IT Security Experts: Look for Risk and Opportunity in the Security Shadow

Data is a company’s most important asset, but many small and midsized businesses don’t know about it, don’t care about it, or don’t have enough in the budget to protect it, according to a panel of experts during the CompTIA IT Security Community meeting, held during this week’s Annual Member Meeting. “Some small businesses probably don’t know what confidential information is,” said Neal Bradbury, vice president of channel development for Intronis. “It’s not a matter of if you need security; it’s a matter of the level of security they need.”

Bradbury shared the panel with Ron Culler of Secure Designs Inc., Eric Pinto of Nuvotera, Chris Johnson of Untangled Solutions, and Mike Semel of Semel Consulting L.L.C., who took turns sharing ways the IT security community can discover risks and opportunities in the market.

Educating clients on backup, data recovery and data loss prevention is a good start, since many don’t even know the difference between backup and archiving. Teaching security best practices and helping clients understand that all data is not created equal also helps.

“There’s technology that can be installed based on the size and budget of the business,” said Bradbury, whose company specializes in data backup and recovery. “There’s some simple stuff we can do to educate our clients.”

Discovering Risks and Rewards

There are security risks that fall outside of the normal IT security parameters, but still open the door to data breaches. It’s in those gray areas — call it shadow IT — where IT security providers can identify both risk for their clients and financial opportunity for themselves. Culler put it simply: Go out and look.

“Find out where their vulnerabilities are. Walk into a retail shop today and there’s a POS system still running Windows XP,” Culler said. “They’ve got a POS system router, a cloud-based voice provider, WiFi, they’ve put a video system in there or hired an alarm company because they have a physical store and things inside it. They bring in an IP-based video surveillance and a nice app … every one of those things is IT-related, but no one’s asked the question, ‘Is that safe?’”

Semel addressed the same issue, calling it “security by walking around.” He shared an example of a client who had laid out $1 million on his security plan, proud as a peacock of all the controls it offered.

“We were walking around his office, and there was a lady with two monitors. I asked if I could walk around her desk to see if there was a password stuck to a Post-It, because there usually is,” Semel said. “The good news is her first monitor didn’t have one, but the bad news is the second monitor was so covered with sticky notes and passwords that it wasn’t being used as a monitor anymore — it was a hanging stand for passwords.”

The Illusion of Security

Very often, Semel said, companies believe they are protected but simply aren’t. The audience blanched at his description of a major healthcare group that thought it was protected, but had more than 50 systems missing at least 10 patches, 19 missing 50 patches, 3 more missing 100 patches, plus systems running on Windows XP and 59 former employees who still had access to the system because their passwords were set to never expire. To cap it off, the company had purchased a firewall — but no subscriptions or updates to go with it.

“People think they’re aware of their IT security, but they’re wrong. It’s what they believe, but it’s not the truth,” Semel said. While it’s frightening for the companies going unprotected, these are great opportunities to educate. “We have to change their beliefs and give them information — hard information in a soft way.”

The IT security consulting business can be lucrative, but it requires educating clients on what’s actually going on.

“We need to create learning opportunities to increase our value as a provider or a subject matter expert,” said Pinto. “We need to provide guidance even when it’s not directly business related, and discover revenue opportunities by discussing cloud and unmanaged solutions and their potential impact to business.”

No More ‘Computer Guy’

Johnson rounded out the panel with a discussion on IT security perception, encouraging providers to come up with a title less like “the computer guy” and more like a trusted adviser or virtual CIO. Does your customer come to you first, he asked, and are you providing vendor management? Are you overseeing their cloud solutions or mobile device management? If so, you’re more than “the computer guy.”

“Even more so than two or three years ago, you’re providing direction on policy and procedure, and helping them define their business continuity planning,” he said.

A lot of these services are embedded into broader security offerings, and Johnson suggested breaking them out into standalone services to show your worth. Thread the language into your service offerings, too. Try changing “cloud solutions” to “security cloud solutions” and “vendor management” to “security vendor management.”

“I don’t want to be reactive and educate my customers on security after something happens,” Johnson said. “I believe we can double our current growth just by going after the security element.”

Start the conversation with clients by using the IT Security Wizard. Created by the IT Security Community, the tool helps you walk a potential customer through a series of security assessment questions and produce a comprehensive customer profile that can be used as a springboard for security service discussions and sales.

It’s currently the most downloaded resource from CompTIA’s Insight & Tools page. Later this year, CompTIA and the IT Security Community will launch the premier version, which lets users upload their company logo and print out professional security analytics for clients.

“Walk your customers through the IT Security Wizard,” Johnson said. “It’s a great way to start doing that vetting process.”

Michelle Peterson is a communications specialist for CompTIA.