The world of data is changing, and we no longer have defined parameters as to where our data lives. We have cloud data, hybrid data, and data in remote locations, being carried around on phones and laptops. So why are you managing your security and data separately? Mike Matchett caught up with Kerry Vickers, Chief Information Security Officer for Aunalytics, to discuss why you can't deliver a managed service effectively or efficiently unless security is included in the plan and how Aunalytics helps its customers reach "security maturity."
Mike Matchett: [00:00:00] Hi, Mike Matchett, Small World Big Data. And we are here talking about the next generation of service providing, which is really how do you bake security into everything security's got to be table stakes say it's got to be default, it's got to be put end to end into everything or you're really not going to get the services you want out of out of it. We've got analytics here today. I've got Cory Vickers. Welcome, Cory.
Corey Vickers: [00:00:24] Thanks, Mike. Glad to be here.
Mike Matchett: [00:00:26] So we just want to chat a little bit about this sort of thing you've evolved to say. Security is embedded end to end throughout what you guys do for service offerings. For folks, it's not simply a layer you add on afterwards or a cafeteria check mark. This is something that's now going to be core into everything you do. Maybe you could tell us just a little bit about how you got there.
Corey Vickers: [00:00:48] Yes. So so security overall really means recognizing, accepting and mitigating risks with that sort of checks and balances. And it's a business shift. It's a culture. It's a methodology. But you know that that concept of combining security functions into every day IT management is really not something that's that's commonly done. It's we perceive it as more of a shared responsibility and it's about about business and risk management and collaboration with a great partner. And so in the past, we had a managed services practice that that really separated security controls and security management from the overall functions of managed services, which is, you know, your end user support, support desk, call support center, workstation support, server management, et cetera. But we felt like we needed to embed security functions into our managed services practice in order to really be effective at mitigating risk and and adapting to the evolving threat landscape and the tools and tactics that the bad actors are using in general and in mass. So so we do that through through through our overall practice and delivery that consists of a number of different teams through service desks through our advanced infrastructure team, our security operations team, our network operations and and our overall centralized services team to actually build these together as a as an overall shared responsibility that we can partner with our customers to deliver these security functions with managed services.
Mike Matchett: [00:02:15] Right. So when you go into a normal I.T. company, your traditional legacy company, the security team sitting over there, right, if they if they have one and they're not really necessarily embedded or integrated, even on the floor of a data center, they're a special set of part team. And the world is changing so much that we no longer have a defined perimeter in our where our data is. It's hybrid data is out there. It's in remote locations, people carrying it around on their laptops and desktops, and they're using SAS applications and email in the cloud, right? So it doesn't make sense anymore to say, you know, it can have a perimeter based separate organization watching the walls. Right, exactly. I have to bake this into everything. And so, so as an MSP, you you come to the conclusion that every service you offer really has to be baked with the security. And kind of I'm really, really admiring that. You were telling a little bit before also about security, not just being a final checkpoint or a goal or destination that there's that there's the security is an ongoing thing. Maybe could explain a little bit about that.
Corey Vickers: [00:03:22] That's right. Yeah, security maturity in itself is is a is a model that's been practiced for for many years. Overall, business maturity models have sort of evolved into security, maturity models and security maturity is really more of a journey than a destination, right? We know that once we get a bunch of, you know, settings and controls and tools and configuration, and that's not the end of the journey because of the way that bad actors evolved their tools, their tactics and their methods, and the fact that software is, you know, constantly vulnerabilities being discovered in software, for example, in various types of of industries. So we feel like we want to meet our customers in that security journey, no matter where they're at and assist them to to improve their security posture over time. And it's it's a it's a practice that that we've been working on for quite some time and we can formalize that through a couple of different ways in the way that we engage customers through assessments and through planning out that security, maturity, maturity journey, depending on the needs of the customer. If they if they're more in a regulated industry, for example, they're going to have to implement more security based controls and have more checks and balances than customers who are not in the regulated industry. However, our security functions, regardless of the customer base, will be embedded and included into those managed services to assist that security journey and take customers to that next level in that phased approach to security maturity.
Mike Matchett: [00:04:46] So there's still an assessment. There's still looking and customizing the programs that someone might need based on the vertical they're in or the industry they're in, or the business that they do. And you've got some advanced packages, I understand for different types. A compliance and things that folks need. Tell us a little bit about the range of things you can offer there.
Corey Vickers: [00:05:05] We do. So aside from our secure managed services package, which includes some baseline security functions in it, like M.F.A. and disk encryption and email security and Office 365 security management and hardening things of that nature, we also have an advanced security package that includes managed detection and response. It includes a security, a SIM solution that actually allows us to collect log information security logs, application logs, et cetera, from from all the various systems bring those together to to correlate, analyze and correlate against current threats. It allows us to react to those things in the sense that the machine learning and AI engine can can correlate something that might happen in a firewall at the same time that something has happened moments later on the workstation, for example, and bring those together to escalate those as an event or an actual incident as it would be. Then we also couple that with vulnerability management. So vulnerability management in the sense that we use a quality VM D.R. platform to assess for for risks and assess for known vulnerabilities throughout an entire infrastructure. And then we can create a remediation plan around that. We can create and prioritize remediation planning and vulnerability management as a whole, and we manage that for our customers, including the scanners and the sensors and the vulnerability scans and so forth.
Mike Matchett: [00:06:25] All right. And then and then you've got CMC, you've got Fed ramp, you've got some other things you can help folks achieve as well when they're going out to that.
Corey Vickers: [00:06:34] That's right. That's right. We also have a compliant support package that we can add in as far as advanced compliance support. So customers who require some additional support to achieve compliance or to maintain compliance controls, we can establish a plan to help them to implement compliance controls related to this related to SoC two type two PCI, even CMC, which is probably some of the more, more demanding types of of control implementation practices.
Mike Matchett: [00:07:00] Again, that's going to be very customer dependent on what they need to achieve for what the industry they're in, but you guys can meet them there and help them. That's great. You know, it's really kind of refreshing to see a managed services that take the approach that, you know, you really can't deliver a managed service effectively or efficiently or feasibly unless security is part and parcel of it. Really, really interested to hear you guys come out with that position? I think that's pretty pretty much a market leading position there. If someone wants to learn a little bit more about analytics and some of this next generation managed service offerings that you guys are rolling out, obviously you have a website, but is anything else you point them out?
Corey Vickers: [00:07:36] Well, I think just on telecom that's that's on AEW, just like analytics, but with an AEW and and that website has a broad content related to our new managed services package. So it includes a security secure managed services. It includes advanced security and includes the advanced compliance packages as well. And of course, we are. Our other bread and butter services include data analytics and data center hosting. So we also operate our own private cloud own and operate two different data centers. And we have a wonderful, incredibly, incredibly effective business analytics platform called On Site and DAYBREAK.
Mike Matchett: [00:08:14] I mean, we've talked about those a little bit before with some of your other folks there, so you can check out some of those recordings as well. Thank you very much, Gary, for explaining this. I think there's a lot more to be talked about when we get into security. Maybe we'll have you back and just dove right into ransomware and some other specific things too, because that's a hot topic for folks. But other than that, thank you for being here today, folks. Check out our analytics.
Corey Vickers: [00:08:36] Thank you. Appreciate the time, Mike.
Mike Matchett: [00:08:38] All right. Take care.