Video: 10 Minute IT Jams - An update from CyberArk
Cyber security is changing fast. In Australia and New Zealand, organisations of all sizes are increasingly turning to managed service providers (MSPs) to keep their defences robust in the face of ever-evolving digital threats. At the heart of this shift is a growing recognition that traditional, in-house approaches to protecting critical assets are no longer enough.
"We focus on identity security because securing those identities is really foundational to any security programme," said Ollie Stimpson, Strategic Business Development Manager for Australia and New Zealand at CyberArk, in a recent interview. "Attackers will always look for identities. 80 to 90 percent of cyber attacks – depending on what you're reading – will revolve around the theft of a credential at some point in that attack chain."
Stimpson, who has worked with CyberArk on and off for the past seven years, is now based in Sydney, leading the company's regional MSP programme. CyberArk, a global leader in identity security, partners with MSPs to help organisations secure the ever-increasing number of digital identities – from employee accounts to administrative privileges and system credentials.
"CyberArk is the leader in identity security. That means we help organisations secure all the types of identity they have – all the accounts, credentials, secrets, passwords, whatever we want to call them," he explained. "We've been focused on that for the past 20 years or so, recognising that at the core of security is the fact that threat actors will always go after some kind of password or credential."
CyberArk's approach is not simply about providing technology, but about working closely with partners – a strategy that has been at the centre of its business since its founding. "Our MSP programme is a special way of working with managed service providers around the world. It allows those partners to own the licensing, own the technology, and build it out into a service they can offer to their customers, large and small," said Stimpson.
The MSP model has become vital at a time when organisations worldwide face a global skills shortage in cyber security. Security professionals are increasingly hard to recruit and retain, particularly for mid-sized and commercial organisations. As Stimpson noted, "There's a global recognition that there's a real lack of talent and cyber security professionals. When organisations, large and small, face new challenges, the first call they make is to that trusted managed service provider."
Cyber security insurers and auditors are also asking tougher questions. "Here in Australia, we've got the Essential Eight, where controls like multi-factor authentication, restricting admin privileges, and application control are seen as best practice and foundational," Stimpson highlighted. "Broaden that across the world and we see cyber insurers asking more and more questions around how identity is being secured. For us, managed service providers are a key route to answer that question in the market."
MSPs themselves are not immune to threats. Recent years have seen attackers exploiting the trusted position of MSPs to gain access to the networks of thousands of downstream customers. This was notably demonstrated in the high-profile Kaseya ransomware incident in 2021, which impacted hundreds of businesses globally.
"An MSP is also a target for a threat actor, unfortunately," said Stimpson. "We saw earlier this year that the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre issued a joint statement – along with their Five Eyes partners – noting how managed service providers were being used as a way to get in, as an initial point of compromise to target organisations far and wide."
Stimpson likens the situation to visiting a surgeon: "You might trust the doctor, you might trust the surgeon to operate on you to fix what's needed – but you'd still want them to be wearing gloves, right? You still want that layer of separation. Sometimes that doesn't exist, and threat actors will make the most of that."
The risks are real and growing. Verizon's investigations report, mentioned by Stimpson, notes that nearly half of data breaches start with the theft of an identity, such as compromised credentials.
So how does CyberArk and its MSP partners work to raise these barriers against attackers? The answer lies in combining best-in-class technology with adaptable service models. "Our MSP programme extends that vision," Stimpson said. "It allows organisations of any size to work with CyberArk to use our technology – and MSP partners are absolutely the glue that holds the two of us together."
MSPs in Australia and New Zealand are already showing what success can look like. Stimpson described the journey of Blue Apache, a Melbourne-based MSP, as a standout example. "They started working with us in 2021, on the understanding that they too had identities, they too had administrative accounts that ultimately posed a risk," he said.
What set Blue Apache apart wasn't just a concern for their own security posture, but their ability to turn CyberArk's technology into a marketable service. "They've been able to use CyberArk's technology and actually build services around it, then offer that out to their customers," Stimpson explained. "It's a capability of using market-leading technology, local innovation, and expertise to create that kind of apple-pie model, where ultimate technology is just a way for this MSP to go out and deliver a really innovative service to the market."
This proactive lead has not gone unnoticed. Blue Apache was awarded Global MSP of the Year by CyberArk, a testament to how local expertise and global technology can combine to drive forward the security posture of entire sectors.
Looking to the future, Stimpson is confident the collaborative MSP model is only going to grow more pivotal. "We hear of organisations facing more and more challenges," he said. "It's those tiers where we really focus – when looking at the mid and commercial tiers of organisations across Australia and New Zealand – because they turn to an MSP."
As identity becomes the new front line in cyber security, how organisations partner, plan, and protect will decide who stays secure. As Stimpson puts it, "For me, it's great that we've got such a leading example right here in the region."