At their partner event, ConnectWise detailed both what they are doing to better get their own security house in order, and what they are doing to help partners protect their house.
ORLANDO – At last fall’s ConnectWise IT Nation Connect event, then-CEO Arnie Bellini emphasized the security theme of ‘Protect Your House,’ a campaign to provide the company’s partners with a new tool to help them ramp up their security skills. Protect Your House was a limited-time promotion centred on a partnership with Tampa-based MSSP Sienna Group, which made a Cybersecurity Risk Assessment Tool that was free to ConnectWise partners for the first three months. Since then, ConnectWise has acquired Sienna Group, and Sienna’s former CEO, John Ford, is now ConnectWise’s top security dog as Chief Information Security Officer. While the specific Protect Your House promo may be over, Ford strongly emphasized at the IT Nation Explore event here that its principles continue to guide ConnectWise’s security policy. That policy is focused on making the company’s own products more secure, and on making its partners more expert in security themselves.
“Our goal at the event is to make you aware of what we are doing to protect our own house, and convey ways that we have to help you and your customers along the security journey,” Ford told the audience at the Evolve opening keynote.
Ford noted that ConnectWise had itself been targeted by hackers earlier this year. A previously-reported vulnerability in ConnectWise’s ManagedIT Sync plugin for Kaseya’s VSA RMM platform was attacked, and MSPs who had not applied the patch, or who had applied it incorrectly, were infected with GandCrab ransomware.
Ford pledged that the company would integrate security even more thoroughly into its own product development, and detailed specific steps being taken to deliver on that.
“We have opened up the purse strings to bring certified ethical hacker and secure coding practices into our teams,” he said.
While the overall theme of the event was stability of leadership, Ford emphasized the importance of one new security addition.
“We just hired Tom Greco as Director of Information Security,” he said. “He has extensive expertise in DevOps, cloud security, government risk and compliance. He is building out his staff.” He described Greco as an upgrade in that role, and the result of an exhaustive search process.
ConnectWise has been implementing new types of team structures throughout the company to increase synergies, and Ford described one of these that has been added specifically for security.
“We are putting security champions in each of the product areas, who will work closely with Tom’s Group around security best practices, and act in an oversight role,” he indicated. “By placing a security resource that has accountability for security directly into the product teams, it will produce a culture of developing more secure products. That’s because the champion is a person who has accountability, doing things like ensuring that development teams are coding to best practices for security. We had a layer of oversight before, but we didn’t have the person in each of the product areas who had accountability.”
Ford also highlighted recent security initiatives that ConnectWise has taken to upgrade partner security skills. There’s still a huge need there. The 1000 MSPs who took part in a trial of ConnectWise Identify that began last October were asked to indicate the top cybersecurity measures they specifically had not addressed. Of these, 69 per cent cited identifying and documenting threats, while 66 per cent said the same of vulnerabilities, and 57 per cent cited informing and training all users.
“So 69 per cent can’t identify threats, 66 per cent can’t identify vulnerabilities and 57 per cent don’t train everyone,” Ford said. “That’s a problem. As a result, while we have a good stack of tools, we are increasing them, with ConnectWise Identify to assess risk and our partnership with Perch Security, and their platform to identify and remediate threats.”
ConnectWise Identify came from Sienna Group, Ford’s company, where it was known as RiskRATS [remote assessment tools] before ConnectWise wisely rebranded it. It fits into ConnectWise’s strategy not just because it gives MSPs a new security capability, but because it changes the conversation with customers.
“MSPs in general are very tool-focused,” Ford said. “But you have to be able to speak the common language of customers. Typically the customer would come to the MSP with a problem, and the MSP would sell them a product to solve that problem, and then another problem would come up, and the MSP would sell them something else. It becomes a game of whack-a-mole and eventually the customer gets frustrated. This changes the conversation so that the customer and the MSP can both be on the same page. It’s a path and a plan to mitigate critical risk. It’s a better conversation than giving them a product.”
Other frameworks besides understanding risk will be added to Identify at some point, Ford added.
He indicated that MSPs have been receptive to Identify because it shows them what they are liable for.
“Customers believe the MSP does everything for them,” he said. “When we show them what they DON’T do and are liable for, it gets their attention. We don’t come out with Hallowe’en costumes and try and scare them for shock value. It’s really about providing information so that people can make the right decisions, by showing the empirical areas of the risk that needs to be addressed. It lets them protect their business so they can grow.”
ConnectWise was an investor in Perch’s Series A funding round announced last fall. Perch is an intrusion detection and threat intelligence platform, purpose-built for MSPs, and capable of either being their SOC [Security Operations Centre] or being used by the MSP’s SOC.
“We have been purposeful in the way that we have leveraged Perch,” Ford said. “To date it has generated 2.2 million alerts, of which 1.9 thousand legitimate incidents have been escalated to clients. We now have 100 plus MSPs using it.”
Ford emphasized in concluding that more will be coming from ConnectWise on the security front.
“We do have a clear vision of where we are going,” he said. “We will get things right and deploy them when we are ready. This year, ‘Protect Your House’ is not a campaign. It’s part of the fabric.”