The increasing expectation that even small and medium businesses (SMBs), mid-market and not-for-profits (NFPs) be able to demonstrate compliance with security best practice is driving a surge of interest in managed security consulting and auditing services, according to the head of fast-growing managed services and security consulting firm Virtual IT Group (VITG).
As organisations face requirements that they not only implement security technologies but also frame them within complex certification and compliance frameworks – for example, ISO 27001, changes to privacy laws, and the Australian Signals Directorate’s Essential Eight security controls – the company has seen a steady increase in demand from resource-strapped businesses.
“They’re leaning on organisations like ours to either complement their IT staff, or to do the whole lot,” VITG Chief Customer Officer Chris Troncone explained. “The demands on them, and the challenges of finding resources to meet those demands, are getting harder and harder for companies to manage internally.”
Although VITG’s managed services span a range of areas – including network support, helpdesk management, and recently launched unified communications solutions – supporting customers’ ever more urgent information security requirements has become the main driver of growth for the company, which has filled out its roster of 250+ staff through a concerted strategy of acquisitions that has seen it ingest nine other firms in the last three years.
Some acquisitions pave the way towards dramatic changes in the company’s structure, capabilities, and market offerings – as with the recent acquisitions of Greenlight ITC, Powernet and Evologic bolstering the offering to the mid-market.
Growing by acquisition is a “core strategy of ours,” Troncone said, suggesting that the company is far from finished snapping up companies whose staff and capabilities will further improve its ability to meet customer needs.
“We have really strengthened our end to end support and security skill sets – and we find that as we get more and more acquisitions, we’re bringing some really good talent into our organisation.”
Demand for those skills is continuing despite a raft of government initiatives targeted at helping the smaller end of town become more self-sufficient about their cybersecurity – including Essential Eight training, free cyber health checks, the creation of a Small Business Cyber Resilience resource to assist in breach recovery, and the training of up to 50,000 Cyber Wardens to provide small business security training and advice.
For all the assistance such programs promise businesses, Troncone said many IT managers are still scrambling for assistance as the scope of their cybersecurity obligations exceeds what they can comfortably continue to manage on their own.
Others may be managing OK on their own or have other MSPs engaged, but still want someone who can provide a fresh look at their environments and develop security policies that will bring their governance up to scratch.
Getting help where it’s needed most
Access to suitable cybersecurity capabilities is particularly important for NFPs, which are finding that adequate cyber risk management is rapidly becoming part of the governance standards they must meet to remain eligible for government grants and other support.
Access to skilled outside security support is even more important for many NFPs because of the vulnerable communities they serve: one charity that VITG works with, for example, helps women and children escape family violence and manages a broad range of information that could prove massively problematic if compromised.
“If they were to have a breach and people’s details were to be found, that could potentially be life-threatening,” Meg Visser, Virtual CIO and Head of Marketing with VITG, explained.
“We know it’s critical for that sector, and particularly for agencies like that one, to have robust security in place – and coming to someone like us, where we have that expertise to align with, can help.”
Yet for many small businesses, significantly boosting spend on security remains a hard sell with principals that have many priorities to juggle, and limited resources to allocate to them – a problem exacerbated in NFPs where, Visser said, “money hasn’t always been there to spend on these kinds of things.”
“Tying back the risk of security to whatever is important to that business, is the key,” she said. “That’s what I’ve found our clients respond to best.”
The convergence of small and medium businesses on the Microsoft 365 productivity suite has also helped, with businesses who migrate to the platform adopting a well-understood, predictable model for collaboration and data management that can be readily secured and monitored by VITG’s skilled staff.
Yet with new security attacks emerging constantly and businesses pressured to keep up, the key to building an effective business security defense lies not only in the original engagement but also in regular follow-up, such as the security awareness training, ongoing monitoring and compliance audits that VITG ensures are part of various managed security engagements.
To simplify the process, VITG has developed Managed Security as a Service (MSaaS) bundles designed to assist both SME and mid-market customers – starting with a package of entry-level capabilities and improving their security posture as they progress through the bundles over the course of their security journey.
It’s a long-term play with short-term consequences for companies that continue to ignore its importance, Troncone explained.
“Just the conversation about what was protective three years ago, is not quite up to scratch now,” he said. “The attack vectors are so wide, and the way in which companies are getting breached – but until they get breached, many still don’t realise the importance of security.”
“We’re trying to get on the front foot with our customer base, to make sure they have ‘security first’ front of mind, and to educate and show them the importance of this. You’ve got to evolve and move with the times.”