Resellers as service providers in IT security

Cyber lock
A future in 'security as a service'

Almost everybody who touches a computer now knows that the demands of IT security keep changing as new vulnerabilities and threats emerge.

There is also a view in the IT industry that the demands on resellers of equipment and software are changing as more activity moves into the cloud. In future less will be delivered to customers' premises and more as an online service.

This raises the prospect of a change in the role of resellers, in which they become service providers and extend their activities into providing more support for customers' business processes. IT security is one area in which they have a lot of scope to take on this role.

The outlook emerged from a discussion on the implications of cloud and 'bring your own device' (BYOD) for small and midsized businesses, staged by security software provider Kaspersky. It involved representatives of the company along with Bob Tarzey, Director of research firm Quocirca, and Ian Kilpatrick, Chairman of Wick Hill Group, a distributor of IT infrastructure.

IT as a service

The starting point was that SMBs now have ability to source IT from third parties as a service, which should change the way that resellers approach their market. They can provide more added value by getting to know their customers' business processes, ensuring that they get the right services and helping to put them in place.

It is unlikely that many firms yet have the skills to do this, given that there is a shortage of IT specialists who can also talk convincingly about their customers' business. But they are well equipped to provide the expertise in IT security.

One of the first things they can do is help their customers to analyse risks. This is crucial in areas such as the deployment of mobile technology, but many companies do not try to assess the risks or have a policy to protect the information on mobile devices.

The situation is made more dangerous by the continual emergence of new online threats. Companies have to ask themselves a series of questions – "What if?" "How could we be undermined?" How can we mitigate against it?" – and be ready to take the necessary measures.

They also need to instil a security mindset among their employees, so that they think about the potential dangers and behave sensibly when using IT. A point was made in the discussion that for most people, it has become instinctive to be cautious when driving a car or crossing a road, but by contrast most people are not like this when it comes to IT.

Employers do not spend enough time thinking about these issues to instil the right behaviour; but an IT security service provider does think about them and can provide the right guidance.

This could encourage smaller companies to be more confident about taking up cloud services. There has been plenty of talk about worries about the security of data being the main deterrent, and the resellers can establish themselves as trusted advisers.

They can educate customers on issues such as the importance of two-factor authentication in accessing cloud data, and establish service level agreements to maintain security.

BYOD advice

It is also relevant to BYOD, advising companies on how to preserve security as they allow a wider range of devices, often with different operating systems, to access their networks. They can provide the know-how to examine the risks and set up security policies; for example, not allowing an employee to use an iPad for work unless it is proven to be fully secured, insisting on the encryption of data and providing safeguards if a device is lost.

The roads analogy came up again: the policy of a company not allowing an employee to use their own device was likened to not allowing them to drive a company car without a licence and insurance.

"BYOD will happen, and we should encourage businesses not to shy away from it but to employ a policy that makes it more secure," was one of the comments.

Underlying all this is the fact that IT security is very complex for SMBs and implementing policies provides a stiff challenge. Service providers can make themselves valuable by simplifying things without reducing the strength of security.

One route to this is the provision of consoles that provide simple reporting mechanisms, highlighting when security policies are being broken, without the time consuming business of going through firewall logs. This could do a lot to help SMBs get to grips with the issue.

The conclusive comment was: "It's a case of the right software from the right partners to provide the right guidance."

Resellers are going to start jostling to occupy that space.