July 31, 2019
In order for integrators to monetize cybersecurity, they need to entice clients with services that will provide long-term security that complement physical security, according to Steven Mains, CEO and managing partner at Tech MIS LLC, who spoke at today’s Cyber:Secured Forum in Dallas, Texas.
The second annual conference for physical and IT security leaders, system integrators and cyber professionals is intended to provide attendees with actionable insight. In his breakout session, “Integrating and Monetizing Cyber and Physical Security Offerings,” Mains said that integrators need not only understand what threats companies face but also know what products and services mitigate those threats.
Mains started his talk with a magic trick before jumping into a discussion that identified threats and outlined the security products that match up against each.
When he asked the audience how many people are selling cybersecurity right now, only five people in a packed room raised their hands, making the follow up question of “How does cyber fit into a security integration portfolio?” even more valuable for attendees.
When integrators go into a company and identify their threats, they put together a package to help them mitigate those threats. The crossover in physical and cybersecurity is extensive. From access control to perimeter monitoring, interior monitoring, theft protection, industrial controls, fraud prevention and vulnerability to management, cybersecurity and physical security are both providing protections.
“In the cyber world, it’s the same way. Bradley Manning was downloading massive amounts of information that he wasn’t responsible for, then uploading it to WikiLeaks. It’s exactly the same analogue to what you do in the physical world,” Mains said.
Evacuation drills and phishing training are security procedure trainings. Integrators must become familiar with products match cybersecurity threats. “There’s a million ways to get into a network, but it comes down to unauthorized entry and data exploitation,” Mains said.
Unauthorized entry includes phishing, penetration of web-facing sites, and IoT-stepping, which can be mitigated with vulnerability assessments, training, threat simulations, penetration testing, network scanning, firewalls and endpoint security.
Data exploitation includes ransom, theft, surveillance and data manipulation, which can be mitigated with network scanning, activity monitoring, network design and segmentation, data encryption and backup.
“Companies don’t know what data they have, what they are trying to safeguard and who should have access to it,” Mains said explaining the need for network segmentation.
So how can integrators monetize? Mains offered three models, the first of which he called, “I have a guy.” In this scenario, the client becomes the integrator. When the customer is the integrator, they take the integrator’s fee and there is no long-term commitment or MSSP contract.
“That’s a broken model,” Mains said. “If they are doing the integration, they are doing the work.”
The second model is where the integrator brings in the experts who all sit around the table and build an integrative security solution for the client. “It’s low cost-of-entry because you don’t have to have all those skills on hand, but you’re going to get some of that MSSP commission. It’s a good model to enhance your reputation,” Mains said.
The final model is “I am the guy,” whereby the integrator provides the expertise. “It’s expensive because you are getting into the training and personnel costs, but you pocket all the fees. The return is the highest of the three models, but it’s also the most expensive to get into.”
“Forget model one,” said Mains. Instead, he said to go with model two, which is a familiar approach with a low investment that leverages current clients and provides and income stream.
How? Find a sub to help sell and integrate. “Find a good cyber sub that will come on with you and go out on those sales calls. Start using it yourself, identify potential clients and then go out and sell it,” Mains said.