Security on the Small (Enterprise) Side

When business IT infrastructure is always under attack, IT security is a competitive advantage. It’s an advantage that larger enterprises have typically held over smaller organizations but a young provider from Europe says that they can bring large enterprise-class security to even very small companies. Serena VM is using the cloud and a virtual SOC to try to level the security playing field.

Serena VM is the relatively new, U.S.-based name of Trovolone, a French company founded by Teodor Chabin, an engineer who based the company’s foundational intellectual property on work he had done for the French military. Jeff Schilling, chief business development officer, is one of the first company executives to work in the U.S. market. I had a chance to talk with him earlier this week and heard about just how Serena VM plans to give small customers the sort of security capabilities that the large enterprise enjoys.

“The secret sauce is that there are over 33 components under the covers with a simple UI,” Schilling said, explaining that security means more than simply a firewall at the perimeter. Customers demand a combination of security tools managed by experts who know what they’re doing. That combination of services on the ground and strong central management is key. “We called Serena ‘20 geeks in a box,’” said Schilling.

Serena VM is a 2-part solution. The first part, Serena VM itself, replaces the in-line firewall, UTM, or other “bumps on a wire” that are most often used for network and application delivery infrastructure security. In most cases, Serena VM will be installed in a cloud deployment, though in specific circumstances it can be installed on customer hardware on-premise. The other part is the Security Operations Center (“Serena Center”), where traffic is monitored and alerts are issued. In many ways, the SOC is the key, because it brings a level of expertise to the Serena VM customer that most smaller enterprises simply can’t afford.

I asked Schilling whether Serena VM has customers for whom they generate daily reports or for whom they allow regular monitor display access to track activity. He said that Serena VM’s relationship with their customers is based on a much different understanding. “We contact the customer when something is noticed in the SOC. At this point we don’t have anyone who has access to look at [regular] activity,” he said. Serena VM’s customers have neither the need nor the interest to keep up with everything that’s happening; they simply want to know that they’re secure while they get on with their regular business.

“The reporting hasn’t been a high request item from customers,” Schilling explained. “Companies just want to work on their stuff and help their clients.” And that statement may be why security has remained much better for large organizations than for small — there’s generally only so much time, energy, and interest to go around.

For better or for worse, though, the business environment is forcing even smaller organizations to pay attention to “extras” like security. Schilling talked about one potential type of customer when he told me, “Ad agencies are losing business because their clients don’t think their IP is secure.” And it’s that question of client IP/customer PII/financial data that’s forcing the issue. Add in the increasing pressure from regulators and insurers and you get the situation where the demand for security can vastly outstrip an organization’s ability to afford and deploy the security solution.

Serena VM is targeting organizations with 5 – 50 employees. Even at the lower end of that scale, though, they are strictly a business solution with no aspirations for the consumer market. The subscription charge is $10/employee/month. Schilling says that at the time of our discussion pilot projects are out in law firms with 6 – 20 lawyers and architectural offices. “They need security and file encryption but they don’t have the budget or the staff to deal with a robust, multi-layered defense.” In a “ripped from the headlines” story, Schilling told me that the company’s first U.S. customer was the State of Virginia; the IT staff liked being able to temporarily deploy a secure infrastructure to support polling places without having to send a large crew.

Privacy Worries Cost Companies Real Money

It’s easy to get a business executive’s attention: Just take away the money. It’s one of the great equalizers because it doesn’t matter what race, nationality, gender, or religion describes the executive. If you start taking money off the table, you have their attention.

According to a new study released by Cisco, concerns about privacy are now doing just that around the world. In fact, nearly two-thirds of the businesses surveyed — 65 percent — said that privacy concerns are lengthening sales cycles and adding significant delays to sales. And when it comes to the sales cycle, time is, indeed, money. How much money are we talking about, here? A lot. The companies surveyed reported that, on average, privacy concerns are adding 7.8 weeks to their sales cycle. Those weeks matter in the hyper-competitive markets in which most companies now operate.


As with most things, the exact delay differs depending on the industry involved; government and healthcare report the longest delays. And there’s another factor complicating the delays being introduced into so many sales processes: GDPR is coming and few organizations know precisely how it will ultimately affect their sales.

But with all those differences and uncertainties the one constant is that privacy concerns are expensive. The great variable, it seems, is how mature an organization’s privacy regimen is. Companies with mature, well-developed privacy policies and practices suffer delays that are about 1/4 those of companies with ad hoc or immature privacy practices.

Given the potential effects of these delays on sales and revenues, Cisco advises organizations to take the following steps:

  • Measure current delays: Assess the scope of sales delays due to data privacy issues and understand how much sales revenue might be affected by the delays.
  • Assess root causes: Portions of a delay may be caused by sales teams being unable to address customer concerns, incomplete or inaccessible corporate policies, or engineering/design issues. Executives need to know root causes to determine resolutions.
  • Establish ongoing metrics and targeted initiatives: Regularly measure and track the sales delay metric, and set priorities for appropriate investments to reduce the delays.
  • Explore effects on cyber losses: Assess the cause of any data breaches and losses that might have been avoided through more mature data privacy processes.
  • Develop a data privacy and protection plan: If such a plan does not currently exist, plan to create policies and protocols that contribute to good security hygiene.

All of this starts, though, with simply paying attention. It’s far too tempting to assume that privacy is someone else’s problem, or that the most cost-effective strategy is to wait until there’s a problem and just pay the piper. What this study shows is that the piper is always there holding out a hand for more cash — and it’s easy enough to cut down the bill for this particular set of tunes.