Talking Channel

Talking Channel #6: Sophos and TET

BPL Group


This month's Talking Channel is a cybersecurity special, with Will Garside joined by Kyle Torres (Sophos) and Lewis Shoulders (TET) to discuss big channel trends and the evolving role of the MSSP

Hello, I'm Will Garside, editor here at IT Europa, and welcome to our monthly podcast Talking Channel. This week we have a themed podcast around the glamorous world of cybersecurity. With me I have Lewis Shoulders and Kyle Torres, my expert guest gentlemen. Thank you for joining us. Thank you, Will. Hi, Will. I did say it was cybersecurity themed, which means everyone's going to turn off now. But so before we start, Lewis, introduce yourself formally. Yep, so I'm Lewis Shoulders. I work for TET Limited. We have been in the industry for 40 odd years. And you're a bit of a techie, I know this, you try to hide here, but I know you're quite technical. Yeah, um, recent years moving into more of the customer relationship, progression, compliance, that sort of space. Um, but yeah, my journey started as an IT engineer, especially at TET. Yeah, on our on our service there six years ago. So Wow, it's a journey. Kyle. So my name is Kyle Torres. I've been at Sophos for a little over about nine years. I've been doing cybersecurity for just over ten years. So Sophos is a next gen cybersecurity company doing everything from endpoint to firewall to email. Um and I work on the channel side. So I work specifically with managed service providers, managed security service providers, and helping them shore up and really advance their cybersecurity stack. And also trying to keep abreast of what's going on in the industry. And a little known fact which I know about you is that you are an expert shot because you used to be. Yeah, so I was in the uh military for so I was in the US Army for about five years. Yeah, and then moved to the UK about oh wow, 15 years ago. And we know this because we did an event once, there was like a shooting competition on the final day, and I I think you didn't hustle people, but you could have. I didn't count, it was laser clay pigeons. Ah, laser laser schmeizers. So I very simple thought. We think about talk about things that are interesting to us. 
Um and I'll let you start, Lewis. I mean, cybersecurity is such a broad topic, but we're not gonna get into speeds and feeds. What what area would you like to discuss? Um I guess it's more around compliance and the user aspect of that, right? Yeah, it's more around adoption, change, and processes rather than tooling. You know, completely agree. You can have a tool in place, it's not gonna fix the issue that cybersecurity is, right? If if the business isn't following a defined process and outlining how the end user follows it, then the issue's still there. And you've you've you've moved from coalface to looking at those processes, defining those processes, and working out how you move your business operationally to a to a next level. Where are you seeing some of the the pain points in that journey? So it's I guess the easiest way to say it is maturity, right? Cybersecurity is a mature journey. So customers will look at tooling, they'll look at what they have, tick-box exercises, compliance, do they have this, do they have that, but not how effective it actually is on a day-to-day. Because I think ultimately it comes down to if if a process is hard because of security, users are gonna find a way around it, right? So how do you make a process easy and secure? The answer is you can't. So you define what the guardrails are. Yeah. And as a business, you protect yourself, but then you make sure your users are protected and helped along that journey as well. I think I think we've been we've all been kind of having this conversation for the last three decades. We've all walked into the office where we've seen the post-it note attached to somebody's monitor with the password there everyone in the IT department uses. Is it changing? You speak to a lot of partners, is it changing? Yeah, yeah. 
So from you know, having spent so long at the from the vendor perspective, um, what we're seeing from the partners, it's it's exactly what Lewis was talking about, but it's much more en masse. I mean, ten years ago it was who had the best detection rates, who could catch the most the fastest, and now it's turning to operations. It's you know, if this process, if setting up this security, is going to impact your operations or it's going to cause more trouble, it doesn't matter if it has the highest rates. They want to look at what's going to integrate and be operationally efficient and also get ready for compliance. Yeah. Compliance. I think that that's the key thing, right? How, especially as an MSP, how do we prove what we're doing to our customers? Yeah. And more importantly, how do they then take what we've given them and prove that to an auditor? Yeah. Yeah, and then and we we kind of know now that the idea of what does good security look like is a very a different question and answer to people. And we're starting to see people like great benchmarks now. Yeah, I mean benchmarks are great, but they are the flaw. Alright? Yeah. Every business should be looking to move along that. But it's not an overnight thing. It has to be a conversation, it has to be a process and a journey, and that's what we're trying to help our customers through. Yeah. Where are you at now? What's working, what isn't working, and how do we get you to the next step? Not how do we get you to the end goal, how do we get you to the next step along that journey? I think we discussed it earlier that there are between 12 to 13,000 MSPs in the UK. And we've talked about this before as well, the vast majority of them do not have uh ISO 27001, ISO 9001. Hopefully they all have Cyber Essentials Plus, but even that, based on the number of people that have signed up for it, probably isn't true. Moving forward, this is not a tenable situation. 
That the industry looking after cybersecurity is in itself not certified to do it. No. And I I'll pass it over to you, I guess, Kyle, when I think. It's like what you said, the industry itself isn't geared up to look after that. And I think that's what the government is trying to do. That's exactly like you said. What does cybersecurity look like? What's visible from that? More platforms, more reports, more auditing that can be visible to the board, and the industry can't own that. I think that's why we've seen all the activity and talking with cybersecurity resilience coming up, because the government's going to try to. I mean, my favorite Turkish restaurant has a five-star hygiene rating. It's got a sticker on its door as I walk into it. I actually do not know if MSPX and MSPY, who are both offering a set of cybersecurity services, are competent to do that. We talked about the SCS cybersecurity resiliency bill. I know that you guys are, even though you're not having to, you're actually going through that process now. Yeah, yeah, so we we do quite a lot with the public sector, we do a lot with the private sector as well. And our whole thing is differentiating ourselves from other MSPs, right? What is that? That's how we speak to our customers, how we engage with them, and we focus on outcomes rather than tooling or rather than just selling them a solution or a project, right? It's the outcome, what as a business that they want to achieve. And if we align ourselves with the resiliency bill now, before it's even put through government, we're able to say that, right? We're able to say we've kept track of what's happening out there in the world, and we are able to prove that we can deliver that service to you now before we're enforced to you. 
I mean, I suspect, and we talked about this before about compliance, and you guys talked about this maybe a year and a bit ago, that compliance as a service and cyber insurance and those related things was just a high growth area, and that a lot of the MSPs that you were working with were looking at that. I mean, ultimately, the industry is going to become compliant, then I suspect that it's going to trickle down eventually to the clients. It really happens in financial services markets, PCI DSS, etc. But longer term, is cybersecurity compliance gonna be a everybody has to comply. I think if you want to be a recognized in the in the managed service provider space, you know, no, it's a channel overall, but that the CSR specifically kind of calls out the managed service. I think you will have to. I think you absolutely will have to. They're they're really fleshing out what the penalties are going to be. They're trying to turn things like critical infrastructure, even if you're not part of the public sector, you know, into something that can be held accountable. Yeah, something really interesting. Um I did a bit of research years ago on sort of cyber terrorism in the context of international law, and it's so fuzzy when you have cyberattacks that impact critical national infrastructure. But then where are all those points in between? Who was looking after that IT infrastructure? Is it down to the end user, or is it down to whoever was running their IT? If they're if they were running their IT and they're compliant, is it down to the people who said they were compliant? So we're trying to say we're seeing the government just try to consolidate that, but it's going to be those IT providers that are going to be held responsible. Ingro the era of finger pointing hasn't gone away because you know it's always like it wasn't us, it was them. Yeah. And I think as an MSP, the key thing is, right, businesses can't outsource risk. No. 
They can outsource the tooling, they can outsource the framework, the strategy, the design, and the data they're running. Yeah. You can't outsource risk. That has to lay with someone, and that lays with the people who are ultimately at the end of the chain. Completely agree. I mean, I wrote my my favourite blog that I've written in a while, um, op-ed. And it was pointing out that as one of the parts of it, that the cybersecurity industry is very bloated at the moment from a vendor side. I've been quoting a figure of 3,500 vendors. I've now been told by someone who's better than me that it's actually 4,300-ish. Well, is it bigger? I would say Canalys now, sorry, now, um, Omdia, I think they think they're at about just over 6,000. Oh, you're joking. My dates are two years out of date. In the ballpark still. So I mean it's up there. That is not a sustainable number of vendors in this market. And there are some inherent risks if you've backed the horse that's about to die. Um, I think we were at an event where we we asked someone around a table, round table, and said to them, have you recently tried to change your supplier? One of your suppliers, and they their description was yes. It was like spending six months punching yourself in the face. Um, but for cybersecurity, I mean, have you have you been down that road of climate change? Um I guess the part of TET being in the industry for 40 years is we are very vendor agnostic. Right. We're not aligned to one particular vendor. Do we have vendors that we work with more than others? Yes. But only because they deliver the outcome for our customers. Yeah. Right? If there's any given moment where they don't deliver, we have six months punching yourself in the face. No, we have other vendors that we've already lined up and are in other customers that we support. So our change is very simple. But are you again? Do you think that this 6,000 number of vendors is a good thing? Choice is always a good thing. 
Innovation's always a good thing. Innovation's always a good thing. It is. But from my perspective, recently we've been looking at one area. Right. And I've been to events, been to shows, been speaking to multiple vendors, had to come back, meet with them individually afterwards, go through it, write pros, cons, list, go through the pricing, build what the service looks like on the back of that, deliver that internally as a short list of maybe four or five, to then go through down to what the final one or two might be. Right. And you can imagine with 6,000, that's a lot. Oh yeah, we need to do that. Why not these? Why not these? And a customer comes in, oh we've heard of this person. Do the customers care like they used to? I remember in the old days of AV, where it was Dr Solomon's and McAfee and so forth, and it was like all this tech and that tech and this detection rate, and there was like this sort of lots of money being spent. Now, do customers really care how the sausage is made? No, like I said at the beginning, focusing on outcomes. Yeah. You know, if you if you're delivering an outcome to a customer, they don't really care how it's been delivered. Yeah. Yeah. I mean, Sophos have been around for a very long time, and you've watched you were in a time where in a market where there was sort of half a dozen really big ones who dropped it all up. Yeah. Now there's everyone with with some time and an AI can create something. Is is this number of cybersecurity vendors sustainable? Or even good for our market? I think I don't think it's sustainable. I don't think we'll see that number continue to grow. Good for the market. I mean it's it's always better to kind of have that choice. Um But no, I don't I don't think that's sustainable. I think it's a lot of it is is outcome-based, like Lewis had just mentioned. 
I mean, we've seen that sales conversation from you know when I first started in the channel almost 10 years ago, was are your protection rates better than this? Are you more lightweight than than these? And it's now changed to outcome-based. It's well, how can you help mitigate the risk? How are you addressing supply chain issues? What are you doing in regards to compliance? And not all four or five, six thousand vendors out there are going to be able to do that. They're not going to have the platforms that allow for that compliance or the or the visibility. I mean, it does take you know seeing the vendors that are out there and what they can do, it takes a lot of investment and work to even get up into that sort of top, I'd say, 100 kind of space. And we've we've we've spent years saying single pane of glass. I love that phrase. Yeah. Single pane of glass, one unified view, yada yada, yada. I mean, let's be very, very, very honest. If something turns up that's particularly good at what it does, that's great. But now you have to integrate it into your workflow. Now you have to integrate it into your telemetry. Now you have to as a person who's been down that road, I mean, do you actually go to that once you've gone through your short list, do you then start thinking operationally, is this a good thing for us? Yeah, of course. You know, if a customer needs it, then we will deliver it for the customer, right? However, how we deliver that internally needs to be questioned. Yeah. And that could be technical enablement, that could be sales enablement, or more importantly, it could just be vendor alignment. Yes. You want the outcome, but not necessarily so that product that they've said, we want this product, it's actually we want this outcome. Yeah. And that outcome might well be available. And again, we've seen all the cybersecurity vendors have moved horizontally with their place. 
I can't think of many one-trick pony cybersecurity vendors that are doing well. They're there, but you just sort of think they're gonna get gobbled up, they're gonna get gobbled up, and they're gonna die. I if if you're making bets, there's not that many areas where there is no competition. I have no doubt that a lot of the vendors on that big list are probably vendors that specialize in a single point solution with the intention of getting acquired. And again, it drives innovation. Why would you not want to invent the one single really niche piece of security? You're now one of those four, five, six thousand vendors, and then in three years you won't be, because you'll have been acquired. We got nothing wrong with that. But it's what you just said, you need to integrate it into workflows. You need to integrate, integrate, integrate. So maybe that is that goal, all those smaller companies get acquired into someone that can integrate you. But if you don't have that platform optimization, I'm trying to hold off on too many words. If you don't have that platform optimization that lets you integrate, if you are a vendor focusing on a single standalone tool, your direction is your only direction to go is probably just to be acquired. Yeah. Which might be your end goal. And we've also seen this trend where companies that are not in cybersecurity have said, the margins in cybersecurity are quite good. Let's buy some companies and now we're in cybersecurity. And without naming names, we can all think of a few examples. It doesn't always work where culturally, say a chip vendor buys a cybersecurity vendor, and that cybersecurity vendor doesn't flourish as it was doing before it was acquired. I mean, is cybersecurity now the heart of everything and everything connects? I think it needs to be. She knows she has MFA. She knows that she needs to back up. I bet you set it up for it, didn't you? To be honest. Probably. But do you know what I mean? 
That that at that level people know. Yeah. The next step is how do they practice it day to day? Okay. Because they're aware of it now, which is great, but how does that impact their day-to-day and how do they deliver on it? So cybersecurity should be at the thinking of everything and it should be almost secure by default, is kind of the terminology I've been using. Every service we design has to be secure. Yeah, completely agree. I think also there's there's still a moat around cybersecurity that the MSPs can exploit. Let's be honest, no one's making any money selling copies of Microsoft Office 365 because it's it's it's there's no technical moat. Cybersecurity still has a level of complexity, and also an area that I'd love to talk about, but nobody wants to talk about it, is remediation. Statistically, if you have a thousand customers and you're an MSP, someone's gonna get breached, no matter how good you are. And then it turns up to that conversation which is how are we gonna fix it? Yes, it's an uncomfortable conversation sometimes. It is, and I'm for I want to say, probably four years ago, we were in a very similar situation. We'd been speaking to a customer who is in the retail sector, and they'd be on on their journey, right? As I said at the beginning, going through their journey, just hadn't invested that next bit just yet. They were and was it because internally it was on their list of things to do but never got to it, or was it because there was a pushback from the team or the internals? It's a mixture, ultimately, and this is four years ago. The the landscape has changed massively since then, and it's changing every day, right? Yeah, but they were on their journey, there was pushback, there was financial constraints over this and that. And we helped them through their breach, get their business back up and running, recover what we needed to recover, and then it was uh how do we move forward? 
Yeah, and out of that we built what we call our secure assessment. And ultimately the secure assessment now is our process of guiding customers through that journey. Yeah. It covers everything in cybersecurity, gives the customer a maturity scale, tells them where they are now, what they're doing that works, and not just tools, what processes they're doing, how they're implemented, what their culture is, the leadership, everything, and and what the next step is. I think we've all heard those those scary stories. And again, I keep saying this a lot, but you do speak to a lot of partners. I see you at events. Do you have to get burnt? Does the client does the customer have to get burnt to have that sensible conversation about cybersecurity? No, I don't I don't think you have to. I think with with the the outcome-based selling, I mean, you know, vet working in the channel wasn't is my my first sales role. I've been in sales roles where you have that sort of sales process. But that this big shift to that sort of outcome-based selling and you know, being in sales, we've had all types of sales trainings and tools and you know techniques you can use to sort of articulate outcome-based selling, and it's very effective. If you can go up front and address their concerns around risk and show that you're familiar with their industry. You know, right now you work as as a baker, you know, you own a bakery, and you can go in and show where they sit on the supply chain, what those risks are. You have an initial assessment as well. Um and they know you're professional. You I don't think you have to be burnt so much anymore. I agree. I think there are ways to articulate that. I always say to any MSP that I make who's talking about cybersecurity says, have you got an assessment process? Have you got an audit process? Because, oh, for new customers, no, no, no. For your existing customers. Because let's be very, very honest, how many customers have you got? Oh, three or four hundred. 
Someone's gonna get breached. And even though it's not necessarily your responsibility, even though you're not even contracted for cybersecurity, I can guarantee they're gonna blame you or come to you at least for some advice. And if you don't have a security story to discuss, I cannot see certain MSPs that just surviving if you don't have that. It's a security story. You can't go in there and say, well, again, we use the little bakery example. You can't go in there and say X percent of people in your industry have been hit. You know, it's it's that story. It's building you know who they are, where they sit as a business, their importance in the supply chain, and and yeah, building up that story. And and getting over the oh we're in a little bakery, no one's gonna attack us. I can guarantee it. Especially if they're in the supply chain. Gotcha. You know, that bakery could be supplying the bank with sandwiches. Yeah. And they've got a way in. Yeah. Uh and I think the burn customers being burned, right? Yes, that is an element of it. But frameworks and certification and everything is another part. Yeah. Budget comes available when customers get hit and they need to recover to get their business back and running, and they find budget when they need to achieve a certification to fulfill a contract. 100%. Which is great because it's pushing them along it. What my job is and what we try to do is help them get there before that. So if we are securing by default and with our services and having these conversations, the moment they come up with I need ISO, I need ISO 27001, 9001, whatever it is, we've already helped them get a percentage off the way. So it's not you need to spend this much money by these tools. But also you've done it yourself internally. It's really hard to give someone else advice about cybersecurity if your own house isn't in order. And we run every tool. Every tool that we sell to customers, we run internally. Yeah, I think it's a good way to be. 
We get to break it, we get to fix it, we get to figure out all the quirks, all the issues that it might cause before we even put it in a customer's environment. Yeah, and I I'm still of the I'm still of the belief. I I we we did a another round table on the week that the Marks and Spencer's breach got announced. And a couple people at the table said, Great news. I'm thinking, what do you mean? Trust me, we'll be getting calls tomorrow from our clients who have been holdouts on doing things like company-wide multi-factor or always on VPN who just said no, no, I'm not going to do it, who are going to say yes, we'll we'll do that now. Because the visibility There's always that surge of activity. Yeah. JLR, Marks and Spencer's, the Co-op, it always drives those kind of those. So again, you might not have to have gotten burnt. You just need to read in the news. You just read in the news that someone's gotten burnt. Yeah. I could talk about cybersecurity for a really long period of time. I wish I had a pint of Guinness and some more time. Um we are out of time, unfortunately. Um gentlemen, thank you. Thank you for being candid and honest in speaking. And for myself, Will Garside, editor here at IT Europa, but thank you for joining our podcast, and we'll see you next month.