Exclusive Interview: The mandatory data breach laws are here, but can the channel take advantage?
Today is the day the security world - and really every Australian organisation - has been waiting with bated breath for, as we have finally seen the Mandatory Data Breach laws come into play.
However, with many organisations still not even aware of the laws, how much of an opportunity is there for the channel to take advantage?
We spoke to Juniper Networks’ area partner director for A/NZ Darrin Iatrou and senior systems engineering manager James Sillence to discuss their take on the laws, in terms of where they see opportunity for channel partners.
With the Mandatory Data Breach laws now in place, what do you see as the biggest priorities for channel partners?
Darrin: The number one area of interest for our partners is that it gives them an opportunity to go back and have another conversation or take a more consultative approach with their customers to ensure they have the most up-to-date systems, policies and procedures to accommodate the new scheme.
Do you think the channel is prepared to take advantage of the laws coming into place?
Darrin: I certainly hope so. The security market in its entirety is an extremely hot topic right now and I would expect that all channel partners who have a security focus to their go-to-market will be talking to their customers about not only this new legislation, but security in general, to ensure that we are collectively fighting that cybercrime.
We believe prevention is certainly better than the cure, so if we can get our partners talking to their customers to ensure that we are giving them the best level of protection possible, hopefully, there will be no need for the Notifiable Data Breach Scheme to have an impact on customers.
James, how are the laws set to change an organisation's priorities from a security perspective, in terms of what they need to comply?
James: There are a lot of things to consider there. To be honest, I think it’s actually a little bit sad that at this point in the discussion - now that the breach notification laws have come into play - in some senses we’re only just having this conversation now. Organisations have always had a responsibility to secure data and take all the steps necessary to protect these people’s personally identifiable information.
Now the government is actually mandating that if you have a data breach you are required to notify not only the person that is likely to have suffered harm but also the commissioner. The fact that security has become a hot topic, as a result, is actually a bit of a sad reflection of where a lot of organisations are in their readiness to be protecting people’s personally identifiable information. Organisations need to realise that the security solutions of 4 - 5 years ago aren’t going to protect them from the hackers of today.
At Juniper, we’ve been heavily investing in security for a number of years, really since the acquisition of NetScreen in 2004, so our platform is absolutely ready to take on the modern cyber attacker, and bypass the humiliation of actually having to notify a breach.
It’s important the solutions are highly automated, taking human interaction out of your breach response and actually making sure that everything you do from a security perspective is automated.
Is it the general belief of channel partners that the laws will be effective?
Darrin: I think the channel certainly believes the laws will have an effective impact, although in a lot of ways the laws serve their interests. They’ll be able to use this adjustment or change in legislation to reopen a dialogue with customers to ensure that they have the right internal practices and that their security posture is sound.
As the channel has those conversations, customers will start to take the laws more seriously because of the concerns around fines and embarrassment. So they certainly see it as a very serious change in the law.
James: On that note, I guess it will be interesting to see what the government does when they’re faced with their first incident. There has been a bit of a debate about whether they’ll use the first instance as an example to the rest of the industry.
While there are obvious concerns about embarrassment or reputation damage, what the commissioner will actually do is ask why the level of protection wasn’t adequate. So there will be a reputational impact but they’ll also get massive fines, so there are going to be two aspects to what we’re going to see.
Is it going to take the government to make an example of an organisation to really make the importance of the law known?
James: I think the sad thing is there are a lot of organisations out there today who don’t understand what’s required of them. So there lies a great opportunity for the channel to start educating their customers on what is going to be required if they do suffer a breach.
However, I do think that it’s going to take that first incident of a company getting fined for the market to get up and realise that it actually does apply to them.
Obviously, there are a lot of opportunities for the channel in the enterprise segment, but do you also see a big relative opportunity in mid-market or SMB?
James: Absolutely. The law applies to every business that is turning over more than $3 million per year, so that goes from the Mum and Dad shop right up to the big four banks. For instance, our channel has an immense opportunity to take a solution from Juniper and say well actually while a Juniper solution suits organisations right up at the top end of town, it plays equally well for a small business. There’s no degradation in functionality, so what you get at the large enterprise level is exactly the same as what you get as a small branch of a security gateway.
It’s a great opportunity for the channel to take a great set of solutions and offer them to small businesses while offering them guidance on how they can specifically implement them, ensuring that they comply with the law.
Do you think it will take some time before the majority of opportunity becomes available, as organisations progressively become aware of the laws?
James: I think it will take some time. The vendors have a responsibility there as well and Juniper will certainly run education and information programs to accommodate the laws. I think the partner community will get on board with that, as it’s a sales priority as well as a way of supporting their customers.
Darrin: I definitely think it will take a little while and there are concerns about customer adoption as well. The channel is one thing and we need to be out there as a vendor pushing this change in legislation to our partner community, but whether the customers want to adopt it is a different thing.
They may feel like they have a security posture that they’re comfortable with, so we’ve really got to arm our channel with the right information to effectively audit and help customers understand things more clearly. There are vulnerabilities in networks - IoT is one of increasing importance - and we’ve got to provide solutions that are effectively going to stop cyberattacks in all parts of the network for customers.
In terms of the networking domains that we play in, we need solutions for everything including cloud, data centre and campus and branch. We can then take those solutions to our channel to be able to add value on top of that.