With two decades under his belt working in traditional cybersecurity, Gary Fish wasn't exactly a newbie when he decided to start a cloud-based security practice.
Fishtech Group, the cloud security firm he founded, is something of a novelty, however, as many security firms have yet to successfully reinvent themselves in the cloud. As CEO of the company, Fish has gone full steam into the cloud security market, with a variety of offerings, including rolling out a cloud security operations center to offer threat hunting and threat analysis as a service and incident response as a service.
In 2014, Fish sold his $800 million security company, FishNet Security, and took some time off -- but not for long.
After one year, "I decided I really missed being in business and the people, and wanted to stay in the security space, but I didn't want to be a security VAR [value-added reseller] again," he explained. The cloud presented a great new opportunity, he said, and with the connections he had cultivated, cloud security seemed like the logical place to focus on.
"The market was lending itself to someone coming in and focusing not on legacy cybersecurity, but on the next generation of cybersecurity, which to me was cloud security."
Fishtech was officially launched in April 2016.
There were and are a number of VARs attempting to get into the cloud security market, Fish said. "But the issue you have as a traditional VAR ... is you have all of this legacy baggage and it's hard to pivot and say, 'Now I'm focusing on cloud.'" While firms may tell customers they're offering cloud security services, Fish believes there are some key differences they need to contend with, such as the pay-as-you-go model in the cloud. As a VAR, he noted, you bought a firewall and paid for it upfront.
"Now you buy a firewall and you pay for it monthly. [Traditional VARs'] comp plans aren't set up for that, and it's hard to change the mindset of salespeople," Fish said. "We had an opportunity to start fresh and turn everything upside down and do everything different. We like to say we were born in the cloud."
That's not an easy transition when you're a legacy business, he said. It helped that he was starting "from ground zero." What he had working in his favor, he said, was being "very adept at serving customers."
Fishtech still offers on-premises security work. "Cloud security is very different from on-premises [work], but clients really want to have the same view of security across traditional on-premises security solutions and the cloud, so we're the go-between [for] those and bring them together."
In some cases, Fishtech is helping customers securely migrate to the cloud, which sometimes involves dealing with traditional models, he said. For example, a customer may have an on-premises firewall. When it wants to put data in AWS, it could either use AWS' virtual firewalls or its own firewall, and Fishtech will set up the management so it can be managed through the same interface, he said.
That way, "even if [your data is] in the cloud, it doesn't feel that different" to the customer, Fish said. "So there's a lot of ways to blend the old and the new where it feels comfortable, but you have to know how to deal with AWS and Azure and Google and private/public cloud, because not many organizations are going to be 100% public cloud; they'll be hybrid." This means keeping some workloads on premises in their own data centers and some in the cloud, and where they will need help is with governance, applying management and orchestration, he said.
"Our past sets us up well with managing these cloud environments and making them seamless for organizations," Fish said.
Making the transition to the cloud security market
Fish and his team had the business acumen but found they had to retool their mindset for the cloud. "I brought some people over [to the new business] but also brought in new people that didn't have a legacy background," he noted.
It is particularly difficult getting a salesforce to sell in a new way, he said. "Unfortunately, they get used to selling what they're used to selling and what's going to make them money, so you can't always influence them easily to change their habits."
When you start out fresh you are able to build into your culture how to approach customers, he said. With a VAR business, it was about selling renewals and maintenance and support, "and in many cases, salespeople get stuck selling renewals to their customers, so it keeps them from moving forward and being able to change their mindset in how to sell."
Once a VAR decides it wants to sell mostly cloud products, it has to de-emphasize traditional compensation plans, "and the company has to be willing to take a hit for a while to make that happen," Fish said. "Most companies aren't in a position to make that switch."
He said he mostly brought former IT workers from his old company to Fishtech. "We've been making a conscious effort to get new salespeople from different places that aren't predisposed to the way we used to do things," Fish said. "Technology people don't care; they just want to build things."
Eric Ullmann, director of enterprise architecture at Fishtech, said his job may have changed, but security technology hasn't -- it's more a case of how it is implemented.
"We still have to provide the level of security we have provided in traditional data centers," he said. "We have to adopt automation and orchestration techniques in order to gain operational efficiencies."
This presents security challenges that must be addressed due to the accelerated nature of cloud deployments, he added. "In order to effectively manage this infrastructure, traditional IT groups need to modify their current process and architecture to adapt to a cloud operating mode."
Even though Fish said he was well known in the cybersecurity space, Fishtech is still a new business. He recalls a former client telling him if he didn't already know him he wouldn't have met with him because the new company is too small. "So I said the previous business was too, but we built it up." Being the new kid on the block has been interesting, he said, because even though your reputation gives you some credibility, "you still have to start over and earn your stripes."
It will be challenging for a traditional VAR to transition to the cloud security market, he said. "A lot of these concepts of virtualization and automation and orchestration are beyond traditional VARs because they're busy selling what they're used to selling -- and they serve a great purpose. But a traditional VAR transitioning to the new world is harder than starting fresh."
One of the biggest differences between the traditional and cloud models is how long it takes to get a customer assimilated with Fishtech, even if they were a previous client, Fish said. "They have the contract process, and it's pretty lengthy in most cases -- up to six months to get a contract through legal," he said. But Fish added he understands that this extensive contract procedure is designed so the customer doesn't end up with "hundreds of vendors and partners."
Relationships in the cloud world
When Fish and his team began pitching their new company, he said he noticed most vendors were quick to embrace them. In one case, "when we pitched our cloud-forward approach to them, they immediately said, 'This is fantastic, because most of our partners don't get this and you're the next-generation partner we're looking for.'" Fish said he frequently heard from vendors that they have cloud offerings, but it's been hard to take those to market because traditional VARs can't make the transition.
Cloud security also hasn't been too difficult a sell for most customers, who see the cloud as a big opportunity to ramp up workloads and applications quickly and save money in some cases, he observed.
"Years ago, if you talked about automation and orchestration, CIOs would say, 'I wouldn't let software change my processes without my people touching it,'" but with the rapid pace of technology change and the increasing number of cyberattacks, they now realize they need help staying on top of things, he said.
"The reality is most of our data is not in our networks anymore. ... It's really on cellphones and tablets and laptops, so you're no longer able to protect this data like you used to. It's out there in different applications and in the cloud."
Establishing credibility in the cloud security market is easier once you convince a customer you don't have to be a large firm to be good, Fish said. The big security companies will say, "'Hey, we're big. You should work with us,'" he said. "But that doesn't always mean you're the best. So we ask [customers] to give us a project to prove ourselves, and we think we'll become a long-term partner for that customer."