Clive Madders (CTO) and Mike Ralston (CEO) of UK-based cyber certification and managed security specialist Cyber Tec Security (CTS) give their view on the main security challenges facing SMBs today, the most common barriers encountered when selling in security services – and how partnering with inSOC is helping them.
Founded two years ago, CTS focuses on the whole of the UK, working with SMEs and MSPs to get their (and their clients’) Cyber Essentials certifications.
CTS offers a full package of certification and managed security services. The certification is key, as it leads to a significant reduction in security risk – by around 80%, courtesy of the UK’s National Cyber Security Centre (NCSC) Cyber Essentials governance programme, of which CTS is a Certifying Body.
CTS introduced security services in 2018 in additional to its certification service. We asked Clive and Mike how they are finding the market today.
What are the main security challenges you are seeing?
[Clive] The main challenge among SMBs is a lack of understanding of security and an absence of budget to do anything to improve it. The second challenge is that they don’t really know what they have in place – particularly within the network: the conversations that are going on, the applications, the data and where it’s flowing, and the risks associated with that.
WHAT ARE THE COMMON BARRIERS WHEN SELLING SECURITY?
[Clive] The biggest barrier I see is a lack of budget for cybersecurity. Also, if they haven’t had a breach so far (or one that they’re aware of), prospects often don’t see the need. It’s very much a ‘it won’t happen to us’ mentality. There’s also an assumption that their security needs are being met within existing managed services, so new budget isn’t required. In short, a bit of apathy – everything is fine, we’re good!
How do you overcome these barriers?
[Clive] We have to explain why there is a problem, why they might be at risk and why it’s not just big banks and telcos who are hit by cyberattacks. We tell them how the way into those bigger organisations for bad actors is by slowly working up the food chain via smaller companies – solicitors, accountants and so on.
We also need to get the prospect to understand that the biggest risk of breach is from their own user base – be that by users accidentally (or through manipulation) letting in bad actors, who are launching more and more sophisticated cyberattacks.
[Mike] Once the prospect realises that they must do something, the next problem is that they really don’t know where to start. It’s at this point we suggest they do what the UK Government recommends and become Cyber Essentials certified. This will protect them from around 80% of the risks. By adding SOC and SIEM, they can reduce this risk even more. This order works. Clients tend to be receptive to Cyber Essentials. It’s the only UK standard so they are usually at least aware of it, whereas if we were to start off the conversation with SOC and SIEM – we would lose them very quickly.
[Clive] The problem is that everyone is trying to sell SMBs tools. But, how do they know if they are buying the right technology? What do they expect will be delivered? Do they know what they are protecting against?
Where does inSOC fit into the plan – what were the drivers behind the decision to partner?
[Mike] I became aware of SOC and SIEM and what it can do for clients by reducing risk – and we tried it out ourselves (using AlienVault) but found it impossible to use. So, we needed a partner who understood how to deliver SOC/SIEM. Not a partner at enterprise level – the pricing needed to be appropriate to SMBs and to MSSPs like us. We came across inSOC through our peer group in the US and we worked with them to produce a package which we can resell to clients and which will enable them to keep Cyber Essentials compliant on a daily rather than a yearly basis. The inSOC solution allows risk to be reduced above the 80% achieved through Cyber Essentials – by an additional 15%. So, most clients with Cyber Essentials and SOC and SIEM from inSOC will see about a 95% reduction in risk.
How well does the inSOC approach accommodate UK needs?
[Mike] Our market is the UK and requirements here are based round Cyber Essentials. These do not rank very high on the international scale (on a scale of 1-5, they probably come in around 2), but for clients who want a higher level of security we can work with them to move through the scale to 3, 4 or even 5, using the US-developed NIST Cybersecurity Framework and the Top 20 Controls from the Center for Internet Security (CIS). We are able to leverage these because of our relationship with inSOC.
What reaction has there been from clients?
[Clive] Clients have peace of mind that we are monitoring their network for security threats and breaches 24/7/365 and that we are reacting to incidents. We can also demonstrate the full value of the solution via comprehensive reporting.
What are CTS’s future plans?
[Mike] CTS will continue to expand inSOC services as a branded best-of-breed solution as part of its all-in seat offering.
[Clive] We’ll continue to advise clients to avoid just buying tools, and to align themselves to a standard (Cyber Essentials in the UK), then use SOC and SIEM to further reduce the 20% risk that remains. We advise clients they need to budget to improve security – doing nothing can no longer be an option.