With all the publicity about major hacks and security scares, security has got to be top of mind for CIOs right now, right? Well, yes, but as Heather Wright discovers, CIOs may say it’s top priority, but dig a little deeper and all isn’t as it seems.
There’s an interesting paradox at play in the New Zealand IT security market at the moment, and it’s a paradox that could make selling security that little bit more difficult.
The paradox? While CIOs are saying security is a key concern for them, they’re not actually acting on those concerns.
“IDC New Zealand's ongoing market engagement has indicated that security is a rising concern for end users,” says Donnie Krassiyenko, IDC New Zealand associate market analyst.
“Security awareness has gained higher position in CIOs' mindset. As a result, there is growing demand for managed security, particularly network security.”
In fact, he says, IDC studies show security is chosen as the number one strategic initiative to deploy in 2014-2015.
But then comes the kicker: “But regardless of the stated intentions to deploy, New Zealand CIOs give security little consideration when it comes to many IT initiatives, apart from machine to machine and Internet of Things,” Krassiyenko says.
“The other exception that focuses on security investment is industries with strong planning intent to deploy social solutions – banking, financial services and insurance, government and education.”
In fact, Krassiyenko says overall only 9% of organisations have security as the top priority for mobile investment, driven mostly by the manufacturing, BFSI, government, utilities and media and communications sectors.
When it comes to cloud, less than 8% of respondents focus on security, driven this time by professional services, logistics, transportation and distribution.
The trend is similar with big data, with only 9% investing in security, lead by the media and communications, retail and wholesale sectors.
“This is vastly different from the rest of the Asia Pacific region, which placed security as the top investment area across all five considered initiatives,” Krassiyenko says.
He adds that New Zealand CIOs ‘do not really look for security and risk management expertise when selecting ITSPs, when cost and price are taken from the equation’.
“In fact, IT security expertise is not even in the top 10 criteria for vendor selection in ANZ, in contrast to Asia Pacific, where security expertise is the second most important factor.
“In New Zealand, the number one factor is proven track record, including delivery and relationship engagement, of IT vendors.”
So why the discrepancy between the claim that security is a top priority, and the reality that it so often isn’t?
Says Krassiyenko: “Security is not perceived as a revenue-generating investment, but a risk-leveraging mechanism that supports and protects other IT investments. Instead of telling what security issues your product can solve, it is more efficient to tell what types of risk it can mitigate.”
Despite security apparently not being quite as much to the forefront of CIOs thinking as we may have thought, spending on security is, nonetheless, increasing.
IDC figures put the total value of the New Zealand security software market in 2014 at $105.48 million, a figure expected to climb to $116.71 million in 2015 and $129.62 million.
But even that might be a false reality to some degree.
“Security spending is growing because of increases in spending on other IT services – not the other way around,” Krassiyenko says.
He says companies are investing in data centre transformation, network optimisation, mobility (apps and devices), transition of elements of IT to cloud, virtualisation, data quality and automation.
“Advocates of security expect their ITSPs to take care of security and compliance requirements.”
But there is money to be made in security.
IT security software currently has an 8.15% market share of the software market, with a market value of $105.48 million, while IT security services has a market value of $410 million, and takes out 13.10% of the overall IT services market.
Among the key players in the New Zealand market on the software side are Symantec, Red Hat, McAfee (now part of Intel Security) and MPA, Krassiyenko says. On the services side, he lists IBM, Datacom, Microsoft, Vodafone and Spark as frontrunners in the Kiwi market.
Krassiyenko says the top three security issues to be addressed in the next 12-24 months are network security, data loss prevention and endpoint security, with the strongest intentions for security investment coming from retail/wholesale; banking, financial services and insurance; and public sectors.
“From the business demographics point of view, the hottest organisations are those with fewer than 100 seats and more than 1000.”
Adam Dodds, IDC research manager for IT services, says the number one business opportunity for resellers, bar none, is in the consultancy space.
While there’s a general maturity around the physical and technical level with regards to security, Dodds says there should be more focus on the value of information in an organisation, and then the role of security in protecting that information.
“You need to assist businesses with what security and information policies are – and it’s not just the CIO, it’s the role of the executive as a whole, because it transcends just technology. It’s about the value of information, integrity of information, policies, what new information could be used for new markets, what existing information can be used to enter new markets...”
Given the value of their information, most businesses Dodds says are under-investing in security.
Once they understand the value of their information to their business, he argues, they can more clearly ascertain what proportion of IT spend should be spent protecting that information.
Selling security solutions requires strategic conversation with customers, Krassiyenko adds.
“This conversation should – and in most cases naturally will, start with the network, which currently is not only a highly topical IT investment, but also the most addressable security issue.”
But before you get to that, you need to first demonstrate to customers of solid portfolio of works for the vendor you’re representing, he says. “A proven track record is still New Zealand service providers’ gateway to be chosen as security providers.
“It is also important to remember that 90% of end-users prefer an ‘in-country’ option when choosing their hosted cloud provider, so an access to, or a partnership with one, will give a huge advantage over competitors.”
Krassiyenko says resellers also need to address complexity concerns for customers.
“Many organisations have faced the challenge of installing and integrating many layers of complex security point products. While working to make those gaps tighter, these organisations are still confused on how to handle all their security needs.
“End-users need help to understand that security should not be considered as a point solution, but as an end-to-end solution.
“In this instance, rather than talking to end users about security, it is more pertinent to talk about risks associated with their assets. These risks are industry and demographic dependant, and thus classifiable, for instance the biggest industry risk for government would be legal exposure or reputation loss; for public sector it might be safety; for BFSI, financial loss and so on.”