XChange UK day two: Cyber, M&A strategy and tackling the skills shortage
CRN brings you all the highlights from day two of XChange UK
Opening day two of XChange UK 2024 was Ian Hill, director of information and cybersecurity at UPP Corporation, using his 30-year tenure in the cyber space to advise CISOs on their common challenges.
As IT budgets continue to feel the pinch due to macroeconomic impacts, Hill shares his experience for CISOs trying to unlock investment from a reluctant board.
He tells a tale from a past employer, where a "very reputable" penetration test company was hired and "let loose".
Within a few days the testers had managed to uncover vulnerabilities in the global company.
"When you present that sort of stuff to the board it really scares them," Hill says.
"Showing the board what can happen in the worst instances is an extreme, but sometimes it's difficult because boards often see cybersecurity and information security as a cost.
"One of the things I found when talking to boards is that when you get presented with the question, 'what value does it bring?', you're asking for a lot of money for value but the answer is it doesn't bring any value. It's there to protect value."
Hill adds that when talking to a board you must also understand their perspective.
"Where it's important for a CISO to understand the business it's also crucial they try to position the requirements from the value that is going to protect you, within the context of business that has to be protected.
"It's not an easy line to balance. But worst case you can always scare them with a penetration test."
How does AI change the field for defence and attack?
AI is the number one topic on the lips of all involved in the technology sector.
"AI will be a massive game changer. There's no two ways about it. Generative AI and interactions between automation and orchestration will have a massive impact on everything we do."
However, Hill believes there is "a lot of noise" at the moment.
"Everyone's jumping on AI but a lot of the tools and things that you see popping up now are not necessarily pure AI driven and are supported by automation tools.
"But what we will be seeing is AI having a massive impact on cybersecurity because the attacks that we're seeing are getting much faster, much more automated.
"I'm starting to see new tools which have genuine AI capability to be able to analyse what we're seeing, and will start to be given access to the automation tools to actually start doing AI-based automated responses.
"On the other side of the fence, threat actors are already using AI tools from an attack perspective. We're seeing more AI-based phishing attacks.
"What I predict will happen, it is going to end up as a battle of machines. It's going to be machines fighting machines. AI threat actors battling the AI defenders, because humans are just way too slow."
How channel partners can be smarter at offering cybersecurity to businesses
With the plethora of cybersecurity tools available, businesses sometimes blindly buy tech with a bottom-up approach.
But Hill believes channel partners play a vital role in helping companies who are overwhelmed with choice.
"Information security has to work top down. Start with business goals and objectives, and work your way down from what you're trying to protect, and eventually work your way down and find a set of tools, security tools that fit your requirements.
"It's so important for the channel when dealing with customers that you understand what their business is about, before you try and flog them some bit of bling.
"Half the time you don't know whether they actually require it or not.
"There's so many tools out there now that are increasingly second nature and they're all vying for the same market in the same business.
"You can't just blindly sell into companies, you need to start getting smart, have a much better relationship with these businesses and understand who they are and what they do.
"Because it might be that they've got everything sorted and you might not need to sell. But if you retain the relationship, in time there might be a gap that you can gain."
Evolution of security teams
With a technology-driven evolution owing to the increased number of cyber threats, Hill thinks teams require fewer people to operate.
"Whilst there is a demand for cyber analysts, within large companies that are deploying automation orchestration tools, they don't need so many people.
"But also, there's very much a culture shift within businesses. Cybersecurity is everybody's problem and everybody's responsibility. What we've now started to see is this shift to what we call federated security.
"Within particularly large businesses they are shifting from this siloed cyber team to much more federated teams.
"When you've got security responsibilities more embedded in the different business functions, empowering them to have the security responsibility, while it does involve upskilling, what you create is actually a much bigger security team.
"You'll still have a core cyber team of analysts, but your responsibilities might be federated across the wider business, so that you can then trust that those subject matter experts within those different areas of the business, have a stake in the security of what they're doing.
"So this concept of federated security can very much be looked at as a new way of thinking within larger businesses."
Picking your next MSP acquisition
Partner consolidation continues to hit the channel at pace.
Deals are being struck by companies seeking either revenue growth, scale or capability.
But not everything is worth buying, Nicholas Ashford, founding partner at Fordhouse, warns delegates in his masterclass on how to weigh up an acquisition.
"There are lots of businesses that won't be the right fit, but you've got to go through that.
"The first question is, are you actually ready to acquire? It can be transformational in terms of your wealth, your employees, your business.
"I've seen lots of businesses that have done a deal that has absolutely stumped them. They failed to integrate, staff left, the values went, they took debt out and now they're stuck repaying the debt, but they didn't get an additional unit. And they're actually stuck.
"So think about is it something you actually want to do?"
Statistically, you don't, Ashford says, as 70 per cent to 90 per cent of M&A "doesn't deliver value".
"It's not for the faint of heart. You've got to convince yourself that you can buck the statistical trend and actually make it a win.
"It's high risk and high reward. If it wasn't high risk everyone would do it and the amount of additional value you bring to your business wouldn't be that high.
"So you've got to be ready to roll the dice."
Ashford dives into what to do when you're ready to roll the dice.
"You need to buy the right MSP which I think about in several terms.
"The first is the strategic fit as well as thinking about geography, capability and capacity.
"Yes, you're an MSP and you can service anyone from anywhere, but if you've just bought a business you're going to want to get boots on the ground.
"Geography is a valid factor. Do you want to take out a local competitor, so that you become the number one in the region?
"Or perhaps there's a verticalization in the geography. Say you're in Cambridge and you came to pick from biotech, maybe you want to buy around there, because you want to be the dominant biotech player in that space.
"In terms of capabilities, are you buying more of the same? So is it a volume deal where you're stacking on more the same? Or are you trying to fill a hole and bolting on additional capabilities?
"And then finally, capacity. How big is too big, how big is too small. If it's too big, you risk reverse integration, you've got too much to chew.
"On the other hand if it's too small it's not really moving the needle. There are fit overheads and climate and cost in every deal. And so if it's a small deal, there are some costs that remain the same as whether it's a large deal."
Finally, Ashford addresses the big one - revenue.
"What does the revenue of your target look like? We wouldn't look at a business that was less than 50 per cent. I think you need to be shooting for the 60s and 70s.
"Then you've got composition. So what are the service sites? Support is great for foundation whereas hardware and block shifting is not exciting.
"Is it really cyber or are you selling antivirus?"
How to assess culture
"I think culture is arguably the number one thing, which I wouldn't have told you five to ten years ago, but there's been a massive change.
"The answer to how you can assess culture is you can't, but you can as a proxy. I think you can use the owner, if they're actively involved in the business, the vibe you get off them, how they are, will be a proxy for the culture of that business.
"If you can speak to some of the leadership team and maybe one or two customers will give you a good feel of the culture of the business."
DEI and the skills shortage
The afternoon kicked off with an inspiring conversation about diversity and recruitment in the channel, including Haley Mooney, general manager at Crayon UK, Donavan Hutchinson, CRO at Trustmarque, and Ben Franklin, CTO at BIT Group.
"We have a very technical side of our business. But equally, we have a huge sales organisation. And we're actually lacking skills across both. So when it comes to technical skills, we're finding that obviously data and AI tends to be a core demand," says Mooney, setting the scene at Crayon UK.
Mooney singles out data engineering and change management skills as other in-demand areas, but also highlights that the non-technical and sales areas of the business are seeing spiking recruitment as well, and encourages potential candidates with traditional "soft skills" to have confidence in their value in the channel.
Franklin echoes these points, saying: "What skills are we missing? What am I missing? Somebody that will sit on a Teams call with their camera on, instead of hiding under the desk.
"I think that's the big issue for us right now. People that put the bin out, that's on fire, not told me that the bin is on fire and expect me to do something about it. We call it real skills, right? Soft skills, as we call it - drive passion, motivation and commitment. That's the stuff we don't have."
These skills, Franklin goes on, are what really differentiate candidates and what can make rising stars from non-traditional backgrounds stand out.
Meanwhile, Hutchinson adds, training and development can be a tool to build inclusion - both among younger employees and the older cohort.
"From a skills perspective, for DEI as a whole, you get one side, which is the training and development of the younger generation.
"And then there's the other side, which is the reskilling of people who are the older generation or people that are looking to go back into work.
"And I think that having that representation as part of your training plan is absolutely vital and key in order to ensure that whatever you are taking them on is as inclusive as possible."
Attracting talent is just step one
Attracting a diverse workforce is only step one, however. Next, the panel delves into their strategies for retaining the talent they've recruited.
"I have to keep my technical team busy. You know, I think that's really important for them, that they stay educated, they stay stimulated," says Mooney.
"And we spend a lot of time kind of focused on how we bring our resources together so that they can serve more home. So we have what we refer to as a centre of excellence.
"So we have our core technical teams working together on big projects. And actually, they find that really rewarding."
In sales, the strategy differs somewhat, but still focuses heavily on recognition, according to Mooney.
Hutchinson adds that Trustmarque aims to ensure that employees feel taken care of through flexible working policies and health and wellbeing approaches that accommodate a diverse cohort.
"I think organisations need to look at their policies, their processes, their benefits, making sure that they have accessible workplaces and environments that promote inclusivity throughout, for instance, company benefits.
"As an example of something we've rolled out are our policies catering to different age groups. We've got a certain generation, which is, I would say, the middle age bracket up northwards.
"Because we've been around for a while, we introduced the menopause policy. But at the same time, we also introduced the andropause policy.
"And a lot of people don't know what the andropause is but it's essentially the male version of menopause.
"We've also looked to improving our benefits, looking at our insurance policies, looking at our health benefits that are available. We've looked at flexible working patterns as well."
Franklin's approach at training provider BIT Group, meanwhile, emphasises continuous professional development.
"From my perspective, in the training world we're somewhat uniform. It's really hard to find technical people that want to be trained, because they want to work in the channel or at vendors," he says.
"So to retain our individuals that we have, for me, it's about allowing them to do their job as well.
"So if I'm teaching a cybersecurity course, I'd put them into cybersecurity consultancy so that they're utilising their real skills that they've learned, bring them back to that training environment. So CPD is really, really important."