Video: The Cybersecurity Playbook for Partners in Asia Pacific and Japan | Duration: 2732s | Summary: The Cybersecurity Playbook for Partners in Asia Pacific and Japan
Transcript for "The Cybersecurity Playbook for Partners in Asia Pacific and Japan": Hello, everyone. Welcome to the webinar today. I'd love to introduce Mark Iles from TRA Tech Research Asia. Mark, welcome to the webinar. Thanks, Ajay. Great to be here. Yeah. Excellent. So thank you, everyone. Our APJ audience, thanks for joining us today. We're really excited about this one. We've got some fantastic information for you. We've developed 2 ebooks that everyone on the webinar today will receive, and these ebooks were commissioned by Sophos and we asked TRA, Tech Research Asia, and Mark and his team to really go through these and produce a whole stack of information that you can use to understand what your customers are asking for, where the opportunity lies. As I mentioned, 2 ebooks that are coming out, you'll see there the first ebook, the information that's involved in that and then the second one as well. Now everyone today on this webinar will receive a copy of that ebook. So don't stress, you'll get that, and we've got the fantastic Mark here to take us through that and really uncover some really interesting nuggets of information that we discovered while doing that research. So with that, Mark, I think I'll hand to you to get started. No worries. Pleasure. Thanks, Ajay. Look, my pleasure to be here, joining you all from around the region. So as AJ mentioned, we're very proud of our association with Sophos. It's been now for quite a few years doing research around the region, looking at the state of cybersecurity and getting some really rich insights that we hope are of value to MSPs and help you sort of shape your service offerings, your strategies, and help you think about your business. So today, as I mentioned, there is an ebook that's got all of this data, and we've got you know, we're analysts, and we love to look at data. We love Excel, and we love cutting it and slicing it 9,000,000 ways. 
You're gonna get a lot more detail that you can get for your country specifically as well, for those of you based in a particular geography. But today, we're gonna give you a little bit of a walk through of some of the highlights of that data, and just kind of give you a few snippets as to what we found in the most recent research. So, just as a bit of a starting point, so the survey demographics. So this is the construct. So how we think about putting the data together. So we survey just over 900 individuals at 900 different organizations across the region. That covers Australia, India, Japan, Malaysia, Philippines, and Singapore. And based on feedback, and also our analysis of the market, we cut that slightly differently. So you can see here that little pie chart gives you the breakdown of that survey demographics by size. So we know a lot of people don't necessarily target the super high end of town. And from a cyber security point of view, the very high end enterprises and very large government organizations behave quite differently. So we've got a good mix of that sort of 250 to 500, 500 to 1,000 seats, 1,000 to 1,500, 1,500 to 2,000. So a good mix of that kind of what we would call mid market and corporate space. So there's kind of really solid businesses around the region. And we also try and get as representative a sample as we can by industry. There are, when you talk about cyber, you do get some differences by industry. Obviously some industries have different regulatory frameworks that impact how they think about cyber. So we also like to get a nice breakdown there. And you also see, for example, more manufacturing wholesale in some Asia Pacific countries and obviously more FSI and some of the larger ones and centralized big metro areas. So we get a nice mix across professional services, education, health, arts to give us really a really good sample set. So the takeaway here is really we go very broad, say, nearly a 1000 organisations that we talk to. 
And we also enhance that with talking individually to CSOs, to the heads of IT within some of these organisations to really try and add a little bit more richness to the data. And as we mentioned, you'll get a whole bunch of this information in the detailed ebooks as well. So let's kick off. So on our little tour here. And what we try and do is some comparisons, because you do get very different results sometimes when you look at, for example, a market like Japan versus a market like India or like Australia. So when we looked at the first question in the survey, the first thing we really wanted to look at was what's the business drivers for cybersecurity and the three things that really come about. And again, very recently, Serge, this is our latest look across the APJ region. Top 3, strengthening the cybersecurity posture around financial operations. So seeing a lot of kind of focus around making sure that that kind of financial operations, ERP systems, everything related to that and linking into supply chain is really robust. And the second one, really looking at the protection of customers. We've seen a lot of focus obviously on privacy, a lot of focus around data breaches, and you can't really separate cyber and privacy to an extent, but those phishing attacks really targeting customer data. And obviously the brand damage and the reputational damage potentially, that we're seeing there, customers really seeing the risk that lies around the customer data that they hold, seeing a strong focus there. And the third one is, interestingly, is we're still seeing a very strong focus around looking at risk management capabilities. And we often talk about, cybersecurity and you really can't talk about cyber without talking about resiliency, without talking about risk. And it's great to see that kind of risk management component. So that more risk and governance focused approach sitting in the top three for these types of organisations. 
So we'll touch on some tips and tricks for MSPs and for partners here and what customers are looking for from you. But again, it's not all about solutions. We can too often jump into solution mode when we need to step back sometimes and think in terms of frameworks and risk governance. Couple of the other things that came up as well, supply chains we touched on cyber resiliency, we think is very important. We'll talk about, some very interesting data we've got around, backups and immutable backups and how you sort of focus on that, and those type of robust cybersecurity platforms. And the change that we're seeing in some of the behaviour from customers around how they think about cybersecurity platforms and an approach there to a more unified, simplistic view tied with tighter governance is becoming a bit of a trend. And interesting, for example, when you tie here, take the example here of Australia and India, we've got a very strong focus, the largest component there in financial operations versus Japan, which generally has a very different risk profile, The largest component there by far being around risk. So you do get these, these very kind of interesting differences between countries that become quite relevant for MSPs when you're thinking about how you approach and how you talk to your customers about Simon, what's gonna be front and center for them. So let's talk about maturity. So what we asked here was of the security capabilities that you have that are identified as important, which of the following do you currently have in place? And what we're seeing is, unsurprisingly, cloud is now a relative we would argue is a relatively mature technology. You've got 3 major hyperscalers plus some additional focus in private cloud, particularly in some of the regions where the hyperscalers are yet to land in APJ. But that cloud strategy is really starting to see maturity. 
So we're getting a lot of maturity from customers saying, I've got a pretty robust cloud security strategy, but maybe not so much in some of the other areas. And we're seeing perhaps more of a focus now around some of those security frameworks. And these vary a little bit by country. There are some global ones like NIST, for example, and then you've got some very heavily regionalized ones that are made by the governments of various organizations. You see Essential Eight in Australia, you see CIR TEN in New Zealand, and you see some of those other ones in other countries like Malaysia and India as well. So that focus now is really dropping down where there's less maturity around things like zero trust, security standards and certifications. We are seeing more focus around some of the ISO standards from customers and also those certifications. So work has now really gone from that kind of, you know, do I have a robust cloud security strategy? Am I starting to think about now, actually, there's more framework orientated approach and more certification orientated approach. You know, can I how do I actually talk about my cyber posture? So, you know, how do I sort of cover if I'm talking to the board or I'm providing an update on our cyber posture, and our cyber risk? And what language do I use? How do I talk about that? And we think there's a really interesting opportunity here for partners to really be on the front foot with not just playing a role in terms of solutions, but playing a role in terms of helping customers understand where should they be from a framework point of view, from a maturity point of view. How do you measure that? And are some of these certifications and standards and frameworks particularly applicable to that? And again, we see a variation here by industry. So if you're in health, for example, very different set of regulations potentially to education, to government, and to finance and insurance in particular. 
And again, just keep in mind as well, there's a lot of detail in this just because that's the nature of doing research and analysis. We will have the ebooks for this later and we do have country by country breakdowns as well. So those of you that really want to double click on what's happening in Malaysia or in Japan, you do have the ability to do that. And we provide that sort of richness in the data as well. So one of the most interesting topics. So for those of you out there who are MSPs and managed security service providers or MSSPs, one of the more common policies, what we really wanna know is how much runway is there in cyber? Are we starting to see this flame out, so to speak? The good news, I guess, is cyber seems to have a long runway or what we would call from an analyst point of view, a long runway. So we've still got 72% of countries, sorry, 72% of organizations across APJ said they don't have enough budget currently allocated to cybersecurity. That's not a surprise. It's a slightly loaded question by the way that we ask it, but it's still interesting to get that perspective that we still have a lens here with organizations saying, I just don't have enough money to deal with, what I'm doing with cyber. The flip side of that is actually we've got more than that. So we've got 83% actually looking to increase their cyber security in the next 12 months. What we have seen is a slight shift in the amount that these budgets are moving by. So over the last 2 to 3 years, we've seen much bigger jumps. So we've seen people jumping their cyber security budget by, say, 15% or 20% or 25% year on year. So they started to realize they've got to really step up their investments as the if like the attack vectors and the risk profile for their organisation changed. And the sheer number and the sheer number of threats that we were seeing really started to ramp up over the last 2, 3 years. And we'll talk inevitably about AI, because, you know, it's AI. 
But certainly AI with a cyber context really starts to potentially accelerate that, the risk. So not surprising here that we're seeing an increase in budget. Very good news for anybody out here and absolutely most people on the call, that are MSPs selling managed security services or security products and solutions. There is a little bit by country. You can see there a little bit more focus in India. So we're seeing some relatively strong growth there in India in that kind of 10% more and more bucket. But again, 83% of organizations increasing their cybersecurity budget is a pretty good number. And we think in line, to be honest, with where the risk profile for cybersecurity is going. So a lot of runway is still ahead of us here in each of the different markets that we tested for cybersecurity. Few key things that stand out from this. Focus areas, infrastructure and network security, threat detection and response. So seeing a much bigger focus now around actually, I need to, one, detect, but I also need to be able to respond. And I need to really be able to do this 24/7. I need to do this in an automated and really fast way. So speed is really beginning to matter. And we need that kind of always on type approach to this. Application security still a little bit more focused around identity and access management. We're starting to see a little bit more focus there around credentials as we start to see attacks like credential stuffing, and of course, response and recovery. And then some of the other areas that, for good increases that we're still seeing data protection, hasn't really gone out of fashion. Training and education remains a challenge. We still see a lot of organizations when we talk to the IT managers or the heads of security in those organizations saying they still just don't have enough cyber understanding at senior executive levels in their organizations, whether that's boards, whether that's CEOs. 
So we still have quite a bit of work to do there around education and awareness. And we're still having those conversations around cyber insurance. That landscape has been shifting, getting harder and harder in some ways, to get approval for cyber insurance, the requirements. And to an extent, back to what I was talking about on the previous slide where we talked about security standards, accreditations, we're starting to see a linkage now between the requirements for insurance being linked to those accreditations and standards. So they're trying to anchor off those particular components because it's very hard otherwise. And it's obviously, we're seeing a significant ramp up in claims and a significant increase as a result in the cost of policies and to an extent, the amount of cover that we're seeing those policies provide to. So let's come to partner opportunity heat map. We always love putting this data together because it's kind of okay, where we talk about skating to where the puck is going to be. If that's an analogy that hopefully makes sense across the region, but this is really about how do you start to think about building offerings and communicating those offerings to your clients that they're going to want in the future. So we think this is always a great map of this is where customers are looking to spend money in cyber in the future. So over the next 12 to 24 months, and we touched a little on this before, and AI is the one thing that's popping up here fairly significantly and we'll drill a little bit further into AI. As with all of these style of quadrants, anything to the right, to the top right, anything right and high is good. So we've got a whole bunch here that we touched on, threat detection and response application, AI, PI and data security, so training and education. These are all gonna be really interesting areas that organizations across the region are looking to invest in. 
And we do have at the moment, probably one of the more interesting stats that came out of the research this time, 44% of organizations across APJ have an AI investment strategy for cybersecurity. So we always get into this kind of debate and have been interesting one to have, and we can maybe cover some of this in the Q and A, but is AI better for, attackers, or is it better for us from a cyber point of view to try and mitigate those attacks? Because obviously AI is playing a role for both parties, and we're in a little bit of an arms race to some extent. So we do see, organisations now saying, actually, the attackers have AI. I need to make sure that AI is a part of my cyber strategy. And we would concur, we would certainly agree with that. And the data is reinforcing that as well. So there's some caveats here that we'll touch on. There's a lot of, we'd call it broadly AI washing, which is in other words, if you're gonna do something with AI, we've gotta really make sure that it's well messaged, well landed and genuinely aligned to AI. We're seeing unfortunately a lot of people just saying AI without any real substance. So it's a little bit of mistrust of deciding to build in the marketplace or customers becoming a little bit nervous about AI. So we're just gonna be very clear in our messaging and we'll touch on a few key points that we can do there. Now, other good news for partners, an MSP audience was one of my favorite audiences, demand for partner engagement is still strong. And this echoes our thesis when we talk to CIOs and decision makers around security as well, which is cyber is getting really hard. It's not a question anymore of obviously just putting some endpoint in, having a risk governance framework, locking down passwords, doing multifactor authentication. It's becoming very complicated. The attackers are becoming very sophisticated. 
And this is a game we would argue at the moment where customers and organizations really need to look to strong vendors and strong partners to help them. And we would say it's building the right strategic partnerships for any organization trying to build a robust cybersecurity strategy is essential. And these are just some of the areas that organizations came back and said they valued in dealing with MSPs like yourselves on the call today, the consolidation management of multiple infrastructure. You simply can't just kind of get one solution that solves everything. There's invariably a few moving parts in any cybersecurity strategy. Managed SOC operations, certainly being able to do that 24/7, building those capabilities, partnering with the right organizations, being able to alleviate in house skill shortages. We're not in the same situation we were 2 years ago. Anybody that was doing anything in cyber around 2 years ago, we had a real skills crunch, going back a couple of years. Our data indicated that as well. We're not out of the woods, so to speak, but we're in a much better position now as we've started to see more programs at university and colleges starting to generate cyber skills and younger engineers and technical people that's really starting to help fill that gap. The customers still see that, you know, being able to alleviate some of those in house skills shortages, credential management, catching some of the basics of good cybersecurity hygiene, addressing budget concerns, being able to have somebody else do that as an OpEx spend in some ways, being very strong and really just helping them strategically. And you'll see here, we also asked customers to measure, what are you doing in house versus what do you wanna do with a partnership? 
And for most of these organizations, and certainly the larger ones in our sample, a mix of their own in house expertise partnered with a third party that provides an expertise, things like managed software example, 24/7 monitoring response threat protection is probably the right combination. So they realize they can't potentially have a third party do everything, but they can certainly have a lean on those strategic partnerships to get people to help them build better cyber resilience. And we have this data of course, broken down by country, if you're curious to your own particular market. So let's talk about AI, it's time. And interestingly, there's an anomaly here with Australia, which we'll perhaps touch on in the Q and A with Aaron. But in literally in every market except Australia, AI augmented cyber attacks are the most worrying threat. And we'll sort of touch on this, but obviously we've really seen the rise in AI, both for the good and bad, obviously driven to an extent by Copilot, ChatGPT, but also some of the other Gemini oriented technologies. And we've seen this in cyber for quite a while. So we've been talking about AI in cyber for a long time, but now we're starting to see that coming in from an attack vector point of view. It's really starting to change the game. So the sheer volume and the smarts that can be done here means that we need to really start thinking about AI on the flip side of that because the speed and the veracity of the attacks and the ability for those attacks to change dynamically is really changing with AI. So we do see the interesting that the data shows customers realize this, and they're starting to think about how they align with both partners and vendors that have a robust AI strategy that can deal with this. So in the language, we'll touch on the language perhaps to use with customers, but it's certainly something we need to be talking about with customers. 
They see it as the number one, number one threat concern for organizations across the region. So definitely an opportunity for partners that we're talking about. And again, you'll see some of the other ones here around credential stuffing that we touched on. Phishing, unfortunately, still one of the most common cyber security attacks. A lot of that can be driven by education and awareness, and we still have work to do here. But the AI, certainly in this research from the last time we ran this body of research has really surged into that number one spot. And again, this research is really all about, we call it the playbook, for MSPs and APJ. Really, hopefully helping you to think about what's that conversation I need to have with my clients. How do I position my solutions? What do I need to talk about to make sure that I'm resonating with my customers effectively? Those cyber change triggers. So the other question, so I've got a customer that perhaps with a different organization or they're running their own cybersecurity in house. What makes them want to change? What are the causes of that? 2 things, not surprisingly, number 1 and number 2, relatively consistent, but a poor performance of the solution and any type of breach or outages is obviously a major trigger where they see a weakness potentially, the board or senior management say, look, we paid this money for cyber, but we still got breached. We all know sometimes that may be a reality, but it's still a massive trigger for change. The other one is budget change. So we talked earlier about 83% of organizations in the region looking to invest more on cyber. What we're seeing now is demand for increased simplification. So we obviously had a huge surge in the number of startups in the cyber space over the last 3 to 4 years. 
Unfortunately, a lot of those playing out and where customers have made decisions to try and get individual small best of breed technologies, they're really changing that focus now to try and simplify their cyber environment. So simplifying to more unified components, even though there's some integration needed. So you'll see here the stats, which we think are super interesting. So you've got 20% of organizations using just 1 vendor or platform, 29% using 2 and another 23% using 3. And you've only got now 10% using 5 or more. So this trend towards simplifying cyber, because it provides the ability to 1, kind of provide perhaps more cost effective solutions, but certainly simpler solutions in terms of thinking and providing coverage across all of these areas from privacy to identity, to firewall, into perimeter, to zero trust, to all the other areas that we need to do a simplification is the way forward. And also we're seeing the other trend that's interesting for partners. We think more than 50% now, 54% looking for outcomes based terms, which is kind of interesting in a cyber lens, but they're looking for different types of commercial constructs, in their solution. So they're looking for this more strategic partnership simplification, unified platforms, better reporting, easier ways to manage risk and frameworks. So when we start to think about how we're positioning these solutions, we think these are gonna be the key traits for the partners to think about. So summarizing that, tight budgets and cost optimization are a great opportunity for partners if you can demonstrate those flexible commercial models and simplify unified platforms and tool sets that reduce management and reduce education costs. And again, we've got all this data, of course, broken down by individual country. You can see the level. And again, you'll see some of the numbers there, for example, in Malaysia. So some of the challenges. So those are the opportunities. 
So that's a little bit of a summary of what we think are some of the opportunities. Great drivers in budget. So cyber is not going anywhere. People increasing budgets, they're looking to do things slightly differently, but what are some of the challenges that we're gonna come alongside back with partners? So we got a little bit of work still to do. So, 80% of those businesses still believe that we're not providing enough information at an elevated level. So simplistically, we're still talking product and solution. We should be talking risk and governance and frameworks. And how do I explain cyber to a board? How do I say that if I'm increasing my cyber budget by 10% this year, what does that mean? How do I translate that to a board in terms of are we now 10% more resilient, 10% more secure? Do we now have we've reduced our risk profile by 10%. How do we start to explain what that looks like? And we've got to be very careful not to be AI washing. Customers are starting to see this and it's becoming a little tiring. So we've got to make sure that we can explain AI and the role of AI and how we think about AI in a cyber context clearly to customers. And again, don't forget, we've got AI on two sides. There's AI with a cyber lens, which we're looking at here. And then of course, there's AI. They've got employees and of course staff using AI, using things like ChatGPT. They've got staff doing that potentially without guardrails. So while we're busy trying to protect the environment, a lot of these customers at an organizational level and an employee level adding to their risk profile through their employee use of some of these tools. So we're literally trying to race alongside here with cyber and AI alongside the usage of AI inside organizations. So really helping to educate customers on how to think about these things. We think there's real value for partners if they can do that well. And we've still got a job. 
We've still got a bunch of work to do around awareness and education. We still have too many people, no matter how many times you do tests and send out phishing emails, still an awful lot of people still clicking on those and still a bit of work to do as we sort of covered off with boards and with senior managers. How do I educate boards on risk and on cyber? How do I talk to them about that? And it's really, we don't quite have that language, well instilled yet. And it's all part of that mix towards, how do we talk about our cyber posture and improve our cyber posture in a language that can be used for people that are non technical. Just looking at so we we rather cheekily, asked these organizations. So when you're looking to to engage a cyber partner, like the MSPs that we have on the call, what's important? And isn't it interesting here that when you look at, and and this shows the the coloring here, the dark and then the lighter, and then the third is the number one priority, the number 2 priority, and then the number 3 priority. So when you look at these, it's an interesting the biggest request here is actually cybersecurity strategy, cybersecurity as a as a service, and skills and education. It's not solutions. It's not I need another widget, I need a faster gadget, I need better AI enabled x, y, z. Help me at a strategy level. Help me talk about my risk posture. Help me explain it to the board. Talk to me about strategy and governance. And we often describe cyber budget as kind of spreading butter on toast. So, you know, we talk to a lot of customers as part of this research and we say, well, how do you feel? And they say, well, I just don't know where to spend my cyber to get the best return and I don't even know how to measure return. And the best way to think about this really is to step back a little bit and think about frameworks and certifications, think about risk posture. So bringing the conversation up a level. 
And again, it becomes about education and awareness. And that cybersecurity as a service is really a measure of what we would call strategic partnership. Starting to form these strategic partnerships with customers, that's really where they wanna go. We've got to take the conversation up from an individual response to a product solution category. And we think partners that can do this will be very well positioned to do well over the next 2 to 3 years. So we also cheekily asked them, so what are some of the mistakes that you see partners and vendors making when selling to your organization? And not surprisingly, it aligns to the previous data, which is they don't understand the business problem. The business problem isn't that I need a new AI enabled endpoint. The business problem is I have a series of customer data I'm not sure is protected. How do I provide a consistent set of security standards across my private cloud workloads, my hyperscale workloads, and other data that may exist in my organization that I haven't seen yet? Business case support, always an interesting question, but how do you measure ROI and security? It's very different. Do you measure that, in terms of actually reduced risk posture, being able to determine what is an acceptable level of risk? Because we all know you can't get to 0 risk. So how do we think about that in a business case support, scenario? How do we do that? For account management communication, that's true in most scenarios, not just cyber. And again, selling on product features, not business value. And business value is a different context, when you talk about cyber, obviously. So being able to really think in that sort of business style context, we think is gonna is gonna be key. 
So elevating that conversation again above products and solution, we think the partners that can do that will drive longer, stickier, relationships with clients and really be that strategic side of the partner of choice because we are seeing a change here now from customers that have previously just bought a lot of cyber solutions. Now stepping back and going, okay, I've got to look at this differently. I can't just keep spending more money. I need to choose my strategic partnerships. I need to think about platforms. I need to think about frameworks and certifications and standards. This cyber thing isn't going away anytime soon, I've really got to take a more strategic view of this. And they're gonna be looking to partner with people that can help them understand that and build these longer term relationships, which to be honest, we think is really good for MSPs and and good for organizations too. So just as we're sort of wrapping up a bit of a whistle stop tour, again, we've only got a limited amount of time today, so we can really just give you kind of a few of the highlights for the flavors. But as we mentioned, a lot of detail is available post this. So just recapping, education and awareness remain critical factors. Don't underestimate the importance of that. Those cybersecurity budgets, they're growing. So 83% still growing. Fantastic. You know, we we love to see that, but we've got to really think about how we do that new commercial models, new ways of thinking about new ways of justifying, helping your customers get those business cases through. Advanced technology, I didn't use AI in the product here, but let's be honest, we need to talk about AI, but thinking about that advanced technology, but the context of it, not AI washing, genuinely thinking about is their number one thing that they're worried about threat wise. How do we align ourselves to that without panicking? 
Skills and burnout, we've done quite a bit of work with Sophos on the cyber fatigue issue previously. We are starting to see a little bit of burnout. It's one of those things to keep to be aware of when you're dealing with customers, and they have their own in house teams, that are obviously doing cyber, but also for your own teams. For MSPs, you might have your own cyber engineers. It's it can be a very tiring job. Right? It's kind of relentless. And with AI now, that's beginning to accelerate. And that strategic partnership approach that we touched on, super interesting. I think that's gonna be the way forward for a lot of organizations as they go, you know what? I can't take a tactical solution to and a point to point solution, just plug in lots of different things anymore. I've gotta step back. It's time to be strategic. So POTFF highlights, 83% know we're gonna spend more on cyber. We should obviously go and help them with that, and I'm sure everyone on the call is probably gonna do that. And again, another stat that we love, nearly 28% of those are actually looking for a new managed security services provider within the next 12 months. So we've got a very fertile landscape out there, but we're gonna need as always, we're gonna need to do some work and make sure that we're aligned to our customers well to be able to do that. And just as a quick snapshot, this is too detailed. I wasn't gonna present this. But just for those who again, well, that's great. But what about India or Malaysia or I'm based in the Philippines? We have all of this data broken down by individual countries so you can separate out. Right? So we won't cover this off here, but just just so you know, you can actually click in, and see some of that data, by individual country too. And with that, I'll take a breath. I hope that's been I hope that's been an interesting whistle stop tour of, of our latest research with Sophos across the APJ region. And, with that, I'll hand back to AJ. Yeah. 
Thanks, Mark. That's fantastic. And it's good to say there is such, such opportunity there, right, in the market. Like, there's so much there that MSPs need to do. And, interestingly, I noticed when you said that partnering approach, I think MSPs have often wanted to take over completely and take it completely off hands, but I do think that with businesses that partner aligning nowadays is a lot lot lot more, important and sort of making sure you're showing that value and working with them rather than necessarily taking it all over for them. Yeah. Very much. And and I think that is literally one of the biggest trends going forward where we have this kind of in house, in house outsource debate, and the reality is it's both. Customers have now realized, I can't do everything in house. It's too complicated. I just can't. I need expertise. I need people to do this for a living every day, in a every day, literally, in and out. But also, I can't hand everything across either. I need to build cyber understanding internally. I've still got an education and awareness problem with my employees and with senior executives. So exactly where that line is between what they do in house and what they do with partners will vary, by country, by organization, but it's gonna be a balance of both. Yeah. You nailed it when you sort of you you spoke spoke about return on investment and right with typical managed services, it's quite easy to see the return on investment. They understand it. They know they can't do it themselves. It's very easy to show that, but with cyber, like you said, how do you if there's no events because you've done your job amazingly, how do you Yeah. How do you see that return? Right? Yeah. Exactly. Yeah. We've had some, we've had a couple of questions come through. Some I'm I'm gonna put on screen, some are here, and some I've got separately. But, this was more of a comment, but I thought you might actually want to, you might actually want to call it out. 
So, with all the talk about privacy, it is ironic to say that, you know, PII management seems to be the least important of all priorities. So any comments on that one? It's interesting, isn't it? And sometimes it's biased by the audience that you talk to. So because we tend to talk to people who have responsibility for cyber, sometimes you'll find that the responsibility for privacy sounds a little strange, but sits somewhere else. So sometimes it will sit with the chief digital officer or a chief people officer or a chief customer officer. So sometimes it can be, the the nature of the research you're asking. But also other times, privacy was huge. Remember back 4 or 5 years ago, we were all talking about GDPR, and it was a huge thing. And then each country has done its own privacy legislation. And then we just seem to wrap privacy inside the cyber umbrella. So it's it's kind of interesting that we sometimes are trying to unpick privacy and say, well, look, it's kind of like a Venn diagram. You know, you can't talk about cyber without talking about privacy, and you can't really talk about privacy without talking about cyber. But we do find often that there's perhaps not enough focus. I I would be concerned with I think it's Varani that asked the question. I would probably share your concern here. I think we're under rotating on privacy because one of the things we forget here is, other research that we've done as well indicates we're seeing this uptick in insider, threats. So people whistle blowers literally. So So it's almost not privacy, but actually it's an insider threat. It's somebody consciously making a decision to share information that they shouldn't. And you can't necessarily stop that with cyber. So how do you think about privacy? So we're we're always kind of intrigued by the the overlap between privacy and cyber. I think they should always go hand in hand. 
And for MSPs, I think you shouldn't be talking about cyber without talking about your privacy stance. But it it's one of those things that does vary hugely based on legislation by country and and APJ. Yeah. And you're right. Right. It's, you spoke about whistleblowers, but also it's the accidental release of data. Right? It might not be intentional at all. So you are right. I I suspect it's got a lot to do with how hard it is because sometimes putting cyber solutions are easier than trying to necessarily lock up your data and put in the necessary policies and things like that. It requires much more of a a buy in, I would say, from the business. It does. And and you almost need to get to it's a little bit like, the adoption of AI. You need to think about guardrails and ethics and policies and education with privacy. With cyber, there's a tendency we can go, I can just kind of put a solution in then, and I'll be part of the way there. And it's like, well, you can, but we've we've actually got to elevate that whole conversation. And I think for, Brian, it's a it's a great comment, which is if we're having the right conversation with customers, we're talking about cyber strategy, risk, governance, privacy. We're talking about everything all wrapped up and then trying to establish what is our cyber resiliency posture. What's acceptable to us as a business from a risk point of view? Because it's gonna vary. Right? My my risk profile will be very different to yours potentially, AJ. So we should align the strategy accordingly. Right? And no one has limitless amounts of budget, and there's no such thing as no risk anyway. Right? You can't I don't care how much money you spend. You can't get to a zero risk environment. Well, you can. And it's very very cheap, actually. Just turn it off. So Actually, you could just disconnect the Internet probably and then just stop everyone accessing everything. Fantastic. Now, Mark, there was one here that came through. 
So Australia was the only country in region that didn't list AI. You mentioned it as the number one threat. Well, give me a take on that. What do you think that is? Is this a It's interesting. Is it a thing? Or I think it might be a maturity thing. I mean, Australia has been a very early adopter, in in the recent couple of years. So if you look at adoption of both of hyperscale, you know, the the original hyperscale that came in first landed in Australia in 2012. And obviously, in other parts of the region, we we still don't see the hyperscale as all they've arrived very recently, like Indonesia, for example. So a lot of the AI at the moment is being driven out of hyperscale. So I think there's kind of a a a lack of symmetry here where I think we've got a deeper understanding of AI and certainly other research we've done in AI. The usage of AI in Australia is is quite mature. So we we've got an audience here and a and a landscape that's that's built up a degree of knowledge around AI that I would argue at the moment is greater potentially in Australia. So I think they don't see the risk of it because there's more familiarity with AI outside of the cyber landscape. And even to be honest, I mean, you probably see it in your in your business as well, Aaron, which is the adoption of the more advanced AI cyber solutions has probably been more accelerated in ANZ just due to the the nature of the business here being a little bit more mature and the framework's been more mature. So I think it's really, ultimately, I'd say it's probably down to maturity. Yeah. I would agree with that. We see a lot of that in our, threat detection information and telemetry as well. We do see a lot of, I would guess, dare I say, less mature sub security from a protection standpoint as well and what's been put in place. So, yeah, we do see that across different regions. 
ANZ definitely, when we are talking about bringing on MDR services and things like that as well, we do see, Australia a little bit, even ANZ New Zealand, much more advanced across APJ. Yeah. Now you shared some customer feedback on the most common mistake partners, are making, right, when they're selling cyber solutions. So do you have any single practical steps they can take, to make sure, you know, they don't slip into that AI washing or product or whatever it is that that they might mistake? I think I think you can never start a conversation too high. Yeah. You know, it's like it's like the old adage, AJ, you've been selling for a long time as well. You can never sell too high. And and and I would argue that's the same with cyber engagement. You can never engage too high with cyber. So I would say thinking about who you're targeting and the messages that you're using to target those people and what the solution looks like. So in other words, we're starting with strategy. So the first conversation you're having is not, you know, how much budget do you have? What solutions do you currently have? What, you know, what what else can we sell you that's gonna change your cyber posture? But having a sit down conversation about how the customer thinks about risk, how they think about frameworks, if they've got any strategic approach, and starting at cybersecurity strategy and working your way down. And the customer may wanna drag you down quickly to a solution. It's not uncommon in a in a sales scenario, but starting high. I I don't think you can start too high in these conversations. The customer will take you lower, but if you start low, it's very difficult to move higher. And I think often we start too low. Yeah. I couldn't agree more, actually. I've I've seen a lot of that and, yeah, it's it's very true. Right? You need to and you really start that high and and just just to get the fundamentals right. Right? 
Really just get that sort of understanding in that high level. So Yeah. That actually might play into one thing I was gonna ask you actually. So, I noticed across the board, across APJ, this was something that I picked up on from the ebooks and your data. There was something about implementing immutable backups, and that was at less than 40% across the board. But then I picked up on the fact that implementing security frameworks and the ability to put in standards was higher than that. Now I had to double check myself, and I went and double checked to make sure I wasn't going mad because I've done many of these things. I just wanna make sure I wasn't wrong. Putting in immutable backups is, like, step 1 pretty much of my frameworks and compliance. So do do you think that's, like, highlighting educational thing around frameworks and and stuff like that? Is there an opportunity there? It there's definitely an opportunity there, and we sometimes we do this and you'll know if it's when we work together on the research, but sometimes we'll deliberately ask something where we're asking a counter question that that that balances it just to see whether, you know, our organization's really doing this or is it so you can sometimes kind of cross correlate things, and we look at this and say, yeah. I don't think you can are are you really building that much resilience? And I think there's a question here. It's kind of the the the argument's always kind of you go, how much money do you spend if you look at any framework? Right? How much do you spend on protection or identification versus, you know, protection versus resiliency versus, you know, and how do you think about your budgets? And I think we've spent traditionally customers like to go to protect. So they'll run to protect mode first because it's like, well, I need to stop things. So let's go firewalls and perimeters and endpoint and things that stop. 
And so we we block things and we stop, you know, and email filters and we do all of these things rather than resiliency. We kind of go, yeah, well, we'll kind of make sure that we've got some backups and probably should be alright. And we've we've got some other data, I think you've seen as well, that says we've asked customers, how long can you survive if you don't have access to your live data? And how long does it actually take you to put it back? Have you ever tried it? And we we asked those people that actually had had an incident, and those two things are terribly misaligned. So we've got customers saying, well, I can only survive for I think 75% of customers could survive for less than 5 days without access to their data. But the majority of customers that experienced an incident, it took them much longer than that to put the data back. So you go, well, these two things aren't aligned. So again, if you'd started at cyber strategy, you'd start with, well, how long could we survive without that? Therefore, what resiliency do we need to put in place? And one of the most obvious things is immutable backup. You know, and any any good malware worth its money will go sideways and your network can find you backup. We we all kind of know that. So immutable backup should be just one of those tick box items that's there from a resiliency point. And I think the again, it's that coming back to the kind of that strategy narrative that we would hope all partners have, which is you're looking very broadly across these frameworks to say to look at the customer's environment and say, okay, how much, you know, how much are you invested in each of these areas? How is your resiliency strategy undercooked versus your protection strategy? Do you have the right balance and counterweights here so that it's a resilient and robust cyber security strategy? And and the immutable backup one is a yeah. That's a it's a little bit of an obvious step, isn't it? 
So you can how are you gonna how are you gonna have do you have any resilience if your backup is also infected? Like, that's not gonna end well. No. It's not. I do actually remember you you sharing those stats around the recovery of time and, yeah, there was a few drop moments there. So, actually, that probably leads into one last thing. I think we're getting close to time, but one last thing I wanted to say was, you mentioned the shift in cyber budgets, increasing more than previous years. What do you think the main driver of that is if you had to pick 1? You know, would it be is it insurance? Is it compliance? Is it the public sort of amount of hacks going on? What what do you think the main driver is? I think I think what we're saying and this is probably more opinion, but what we're tending to see is, an increase in understanding of both cyber. So the term cyber is now becoming more common in part, so it's not just restricted to IT circles. The breaches are becoming quite public, and people are beginning to understand malware. And some of these terms that traditionally were industry terms. And similarly, AI, you know, these these are now entering mainstream vernacular. So we've got, you know, you know, my dad knows what AI is. You know, generally, he got he knows he knows how to spell AI. I would argue he doesn't really know anything about AI, and I don't think we want my dad on ChatGPT. When you when you kind of look at that vernacular, I think there's just a a general awareness now. And so that's helping in a way soften the ground, I think, for MSPs where you've got executives now going, okay, this side of things not going away. Right? And it seems to be getting worse with AI. So we and I think everyone else is asking them questions and you've got board members and executives talking to other executives and and even in business forums now, cyber's becoming a topic across general business forums. So think everyone recognizes this this thing isn't going away. 
We can't solve it. We're just buying a couple of solutions anymore and moving on with our lives. We actually need to take this quite seriously. And I think that's probably the biggest driver, and I think that's what's helping it become a more strategic conversation, which I think is the best thing that could happen to us as a cyber industry is we do become more strategic. It's like, remember if you go back about 10 years, we always argued that IT was a reporting line into the CFO. So whereas now IT tends to have a seat on the board, I'd make the same analogy with cyber, which is, you know what, cyber is actually kind of finding its place where it should be, which is it's a strategic driver, for businesses and a very, very strategic risk that needs to be taken more seriously. So I think anything that elevates the conversation around cyber has gotta be good. Right? Absolutely. Yeah. And I'm definitely seeing more boards asking about risk. They're they're much more aware of it. It's becoming mandatory as part of that. So Yeah. Alright. Well, with that, Mark, I wanna thank you for that. That was amazing research, amazing, going through the stats. I hope that's helped everyone on the call today. Thank you everyone for joining. It's been fantastic. As mentioned, you will all receive these ebooks, that have been built by Mark and his team. And if you do have any further questions, please happy feel free to reach out. We do have a survey at the end of this that we would ask that you would fill out. Thanks, Mark. Any final words? Pleasure. No pleasure. I hope that's been useful for everybody. Thanks. Yes. Thank you, Mark. Thank you, everyone. See you later.