As IoT devices, smart MFPs are exposed to a growing threat: attempts to implant malware, to recruit them into botnets (to help perpetrate DDoS attacks), and to use them as an open gateway to the corporate network. A managed print service (MPS) is an effective approach to building a multi-layered print security strategy. This can support cyber resilience: the ability to prepare for, respond to and recover from cyber-attacks. Print infrastructure is a potential security blind spot and businesses of all sizes should seek the expertise of MPS providers to ensure their print infrastructure is resilient and secure-by-design.
An evolving and sophisticated threat landscape
As cyber-attacks continue to grow in both number and sophistication, and businesses face increased regulatory pressure to protect data, cybersecurity is rising up the corporate agenda. The print infrastructure remains a critical element of the IT environment – networked printers and MFPs must be treated as any other endpoint device.
Left unprotected, smart MFPs are a potential open door to the network, as well as a source of confidential or sensitive information for hackers. Security vulnerabilities include weak or default passwords, misconfigured devices, software vulnerabilities or lack of software updates.
While many businesses recognise the risks, Quocirca’s Print Security 2019 Study reveals a security gap that must be closed: 73% of organisations report they are concerned about print security, and 77% are increasing print security expenditure, but just 24% are confident that their print infrastructure is secure. It is perhaps unsurprising that 59% had experienced a print-related data loss in the past year.
Measured by Quocirca’s Print Security Maturity Index*, just 27% of organisations in the study are print security leaders, having made the investments in print-specific security integrated with broader IT security. However, for the majority, protection of the print environment is patchy, with relatively few organisations having advanced capabilities, and print security is all too often isolated from IT security.
Data theft, a common aim and outcome of cyber-attacks, can lead to financial losses, legal repercussions, reputational damage and loss of customer confidence. To avoid this, businesses must do more to mitigate threats, improve defences and ensure security-by-design within the print environment. This is increasingly important as digital transformation initiatives accelerate and the print infrastructure becomes the bridge between paper and digital workflows.
MPS as a multi-layered approach to print security
The multiple points of vulnerability that characterise the print infrastructure demand a multi-faceted approach that protects the device, the data and the network. An MPS can support an effective and complete print security strategy in the following ways:
- Comprehensive security assessments
An MPS should evaluate the existing device fleet to discover potential vulnerabilities. Legacy devices may have firmware that has not been updated for years and newer devices should be subject to the same update regimes as user devices. Such visibility provides a foundation for the ongoing monitoring of devices once the fleet is optimised and secured. Security assessments can vary widely between MPS providers, with the most advanced offering security maturity roadmaps for their customers.
- A secure-by-design print infrastructure
Print devices with embedded security will be protected through their lifecycle, from deployment to retirement. Automatic vendor upgrades should mean future-proofing devices as they become more powerful, store more data and increase in functionality. Legacy devices that cannot be managed in this way should be retired or isolated on the network.
Like other networked devices, MFPs require controls that limit network access, manage the use of network protocols and ports, and prevent potential viruses and malware. The most secure MFP platforms offer run-time intrusion detection, BIOS protection and self-healing capabilities should a potential anomaly or attack be detected. More manufacturers are offering security information and event management (SIEM) tool integration, a way of using syslog data to detect potential security events.
- A security policy for the entire printer fleet
An MPS can establish rules governing the use of networked printers and MFPs. This can prevent employees from accessing certain device functions. User authentication (or pull printing) grants or denies certain privileges based on user roles. This ensures documents are only released to authenticated users (for instance using a smartcard or PIN). Such solutions can be hosted on-premise or in the cloud.
- Continuous monitoring and management
To ensure compliance and to trace unauthorised access, organisations need a centralised and flexible way to monitor usage across all print devices. Auditing tools should therefore be able to track usage at the document and user level. This can be achieved by using either MFP audit log data or third-party tools, which provide a full audit trail that logs the identity of each user, the time of use and details of the specific functions that were performed. Some leading MPS providers offer compliance reports that include security breach monitoring and reporting. In some cases MPS providers may offer post-attack remediation services should a breach be detected.
- User education and training
With many data loss incidents being caused unintentionally by internal users, MPS can be a foundation not only for employee education and training, but also for the development and enforcement of secure print policies.
As organisations accelerate their digital transformation, a secure print infrastructure ensures that productivity and innovation are not threatened by poor security practices. Ultimately, print security demands a comprehensive approach that includes education, policy and technology. In today’s compliance-driven environment, where the cost of a single data breach can run into millions, organisations must proactively embrace this challenge.
An information security strategy can only be as strong as its weakest link, and it is imperative that all organisations evaluate MPS as a means of strengthening the resilience and security of their print infrastructure.
*The index considers seven factors: the proportion of overall IT security spending that goes on print security; the use of print security assessments; the use of pull printing; having a formal print security policy; secure mobile printing; third party testing of printing devices and printer firmware updates.
Data breaches are rarely out of the headlines and compliance pressure, such as the introduction of GDPR, means security remains high on the corporate agenda. Cyber threats and data breaches are no longer the sole domain of the IT department; they must be considered at board level as the repercussions are simply too big to ignore.
Businesses of all sizes are potentially exposed to reputational, legal and financial losses as the result of cyber attacks. The increasing sophistication of attacks and the emergence of insider threats means businesses face a battleground to balance business productivity with the need for privacy and security. One area of the IT environment which is often overlooked is the print infrastructure. The majority of organisations rely on print to support business-critical processes, meaning it can be the gateway to valuable, confidential and sensitive information.
Quocirca’s Print Security Landscape 2019 Report reveals evidence of this tension between productivity and security. It shows that print security is becoming a greater concern to businesses with 59% reporting a print-related data loss in the past year and print-related incidents comprising 11% of security events overall.
To understand how organisations are responding to print-related threats, Quocirca’s print security maturity index assesses an organisation’s print security posture on the basis of their adoption of key elements of print security best practice. The results of the index showed just 27% of organisations could be classed as print security leaders, with 17% laggards and the rest classed as followers. It is therefore imperative that businesses become more print security conscious, particularly as they look to close the paper to digital gap in their business processes. This ultimately requires print security to move higher on the C-level agenda.
Manufacturers respond to security threats
In response, print manufacturers are elevating awareness of print security risks. Today most offer a diverse range of product offerings encompassing built-in hardware security, print security solutions and comprehensive security and risk assessments.
HP has cemented its lead as a visionary for print security, driving industry standards and offering one of the most comprehensive hardware, software and services portfolios. Nevertheless, most competitors are hot on their heels in developing their print security propositions. Leading players are moving to a secure-by-design approach, where security is built in from the ground up on new hardware.
What is setting the leaders apart in the market is their investment in security services such as assessments, monitoring and analytics. As the threat landscape becomes more sophisticated, machine intelligence will be key in being able to respond to or predict threats. This will enable an organisation to enhance their print security posture and mitigate potential risks.
Our top-level research findings show that businesses in the US and Europe remain reliant on printing, with 87% expecting it will still be important in two years’ time. This dependence creates risk, however, with 66% ranking print in their top 5 risks, second only to cloud-based services at 69%.
Print security spend is on the rise
In response to increasing threats, 77% of businesses are increasing their print security spend. An average of 11% of security budget is currently devoted to printing and we expect the absolute amount spent will increase. There’s good reason to invest in protection as the costs of a breach are significant – an average of £313,000 per annum, with less tangible costs such as lost productivity also a factor.
Knowing where to spend that growing budget is essential. Here we found a perception gap between what are believed to be the highest risks, and the factors that actually cause breaches. While the top perceived security threat is malware (cited by 70% of respondents), the most common cause of breaches is accidental actions of internal users – inadvertent insider threat – involved in 32% of breaches. This misconception could lead to too much weight being given to some threats and not enough to others. Organisations must take a data-driven assessment approach to identifying areas of weakness in processes and technology, before developing policies, procurement strategies and user education programmes to mitigate them.
Managed Print Services have a positive impact
Those who are getting to grips with print security tend to be MPS users. Overall 62% of organisations are using an MPS to gain access to print management and security skills which are often lacking in-house. This figure rises to 76% for print security leaders (as measured by Quocirca’s index) compared with just 44% for the laggards.
When it comes to the key activities that support best practice print security management, overall 70% of organisations have carried out a security assessment, 51% have a formal print security policy, 48% apply regular firmware updates, 40% use pull printing, 37% use secure mobile printing and 36% use third-party device testing.
Print industry vendors are responding to the growing demand for robust print security. Our report details the strategy and approach taken by key manufacturers and ISVs to give customers the security, visibility and efficiency that they need from trusted partners. As devices become more powerful and handle more data, manufacturers must embed security that will serve for the lifecycle of the product and integrate with wider IT security tools. In an evolving threat environment this entails automated patching and security updates to future proof these potential network ingress points against attack.
As businesses adjust to the risk of data breaches as a cost of doing business, organisations should develop a more robust strategy around identifying, managing and mitigating risks. In today’s ever-expanding threat landscape, every organisation must be vigilant and proactive about securing its data. Managing risk begins with understanding the threat environment, assessing risk and defining incident response plans. Ultimately, print security needs to be top of the board agenda. There is no room for complacency, given the far-reaching repercussions – legal, financial and reputational – of print-related data losses.
Quocirca’s Print 2025 Spotlight report Digitisation: the key to SMB success reveals that SMBs are accelerating their digitisation initiatives through the use of digital workflow services and solutions, as they seek to drive business efficiency and employee productivity.
Digital technologies are transforming the SMB landscape, creating opportunities for businesses of all sizes to compete on a level playing field. Increasing mobility, changing workforce expectations and customer preferences for seamless interactions, are pushing SMBs to improve efficiency, agility and productivity to stay ahead.
Heading towards a “paper-lite” workplace
The majority of SMBs expect to remain reliant on printed documents, with 76% of SMBs saying that printed documents are important to their business. However, this reliance comes at a cost, with over half of respondents indicating that they are struggling to reduce paper usage, consumables costs and enhance security. Consequently, fewer SMBs (66%) expect to be reliant on printing by 2025, reflecting that a transition, albeit gradual, to a paper-lite workplace is underway.
Although often hampered by budget and resource constraints, SMBs are positive about the impact of digitisation. Overall, 81% of SMBs believe digitising paper-based processes will be important for driving their organisation’s digital transformation by 2025. In fact, 49% expect paper digitisation to be very important, compared to 13% today. Over 60% of SMBs believe all paper documents should be scanned and over two thirds (67%) expect greater use of document capture, workflow and collaboration tools to lead to reduced printing between now and 2025. There are some regional variations – 90% of large US SMBs see increased document capture and workflow as the biggest driver, compared to 64% of large European SMBs.
Despite a drive towards improving employee productivity and business efficiency, fewer than 50% of SMBs today are using digital workflow solutions such as document capture, mobile data capture or ECM solutions. There is certainly interest in increasing digital workflow adoption, however, with almost half expecting to expand usage of solutions in these areas.
The opportunity for MPS suppliers
The appetite for digitisation, coupled with a continued need to use paper in certain circumstances, is a significant opportunity for managed print service (MPS) providers to articulate a clear proposition around integrated paper and digital workflow services and solutions.
By incorporating document workflow solutions that leverage existing investments in smart MFPs – such as document capture, document management or document collaboration – a managed print service (MPS) can provide the foundation for digital transformation. Most leading MPS providers offer a broad portfolio of digital workflow solutions – from simple tools for scanning and routing expense receipts directly at the MFP to more sophisticated business process automation and digital workflow services.
As SMBs look for guidance in supporting digital initiatives, MPS providers that offer the skills and expertise to drive efficiency and productivity improvements through paper and digital workflow automation will be best positioned to succeed.
The Global Print 2025 Spotlight Report Digitisation: key to SMB success contains detailed analysis of the trends and opportunities amongst European and US SMBs. The report provides essential guidance for suppliers to help plan and position MPS and digital workflow products and services for SMBs.
The last visit to Unified Comms (UC) expo in London reinforced a view that this sector is slightly misnamed. The attempt a few years ago to tack ‘and collaboration’ (UC&C) onto the end seemed like a positive move as it valiantly switched the focus up the stack from ‘plumbing’ to ‘people’.
This was necessary but not, in itself, sufficient.
Unifying communication may have delivered cost savings in the network for many, especially with the shift from traditional analogue telephony to carrying voice over internet protocols (VoIP). However, it often appears to have had insufficient impact on productivity. Or for that matter, on collaboration.
This might now be changing.
The renewed interest in embedding video into the everyday and anywhere communications landscape and increasing focus on ease of use apparent from most vendors are very welcome. Combined with more intelligence and automation, this might move UC&C up into significant business productivity territory.
Familiarity from use and usability
The main obstacle to the adoption of new forms of communication is often confidence. In the past with conferencing tools using video, some of the lack of confidence was personal or social – how will I look on camera? Increasingly that is much less of an issue, especially for a selfie sharing generation. However, the biggest drains on confidence still remain – will it work and do I know how to use it?
Many communications products have become much better designed from a usability perspective. Getting onto conference calls and videos can now often be accomplished by fewer than a dozen keystrokes and without needing to jab arcane numbers and symbols onto a silver box with instructions somehow somewhere else. It can even sometimes be achieved seamlessly, automatically and wirelessly.
But not always. With so much focus on individual usability of devices, one thing has been missed: unified usability or familiarity, i.e. is the ease of use of one communication technology similar to that of another? This is about much more than having a common set of icons. User experiences need to feel familiar, clear and obvious. Artificial intelligence (AI), or at least some automated augmentation and awareness of context, can pay dividends here. Many vendors are talking about AI, often to pick up on current trends, but beyond the hype there are some promising developments. Some of these are starting to use it effectively to optimise the user experience.
Improving individual experience is a great step forward, but the end goal should be about improving overall (business) outcomes. This is where the combination or collaboration between multiple individuals needs streamlining. The most obvious business process element to address this in is meetings.
Value-added meetings build collaboration
Meetings are often the place where communication levels using technology are at their highest. But reaching successful and effective outcomes can be more of a challenge. Despite decades of training programs, funny videos and presentation technology, progress is often still undermined by inefficiently run meetings. This is where adding ‘smarts’ in the unified communications tools could now start to deliver more effective collaboration.
This automation should include the whole lifecycle around a meeting, not just the meeting (or remote meeting if using suitable teleconferencing tools) itself. Where could the process be optimised to achieve better outcomes? Communication might have been improved through the use of technology, and the five-minute faff of trying to connect laptops to projectors is rapidly disappearing. But what about scheduling? What about transcribing content for non-attendees, or creating an annotated precis? What about action point creation and dissemination?
These are productivity-sapping opportunities where intelligent use of technology could add real value. Interestingly, the word ‘meeting’ was starting to crop up more and more at UCexpo. If those using it can deliver on the other elements to make the meeting process effective they may help organisations achieve the communications goal they are really seeking. Not simply unified for the benefit of the network, or one or two individuals, but productive and effective collaboration across the entire team.
There is a term which crops up a lot in the technology sector – ‘legacy’. Occasionally, especially when talking to very long-established companies, the term ‘heritage’ occurs. It is useful therefore to consider the important difference between legacy and heritage:
- Legacy tends to be used to refer to something previously purchased (probably by someone else) which you wish you no longer had. Or perhaps as part of a sales or marketing message trying to persuade you to think that way. “Rip out your legacy doodads and replace them with our new shiny widgets!” Once the term legacy has been deployed, the outlook turns negative.
- Heritage is something already in place that you cherish and still use. Typically, in the technology world, this is because it still works effectively, or no one can figure out how to replace it. Nurturing your heritage can be a very pragmatic approach.
For many businesses their pragmatic heritage needs are often ignored by an industry chasing the latest and greatest currently overhyped meme. If there’s no blockchain, AI or virtual reality involved, then it’s probably not worth considering. This means that significant business needs are being overlooked because they are perceived as ‘a bit boring’. These are real opportunities typically with very convincing business drivers. They are also often fundamental parts of an overall ‘digital transformation’ trend. So, as well as bringing in revenues, they should satisfy some of any ‘legacy’ need to appear ‘cool’.
One such area of strong heritage within business communications is fax. Some may think that sending facsimiles of pages of paper over networks died out long ago. Perhaps replaced by smartphone photos shared via cloud storage and social media? Not so. IDC’s Fax Survey in February 2017 found that overall 43% of organisations had seen growth in fax usage. Only 19% reported a decline.
Getting the message
The reasons for the traffic are pragmatic and sensible and will not change readily. The same IDC survey predicted a growth in fax traffic going forward. The drivers for using fax are related to sound business needs:
- Reach – Fax is a globally adopted standard and pretty much every organisation has a fax number and machine somewhere. It can be simply deployed anywhere. It can support diverse communication needs without high performance Internet connectivity, with only a phone line and piece of paper. Apply it to everything from general purpose to application specific communications, such as meal orders into takeaway kitchens from food delivery aggregators.
- Verifiable source – the originating organisation is known and cannot be masked. This has given fax messages a legal status likely to be trusted where email will not be. Many organisations will only accept requests via fax.
- Data security – The content of a fax is encoded and transmitted as a burble of sounds. Interception en route is of no benefit, and images transmitted (including any signatures) are not stored in the network. Physical security at the point of receipt of incoming transmissions is the only requirement.
- Paper trail – Confirmation of receipt of document transmitted can be requested by the sender, which is only sent once a message gets through in its entirety. This does not require human intervention and cannot be vetoed. The claim of “I didn’t receive it” is much harder to make with fax.
Sales of dedicated fax machines are diminishing with a shift towards software, fax servers and multifunction peripheral (MFP) devices with fax. However, despite the arrival of digital networks – with digital telephony (VoIP) and Fax over IP – there remains a significant number of dedicated hardware fax machines.
Respondents to IDC’s 2017 fax survey still expected over a quarter of fax volume to be from standalone fax machines in two years’ time. If traffic from fax servers and MFPs with fax is added to that using dedicated fax machines, over two thirds of all fax traffic will still be based around hardware. This is despite the anticipated strong growth in cloud-based fax services.
Pulling the plug
The reality is that these machines will mostly connect to an analogue phone line. The issue is that analogue telephone networks are being switched off by carriers in their move to roll out fully digital/IP networks. In the UK, BT is scheduled to stop selling any new analogue connections in 2020 and to switch it off altogether in 2025. Telcos across Europe all have similar plans, which are often more aggressive in terms of timing. Businesses have already embraced VoIP for phone calls, but the heritage of fax communication embedded deep within critical business processes now needs attention.
It may not appear immediately urgent, but the impact on business process and change management required should not be underestimated. Fax is particularly heavily used in conservative and critical sectors such as legal, finance and especially healthcare. In many of these organisations the use of faxing messages is probably deeply embedded in processes. Or it was put in place by people who have long since left. Perhaps the organisation might be unaware that it uses fax so much. It will have probably been quietly performing so well that nobody took much notice.
As the analogue telco network switchover is looming, it would be wise to take another look at the fax sooner rather than later. Identify what use cases are required. Then consider a move to virtualise fax and shift from fax hardware and phone lines to fax software, networks and cloud services.
Innovation and innovative people are spread evenly around the globe. But there is more of an uneven challenge to bring products and services successfully to market. Many times this is due to a lack of resources or funding and sometimes a lack of a supportive ‘community’. Hence all the ‘Silicon Geography’ models dotted in countries around the world.
However, despite many potentially ‘disruptive’ technologies and propositions, it is often the inertia of the marketplace, aided by the dominance of major players, that holds back the commercial success of technically interesting ideas and concepts.
Perhaps there is another way to tackle this market challenge?
It is an old adage oft-quoted in a now dispersed Californian hotshot open systems hardware company (Sun Microsystems), that the key is not to be first to market, but first to volume.
This requires momentum. The technology, and crucially connectivity, available to today’s tech start-ups removes much of the friction and permits web scale growth, but they still need to focus on ensuring that commercialisation will scale as well.
Perhaps the Agile and DevOps approaches to software development can offer some alternative thinking to help commercialise technology innovation and scale more rapidly? Here is a set of steps to consider:
- Keep the value chain short. If an innovation relies on aligning the agendas of too many organisations, it is going to get bogged down. The term ‘herding cats’ is popular for a reason. Get a tight, small and supportive supply chain and over-collaborate within that team.
- Ensure everyone gets their cut. Companies used to talk about ‘money being left on the table’ and then try to make sure they picked it up. This is a short term win from an accounting perspective, but rapid scaling of the value chain needs fuel. Make sure that all involved are sharing the revenues fairly.
- Deliver real value at the end (user). How do you know? Check. Get feedback, encourage interaction between users, accept what comes back and learn and adapt. “Lessons will be learned” rarely are in large monolithic institutions, but successful rapid scaling operations learn constantly.
- Innovate in rapid cycles. It is a worthy goal to get it right first time, but who knows what ‘right’ really is? Customer research may help at times, but only if the context is well understood. Being able to develop, test value to customer, refine and re-release allows innovative improvement to align most closely to customer needs. Innovation for its own sake is rarely going to bring in sufficient rewards to match the effort involved. Technology companies often try to out-innovate each other, when in reality they should be trying to be ‘most relevant’ to customer requirement.
- Automate to scale. Once the innovation/value cycle is gathering pace, accelerate the process by optimisation. Look for the opportunities that deliver most speed up and gain over the whole cycle, rather than within themselves. Halving a 24-hour configuration process is nowhere near as valuable as a 20% reduction in a 2-week deployment process. Take a holistic and systemic approach.
Using this model of tightly-focussed teams, innovating rapidly and delivering customer value is not just for small start-ups. The two pizza guideline employed in Amazon (any team should be small enough to be fed by two pizzas) seems to be at the heart of what has helped it to experiment, learn and scale rapidly since July 1994.
Perhaps there is something in the approach?
ThreatQuotient ups the ante for dealing with security incidents
The hardware and software that constitute the average organisation’s IT infrastructure record millions of events a day in log files. This is known as machine data. Nearly all such events are benign and of little interest to IT operators. However, some represent anomalies that may indicate problems arising. Dealing with such incidents was the subject of a 2017 Quocirca research report sponsored by Splunk – Damage Control: The Impact of Critical IT Incidents.
Recognising incidents is one thing, understanding what they mean and prioritising how they are dealt with is another. This requires enriching the machine data with information from other sources. Splunk’s operational intelligence platform does this for IT incidents in general but also specifically for security incidents, which Quocirca’s report identifies as the top concern for IT managers.
When it comes to dealing with security incidents the process is known as security information and event management (SIEM). Here Splunk has several competitors including Micro Focus’s ArcSight, LogRhythm, IBM’s QRadar and McAfee’s Enterprise Security Manager.
SIEM tools enrich machine data to provide context. However, any one tool may not provide all the insight needed to deal with and prioritise all security incidents. Some organisations use multiple operational intelligence and SIEM tools. Furthermore, the sources available for enriching and guiding the process of dealing with security incidents are myriad. These include:
- Threat intelligence feeds that indicate what a security incident might mean, for example, is there known criminal activity that is leading to certain types of events. Providers of threat intelligence feeds include Digital Shadows, CrowdStrike, Recorded Future and FireEye’s iSIGHT.
- Databases of known malware and scams such as VirusTotal, Spamhaus and Malware Domain List.
- Vulnerability management tools which know about current software bugs, the threats they represent and fixes available, such as Qualys and Tenable.
Bringing together all the information from these sources and applying it to security incidents is a daunting task. That is the challenge ThreatQuotient has taken on with its ThreatQ platform. All the organisations listed above are among the 70 plus partners that integrate with ThreatQ.
ThreatQ was first released in 2013 and launched in Europe in 2016, where ThreatQuotient now has operations in the larger countries and a growing customer base. This week it is upping the ante with the release of a new interface called ThreatQ Investigations.
ThreatQ Investigations supplements ThreatQ’s existing tabular interface with a graphical tool that shows core incidents with links to all the sources of information that may help deal with them. With a few clicks an operator may be guided from an anomalous event on a firewall to news of a recently detected surge in activity by a criminal gang seeking to exploit a newly found software vulnerability. ThreatQ Investigations aims not just to empower individual operators but to improve collaboration across the teams that come together, often war-room style, to deal with security incidents.
As cybercrime becomes ever more widespread and the actors involved diversify, targeted organisations must become more sophisticated and timely in their ability to detect and respond. ThreatQuotient and the tools its ThreatQ platform brings together can help achieve this.
Bob Tarzey is a freelance analyst and writer, formerly of Quocirca.
The position of Chief Information Security Officer (CISO) has become well established in recent years, but where is it heading next? For many it is often perceived as an inward directed role more accustomed to saying ‘no’ than anything else. But is this really fair and does it represent the modern CISO?
Most organisations are under intense pressure to be flexible as well as secure to protect their own assets as well as the privacy of customer data. Going forward, a more pragmatic approach has to blend the agile needs of the business with the continuing challenges of security.
All organisations like to base success on results. Part of the challenge is that when some initially look at what this means for security, it is often about preventing things from happening (bad things), rather than doing good things for the organisation. While this may still be true, it is not a great yardstick for encouraging best behaviours and attitudes. It runs the risk of fostering inaction and retrenchment, rather than moves in a positive direction.
The term ‘Next Gen CISO’ might not be entirely new, but it surfaced again in a recent discussion with LogMeIn CISO, Gerry Beuchelt. This revolved around the evolving relationship between business and security and how by changing behaviours CISOs can add real value to the business as well as keeping it safe.
So what are the attributes of a Next Gen CISO?
The first attribute that a Next Gen CISO needs is to be outward looking. It helps of course to be acutely aware of the challenges faced by other organisations and changes in the market landscape. However, the outward looking CISO needs to be much more than that. They need to be able to engage with, and understand, their organisation’s customers. This should involve working alongside the sales force and channel partners. Why? To understand and appreciate the commercial challenges of any organisational security issue it really helps to see the impact it has on customers.
Risk in context
This outward perspective assists with another attribute for the Next Gen CISO, awareness of the business reward/risk spectrum. Good CISOs will already understand the risks being faced by their organisation and be aware of their vulnerabilities. But it is rarely their responsibility to decide if those risks are worth accepting, depending on the consequential impact on the business. Nor is this a decision for those who do have the business responsibility to take, without being fully aware of the facts.
The Next Gen CISO should be able to present the risks and consequences of different actions (or inaction) in the context of the consequences they will have on the business. It is no good simply presenting information about speed of patching, number of phishing attacks or level of malware exposure. These may be relevant performance indicators within the security function, but mean little in the context of the business overall. Neither should CISOs hide or diminish the risks being faced. The important thing is to make clear and transparent the impacts that different security issues will have on specific aspects of the business. This is about putting security and risk into a clear and understandable business context.
As well as reaching out to customers and fellow C-level staff, the Next Gen CISO needs to be able to engage with employees from across the organisation. Security is not a pinpoint issue that affects only certain individuals or business processes. All roles have some element of security and risk for which they have to accept some responsibility. It might have seemed fine at one time to focus this in the hands of one individual, but that is too onerous. The risk then is that the individual’s default reaction would be to be overly defensive and too often say “no”.
The Next Gen CISO needs to be able to understand business processes and empathise with the challenges faced by those that undertake them. This helps spread involvement and understanding of the importance of security and what everyone needs to do, to the widest possible audience. By reaching out and engaging with fellow employees, the Next Gen CISO is also extending their threat intelligence and impact assessment information network.
Building understanding and changing behaviour towards security across the organisation then becomes a realistic goal. But this is rarely accomplished with tick box assessments or tedious training courses. Computer based training can play a part in building awareness, but risks downplaying the importance of specific security threats. A Next Gen CISO will enthuse and engage using more pervasive training models. These will include simulation and live role play to ensure the security message hits home and remains embedded in the organisational culture.
The CISO role may be built around information and security. But it is delivered through a passion for protection that aligns and fits closely to the needs of the business. The Next Gen CISO needs hybrid attributes to which many management roles should aspire. That and an ability to assess the value of technical aspects, with a realisation that success will depend on human ones.
Quocirca’s Global Print 2025 report reveals that print manufacturers are set to lose their influence on customer relationships in favour of IT service providers that deliver print services as part of a broader offering. Businesses are increasingly looking for suppliers that can demonstrate IT expertise and be strategic partners to both IT and various lines of business (LOB). Building IT services capabilities would present print manufacturers with an opportunity in the small and mid-sized business (SMB) market, helping to offset declining legacy revenue. However, to do so manufacturers must ensure the right mix of channel and technology partnerships.
Changing channel dynamics
The changing ways SMBs wish to purchase, consume and pay for their IT is redefining the role of the channel, fundamentally changing business models and relationships. While print channel partners are gradually transitioning to a managed print services (MPS) model, extending this to other aspects of IT will be the key to sustaining growth.
While printing is not set to disappear any time soon – overall 64% of businesses expect to still rely on printing by 2025 – digitisation efforts are also accelerating, and security is a top concern. This convergence demands a new breed of supplier that can support the business transformation needs of SMBs.
In the SMB market, print vendors have an opportunity to offset diminishing revenues from traditional hardware-centric business models by advancing services portfolios. The Global Print 2025 study reveals that by 2025, 26% of SMBs expect their organisations to have the deepest relationship with IT service providers, increasing from 23% today. This is at the expense of print manufacturers, which see their influence drop from 27% today to 13% in 2025. A further 17% of SMBs expect a stronger relationship with MPS providers in 2025, up from 14%.
The evolving technology needs of SMBs
SMBs are diverse, ranging in scale and ambition, from fast-growth start-ups to stable, medium-sized businesses. SME technology investment plans vary depending on business focus and size, but according to the Global Print 2025 report, IT security and cloud top the agenda.
Just like larger companies, SMBs are interested in deploying new technology, but are constrained by budget and limited IT expertise. This lack of expertise is good news for suppliers which understand their customers’ business and industry needs and have the technical expertise to deliver a broader array of solutions and services. SMBs are increasingly adopting low-cost, cloud-based services and managed services to reduce operational costs, remain competitive and improve efficiency. Consequently they are placing increased demands on suppliers.
Quocirca’s Global Print 2025 research reflects these changing requirements. In organisations with 100-249 employees, 57% are looking for a provider that can be a strategic partner to both IT and LOB – this rises to 60% in organisations with 500-999 employees. Over half of SMBs expect a supplier to have strong IT security expertise, rising to 65% in SMBs with 500-999 employees. Other top requirements are industry specific expertise, business process automation capabilities and providing analytic insight.
Can the channel shift gear?
Although some print-focussed channel partners have successfully made the transition to managed print services (MPS), the majority remain focused on hardware-centric transactional sales. When it comes to IT services, traditional print partners often lack the skills, experience and capabilities to be credible providers. There may not be the incentives or knowledge in place to sell broader IT solutions, and provide a consultative sales approach which is a core capability of many broader IT service providers. As a result, many print channel partners may view a move to IT services as high risk requiring too much investment and time.
Typically, SMBs do not look to traditional print channel partners or print vendors as a source of innovative services beyond print. They are more likely to turn to existing IT service providers focused on business outcomes, rather than speeds and feeds.
So how can the print channel step up its game, and build IT services credibility and reputation? Consider the following recommendations:
- Change the conversation. Channel partners must change their expertise, shifting from the outdated print-centric reselling model to embrace a new role as trusted and strategic advisors to their customers. They must change the nature of the conversation they have with SMBs, engaging with the influential business decision-makers responsible for strategy. The conversation must be around how to drive efficiency and productivity – not just about technology or products. As businesses turn to them for guidance and support, channel partners will need to be able to deliver consultative services and expertise. This also means tapping into adjacencies such as digitisation and security, which are increasingly part of the broader printing proposition.
- Partner for IT expertise. Partnering with accredited and experienced IT service providers gives print channel partners access to a broader product portfolio and a direct route into the IT services market, supported by specialist technology sales and support resources. For instance, this enables partners to potentially offer print security services and solutions as part of a broader managed security service offering. For manufacturers or large channel organisations, acquiring IT providers can be an effective means of gaining specialised expertise to develop and augment IT services in-house. It is also a direct means of accessing experience in selling or supporting IT services. Some manufacturers including Konica Minolta, Ricoh and Sharp have already made the shift, expanding their managed IT service capabilities largely through acquisition.
- Become specialised. The shift to margin-rich services means developing industry specific expertise. Invest in the skills needed to deploy and connect a range of technologies – both across hardware and software – and consider developing vertical specific offerings.
- Focus on delivering business outcomes. As SMB purchasing decisions are increasingly influenced by non-IT decision makers, channel partners will need to expand their influence to multiple stakeholders. For larger businesses, the channel needs to focus on building skills in delivering business outcomes to LOB buyers, while retaining a strong relationship with the IT department.
- Monetise solutions. Channel partners that invest in software development to expand their offerings should consider monetising and building the resultant intellectual property (IP) through delivering applications. Building a portfolio of applications wrapped around the core business – for example, MPS or document workflow – should lead to new opportunities. Consider including assessment or consulting services as well as integration services.
The channel must shift gears and change its business model in order to increase engagement with SMBs. Repositioning as an IT services and solution provider may seem high risk, but by developing credible converged IT offerings, channel partners may be able to increase their relevance, create differentiation and create longer term and more profitable relationships.
Despite the opportunities for technology to be really disruptive, it is surprising how often it simply digitally replicates existing processes. There is one common business process where the results could be described as patchy – meetings.
Meetings tend not to divide opinion that much. Most would say they have too many, they go on for too long and often appear to accomplish little. Decades of training courses and humorous videos have had some impact, but clearly not enough. Surely technology should be able to make it easier for people to work and collaborate efficiently and effectively in meetings?
Tools supporting collaboration (or claiming to) often try to impose a new working agenda of their own, or YACS (yet another communications stream). This might be innovative messaging based on timelines mirroring those that many have become accustomed to in personal lives via social media. It might include more visual interaction with video and screen sharing. But in most cases the focus is more on the media and ‘unification’ rather than their use. This is more like unified plumbing than unified communications from the individual’s perspective.
Some tools might offer significant improvements, especially if all potential users can be compelled to switch over to them or be encouraged by grass roots adoption. The problem is this rarely occurs smoothly. There are often issues in the edge cases – individuals, processes and data – where the new super collaboration system doesn’t fit well. So people move back to their trusty default approaches, typically email and more meetings.
Moves to reduce email sound good in principle, but the reality often disappoints. However, since meetings probably occupy even more working hours than email, surely it would be a good idea to shift the emphasis to them?
There are many important tasks that occur during meetings: sharing information, discussion, decisions, and allocating actions. Information and communication are important, but only on the path towards beneficial outcomes, i.e. decisions and action. Otherwise the outcome is more, and more and more meetings…
Before and After, as well as During
So where is the effort actually expended in meetings? It is useful to consider the whole process as meetings have a ‘before’ and ‘after’ as well as ‘during’. While there has been a lot of technology applied to ‘during’, not enough attention has been applied to the efficiency opportunities across the entire process.
‘Before’ has to mean more than sharing a calendar invite, whether of obtuse conference call codes or to a far-flung location, via a fire-and-forget email. To get the right people together at the right time, even with decent remote audio or video conferencing equipment, requires some intelligent juggling and scheduling.
This requires time and effort. But since the information about potential meeting participants is often already there, the intelligence employed could be ‘artificial’. More auto-scheduling effort to streamline and simplify arrangements would pay dividends in terms of time saved and would be appreciated.
Even during meetings, for many the use of technology has focused on the medium of sharing. Despite this, getting connected (the video adaptor challenge, followed by the function key shuffle) and getting remote colleagues involved (does anyone know the dial in code or where the remote is, or how to contact support?) seem to take more time than they should.
Capturing information during meetings and sharing it accurately afterwards, jogging the memories of those present and informing non-participants, would be hugely beneficial in steering towards these positive outcomes. Technology to record voice and intelligently transcribe it to text would make sharing and searching simpler, and is readily available. The key is to seamlessly integrate this into the collaboration tools that participants are already using for their meetings.
Shifting beyond collaboration
This involves a shift in thinking from the unified communications and conferencing industry. Most have already made the jump towards a focus on collaboration. This is necessary, but not sufficient. The next step is to recognise that the long-entrenched models of how people work together will be hard to change. The whole lifecycle of meetings needs to be enhanced, and where possible, automated.
Meetings might seem tedious and wasteful, but few organisations are going to replace them entirely with virtual timelines, shared repositories or interactive online realities. There is a need to look at the elements of greatest inefficiency, apply technology to make incremental improvements, assess the results and then repeat.
This looks a lot like the agile and DevOps approaches now being used in software development. These are yielding great results in terms of both speed and quality. Isn’t that an outcome all organisations would like to see for meetings as well? Look for tool vendors that are moving beyond the audio and visual media. The ones that are extracting meaning and understanding from how people are communicating are putting real business value into collaboration.