Moving beyond build mode to tackle ‘cowboyish’ security market

For frequent travellers to RSA Conference in San Francisco, the world’s leading cyber security conference is a sight to behold – housing 40,000 attendees which includes more than 650 speakers and over 500 exhibitors.

On the one hand, a collection of the smartest minds in the security community yet on the other, a breeding ground for brash vendors and reckless selling.

“We’re hearing a lot of feedback from organisations that the market is very cowboyish which leads to a lot of confusion,” noted Luke Power, Managing Director of Australia and New Zealand (A/NZ) at Trellix.

Walking around RSA Conference in April with a local delegation, Power observed that of the extensive list of cyber vendors on display – of which Trellix was one – at last half did not even have a local presence on either side of the Tasman.

“You have Australian or Kiwi CISOs attending and dealing with companies that don’t even have a foot on the ground here,” he said.

“The amount of customer meetings we had hearing that a big bank or a government agency arrived with an expectation of one thing and came away with a completely different objective. It’s so challenging for businesses at the minute.”

A recent case in point is news that the Australian Tax Office (ATO) lost more than $557 million to online fraud during the past two years.

Following an ABC investigation, a Freedom of Information request revealed a “glaring security gap” in the agency’s identity checking system as criminals gained unauthorised access through fake myGov accounts.

Meanwhile in New Zealand, a Russian hacker group claimed to have temporarily taken down a number of Kiwi websites in a denial-of-service (DDoS) attack targeting public and private sector organisations supporting the war in Ukraine.

As reported by Newshub in July, ‘NoName057(16)’ took aim at government websites including legislation.govt.nz and pco.govt.nz.

“Make no mistake, customers are getting threatened every day,” Power acknowledged. “Customers have purchased security solutions and they don’t always understand what they’ve purchased, sometimes that’s because they feel the need to tick a box for the sake of the CEO or the board.”

In response, Power said the number one request issued by businesses to vendors is ‘please, don’t try and sell us something else’. Instead, why not help enable what has already been purchased and advise on the posture gaps exposed.

“We hearing everyday how vendor X, Y or Z sold a solution – whether endpoint, firewall or whatever – and then they go missing for a year or two,” he said. “They just drop it on the customer without any conversation around enablement or integration. We’re seeing the need for a consultative approach instead.”

According to Power, security is arguably the only area of the industry in which dropping products on end-users without any consideration for lifecycle management is not an option. Whether implementation, education or ongoing consultation – transactional vendor approaches seldom hit the mark in cyber.

“We sell a lot of bodies and offer the intelligence and insights of our people to customers,” he added. “We have to provide intelligence and incident response expertise not just drop in a licence and move on.

“It’s not good enough to drop in a firewall like you would a switch or router to solve the problem yet unfortunately, it happens all too regularly.”

Depending on the data, there could be as many as 50,000 cyber security vendors operating across the world, supporting by an ecosystem of thousands of valued-added resellers, system integrators, managed security service providers and consulting firms.

Truth is, no CISO can pin that number down given the array of new players entering the market on a seemingly daily basis. Vendor competition is fierce and unsurprisingly, most are in a rush.

“Procurement teams are very intelligent people and they understand what’s going on,” Power cautioned.

“They understand that when a renewal cycle is coming up they all of a sudden start hearing from vendors after three years. In A/NZ, we of course are seeking to grow but we’re also focused on providing the right attention and support to our existing 4,000 customers locally.”

Moving beyond build mode

Trellix is a cyber security vendor born out of a merger between McAfee Enterprise and FireEye.

Under the control of Symphony Technology Group (STG) – a private equity firm with an expansive market portfolio – the combined entity serves more than 40,000 customers, houses over 5,000 employees and reports nearly $2 billion in revenue.

With Bryan Palma as CEO, the company rebranded to Trellix in early 2022 and operates as a leader within the extended detection and response (XDR) space.

Power joined as local leader in September 2022 following a career spanning Cisco, McAfee, Avaya and Nortel Networks among others.

“For the past 6-7 months in particular, we have been very much in build mode across A/NZ,” Power outlined. “We’ve been operating at the speed of a start-up in a sense, hiring while building out new roles.”

Trellix currently houses approximately 70 employees across Sydney, Melbourne and Canberra with plans in place to officially launch in New Zealand within the coming weeks.

“Things are starting to settle down and we’re getting out of build mode and becoming more proactive,” Power said. “Our customer conversations 12 months ago were more centred on explaining our role in the market.

“In some cases, we had McAfee Enterprise and FireEye customers who were already using our technology but didn’t know who Trellix was, so there was a lot of education required.”

With the market reengaged, Power is also seeking to activate an expansive ecosystem of partners to further fuel growth – tapping into his long channel leadership heritage within this space.

“The channel is a big one,” he confirmed. “How do we activate our channel and attract those niche security partners that are going to help our customers? We’re also looking to leverage the power of distribution and break down the siloes to create more cross-sell and up-sell opportunities.

“We’ve done great work in say 100-150 customer accounts but we’ve only talked to them about 10% of what we can do so the channel can help unlock that opportunity further.”

Trellix represents Power’s first role as a Managing Director following more than 25 years running ecosystems across the region, transitioning to holding company-wide responsibility in the process.

“Looking back 25 years ago, I was building PCs in a little computer store and if you told me then that I’d be the country leader for an American cyber security vendor, I’d probably ask if you were on something,” he smiled. “It’s natural to have an element of imposter syndrome in this role and I do have that.

“This is something I’ve always wanted to do but having the ability to do it in such a unique way is very rewarding – we’re a start-up but we’re also not. We’ve brought in a lot of good people and there’s been a lot of learnings but the results are now coming in and that’s testament to the team.”

In the past, the country leadership role was focused on simply running the sales team but this has since evolved into a more conventional executive position. Power holds responsibility for commercial but also channel, marketing, professional services, customer success, operations and the rest.

“Yes, there’s a lot of managing directors who are just sales directors but this is a real roll up your sleeves type of role,” he outlined. “Having the autonomy and trust to run the business as you see fit is empowering – even to the point of deciding on our new office in North Sydney.

“Those decisions would never cross my desk previously but it’s very important in building a culture and creating the right values in our team.”

For Power, sales is a momentum game – build a team of winners and create the right environment in which they can thrive.

“This isn’t about closing a couple of big deals, it’s about building an engine to ensure everyone is moving in the same direction to execute on our strategy,” he highlighted. “I come from volume-based businesses and while large product sales are nice, we’re looking to build a repeatable sales engine.”

Achieving that requires a strong culture, Power acknowledged. Hierarchy doesn’t work in the same way as 20 years ago, banging on the desk and enforcing a position through aggression is no longer successful or acceptable.

“Coming from a channel background allows you to approach things in a different way because in that role, you’re constantly thinking about the whole of business,” he shared. “We engage everyone in our meetings because that’s important in understanding the best approach and ensuring alignment to the market.”