Security Starts With People And Behaviour

I recently attended the RSA security conference in London. Being part of the IT industry we always assume there is a technology fix for technology related problems such as a security breach of a network, server or system. As technologists we might look at patching, layering or even upgrading the hardware or software as a “fix”.

During the conference I attended a number of the less technical sessions focusing on human behaviour and security, and especially data leak prevention. These sessions made me have a bit of a general rethink as well as how this might apply to the channel.

For instance statistics from the 2010 Verizon report on IT security breaches estimated that 48% of all reported security breaches were in fact in some manner attributable to insiders. This could be from misuse though someone leaving a password on a Post It note attached to the monitor of the workstation, through to operational issues such as poor supervision or decision based errors resulting in data loss. I.e. sending an email with the wrong attachment or sending it to the wrong person, a real “ooops” moment.

While external hacking at 40% of breaches is still a serious threat to many organisations with poor security systems and policies in place, the real threat is often inside the organisation.

The common element with the majority of insider security breaches are failures of human behaviour, not the technology per se.

With product margins continuing to decline as the industry matures, the channel must create additional or new value add services o replace these “lost” margins.

This begs the following question for the channel when engaging with your customers.

Are you just selling the technology or the business outcome it delivers?

If you are really focusing on the business outcome, then right up front before the technology discussion takes place perhaps there should be a human behavioural discussion with the client, which might not be with the CIO/IT manager, but heaven forbid HR!

A key question could be along the lines of; “Why and where is the product going to be implemented, and how can we help you to design policies and work practises, as well as to educate your staff to be able to get the best from our product?” or even let us help you “imagine the unimaginable” in your business.

This behavioural approach will require the channel to re-think its internal skills training for its sales professionals and sales engineers. Vendor technology certifications will always be critical pre-requisite. We are already seeing the increasing importance of business and financial skills for the sales and pre-sales professionals with the rise of new billing and IT delivery models such as Cloud, now perhaps is the time to think about also developing behavioural and change management skills as well.

At the top end of town good examples of businesses that have developed skills and practices around these are the big consulting firms such as Accenture, Deloitte etc.

However in the mid market and SMB the incumbent channel partner should be ideally paced to deliver these additional services as a trusted supplier with an intimidate knowledge of both IT systems and hopefully the customers business.

There are great programs covering these skills ranging from short courses through to degree level offered by the leading business schools. So why not make your own behaviour change in 2011 and look to add value within your clients beyond just the technology itself.