Bonus Post: Three Final Notes from ConnectWise IT Nation Secure
Read up on research from Barracuda Networks with implications for security vendors and their partners, plus patch management from Nodeware and a partner program from HackerOne.
I’m flying in to Denver as I write this to attend the 2024 edition of Beyond, Pax8’s now second annual partner conference, but despite last Friday’s oversized post I still have a few final updates to share from exhibitors at ConnectWise’s IT Nation Secure event last week.
Further reason to think platform not product
My previous post briefly referenced a study that Barracuda Networks published last week, which showed that 77% of MSPs feel pressure to offer AI guidance, insight, and tools to end users and 87% believe they need “significant or notable improvements” in their knowledge and application of AI products and services.
There was data on a wide range of other topics in the report too though, some of which validates observations I’ve been sharing recently with implications for how security vendors go to market and what they go to market with.
As I’ve noted elsewhere, 80% of channel partners want to finish the year with five or fewer vendor relationships, according to IDC. Per a recent report from Sophos, moreover, 83% of MSPs buy from five or fewer security vendors already.
Now we learn from Barracuda that MSPs plan to add six new services on average in 2024, mostly in security. Combine more services with fewer vendors and you get a market in which companies offering a family of integrated solutions, rather than one or two stand-alone products, have a distinct advantage.
That’s how Barracuda sees it, certainly. MSPs want to sell more security services, notes Jason Beal, the vendor’s vice president of worldwide partner ecosystems. “But to do it by trying to add six vendors is really different than adding six services from some of your existing vendors,” he says.
Beal has an anecdote involving a large ($50-$100 million) partner in the northeast that quantifies the difference.
“The cost to add an additional vendor to his business is $60,000,” he says. “I can tell you that we have partners that have built great practices with Barracuda, and if they’re doing our backup, email security, awareness training, firewall, and now they want to bolt on an XDR service, I’m pretty darn confident that that’s not going to cost $60,000.”
One last, interesting, word about Barracuda’s study: it found that 92% of MSPs call cloud marketplaces from vendors like AWS and Microsoft a crucial tool for strengthening their go-to-market strategy. In fact, 47% of them are using marketplaces already, and 50% are exploring the option.
According to Beal, they’re wise to do so. Barracuda partners that employ marketplaces plus managed service practices plus VAR sales, rather than one route to market alone, grow faster on average and do “much more” business, he notes.
How much more?
“Our hybrid partners’ average business is 235% higher than the non-hybrid partners,” Beal says.
Nodeware adds patch management to vulnerability management
Speaking of getting more solutions from fewer vendors, Nodeware (an IT Nation Secure exhibitor) has added patch management to its flagship continuous vulnerability management solution, and has further platform extensions in the works.
Targeted at Windows machines and available to existing users at no extra cost, the patch management feature uses the same Nodeware agent already present on endpoints to scan continuously for updates, install unapplied patches automatically, and perform post-update verification. Significantly, Nodeware emphasizes, the system applies multiple missing patches simultaneously.
“Patch Tuesday this month was 61 vulnerabilities, prior month it was 147, and being cumulative, they quickly add up,” notes Brian Drake, the vendor’s director of technology development.
The new tool lets users create and customize automated workflows, and schedule reboots in advance. “We don’t believe in automatic anything because you know what happens when you do automatic—you blow stuff up. So we give you the ability to say when you want it to reboot,” explains Matthew Koenig, Nodeware’s vice president of channel sales.
Additional features due later this year will add patching for Microsoft Office applications, .NET, Java, and Adobe Acrobat Reader, with support for Zoom, QuickBooks, and other third-party products to follow. Patch management reporting is in the works as well, along with support for macOS and Linux.
“We’re starting with Windows because it’s the 900-pound gorilla and we wanted to get that one out there first,” Koenig says.
According to Drake, patching is a natural addition to Nodeware’s existing service. “Patch management and vulnerability management go pretty hand in hand,” he says.
The next major extension, Nodeware says, will be into attack surface management. As we’ve noted previously, IDC expects ASM to gradually become a built-in feature of vulnerability management systems and other security solutions.
HackerOne wants (more) partners
Four years ago, following heavily publicized reports of vulnerabilities in its remote access solution, ConnectWise implemented a “shift-left” initiative aimed at strengthening the security of its entire portfolio. A bug bounty program was part of that effort, and the bug bounty provider ConnectWise chose to partner with was HackerOne.
So while HackerOne didn’t attend last week’s show, the June 11th launch of its first partner program qualifies as IT Nation Secure-adjacent in my book.
For the moment, HackerOne’s PartnerOne program is only open to companies it already shares referrals with informally, according to John Addeo, the vendor’s recently named vice president of global channels.
“We work a lot with cybersecurity consultancy firms that are recommending what we do to their customers and want to be part of the journey, but are not a sales partner,” he says. “We’re formalizing all of this, and that will then be the foundation for us to evolve into other channel plays.” Those include solution providers, MSPs, and MSSPs, Addeo adds.
A specialist in what it calls “human-powered” security, HackerOne contracts with hundreds of thousands of thoroughly vetted independent ethical hackers who collect cash bounties every time they find a security flaw in a client’s software. To date, the company’s rooted out roughly 360,000 vulnerabilities for its customers and paid out over $300 million of bounties, including $50 million just in the last year. The money behind those rewards comes from end users, who can decide how much or how little to budget. The company offers pen testing and other services as well.
Though HackerOne’s customers have historically been big businesses like ConnectWise, smaller organizations and MSPs with limited in-house security expertise need its services too, according to Addeo.
“It’s not a dollar size issue. It’s just an organizational size problem,” he says. “If you need, through regulation or through other things, to run a pen test, you shouldn’t have to struggle to have access to quality researchers to do that work.”
Partners can mark that work up and profit further on the inevitable follow-on projects clients will embark on after seeing HackerOne’s vulnerability assessment. They can also make money on referrals.
“The program is going to allow them to participate in a revenue model that allows them to uncover opportunities and bring those to us in a deal or opportunity registration program and be rewarded for that behavior,” Addeo notes, adding that those rewards are recurring.
“It’s not just a sell and walk away,” he says. “They’re part of that customer journey solving those problems, and we look to reward those partners that are on that journey with those customers with a year-over-year revenue share.”
According to Addeo, IT providers and their clients have only recently grown comfortable with HackerOne’s unconventional service and staff.
“If we started this formally years ago, we might not have seen the right level of engagement,” he says. “The market has matured and demand has caught up to a point where it makes sense now for this program to be formalized.”
Addeo expects PartnerOne to begin admitting MSPs and MSSPs late this year or early next year. “If you come back to me in 2025 and we have not at least started down this road, we’re probably going to be pretty close,” he says. Potential members needn’t wait until then though to engage with HackerOne, he adds.
“Reach out to us, because what we can do is capture who you are, understand your interests, and maybe start to understand what we can do today,” Addeo says. “That then sets you up for when we’re ready to have those programs formally built down.”