ConnectWise is accompanying its ongoing foray into the exploding market for cybersecurity services with an intensified effort to build security more deeply into its product development processes.
The company discussed both priorities with ChannelPro at its IT Nation Explore conference in Orlando, which concluded today in Orlando.
The internal security initiative, which comes in the wake of a ransomware strike last month and an attack several months earlier that exploited a previously patched vulnerability in a ConnectWise integration tool, is being led by John Ford, the vendor’s chief information security officer.
“Our goal is to make sure that our products coming out onto the market have got the best security that we can provide,” says Ford, who was previously CEO of Sienna Group, the security consultancy and managed security service provider that ConnectWise acquired in December.
Establishing a uniform set of security best practices across all of ConnectWise’s development teams is a core element of Ford’s plan for realizing that objective. This group was doing this from security [and] this group was doing this,” he says. “All good things, but they weren’t communicating across the different products.”
Teaching developers about those best practices is a related component of Ford’s strategy. “We’re taking these product teams and really educating them much more on security, so it really becomes part of their core competency,” he says.
To embed security expertise directly within its development organization, ConnectWise plans to appoint security “champions” in each product group as well. Those resources will be advised and supervised by Ford and Tom Greco, the vendor’s recently-hired director of information security. “As it’s created, security is going to be baked into it,” says Ford of the company’s code going forward.
Making security a priority in the coding process is a simple matter of consistency for ConnectWise, Ford observes. “The same things that we’re preaching to other companies, we have to live ourselves.”
A 22-year industry veteran who has served as CSO or CISO for large businesses, Ford views himself as a sort of in-house security consultant for his current employer. Already, he continues, his expertise has helped ConnectWise spot potential vulnerabilities in its products to brute force and SQL injection attacks.
Insights from Ford and the former Sienna team will also play a role in ConnectWise’s forthcoming cybersecurity center of excellence, a security education resource for the vendor’s MSP partners due to officially open its doors in or near the first quarter of 2020.
“The high-level vision is that we want to make available to all of our partners and their customers anything and everything that they need to secure their environments, and those of their customers,” Ford says. “We have a massive amount of information and knowledge about the MSPs and the partners, so we are in a natural thought leadership position to take that information and bring to bear those products and services and thought leadership to our partners.”
The cybersecurity center of excellence, which is one of several centers of excellence designed to help channel pros embrace new business models and opportunities, is part of a larger cybersecurity strategy introduced by ConnectWise founder and former CEO Arnie Bellini last November. As Bellini stated at the time, and ConnectWise executives re-iterated in interviews with ChannelPro last week, building new security products and buying security vendors are also key elements in that plan.
“We’ll do some acquisitions, as well as development of stuff, to help bring the partners along in that space,” says Jason Magee, who took over as CEO in February when ConnectWise was purchased by private equity firm Thoma Bravo for a figure rumored to be well north of $1 billion.
Sienna was the company’s first security-specific purchase, but ConnectWise is in M&A talks with some six other firms at present. It will add solutions from those vendors to its suite of applications and services for managed service providers.
A risk assessment tool called ConnectWise Identify, which was developed in partnership with Sienna, as well as a threat detection and response platform from Perch Security have been charter members of ConnectWise’s security portfolio since March. To date, over 1,000 MSPs have used the tool to perform roughly 2,000 assessments. Ford expects to see that figure rise steeply in the future as partners become more familiar both with the existence of the product and with the importance of scrutinizing client environments thoroughly for potential weaknesses.
“It’s an educational process,” he says. “We have to educate our partners to get out of the mindset that everything is antivirus and client firewall.”
Ford hopes to see more partners take advantage of Perch’s offering over time as well. About 100 MSPs are using the service at present to protect 2.2 million IP addresses. Those endpoints have triggered 1.9 million alerts so far, nearly 2,000 of which turned out to be legitimate threats or breaches requiring escalation and follow-up.
Jeff Bishop, ConnectWise’s chief product officer, emphasizes that vendors like Acronis, Bitdefender, and Webroot, all of which are early adopters of the new e-commerce marketplace that ConnectWise introduced at IT Nation Explore, will remain critical participants in the company’s security vision going forward.
“We do not want to do this alone,” he said during a Friday morning keynote. “There are too many great best-of-breed products out there in the industry that you’re already using today, and we want to make sure that we have the architecture, the APIs, and the UI to support a meaningful integration.”
Which security functions ConnectWise performs itself and which it continues to lean on partners for, though, remains a longer-term work in progress. The same can be said of the company’s cybersecurity initiative generally, Ford notes.
“We’re not looking to sprinkle pixie dust on something and have it be magical,” he says. “This is a journey.”