According to Gartner, companies will spend $118.5 billion on cyber security solutions worldwide and the market will expand by 14% during 2025. The growth of new technologies like generative AI and increased cloud deployments will grow companies’ attack surfaces too. So while the amount of money going into security might go up, the sheer scale of attacks and attempts on companies will stretch those budgets significantly.
At the same time, the number of companies competing to deliver those solutions is growing too. According to Compubase, there are 7,500 companies involved in delivering security solutions to customers in the UK alone, ranging from resellers and partners through to managed service providers and systems integrators. With so many companies involved, and so much noise around new threats to navigate, it should be no surprise that companies face challenges in differentiating themselves in the market.
To be successful in this complex and complicated market, you have to cut through to what customers really care about. Looking at Value at Risk can help.
What is VAR, and why should a VAR care?
The acronym VAR has long stood for Value Added Reseller, and many channel companies focus on how they can add services or consulting to their product sales. The concept of Value at Risk aims to help these companies go further with their customers around long-term security needs.
Value at Risk - hereafter VAR - involves helping customers to understand the real-world monetary cost that security issues represent. This means going into cyber risk quantification (CRQ), where you help customers estimate both the cost of a potential issue (lost revenue, recovery, regulatory and contractual penalties) and how likely that issue is to take place over a given period. By putting things directly in monetary terms, security teams can express the threats and risks that businesses face without resorting to technology jargon. It also makes it easier to categorise and prioritise those risks by their expected impact rather than by how much attention they attract.
VAR might seem obvious - surely every company does this? - but many companies have no operational process that categorises and re-scores risks over time. Headline security incidents that dominate the news may attract the board's attention and get a full write-up, yet those issues may not be relevant or risky to the company itself; chasing them becomes a distraction. Conversely, new threat intelligence might change the risk level of an existing issue from one day to the next. How do you get the board to understand that shift, and what your customer's team is already doing to prevent it?
Putting money against risk scores makes it easier to put things in business terms. It also makes it easier to justify prioritising certain issues over others. For example, take two security issues affecting two of the organisation's business lines - which one should you prioritise? Without context, it is hard to know. Say one issue has a ten percent chance of affecting the business in a year and the other has a twenty percent chance: on likelihood alone, the second takes precedence. But the ten percent issue sits in a business unit that makes £200 million a year, while the twenty percent issue sits in one that makes only £20 million a year. Multiplying likelihood by impact gives an expected loss of £20 million against £4 million, and the priority flips. (The example uses each unit's whole annual revenue as the impact, which is an upper bound; in practice the impact figure should be the estimated loss from the incident, not the size of the business it hits.) Using VAR in this way helps you - and your customers - make decisions over time about what to prioritise, what to mitigate, and where cyber insurance may be the better answer.
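The priority flip described above, worked through as an added example (this is illustrative code written for this article, not a product or a customer's risk register). It generalises the two-issue case to a list of risks, ranks them by likelihood alone and by expected loss, and adds a simple check of whether a proposed control is worth its cost. The `Risk` class, the `PORTFOLIO` figures and the mitigation numbers are all constructed here from the article's own example; the treatment of a control as a fractional cut in likelihood or impact is an assumption, not a CRQ standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One quantified risk: how likely it is in the period, and what it costs if it happens."""
    name: str
    likelihood: float   # probability the issue materialises in the period (0..1)
    impact_gbp: float   # estimated loss if it does, in pounds

    def expected_loss(self) -> float:
        """Value at Risk as the article uses it: likelihood multiplied by monetary impact."""
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"likelihood must be a probability, got {self.likelihood}")
        if self.impact_gbp < 0:
            raise ValueError(f"impact must be non-negative, got {self.impact_gbp}")
        return self.likelihood * self.impact_gbp


def rank_by_likelihood(risks):
    """The naive ordering: most likely issue first, ignoring what it would cost."""
    return [r.name for r in sorted(risks, key=lambda r: r.likelihood, reverse=True)]


def rank_by_expected_loss(risks):
    """The VAR ordering: largest expected monetary loss first."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_loss(), reverse=True)]


def total_value_at_risk(risks) -> float:
    """Sum of expected losses across the register (assumes the risks are independent)."""
    return sum(r.expected_loss() for r in risks)


def mitigation_net_benefit(risk: Risk, control_cost_gbp: float,
                           likelihood_cut: float = 0.0, impact_cut: float = 0.0) -> float:
    """Expected loss avoided by a control minus what the control costs.

    Assumption: a control reduces likelihood and/or impact by a fraction in 0..1.
    A positive result means the control pays for itself within the period;
    a negative one is a hint that transferring the risk (insurance) may be cheaper.
    """
    for cut in (likelihood_cut, impact_cut):
        if not 0.0 <= cut <= 1.0:
            raise ValueError(f"reduction fractions must be in 0..1, got {cut}")
    residual = Risk(risk.name,
                    risk.likelihood * (1.0 - likelihood_cut),
                    risk.impact_gbp * (1.0 - impact_cut))
    return risk.expected_loss() - residual.expected_loss() - control_cost_gbp


# Constructed from the article's two figures: a 10% issue in a £200m/yr unit
# and a 20% issue in a £20m/yr unit (whole revenue used as impact, as the text does).
PORTFOLIO = [
    Risk("Issue A (unit making £200m/yr)", 0.10, 200_000_000),
    Risk("Issue B (unit making £20m/yr)", 0.20, 20_000_000),
]


if __name__ == "__main__":
    print("By likelihood:    ", rank_by_likelihood(PORTFOLIO))
    print("By expected loss: ", rank_by_expected_loss(PORTFOLIO))
    for r in PORTFOLIO:
        print(f"{r.name}: expected loss £{r.expected_loss():,.0f}")
    print(f"Total VAR: £{total_value_at_risk(PORTFOLIO):,.0f}")
    # Hypothetical control: £3m spend that halves the likelihood of Issue A.
    print(f"Net benefit of halving Issue A likelihood for £3m: "
          f"£{mitigation_net_benefit(PORTFOLIO[0], 3_000_000, likelihood_cut=0.5):,.0f}")
```

The two rankings disagree on the same input, which is the whole point of the article's example: likelihood alone puts the £20 million unit first, expected loss puts the £200 million unit first. The same arithmetic, applied to a proposed control, turns "should we buy this?" into a number the board can compare against the control's price or an insurance premium.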
Implementing a risk operations centre
CRQ is an established approach to pricing risk. It is something that security leads in enterprises want to use, but many of them are not able to make it an operational process. According to Gartner, only around a third (36 percent) of cyber security leaders have made CRQ effective enough to support decisions, and the analyst firm also estimated that around half of all CRQ projects could fail by 2025. To avoid this, companies need to make risk management an ongoing operational process, just as IT security operations became one in the past.
This does require a different mindset compared to looking at the technology or products installed. Instead, it involves creating a specific flow for data from multiple vendors or providers that can then be synthesised effectively into one set of results around potential risk. By turning this into a risk operations process, rather than looking at the results on any one issue, security teams can provide better insight.
For channel companies, this independent approach is a natural starting point. Rather than relying on any one vendor, channel partners are already keen to provide that insight to their customers around risk data. Helping customers to implement a Risk Operations Centre (ROC) to complement their Security Operations Centre (SOC) provides that framework for risk management. Alternatively, partners can provide managed ROC services to their customers, where that data is delivered as a service based on customers’ deployments and potential security gaps.
To achieve this, you can deliver risk advice that looks at the specific assets your customers have, the issues that exist in that environment, and the threat intelligence being released over time. As new threats are discovered, or new attack chains are developed, these risks can be scored and the scores used to inform the business. More importantly, the risk data can be translated into the potential cost and cash impact - otherwise known as VAR - that those threats represent. Using money values in this way makes it easier to explain risk impact to customers, and to demonstrate the specific ways that a risk can be reduced, mitigated or eliminated. The most important element here is that this is more than any one product: it is a whole approach to managing risk based on what is valuable to the business.
Long-term risk
As the security sector continues to evolve and respond to changes in the wider IT industry, IT Security teams will have to secure more infrastructure elements and deliver results across more assets, software and data. That growth of IT around elements like AI will stretch budgets further. In response, teams have to look at the specific risks that are coming up and prioritise which ones really matter.
Understanding those risks means looking at the money, because the level of risk is defined by the cost it could lead to. For the channel, helping customers define their Value at Risk helps them define and improve their whole approach to security.