The Kiwi developers of a new security assessment and compliance system are urging resellers to offer more holistic services around security as the company itself scouts for resellers and service providers for its offerings.
Launched in April, SAM for Compliance provides a cloud-based service, based on Microsoft Azure, which helps organisations self-assess and manage compliance, based around different security standards including CIS Controls and the New Zealand Information Security Manual (NZISM).
Tony Krzyzewski, SAM for Compliance co-founder and director, says the company is talking with a number of services organisations in New Zealand, Australia and the United States about wrapping SAM for Compliance into their service offerings.
“What we created is a product that makes it relatively easy for organisations to define standards, assess themselves and then work their way through the management process,” he says of the offerings.
While the initial offering was based around the United States-based CIS Controls, which are widely used internationally, other standards have since been added to the engine, including NZISM – creating a system Krzyzewski believes is ‘the only system on the planet’ designed for managing the implementation of the New Zealand standard – PCI DSS for payment card compliance, and HIPAA, covering the Security Rule within the US Health Insurance Portability and Accountability Act.
While no specifically Australian standards have been used, Krzyzewski says the company has seen ‘definite interest’ in the CIS Controls from the Australian corporate sector.
SAM has already signed a large financial risk services organisation in Australia as a partner, and that partner has already sold its first implementation into a ‘nice’ site.
Krzyzewski admits the SAM for Compliance offerings are not products resellers will make a lot of money from simply by selling the offerings themselves.
“We charge $3600 a year per framework and there really isn’t margin in there, but it is the opportunity to wrap services around this as a core and improve their service level offerings,” he says.
“Globally, SAM provides training for other professional services wishing to use SAM as a tool for managing and reducing risk within their clients’ businesses.
“For resellers and VARs in particular, there are opportunities for them to quickly develop an in-house security practice using SAM for Compliance systems to assess, improve and manage their clients’ information security policies and processes.”
Krzyzewski says remediation is one area where SAM for Compliance can be of use to resellers: the system helps identify where clients have weaknesses in their systems, processes and technologies, and the reseller can then use those findings to guide the client through remediation.
“And for service providers that themselves have to comply with the likes of NZISM, this allows them to work their way through their own remediation process and be able to report back on compliance,” he says.
Later this year SAM expects to launch a ‘Bring your own standard’ offering.
“The engine we have created is so flexible, we can plug any standard into it,” Krzyzewski says.
“It doesn’t have to be just IT security. We could plug health and safety in there, financial… it doesn’t make any difference, providing there are pretty clearly defined requirements.
“We’re already in discussion with [the Australian arm of] a reasonable sized multinational with regards to plugging in their own internal standards to it.”
An SMB option may also be on the cards, though Krzyzewski says SAM is yet to define a cut-down set of standards achievable for smaller organisations.
“One thing we are very aware of is that it’s no good having a standard you can never comply to, so we’re looking at defining pragmatic and practical controls for smaller organisations – the ones without a resident IT team,” he says.
Plans are already underway for a launch into the United Kingdom and European market next year, with the company initially targeting English speaking countries.
"This is not a New Zealand product, we are going global," he says.
"If we have people in Singapore, Hong Kong or even India that are interested in taking this as a service we would certainly look at that too," he adds.
“There is a growing awareness of the requirement to protect information and systems outside of the IT sector now,” Krzyzewski says.
He notes that recent high profile ransomware and phishing attacks have heightened understanding about security and protection requirements.
“The channel really needs to start thinking about getting themselves aligned into the more holistic services, rather than just trying to sell a firewall or antivirus. They’ve got to start thinking smarter and wrapping this into a service that can be provided, otherwise they will be left behind.”