a means of developing new accounts in this segment.” To now, much of Scalar’s growth has been predicated on acquisition. Since 2008, the company has acquired IT infrastructure provider XSM Systems, Southwest Sun, 3vis, and more recently Eosensa and Mainland Information Systems, which has put the company at 325 employees and over $325 in annual revenue. To manage organic growth going forward, however, a key requirement will be to leverage this expertise into new and adjacent markets. According to Wilson, “small and medium sized, and even the larger medium sized organization are a great fit for MMSPs; there’s no way they are going to build 24/7 security operation centres, or be able to manage the type of threats we are seeing today.” With its now robust portfolio of security services, including data classification and strategy around security practice for the SMB, combined with extensive integration experience, Scalar is looking to position as the Canadian firm that can best meet client security need with service delivery – aligning messaging with the SMB “business context” should be a tactic productive of ongoing growth.