Security isn’t part of technology anymore, it’s part of business. That’s a concept that still eludes many businesses—which spells opportunity for solution providers.
Businesses are changing the way they think of security, but they’re not necessarily investing properly, according to CompTIA research analysts Carolyn April and Seth Robinson, who talk about the state of security and preview CompTIA’s upcoming cybersecurity research report on the latest Volley podcast available here.
Security Moves from the Data Center to the Boardroom
Security is moving more into lines of business and more business heads are purchasing security, Robinson said.
“Technology is becoming more ingrained in business operations and security is becoming really critical to business operations. A lot of companies had security as part of the function of their overall IT team, but we're seeing it now pull out more and more into [into business],” he said. “The more I've looked at security over the past few years, the more I almost begin to think of it the same way that I would think of accounting or legal. You have to have it and you have to have some pretty deep knowledge and specialization around it. And I think that that's kind of the theme behind this new security report.”
Businesses have been stagnant the last few years regarding their security, but many are starting to take a more modern approach—understanding that it’s not just the technology and it’s not enough to just have a secure perimeter anymore.
“You have to think about processes, you have to think about education. That's not just something that companies can think about as a one-time initiative, like let's put these things in place and then kind of set it and forget it,” Robinson said.
Opportunity Looms Large, But So Do Challenges
Meanwhile, security is expected to be one of the channel’s large growth markets over the next couple of years, according to the forthcoming State of the Channel Study, April said.
“A of third parties are doubling down on the security services that they offer, and hopefully they have the breadth and depth of a specialist in security to be able to offer their customers not just a little bit of knowledge, but the full array of knowledge,” April said.
The problem, April said, is that many small businesses don’t feel that they’re vulnerable to security threats.
“I’ve talked to a lot of people about this. They read the headlines and think, ‘Oh, these data breaches and these things that are horrible…the malicious actors out there who are going after large corporations, they would never target me,’” she said. “But unfortunately, the large corporations can weather the storm. If a smaller company is impacted, they're out of business. And I don't think that a lot of these very small companies think that way. They don't understand. They feel like they'll never be a target.”
That’s where the channel’s opportunity lies—to help businesses better understand the risks they face, the potential consequences, and what they need to do to protect themselves. But the channel needs to make sure it’s protecting itself too, April warned.
“Hackers will target a managed services provider who is running the network for all of these small companies. And that's how they gain access to a large ecosystem of small companies that they can target,” she said. “I think there's a lot of education that has to take place so that these small companies don't feel like they're immune.”
Robinson agrees that smaller companies are starting to recognize the need for improved security—but getting there is… complicated.
“What becomes so challenging is placing a higher priority on it, really embracing the complexity of security today, which probably means increasing your security budget,” Robinson said. “And not only is that really difficult for small companies to do, but it's just a completely different mindset from what technology budgets have been for a long time. Companies have viewed IT as more of a cost center and so they're trying to keep that budget flat or they're trying to reduce it as capabilities improve and still get the same technology out of a lower budget.”
But security doesn’t work that way, Robinson added. The percentage of budget spent on security needs to increase because security processes need to be embedded in more of the business—not just IT.
There’s No Finish Line While Protecting Data
Companies can never have “good-enough” security because threats constantly evolve and risks will increase, April said.
“It's going to be a constantly evolving and changing item on your to-do list. That means having a dedicated central security team like you would in the accounting office, because it is ever changing and the risks aren't eradicated,” she said. “You're never really going to be in a safe spot. There'll always be something else that's out there that's ahead of where you are, and it needs to be constant.”
And that’s why there’s opportunity for solution providers—not just selling security products but enabling customers with the knowledge and the processes to keep safe.
“It's about getting the workforce up to speed. That’s a constant need. There'll be new ways to train people, there'll be new employees who enter your organization that you need to get up to speed, and then there just needs to be a process put in place to make sure that people are doing the things that they're supposed to be doing,” April said.
Join our IT Security Community to get the latest resources and updates!
Add CompTIA to your favorite RSS reader
