Thursday, March 30, 2023

For UK MSP, optimizing customer experience is key to successful security posture and productivity

For managed service providers (MSPs), making the IT infrastructure as invisible as possible isn’t just a “nice-to-have” — it's also elemental to delivering the best customer experience.

Securing IT for these tech services and support users is no different. The less complexity and interference with productivity from the underlying security apparatus — the better.

The next BriefingsDirect security innovations discussion examines how Scottish MSP Grant McGregor Ltd. has taken the customer experience imperative to new heights — even as its users move increasingly to hybrid IT models.

 

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.


Here to share their story of better managing the security experience as a means of enhancing the overall IT services value are David Lawrence, Co-Founder and Director of IT Support Services and Advice at Grant McGregor in Edinburgh, and Paul Sinclair, Head of IT Service at Grant McGregor. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.


Here are some excerpts:


Gardner: David, what are some of the top trends driving the need for MSPs like yourselves to provide risk management solutions that go beyond just endpoint security?

 

Lawrence: We typically talk about the threat landscape in the context of the threat actor. What we’ve seen over the last couple of years -- with the need for hybrid working – is really focusing now on keeping the honest, honest -- and the right, right. That’s the knowledge worker, the poor person in the organization who’s trying to do the best they can in a challenging environment.


We see organizations doubling down and asking for our advice on helping them stay right, and that’s through conditional-access policies to protect the organization while away from the central network and with security-awareness training that helps educate those people on best practices.

 

With cloud protection and cloud backup, a lot of organizations have made further grounds into the cloud landscape on how they can best protect their organizational data. Critically, people are more aware now of managed detection and response (MDR) and extended detection and response (XDR) services. They feel that they want a security [blanket] on their organization wherever those people might be working.

 

Gardner: Tell us about Grant McGregor. What distinguishes you in your mind from other MSPs? How do you enhance your customer experience in particular?

 

Work safely with right tech support

 

Lawrence: With 20 years of experience in delivering world-class people support and technology services, we’ve now grown to 21 people who deliver support and advice to more than 1,500 customers and their endpoints.

 

We want our customers to thrive by creating better and safer places for them to work. And that’s critical. People want to be productive. They want to feel that they have an MSP like us watching out for them. Our service desk team delivers people-centric support, protecting the people themselves and their endpoints. We provide proactive support and administration -- just like an outsourced IT department would.

 

Our professional services team delivers what we consider a standard practice, but I’m amazed that sometimes it’s not. That’s the quarterly business reviews. Those are really important for providing the advice and guidance for our customers as they make and continue the journey to Microsoft Azure cloud – with security as a service (SECaaS), cloud as a service (CaaS). I think our strength is triage with all their other partners in that sort of technology ecosystem.

 

Gardner: Paul, how are your needs for securely delivering IT services and support different from three years ago? What are some of the trends driving your ability to adjust and improve to deliver the best possible experience for your customers?

 

Sinclair: Well, as you know, the world is a much different place than it was three years ago. We’ve had to adjust our own practices. We’ve had a pandemic; we have other crises in the world at the moment as well.


So, we’ve had to adjust as a business and learn how to work remotely, work in a hybrid model, but at the same time deliver that high-end, 100 percent world-class service that we too strive to do. Not only that, but we’ve also had to support our own client base and our client users with their hybrid and remote working needs by identifying and delivering the right security products that keep our customers safe – and their customers safe, as well.


Lawrence: It takes a layered approach. For example, only yesterday we had a threat actor maliciously trying to sneak through. So it requires a number of protection measures in place -- from email protection, to education, to security awareness training, and filtering, as well as using Bitdefender’s Managed Detection and Response (MDR).

 

And it was only at the last minute through the human firewall, of clicking on the link to remove that email, using Bitdefender, in this case, and the MDR service. It had our back and blocked it. So, again, we’re very focused on educating our customer base. No one size fits all. What we need is a layered approach to security.

 

Gardner: Because you’re servicing different regions of the UK and you’re servicing different-sized organizations, you need to readily scale up and scale down. How difficult is it to serve the biggest and smallest of your customers?

 

The future is co-management

 

Lawrence: There are some challenges. Our sweet spot is probably the 20- to 70-seat-sized organizations. And we’ve strategically made our people-centric services agile enough for those numbers.

 

The criticality of that is that we want strong partners and strong solutions. We need to know how those solutions work to gain the best out of them. Then all of our people can know what they’re meant to be doing. That’s always been a bit of a journey.

 

Where we are now is we’re very confident that in using providers like Bitdefender, Proofpoint, and N-Able we are using leading-edge solutions. But critically, there needs to be a partnership, and that needs to come from our providers.

Our next growth is through co-managed IT services. That’s a really great place to be over the next couple of years. That’s because we can take what we’ve learned, the tool sets we have, and our partnerships – such as we have with Bitdefender -- and deliver and scale those co-managed security services to help our customers’ stressed and time-strapped IT departments.

 

Gardner: What do those co-managed services typically consist of?

 

Lawrence: You’ve seen the data. It’s incredible in this day and age that a lot of organizations -- even still in the UK -- are not patching the way they should. You would think that would be the number-one priority for these IT departments, to patch with the latest Windows updates, and on the applications, too. But that still isn’t the case. We’re Cyber Essentials assessors, and we see that for our non-support customers.

 

So, we want to help them and allow them to focus on the strategic side of their organizations. We have the tool sets to enable them to patch their endpoint devices effectively and attain that very minimal first-level knowledge that they’re secure. And then we can work with them on the SECaaS value. That’s where we can add real value from the experiences we’ve learned from and from the partnerships that we have.

 

Gardner: Paul, how do you overcome the challenges your customers have with integrating security tools? So often security consists of many different tools, many different underlying technologies. How do you go about making that all invisible to them?

 

Sinclair: When David and I first started out many years ago, you needed different applications from different vendors to secure all the threats that were out there. But it was a lot of work and took a lot of time and effort using different products. Over the years, Bitdefender has given us the capability to have a security suite of web protection, a firewall, endpoint protection, USB control, and other security options.

 

Having this one product as a cloud-based solution -- and that has the integration options with our professional services automation (PSA) and remote monitoring and management (RMM) system as well -- allows us to deploy basically one RMM agent that allows several different security controls to be deployed to any PC at any company very, very quickly. It makes the technical support of that extremely easy. It also makes the deployment and the onboarding of new customers very efficient.

 

Gardner: Yes, as more of us are more remote across organizations, that has hastened the movement to a remote control agent approach to security. Do you agree, Paul?

 

Sinclair: Absolutely, yes. It certainly makes it easier than back in the old days of running around to different PCs and asking users to give up their time during the day to allow us to do that. Now we can do that remotely, silently, and very effectively.

Lawrence: We have seen in our MSP peer group in Scotland, and in the UK, that they are cementing their processes and procedures around one or two key products, and in some cases the customer solution. I’m sure this is the same in the United States among mature MSPs. You can only support what you know. You can only train and certify on one key product and in one key area to be the master of one, but not necessarily the master of many.


With Bitdefender, and the other security partners we have, this allows us to focus -- but also put that known stack in place for customers, knowing that we have their backs. And sometimes there are awkward questions from the customers, saying, “Well, you know, I kind of prefer to do it this way” … or “Can I keep this or that security solution?”

Well, we learned from maturity and having the right security posture that the answer needs to be, “No, the answer is no. We’re putting our security stack in to best protect you. And you can hold us accountable, but it needs to be our technology, provided by our partners.”

 

Gardner: Even as so many organizations are moving to the cloud model, so much of security issues comes back to email. Especially in smaller organizations, email remains the source of a lot of security hiccups.

 

How important is picking the right email partner and tools in your overall security posture? What have you found as the right approach to a steady path of productivity given the inherent risks of email?

 

Lawrence: So, as recently as six years ago, we were probably spending about 60 percent of our day managing email security. You know, the false positives, the stuff that shouldn’t be getting through, and all of the headaches that come from malware and ransomware. It was causing us real pain points.

 

Manage email to educate users

 

Sinclair: There are global threats and new sophisticated ways that we’re seeing daily through which criminals are trying to harvest your data. You need the right email security solution that keeps up with the times. Those providers can figure out for you what the new threats are on the back end. Also, we’re no longer having to log on to the systems daily or weekly and tweaking the settings here and there like we used to.

One point I would emphasize as well is email security training for the end users. It’s a big must now, and we’re promoting that to our clients. It only takes one lapse in concentration when some of these busy workers remove a dodgy email from quarantine. Then, before you know it, you can be in some real serious bother. So, I’m a big champion of email security training as well as being on top of your security solution updates.

 

Gardner: Right. Even using the best technology, being successful at security reverts back to behavior. It’s an intangible aspect to all of this. Also, as providers of the best customer experience, you want to embed security measures, make them invisible. That means you need to have the instant visibility into what’s going on in order to react.

 

So, how well do your tools provide the insights needed to fully exploit the security technology?

 

Lawrence: There are two sides of the coin when it comes to visibility. One is the proactive nature of being able to look at the data in real time and to make assessments, and the other is to then feed that back to the client.

 

The reactive nature of the security tools is probably most important because you want to jump on that quickly and effectively to remove threats and then to communicate that to the customer -- what’s happening real time -- and how we’re helping them to quickly get back to a safe place.

 

We’re choosing solutions that are mature, are a good fit for us, and that also integrate into our PSA and RMM systems. And, you know, Bitdefender, Proofpoint, and other solutions that we use all have APIs (Application Programming Interfaces) that allow us then to interconnect services whereby we can build automation and remove the noise.


A lot of the time now, the artificial intelligence (AI) solves problems for us. Other times, we still need the technology support officers in our organization to see the threats and react quickly. Again, only yesterday we had an incident. Thankfully, the third layer of security jumped in -- and that was Bitdefender. We were all over it very quickly, and we could jump into the ConnectWise and other systems and say, “Yeah, we know exactly how that threat transpired and where it came from.”

 

The first gate was closed, but the user opened it. The second gate was closed, but the user decided to open that one, too. And lastly, the third gate was definitely shut and was definitely not opening. And that was Bitdefender MDR.

 

Everything in the world is so quick now, much quicker than it was 10 or 20 years ago. Everybody wants to be able to report data and jump on things quickly. So, yeah, it’s just the right tool set that integrates into our solutions.

 

Gardner: Paul, what do you look for when it comes to consoles and a management overview? Or even taking the next step to provide compliance and auditing requirements? How do those fit into your customer experience needs when it comes to visibility?

 

A single pane of transparent glass

 

Sinclair: We use a reporting service that hooks into our PSA and different security solutions. We send these reports automatically and directly from the product set to the clients on a monthly basis. It shows the non-human tickets, but it also demonstrates the trust in the security services because it shows items that have technically been blocked, deleted, or quarantined. As part of the AI process that David was talking about, these tickets are logged, the product has done the job, and then the ticket is closed.

 

For us, we’re showing the added value that the security solutions are providing for the client. So then, they have transparency of the tickets that we are doing -- and the security solutions that we’ve put in place as well. That’s automated so we are not using the time on the person’s device to do fault finding. And, for us, we found that is really valuable, these reports, and the clients certainly do as well. They look forward each month to receiving them, and we get feedback on them every month. It’s a great service and tool that we’ve built for that.

 

Gardner: David, you mentioned Bitdefender and the tools you’re using from them. Give us an overview of what you’re using and how they fit together to meet your needs as an MSP. I’m also wondering if you’re relying on the Bitdefender Security Operations Center (SOC).

 

Lawrence: We’ve been with Bitdefender for a number of years now. The irony is we were using malware solutions in the past that had a Bitdefender engine. The irony was the vendor just wasn’t cutting it for us. So, we went to work with Bitdefender directly. We have the confidence that it’s a grown-up solution.

 

They have been around for many years, and they’re always at the forefront of the technology. The way Bitdefender works for us is we use Bitdefender GravityZone, so every one of our customers will have that standard stack. And then, on top of that, we use Bitdefender EDR and advanced threat technology to secure the endpoints. So, for us, that’s just a given. It’s got that great layer of protection.

I think of those horrible words in our industry, the “single pane of glass” expression, but that’s what it provides. The Bitdefender GravityZone always evolves, changes, and develops. And, for us, that single pane of glass is a very good system to go in there and see what’s going on in that environment. Last year, we adopted the MDR service from Bitdefender and dipped our toes in that with a couple of our professional services customers.

 

The solution doesn’t just reactively address threats. They do threat hunting for us. We give them a lot of information on the customer. They look at domain names, their threat landscape, and provide that in a security center so that we can resell that to our customers. We were open to our customers about who ultimately was providing that, and we would work with that partner to have our customers’ back.

 

There have been so many occasions this year that Bitdefender has jumped onto alerts and challenges with endpoints. And then ultimately we’ve worked together, even saying, "That’s fine, let’s exclude that," or as was the case yesterday, they blocked that threat -- and that’s what we want. Sometimes when you hear technology providers say, “Here’s the service,” and they describe it, you think it’s too good to be true. And actually, that’s not been the case for Bitdefender. It really has worked, and they really have delivered on the MDR service.

 

Gardner: Paul, anything you’d like to add to your use of Bitdefender, and then also the SOC opportunity?

 

Sinclair: In terms of the SOC, once we are able to give the right information to Bitdefender, do you know what that allows us to do? It gives us the confidence that the user habits on the PCs are being monitored, and anything that’s unusual is being picked up on.

 

One of the first things I remember saying to David, once we started seeing the results coming through, was, “Do you know what? I can go to bed at night now and have that good night’s sleep that we never used to get.” You know, you had something niggling in the background. But now I go to bed at night – or on the weekends – with that confidence that user habits are being monitored and looked at and picked up on. And that’s whether that user is in the office, working late, or it’s irrelevant of whatever location in the world they’re in. We know it’s being monitored. For that, and what we did, it’s just second to none.

Gardner: A lot of the benefit that large, sophisticated enterprises had when it came to monitoring behavior and analyzing it didn’t translate down to the smaller organizations, of say 40 to 50 seats. But now with SOC-as-a-service, if you will, the very best of analysis and behavior tracking can be brought to just about anyone.

Sinclair: Absolutely, because when you go to smaller clients than that of 10, 20, or 25, where the user behavior is not necessarily at a company level, they’re still being monitored -- and they’re able to work elsewhere.

 

We had an example not long ago where an end user decided that they were going to go on holiday and still work, but not let the organization know that they were away. They couldn’t do anything because Bitdefender realized the PC was out of the country and was trying to connect through unsecured networks -- at hotels, restaurants, and things like that. It just blocked them from being able to do anything. So, we were approached by that user, and we were able to then pass that information back on to the client organization ourselves. We acted as the eyes and ears for them.

 

Lawrence: When we integrated our organization using the Bitdefender MDR service, they had the goal of securing and providing us a SOC capability to the smaller businesses.

 

Before that, a couple of years ago, there was a manual process between us and the team in the States. We were filling in a spreadsheet, giving them as much customer information -- with the customers’ support -- to understand their organization and ultimately the threat landscape.

 

Fast-forward a couple of years, and Bitdefender has given us the maturity and MDR foundation so that the process for us as an MSP is a lot easier to get our customers on board with that SOC service. Now we don’t need to spin up a spreadsheet and fill it in. We can jump into the single pane of glass that Bitdefender provides and put up that service straight away and provide them all the information to get those customers secure and enjoying that SOC center.


Gardner: I’d like to quantify some of what we’ve talked about. So, I’m looking for metrics of success. What ways do you measure the overall impact on your customers and their experience? How do you know you’re doing it right and whether your suppliers like Bitdefender are getting the job done?

 
For happy clients, take their temperature

 

Lawrence: As an organization, we’re really focused on customer experience, and we have a customer improvement board in our ConnectWise system. We’re consciously seeking that and adjusting feedback from our customers accordingly.

 

And what’s great with the right tool set in place is it’s so different from the noise that we were describing earlier, about having the wrong security product years ago, and all the wrong malware and ransomware protection in place. It really caused us headaches.

Now, when we review our customer happiness factor, we use Customer Thermometer. And years ago, our customer happiness was probably around 94 percent. But over the last 12 months, we’ve had a customer happiness score of 97.8 percent. That’s telling us weekly, monthly, quarterly, and annually that we’re doing as good a job as we can.

 

We also survey the key contacts, our key client IT partners within the organization, every six months on the net promoter score (NPS). Again, that’s very positive compared to where it had been. We’re at 69 now, which I think is world class, and 75 percent of promoters. So again, we’re very happy.

 

And that’s not all just down to selecting the right security tools. That’s having all people that can communicate in English and set the right expectations. But again, so much of our frustrations -- and probably the industry’s frustrations -- come from the wrong tool set. We need the right tools to do our job. That’s critical.

 

Gardner: Paul, any favorite indicators that assure you of that good night sleep?

 

Sinclair: Absolutely. Looking at the numbers, we’re seeing a 47 percent decrease in malware infections between our clients from last year to this year. That’s a massive number in a single year.

 

And that’s not just malware numbers. That has knock-on numbers in terms of technical administration cost savings by using Bitdefender and effectively creating and closing tickets on our PSA system. That’s a 23 percent improvement so far from last year.

 

What it shows us is we are evolving, and Bitdefender and that technology is evolving with us in the right direction. As long as we see these numbers constantly where they need to be, then yeah, that’s amazing.

 

Lawrence: The old frustrations were sticking an antivirus malware protection tool on the machines and having the opposite effect for productivity. The wrong malware protection was dragging the poor machines down. I think Paul told me earlier that it was a 10 percent performance gain that we’ve had since using Bitdefender.

 

Sinclair: Just having that smaller footprint is a big improvement, isn’t it? That smaller footprint from three, four, or five different security products now wrapped down into one. Between the two of us, David and I have been working in this industry for 60 years. We’ve reviewed our security products so often over our 21 years at Grant McGregor from the start and across different technologies. But if the tools weren’t working for the customer, they won’t work for us.

So far with Bitdefender, we have confidence year after year. We’re no longer sitting down and reviewing the Bitdefender technology and stack. We just recommend them as our first product whenever we onboard a new client or user. Bitdefender is the first product that’s recommended and it’s the first product that goes in. Not one client ever has said no.

Gardner: Those are very impressive numbers, and I commend you for them. But, of course, we can’t rest on our laurels. We have to look for where we go next. For security, it’s never good enough, right?

 

So, what comes next for Grant McGregor? You mentioned co-managed services, for example. What solutions do you look to next, and how can your providers help you get there?

 

Keep the honest, honest

 

Lawrence: We’re in exciting times with exciting new technology. Without the distractions of what’s happening for us in Britain and in Europe, I think there are two trends.

 

As an organization, we’re focused on helping the end user stay right and honest -- and that means helping put in the right tool set. Those will be focused on data loss protection, enforcing policies for the endpoint, and education systems for security awareness.

 

Rather than focus – as the industry often does – on external threats, we want to keep the honest, honest. That’s, first off, an easier sell. Second of all, that means living up to our values. We are supporting the end users and the organization to navigate all the threats out there, but from internally and then outward.

 

The co-managed space is going to be huge. As an MSP – and there are a lot of us out there – maybe not all of us are doing the right things, but we’re all competing and trying to grab each other’s customers.

 

The natural direction is to the co-managed space, where we can pass on those years of experience with using the right tool sets. Unfortunately, soon in the UK, that will be to the cash-strapped IT department and the time-poor departments. They are going to need and want our expertise and advice so they can get on with doing the strategic work that they want to focus on. We’ll be providing to them the patching-as-a-service, the co-managed IT support-as-a-service (SaaS), the email-as-a-service (EaaS), and the backup-as-a-service (BaaS).

 

We’re already making traction in that space, and we’re excited about that. So, those two growth spots are there for us.

 

Gardner: David mentioned the unfortunate predictions across the globe for difficult economic times ahead. Doing more with less becomes the imperative across the board. So, that usually means higher productivity -- and that usually means working smarter, not necessarily harder.

 

What do you see in the next stages in terms of how you can help your customers do more with less from the MSP perspective?

 

Sinclair: It is all about being smarter, isn’t it? For us with the technology that David has touched on, I think we need to look a bit further into the future. And where does that take us? It takes us down that AI route and getting the users to try and help themselves along that route while we keep ourselves up to date with the latest technologies. It means watching for the new threats -- because they are constant. I see us soon taking on more AI and use more of that intelligence to keep the productivity levels where they need to be.

Lawrence: Digital transformation is a big space for customers to get their heads around -- and productivity is absolutely a must as they move to cloud services and platforms. Again, only recently Microsoft released more products and services. And, again, it’s our job as a technology provider to help educate our customers on that new landscape and to use tools such as business intelligence and to get the best from the Microsoft applications.

There’s a lot of new automation there that the customers can build upon, and I think their fear is just how they can get their heads around it. For us, it’s about partnering with the right people to pass on those skill sets to the smaller businesses.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Bitdefender.


Wednesday, March 1, 2023

Defending the perimeter evolves into securing the user experience bubble for UK cancer services provider

An underappreciated aspect of enhancing IT security is the impact on an end user’s comfort and trust in the services provided. In the case of health care services and support, making the patient feel welcome and safe can be a game-changer as they seek access to needed services and care. 

The next BriefingsDirect security innovations discussion examines how Macmillan Cancer Support in the United Kingdom (UK) places the ease of use and sense of security in the services provided as a top IT -- and community service -- requirement.


Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

 

Here to share their story on how to develop and deliver a cloud-ready security bubble around all users, their activities, and the sensitive data they share is our guest, Tim O’Neill, Head of Information Security at Macmillan Cancer Support in London. The interview is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.


Here are some excerpts:


Gardner: Tim, tell us about Macmillan Cancer Support. It’s a very interesting and worthy organization. I’d also like to hear about your approach to securing a caring and trusted environment for your community.

 

O'Neill: We have a unique organization in that when people think of a cancer charity, they often think about the medical side of it and about the pioneering of new treatments. Every day there’s something new in the media about how swallowing a leaf a day will keep a cancer away, and things like that.

 

But we deal with the actual effects of having cancer. We help anyone who is affected by cancer. That can be a person who’s just had a cancer diagnosis. That can be the family of someone who has a diagnosis, or their employer, or other employees. Anyone who is affected by cancer can come to us for help.

 

We don’t do a lot in the medical sphere, such as creating new treatments or testing or anything like that. We’re here to look after the impacts that cancer has on your life. We help with the patient’s pathway; we help you understand it and what the implications are – and what might happen next.

We will help you financially if you need help. We believe that nobody should be cold or hungry because of a cancer diagnosis. We provide the cancer nurses who exist in UK hospitals. We train them and we fund them. We have specialist care centers. Again, we fund those. Our psychological care is done through a third party as well. But we manage that, we fund it, we maintain it. We also have an arm that lobbies the government. So, for example, in the UK we had cancer reassigned as a disability.

 

This means that as soon as you have a cancer diagnosis, you are legally recognized as disabled, and you have all the benefits that go along with that. The reason for that is that once you’ve had a cancer diagnosis, it affects the rest of your life. It does not matter if it’s gone into remission. It will still affect you.

 

The treatments are invasive. They affect you. We work in many spheres, and we have a lot of influence. We work with a lot of partners. But the fundamental core of what we do is that you can contact Macmillan when you need help.

 

Gardner: And to foster that level of support, to provide that trusted environment across the full experience, having six levels of authentication to jump through -- or not seeing your e-mails delivered properly -- can stop the entire process.

 

O’Neill: Oh, absolutely. And we have to be realistic here. We are talking at times of people phoning us at the worst moment of their lives. They’ve just had something come out of the blue or the treatments have gone badly, or they’ve had to have that horrible conversation with their loved ones. And it’s at that very point when they need to talk to us.


Asking them, “Oh, can you go and grab your mobile phone? Yeah, and stick your fingerprint on there, and now that password was not recognized. You need to change it. And by the way, sorry, that password didn’t have quite as many exclamation marks as we need. And so, now if you’d like to turn on your webcam and log in using a photo, then we’ll let you in.”

 

You can’t do that. We have to be accessible exactly when people need us. And in that instant, we can be the difference between them having a completely honest, open, and frank conversation -- or having to sit and suffer in silence.

 

Gardner: Well, I don’t envy you your position, Tim. On one hand, you have sensitive healthcare and patient data that you need to protect. On the other hand, you need to make this a seamless and worthwhile experience.

 

How do you reach that balance? What have been some of the challenges that you’ve faced in trying to provide that proper balance?

 

Keep everyone secure by managing risk

 

O’Neill: Everything is risk-based. We look at where you normally phone in from, or if you’re a first-time caller, or “Are you in a location that we trust?” “Are you in a number range that we trust?” Things like that. What’s the nature of the conversation you’re having with us?

 

There are a number of parameters. Not everything is a high-level risk if you are just phoning us, and you simply want to talk. If you don’t want to impart any special information or anything like that, then the risk is low. Everything is measured against risk, which is a mentality change in the organization.

 

And, you know, I’ve been in conversations where people say to me, “I don’t like that idea … I think somebody got it wrong” without quantifying the risk. It’s not good enough.

 

But if we understand exactly what the risks are, then we can understand what controls can mitigate those risks. We can choose the effective controls for mitigating the risks. And then we can take the actions and do the tasks to enable those controls.


For example, with multi-factor authentication (MFA), if your workforce is five people working from one office and you have no remote connections, that’s potentially the wrong security control. Your controls could be completely different. They will have the same effect, but they will have a more positive impact on the end-user experience.

 

That’s the narrative change that you have to have. One of the most challenging things, when I first came into the organization, is when we were transforming IT systems. We were starting to understand how people wanted to interact with us digitally.

 

Historically, our interactions had been very much face-to-face, or through phone calls as well. And with COVID, obviously, all of a sudden, all of our interactions changed. So, it became, “How do we make it so that the legacy IT systems, users, and accounts can be migrated to new, safe methods without getting rid of the history of conversations they wanted to keep?” We didn’t want to lose the knowledge that we had and the relationships we had created with these individuals.

 

If you’re sending emails out to people saying, “Oh, we need you to change your log-on credentials because we’ve moved to this new IT system, et cetera, et cetera.” … If that person is sadly deceased -- we’re talking about cancer here -- then potentially sending something like that to their family is not great. So, there are lots of things to consider.

 

Gardner: It sounds like you’re approaching this from a fit-for-purpose security approach and then grading the risk and response accordingly. That sounds very good in theory, but I suspect it’s more complicated in practice and execution. So how, with a small security team such as yours, are you able to accommodate that level of granularity and response technically?

 

O’Neill: Everything starts complex. Every concept that you have starts off with a million boxes on the screen and loads of lines drawn everywhere. And actually, when you come down to it, it becomes a lot simpler.

 

When we get to the bottom level of this: What are the risks that we are trying to mitigate here? We are trying to mitigate the fundamental risk that an individual’s information may end up with the wrong person. That’s the most important risk that we’re trying to manage.


And bear in mind that people will tell us about their cancer diagnosis before they’ve even spoken to their family, friends, … anyone. And they will phone us at the darkest moments and talk about suicidal thoughts. Those are conversations that you do not want anyone else to have visibility into.

 

When we get to such a stage that we are entering into something problematic on privacy or risk, at that point, we will do extra validations. Again, it’s all based around the particular risk. You have your conditional access element risk whereby you’re looking at where people are coming from. You’re looking at historical interactions from that location and you’re extrapolating that information to have a choice made automatically based on it.

 

But then you’re also talking about training of individuals, where they don’t need to go through vetting questions at the start of conversations, but once they get to a point where the nature of it changes, and the data risk of that conversation changes, at that point controls need to be applied.

 

Start off complex, and then bring it all down to the simplest level, and focus on the one thing that actually matters, which is the risk.

 

Gardner: Well, at the same time as you’ve been embracing this model of risk-balancing, you’ve also faced a movement over the past several years to more cloud-ready, cloud-native environments. And that means that you can’t just rely on programmatic web application firewalls (WAFs) or creating a couple of filtering rules for your network.

 

So, how do we move securely toward such a cloud or mixed environment? How is that different from just building a security perimeter? Previously, you’ve mentioned to me a “security bubble.”

 

Remain flexible inside your security bubble

 

O’Neill: The new models are different in a number of ways. What’s historically happened with information security is somebody says, “I have this new system.” Then you ask, “What’s the system? What’s the risk? What are you doing with it? Where is the data going?”

 

And so, you designed the security around that system – but then you get a new system. Is that one okay? Well, then you design a new bit of security. You end up with a set of tools that you apply to each one. It’s slow, and it’s prone to failure because people design the system first and its uses change. It can also lock the organization in.

 

If we take an incredibly simple thing, which is the storage of data, an organization might say, “We’re an Amazon Web Services (AWS) cloud house.” Wherein it’s your house, but as we mature with these cloud strategies, people are going to start leveraging economy of cost of storage by moving their data dynamically to the less expensive storage locations. And when one cloud storage offering is cheaper than another, then your data will fly across to that.

 

We can’t work in the old way anymore within cyber security and information security. What we have to do is create this security bubble that we’ve been talking about. It allows the organization the flexibility to change the security strategy.

 

For example, every year or two, we suddenly go, “There’s a new threat. Here it comes.” Yet every threat works in fundamentally the same way: You have to get in, you have to get the rights to see what you’re doing, and you have to be able to move around. If you break it down to those basics, that’s what everything in security needs to do, really.

 

If we can start to move to this bubble, to say, “We know what our data is, we know who our users are, and we know who they’re going to interact with.” Then we can allow people and organizations the flexibility to do what they want and only block the high-risk events within that.

 

If your data leaves the bubble, and it’s just, “Hey, do you want a cup of tea?” kind of communication, obviously you’re not going to worry about that. If it’s something that contains risky data, then we’ll worry about that. We’ll block that.

 

But we have to stop thinking about application-level security and start thinking a lot bigger and more strategically about security. We may have to stop and ask the business, “Where are you going? What are you doing?” But they don’t know yet. And also, as COVID has shown us, sometimes nobody knows where we’re all going.

 

Gardner: Right. We need to be prepared for just about anything and also be able to react quickly, so you can’t be knee-jerk and react to every app or system differently. As you point out, you need to be strategic.

 

And so, part of being strategic, for an organization such as yours, because you’re supported by donations; you’re a non-profit -- you need to be cost-efficient as well. So again, it’s a balancing act between cost efficiency and being strategic about security. How is that something you’ve been able to manage?

 

A wise spend supports smart security

 

O’Neill: Well, I don’t believe they’re in conflict. If we look at organizations -- I won’t name them, that are huge and have very big budgets, who spend tens of millions on their cyber security – they have huge teams, and they still get breached. The amount that you spend doesn’t necessarily create a graph to greater security.

 

Spending intelligently does, and it all comes from focusing on risks. If you sit there and you say, “You know what we have to do, we have to go through the top 20 NIST or CIS methods or recommendations,” or whatever, “and we’re going to supply the best product on the market for each of those, and check the box.”

 

Firstly, you potentially throw a load of money away because in the end you don’t actually need it all. The spec says, “Oh, you need MFA and a WAF.” Well, actually, it’s not an MFA that you need, it’s not a WAF that you need.

 

What are the risks that those products are mitigating? And then, what is the best way to mitigate the product risks? It all comes down to that, when you sit back and you look at what we do for a living in information security. 

We talk a lot about burnout in information security and wellness. It’s because people keep chasing their tails. Every day, there’s a new headline about a breach or a new zero day or a new technique -- or whatever it may be -- and everyone starts worrying about it. What do we do to protect against this?

 

But it’s about assessing the risk. And from a risk perspective, all the rest of it stays the same to a certain degree. It’s very rare that a new zero day fundamentally changes your risk.

 

Gardner: You bring up an interesting point. Not only are you concerned about the comfort and sense of security for your end users, but you also need to be thinking about your staff. The people that you just mentioned who are increasingly facing burnout.

 

Throwing another tool at them every three months, or asking them to check off 16 more boxes every time a new system comes online, is going to be adverse to your overall security posture. Is there something you look for in how you tackle this that also accommodates the needs of your security staff?

 

Monitor what matters

 

O’Neill: You’ll have to ask them -- but they all still have their hair. Yeah, organizations often talk about insider threats. I think it’s a terrible thing to be talking about because it’s such a small percentage. A lot of organizations treat their employees as part of the problem, or almost an enemy that needs to be monitored constantly. I don’t care if you’re on Facebook at all.

 

I care if you’re trying to download something malicious from Facebook or upload something like that to Facebook. But the fact that you’re on Facebook is a management issue, not a cybersecurity issue. We do not monitor things that we do not need to monitor.

 

For example, we were getting a weekly report from one of our security products. It was typically a 14-page report that basically patted itself on the back by saying how great it had been. “This is everything I’ve blocked,” it said. And a member of my team was spending pretty much a day going through that report. Why? What possible gain came from looking at that report?


The real question is … Once you read the report, what did you do with the information? “Nothing, it was interesting.” “But what did you do with the interesting part?” “Well, nothing.” Then don’t do it. Everything has to have a purpose. Even to the smallest degree. I had a meeting this morning about policies. Our acceptable use policy document is, I think, 16 pages long.

 

Come on. It doesn’t need to be 16 pages long. I want two pages, tops. “Do this, don’t do that, or absolutely don’t do this.”

 

We have a mobile device policy that everyone has to sign up to. … We have a mobile device manager. You can’t connect to systems unless your operating system is up to date, all of this sort of stuff. So why have we got a policy that is seven pages long?

 

Say what you can and can’t do on mobile devices. Then all we need to say is, “You’ll have to adhere to the policies.” All of a sudden, we’re making everyone’s life easier. Not just the information security teams, but the normal end users as well.

 

It is all about working out what’s actually valid. We’re very good in information security at doing things because that’s what we’ve done, instead of thinking.

 

Gardner: I’m hearing some basic common threads throughout our discussion. One is a fit-for-purpose approach, sort of a risk-arbitrage approach, simplicity whenever possible, and increasingly having the knobs to dial things up and down and find the proper balance.

 

To me, those increasingly require a high level of analysis and data, and a certain maturity in the way that your platforms and environment can react and provide you what you need.

 

Tell me a little bit about that now that we’ve understood your challenges. How did you go about a journey to finding the right solutions that can accommodate those security analysis and strategy requirements of granularity, fit-for-purpose, and automation?

 

Streamline your team’s efforts

 

O’Neill: When we go to market for a security product, usually we’re looking at a specific issue that we’re trying to fix and control. A lot of the products will do the job that you want them to do.

 

But there are a few other things we look for. Can my team log into it and very quickly see what is important? Can we go from seeing that to the action that needs to be taken? How quick is that journey?

 

When somebody is demonstrating the platform, for me, my question is always, “How do I get from seeing it to knowing that it’s actually something I need to do, to then being able to do something about it?” That journey is important. Loads of products are brilliant, and they have a pretty interface, but then they fall apart underneath that.

 

And, the other thing is, a lot of these platforms produce so much information, but they don’t give it to you. They focus on just one element. What value-add can I get that the product might not deliver as a core element, but that actually enables me to easily tick off my other boxes as well?

 

Gardner: Can you describe what you get when you do this right? When you find the right provider who’s giving you the information that you need in the manner you need it? Are there some metrics of success that you look for or some key performance indicators (KPIs) that show you’re on the right track?

 

O’Neill: It’s always a bit difficult to quantify. Somebody asked me recently how I knew that the product we were using was a good one. And I said, “Well, we haven’t been breached since using it.” That’s a pretty good metric to me, I think, but it’s also about my team. How much time do they have to spend on this solution? How long did it take to get what you needed?

 

We have an assumed-breach mentality, so I expect the first job of the day is to prove to me that we have not been breached. That’s job one. Next, how quickly can you tell me that from the time you turn your computer on? How much of the time do you end up looking at false positives? What can the product do every day that helps us get a bit better? How does that tool help us to know what to do?

 

Gardner: We began our discussion today by focusing on the end user being in a very difficult situation in life. Can we look to them, too, as a way of determining the metrics of success? Have you had any results from the user-experience perspective that validate your security philosophy and strategy?

 

Inspect end-user behavior, feedback

 

O’Neill: Yes. Obviously, we interact constantly with the people that we support and look after. It is the only reason we exist. If I do anything that is detrimental to their experience, then I’m not doing my job properly.

 

We go back and we do ask them. I personally have spent time on phone lines as well. I don’t sit within my little security bubble. I work across the organization. I’ve been on the streets with the bucket collecting donations.

 

We have very good relationships with people that we have supported and continue to support. We know because we ask them how it felt for them. What works for them, what doesn’t work for them? We are continually trying to improve our methods of interaction and how we do on that. And I’m constantly trying to see what we can do that makes that journey even easier.

 

We also look at user behavior analytics and the attack behavior analytics on our websites. How can we make the experience of the website even smoother by saying, “We’re pretty sure you are who you say you are.” Are they going to the same places? Are you changing your behavior?

 

And I can understand the behaviors and even how people type. People use their keyboards differently. Well, let’s look at that. What else can we do to make it so that we are sure we are interacting with you without you having to jump through a million hoops to make sure that that’s not the case?

 

Gardner: You mentioned behavior and analytics. How are you positioning yourself to better exploit analytics? What are some of your future goals? What are the new set of KPIs a few years from now that will make you even more strategic in your security posture?

 

Use analytics to lessen user interruptions

 

O’Neill: That’s a really good question. The analysis of user behavior linked to attack behavior – that and analysis of many other elements is going to become increasingly important for smoothing this out. We can’t keep using CAPTCHA, for example. We can’t keep asking people to identify fire hydrants that are within 30 centimeters of a dog’s leg. It’s absurd.

 

We have to find better ways of doing this to determine the true risk. Does it matter if you’re not who you say you are until we get to the point that it does? Because, actually, maybe you don’t want to be who you are for a period of a conversation. Maybe you actually want to be someone else, so you’re disassociating yourself from the reality of the situation. Maybe you don’t want to be identified. Do we have to validate all of the time?

 

I think these are questions we need to be asking. I think the KPIs are becoming a lot more difficult. You have to base them around, “Did we have any breaches?” And I think with breaches we separate our information governance from the information security, but they’re brothers from one another, aren’t they?


The information governance leak shouldn’t happen with good information cyber security, so we should expect to see a lot fewer incidents and no near misses. With the best interaction KPIs, we should be seeing people get in touch with us a lot quicker, and people should be able to talk to the right people for the right reason a lot quicker.

 

Our third-party interaction is very important. As I said, we don’t offer any medical services ourselves, but we will pay for and put you in touch with organizations that do. We have strategic partnerships. To make that all as smooth as possible means you don’t need to worry who you’re talking to. Everything is assured and the flow is invisible. That kind of experience -- and the KPIs that matter the most for delivering that experience – provides well for the person who needs us.

 

Gardner: Any closing advice for those who are moving from a security perimeter perspective toward more of a security bubble concept? And by doing so, it enables them to have a better experience for their users, employees, and across their entire communities?

 

Dial down the panic for security success

 

O’Neill: Yes. This is going to sound a bit odd, but one of the most important things is to conceptualize, and to take the time, to challenge my team. What is the gold standard? What is the absolute? If we had all the money in the world and everything worked, what’s the perfect journey? Start from there and then bring it down to what’s achievable or what elements of it are achievable.

 

I know this sounds odd but stop panicking so much. None of us think well when we’re panicked. None of us think well when we’re stressed. Take the time for yourself. Allow your team to take the time for themselves. Allow their brains the freedom to flow and to think.

 

And we’ve got to do what we do better. And that means we have to do it differently. So, ask questions. Ask why do we have endpoint protection? I’ve got this, I’ve got that, I’ve got all these other things. Why have we got something on every endpoint, for example? Ask that question.

 

Because at least then you have validated what it is truly for and better know the amount of value it has, and therefore the proper amount of effort it needs. Stop doing things just by ticking off boxes. Because as an ex-hacker, let’s call it, I know the boxes that you tick. You tick all those boxes; I know how to bypass those boxes. So, yeah, just take time, think, conceptualize, and then move down to reality. Maybe.

 

Gardner: Be more realistic about the situation on the ground, rather than just doing things because that’s the way they’ve always been done?

 

O’Neill: Yes, absolutely. Understand your risk. Understand what you are actually having to support. The fortress approach doesn’t work anymore. The proliferation of software as a service (SaaS) applications, the desire to allow everyone to perform to their best within and outside of an organization – that means allowing people flexibility to work in a way that best suits them. And you cannot do that with a fortress.


Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Bitdefender.

 
